manageiq-smartstate 0.1.0

data/lib/fs/ntfs/attrib_header.rb

@@ -0,0 +1,194 @@
+require 'binary_struct'
+require 'util/miq-unicode'
+require 'fs/ntfs/utils'
+require 'fs/ntfs/attrib_type'
+
+module NTFS
+  # Standard attribute header.
+  # Each attribute begins with one of these.
+  STANDARD_ATTRIBUTE_HEADER = BinaryStruct.new([
+    'L',  'attrib_type',      # The (32-bit) type of the attribute
+    'L',  'length',           # Byte size of the resident part of the attribute
+    # (aligned to 8-byte boundary).  Used to get to the next attribute
+    'C',  'non_resident',     # If 0, attribute is resident.
+    # If 1, attribute is non-resident
+    'C',  'name_length',      # Unicode character size of name of attribute.
+    # 0 if unnamed
+    'S',  'name_offset',      # If name_length != 0, the byte offset to the beginning of the name
+    # from the attribute record. Note that the name is stored as a
+    # Unicode string.
+    'S',  'flags',            # Attribute flags (see AF_ below)
+    'S',  'attrib_id',        # The instance of this attribute record. This number is unique within this mft record
+  ])
+  SIZEOF_STANDARD_ATTRIBUTE_HEADER = STANDARD_ATTRIBUTE_HEADER.size
+
+  # The standard attribute header continues with one of the following two
+  # structs depending on whether the attribute is resident or non-resident.
+
+  # The resident struct.
+  SAH_RESIDENT = BinaryStruct.new([
+    'L',  'value_length',     # Byte size of attribute value
+    'S',  'value_offset',     # Byte offset of the attribute value from the start of the attribute record
+    'C',  'resident_flags',   # Flags of resident attributes (8-bit)
+    'C',  nil,                # Reserved/alignment to 8-byte boundary
+  ])
+  SIZEOF_SAH_RESIDENT = SAH_RESIDENT.size
+
+  # The non-resident struct.
+  SAH_NONRESIDENT = BinaryStruct.new([
+    'Q',  'first_vcn',        # Lowest valid virtual cluster number for this portion of the attribute value
+    # or 0 if this is the only extent (usually the case). - Only when an attribute
+    # list is used does lowest_vcn != 0 ever occur
+    'Q',  'last_vcn',         # Highest valid vcn of this extent of the attribute value. - Usually there is
+    # only one portion, so this usually equals the attribute value size in clusters
+    # minus 1. Can be -1 for zero length files. Can be 0 for "single extent" attributes
+    'S',  'mapping_pairs_offset', # Byte offset from the beginning of the structure to the mapping pairs array
+    # which contains the mappings between the vcns and the logical cluster numbers (lcns).
+    # When creating, place this at the end of this record header aligned to 8-byte boundary.
+    'S',  'compression_unit', # The compression unit expressed as the log to the base 2 of the number of
+    # clusters in a compression unit. 0 means not compressed. (This effectively limits the
+    # compression unit size to be a power of two clusters.) WinNT4 only uses a value of 4.
+    'L',  nil,                # Align to 8-byte boundary
+
+    # The sizes below are only used when lowest_vcn is zero, as otherwise it would
+    # be difficult to keep them up-to-date.
+
+    'Q',  'allocated_size',   # Byte size of disk space allocated to hold the attribute value. Always is a
+    # multiple of the cluster size. When a file is compressed, this field is a
+    # multiple of the compression block size (2^compression_unit) and it
+    # represents the logically allocated space rather than the actual on disk usage.
+    'Q',  'data_size',        # Byte size of the attribute value.
+    # Can be larger than allocated_size if attribute value is compressed or sparse
+    'Q',  'initialized_size', # Byte size of initialized portion of the attribute value. Usually equals data_size
+  ])
+  # If the attribute is named (name_length is not 0), then the name (in UNICODE) follows here.
+  # Here follows the attribute data (if resident) or the data runs (if non-resident).
+  SIZEOF_SAH_NONRESIDENT = SAH_NONRESIDENT.size
+
+  # One Attribute Header.
+  class AttribHeader
+    attr_reader :name, :type, :typeName, :flags, :id, :length, :specific, :namelen
+
+    AF_COMPRESSED  = 0x0001
+    AF_ENCRPYTED   = 0x4000
+    AF_SPARSE      = 0x8000
+
+    RESIDENT_ATTR_IS_INDEXED = 0x01 # Attribute is referenced in an index
+    # (has implications for deleting and modifying the attribute).
+
+    # NOTE: All the subordinate objects (attrib header & attributes) take
+    #       a buffer (a packed string) starting at the start of the sub object.
+    def initialize(buf)
+      raise "MIQ(NTFS::AttribHeader.initialize) Nil buffer" if buf.nil?
+
+      # Decode standard attribute header.
+      @header = STANDARD_ATTRIBUTE_HEADER.decode(buf)
+      offset  = SIZEOF_STANDARD_ATTRIBUTE_HEADER
+
+      # If type is AT_END we're done.
+      return nil if @header['attrib_type'] == AT_END
+
+      # Get accessor values.
+      @length  = @header['length']
+      @id      = @header['attrib_id']
+      @flags   = @header['flags']
+      @type    = @header['attrib_type']
+      @namelen = @header['name_length']
+
+      # Get the rest of the data (a resident or non-resident struct).
+      which = isResident? ? SAH_RESIDENT : SAH_NONRESIDENT
+      len   = isResident? ? SIZEOF_SAH_RESIDENT : SIZEOF_SAH_NONRESIDENT
+      @specific = which.decode(buf[offset..-1])
+      offset += len
+
+      # If there's a name get it.
+      @name = buf[offset, (@namelen * 2)].UnicodeToUtf8  if @namelen != 0
+    end
+
+    def get_value(buf, boot_sector)
+      # Prep a buffer to pass to subobjects.
+      if isResident?
+        # Resident attributes are after header res struct & name.
+        abuf = buf[@specific['value_offset'], @specific['value_length']]
+      else
+        # Nonresident attributes are defined by data runs.
+        alen = @specific['data_size']
+        alen = buf.size if alen == 0
+        abuf = DataRun.new(boot_sector, buf[@specific['mapping_pairs_offset'], alen], self)
+      end
+
+      abuf
+    end
+
+    # Name will always be something, either name or N/A
+    def to_s
+      @name.nil? ? 'N/A' : @name
+    end
+
+    def isResident?
+      @header['non_resident'] == 0
+    end
+
+    def typeName
+      TypeName[@header['attrib_type']]
+    end
+
+    def isCompressed?
+      NTFS::Utils.gotBit?(@flags, AF_COMPRESSED)
+    end
+
+    def isEncrypted?
+      NTFS::Utils.gotBit?(@flags, AF_ENCRYPTED)
+    end
+
+    def isSparse?
+      NTFS::Utils.gotBit?(@flags, AF_SPARSE)
+    end
+
+    ######################################################################################################
+    # The $I30 is the a "file" name given to NTFS MFT attributes containing file
+    # name indexes for directories. NTFS stores the file name contents of the
+    # directory in several places, depending on the number of files in the directory:
+    #
+    # - For directories with just a few files, all are stored resident in the MFT entry $INDEX_ROOT
+    # - For directories with many files, the indexes are stored non-resident in the MFT entry $INDEX_ALLOCATION
+    # - The allocation status of these entries are managed by the $BITMAP MFT entry
+    #
+    # NTFS uses B-tree structures to store and quickly access the data. So, the $INDEX_ROOT attribute
+    # (with a name of $I30) was not large enough to store the B-tree index of file names. Instead, it
+    # points to index records stored in the non-resident $INDEX_ALLOCATION. Viewing the contents of that
+    # file, the B-tree index of file names in the directory.
+    ######################################################################################################
+    def containsFileNameIndexes?
+      name == "$I30"
+    end
+
+    def dump
+      out = "\#<#{self.class}:0x#{'%08x' % object_id}>\n"
+      out << "  Type             : 0x#{'%08x' % @header['attrib_type']} (#{typeName})\n"
+      out << "  Length           : 0x#{'%08x' % @header['length']}\n"
+      out << "  Non resident     : 0x#{'%02x' % @header['non_resident']}\n"
+      out << "  Name length      : 0x#{'%02x' % @header['name_length']}\n"
+      out << "  Offset to name   : 0x#{'%04x' % @header['name_offset']}\n"
+      out << "  Flags            : 0x#{'%04x' % @header['flags']}\n"
+      out << "  Attrib id        : 0x#{'%04x' % @header['attrib_id']}\n"
+
+      # Further depends on type.
+      if self.isResident?
+        out << "  Value length     : 0x#{'%08x' % @specific['value_length']}\n"
+        out << "  Value offset     : 0x#{'%04x' % @specific['value_offset']}\n"
+        out << "  Resident Flags   : 0x#{'%02x' % @specific['resident_flags']}\n"
+      else
+        out << "  First VCN        : 0x#{'%016x' % @specific['first_vcn']}\n"
+        out << "  Last VCN         : 0x#{'%016x' % @specific['last_vcn']}\n"
+        out << "  Mapping Pairs Offset: 0x#{'%04x' % @specific['mapping_pairs_offset']}\n"
+        out << "  Compression      : 0x#{'%04x' % @specific['compression_unit']}\n"
+        out << "  Allocated size   : 0x#{'%016x' % @specific['allocated_size']}\n"
+        out << "  Data size        : 0x#{'%016x' % @specific['data_size']}\n"
+        out << "  Initialized size : 0x#{'%016x' % @specific['initialized_size']}\n"
+      end
+      out << "  Name             : #{@name}\n" if @header['name_length'] > 0
+      out << "---\n"
+    end
+  end
+end # module NTFS

data/lib/fs/ntfs/attrib_index_allocation.rb

@@ -0,0 +1,19 @@
+module NTFS
+  class IndexAllocation
+    def self.create_from_header(header, buf)
+      return IndexAllocation.new(buf, header) if header.containsFileNameIndexes?
+      $log.debug("Skipping #{header.typeName} for name <#{header.name}>") if $log
+      nil
+    end
+
+    attr_reader :data_run, :header
+
+    def initialize(buf, header)
+      raise "MIQ(NTFS::IndexAllocation.initialize) Buffer must be DataRun (passed #{buf.class.name})"          unless buf.kind_of?(DataRun)
+      raise "MIQ(NTFS::IndexAllocation.initialize) Header must be AttribHeader (passed #{header.class.name})"  unless header.kind_of?(NTFS::AttribHeader)
+
+      @data_run = buf
+      @header   = header
+    end
+  end
+end

data/lib/fs/ntfs/attrib_index_root.rb

@@ -0,0 +1,247 @@
+require 'binary_struct'
+require 'util/miq-unicode'
+require 'fs/ntfs/index_node_header'
+require 'fs/ntfs/directory_index_node'
+require 'fs/ntfs/index_record_header'
+
+module NTFS
+  #
+  # INDEX_ROOT - Attribute: Index root (0x90).
+  #
+  # NOTE: Always resident.
+  #
+  # This is followed by a sequence of index entries (INDEX_ENTRY structures)
+  # as described by the index header.
+  #
+  # When a directory is small enough to fit inside the index root then this
+  # is the only attribute describing the directory. When the directory is too
+  # large to fit in the index root, on the other hand, two additional attributes
+  # are present: an index allocation attribute, containing sub-nodes of the B+
+  # directory tree (see below), and a bitmap attribute, describing which virtual
+  # cluster numbers (vcns) in the index allocation attribute are in use by an
+  # index block.
+  #
+  # NOTE: The root directory (FILE_root) contains an entry for itself. Other
+  # directories do not contain entries for themselves, though.
+  #
+
+  ATTRIB_INDEX_ROOT = BinaryStruct.new([
+    'L',  'type',                     # Type of the indexed attribute. Is FILE_NAME for directories, zero
+    # for view indexes. No other values allowed.
+    'L',  'collation_rule',           # Collation rule used to sort the index entries. If type is $FILE_NAME,
+    # this must be COLLATION_FILE_NAME
+    'L',  'index_block_size',         # Size of index block in bytes (in the index allocation attribute)
+    'C',  'clusters_per_index_block', # Size of index block in clusters (in the index allocation attribute),
+    # when an index block is >= than a cluster, otherwise sectors per index block
+    'a3', nil,                        # Reserved/align to 8-byte boundary
+  ])
+  # Here follows a node header.
+  SIZEOF_ATTRIB_INDEX_ROOT = ATTRIB_INDEX_ROOT.size
+
+  class IndexRoot
+    DEBUG_TRACE_FIND = false && $log
+
+    CT_BINARY   = 0x00000000  # Binary compare, MSB is first (does that mean big endian?)
+    CT_FILENAME = 0x00000001  # UNICODE strings.
+    CT_UNICODE  = 0x00000002  # UNICODE, upper case first.
+    CT_ULONG    = 0x00000010  # Standard ULONG, 32-bits little endian.
+    CT_SID      = 0x00000011  # Security identifier.
+    CT_SECHASH  = 0x00000012  # First security hash, then security identifier.
+    CT_ULONGS   = 0x00000013  # Set of ULONGS? (doc is unclear - indicates GUID).
+
+    def self.create_from_header(header, buf, bs)
+      return IndexRoot.new(buf, bs) if header.containsFileNameIndexes?
+      $log.debug("Skipping #{header.typeName} for name <#{header.name}>") if $log
+      nil
+    end
+
+    attr_reader :type, :nodeHeader, :index, :indexAlloc
+
+    def initialize(buf, boot_sector)
+      log_prefix = "MIQ(NTFS::IndexRoot.initialize)"
+
+      raise "#{log_prefix} Nil buffer"        if buf.nil?
+      raise "#{log_prefix} Nil boot sector"   if boot_sector.nil?
+
+      buf                = buf.read(buf.length) if buf.kind_of?(DataRun)
+      @air               = ATTRIB_INDEX_ROOT.decode(buf)
+      buf                = buf[SIZEOF_ATTRIB_INDEX_ROOT..-1]
+
+      # Get accessor data.
+      @type              = @air['type']
+      @collation_rule    = @air['collation_rule']
+      @byteSize          = @air['index_block_size']
+      @clusterSize       = @air['size_of_index_clus']
+
+      @boot_sector       = boot_sector
+
+      # Get node header & index.
+      @foundEntries      = {}
+      @indexNodeHeader   = IndexNodeHeader.new(buf)
+      @indexEntries      = cleanAllocEntries(DirectoryIndexNode.nodeFactory(buf[@indexNodeHeader.startEntries..-1]))
+      @indexAlloc        = {}
+    end
+
+    def to_s
+      @type.to_s
+    end
+
+    def allocations=(indexAllocations)
+      @indexAllocRuns = []
+      if @indexNodeHeader.hasChildren? && indexAllocations
+        indexAllocations.each { |alloc| @indexAllocRuns << [alloc.header, alloc.data_run] }
+      end
+      @indexAllocRuns
+    end
+
+    def bitmap=(bmp)
+      if @indexNodeHeader.hasChildren?
+        @bitmap = bmp.data.unpack("b#{bmp.length * 8}") unless bmp.nil?
+      end
+
+      @bitmap
+    end
+
+    # Find a name in this index.
+    def find(name)
+      log_prefix = "MIQ(NTFS::IndexRoot.find)"
+
+      name = name.downcase
+      $log.debug "#{log_prefix} Searching for [#{name}]" if DEBUG_TRACE_FIND
+      if @foundEntries.key?(name)
+        $log.debug "#{log_prefix} Found [#{name}] (cached)" if DEBUG_TRACE_FIND
+        return @foundEntries[name]
+      end
+
+      found = findInEntries(name, @indexEntries)
+      if found.nil?
+        # Fallback to full directory search if not found
+        $log.debug "#{log_prefix} [#{name}] not found.  Performing full directory scan." if $log
+        found = findBackup(name)
+        $log.send(found.nil? ? :debug : :warn, "#{log_prefix} [#{name}] #{found.nil? ? "not " : ""}found in full directory scan.")  if $log
+      end
+      found
+    end
+
+    # Return all names in this index as a sorted string array.
+    def globNames
+      @globNames = globEntries.collect { |e| e.namespace == NTFS::FileName::NS_DOS ? nil : e.name.downcase }.compact if @globNames.nil?
+      @globNames
+    end
+
+    def findInEntries(name, entries)
+      log_prefix = "MIQ(NTFS::IndexRoot.findInEntries)"
+
+      if @foundEntries.key?(name)
+        $log.debug "#{log_prefix} Found [#{name}] in #{entries.collect { |e| e.isLast? ? "**last**" : e.name.downcase }.inspect}" if DEBUG_TRACE_FIND
+        return @foundEntries[name]
+      end
+
+      $log.debug "#{log_prefix} Searching for [#{name}] in #{entries.collect { |e| e.isLast? ? "**last**" : e.name.downcase }.inspect}" if DEBUG_TRACE_FIND
+      # TODO: Uses linear search within an index entry; switch to more performant search eventually
+      entries.each do |e|
+        $log.debug "#{log_prefix} before [#{e.isLast? ? "**last**" : e.name.downcase}]" if DEBUG_TRACE_FIND
+        if e.isLast? || name < e.name.downcase
+          $log.debug "#{log_prefix} #{e.hasChild? ? "Sub-search in child vcn [#{e.child}]" : "No sub-search"}" if DEBUG_TRACE_FIND
+          return e.hasChild? ? findInEntries(name, getIndexAllocEntries(e.child)) : nil
+        end
+      end
+      $log.debug "#{log_prefix} Did not find [#{name}]" if DEBUG_TRACE_FIND
+      nil
+    end
+
+    def findBackup(name)
+      globEntriesByName[name]
+    end
+
+    def getIndexAllocEntries(vcn)
+      unless @indexAlloc.key?(vcn)
+        log_prefix = "MIQ(NTFS::IndexRoot.getIndexAllocEntries)"
+
+        begin
+          raise "not allocated"    if @bitmap[vcn, 1] == "0"
+          header, run = @indexAllocRuns.detect { |h, _r| vcn >= h.specific['first_vcn'] && vcn <= h.specific['last_vcn'] }
+          raise "header not found" if header.nil?
+          raise "run not found"    if run.nil?
+
+          run.seekToVcn(vcn - header.specific['first_vcn'])
+          buf = run.read(@byteSize)
+
+          raise "buffer not found" if buf.nil?
+          raise "buffer signature is expected to be INDX, but is [#{buf[0, 4].inspect}]" if buf[0, 4] != "INDX"
+          irh = IndexRecordHeader.new(buf, @boot_sector.bytesPerSector)
+          buf = irh.data[IndexRecordHeader.size..-1]
+          inh = IndexNodeHeader.new(buf)
+          @indexAlloc[vcn] = cleanAllocEntries(DirectoryIndexNode.nodeFactory(buf[inh.startEntries..-1]))
+        rescue => err
+          $log.warn "#{log_prefix} Unable to read data from index allocation at vcn [#{vcn}] because <#{err.message}>\n#{dump}" if $log
+          @indexAlloc[vcn] = []
+        end
+      end
+
+      @indexAlloc[vcn]
+    end
+
+    def cleanAllocEntries(entries)
+      cleanEntries = []
+      entries.each do |e|
+        if e.isLast? || !(e.contentLen == 0 || (e.refMft[1] < 12 && e.name[0, 1] == "$"))
+          cleanEntries << e
+          # Since we are already looping through all entries to clean
+          #   them we can store them in a lookup for optimization
+          @foundEntries[e.name.downcase] = e unless e.isLast?
+        end
+      end
+      cleanEntries
+    end
+
+    def globEntries
+      return @globEntries unless @globEntries.nil?
+
+      # Since we are reading all entries, retrieve all of the data in one call
+      @indexAllocRuns.each do |_h, r|
+        r.rewind
+        r.read(r.length)
+      end
+
+      @globEntries = globAllEntries(@indexEntries)
+    end
+
+    def globEntriesByName
+      log_prefix = "MIQ(NTFS::IndexRoot.globEntriesByName)"
+
+      if @globbedEntriesByName
+        $log.debug "#{log_prefix} Using cached globEntries." if DEBUG_TRACE_FIND
+        return @foundEntries
+      end
+
+      $log.debug "#{log_prefix} Initializing globEntries:" if DEBUG_TRACE_FIND
+      globEntries.each do |e|
+        $log.debug "#{log_prefix} #{e.isLast? ? "**last**" : e.name.downcase}" if DEBUG_TRACE_FIND
+        @foundEntries[e.name.downcase] = e
+      end
+      @globbedEntriesByName = true
+      @foundEntries
+    end
+
+    def globAllEntries(entries)
+      ret = []
+      entries.each do |e|
+        ret += globAllEntries(getIndexAllocEntries(e.child)) if e.hasChild?
+        ret << e unless e.isLast?
+      end
+      ret
+    end
+
+    def dump
+      out = "\#<#{self.class}:0x#{'%08x' % object_id}>\n"
+      out << "  Type                 : 0x#{'%08x' % @type}\n"
+      out << "  Collation Rule       : #{@collation_rule}\n"
+      out << "  Index size (bytes)   : #{@byteSize}\n"
+      out << "  Index size (clusters): #{@clusterSize}\n"
+      @indexEntries.each { |din| out << din.dump }
+      out << "---\n"
+      out
+    end
+  end
+end # module NTFS

data/lib/fs/ntfs/attrib_object_id.rb

@@ -0,0 +1,40 @@
+require 'util/miq-uuid'
+
+module NTFS
+  # There is no real data definition for this class - it consists entirely of GUIDs.
+  #
+  # struct GUID - GUID structures store globally unique identifiers (GUID).
+  #
+  # A GUID is a 128-bit value consisting of one group of eight hexadecimal
+  # digits, followed by three groups of four hexadecimal digits each, followed
+  # by one group of twelve hexadecimal digits. GUIDs are Microsoft's
+  # implementation of the distributed computing environment (DCE) universally
+  # unique identifier (UUID).
+  #
+  # Example of a GUID:
+  #  1F010768-5A73-BC91-0010-A52216A7227B
+  #
+
+  class ObjectId
+    attr_reader :objectId, :birthVolumeId, :birthObjectId, :domainId
+
+    def initialize(buf)
+      raise "MIQ(NTFS::ObjectId.initialize) Nil buffer" if buf.nil?
+      buf = buf.read(buf.length) if buf.kind_of?(DataRun)
+      len = 16
+      @objectId       = UUIDTools::UUID.parse_raw(buf[len * 0, len])
+      @birthVolumeId  = UUIDTools::UUID.parse_raw(buf[len * 1, len]) if buf.length > 16
+      @birthObjectId  = UUIDTools::UUID.parse_raw(buf[len * 2, len]) if buf.length > 16
+      @domainId       = UUIDTools::UUID.parse_raw(buf[len * 3, len]) if buf.length > 16
+    end
+
+    def dump
+      out = "\#<#{self.class}:0x#{'%08x' % object_id}>\n"
+      out << "  Object id      : #{@objectId}\n"
+      out << "  Birth volume id: #{@birthVolumeId}\n"
+      out << "  Birth object id: #{@birthObjectId}\n"
+      out << "  Domain id      : #{@domainId}\n"
+      out << "---\n"
+    end
+  end
+end # module NTFS

data/lib/fs/ntfs/attrib_standard_information.rb

@@ -0,0 +1,107 @@
+require 'util/win32/nt_util'
+require 'binary_struct'
+
+module NTFS
+  #
+  # STANDARD_INFORMATION - Attribute: Standard information (0x10).
+  #
+  # NOTE: Always resident.
+  # NOTE: Present in all base file records on a volume.
+  # NOTE: There is conflicting information about the meaning of each of the time
+  #   fields but the meaning as defined below has been verified to be
+  #   correct by practical experimentation on Windows NT4 SP6a and is hence
+  #   assumed to be the one and only correct interpretation.
+  #
+
+  ATTRIB_STANDARD_INFORMATION = BinaryStruct.new([
+    'Q',  'time_created',     # Time file was created. Updated when a filename is changed(?)
+    'Q',  'time_altered',     # Time the data attribute was last modified
+    'Q',  'time_mft_changed', # Time this mft record was last modified
+    'Q',  'time_read',        # Approximate time when the file was last accessed (obviously
+    # this is not updated on read-only volumes). In Windows this
+    # is only updated when accessed if some time delta has passed
+    # since the last update. Also, last access times updates can be
+    # disabled altogether for speed
+    'L',  'dos_permissions',  # These are the flags we know as 'attributes' (see FP_ below)
+
+    #
+    # If a volume has been upgraded from a previous NTFS version, then thes following
+    # fields are present only if the file has been accessed since the upgrade.
+    # Recognize the difference by comparing the length of the resident attribute
+    # value. If it is 48, then the following fields are missing. If it is 72 then
+    # the fields are present. Maybe just check like this:
+    #  if (resident.ValueLength < sizeof(STANDARD_INFORMATION)) {
+    #   Assume NTFS 1.2- format.
+    #   If (volume version is 3.0+)
+    #     Upgrade attribute to NTFS 3.0 format.
+    #   else
+    #     Use NTFS 1.2- format for access.
+    #  } else
+    #   Use NTFS 3.0 format for access.
+    # Only problem is that it might be legal to set the length of the value to
+    # arbitrarily large values thus spoiling this check. - But chkdsk probably
+    # views that as a corruption, assuming that it behaves like this for all
+    # attributes.
+    #
+
+    'L',  'max_versions',     # Maximum allowed versions for file. Zero if version numbering is disabled.
+    'L',  'ver_num',          # This file's version (if any). Set to zero if maximum_versions is zero
+    'L',  'class_id',         # Class id from bidirectional class id index (?)
+    'L',  'owner_id',         # Owner_id of the user owning the file. Translate via $Q index
+    # in FILE_Extend /$Quota to the quota control entry for the user
+    # owning the file. Zero if quotas are disabled.
+    'L',  'security_id',      # This is a key in the $SII index and the $SDS data stream in the file $Secure
+    'Q',  'quota_charged',    # Number of bytes this file uses from the user's quota - total size of all streams - if zero then quotas are disabled
+    'Q',  'update_seq_num',   # This is a direct index into the file $UsnJrnl - if zero then the USN journal is disabled
+  ])
+
+  # One $STANDARD_INFORMATION attribute.
+  class StandardInformation
+    attr_reader :mTime, :aTime, :cTime, :permissions
+
+    # 'DOS' File permissions.
+    FP_READONLY   = 0x00000001
+    FP_HIDDEN     = 0x00000002
+    FP_SYSTEM     = 0x00000004
+    FP_ARCHIVE    = 0x00000020
+    FP_DEVICE     = 0x00000040
+    FP_NORMAL     = 0x00000080
+    FP_TEMPORARY  = 0x00000100
+    FP_SPARSE     = 0x00000200
+    FP_REPARSE    = 0x00000400
+    FP_COMPRESSED = 0x00000800
+    FP_OFFLINE    = 0x00001000
+    FP_NOTINDEXED = 0x00002000
+    FP_ENCRYPTED  = 0x00004000
+    FP_DIRECTORY  = 0x10000000
+    FP_INDEXVIEW  = 0x20000000
+
+    def initialize(buf)
+      raise "MIQ(NTFS::StandardInformation.initialize) Nil buffer" if buf.nil?
+
+      buf          = buf.read(buf.length) if buf.kind_of?(DataRun)
+      @asi         = ATTRIB_STANDARD_INFORMATION.decode(buf)
+      @mTime       = NtUtil.nt_filetime_to_ruby_time(@asi['time_altered'])
+      @aTime       = NtUtil.nt_filetime_to_ruby_time(@asi['time_read'])
+      @cTime       = NtUtil.nt_filetime_to_ruby_time(@asi['time_created'])
+      @permissions = @asi['dos_permissions']
+    end
+
+    def dump
+      out = "\#<#{self.class}:0x#{'%08x' % object_id}>\n"
+      out << "  Time created    : #{@cTime}\n"
+      out << "  Time altered    : #{@mTime}\n"
+      out << "  Time mft changed: #{NtUtil.nt_filetime_to_ruby_time(@asi['time_mft_changed'])}\n"
+      out << "  Time read       : #{@aTime}\n"
+      out << "  Permissions     : 0x#{'%08x' % @permissions}\n"
+      out << "  Max versions    : #{@asi['max_versions']}\n"
+      out << "  Version number  : #{@asi['ver_num']}\n"
+      out << "  Class id        : #{@asi['class_id']}\n"
+      out << "  Owner id        : #{@asi['owner_id']}\n"
+      out << "  Security id     : #{@asi['security_id']}\n"
+      out << "  Quota charged   : #{@asi['quota_charged']}\n"
+      out << "  Update seq num  : #{@asi['update_seq_num']}\n"
+      out << "---\n"
+    end
+  end
+end # module NTFS

data/lib/fs/ntfs/attrib_type.rb

@@ -0,0 +1,49 @@
+module NTFS
+  # The _ATTRIB_TYPE enumeration.
+  # Every entry in the MFT is made of a list of attributes. These are the attrib types.
+  AT_STANDARD_INFORMATION  = 0x00000010 # Base data: MAC times, version, owner, security, quota, permissions
+  AT_ATTRIBUTE_LIST        = 0x00000020 # Used for a list of attributes that spans one MFT file record
+  AT_FILE_NAME             = 0x00000030 # MAC times, size, flags, (and of course) file name
+  AT_VOLUME_VERSION        = 0x00000040 # No information
+  AT_OBJECT_ID             = 0x00000040 # Object GUID, birth GUIDs & domain GUID
+  AT_SECURITY_DESCRIPTOR   = 0x00000050 # User & Group SIDs, system and descr ACLs
+  AT_VOLUME_NAME           = 0x00000060 # Vol name (label)
+  AT_VOLUME_INFORMATION    = 0x00000070 # Major, minor & flags (chkdsk & others)
+  AT_DATA                  = 0x00000080 # File data, aux stream data
+  AT_INDEX_ROOT            = 0x00000090 # Root of an index - usually root of directory
+  AT_INDEX_ALLOCATION      = 0x000000a0 # Larger index structures use index allocation for overflow
+  AT_BITMAP                = 0x000000b0 # Cluster allocation bitmap
+  AT_SYMBOLIC_LINK         = 0x000000c0 # Haven't seen it yet
+  AT_REPARSE_POINT         = 0x000000c0 # Reparse data
+  AT_EA_INFORMATION        = 0x000000d0 # Extended attribute information
+  AT_EA                    = 0x000000e0 # Extended attribute data
+  AT_PROPERTY_SET          = 0x000000f0 # Haven't seen it
+  AT_LOGGED_UTILITY_STREAM = 0x00000100 # Encrypted File System data
+  AT_END                   = 0xffffffff # End of attributes
+
+  # OBSOLETE TYPES
+  # AT_VOLUME_VERSION and AT_SYMBOLIC_LINK have been depreciated, but remain in the type constants for
+  # backward compatibility. The name hash can't contain them since the type is used as a key.
+
+  # NT names for the attributes.
+  TypeName = {
+    AT_STANDARD_INFORMATION  => '$STANDARD_INFORMATION',
+    AT_ATTRIBUTE_LIST        => '$ATTRIBUTE_LIST',
+    AT_FILE_NAME             => '$FILE_NAME',
+    # AT_VOLUME_VERSION        => '$VOLUME_VERSION',        # This type is depreciated.
+    AT_OBJECT_ID             => '$OBJECT_ID',
+    AT_SECURITY_DESCRIPTOR   => '$SECURITY_DESCRIPTOR',
+    AT_VOLUME_NAME           => '$VOLUME_NAME',
+    AT_VOLUME_INFORMATION    => '$VOLUME_INFORMATION',
+    AT_DATA                  => '$DATA',
+    AT_INDEX_ROOT            => '$INDEX_ROOT',
+    AT_INDEX_ALLOCATION      => '$INDEX_ALLOCATION',
+    AT_BITMAP                => '$BITMAP',
+    # AT_SYMBOLIC_LINK         => '$SYMBOLIC_LINK',         # This type is depreciated.
+    AT_REPARSE_POINT         => '$REPARSE_POINT',
+    AT_EA_INFORMATION        => '$EA_INFORMATION',
+    AT_EA                    => '$EA',
+    AT_PROPERTY_SET          => '$PROPERTY_SET',
+    AT_LOGGED_UTILITY_STREAM => '$LOGGED_UTILITY_STREAM'
+  }
+end # module NTFS