Comments (3)
$REPARSE_POINT attribute for IO_REPARSE_TAG_WOF:
length is always 16 bytes (4 dwords): 1,2,1,PACK_TYPE
PACK_TYPE = AlgName (BLOCK_SIZE)
0 = XPRESS4K
1 = LZX (32k)
2 = XPRESS8K
3 = XPRESS16K
e.g. $REPARSE_POINT data:
01 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00 = XPRESS8K
01 00 00 00 02 00 00 00 01 00 00 00 01 00 00 00 = LZX
WofCompressedData stream consists of two parts:
- (optional) DWORD offsets to fragments.
- compressed fragment data.
Compression logic:
- The file is split into fragments of BLOCK_SIZE. If the file size is lower than or equal to the size of a single fragment, there is no offsets table at the beginning of the stream.
- Each fragment is compressed/decompressed independently.
Compression/decompression with ntdll (only XPRESS, no LZX):
```c
/* Prototypes come from ntifs.h (or declare them by hand); link against ntdll.lib. */
ULONG comp_block, comp_frag;   /* work-space sizes are ULONG, not DWORD64 */
RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_XPRESS_HUFF, &comp_block, &comp_frag);
LPVOID workspace = LocalAlloc(LMEM_FIXED, comp_block);
/* compress one fragment: uncomp[uncomp_len] -> comp[comp_buf_len]; packed (ULONG) receives the output size */
RtlCompressBuffer(COMPRESSION_FORMAT_XPRESS_HUFF, uncomp, uncomp_len, comp, comp_buf_len, block_size, &packed, workspace);
/* decompress one fragment: comp[comp_len] -> uncomp[uncomp_buf_len]; unpacked (ULONG) receives the output size */
RtlDecompressBufferEx(COMPRESSION_FORMAT_XPRESS_HUFF, uncomp, uncomp_buf_len, comp, comp_len, &unpacked, workspace);
LocalFree(workspace);
```
e.g. for XPRESS16K, source file 32k of 00 bytes:
```
0000: 07 01 00 00 *02 00 00 00 │ 00 00 00 00 00 00 00 00
0010: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0020: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0030: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0050: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0060: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0070: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0080: 00 00 00 00 02 00 00 00 │ 00 00 00 10 00 00 00 00
0090: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00A0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00B0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00C0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00D0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00E0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
00F0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0100: 00 00 00 00 00 98 00 00 │ FF FC 3F *02 00 00 00 00
0110: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0120: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0130: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0140: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0150: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0160: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0170: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0180: 00 00 00 00 00 00 00 00 │ 00 00 00 02 00 00 00 00
0190: 00 00 10 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
01A0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
01B0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
01C0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
01D0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
01E0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
01F0: 00 00 00 00 00 00 00 00 │ 00 00 00 00 00 00 00 00
0200: 00 00 00 00 00 00 00 00 │ 00 00 00 00 98 00 00 FF
0210: FC 3F
```
Two fragments (32K/16K), so the offsets table has 1 element (0x107).
First fragment: offset 0x04, length 0x107 (due to the offsets table);
second fragment: offset 0x107+0x04 = 0x10B, length till the end of the stream.
from ntfstool.
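The layout described in the comment above, as an added example that is not part of the original issue or of ntfstool: it decodes the 16-byte WOF reparse data into algorithm and block size, then walks a WofCompressedData stream into its fragments. It generalizes the two-fragment case on the page to N fragments (N-1 DWORD entries, each the end of a fragment relative to the end of the table); that generalization, the function names and the fragment bytes are assumptions/constructed here.

```python
import struct

# PACK_TYPE -> (algorithm name, fragment/block size), as listed for the reparse data.
PACK_TYPES = {0: ("XPRESS4K", 4096), 1: ("LZX", 32768), 2: ("XPRESS8K", 8192), 3: ("XPRESS16K", 16384)}


def parse_wof_reparse_data(data):
    """Decode the 16-byte IO_REPARSE_TAG_WOF reparse data: 4 DWORDs 1, 2, 1, PACK_TYPE."""
    if len(data) != 16:
        raise ValueError("WOF reparse data must be exactly 16 bytes")
    version, provider, file_version, pack_type = struct.unpack("<4I", data)
    if (version, provider, file_version) != (1, 2, 1):
        raise ValueError("unexpected WOF header %r" % ((version, provider, file_version),))
    if pack_type not in PACK_TYPES:
        raise ValueError("unknown PACK_TYPE %d" % pack_type)
    return PACK_TYPES[pack_type]


def split_wof_fragments(stream, file_size, block_size):
    """Return (offset, length) pairs for each fragment of a WofCompressedData stream.

    ceil(file_size / block_size) fragments; a single fragment has no offsets table.
    With N fragments the stream starts with N-1 DWORDs, entry i being the end of
    fragment i relative to the end of the table (assumed generalization of the page).
    """
    n_frags = max(1, -(-file_size // block_size))
    table_len = 4 * (n_frags - 1)
    if len(stream) < table_len:
        raise ValueError("stream too short for its offsets table")
    ends = list(struct.unpack("<%dI" % (n_frags - 1), stream[:table_len]))
    ends.append(len(stream) - table_len)  # the last fragment runs to the end of the stream
    fragments, start = [], 0
    for end in ends:
        if end < start or table_len + end > len(stream):  # reject a corrupt table
            raise ValueError("offsets table points outside the stream")
        fragments.append((table_len + start, end - start))
        start = end
    return fragments


def demo():
    """Constructed inputs mirroring the page: XPRESS16K, 32K file -> 2 fragments of 0x107 bytes."""
    algo, block = parse_wof_reparse_data(bytes.fromhex("01000000 02000000 01000000 03000000"))
    # Constructed stand-in for the compressed bytes; only the layout matters here.
    stream = struct.pack("<I", 0x107) + b"\xaa" * 0x107 + b"\xbb" * 0x107
    return algo, block, split_wof_fragments(stream, 32 * 1024, block)


if __name__ == "__main__":
    print(demo())  # ('XPRESS16K', 16384, [(4, 263), (267, 263)])
```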
Thanks for the details!
I have a working PoC for XPRESS; I need to clean the code a bit and then I will push it.
from ntfstool.
With ed083d4, you should be able to extract wof (xpress) files using:
```
ntfstool extract disk=1 volume=2 from="c:\windows\splwow64.exe:WofCompressedData" output="c:\splwow64.exe"
```
I also added a description for $REPARSE_POINT & WOF.
Ex:
```
+----------------------------------------------------------------------------------------------------------+
| 5 | $REPARSE_POINT | False | 24 | Type : Windows Overlay |
| | Raw address: 014516e7f1d8h | | | ------ |
| | | | | Version : 1 |
| | | | | Provider : 2 |
| | | | | File Version : 1 |
| | | | | Compression Algorithm : LZX 32k |
+----------------------------------------------------------------------------------------------------------+
```
from ntfstool.