-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathRecycleBinDumper.cpp
417 lines (346 loc) · 12.4 KB
/
RecycleBinDumper.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
// RecycleBinDumper.cpp
//
// Utility to dump information about files and folders (i.e. directories) in the Windows Recycle Bin.
//
// When a file or folder is deleted in Windows, it is actually moved to a special folder known
// as the Recycle Bin and additional information is also saved there so that it can be restored
// if it was deleted by mistake.
//
// Because the file or folder is simply moved to the Recycle Bin, there actually needs to be
// a Recycle Bin on each logical disk drive (i.e. for each drive letter).
// In fact each user has there own Recycle Bin on each logical disk drive.
//
// The Recycle Bin is a folder with a name in the form:
// C:\$Recycle.Bin\S-1-5-21-1851798247-1933540348-1582327844-1001
// where C: may be any drive letter on the machine
// and where the string starting S-1-5... is the SID of the user.
//
// When a file or folder is moved to the Recycle Bin, it is renamed with a name of the form:
// $RXXXXXX - where XXXXXXX is six random upper case letters or numbers.
//
// A separate file with the same name except starting with $I instead of $R is created
// alongside the original file.
//
// This file is a binary format file that contains the additional information about when the
// file or folder was deleted, the full path to the deleted file or folder's original location,
// and the size of the file or folder when it was deleted.
//
// There are two versions of this file format.
//
// Version 1: Prior to Windows 10
// uint64_t version; // 8 bytes - 1 for this version
// uint64_t size; // 8 bytes - The size in bytes of the original file or folder
// FILETIME deletedTime; // 8 bytes - The date/time the file or folder was deleted
// wchar_t fileName[260]; // 520 bytes - The full path of the original file or folder.
//
// Version 2: Windows 10
// uint64_t version; // 8 bytes - 2 for this version
// uint64_t size; // 8 bytes - The size in bytes of the original file or folder
// FILETIME deletedTime; // 8 bytes - The date/time the file or folder was deleted
// uint32_t fileNameLen; // 4 bytes - The length of the fileName that follows.
// wchar_t fileName[]; // variable length - The full path of the original file or folder.
//
// RecycleBinDumper dumps out information about all the files and folders located in the
// Recycle Bin passed as a command line argument.
//
// The output is to stdout and can be redirected to a file on the command line.
// The output is in csv (comma separated values) format and can be loaded directly
// into Excel for display and analysis.
// A single row is output for each file and folder in the recycle bin (recursively into
// each folder and subfolder so everything is listed).
//
// Because files and folders in deleted folders share the same information about when the folder
// was deleted, that information is repeated on each row for those files and folders.
//
// For deleted files, the value under "Deleted Size" should equal the value under "Original File Size".
// For a particular deleted folder, the sum of all the values under "Original File Size" should
// equal the value under "Deleted Size".
#include "windows.h"
#include "stdio.h"
#include "cstdint"
#include "strsafe.h"
// Helper class to buffer line output.
class CharBuffer
{
public:
CharBuffer(size_t size)
{
this->buffer = new wchar_t[size];
this->size = size;
this->position = 0;
}
~CharBuffer()
{
delete this->buffer;
}
void PrintLine()
{
wprintf(L"%s\n", buffer);
OutputDebugString(buffer);
OutputDebugString(L"\n");
}
size_t PrintF(const wchar_t* format...)
{
va_list args;
va_start(args, format);
this->position += vswprintf_s(this->buffer + this->position, this->size - this->position, format, args);
return this->position;
}
size_t GetPosition()
{
return this->position;
}
void SetPosition(size_t position)
{
this->position = position;
}
wchar_t* buffer;
protected:
size_t size;
size_t position;
};
typedef void (*EachFileHandler)(const wchar_t *szRoot, WIN32_FIND_DATA* pffd, CharBuffer *lineBuffer);
void ForeachFile(const wchar_t* szRoot, const wchar_t* szWild, EachFileHandler fn, CharBuffer *lineBuffer);
// PrintRecycledFileInfo is an EachFileHandler (i.e. called from ForeachFile())
void PrintRecycledFileInfo(const wchar_t* szRoot, WIN32_FIND_DATA* pffd, CharBuffer *lineBuffer);
void PrintRecycleInfo(CharBuffer *lineBuffer, const wchar_t* szFileName);
void PrintFileAttributes(CharBuffer *lineBuffer, const wchar_t* szFullPath, bool *pfFolder);
void PrintFileDetails(CharBuffer *lineBuffer, const wchar_t* szFileName, FILETIME* pFileTimeCreated, FILETIME* pFileTimeModified, FILETIME* pFileTimeAccessed);
void PrintFileTime(CharBuffer *lineBuffer, FILETIME* pFileTime, bool comma = true);
// Recursively print out the folder
void PrintFolder(const wchar_t* szFolder, CharBuffer *lineBuffer);
// PrintFileOrFolder is an EachFileHandler (i.e. called from ForeachFile())
void PrintFileOrFolder(const wchar_t * szRoot, WIN32_FIND_DATA* pffd, CharBuffer *lineBuffer);
wchar_t header[] =
L"Original Full Path,"
L"Deleted Date Time,"
L"Deleted File Size,"
L"Recycle Info File,"
L"Recycle Info Created,"
L"Recycle Info Last Modified,"
L"Recycle Info Last Accessed,"
L"Original File,"
L"Original File Created,"
L"Original File Last Modified,"
L"Original File Last Accessed,"
L"Original File Size,"
;
#include <windows.h>
#include <iostream>
#include <vector>
#include <sddl.h> // For ConvertSidToStringSid
// 获取当前登录用户的SID字符串
bool GetUserSidString(std::wstring& sidString) {
bool result = false;
HANDLE token = NULL;
if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token)) {
DWORD tokenInfoLength = 0;
GetTokenInformation(token, TokenUser, NULL, 0, &tokenInfoLength);
std::vector<BYTE> tokenInfo(tokenInfoLength, 0);
if (GetTokenInformation(token, TokenUser, tokenInfo.data(), tokenInfoLength, &tokenInfoLength)) {
PTOKEN_USER tokenUser = reinterpret_cast<PTOKEN_USER>(tokenInfo.data());
LPWSTR stringSid = NULL;
if (ConvertSidToStringSid(tokenUser->User.Sid, &stringSid)) {
sidString.assign(stringSid);
LocalFree(stringSid);
result = true;
}
}
CloseHandle(token);
}
return result;
}
// 列出所有驱动器的回收站路径
void ListRecycleBinPaths() {
DWORD driveMask = GetLogicalDrives();
if (driveMask == 0) {
std::cerr << "Error getting drives: " << GetLastError() << std::endl;
return;
}
std::wstring userSid;
if (!GetUserSidString(userSid)) {
std::cerr << "Error getting user SID." << std::endl;
return;
}
WCHAR drive[] = L"G:\\";
while (driveMask) {
if (driveMask & 1) {
std::wstring recycleBinPath = drive;
recycleBinPath += L"$RECYCLE.BIN\\";
recycleBinPath += userSid;
std::wcout << L"Recycle Bin Path for drive " << drive[0] << L": " << recycleBinPath << std::endl;
}
driveMask >>= 1;
++drive[0];
}
}
//int __cdecl wmain(int argc, const wchar_t** argv)
int mainx(int argc, void * argv[])
{
ListRecycleBinPaths();
CharBuffer* lineBuffer = new CharBuffer(2 * 1024);
wprintf(L"%s\n", header);
SetCurrentDirectoryA("G:\\$RECYCLE.BIN\\S-1-5-21-4149340107-2149467646-1357157184-1002");
// Look for the Recycle Bin information files.
ForeachFile(L".", L"$I*", PrintRecycledFileInfo, lineBuffer);
delete lineBuffer;
}
void ForeachFile(const wchar_t *szRoot, const wchar_t* szWild, EachFileHandler fn, CharBuffer *lineBuffer)
{
WIN32_FIND_DATA ffd;
HANDLE hFind = INVALID_HANDLE_VALUE;
CharBuffer* findPattern = new CharBuffer(MAX_PATH);
findPattern->PrintF(L"%s\\%s", szRoot, szWild);
size_t initialPosition = lineBuffer->GetPosition();
hFind = FindFirstFile(findPattern->buffer, &ffd);
if (hFind != INVALID_HANDLE_VALUE)
{
do
{
bool skip = false;
if (ffd.cFileName[0] == L'.')
{
skip = (ffd.cFileName[1] == L'\0')
|| ((ffd.cFileName[1] == L'.') && (ffd.cFileName[2] == L'\0'));
}
if (!skip)
{
lineBuffer->SetPosition(initialPosition);
fn(szRoot, &ffd, lineBuffer);
}
else
{
}
} while (FindNextFile(hFind, &ffd) != 0);
FindClose(hFind);
}
}
void PrintRecycledFileInfo(const wchar_t* szRoot, WIN32_FIND_DATA* pffd, CharBuffer *lineBuffer)
{
if (pffd->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
}
else
{
PrintRecycleInfo(lineBuffer, pffd->cFileName);
PrintFileDetails(lineBuffer, pffd->cFileName, &(pffd->ftCreationTime), &(pffd->ftLastWriteTime), &(pffd->ftLastAccessTime));
wchar_t szDataFile[MAX_PATH];
// Data file is the same as the recycle info file except it starts with "$R" instead of "$I".
StringCchCopy(szDataFile, MAX_PATH, pffd->cFileName);
szDataFile[1] = L'R';
bool isFolder = false;
size_t pos = lineBuffer->GetPosition();
PrintFileAttributes(lineBuffer, szDataFile, &isFolder);
lineBuffer->PrintLine();
if (isFolder)
{
// Everything before pos is repeated for all the files and folders under this folder.
lineBuffer->SetPosition(pos);
PrintFolder(szDataFile, lineBuffer);
}
}
}
void PrintRecycleInfo(CharBuffer *lineBuffer, const wchar_t* szFileName)
{
FILE* pFile;
errno_t err = _wfopen_s(&pFile, szFileName, L"rb");
if (err == 0)
{
uint64_t version;
size_t count = fread(&version, sizeof(version), 1, pFile);
if (count == 1)
{
uint64_t fileSize;
count = fread(&fileSize, sizeof(fileSize), 1, pFile);
if (count == 1)
{
FILETIME timeStamp;
count = fread(&timeStamp, sizeof(timeStamp), 1, pFile);
if (count == 1)
{
uint32_t fileNameSize = 0;
if (version == 1)
{
fileNameSize = 520 / sizeof(wchar_t);
}
else
{
count = fread(&fileNameSize, sizeof(fileNameSize), 1, pFile);
if (count != 1)
{
fileNameSize = 0;
}
}
if (fileNameSize > 0)
{
wchar_t* pOriginalFileName = new wchar_t[fileNameSize + 1];
count = fread(pOriginalFileName, sizeof(wchar_t), fileNameSize, pFile);
if (count == fileNameSize)
{
pOriginalFileName[fileNameSize] = L'\0';
lineBuffer->PrintF(L"%s,", pOriginalFileName);
PrintFileTime(lineBuffer, &timeStamp);
lineBuffer->PrintF(L"%lld,", fileSize);
}
delete[] pOriginalFileName;
}
}
}
}
fclose(pFile);
}
}
void PrintFileAttributes(CharBuffer *lineBuffer, const wchar_t* szFileName, bool *pIsFolder)
{
WIN32_FILE_ATTRIBUTE_DATA fileAttributeData;
int err = GetFileAttributesEx(szFileName, GetFileExInfoStandard, &fileAttributeData);
if (err == 0)
{
*pIsFolder = false;
lineBuffer->PrintF(L"Missing,,,,,");
return;
}
PrintFileDetails(lineBuffer, szFileName, &(fileAttributeData.ftCreationTime), &(fileAttributeData.ftLastWriteTime), &(fileAttributeData.ftLastAccessTime));
uint64_t size = (((uint64_t)fileAttributeData.nFileSizeHigh) << 32) + fileAttributeData.nFileSizeLow;
lineBuffer->PrintF(L"%lld,", size);
*pIsFolder = (fileAttributeData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0;
}
void PrintFileDetails(CharBuffer *lineBuffer, const wchar_t* szFileName, FILETIME* pFileTimeCreated, FILETIME* pFileTimeModified, FILETIME* pFileTimeAccessed)
{
lineBuffer->PrintF(L"%s,", szFileName);
PrintFileTime(lineBuffer, pFileTimeCreated);
PrintFileTime(lineBuffer, pFileTimeModified);
PrintFileTime(lineBuffer, pFileTimeAccessed);
}
void PrintFileTime(CharBuffer *lineBuffer, FILETIME *pFileTime, bool comma)
{
SYSTEMTIME utc;
FileTimeToSystemTime(pFileTime, &utc);
lineBuffer->PrintF(L"%4d-%02d-%02d %02d:%02d:%02d",
utc.wYear, utc.wMonth, utc.wDay, utc.wHour, utc.wMinute, utc.wSecond);
if (comma)
{
lineBuffer->PrintF(L",");
}
}
void PrintFolder(const wchar_t* szFolder, CharBuffer *lineBuffer)
{
ForeachFile(szFolder, L"*", PrintFileOrFolder, lineBuffer);
}
void PrintFileOrFolder(const wchar_t * szRoot, WIN32_FIND_DATA* pffd, CharBuffer *lineBuffer)
{
size_t initialPosition = lineBuffer->GetPosition();
CharBuffer* fileName = new CharBuffer(MAX_PATH);
fileName->PrintF(L"%s\\%s", szRoot, pffd->cFileName);
PrintFileDetails(lineBuffer, fileName->buffer, &(pffd->ftCreationTime), &(pffd->ftLastWriteTime), &(pffd->ftLastAccessTime));
delete fileName;
fileName = NULL;
uint64_t size = (((uint64_t)pffd->nFileSizeHigh) << 32) + pffd->nFileSizeLow;
lineBuffer->PrintF(L"%lld,", size);
lineBuffer->PrintLine();
if ((pffd->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0)
{
lineBuffer->SetPosition(initialPosition);
PrintFolder(fileName->buffer, lineBuffer);
}
}