PowerMft - Commandline NTFS modification


3 replies to this topic

#1 joakim

    Silver Member

  • Team Reboot
  • 912 posts
  • Location: Bergen, Norway

Posted 10 August 2015 - 08:59 PM

Please read the entire post before downloading it.

Here's a tiny fun project: https://github.com/jschicht/PowerMft

 

It is a commandline tool that enables low level modification to NTFS system files. Currently it supports direct edit of the following attributes in MFT records:

  • The record header
  • $STANDARD_INFORMATION
  • $FILE_NAME
  • $OBJECT_ID
  • $REPARSE_POINT
  • $I30 index in $INDEX_ROOT and $INDEX_ALLOCATION (parent of target)
  • $O index in $ObjId at $INDEX_ROOT/$INDEX_ALLOCATION (relevant for files containing the $OBJECT_ID attribute)
  • $R index in $Reparse at $INDEX_ROOT/$INDEX_ALLOCATION (relevant for files containing the $REPARSE_POINT attribute)
  • $DATA in $AttrDef (Attribute Definition Table)

Read the readme for more detailed information about usage.

 

It's a good start, and more can be added for sure.

 

Is this a useful tool? If you are not sure what this is, do not download and mess with it! It is very likely that you will end up with a broken volume or deleted files, either through incorrect use of the tool or bugs in the code. A big WARNING is therefore submitted for a very good reason. Don't blame me for any lost data or damage done through the use of this tool, as you have been warned. This tool is ONLY provided for educational purposes.

Setting aside all the harm this tool can do, there is at least 1 use case (not being a misuse) I can think of :)

For invalid filenames (possibly generated by other non-Windows OSes) there does not exist any native tool or method in Windows to fix those filenames. Chkdsk will only be able to fix it by deleting the file, even though it reports it as a minor filename error!!
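
The invalid-filename case described in the post above can be identified without writing to the volume. The following is an added example, not part of the original post and not PowerMft's code: a read-only Python parser that pulls the resident $FILE_NAME attributes out of one MFT record and reports names that break Win32 naming rules. Assumptions: the record has already been extracted with its update-sequence fixups applied and is well-formed, Win32 rules are taken as the validity criterion, all function names are hypothetical, and the sample record is constructed by `build_sample_record`.

```python
import struct

# Characters the Win32 namespace rejects in a file name component.
WIN32_INVALID = set('<>:"/\\|?*') | {chr(c) for c in range(32)}
ATTR_FILE_NAME, ATTR_END = 0x30, 0xFFFFFFFF

def file_names(record: bytes):
    """Yield (namespace, name) for each resident $FILE_NAME in one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]   # offset of first attribute
    while off + 8 <= len(record):
        a_type, a_len = struct.unpack_from("<II", record, off)
        if a_type == ATTR_END or a_len == 0:
            break
        if a_type == ATTR_FILE_NAME and record[off + 8] == 0:  # resident only
            c_off = off + struct.unpack_from("<H", record, off + 0x14)[0]
            n_chars, namespace = record[c_off + 0x40], record[c_off + 0x41]
            raw = record[c_off + 0x42 : c_off + 0x42 + 2 * n_chars]
            yield namespace, raw.decode("utf-16-le", errors="replace")
        off += a_len

def win32_problems(name: str):
    """Return the reasons Windows would treat this stored name as invalid."""
    reasons = []
    bad = sorted(set(name) & WIN32_INVALID)
    if bad:
        reasons.append("invalid characters: " + repr("".join(bad)))
    if name not in (".", "..") and name[-1:] in (" ", "."):
        reasons.append("trailing space or dot")
    return reasons

def build_sample_record(name: str) -> bytes:
    """Constructed test input: a minimal record holding one $FILE_NAME."""
    body = bytearray(0x42) + name.encode("utf-16-le")
    body[0x40], body[0x41] = len(name), 0          # namespace 0 = POSIX
    attr = struct.pack("<IIBBHHHIHBB", 0x30, 0, 0, 0, 0, 0, 0,
                       len(body), 0x18, 1, 0) + body
    attr += b"\0" * (-len(attr) % 8)               # attributes are 8-byte aligned
    attr = attr[:4] + struct.pack("<I", len(attr)) + attr[8:]
    head = bytearray(0x38)
    head[:4] = b"FILE"
    struct.pack_into("<H", head, 0x14, 0x38)       # first attribute at 0x38
    return bytes(head) + attr + struct.pack("<I", ATTR_END)
```
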



#2 Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location: The Outside of the Asylum (gate is closed), Italy

Posted 11 August 2015 - 09:12 AM

Looks nice :) while exactly the kind of tool one can use to draw big holes in one's filesystem, it will likely bring lots of fun while testing  :thumbsup:

 

:duff:

Wonko



#3 joakim

Posted 11 August 2015 - 10:16 PM

Added the presumed useless feature of support for modifying anything within $AttrDef :)



#4 joakim

Posted 16 August 2015 - 09:47 PM

A somewhat more interesting enhancement is the addition of modification support for $OBJECT_ID and $REPARSE_POINT attributes and the respective $O and $R indexes in the $ObjId and $Reparse system files.
