The first paragraph is the boot sector,
CodePudding user response:
To specify the drive letter writing, only discuss FAT32:Bootsect. Exe when preparing processing, according to the first file system, a new distribution space, including the size of FAT32 file system is 0 x600,
Then read it partitions the first sector (sector size during preparation through NtQueryVolumeInformationFile access), read the space at the beginning,
Before the judge to see 3 bytes is how to write a jump instruction, the location of the boot code is calculated according to the relative position, and then, through its built-in hexadecimal data selection for corresponding to the file system (FAT32) of the data, after the data corresponding to the location of all the data is copied to the allocated space before,
The next process is somewhat special, especially to determine whether the next FAT32, then if is FAT32, will allocate space in the first sector within the first sector data is written to the size of a partition, and then set the file pointer to the 0 x1800 (12th sector location), from 0 x400 in assigned space (third sector starting position), and then write a sector size data to disk, end of the writing process,
Then it's not understand, why it specifically to write data in 12th sector location,,,
Stick down analysis code section for a while, so that reference can see I have any errors in the analysis at the same time,
CodePudding user response:
First it when dealing with command line parameters, according to/NT52,/NT60 judge whether it is the use of compatible BOOTMGR or compatible with the boot sector of the NTLDR content,
PBootmgr and pNtldr should be __int32 * * secondary pointer,
After that, it has a process, according to the partition plate operator to obtain the corresponding namespace object name (should be), similar to the \ \ Harddisk \ Volume... The impact is not big, what should be,
Skip a lot of code directly after the write partition preparation section, try to call a function determine the file system type
See the first NtQuery... Where access to the file system type, and then recorded in v6, can see the values are respectively 0: FAT, 1:2: FAT32, NTFS, 3: other
Then the second NtQuery... There, get the size information, the file system type is returned to the fstype variables, each sector bytes returned to bytesPerSector
Above it to VolumeInformation the variable analysis of some problems, should be a void * pointer, pointing to a structure of the first address, the first address of the members to use, but by IDA recognition into a char variable, look at the disassembly parts can see
VolumeInformation and var_C two variables
Pay attention to the back of the migration, one is ebp - 0 x20, one is the ebp 0 xc, then in the structure is
0000 VolumeInformation
0004
0008
.
0014 var_C
There needs to be under reference NtQueryVolumeInformationFile document,
You can find a structure
The LARGE_INTEGER is 8 bytes, ULONG, 4 bytes 0 x14=20=8 + 8 + 4, then actually var_C is BytesPerSector in structure, each sector of bytes,
Then come back, then look after code, according to the different file system type to determine which built-in allocated space size and use the boot sector data,
Which corresponds to the size of the FAT32 is 0 x600, boot sector data, in the previous screenshots pBootMgr and pNtldr pointer to the three respectively, according to the situation, choose the corresponding assigned to v6, then will be assigned to bootsect_template variables, that is me how do you determine the data before the origin of the corresponding relationship with the file system,
The size should be aligned (for example, may be a sector of 512 bytes), and spatial distribution, etc., should be no problem, please let us know if you have any questions
Attempt to lock file (partition), if lock fails to uninstall, including fscontrol function call is NtFsControlFile
Then the first sector read data to the allocated space, then according to the partition type (and FAT/FAT32 file system to judge according to the beginning of the jump instruction) locate the boot code to write, and then the data in the built-in template, starting from that position, everything after the kao to allocate space,
Then set the file pointer to the beginning, and then it determine the file system type
Then we go downwards see FAT32 part code
Wrote the first sector data, and then set the file pointer to the 12th sector position, jump to write_sectors,
Explain, to FAT, NTFS file system, which is wrote before preparing the content directly to the partition, but special the FAT32, write head sector data first, and then ignoring the second sector data in prepared data, and write the third sector data directly to the 12th sector of the partition, the second step and FAT, NTFS write overlap, that should not need to explain, is not the same as the file pointer and bufBootsector),
Remove partition lock, after finishing, the function returns,
General process in this way,
CodePudding user response:
Less preach a picture
CodePudding user response:
Then write a second piece of data is it?CodePudding user response:
FAT32 Bootmgr part hexadecimal data
Hex
0 x200 ~ 0 x3ff is the first sector content, boot sector, 0 x400 ~ 0 x5ff is evidently FAT32 Fs Information, this part does not have written
Next, it is the second Duan Dongxi, don't know what data
Ntldr and of the same, the difference seems to be changed BOOTMGR Ntldr, boot code section, write a second piece of data no distinction,
Could someone please help explain the second paragraph what meaning? Writes 12 sectors, but the FAT32 document didn't see the corresponding specification, :)
CodePudding user response:
These graphs, the first segment 0 x200 ~ 0 x3ff
The second paragraph, the unknown things
