How to dump the NTFS $Bitmap file

2019-07-02 20:59发布

问题:

For a project, I want to get the list of all free/used clusters on an NTFS partition. For this i have to dump the $Bitmap file and parse its contents.

There are few API's and examples on the web, but however they don't seem to work. Is there a simple way/ code sample to just copy the $Bitmap file somewhere.

Is using FSCTL_GET_VOLUME_BITMAP the only way? Ideally I would like to do it in C#.

回答1:

NFI.EXE which is (used to be) part of the "oem support tools" can enumerate all NTFS partition items. It might also be capable to dump the content of $Bitmap.



回答2:

You definitely want to go the easy route and use the IOCTL rather than trying to read $Bitmap directly. Of course, you don't have to do it yourself if somebody has done it for you. It turns out that an MSDN blogger has already written a nice little wrapper for you:

http://blogs.msdn.com/b/jeffrey_wall/archive/2004/09/13/229137.aspx

The whole class is over 300 lines of code, so I won't post it all, but here's the function that gets the volume bitmap:

    /// <summary>
    /// Get cluster usage for a device
    /// </summary>
    /// <param name="DeviceName">use "c:"</param>
    /// <returns>a bitarray for each cluster</returns>
    static public BitArray GetVolumeMap(string DeviceName)
    {
        IntPtr pAlloc = IntPtr.Zero;
        IntPtr hDevice = IntPtr.Zero;

        try
        {
            hDevice = OpenVolume(DeviceName);

            Int64 i64 = 0;

            GCHandle handle = GCHandle.Alloc(i64, GCHandleType.Pinned);
            IntPtr p = handle.AddrOfPinnedObject();

            // alloc off more than enough for my machine
            // 64 megs == 67108864 bytes == 536870912 bits == cluster count
            // NTFS 4k clusters == 2147483648 k of storage == 2097152 megs == 2048 gig disk storage
            uint q = 1024 * 1024 * 64; // 1024 bytes == 1k * 1024 == 1 meg * 64 == 64 megs

            uint size = 0;
            pAlloc = Marshal.AllocHGlobal((int)q);
            IntPtr pDest = pAlloc;

            bool fResult = DeviceIoControl(
                hDevice,
                FSConstants.FSCTL_GET_VOLUME_BITMAP,
                p,
                (uint)Marshal.SizeOf(i64),
                pDest,
                q,
                ref size,
                IntPtr.Zero);

            if (!fResult)
            {
                throw new Exception(Marshal.GetLastWin32Error().ToString());
            }
            handle.Free();

            /*
            object returned was...
      typedef struct 
      {
       LARGE_INTEGER StartingLcn;
       LARGE_INTEGER BitmapSize;
       BYTE Buffer[1];
      } VOLUME_BITMAP_BUFFER, *PVOLUME_BITMAP_BUFFER;
            */
            Int64 StartingLcn = (Int64)Marshal.PtrToStructure(pDest, typeof(Int64));

            Debug.Assert(StartingLcn == 0);

            pDest = (IntPtr)((Int64)pDest + 8);
            Int64 BitmapSize = (Int64)Marshal.PtrToStructure(pDest, typeof(Int64));

            Int32 byteSize = (int)(BitmapSize / 8);
            byteSize++; // round up - even with no remainder

            IntPtr BitmapBegin = (IntPtr)((Int64)pDest + 8);

            byte[] byteArr = new byte[byteSize];

            Marshal.Copy(BitmapBegin, byteArr, 0, (Int32)byteSize);

            BitArray retVal = new BitArray(byteArr);
            retVal.Length = (int)BitmapSize; // truncate to exact cluster count
            return retVal;
        }
        finally
        {
            CloseHandle(hDevice);
            hDevice = IntPtr.Zero;

            Marshal.FreeHGlobal(pAlloc);
            pAlloc = IntPtr.Zero;
        }
    }


标签: ntfs ntfs-mft