
Disk Editor Templates

Apart from the built-in templates, Disk Editor supports custom templates for viewing and editing different disk structures. Conditions, "goto" operators, and simple arithmetic can be used to parse complex disk structures, such as MFT records.

By default, templates are loaded from the file template.txt. To load other files, use the ini-parameter editortemplates=; wildcards are allowed (e.g., editortemplates=template*).

Template File Structure

Each template begins with a name in square brackets [Template Name] followed by the template parameters and instructions (one per line).

Template Parameters

guid:{GUID} - the template identifier.
o:1 - the template can be applied to a structure that is not sector-aligned (an offset can be applied).
fuse:0 - do not use the template.
flow:0 - display a single record at a time.
flow:1 - display records in a flow.
big-endian:1 - use big-endian byte order.
h:Header - display static Header at the top.

Constants

Constants are specified as decimal and hexadecimal (0x prefixed) integers.

Variables

$RECSIZE - size of the record
$RECDEVOFS - position of the current record on the disk (in bytes from the beginning of the disk)
$NEXTOFS - offset applied to data blocks (see below)
$OFFSET - additional relative offset applied to data blocks
$XOFS - additional column offset for the output (see below x:X)
$1 ... $4 - global custom variables (64-bit signed integers)
$varname - a local variable (64-bit signed integer), where varname is case-sensitive and may contain digits, latin letters, and underscores. A local variable must be initialized with the assignment operator := and is valid only within the block of the instructions where it is initialized.

Data Block

A data block is usually a single byte/word/dword at a fixed position, but it can also be a range or series of bytes/bits that is processed like a single variable. A data block is specified in braces {...}.

{Z} defines a range of Z bytes starting at offset $NEXTOFS ($NEXTOFS is then increased by Z);
{X,Z} defines a range of Z bytes starting at offset X;
{X:Y,Z} defines a range of Z bits starting at byte offset X and bit offset Y;
where X, Y, and Z can be any variables or constants.
Several ranges can be separated by semicolons, e.g. {0x00,4;$1:$2,4}.
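The addressing rules above, modelled as an added Python example (not DMDE code) that resolves a data block specifier to bit ranges and reads them with bounds checks, so an offset or length taken from untrusted disk data cannot reach outside the record. Assumptions not stated on this page: bits in {X:Y,Z} are counted from the least significant bit, byte ranges are little-endian unless big_endian is set, and each range is returned separately rather than merged into one variable; the names resolve, read and SAMPLE are illustrative.

```python
import re

def _num(tok, env):
    """Constant (decimal or 0x-prefixed hex) or a $variable looked up in env."""
    tok = tok.strip()
    if tok.startswith("$"):
        return env[tok]
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)

def resolve(spec, env):
    """Turn '{...}' into a list of (byte_ofs, bit_ofs, bit_len) ranges.
    env maps variable names to integers; the {Z} form advances env['$NEXTOFS']."""
    m = re.fullmatch(r"\{(.+)\}", spec.strip())
    if not m:
        raise ValueError("data block must be written in braces")
    ranges = []
    for part in m.group(1).split(";"):
        pos, sep, size = part.rpartition(",")
        if not sep:                           # {Z}: Z bytes at $NEXTOFS
            z = _num(size, env)
            ranges.append((env["$NEXTOFS"], 0, z * 8))
            env["$NEXTOFS"] += z
        elif ":" in pos:                      # {X:Y,Z}: Z bits at byte X, bit Y
            x, y = pos.split(":")
            ranges.append((_num(x, env), _num(y, env), _num(size, env)))
        else:                                 # {X,Z}: Z bytes at byte X
            ranges.append((_num(pos, env), 0, _num(size, env) * 8))
    return ranges

def read(buf, ranges, big_endian=False):
    """Return one unsigned integer per range; refuse ranges outside buf."""
    out = []
    for byte_ofs, bit_ofs, bit_len in ranges:
        if min(byte_ofs, bit_ofs) < 0 or bit_len <= 0:
            raise ValueError("negative offset or empty range")
        end_byte = byte_ofs + (bit_ofs + bit_len + 7) // 8
        if end_byte > len(buf):
            raise ValueError("range runs past the end of the record")
        raw = buf[byte_ofs:end_byte]
        if bit_ofs == 0 and bit_len % 8 == 0:
            out.append(int.from_bytes(raw, "big" if big_endian else "little"))
        else:  # assumption: bits are counted from the least significant bit
            out.append((int.from_bytes(raw, "little") >> bit_ofs) & ((1 << bit_len) - 1))
    return out

# Constructed 16-byte sample: "FILE", then the words 0x0030 and 0x0003.
SAMPLE = bytes.fromhex("46494c45300003000000000000000000")
```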

Data Block Formats

The format defines how a data block is represented and edited (e.g. as an integer, a character, a string, etc.).

The following formats are supported:
%u - unsigned integer (up to 64bit)
%d - signed integer (up to 64bit)
%X / %x - hexadecimal (up to 64bit)
%c - ANSI character (8bit)
C - array of ANSI characters
U - array of Unicode characters (UTF-16)
u - utf-8 encoded string
T - array of text characters (depending on encoding table)
CXm - byte-by-byte hex output in multiple lines
UNIXDATE - Unix date (seconds since epoch)
FILETIME - Windows file time (nanoseconds since 1601)
F:ABCD.. - Flags (where A is displayed if bit 0 is set, and B if bit 0 is clear, etc.)

Output

An output instruction defines the screen position and format for a data block or variable, or simply outputs text.

{...},x:X,w:W,c:C,Format outputs data block {...} at column X with the max. width W using the format Format.
x:X,w:W,c:C,Text outputs Text at column X with the maximum width W in color C. The Text can be enclosed in quotation marks ("Text").

Parameters w:W and c:C are optional (0 - the default color, 1 - title, 8 - red, 10 - grayed).

Output is written to the current line; the instruction = (equal sign) moves output to the next line.

Operators and Expressions

An expression is a combination of variables, constants, data blocks, and operators (~, NOT; *, /, %; +, -; <<, >>; <, <=, >, >=; =, !=; &; ^; |; AND; OR), e.g.
$2+{0x08:$1,5}

The assignment operator := copies the result of an expression to a variable, e.g.
$1:=$2+{0x08:$1,5}
$2:=$OFFSET & 8

Conditions, Cycles, and Transitions

Conditions

IF Expression1
  ... (instructions performed if the Expression1 result is true/non-zero)
ELSEIF Expression2
  ... (instructions performed if the Expression2 result is true/non-zero, optional)
ELSE
  ... (instructions performed in all other cases, optional)
ENDIF

Cycles

WHILE Expression3
  ... (instructions performed while the Expression3 result is true/non-zero)
  go to the start of the cycle:
  CONTINUE
  break loop:
  BREAK
ENDWHILE

Transitions

The line LABEL:N defines a label, and the instruction GOTO:N jumps to the line LABEL:N, where N is any constant. Careless use of GOTO may cause an infinite loop.

Switches and Hot Links

The switch instruction $1:=TOGGLE:N,x:X outputs a toggle box [+] ([-]) at the column X of the current output line, where N is a unique switch number (a variable or constant); and the variable $1 takes value 0 or 1 depending on the switch state (toggling is by clicking the box or by pressing [Spacebar] when focused). This allows changing the template output on the fly (e.g. to expand / collapse structures, where switch number N is convenient to set equal to the structure offset).

The hot link instruction $VAR=Param makes the current output line a hot link, i.e. it allows jumping to an object offset or record, or opening another linked object in the editor window, by double-clicking the line (or by pressing the [Enter] key when the line is focused). Param is an expression value used by the link (an offset, record, file number, sector, etc.) and $VAR can be one of the following:
$GOTOREC, $GOTORECOFS - go to the specified record number and record offset of the object
$GOTOOFS - go to the specified object offset
$OPENLBA - open the specified disk sector
$OPENDEVOFS - open the specified disk byte
$OPENVOLSEC - open the specified volume sector
$OPENCLUSTER - open the specified volume cluster
$OPENVOLPAGE - open the specified volume page / object id
$OPENFILENUM - open a file record by the specified number
$OPENFILENUMDATA - open file contents by the specified number
$OPENFILERECOFS - open a file by FS entry offset in the object
$OPENATTROFS - open a data stream by FS attribute entry offset in the object.
Optionally specify a template to apply to the opened object by the instruction:
$OPENTEMPLATE='{GUID}'; specify a template record offset: $OPENTEMPLOFS=Param.

Additional Template Sections

Record size calculation: instructions between lines CALCSIZESTART and CALCSIZEEND. It is used when record size may be greater than the sector size and may depend on disk data. Variable $RECSIZE can be assigned in this section only.

Data preprocessing: instructions between lines LOADSTART and LOADEND. It is used e.g. for MFT USN processing (restoration of last two bytes of each sector). Data blocks can be assigned in this section: e.g., {U,Y}:={X,Y} copies Y bytes at offset X to offset U.

Data postprocessing: instructions between lines FLUSHSTART and FLUSHEND. It is used for reverse operation when modified data is being written back to the disk (data blocks may also be assigned).
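The MFT preprocessing step mentioned above (restoring the last two bytes of each sector), written out as an added Python example rather than as template instructions; it is not DMDE code. It assumes the standard NTFS record layout, which this page does not spell out (update sequence array offset at 0x04, word count at 0x06, 512-byte sectors), and it checks every sector tail against the update sequence number before copying, so a torn or tampered record is rejected instead of silently "restored".

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, as in the standard NTFS fixup scheme

def apply_fixups(record):
    """Return a copy of an NTFS record with sector tails restored from the
    update sequence array, validating each tail against the USN first."""
    rec = bytearray(record)
    if len(rec) < 8 or len(rec) % SECTOR:
        raise ValueError("record must be a whole number of sectors")
    usa_ofs, usa_count = struct.unpack_from("<HH", rec, 4)
    sectors = usa_count - 1                    # first word is the USN itself
    if sectors < 1 or sectors * SECTOR > len(rec):
        raise ValueError("update sequence count does not fit the record")
    if usa_ofs + 2 * usa_count > SECTOR - 2:   # sanity check added here
        raise ValueError("update sequence array overlaps a sector tail")
    usn = rec[usa_ofs:usa_ofs + 2]
    for i in range(sectors):
        tail = (i + 1) * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError(f"sector {i}: tail does not match USN (torn write?)")
        src = usa_ofs + 2 * (i + 1)
        rec[tail:tail + 2] = rec[src:src + 2]  # template form: {U,Y}:={X,Y}
    return bytes(rec)

def build_sample():
    """Constructed 1024-byte record: header fields only, USN 0x0001 in tails."""
    rec = bytearray(2 * SECTOR)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)                # USA offset, word count
    struct.pack_into("<HHH", rec, 0x30, 1, 0xAAAA, 0xBBBB)  # USN, saved tail words
    for i in range(2):
        struct.pack_into("<H", rec, (i + 1) * SECTOR - 2, 1)
    return bytes(rec)
```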

Defines

Defines are used to replace repetitive blocks of instructions. A define can be declared in any template as follows:

DEFINE DefineTitle(%1%,%2%,...)
  ... (the define instructions where substitution variables %1%,%2%,... can be used)
ENDDEFINE

It can then be used in any template. During processing it is replaced with the corresponding instructions, with the variables substituted:
DefineTitle($varname1,$varname2,...)