@JockiHendry
Last active March 14, 2018 03:08
Visual C++ 2010 code for displaying the NTFS Change Journal (USN journal) of volume C:
#include "stdafx.h"
#include <Windows.h>
#include <WinIoCtl.h>
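int _tmain(int argc, _TCHAR* argv[])
{
    /*
     * Walk the NTFS change journal (USN journal) of volume C: and print
     * every record returned for the reason mask configured below.
     *
     * Returns 0 when the journal has been read up to its current end, and
     * -1 when opening the volume, either FSCTL, or record validation fails
     * (the Win32 error code is printed first). Command-line arguments are
     * not used.
     */
    (void)argc;
    (void)argv;

    /* Console setup: the cursor position is polled after each record so the
       output can pause when the visible window is nearly full. */
    HANDLE hStdOut = GetStdHandle(STD_OUTPUT_HANDLE);
    CONSOLE_SCREEN_BUFFER_INFO screenBufferInfo;
    SetConsoleTitle(L"Change Journal Viewer by TheSolidSnake");

    /* Open volume C: read-only; the journal is queried through FSCTLs on this handle. */
    HANDLE h = CreateFile(L"\\\\.\\c:", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                          NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        /* GetLastError() yields a DWORD, so %lu rather than %d. */
        printf("Gagal membaca drive C. Kode kesalahan: %lu\n", GetLastError());
        return -1;
    }

    int rc = -1;            /* becomes 0 only when the walk completes */
    DWORD jumlahByte = 0;   /* byte count filled in by each DeviceIoControl */

    /* Query the journal's metadata with FSCTL_QUERY_USN_JOURNAL. */
    USN_JOURNAL_DATA journal;
    if (!DeviceIoControl(h, FSCTL_QUERY_USN_JOURNAL, NULL, 0, &journal, sizeof(journal), &jumlahByte, NULL)) {
        printf("Gagal membaca Change Journal. Kode kesalahan: %lu\n", GetLastError());
        goto cleanup;
    }
    printf("USN_JOURNAL_DATA.UsnJournalID = %#020llx\n", journal.UsnJournalID);
    printf("USN_JOURNAL_DATA.FirstUsn = %#020llx\n", journal.FirstUsn);
    printf("USN_JOURNAL_DATA.NextUsn = %#020llx\n", journal.NextUsn);
    printf("USN_JOURNAL_DATA.LowestValidUsn = %#020llx\n", journal.LowestValidUsn);
    printf("USN_JOURNAL_DATA.MaxUsn = %#020llx\n", journal.MaxUsn);
    printf("USN_JOURNAL_DATA.MaximumSize = %#020llx\n", journal.MaximumSize);
    printf("USN_JOURNAL_DATA.AllocationDelta = %#020llx\n", journal.AllocationDelta);

    /* Read the journal contents, starting from the oldest USN it holds. */
    printf("\nDaftar Record di Change Journal:\n\n");
    READ_USN_JOURNAL_DATA cariUSN;
    cariUSN.StartUsn = journal.FirstUsn;
    cariUSN.ReasonMask = USN_REASON_FILE_CREATE | USN_REASON_FILE_DELETE | USN_REASON_RENAME_NEW_NAME;
    cariUSN.ReturnOnlyOnClose = 0;
    cariUSN.BytesToWaitFor = 0;
    cariUSN.UsnJournalID = journal.UsnJournalID;

    /* Output buffer for FSCTL_READ_USN_JOURNAL. Declared as 64-bit words so
       the USN_RECORDs laid out in it are suitably aligned for direct access. */
    ULONGLONG hasil[4096 / sizeof(ULONGLONG)];

    /* Smallest record the fixed USN_RECORD header can describe; anything
       shorter cannot be read safely. */
    const DWORD minRecord = (DWORD)FIELD_OFFSET(USN_RECORD, FileName);

    for (;;) {
        memset(hasil, 0, sizeof(hasil));
        if (!DeviceIoControl(h, FSCTL_READ_USN_JOURNAL, &cariUSN, sizeof(cariUSN), hasil, sizeof(hasil), &jumlahByte, NULL)) {
            printf("Gagal membaca record di Change Journal. Kode kesalahan: %lu\n", GetLastError());
            goto cleanup;
        }

        /* The buffer begins with the USN to continue from, followed by zero
           or more variable-length USN_RECORDs. Fewer than sizeof(USN) bytes
           means nothing usable came back (the original subtraction would
           have wrapped the unsigned count here). */
        if (jumlahByte < sizeof(USN)) {
            break;
        }
        USN nextUSN;
        memcpy(&nextUSN, hasil, sizeof(nextUSN));
        PUCHAR cursor = (PUCHAR)hasil + sizeof(USN);
        DWORD remaining = jumlahByte - (DWORD)sizeof(USN);

        while (remaining >= minRecord) {
            PUSN_RECORD record = (PUSN_RECORD)cursor;
            DWORD recordLength = record->RecordLength;

            /* Every byte the record claims must lie inside what the driver
               actually returned; a zero length would also never advance. */
            if (recordLength < minRecord || recordLength > remaining) {
                printf("Record Change Journal tidak valid (RecordLength = %lu).\n", recordLength);
                goto cleanup;
            }
            /* FileName is NOT NUL-terminated: it is FileNameLength bytes of
               UTF-16 at FileNameOffset from the record start, so it must be
               printed with an explicit length instead of plain %S. */
            if (record->FileNameOffset > recordLength ||
                record->FileNameLength > recordLength - record->FileNameOffset) {
                printf("Record Change Journal tidak valid (nama file di luar record).\n");
                goto cleanup;
            }
            const WCHAR *namaFile = (const WCHAR *)(cursor + record->FileNameOffset);
            int panjangNama = (int)(record->FileNameLength / sizeof(WCHAR));

            printf("USN : %#020llx\n", (unsigned long long)record->Usn);
            printf("Nama File : %.*S\n", panjangNama, namaFile);
            printf("Reason : ");
            if (record->Reason & USN_REASON_CLOSE) {
                printf(" CLOSE");
            }
            if (record->Reason & USN_REASON_FILE_CREATE) {
                printf(" FILE_CREATE");
            }
            if (record->Reason & USN_REASON_FILE_DELETE) {
                printf(" FILE_DELETE");
            }
            if (record->Reason & USN_REASON_RENAME_NEW_NAME) {
                printf(" RENAME_NEW_NAME");
            }
            printf("\n\n");

            cursor += recordLength;
            remaining -= recordLength;

            /* Pause when the cursor is within four rows of the window bottom.
               The query can fail (e.g. stdout redirected), in which case the
               screen-buffer info is unset and paging is simply skipped. */
            if (GetConsoleScreenBufferInfo(hStdOut, &screenBufferInfo) &&
                screenBufferInfo.dwCursorPosition.Y + 4 > screenBufferInfo.srWindow.Bottom) {
                printf("Tekan sembarang tombol untuk melanjutkan...");
                getchar();
                /* Interactive convenience only; system() spawns a shell. */
                system("cls");
            }
        }

        /* The driver hands back the same USN once the journal end is reached. */
        if (nextUSN == cariUSN.StartUsn) {
            break;
        }
        cariUSN.StartUsn = nextUSN;
    }
    rc = 0;

cleanup:
    CloseHandle(h);
    return rc;
}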