
Disk Editor Templates

In addition to the built-in templates, the disk editor supports custom templates for viewing and editing various disk structures. Conditions, jumps, and simple arithmetic can be used to parse complex disk structures such as MFT records.

By default, templates are loaded from the file template.txt. To use other files, set the ini parameter editortemplates=; wildcards are allowed (for example, editortemplates=template*).

Template File Structure

Each template begins with its name in square brackets, [Template Name], followed by template parameters and instructions (one per line).

Template Parameters

flow:0 - display one record at a time.
flow:1 - display records one after another.
big-endian:1 - use big-endian byte order.
h:Header - static header Header.

Constants

Constants are specified as decimal and hexadecimal (with the prefix 0x).

Variables

$RECSIZE - record size
$RECDEVOFS - position of the current record on the disk (in bytes from the start of the disk)
$NEXTOFS - ... on data blocks
$OFFSET - additional relative offset applied to data blocks
$XOFS - additional column offset for output (see x:X below)
$1 ... $4 - global user variables (64-bit integers)
$varname - a local variable (64-bit signed integer), where varname is case-sensitive and may contain digits, Latin letters, and underscores. A local variable must be initialized with the assignment operator := and is valid only within the block of instructions where it is initialized.

Data Blocks

A data block is usually a single byte/word/dword at a fixed position, but it may also be any range(s) of record bytes/bits that are processed as a single variable. A data block is specified in braces {...}.

{Z} defines range of Z bytes starting at offset $NEXTOFS (and $NEXTOFS is increased by Z then);
{X,Z} defines range of Z bytes starting at offset X,
{X:Y,Z} defines range of Z bits starting at offset X byte and Y bits,
where X, Y, and Z may be any variables or constants,
several ranges may be separated by a semicolon, e.g. {0x00,4;$1:$2,4}.

Data Block Formats

The format defines how a data block is represented and edited (e.g. as an integer / char / string, etc.).

The following formats are supported:
%u - unsigned integer (up to 64bit)
%d - signed integer (up to 64bit)
%X / %x - hexadecimal (up to 64bit)
%c - ANSI character (8bit)
C - array of ANSI characters
U - array of Unicode characters (UTF-16)
u - UTF-8 encoded string
T - array of text characters (depending on encoding table)
CXm - byte-by-byte hex output in multiple lines
UNIXDATE - Unix date (seconds since epoch)
FILETIME - Windows file time (nanoseconds since 1601)
F:ABCD.. - Flags (where A is displayed if bit 0 set, and B if bit 0 clear, etc.)

Output

An output instruction defines the position on the screen and the format for a data block or variable, or simply outputs text.

{...},x:X,w:W,c:C,Format outputs data block {...} at column X with the max. width W using the format Format.
x:X,w:W,c:C,Text outputs Text at column X with the maximum width W in color C. The Text can be enclosed in quotation marks ("Text").

w:W, c:C are optional (0 - default color, 1 - title, 8 - red, 10 - gray).
= (equal sign) specifies end of line (line feed).

Operators and Expressions

An expression is a combination of variables, constants, data blocks, and operators (~, NOT; *, /, %; +, -; <<, >>; <, <=, >, >=; =, !=; &; ^; |; AND; OR), e.g.
$2+{0x08:$1,5}

The assignment operator := is used to copy the result of the expression to the variable, e.g.
$1:=$2+{0x08:$1,5}
$2:=$OFFSET & 8

Conditions, Cycles, and Jumps

Conditions

IF Expression1
  ... (instructions for performing if Expression1 result is true/non-zero)
ELSEIF Expression2
  ... (else instructions for performing if Expression2 result is true/non-zero, optional)
ELSE
  ... (else instructions for performing in other cases, optional)
ENDIF

Cycles

WHILE Expression3
  ... (instructions for performing while Expression3 result is true/non-zero)
  go to the start of cycle:
  CONTINUE
  break loop:
  BREAK
ENDWHILE

Jumps

The line LABEL:N defines a label, and the instruction GOTO:N is a jump to the line LABEL:N, where N is any constant. Inaccurate use of GOTO may cause an infinite loop.

Switches and Hot Links

The switch instruction $1:=TOGGLE:N,x:X outputs a toggle box [+] ([-]) at the column X of the current output line, where N is a unique switch number (a variable or constant); and the variable $1 takes value 0 or 1 depending on the switch state (toggling is by clicking the box or by pressing [Spacebar] when focused). This allows changing the template output on the fly (e.g. to expand / collapse structures, where switch number N is convenient to set equal to the structure offset).

The hot link instruction $VAR=Param makes the current output line a hot link, i.e. it allows jumping to an object offset or record, or opening another linked object in the editor window, by double-clicking the line (or by pressing the [Enter] key when the line is focused). Param is an expression value used by the link (an offset, record, file number, sector, etc.) and $VAR can be one of the following:
$GOTOREC, $GOTORECOFS - go to the specified record number and record offset of the object
$GOTOOFS - go to the specified object offset
$OPENLBA - open the specified disk sector
$OPENDEVOFS - open the specified disk byte
$OPENVOLSEC - open the specified volume sector
$OPENCLUSTER - open the specified volume cluster
$OPENVOLPAGE - open the specified volume page / object id
$OPENFILENUM - open a file record by the specified number
$OPENFILENUMDATA - open file contents by the specified number
$OPENFILERECOFS - open a file by FS entry offset in the object
$OPENATTROFS - open a data stream by FS attribute entry offset in the object.
Optionally specify a template to apply to the opened object by the instruction:
$OPENTEMPLATE='{GUID}'; specify a template record offset: $OPENTEMPLOFS=Param.

Additional Template Sections

Record size calculation: instructions between lines CALCSIZESTART and CALCSIZEEND. It is used when record size may be greater than the sector size and may depend on disk data. Variable $RECSIZE may be assigned in this section only.

Data preprocessing: instructions between lines LOADSTART and LOADEND. It is used e.g. for MFT USN processing (restoration of last two bytes of each sector). Data blocks may be assigned in this section: e.g., use {U,Y}:={X,Y} to copy Y bytes at offset X to offset U.

Data postprocessing: instructions between lines FLUSHSTART and FLUSHEND. It is used for reverse operation when writing modified data to disk (data blocks may be assigned).
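The MFT USN processing mentioned for the LOADSTART/LOADEND and FLUSHSTART/FLUSHEND sections, together with a CALCSIZE-style size lookup, modelled in Python on a constructed record. This is an added example, not part of the original documentation or the program's own template; the header offsets 0x04, 0x06 and 0x1C and the 512-byte stride are the standard NTFS FILE record layout, assumed here rather than taken from this page, and all function names are hypothetical.

```python
import struct

SECTOR = 512  # assumption: the usual NTFS fixup stride

def record_size(rec: bytes) -> int:
    """CALCSIZE analogue: allocated record size, u32 at 0x1C of the header."""
    return struct.unpack_from("<I", rec, 0x1C)[0]

def usa(rec: bytes) -> tuple:
    """Offset (u16 at 0x04) and word count (u16 at 0x06) of the update sequence array."""
    return struct.unpack_from("<HH", rec, 0x04)

def load_fixup(rec: bytes) -> bytearray:
    """LOAD analogue: restore the last two bytes of each sector from the array."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    size, (ofs, cnt) = record_size(rec), usa(rec)
    if (size == 0 or size % SECTOR or size > len(rec)
            or cnt != size // SECTOR + 1 or ofs + 2 * cnt > SECTOR - 2):
        raise ValueError("record size and update sequence array disagree")
    out, usn = bytearray(rec[:size]), rec[ofs:ofs + 2]
    for i in range(1, cnt):
        tail, x = i * SECTOR - 2, ofs + 2 * i
        if out[tail:tail + 2] != usn:
            raise ValueError(f"sector {i - 1}: tail differs from USN (torn write?)")
        out[tail:tail + 2] = out[x:x + 2]      # template form: {tail,2}:={x,2}
    return out

def flush_fixup(rec: bytes) -> bytearray:
    """FLUSH analogue: the reverse operation before the record is written back."""
    (ofs, cnt), out = usa(rec), bytearray(rec)
    for i in range(1, cnt):
        tail, x = i * SECTOR - 2, ofs + 2 * i
        out[x:x + 2] = out[tail:tail + 2]      # template form: {x,2}:={tail,2}
        out[tail:tail + 2] = out[ofs:ofs + 2]  # re-stamp the tail with the USN
    return out

def make_sample() -> bytes:
    """Constructed 1024-byte record: array at 0x30, USN 0x0007, two saved words."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)
    struct.pack_into("<I", rec, 0x1C, 1024)
    rec[0x30:0x36] = b"\x07\x00\xAA\xBB\xCC\xDD"
    rec[510:512] = rec[1022:1024] = b"\x07\x00"
    return bytes(rec)

if __name__ == "__main__":
    fixed = load_fixup(make_sample())
    print(fixed[510:512].hex(), fixed[1022:1024].hex())
```

A sector tail that does not match the USN is reported instead of being overwritten, because it indicates an incompletely written or damaged record that should be examined as found.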

Defines

Defines are used to replace repetitive blocks of instructions. A define can be declared in any template in the following way:

DEFINE DefineTitle(%1%,%2%,...)
  ... (the define instructions where substitution variables %1%,%2%,... can be used)
ENDDEFINE

It may be used later in any template. On processing it will be replaced with the corresponding instructions and substituted variables:
DefineTitle($varname1,$varname2,...)