Build raw NTFS_FILE_NAME_ATTR bytes.
(name, file_name_type=FILE_NAME_WIN32)
| 110 | |
| 111 | |
| 112 | def build_file_name_attr(name, file_name_type=FILE_NAME_WIN32): |
| 113 | """Build raw NTFS_FILE_NAME_ATTR bytes.""" |
| 114 | encoded = name.encode('utf-16le') |
| 115 | buf = struct.pack('<Q', 5) # ParentDirectory |
| 116 | buf += struct.pack('<Q', 0) # CreationTime |
| 117 | buf += struct.pack('<Q', 132_000_000_000_000_000) # LastDataChangeTime |
| 118 | buf += struct.pack('<Q', 0) # LastMftChangeTime |
| 119 | buf += struct.pack('<Q', 0) # LastAccessTime |
| 120 | buf += struct.pack('<Q', 0) # AllocatedSize |
| 121 | buf += struct.pack('<Q', 0) # DataSize |
| 122 | buf += struct.pack('<LL', 0, 0) # FileAttributes, EaSize |
| 123 | buf += struct.pack('BB', len(name), file_name_type) |
| 124 | buf += encoded |
| 125 | return buf |
| 126 | |
| 127 | |
| 128 | def build_attr_list_entry(attr_type, starting_vcn, mft_record_num, attr_id, |
no test coverage detected
searching dependent graphs…