Merge pull request #68 from rowingdude/rowingdude-patch-1

mft.py - decodeMFTHeader value updates
rowingdude · Aug 3, 2024 · a6be7d1 · a6be7d1
2 parents 28f0895 + 011eb71
commit a6be7d1
Showing 1 changed file with 17 additions and 15 deletions.
diff --git a/analyzemft/mft.py b/analyzemft/mft.py
@@ -385,22 +385,24 @@ def add_note(record, s):
 
 
 def decodeMFTHeader(record: Dict[str, Any], raw_record: bytes) -> None:
-
-    record['magic']       = struct.unpack("<I", raw_record[:4])[0]
-    record['upd_off']     = struct.unpack("<H", raw_record[4:6])[0]
-    record['upd_cnt']     = struct.unpack("<H", raw_record[6:8])[0]
-    record['lsn']         = struct.unpack("<d", raw_record[8:16])[0]
-    record['seq']         = struct.unpack("<H", raw_record[16:18])[0]
-    record['link']        = struct.unpack("<H", raw_record[18:20])[0]
-    record['attr_off']    = struct.unpack("<H", raw_record[20:22])[0]
-    record['flags']       = struct.unpack("<H", raw_record[22:24])[0]
-    record['size']        = struct.unpack("<I", raw_record[24:28])[0]
+    record['magic'] = struct.unpack("<I", raw_record[:4])[0]
+    record['upd_off'] = struct.unpack("<H", raw_record[4:6])[0]
+    record['upd_cnt'] = struct.unpack("<H", raw_record[6:8])[0]
+    record['lsn'] = struct.unpack("<q", raw_record[8:16])[0] 
+    record['seq'] = struct.unpack("<H", raw_record[16:18])[0]
+    record['link'] = struct.unpack("<H", raw_record[18:20])[0]
+    record['attr_off'] = struct.unpack("<H", raw_record[20:22])[0]
+    record['flags'] = struct.unpack("<H", raw_record[22:24])[0]
+    record['size'] = struct.unpack("<I", raw_record[24:28])[0]
     record['alloc_sizef'] = struct.unpack("<I", raw_record[28:32])[0]
-    record['base_ref']    = struct.unpack("<Lxx", raw_record[32:38])[0]
-    record['base_seq']    = struct.unpack("<H", raw_record[38:40])[0]
+    record['base_ref'] = struct.unpack("<q", raw_record[32:40])[0] 
     record['next_attrid'] = struct.unpack("<H", raw_record[40:42])[0]
-    record['f1']          = raw_record[42:44]  # Padding
-    record['recordnum']   = struct.unpack("<I", raw_record[44:48])[0]                         
+    record['f1'] = raw_record[42:44]  # Padding
+    record['recordnum'] = struct.unpack("<I", raw_record[44:48])[0]
+
+    # Convert unsigned integers to signed if necessary
+    if record['base_ref'] & 0x8000000000000000:
+        record['base_ref'] = -(~record['base_ref'] & 0xFFFFFFFFFFFFFFFF) - 1                        
 
 
 def decodeMFTmagic(record: Dict[str, Any]) -> str:
@@ -607,4 +609,4 @@ def decodeObjectID(s):
 def ObjectID(s: bytes) -> str:
     if s == b'\x00' * 16:
         return 'Undefined'
-    return f"{s[:4].hex()}-{s[4:6].hex()}-{s[6:8].hex()}-{s[8:10].hex()}-{s[10:16].hex()}"
+    return f"{s[:4].hex()}-{s[4:6].hex()}-{s[6:8].hex()}-{s[8:10].hex()}-{s[10:16].hex()}"