TOC · Work · Menu · Mode

Disk Editor Templates

Apart built-in templates, Disk Editor supports custom templates to view and edit different disk structures. Conditions, "goto" operators, simple arithmetics may be used to parse complex disk structures, such as MFT records.

By default templates are loaded from the file template.txt. To use different files ini-parameter editortemplates= may be used, wildcards are allowed (e.g., editortemplates=template*).

See files template.txt and template.tx_ for template samples.

Template File Structure

Each template begins with a name in square brackets [Template Name] followed by the template parameters and instructions (one per line).

Template Parameters

flow:0 - display single record at a time. flow:1 - display records in a flow.
h:Header - display static Header at the top.

Constants

Constants are specified as decimals and hexadecimals (with 0x prefix).

Variables

$RECSIZE - size of the record.
$OFFSET - relative offset applied to data blocks.
$1 ... $64 - custom variables (64-bit signed integers).

Data Block

Data block is usually a single byte/word/dword at a fixed position but it also may be a range or series of bytes/bits which are processed as a single variable. Data block is specified in braces {...}.

{X,Z} defines range of Z bytes starting at offset X,
{X:Y,Z} defines range of Z bits starting at offset X byte and Y bits,
where X, Y, and Z may be any variables or constants,
several ranges may be separated by a semicolon, e.g. {0x00,4;$1:$2,4}.

Data Block Formats

Format defines how data block is represented and edited (e.g. as integer / char / string, etc.).

The following formats are supported:
%u - unsigned integer (up to 32bit)
%D - signed integer (32bit)
%I - signed integer (64bit)
%X - hexadecimal (up to 32bit)
%IX - hexadecimal (up to 64bit)
%c - ANSI character (8bit)
C - array of ANSI characters
U - array of Unicode characters (UTF-16)
T - array of text characters (depending on encoding table)
UNIXDATE - Unix date (seconds since epox)
FILETIME - Windows file time (nanoseconds since 1601)
F:ABCD.. - Flags (where A is displayed if bit 0 is set, and B if bit 0 is clear, etc.)

Output

Output instruction defines the position on the screen and format for a data block or variable or simply outputs text.

{...},x:X,w:W,c:C,f:Format outputs data block {...} at column X with the max. width W.
x:X,w:W,c:C,f:Text outputs Text at column X with the maximum width W in color C.
Color c:C, is optional (0 - default, 1 - title, 8 - red, 10 - grayed).
= (equal sign) specifies the end of line (line feed).

Operators and Expressions

Expression is a combination of variables, constants, data blocks, and operators (~, NOT; *, /, %; +, -; <<, >>; <, <=, >, >=; =, !=; &; ^; |; AND; OR), e.g.
$2+{0x08:$1,5}

Assignment operator := is used to copy the result of the expression to the variable, e.g.
$1:=$2+{0x08:$1,5}
$2:=$OFFSET & 8

Conditions

IF Expression1
  ... (instructions for performing if Expression1 result is true/non-zero)
ELSEIF Expression2
  ... (else instructions for performing if Expression2 result is true/non-zero, optional)
ELSE
  ... (else instructions for performing in other cases, optional)
ENDIF
Cycle:
WHILE Expression3
  ... (instructions for performing while Expression3 result is true/non-zero)
  go to the start of cycle:
  CONTINUE
  break loop:
  BREAK
ENDWHILE

Labels and Jumps

Line LABEL:N defines a label, and instruction GOTO:N is a jump to line LABEL:N, where N is any constant. Inaccurate use of GOTO may cause infinite loop.

Switches

Switches may be used e.g. to hide/show some lines by clicking or pressing Spacebar. E.g., instruction $1:=TOGGLE:N,x:X outputs button [+] ([-]) at column X, where N is a unique switch number (variables and constants are allowed, the best way is to use the next data offset); variable $1 gets value 0 or 1 depending on the switch state.

Additional Template Sections

Record size calculation: instructions between lines CALCSIZESTART and CALCSIZEEND. It is used when record size may be greater than the sector size and may depend on disk data. Variable $RECSIZE may be assigned in this section only.

Data preprocessing: instructions between lines LOADSTART and LOADEND. It is used e.g. for MFT USN processing (restoration of last two bytes of each sector). Data blocks may be assigned in this section: e.g., use {U,Y}:={X,Y} to copy Y bytes at offset X to offset U.

Data postprocessing: instructions between lines FLUSHSTART and FLUSHEND. It is used for reverse operation when writing modified data to disk (data blocks may be assigned).