Support NTFS USA stream patching #30
Comments
|
Hachoir is basically unmaintained, so I prefer to be more explicit and close this feature request. http://unmaintained.tech/ If you want a feature, you have to implement it ;-) |
|
I thought about implementing this, but never figured out a clean way to
implement "patchable" streams. So I don't really mind closing the FR.
…On Thu, Mar 21, 2019 at 7:29 AM Victor Stinner ***@***.***> wrote:
Hachoir is basically unmaintained, so I prefer to be more explicit and
close this feature request. http://unmaintained.tech/
If you want a feature, you have to implement it ;-)
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#30 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAEmuRELhQXdjRQdpCORtCQSzNiYba3Sks5vY5dEgaJpZM4U9sA->
.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For the NTFS parser I recently learned about the "update sequence array", which is a set of binary patches applied to specific offsets in the stream. Essentially, suppose you have a USA value of "05 00, 6F 20". Then, later in the file, you might see
68 65 6C 6C 05 00 77 6F 72 6C 64
(with the 05 00 at a specific offset - 510 bytes from the start of a 512-byte sector). You are supposed to apply the patch here, to fix it up into
68 65 6C 6C 6F 20 77 6F 72 6C 64
The patches are always at predictable addresses, but in general they could land in the middle of any field set, causing massive breakage when the NTFS parser attempts to parse the USA substitute values instead of the intended bytes.
Is there a way I could temporarily patch the stream reader to return the correct bytes, or is there some other option for properly handling this kind of weakly context-dependent stream patching?
The text was updated successfully, but these errors were encountered: