3. Attribute - $ATTRIBUTE_LIST (0x20)
3.属性 -$属性列表(0x20)
3.1. Overview
概览
NTFS Attributes
NTFS属性
9
When there are lots of attributes and space in the MFT record is short, all those attributes that can be
made non-resident are moved out of the MFT. If there is still not enough room, then an
$ATTRIBUTE_LIST attribute is needed. The remaining attributes are placed in a new MFT record and
the $ATTRIBUTE_LIST describes where to find them. It is very unusual to see this attribute.
当有大量属性切MFT记录过短时,这些属性可以作为非常驻属性转移到MFT之外。
如果仍然没有足够的空间,就需要一个属性列表属性。
后续的属性存放在一个新的MFT记录中,属性列表属性描述列如何找到它们。
这个属性是非常少见的。
3.2. Layout of the Attribute
属性的结构
After the standard header, this attribute contains a list of variable length records, describing the type and
location (in the MFT) of all the other attributes belonging to this file. Each record is aligned on an 8-byte
boundary.
在标准属性头之后,这个属性包含了一个变量长度记录表,描述这个文件的所有其他属性的类型和存储位置。每一个记录都按照8个字节对齐。
The list is sorted by:
这个列表按如下排序
1. Attribute type
属性类型
2. Attribute name (if present)
属性名
3. Sequence number
序列号
N.B. It does not list itself.
并不列出它自己
Table 2.4. Layout of the $ATTRIBUTE_LIST (0x20) attribute
属性列表属性的结构表
Offset Size Description
偏移 大小 描述
~ ~ Standard Attribute Header
标准属性头
0x00 4 Type
类型
0x04 2 Record length
记录长度
0x06 1 Name length (N)
名字长度
0x07 1 Offset to Name (a)
名字偏移
0x08 8 Starting VCN (b)
起始虚拟簇号
0x10 8 Base File Reference of the attribute
相对基文件
0x18 2 Attribute Id (c)
属性ID
0x1A 2N Name in Unicode (if N >0)
Unicode 的名字
(a) If the name doesn't exist, does this point at the attribute or zero?
(b) Starting VCN, or zero if the attribute is resident
(c) Each attribute has a unique identifier
(a) it always points to where the name would be (0x1A)
0x04 record allocation (8 byte alignment)
(c) always seems to be zero, check
(c) no it's only shown the first time for a given attribute type
not sure about sorting by sequence number. VCN definitely
3.3. Notes
注释
3.3.1. $AttrDef
属性定义
NTFS Attributes
NTFS属性
10
It can be either resident or non-resident. This attribute has a no minimum or maximum size.
他可以是常住或非常驻属性,这个属性没有最大或最小尺寸。
3.3.2. Other Information
其他信息
The offset at 0x07 is just one byte long, unusual for an attribute.
0x07偏移只有一个字节,不常用在属性中
If this attribute is non-resident, then the data runs must fit into one MFT record.
如果这个属性是非常驻属性,则数据运行必须在MFT记录中。
The $ATTRIBUTE_LIST may be needed if the file:
$属性列表属性在以下情况中用到
• has a large number of hard links (lots of file name attributes present).
有大量的硬链接(当前有大量的文件名属性)
• becomes very fragmented, so the data runs overflow the MFT record.
有大量的碎片,数据运行超出了MFT记录的大小
• has a complex security descriptor (not applicable to NTFS v3.0+
有大量复杂的安全描述符。
• has many named streams, e.g. data streams.
有大量命名数据流
3.3.3. To Do
8 VCN lowest_vcn;
Lowest virtual cluster number of this portion of the attribute value. This is usually is non-zero for the case where one attribute does not fit into one mft record and several mft records are allocated to hold this attribute. In the latter case, each record
holds one extent of the attribute and there is one attribute list entry extent. NOTE: This is DEFINITELY a signed value! The windows driver uses cmp, followed
by jg when comparing this, thus it treats it as signed.
24 __u16 instance;
If lowest_vcn = 0, the instance of the attribute being referenced; otherwise 0.
The attribute list is used in case where a file need extension FILE records in MFT to be fully described, in order to find any file attribute of this file.
This file attribute may be non-resident because its stream is likely to grow.
The extents of one non-resident attribute (if present) immediately follow
after the initial extent. They are ordered by lowest_vcn and have their instance