这段时间家里有点事,Classic Readings 版块一直没来得及搞(只是上传了两篇 OSR 的文章——《Understanding and Using Execution Context in Windows NT Drivers》、《Nt vs. Zw - Clearing Confusion on the Native API》),我先整理个关于 NTFS 的随笔顶上...
上周末两天时间看了一下 NTFS,这东西比较好玩 (相比之下 FAT 很简单,属“大玩具”级,详见我在这里最下面的回帖:http://advdbg.com/forums/629/ShowPost.aspx)。想实践的话,第一步肯定是要重写属于自己的 ntfsboot.asm,牵扯出来的问题就是怎样从 MBR 开始加载 Bootstrap Code 进而在数据结构如云的 NTFS 磁盘结构里找到 Ntldr,最终加载并执行它。
代码的重写 / 整理过段时间再放出来,先来说说原理 && NTFS 磁盘格式。
首先 MBR 很简单,它只是比普通的启动扇区多了 4 张分区表 (OSDI一书称为“多了一个中间步骤”)。空间的减少必定意味着代码要精炼,要是像 Brian Palmer 写 freeldr/fat.asm 那样浪费空间肯定玩完... 网络上 MBR 的资料太多,这里不再重复。
接下来是 ntfsboot.asm 的前 512 个字节,这里是当成 Helper Sector 用。NTFS 的 $Boot 定义前 16 个扇区 (2个簇) 是启动部分,所以这 16 个扇区又细分为 1个扇区的 NTFS Boot 和 15 个扇区的 NTLDR Section (注意,仅是名字为 NTLDR Section,这不是 Ntldr 文件)。关于这些东西,资料也多的满天飞,重复什么是 BPB 等实在没有意义 (甚至 NTFS Boot 的 BPB 已被文档化于 MSDN 了...) 我们这里只是看看 Windows 的源代码:
...
mov word ptr [SectorCount], 16 ; read boot area
mov ax, NewSeg ; read it at NewSeg.
mov es, ax
sub bx, bx ; at NewSeg:0000.
call DoReadLL ; Call low-level DoRead routine
push NewSeg ; we'll jump to NewSeg:0200h.
push offset mainboot ; (the second sector).
ret ; "return" to the second sector.
...
前面那一段将 $Boot 重读取 (定位) 于 NewSeg,DoReadLL例程是 BIOS INT 13 的封装。后面三句话是个“ret 倒车”,此外还能看出 mainboot 是 NTLDR Section 代码的入口等 (如果仔细分析源代码的话,您会发现代码的注释——“we'll jump to NewSeg:0200h”其实不准确的,mainboot 的偏移实际是0x26A——0x200 -- 0x269 是数据结构区)。
再看看 bootntfs.h 文件,这文件多半是给绝对扇区读写工具准备的 (微软的人为什么不写成 16 进制呢,不对齐多难看啊!):
unsigned char NtfsBootCode[] = {
235,91,144,78,84,70,83,32,32,32,32,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,128,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,250,51,192,
142,208,188,0,124,251,184,192,7,142,216,199,6,84,0,0,
0,199,6,86,0,0,0,199,6,91,0,16,0,184,0,13,
142,192,43,219,232,7,0,104,0,13,104,102,2,203,80,83,
81,82,6,102,161,84,0,102,3,6,28,0,102,51,210,102,
15,183,14,24,0,102,247,241,254,194,136,22,90,0,102,139,
208,102,193,234,16,247,54,26,0,136,22,37,0,163,88,0,
161,24,0,42,6,90,0,64,59,6,91,0,118,3,161,91,
0,80,180,2,139,22,88,0,177,6,210,230,10,54,90,0,
139,202,134,233,138,54,37,0,178,128,205,19,88,114,42,1,
6,84,0,131,22,86,0,0,41,6,91,0,118,11,193,224,
5,140,194,3,208,142,194,235,138,7,90,89,91,88,195,190,
89,1,235,8,190,227,1,235,3,190,57,1,232,9,0,190,
173,1,232,3,0,251,235,254,172,60,0,116,9,180,14,187,
7,0,205,16,235,242,195,29,0,65,32,100,105,115,107,32,
114,101,97,100,32,101,114,114,111,114,32,111,99,99,117,114,
114,101,100,46,13,10,0,41,0,65,32,107,101,114,110,101,
108,32,102,105,108,101,32,105,115,32,109,105,115,115,105,110,
103,32,102,114,111,109,32,116,104,101,32,100,105,115,107,46,
13,10,0,37,0,65,32,107,101,114,110,101,108,32,102,105,
108,101,32,105,115,32,116,111,111,32,100,105,115,99,111,110,
116,105,103,117,111,117,115,46,13,10,0,51,0,73,110,115,
101,114,116,32,97,32,115,121,115,116,101,109,32,100,105,115,
107,101,116,116,101,32,97,110,100,32,114,101,115,116,97,114,
116,13,10,116,104,101,32,115,121,115,116,101,109,46,13,10,
0,23,0,92,78,84,76,68,82,32,105,115,32,99,111,109,
112,114,101,115,115,101,100,46,13,10,0,0,0,0,85,170,
...............
最后的 0xAA55 是扇区结束标志 (0x55 = 85 , 0xAA = 170),上述 512Byte 即对应 Helper Sector。
接下来都可以想见上面省略号后的代码 (即 1~15 扇区“NTLDR Section”) 主要目的就是 —— 根据 NTFS 分区格式找到 MFT,遍历到相应的 Ntldr 条目,定位 Ntldr 的 Lcn 加载并执行之。我们目前暂不上升到代码的高度,先用 WinHex 把原理 / 流程走一遍:
略去搜索的过程,借助微软 OEM 工具 nfi.exe 得出 ntldr 位于文件条目 3440 处:
File 3440
/ntldr
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
......
也就是说,Ntldr 位于 787292 簇 (MFT 起始于 0xC0000 簇,每一个簇可以装 4 个文件条目,所以:786432 + 3440 / 4 = 787292),验证一下:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0C035C000 46 49 4C 45 30 00 03 00 F3 22 3B 9B 00 00 00 00 FILE0...?;?...
0C035C010 01 00 01 00 38 00 01 00 50 01 00 00 00 04 00 00 ....8...P.......
0C035C020 00 00 00 00 00 00 00 00 05 00 00 00 70 0D 00 00 ............p...
0C035C030 F3 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 ?..........`...
0C035C040 00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
0C035C050 00 A0 29 F9 49 1D C5 01 00 A0 29 F9 49 1D C5 01 .?鵌.?.?鵌.?
0C035C060 88 54 85 DB 63 80 C8 01 CA 2D 3C 5D 12 A6 C8 01 圱呟c€??<].θ.
0C035C070 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 '...............
0C035C080 00 00 00 00 15 01 00 00 00 00 00 00 00 00 00 00 ................
0C035C090 00 00 00 00 00 00 00 00 30 00 00 00 68 00 00 00 ........0...h...
0C035C0A0 00 00 00 00 00 00 04 00 4C 00 00 00 18 00 01 00 ........L.......
0C035C0B0 05 00 00 00 00 00 05 00 DA CA A0 3C A6 80 C8 01 ........谑??
0C035C0C0 AA DD B3 3C A6 80 C8 01 AA DD B3 3C A6 80 C8 01 ????
0C035C0D0 AA DD B3 3C A6 80 C8 01 00 F0 03 00 00 00 00 00 ??.?.....
0C035C0E0 B0 EC 03 00 00 00 00 00 20 00 00 00 00 00 00 00 办...... .......
0C035C0F0 05 03 6E 00 74 00 6C 00 64 00 72 00 50 00 24 00 ..n.t.l.d.r.P.$. /* 文件名 */
0C035C100 80 00 00 00 48 00 00 00 01 00 00 00 00 00 03 00 ...H...........
0C035C110 00 00 00 00 00 00 00 00 3E 00 00 00 00 00 00 00 ........>.......
0C035C120 40 00 00 00 00 00 00 00 00 F0 03 00 00 00 00 00 @........?.....
0C035C130 B0 EC 03 00 00 00 00 00 B0 EC 03 00 00 00 00 00 办......办......
0C035C140 31 3F A5 BD 06 00 01 00 FF FF FF FF 82 79 47 11 1?ソ....����倅G.
0C035C150 FF FF FF FF 82 79 47 11 01 21 11 30 50 00 16 E1 ����倅G..!.0P..?
0C035C160 FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00 ����倅G.........
0C035C170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C1A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C1B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C1C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C1D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C1E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C1F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F3 00 ..............?
0C035C200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C2A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C2B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C2C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C2D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C2E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C2F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C350 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C360 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C370 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C390 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C3A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C3B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C3C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C3D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C3E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C035C3F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 F3 00 ..............?
关于什么是 MFT头、4选1的属性头、0x?0属性描述表 以及它们的定义,您都可以通过查阅 Linux-NTFS 或 NTFS-3g 的源代码得出。这里,绿色的 0x30属性描述表 $FILE_NAME 以及桔黄色的 0x80属性描述表 $DATA 是我们所关注的。
我们重点关注的域是 $FILE_NAME + 18H 偏移(包括属性头) —— File reference to parent directory 以及 $DATA + 40H 偏移(包括属性头),前者确定了 Ntldr 的路径信息,后者定位了 Ntldr 的内容。
05 00 00 00 00 00 05 00 的解析方法如下:
The first six bytes of this eight byte value is the $MFT record number for the parent. You can sweep them and read the parent's record number from the Hex Value Interpreter. In our example the six bytes in Little Endian are 1C 00 00 00 00 00 which equates to decimal 28. This is the $MFT record number for the Orphaned Files folder we created and examined earlier.
Also view the last two bytes of this eight byte sequence. Note that the value is 01 00 (also little endian) or decimal one. This is the sequence number for the parent we viewed earlier and at this point, agrees with the current value found in the parent at offsets 16-17d.
所以,我们会立刻明白 父目录的“文件参考号”为 5,即对应 MFT 的保留部分 —— #5 —— 卷的根目录。所以,Ntldr 的路径为:/Ntldr。
31 3F A5 BD 06 00 01 00 的解析方法如下:
N = 3,L = 1 ==> Ntldr 由 0x6BDA5 簇号开始,一共是 3F 个簇。
L+N+1 = 5 == 00,所以上述“运行(Run)数据列表”也是结束。(PS : 潘爱民在《深入解析Windows操作系统》里将 run 翻译为“行串”,实在受不了...)
最后验证一下我们对应 Ntldr 的分析:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
06BDA5000 E9 D5 01 EB 04 90 00 00 00 52 8B C3 0E 07 66 33 檎.??..R嬅..f3
06BDA5010 DB BA 01 00 E8 34 00 E9 51 01 2E 88 16 06 00 50 酆..?.镼..?..P
06BDA5020 66 0F B6 54 02 66 0F B7 04 66 F7 E2 66 C1 E8 04 f.禩.f.?f麾f凌.
06BDA5030 2E A3 07 00 8C C1 03 C8 8E C1 58 E8 30 00 0F 82 .?.屃.葞罼?..?
06BDA5040 05 00 E8 06 00 EB F4 5A E9 8D 01 8B CA 8B D0 52 ..?.媵Z閸.嬍嬓R
06BDA5050 51 06 66 53 8A 44 02 FF 1D 66 5B 07 8C C1 2E 03 Q.fS奃.�.f[.屃..
06BDA5060 0E 07 00 8E C1 59 5A 42 E2 E5 4A 8B C2 C3 66 53 ...幜YZB忮J嬄胒S
06BDA5070 66 53 50 E8 CA 00 E8 3A 00 66 8B C8 58 66 8B DA fSP枋.?.f嬋Xf嬟
06BDA5080 E8 80 00 66 5B 83 FA FF 0F 85 05 00 33 D2 F9 EB 鑰.f[凓�.?.3淫?
06BDA5090 1F 8B C2 50 E8 A9 00 66 3B C8 0F 84 03 00 E8 12 .嬄P瑭.f;??.?
06BDA50A0 00 66 0F B7 0C 66 03 CB 66 8B DA 58 E8 28 00 F8 .f.?f.薴嬟X?.?
06BDA50B0 66 5B C3 66 50 66 52 66 51 66 53 06 66 0F B7 4C f[胒PfRfQfS.f.稬
06BDA50C0 03 66 03 C8 66 89 4D 08 B0 02 FF 5D 04 07 66 5B .f.萬塎.?�]..f[
06BDA50D0 66 59 66 5A 66 58 C3 50 66 51 33 C9 E8 24 00 41 fYfZfX肞fQ3设$.A
06BDA50E0 83 FA FF 0F 84 16 00 40 3B C2 0F 85 0F 00 66 58 凓�.?.@;??.fX
06BDA50F0 66 50 66 3B D8 0F 83 04 00 8B C2 EB DF 8B D1 66 fPf;??.嬄脒嬔f
06BDA5100 59 58 C3 50 26 67 8B 13 2E 80 3E 06 00 00 0F 84 YX肞&g?.€>....?
06BDA5110 1E 00 24 01 0F 84 05 00 C1 EA 04 66 43 66 43 81 ..$..?.陵.fCfC?
06BDA5120 E2 FF 0F 81 FA F8 0F 0F 82 13 00 BA FF FF EB 0E ?.侜?.?.?�?
06BDA5130 66 83 C3 02 83 FA F8 0F 82 03 00 BA FF FF 58 C3 f兠.凓??.?�X?
06BDA5140 66 51 66 0F B7 C0 2E 80 3E 06 00 00 0F 84 0B 00 fQf.防.€>....?.
06BDA5150 66 8B C8 66 D1 E8 66 03 C1 EB 03 66 D1 E0 66 0F f嬋f谚f.岭.f燕f.
06BDA5160 B7 0C 66 33 D2 66 F7 F1 66 59 C3 66 50 66 53 66 ?f3襢黢fY胒PfSf
06BDA5170 51 66 0F B7 4C 08 0B C9 0F 85 04 00 66 8B 4C 15 Qf.稬..??.f婰.
06BDA5180 66 0F B6 5C 05 66 0F B7 44 0B 66 F7 E3 66 2B C8 f.禱.f.稤.f縻f+?
06BDA5190 66 0F B7 44 06 66 C1 E0 05 66 0F B7 1C 66 03 C3 f.稤.f拎.f.?f.?
06BDA51A0 66 48 66 33 D2 66 F7 F3 66 2B C8 66 0F B7 44 03 fHf3襢黧f+萬.稤.
06BDA51B0 66 2B C8 66 8B C1 66 0F B6 4C 02 66 33 D2 66 F7 f+萬嬃f.禠.f3襢?
06BDA51C0 F1 32 D2 66 3D F5 0F 00 00 0F 83 02 00 FE C2 66 ?襢=?...?.f
06BDA51D0 59 66 5B 66 58 E9 42 FE BB 30 2F C1 EB 04 8C C8 Yf[fX锽0/岭.屓
06BDA51E0 03 C3 8E D0 BC 28 15 52 8E D8 8E C0 66 0F B7 D0 .脦屑(.R庁幚f.沸
06BDA51F0 66 C1 E2 04 66 81 C2 80 1D 00 00 66 89 16 BE 0C f菱.f伮€...f??
06BDA5200 33 ED 66 0F B7 ED 66 0F B7 E4 8C 1E BC 15 E8 FF 3韋.讽f.蜂???
06BDA5210 16 66 68 00 00 00 00 66 9D 8B DC 8B 57 02 33 C0 .fh....f潒軏W.3?
06BDA5220 8E E8 8E C0 6A 30 0F A1 FA 0F 01 16 A8 15 0F 01 庤幚j0.→...?..
06BDA5230 1E B0 15 BE 6C 1D C7 44 02 68 00 BE 68 1D C7 44 .?緇.荄.h.緃.荄
06BDA5240 02 68 00 0F 20 C0 0B D2 0F 84 0F 00 66 0D 01 00 .h.. ???.f...
06BDA5250 00 80 0F 22 C0 87 DB 90 EB 0D 90 66 83 C8 01 0F .€."绹蹛?恌內..
06BDA5260 22 C0 87 DB EB 01 90 6A 58 68 6D 02 CB B8 60 00 "绹垭.恓Xhm.烁`.
06BDA5270 8E D8 8E D0 33 DB 0F 00 D3 0B D2 0F 85 06 00 BB 庁幮3?.???.?
06BDA5280 28 00 0F 00 DB C3 C8 00 00 00 57 56 1E 06 C4 7E (...勖?..WV..膥
......... .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
此时,0x6BDA5 簇里面显然就是 Ntldr 的数据了(可以参见我的这篇随笔:《也谈用Bochs调试NTLDR》http://advdbg.com/blogs/advdbg_system/articles/441.aspx),ntfsboot.asm 的关键任务就是要将它一字不差的 load 进内存,当然,前提就是解析与定位。
最后,让我们再实践一下,下面这个特性也是 NTFS 比较有趣的地方 —— 对于小数据的文件,NTFS 将数据内容直接存储在 MFT 中,和 FAT 相比,这样做既省空间 (免得小文件占用一个簇) 又省时间 (省去了文件内容的定位过程)。
以MFT #27 号文件为例:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0C0006C00 46 49 4C 45 30 00 03 00 37 C5 11 E2 00 00 00 00 FILE0...7??...
0C0006C10 D6 02 01 00 38 00 01 00 78 01 00 00 00 04 00 00 ?..8...x.......
0C0006C20 00 00 00 00 00 00 00 00 04 00 00 00 1B 00 00 00 ................
0C0006C30 5C 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00 /...........`...
0C0006C40 00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 ........H.......
0C0006C50 A2 A8 2A C7 46 99 C8 01 FC 1C 7D 56 8D CF C8 01 ⅷ*荈櫲.?}V嵪?
0C0006C60 94 59 4E 2E BA CF C8 01 E0 94 49 2E BA CF C8 01 擸N.合?鄶I.合?
0C0006C70 26 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 &...............
0C0006C80 00 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 ....t...........
0C0006C90 28 A5 EF 0C 00 00 00 00 30 00 00 00 78 00 00 00 (ワ.....0...x...
0C0006CA0 00 00 00 00 00 00 03 00 5A 00 00 00 18 00 01 00 ........Z.......
0C0006CB0 81 76 00 00 00 00 0F 00 A2 A8 2A C7 46 99 C8 01 乿......ⅷ*荈櫲.
0C0006CC0 FC 1C 7D 56 8D CF C8 01 FC 1C 7D 56 8D CF C8 01 ?}V嵪??}V嵪?
0C0006CD0 E0 94 49 2E BA CF C8 01 48 00 00 00 00 00 00 00 鄶I.合?H.......
0C0006CE0 41 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 A...............
0C0006CF0 0C 03 41 00 30 00 30 00 39 00 33 00 38 00 38 00 ..A.0.0.9.3.8.8. /* 文件名 */
0C0006D00 37 00 2E 00 69 00 6E 00 69 00 00 00 60 00 00 00 7...i.n.i...`...
0C0006D10 80 00 00 00 60 00 00 00 00 00 18 00 01 00 01 00 €...`...........
0C0006D20 41 00 00 00 18 00 00 00 5B 2E 53 68 65 6C 6C 43 A.......[.ShellC
0C0006D30 6C 61 73 73 49 6E 66 6F 5D 0D 0A 43 4C 53 49 44 lassInfo]..CLSID
0C0006D40 3D 7B 36 34 35 46 46 30 34 30 2D 35 30 38 31 2D ={645FF040-5081-
0C0006D50 31 30 31 42 2D 39 46 30 38 2D 30 30 41 41 30 30 101B-9F08-00AA00
0C0006D60 32 46 39 35 34 45 7D 0D 0A 00 00 00 00 00 00 00 2F954E}.........
0C0006D70 FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00 ����倅G.........
0C0006D80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006D90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006DA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006DB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5C 00 ............../.
0C0006E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006E90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006EA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006EB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006EC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006ED0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006EE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006EF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006F90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006FA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006FB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006FC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006FD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006FE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0C0006FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5C 00 ............../.
还是按照刚才分析 Ntldr 的步骤:
81 76 00 00 00 00 0F 00 解析为:第 30337 号条目,nfi.exe 告诉我们:
File 30337
/System Volume Information/_restore{B546FFD0-E3B9-4B2D-AFB2-DD50CA238520}/RP189
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
......
文件名为:
0C0006CF0 0C 03 41 00 30 00 30 00 39 00 33 00 38 00 38 00 ..A.0.0.9.3.8.8.
0C0006D00 37 00 2E 00 69 00 6E 00 69 00 00 00 60 00 00 00 7...i.n.i...`...
所以,这个文件是:
/System Volume Information/_restore{B546FFD0-E3B9-4B2D-AFB2-DD50CA238520}/RP189/A0093887.ini
00 00 18 00 01 00 01 00 告诉我们,这个文件的属性头是“常驻且没有属性名”。
41 00 00 00 18 00 00 00 告诉我们,这个属性的长度是 0x41。
紧接着,该文件的内容便是:
5B 2E 53 68 65 6C 6C 43 .......[.ShellC
0C0006D30 6C 61 73 73 49 6E 66 6F 5D 0D 0A 43 4C 53 49 44 lassInfo]..CLSID
0C0006D40 3D 7B 36 34 35 46 46 30 34 30 2D 35 30 38 31 2D ={645FF040-5081-
0C0006D50 31 30 31 42 2D 39 46 30 38 2D 30 30 41 41 30 30 101B-9F08-00AA00
0C0006D60 32 46 39 35 34 45 7D 0D 0A 00 00 00 00 00 00 00 2F954E}.........
简析一下,这种存储做法节约了大量的空间,但是在该 MFT 内部,仍存在 0x60 - 0x18 - 0x41 个字节的浪费。
有了思路,转化为代码 + Debug 是力气活了...
NUPT WANGyu aka. keenjoy95
posted on 2008年7月29日 14:18 由 WANGyu
扫一扫
640
到【灌水乐园】发言
# re: NTFS短文一则 @ 2008年7月29日 23:12
分析的很不错,特别是排版很工整。关于其中的“ret 倒车”,这是ret指令的一个很有趣的用法,很多底层的软件都使用这种方法进行特殊的跳转。不太理解的朋友,看一下《软件调试》中关于CALL和RET指令的解释(22.3.2,P591)。Raymond
# re: NTFS短文一则 @ 2008年7月30日 8:27
^_^还有就是 nfi.exe 这个小程序,微软提供了符号,值得反汇编学习。
WANGyu
# re: NTFS短文一则 @ 2008年7月30日 22:03
对的,nfi是从NT时代就包含在OEM Support工具包中的一个经典工具。例如,我手头的Support Tools for Windows NT and Windows 2000, Release 3中,就有这个工具,和它的符号文件,并且同时有.dbg版本和.pdb版本。在这个包中还有一个非常好的工具叫kanalyze,它是今天的!analyze命令的前身。不过,kanalyze的很多功能和灵活的可配置性和支持插件的能力已经都不在了。Raymond
# re: NTFS短文一则 @ 2008年8月1日 10:05
早上逆了一下 nfi.exe,这程序果然不难。因为这种“分析类”软件,其核心就是数据结构的解析,抓住了数据结构就能抓住它的根基。简析一下:
例程LocateSectorInNtfsFile()是处理的入口;例程pNtfsMftOperations()为循环解析MFT结构;例程 pNtfsReadFrs()读取了每一个文件记录(循环在上一层来做);例程pNtfsPrintTypeCode()是一个Switch-Case,用于解析当前的属性类型(循环也是在上一层来做);
;
; 这段代码判断某个属性 Body 的 +08H 偏移处是否为 1 (0 表示 resident;1 表示 nonresident)
; loc_1002257 分支是“(resident)”的打印例程。
;
.text:01001E2C loc_1001E2C: ; CODE XREF: pNtfsMftOperations+17Aj
.text:01001E2C ; pNtfsMftOperations+19Aj
.text:01001E2C mov al, [ebx+8]
.text:01001E2F cmp al, 1
.text:01001E31 mov eax, [esp+254h+arg_14]
.text:01001E38 jnz loc_1002257
.text:01001E3E test eax, eax
.text:01001E40 jz short loc_1001E51
.text:01001E42 push 0 ; hMem
.text:01001E44 push 161h ; dwMessageId
.text:01001E49 call DisplayMessage
.text:01001E4E add esp, 8
;
; 这段代码判断一个文件记录的属性类型解析是否全部结束 (结束标志位为:0FFFFFFFFh)
;
.text:010020E1 loc_10020E1: ; CODE XREF: pNtfsMftOperations+619j
.text:010020E1 ; pNtfsMftOperations+62Ej
.text:010020E1 add ebx, [ebx+4]
.text:010020E4 mov [esp+254h+var_234], ebx
.text:010020E8 cmp dword ptr [ebx], 0FFFFFFFFh
.text:010020EB jnz loc_1001DB1
.text:010020F1 jmp short loc_1002131
对于非常驻的属性来说(例如某些$DATA)还需要解析它们的实际位置信息,大致的流程我上面的文章里有写,完成该功能的函数是pNtfsLcnFromMappingPair()以及pNtfsVcnFromMappingPair()。
WANGyu