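; subtlelonging — posted May 28, 2020:
; Hi, everyone. I converted a piece of code, I can't write it now when I have a problem, please help me, thank you
#include <WinAPIFiles.au3>
#include <WinAPIMem.au3>
#include <WinAPIConv.au3>
#include <WinAPIHObj.au3> ; _WinAPI_CloseHandle

; Reads the NTFS change journal (USN journal) of volume E: and prints every
; file name it holds.  The volume device is opened for write access, which
; needs an elevated process, and FSCTL_CREATE_USN_JOURNAL (step 03) is a
; write to the volume: it creates the journal when the volume has none.

Global $kernel32 = DllOpen('kernel32.dll')
Global $USN_JOURNAL_DATA = 'UINT64 UsnJournalID;INT64 FirstUsn;INT64 NextUsn;INT64 LowestValidUsn;INT64 MaxUsn;UINT64 MaximumSize;' & _
        'UINT64 AllocationDelta; WORD MinSupportedMajorVersion;WORD MaxSupportedMajorVersion'

;step 01. Determine whether the drive disk is in NTFS format
Local $aRet = _WinAPI_GetVolumeInformation('e:\')
; element 4 is the file-system name, so five elements are needed (the original
; test `< 4` let a four-element array through and then read past its end)
If UBound($aRet) < 5 Then Exit
If $aRet[4] <> 'NTFS' Then Exit ConsoleWrite('This drive is not in NTFS format' & @CRLF)

;step 02. Get driver handle (creation code 2 = open existing; access 7 / share 7)
Local $hVol = _WinAPI_CreateFile("\\.\e:", 2, 7, 7)
If $hVol = 0 Then Exit ConsoleWrite('Failed to get driver handle' & @CRLF)

;step 03. Initialize USN Journal file
Local $cujd = DllStructCreate('UINT64 MaximumSize;UINT64 AllocationDelta;')
$cujd.MaximumSize = 0
$cujd.AllocationDelta = 0
$aRet = _WinAPI_DeviceIoControl($hVol, $FSCTL_CREATE_USN_JOURNAL, DllStructGetPtr($cujd), DllStructGetSize($cujd))
If Not $aRet Then Exit ConsoleWrite('Errer to initialize USN Journal file' & @CRLF)

;step 04. Get basic information of USN Journal
Local $UsnInfo = DllStructCreate($USN_JOURNAL_DATA)
$aRet = _WinAPI_DeviceIoControl($hVol, $FSCTL_QUERY_USN_JOURNAL, Null, 0, DllStructGetPtr($UsnInfo), DllStructGetSize($UsnInfo))
If Not $aRet Then Exit ConsoleWrite(StringFormat("Failed to get basic information of USN Journal —— status:%x error:%d\n", $aRet, _WinAPI_GetLastError()) & @CRLF)
ConsoleWrite(StringFormat("UsnJournalID: %11x\n", $UsnInfo.UsnJournalID))
ConsoleWrite(StringFormat("lowUsn: %11x\n", $UsnInfo.FirstUsn))
ConsoleWrite(StringFormat("highUsn: %11x\n", $UsnInfo.NextUsn))

;step 05. Enumerate all records in USN Journal file
Global $MFT_ENUM_DATA = DllStructCreate('UINT64 StartFileReferenceNumber; UINT64 LowUsn; UINT64 HighUsn')
$MFT_ENUM_DATA.StartFileReferenceNumber = 0
$MFT_ENUM_DATA.LowUsn = 0
$MFT_ENUM_DATA.HighUsn = $UsnInfo.NextUsn
; USN_RECORD (v2).  TimeStamp is a 64-bit value, not a 32-bit long.  FileName is
; declared with a single element on purpose: the name is not NUL-terminated, so
; it is read below through FileNameOffset / FileNameLength (bytes).
Global $tagUSN_RECORD = 'dword RecordLength; word MajorVersion; word MinorVersion;' & _
        'UINT64 FileReferenceNumber; UINT64 ParentFileReferenceNumber; UINT64 Usn;' & _
        'INT64 TimeStamp; dword Reason; dword SourceInfo; dword SecurityId;' & _
        'dword FileAttributes; word FileNameLength; word FileNameOffset; wchar FileName'
Local $buffer = DllStructCreate('byte[4096]')
Local $usnDataSize = DllStructCreate('dword')
; the first 8 bytes of every reply are the USN to continue from
Local $tNextUsn = DllStructCreate('UINT64', DllStructGetPtr($buffer))
Local $iUsnSize = DllStructGetSize($tNextUsn)
Local $UsnRecord, $tName, $iReturned, $iPos, $iRecLen

While _DeviceIoControl($hVol, _
        $FSCTL_ENUM_USN_DATA, _
        DllStructGetPtr($MFT_ENUM_DATA), _
        DllStructGetSize($MFT_ENUM_DATA), _
        DllStructGetPtr($buffer), _
        DllStructGetSize($buffer), _
        DllStructGetPtr($usnDataSize), _
        Null)
    $iReturned = DllStructGetData($usnDataSize, 1)
    If $iReturned < $iUsnSize Then ExitLoop ; reply holds no record
    ;UsnRecord = (PUSN_RECORD)(((PCHAR)buffer) + sizeof(USN));
    ;How to format buffer data $buffer into $tagusnrecord structure style?
    ;-> overlay the record structure on the buffer at the record's address
    $iPos = $iUsnSize
    While $iPos < $iReturned
        $UsnRecord = DllStructCreate($tagUSN_RECORD, DllStructGetPtr($buffer) + $iPos)
        $iRecLen = $UsnRecord.RecordLength
        ; RecordLength drives the walk: a zero value would never terminate and an
        ; oversized one would read past the returned bytes
        If $iRecLen = 0 Or $iPos + $iRecLen > $iReturned Then ExitLoop
        If $UsnRecord.FileNameLength > 0 And $UsnRecord.FileNameOffset + $UsnRecord.FileNameLength <= $iRecLen Then
            $tName = DllStructCreate('wchar[' & Int($UsnRecord.FileNameLength / 2) & ']', DllStructGetPtr($UsnRecord) + $UsnRecord.FileNameOffset)
            ConsoleWrite(DllStructGetData($tName, 1) & @CRLF)
        EndIf
        $iPos += $iRecLen
    WEnd
    $MFT_ENUM_DATA.StartFileReferenceNumber = DllStructGetData($tNextUsn, 1)
WEnd
; release the DLL handle and the volume handle once, after the loop (the
; original closed kernel32 inside the loop and never closed the volume)
DllClose($kernel32)
_WinAPI_CloseHandle($hVol)

; Thin wrapper around kernel32!DeviceIoControl that takes raw pointers so the
; bytes-returned count can be read back through $lpBytesReturned.
; Returns the BOOL result of the call; on a DllCall failure returns False and
; sets @error.
Func _DeviceIoControl($hDevice, $iControlCode, $pInBuffer, $iInBufferSize, $pOutBuffer, $iOutBufferSize, $lpBytesReturned, $lpOverlapped)
    Local $aRet = DllCall($kernel32, 'bool', 'DeviceIoControl', _
            'handle', $hDevice, _
            'dword', $iControlCode, _
            'ptr', $pInBuffer, _
            'dword', $iInBufferSize, _
            'ptr', $pOutBuffer, _
            'dword', $iOutBufferSize, _
            'ptr', $lpBytesReturned, _
            'ptr', $lpOverlapped)
    If @error Then Return SetError(@error, @extended, False)
    Return $aRet[0]
EndFunc   ;==>_DeviceIoControl

// ---- C++ listing the AutoIt script above was converted from ----
#include <iostream>
#include <Windows.h>
#include <fstream>
using namespace std;
char* volName = "e:\\";
HANDLE hVol;
USN_JOURNAL_DATA UsnInfo;
#define BUF_LEN 4096
ofstream fout("d:\\log.txt");
long counter = 0;
int main() {
    bool status;
    bool isNTFS = false;
    bool getHandleSuccess = false;
    bool initUsnJournalSuccess = false;
    /**
     * step 01. Determine whether the drive disk is in NTFS format
     * msdn:http://msdn.microsoft.com/en-us/library/aa364993%28VS.85%29.aspx
     */
    char sysNameBuf[MAX_PATH] = { 0 };
    status = GetVolumeInformationA(volName, NULL, 0, NULL, NULL, NULL, sysNameBuf, MAX_PATH);
    if (0 != status) {
        printf("File System Name: %s\n", sysNameBuf);
        if (0 == strcmp(sysNameBuf, "NTFS")) {
            isNTFS = true;
        } else {
            printf("This drive is not in NTFS format\n");
        }
    }
    if (isNTFS) {
        /**
         * step 02.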
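Get driver handle
         * msdn:http://msdn.microsoft.com/en-us/library/aa363858%28VS.85%29.aspx
         */
        char fileName[MAX_PATH];
        fileName[0] = '\0';
        strcpy_s(fileName, "\\\\.\\");
        strcat_s(fileName, volName);
        string fileNameStr = (string)fileName;
        fileNameStr.erase(fileNameStr.find_last_of(":") + 1);
        printf("Drive Disk Address: %s\n", fileNameStr.data());
        //Administrator permission is required to call this function
        // The volume is opened for write because steps 03 and 06 modify the
        // change journal (create / delete), not just read it.
        hVol = CreateFileA(fileNameStr.data(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_READONLY, NULL);
        if (INVALID_HANDLE_VALUE != hVol) {
            getHandleSuccess = true;
        } else {
            printf("Failed to get driver handle");
        }
    }
    if (getHandleSuccess) {
        /**
         * step 03. Initialize USN Journal file
         * msdn:http://msdn.microsoft.com/en-us/library/aa364558%28v=VS.85%29.aspx
         */
        DWORD br;
        CREATE_USN_JOURNAL_DATA cujd;
        cujd.MaximumSize = 0;
        cujd.AllocationDelta = 0;
        status = DeviceIoControl(hVol, FSCTL_CREATE_USN_JOURNAL, &cujd, sizeof(cujd), NULL, 0, &br, NULL);
        if (0 != status) {
            initUsnJournalSuccess = true;
        } else {
            printf("Errer to initialize USN Journal file —— status:%x error:%d\n", status, GetLastError());
        }
    }
    if (initUsnJournalSuccess) {
        bool getBasicInfoSuccess = false;
        /**
         * step 04. Get basic information of USN Journal
         * msdn:http://msdn.microsoft.com/en-us/library/aa364583%28v=VS.85%29.aspx
         */
        DWORD br;
        status = DeviceIoControl(hVol, FSCTL_QUERY_USN_JOURNAL, NULL, 0, &UsnInfo, sizeof(USN_JOURNAL_DATA), &br, NULL);
        if (0 != status) {
            getBasicInfoSuccess = true;
        } else {
            printf("Failed to get basic information of USN Journal —— status:%x error:%d\n", status, GetLastError());
        }
        if (getBasicInfoSuccess) {
            printf("UsnJournalID: %llx\n", UsnInfo.UsnJournalID);
            printf("lowUsn: %llx\n", UsnInfo.FirstUsn);
            printf("highUsn: %llx\n", UsnInfo.NextUsn);
            /**
             * step 05. Enumerate all records in USN Journal file
             * msdn:http://msdn.microsoft.com/en-us/library/aa364563%28v=VS.85%29.aspx
             */
            // from MSDN
            // On the first call, set the starting point, the StartFileReferenceNumber member of the MFT_ENUM_DATA structure, to (DWORDLONG)0.
            // Each call to FSCTL_ENUM_USN_DATA retrieves the starting point for the subsequent call as the first entry in the output buffer.
            MFT_ENUM_DATA_V0 med;
            med.StartFileReferenceNumber = 0;
            med.LowUsn = 0;
            med.HighUsn = UsnInfo.NextUsn;
            CHAR buffer[BUF_LEN];
            DWORD usnDataSize;
            PUSN_RECORD UsnRecord;
            // smallest record that still holds a complete fixed header
            const DWORD minRecord = (DWORD)FIELD_OFFSET(USN_RECORD, FileName);
            while (0 != DeviceIoControl(hVol, FSCTL_ENUM_USN_DATA, &med, sizeof(med), buffer, BUF_LEN, &usnDataSize, NULL)) {
                // from MSDN(http://msdn.microsoft.com/en-us/library/aa365736%28v=VS.85%29.aspx):
                // return a USN followed by zero or more change journal records, each in a USN_RECORD structure.
                // A reply shorter than one USN carries no record; subtracting
                // sizeof(USN) from it would underflow dwRetBytes.
                if (usnDataSize < sizeof(USN)) {
                    break;
                }
                DWORD dwRetBytes = usnDataSize - sizeof(USN);
                // First USN Journal record found
                UsnRecord = (PUSN_RECORD)(((PCHAR)buffer) + sizeof(USN));
                printf("**********************************\n");
                while (dwRetBytes > 0) {
                    // Validate the record before using its fields: RecordLength drives
                    // the walk, so a zero or oversized value would loop forever or read
                    // past the bytes the driver returned.
                    if (dwRetBytes < minRecord) {
                        break;
                    }
                    const DWORD recordLen = UsnRecord->RecordLength;
                    if (recordLen < minRecord || recordLen > dwRetBytes) {
                        break;
                    }
                    const DWORD nameBytes = UsnRecord->FileNameLength;   // length in bytes
                    const DWORD nameOffset = UsnRecord->FileNameOffset;  // from the record start
                    if (nameOffset + nameBytes > recordLen) {
                        break;
                    }
                    // The name is not NUL-terminated, so its character count is passed
                    // explicitly.  cbMultiByte must be the destination size: the original
                    // passed the source length there, which overflowed the MAX_PATH stack
                    // buffer for any name longer than MAX_PATH bytes.  The buffer allows
                    // two bytes per character, one byte is kept for the terminator.
                    char fileName[MAX_PATH * 2] = { 0 };
                    const PCWSTR wideName = (PCWSTR)(((PCHAR)UsnRecord) + nameOffset);
                    WideCharToMultiByte(CP_OEMCP, 0, wideName, (int)(nameBytes / sizeof(WCHAR)), fileName, (int)sizeof(fileName) - 1, NULL, NULL);
                    printf("FileName: %s\n", fileName);
                    printf("FileReferenceNumber: %llx\n", UsnRecord->FileReferenceNumber);
                    printf("ParentFileReferenceNumber: %llx\n", UsnRecord->ParentFileReferenceNumber);
                    printf("\n");
                    // every file name on the volume ends up in this log file in the clear
                    fout << "FileName:" << fileName << endl;
                    fout << "frn:" << UsnRecord->FileReferenceNumber << endl;
                    fout << "pfrn:" << UsnRecord->ParentFileReferenceNumber << endl;
                    fout << endl;
                    counter++;
                    // Get next record
                    dwRetBytes -= recordLen;
                    UsnRecord = (PUSN_RECORD)(((PCHAR)UsnRecord) + recordLen);
                }
                //To get the data on the next page, MTF is probably stored in multiple pages, right?
                // from MSDN(http://msdn.microsoft.com/en-us/library/aa365736%28v=VS.85%29.aspx):
                // The USN returned as the first item in the output buffer is the USN of the next record number to be retrieved.
                // Use this value to continue reading records from the end boundary forward.
                med.StartFileReferenceNumber = *(USN*)&buffer;
            }
            printf("Total File %d\n", counter);
            fout << "Total File " << counter << endl;
            fout << flush;
            fout.close();
        }
        /**
         * step 06. Delete USN Journal file
         * msdn:http://msdn.microsoft.com/en-us/library/aa364561%28v=VS.85%29.aspx
         */
        // This discards the volume's entire change journal, not only the records
        // read above: every other consumer of the journal (indexing, backup and
        // change-tracking tools) loses its history.  On a volume that already had a
        // journal before step 03 this step is presumably not wanted.
        DELETE_USN_JOURNAL_DATA dujd;
        dujd.UsnJournalID = UsnInfo.UsnJournalID;
        dujd.DeleteFlags = USN_DELETE_FLAG_DELETE;
        status = DeviceIoControl(hVol, FSCTL_DELETE_USN_JOURNAL, &dujd, sizeof(dujd), NULL, 0, &br, NULL);
        if (0 != status) {
            printf("USN Journal file deleted successfully!\n");
        } else {
            printf("Failed to delete USN Journal file —— status:%x error:%d\n", status, GetLastError());
        }
    }
    // Release resources
    if (getHandleSuccess) {
        CloseHandle(hVol);
    }
    return 0;
}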
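; UEZ — posted May 28, 2020 (edited May 29, 2020: "Small code update"): What I did so far:
#RequireAdmin=y
#include <Array.au3>
#include <WinAPIFiles.au3>
#include <WinAPIHObj.au3>

; Lists file names from the NTFS change journal of $VolName.  Runs elevated:
; the volume device is opened for write, the journal is created when the
; volume has none (step 03) and deleted again at the end (step 06).
Global $VolName = "c:"
Global Const $BUF_LEN = 4096

;step 01. Determine whether the drive disk is in NTFS format
; query the same volume that is opened in step 02 (the original called
; _WinAPI_GetVolumeInformation() without a root, i.e. the current volume)
Global $aData = _WinAPI_GetVolumeInformation($VolName & "\")
If @error Or UBound($aData) < 5 Then Exit MsgBox($MB_ICONERROR, "ERROR", "Cannot read volume information for " & $VolName)
If $aData[4] <> "NTFS" Then Exit MsgBox($MB_ICONERROR, "ERROR", "This drive is not in NTFS format.")

;step 02. Get driver handle
Global $hVol = _WinAPI_CreateFileEx("\\.\" & $VolName, _
        $OPEN_EXISTING, _
        BitOR($GENERIC_READ, $GENERIC_WRITE), _
        BitOR($FILE_SHARE_READ, $FILE_SHARE_WRITE), _
        $FILE_ATTRIBUTE_READONLY)
If $hVol Then
    ;step 03. Initialize USN Journal file
    Global $tCREATE_USN_JOURNAL_DATA = DllStructCreate("uint64 MaximumSize;uint64 AllocationDelta")
    If Not _WinAPI_DeviceIoControl($hVol, _
            $FSCTL_CREATE_USN_JOURNAL, _
            $tCREATE_USN_JOURNAL_DATA, _
            DllStructGetSize($tCREATE_USN_JOURNAL_DATA)) Then
        ConsoleWrite(_WinAPI_GetLastErrorMessage() & @CRLF)
        _WinAPI_CloseHandle($hVol)
        Exit MsgBox($MB_ICONERROR, "ERROR", "Error to initialize USN Journal file")
    EndIf

    ;step 04. Get basic information of USN Journal
    Global $tUSN_JOURNAL_DATA = DllStructCreate("uint64 UsnJournalID;int64 FirstUsn;int64 NextUsn;int64 LowestValidUsn;int64 MaxUsn;uint64 MaximumSize;uint64 AllocationDelta")
    If Not _WinAPI_DeviceIoControl($hVol, _
            $FSCTL_QUERY_USN_JOURNAL, _
            Null, _
            0, _
            $tUSN_JOURNAL_DATA, _
            DllStructGetSize($tUSN_JOURNAL_DATA)) Then
        ConsoleWrite(_WinAPI_GetLastErrorMessage() & @CRLF)
        _WinAPI_CloseHandle($hVol)
        Exit MsgBox($MB_ICONERROR, "ERROR", "Failed to get basic information of USN Journal")
    EndIf
    ConsoleWrite("UsnJournalID: " & $tUSN_JOURNAL_DATA.UsnJournalID & @CRLF)
    ConsoleWrite("lowUsn: " & $tUSN_JOURNAL_DATA.FirstUsn & @CRLF)
    ConsoleWrite("highUsn: " & $tUSN_JOURNAL_DATA.NextUsn & @CRLF)

    ;step 05. Enumerate all records in USN Journal file
    Global $tMFT_ENUM_DATA_V0 = DllStructCreate("uint64 StartFileReferenceNumber;int64 LowUsn;int64 HighUsn")
    With $tMFT_ENUM_DATA_V0
        .StartFileReferenceNumber = 0
        .LowUsn = 0
        .HighUsn = $tUSN_JOURNAL_DATA.NextUsn
    EndWith
    Global $usnDataSize, $dwRetBytes = 0, $iRecLen, $tUsnRecord, $tName
    ; USN_RECORD_V2.  FileName is declared with a single element on purpose: the
    ; name is not NUL-terminated, so it is read through FileNameOffset /
    ; FileNameLength (bytes) below.  The original declared wchar[260] and read it
    ; as a string, which does not stop at the end of the name.
    Global $tagPUSN_RECORD_V2 = "dword RecordLength;word MajorVersion;word MinorVersion;uint64 FileReferenceNumber;uint64 ParentFileReferenceNumber;" & _
            "int64 Usn;int64 TimeStamp;dword Reason;dword SourceInfo;dword SecurityId;dword FileAttributes;word FileNameLength;" & _
            "word FileNameOffset;wchar FileName"
    Global $tBuffer = DllStructCreate("byte data[" & $BUF_LEN & "]")
    ; the first 8 bytes of each reply are the USN to continue from
    Global $tUSN = DllStructCreate("int64 Usn", DllStructGetPtr($tBuffer))
    Global $iUsnSize = DllStructGetSize($tUSN)
    Global $iJFCount = 0
    While _WinAPI_DeviceIoControl($hVol, _
            $FSCTL_ENUM_USN_DATA, _
            $tMFT_ENUM_DATA_V0, _
            DllStructGetSize($tMFT_ENUM_DATA_V0), _
            $tBuffer, _
            DllStructGetSize($tBuffer))
        $usnDataSize = @extended
        If $usnDataSize < $iUsnSize Then ExitLoop ; reply holds no record
        $dwRetBytes = $usnDataSize - $iUsnSize
        $tUsnRecord = DllStructCreate($tagPUSN_RECORD_V2, DllStructGetPtr($tBuffer) + $iUsnSize)
        While $dwRetBytes > 0
            $iRecLen = $tUsnRecord.RecordLength
            ; RecordLength drives the walk: a zero value would never terminate and an
            ; oversized one would read past the returned bytes
            If $iRecLen = 0 Or $iRecLen > $dwRetBytes Then ExitLoop
            If $tUsnRecord.FileNameLength > 0 And $tUsnRecord.FileNameOffset + $tUsnRecord.FileNameLength <= $iRecLen Then
                $tName = DllStructCreate("wchar[" & Int($tUsnRecord.FileNameLength / 2) & "]", DllStructGetPtr($tUsnRecord) + $tUsnRecord.FileNameOffset)
                ConsoleWrite(DllStructGetData($tName, 1) & @CRLF)
            EndIf
            $dwRetBytes -= $iRecLen
            $tUsnRecord = DllStructCreate($tagPUSN_RECORD_V2, DllStructGetPtr($tUsnRecord) + $iRecLen)
            $iJFCount += 1
        WEnd
        ; the struct's element is named Usn; the original read `.ptr`, which names
        ; no element of $tUSN
        $tMFT_ENUM_DATA_V0.StartFileReferenceNumber = $tUSN.Usn
        If $iJFCount > 1000 Then ExitLoop ;don't list all files
    WEnd

    ;step 06. Delete USN Journal file
    ; This removes the volume's entire change journal, not only the records
    ; listed above; every other consumer of the journal loses its history.
    Global Const $USN_DELETE_FLAG_DELETE = 1
    Global $tDELETE_USN_JOURNAL_DATA = DllStructCreate("uint64 UsnJournalID;dword DeleteFlags")
    With $tDELETE_USN_JOURNAL_DATA
        .UsnJournalID = $tUSN_JOURNAL_DATA.UsnJournalID
        .DeleteFlags = $USN_DELETE_FLAG_DELETE
    EndWith
    If Not _WinAPI_DeviceIoControl($hVol, _
            $FSCTL_DELETE_USN_JOURNAL, _
            $tDELETE_USN_JOURNAL_DATA, _
            DllStructGetSize($tDELETE_USN_JOURNAL_DATA)) Then
        ConsoleWrite(_WinAPI_GetLastErrorMessage() & @CRLF)
        MsgBox($MB_ICONERROR, "ERROR", "Failed to delete USN Journal file")
    EndIf
    _WinAPI_CloseHandle($hVol)
    ConsoleWrite("Journal files count = " & $iJFCount & @CRLF)
EndIf
; Seems to run but I'm not sure if output is valid...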
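; Nine — posted May 28, 2020 (edited May 28, 2020 by Nine): Looks good to me :
#include <Array.au3>
#include <WinAPIFiles.au3>
#include <WinAPIMem.au3>
#include <WinAPIConv.au3>
#include <WinAPIHObj.au3>

; Prints every file name stored in the NTFS change journal of E:.  The volume
; device is opened for write and FSCTL_CREATE_USN_JOURNAL creates the journal
; when the volume has none, so this runs elevated.  The journal is left in
; place afterwards (there is no FSCTL_DELETE_USN_JOURNAL step here).
Local $kernel32 = DllOpen('kernel32.dll')
Local $USN_JOURNAL_DATA = 'UINT64 UsnJournalID;INT64 FirstUsn;INT64 NextUsn;INT64 LowestValidUsn;INT64 MaxUsn;UINT64 MaximumSize;' & _
        'UINT64 AllocationDelta; WORD MinSupportedMajorVersion;WORD MaxSupportedMajorVersion'

;step 01. Determine whether the drive disk is in NTFS format
Local $aRet = _WinAPI_GetVolumeInformation('E:\')
; element 4 is the file-system name, so five elements are needed (the original
; test `< 4` let a four-element array through and then read past its end)
If UBound($aRet) < 5 Then Exit MsgBox($MB_SYSTEMMODAL, "", "Error on drive e:")
If $aRet[4] <> 'NTFS' Then Exit MsgBox($MB_SYSTEMMODAL, "", 'This drive is not in NTFS format')

;step 02. Get driver handle
; NOTE(review): _WinAPI_CreateFile takes its own 0..4 creation code (2 = open
; existing), not a Win32 CreateFile constant; the first post passed 2 here.
; Kept as posted — confirm which creation mode is intended.
Local $hVol = _WinAPI_CreateFile("\\.\E:", $OPEN_EXISTING, 7, 7)
If $hVol = 0 Then Exit MsgBox($MB_SYSTEMMODAL, "", 'Failed to get driver handle')

;step 03. Initialize USN Journal file
Local $cujd = DllStructCreate('UINT64 MaximumSize;UINT64 AllocationDelta;')
$cujd.MaximumSize = 0
$cujd.AllocationDelta = 0
$aRet = _WinAPI_DeviceIoControl($hVol, $FSCTL_CREATE_USN_JOURNAL, DllStructGetPtr($cujd), DllStructGetSize($cujd))
If Not $aRet Then Exit MsgBox($MB_SYSTEMMODAL, "", 'Errer to initialize USN Journal file')

;step 04. Get basic information of USN Journal
Local $UsnInfo = DllStructCreate($USN_JOURNAL_DATA)
$aRet = _WinAPI_DeviceIoControl($hVol, $FSCTL_QUERY_USN_JOURNAL, Null, 0, DllStructGetPtr($UsnInfo), DllStructGetSize($UsnInfo))
If Not $aRet Then Exit MsgBox($MB_SYSTEMMODAL, "", StringFormat("Failed to get basic information of USN Journal —— status:%x error:%d\n", $aRet, _WinAPI_GetLastError()))
ConsoleWrite("Number of bytes returned = " & @extended & @CRLF)
ConsoleWrite(StringFormat("UsnJournalID: %11x\n", $UsnInfo.UsnJournalID))
ConsoleWrite(StringFormat("lowUsn: %11x\n", $UsnInfo.FirstUsn))
ConsoleWrite(StringFormat("highUsn: %11x\n", $UsnInfo.NextUsn))

;step 05. Enumerate all records in USN Journal file
Local $MFT_ENUM_DATA = DllStructCreate('UINT64 StartFileReferenceNumber; UINT64 LowUsn; UINT64 HighUsn')
$MFT_ENUM_DATA.StartFileReferenceNumber = 0
$MFT_ENUM_DATA.LowUsn = 0
$MFT_ENUM_DATA.HighUsn = $UsnInfo.NextUsn
Local $buffer = DllStructCreate('byte[4096]')
; the first 8 bytes of every reply are the USN to continue from
Local $USN = DllStructCreate('UINT64 ptr', DllStructGetPtr($buffer))
; USN_RECORD_V2; FileName is not NUL-terminated, FileNameLength (bytes) bounds it
Local $tagUSN_RECORD = "dword RecordLength;word MajorVersion;word MinorVersion;uint64 FileReferenceNumber;uint64 ParentFileReferenceNumber;" & _
        "uint64 Usn;uint64 TimeStamp;dword Reason;dword SourceInfo;dword SecurityId;dword FileAttributes;word FileNameLength;" & _
        "word FileNameOffset;wchar FileName[256]"
Local $iLength, $iPos, $iRecLen, $tPUSN_RECORD, $sFileName, $iCount = 0
While _WinAPI_DeviceIoControl($hVol, $FSCTL_ENUM_USN_DATA, $MFT_ENUM_DATA, DllStructGetSize($MFT_ENUM_DATA), $buffer, DllStructGetSize($buffer))
    $iLength = @extended
    $iCount += 1
    ConsoleWrite("Length / Count = " & $iLength & "/" & $iCount & @CRLF)
    $iPos = DllStructGetSize($USN)
    While $iPos < $iLength
        $tPUSN_RECORD = DllStructCreate($tagUSN_RECORD, DllStructGetPtr($buffer) + $iPos)
        $iRecLen = $tPUSN_RECORD.RecordLength
        ; RecordLength drives the walk: a zero value would never terminate and an
        ; oversized one would read past the returned bytes
        If $iRecLen = 0 Or $iPos + $iRecLen > $iLength Then ExitLoop
        $sFileName = ""
        For $i = 1 To $tPUSN_RECORD.FileNameLength / 2
            $sFileName &= DllStructGetData($tPUSN_RECORD, "FileName", $i)
        Next
        ConsoleWrite($sFileName & @CRLF)
        $iPos += $iRecLen
    WEnd
    $MFT_ENUM_DATA.StartFileReferenceNumber = $USN.ptr
WEnd
DllClose($kernel32)
ConsoleWrite("closing " & _WinAPI_CloseHandle($hVol) & @CRLF)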
subtlelonging Posted May 29, 2020 (Author): @UEZ, @Nine — Very good, thank you very much!