Outfled/NTFS-File-Search

# NTFS-File-Search 相对轻量级的应用程序，用于快速查询位于 NTFS 卷上的文件/目录。 它通过读取和解析位于 MFT（主文件表）中的文件记录来工作。 ### 专为 Windows 操作系统设计 虽然 Linux 支持 NTFS 驱动器，但该程序是专为 Windows 设计的。 大多数与 Linux 不兼容的代码仅仅是因为 Win32 API 数据类型。 因此，将数据类型和（少量）函数调用转换为它们支持的对应项实际上应该不会太难。 ## 用法/示例 **查看 _NTFSFileSearch\Sample.cpp_ 获取更深入的用法示例代码** *变量* ``` NTFSVolumeSearcher vFileSearcher; UINT64 nFileResults; PNTFS_FILE_ENTRYA pFileResults; ``` ### 1：按名称搜索文件 ``` /* Add file search filter to find files with the name of "SampleSearchFile.txt" */ vFileSearcher.AddFileFilter( FF_OPERATOR_EQUAL, // Equal to operator; ie files that have 'equal to' (in terms of name; same as) names as the provided operand below ("SampleSearchFile.txt") FF_FACTOR_NAME, // Specifies the operand file-content type is its name (not including path) L"SampleSearchFile.txt" // The filter operand (the name of the file that each entry must be the same as) ); // TODO: // Create CNTFSVolume object & call vFileSearcher.SetVolume() // ... /* Locate files that match the criteria */ vFileSearcher.FindFilesA( FILE_SEARCH_FLAG_FIND_FILES, // Search for files only (exclude directories) &pFileResults, &nFileResults ); ``` ### 2：按文件大小搜索文件 ``` /* Look for files >= 1 GB */ vFileSearcher.AddFileFilter( FF_OPERATOR_GREATER_THAN_OR_EQ, // Greater than or equal to operator; search for files that have a greater than or equal to value as the operand value below (1GB) FF_FACTOR_SIZE, // The operand file content type. FF_FACTOR_SIZE specifies the file content type is it's allocated size on the disk GB_TO_BYTE(1) // The operand value; ie the operand value used alongside each file-entry result found in the operator ); // TODO: // Create CNTFSVolume object & call vFileSearcher.SetVolume() // ... /* Locate files that match the criteria */ vFileSearcher.FindFilesA( FILE_SEARCH_FLAG_FIND_FILES, // Search for files only (exclude directories) &pFileResults, &nFileResults ); ``` ### 3：搜索所有文件和目录 ``` // No search filter needed // TODO: // Create CNTFSVolume object & call vFileSearcher.SetVolume() // ... /* Search for files & directories */ vFileSearcher.FindFilesA( FILE_SEARCH_FLAG_FIND_ALL, // Search for both files & directories (FILE_SEARCH_FLAG_FIND_FILES | FILE_SEARCH_FLAG_FIND_DIRECTORIES) &pFileResults, &nFileResults ); ``` ## 引用来源\有帮助的参考资料 * https://www.ntfs.com/ntfs-mft.htm * https://learn.microsoft.com/en-us/windows/win32/devnotes/master-file-table * https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table * https://handmade.network/forums/articles/t/7002-tutorial_parsing_the_mft * https://flatcap.github.io/linux-ntfs/ntfs/concepts/attribute_header.html#:~:text=Overview,attribute%20depends%20on%20two%20things. * https://en.wikipedia.org/wiki/BIOS_parameter_block * https://www.ntfs.com/ntfs-partition-boot-sector.htm * https://flatcap.github.io/linux-ntfs/ntfs/concepts/file_record.html * http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/attributes/standard_information.html * https://flatcap.github.io/linux-ntfs/ntfs/attributes/file_name.html * https://stackoverflow.com/questions/62248173/how-are-dos-filenames-handled-in-the-mft-in-windows-10 * https://github.com/farfella/ntfs-cpu-search/tree/master * https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-file * https://man7.org/linux/man-pages/man7/namespaces.7.html

标签：C++, HTTP工具, Linux, MFT, NTFS, Win32 API, 主文件表, 二进制发布, 卷解析, 底层解析, 开源工具, 数字取证, 数据恢复, 数据擦除, 文件搜索, 文件枚举, 文件系统, 系统工具, 网络安全审计, 自动化脚本, 过滤查询