1. �� ¶

�� .
��: �� 화 15:00~16:00

�� 12:00~13:00

�� 할�� .

��: everything you want

2. �� ¶

��	��
��	��
��	��희��

�� : pkccr1@gmail.com
��트�� : pkccr@nate.com

3. feedback ¶

�� ZeroPage�� 행�� 4F(ThreeFs + Future Action Plan)�� feedback�� 합��.
- Facts, Feelings, Findings, Future Action Plan. ��, ��, �� , �� , �� 획.
- �� 해 �� : "�� 하�� 5��하�� .(��) �� 했�� .(��) �� 하�� .(��) �� 평�� .(�� 획)"
  - �� ? ��
feedback�� 한 �� .
- �� ZeroWiki�� 해��. 하�� 페�� 허��합��.
- �� 해��. 학��효�� .

�� ZeroWiki�� MoniWiki Engine�� 하�� Google Chrome�� Mozila Firefox, Safari�� Internet Explorer�� .

4. �� ¶

4.1. 1회��(2012�� 3�� 16��) ¶

4.1.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.1.2. �� ¶

wiki�� , �� 하�� 해 ��.
gcc ��환�� 하�� .

1) https://www.virtualbox.org �� VirtualBux��
2) http://ftp.daum.net -> Ubuntu-releases -> 11.10 -> ubuntu-11.10-deskto-amd64.iso ��
3) Virtualbox��행 -> �� -> �� : Linux �� : Ubuntu -> ��1024MB�� 하�� 폴트 ��
4) �� ubuntu ��행 -> �� ISO파�� 트 -> ��

(�� 해�� : ��판 �� 한��(101/104키 호환)�� 해��!)
gcc�� hello world�� 파�� 해��.

1) ��투 ��트�� gcc �� & ��
2) ��하�� (확�� .c�� 해��)
3) 해��
4) terminal ��행 -> .c 파�� (ls�� cd�� 합��.)
5) gcc�� 파�� 합��. (gcc 파��.c -o ��하��파�� -std=c99) 해�� .
6) ��파�� 파�� 행합��. (./파��)
w3schools�� 했��. (www.w3schools.com)
협�� 해 ��했��.
- ��, ��, �� 합��.

4.1.3. �� ¶

wiki �� 히��

1) �� 페�� - �� 하�� 페�� 하�� . �� 하�� .
2) �� - �� 회�� 편�� . �� feedback 항�� 하��.
gcc ��환�� 하��

1) virtual box�� linux �� hello world ��하�� 파��하�� 크�� .

4.1.4. ��항 ¶

�� 해�� 합��:D

1) w3schools�� html파트 �� 해��
2) linux�� 한 �� 해��
3) gcc�� 해��

4.1.5. �� ¶

�� . �� 큘�� 행�� 해��해��, �� 해��할�� (�� ). 학�� 하�� 행�� . - ��
�� . ��톤�� 했��. �� , �� 화�� 한�� . �� 항�� 히 해��. �� 탁��. - ��
�� . �� Wiki�� 흥��, ��톤�� 해�� 해��하�� . �� . �� 탁��. - ��희��
�� 행하�� 해 �� 하��. ��파�� 행 �� 해��하�� 7z�� 해��하�� 해��하��. �� iso파�� 7z�� . - ��희��
- ��... iso파�� 트��키��.. �� ? - ��
- �� 패하��. 7z ��... �� 한�� . �� cmd�� 합��. ��키�� 하�� msi 파�� . -��희��-
- amd64�� 했�� cpu�� . i386�� . -��희��

4.2. 2회��(2012�� 3�� 20��) ¶

4.2.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.2.2. �� ¶

�� 해�� .

1) gcc ��파�� . - gcc ��파�� 파�� 크��티��한 �� 하�� . ��

��트��크�� 하�� 히 ��.

1) �� 하�� 패킷 �� 포�� 하�� 트��크 ��.
2) �� 토�� 해 ��.

- app : �� 하�� 하�� . http, smtp, ftp�� .
- transport : �� 하�� . �� , �� 할�� 해 ��합��. TCP/UDP�� .
- ip : 호��트�� 호��트, �� (패킷)�� 하�� 할�� 합��. �� .
- link : �� 할�� 합��. ��, �� 포함��.
- physical : ��트�� 키�� 할�� 합��. �� 한 ��, �� .

3) 하�� 통�� 할 �� .

- �� , �� 하�� 할 �� 하�� 해��.
- ��, �� 해�� 함�� 하�� 함�� 하�� 통�� 할 �� .

4) �� ?

- �� (Internet socket, socket' �� network socket �� 한��)�� 트��크�� 퓨�� 통�� 한 통�� .

��트��크 통�� 한 �� 하��, �� 통해�� 환한��. - wikipedia

- �� 크�� :P ��히 ��하�� 클��트�� byte stream�� 파�� 하�� 해�� .

파��	��
파��	��
fopen()	connect()
read()/write()	read()/write()
close()	close()

5) ��한 ��항�� http://forum.falinux.com/zbxe/?document_srl=441104 �� 하��.

4.2.3. �� ¶

c��

1) �� 페�� 하�� 클��트 �� .
2) ��항�� 클��트�� 클��트�� .
3) �� 하�� . 한�� 해�� .
4) �� 환�� gcc�� 해 ��.
5) �� 톡�� 키 �� 해 ��.

4.2.4. ��항 ¶

�� 해�� 합��:D

1) w3schools�� 해�� .

4.2.5. �� ¶

�� 하�� =_=ㅋ �� ㅋㅋ - ��태��
�� 하��. ��트��크�� 해 �� 했�� fail�� . �� 하�� 탈�� ..... �� 화�� 해�� .. �� 희�� . �� . - ��
�� C�� ㅋㅋ - ��호
�� ㅋㅋㅋㅋ ��트��크 �� 힘�� 할�� 헤��하�� 한 �� - ��
�� 해�� 할 �� . - ��희��
- 희��...��해�� ... - ��
  - ��트 �� 2�� 할 �� .(��?) - ��희��
�� 해�� . �� 할 �� 했�� 해�� 해 할 �� . �� 했��. �� 히 해�� . �� 트�� 히 탐�� . - ��
- ��... - ��희��
- �� 했��. VS�� 하�� 하�� 투�� 했��. �� 하�� 함�� 한�� 힘��. �� 하�� . �� 행했�� 행했�� Bind�� . �� 행할 �� 포트�� 해��했��. �� ? - ��
  - �� 학�� 트�� bind ��, 해�� 포트�� (bind하��) �� 하�� bind하�� 했�� . �� bind한 �� bind�� 해��하�� 합��. bind 해�� 하��. - 황��
  - �� ! ��합��. - ��
    - ��한 해�� . �� 하�� setsockopt(mySocket, SOL_SOCKET, SO_REUSEADDR, &anyIntegerVariableThatContainsNonZero, sizeof(anyIntegerVariableThatContainsNonZero)); 함�� 호��하�� 하�� 해�� 포트�� . - 황��

4.3. 3회��(2012�� 3�� 23��) ¶

4.3.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.3.2. �� ¶

�� 한 �� 해 �� 했��.

1) 포트�� 해��하��?

- �� 할�� 하�� 클��트��

포트�� 통�� 합��.

- �� 하�� 하�� 클��트�� 하�� 황�� 히 ��할 �� .

2) 하�� 클��트�� 하�� ?

- ��. ��험해��

3) �� 클��트�� 편합��. �� ?

- thread�� 하�� 클��트�� 한 ��플�� 하��

concurrent �� 하��.

4) �� 클��트 �� 항�� 큽��.

- ��향 통�� 한�� off-line��태�� 하��

�� push형�� . �� C2DM�� 합��.
Thread�� 해�� .

- thread�� 하�� 하�� 히 ��하��.

�� 할 �� .

4.3.3. �� ¶

�� 클��트�� 하�� 하��

- terminal�� 행�� 험�� 행해 ��.
하�� 클��트�� 하�� 해��.
�� 클��트�� 한�� 하�� , �� 하�� 해��.
- 클��트�� while�� 하�� 할 �� .

4.3.4. ��항 ¶

4.3.5. �� ¶

��파�� 확��해�� gcc�� -lpthread�� 하��. - ��희��
�� 하�� 하�� send�� , recv�� 큐�� . �� read�� 파��포�� 함�� 파��포�� 하�� . recv�� 하�� 해�� 할 �� .
�� 트 :
- http://www.joinc.co.kr/modules/moniwiki/wiki.php/man/2/recv
- http://www.joinc.co.kr/modules/moniwiki/wiki.php/man/2/read
  
  -��희��
�� 트 (close�� bind 해�� )
- http://www.joinc.co.kr/modules/moniwiki/wiki.php/Site/Network_Programing/AdvancedComm/SocketOption
  
  -��희��
�� . - ��희��
�� 행 �� 하�� 포�� . �� 했��. - ��희��
�� - ��희��
- �� 확히 ��? �� - ��
  - �� 한 클��트�� (�� 한 �� )- ��희��
  - 하�� 했��...<- 퍽 - ��희��
  - �� . �� . �� 하��.. - ��
  - �� 팅 �� 20�� !. �� 토�� 태 ��... �� ! - ��희��
�� 키�� 하�� .. �� .... - ��
- ��팅�� 해��한�� 클��트�� 하�� , �� 하�� 클��트�� ? - ��희��
  
  p.s. 한�� 포트�� 학��형 �� 하�� ...
- �� 하�� 하�� 했�� ㅋㅋㅋㅋ �� 하�� ㅋㅋㅋ - ��
  - �� 한�� ... �� 험 크�� - ��희��
  - �� . - ��희��
할 �� 했�� 하�� . �� 히 해�� . - ��

4.4. 4회��(2012�� 3�� 27��) ¶

4.4.1. �� ¶

��	��	��
학��	��	O
학��	��희��	O

4.4.2. �� ¶

�� 해 �� 했��.

1) �� 학�� 클��트 �� 한��

-> �� 한�� close해�� .

2) 하�� 클��트�� 하��

-> �� 해�� 히 �� 하�� 해�� .

3) ��키�� 트�� 한 ��

-> �� 키 ��트�� 하��

�� 했�� thread�� 희�� 학�� thread�� 팅 �� . ��
concurrent �� 해 ��.

1) thread ��

- thread�� thread�� 하��, �� 키�� 해 ��.
- ��한 �� 크�� . http://www.joinc.co.kr/modules/moniwiki/wiki.php/Site/Thread/Beginning/WhatThread

4.4.3. �� ¶

socket�� thread�� 하�� 팅 �� 하��.

4.4.4. ��항 ¶

4.4.5. �� ¶

�� 키 ��트�� . �� 해�� 하��.. �� . �� . �� 해�� 큘�� 하�� 히�� 한 �� 하�� 했��. �� 할 �� . - ��

4.5. 5회��(2012�� 3�� 30��) ¶

4.5.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.5.2. �� ¶

4.5.3. �� ¶

4.5.4. ��항 ¶

4.5.5. �� ¶

��희��/��티��팅 ��. �� ... - ��희��
�� . �� . ��호 �� - ��희�� 하��...

4.6. 6회��(2012�� 4�� 3��) ¶

4.6.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.6.2. �� ¶

NTFS�� 하�� 하�� 하��.

��

  // 헤��� : ntfs.h
#pragma once
#define _WIN32_WINNT 0x0500

#include <windows.h>
#include <winioctl.h>
#include <stdio.h>

typedef BOOLEAN TF;
typedef	UCHAR U8;
typedef USHORT U16;
typedef ULONG U32;
typedef ULONGLONG U64;

typedef struct {
	U32 Type;
	U16 UsaOffset;
	U16 UsaCount;
	U64 Usn;
} NTFS_RECORD_HEADER, *PNTFS_RECORD_HEADER;

typedef struct {
	NTFS_RECORD_HEADER Ntfs;
	U16 SequenceNumber;
	U16 LinkCount;
	U16 AttributeOffset;
	U16 Flags;		// inUse 0x0001 Directory 0x0002
	U32 BytesInUse;
	U32 BytesAllocated;
	U64 BaseFileRecord;
	U16 NextAttributeNumber;
} FILE_RECORD_HEADR, *PFILE_RECORD_HEADER;

// Standard Attribute

typedef enum {
	AttributeStandardInformation = 0x10,
	AttributeAttributeList = 0x20,
	AttributeFileName = 0x30,
	AttributeObjectId = 0x40,
	AttributeSecurityDesciptor = 0x50,
	AttributeVolumeName = 0x60,
	AttributeVolumeInformation = 0x70,
	AttributeData = 0x80,
	AttributeIndexRoot = 0x90,
	AttributeIndexAllocation = 0xA0,
	AttributeBitmap = 0xB0,
	AttributeReparsePoint = 0xC0,
	AttributeEAInformation = 0xD0,
	AttributeEA = 0xE0,
	AttributePropertySet = 0xF0,
	AttributeLoggedUtilityStream = 0x100
} ATTRIBUTE_TYPE, *PATTRIBUTE_TYPE;

typedef struct {
	ATTRIBUTE_TYPE AttributeType;
	U32 Length;
	TF Nonresident;
	U8 NameLength;
	U16 NameOffset;
	U16 Flags;
	U16 AttributeNumber;
} ATTRIBUTE, *PATTRIBUTE;

typedef struct {
	ATTRIBUTE Attribute;
	U32 ValueLength;
	U16 ValueOffset;
	U16 Flags;
} RESIDENT_ATTRIBUTE,*PRESIDENT_ATTRIBUTE;



#pragma pack(push, 1)
typedef struct {
	U8 Jump[3];
	U8 Format[8];
	U16 BytesPerSector;	//��������� ������트 ���
	U8 SectorsPerCluster;	//��������� 클������������
	U16 BootSectors;
	U8 Mbz1;
	U16 Mbz2;
	U16 Reserved1;
	U8 MediaType;
	U16 Mbz3;
	U16 SectorsPerTrack;
	U16 NumberOfHeads;
	U32 PartitionOffset;
	U32 Reserved2[2];
	U64 TotalSectors;	//������크��� ��� ���������.
	U64 MftStartLcn;	//MFT��� ������������ ������.
	U64 Mft2StartLcn;	// MFT Mirror ��������� ������������ ������
	U32 ClustersPerFileRecord;	// 파��� ������������ 클������������
	U32 ClustersPerIndexBlock;	//	��������� ��������� 클������������
	U64 VolumeSerialNumber;
	U8 Code[0x1AE];
	U16 BootSignature;
} BOOT_BLOCK, *PBOOT_BLOCK;
#pragma pack(pop)

- main.cpp

#include "ntfs.h"

U32 BytesPerFileRecord;
BOOT_BLOCK boot_block;
HANDLE hVolume;
U32 cnt;
CHAR drive[] = "\\\\.\\C:";
PFILE_RECORD_HEADER MFT;


void ReadSector(U64 sector, U32 count, void* buffer);
void LoadMFT();

void main()
{

	hVolume = CreateFile(drive, GENERIC_READ,FILE_SHARE_READ | FILE_SHARE_WRITE, 0,OPEN_EXISTING, 0, 0);
	ReadFile(hVolume, &boot_block, sizeof(boot_block), &cnt, 0);
	
	printf("======My FILE SYSTEM INFO==========\n");
	printf("File System : %s \n",boot_block.Format);
	printf("Total Sectors : %u \n",boot_block.TotalSectors);
	printf("Sector per Bytes : %u \n",boot_block.BytesPerSector);
	printf("Cluster per Sectors : %u\n",boot_block.SectorsPerCluster);
	printf("Clusters Per FileRecord : %u\n",boot_block.ClustersPerFileRecord);
	printf("Clusters Per IndexBlock : %u\n",boot_block.ClustersPerIndexBlock);

}

void LoadMFT()
{
	BytesPerFileRecord = boot_block.ClustersPerFileRecord < 0x80? boot_block.ClustersPerFileRecord* boot_block.SectorsPerCluster* boot_block.BytesPerSector : 1 << (0x100 - boot_block.ClustersPerFileRecord);
	MFT = PFILE_RECORD_HEADER(new U8[BytesPerFileRecord]);
	ReadSector(boot_block.MftStartLcn * boot_block.SectorsPerCluster,	BytesPerFileRecord / boot_block.BytesPerSector, MFT);
	printf("buffer : %s\n", MFT+0x27);
}

void ReadSector(U64 sector, U32 count, void* buffer)
{
	ULARGE_INTEGER offset;
	OVERLAPPED overlap = {0};
	U32 n;
	
	offset.QuadPart = sector * boot_block.BytesPerSector;
	overlap.Offset = offset.LowPart; 
	overlap.OffsetHigh = offset.HighPart;
	ReadFile(hVolume, buffer, count * boot_block.BytesPerSector, &n, &overlap);
	
}

4.6.3. �� ¶

http://forensic-proof.com/ �� mft�� 해 ��.

4.6.4. ��항 ¶

��팅 �� 해��. 힌트 - cpp ��할, 함��화

4.6.5. �� ¶

�� 한 �� 페�� 하��. - ��희��
�� 할�� 합��. �� . - ��희��

4.7. 7회��(2012�� 4�� 6��) ¶

4.7.1. �� ¶

��	��	O
학��	��	O
학��	��희��	X

4.7.2. �� ¶

NTFS ��하��
��

4.7.3. �� ¶

�� 하�� MFT ��하��

4.7.4. ��항 ¶

�� 크�� 하�� 트�� 하�� 해��

- http://www.codeproject.com/Articles/24415/How-to-read-dump-compare-registry-hives
- http://technet.microsoft.com/en-us/library/cc750583.aspx#XSLTsection124121120120

4.7.5. �� ¶

�� URP��트 �� . ��희�� 하�� 할�� 하�� 하�� - ��
- �� F�� .ㅠㅜ - ��희��
NTFS�� 해�� . ��한 �� . �� .
�� 팅 �� 했��. �� 하�� 할 �� . - ��

4.8. 8회��(2012�� 4�� 10��) ¶

4.8.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.8.2. �� ¶

4.8.3. �� ¶

4.8.4. ��항 ¶

NTFS�� 해 틈틈히 ��해��.

4.8.5. �� ¶

CreateFile함�� 하��. - ��희��
�� 트

http://www.winapi.co.kr/reference/Function/CreateFile.htm
http://www.winapi.co.kr/reference/Function/ReadFile.htm
�� fopen�� 하�� fopen�� , fread�� . - ��희��
fopen�� Standard함�� input�� , �� 할�� 합��. - ��희��
��형�� 16�� 헤��. ;ㅅ; - ��희��
�� 확��하�� 한 �� 해�� MFT�� Little Endian형�� . - ��희��
ReadFile�� overlap�� 힘�� ;ㅅ;
ReadFile�� 파��포�� ReadSector�� ? �� ? - ��희��
- 함�� 해�� 행해 �� , 파�� . - ��희��
파�� 하��.(2012/04/13/01:44)- ��희��
�� 트

http://maj3sty.tistory.com/898
CreateFile함�� LPCWSTR�� 환�� CreateFileA�� 해��.
��한 �� http://stackoverflow.com/questions/3783842/converting-a-string-to-lpcwstr-for-createfile-to-address-a-serial-port

http://social.msdn.microsoft.com/forums/en-US/Vsexpressvc/thread/560002ab-860f-4cae-bbf4-1f16e3b0c8f4 - ��

4.9. 9회��(2012�� 4�� 13��) ¶

4.9.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.9.2. �� ¶

#include "ntfs.h"

U32 BytesPerFileRecord;
BOOT_BLOCK boot_block;
HANDLE hVolume;
U32 cnt;
CHAR drive[] = "\\\\.\\C:";
//WCHAR drive[] = TEXT("\\\\.\\C:");
PFILE_RECORD_HEADER MFT;


void ReadSector(U64 sector, U32 count, void* buffer);
void LoadMFT();

void main()
{

	hVolume = CreateFile(drive, GENERIC_READ,FILE_SHARE_READ | FILE_SHARE_WRITE, 0,OPEN_EXISTING, 0, 0);
	ReadFile(hVolume, &boot_block, sizeof(boot_block), &cnt, 0);
//	FILE *fp=fopen(drive,"rb");
//	fread((void*)&boot_block,sizeof(boot_block),1,fp);

	printf("======My FILE SYSTEM INFO==========\n");
	printf("File System : %s \n",boot_block.Format);
	printf("Total Sectors : %u \n",boot_block.TotalSectors);
	printf("Sector per Bytes : %u \n",boot_block.BytesPerSector);
	printf("Cluster per Sectors : %u\n",boot_block.SectorsPerCluster);
	printf("Clusters Per FileRecord : %u\n",boot_block.ClustersPerFileRecord);
	printf("Clusters Per IndexBlock : %u\n",boot_block.ClustersPerIndexBlock);
	printf("\n\n");
	LoadMFT();
}

void LoadMFT()
{
	int i;
	BytesPerFileRecord = boot_block.ClustersPerFileRecord < 0x80? boot_block.ClustersPerFileRecord* boot_block.SectorsPerCluster* boot_block.BytesPerSector : 1 << (0x100 - boot_block.ClustersPerFileRecord);
	MFT = PFILE_RECORD_HEADER(new U8[BytesPerFileRecord]);

	ReadSector(boot_block.MftStartLcn * boot_block.SectorsPerCluster,	BytesPerFileRecord / boot_block.BytesPerSector, MFT);

	printf("$MFT's Signaturer : %s\n", MFT);//+0x27);
	printf("Offset to fixup array : 0x%02x%02x\n", *((unsigned char*)MFT+5),*((unsigned char*)MFT+4));
	printf("Number of this MFT Entry : 0x%02x%02x%02x%02x\n"
		, *((unsigned char*)MFT+47),*((unsigned char*)MFT+46),*((unsigned char*)MFT+45),*((unsigned char*)MFT+44));

	
	printf("Offset to first attribute : 0x%02x%02x \n"
		, *((unsigned char*)MFT+21),*((unsigned char*)MFT+20));



	i=((int)(*((unsigned char*)MFT+21))<<8)+*((unsigned char*)MFT+20);//Offset������ 포������ ������
	printf("First Attribute : 0x%02x%02x%02x%02x\n",*((unsigned char*)MFT+i+3),*((unsigned char*)MFT+i+2),*((unsigned char*)MFT+i+1),*((unsigned char*)MFT+i));
	i+=4;//������������ 4������트 ������
	printf("First Attribute Size : 0x%02x%02x%02x%02x\n",*((unsigned char*)MFT+i+3),*((unsigned char*)MFT+i+2),*((unsigned char*)MFT+i+1),*((unsigned char*)MFT+i));
	printf("\n");

	

	i=	i+
		((int)(*((unsigned char*)MFT+i+3))<<24)+
		((int)(*((unsigned char*)MFT+i+2))<<16)+
		((int)(*((unsigned char*)MFT+i+1))<<8)+
		*((unsigned char*)MFT+i)
		-4;//������������ ���������해 ������한 4������트��� ������한���.

	printf("Second Attribute : 0x%02x%02x%02x%02x\n",*((unsigned char*)MFT+i+3),*((unsigned char*)MFT+i+2),*((unsigned char*)MFT+i+1),*((unsigned char*)MFT+i));
	i+=4;//������������ 4������트 ������
	printf("Second Attribute Size : 0x%02x%02x%02x%02x\n",*((unsigned char*)MFT+i+3),*((unsigned char*)MFT+i+2),*((unsigned char*)MFT+i+1),*((unsigned char*)MFT+i));
	printf("\n");


	i=	i+
		((int)(*((unsigned char*)MFT+i+3))<<24)+
		((int)(*((unsigned char*)MFT+i+2))<<16)+
		((int)(*((unsigned char*)MFT+i+1))<<8)+
		*((unsigned char*)MFT+i)
		-4;//������������ ���������해 ������한 4������트��� ������한���.

	printf("Third Attribute : 0x%02x%02x%02x%02x\n",*((unsigned char*)MFT+i+3),*((unsigned char*)MFT+i+2),*((unsigned char*)MFT+i+1),*((unsigned char*)MFT+i));
	i+=4;//������������ 4������트 ������
	printf("Third Attribute Size : 0x%02x%02x%02x%02x\n",*((unsigned char*)MFT+i+3),*((unsigned char*)MFT+i+2),*((unsigned char*)MFT+i+1),*((unsigned char*)MFT+i));
	printf("\n");
	
/*
	ReadSector(boot_block.Mft2StartLcn * boot_block.SectorsPerCluster,	BytesPerFileRecord / boot_block.BytesPerSector, MFT);

	printf("$MFT Mirr's Signaturer : %s\n", MFT);//+0x27);
	printf("Offset to fixup array : 0x%02x%02x\n", *((unsigned char*)MFT+5),*((unsigned char*)MFT+4));
	printf("Number of this MFT Entry : 0x%02x%02x%02x%02x\n"
		, *((unsigned char*)MFT+47),*((unsigned char*)MFT+46),*((unsigned char*)MFT+45),*((unsigned char*)MFT+44));
	printf("\n");
//*/

	printf("MftStartLcn : %d\n",boot_block.MftStartLcn);
	printf("Mft2StartLcn : %d\n",boot_block.Mft2StartLcn);
}


void ReadSector(U64 sector, U32 count, void* buffer)
{
	ULARGE_INTEGER offset;
	OVERLAPPED overlap = {0};
	U32 n;
	
	offset.QuadPart = sector * boot_block.BytesPerSector;
	overlap.Offset = offset.LowPart; 
	overlap.OffsetHigh = offset.HighPart;
	ReadFile(hVolume, buffer, count * boot_block.BytesPerSector, &n, &overlap);
}

4.9.3. �� ¶

4.9.4. ��항 ¶

��
��험��

4.9.5. �� ¶

�� 함�� , �� 환하�� 함�� .
�� 합��.
htons, htonl
HxD�� 헥�� . 4�� 트�� 파�� 8�� 트�� 합��. �� 한 �� .
http://mh-nexus.de/en/hxd/ - ��
Code jam�� 태�� ... - ��희��
�� 해��하�� 형�� 하��. 4bit unsigned ��형�� 3byte,7byte unsigned ��형�� 하��.ㅠㅜ - ��희��

4.10. 10회��(2012�� 4�� 17��) ¶

4.10.1. �� ¶

��	��	O
학��	��	O
학��	��희��	O

4.10.2. �� ¶

#include "ntfs.h"

U32 BytesPerFileRecord;
BOOT_BLOCK boot_block;
HANDLE hVolume;
U32 cnt;
CHAR drive[] = "\\\\.\\C:";
//WCHAR drive[] = TEXT("\\\\.\\C:");
PFILE_RECORD_HEADER MFT;


void ReadSector(U64 sector, U32 count, void* buffer);
void LoadMFT();
unsigned int LoadAttribute(int i);

unsigned __int64 htonll(unsigned __int64);
unsigned int htonl(unsigned int);
//unsigned short htons(unsigned short);

void main()
{

	hVolume = CreateFile(drive, GENERIC_READ,FILE_SHARE_READ | FILE_SHARE_WRITE, 0,OPEN_EXISTING, 0, 0);
	ReadFile(hVolume, &boot_block, sizeof(boot_block), &cnt, 0);
//	FILE *fp=fopen(drive,"rb");
//	fread((void*)&boot_block,sizeof(boot_block),1,fp);

	printf("======My FILE SYSTEM INFO==========\n");
	printf("File System : %s \n",boot_block.Format);
	printf("Total Sectors : %u \n",boot_block.TotalSectors);
	printf("Sector per Bytes : %u \n",boot_block.BytesPerSector);
	printf("Cluster per Sectors : %u\n",boot_block.SectorsPerCluster);
	printf("Clusters Per FileRecord : %u\n",boot_block.ClustersPerFileRecord);
	printf("Clusters Per IndexBlock : %u\n",boot_block.ClustersPerIndexBlock);
	printf("\n\n");
	LoadMFT();
	system("pause");
}

void LoadMFT()
{
	int point;
	unsigned __int64 num;
	BytesPerFileRecord = boot_block.ClustersPerFileRecord < 0x80? boot_block.ClustersPerFileRecord* boot_block.SectorsPerCluster* boot_block.BytesPerSector : 1 << (0x100 - boot_block.ClustersPerFileRecord);
	MFT = PFILE_RECORD_HEADER(new U8[BytesPerFileRecord]);

	printf("MftStartLcn : %016x\n",boot_block.MftStartLcn);
	printf("Mft2StartLcn : %016x\n",boot_block.Mft2StartLcn);
	printf("\n");

	//0 ������ ������ ������하��� ������ MFT entry��� ��� ��� ������.
	ReadSector((boot_block.MftStartLcn+0) * boot_block.SectorsPerCluster,	BytesPerFileRecord / boot_block.BytesPerSector, MFT);
	

	printf("MFT's Signaturer : %s\n", MFT);//+0x27);
	printf("Offset to fixup array : 0x%02x%02x\n", *((unsigned char*)MFT+5),*((unsigned char*)MFT+4));
	printf("Number of this MFT Entry : 0x%02x%02x%02x%02x\n"
		, *((unsigned char*)MFT+47),*((unsigned char*)MFT+46),*((unsigned char*)MFT+45),*((unsigned char*)MFT+44));

	printf("Offset to first attribute : 0x%02x%02x \n"
		, *((unsigned char*)MFT+21),*((unsigned char*)MFT+20));
	printf("\n");


	point=((int)(*((unsigned char*)MFT+21))<<8)+*((unsigned char*)MFT+20);//Offset������ 포������ ������
	
	printf("Attribute List Start\n\n");
	while(htonl(*((unsigned int*)((unsigned char*)MFT+point)))!=0xFFFFFFFF)
		point+=LoadAttribute(point);
	printf("Attribute List End\n");

	printf("\n");

}

unsigned int LoadAttribute(int point)
{
	int i=0,j=0,k=0;
	int HeaderSize;

	/*
		*((unsigned char*)MFT+i+9) = Attribute Name Size
		Resident=24 / Non-resident=64
	*/

	if(*((unsigned char*)MFT+point+8))
		HeaderSize=64+*((unsigned char*)MFT+point+9);
	else
		HeaderSize=24+*((unsigned char*)MFT+point+9);


	switch(htonl(*((unsigned int*)((unsigned char*)MFT+point))))
	{
	case 0x10://$STANDARD_INFORMATION
		printf("Attribute type : Standard Information\n");
		break;

	case 0x20://$ATTRIBUTE_LIST
		printf("Attribute type : Attribute List\n");
		break;

	case 0x30://$FILE_NAME
		printf("Attribute type : File Name\n");
		printf("File Name Size : %d\n",*((unsigned char*)MFT+point+HeaderSize+64));	
		printf("File NameSpace : ");
		switch(*((unsigned char*)MFT+point+HeaderSize+65))
		{
		case 0:
			printf("POSIX\n");
			break;
		case 1:
			printf("Win32\n");
			break;
		case 2:
			printf("DOS\n");
			break;
		case 3:
			printf("Win32 & DOS\n");
			break;
		}
		printf("File Name : ");
		for(j=0;j<2**((unsigned char*)MFT+point+HeaderSize+64);j++)
			printf("%c",*((unsigned char*)MFT+point+HeaderSize+66+j));
		printf("\n");
		break;

	case 0x40://$
		printf("Attribute type : \n");
		break;

	case 0x50://$SECURITY_DESCRIPTOR
		printf("Attribute type : Security Descriptor\n");
		break;

	case 0x60://$
		printf("Attribute type : \n");
		break;

	case 0x70://$
		printf("Attribute type : \n");
		break;

	case 0x80://$DATA
		printf("Attribute type : Data\n");

		//__int64��� ��������������� little endian��������� ���������. ��������� ���해��� ��� ���������...
		printf("Run List  Start VCN : %I64d\n",*((unsigned __int64*)((unsigned char*)MFT+point+16)));
		printf("Run List   End  VCN : %I64d\n",*((unsigned __int64*)((unsigned char*)MFT+point+24)));
		printf("Run List Start Offset : 0x%02x%02x\n",*((unsigned char*)MFT+point+33),*((unsigned char*)MFT+point+32));

//		printf("Cluster Size : %I64d\n",*((unsigned __int64*)((unsigned char*)MFT+point+40)));
//		printf("Attribute Size : %I64d\n",*((unsigned __int64*)((unsigned char*)MFT+point+48)));
//		printf("real Size : %I64d\n",*((unsigned __int64*)((unsigned char*)MFT+point+56)));

		i=(int)*((unsigned char*)MFT+point+33)+*((unsigned char*)MFT+point+32);

		for(j=0;j<(*((unsigned char*)MFT+point+i)&0x0F);j++)//*((unsigned __int64*)((unsigned char*)MFT+point+24));j++)
		{
			printf("Cluster %d lenth : 0x",j);
			for(k=0;k<(*((unsigned char*)MFT+point+i)&0x0F);k++)
				printf("%02x",*((unsigned char*)MFT+point+i+(*((unsigned char*)MFT+point+i)&0x0F)-k));
			printf("\n");

			printf("Cluster %d offset : 0x",j);
			for(;k<(*((unsigned char*)MFT+point+i)&0x0F)+((*((unsigned char*)MFT+point+i)&0xF0)>>4);k++)
				printf("%02x",*((unsigned char*)MFT+point+i
					+(*((unsigned char*)MFT+point+i)&0x0F)+((*((unsigned char*)MFT+point+i)&0xF0)>>4)
					-k+(*((unsigned char*)MFT+point+i)&0x0F)));
			printf("\n");
			i+=(*((unsigned char*)MFT+point+i)&0x0F)+((*((unsigned char*)MFT+point+i)&0xF0)>>4)+1;
		}
		break;
	case 0xB0:
		printf("Attribute type : Bitmap\n");
		break;
	}

	printf("\n");

	return htonl(*((unsigned int*)((unsigned char*)MFT+point+4)));
}

void ReadSector(U64 sector, U32 count, void* buffer)
{
	ULARGE_INTEGER offset;
	OVERLAPPED overlap = {0};
	U32 n;
	
	offset.QuadPart = sector * boot_block.BytesPerSector;
	overlap.Offset = offset.LowPart; 
	overlap.OffsetHigh = offset.HighPart;
	ReadFile(hVolume, buffer, count * boot_block.BytesPerSector, &n, &overlap);
}



unsigned __int64 htonll(unsigned __int64 LittleEndian)
{
	unsigned __int64 BigEndian;
	int i;
	LittleEndian>>=16;
	BigEndian=0;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+7))<<54;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+6))<<48;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+5))<<40;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+4))<<32;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+3))<<24;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+2))<<16;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+1))<<8;
	BigEndian+=(unsigned __int64)(*((unsigned char*)&LittleEndian+0));
	return BigEndian;
}


unsigned int htonl(unsigned int LittleEndian)
{
	unsigned int BigEndian;
	BigEndian=
		((unsigned int)(*((unsigned char*)&LittleEndian+3))<<24)+
		((unsigned int)(*((unsigned char*)&LittleEndian+2))<<16)+
		((unsigned int)(*((unsigned char*)&LittleEndian+1))<<8)+
		*((unsigned char*)&LittleEndian)
		;
	return BigEndian;
}



/*
unsigned short htons(unsigned short LittleEndian)
{
	unsigned short BigEndian;
	BigEndian=
		((unsigned short)(*((unsigned char*)&LittleEndian+1))<<8)+
		*((unsigned char*)&LittleEndian)
		;
	return BigEndian;
}
/*/

4.10.3. �� ¶

4.10.4. ��항 ¶

4.10.5. �� ¶

��탬�� , �� 파트�� 한테 �� ...- ��희��
- (�� MS ��, �� micro second ��)
http://ezbeat.tistory.com/124

��탬�� 포�� 환 API - ��희��
http://lioler.blog.me/20051109234

NFTS �� - ��희��
�� 황
클��화 ��, �� . (�� , 파�� , data �� )
��희��/MTFREADER - ��희��

��/2012

새싹교실/2012/세싹

Contents

1. ������������ ¶

2. ������������ ¶

3. feedback ¶

4. ������ ¶

4.1. 1회���(2012��� 3��� 16���) ¶

4.1.1. ������ ¶

4.1.2. ������������ ¶

4.1.3. ������ ¶

4.1.4. ���������항 ¶

4.1.5. ����� ¶

4.2. 2회���(2012��� 3��� 20���) ¶

4.2.1. ������ ¶

4.2.2. ������������ ¶

4.2.3. ������ ¶

4.2.4. ���������항 ¶

4.2.5. ����� ¶

4.3. 3회���(2012��� 3��� 23���) ¶

4.3.1. ������ ¶

4.3.2. ������������ ¶

4.3.3. ������ ¶

4.3.4. ���������항 ¶

4.3.5. ����� ¶

4.4. 4회���(2012��� 3��� 27���) ¶

4.4.1. ������ ¶

4.4.2. ������������ ¶

4.4.3. ������ ¶

4.4.4. ���������항 ¶

4.4.5. ����� ¶

4.5. 5회���(2012��� 3��� 30���) ¶

4.5.1. ������ ¶

4.5.2. ������������ ¶

4.5.3. ������ ¶

4.5.4. ���������항 ¶

4.5.5. ����� ¶

4.6. 6회���(2012��� 4��� 3���) ¶

4.6.1. ������ ¶

4.6.2. ������������ ¶

4.6.3. ������ ¶

4.6.4. ���������항 ¶

4.6.5. ����� ¶

4.7. 7회���(2012��� 4��� 6���) ¶

4.7.1. ������ ¶

4.7.2. ������������ ¶

4.7.3. ������ ¶

4.7.4. ���������항 ¶

4.7.5. ����� ¶

4.8. 8회���(2012��� 4��� 10���) ¶

4.8.1. ������ ¶

4.8.2. ������������ ¶

4.8.3. ������ ¶

4.8.4. ���������항 ¶

4.8.5. ����� ¶

4.9. 9회���(2012��� 4��� 13���) ¶

4.9.1. ������ ¶

4.9.2. ������������ ¶

4.9.3. ������ ¶

4.9.4. ���������항 ¶

4.9.5. ����� ¶

4.10. 10회���(2012��� 4��� 17���) ¶

4.10.1. ������ ¶

4.10.2. ������������ ¶

4.10.3. ������ ¶

4.10.4. ���������항 ¶

4.10.5. ����� ¶