rex 2.0.5 → 2.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 31837db98ac01dead4073a5d9785ee8c3885772a
-  data.tar.gz: 0976f856604fdeee60805d11fe36faeee0e4656b
+  metadata.gz: 5cc2f7d9e9457482ffe5b8935f8b93c4e57560cc
+  data.tar.gz: b6e6ee56e59286b54a62d28540e92fa6363dd6ae
 SHA512:
-  metadata.gz: f35c3bb765efa30161a507f41e8e1016296bacb8bb8b80eb0220c8cfc18092957f479f3ea17b1994fc4e38e58e60eed8bcb3e545f6a3f62cebe54a44afca9099
-  data.tar.gz: 89e3d3600fd209b95a8bf231df5d4ab8d839ca6b1b8e1178e23b676cddf1d1afd7461985c2689b54d71d437fb3839e12497c9f7bde7b5f1f9a59a1655fda82ed
+  metadata.gz: 17d81b1cda43811ec7acc076f4c903da5cb48316c399dd08abf2839df6e979b9de977f321e004ec1391fe86d472b450af2262f9be6a30aad8ddc30c2358a107e
+  data.tar.gz: f921d0e028d10c3b96eaaa65eff57a39d085dae29067d7e5b64addef567aff2043fc4079801a0cf11053abea603055a3d1ffcaeb9c3bf7788644bf44c0011d1c

data/lib/rex/exploitation/egghunter.rb

@@ -65,12 +65,10 @@ class Egghunter
         flippage = "\n\tor dx,0xfff"
         edxdirection = "\n\tinc edx"
 
-        if searchforward
-          if searchforward.to_s.downcase == 'false'
-            # go backwards
-            flippage = "\n\txor dl,dl"
-            edxdirection = "\n\tdec edx"
-          end
+        if searchforward.to_s.downcase == 'false'
+          # go backwards
+          flippage = "\n\txor dl,dl"
+          edxdirection = "\n\tdec edx"
         end
 
         # other vars

data/lib/rex/exploitation/powershell/psh_methods.rb

@@ -64,6 +64,15 @@ module Powershell
     def self.get_last_login(user)
       %Q^ Get-QADComputer -ComputerRole DomainController | foreach { (Get-QADUser -Service $_.Name -SamAccountName "#{user}").LastLogon} | Measure-Latest^
     end
+
+    #
+    # Disable SSL Certificate verification
+    #
+    # @return [String] Powershell code to disable SSL verification
+    #   checks.
+    def self.ignore_ssl_certificate
+      '[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};'
+    end
   end
 end
 end

data/lib/rex/java/serialization.rb

@@ -51,4 +51,5 @@ module Rex
   end
 end
 
-require 'rex/java/serialization/model'
+require 'rex/java/serialization/model'
+require 'rex/java/serialization/builder'

data/lib/rex/java/serialization/builder.rb

@@ -0,0 +1,94 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Java
+    module Serialization
+      # This class provides a builder to help in the construction of
+      # Java serialized contents.
+      class Builder
+
+        # Creates a Rex::Java::Serialization::Model::NewArray
+        #
+        # @param opts [Hash{Symbol => <Rex::Java::Serialization::Model::NewClassDesc, String, Array>}]
+        # @option opts [Rex::Java::Serialization::Model::NewClassDesc] :description
+        # @option opts [String] :values_type
+        # @option opts [Array] :values
+        # @return [Rex::Java::Serialization::Model::NewArray]
+        # @see #new_class
+        def new_array(opts = {})
+          class_desc = opts[:description] || new_class(opts)
+          type = opts[:values_type] || ''
+          values = opts[:values] || []
+
+          array = Rex::Java::Serialization::Model::NewArray.new
+          array.array_description = Rex::Java::Serialization::Model::ClassDesc.new
+          array.array_description.description = class_desc
+          array.type = type
+          array.values = values
+
+          array
+        end
+
+        # Creates a Rex::Java::Serialization::Model::NewObject
+        #
+        # @param opts [Hash{Symbol => <Rex::Java::Serialization::Model::NewClassDesc, Array>}]
+        # @option opts [Rex::Java::Serialization::Model::NewClassDesc] :description
+        # @option opts [Array] :data
+        # @return [Rex::Java::Serialization::Model::NewObject]
+        # @see #new_class
+        def new_object(opts = {})
+          class_desc = opts[:description] || new_class(opts)
+          data = opts[:data] || []
+
+          object = Rex::Java::Serialization::Model::NewObject.new
+          object.class_desc = Rex::Java::Serialization::Model::ClassDesc.new
+          object.class_desc.description = class_desc
+          object.class_data = data
+
+          object
+        end
+
+        # Creates a Rex::Java::Serialization::Model::NewClassDesc
+        #
+        # @param opts [Hash{Symbol => <Rex::Java::Serialization::Model::NewClassDesc, Array>}]
+        # @option opts [String] :name
+        # @option opts [Fixnum] :serial
+        # @option opts [Fixnum] :flags
+        # @option opts [Array] :fields
+        # @option opts [Array] :annotations
+        # @option opts [Rex::Java::Serialization::Model::Element] :super_class
+        # @return [Rex::Java::Serialization::Model::NewClassDesc]
+        def new_class(opts = {})
+          class_name = opts[:name] || ''
+          serial_version = opts[:serial] || 0
+          flags = opts[:flags] || 2
+          fields = opts[:fields] || []
+          annotations = opts[:annotations] || [Rex::Java::Serialization::Model::NullReference.new,
+                                               Rex::Java::Serialization::Model::EndBlockData.new]
+          super_class = opts[:super_class] || Rex::Java::Serialization::Model::NullReference.new
+
+          class_desc = Rex::Java::Serialization::Model::NewClassDesc.new
+          class_desc.class_name = Rex::Java::Serialization::Model::Utf.new(nil, class_name)
+          class_desc.serial_version = serial_version
+          class_desc.flags = flags
+          class_desc.fields = []
+
+          fields.each do |f|
+            field = Rex::Java::Serialization::Model::Field.new
+            field.type = f[0]
+            field.name = Rex::Java::Serialization::Model::Utf.new(nil, f[1])
+            field.field_type = Rex::Java::Serialization::Model::Utf.new(nil, f[2]) if f[2]
+            class_desc.fields << field
+          end
+
+          class_desc.class_annotation = Rex::Java::Serialization::Model::Annotation.new
+          class_desc.class_annotation.contents = annotations
+          class_desc.super_class = Rex::Java::Serialization::Model::ClassDesc.new
+          class_desc.super_class.description = super_class
+
+          class_desc
+        end
+      end
+    end
+  end
+end

data/lib/rex/java/serialization/model.rb

@@ -1,20 +1,31 @@
 # -*- coding: binary -*-
 
-require 'rex/java/serialization/model/element'
-require 'rex/java/serialization/model/null_reference'
-require 'rex/java/serialization/model/reference'
-require 'rex/java/serialization/model/reset'
-require 'rex/java/serialization/model/utf'
-require 'rex/java/serialization/model/long_utf'
-require 'rex/java/serialization/model/block_data'
-require 'rex/java/serialization/model/block_data_long'
-require 'rex/java/serialization/model/end_block_data'
-require 'rex/java/serialization/model/contents'
-require 'rex/java/serialization/model/new_enum'
-require 'rex/java/serialization/model/field'
-require 'rex/java/serialization/model/new_array'
-require 'rex/java/serialization/model/annotation'
-require 'rex/java/serialization/model/class_desc'
-require 'rex/java/serialization/model/new_class_desc'
-require 'rex/java/serialization/model/new_object'
-require 'rex/java/serialization/model/stream'
+module Rex
+  module Java
+    module Serialization
+      module Model
+
+        autoload :Annotation,     'rex/java/serialization/model/annotation'
+        autoload :BlockDataLong,  'rex/java/serialization/model/block_data_long'
+        autoload :BlockData,      'rex/java/serialization/model/block_data'
+        autoload :ClassDesc,      'rex/java/serialization/model/class_desc'
+        autoload :Contents,       'rex/java/serialization/model/contents'
+        autoload :Element,        'rex/java/serialization/model/element'
+        autoload :EndBlockData,   'rex/java/serialization/model/end_block_data'
+        autoload :Field,          'rex/java/serialization/model/field'
+        autoload :LongUtf,        'rex/java/serialization/model/long_utf'
+        autoload :NewArray,       'rex/java/serialization/model/new_array'
+        autoload :NewClassDesc,   'rex/java/serialization/model/new_class_desc'
+        autoload :NewEnum,        'rex/java/serialization/model/new_enum'
+        autoload :NewObject,      'rex/java/serialization/model/new_object'
+        autoload :NullReference,  'rex/java/serialization/model/null_reference'
+        autoload :Reference,      'rex/java/serialization/model/reference'
+        autoload :Reset,          'rex/java/serialization/model/reset'
+        autoload :Stream,         'rex/java/serialization/model/stream'
+        autoload :Utf,            'rex/java/serialization/model/utf'
+
+      end
+    end
+  end
+end
+

data/lib/rex/java/serialization/model/annotation.rb

@@ -29,7 +29,7 @@ module Rex
             loop do
               content = decode_content(io, stream)
               self.contents << content
-              return self if content.class == EndBlockData
+              return self if content.kind_of?(EndBlockData)
             end
 
             self
@@ -66,4 +66,4 @@ module Rex
       end
     end
   end
-end
+end

data/lib/rex/java/serialization/model/field.rb

@@ -55,7 +55,7 @@ module Rex
           # @return [String] if serialization succeeds
           # @raise [RuntimeError] if serialization doesn't succeed
           def encode
-            unless name.class == Rex::Java::Serialization::Model::Utf
+            unless name.kind_of?(Rex::Java::Serialization::Model::Utf)
               raise ::RuntimeError, 'Failed to serialize Field'
             end
 
@@ -169,4 +169,4 @@ module Rex
       end
     end
   end
-end
+end

data/lib/rex/java/serialization/model/new_array.rb

@@ -52,7 +52,7 @@ module Rex
           # @return [String] if serialization succeeds
           # @raise [RuntimeError] if serialization doesn't succeed
           def encode
-            unless array_description.class == ClassDesc
+            unless array_description.kind_of?(ClassDesc)
               raise ::RuntimeError, 'Failed to serialize NewArray'
             end
 
@@ -103,12 +103,17 @@ module Rex
               raise ::RuntimeError, 'Empty NewArray description'
             end
 
-            unless array_description.class == ClassDesc
+            unless array_description.kind_of?(ClassDesc)
               raise ::RuntimeError, 'Unsupported NewArray description class'
             end
 
             desc = array_description.description
 
+            if desc.class == Reference
+              ref = desc.handle - BASE_WIRE_HANDLE
+              desc = stream.references[ref]
+            end
+
             unless desc.class_name.contents[0] == '[' # Array
               raise ::RuntimeError, 'Unsupported NewArray description'
             end
@@ -222,4 +227,4 @@ module Rex
       end
     end
   end
-end
+end

data/lib/rex/java/serialization/model/new_class_desc.rb

@@ -66,8 +66,8 @@ module Rex
           # @return [String] if serialization succeeds
           # @raise [RuntimeError] if serialization doesn't succeed
           def encode
-            unless class_name.class == Rex::Java::Serialization::Model::Utf &&
-                    class_annotation.class == Rex::Java::Serialization::Model::Annotation &&
+            unless class_name.class == Rex::Java::Serialization::Model::Utf ||
+                    class_annotation.class == Rex::Java::Serialization::Model::Annotation ||
                     super_class.class == Rex::Java::Serialization::Model::ClassDesc
               raise ::RuntimeError, 'Filed to serialize NewClassDesc'
             end
@@ -152,4 +152,4 @@ module Rex
       end
     end
   end
-end
+end

data/lib/rex/java/serialization/model/new_enum.rb

@@ -41,8 +41,8 @@ module Rex
           # @return [String] if serialization succeeds
           # @raise [RuntimeError] if serialization doesn't succeed
           def encode
-            unless enum_description.class == ClassDesc &&
-                    constant_name.class == Utf
+            unless enum_description.kind_of?(ClassDesc) &&
+                   constant_name.kind_of?(Utf)
               raise ::RuntimeError, 'Failed to serialize EnumDescription'
             end
 
@@ -68,7 +68,7 @@ module Rex
           # @raise [RuntimeError] if deserialization doesn't succed
           def decode_constant_name(io)
             content = decode_content(io, stream)
-            raise ::RuntimeError, 'Failed to unserialize NewEnum' unless content.class == Rex::Java::Serialization::Model::Utf
+            raise ::RuntimeError, 'Failed to unserialize NewEnum' unless content.kind_of?(Rex::Java::Serialization::Model::Utf)
 
             content
           end
@@ -76,4 +76,4 @@ module Rex
       end
     end
   end
-end
+end

data/lib/rex/java/serialization/model/new_object.rb

@@ -32,9 +32,10 @@ module Rex
             self.class_desc = ClassDesc.decode(io, stream)
             stream.add_reference(self) unless stream.nil?
 
-            if class_desc.description.class == NewClassDesc
+            case class_desc.description
+            when NewClassDesc
               self.class_data = decode_class_data(io, class_desc.description)
-            elsif class_desc.description.class == Reference
+            when Reference
               ref = class_desc.description.handle - BASE_WIRE_HANDLE
               self.class_data = decode_class_data(io, stream.references[ref])
             end
@@ -47,7 +48,7 @@ module Rex
           # @return [String] if serialization succeeds
           # @raise [RuntimeError] if serialization doesn't succeed
           def encode
-            unless class_desc.class == ClassDesc
+            unless class_desc.kind_of?(ClassDesc)
               raise ::RuntimeError, 'Failed to serialize NewObject'
             end
 
@@ -55,7 +56,7 @@ module Rex
             encoded << class_desc.encode
 
             class_data.each do |value|
-              if value.class == Array
+              if value.kind_of?(Array)
                 encoded << encode_value(value)
               else
                 encoded << encode_content(value)
@@ -70,15 +71,16 @@ module Rex
           # @return [String]
           def to_s
             str  = ''
-            if class_desc.description.class == NewClassDesc
+            case class_desc.description
+            when NewClassDesc
               str << class_desc.description.class_name.to_s
-            elsif class_desc.description.class == Reference
+            when Reference
               str << (class_desc.description.handle - BASE_WIRE_HANDLE).to_s(16)
             end
 
             str << ' => { '
-            data = class_data.collect { |data| data.to_s }
-            str << data.join(', ')
+            data_str = class_data.collect { |data| data.to_s }
+            str << data_str.join(', ')
             str << ' }'
           end
 
@@ -94,7 +96,12 @@ module Rex
             values = []
 
             unless my_class_desc.super_class.description.class == NullReference
-              values += decode_class_data(io, my_class_desc.super_class.description)
+              if my_class_desc.super_class.description.class == Reference
+                ref = my_class_desc.super_class.description.handle - BASE_WIRE_HANDLE
+                values += decode_class_data(io, stream.references[ref])
+              else
+                values += decode_class_data(io, my_class_desc.super_class.description)
+              end
             end
 
             values += decode_class_fields(io, my_class_desc)
@@ -220,4 +227,4 @@ module Rex
       end
     end
   end
-end
+end

data/lib/rex/ole/direntry.rb

@@ -96,7 +96,7 @@ class DirEntry
       return de
     end
     @children.each { |cde|
-      ret = find_by_sid(cde, sid)
+      ret = find_by_sid(sid, cde)
       if (ret)
         return ret
       end

data/lib/rex/parser/foundstone_nokogiri.rb

@@ -293,7 +293,7 @@ module Rex
     # XXX: Actually implement more of these
     def process_service(service,banner)
       meth = "process_service_#{service.gsub("-","_")}"
-      if self.respond_to? meth
+      if self.respond_to?(meth, true)
         self.send meth, banner
       else
         return (first_line banner)

data/lib/rex/parser/fs/ntfs.rb

@@ -0,0 +1,252 @@
+# -*- coding: binary -*-
+module Rex
+  module Parser
+    ###
+    #
+    # This class parses the contents of an NTFS partition file.
+    # Author : Danil Bazin <danil.bazin[at]hsc.fr> @danilbaz
+    #
+    ###
+    class NTFS
+      #
+      # Initialize the NTFS class with an already open file handler
+      #
+      DATA_ATTRIBUTE_ID = 128
+      INDEX_ROOT_ID = 144
+      INDEX_ALLOCATION_ID = 160
+      def initialize(file_handler)
+        @file_handler = file_handler
+        data = @file_handler.read(4096)
+        # Boot sector reading
+        @bytes_per_sector = data[11, 2].unpack('v')[0]
+        @sector_per_cluster = data[13].unpack('C')[0]
+        @cluster_per_mft_record = data[64].unpack('c')[0]
+        if @cluster_per_mft_record < 0
+          @bytes_per_mft_record = 2**(-@cluster_per_mft_record)
+          @cluster_per_mft_record = @bytes_per_mft_record.to_f / @bytes_per_sector / @sector_per_cluster
+        else
+          @bytes_per_mft_record = @bytes_per_sector * @sector_per_cluster * @cluster_per_mft_record
+        end
+        @bytes_per_cluster = @sector_per_cluster * @bytes_per_sector
+        @mft_logical_cluster_number = data[48, 8].unpack('Q<')[0]
+        @mft_offset = @mft_logical_cluster_number * @sector_per_cluster * @bytes_per_sector
+        @file_handler.seek(@mft_offset)
+        @mft = @file_handler.read(@bytes_per_mft_record)
+      end
+
+      #
+      # Gather the MFT entry corresponding to his number
+      #
+      def mft_record_from_mft_num(mft_num)
+        mft_num_offset = mft_num * @cluster_per_mft_record
+        mft_data_attribute = mft_record_attribute(@mft)[DATA_ATTRIBUTE_ID]['data']
+        cluster_from_attribute_non_resident(mft_data_attribute, mft_num_offset, @bytes_per_mft_record)
+      end
+
+      #
+      # Get the size of the file in the $FILENAME (64) attribute
+      #
+      def real_size_from_filenameattribute(attribute)
+        filename_attribute = attribute
+        filename_attribute[48, 8].unpack('Q<')[0]
+      end
+
+      #
+      # Gather the name of the file from the $FILENAME (64) attribute
+      #
+      def filename_from_filenameattribute(attribute)
+        filename_attribute = attribute
+        length_of_name = filename_attribute[64].ord
+        # uft16 *2
+        d = ::Encoding::Converter.new('UTF-16LE', 'UTF-8')
+        d.convert(filename_attribute[66, (length_of_name * 2)])
+      end
+
+      #
+      # Get the file from the MFT number
+      # The size must be gived because the $FILENAME attribute
+      # in the MFT entry does not contain it
+      # The file is in $DATA (128) Attribute
+      #
+      def file_content_from_mft_num(mft_num, size)
+        mft_record = mft_record_from_mft_num(mft_num)
+        attribute_list = mft_record_attribute(mft_record)
+        if attribute_list[DATA_ATTRIBUTE_ID]['resident']
+          return attribute_list[DATA_ATTRIBUTE_ID]['data']
+        else
+          data_attribute = attribute_list[DATA_ATTRIBUTE_ID]['data']
+          return cluster_from_attribute_non_resident(data_attribute)[0, size]
+        end
+      end
+
+      #
+      # parse one index record and return the name, MFT number and size of the file
+      #
+      def parse_index(index_entry)
+        res = {}
+        filename_size = index_entry[10, 2].unpack('v')[0]
+        filename_attribute = index_entry[16, filename_size]
+        # Should be 8 bytes but it doesn't work
+        # mft_offset =  index_entry[0.unpack('Q<',:8])[0]
+        # work with 4 bytes
+        mft_offset =  index_entry[0, 4].unpack('V')[0]
+        res[filename_from_filenameattribute(filename_attribute)] = {
+          'mft_offset' => mft_offset,
+          'file_size' => real_size_from_filenameattribute(filename_attribute) }
+        res
+      end
+
+      #
+      # parse index_record in $INDEX_ROOT and recursively index_record in
+      # INDEX_ALLOCATION
+      #
+      def parse_index_list(index_record, index_allocation_attribute)
+        offset_index_entry_list = index_record[0, 4].unpack('V')[0]
+        index_size =  index_record[offset_index_entry_list + 8, 2].unpack('v')[0]
+        index_size_in_bytes = index_size * @bytes_per_cluster
+        index_entry = index_record[offset_index_entry_list, index_size]
+        res = {}
+        while index_entry[12, 4].unpack('V')[0] & 2 != 2
+          res.update(parse_index(index_entry))
+          # if son
+          if index_entry[12, 4].unpack('V')[0] & 1 == 1
+            # should be 8 bytes length
+            vcn =  index_entry[-8, 4].unpack('V')[0]
+            vcn_in_bytes = vcn * @bytes_per_cluster
+            res_son = parse_index_list(index_allocation_attribute[vcn_in_bytes + 24, index_size_in_bytes], index_allocation_attribute)
+            res.update(res_son)
+          end
+          offset_index_entry_list += index_size
+          index_size =  index_record[offset_index_entry_list + 8, 2].unpack('v')[0]
+          index_size_in_bytes = index_size * @bytes_per_cluster
+          index_entry = index_record [offset_index_entry_list, index_size]
+        end
+        # if son on the last
+        if index_entry[12, 4].unpack('V')[0] & 1 == 1
+          # should be 8 bytes length
+          vcn =  index_entry[-8, 4].unpack('V')[0]
+          vcn_in_bytes = vcn * @bytes_per_cluster
+          res_son = parse_index_list(index_allocation_attribute[vcn_in_bytes + 24, index_size_in_bytes], index_allocation_attribute)
+          res.update(res_son)
+        end
+        res
+      end
+
+      #
+      # return the list of files in attribute directory and their MFT number and size
+      #
+      def index_list_from_attributes(attributes)
+        index_root_attribute = attributes[INDEX_ROOT_ID]
+        index_record = index_root_attribute[16, index_root_attribute.length - 16]
+        if attributes.key?(INDEX_ALLOCATION_ID)
+          return parse_index_list(index_record, attributes[INDEX_ALLOCATION_ID])
+        else
+          return parse_index_list(index_record, '')
+        end
+      end
+
+      def cluster_from_attribute_non_resident(attribute, cluster_num = 0, size_max = ((2**31) - 1))
+        lowvcn = attribute[16, 8].unpack('Q<')[0]
+        highvcn = attribute[24, 8].unpack('Q<')[0]
+        offset = attribute[32, 2].unpack('v')[0]
+        real_size = attribute[48, 8].unpack('Q<')[0]
+        attribut = ''
+        run_list_num = lowvcn
+        old_offset = 0
+        while run_list_num <= highvcn
+          first_runlist_byte = attribute[offset].ord
+          run_offset_size = first_runlist_byte >> 4
+          run_length_size = first_runlist_byte & 15
+          run_length = attribute[offset + 1, run_length_size]
+          run_length += "\x00" * (8 - run_length_size)
+          run_length = run_length.unpack('Q<')[0]
+
+          offset_run_offset = offset + 1 + run_length_size
+          run_offset = attribute[offset_run_offset, run_offset_size]
+          if run_offset[-1].ord & 128 == 128
+            run_offset += "\xFF" * (8 - run_offset_size)
+          else
+            run_offset += "\x00" * (8 - run_offset_size)
+          end
+          run_offset = run_offset.unpack('q<')[0]
+          #offset relative to previous offset
+          run_offset += old_offset
+
+          size_wanted = [run_length * @bytes_per_cluster, size_max - attribut.length].min
+          if cluster_num + (size_max / @bytes_per_cluster) >= run_list_num && (cluster_num < run_length + run_list_num)
+            run_list_offset_in_cluster = run_offset + [cluster_num - run_list_num, 0].max
+            run_list_offset = (run_list_offset_in_cluster) * @bytes_per_cluster
+            run_list_offset = run_list_offset.to_i
+            @file_handler.seek(run_list_offset)
+
+            data = ''
+            while data.length < size_wanted
+              data << @file_handler.read(size_wanted - data.length)
+            end
+            attribut << data
+          end
+          offset += run_offset_size + run_length_size + 1
+          run_list_num += run_length
+          old_offset = run_offset
+        end
+        attribut = attribut[0, real_size]
+        attribut
+      end
+
+      #
+      # return the attribute list from the MFT record
+      # deal with resident and non resident attributes (but not $DATA due to performance issue)
+      #
+      def mft_record_attribute(mft_record)
+        attribute_list_offset = mft_record[20, 2].unpack('C')[0]
+        curs = attribute_list_offset
+        attribute_identifier = mft_record[curs, 4].unpack('V')[0]
+        res = {}
+        while attribute_identifier != 0xFFFFFFFF
+          # attribute_size=mft_record[curs + 4, 4].unpack('V')[0]
+          # should be on 4 bytes but doesnt work
+          attribute_size = mft_record[curs + 4, 2].unpack('v')[0]
+          # resident
+          if mft_record[curs + 8] == "\x00"
+            content_size = mft_record[curs + 16, 4].unpack('V')[0]
+            content_offset = mft_record[curs + 20, 2].unpack('v')[0]
+            res[attribute_identifier] = mft_record[curs + content_offset, content_size]
+          else
+            # non resident
+            if attribute_identifier == DATA_ATTRIBUTE_ID
+              res[attribute_identifier] = mft_record[curs, attribute_size]
+            else
+              res[attribute_identifier] = cluster_from_attribute_non_resident(mft_record[curs, attribute_size])
+            end
+          end
+          if attribute_identifier == DATA_ATTRIBUTE_ID
+            res[attribute_identifier] = {
+              'data' => res[attribute_identifier],
+              'resident' => mft_record[curs + 8] == "\x00" }
+          end
+          curs += attribute_size
+          attribute_identifier = mft_record[curs, 4].unpack('V')[0]
+        end
+        res
+      end
+
+      #
+      # return the file path in the NTFS partition
+      #
+      def file(path)
+        repertory = mft_record_from_mft_num(5)
+        index_entry = {}
+        path.split('\\').each do |r|
+          attributes = mft_record_attribute(repertory)
+          index = index_list_from_attributes(attributes)
+          unless index.key?(r)
+            fail ArgumentError, 'File path does not exist', caller
+          end
+          index_entry = index[r]
+          repertory = mft_record_from_mft_num(index_entry['mft_offset'])
+        end
+        file_content_from_mft_num(index_entry['mft_offset'], index_entry['file_size'])
+      end
+    end
+  end
+end