From bbe6c3839e028e213adab6777efda28a5ca079b6 Mon Sep 17 00:00:00 2001
From: Orange20000922 <2140523341@qq.com>
Date: Thu, 19 Feb 2026 20:05:51 +0800
Subject: [PATCH 1/7] =?UTF-8?q?1=E3=80=81=E6=9B=B4=E6=96=B0USN=E8=A7=A6?=
=?UTF-8?q?=E5=8F=91MFT=E5=BF=AB=E7=85=A7=E5=92=8C=E5=86=85=E6=A0=B8IRP?=
=?UTF-8?q?=E8=A7=A6=E5=8F=91=E5=BF=AB=E7=85=A7=EF=BC=88=E5=AE=9E=E9=AA=8C?=
=?UTF-8?q?=E6=80=A7=EF=BC=89=E5=8A=9F=E8=83=BD=202=E3=80=81=E4=BF=AE?=
=?UTF-8?q?=E5=A4=8D=E4=B8=80=E4=BA=9B=E5=B7=B2=E7=9F=A5=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.gitignore | 10 +-
Filerestore_CLI/Filerestore_CLI.vcxproj | 3 -
.../Filerestore_CLI.vcxproj.filters | 5 -
Filerestore_CLI/src/commands/cmd.cpp | 13 -
.../src/fileRestore/KernelBridgeClient.cpp | 234 +++++
.../src/fileRestore/KernelBridgeClient.h | 93 ++
.../src/fileRestore/MFTSnapshotStore.cpp | 280 ++++++
.../src/fileRestore/MFTSnapshotStore.h | 113 +++
.../src/fileRestore/MonitorDaemon.cpp | 392 ++++++++
.../src/fileRestore/MonitorDaemon.h | 80 ++
.../src/fileRestore/UsnDeleteMonitor.cpp | 262 ++++++
.../src/fileRestore/UsnDeleteMonitor.h | 103 ++
Filerestore_sys/Filerestore_sys.sln | 35 +
.../Filerestore_sys/Filerestore_sys.inf | 84 ++
.../Filerestore_sys/Filerestore_sys.vcxproj | 168 ++++
.../Filerestore_sys.vcxproj.filters | 48 +
Filerestore_sys/Filerestore_sys/common.h | 86 ++
.../Filerestore_sys/communication.c | 271 ++++++
Filerestore_sys/Filerestore_sys/driver.c | 118 +++
Filerestore_sys/Filerestore_sys/driver.h | 59 ++
Filerestore_sys/Filerestore_sys/filter.c | 275 ++++++
.../Filerestore_sys/packages.config | 6 +
dev_notes/kernel_solution.docx | Bin 0 -> 41390 bytes
dev_notes/kernel_solution.md | 884 ++++++++++++++++++
dev_notes/monitor_daemon_implementation.md | 165 ++++
25 files changed, 3761 insertions(+), 26 deletions(-)
delete mode 100644 Filerestore_CLI/src/commands/cmd.cpp
create mode 100644 Filerestore_CLI/src/fileRestore/KernelBridgeClient.cpp
create mode 100644 Filerestore_CLI/src/fileRestore/KernelBridgeClient.h
create mode 100644 Filerestore_CLI/src/fileRestore/MFTSnapshotStore.cpp
create mode 100644 Filerestore_CLI/src/fileRestore/MFTSnapshotStore.h
create mode 100644 Filerestore_CLI/src/fileRestore/MonitorDaemon.cpp
create mode 100644 Filerestore_CLI/src/fileRestore/MonitorDaemon.h
create mode 100644 Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.cpp
create mode 100644 Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.h
create mode 100644 Filerestore_sys/Filerestore_sys.sln
create mode 100644 Filerestore_sys/Filerestore_sys/Filerestore_sys.inf
create mode 100644 Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj
create mode 100644 Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj.filters
create mode 100644 Filerestore_sys/Filerestore_sys/common.h
create mode 100644 Filerestore_sys/Filerestore_sys/communication.c
create mode 100644 Filerestore_sys/Filerestore_sys/driver.c
create mode 100644 Filerestore_sys/Filerestore_sys/driver.h
create mode 100644 Filerestore_sys/Filerestore_sys/filter.c
create mode 100644 Filerestore_sys/Filerestore_sys/packages.config
create mode 100644 dev_notes/kernel_solution.docx
create mode 100644 dev_notes/kernel_solution.md
create mode 100644 dev_notes/monitor_daemon_implementation.md
diff --git a/.gitignore b/.gitignore
index d09c765..709f6c0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -33,10 +33,6 @@ x86/
*.VC.db-wal
*.VC.opendb
-# Build directories
-# (已统一输出到解决方案根目录的 x64/)
-x64/
-
# NuGet packages (can be restored via nuget restore)
packages/
*.nupkg
@@ -109,4 +105,8 @@ release_packages/
Filerestore_CLI/deps/ftxui/.git/
Filerestore_CLI/deps/ftxui/build/
Filerestore_CLI/deps/ftxui/.cache/
-Filerestore_CLI/deps/ftxui/cmake-build-*/
\ No newline at end of file
+Filerestore_CLI/deps/ftxui/cmake-build-*/
+
+# Kernel driver build outputs
+*.sys
+*.cer
\ No newline at end of file
diff --git a/Filerestore_CLI/Filerestore_CLI.vcxproj b/Filerestore_CLI/Filerestore_CLI.vcxproj
index 94def0a..1fddce0 100644
--- a/Filerestore_CLI/Filerestore_CLI.vcxproj
+++ b/Filerestore_CLI/Filerestore_CLI.vcxproj
@@ -169,7 +169,6 @@
-
@@ -207,7 +206,6 @@
-
@@ -259,7 +257,6 @@
-
diff --git a/Filerestore_CLI/Filerestore_CLI.vcxproj.filters b/Filerestore_CLI/Filerestore_CLI.vcxproj.filters
index f1999a2..776dbe2 100644
--- a/Filerestore_CLI/Filerestore_CLI.vcxproj.filters
+++ b/Filerestore_CLI/Filerestore_CLI.vcxproj.filters
@@ -101,9 +101,6 @@
源文件\Core
-
- 源文件\Commands
-
源文件\Commands
@@ -192,7 +189,6 @@
源文件\FileRestore\ML
-
源文件\FileRestore
@@ -357,7 +353,6 @@
头文件\FileRestore\ML
-
头文件\FileRestore
diff --git a/Filerestore_CLI/src/commands/cmd.cpp b/Filerestore_CLI/src/commands/cmd.cpp
deleted file mode 100644
index 29619f4..0000000
--- a/Filerestore_CLI/src/commands/cmd.cpp
+++ /dev/null
@@ -1,13 +0,0 @@
-// cmd.cpp - Command framework
-// All command implementations have been moved to separate files:
-// - SystemCommands.cpp
-// - RestoreCommands.cpp
-// - SearchCommands.cpp
-// - DiagnosticCommands.cpp
-// - CarveCommands.cpp
-// - PEAnalysisCommands.cpp
-
-#include "cmd.h"
-
-// This file now only serves as a compilation unit for the command framework.
-// Individual command implementations are in their respective category files.
diff --git a/Filerestore_CLI/src/fileRestore/KernelBridgeClient.cpp b/Filerestore_CLI/src/fileRestore/KernelBridgeClient.cpp
new file mode 100644
index 0000000..ecc9533
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/KernelBridgeClient.cpp
@@ -0,0 +1,234 @@
+// ============================================================================
+// 内核桥接客户端 - 通过 minifilter 通信端口连接 FileRestoreMon 驱动
+// ============================================================================
+
+#ifdef ENABLE_KERNEL_BRIDGE
+
+#include "KernelBridgeClient.h"
+#include "MFTSnapshotStore.h"
+#include "Logger.h"
+
+#pragma comment(lib, "fltlib.lib")
+
+using namespace std;
+
+KernelBridgeClient::KernelBridgeClient()
+ : hPort(INVALID_HANDLE_VALUE) {}
+
+KernelBridgeClient::~KernelBridgeClient() {
+ Disconnect();
+}
+
+// ========== 连接管理 ==========
+
+bool KernelBridgeClient::Connect() {
+ if (IsConnected()) return true;
+
+ HRESULT hr = FilterConnectCommunicationPort(
+ FILERESTORE_PORT_NAME,
+ 0, // options
+ nullptr, // context
+ 0, // context size
+ nullptr, // security attributes
+ &hPort);
+
+ if (FAILED(hr)) {
+ hPort = INVALID_HANDLE_VALUE;
+ if (hr == HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)) {
+ lastError = "驱动未加载: FileRestoreMon 通信端口不存在";
+ } else if (hr == HRESULT_FROM_WIN32(ERROR_ACCESS_DENIED)) {
+ lastError = "权限不足: 需要管理员权限连接驱动";
+ } else {
+ lastError = "连接驱动失败, HRESULT: 0x" +
+ to_string(static_cast(hr));
+ }
+ LOG_DEBUG_FMT("KernelBridgeClient: %s", lastError.c_str());
+ return false;
+ }
+
+ LOG_INFO("KernelBridgeClient: 已连接到 minifilter 驱动");
+ return true;
+}
+
+void KernelBridgeClient::Disconnect() {
+ if (hPort != INVALID_HANDLE_VALUE) {
+ CloseHandle(hPort);
+ hPort = INVALID_HANDLE_VALUE;
+ }
+}
+
+// ========== 内部通信 ==========
+
+bool KernelBridgeClient::SendCommand(ULONG command, void* outBuffer, ULONG outSize, ULONG* bytesReturned) {
+ if (!IsConnected()) {
+ lastError = "未连接到驱动";
+ return false;
+ }
+
+ COMMAND_MESSAGE msg;
+ msg.Command = command;
+
+ DWORD returned = 0;
+ HRESULT hr = FilterSendMessage(
+ hPort,
+ &msg,
+ sizeof(msg),
+ outBuffer,
+ outSize,
+ &returned);
+
+ if (FAILED(hr)) {
+ lastError = "FilterSendMessage 失败, HRESULT: 0x" +
+ to_string(static_cast(hr));
+ return false;
+ }
+
+ if (bytesReturned) {
+ *bytesReturned = returned;
+ }
+ return true;
+}
+
+// ========== 监控控制 ==========
+
+bool KernelBridgeClient::StartMonitor() {
+ return SendCommand(CMD_START_MONITOR, nullptr, 0, nullptr);
+}
+
+bool KernelBridgeClient::StopMonitor() {
+ return SendCommand(CMD_STOP_MONITOR, nullptr, 0, nullptr);
+}
+
+// ========== 通知接收 ==========
+
+bool KernelBridgeClient::PollNotifications(vector& notifications) {
+ notifications.clear();
+
+ // 分配接收缓冲区:能容纳 EVENTS_REPLY 头 + 若干 DELETE_NOTIFICATION
+ const ULONG BUFFER_SIZE = FIELD_OFFSET(EVENTS_REPLY, Events) +
+ 64 * sizeof(DELETE_NOTIFICATION);
+ vector buffer(BUFFER_SIZE, 0);
+
+ ULONG bytesReturned = 0;
+ if (!SendCommand(CMD_GET_EVENTS, buffer.data(), BUFFER_SIZE, &bytesReturned)) {
+ return false;
+ }
+
+ if (bytesReturned < FIELD_OFFSET(EVENTS_REPLY, Events)) {
+ return true; // 无数据
+ }
+
+ auto* reply = reinterpret_cast(buffer.data());
+ if (reply->EventCount == 0) {
+ return true;
+ }
+
+ // 校验返回数据大小
+ ULONG expectedSize = FIELD_OFFSET(EVENTS_REPLY, Events) +
+ reply->EventCount * sizeof(DELETE_NOTIFICATION);
+ if (bytesReturned < expectedSize) {
+ lastError = "回复数据不完整";
+ return false;
+ }
+
+ notifications.reserve(reply->EventCount);
+ for (ULONG i = 0; i < reply->EventCount; i++) {
+ const DELETE_NOTIFICATION& src = reply->Events[i];
+ DeleteNotification notif;
+
+ notif.fileName = wstring(src.FileName, src.FileNameLength / sizeof(WCHAR));
+ notif.fileSize = src.FileSize.QuadPart;
+ notif.allocationSize = src.AllocationSize.QuadPart;
+ notif.processId = src.ProcessId;
+ notif.deleteType = src.DeleteType;
+
+ // LARGE_INTEGER → FILETIME(二进制布局相同)
+ memcpy(¬if.creationTime, &src.CreationTime, sizeof(FILETIME));
+ memcpy(¬if.lastWriteTime, &src.LastWriteTime, sizeof(FILETIME));
+ memcpy(¬if.deleteTime, &src.Timestamp, sizeof(FILETIME));
+
+ // LCN 映射
+ notif.lcnMappings.reserve(src.LCNCount);
+ for (ULONG j = 0; j < src.LCNCount; j++) {
+ notif.lcnMappings.emplace_back(
+ src.LCNEntries[j].StartLCN,
+ src.LCNEntries[j].ClusterCount);
+ }
+
+ notifications.push_back(move(notif));
+ }
+
+ return true;
+}
+
+size_t KernelBridgeClient::FlushToSnapshotStore(MFTSnapshotStore& store) {
+ vector notifications;
+ if (!PollNotifications(notifications)) {
+ return 0;
+ }
+
+ size_t count = 0;
+ for (const auto& notif : notifications) {
+ MFTSnapshot snapshot;
+ snapshot.recordNumber = 0; // 驱动未提供 MFT 记录号
+ snapshot.sequenceNumber = 0;
+ snapshot.fileName = notif.fileName;
+ snapshot.fileSize = notif.fileSize;
+ snapshot.isResident = notif.lcnMappings.empty() && notif.fileSize > 0;
+
+ // LCN 映射转换: (ULONGLONG, ULONG) → (ULONGLONG, ULONGLONG)
+ snapshot.dataRuns.reserve(notif.lcnMappings.size());
+ for (const auto& [lcn, clusters] : notif.lcnMappings) {
+ snapshot.dataRuns.emplace_back(lcn, static_cast(clusters));
+ }
+
+ snapshot.deleteTime = notif.deleteTime;
+ GetSystemTimeAsFileTime(&snapshot.captureTime);
+
+ store.AddSnapshot(snapshot);
+ count++;
+ }
+
+ return count;
+}
+
+// ========== 驱动信息 ==========
+
+string KernelBridgeClient::GetDriverVersion() {
+ if (!IsConnected()) return "未连接";
+
+ VERSION_REPLY reply = {};
+ ULONG bytesReturned = 0;
+
+ if (!SendCommand(CMD_GET_VERSION, &reply, sizeof(reply), &bytesReturned)) {
+ return "未知版本";
+ }
+
+ if (bytesReturned == 0) {
+ return "未知版本";
+ }
+
+ return string(reply.Version);
+}
+
+bool KernelBridgeClient::GetStats(DriverStats& stats) {
+ STATS_REPLY reply = {};
+ ULONG bytesReturned = 0;
+
+ if (!SendCommand(CMD_GET_STATS, &reply, sizeof(reply), &bytesReturned)) {
+ return false;
+ }
+
+ if (bytesReturned < sizeof(STATS_REPLY)) {
+ lastError = "统计数据不完整";
+ return false;
+ }
+
+ stats.totalEvents = reply.TotalEvents;
+ stats.pendingEvents = reply.PendingEvents;
+ stats.droppedEvents = reply.DroppedEvents;
+ stats.monitorActive = (reply.MonitorActive != 0);
+ return true;
+}
+
+#endif // ENABLE_KERNEL_BRIDGE
diff --git a/Filerestore_CLI/src/fileRestore/KernelBridgeClient.h b/Filerestore_CLI/src/fileRestore/KernelBridgeClient.h
new file mode 100644
index 0000000..8acecc9
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/KernelBridgeClient.h
@@ -0,0 +1,93 @@
+#pragma once
+
+// ============================================================================
+// 内核桥接客户端 - 通过 minifilter 通信端口连接 FileRestoreMon 驱动
+//
+// 默认不启用。要启用,在项目属性中定义 ENABLE_KERNEL_BRIDGE 预处理器宏。
+// ============================================================================
+
+#ifdef ENABLE_KERNEL_BRIDGE
+
+#include
+#include
+#include
+#include
+
+// 共享定义(与内核驱动 common.h 一致)
+#include "../../../../Filerestore_sys/Filerestore_sys/common.h"
+
+class MFTSnapshotStore;
+
+class KernelBridgeClient {
+public:
+ KernelBridgeClient();
+ ~KernelBridgeClient();
+
+ // ========== 连接管理 ==========
+
+ // 通过 FilterConnectCommunicationPort 连接到 minifilter 驱动
+ bool Connect();
+
+ // 断开连接
+ void Disconnect();
+
+ // 是否已连接
+ bool IsConnected() const { return hPort != INVALID_HANDLE_VALUE; }
+
+ // ========== 监控控制 ==========
+
+ // 启动文件删除监控
+ bool StartMonitor();
+
+ // 停止文件删除监控
+ bool StopMonitor();
+
+ // ========== 通知接收 ==========
+
+ // 删除通知结构
+ struct DeleteNotification {
+ std::wstring fileName;
+ ULONGLONG fileSize;
+ ULONGLONG allocationSize;
+ FILETIME creationTime;
+ FILETIME lastWriteTime;
+ FILETIME deleteTime;
+ DWORD processId;
+ DWORD deleteType;
+ std::vector> lcnMappings; // (startLCN, clusterCount)
+ };
+
+ // 从驱动获取待处理的删除通知
+ bool PollNotifications(std::vector& notifications);
+
+ // 将通知转换为快照并存入 MFTSnapshotStore
+ size_t FlushToSnapshotStore(MFTSnapshotStore& store);
+
+ // ========== 驱动信息 ==========
+
+ // 获取驱动版本
+ std::string GetDriverVersion();
+
+ // 驱动统计信息
+ struct DriverStats {
+ ULONG totalEvents;
+ ULONG pendingEvents;
+ ULONG droppedEvents;
+ bool monitorActive;
+ };
+
+ // 获取驱动统计
+ bool GetStats(DriverStats& stats);
+
+ // 获取最后的错误信息
+ std::string GetLastError() const { return lastError; }
+
+private:
+ HANDLE hPort; // minifilter 通信端口句柄
+ std::string lastError;
+
+ // 向驱动发送命令并接收回复
+ bool SendCommand(ULONG command, void* outBuffer, ULONG outSize, ULONG* bytesReturned);
+};
+
+#endif // ENABLE_KERNEL_BRIDGE
diff --git a/Filerestore_CLI/src/fileRestore/MFTSnapshotStore.cpp b/Filerestore_CLI/src/fileRestore/MFTSnapshotStore.cpp
new file mode 100644
index 0000000..0b4b3a8
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/MFTSnapshotStore.cpp
@@ -0,0 +1,280 @@
+#include "MFTSnapshotStore.h"
+#include "Logger.h"
+#include
+
+using namespace std;
+
+// ============================================================================
+// 构造和析构
+// ============================================================================
+MFTSnapshotStore::MFTSnapshotStore() : driveLetter(0) {}
+MFTSnapshotStore::~MFTSnapshotStore() {}
+
+string MFTSnapshotStore::GenerateStorePath(char drive) {
+ char tempPath[MAX_PATH];
+ GetTempPathA(MAX_PATH, tempPath);
+ return string(tempPath) + "mft_snapshot_" + drive + ".dat";
+}
+
+// ============================================================================
+// 快照管理
+// ============================================================================
+void MFTSnapshotStore::AddSnapshot(const MFTSnapshot& snapshot) {
+ lock_guard lock(mtx);
+ snapshots[snapshot.recordNumber].push_back(snapshot);
+}
+
+const MFTSnapshot* MFTSnapshotStore::FindByRecord(ULONGLONG recordNum, WORD seqNum) const {
+ lock_guard lock(mtx);
+
+ auto it = snapshots.find(recordNum);
+ if (it == snapshots.end()) return nullptr;
+
+ for (const auto& snap : it->second) {
+ if (snap.sequenceNumber == seqNum) {
+ return &snap;
+ }
+ }
+ return nullptr;
+}
+
+const MFTSnapshot* MFTSnapshotStore::FindLatestByRecord(ULONGLONG recordNum) const {
+ lock_guard lock(mtx);
+
+ auto it = snapshots.find(recordNum);
+ if (it == snapshots.end() || it->second.empty()) return nullptr;
+
+ // 返回最后一个(最新添加的)
+ return &it->second.back();
+}
+
+vector MFTSnapshotStore::SearchByName(const wstring& pattern) const {
+ lock_guard lock(mtx);
+ vector results;
+
+ wstring lowerPattern = pattern;
+ transform(lowerPattern.begin(), lowerPattern.end(), lowerPattern.begin(), ::towlower);
+
+ for (const auto& [recordNum, snapList] : snapshots) {
+ for (const auto& snap : snapList) {
+ wstring lowerName = snap.fileName;
+ transform(lowerName.begin(), lowerName.end(), lowerName.begin(), ::towlower);
+ if (lowerName.find(lowerPattern) != wstring::npos) {
+ results.push_back(&snap);
+ }
+ }
+ }
+ return results;
+}
+
+// ============================================================================
+// 持久化
+// ============================================================================
+void MFTSnapshotStore::SerializeSnapshot(ofstream& out, const MFTSnapshot& snap) {
+ out.write((char*)&snap.recordNumber, sizeof(ULONGLONG));
+ out.write((char*)&snap.sequenceNumber, sizeof(WORD));
+ out.write((char*)&snap.fileSize, sizeof(ULONGLONG));
+ out.write((char*)&snap.captureTime, sizeof(FILETIME));
+ out.write((char*)&snap.deleteTime, sizeof(FILETIME));
+ out.write((char*)&snap.parentRecord, sizeof(ULONGLONG));
+
+ BYTE flags = snap.isResident ? 0x01 : 0x00;
+ out.write((char*)&flags, sizeof(BYTE));
+
+ // 文件名
+ WORD nameLen = (WORD)snap.fileName.length();
+ out.write((char*)&nameLen, sizeof(WORD));
+ if (nameLen > 0) {
+ out.write((char*)snap.fileName.data(), nameLen * sizeof(WCHAR));
+ }
+
+ // Data Runs
+ DWORD runCount = (DWORD)snap.dataRuns.size();
+ out.write((char*)&runCount, sizeof(DWORD));
+ for (const auto& [lcn, count] : snap.dataRuns) {
+ out.write((char*)&lcn, sizeof(ULONGLONG));
+ out.write((char*)&count, sizeof(ULONGLONG));
+ }
+
+ // 常驻数据
+ DWORD resDataLen = (DWORD)snap.residentData.size();
+ out.write((char*)&resDataLen, sizeof(DWORD));
+ if (resDataLen > 0) {
+ out.write((char*)snap.residentData.data(), resDataLen);
+ }
+}
+
+bool MFTSnapshotStore::DeserializeSnapshot(ifstream& in, MFTSnapshot& snap) {
+ in.read((char*)&snap.recordNumber, sizeof(ULONGLONG));
+ in.read((char*)&snap.sequenceNumber, sizeof(WORD));
+ in.read((char*)&snap.fileSize, sizeof(ULONGLONG));
+ in.read((char*)&snap.captureTime, sizeof(FILETIME));
+ in.read((char*)&snap.deleteTime, sizeof(FILETIME));
+ in.read((char*)&snap.parentRecord, sizeof(ULONGLONG));
+
+ BYTE flags;
+ in.read((char*)&flags, sizeof(BYTE));
+ snap.isResident = (flags & 0x01) != 0;
+
+ // 文件名
+ WORD nameLen;
+ in.read((char*)&nameLen, sizeof(WORD));
+ if (nameLen > 0 && nameLen < 512) {
+ snap.fileName.resize(nameLen);
+ in.read((char*)snap.fileName.data(), nameLen * sizeof(WCHAR));
+ }
+
+ // Data Runs
+ DWORD runCount;
+ in.read((char*)&runCount, sizeof(DWORD));
+ if (runCount > 0 && runCount < 10000) {
+ snap.dataRuns.resize(runCount);
+ for (DWORD j = 0; j < runCount; j++) {
+ in.read((char*)&snap.dataRuns[j].first, sizeof(ULONGLONG));
+ in.read((char*)&snap.dataRuns[j].second, sizeof(ULONGLONG));
+ }
+ }
+
+ // 常驻数据
+ DWORD resDataLen;
+ in.read((char*)&resDataLen, sizeof(DWORD));
+ if (resDataLen > 0 && resDataLen < 4096) { // MFT 常驻数据最大 ~3.5KB
+ snap.residentData.resize(resDataLen);
+ in.read((char*)snap.residentData.data(), resDataLen);
+ }
+
+ return in.good();
+}
+
+bool MFTSnapshotStore::SaveToFile(const string& path) {
+ lock_guard lock(mtx);
+
+ ofstream out(path, ios::binary);
+ if (!out) {
+ LOG_ERROR("无法创建快照存储文件");
+ return false;
+ }
+
+ // 计算总快照数
+ size_t totalCount = 0;
+ for (const auto& [recordNum, snapList] : snapshots) {
+ totalCount += snapList.size();
+ }
+
+ // 写入头
+ MFTSnapshotHeader header;
+ header.magic = MFT_SNAPSHOT_MAGIC;
+ header.version = MFT_SNAPSHOT_VERSION;
+ header.snapshotCount = totalCount;
+ header.driveLetter = driveLetter;
+ memset(header.padding, 0, sizeof(header.padding));
+ GetSystemTimeAsFileTime(&header.lastUpdateTime);
+ header.createTime = header.lastUpdateTime;
+
+ out.write((char*)&header, sizeof(header));
+
+ // 写入快照
+ for (const auto& [recordNum, snapList] : snapshots) {
+ for (const auto& snap : snapList) {
+ SerializeSnapshot(out, snap);
+ }
+ }
+
+ out.close();
+ LOG_INFO_FMT("快照存储已保存: %zu 个快照到 %s", totalCount, path.c_str());
+ return true;
+}
+
+bool MFTSnapshotStore::LoadFromFile(const string& path) {
+ lock_guard lock(mtx);
+ snapshots.clear();
+
+ ifstream in(path, ios::binary);
+ if (!in) {
+ return false;
+ }
+
+ // 读取头
+ MFTSnapshotHeader header;
+ in.read((char*)&header, sizeof(header));
+
+ if (header.magic != MFT_SNAPSHOT_MAGIC || header.version != MFT_SNAPSHOT_VERSION) {
+ LOG_ERROR("快照存储文件格式无效或版本不匹配");
+ return false;
+ }
+
+ driveLetter = header.driveLetter;
+
+ // 读取快照
+ for (ULONGLONG i = 0; i < header.snapshotCount; i++) {
+ MFTSnapshot snap;
+ if (!DeserializeSnapshot(in, snap)) {
+ LOG_ERROR("快照存储文件损坏");
+ snapshots.clear();
+ return false;
+ }
+ snapshots[snap.recordNumber].push_back(snap);
+ }
+
+ in.close();
+ LOG_INFO_FMT("快照存储已加载: %llu 个快照从 %s", header.snapshotCount, path.c_str());
+ return true;
+}
+
+// ============================================================================
+// 清理和统计
+// ============================================================================
+size_t MFTSnapshotStore::PurgeOlderThan(int days) {
+ lock_guard lock(mtx);
+
+ FILETIME now;
+ GetSystemTimeAsFileTime(&now);
+
+ ULARGE_INTEGER nowLI;
+ nowLI.LowPart = now.dwLowDateTime;
+ nowLI.HighPart = now.dwHighDateTime;
+
+ // 100 纳秒 * 10^7 = 1 秒, * 86400 = 1 天
+ ULONGLONG cutoff = nowLI.QuadPart - (ULONGLONG)days * 864000000000ULL;
+
+ size_t purgedCount = 0;
+
+ for (auto it = snapshots.begin(); it != snapshots.end(); ) {
+ auto& snapList = it->second;
+
+ auto removeIt = remove_if(snapList.begin(), snapList.end(),
+ [cutoff, &purgedCount](const MFTSnapshot& snap) {
+ ULARGE_INTEGER snapTime;
+ snapTime.LowPart = snap.captureTime.dwLowDateTime;
+ snapTime.HighPart = snap.captureTime.dwHighDateTime;
+ if (snapTime.QuadPart < cutoff) {
+ purgedCount++;
+ return true;
+ }
+ return false;
+ });
+ snapList.erase(removeIt, snapList.end());
+
+ if (snapList.empty()) {
+ it = snapshots.erase(it);
+ } else {
+ ++it;
+ }
+ }
+
+ return purgedCount;
+}
+
+size_t MFTSnapshotStore::GetCount() const {
+ lock_guard lock(mtx);
+ size_t count = 0;
+ for (const auto& [recordNum, snapList] : snapshots) {
+ count += snapList.size();
+ }
+ return count;
+}
+
+void MFTSnapshotStore::Clear() {
+ lock_guard lock(mtx);
+ snapshots.clear();
+}
diff --git a/Filerestore_CLI/src/fileRestore/MFTSnapshotStore.h b/Filerestore_CLI/src/fileRestore/MFTSnapshotStore.h
new file mode 100644
index 0000000..cc86d17
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/MFTSnapshotStore.h
@@ -0,0 +1,113 @@
+#pragma once
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+using namespace std;
+
+// ============================================================================
+// MFT 快照魔术字节和版本
+// ============================================================================
+constexpr DWORD MFT_SNAPSHOT_MAGIC = 0x4D465453; // "MFTS"
+constexpr DWORD MFT_SNAPSHOT_VERSION = 1;
+
+// ============================================================================
+// MFT 快照条目 - 记录文件删除时刻的完整 MFT 元数据
+// ============================================================================
+struct MFTSnapshot {
+ ULONGLONG recordNumber; // MFT 记录号
+ WORD sequenceNumber; // 删除时的序列号
+ wstring fileName; // 文件名
+ ULONGLONG fileSize; // 文件大小
+ vector> dataRuns; // 完整 LCN 映射 (LCN, clusterCount)
+ FILETIME captureTime; // 快照捕获时间
+ FILETIME deleteTime; // 删除时间(来自 USN)
+ bool isResident; // 是否常驻数据
+ vector residentData; // 常驻数据内容
+ ULONGLONG parentRecord; // 父目录记录号
+
+ MFTSnapshot() :
+ recordNumber(0), sequenceNumber(0), fileSize(0),
+ isResident(false), parentRecord(0) {
+ ZeroMemory(&captureTime, sizeof(FILETIME));
+ ZeroMemory(&deleteTime, sizeof(FILETIME));
+ }
+};
+
+// ============================================================================
+// MFT 快照存储文件头
+// ============================================================================
+struct MFTSnapshotHeader {
+ DWORD magic;
+ DWORD version;
+ ULONGLONG snapshotCount;
+ char driveLetter;
+ char padding[7];
+ FILETIME createTime; // 存储创建时间
+ FILETIME lastUpdateTime; // 最后更新时间
+};
+
+// ============================================================================
+// MFT 快照存储 - 线程安全的增量式快照管理
+// ============================================================================
+class MFTSnapshotStore {
+public:
+ MFTSnapshotStore();
+ ~MFTSnapshotStore();
+
+ // ========== 快照管理 ==========
+
+ // 添加快照(线程安全)
+ void AddSnapshot(const MFTSnapshot& snapshot);
+
+ // 按 MFT 记录号 + 序列号精确查询
+ // 返回 nullptr 如果未找到
+ const MFTSnapshot* FindByRecord(ULONGLONG recordNum, WORD seqNum) const;
+
+ // 按 MFT 记录号查找最近的快照(不限序列号)
+ const MFTSnapshot* FindLatestByRecord(ULONGLONG recordNum) const;
+
+ // 按文件名模糊查询
+ vector SearchByName(const wstring& pattern) const;
+
+ // ========== 持久化 ==========
+
+ // 保存到文件
+ bool SaveToFile(const string& path);
+
+ // 从文件加载
+ bool LoadFromFile(const string& path);
+
+ // 生成默认存储路径
+ static string GenerateStorePath(char drive);
+
+ // ========== 清理和统计 ==========
+
+ // 清理超过指定天数的快照,返回删除数量
+ size_t PurgeOlderThan(int days);
+
+ // 获取快照总数
+ size_t GetCount() const;
+
+ // 清空所有快照
+ void Clear();
+
+ // ========== 驱动器信息 ==========
+
+ void SetDriveLetter(char drive) { driveLetter = drive; }
+ char GetDriveLetter() const { return driveLetter; }
+
+private:
+ // 按记录号索引(key = recordNumber, value = 该记录的快照列表,按序列号排序)
+ unordered_map> snapshots;
+ mutable mutex mtx;
+ char driveLetter;
+
+ // 序列化单条快照
+ void SerializeSnapshot(ofstream& out, const MFTSnapshot& snap);
+ bool DeserializeSnapshot(ifstream& in, MFTSnapshot& snap);
+};
diff --git a/Filerestore_CLI/src/fileRestore/MonitorDaemon.cpp b/Filerestore_CLI/src/fileRestore/MonitorDaemon.cpp
new file mode 100644
index 0000000..341fa50
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/MonitorDaemon.cpp
@@ -0,0 +1,392 @@
+#include "MonitorDaemon.h"
+#include "UsnDeleteMonitor.h"
+#include "MFTSnapshotStore.h"
+#include "Logger.h"
+#include
+
+using namespace std;
+
+// ============================================================================
+// 共享内存自旋锁(跨进程安全)
+// ============================================================================
+static void SpinLockAcquire(volatile LONG* lock) {
+ while (InterlockedCompareExchange(lock, 1, 0) != 0) {
+ YieldProcessor();
+ }
+}
+
+static void SpinLockRelease(volatile LONG* lock) {
+ InterlockedExchange(lock, 0);
+}
+
+// ============================================================================
+// 析构
+// ============================================================================
+MonitorDaemon::~MonitorDaemon() {
+ DetachSharedMemory();
+}
+
+// ============================================================================
+// 命名约定
+// ============================================================================
+wstring MonitorDaemon::GetMutexName(char d) {
+ return wstring(L"Global\\FileRestoreMonitor_") + (wchar_t)d;
+}
+
+wstring MonitorDaemon::GetSharedMemName(char d) {
+ return wstring(L"Global\\FileRestoreMonitor_") + (wchar_t)d + L"_Mem";
+}
+
+wstring MonitorDaemon::GetStopEventName(char d) {
+ return wstring(L"Global\\FileRestoreMonitor_") + (wchar_t)d + L"_Stop";
+}
+
+// ============================================================================
+// IsDaemonRunning - 通过 Mutex 检测守护进程是否已在运行
+// ============================================================================
+bool MonitorDaemon::IsDaemonRunning(char drive) {
+ wstring mutexName = GetMutexName(drive);
+ HANDLE hMutex = OpenMutexW(SYNCHRONIZE, FALSE, mutexName.c_str());
+ if (hMutex) {
+ CloseHandle(hMutex);
+ return true;
+ }
+ return false;
+}
+
+// ============================================================================
+// GetDaemonPID - 从共享内存读取 PID
+// ============================================================================
+DWORD MonitorDaemon::GetDaemonPID(char drive) {
+ if (AttachSharedMemory(drive)) {
+ MonitorSharedState state;
+ if (ReadState(state)) {
+ DetachSharedMemory();
+ return state.pid;
+ }
+ DetachSharedMemory();
+ }
+ return 0;
+}
+
+// ============================================================================
+// StartDaemon - 启动独立守护进程
+// ============================================================================
+bool MonitorDaemon::StartDaemon(char drive) {
+ // 检查是否已运行
+ if (IsDaemonRunning(drive)) {
+ return true;
+ }
+
+ // 获取自身路径
+ wchar_t exePath[MAX_PATH];
+ GetModuleFileNameW(NULL, exePath, MAX_PATH);
+
+ // 构造命令行: "" --monitor-daemon D
+ wstring cmdLine = wstring(L"\"") + exePath + L"\" --monitor-daemon " + (wchar_t)drive;
+
+ STARTUPINFOW si = {};
+ si.cb = sizeof(si);
+ PROCESS_INFORMATION pi = {};
+
+ // CREATE_NO_WINDOW | DETACHED_PROCESS 确保无窗口后台运行
+ BOOL ok = CreateProcessW(
+ NULL,
+ (LPWSTR)cmdLine.c_str(),
+ NULL, NULL, FALSE,
+ CREATE_NO_WINDOW | DETACHED_PROCESS,
+ NULL, NULL,
+ &si, &pi
+ );
+
+ if (!ok) {
+ LOG_ERROR_FMT("StartDaemon: CreateProcessW failed, error=%u", GetLastError());
+ return false;
+ }
+
+ CloseHandle(pi.hThread);
+ CloseHandle(pi.hProcess);
+
+ // 轮询等待共享内存出现(最多 3 秒)
+ for (int i = 0; i < 30; i++) {
+ Sleep(100);
+ if (IsDaemonRunning(drive)) {
+ return true;
+ }
+ }
+
+ LOG_ERROR("StartDaemon: Daemon did not start within timeout");
+ return false;
+}
+
+// ============================================================================
+// StopDaemon - 通知守护进程退出
+// ============================================================================
+bool MonitorDaemon::StopDaemon(char drive) {
+ if (!IsDaemonRunning(drive)) {
+ return true; // 已经停止
+ }
+
+ wstring eventName = GetStopEventName(drive);
+ HANDLE hEvent = OpenEventW(EVENT_MODIFY_STATE, FALSE, eventName.c_str());
+ if (!hEvent) {
+ LOG_ERROR_FMT("StopDaemon: Cannot open stop event, error=%u", GetLastError());
+ return false;
+ }
+
+ SetEvent(hEvent);
+ CloseHandle(hEvent);
+
+ // 轮询等待守护进程退出(最多 5 秒)
+ for (int i = 0; i < 50; i++) {
+ Sleep(100);
+ if (!IsDaemonRunning(drive)) {
+ return true;
+ }
+ }
+
+ LOG_ERROR("StopDaemon: Daemon did not stop within timeout");
+ return false;
+}
+
+// ============================================================================
+// AttachSharedMemory / DetachSharedMemory / ReadState
+// ============================================================================
+bool MonitorDaemon::AttachSharedMemory(char drive) {
+ if (sharedPtr_) return true; // 已附加
+
+ wstring memName = GetSharedMemName(drive);
+ hSharedMem_ = OpenFileMappingW(FILE_MAP_READ | FILE_MAP_WRITE, FALSE, memName.c_str());
+ if (!hSharedMem_) {
+ return false;
+ }
+
+ sharedPtr_ = (MonitorSharedState*)MapViewOfFile(
+ hSharedMem_, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, sizeof(MonitorSharedState));
+ if (!sharedPtr_) {
+ CloseHandle(hSharedMem_);
+ hSharedMem_ = nullptr;
+ return false;
+ }
+
+ return true;
+}
+
+void MonitorDaemon::DetachSharedMemory() {
+ if (sharedPtr_) {
+ UnmapViewOfFile(sharedPtr_);
+ sharedPtr_ = nullptr;
+ }
+ if (hSharedMem_) {
+ CloseHandle(hSharedMem_);
+ hSharedMem_ = nullptr;
+ }
+}
+
+bool MonitorDaemon::ReadState(MonitorSharedState& out) {
+ if (!sharedPtr_) return false;
+ if (sharedPtr_->magic != MONITOR_SHARED_MAGIC) return false;
+ if (sharedPtr_->version != MONITOR_SHARED_VERSION) return false;
+
+ // 加锁拷贝,确保不会读到写了一半的事件
+ SpinLockAcquire(&sharedPtr_->spinLock);
+ memcpy(&out, (const void*)sharedPtr_, sizeof(MonitorSharedState));
+ SpinLockRelease(&sharedPtr_->spinLock);
+
+ // 拷贝完成后释放锁,out 是本地副本,后续操作无需锁
+ return true;
+}
+
+// ============================================================================
+// 自启动注册表
+// ============================================================================
+static wstring GetAutoStartValueName(char drive) {
+ return wstring(L"FileRestoreMonitor_") + (wchar_t)drive;
+}
+
+bool MonitorDaemon::InstallAutoStart(char drive) {
+ wchar_t exePath[MAX_PATH];
+ GetModuleFileNameW(NULL, exePath, MAX_PATH);
+ wstring cmdLine = wstring(L"\"") + exePath + L"\" --monitor-daemon " + (wchar_t)drive;
+ wstring valueName = GetAutoStartValueName(drive);
+
+ HKEY hKey;
+ LONG result = RegOpenKeyExW(HKEY_CURRENT_USER,
+ L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+ 0, KEY_SET_VALUE, &hKey);
+ if (result != ERROR_SUCCESS) {
+ LOG_ERROR_FMT("InstallAutoStart: RegOpenKeyExW failed, error=%ld", result);
+ return false;
+ }
+
+ result = RegSetValueExW(hKey, valueName.c_str(), 0, REG_SZ,
+ (const BYTE*)cmdLine.c_str(),
+ (DWORD)((cmdLine.size() + 1) * sizeof(wchar_t)));
+ RegCloseKey(hKey);
+
+ return result == ERROR_SUCCESS;
+}
+
+bool MonitorDaemon::UninstallAutoStart(char drive) {
+ wstring valueName = GetAutoStartValueName(drive);
+
+ HKEY hKey;
+ LONG result = RegOpenKeyExW(HKEY_CURRENT_USER,
+ L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+ 0, KEY_SET_VALUE, &hKey);
+ if (result != ERROR_SUCCESS) return false;
+
+ result = RegDeleteValueW(hKey, valueName.c_str());
+ RegCloseKey(hKey);
+
+ return result == ERROR_SUCCESS || result == ERROR_FILE_NOT_FOUND;
+}
+
+bool MonitorDaemon::IsAutoStartInstalled(char drive) {
+ wstring valueName = GetAutoStartValueName(drive);
+
+ HKEY hKey;
+ LONG result = RegOpenKeyExW(HKEY_CURRENT_USER,
+ L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+ 0, KEY_QUERY_VALUE, &hKey);
+ if (result != ERROR_SUCCESS) return false;
+
+ result = RegQueryValueExW(hKey, valueName.c_str(), NULL, NULL, NULL, NULL);
+ RegCloseKey(hKey);
+
+ return result == ERROR_SUCCESS;
+}
+
+// ============================================================================
+// RunDaemonMain - 守护进程主入口
+// ============================================================================
+int MonitorDaemon::RunDaemonMain(char drive) {
+ // 1. 创建单例 Mutex
+ wstring mutexName = GetMutexName(drive);
+ HANDLE hMutex = CreateMutexW(NULL, TRUE, mutexName.c_str());
+ if (!hMutex || GetLastError() == ERROR_ALREADY_EXISTS) {
+ if (hMutex) CloseHandle(hMutex);
+ return 1; // 已有实例运行
+ }
+
+ // 2. 创建停止事件(手动复位)
+ wstring eventName = GetStopEventName(drive);
+ HANDLE hStopEvent = CreateEventW(NULL, TRUE, FALSE, eventName.c_str());
+ if (!hStopEvent) {
+ ReleaseMutex(hMutex);
+ CloseHandle(hMutex);
+ return 1;
+ }
+
+ // 3. 创建共享内存
+ wstring memName = GetSharedMemName(drive);
+ HANDLE hMapping = CreateFileMappingW(
+ INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE,
+ 0, sizeof(MonitorSharedState), memName.c_str());
+ if (!hMapping) {
+ CloseHandle(hStopEvent);
+ ReleaseMutex(hMutex);
+ CloseHandle(hMutex);
+ return 1;
+ }
+
+ MonitorSharedState* shared = (MonitorSharedState*)MapViewOfFile(
+ hMapping, FILE_MAP_ALL_ACCESS, 0, 0, sizeof(MonitorSharedState));
+ if (!shared) {
+ CloseHandle(hMapping);
+ CloseHandle(hStopEvent);
+ ReleaseMutex(hMutex);
+ CloseHandle(hMutex);
+ return 1;
+ }
+
+ // 4. 初始化共享内存
+ memset(shared, 0, sizeof(MonitorSharedState));
+ shared->magic = MONITOR_SHARED_MAGIC;
+ shared->version = MONITOR_SHARED_VERSION;
+ shared->driveLetter = drive;
+ shared->pid = GetCurrentProcessId();
+ GetSystemTimeAsFileTime(&shared->startTime);
+ shared->daemonRunning = 1;
+ shared->autoStartEnabled = IsAutoStartInstalled(drive) ? 1 : 0;
+
+ // 5. 创建 UsnDeleteMonitor
+ UsnDeleteMonitor monitor(drive);
+ monitor.SetPollInterval(1000);
+
+ shared->pollIntervalMs = monitor.GetPollInterval();
+
+ // 设置事件回调 - 写入环形缓冲区(加锁)
+ monitor.SetEventCallback([shared](ULONGLONG recordNum, ULONGLONG fileSize,
+ FILETIME deleteTime, const wstring& fileName,
+ bool captured) {
+ SpinLockAcquire(&shared->spinLock);
+
+ LONG head = shared->recentEventHead;
+ LONG idx = head % MONITOR_RECENT_EVENT_MAX;
+
+ MonitorRecentEvent& evt = shared->recentEvents[idx];
+ evt.mftRecord = recordNum;
+ evt.fileSize = fileSize;
+ evt.deleteTime = deleteTime;
+ evt.captured = captured ? 1 : 0;
+
+ // 安全拷贝文件名
+ size_t copyLen = min(fileName.size(), (size_t)259);
+ memcpy(evt.fileName, fileName.c_str(), copyLen * sizeof(wchar_t));
+ evt.fileName[copyLen] = L'\0';
+
+ shared->recentEventHead = head + 1;
+ LONG count = shared->recentEventCount + 1;
+ if (count > MONITOR_RECENT_EVENT_MAX) count = MONITOR_RECENT_EVENT_MAX;
+ shared->recentEventCount = count;
+
+ SpinLockRelease(&shared->spinLock);
+ });
+
+ // 6. 捕获现有删除记录
+ LOG_INFO_FMT("Daemon: Capturing existing deleted files on %c:...", drive);
+ size_t captured = monitor.CaptureExistingDeleted(24);
+ InterlockedExchange64(&shared->snapshotCount, (LONGLONG)monitor.GetSnapshotStore().GetCount());
+ LOG_INFO_FMT("Daemon: Captured %zu existing snapshots", captured);
+
+ // 7. 启动监控
+ if (!monitor.Start()) {
+ LOG_ERROR("Daemon: Failed to start monitor");
+ shared->daemonRunning = 0;
+ UnmapViewOfFile(shared);
+ CloseHandle(hMapping);
+ CloseHandle(hStopEvent);
+ ReleaseMutex(hMutex);
+ CloseHandle(hMutex);
+ return 1;
+ }
+
+ LOG_INFO_FMT("Daemon: Monitor started on %c:, PID=%u", drive, GetCurrentProcessId());
+
+ // 8. 主循环 - 等待停止信号,定期更新统计
+ while (WaitForSingleObject(hStopEvent, 500) == WAIT_TIMEOUT) {
+ // 更新统计到共享内存
+ auto& stats = monitor.GetStats();
+ InterlockedExchange64(&shared->totalEvents, (LONGLONG)stats.totalEvents.load());
+ InterlockedExchange64(&shared->capturedCount, (LONGLONG)stats.capturedCount.load());
+ InterlockedExchange64(&shared->missedCount, (LONGLONG)stats.missedCount.load());
+ InterlockedExchange64(&shared->skippedCount, (LONGLONG)stats.skippedCount.load());
+ InterlockedExchange64(&shared->snapshotCount, (LONGLONG)monitor.GetSnapshotStore().GetCount());
+ GetSystemTimeAsFileTime(&shared->lastUpdate);
+ }
+
+ // 9. 清理退出
+ LOG_INFO("Daemon: Stop signal received, shutting down...");
+ monitor.Stop();
+ shared->daemonRunning = 0;
+
+ UnmapViewOfFile(shared);
+ CloseHandle(hMapping);
+ CloseHandle(hStopEvent);
+ ReleaseMutex(hMutex);
+ CloseHandle(hMutex);
+
+ LOG_INFO("Daemon: Exited cleanly");
+ return 0;
+}
diff --git a/Filerestore_CLI/src/fileRestore/MonitorDaemon.h b/Filerestore_CLI/src/fileRestore/MonitorDaemon.h
new file mode 100644
index 0000000..3ca5f24
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/MonitorDaemon.h
@@ -0,0 +1,80 @@
+#pragma once
+#include
+#include
+
+// ============================================================================
+// 共享内存常量
+// ============================================================================
+constexpr DWORD MONITOR_SHARED_MAGIC = 0x46524D44; // 'FRMD'
+constexpr DWORD MONITOR_SHARED_VERSION = 1;
+constexpr int MONITOR_RECENT_EVENT_MAX = 16;
+
+// ============================================================================
+// 共享内存结构 - 固定大小 POD,无指针/STL
+// ============================================================================
+#pragma pack(push, 8)
+
+struct MonitorRecentEvent {
+ ULONGLONG mftRecord;
+ ULONGLONG fileSize;
+ FILETIME deleteTime;
+ wchar_t fileName[260];
+ BYTE captured; // 1=success, 0=failed
+ BYTE padding[7];
+};
+
+struct MonitorSharedState {
+ DWORD magic, version;
+ char driveLetter; char pad1[3];
+ DWORD pid;
+ FILETIME startTime, lastUpdate;
+ // 统计(Interlocked 更新)
+ volatile LONGLONG totalEvents, capturedCount, missedCount, skippedCount, snapshotCount;
+ DWORD pollIntervalMs; DWORD pad2;
+ // 环形缓冲区自旋锁
+ volatile LONG spinLock;
+ // 环形缓冲区
+ volatile LONG recentEventCount, recentEventHead;
+ MonitorRecentEvent recentEvents[MONITOR_RECENT_EVENT_MAX];
+ // 标志
+ volatile LONG daemonRunning, autoStartEnabled;
+};
+
+#pragma pack(pop)
+
+// ============================================================================
+// MonitorDaemon - 守护进程管理器
+// ============================================================================
+class MonitorDaemon {
+public:
+ MonitorDaemon() = default;
+ ~MonitorDaemon();
+
+ // ========== 守护进程生命周期 ==========
+ bool StartDaemon(char drive);
+ bool StopDaemon(char drive);
+ bool IsDaemonRunning(char drive);
+ DWORD GetDaemonPID(char drive);
+
+ // ========== 共享内存读取(CLI/TUI 侧)==========
+ bool AttachSharedMemory(char drive);
+ void DetachSharedMemory();
+ bool ReadState(MonitorSharedState& out);
+
+ // ========== 自启动注册表 ==========
+ static bool InstallAutoStart(char drive);
+ static bool UninstallAutoStart(char drive);
+ static bool IsAutoStartInstalled(char drive);
+
+ // ========== 命名约定 ==========
+ static std::wstring GetMutexName(char d);
+ static std::wstring GetSharedMemName(char d);
+ static std::wstring GetStopEventName(char d);
+
+ // ========== 守护进程入口(从 Main.cpp 调用)==========
+ static int RunDaemonMain(char drive);
+
+private:
+ HANDLE hSharedMem_ = nullptr;
+ MonitorSharedState* sharedPtr_ = nullptr;
+};
diff --git a/Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.cpp b/Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.cpp
new file mode 100644
index 0000000..28d22f5
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.cpp
@@ -0,0 +1,262 @@
+#include "UsnDeleteMonitor.h"
+#include "Logger.h"
+#include
+
+using namespace std;
+
+// ============================================================================
+// 构造和析构
+// ============================================================================
+UsnDeleteMonitor::UsnDeleteMonitor(char driveLetter)
+ : driveLetter(driveLetter), running(false),
+ lastProcessedUsn(0), pollIntervalMs(1000), autoSaveIntervalSec(60) {
+ snapshotStore.SetDriveLetter(driveLetter);
+}
+
+UsnDeleteMonitor::~UsnDeleteMonitor() {
+ Stop();
+}
+
+// ============================================================================
+// 一次性扫描:为现有 USN 删除记录捕获快照
+// ============================================================================
+size_t UsnDeleteMonitor::CaptureExistingDeleted(int maxTimeHours) {
+ MFTReader reader;
+ if (!reader.OpenVolume(driveLetter)) {
+ LOG_ERROR_FMT("CaptureExistingDeleted: 无法打开卷 %c:", driveLetter);
+ return 0;
+ }
+ reader.GetTotalMFTRecords();
+
+ MFTParser parser(&reader);
+
+ UsnJournalReader usnReader;
+ if (!usnReader.Open(driveLetter)) {
+ LOG_ERROR_FMT("CaptureExistingDeleted: 无法打开 USN 日志 %c:", driveLetter);
+ return 0;
+ }
+
+ int maxTimeSeconds = maxTimeHours * 3600;
+ auto deletedFiles = usnReader.ScanRecentlyDeletedFiles(maxTimeSeconds, 0);
+
+ size_t captured = 0;
+ size_t missed = 0;
+ size_t skipped = 0;
+
+ for (const auto& info : deletedFiles) {
+ // 跳过目录
+ if (info.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+ skipped++;
+ continue;
+ }
+
+ ULONGLONG recordNum = info.GetMftRecordNumber();
+ WORD expectedSeq = info.GetExpectedSequence();
+
+ // 读取 MFT 记录
+ vector recordData;
+ if (!reader.ReadMFT(recordNum, recordData)) {
+ missed++;
+ continue;
+ }
+
+ // 提取文件数据信息
+ auto dataInfo = parser.ExtractFileDataInfo(recordData.data(), recordData.size());
+ if (!dataInfo) {
+ missed++;
+ continue;
+ }
+
+ // 检查序列号:如果已经被复用(序列号递增),仍然尝试捕获
+ // 因为 data runs 可能仍然指向原文件数据(尤其是刚删除的情况下)
+ WORD actualSeq = dataInfo->sequenceNumber;
+
+ MFTSnapshot snapshot;
+ snapshot.recordNumber = recordNum;
+ snapshot.sequenceNumber = expectedSeq; // 使用 USN 中的序列号
+ snapshot.fileName = info.FileName;
+ snapshot.fileSize = dataInfo->fileSize;
+ snapshot.dataRuns = dataInfo->dataRuns;
+ snapshot.isResident = dataInfo->isResident;
+ snapshot.residentData = dataInfo->residentData;
+ snapshot.parentRecord = info.GetParentMftRecordNumber();
+
+ // 时间戳
+ GetSystemTimeAsFileTime(&snapshot.captureTime);
+ snapshot.deleteTime.dwLowDateTime = info.TimeStamp.LowPart;
+ snapshot.deleteTime.dwHighDateTime = info.TimeStamp.HighPart;
+
+ snapshotStore.AddSnapshot(snapshot);
+ captured++;
+ }
+
+ stats.capturedCount += captured;
+ stats.missedCount += missed;
+ stats.skippedCount += skipped;
+ stats.totalEvents += deletedFiles.size();
+
+ LOG_INFO_FMT("CaptureExistingDeleted: %zu 个删除记录, 捕获 %zu, 失败 %zu, 跳过 %zu",
+ deletedFiles.size(), captured, missed, skipped);
+
+ return captured;
+}
+
+// ============================================================================
+// 处理单个删除事件
+// ============================================================================
+bool UsnDeleteMonitor::HandleDeleteEvent(const UsnDeletedFileInfo& info) {
+ // 跳过目录
+ if (info.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+ stats.skippedCount++;
+ return false;
+ }
+
+ stats.totalEvents++;
+
+ ULONGLONG recordNum = info.GetMftRecordNumber();
+
+ // 读取 MFT 记录(需要独立的 reader,因为在后台线程中)
+ MFTReader reader;
+ if (!reader.OpenVolume(driveLetter)) {
+ stats.missedCount++;
+ return false;
+ }
+ reader.GetTotalMFTRecords();
+
+ MFTParser parser(&reader);
+
+ vector recordData;
+ if (!reader.ReadMFT(recordNum, recordData)) {
+ stats.missedCount++;
+ return false;
+ }
+
+ auto dataInfo = parser.ExtractFileDataInfo(recordData.data(), recordData.size());
+ if (!dataInfo) {
+ stats.missedCount++;
+ if (eventCallback) {
+ FILETIME ft;
+ ft.dwLowDateTime = info.TimeStamp.LowPart;
+ ft.dwHighDateTime = info.TimeStamp.HighPart;
+ eventCallback(recordNum, 0, ft, info.FileName, false);
+ }
+ return false;
+ }
+
+ MFTSnapshot snapshot;
+ snapshot.recordNumber = recordNum;
+ snapshot.sequenceNumber = info.GetExpectedSequence();
+ snapshot.fileName = info.FileName;
+ snapshot.fileSize = dataInfo->fileSize;
+ snapshot.dataRuns = dataInfo->dataRuns;
+ snapshot.isResident = dataInfo->isResident;
+ snapshot.residentData = dataInfo->residentData;
+ snapshot.parentRecord = info.GetParentMftRecordNumber();
+
+ GetSystemTimeAsFileTime(&snapshot.captureTime);
+ snapshot.deleteTime.dwLowDateTime = info.TimeStamp.LowPart;
+ snapshot.deleteTime.dwHighDateTime = info.TimeStamp.HighPart;
+
+ snapshotStore.AddSnapshot(snapshot);
+ stats.capturedCount++;
+
+ if (eventCallback) {
+ FILETIME ft;
+ ft.dwLowDateTime = info.TimeStamp.LowPart;
+ ft.dwHighDateTime = info.TimeStamp.HighPart;
+ eventCallback(recordNum, dataInfo->fileSize, ft, info.FileName, true);
+ }
+
+ LOG_DEBUG_FMT("捕获快照: MFT#%llu %S (%.1fKB, %zu runs)",
+ recordNum, info.FileName.c_str(),
+ (double)dataInfo->fileSize / 1024.0,
+ dataInfo->dataRuns.size());
+
+ return true;
+}
+
+// ============================================================================
+// 后台监控线程
+// ============================================================================
+void UsnDeleteMonitor::MonitorThread() {
+ LOG_INFO_FMT("USN 删除监控已启动: 驱动器 %c:, 轮询间隔 %ums", driveLetter, pollIntervalMs);
+
+ UsnJournalReader usnReader;
+ if (!usnReader.Open(driveLetter)) {
+ LOG_ERROR_FMT("MonitorThread: 无法打开 USN 日志 %c:", driveLetter);
+ running = false;
+ return;
+ }
+
+ // 获取当前 USN 位置作为起点
+ UsnJournalStats journalStats;
+ if (usnReader.GetJournalStats(journalStats)) {
+ lastProcessedUsn = journalStats.NextUsn;
+ }
+
+ DWORD lastSaveTime = GetTickCount();
+
+ while (running.load()) {
+ // 扫描新的删除事件
+ // 使用短时间窗口(30秒)避免重复处理
+ auto deleted = usnReader.ScanRecentlyDeletedFiles(30, 1000);
+
+ for (const auto& info : deleted) {
+ // 只处理 USN 位置在上次处理之后的记录
+ if (info.Usn > lastProcessedUsn) {
+ HandleDeleteEvent(info);
+ if (info.Usn > lastProcessedUsn) {
+ lastProcessedUsn = info.Usn;
+ }
+ }
+ }
+
+ // 自动保存
+ if (autoSaveIntervalSec > 0) {
+ DWORD now = GetTickCount();
+ if (now - lastSaveTime >= autoSaveIntervalSec * 1000) {
+ string path = MFTSnapshotStore::GenerateStorePath(driveLetter);
+ snapshotStore.SaveToFile(path);
+ lastSaveTime = now;
+ }
+ }
+
+ // 等待下一次轮询
+ for (DWORD waited = 0; waited < pollIntervalMs && running.load(); waited += 100) {
+ Sleep(100);
+ }
+ }
+
+ // 退出前保存
+ string path = MFTSnapshotStore::GenerateStorePath(driveLetter);
+ snapshotStore.SaveToFile(path);
+
+ LOG_INFO("USN 删除监控已停止");
+}
+
+// ============================================================================
+// 启动和停止
+// ============================================================================
+bool UsnDeleteMonitor::Start() {
+ if (running.load()) {
+ return true; // 已经在运行
+ }
+
+ // 尝试加载已有的快照
+ string path = MFTSnapshotStore::GenerateStorePath(driveLetter);
+ snapshotStore.LoadFromFile(path);
+
+ running = true;
+ monitorThread = thread(&UsnDeleteMonitor::MonitorThread, this);
+
+ return true;
+}
+
+void UsnDeleteMonitor::Stop() {
+ if (!running.load()) return;
+
+ running = false;
+ if (monitorThread.joinable()) {
+ monitorThread.join();
+ }
+}
diff --git a/Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.h b/Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.h
new file mode 100644
index 0000000..b0d3693
--- /dev/null
+++ b/Filerestore_CLI/src/fileRestore/UsnDeleteMonitor.h
@@ -0,0 +1,103 @@
+#pragma once
+#include
+#include
+#include
+#include
+#include
+#include "UsnJournalReader.h"
+#include "MFTReader.h"
+#include "MFTParser.h"
+#include "MFTSnapshotStore.h"
+
+using namespace std;
+
+// ============================================================================
+// USN 删除监控统计
+// ============================================================================
+struct UsnMonitorStats {
+ atomic totalEvents{0}; // 总检测到的删除事件
+ atomic capturedCount{0}; // 成功捕获快照数
+ atomic missedCount{0}; // MFT 已复用来不及捕获数
+ atomic skippedCount{0}; // 跳过数(目录、系统文件等)
+};
+
+// ============================================================================
+// USN 删除监控器 - 后台轮询 USN Journal,捕获被删文件的 MFT 快照
+// ============================================================================
+class UsnDeleteMonitor {
+public:
+ UsnDeleteMonitor(char driveLetter);
+ ~UsnDeleteMonitor();
+
+ // ========== 控制 ==========
+
+ // 启动后台监控
+ bool Start();
+
+ // 停止监控
+ void Stop();
+
+ // 是否正在运行
+ bool IsRunning() const { return running.load(); }
+
+ // ========== 快照访问 ==========
+
+ // 获取快照存储引用
+ MFTSnapshotStore& GetSnapshotStore() { return snapshotStore; }
+ const MFTSnapshotStore& GetSnapshotStore() const { return snapshotStore; }
+
+ // ========== 一次性扫描 ==========
+
+ // 扫描 USN 日志中已有的删除记录并捕获快照(非后台,立即执行)
+ // maxTimeHours: 回溯时间(小时)
+ // 返回捕获的快照数
+ size_t CaptureExistingDeleted(int maxTimeHours = 24);
+
+ // ========== 统计 ==========
+
+ const UsnMonitorStats& GetStats() const { return stats; }
+
+ // ========== 配置 ==========
+
+ // 轮询间隔(毫秒),默认 1000ms
+ void SetPollInterval(DWORD ms) { pollIntervalMs = ms; }
+ DWORD GetPollInterval() const { return pollIntervalMs; }
+
+ // 自动保存间隔(秒),0 = 不自动保存,默认 60s
+ void SetAutoSaveInterval(DWORD seconds) { autoSaveIntervalSec = seconds; }
+
+ // ========== 事件回调 ==========
+
+ using EventCallback = function;
+ void SetEventCallback(EventCallback cb) { eventCallback = std::move(cb); }
+
+private:
+ // 后台轮询线程
+ void MonitorThread();
+
+ // 处理单个删除事件:读取 MFT 记录,创建快照
+ bool HandleDeleteEvent(const UsnDeletedFileInfo& info);
+
+ // 组件
+ char driveLetter;
+ MFTSnapshotStore snapshotStore;
+
+ // 线程控制
+ thread monitorThread;
+ atomic running;
+
+ // USN 游标
+ USN lastProcessedUsn;
+
+ // 配置
+ DWORD pollIntervalMs;
+ DWORD autoSaveIntervalSec;
+
+ // 统计
+ UsnMonitorStats stats;
+
+ // 事件回调
+ EventCallback eventCallback;
+};
diff --git a/Filerestore_sys/Filerestore_sys.sln b/Filerestore_sys/Filerestore_sys.sln
new file mode 100644
index 0000000..b08bbc5
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys.sln
@@ -0,0 +1,35 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.14.36811.4 d17.14
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Filerestore_sys", "Filerestore_sys\Filerestore_sys.vcxproj", "{4E97BA7A-9203-3699-D57F-5596CAD720A0}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|ARM64 = Debug|ARM64
+ Debug|x64 = Debug|x64
+ Release|ARM64 = Release|ARM64
+ Release|x64 = Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Debug|ARM64.ActiveCfg = Debug|ARM64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Debug|ARM64.Build.0 = Debug|ARM64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Debug|ARM64.Deploy.0 = Debug|ARM64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Debug|x64.ActiveCfg = Debug|x64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Debug|x64.Build.0 = Debug|x64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Debug|x64.Deploy.0 = Debug|x64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Release|ARM64.ActiveCfg = Release|ARM64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Release|ARM64.Build.0 = Release|ARM64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Release|ARM64.Deploy.0 = Release|ARM64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Release|x64.ActiveCfg = Release|x64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Release|x64.Build.0 = Release|x64
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}.Release|x64.Deploy.0 = Release|x64
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {C73C08B3-4928-41BE-980A-DC28CB001DD0}
+ EndGlobalSection
+EndGlobal
diff --git a/Filerestore_sys/Filerestore_sys/Filerestore_sys.inf b/Filerestore_sys/Filerestore_sys/Filerestore_sys.inf
new file mode 100644
index 0000000..996f5d9
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/Filerestore_sys.inf
@@ -0,0 +1,84 @@
+;
+; Filerestore_sys.inf - Minifilter driver installation
+;
+
+[Version]
+Signature = "$WINDOWS NT$"
+Class = "ActivityMonitor"
+ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2}
+Provider = %ManufacturerName%
+CatalogFile = Filerestore_sys.cat
+DriverVer = 02/19/2026,1.0.0.0
+PnpLockdown = 1
+
+[DestinationDirs]
+DefaultDestDir = 12 ; %windir%\system32\drivers
+FileRestoreMon.CopyFiles = 12
+
+[SourceDisksNames]
+1 = %DiskName%,,,""
+
+[SourceDisksFiles]
+Filerestore_sys.sys = 1,,
+
+;*****************************************
+; DefaultInstall Section (non-PnP)
+;*****************************************
+
+[DefaultInstall.NT$ARCH$]
+OptionDesc = %ServiceDescription%
+CopyFiles = FileRestoreMon.CopyFiles
+
+[DefaultInstall.NT$ARCH$.Services]
+AddService = FileRestoreMon,,FileRestoreMon.Service
+
+[DefaultUninstall.NT$ARCH$]
+LegacyUninstall = 1
+DelFiles = FileRestoreMon.CopyFiles
+
+[DefaultUninstall.NT$ARCH$.Services]
+DelService = FileRestoreMon,0x200 ; SPSVCINST_STOPSERVICE
+
+;*****************************************
+; File copy
+;*****************************************
+
+[FileRestoreMon.CopyFiles]
+Filerestore_sys.sys
+
+;*****************************************
+; Service installation
+;*****************************************
+
+[FileRestoreMon.Service]
+DisplayName = %ServiceName%
+Description = %ServiceDescription%
+ServiceType = 2 ; SERVICE_FILE_SYSTEM_DRIVER
+StartType = 3 ; SERVICE_DEMAND_START
+ErrorControl = 1 ; SERVICE_ERROR_NORMAL
+ServiceBinary = %12%\Filerestore_sys.sys
+LoadOrderGroup = "FSFilter Activity Monitor"
+AddReg = FileRestoreMon.AddRegistry
+
+;*****************************************
+; Minifilter instance registration
+;*****************************************
+
+[FileRestoreMon.AddRegistry]
+HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%
+HKR,"Instances\"%Instance1.Name%,"Altitude",0x00000000,%Instance1.Altitude%
+HKR,"Instances\"%Instance1.Name%,"Flags",0x00010001,%Instance1.Flags%
+
+;*****************************************
+; Strings
+;*****************************************
+
+[Strings]
+ManufacturerName = "FileRestore"
+ServiceName = "FileRestoreMon"
+ServiceDescription = "FileRestore Monitor Minifilter Driver"
+DiskName = "FileRestoreMon Installation Disk"
+DefaultInstance = "FileRestoreMon Instance"
+Instance1.Name = "FileRestoreMon Instance"
+Instance1.Altitude = "370100"
+Instance1.Flags = 0x0 ; automatic attachment
diff --git a/Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj b/Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj
new file mode 100644
index 0000000..f48cde3
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj
@@ -0,0 +1,168 @@
+
+
+
+
+
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+ Debug
+ ARM64
+
+
+ Release
+ ARM64
+
+
+
+ {4E97BA7A-9203-3699-D57F-5596CAD720A0}
+ {1bc93793-694f-48fe-9372-81e2b05556fd}
+ v4.5
+ 12.0
+ Debug
+ x64
+ Filerestore_sys
+
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+ Universal
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+ Universal
+
+
+ Windows10
+ true
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+ Universal
+
+
+ Windows10
+ false
+ WindowsKernelModeDriver10.0
+ Driver
+ WDM
+ Universal
+
+
+
+
+
+
+
+
+
+ false
+ false
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+ DbgengKernelDebugger
+
+
+
+ sha256
+
+
+ %(PreprocessorDefinitions)
+ %(AdditionalIncludeDirectories)
+
+
+ %(AdditionalDependencies);fltMgr.lib
+
+
+
+
+ sha256
+
+
+ %(PreprocessorDefinitions)
+ %(AdditionalIncludeDirectories)
+
+
+ %(AdditionalDependencies);fltMgr.lib
+
+
+
+
+ sha256
+
+
+ %(PreprocessorDefinitions)
+ %(AdditionalIncludeDirectories)
+
+
+ %(AdditionalDependencies);fltMgr.lib
+
+
+
+
+ sha256
+
+
+ %(PreprocessorDefinitions)
+ %(AdditionalIncludeDirectories)
+
+
+ %(AdditionalDependencies);fltMgr.lib
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 这台计算机上缺少此项目引用的 NuGet 程序包。使用“NuGet 程序包还原”可下载这些程序包。有关更多信息,请参见 http://go.microsoft.com/fwlink/?LinkID=322105。缺少的文件是 {0}。
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj.filters b/Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj.filters
new file mode 100644
index 0000000..ee59303
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/Filerestore_sys.vcxproj.filters
@@ -0,0 +1,48 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hpp;hxx;hm;inl;inc;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+ {8E41214B-6785-4CFE-B992-037D68949A14}
+ inf;inv;inx;mof;mc;
+
+
+
+
+ Source Files
+
+
+ Source Files
+
+
+ Source Files
+
+
+
+
+ Header Files
+
+
+ Header Files
+
+
+
+
+ Driver Files
+
+
+
+
+
+
diff --git a/Filerestore_sys/Filerestore_sys/common.h b/Filerestore_sys/Filerestore_sys/common.h
new file mode 100644
index 0000000..ae3f61b
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/common.h
@@ -0,0 +1,86 @@
+/*
+ * common.h - Shared definitions between kernel driver and user-mode client
+ *
+ * This header is included by both the minifilter driver (kernel) and the
+ * user-mode application (Filerestore_CLI). Keep it pure C compatible.
+ */
+
+#ifndef _FILERESTORE_COMMON_H_
+#define _FILERESTORE_COMMON_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Communication port name */
+#define FILERESTORE_PORT_NAME L"\\FileRestoreMonPort"
+
+/* Command codes (user -> kernel) */
+#define CMD_START_MONITOR 1
+#define CMD_STOP_MONITOR 2
+#define CMD_GET_EVENTS 3
+#define CMD_GET_STATS 4
+#define CMD_GET_VERSION 5
+
+/* Delete types */
+#define DELETE_TYPE_PERMANENT 0
+#define DELETE_TYPE_RECYCLE 1
+
+/* Limits */
+#define MAX_LCN_ENTRIES 64
+#define MAX_FILE_PATH_CHARS 520
+#define DRIVER_VERSION_STRING "1.0.0"
+
+/* ===== Structures ===== */
+
+/* LCN (Logical Cluster Number) entry for file extent mapping */
+typedef struct _LCN_ENTRY {
+ ULONGLONG StartLCN;
+ ULONG ClusterCount;
+ ULONG Reserved;
+} LCN_ENTRY, *PLCN_ENTRY;
+
+/* Single delete event notification */
+typedef struct _DELETE_NOTIFICATION {
+ LARGE_INTEGER Timestamp;
+ ULONG ProcessId;
+ ULONG DeleteType;
+ LARGE_INTEGER FileSize;
+ LARGE_INTEGER AllocationSize;
+ LARGE_INTEGER CreationTime;
+ LARGE_INTEGER LastWriteTime;
+ ULONG LCNCount;
+ LCN_ENTRY LCNEntries[MAX_LCN_ENTRIES];
+ USHORT FileNameLength; /* in bytes */
+ WCHAR FileName[MAX_FILE_PATH_CHARS];
+} DELETE_NOTIFICATION, *PDELETE_NOTIFICATION;
+
+/* Command message (user -> kernel) */
+typedef struct _COMMAND_MESSAGE {
+ ULONG Command;
+} COMMAND_MESSAGE, *PCOMMAND_MESSAGE;
+
+/* Events reply header (kernel -> user, for CMD_GET_EVENTS) */
+typedef struct _EVENTS_REPLY {
+ ULONG EventCount;
+ DELETE_NOTIFICATION Events[1]; /* variable-length array */
+} EVENTS_REPLY, *PEVENTS_REPLY;
+
+/* Statistics reply (kernel -> user, for CMD_GET_STATS) */
+typedef struct _STATS_REPLY {
+ ULONG TotalEvents;
+ ULONG PendingEvents;
+ ULONG DroppedEvents;
+ ULONG MonitorActive;
+} STATS_REPLY, *PSTATS_REPLY;
+
+/* Version reply (kernel -> user, for CMD_GET_VERSION) */
+typedef struct _VERSION_REPLY {
+ CHAR Version[64];
+} VERSION_REPLY, *PVERSION_REPLY;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _FILERESTORE_COMMON_H_ */
diff --git a/Filerestore_sys/Filerestore_sys/communication.c b/Filerestore_sys/Filerestore_sys/communication.c
new file mode 100644
index 0000000..d9348e4
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/communication.c
@@ -0,0 +1,271 @@
+/*
+ * communication.c - FltMgr communication port management and event buffering
+ */
+
+#include "driver.h"
+
+/* Forward declarations for port callbacks */
+static NTSTATUS
+ConnectNotifyCallback(
+ _In_ PFLT_PORT ClientPort,
+ _In_opt_ PVOID ServerPortCookie,
+ _In_reads_bytes_opt_(SizeOfContext) PVOID ConnectionContext,
+ _In_ ULONG SizeOfContext,
+ _Outptr_result_maybenull_ PVOID *ConnectionCookie
+ );
+
+static VOID
+DisconnectNotifyCallback(
+ _In_opt_ PVOID ConnectionCookie
+ );
+
+static NTSTATUS
+MessageNotifyCallback(
+ _In_opt_ PVOID PortCookie,
+ _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_writes_bytes_to_opt_(OutputBufferLength, *ReturnOutputBufferLength) PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength,
+ _Out_ PULONG ReturnOutputBufferLength
+ );
+
+/* ===== SetupCommunicationPort ===== */
+
+NTSTATUS
+SetupCommunicationPort(VOID)
+{
+ NTSTATUS status;
+ UNICODE_STRING portName;
+ PSECURITY_DESCRIPTOR sd = NULL;
+ OBJECT_ATTRIBUTES oa;
+
+ RtlInitUnicodeString(&portName, FILERESTORE_PORT_NAME);
+
+ /* Build a security descriptor that only allows admin access */
+ status = FltBuildDefaultSecurityDescriptor(&sd, FLT_PORT_ALL_ACCESS);
+ if (!NT_SUCCESS(status)) {
+ return status;
+ }
+
+ InitializeObjectAttributes(
+ &oa,
+ &portName,
+ OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+ NULL,
+ sd
+ );
+
+ status = FltCreateCommunicationPort(
+ g_Context.FilterHandle,
+ &g_Context.ServerPort,
+ &oa,
+ NULL, /* ServerPortCookie */
+ ConnectNotifyCallback,
+ DisconnectNotifyCallback,
+ MessageNotifyCallback,
+ 1 /* MaxConnections: single client */
+ );
+
+ FltFreeSecurityDescriptor(sd);
+ return status;
+}
+
+/* ===== ConnectNotifyCallback ===== */
+
+static NTSTATUS
+ConnectNotifyCallback(
+ _In_ PFLT_PORT ClientPort,
+ _In_opt_ PVOID ServerPortCookie,
+ _In_reads_bytes_opt_(SizeOfContext) PVOID ConnectionContext,
+ _In_ ULONG SizeOfContext,
+ _Outptr_result_maybenull_ PVOID *ConnectionCookie
+ )
+{
+ UNREFERENCED_PARAMETER(ServerPortCookie);
+ UNREFERENCED_PARAMETER(ConnectionContext);
+ UNREFERENCED_PARAMETER(SizeOfContext);
+
+ g_Context.ClientPort = ClientPort;
+ *ConnectionCookie = NULL;
+ return STATUS_SUCCESS;
+}
+
+/* ===== DisconnectNotifyCallback ===== */
+
+static VOID
+DisconnectNotifyCallback(
+ _In_opt_ PVOID ConnectionCookie
+ )
+{
+ UNREFERENCED_PARAMETER(ConnectionCookie);
+
+ if (g_Context.ClientPort != NULL) {
+ FltCloseClientPort(g_Context.FilterHandle, &g_Context.ClientPort);
+ g_Context.ClientPort = NULL;
+ }
+
+ /* Stop monitoring when client disconnects */
+ InterlockedExchange(&g_Context.MonitorActive, 0);
+}
+
+/* ===== MessageNotifyCallback ===== */
+
+static NTSTATUS
+MessageNotifyCallback(
+ _In_opt_ PVOID PortCookie,
+ _In_reads_bytes_opt_(InputBufferLength) PVOID InputBuffer,
+ _In_ ULONG InputBufferLength,
+ _Out_writes_bytes_to_opt_(OutputBufferLength, *ReturnOutputBufferLength) PVOID OutputBuffer,
+ _In_ ULONG OutputBufferLength,
+ _Out_ PULONG ReturnOutputBufferLength
+ )
+{
+ PCOMMAND_MESSAGE cmdMsg;
+ KIRQL oldIrql;
+ LONG count;
+ LONG tail;
+ LONG i;
+
+ UNREFERENCED_PARAMETER(PortCookie);
+
+ *ReturnOutputBufferLength = 0;
+
+ if (InputBuffer == NULL || InputBufferLength < sizeof(COMMAND_MESSAGE)) {
+ return STATUS_INVALID_PARAMETER;
+ }
+
+ cmdMsg = (PCOMMAND_MESSAGE)InputBuffer;
+
+ switch (cmdMsg->Command) {
+
+ case CMD_START_MONITOR:
+ InterlockedExchange(&g_Context.MonitorActive, 1);
+ return STATUS_SUCCESS;
+
+ case CMD_STOP_MONITOR:
+ InterlockedExchange(&g_Context.MonitorActive, 0);
+ return STATUS_SUCCESS;
+
+ case CMD_GET_EVENTS:
+ {
+ PEVENTS_REPLY reply;
+ ULONG replySize;
+
+ if (OutputBuffer == NULL || OutputBufferLength < sizeof(EVENTS_REPLY)) {
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
+ reply = (PEVENTS_REPLY)OutputBuffer;
+
+ KeAcquireSpinLock(&g_Context.BufferLock, &oldIrql);
+
+ count = g_Context.EventCount;
+ if (count == 0) {
+ KeReleaseSpinLock(&g_Context.BufferLock, oldIrql);
+ reply->EventCount = 0;
+ *ReturnOutputBufferLength = FIELD_OFFSET(EVENTS_REPLY, Events);
+ return STATUS_SUCCESS;
+ }
+
+ /* Calculate how many events fit in the output buffer */
+ replySize = FIELD_OFFSET(EVENTS_REPLY, Events);
+ {
+ LONG maxEvents = (LONG)((OutputBufferLength - replySize) / sizeof(DELETE_NOTIFICATION)) + 1;
+ if (count > maxEvents) {
+ count = maxEvents;
+ }
+ }
+
+ /* Copy events from ring buffer */
+ tail = g_Context.EventTail;
+ for (i = 0; i < count; i++) {
+ RtlCopyMemory(
+ &reply->Events[i],
+ &g_Context.Events[tail],
+ sizeof(DELETE_NOTIFICATION)
+ );
+ tail = (tail + 1) % MAX_PENDING_EVENTS;
+ }
+
+ g_Context.EventTail = tail;
+ g_Context.EventCount -= count;
+
+ KeReleaseSpinLock(&g_Context.BufferLock, oldIrql);
+
+ reply->EventCount = (ULONG)count;
+ *ReturnOutputBufferLength = FIELD_OFFSET(EVENTS_REPLY, Events) +
+ (ULONG)count * sizeof(DELETE_NOTIFICATION);
+ return STATUS_SUCCESS;
+ }
+
+ case CMD_GET_STATS:
+ {
+ PSTATS_REPLY statsReply;
+
+ if (OutputBuffer == NULL || OutputBufferLength < sizeof(STATS_REPLY)) {
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
+ statsReply = (PSTATS_REPLY)OutputBuffer;
+ statsReply->TotalEvents = (ULONG)g_Context.TotalEvents;
+ statsReply->DroppedEvents = (ULONG)g_Context.DroppedEvents;
+ statsReply->MonitorActive = (ULONG)g_Context.MonitorActive;
+
+ KeAcquireSpinLock(&g_Context.BufferLock, &oldIrql);
+ statsReply->PendingEvents = (ULONG)g_Context.EventCount;
+ KeReleaseSpinLock(&g_Context.BufferLock, oldIrql);
+
+ *ReturnOutputBufferLength = sizeof(STATS_REPLY);
+ return STATUS_SUCCESS;
+ }
+
+ case CMD_GET_VERSION:
+ {
+ PVERSION_REPLY verReply;
+
+ if (OutputBuffer == NULL || OutputBufferLength < sizeof(VERSION_REPLY)) {
+ return STATUS_BUFFER_TOO_SMALL;
+ }
+
+ verReply = (PVERSION_REPLY)OutputBuffer;
+ RtlZeroMemory(verReply, sizeof(VERSION_REPLY));
+ RtlStringCbCopyA(verReply->Version, sizeof(verReply->Version), DRIVER_VERSION_STRING);
+
+ *ReturnOutputBufferLength = sizeof(VERSION_REPLY);
+ return STATUS_SUCCESS;
+ }
+
+ default:
+ return STATUS_INVALID_PARAMETER;
+ }
+}
+
+/* ===== BufferPushEvent ===== */
+
+VOID
+BufferPushEvent(
+ _In_ const DELETE_NOTIFICATION* Event
+ )
+{
+ KIRQL oldIrql;
+
+ KeAcquireSpinLock(&g_Context.BufferLock, &oldIrql);
+
+ if (g_Context.EventCount >= MAX_PENDING_EVENTS) {
+ /* Buffer full - drop the oldest event by advancing tail */
+ g_Context.EventTail = (g_Context.EventTail + 1) % MAX_PENDING_EVENTS;
+ g_Context.EventCount--;
+ InterlockedIncrement(&g_Context.DroppedEvents);
+ }
+
+ RtlCopyMemory(
+ &g_Context.Events[g_Context.EventHead],
+ Event,
+ sizeof(DELETE_NOTIFICATION)
+ );
+
+ g_Context.EventHead = (g_Context.EventHead + 1) % MAX_PENDING_EVENTS;
+ g_Context.EventCount++;
+
+ KeReleaseSpinLock(&g_Context.BufferLock, oldIrql);
+}
diff --git a/Filerestore_sys/Filerestore_sys/driver.c b/Filerestore_sys/Filerestore_sys/driver.c
new file mode 100644
index 0000000..f91b65a
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/driver.c
@@ -0,0 +1,118 @@
+/*
+ * driver.c - DriverEntry, filter registration, unload
+ */
+
+#include "driver.h"
+
+/* Global context - zero-initialized */
+GLOBAL_CONTEXT g_Context = { 0 };
+
+/* Forward declarations */
+DRIVER_INITIALIZE DriverEntry;
+
+static NTSTATUS
+FilterUnloadCallback(
+ _In_ FLT_FILTER_UNLOAD_FLAGS Flags
+ );
+
+/* ===== Filter registration ===== */
+
+static const FLT_OPERATION_REGISTRATION FilterCallbacks[] = {
+ {
+ IRP_MJ_SET_INFORMATION,
+ 0,
+ PreSetInformation, /* PreOperation */
+ NULL /* PostOperation - not needed */
+ },
+ { IRP_MJ_OPERATION_END }
+};
+
+static const FLT_REGISTRATION FilterRegistration = {
+ sizeof(FLT_REGISTRATION), /* Size */
+ FLT_REGISTRATION_VERSION, /* Version */
+ 0, /* Flags */
+ NULL, /* ContextRegistration */
+ FilterCallbacks, /* OperationRegistration */
+ FilterUnloadCallback, /* FilterUnloadCallback */
+ NULL, /* InstanceSetupCallback */
+ NULL, /* InstanceQueryTeardownCallback */
+ NULL, /* InstanceTeardownStartCallback */
+ NULL, /* InstanceTeardownCompleteCallback */
+ NULL, /* GenerateFileNameCallback */
+ NULL, /* NormalizeNameComponentCallback */
+ NULL /* NormalizeContextCleanupCallback */
+};
+
+/* ===== DriverEntry ===== */
+
+NTSTATUS
+DriverEntry(
+ _In_ PDRIVER_OBJECT DriverObject,
+ _In_ PUNICODE_STRING RegistryPath
+ )
+{
+ NTSTATUS status;
+
+ UNREFERENCED_PARAMETER(RegistryPath);
+
+ /* 1. Initialize the event ring buffer lock */
+ KeInitializeSpinLock(&g_Context.BufferLock);
+ g_Context.EventCount = 0;
+ g_Context.EventHead = 0;
+ g_Context.EventTail = 0;
+ g_Context.TotalEvents = 0;
+ g_Context.DroppedEvents = 0;
+ g_Context.MonitorActive = 0;
+
+ /* 2. Register the minifilter */
+ status = FltRegisterFilter(
+ DriverObject,
+ &FilterRegistration,
+ &g_Context.FilterHandle
+ );
+
+ if (!NT_SUCCESS(status)) {
+ return status;
+ }
+
+ /* 3. Create the communication port */
+ status = SetupCommunicationPort();
+ if (!NT_SUCCESS(status)) {
+ FltUnregisterFilter(g_Context.FilterHandle);
+ return status;
+ }
+
+ /* 4. Start filtering */
+ status = FltStartFiltering(g_Context.FilterHandle);
+ if (!NT_SUCCESS(status)) {
+ FltCloseCommunicationPort(g_Context.ServerPort);
+ FltUnregisterFilter(g_Context.FilterHandle);
+ return status;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+/* ===== FilterUnloadCallback ===== */
+
+static NTSTATUS
+FilterUnloadCallback(
+ _In_ FLT_FILTER_UNLOAD_FLAGS Flags
+ )
+{
+ UNREFERENCED_PARAMETER(Flags);
+
+ /* Close the server port first - prevents new connections */
+ if (g_Context.ServerPort != NULL) {
+ FltCloseCommunicationPort(g_Context.ServerPort);
+ g_Context.ServerPort = NULL;
+ }
+
+ /* Unregister the filter */
+ if (g_Context.FilterHandle != NULL) {
+ FltUnregisterFilter(g_Context.FilterHandle);
+ g_Context.FilterHandle = NULL;
+ }
+
+ return STATUS_SUCCESS;
+}
diff --git a/Filerestore_sys/Filerestore_sys/driver.h b/Filerestore_sys/Filerestore_sys/driver.h
new file mode 100644
index 0000000..c3f9f93
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/driver.h
@@ -0,0 +1,59 @@
+/*
+ * driver.h - Internal driver declarations
+ */
+
+#ifndef _FILERESTORE_DRIVER_H_
+#define _FILERESTORE_DRIVER_H_
+
+#include
+#include
+#include "common.h"
+
+/* Pool tag: 'MsFR' (stored little-endian as 'RFsM') */
+#define POOL_TAG 'RFsM'
+
+/* Maximum pending events in the kernel ring buffer */
+#define MAX_PENDING_EVENTS 256
+
+/* ===== Global context ===== */
+
+typedef struct _GLOBAL_CONTEXT {
+ PFLT_FILTER FilterHandle;
+ PFLT_PORT ServerPort; /* server-side communication port */
+ PFLT_PORT ClientPort; /* connected client port (single client) */
+
+ /* Kernel event ring buffer */
+ KSPIN_LOCK BufferLock;
+ LONG EventCount; /* number of events currently buffered */
+ LONG EventHead; /* next write position */
+ LONG EventTail; /* next read position */
+ DELETE_NOTIFICATION Events[MAX_PENDING_EVENTS];
+
+ /* Statistics */
+ volatile LONG TotalEvents;
+ volatile LONG DroppedEvents;
+ volatile LONG MonitorActive; /* 1 = monitoring active */
+} GLOBAL_CONTEXT, *PGLOBAL_CONTEXT;
+
+extern GLOBAL_CONTEXT g_Context;
+
+/* ===== Function prototypes ===== */
+
+/* communication.c */
+NTSTATUS
+SetupCommunicationPort(VOID);
+
+VOID
+BufferPushEvent(
+ _In_ const DELETE_NOTIFICATION* Event
+ );
+
+/* filter.c */
+FLT_PREOP_CALLBACK_STATUS
+PreSetInformation(
+ _Inout_ PFLT_CALLBACK_DATA Data,
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
+ );
+
+#endif /* _FILERESTORE_DRIVER_H_ */
diff --git a/Filerestore_sys/Filerestore_sys/filter.c b/Filerestore_sys/Filerestore_sys/filter.c
new file mode 100644
index 0000000..a4456e1
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/filter.c
@@ -0,0 +1,275 @@
+/*
+ * filter.c - PreSetInformation callback and file metadata capture
+ */
+
+#include "driver.h"
+
+/* Forward declarations */
+static VOID
+CaptureDeleteEvent(
+ _Inout_ PFLT_CALLBACK_DATA Data,
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _In_ FILE_INFORMATION_CLASS InfoClass
+ );
+
+static NTSTATUS
+QueryFileLCNs(
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _Inout_ PDELETE_NOTIFICATION Notification
+ );
+
+/* ===== PreSetInformation callback ===== */
+
+FLT_PREOP_CALLBACK_STATUS
+PreSetInformation(
+ _Inout_ PFLT_CALLBACK_DATA Data,
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _Flt_CompletionContext_Outptr_ PVOID *CompletionContext
+ )
+{
+ FILE_INFORMATION_CLASS infoClass;
+
+ *CompletionContext = NULL;
+
+ /* Check if monitoring is active */
+ if (!g_Context.MonitorActive) {
+ return FLT_PREOP_SUCCESS_NO_CALLBACK;
+ }
+
+ infoClass = Data->Iopb->Parameters.SetFileInformation.FileInformationClass;
+
+ switch (infoClass) {
+
+ case FileDispositionInformation:
+ {
+ PFILE_DISPOSITION_INFORMATION dispInfo;
+ dispInfo = (PFILE_DISPOSITION_INFORMATION)
+ Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
+ if (dispInfo == NULL || !dispInfo->DeleteFile) {
+ return FLT_PREOP_SUCCESS_NO_CALLBACK;
+ }
+ break;
+ }
+
+ case FileDispositionInformationEx:
+ {
+ PFILE_DISPOSITION_INFORMATION_EX dispInfoEx;
+ dispInfoEx = (PFILE_DISPOSITION_INFORMATION_EX)
+ Data->Iopb->Parameters.SetFileInformation.InfoBuffer;
+ if (dispInfoEx == NULL ||
+ !(dispInfoEx->Flags & FILE_DISPOSITION_DELETE)) {
+ return FLT_PREOP_SUCCESS_NO_CALLBACK;
+ }
+ break;
+ }
+
+ default:
+ /* Not a delete operation */
+ return FLT_PREOP_SUCCESS_NO_CALLBACK;
+ }
+
+ /* Capture metadata before the delete reaches NTFS */
+ CaptureDeleteEvent(Data, FltObjects, infoClass);
+
+ /* Never block the original operation */
+ return FLT_PREOP_SUCCESS_NO_CALLBACK;
+}
+
+/* ===== CaptureDeleteEvent ===== */
+
+static VOID
+CaptureDeleteEvent(
+ _Inout_ PFLT_CALLBACK_DATA Data,
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _In_ FILE_INFORMATION_CLASS InfoClass
+ )
+{
+ DELETE_NOTIFICATION notif;
+ PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
+ FILE_STANDARD_INFORMATION stdInfo;
+ FILE_BASIC_INFORMATION basicInfo;
+ NTSTATUS status;
+ USHORT copyLen;
+
+ UNREFERENCED_PARAMETER(InfoClass);
+
+ RtlZeroMemory(¬if, sizeof(notif));
+
+ __try {
+
+ /* 1. Get file name */
+ status = FltGetFileNameInformation(
+ Data,
+ FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT,
+ &nameInfo
+ );
+
+ if (NT_SUCCESS(status)) {
+ status = FltParseFileNameInformation(nameInfo);
+ if (NT_SUCCESS(status)) {
+ copyLen = nameInfo->Name.Length;
+ if (copyLen > (MAX_FILE_PATH_CHARS - 1) * sizeof(WCHAR)) {
+ copyLen = (MAX_FILE_PATH_CHARS - 1) * sizeof(WCHAR);
+ }
+ RtlCopyMemory(notif.FileName, nameInfo->Name.Buffer, copyLen);
+ notif.FileNameLength = copyLen;
+ notif.FileName[copyLen / sizeof(WCHAR)] = L'\0';
+ }
+ FltReleaseFileNameInformation(nameInfo);
+ nameInfo = NULL;
+ }
+
+ /* 2. Get file size */
+ status = FltQueryInformationFile(
+ FltObjects->Instance,
+ FltObjects->FileObject,
+ &stdInfo,
+ sizeof(stdInfo),
+ FileStandardInformation,
+ NULL
+ );
+
+ if (NT_SUCCESS(status)) {
+ notif.FileSize = stdInfo.EndOfFile;
+ notif.AllocationSize = stdInfo.AllocationSize;
+ }
+
+ /* 3. Get timestamps */
+ status = FltQueryInformationFile(
+ FltObjects->Instance,
+ FltObjects->FileObject,
+ &basicInfo,
+ sizeof(basicInfo),
+ FileBasicInformation,
+ NULL
+ );
+
+ if (NT_SUCCESS(status)) {
+ notif.CreationTime = basicInfo.CreationTime;
+ notif.LastWriteTime = basicInfo.LastWriteTime;
+ }
+
+ /* 4. Get LCN mapping (may fail for resident files - that's OK) */
+ QueryFileLCNs(FltObjects, ¬if);
+
+ /* 5. Fill remaining fields */
+ notif.ProcessId = FltGetRequestorProcessId(Data);
+ notif.DeleteType = DELETE_TYPE_PERMANENT;
+ KeQuerySystemTimePrecise(¬if.Timestamp);
+
+ /* 6. Push to ring buffer */
+ BufferPushEvent(¬if);
+ InterlockedIncrement(&g_Context.TotalEvents);
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER) {
+ /* Silent failure - never interfere with the original delete */
+ if (nameInfo != NULL) {
+ FltReleaseFileNameInformation(nameInfo);
+ }
+ }
+}
+
+/* ===== QueryFileLCNs ===== */
+
+static NTSTATUS
+QueryFileLCNs(
+ _In_ PCFLT_RELATED_OBJECTS FltObjects,
+ _Inout_ PDELETE_NOTIFICATION Notification
+ )
+{
+ NTSTATUS status;
+ STARTING_VCN_INPUT_BUFFER vcnInput;
+ PRETRIEVAL_POINTERS_BUFFER rpBuf = NULL;
+ ULONG rpBufSize = 4096;
+ ULONG returned;
+ ULONG i;
+ ULONG count;
+ LARGE_INTEGER prevVcn;
+
+ vcnInput.StartingVcn.QuadPart = 0;
+
+ /* Allocate initial buffer */
+ rpBuf = (PRETRIEVAL_POINTERS_BUFFER)ExAllocatePool2(
+ POOL_FLAG_NON_PAGED,
+ rpBufSize,
+ POOL_TAG
+ );
+
+ if (rpBuf == NULL) {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ /* Query retrieval pointers */
+ status = FltFsControlFile(
+ FltObjects->Instance,
+ FltObjects->FileObject,
+ FSCTL_GET_RETRIEVAL_POINTERS,
+ &vcnInput,
+ sizeof(vcnInput),
+ rpBuf,
+ rpBufSize,
+ &returned
+ );
+
+ if (status == STATUS_BUFFER_OVERFLOW) {
+ /* Retry with larger buffer */
+ ExFreePoolWithTag(rpBuf, POOL_TAG);
+ rpBufSize = 16384;
+ rpBuf = (PRETRIEVAL_POINTERS_BUFFER)ExAllocatePool2(
+ POOL_FLAG_NON_PAGED,
+ rpBufSize,
+ POOL_TAG
+ );
+ if (rpBuf == NULL) {
+ return STATUS_INSUFFICIENT_RESOURCES;
+ }
+
+ status = FltFsControlFile(
+ FltObjects->Instance,
+ FltObjects->FileObject,
+ FSCTL_GET_RETRIEVAL_POINTERS,
+ &vcnInput,
+ sizeof(vcnInput),
+ rpBuf,
+ rpBufSize,
+ &returned
+ );
+ }
+
+ if (!NT_SUCCESS(status)) {
+ /* Resident files or other failures - LCNCount stays 0 */
+ ExFreePoolWithTag(rpBuf, POOL_TAG);
+ return status;
+ }
+
+ /* Parse extents */
+ count = rpBuf->ExtentCount;
+ if (count > MAX_LCN_ENTRIES) {
+ count = MAX_LCN_ENTRIES;
+ }
+
+ prevVcn = rpBuf->StartingVcn;
+ for (i = 0; i < count; i++) {
+ LARGE_INTEGER nextVcn = rpBuf->Extents[i].NextVcn;
+ LARGE_INTEGER lcn = rpBuf->Extents[i].Lcn;
+
+ /* LCN == -1 means sparse/unallocated extent, skip */
+ if (lcn.QuadPart != -1) {
+ Notification->LCNEntries[Notification->LCNCount].StartLCN =
+ (ULONGLONG)lcn.QuadPart;
+ Notification->LCNEntries[Notification->LCNCount].ClusterCount =
+ (ULONG)(nextVcn.QuadPart - prevVcn.QuadPart);
+ Notification->LCNEntries[Notification->LCNCount].Reserved = 0;
+ Notification->LCNCount++;
+
+ if (Notification->LCNCount >= MAX_LCN_ENTRIES) {
+ break;
+ }
+ }
+
+ prevVcn = nextVcn;
+ }
+
+ ExFreePoolWithTag(rpBuf, POOL_TAG);
+ return STATUS_SUCCESS;
+}
diff --git a/Filerestore_sys/Filerestore_sys/packages.config b/Filerestore_sys/Filerestore_sys/packages.config
new file mode 100644
index 0000000..bb6933b
--- /dev/null
+++ b/Filerestore_sys/Filerestore_sys/packages.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/dev_notes/kernel_solution.docx b/dev_notes/kernel_solution.docx
new file mode 100644
index 0000000000000000000000000000000000000000..7956ea8f576cc233328d0d9719fde6568c58aea4
GIT binary patch
literal 41390
zcmeEsQ+s7myJegTDzsn|xvww+W^v28nD-#LBJ{q#>by)M?xnm2Pk
zYrI2KQ3f0W4Fn402M7oVF^F^*n3EkS2nZDv2nZ_34=^232YXjDdshQhFGn*MJqAxZ
zTcSb;FsghIuz&0S|MNfi1e#JNtp}Nq#Gk{yLgrgmr8}rfhQX7aV$Us)EV`6C*~Q0ez-HW?JsCS
z#89gf*z$P?i&Vo?%<8=9CPOd*$rId6Qd3!XyXTdOmR{E?38}4;6M@d#sOf8?xYmXr
zmLh80_;V*)mh8f`fKrm3DyoVY2VF&7?sgif%$!#4fzxOa8Oz7iUx@M|u}$|2rgkN0
zYXmO}&SD$bk>3hR@9v}EBrtCvmf5_>983Y%aeKeKC;_{8+7W&qamyX3VAW?)yE`8-
z{ECGcxF;rvac-0l3*^CX++7(a4lWEyJZ1f_fOPr~ql>}Q%0JXUFNpI6dQUlk)r`4_
zl~v_J_~S?KynDouu&xqj&t=Cw_+Lj)=ARR!Qq&V6F1b>s%ObmO*T=oCr14MX=MB4%c#D*3M1o_{gcsMwl
zGMYM=xY_-qvj1?{g`b}a>fes*@76Q_2nLU7hT|Ef4vpT%gxs^0?!P)=VCFM5-NzWI
zK@!d!WZ7gVp7J@=iv8tX+$8x#(RH!$!ji2db=$)^OF18h8f{gb$%#V2v_V62mz62~
zR}W`b+xH#0kJT2R=e?h+D>B)vB=d$`u6sY+viU@?3T7NNm|UNRfDY@ACIiSMIB=mI
zVBNckPJ3gJq}~VH@?Y2Ak9EhmodY@GeiBp?`3xfSBln*
z8Va^%{ODfXwZC)wu5w={ybC>^$yApY8Qjm-r+0S!Nkiq`BS`&%u-+UFY())-?w*6b
zOv?Aagy>#G>p8JH1K-HnZ8?JsPp;AVkUMBrLQLbA^k}=Nbmc
z^FFAp;qv@VzC75_2gyD^pZ>b?6%3=cE>Zn;mSof^nmsx@S6jE@ch~Jx41l*@(>ti`
z^9mjCG0!VTbh>$pqYb7&)P+@fHRT2ApORkXM!hv5-oScQ|E?_4@|3M7k3quwZDhm2;Ff{g*eqVN5T{7H7fD>;Yi!00-}G*tF2TL*VALjaoGTPNfqd3>Ti1@%JNjto{%)QD(#9T5!BG
zz-1A%UhOIEf}7GEamd|BWY@MBA-83S4+
zO3uZ5fB#LbGp}J~JdVDN+ZKU8FkxislyZf={{2y{@G`pueh{eCb+gO)~u7&B>30O*`&NE!j
zNkq2M+}}bs{m5ddW0KY-@!tm{@GL41($yC^Tw2
zTgUJ+bpYL6DL4Vplq?&jTX-_|Q$_w++B&)d;?I?!&~e=y7Fz?mt!6h$;+zxd47iWG
zE2kBqaPIvzF|5?%6R|{&+Wah5x0FZXKO-w8yd=^CGBSyjbpUnzzp=NCo*qi#9yTG{
ze(#kZc{n<5VgQF2TSgKRGT@TqJ9_Q)aoLX3?c_SRtPupnJJ2aGs&CUPJSH9Q??xYa
zHR1D5lEer}poqvJ$Ff~`70%UM-n!ed>Uv5=x>W7(!!(h-;D->d!9#etrPRoTR>*5&
z1eq1FgHlyD?>C}sFPBRW-srko!h``5>Om6Y1H`{s;S()$4!h(5ri_WH4dzGHG1s`v
zR8sTNBvLr1Zn{4Pl(c4E!e5x~Sb@62qWK!_M({x+%%SHN+-3Kh+BR35HVi?a6pHBK
zrYRk+=Fx)8GUt4Ao=fKk9&)N@r=nbUIFfW&;>*~XcU>C6iNfIDJ_+{`_z2%+5iL76
z8Q1~l^1YS-JH4PP1?5Q_ORR8E0?F}Wiogz6kt)#KB3|X9^qmb{XkHDQHt6a{16zRj
zEiL?xrW7(D?$I}v7%m$(P{bPp-zo4{dtNS~Y;Em;M}o>EDbp98q^g%%sU-m(L5YkE
z7*6SY?z8v?s2xp1rZk-~Qc@aMvD2%lDZiCc8hi9p*ZqOE0v8KB>a}3)==34X{Z%0@
zIhlVU;0}vO3alqXO0V+-BFl*cosUuGcdh3ZK+FUfG=rrSIQF_}a%b5)zuwsk6m)i6
z7YX{ZRNyKNGX}zGwr)t``gGH;G|;{}O?1l*4O!po!=3JZdeA_*CWVyU1aoXKi#P%3SwW{917
zC#*Yns2E*^h;VrcPrVzYI90cXzT;93nBY_N+b`hZVZ*p!Eo=}n2zYRq`fjW+Gm)?m
zB8?w-!PC{T1K5*KRXqQ!7*hA9mvM-}I12cRgk+lflCl`Nnsi6118-;6;h=a0
zl37JoZNEADoNEgvS-@rNesxBfnQkn!wm8P(mcUjQgUl9x`kOCvm1MtWs|c`riXKF-
zJ78@TcvjxTQ+}rzISp+wh@wgkZf+`(O8AOC;1o1A5a1y|!y;M98+Om^e&0jGGhu}*
zYw1-_M&0cx$Ts5CMHN2Ziw9`Q&2~xE_BNrg60Ypi7)?*3@X39~09eHA(+GXk^ORkM
zi`Zu+Y2uOHM|6$nI&fN1NzAW~l{0nA{r9BynqtARrpK~~09(-T6cW=q4!V6i2lqLF
zN^}&)cp$L@o)*J%1d(wDt&7ly77D#UW0y}md$hYr*&t6y`xYnnl_o)Y{aCX?6gK+Ox1%|Xi=IOurx97
zMU|@_H&<1$nnpzQ3Xb^fAhKCmF&sYm?AL`cH`?y9&xYavothi5?qWc
zb$9NIm*Btd9uD}vgVoo0>p9D5(j83fNjw$v``QX#7lNIg~MmbP3j
zv3XrlHONeRm(7?^Rp(az(^V)-JJvqwku89mjB&piO;{sPbhwG05D_?WlS1by(8xuY
z#d7F0dOR&q>-I;E`=G#7ZwIZvZa2uc>4`4^hSHD=n8rp30Tn&aoUS3*t)FE_8RHfX
z!|jlMk?05iI=lh4joEm!hoakSwuLvFL*oyFP|H^_Ui_RMdJ%R$e{g1LZG$kf?QhcU
z6__~faucH$1WHRS-9*CTrgfE1QGaEG6EMtT3)#IZG&7z}BAs+h*=%FFkM*#IGv|9W
ze`%3si8%Q@K5N>3K&&NPM)p_ZfI9H-BfS8dpsXH83RL3B_qHCMjn~YxOq8cRZi~T)
zaj(nVUwSChjZH=nSB@UBUDCNMyHZa_W2#wlo$`jL
z)KtpQ>l!m+EaatC&eIHn;);xO#9jD;%sn$iVfsDh#|c>MCW+?y$4kscZh_P}$VnEF7vc1$7@Od=1x7@C
zG!gAbLFEU{9m{y-R^3O(M^Ap*bOUfYQF
z8=)GbQvvW=GAsWE@+R0cLr_CH&D?M4%D~4iAJB;O>h`~}9v5k4ZY{S?p(UJDp5vZYY2?fD<-u9@<6X2*n`e!?hhsb=`)^qm
zy6cDmk__0aUCnq>e!-F>`|AZw#k}179+Dm>3|0mTUG~_om?r0u6AMvZE-Ga*h0{mu
zpA5u5NN9hHKxA{TZWU+GE19$W?4V48>g&u{LJF)xI4OXRw^`i_35ZV5HX4jc4z4xTmP
z3qFO(x2{K_vNLZ)CRsDB5ynH=NiQ#ek1R&vNE4J
zEeTyk8s$}RG^X|KK+JEw)f~+Lx#tn@k2IZ42tsPGGgkuhJq37D?C8B0scS^-tZl69
zZLA%v1s3OBB^)S%BV&hP@VcnvRNR*C-FWZT=Qs2HqGzA44OUHG*W9NZ?VA}5#-B`W
z>#8N>7qkyo{G%
zCmJTAwz6eXx*zgr92Q_Y{O+iIy+;kLrlw|J*2R7RL9&)BH-&rcU4_H*qi7sYBTq_&
zyoscy9u_CxC&&A#1C-Kbt;2=8z4@Q$H%UxB5c~O~`sbh#aoK~`q$B^=#0dAu+exT8Nh=dX5qx=k3YtakkUSF4;?Lb&Jd?>I$9
zOdzB-(F0Nf%5)6i#VtqGCFf!?$!j2#qt#`M%=N}v!l@~54|0_uYUb1PQ|k{?xU64U
zebPf4d7*vNp^pz1HqDMvl2JNpIy{!SC|XPJwQmu&rwP@ach>!QzR`b*8auVXyW9yG
z64*3lLY5yO5bP}-rIV%optz+KwRhNa()sct4dv)FZ#|B7=9pLV6cD$Bw|JqXyp$-#
zCHTblZKcrx2;9?Km|KI*o!B$+=6G_^!6aV(Bh_M%v@W|f?T*~3tFq)6F*)1z8Ib*e
z_$BV^>rt=OCzip#y|LiG3t9ST^^XNOPpDdrCZHiL!<2n@{u)fVfJPQQg%b1N!%4;>
z9I7rl?Mn{U`u7MjX=y8o&%E2z;4!t1O558Za(&RWzu~>A--zEjA9doI^Q%OI!5)7`
z6Y(mtOGYGJN9>+7=^>o&CU)O*>ko>l8CvPBd@4n9I;3zufC%7-?t9;F?ff1U0kL2$=%Al0@Ug&)S9^m
zewq%7rOtzvFTP2u39+B^^aIx&U!0aUeAV-@)RX<1-Bg!+DV6il)Nj%WqrYYtM@`eQ
zXyQy-jP@#Eo2K54z8aBc?{G@tq?Kr($pYYyXPeIL#N^a_T5!CLn#+}2xnCY@%-Cct
z6fM}3)INEjgO`}VQRu{zg9)EZ_;h(acP`dIxw2AR71OD)$W?hstMCTB1gwVex{XFG
zl4(lfHhwv#W)$MK6d)*NzGzfk@uPmyxs!UGa%$wOb4{fFQN5Nd>
z8=~J8Pis8a43TtD&eT-0t_{aoMi)~>3pmmu6mb``#}}H-nxv$vrYjLbz;YuOAd8N_`CGEWB#`O&
zet*T2rH{3G1a>1mP`^RJZvw;uk%xQ&GsM#a6Tpj-K6~MKX=i=DHTu|Q1Gm8Hu;5WD
zP-`&VNv42QFRFo3WeI!J^?gCClrOF}4|*6gY+)Z<$L?REh(=MmJ9d6><|%^n^k0*{26n`#-(0LenGNG64xNg9w
zYI)C)U=lOmwTI@MP5%5+I=}JQM_=xV(6k5VWG*fhwTqSZ>S``fGC6#Wx|xV!O~mt6R(de6{x9Kzr9QuNZyKa^vB18
zJk0B{otqiBu_`ifAQIW#2}8Tk!7w49>6=8K4)p&=2%4^Dy7qJz^;3Ci#lu
z^7k^u0r~d>(`eI{G7s~WO==hT6V0GPY`MzGAdP=XoR`)TdG1|=Ss^ZP6mWNQKCmKhq-^Wi49b7tqCm#H4{gCUBOaV0l=;_+qV`alFF!+2zL@j~|5h+j-a
zGf8v+yh|@O7GjLi15FQx!CjB>xL-FT63&;v&Q543bsi
zeHTZ&r4p9-iIv2)1+3XlG)TqlI_b!EPOLaL?sqD8qs_~mqA8jMw;W_rB-VIw(f^8_
z!u!GSWF`VDXS4sM6;tes_<)9B0@T6CsF%&?N?uSGg*3!w-Y50^B@Yy~+EkFSAWB@N
z(a4AI_2q_6;PY5XBESE4z2c7dc}rTr;ZH~qNnC&xnPzrt8D4V8qo=AP;tEWLYJ0=e
zBd8`in6+FRuEL7~*dYws^cpH+Fcre0&EIpO3n}5dtY8a0pCLy0G+e3uG{HQ%+{C!e
z-sI&)x>z#`k^!_AG6h1paW_$a4aL&c$L@X7g>Rb;bpYDi_WJ6ZCeC7aUN!C0#$nc1
z$W-x6LBv^;u3jGvxJ`8tH=M!-yY(avG^;6*NIdbv`XbpX#`cJne`MF52R{2hCiv1i
zY_?}#gJ-nv9S!)t^&cL*O(vXsFpa^J2^(1*$MOHn;!YkZ{18;#3v(JthfECRw3*SIw
z-v_jw?0Wz8&?*HSm|}0`C~>Z~FDHI`jb*=dp<`y$G0&jIwzq0M6%i!WaAm8Bds>J~
zH}loAe&0t=uydAzcLUmPgW95!%4ZMN*`Lb)!mKKCmY9BJB_
zkJMA(PrFKMp@R)`kSlFG%ORRHQdLL>>^tIk+`Hqe
zpY^%B|E>yKtrKR*U$Z#q(d6s><&VdN^XI9TpInh6yqp(cQiDzzn)M^BE`C>GPqBH8
z@)LS^Il4ZUn}ly|0$JWXp-_@1>0_u3w3G(^aFnC0UIt#`sjM)YUhPKTctdLvnHXN7
z=fqj`VDM);`&I2|MJM-Ag*p8@QKWVwf9r*P*TtIjPTq+(Y&_;k!wQFIT_rpS8BA-F
z36EA_$5LL)&{nAV!GVeM;;s>-5GSM{k$aY^(kp72H8PF5B1LDxG?vDCJb%bvOcd~)
z@18A80*DfK%20X>6wC#$b-mMyekv=3|BJYH$#7g^2io5OeZU2#V`vo}&Ycew-&?ZR
zFMo-?m9m@nvd>=zRp6KcFOgu%ed9m+yDAhSZ-t
z&yN1}LfLkQwfv!i32XZYk1=CIMj*pV(Sdv=9e8eOp2k}9=$pKc;|l)&3WvnXzywYt
zb|4EtFhg9LB=u!@8Ff;jx)~XZkQtNWSy2ffk!T%=x{|mbLPp-WY~hbSvc1;pD&1@1
zO^8#(k}rVDA;ZTk1GWVHc;-Ue?w$peKC}Ax88jBt;hzEJ65ID9d&bM3UK{ub5T82x
z;)EC7f|-$fGU@P`!BSh|gt72Nt>(SDuGt%Zd|zJU7o%EEdQ)C3{9{lc^hj_c<=%B^b^hsvI67yflU|i34XtJJ&+|BvQCc
zvMIF({elud(=r`3fUNFqHpja;g9)bt8-3)@vr@tl0I4Ub>~8J`3(t9mKO)hw6sOi-5A%1JWVL0lUBbfvi_h(I;$ME
zoWEsz5)R0MtQ3M>%9a=u
zg;{uMJ<3V+$>-lmayz=BZ*^**D0Ic0ft1X3D5vvUsG`rpKGh6`DxKn&BE
zOAYy9Im?{JO4B~J=NQ9eT@Bm51E|I;J42p-c}DL+4!^^Zx(6qJuK$ECgTB^$CcqSG
ze+PqS3!0I_IsELt@CZ`T&`15rr8M`M{4>}Ve*@2*JG0(nREEB;Kk76%3h|xE*Y$4}
zo|6lLb7EQ$?JzZ3Vv}goF9PZqzB$X;_t{MJz<<{%u%yk<8w6U#`2d;%vT-Uq~w>l+?9id0b4HphH&Ze+|G>APmV
zOIW-E`S}Kj2&WrTc0zu#+p5o^t$MMUZ*`wcbosHhGuvN(yM4oUvFzC&y*hnb&$tjL
z(K61RK70^myxmR(HgqZl(NWb`t0#Jugk
z8G2jKaocw5H!fe5=%zf0fqB+O8)&-2a_A
zl~mYVJQ8GSH}kv`j?S83^2bu}QWoHfOLrZA7k9(w1?s^Z*k30CK{%xr7})vw%+s-5
zQ0eM=WxCscAp@b)T`U$|92(0eZtB_8K~mutWQ_2t}JrrX~8e&gHqn}9lv&~?A-ZuLb-kTzdez*DmU?tHOO%C
zq!QjfZ5z3z7FWEb6r(7}o>kJFq#VOsBrdxVR##o`9wE(aVX{$EN7ugfotb7sv7xma
z#Ti&NNnW}udU_3bzp-X(%ImEOsl&wo%LW-fk`}IP9ux@*LA{Y2VZrSM#i2{8ihqc
zx*XMTzpy=;j`_MZFtciyFbGO2+tdh%2iwF8hNH52>Pk+4Q2pE4oi4W^6Kb8*EF#ZI
zfdho8_Y*-Z>CoPCBQclJ`{ETBD!5RZsaSmVtl~c(0981nV(iB-C;&*(vEfvSQuFD4
zW01Vwe=C2z!p9M8pIn=M?f=)1=XOfoJ^9DP9zz~w1UQQ%7D#*;y?@`f{39$
zZ7zZ0Vsq&6oJ%AiXyiay)kms=MeyREA%2x&!$xXM=I03Zy7Ex(-`j!KlrIqWQ|G7q
z8iH4p5>DqA#E)#fM4tpz-y@r)ggbVC2SqJ9s^L5u&~Yhn#FmFaFSr9MgN>jv7XlVD
z&@>@RP@0jqEnh-2o~xl^r{0TWh(@*Oy&RS6g@Wjrrq5g{%CqBh`m?$Jx$29l29E=p
zuCdxwBUmp~*b8#8Dv>E_g^~IREyAY3Ut4-A4_K!Rfo(!R6-%5xmJJpVE$B%*)c-~=
zhQ4btVlhB9xkI-3{m*HmRL$DPgU3|
z0lC%hqMWym5^!#UT-+oY|Kw|H-*S3D
zb?kT}Hu||t%BLor{$!$)bIHx@F3%4gwm^y$G^a^MlOI#6O`UPL8*-gZ|aX|whb#v{awv#OzHbY
z2>RK=py-1LaUODdMf*mevf!9QMim&h99YwnS@2V$Z#^u_Np|gcF{Aq8Rjbh&sx}&6
zlThXbF;6XXsFai(E*p>}fck7Y{&5SZ=~4CB<%58W=WnE$v_dtT
zuyOZ7?%*Wni%?tB!MgBIte-8B+;;Qsz4buFn$EVi;>bg-o!&i(R1h$x4)SEngC$|`
z_12prE;so58DmzowOhptQdsx1T63MTSU#4Se^7xP)(g_J(kOs$A5f#$_r7|=#K(51
z-EG+pMB&~J1Yy<35>@=}ja6|6n+;pd?lESx@Q6XR*JEBG@Pjq%Oa*6A
zSctBT>XD-3)^)*kKlPV&sXpbIJ{8Ewc^k^WvYCs;=3QVHSD`WxKX~Hj*s^FYACEqP
zAXCHiWna+)kwJDiwI!QtWxTF_5lzXMqH@AICVt*8zUrbcJ*S|~>I12JL4OC(3?e^{
z(={EQK|T+_)(yfNoUl-zW+{O6KlQFNcpM3(UBj&KhyGXU+LB=23y0xgA)RhMvoAai
zTb(~qjR>1~6;Fq;qq};?%-{{R=u^a=5BIfNL^L{vFI`2^Yy)}XKVgg~^rwK___})q
z?F_+Wvzi7u!ndWOpSBfB)Z#Gc%AQnti*{wAYE@MK=?OHZx5!QLVU=XY-Gsln?O5FUKLU&$jVB6Qppo1AbIkhcw1_E
zy;Baay$#We
zxHUXf3p2Oc`Na<}!|@LN+C1u>%_3Q6YEx~2U=%nRSq*`9ecTv;vw>0xCC!Eb~z`
z=z>2`f!_~|(*9zV!e3!Hgu8U!jldD@(8Q7U{z=+3yfq_B<07uk&jFJehoUf;ftiHd
zi%^NMhT2Ru3-zo~!1mw3r5U~9JN9B2sGJi*iR5#V*3%B=wcl~i$k~i9`Sq%pWgjVL
zf1WG2PNw}oLRCR3n956lKffU8#5t`5@A`r@a<4_iKJ#y6+
zdAdZ>GC6QO>(b2o8WeV>P@Z!1gz3SNt<{yO)#WU!GfYJNK{9<_eQY6XOMJ@G5oJlo
zGKWpd^W|Bol_u{-HEprh{Jk#!!3m|>L=#EE=(EE%5k+(25j(NB0+F$64#(R75YCxMo6xn)Gv6xk(N{iwb1mzu((T~GBa
z{>9)?*h3$vnsqBl-`8uoZDnDt;K8fWzVyRY&rzA-Ty)Ls-`%36dn4+IGdp^@@4RjY
z2j?QL=Pw!_ZZ&Rq<7L0=%xp00(#}z;WocX~4$4;LsLh6X;WQ3y`t)o?vn@jg7(-><
zf#Loj@Su%)sXMTK3g3*Cg|&cJ+Ah|Gi7j>%dn*rb$;GouBp>G7EB{>otJ!PnWms~j
z4XUMxZi29W&0}~qwfD%l16=Xab_NudfFYC804z3~KjLA?b^9;MlsP*d?M)sL
zNPc)Qu%yncz2LKk*MmzPq0$Unmz=37sJcd;
zkb?OFy%K!ZB09hAJSjj$uX$Zt88@2UaKOd$Nm&eVQ0maNX7W@Ivt~-j=c2i#59B6`
zSnqe}q`DmT@-thU#YB0GR@{&tYa-!lvZ;>5r7E>cv}Yv!LqYASBFb=afn3@Z9%YqA
z*a~!1DT+a{4m^uPJk@GIA-wGnfwAZsX3-q0E{U|UzU-}yxoBi&1*D+MNM!7QJDU)i
zc;ipmy`b-?EAe)on=+CSD)m+c|MHufyjY~xfZw?AFFFy;zlZdNbg@l)U@iM
z!z5^Lk?tPwT;L#mIBE;ne$!{A((9m7<$
z>lFAByY*~%FjP8cR|ILetNG!+0MheG<
z&qt@Hq98x3@jY3n#-~c&;u}Vuu8w52@){(%3&kg@cFe*lOUnD@xLpuHtM1nG83Srt}&f|L>spt{Wf+#Bdg;s0Y=Zlefld;3Rh+aty)kp?Jm*BAbS=
zRJkK=o7pYw9C8YF{qtlV4`=wz9YLk*U#MQAA$TVEto41NvLg6(HsT=I*$_ocPFqLwK?~gr)x?J(kQdsbr2T+yL+5)~wKgr)%2=kMuJSmMt@8HB399OP+
zfRZ>kGB-aumV^;bZKwmK9{NG^j9dscnmtlhKXsW66ltX$FdHsUYsQ~%V?cyyzMIdFw&11}02T!X7Hb;D6;&P#>RuM(Zs3Y!){_T5qSDrXg
za>GITmG90?7!DnYBd5*h{Z2olx>94lcI(%7DBJDbo8i18=VuDvVwi-1Asg3Ur%qE^2~w(bSiv0PV^%m7JDE6NUIaF`wP{rV
zLMW0ec55Mm9WnQlb2(~_d1p`BLjeT`quE8ax2OL?Nv(*Bs%<}57}Ly@W=1FEIY8I;
zwsR|@_p1BG`+9?NrRT-vI@6`Q_e{3AQ1exG6?E)Z&-(=Ke|7S%S>q;PQEP0Q>NAdO6js=1QhcOqv_d=d@|_DBA~9
zjZ%Uu0~r|rV)CS;niE^Y(@#gV8ed+e?hxo)?|jSmv#I#DiPlv7f!0~$w7jMG`>k=M
z*01w6ErmEBnR(Yl9Zza^fU
z3@%AJ4~SX7Z{IGA+Qu(R;#AxA+|wp8<)+2d}CYD*Jv%!QVzJr
zX~*jrt~l=QTD)!HKUoN#Asd~Miy2XD9Y~@w(Y<@@{NW+_wKDv))}hTEA@zzG@Vho9Q%GjN`^(Ln<2d|lgFX;Qp
z7v(AKY63;Vst74b!P83IXr}SA5EFb#2?W!2@Oay6nL)>$O&vY8qKecY>P+|1uiGmF
zDsk!=ReU?CsnzsVhsv)J&7RIqS4gJq*9SyGrtjYfh{&B<_J3#Xx?L-t4}Ekr3{Ls)
zTesj0EH|iz=SU%@=283SBJ>mezHOq7jQgCx)03ujcspzN8o;C0riIyeJPC|Ys1M&V
z8Jm`3J>Cay!|+{X%rhV%z=eRvn!qCh`JgJVC2Q{Myz1LL
z_AYdKt0OL?f<%JMeC^zNVke@l^BA2%|9WgrJz?Zwa=Lw74Ne15`~gE$qe!~wELwPV
zr0D4b++6jvY{a!Eo92Aqb!OR<99YSUhf+C2lE{Y6nWyFJ)4jbwY~YkL3|TJTBI6`a
zOq$CIu1Wg-Tys)ms1&&bt)qgYd5-Cy-P4kL6|&Jrg$~+pSKo;lsq!pToNLECLOx?M
zpRO-`(PyiL@gODk&wo>5~thfJ#Nl@OpoON2CpFxQ~e31#QtyGxBh;E}_pm+}jY31!sA(Ge_
zCJ0oEK#m^Mb5&B$?T^jBq>yr;fh=K1!xojQuOFe-zKyTY*7CaRckZcVpTs~hfElUI
zL?Eb$%A%rYJg(B-rJylI${9{upLZo_A0!viKeCb7FFE9MzF-z!;C6QIWi*}ls`-vm
zb=P0))5vvDNHRS$r-LWSIq``J>L`k)KXAU_sR&iY?lmdLqX6dxBNzj8X|i#70Rp+AA>r<_0gx)wm9ol
zB1VYrixfFAYMu+}1aBNb7HDM4sTySe0Um}&`@3B`ihHjf1j#HcTbJzUK@d1GglD4Y
zIT0_s8=mr(K)}ih`j@V+>~CAXJ|slR>To>!*6PELyht#SHgp$i*Q5#ExjJes0uI9Q0h$GX?XG+YKm7J0ch@PR>D6P
zd2aRH9TOWan8)4t`B3wSsxO3~Gt-2hhQJWraWsvq9TC8?$h^4Ss>YiC!QbtT8vvfqW)J@Pe?c;MR!vu#36?>|LIbSSQC$AKpqpovEQ+RMDix
ziF~)?cPveNlaU!#;u;<7^gedhFnfF44^@5+upAZjH5a+NuVH2fPWPzzS4a-3-=XTD
zAbMwE#{b@`89n=kA?4)CEsD>Wb02nZb*gO8P8bX@Z#x7q+`yvqZ->8+?epbaeZAn5
z%IjhPXj!6J73_$e9Mc1*DCe8Jjrg`>E}pqzb(H&jgSw^~x%4OEGO<6Ocvl#|l|yRL
zM4(ZD()*5Jlsvhn@MgKSKx!XrCY6pBZ3hm*$~u8U?hZ((44z1f9+}r|+?u7MBkhcL
z_ePt63!bG50z}@L`u2zV<&`H>>D-=uz`hhdKR9BAYucdPDl;Y30(mB*LxTQw3z`3Y
z(HAYF{`;MXX~au9Krk@4i88
zJ`wo);`(jSHGmJn3UYG2KtDFFX_4L$FlCxRfccdPqGH&3mPSfyS%k49KO{dxbx_QT
za+_jhUuqEgHLZSUEg5qd?~woUoBCd~Iu{t2S)6cfl_g9>iVvK)k4(dhrWi&hdh@G?
zPliuI=!ZgeuB$*}8AkbG|3$*3q2gVHvbdMz+xag&>T{m;n7k;~VS3KtdMlm!*qedUA2w6b#SAk*1n3ICYpA$zA
zalI_*DDr@|_sUmG8=ydEDB!_Q>)mwSmA@vXR%Xm{
zj<1F&Ih)J>=$A4(B^L})*tIrrZv9GICMXatYqM#bt48J847#yrFH^vM2rI4e)i$<&
zaMM19;I~zlAy|PZ9*pOa4XdlRlu3p=qfkZYJ6^8|Liu3G6#U4q0+HL3d0jre%PNDd
zt~d4Xm4Fk$=dvxA-rn1z_rYa~pM~II<@NdLJo2tJDQZ?F6kQ_y&qKFaJ&Q-uhoZT!
zPcZbr>}t72PREw?j5z%
z4R>c+imr_@N-Uhw(=kgX1L;E~+WKGW@@aQ0&-mbC7?-T)(@bgc`wKH31&^L0MubX*
z8{&K>SZ(2<#!)p`g1oT$3ZVEi_JXii>g_%{@7(#0nHxK%)n!xm9p;dQOmos9w
znPEY0AX^|QnmxW0x}Wp5yk9ekJy)5s8y}yJyIlf$pO!j5%NXqZoW+mneISg}b(Dr|
zPtb9dMo?$GuKT8Yj%{vK#v7#V(rAo0E!hU~
zL94k=8}6T39p`&2=9^+cWx4K-U=(m+#ePiqw<~pV5ZJhC5YA*`-J8uI&b!PohcLtg
z?7%bko3*!p#DyY|a+BlYo?pgE(3Q!K?DUoiyMrLZv{{H#G2@$RL?JTFlkyEH!x)EY
z64tCDVjVdJd|x~!FxqUOpw$)z>aa$0=_9%gypd{?#s{J*v^7A1P8DBJMbwPF$o*;&
z0&~s-*z|oOr0h{Ep+#~$#H
ziS}*ETDu}U^*)Bhif!y0%ntBEqga#?lmVM`#^OGcam^Pl;o5=h?aXl7c(GH81IazC
zlFP`^q1n(;=(ibdl*a+HPydU&Z~Bs~-auOSx~wkSwr$(CZQHi%*8cW6
z=bka{{ts?GtbEAzkU2)i{LP4%YX+Sc!r$%A5k`#r}{gu)m=O0CHS0
zuh_+Pi31r0s8^G&P_p&%8Lqb!rk3{2)c$w+snrz;RIdWBwptQaeyB@CtRbh~avxb-
z50CZRf9TxVi1*fcti&=VB7=JY^O2A(@w5vR;*J}HzLVBOJFcZn#!_STnd&ADNs}5D
z=9E$brJtu5S}@hfs#peIOeUPP>Y1(7SeD&_i776$eJq72H=7ty&!2a
ztWZ7~>UvzhNoK?1E?eq;ysah5Iu($?YEh)3J`Gi!&&-5DsuAUN;fY_^mT)iT>r?;L
zEASuoWn4M79(xPD#AE7F*~fenYf95-+{uQJ`vpdmC^CrbOala?t`{iYrdvconc+7kN?~0@M&Y8fDJ@6Wik(`oY|U8!C9i9Ws)@cf*jfzqyh!VD1ssD(AL
z&EU!QwaqSHkADiX!*w6%K8!cMjqriahK}%
zFheJlQa;rl%wP>)zBw+GzBbd@syb%fzvIupUv`cb(W^Ya46esz-KslQ+)oXz`*kg&
zX>z;}%|#xZ^$$u>a(J&7`7Ek*+hHn7;GJ@LWx`bxknDKclUad2M}*d3S^A^b25L^J@KF<$A74*CzE
zepZVPix834^!SV-7k(b%3klwKV=Ix
zVDg6V?EC5Yb2)1snaKwfs!cD8Gl66PL^FP>K(ckK-TNw&Ynki$w2`{nQndmR&NHeM
z73{DJV%F0xCis$l@q{i@CM_*AY=B>WerplNg+WoV&ns&V<0Jjm4yXOLX^79$2Ql_n
z6PVxGmwc$#V=(m?KR|B90KAC6p>zKOw)+4Ve0$#5xQ;w(xdzMGM*M=lirJJoD8D^b
z?ixGtZ@8({$5SJJhR7JdbWS|Dj;h2OCWL~@MY#qxO>JQRHe`4pG+7j=QOSaS$$164
zpy&_1`mQFVPf+mjVK;|nKq5S$+LSTBf^e%+Ya@$_z)bqQp3|A@fJafVXEt(1+kfa1
z>zySuCi`iT3TsrLcJ1nEK;>1$GE2WIamW1$lpFd4fs0G)vrKF&F|yvGy%t8
zgpn1TQ@V-Vn?PapV*7&jwDQWeX@h5bb0^Pcc-}7y47(7?PbHJ`;p-GJxLSWk-EZDL
z%GtlMUH+b+j5baeZDGT319sx-eICL6j9Dxtz^FY@s9>d+7)BxP8EdJtzhB3?_Uw5)QUV#S{u9DpHCmfFIP1F1h5F7z?pQ<=oln9glV*(4IjlP-Ss1=nbK%3U?%Opu%lR
zC^$pMm&E?@s7s1D5A+VjDFyZ1$&lHG7^penZ}vL$+0U?
zL%*;RG>c&+t234HzfN=13n~(?2Fi)ltwNv4ylr257Q)B
zM1JeajsD^Jp8g6vZr*Zx`zbeW$8_55cfB$j87Ig6coza54c|l8?#WJAwV24h2ULly
z{Q>9&TFc-YVXpi}V@c(&d$nugi14D?9P+rU>|nwl`Q?=!mY(-MoW+l|Zp5)ZzSQ2Wu4X9A9Bnf4
zFqGC|=8zgKN|nlK+ye!#(7Rhu)!Xjj6J^Tmr+{KB9JAubry>gPJ?YA;9wvtrm9!<52IJEfO#0u@Ni$))J3Lc7gEfK
zf5cnQ9p~NbT$r)`5vWd#%*53#7nq;`5NZ3u~b+3F
zI-mHu-#nfk-uYxI*I>Pcx;YiSM%r#^
zJf8Gh)=*a_PZEF&tmVb$rf&vX-Q-ucO+=3625>yzjo?fK#Z4y;d&P1ee<;DP+Fx`C
z)mB3)*Y8&@jT&)0@RU1h^N@@hoI>*uP9I{xnup})8_-GvQ9D`6lbG{k
zbs#9UZrmpUr)T7wmI;RK7z<5kq5!1)P@3`4bBO*U4q8L?e7OqGyzGQJMuJ6kx27La
zsUa&^>%OH6knQQ2ODOY+^gdO6-1moHoE4KG&OpgUcfZIkFd!z(o-W&w8_!dupsB7^or?$Hpy}Fi*P8EoPfOpgug`E~WPzEX_myo-l
zRex1rF;V5hs@CO^#lDHCg}!;K6qIlU{a{dj&4Wh=PrL0tTb&l)rrM|MOaE=oKva)2K_`009fNXsELc>jebv8C
zZI!P~Pq+PQNO?fRg~mbum1pqUIrHiuZ0w(n7}4-&JOE_4I0WHAB3Q%?FzNbi6~Dc;
z?-I6n7v=6Z*SkMn8@;o*;{2bVw!DhJ&x$p@y%haX=^?m9w5ivQVd@281{Eu^Atj4t
z{sfE`zci3=6XH-9iJa{VANne^T4byR);P7j+ftQCi}!d;D2QL)as_3G8H`$m_3o^=
zmY84fp?^aE6ySfjtGOKN%S>@kZ62CcGlS&`YVpvYUOC8N+2fV9*5U`&9=rTaiD?*@
zX?P#H%AQyT8Jk&1@P#OzJtetx$_bAvjaU&jnM=WkdvLDE5oAf|R!9Mb8OJo%eU}Ii
z2=;_jS^7WNh71v5O^89haS-dXET$`eSXGeAQ8~yWep{@DiLE+sNkhjHvYbfx}2f8V;WP@C*g-xI2-@jxp{v
zsc%(ai&=kR=%B49$~wvP-XF5mHJ`zwR&C`s+M;x4WGiC6`j<~`=v9FlN)#d%rD(qY
z<7|?{$Wbw7lXI$%N#f=fgFF*Xhs~ttIy-9ICi`SE!LT)rM=qIr%avucWNf@=P|*PM
zi*a7&etL-BVv*xEuXnO!VdQQEu8ewQMjW*m1A|-@lvAYvCo96yQhhS<@2kA5^dO9g9*ysx64WEhT@}x>
zXVe((Qlw^z({7KXq#|)4!?{)KD`h4)W&8Lrg>5JuA^fyeEdvgD-ZXeQh|{;OCzW4T
z^|O%F=aDM8oo`}$R_W}FVWqQr#g?~vCm{mKLA=ee>s$s_cd3-g{LoK6l1~e
z6cLKmf>RL15yyDagMhZgDVrkNfV!c3%2O|bsG2-eTWsG2CV?E&SB1c86H4r9yJf-s
z6@Iy@%jpw-+N$%@?Yl3#O1Ev!`_leUK=B3&2G6=@ml=rOFJ}S6Bbyd<$WiR(6}S(XmM^fbKi+yL_-bT>5Oc
z)`Gs&XQqEiKgP7YXq{47rE;=wz;)dS+eAn~O76R9Ly)0#gC1-`9-z#zYucwfbid}T
zePQY`{kFKV(C`bcLs0C#7&Xw49rA@dS2((fW2$c
z=3hZeKJbm_Vw@<%2C_CcvqRwx8gEw(l~iB$X4>4b{ztJu*uQi+PbIUQQDNCI|D&5@EPlVzE|K%`)ILx}#-k!2%E!Rr5Ef6w
zB{33b9Q29zyF=G00Bm}5a2G*877E)`SEJLd|NosTz#_`YE
z7Pe+7#A{32Q_TU0`>}-_BH~(4#w;|}r;3^>JN}mnwQ{vvUY>yPo?emdlO33g_MjoS
zLGS40aiYzzigp(M6WGm6)Xop;5+_xub8JU(NChwXWtR(!WON&Jh
z*61e8503kh7D!2
zg(Z6~Mw_Gmi$hwIK<9T`J;wGu>8%u8A6}uwEP-AagDZx8r*`F{s|b!Et~3(qSi(fK
zFw`B2xL@w{=++YrU9}%u>#nr3GX})8BXzbh>9bu}(ZE)IXzFawRq9GlGrj-HY@m8g
z6%7?T*4k8u%Y^Ek-MXl)w
z5%YJhF|J1}Ms0qcQym~#r6{o*h6`v_zbHb5#yh)h=KI`T=(XHI67M-MxYUsAQ%ae2G=f(T^_bsWY&8s3PeIMtT*$%sW3|p@
z=jT)-ofocpP3JxS1064}dTVnUJCTFSdG+-3my^tN%VCvY0z!F&rjTn+Y3LKYX^xcp
z9thCszf~deZNa-r8X-g{H6}lS6uJ~#T1Bp9T5NLA2vxTdoZr>-R*_J2pXC2o+@qqc
zPdbs3C3L6|6{+?04#wT4QbIliJszPzmi*c-Rk`9Ps8B36JA|kD$Q*FP&IxQ=tzCvY
zwI##gHii^p<+IyqVX8nOF)=+UMoaRW0JG7-nJOzCITlT<>;yq`N?qgw3*MRh=jj|5lZYUHK-P;#$ypn
z?=O6Yxr4>ZnZveV{!Bs0hZDWj!cPqY4t?S5ZW12=pK;wDR}dVtDVqe`7g?b1A
zyK6M>p(dMlJ*Z!Qoc}X?^Rj8F+qv$2rmzw4@T0iVb)kKh>#v%8H;#W_{|s;aoTkrT
zZ5MsLEiqsE^zMH(x}!fK0w%G*ZwSat*y3#TjfM_
z2w{kBucs`3khwbSaa*7|GQRf2omBVM3#nXcp-%-UMR=@|D)Hu{cw6Imq!Al1E6)~#
z3}+iNrmzOd^^^id&tQAUtHv)*F3Br0m3i&MLaCz
zi)-sbxijkOH<0>hvI0B4JI&f3i4qaJ%=xI}tS3nB^=F}di~a{BF%;A^uQDr}7Y#)<
zFbobcFmgxk&yE>N5}v^zr$z}sd?PC%qh~_2=Bm~7xg!^{gT@2D_X7BO8w~gJrSk+`
z)4Qv{jspiw!j3@{5#tP)($0izT889!HoukW@@JClYC$DEvSv|RLtA$mw@u`56K;TH
z$rQ$c?Y?)#+onM!J>63OYF(Om>((%GN#ngXvTz_XtXh^Uo!=}NIJrP^NZNIX{>HP1
zQCFjBt-{7CC4?6=(&RwZO8AaQ3vUdT0RdaQ{v^Qve8FkI=e{(WX}h{<%bZ)|I!I$w
zRF@H*pSnjR=yIEEYpA~;F-n{dv~ms^4AT*`4(OzpAdnhIw
z#|Cz86~;9wX)+M-mX@%lHni-#-z6i@HzVOy(15Q<{%90uS!lV8?4+YsNGqM*@Hp@BO&t
zt+HQ+5G#Q=oMyk?&T#Sp0!^mECG9>yG9XaU(5{ao??HcRxdKjMDFzHvsvWNlz5OQM
zkmPk2zp1}%V;)Iw-|9Eh2-WkFLRDt3voJOm->SRucIkiUp$z?yiYVjZQ}V+xnwgg`-IA}#^&WBEmJ>NR@WST8WKzyvMj
zZD+^@ix#RDpZ(M*>avqIHH56OlD(f6G_M3ipo2}b!il+V$^DqO^=UBMeLCa(^AQ$y
zFRw=)t_J*IeW0E#_2u>ZLi=aWvN+Z^RcmE=dFOpk)@c@7d4q+Hb`=6U|8w*@HFXT4
z12z&>z~fU{6I4vIA_DiU$SsPtlCyfRwuiQ#7dkah{J&N#r%K7Kz?y=`jnZe9qM#zB
zoO-oo7iT}~#yB~n2MsBM$%=r3?TvQz=d=I^W4m&s9C|nEfj?6@-*A(i-vEF9*
zIfhbUzzSJk5-E*4jg(_4!2h0AN0_WxOAyX-42Rmed!irU@1)K#CLjtqcT&oT@<~Pw=zF-@A
zDMDfd5t4j5w=TeN1tnGjtcF?=k|xIzyGBDWxr4$IQz6MwVf|YT+28_h!lgVT|5L`;kmU{npi=^^xK5Ro_~kMf_45^9Ks14iyQ+_vG4jl
zd8&A^#kC|~OWdeM8x@mduc%6!{8KHxS8H_0o-rc=Y*Z9j!}>DbNa!18XJvarg^(a8
zU}?lbh>KPbfC=^^aSAH=rYimORR!u!F(84AK
zjh!Ipj%i9)T7-zmu>j-@!QwGpI&#GY?S2Ojv>1}49{UPQOSLJ~YP>>xoR>G4;-MoB
zLF8M?84FtwMHgxLTLyu5j9?p_K*7Ri5oeCGDcekv{
zwT@1|>G`Aoq7X3m%obGjnL&UL^W)`q^p32IebI|PXZkYcR8+`Hgc3OsIcJv8+gVK%@ZGRg=UX>0jm^GBvura46#1gF^M
zPIz7@741N61nvWH6=YO(NHPW4SHyc7BX#v0G6VNr4{rUpIc-L5Q=4|`FrmPNZKwNO^j6
zJ8FnEZUjs(W6>$90L*HfKDAAB&7-x$>C)Z4R+W%kSz%9u?!@?)=T34$JFXxfiu0J-
zGaL`YV$uEBx=13Pn1}+G^shA-kdQ$zo5S+;=AH;ePA;D>4C43YdIU&NNaQtfg39G9
z63NYAc`NE)Ce6`uqRfhf1TB1H$O7Y}*&7PVJB`r(sgB&Mst#V|Ks1rL;hZt0RGqeT
zd=t0Ool%)?O@gJG{@UNgY3oAdP1?4k}TQg)C8yyk4O>ku2WYb{C`=EMYI`6VyWW8Dlk)X
z0Y#Lsn@l_(9>zY`x=v5OBwdp+CcSaPhB!007PYKmIJjergd)rKN_=dCk1J23p7DXc
zY(+UzUZq=2UU>#XDo8>(m9Y%@pOnV+idWyAZ2BTV9c7jGnyb@98`fL3D+@1mn0WE@
zM~GzG$RxuMN4$IvMQQlOkqNY&8jlrDM~aIz*Vkp<^r;5V8_kJ(l0SmoCaY7ncdH33
zl-Cy)8V%V^s
zp09HXTq+pTW@(Raw`%lWXX$|+S&6Z(GTXx^6%_STO*D)!)A4BDSBO4y6iZ2{HYZdm
z3s0OoOH{GVPAU153-QxlU;BmQ)gw_>yMYaF)9YONIL9
zPj0(QmhKOUEFI=HI>dyrz2H_l#;
znl?8pd!1Od`{}ycucF(#p|Iye)aP3Zc;0&-Oo*{g0_Y7h?Pyz5+q^eLlXx$1yd6p6
zXxa*{=>3^sQ+Gbb#FZAB1-9<&-?kvr?D*U@S5c_lPfE6YANjwD9Ofo6#7TqRq=_@n
zZ0um>&FY?3Qr$(`KC+RKB%eG&I&4L{1(xdo`F`UFQbHP!Vy{
zmDHI9Y(ZJrZbgY4gXrkPl0JCRCI{Z^;aYyRcDgZj^ZFL6xZEc{Zq__r)OEI)&`KZa
zR_reuF7kOJo9EO7M>lLkY-iPBX-)X`nrOR(SPjt!mid*8&FWdLnS
zL=<~d4r?Fa3}M0;0*Lw274_=l50t@)$Q)4I!2T>xA7Ja66gNfqcMgyWP0;f-giK1`Sl1W3_d+ZV{o_npq*&syuhp@~VEn_{q4Nqv$Ge
z28o+1ho3J8%i&hVK!C|Hk&OC@gr6}%SH(q#0qUBU?rg{^Cl5dJ8MvL|1E@KE9`8yD
zTX~Z)_-p6vesAq{ndQzMSrLE1A%CDA7-U;6S`i1PNtC2oc|=Ma6T*ZG>DMQ}b4bSE
zj^QgrbwIIGe<{7c61g;y=JF=OJGjqx=%xO+p;9$o)RG+1HYu~%x1XqLJxTjj3k3*Y?I^v7VO%c>^Hoe)R{v5OELUz!A2n$sV$W~cRBY3p-|
z-7n?lyHX5++9a~u1L1-~?MrJ?!t?>b%wj*Q!TL>(2%Izy(M6fGOYReKvmx8E0onr@vX+C1mv#B2j%jibx|~svm!SJdcWs_qLz?yPt%4*(>I6VpBw{Z2}}h^x*V4{(9!;
zP9ffdDm6UCb^RAH>`HBej~&(NnN#^7MY(9Nnx|BXZ1H>dJm9bO
zaP#q`*@P7SxA4Kn+MVICLTSW%IZ10_@9CKt`1!+|#iL)PN%z57kxO5DjG`RVv#df}$B<0>$b;Bd0dv#*
zg{bDJ&hd4dU~9;JVS^&Pm@M~Tlbl}jAZ>`%$t{wNVv=;!G}*R`mgQob
z^J0^r3Oyq6HN+kFh>#eVCm-tUbOH3vZ`%j@w5`=9(Y?C`H(r;Q{@n{|2^pKIVJe3)&;)v0we4M$kU2bG3(csXMZGz;+{
zlH=QJ(brB+YMkdL90PSCK7|6Y*Qc)m#bf?N69p@+?;!_Vs*s436`PIiZs+*Kb2ERD
z07c4^As)rct!>Y5XLlGw%E*`?3vdj<;Nb|Xje!&zVX^oC`wAO&VhIb(bZjDyIJ*f5
z5z$g26xS}*2u4!KMJyOz1G}EJO4|eG2sBC$5M$^J!Z)u3RRvND-?*1v)H43F?7~u3{j}JfRfDYkb>OdBE^mB^+#5
zW%q$vx9NIFA1136Y{^s(;CamjjERAFh-m(D!W(l(7X8qc2s6$|i?EHBRwVsGKJ$ml
zbNy0X9xT{2I40<$rI0MCGU>|lpn)o-ZHYJsDk(&k0y8MP1VM5d%Qj$qN&mruARJ!k
z9^c}|4TgL0q_u91^(HAHXq-K-M6Rr)EN_{IPQcZMkl%(O(BA76JiE4jn*I5L^N>}1
zHLnXkIpAstoHunPnB`%h9b0HP&H8BtyX10@4{yA%}pHq~>p_#&hR>tTsNTTci3--x|4JN{rJQ
zSnpVurGHjM-ya=8%c)+hk>_+Bj#zpz9qncMiaTSVx(jy@6RLqxPf##xzHMVJ^D*WW
z8EmFySwa-KLhOf|grBSKQBQD$9Hx9q%!5!_6g@1lylL;=lT%2mAZd
z+XrbjYKNwNm1ipl%Fdk_@4IbT<5sv_E+h@H%SwA6uFCw~vhPw$2Fp(LJb^)8;eps)
zk!uO$E{|bMkJel2=r~}-VP~5YQISquvmg(gC5Wd7WTjj>5@512mLm1n&ZNp##3Q8FXFTZ*;gy{??+yE1(@%s1{bY(!v4y?b=yZ-t?!2g?lW?(3<`}~8E
zsUM8|PxhIywbB2A$fSKbJ%Z15<|!Bb1}+5K4hbJX-vca`S8}8*?zmb&C&9%=@OD^@cC|0!r_ISUl
zP2|O^&&_4J=HQSpH8G(^V2Ip&A(3n@Ip0&xkBCAJJi(nhHX*jSuV68(TYeYbQa<4Dz?HrfOc@OpT-zXWO^R@
z!2DBPv3C*88bNp?tI22(k{Kq8?1W-1o8^eg9?2`aoOsF}&PB@w>h(=}H=t(oM;pu?
z7h_hG&#=XzWCAJkgHR?3q7+UN4*$697@F6lu*Q6f0c^(efnTCOXZpZExE
zR67jUkKIRycCitpqs>~t*zMY+N0Q^n*qXX3nN9hf!&~vf5}W`E3WDpP!5XSFA)J=2
z+pqN0S+Fas&;&dAK7v2>JWpi+?(In=)
z$1|fGp?EHWR3B-+qHh;#Wr#RmB9ir=_U{cdYPB5FX#EQ#XFnK$pL_Xx>9*yJTG6z*
z5Jc88BISKJ`hyVzyecYx*)d+nC`c>309ykJEx|11krZiBdQ06bXlz(5j8mfWBC0=)
ziG5}<;;8`XD3Vtlx5r
z|J4nk12YKTdolEO_0yO92b3K2Jp*%r0|1~90RW)>_etVtX8gyP?w>2eKPiD4y5ZQO
zNZ#-pE*MAJOA{yEwKxxKQJt1_?UupZP0W?4O>RXZE|xBXh!9irh!7xg{qUv`e@BHN
z&|7*^+k@YK9qYv(@D3Wi`LP&Df
z{!TmQWY4UNDUe_8^yaK;&=wU-2nwk~aoI#gyJ~0qzL|n`)E;8*g&Qf}<2-AtO$a|<
zEK3n&Lt0(|DyC;Oy-o$qU
zS^;=Wd|-Yqbn!S&`^Fw7X3&lB>#v7B{BL_WF%+Qu~(PaiI
zNKi|?N&{S$T9nFkNa2e
zERTzikLGHx*F8xtorK$=xe8nJnYa6AILPKWRcIRnVC9PvBYDKZ0_FXjlQHY%NlRPVTcV?|VHRP;`{utQI(G)E>BJ6{6
z@`hGXwIUZnf-voPag?ThlLhyLc5fkS()JQ$znT98SjU2V)YTz^cw;wlcO^N@5N`uRjyQt^x~3(zO1O)HAsnM$II&Qry}PjWux3P|MHnj)<7y?McaVKry)3@ZJtG
zh3-GXo@+K7p=z#~WNnVcEHBG6@Ws_$SHqDEK&&HYH*kN!scJ%+hAM>IduQIxOebVY
zvt5a3axI*1jg^2@O<$7P%My!tyj*lcAttU+(p=eh8if7+OyU7!g!c}H@iN8~yXanJ
zEe^p#wgNgrK|JnBvKAPy{r)Zdhn%*lVQg|jy4_C5sr*P>?Cr-|^j3Z2_r3j~lciZ1
zr*ygKS*CP+I*hx#Gr_lRFTte8i)-#K!pt*v3)sb|<*$}VD~~(+?kZSq&aQ?^Ef+j0
zi>VFo@D(&sY(Ig{d1Q%Rio58%PeqiFJqX(a&Mn6SbmzknDz-Mu-3v2E>^J1i^bKd9
zn}##J118#!$Dq~2(w#;K)p8=q07aH#KeaBmX5mjBC4|1m=2q4})s#lyx1Yae3G*tM
zGg?}=`cuUZ{n&2xe9c9N(K6&@8RqFK5N&)mjH{NkEU!g3JP#JC(2`0bp^wqOTf6Bw+I3~6
zWig{zv{E>0(G96vPEwbMZD!Gw;V@WQ_#ic#cRsa4i_A?1Ek~hLCde$&ex-Dj^u<$Z
z+#85PglJ07lYmJ;h~y9)2jbUx0iKpL;-oj5+IXvfrOQi6`QSnExS0
zX?hP+l?}~V=ww#3Ue37wYCsliKWB;GPKT}lTv*Y13?e^V#N*r1s@OGP5&r_KqJFg{
z@0VVlryb-34gp$yqTTkULV>UhoS
z4uQxU;_xiagoimWsi=c}FYP@bu>2!7%qrQ)Qll6!4R1eHs1I5!m399B9|v9hf<2ud
zS0^xMv8+fhO0~tRAFWT_=ex|7FxNC_tsP;>xK-M>gTiF$Cbd7TB34u4Fb$Ww&z&y{
z>^$13-m%Pmnet7LQ&Ohw3cvGrH7^8~f7r5h1l6O)W_bg4r$*tj*}{i>|8vmi4sj0o
z{(y}U98P|~jPe&M#Af$BONh~D(BWDFsdCY_v{GZu7ghlNN*9=2*^qV()C|;bFP;-n
z|1rH2HtI*cm5K(7HT?Rz5{2eqa^6!qkf9U)F+mnKp4+7GI0sw&i9LE3ClR6kXI+|OX{zKau
zR5caX*-^ZGDRyN%c5l&vk$+~*g%}Qikk@|&m3+O|
zZ+p8p%b?C;O(?+=v`CyAELAsH&+W>gqL#*TBEjzF&;(Y*2FbSKEQ#?pOy(ds`7=*a
z=DRUT<(aKL(;F<=kjnB5NF=Pa6y(vE3w+4l#8ii#YaQj8S@tzXvL^%x!1$Kbz%(bI?-?x&aG9zx)Dv7_LHF>M>n)z;rXU5{G@?70*`7^OJS
z_lkIjOX|Z?4ekwO!ot!mkPlpFBE~fsg%iTLCTIgQ%yV5CBnd|SQwO@Su!&iAY~DGu
zDB~pQ5L&Pgvpwe&yG7F)Ltz>N*We7_R&QF*g+8Lb^BO3l{z7#^1jn(zffaVZ|s
z)+~cf1l_XS6D+@gk0k=94lF)3D4JWZA~9?4A&oHNRiXot+lh7cv!Xqc`5?Y5h~DJ1
zQ4d7m?c9-49(DkOWC=VTsZnY>pL;$JFdx;ADiS#xA;}Duz*{2hn@C|EsJ21?G{n!G
zJJn6G3@eCrS#XZLm&M?I>KUrU8<`uZp&q`5uTCbzNuDqiYNZt38