usr/Find-Links.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
using namespace System.IO
using namespace System.Runtime.InteropServices

# fsutil hardlink list C:\Windows\notepad.exe
function Find-Links {
  [CmdletBinding()]
  param(
    [Parameter(Mandatory)]
    [ValidateNotNullOrEmpty()]
    [ValidateScript({!!($script:f = Get-Item $_ -ErrorAction 0)})]
    [SupportsWildcards()]
    [String]$Path
  )

  begin {
    New-Structure BY_HANDLE_FILE_INFORMATION {
      UInt32 dwFileAttributes
      Runtime.InteropServices.ComTypes.FILETIME ftCreationTime
      Runtime.InteropServices.ComTypes.FILETIME ftLastAccessTime
      Runtime.InteropServices.ComTypes.FILETIME ftLastWriteTime
      UInt32 dwVolumeSerialNumber
      UInt32 nFileSizeHigh
      UInt32 nFileSizeLow
      UInt32 nNumberOfLinks
      UInt32 nFileIndexHigh
      UInt32 nFileIndexLow
    } -PackingSize Size4
    $out_ = [BY_HANDLE_FILE_INFORMATION].MakeByRefType()

    New-Delegate kernelbase {
      bool FindClose([ptr])
      ptr  FindFirstFileNameW([buf, uint, uint_, buf])
      bool FindNextFileNameW([ptr, uint_, buf])
      bool GetFileInformationByHandle([ptr, _out_])
    }

    New-Delegate ntdll {
      ptr RtlGetCurrentPeb
    }
  }
  process {}
  end {
    $BitField = ConvertTo-BitMap -Value ([Marshal]::ReadByte($ntdll.RtlGetCurrentPeb.Invoke(), 0x03)) -BitMap {
      ImageUsesLargePages          : 1
      IsProtectedProcess           : 1
      IsImageDynamicallyRelocated  : 1
      SkipPatchingUser32Forwarders : 1
      IsPackagedProcess            : 1
      IsAppContainer               : 1
      IsProtectedProcessLight      : 1
      IsLongPathAwareProcess       : 1
    }

    $buf = [Byte[]]::new($BitField.IsLongPathAwareProcess -eq 0 ? 0x0104 : 0x7FFF)
    $ret = $buf.Length

    try {
      $sfh = [File]::Open($f.FullName, [FileMode]::Open, [FileAccess]::Read, [FileShare]::Read)
      $out = [BY_HANDLE_FILE_INFORMATION]::new()
      if (!$kernelbase.GetFileInformationByHandle.Invoke($sfh.Handle, [ref]$out)) {
        throw [InvalidOPerationException]::new('Cannot retrieve file information.')
      }
      if (($nl = $out.nNumberOfLinks) -le 1) { throw [InvalidOPerationException]::new('File has not hard links.') }
      $fff = $kernelbase.FindFirstFileNameW.Invoke([buf].Uni($f.FullName), 0, [ref]$ret, $buf)
      $chr = "$([Char]32)`u{251C}", "$([Char]32)`u{2514}"
      "`e[7m$($f.FullName) (index: 0x$($out.nFileIndexLow.ToString('X8')), links: $nl)`e[0m"
      do {
        "$(--$nl -ne 0 ? $chr[0] : $chr[1])$([buf].StrU($buf))"
        $buf.Clear() # releasing artifacts
        $ret = $buf.Length
      } while ($kernelbase.FindNextFileNameW.Invoke($fff, [ref]$ret, $buf))
    }
    catch { Write-Verbose $_ }
    finally {
      if ($fff) { if (!$kernelbase.FindClose.Invoke($fff)) { Write-Verbose 'Resourses has not been released.' } }
      if ($sfh) { $sfh.Dispose() }
    }
  }
}

Export-ModuleMember -Function Find-Links