mft.ParseDataRuns returns invalid values

[shen1l]

• in "padTo" function , I don't get the point of filling 0xff to the return value. maybe you should jsut remove it

func ParseDataRuns(b []byte) ([]DataRun, error) {
	...
	dataLength := binary.LittleEndian.Uint64(padTo(lengthBytes, 8))
	....
	dataOffset := int64(binary.LittleEndian.Uint64(padTo(offsetBytes, 8)))
}

func padTo(data []byte, length int) []byte {
        ..... 
	if data[len(data)-1]&0b10000000 == 0b10000000 {
		for i := len(data); i < length; i++ {
			result[i] = 0xFF
		}
	}
	return result
}

[t9t]

Hi @shen1l thanks for taking the time to create an issue and I'm sorry that I didn't get the chance to look into it and write a reply. Could you maybe help me and mention what you found out as to close the issue?

The padding is necessary to ensure the byte slice is 8 bytes (64 bits) long before converting from little endian. If you put fewer than 8 bytes into binary.LittleEndian.Uint64 it will produce an error. A lot of the numbers in the MFT are stored in fewer than 8 bytes (sometimes even pretty odd numbers, like 3 bytes).

[haobaojiang]

@t9t Sorry, I closed the issue coz I endup using any third-part parser to do the thing I am working on, I am now using windows API "DeviceIoControl" with ioctl code "fsctl_get_retrieval_pointers" "fsctl get_ntfs_file record" to do the work.

Here was my trouble case,I used ParseDataRuns->DataRunsToFragments. from the return values I found that on fragment offset is very large which is 60gb ,but my volume is 6gb size only, I don't know where went wrong.

type Fragment struct {
	Offset int64         // the value of this field exceeded the whole volume size 
	Length int64
}