thewhiteninja / ntfstool

Forensics tool for NTFS (parser, mft, bitlocker, deleted files)
MIT License

Stack overflow on my inode 9 #7

Closed (vGimly closed this 2 years ago)

vGimly commented 2 years ago

Due to infinite recursion, the app crashed with a stack overflow. Note the $ATTRIBUTE_LIST with $INDEX_ROOT and Record Num: 0009000000000009, which, &0xFFF..., is mapped to the same inode "9" as the "MFT Record Index".

Signature         : FILE
Update Offset     : 30
Update Number     : 3
$LogFile LSN      : 4854ca4c4
Sequence Number   : 9
Hardlink Count    : 1
Attribute Offset  : 38
Flags             : Unknown (00000009)
Real Size         : 3c0
Allocated Size    : 400
Base File Record  : 0000000000000000h
Next Attribute ID : 13
MFT Record Index  : 9
Update Seq Number : bf
Update Seq Array  : eb010000

Attributes:
-----------

+----------------------------------------------------------------------------------------------------------+
| Id | Type                       | Non-resident | Length | Overview                                       |
+----------------------------------------------------------------------------------------------------------+
| 1  | $STANDARD_INFORMATION      | False        | 72     | File Created Time       : 2021-06-16 12:04:30  |
|    | Raw address: 0000c0002450h |              |        | Last File Write Time    : 2021-06-16 12:04:30  |
|    |                            |              |        | FileRecord Changed Time : 2021-06-16 12:04:30  |
|    |                            |              |        | Last Access Time        : 2021-06-16 12:04:30  |
|    |                            |              |        | Permissions             :                      |
|    |                            |              |        |   read_only     : 0                            |
|    |                            |              |        |   hidden        : 1                            |
|    |                            |              |        |   system        : 1                            |
|    |                            |              |        |   device        : 0                            |
|    |                            |              |        |   normal        : 0                            |
|    |                            |              |        |   temporary     : 0                            |
|    |                            |              |        |   sparse        : 0                            |
|    |                            |              |        |   reparse_point : 0                            |
|    |                            |              |        |   compressed    : 0                            |
|    |                            |              |        |   offline       : 0                            |
|    |                            |              |        |   not_indexed   : 0                            |
|    |                            |              |        |   encrypted     : 0                            |
|    |                            |              |        | Max Number of Versions  : 0                    |
|    |                            |              |        | Version Number          : 0                    |
+----------------------------------------------------------------------------------------------------------+
| 2  | $ATTRIBUTE_LIST            | True         | 344    | $STANDARD_INFORMATION                          |
|    | Raw address: 0000c00024d8h |              |        | Record Num: 0009000000000009                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $FILE_NAME                                     |
|    |                            |              |        | Record Num: 0009000000000009                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $DATA                                          |
|    |                            |              |        | Name      : $SDS                               |
|    |                            |              |        | Record Num: 0009000000000009                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $INDEX_ROOT                                    |
|    |                            |              |        | Name      : $SDH                               |
|    |                            |              |        | Record Num: 0009000000000009                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $INDEX_ROOT                                    |
|    |                            |              |        | Name      : $SII                               |
|    |                            |              |        | Record Num: 0009000000000009                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $INDEX_ALLOCATION                              |
|    |                            |              |        | Name      : $SDH                               |
|    |                            |              |        | Record Num: 00010000000009a2                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $INDEX_ALLOCATION                              |
|    |                            |              |        | Name      : $SII                               |
|    |                            |              |        | Record Num: 00010000000009a2                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $BITMAP                                        |
|    |                            |              |        | Name      : $SDH                               |
|    |                            |              |        | Record Num: 00010000000009a2                   |
|    |                            |              |        | ------                                         |
|    |                            |              |        | $BITMAP                                        |
|    |                            |              |        | Name      : $SII                               |
|    |                            |              |        | Record Num: 00010000000009a2                   |
+----------------------------------------------------------------------------------------------------------+
| 3  | $FILE_NAME                 | False        | 80     | Parent Dir Record Index : 5                    |
|    | Raw address: 0000c00024f8h |              |        | Parent Dir Sequence Num : 5                    |
|    |                            |              |        | File Created Time       : 2021-06-16 12:04:30  |
|    |                            |              |        | Last File Write Time    : 2021-06-16 12:04:30  |
|    |                            |              |        | FileRecord Changed Time : 2021-06-16 12:04:30  |
|    |                            |              |        | Last Access Time        : 2021-06-16 12:04:30  |
|    |                            |              |        | Allocated Size          : 0                    |
|    |                            |              |        | Real Size               : 0                    |
|    |                            |              |        | ------                                         |
|    |                            |              |        | NameType                : DOS & WIN32          |
|    |                            |              |        | Name                    : $Secure              |
+----------------------------------------------------------------------------------------------------------+
| 4  | $DATA                      | True         | 900436 | Name                    : $SDS                 |
|    | Raw address: 0000c0002590h |              |        | Data Size               : 900436 (879.33 KiBs) |
|    |                            |              |        | Dataruns                :                      |
|    |                            |              |        |     Length: 00000041 Offset: 00000325          |
|    |                            |              |        |     Length: 00000001 Offset: 0002870f          |
... skip ...
|    |                            |              |        |     Length: 00000001 Offset: 0009ef91          |
|    |                            |              |        |     Length: 00000001 Offset: 0035ea9f          |
|    |                            |              |        |     Length: 00000001 Offset: 0030301f          |
|    |                            |              |        |     Length: 00000001 Offset: 0068d0b8          |
|    |                            |              |        |     Length: 00000001 Offset: 007fb400          |
|    |                            |              |        |     Length: 00000001 Offset: 00816f84          |
|    |                            |              |        |     Length: 00000001 Offset: 0081a256          |
|    |                            |              |        | Size on disk            : 901120 (880.00 KiBs) |
+----------------------------------------------------------------------------------------------------------+
| 5  | $INDEX_ROOT                | False        | 56     | Attribute Type          : Reparse points       |
|    | Raw address: 0000c0002728h |              |        | Collation Rule          : 18                   |
|    |                            |              |        | Index Alloc Entry Size  : 4096                 |
|    |                            |              |        | Cluster/Index Record    : 1                    |
|    |                            |              |        | -----                                          |
|    |                            |              |        | First Entry Offset      : 16                   |
|    |                            |              |        | Index Entries Size      : 40                   |
|    |                            |              |        | Index Entries Allocated : 40                   |
|    |                            |              |        | Flags                   : Large Index          |
+----------------------------------------------------------------------------------------------------------+
| 6  | $INDEX_ROOT                | False        | 56     | Attribute Type          : Reparse points       |
|    | Raw address: 0000c0002780h |              |        | Collation Rule          : 16                   |
|    |                            |              |        | Index Alloc Entry Size  : 4096                 |
|    |                            |              |        | Cluster/Index Record    : 1                    |
|    |                            |              |        | -----                                          |
|    |                            |              |        | First Entry Offset      : 16                   |
|    |                            |              |        | Index Entries Size      : 40                   |
|    |                            |              |        | Index Entries Allocated : 40                   |
|    |                            |              |        | Flags                   : Large Index          |
+----------------------------------------------------------------------------------------------------------+

To fix this, I just added a check for the same inode before diving into the recursion loop. Probably a better solution is to limit the recursion depth in that place, to fix weird cycled links (just add a counter argument or a global variable)...