Crash on most operations when record cannot be found

[mirh]

Now, for some reason, I have this (totally normally working) partition which mft.record complains has no file record. Trying to run ls from shell or logfile.dump results in a crash.

LogFile from \\.\PhysicalDrive0 > Volume:2
------------------------------------------

[+] Opening \\?\Volume{cb55d575-0000-0000-0000-300300000000}\
[+] Reading $LogFile record

[!] Sorry, the application has crashed!

In WinDbg:

(4d78.2a30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
[0x0]   ntfstool_x64!std::_Ptr_base<Buffer<MFT_RECORD_HEADER *> >::get + 0x1b   
[0x1]   ntfstool_x64!std::shared_ptr<Buffer<MFT_RECORD_HEADER *> >::operator-><Buffer<MFT_RECORD_HEADER *>,0> + 0x20   
[0x2]   ntfstool_x64!MFTRecord::datasize + 0x6d   
[0x3]   ntfstool_x64!print_logfile_records + 0x47c   
[0x4]   ntfstool_x64!commands::logfile::dispatch + 0x282   
00007ff7`ec0a782b 488b00          mov     rax,qword ptr [rax] ds:00000000`00000010=????????????????

EDIT: maybe?

[thewhiteninja]

Can't reproduce the crash without an image.

But there was a problem with large clusters. I changed the way to compute the sectorPerCluster value (8aa1a26d42bd9b5d1d3ac38d882cfd8018578278) and It seems to work 👍 (not intensively tested 😎)

[mirh]

I can confirm it improved, no crashes anymore and mft.record works. Though the other two commands now hit "Attribute $INDEX_ALLOCATION not found" and #23 respectively.