Email Password Remember me?  Lost your password?

• Download source and binary - 287.47 KB

Introduction

This is a tool to read and write raw disk sectors on Windows systems (NT5.0, 5.1 kernels)
Inspiration to write this tool came to me when I had my laptop infected with some malware which was sitting on top of disk class driver as an upper filter and not allowing me to write to disk sectors using user mode disk editing tools like WinHex.

After a few days, I thought I should write a utility to read and write raw disk sectors by directly
communicating with disk class driver.

Background

To understand this article, one should have knowledge of C Programming and Windows Driver Programming.

We will go through the following topics to understand the utility in a better way:

1. Device stack for storage drivers
2. Enumerating device objects representing disks and partitions
3. How to read/write to sectors

1. Device Stack for Storage Drivers

Microsoft provides generic storage drivers for managing the storage on a logical level and thus abstracting hardware details from upper level file system and other file drivers. This is called disk class driver (a driver to handle disk class of hardware, i.e. "disk.sys").

Similarly to handle SCSI, IDE hardware devices, Microsoft provides generic port interface drivers to which drivers supplied by specific vendors for their disk devices can be dynamically linked.

E.g. scsiport.sys (old interface) storport.sys (new interface) is used as an interface to SCSI port while Pciidex.sys is used as an interface to IDE port.

2. Enumerating Device Objects Representing Disks and Partitions

There is a question which needs to be answered first.

How does the OS come to know that a harddisk has been attached to the system?

Whenever a new disk device is attached to the system, SCSI and IDE port drivers create device object (although PCI driver is the first one which comes into the picture) to represent a SCSI/IDE device and inform I/O manager about it. I/O manager in turn queries the devices to know their device id and vendor id. Depending on dev id and vendor id, I/O manager decides (through registry or INF file mechanism) which driver is suitable to handle this device (driver supplied by vendor) and loads the hardware device driver which creates device objects representing the Functions device objects for the device and attaches itself to lower devices created by respective port drivers.

I/O manager informs disk class driver (disk.sys) of new disks added into the system. Disk class driver then creates the device objects representing the raw disks.

If a valid partition is present on the system, then it creates device objects for the respective partitions too.

E.g. Device objects created by disk class driver are as follows:

• \Device\Harddisk0\DR(0) --> Represents Raw Harddisk 0
• \Device\Harddisk0\DP(1)0x7e000-0x7ff50c00+2 --> Represents partition 2 of disk 0

The first hexadecimal digit shows the start and thsecond shows the length of partition.

That means all the device objects representing disks and partitions are chained in driver object of disk class driver (i.e. disk.sys).

Now to enumerate the device objects created, you first need to have access to the driver object of disk class driver.

The solution is to use undocumented Object management kernel function "ObReferenceObjectByName" prototype:

NTSTATUS ObReferenceObjectByName(
        PUNICODE_STRING, 
        DWORD, 
        PACCESS_STATE, 
        ACCESS_MASK,
        POBJECT_TYPE,
        KPROCESSOR_MODE,
        PVOID,
        PVOID *Object); 

The first argument is a Unicode string, i.e. "\Driver\disk", object receives the pointer to the DRIVER_OBJECT of disk.sys.

From DRIVER_OBJECT, you can enumerate all the device objects created by disk class driver and store pointer to device objects responsible for raw disks and partitions. The following snippet will clear the things:

PDEVICE_OBJECT pDeviceObject;
  ..... 
// DeviceType 7 corresponds to FILE_DISK_DEVICE Type Device Object and

 // It should have name too that's why Flags checks for 0x40 (DO_DEVICE_HAS_NAME )

                if (pDeviceObject->DeviceType == 7
                        && (pDeviceObjectTemp->Flags & 0x40))

3. How to Read/Write to Sectors

Once you have pointers to device objects for raw disks and partitions, reading and writing to those raw disks/partitions is not a difficult thing. You only have to do a IoCallDriver on the respective device object with IRP_MJ_READ/IRP_MJ_WRITE function codes initialized in the IRPs.

The following code will make things clear:

LARGET_INTEGER lDiskOffset; 

PDEVICE_OBJECT pDevObj; //Device object representing disk/partition

KEVENT Event; 

// Trying to read some arbitrary sector number 1169944 and 
// by default assuming sector size 

// 512 

..........

..........

        lDiskOffset.QuadPart = 1169944*512;
        sBuf = ExAllocatePool(NonPagedPool, size);
        
        if (!sBuf) {
            ObDereferenceObject(pFileObj);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        KeInitializeEvent(&Event, NotificationEvent, FALSE);
        memset(sBuf, '0x00', size);
        pIrp = IoBuildSynchronousFsdRequest(IRP_MJ_WRITE/*IRP_MJ_READ*/, 
			pDevObj, sBuf, size, &lDiskOffset, &Event, &ioStatus);
        
        
        if (!pIrp) {
            ExFreePool(sBuf);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        
        status = IoCallDriver(pDevObj, pIrp);

        if (status == STATUS_PENDING) {
            KeWaitForSingleObject(&Event, Executive, KernelMode, FALSE,    NULL);
            status = ioStatus.Status;
        }
        ExFreePool(sBuf);

.......... 

Given above is just a sample code for sending a write operation to sector number 1169944.

Points of Interest

While writing the code, I was just doing a READ operation for verifying my results. I didn't take care while passing data buffer for write operations in the design (Please see driver code for more explanations). So I implemented an ugly hack for passing user mode buffer for write operations. I will improve it in future releases.

History

• 2^nd August, 2008: Initial post

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Read/Write 1-2 Bytes in MBR only BrianPeterson 19:44 19 Nov '09   I am looking to write a file filter for disk.sys that needs to attach to the creaton process before the operating system gains access to the disk/partition. However, I only need to read/write one-two bytes in the MBR nothing more and I am not very clear on the ASM/C required to do this. Hopefully this example will clarify my intentions. I need to layer the file filter for disk.sys so that when the Disk class driver creates the device objects representing the raw disks (any). \Device\Harddisk0\DR(0) --> Represents Raw Harddisk 0 it looks in the raw disk MBR at track 0, side 0, sector 1, offset 0x01BC (optionally 0x01BC-0x01BD) and reads the value there and or writes a value to the same location. dkg0414, your program got me in the right area for conducting this, but I only want to deal with those two bytes not all 512. Any thoughts you can provide would be helpful. Sign In·View Thread·PermaLink Re: Read/Write 1-2 Bytes in MBR only dkg0414 20:04 19 Nov '09   Hey Brian, disk.sys is disk class, so filter would be a disk class filter driver. file filter are filters above the filesystems. I wrote this thing for special cases in which there is some malware sitting and guarding some specific sectors/clusters on volume. If you want to write to do some operations on MBR or Boot Sector, easy approach would be do a CreateFile on "\\.\\PhysicalDriveX" where X is the disk number (and not drive/partition number). Then read (ReadFile) out the first sector (which will be MBR) in a buffer, modify the bytes which concern you and do a WriteFile on offset 0. I am not sure whether this approach will work on vista and later 64bit versions (I think it should work, since you are only modifying MBR or boot sector of partition) I hope it will help. Regards Deepak/dkg0414 Sign In·View Thread·PermaLink Disk/Partition Sectors trlacey 9:23 28 Oct '09   Hi. Thanks. It looks like you're doing everything right here, but oddly, I'm getting far different numbers than what this driver is returning. When I read sector 0, I get the main boot record which starts with 3 numbers and then the ASCII representation for NTFS. This software seems to be pulling data from a sector other than Logical Block Address 0. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors dkg0414 21:11 29 Oct '09   Can you post your command which you are executing to get the data? Sign In·View Thread·PermaLink Re: Disk/Partition Sectors trlacey 8:48 30 Oct '09   Hi Deepak, Thanks. Certainly. I'm just calling ReadFile() from a Win32 usermode app on Windows Vista. The subroutine is below. Maybe I'm missing something, but I can't see what could possibly be different. When I read sector 0 using this subroutine, I get the MBR of my drive. When I use your driver to read raw disk sector 0, I get an entirely different set of numbers. But it must be reading a sector somewhere, because I can see the sector fixup in the data that your driver returns. Odd. I'm still working on the problem. There's always a reason. DWORD ReadSector(LPSTR volume, ULONGLONG sector, unsigned char *q) { ULONGLONG ull, ull1; unsigned long ul, ul1; unsigned long bytesread = 0; unsigned long sectorsize = 512; char sstr[STRINGLENGTH], device[STRINGLENGTH]; HANDLE hDriver; strcpy_s(device, volume); _strupr_s(device); hDriver = CreateFile(device, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0); if(hDriver != INVALID_HANDLE_VALUE) { ull = sector * sectorsize; ul = (unsigned long) ull; ull >>= 32; ul1 = (unsigned long) ull; SetFilePointer(hDriver, ul, (PLONG) &ul1, FILE_BEGIN); if(!ReadFile(hDriver, q, sectorsize, &bytesread, NULL)) { sprintf_s(sstr, sizeof(sstr), "Error reading sector. Error = %d", GetLastError()); PleaseWait(sstr); } CloseHandle(hDriver); } else { sprintf_s(sstr, sizeof(sstr), "Error opening driver %s", volume); PleaseWait(sstr); } return(bytesread); } Sign In·View Thread·PermaLink Re: Disk/Partition Sectors dkg0414 21:29 31 Oct '09   What is the Volume name here, I mean the input to your ReadSector function. I think you are giving input here as \\.\PhysicalDriveX. And what are you giving inputs to the "DiskSector" utility. Is /disk or /partition? /disk is for the entire disk starting from sector 0 while /partition is from the starting of partition which will not be starting of the disk. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors trlacey 4:58 1 Nov '09   Hi Deepak, The volume names are \\.\PhysicalDriveX and \\.\X: They both work. I'm reading drives 0 and 1 ( c: and d: ). They both have an MBR on sector 0. (d: is a bootable drive as well). I can see the MBR's and the MFT's, etc. on both drives. I run your software with the command line: disksector /disk 1 /read 0 Totally different numbers on sector 0. It's really odd. As far as I can tell, everything looks correct in your source code. Can you see your MBR using this software? I have no idea yet what I could be doing wrong. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors dkg0414 19:35 1 Nov '09   hmm ok. AFAIK, MBR is just one, it can't be present on both the drives. Infact it is not at all present on drives (partitions). I think you are talking about Boot Sector (or Boot Record) of specific drives (partitions). MBR stands for Master Boot Record and is present on the start of properly partitioned hard disk. MBR contains info about partitions on the hard drive in a Partition Table (Like start and end of partition, type of partition, etc). It contains other info also (I dont remember offhand right now). Typically after 64 starting sectors (it is a typical value, it can vary also), first partition area starts. So when you read \\.\PhysicalDriveX, you are reading from the starting of the harddisk (i.e MBR will be read). When you read drives i.e (\\.\C:\), then you are reading at a offset on the harddisk (typically 64 sectors as said above) and it's first sector will be a boot sector (if bootable partition). Ok So far so good. Now about the my utility. Below I have pasted the usage of utility again. DiskSector {/disk | /partition} <rawdisk number | partition number> {/read | /write} <sectornumber> {/unload} Options Meanings :-- {/disk | /partition} <rawdisk number | partition number> Disk and Parition options are mutually exclusive Disk numbering starts from 0 while partition starts from 1 {/read | /write} <sectornumber> Read and Write options are mutually exclusive Sector numbering starts from 0 {/unload} This option simply unloads the support driver e.g "DiskSector /disk 0 /read 0" will read raw sector 0 of harddisk 0 From the above usage it is evident that I am referring /disk as the physicaldrive (i.e the hard disk) and it's numbering starts from 0 (and not 1) while /partition refers to partitions (i.e drives) and their numbering starts from 1 (and not 0). I hope all above helped, please forgive me if all above was confusing Sign In·View Thread·PermaLink Re: Disk/Partition Sectors trlacey 6:00 2 Nov '09   Thanks Deepak. Sorry. Yes, I meant Boot Sector. The command line I'm using is: disksector /disk 1 /read 0 The response is this: 33C0 8ED0 BC00 7C8E C08E D8BE 007C BF00 06B9 0002 FCF3 A450 681C 06CB FBB9 0400 .... 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 55AA When I use ReadFile() to read the same sector from the same drive the response is this: EB52 904E 5446 5320 2020 2000 0208 0000 0000 0000 00F8 0000 3F00 FF00 0008 0000 .... 6F20 7265 7374 6172 740D 0A00 0000 0000 0000 0000 0000 0000 809D B2CA 0000 55AA Note the fixups are the same, and the output from ReadFile() contains the NTFS designator after the first 3 bytes, which is correct. I can't figure out where the data from your utility is coming from. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors dkg0414 7:19 2 Nov '09   hmm Are you intending to read the first disk attached (i.e PhysicalDrive0) to your system? If yes then your command line should be "disksector /disk 0 /read 0" I already told you that disk numbering starts from 0, 1, 2 and so on. Let me know if you were intending to read first disk of your system. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors trlacey 7:25 2 Nov '09   Thanks Deepak. No, I was reading drive D: "/disk 1". But I've tested both drives with both pieces of software. Same results on both drives. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors dkg0414 7:36 2 Nov '09   Ok since you are reading a drive, it is a partition and not a physical disk. Even if it is on a different disk, you should specify it as partition. try "/partition 2". See usage correctly, partition numbering starts as 1,2,3,... while disk numbering starts as 0,1,2,... Sign In·View Thread·PermaLink Re: Disk/Partition Sectors trlacey 7:37 2 Nov '09   Again, The command line I'm using is: disksector /disk 1 /read 0 Does that not read a raw disk sector? Sign In·View Thread·PermaLink Re: Disk/Partition Sectors dkg0414 7:43 2 Nov '09   There is a difference between disk and drives. With disk here I am talking about here as physical disks as exposed by the storage stack. While partition are different partitions on the hard drive. If you intend to read a drive, you need to give /partition option. If you are reading a physical drive then you need to give /disk option. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors trlacey 8:09 2 Nov '09   I don't think you're understanding what I'm saying Deepak. I have two disk drives. \\.\PhysicalDrive0 is disk drive c: and \\.\PhysicalDrive1 is disk drive d: I've tested everything thoroughly using the ReadFile() command. Everything corresponds to the literature regarding what an NTFS raw disk drive should look like. I'm reading sector 0, the Boot Sector from both drives. Let's stop the confusion here and talk about the first disk. \\.\PhysicalDrive0. What command do you use to read the Boot Sector, raw disk sector 0, on your 1st physical drive. And when you do read it, do you see the Boot Sector, or something else? By Boot Sector, I mean this: http://www.ntfs.com/ntfs-partition-boot-sector.htm This should be in sector 0 of your first physical drive. This is what I see when I use the ReadFile() command. Sign In·View Thread·PermaLink Re: Disk/Partition Sectors trlacey 8:17 2 Nov '09   If I use: disksector /partition 1 /read 1 I get error code 1167. Sign In·View Thread·PermaLink 1.00/5 Reading from pendrive and sd card pawloch 5:43 10 Oct '09   I'd like to read sectors from my SD card and i have problem - it is recognized as disk but calling DiskSector /disk 1 /read 0 returns "DeviceIoControl Failed and error code is 1167". it means that the resource may be out of sync. Is there sth. I can do about that? (sorry for my english) Sign In·View Thread·PermaLink Build error with DDK 7600.16385.0 ysahn 9:05 17 Sep '09   1>errors in directory c:\disksector\src\exe 1>link : error LNK2001: unresolved external symbol _mainCRTStartup 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol _strncat referenced in function _cleanupDriver@0 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol _printf referenced in function _uninstallDriver@0 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol _memset referenced in function _uninstallDriver@0 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol _free referenced in function _DoDeviceIoCtl@24 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol _getc referenced in function _DoDeviceIoCtl@24 1>c:\disksector\src\exe\sector_io.obj : error LNK2001: unresolved external symbol __iob 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol _malloc referenced in function _DoDeviceIoCtl@24 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol _strtoul referenced in function _main 1>c:\disksector\src\exe\sector_io.obj : error LNK2019: unresolved external symbol __strtoui64 referenced in function _main 1>c:\disksector\bin\fre_wxp_x86\i386\disksector.exe : error LNK1120: 10 unresolved externals Can you recommend what to change to resolve the above link failure? Sign In·View Thread·PermaLink Re: Build error with DDK 7600.16385.0 dkg0414 9:27 17 Sep '09   You need to point to the correct lib path. I have not used 7600 DDK yet, but looks like their lib path has changed. Look into the SOURCES file and check out the LIBS, and try to find their location in 7600 DDK install path. Sign In·View Thread·PermaLink Re: Build error with DDK 7600.16385.0 Member 2310379 8:06 26 Oct '09   Just add this line to the sources file: USE_MSVCRT=1 Sign In·View Thread·PermaLink Access to \\.\PhysicalDrive0 jurasix 1:09 24 Jun '09   I would like to gain a read/write access to \\.\PhysicalDrive0 under Vista from within a virtual environment (for example vmware). I need this access on the physical sector level to do mainly read-operation in order to create backup-image of the whole device or partition. Would your code-example help me to get this working? Currently there is an access restriction under Vista, and any attempt to access \\.\PhysicalDrive0 ends up with access denied. Thanks in advance. Sign In·View Thread·PermaLink 2.00/5 Re: Access to \\.\PhysicalDrive0 dkg0414 6:25 24 Jun '09   hmm vista 32bit or 64bit. How are you calling CreateFile. Use these flags FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE in dwShared param of CreateFile. I really don't see any problem in opening handle to \\.\PhysicalDrive0 on my vista 32bit machine. Or you might have UAC enabled on your vista machine, Try disabling that UAC option from control panel. You should be able to read the PhysicalDrives using CreateFile API. Regards Deepak Sign In·View Thread·PermaLink Re: Access to \\.\PhysicalDrive0 jurasix 10:22 24 Jun '09   Dear Deepak, thank you very much for your reply! It was a nifty hint! Now I can access \\.\PhysicalDrive0 at least in read-only mode. But anyway, the question about read/write access is still open. The problem is, that I cannot control CreateFile() function because all this stuff runs within the VMware software. The only parameters that I can supply to VMware is the physical device "\\.\PhysicalDrive0" the geometry of this device and that the open mode should be "read-only" or "read-write". All other stuff I cannot control. In case of "read-write" mode I get "access denied" independently of any security setting. I think about some sort of adapter or filter (or dispatcher) sitting some were on the way to physical device and help me to bypass the read/write requests direct to driver ignoring the Windows control mechanisms. Is it possible? Sincerely. Sign In·View Thread·PermaLink Re: Access to \\.\PhysicalDrive0 dkg0414 10:51 24 Jun '09   If you will give dwShareMode = FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE and dwDesiredAccess = GENERIC_READ|GENERIC_WRITE, then also it (CreateFile) will open the handle for you. Now you are saying that you can't control the CreateFile. Can you control the "dwShareMode" that you pass to the VM machine. Or tell the software in VMWare to open the files with SHARE_DELETE, READ and WRITE access. If this is not possible, then probably you would need writing a driver which will be running on the VMMachine as filter driver and will attach to the volumes (see file system filter devpment guide) on system. This particular example is just for tutorial purposes and may crash. A properly developed filter will help you if you can't control the dwShareMode. Sign In·View Thread·PermaLink 3.00/5 Locked file and rootkits hooking IRP's My2Cents 15:45 7 Apr '09   It looks like you'r constructing IRP's for disk driver which is nice. Two questions: 1. Does this allows you to overwrite files in use. Probably does? 2. Rootkits hooking driver's IRP still can filter your calls, right? Sign In·View Thread·PermaLink

Last Visit: 1:21 21 Nov '09     Last Update: 1:21 21 Nov '09 12 Next »