wincmd/ntfs/cmd/example/main.go

package main

import (
	"b612.me/wincmd"
	"b612.me/wincmd/ntfs/mft"
	"b612.me/wincmd/ntfs/usn"
	"b612.me/wincmd/ntfs/utf16"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"log"
	_ "net/http/pprof"
	"regexp"
	"runtime"
	"time"
)

func main() {
	f, size, err := mft.GetMFTFile(`C:\`)
	if err != nil {
		panic(err)
	}
	recordSize := int64(1024)
	i := int64(0)
	fmt.Println("start size is", size)
	alreadyGot := int64(0)
	maxRecordSize := size / recordSize
	if maxRecordSize > 1024 {
		maxRecordSize = 1024
	}
	for {
		for {
			if (size - alreadyGot) < maxRecordSize*recordSize {
				maxRecordSize--
			} else {
				break
			}
		}
		if maxRecordSize < 10 {
			maxRecordSize = 1
		}
		buf := make([]byte, maxRecordSize*recordSize)
		got, err := io.ReadFull(f, buf)
		if err != nil {
			if errors.Is(err, io.EOF) {
				break
			}
			log.Fatalln("Unable to read record data", err)
		}
		alreadyGot += int64(got)
		for j := int64(0); j < 1024*maxRecordSize; j += 1024 {
			record, err := mft.ParseRecord(buf[j : j+1024])
			if err != nil {
				//	fmt.Println("Unable to parse MFT record", err)
				continue
			}

			fname := record.FindAttributes(mft.AttributeTypeFileName)

			for _, v := range fname {
				if (record.Flags&mft.RecordFlagIsIndex)>>3 == 0 && record.Flags&mft.RecordFlagInUse == 1 {
					filename := utf16.DecodeString(v.Data[66:], binary.LittleEndian)
					//data:=utf16.DecodeString(v.Data, binary.LittleEndian)
					if filename != "" {
						attbr := record.FindAttributes(mft.AttributeTypeStandardInformation)
						if len(attbr) == 0 {
							break
						}
						stand, _ := mft.ParseStandardInformation(attbr[0].Data)
						if stand.FileAttributes&mft.FileAttributeNormal == 1 {
							i++
						}
						//oo:=record.FindAttributes(mft.AttributeTypeData)
						//if len(oo)!=0 {
						//	fmt.Println(oo[0].ActualSize)
						//}
						//r := binutil.NewLittleEndianReader(v.Data[:8])
						//fmt.Println(record.FileReference.ToUint64(), r.Uint64(0))
						//fmt.Println(filename)
						//log.Println("Read MFT record")

					}
				}
			}
		}
	}
	fmt.Println(i)

	//go http.ListenAndServe("0.0.0.0:8888", nil)
	fmt.Println("开始获取Windows磁盘列表")
	lists, err := wincmd.ListDrivers()
	if err != nil {
		panic(err)
	}
	info := []usn.DiskInfo{}
	for _, v := range lists {
		data, err := wincmd.GetDiskInfo(v)
		if err != nil {
			continue
		}
		fmt.Println("获取到磁盘信息:", data)
		info = append(info, data)
	}
	fmt.Println("忽略非NTFS磁盘")
	var m runtime.MemStats
	for _, v := range info {
		if v.Format == "NTFS" && v.Driver == `C:\` {

			fmt.Println("开始获取NTFS USN日志，磁盘：", v.Driver)
			fileLists, err := usn.ListUsnFileFn(v.Driver, func(name string, typed bool) bool {
				return true
				if ok, _ := regexp.MatchString(`\.exe$`, name); ok {
					return true
				}
				return false
			})
			if err != nil {
				panic(err)
			}
			fmt.Println(len(fileLists))
			return
			for k, _ := range fileLists {
				fmt.Println(k)
			}
			runtime.ReadMemStats(&m)
			log.Printf("Alloc = %v TotalAlloc = %v Sys = %v NumGC = %v\n", m.Alloc/1024, m.TotalAlloc/1024, m.Sys/1024, m.NumGC)
			runtime.GC()
			p := time.After(time.Second * 86400)
			for {
				select {
				case <-p:
					return
				case <-time.After(time.Second * 10):
					runtime.ReadMemStats(&m)
					log.Printf("Alloc = %v TotalAlloc = %v Sys = %v NumGC = %v\n", m.Alloc/1024, m.TotalAlloc/1024, m.Sys/1024, m.NumGC)
				}
			}
		}
	}
}