Undelete a file in NTFS

Ramanan.T

Rate me:

4.82/5 (72 votes)

13 Jan 2005CPOL10 min read

374.1K

18.6K

214

A tool to undelete a file in NTFS and a short tutorial on NTFS

ntfsundelete_demo.zip
- Undelete.exe
ntfsundelete_src.zip
- Undelete
  - FindDlg.cpp
  - FindDlg.h
  - MFTRecord.cpp
  - MFTRecord.h
  - NTFSDrive.cpp
  - NTFSDrive.h
  - ReadMe.txt
  - Release
    - Undelete.exe
  - res
    - bitmap1.bmp
    - bitmap2.bmp
    - Undelete.ico
    - Undelete.rc2
  - Resource.h
  - StdAfx.cpp
  - StdAfx.h
  - Undelete.clw
  - Undelete.cpp
  - Undelete.dsp
  - Undelete.dsw
  - Undelete.h
  - Undelete.rc
  - UndeleteDlg.cpp
  - UndeleteDlg.h

// NTFSDrive.h: interface for the CNTFSDrive class.
//
//////////////////////////////////////////////////////////////////////

#if !defined(AFX_NTFSDRIVE_H__078B2392_2978_4C23_97FD_166C4B234BF3__INCLUDED_)
#define AFX_NTFSDRIVE_H__078B2392_2978_4C23_97FD_166C4B234BF3__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000


#pragma pack(push, curAlignment)

#pragma pack(1)
////////////////////////////  boot sector info ///////////////////////////////////////
struct NTFS_PART_BOOT_SEC
{
	char		chJumpInstruction[3];
	char		chOemID[4];
	char		chDummy[4];
	
	struct NTFS_BPB
	{
		WORD		wBytesPerSec;
		BYTE		uchSecPerClust;
		WORD		wReservedSec;
		BYTE		uchReserved[3];
		WORD		wUnused1;
		BYTE		uchMediaDescriptor;
		WORD		wUnused2;
		WORD		wSecPerTrack;
		WORD		wNumberOfHeads;
		DWORD		dwHiddenSec;
		DWORD		dwUnused3;
		DWORD		dwUnused4;
		LONGLONG	n64TotalSec;
		LONGLONG	n64MFTLogicalClustNum;
		LONGLONG	n64MFTMirrLogicalClustNum;
		int			nClustPerMFTRecord;
		int			nClustPerIndexRecord;
		LONGLONG	n64VolumeSerialNum;
		DWORD		dwChecksum;
	} bpb;

	char		chBootstrapCode[426];
	WORD		wSecMark;
};
/////////////////////////////////////////////////////////////////////////////////////////
#pragma pack(pop, curAlignment)


class CNTFSDrive  
{
protected:
//////////////// physical drive info/////////////
	HANDLE	m_hDrive;
	DWORD m_dwStartSector;
	bool m_bInitialized;

	DWORD m_dwBytesPerCluster;
	DWORD m_dwBytesPerSector;
	
	int LoadMFT(LONGLONG nStartCluster);

/////////////////// the MFT info /////////////////
	BYTE *m_puchMFT;  /// the var to hold the loaded entire MFT
	DWORD m_dwMFTLen; // size of MFT

	BYTE *m_puchMFTRecord; // 1K, or the cluster size, whichever is larger
	DWORD m_dwMFTRecordSz; // MFT record size

public:
	struct ST_FILEINFO // this struct is to retrieve the file detail from this class
	{
		char szFilename[_MAX_PATH]; // file name
		LONGLONG	n64Create;		// Creation time
		LONGLONG	n64Modify;		// Last Modify time
		LONGLONG	n64Modfil;		// Last modify of record
		LONGLONG	n64Access;		// Last Access time
		DWORD		dwAttributes;	// file attribute
		LONGLONG	n64Size;		// no of cluseters used
		bool 		bDeleted;		// if true then its deleted file
	};

	int GetFileDetail(DWORD nFileSeq, ST_FILEINFO &stFileInfo);
	int Read_File(DWORD nFileSeq, BYTE *&puchFileData, DWORD &dwFileDataLen);
	
	void SetDriveHandle(HANDLE hDrive);
	void  SetStartSector(DWORD dwStartSector, DWORD dwBytesPerSector);

	int Initialize();
	CNTFSDrive();
	virtual ~CNTFSDrive();

};

#endif // !defined(AFX_NTFSDRIVE_H__078B2392_2978_4C23_97FD_166C4B234BF3__INCLUDED_)

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By

Ramanan.T

Software Developer (Senior)

Australia

This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Undelete a file in NTFS

License

Comments and Discussions