I write the template set:LDM WinHex 模板
template "LDM Private Header"
description "MyEdit Private Header"
appies_to disk
sector-aligned
big-endian
requires 0x00 "50 52 49 56 48 45 41 44"
begin
{
char[8] "Private Single"
hex 4 "校验和,本扇区所有字节之和"
uint16 "主版本号"
uint16 "次版本号"
hex 4 "未知"
hex 4 "更新时间"
hex 4 "总为零"
uint32 "更新序列号"
int64 "私有头第一备份地址"
int64 "私有头第二备份地址"
char[64] "磁盘IDGUID"
char[64] "主机ID"
char[64] "磁盘组ID"
char[32] "磁盘组名"
hex 2 "未知"
hex 9 "总为0"
int64 "逻辑磁盘起始地址"
int64 "逻辑磁盘大小(扇区数)"
int64 "LDM 数据库的起始地址(扇区)"
int64 "LDM数据库的大小(扇区数)"
int64 "TOC 数量"
int64 "TOC 大小"
uint32 "配置信息数量"
uint32 "日志数量"
int64 "配置信息大小"
int64 "日志大小"
hex 4 "磁盘签名"
hex 16 "磁盘集GUID"
hex 16 "磁盘集GUID"
}
end
template "LDM VMDB"
description "MyLDM VMDB 磁盘配置信息"
appies_to disk
big-endian
sector-aligned
requires 0x00 "56 4D 44 42"
begin
{
hex 4 "固定single VMDB"
uint32 "VBLK 的个数"
uint32 "VBLK 的大小"
uint32 "VMDB 头大小"
hex 2 "更新状态"
uint16 "主版本号"
uint16 "次版本号"
char[31] "磁盘组名"
char[64] "磁盘组ID"
int64 "提交序列号"
int64 "未决序列号"
uint32 "卷提交VBLKs数量"
uint32 "组件提交VBLKs数量"
uint32 "分区提交的VBLKs数量"
uint32 "磁盘提交的VBLKs数量"
hex 4 "未使用"
hex 4 "未使用"
hex 4 "未使用"
uint32 "卷未决VBLKs数量"
uint32 "组件未决VBLKs数量"
uint32 "分区未决VBLKs 数量"
uint32 "磁盘未决VBLKs 数量"
hex 4 "未使用"
hex 4 "未使用"
hex 4 "未使用"
FileTime "最后访问时间"
}
end
template "LDM-TOCblock DirectoryTable"
description "MyEditTOCBLOCK"
appies_to disk
big-endian
multiple
requires 00 "54 4F 43 42 4C 4F 43 4B"
begin
{
section "TOCBLOCK #1"
char[8] "fixe Single"
uint32 "序列号1"
hex 4 "总为零"
uint32 "序列号2"
hex 16 "总为零"
char[8] "位图名1"
hex 2 "位图标识1"
int64 "位图1起始地址"
int64 "位图1大小"
hex 8 "位图标识1"
char[8] "为图名2"
hex 2 "位图标识2"
int64 "位图2起始地址"
int64 "位图2大小"
hex 8 "位图标识2"
endsection
}
end
template "LDM VBLK&Volume"
description "卷的配置记录"
big-endian
appies_to disk
requires 0x00 "56 42 4C 4B"
requires 0x13 "51"
begin
section "VBLK Header"
char[4] "fixe Single VBLK"
uint32 "序列号"
uint32 "参考号"
uint16 "记录号"
uint16 "记录数"
endsection
section "VBLK & Volume(卷)"
uint24 "更新状态" // 这里书本上的结构图错误了
hex 1 "记录类型和状态" // 这里书本上的结构图错误了
uint32 "数据长度"
uint8 "对象ID长度"
IfEqual "对象ID长度" 1
uint8 "对象ID"
Endif
IfEqual "对象ID长度" 2
uint16 "对象ID"
Endif
IfEqual "对象ID长度" 3
uint24 "对象ID"
Endif
IfEqual "对象ID长度" 4
uint32 "对象ID"
Endif
uint8 "名称长度"
char[名称长度] "名称"
uint8 "应用类型长度"
char[应用类型长度] "应用类型"
hex 1 "0值"
char[14] "卷状态(活动)"
uint8 "卷类型(3为普通;4为RAID)"
hex 1 "总是1"
uint8 "卷数量"
hex 3 "0 值"
hex 1 "标志(0x11为普通,0x13为RAID)"
// 子单元数长度的值就是下面字段元数的字节数量
uint8 "子单元数长度"
uint8 "子单元数(分区)"
int64 "日志提交ID"
int64 "ID"
// 大小长度的值就是下面大小的字节数量
uint8 "大小长度"
IfEqual "大小长度" 1
int8 "当前卷扇区数量"
Endif
IfEqual "大小长度" 2
int16 "当前卷扇区数量"
Endif
IfEqual "大小长度" 3
int24 "当前卷扇区数量"
Endif
IfEqual "大小长度" 4
int32 "当前卷扇区数量"
Endif
hex 4 "0值"
hex 1 "分区类型"
hex 16 "卷GUID"
uint8 "ID1长度"
char[ID1长度] "ID1 (驱动器号)"
uint8 "ID2长度"
char[ID2长度] "ID2 (驱动器号)"
endsection
end
template "LDM VBLK&Component(磁盘配置记录)"
description "VBLK 组件配置记录"
big-endian
appies_to disk
requires 0x00 "56 42 4C 4B"
requires 0x13 "32"
begin
section "VBLK Header"
char[4] "fixe Single VBLK"
uint32 "序列号"
uint32 "参考号"
uint16 "记录号"
uint16 "记录数"
endsection
section "VBLK & component(分区)"
uint24 "更新状态"
hex 1 "记录类型和标识"
uint32 "数据长度"
uint8 "组件ID长度(P)"
IfEqual "组件ID长度(P)" 1
int8 "组件ID"
endif
IfEqual "组件ID长度(P)" 2
int16 "组件ID"
endif
IfEqual "组件ID长度(P)" 3
int24 "组件ID"
endif
IfEqual "组件ID长度(P)" 4
int32 "组件ID"
endif
uint8 "组件名称长度"
char[组件名称长度] "组件名称"
uint8 "卷状态(活动)长度(P)"
char[卷状态(活动)长度(P)] "卷状态(活动)"
uint8 "组件类型(1为条带,2为基本或跨区,3为RAID)"
hex 4 "0值"
uint8 "子组件(分区)数量长度(P)"
IfEqual "子组件(分区)数量长度(P)" 1
int8 "子组件(分区)数量"
endif
IfEqual "子组件(分区)数量长度(P)" 2
int16 "子组件(分区)数量"
endif
IfEqual "子组件(分区)数量长度(P)" 3
int24 "子组件(分区)数量"
endif
IfEqual "子组件(分区)数量长度(P)" 4
int32 "子组件(分区)数量"
endif
int64 "日志提交ID"
hex 8 "0值"
uint8 "父ID(卷)长度(P)"
IfEqual "父ID(卷)长度(P)" 1
int8 "父ID(卷)"
endif
IfEqual "父ID(卷)长度(P)" 2
int16 "父ID(卷)"
endif
IfEqual "父ID(卷)长度(P)" 3
int24 "父ID(卷)"
endif
IfEqual "父ID(卷)长度(P)" 4
int32 "父ID(卷)"
endif
hex 1 "0值"
uint8 "条带大小(以扇区为单位)长度"
IfEqual "父ID(卷)长度(P)" 1
int8 "条带大小"
endif
IfEqual "条带大小(以扇区为单位)长度" 2
int16 "条带大小"
endif
IfEqual "条带大小(以扇区为单位)长度" 3
int24 "条带大小"
endif
IfEqual "条带大小(以扇区为单位)长度" 4
int32 "条带大小"
endif
uint8 "条带数量长度"
IfEqual "条带数量长度" 1
int8 "条带数量"
endif
IfEqual "条带数量长度" 2
int16 "条带数量"
endif
IfEqual "条带数量长度" 3
int24 "条带数量"
endif
IfEqual "条带数量长度" 4
int32 "条带数量"
endif
endsection
end
template "LDM VBLK&Partition结构(磁盘配置记录)"
description "VBLK 分区类型 配置记录"
big-endian
appies_to disk
requires 0x00 "56 42 4C 4B"
requires 0x13 "33"
begin
section "VBLK Header"
char[4] "fixe Single VBLK"
uint32 "序列号"
uint32 "参考号"
uint16 "记录号"
uint16 "记录数"
endsection
section "VBLK & partition(分区)"
uint24 "更新状态"
hex 1 "记录类型和标识"
uint32 "数据长度"
uint8 "分区ID长度"
IfEqual "分区ID长度" 1
int8 "分区ID"
endif
IfEqual "分区ID长度" 2
int16 "分区ID"
endif
IfEqual "分区ID长度" 3
int24 "分区ID"
endif
IfEqual "分区ID长度" 4
int32 "分区ID"
endif
uint8 "分区名称长度"
char[分区名称长度] "分区名称"
hex 4 "0值"
int64 "日志提交ID"
int64 "在磁盘中起始位置"
int64 "在卷中偏移"
uint8 "分区大小长度"
IfEqual "分区大小长度" 1
int8 "分区大小(扇区数)"
endif
IfEqual "分区大小长度" 2
int16 "分区大小(扇区数)"
endif
IfEqual "分区大小长度" 3
int24 "分区大小(扇区数)"
endif
IfEqual "分区大小长度" 4
int32 "分区大小(扇区数)"
endif
uint8 "父对象ID(组件)长度(P)"
IfEqual "父对象ID(组件)长度(P)" 1
int8 "父对象ID(组件)"
endif
IfEqual "父对象ID(组件)长度(P)" 2
int16 "父对象ID(组件)"
endif
IfEqual "父对象ID(组件)长度(P)" 3
int24 "父对象ID(组件)"
endif
IfEqual "父对象ID(组件)长度(P)" 4
int32 "父对象ID(组件)"
endif
uint8 "磁盘对象ID长度(P)"
IfEqual "磁盘对象ID长度(P)" 1
int8 "磁盘对象ID"
int8 "组件部分的索引"
endif
IfEqual "磁盘对象ID长度(P)" 2
int16 "磁盘对象ID"
int16 "组件部分的索引"
endif
IfEqual "磁盘对象ID长度(P)" 3
int24 "磁盘对象ID"
int24 "组件部分的索引"
endif
IfEqual "磁盘对象ID长度(P)" 4
int32 "磁盘对象ID"
int32 "组件部分的索引"
endif
endsection
end
template "LDM VBLK&Disk(磁盘配置记录)"
description "VBLK 磁盘配置记录"
big-endian
appies_to disk
requires 0x00 "56 42 4C 4B"
requires 0x13 "34"
begin
section "VBLK Header"
char[4] "fixe Single VBLK"
uint32 "序列号"
uint32 "参考号"
uint16 "记录号"
uint16 "记录数"
endsection
section "VBLK & Disk(磁盘)"
uint24 "更新状态"
hex 1 "记录类型和标识"
uint32 "数据长度"
uint8 "磁盘ID长度"
IfEqual "磁盘ID长度" 1
int8 "磁盘ID"
endif
IfEqual "磁盘ID长度" 2
int16 "磁盘ID"
endif
IfEqual "磁盘ID长度" 3
int24 "磁盘ID"
endif
IfEqual "磁盘ID长度" 4
int32 "磁盘ID"
endif
uint8 "磁盘名称长度"
char[磁盘名称长度] "磁盘名称"
uint8 "磁盘GUID长度"
char[磁盘GUID长度] "磁盘GUID"
uint8 "预备名称长度"
char[预备名称长度] "预备名称"
hex 4 "0值"
int64 "日志提交ID"
endsection
end
template "LDM VBLK&DiskGroup(磁盘组配置记录)"
description "VBLK 磁盘组配置记录"
big-endian
appies_to disk
requires 0x00 "56 42 4C 4B"
requires 0x13 "35"
begin
section "VBLK Header"
hex 4 "fixe Single VBLK"
uint32 "序列号"
uint32 "参考号"
uint16 "记录号"
uint16 "记录数"
endsection
section "VBLK & DiskGroup(磁盘组)"
uint24 "更新状态"
hex 1 "记录类型和标志"
int32 "数据长度"
uint8 "磁盘组ID 长度(代号)"
IfEqual "磁盘组ID 长度(代号)" 1
int8 "磁盘组ID"
endif
IfEqual "磁盘组ID 长度(代号)" 2
int16 "磁盘组ID"
endif
IfEqual "磁盘组ID 长度(代号)" 3
int24 "磁盘组ID"
endif
IfEqual "磁盘组ID 长度(代号)" 4
int32 "磁盘组ID"
endif
uint8 "磁盘组名称长度"
char[磁盘组名称长度] "磁盘组名称"
uint8 "磁盘组GUID 长度"
char[磁盘组GUID 长度] "磁盘组GUID"
hex 4 "0值"
int64 "日志提交ID"
uint8 "可选域1长度"
IfEqual "可选域1长度" 1
hex 1 "可选域1"
endif
IfEqual "可选域1长度" 2
hex 2 "可选域1"
endif
IfEqual "可选域1长度" 3
hex 3 "可选域1"
endif
IfEqual "可选域1长度" 4
hex 4 "可选域1"
endif
uint8 "可选域2长度"
IfEqual "可选域2长度" 1
hex 1 "可选域2"
endif
IfEqual "可选域2长度" 2
hex 2 "可选域2"
endif
IfEqual "可选域2长度" 3
hex 3 "可选域2"
endif
IfEqual "可选域2长度" 4
hex 4 "可选域2"
endif
endsection
end
网友评论