From 02cd3aa7f19991bf194f7c17e412f1f9f9dfe4d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Pablo=20Gonz=C3=A1lez?= <disablez@gmail.com>
Date: Thu, 8 Apr 2021 12:02:20 +0200
Subject: smbinfo: Add command for displaying alternate data streams
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch adds a new command to smbinfo which retrieves and displays
the list of alternate data streams for a file.

Signed-off-by: Juan Pablo González <disablez@gmail.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
---
 smbinfo | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

(limited to 'smbinfo')

diff --git a/smbinfo b/smbinfo
index 9752963..b96fdbc 100755
--- a/smbinfo
+++ b/smbinfo
@@ -253,6 +253,10 @@ def main():
     sap.add_argument("file")
     sap.set_defaults(func=cmd_filestandardinfo)
 
+    sap = subp.add_parser("filestreaminfo", help="Prints FileStreamInfo for a cifs file")
+    sap.add_argument("file")
+    sap.set_defaults(func=cmd_filestreaminfo)
+
     sap = subp.add_parser("fsctl-getobjid", help="Prints the objectid of the file and GUID of the underlying volume.")
     sap.add_argument("file")
     sap.set_defaults(func=cmd_fsctl_getobjid)
@@ -753,6 +757,43 @@ def cmd_secdesc(args):
               print(ace)
               off_dacl += ace.size
 
+def cmd_filestreaminfo(args):
+    qi = QueryInfoStruct(info_type=0x1, file_info_class=22, input_buffer_length=INPUT_BUFFER_LENGTH)
+    try:
+        fd = os.open(args.file, os.O_RDONLY)
+        info = os.fstat(fd)
+        buf = qi.ioctl(fd)
+    except Exception as e:
+        print("syscall failed: %s"%e)
+        return False
+
+    print_filestreaminfo(buf)
+
+def print_filestreaminfo(buf):
+    offset = 0
+
+    while offset < len(buf):
+
+        next_offset = struct.unpack_from('<I', buf, offset + 0)[0]
+        name_length = struct.unpack_from('<I', buf, offset + 4)[0]
+        if (name_length > 0):
+            stream_size = struct.unpack_from('<q', buf, offset + 8)[0]
+            stream_alloc_size = struct.unpack_from('<q', buf, offset + 16)[0]
+            stream_utf16le_name = struct.unpack_from('< %ss'% name_length, buf, offset + 24)[0]
+            stream_name = stream_utf16le_name.decode("utf-16le")
+            if (offset > 0):
+                print()
+            if (stream_name=="::$DATA"):
+                print("Name: %s"% stream_name)
+            else:
+                print("Name: %s"% stream_name[stream_name.find(":") + 1 : stream_name.rfind(':$DATA')])
+            print("Size: %d bytes"% stream_size)
+            print("Allocation size: %d bytes "% stream_alloc_size)
+
+        if (next_offset == 0):
+            break
+
+        offset+=next_offset
 
 class KeyDebugInfoStruct:
     def __init__(self):
-- 
cgit v1.2.3