Small fix

- redundant Record dwMFTRecNumber is parsed only with NTFS 3.1
- added a proper Record iterator

Author: maxpat78

FATtools/NTFS/Attribute.py

@@ -164,6 +164,7 @@ def __str__ (self): return utils.class2str(self, "$ATTRIBUTE_LIST Item @%x\n" %
 
 
 class File_Name(Attribute):
+	# Always resident
 	specific_layout = {
 	0x00: ('u64FileReference', '<Q'),
 	0x08: ('u64CTime', '<Q'),
@@ -180,7 +181,7 @@ class File_Name(Attribute):
 	def __init__(self, parent, offset):
 		Attribute.__init__(self, parent, offset)
 		common_update_and_swap(self)
-		# Always resident - so name is at (24+66) bytes from start
+		# Name is at (24+66) bytes from start
 		i = self._i+90
 		self.FileName = (self._buf[i:i+self.ucbFileName*2]).decode('utf-16le')
 
@@ -316,7 +317,7 @@ class Volume_Information(Attribute):
 	# Always resident
 	specific_layout = {
 	0x00: ('u64Reserved', '<Q'),
-	0x08: ('bMajorVersion', 'B'), #  1.1=NT 3.51, 1.2=NT4, 3.0=2K, 3.1=XP+
+	0x08: ('bMajorVersion', 'B'), #  1.1/1.2=NT 3.5/4, 3.0=2K, 3.1=XP+
 	0x09: ('bMinorVersion', 'B'),
 	0x0A: ('wFlags', '<H'), # 1=dirty, 2=log resize, 4=to upgrade, 8=mounted on NT4, 10h=del USN, 20h=repair OIDS, 8000h=modified by CHKDSK
 	0x0C: ('dwReserved', '<I') } # 0x10 (16) bytes
@@ -331,6 +332,7 @@ def is_dirty(self):
 		return self.wFlags & 1
 
 class Security_Descriptor(Attribute):
+	# At least since Windows NT 3.51
 	specific_layout = {}
 
 	def __init__(self, parent, offset):

FATtools/NTFS/Boot.py

@@ -7,19 +7,21 @@ class Bootsector:
 	0x03: ('chOemID', '8s'), # "NTFS    "
 	0x0B: ('wBytesPerSec', '<H'), # typically, 512
 	0x0D: ('uchSecPerClust', 'B'), # typically, 8 (4K cluster)
-	0x0E: ('u64Unused1', '<Q'), # 0xf800000000000000
+	0x0E: ('wReservedSectors', '<H'), # unused
+	0x10: ('sUnused1', '3s'), # unused
+	0x13: ('wUnused1', '<H'), # unused
 	0x15: ('uchMediaDescriptor', 'B'), # typically 0xF8 (HDD)
 	0x16: ('wUnused2', '<H'),
-	0x18: ('wSecPerTrack', '<H'),
-	0x1A: ('wNumberOfHeads', '<H'),
-	0x1C: ('u64Unused3', '<Q'),
-	0x24: ('dwUnknown', '<I'), # typically 0x800080
-	0x25: ('dwUnused4', '<I'),
+	0x18: ('wSecPerTrack', '<H'), # typically, 0x3F
+	0x1A: ('wNumberOfHeads', '<H'), # typically, 0xFF
+	0x1C: ('dwHiddenSectors', '<I'), # typically, 0x3F
+	0x20: ('dwUnused1', '<I'), # typically 0
+	0x24: ('dwUnused2', '<I'),# typically 0x800080
 	0x28: ('u64TotalSectors', '<Q'), # count of volume sectors
 	0x30: ('u64MFTLogicalClustNum', '<Q'), # cluster of the $MFT Record (and Master File Table start)
 	0x38: ('u64MFTMirrLogicalClustNum', '<Q'), # $MFTMirr cluster (backup of first 4 $MFT Record)
 	0x40: ('nClustPerMFTRecord', '<b'), # if n<0 then 2^-n. Typically, 0xF6 (-10) or 1K. 
-	0x44: ('nClustPerIndexRecord', '<b'),
+	0x44: ('nClustPerIndexRecord', '<b'), # if n<0 then 2^-n.
 	0x48: ('u64VolumeSerialNum', '<Q'),
 	0x50: ('dwChecksum', '<I'), # typically zero
 	0x54: ('chBootstrapCode', '426s'),

FATtools/NTFS/DatarunStream.py

@@ -7,12 +7,13 @@ class DatarunStream:
 	"Accesses a sequence of data runs as a continuous stream"
 	def __init__ (self, boot, dataruns, size):
 		self.boot = boot
-		self._runs = dataruns
+		self._runs = dataruns # [(length, base_absolute_offset), (length, base_offset_delta), ...]
 		self.curdatarun = 0 # datarun paired with current stream offset
 		self.curdatarunpos = 0 # offset in current datarun
 		self.size = size # virtual stream length
 		self.seekpos = 0 # virtual stream offset
 		self.IsValid = 1 # to make FATtools code happy
+		self.seek(0)
 
 	def close(self):
 		pass
@@ -66,6 +67,7 @@ def seek(self, offset, whence=0):
 			else:
 				break
 		# Having found the datarun where the final position lays, we seek from its offset
-		if DEBUG&8: log("seek @%x, datarun=%d, relativepos=%x", self.seekpos, i-2, todo)
+		if DEBUG&8: log("seek @%x, datarun=%d, base=0x%x, offset=0x%x", self.seekpos, i-2, self._runs[i+1], todo)
+		#~ print("seek @%x, datarun=%d, relpos=%x, absbase=%x"%(self.seekpos, i-2, todo, self._runs[i+1]))
 		# BUG? Real disk stream has to seek with an Index, not the datarun stream?
 		self.boot.stream.seek(self._runs[i+1] + todo)

FATtools/NTFS/Record.py

@@ -22,8 +22,7 @@ class Record:
 	0x1C: ('dwAllLength', '<I'),
 	0x20: ('u64BaseMftRec', '<Q'),
 	0x28: ('wNextAttrID', '<H'),
-	0x2A: ('wFixupPattern', '<H'),
-	0x2C: ('dwMFTRecNumber', '<I') #  NTFS v3.0+
+	0x2A: ('wFixupPattern', '<H')
 	} # Size = 0x2C (44 byte)
 
 	def __init__ (self, boot, mftstream):
@@ -42,8 +41,11 @@ def __init__ (self, boot, mftstream):
 		self._vk = {} # { name: offset}
 		for k, v in self._kv.items():
 			self._vk[v[0]] = k
-			
+		
 		if not self.wFlags & 0x1: return # Unused record
+
+		if self.wUSAOffset == 0x30: # NTFS v3.1
+			self.layout[0x2C] = ('dwMFTRecNumber', '<I') # redundant Record number
 
 		if self.fileSignature != b'FILE':
 			print("Malformed NTFS Record @%x!" % self._pos)
@@ -99,6 +101,14 @@ def __init__ (self, boot, mftstream):
 
 	def __str__ (self): return utils.class2str(self, "MFT Record 0x%X @%x\n" % (self._pos//self.boot.cbRecord, self._pos))
 
+	def iterator(self):
+		"Iterates through all MFT Records, from start"
+		offset = 0
+		while offset < self._stream.size:
+			self._stream.seek(offset)
+			yield Record(self.boot, self._stream)
+			offset += self.boot.cbRecord
+
 	def next(self, index=1):
 		"Parses the next or n-th Record"
 		off = index * self.boot.cbRecord

FATtools/NTFS/__init__.py

@@ -4,4 +4,4 @@
 COPYRIGHT = '''Copyright (C)2012-2025, by maxpat78. GNU GPL v3 applies.
 This free software reads NTFS file systems WITH ABSOLUTELY NO WARRANTY!'''
 
-VERSION = '0.9.4b'
+VERSION = '0.9.5b'

FATtools/version.py

@@ -1 +1 @@
-__version__ = '1.1.4'
+__version__ = '1.1.5'