1. Hard disk partitions

An IDE hard disk has the following layout, regardless of the operating system:

    Master Boot Record and basic partition table | Partition 1 | Partition 2 | ... | Partition N

The MBR and the basic partition table share the first sector of the hard disk (head 0, track 0, sector 1; this first sector is referred to below as the MBR). The partition table occupies the last 66 bytes of that sector: apart from the final 2 bytes, 55AA, it holds 4 partition records of 16 bytes each. The fields of a partition record are:

    Offset  Meaning
    0       Boot flag (80 = active partition, 00 = non-active partition)
    1       Start head number H
    2       Start sector number S
    3       Start cylinder number CYL (the high 2 bits of CYL are in the S byte)
    4       Partition format flag (01: FAT12; 05: Extended; 06: FAT16; 07: HPFS/NTFS; 0B, 0D: WIN95 FAT32; 0E: WIN95 FAT16; 82: Linux swap; 83: Linux; 85: Linux extended)
    5       End head number H
    6       End sector number S
    7       End cylinder number CYL
    8-11    Number of sectors used before this partition (when the record belongs to a partition table inside the extended partition, the value is relative to the start address of the extended partition)
    12-15   Total number of sectors in this partition

(Note: C/H/S numbering starts from 0/0/1.)

It can be seen that with three-dimensional C/H/S addressing the address space of the disk is only 2^24 sectors, that is, a capacity of 8 GB. When the disk capacity is greater than 8 GB, C/H/S cannot address all of it, and the LBA (Logical Block Address) linear address is used instead. In LBA mode the system treats all sectors, according to some rule, as one linearly numbered sequence running from 0 up to a maximum.

C/H/S to LBA:

    LBA = (C - Cs) * PH * PS + (H - Hs) * PS + (S - Ss)

Generally Cs = 0, Hs = 0, Ss = 1, PS = 63, PH = 255. PS is the number of sectors per track and PH is the number of tracks per cylinder.

LBA to C/H/S:

    C = LBA / (PH * PS) + Cs
    H = (LBA / PS) MOD PH + Hs
    S = LBA MOD PS + Ss

Because the MBR can record only 4 partitions, Windows records more than 4 partitions by means of an extended partition, whose partition records are called virtual MBRs. The primary MBR defines the space not yet assigned to a partition as an extended partition and specifies its starting position. That starting position points to a sector of the hard disk which serves as the next partition table, and the definition of partitions continues in that sector.

If only one partition remains, that partition is defined and the chain ends. If more than one remains, the table defines one basic partition and one extended partition; the extended partition record points to the next partition table, and partitions continue to be defined in that next table until the end. This forms a partition chain, which can describe all partitions. An example of a partition table:
Note: At startup the system walks the partition chain in order until it has found all partitions. If the partition chain forms a ring, the result is the so-called hard disk "logic lock": the system cannot start, and it cannot be started from a floppy disk either.
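The chain walk and the ring ("logic lock") condition described above, as an added Python example that is not part of the original page: it parses the four 16-byte records of each table sector and follows the extended-partition links, stopping as soon as a table sector repeats. The sample disk is constructed, and the code assumes the usual convention that a link record's start is relative to the first extended partition while a logical partition's start is relative to its own table sector.

```python
import struct

EXTENDED = {0x05, 0x0F, 0x85}  # 05 and 85 are in the type list above; 0F is the LBA form of 05
RECORD = "<B3xB3xII"           # boot flag, CHS start, type, CHS end, sectors before, sector count

def parse_table(sector):
    """Return the 4 partition records held in the last 66 bytes of a table sector."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("sector does not end with 55AA")
    records = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from(RECORD, sector, 446 + 16 * i)
        records.append({"boot": boot, "type": ptype, "start": start, "count": count})
    return records

def walk_chain(read_sector):
    """Follow MBR -> extended tables. Returns (partitions, ring_detected)."""
    partitions, ext_base = [], None
    for rec in parse_table(read_sector(0)):
        if rec["type"] in EXTENDED and ext_base is None:
            ext_base = rec["start"]              # only the first extended record is followed
        elif rec["type"] != 0 and rec["type"] not in EXTENDED:
            partitions.append((rec["type"], rec["start"], rec["count"]))
    seen, table_lba = set(), ext_base
    while table_lba is not None:
        if table_lba in seen:                    # a table sector repeats: the chain is a ring
            return partitions, True
        seen.add(table_lba)
        next_lba = None
        for rec in parse_table(read_sector(table_lba)):
            if rec["type"] in EXTENDED:
                next_lba = ext_base + rec["start"]   # link: relative to the extended partition
            elif rec["type"] != 0:
                partitions.append((rec["type"], table_lba + rec["start"], rec["count"]))
        table_lba = next_lba
    return partitions, False

def make_table(*records):
    """Build a constructed 512-byte table sector from (type, start, count) tuples."""
    body = b"".join(struct.pack(RECORD, 0, t, s, c) for t, s, c in records)
    return bytes(446) + body.ljust(64, b"\0") + b"\x55\xaa"

def sample_disk(ring):
    """Constructed disk: one primary FAT16 partition and two logical FAT32 drives."""
    disk = {
        0:    make_table((0x06, 63, 1000), (0x05, 2000, 4000)),
        2000: make_table((0x0B, 63, 1900), (0x05, 2000, 2000)),
        # Last table: normally ends the chain; the ring variant links back to the first one
        4000: make_table((0x0B, 63, 1900), *([(0x05, 0, 2000)] if ring else [])),
    }
    return disk.__getitem__

if __name__ == "__main__":
    for ring in (False, True):
        parts, looped = walk_chain(sample_disk(ring))
        print("ring detected" if looped else "chain ends", parts)
```

A tool that reads partition tables from untrusted disks needs this visited-sector check (or a hard cap on chain length), otherwise a ring keeps it reading tables forever.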
Because Windows performs this partition lookup during startup in IO.SYS, you can find IO.SYS and change the first 55AA in it to another value; the program then no longer goes looking for the partition table, and the detection of the partition table is avoided.

2. About INT 13

2.1 Read a physical sector with INT 13:
    A100
    MOV AX,201
    MOV BX,200
    MOV CX,1
    MOV DX,80
    INT 13
    INT 3

    G=100

Parameter explanation:

    AL: number of sectors to read
    BX: buffer address
    DH: head number
    DL: drive number (drive A is 0, drive B is 1, the first hard disk is 80, the second hard disk is 81)
    CH: low 8 bits of the cylinder number
    CL: the low 6 bits are the starting sector number to read, and the high 2 bits are the high 2 bits of the cylinder number
2.2 Extended INT 13

Data type conventions:

    BYTE   1-byte integer (8 bits)
    WORD   2-byte integer (16 bits)
    DWORD  4-byte integer (32 bits)
    QWORD  8-byte integer (64 bits)

Disk Address Packet (DAP): the DAP is based on absolute sector addresses, so with it INT 13H can easily get past the 1024-cylinder limit, because it does not need the CHS concept at all. The structure of the DAP is as follows:

    struct DiskAddressPacket {
        BYTE  PacketSize;   // packet size (16 bytes)
        BYTE  Reserved;     // == 0
        WORD  BlockCount;   // number of data blocks to transfer (in sectors)
        DWORD BufferAddr;   // transfer buffer address (segment:offset; the offset is at the
                            // low address in memory, e.g. 166B:400 is stored as 00 04 6B 16)
        QWORD BlockNum;     // absolute starting block address on the disk (i.e. the LBA address)
    };

Drive Parameters Packet: the packet used by the extended INT 13H get-drive-parameters sub-function. Its format is as follows:

    struct DriveParametersPacket {
        WORD  InfoSize;         // packet size (26 bytes)
        WORD  Flags;            // information flags
        DWORD Cylinders;        // number of cylinders
        DWORD Heads;            // number of heads
        DWORD SectorsPerTrack;  // number of sectors per track
        QWORD Sectors;          // total number of sectors on the disk
        WORD  SectorSize;       // sector size (in bytes)
    };

2.2.1) Check whether the extensions are present

    Entry:  AH = 41H
            BX = 55AAH
            DL = drive number
    Return: CF = 0
              AH = major version of the extensions
              AL = internal use
              BX = AA55H
              CX = API subset support bitmap
            CF = 1
              AH = error code 01H, invalid command

This call checks whether the extensions exist for the specified drive. If the carry flag is set to 1, the drive does not support the extensions. If the carry flag is 0 and BX = AA55H, the extensions exist. In that case bit 0 of CX indicates whether the first subset is supported and bit 1 indicates whether the second subset is supported. For version 1.x of the extended INT 13H, the major version number is AH = 1.
AL is the minor version number, but it is reserved for internal use by the BIOS; software must not check the value of AL.

2.2.2) Extended read

    Entry:  AH = 42H
            DL = drive number
            DS:SI = Disk Address Packet (DAP)
    Return: CF = 0, AH = 0           success
            CF = 1, AH = error code

This call reads data from the disk into memory. If an error occurs, the BlockCount field of the DAP holds the number of data blocks actually read before the error.

2.2.3) Extended write

    Entry:  AH = 43H
            AL  bit 0 = 0            write verify off
                      = 1            write verify on
                bits 1-7             reserved, set to 0
            DL = drive number
            DS:SI = Disk Address Packet (DAP)
    Return: CF = 0, AH = 0           success
            CF = 1, AH = error code

This call writes data from memory to the disk. If the write-verify option is turned on but the BIOS does not support it, the call returns error code AH = 01H with CF = 1. Function 48H can detect whether the BIOS supports write verify. If an error occurs, the number of data blocks actually written before the error is recorded.

2.2.4) Verify sectors

    Entry:  AH = 44H
            DL = drive number
            DS:SI = Disk Address Packet (DAP)
    Return: CF = 0, AH = 0           success
            CF = 1, AH = error code

This call verifies data on the disk but does not read it into memory. If an error occurs, the BlockCount field of the DAP holds the number of data blocks actually verified before the error.

2.2.5) Lock/unlock drive

    Entry:  AH = 45H
            AL = 0                   lock the drive
               = 1                   unlock the drive
               = 02                  return the lock/unlock state
               = 03H-FFH             reserved
            DL = drive number
    Return: CF = 0, AH = 0           success
            CF = 1, AH = error code

This call is used to lock the media in the specified drive. All removable drives with a drive number greater than or equal to 0x80 must support this function. If it is used on a fixed drive that supports the removable drive control function subset, it returns success. The drive must support up to 255 locks; the drive is not physically unlocked until all locks have been released. Unlocking a drive that is not locked returns error code AH = B0H. Locking a drive that has already been locked 255 times returns error code AH = B4H. Locking a drive that contains no media is legal.

2.2.6) Eject removable drive media

    Entry:  AH = 46H
            AL = 0                   reserved
            DL = drive number
    Return: CF = 0, AH = 0           success
            CF = 1, AH = error code

This call ejects the media in the specified removable drive. All removable drives with a drive number greater than or equal to 0x80 must support this function. If it is used on a fixed drive that supports the removable drive control function subset, error code AH = B2H is returned (the medium is not removable).
If you try to eject a locked medium, error code AH = B1H is returned (the medium is locked). If you try to eject from a drive that contains no medium, error code AH = 31H is returned (there is no medium in the drive). If you try to eject the medium in an unlocked removable drive, INT 13H calls INT 15H (AH = 52H) to check whether the eject request may be executed. If the eject request is rejected, the error code is returned (as with INT 15H). If the eject request is accepted but another error occurs, error code AH = B5H is returned.

2.2.7) Extended seek

    Entry:  AH = 47H
            DL = drive number
            DS:SI = Disk Address Packet (DAP)
    Return: CF = 0, AH = 0           success
            CF = 1, AH = error code

This call positions the head at the specified sector.

2.2.8) Get drive parameters

    Entry:  AH = 48H
            DL = drive number
            DS:SI = address of the return data buffer
    Return: CF = 0, AH = 0           success
              DS:SI = address of the drive parameters packet (see above)
            CF = 1, AH = error code

This call returns the parameters of the specified drive.

2.2.9) Get extended drive media change line status

    Entry:  AH = 49H
            DL = drive number
    Return: CF = 0, AH = 0           the media has not been changed
            CF = 1, AH = 06H         the media may have been changed

This call returns the media change status of the specified drive. It is the same as the INT 13H AH = 16H sub-function, except that any drive number is allowed. If it is used on a fixed drive that supports the removable media function subset, it always returns CF = 0, AH = 0. Simply locking the removable medium activates the detection line; the medium does not actually have to be replaced.

2.2.10) INT 15H removable media eject support

    Entry:  AH = 52H
            DL = drive number
    Return: CF = 0, AH = 0                       the eject request may be executed
            CF = 1, AH = error code B1H or B3H   the eject request cannot be executed

This call is used internally by the INT 13H AH = 46H eject media function.

(Note: bytes 8-11 of a partition record, the number of sectors used before this partition, are the LBA address of the first sector of the partition. With extended INT 13 you can access any sector of the disk.)

3. FAT file system structure

3.1 FAT12, FAT16:

    DBR - FAT1 - FAT2 - DFT - DATA

The DBR occupies only 1 sector. The DFT is the root directory; the number of DIR entries in the root directory is fixed, generally 512 entries of 32 bytes each, that is, 32 sectors. The logical sector number of a file:
    Logical sector number = 1 + 2 * sectors per FAT + sectors occupied by DIR + (start cluster number - 2) * sectors per cluster

3.2 FAT32:

    DBR and subsequent reserved sectors - FAT1 - FAT2 - DATA

In FAT32 the DBR takes 3 sectors, although only the first is actually used; sectors 2 and 3 also carry the 55AA flag. Reserved sectors follow, typically 20H or 21H in number, and the sixth sector is a backup of the DBR. In addition, DIR is treated as a file: it has no fixed position and no fixed size. The logical sector number of a file:
    Logical sector number = number of reserved sectors + 2 * sectors per FAT + (start cluster number - 2) * sectors per cluster

Because DIR is not at a fixed position in this case, the entry cluster of DIR is read from the BPB. Within a given partition, sectors can be accessed by logical address; logical addresses start from 0. In Windows 98 and DOS they can be accessed with DEBUG's L command:
    L [address] [drive] [firstsector] [number]

This reads sectors of a logical disk. The sector number is a logical address; 0 is the DBR (the boot area). Drives are numbered in the order A, B, C, D ..., corresponding to 0, 1, 2, 3 ... The corresponding W command:

    W [address] [drive] [firstsector] [number]

If W is used without parameters, or with only the address parameter, it writes the number of bytes given by the BX:CX registers from memory to a file. The file name is the one in use before this command, or the file specified with the N command. If no N command has been used, the file specified on the DEBUG command line is used.

DBR (DOS Boot Record): the first sector the operating system can access. It includes a boot program and the BIOS Parameter Block (BPB), the parameter record table of this partition.

FAT (File Allocation Table): its records correspond to the clusters on the disk. FAT2 is a backup of FAT1. There are several FAT formats: FAT16 means that the file allocation table uses 16 bits to represent a cluster, and likewise for FAT12 and FAT32. It follows that FAT16 can manage 65,536 clusters, and since a cluster is at most 32 KB, a FAT16 partition is at most 2 GB. (Note: clusters 0 and 1 of the FAT are reserved, byte 0 gives the disk type, and cluster numbers start from 2.)

DFT (file directory table): the root directory area. It exists as such only in FAT12 and FAT16, where it follows FAT2. Each file and subdirectory under the root directory has a directory entry in the DFT that takes 32 bytes; the number of entries is given in the BPB. In FAT32 the DFT has no fixed position: it is handled as a normal file, and the BPB gives the address of its first cluster.

Long file name rules: the directory entry stores the short name of the file. The long file name is stored in a number of long-file-name directory entries, which are placed in front of the short directory entry of the file and store double-byte Unicode, up to 13 characters each. The first byte of such an entry is the sequence byte, giving the position of the entry within the long file name; byte 11 is 0F, byte 12 indicates the type, byte 13 is the checksum, and bytes 26 and 27 are 0.

--------------------------------------------------------------------------

3.3 FAT file systems:

3.3.1 FAT16 BPB:
    Offset  Length  Description
    00      3       JMP instruction; jumps to the boot program, followed by a no-op. (Not part of the BPB)
    03      8       OEM flag (FAT16 is MSWIN4.0)
    0B      2       Bytes per sector
    0D      1       Sectors per cluster
    0E      2       Number of DOS reserved sectors
    10      1       Number of FATs
    11      2       Number of root directory entries, e.g. 512
    13      2       Number of sectors (partitions smaller than 32 MB)
    15      1       Media descriptor
    16      2       Sectors per FAT
    18      2       Sectors per track (logical parameter)
    1A      2       Number of heads (logical parameter)
    1C      4       Hidden sectors (i.e. bytes 8-11 of the partition record: the number of sectors used before this partition)
    20      4       Number of sectors (i.e. bytes 12-15 of the partition record)
    24      1       BIOS device number (hex: HD = 8x)
    25      1       Unused
    26      1       Extended boot flag
    27      4       Volume serial number (random)
    2B      11      Volume label, partition identification, e.g. WIN98
    36      8       File system format: FAT16

3.3.2 FAT32 BPB:

    Offset  Length  Description
    00      3       JMP instruction
    03      8       OEM flag (FAT32 is MSWIN4.1)
    0B      2       Bytes per sector
    0D      1       Sectors per cluster
    0E      2       Number of DOS reserved sectors, generally 32 on FAT32
    10      1       Number of FATs
    11      2       Number of root directory entries, generally 0, not used
    13      2       Number of sectors (partitions smaller than 32 MB; not used in FAT32)
    15      1       Media descriptor
    16      2       Sectors per FAT (not used in FAT32)
    18      2       Sectors per track (logical parameter)
    1A      2       Number of heads (logical parameter)
    1C      4       Hidden sectors (i.e. bytes 8-11 of the partition record: the number of sectors used before this partition)
    20      4       Number of sectors (i.e. bytes 12-15 of the partition record)
    24      4       Sectors per FAT
    28      2       Flags
    2A      2       Version
    2C      4       First cluster address of the root directory
    30      2       Number of sectors occupied by the DBR
    32      2       Address of the backup DBR
    34      12      Reserved
    40      1       BIOS device number (hex: HD = 8x)
    41      1       Unused
    42      1       Extended boot flag
    43      4       Volume serial number (random)
    47      11      Volume label, partition identification, e.g. WIN2000
    52      8       File system format: FAT32

3.3.3 Media descriptor:
    Hex  Meaning
    F8   Hard disk
    F9   Double-sided 5-inch floppy disk (15 sectors, high density); double-sided 3-inch floppy disk
    FA   Double-sided 3-inch disk; RAM virtual disk
    FC   Single-sided 5-inch floppy disk (9 sectors, high density); double-sided 8-inch disk
    FD   Double-sided 5-inch disk (9 sectors, low density)
    FE   Single-sided 8-inch disk (single, double density); single-sided 5-inch disk (8 sectors, low density)
    FF   Double-sided 5-inch disk (8 sectors, low density)

3.3.4 FAT entry values for each cluster number and their meanings:
    Entry value (12-bit)  Entry value (16-bit)  Entry value (32-bit)   Cluster description
    000H                  0000H                 00000000H              Unused cluster
    002H-FEFH             0002H-FFEFH           00000002H-FFFFFFEFH    Allocated cluster (as can be seen, cluster numbers start from 2)
    FF0H-FF6H             FFF0H-FFF6H           FFFFFFF0H-FFFFFFF6H    Reserved
    FF7H                  FFF7H                 FFFFFFF7H              Bad cluster
    FF8H-FFFH             FFF8H-FFFFH           FFFFFFF8H-FFFFFFFFH    End cluster of a file

3.3.5 FAT16 FDT field meanings:
    Offset  Length  Description
    0-7     8       File name
    8-10    3       Extension
    11      1       Attribute byte (00000000 read/write, 00000001 read-only, 00000010 hidden, 00000100 system, 00001000 volume label, 00010000 subdirectory, 00100000 archive)
    12-21   10      Reserved
    22-23   2       File creation time (HHHHH MMMMMM SSSSS)
    24-25   2       File creation date (YYYYYYY MMMM DDDDD)
    26-27   2       First cluster number
    28-31   4       File length

3.3.6 FAT32 FDT field meanings:

    Offset  Length  Description
    0-7     8       File name
    8-10    3       Extension
    11      1       Attribute byte (same as FAT16, but 0FH indicates that the entry is a long file name record)
    12-13   2       Type, checksum
    13-15   3       File creation time (HHHHH MMMMMM SSSSS)
    16-17   2       File creation date (YYYYYYY MMMM DDDDD)
    18-19   2       Last access date, defined as for 16-17
    20-21   2       High 16 bits of the start cluster
    22-23   2       Last modification time (HHHHH MMMMMM SSSSS)
    24-25   2       Last modification date, defined as for 16-17
    26-27   2       Low 16 bits of the start cluster
    28-31   4       File length

With the above, the contents of any file in a FAT system can be read through the DEBUG L command.

--------------------------------------------------------------------------

4. NTFS file system structure:

    Partition boot sector - MFT (Master File Table) - system files - file area

In NTFS, everything on the disk is a file. A file's storage location on the disk is determined through the MFT. The master file table is a database describing the files, made up of a series of file records: each file in the volume has a file record (large files may have several). The master file table itself also has its own record. The size of an MFT file record is generally fixed at 1 KB, regardless of the cluster size. The part of the MFT that the system uses only to organize the file system itself is called metadata and cannot be accessed by applications. Among these, the 16 most basic records are metadata files that are very important to the operating system.
The names of these files start with '$'; they are hidden files and cannot be listed with the DIR command. There is, however, a tool, NFI.EXE, that can dump the important metadata files. NTFS locates clusters using the logical cluster number (LCN) and the virtual cluster number (VCN). LCNs number the clusters of the entire volume from beginning to end, which is equivalent to the logical cluster number of the FAT system. VCNs number the clusters that belong to a particular file, from its first cluster to its last. A VCN can be mapped to an LCN. NTFS divides the disk into two parts: approximately 12% is assigned to the MFT, and the remainder is used to store files. NTFS accesses a volume through the MFT as follows:
First, the volume must be mounted: NTFS looks at the boot file (the $Boot metadata file) and finds the physical address of the MFT;
Then it obtains the VCN-to-LCN mapping information from the data attribute of the MFT's file record and keeps it in memory. This mapping information locates the runs of the MFT on the disk (runs, or extents; see resident and nonresident attributes);
Then it opens the MFT records of several more metadata files and opens those files. After that, the user can access the volume.
NTFS treats a file as a collection of attribute/attribute-value pairs. The file data is the value of the unnamed attribute. A file usually takes up one file record, but when a file has many attribute values or is heavily fragmented, it may take up more than one. In that case the first file record is its base file record, which stores the locations of the other file records the file needs.

Small files and folders are stored entirely in the file's MFT record. An NTFS folder is just a simple index of file names and file reference numbers. If the directory listing is smaller than one record, all the information of the folder is stored in its master file table record. Folders larger than a record are managed with a B-tree, using pointers to external clusters that store the folder attributes that do not fit in the MFT.

When a file is small, all its attributes and attribute values can be stored in the MFT file record. An attribute whose value is stored directly in the MFT is called a resident attribute. Some attributes are always resident, so that NTFS can locate the other, nonresident attributes. Large files or large directories cannot keep all their attributes resident in the MFT. If an attribute is too large to be stored in the MFT file record of only 1 KB, NTFS allocates a separate area for it. Such an area is usually called a run or an extent, and it stores the attribute value, such as file data. If the attribute value later grows, NTFS allocates another run to store the additional data. An attribute whose value is stored in runs rather than in the MFT file record is called a nonresident attribute. Among the standard attributes, only those that can grow can be nonresident. For files, these are the data attribute, the attribute list, and so on.
4.1 NTFS BPB:

    Offset  Length  Description
    00      3       JMP instruction
    03      8       OEM flag
    0B      2       Bytes per sector
    0D      1       Sectors per cluster
    0E      2       Reserved sectors
    10      3       Always 0
    13      2       Not used by NTFS, always 0
    15      1       Media descriptor
    16      2       Always 0
    18      2       Sectors per track
    1A      2       Number of heads
    1C      4       Hidden sectors
    20      4       Not used by NTFS, always 0
    24      4       Not used by NTFS, always 0
    28      8       Total number of sectors
    30      8       Logical cluster number of $MFT
    38      8       Logical cluster number of $MFTMirr
    40      4       Clusters per MFT record
    44      4       Clusters per index record
    48      8       Volume serial number
    50      4       Checksum

4.2 NTFS metadata files:
    No.    Metadata file     Function
    0      $MFT              The master file table itself
    1      $MFTMirr          Partial mirror of the master file table (its content is the first 16 file records)
    2      $LogFile          Log file
    3      $Volume           Volume file
    4      $AttrDef          Attribute definition list
    5      $Root             Root directory
    6      $Bitmap           Bitmap file
    7      $Boot             Boot file
    8      $BadClus          Bad cluster file
    9      $Secure           Security file
    10     $UpCase           Uppercase file
    11     $Extend           Extended metadata directory
    12     $Extend/$Reparse  Reparse point file
    13     $Extend/$UsnJrnl  Change journal file
    14     $Extend/$Quota    Quota management file
    15     $Extend/$ObjId    Object ID file
    16-23                    Reserved
    23                       User files and directories

4.3 MFT structure:
    Offset  Length  Attribute
    00      4       Signature, must be 'FILE'
    04      2       Offset of the update sequence (US)
    06      2       Size of the update sequence number (USN) and array, including the first byte
    08      8       Log file sequence number (LSN)
    10      2       Sequence number (SN)
    12      2       Hard link count
    14      2       Offset of the first attribute
    16      2       Flags: 1 means the record is in use, 2 means the record is a directory
    18      4       Total length of the record header and attributes, i.e. the actual length of the file record
    1C      4       Length allocated to the record
    20      8       File index number of the base file record
    28      2       Next attribute ID
    2A      2       Used by Windows XP: boundary
    2C      4       Used by Windows XP: number of this file record

4.4 Standard index header structure:
    Offset  Length  Attribute
    00      4       Always 'INDX'
    04      2       Offset of the update sequence number
    06      2       Size of the update sequence number (USN) and array, including the first byte
    08      8       Log file sequence number (LSN)
    10      8       VCN of this index buffer
    18      4       Offset of the index entries (relative to 18)
    1C      4       Size of the index entries (relative to 18)
    20      4       Index size (relative to 18)
    24      1       1 for a non-leaf node (has child indexes)
    25      3       Always 0
    28      2       Update sequence number
    2A      2S-2    Update sequence array

4.5 Common indexes:

    Name   Index            Used in
    $I30   File names       Directories
    $SDH   Security descriptors  $Secure
    $SII   Security IDs     $Secure
    $O     Object IDs       $ObjId
    $O     Owners           $Quota
    $Q     Quotas           $Quota
    $R     Reparse points   $Reparse

4.6 Commonly used attributes on NTFS volumes:
    Attribute name          Description
    $VOLUME_INFORMATION     Volume information; exists only in the $Volume metadata file
    $VOLUME_NAME            Volume name or label; exists only in the $Volume metadata file
    $STANDARD_INFORMATION   Standard information, including basic file properties such as read-only and archive; time stamps; how many directories point to this file (i.e. the hard link count)
    $FILE_NAME              File name, expressed in Unicode
    $SECURITY_DESCRIPTOR    Security descriptor (2000/XP puts all file security descriptors in the $Secure metadata file; earlier versions kept them with the file or directory)
    $DATA                   File data
    $INDEX_ROOT             Index root
    $INDEX_ALLOCATION       Index allocation
    $BITMAP                 Bitmap
    $ATTRIBUTE_LIST         Attribute list
    $OBJECT_ID              Object ID: an identifier of 64 bytes, of which the lowest 16 bytes are unique
    $REPARSE_POINT          Reparse point
    $EA                     Extended attribute
    $EA_INFORMATION         Extended attribute information
    $LOGGED_UTILITY_STREAM  EFS encryption attribute
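How the first-attribute offset from section 4.3 and the resident/nonresident distinction are used when reading a file record, as an added Python example that is not part of the original page: it walks the attributes of one record and decodes a nonresident attribute's run list into (VCN, LCN, length) extents. The attribute header offsets, the type codes and the run-list encoding are not given on this page and are assumed from the commonly documented NTFS on-disk layout; the record is constructed, and update sequence fix-ups are not applied.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}  # assumed type codes

def decode_runs(runlist):
    """Decode a run list into (vcn, lcn, clusters) extents; lcn is None for a sparse run."""
    extents, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runlist) and runlist[pos] != 0:       # a 00 header byte ends the list
        len_size, off_size = runlist[pos] & 0x0F, runlist[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError("malformed run list")
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size:                                      # signed offset from the previous LCN
            lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            extents.append((vcn, lcn, count))
        else:
            extents.append((vcn, None, count))
        pos += off_size
        vcn += count
    return extents

def parse_record(rec):
    """Return (name, resident, value_or_extents) for each attribute of one file record."""
    if rec[0:4] != b"FILE":
        raise ValueError("not an MFT file record")
    pos = struct.unpack_from("<H", rec, 0x14)[0]          # offset 14: first attribute (section 4.3)
    out = []
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF:                           # end-of-attributes marker
            break
        if alen < 0x18 or pos + alen > len(rec):
            raise ValueError("attribute length out of bounds")
        name = ATTR_NAMES.get(atype, hex(atype))
        if rec[pos + 8] == 0:                             # resident: value sits inside the record
            size, off = struct.unpack_from("<IH", rec, pos + 0x10)
            out.append((name, True, rec[pos + off:pos + off + size]))
        else:                                             # nonresident: value sits in runs
            run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
            out.append((name, False, decode_runs(rec[pos + run_off:pos + alen])))
        pos += alen
    return out

def sample_record():
    """Constructed 1 KB record: one resident attribute and one nonresident $DATA."""
    header = bytearray(0x38)
    header[0:4] = b"FILE"
    struct.pack_into("<HH", header, 0x14, 0x38, 1)        # first attribute at 38, flags = in use
    resident = struct.pack("<IIBBHHHIH2x", 0x10, 0x20, 0, 0, 0, 0, 0, 8, 0x18) + b"RESIDENT"
    runs = b"\x21\x08\x00\x10" + b"\x11\x04\xf0" + b"\x00"  # 8 clusters at 4096, then 4 at 4096-16
    data = struct.pack("<IIBBHHHQQH6xQQQ", 0x80, 0x48, 1, 0, 0, 0, 1,
                       0, 11, 0x40, 12 * 4096, 12 * 4096, 12 * 4096) + runs
    return (bytes(header) + resident + data + struct.pack("<I", 0xFFFFFFFF)).ljust(1024, b"\0")

if __name__ == "__main__":
    for name, resident, value in parse_record(sample_record()):
        print(name, "resident" if resident else "nonresident", value)
```

The bounds checks on the attribute length and on each run matter when the record comes from a damaged or untrusted volume, where these fields cannot be assumed to stay inside the 1 KB record.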