dissect.ntfs 3.14.dev2__tar.gz → 3.15.dev2__tar.gz

dissect_ntfs-3.15.dev2/.gitattributes

@@ -0,0 +1 @@
+tests/_data/** filter=lfs diff=lfs merge=lfs -text

{dissect_ntfs-3.14.dev2 → dissect_ntfs-3.15.dev2}/PKG-INFO

@@ -1,9 +1,9 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: dissect.ntfs
-Version: 3.14.dev2
+Version: 3.15.dev2
 Summary: A Dissect module implementing a parser for the NTFS file system, used by the Windows operating system
 Author-email: Dissect Team <dissect@fox-it.com>
-License: Affero General Public License v3
+License-Expression: AGPL-3.0-or-later
 Project-URL: homepage, https://dissect.tools
 Project-URL: documentation, https://docs.dissect.tools/en/latest/projects/dissect.ntfs
 Project-URL: repository, https://github.com/fox-it/dissect.ntfs
@@ -11,14 +11,13 @@ Classifier: Development Status :: 5 - Production/Stable
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
 Classifier: Intended Audience :: Information Technology
-Classifier: License :: OSI Approved
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
 Classifier: Topic :: Internet :: Log Analysis
 Classifier: Topic :: Scientific/Engineering :: Information Analysis
 Classifier: Topic :: Security
 Classifier: Topic :: Utilities
-Requires-Python: ~=3.9
+Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 License-File: LICENSE
 License-File: COPYRIGHT
@@ -27,6 +26,7 @@ Requires-Dist: dissect.util<4,>=3
 Provides-Extra: dev
 Requires-Dist: dissect.cstruct<5.0.dev,>=4.0.dev; extra == "dev"
 Requires-Dist: dissect.util<4.0.dev,>=3.0.dev; extra == "dev"
+Dynamic: license-file
 
 # dissect.ntfs
 

{dissect_ntfs-3.14.dev2 → dissect_ntfs-3.15.dev2}/dissect/ntfs/attr.py

@@ -6,15 +6,9 @@ from typing import TYPE_CHECKING, Any, BinaryIO
 from dissect.util.stream import RangeStream, RunlistStream
 from dissect.util.ts import wintimestamp
 
-from dissect.ntfs.c_ntfs import (
-    ATTRIBUTE_TYPE_CODE,
-    IO_REPARSE_TAG,
-    c_ntfs,
-    segment_reference,
-    varint,
-)
+from dissect.ntfs.c_ntfs import ATTRIBUTE_TYPE_CODE, IO_REPARSE_TAG, c_ntfs
 from dissect.ntfs.exceptions import MftNotAvailableError, VolumeNotAvailableError
-from dissect.ntfs.util import ensure_volume, get_full_path, ts_to_ns
+from dissect.ntfs.util import ensure_volume, get_full_path, segment_reference, ts_to_ns, varint
 
 if TYPE_CHECKING:
     from collections.abc import Iterator

{dissect_ntfs-3.14.dev2 → dissect_ntfs-3.15.dev2}/dissect/ntfs/c_ntfs.py

@@ -1,7 +1,5 @@
 from __future__ import annotations
 
-import struct
-
 from dissect.cstruct import cstruct
 
 ntfs_def = """
@@ -276,6 +274,14 @@ typedef struct _MOUNT_POINT_REPARSE_BUFFER {
     USHORT  PrintNameLength;
 } _MOUNT_POINT_REPARSE_BUFFER;
 
+typedef struct _CLOUD_FILTER_REPARSE_BUFFER {
+    // ULONG   Unknown_1;
+    // ULONG   Unknown_2;
+    CHAR    Guid[16];
+    USHORT  NameLength;
+    // WCHAR    Name[NameLength];
+} _CLOUD_FILTER_REPARSE_BUFFER;
+
 /* ================ Index ================ */
 
 enum COLLATION : ULONG {
@@ -613,45 +619,3 @@ COMPRESSION_FORMAT_LZNT1 = 0x0002
 INDEX_NODE = 0x01
 INDEX_ENTRY_NODE = 0x01
 INDEX_ENTRY_END = 0x02
-
-
-def segment_reference(reference: c_ntfs._MFT_SEGMENT_REFERENCE) -> int:
-    """Helper to calculate the complete segment number from a cstruct MFT segment reference.
-
-    Args:
-        reference: A cstruct _MFT_SEGMENT_REFERENCE instance to return the complete segment number of.
-    """
-    return reference.SegmentNumberLowPart | (reference.SegmentNumberHighPart << 32)
-
-
-def varint(buf: bytes) -> int:
-    """Parse variable integers.
-
-    Dataruns in NTFS are stored as a tuple of variable sized integers. The size of each integer is
-    stored in the first byte, 4 bits for each integer. This logic can be seen in
-    :func:`AttributeHeader.dataruns <dissect.ntfs.attr.AttributeHeader.dataruns>`.
-
-    This function only parses those variable amount of bytes into actual integers. To do that, we
-    simply pad the bytes to 8 bytes long and parse it as a signed 64 bit integer. We pad with 0xff
-    if the number is negative and 0x00 otherwise.
-
-    Args:
-        buf: The byte buffer to parse a varint from.
-    """
-    if len(buf) < 8:
-        buf += (b"\xff" if buf[-1] & 0x80 else b"\x00") * (8 - len(buf))
-
-    return struct.unpack("<q", buf)[0]
-
-
-def bsf(value: int, size: int = 32) -> int:
-    """Count the number of trailing zero bits in an integer of a given size.
-
-    Args:
-        value: The integer to count trailing zero bits in.
-        size: Integer size to limit to.
-    """
-    for i in range(size):
-        if value & (1 << i):
-            return i
-    return 0