mirror of
https://github.com/WerWolv/ImHex-Patterns.git
synced 2026-03-28 07:47:02 -05:00
b4bf2b946f
Added FileSystem Checking and comments && renamed struct ReFSHeader to VolumeBootRecord && Fixed Typo
163 lines
4.3 KiB
Rust
163 lines
4.3 KiB
Rust
#pragma author 5h4rrK
|
|
#pragma description ReFS-File-System
|
|
|
|
import type.types.win32;
|
|
import type.guid;
|
|
import std.mem;
|
|
|
|
enum FILESYSTEM : u64 {
|
|
ReFS = 0x53466552
|
|
};
|
|
|
|
struct ReFS_Version {
|
|
u8 Major;
|
|
u8 Minor;
|
|
};
|
|
|
|
struct CheckPoint_REFS_Version {
|
|
u16 Major;
|
|
u16 Minor;
|
|
};
|
|
|
|
enum BLOCK : u32 {
|
|
SuperBlock = 0x42505553,
|
|
CheckPoint = 0x504b4843,
|
|
MSBPlus = 0x2b42534d
|
|
};
|
|
|
|
struct META_HEADERS {
|
|
BLOCK Signature[[comment("Block Signature"), name("BlockSignature")]];
|
|
u32 unk[[comment("Fixed Value 0x02"), name("Unknown")]];
|
|
$ = $ + (0x8 + 0x10);
|
|
u64 LCN1[[comment("MetaPage 1st LogicalClusterNumber"), name("FirstLCN")]];
|
|
u64 LCN2[[comment("MetaPage 2nd LogicalClusterNumber"), name("SecondLCN")]];
|
|
u64 LCN3[[comment("MetaPage 3rd LogicalClusterNumber"), name("ThirdLCN")]];
|
|
u64 LCN4[[comment("MetaPage 4th LogicalClusterNumber"), name("FourthLCN")]];
|
|
u64 _Objid;
|
|
u64 ObjId;
|
|
|
|
};
|
|
|
|
struct ATTRIBUTE {
|
|
u64 LCN1[[name("FirstLCN")]];
|
|
u64 LCN2[[name("SecondLCN")]];
|
|
u64 LCN3[[name("ThirdLCN")]];
|
|
u64 LCN4[[name("FourthLCN")]];
|
|
u32 Unk1[[comment("UnknownField"), name("Unknown1")]];
|
|
u32 Unk2[[comment("UnknownField"), name("Unknown2")]];
|
|
u64 checksum[[name("CheckSum")]];
|
|
BYTE ZeroPadding[56][[name("Padding")]];
|
|
};
|
|
|
|
u32 keeptrack = 0;
|
|
|
|
struct EntryArray {
|
|
u32 AttrOffsetEntry;
|
|
u32 prev = $;
|
|
$ = (0x1000 * ($ / 0x1000));
|
|
$ = $ + AttrOffsetEntry;
|
|
keeptrack += 1;
|
|
if (keeptrack == 1) {
|
|
ATTRIBUTE ObjectTable;
|
|
}
|
|
else if (keeptrack == 2) {
|
|
ATTRIBUTE UNKNOWN1;
|
|
}
|
|
else if (keeptrack == 3) {
|
|
ATTRIBUTE UNKNOWN2;
|
|
}
|
|
else if (keeptrack == 4) {
|
|
ATTRIBUTE AttributeList;
|
|
}
|
|
else if (keeptrack == 5) {
|
|
ATTRIBUTE DirectoryTree;
|
|
}
|
|
else if (keeptrack == 6) {
|
|
ATTRIBUTE UNKNOWN3;
|
|
}
|
|
else if (keeptrack == 7) {
|
|
ATTRIBUTE UNKNOWN4;
|
|
}
|
|
else if (keeptrack == 8) {
|
|
ATTRIBUTE ContainerTable;
|
|
}
|
|
else if (keeptrack == 9) {
|
|
ATTRIBUTE ContainerTableDup;
|
|
}
|
|
else if (keeptrack == 10) {
|
|
ATTRIBUTE UNKNOWN5;
|
|
}
|
|
else if (keeptrack == 11) {
|
|
ATTRIBUTE AllocatorLarge;
|
|
}
|
|
else if (keeptrack == 12) {
|
|
ATTRIBUTE UNKNOWN6;
|
|
}
|
|
else if (keeptrack == 13) {
|
|
ATTRIBUTE UNKNOWN7;
|
|
}
|
|
$ = prev;
|
|
};
|
|
|
|
struct CHECKPOINT {
|
|
META_HEADERS CheckPointMetaHeader[[name("FSPageMetaHeader")]];
|
|
$ += (0x04);
|
|
CheckPoint_REFS_Version ReFSVersion;
|
|
u32 EntryOffset;
|
|
u32 EntrySz[[name("EntrySize")]];
|
|
u64 blockno[[name("BlockNumber")]];
|
|
$ += (0x28);
|
|
u32 NumOfEntries;
|
|
EntryArray AttributeEntries[NumOfEntries];
|
|
$ += (0x08);
|
|
u64 LCN1dup[[comment("Duplicate LCN of MetaPage of this block"), name("DupFirstLCN")]];
|
|
u64 LCN2dup[[comment("Duplicate LCN of MetaPage of this block"), name("DupSecondLCN")]];
|
|
u64 LCN3dup[[comment("Duplicate LCN of MetaPage of this block"), name("DupThirdLCN")]];
|
|
u64 LCN4dup[[comment("Duplicate LCN of MetaPage of this block"), name("DupFourthLCN")]];;
|
|
};
|
|
|
|
struct SUPERBLOCK {
|
|
META_HEADERS SuperBlockMetaHeader[[name("FSPageMetaHeader")]];
|
|
type::GUID GUID;
|
|
$ = $ + (0x10 * 0x06);
|
|
u64 primarychekpoint[[name("PrimaryCheckPoint")]];
|
|
u64 secondaychekpoint[[name("SecondaryCheckPoint")]];
|
|
u64 LCN1dup[[name("DupFirstLCN")]];
|
|
u64 LCN2dup[[name("DupSecondtLCN")]];
|
|
u64 LCN3dup[[name("DupThirdLCN")]];
|
|
u64 LCN4dup[[name("DupFourthLCN")]];
|
|
};
|
|
|
|
struct VOLUME_BOOT_RECORD {
|
|
BYTE jmpInstruction[3] [[comment("Jump Instruction"), name("JumpInstruction")]];;
|
|
FILESYSTEM FileSystem[[comment("FileSystemName"), name("FileSystem")]];
|
|
BYTE UnKnown[5];
|
|
char Identifier[4][[comment("File System Recognition Structure, allows OS to recognise the structure"), name("FSRSIdentifier")]];
|
|
u16 Length[[comment("Size of VBR"), name("Length") ]];
|
|
u16 Checksum[[comment("Computed FileSystem Information Checksum"), name("CheckSum")]];
|
|
u64 TotalNoOfSectors;
|
|
u32 BytesPerSec[[comment("Bytes Per Sector"), name("BytesPerSector")]];
|
|
u32 SectorPerCluster[[comment("Sector Per Cluster"), name("SectorPerCluster")]];
|
|
ReFS_Version ReFSVersion;
|
|
BYTE UnknownBuff[0x0e][[name("Unknown")]];
|
|
u64 SerialNo[[name("SerialNumber")]];
|
|
|
|
};
|
|
struct REFS_FILE_SYSTEM {
|
|
u64 checkVal = std::mem::read_unsigned($+3, 8);
|
|
$ = 0;
|
|
if(checkVal == FILESYSTEM::ReFS){
|
|
VOLUME_BOOT_RECORD vbr @ 0x00[[name("VolumeBootRecord")]];
|
|
SUPERBLOCK SuperBlock @ (0x1e * 0x1000);
|
|
|
|
CHECKPOINT PrimaryCheckPoint @(SuperBlock.primarychekpoint * 0x1000);
|
|
keeptrack = 0;
|
|
CHECKPOINT SecondaryCheckPoint @(SuperBlock.secondaychekpoint * 0x1000);
|
|
}
|
|
else{
|
|
break;
|
|
}
|
|
};
|
|
|
|
REFS_FILE_SYSTEM ReFSFileSystem @0x00;
|