2010年3月

日

一

二

三

四

五

六

留言簿(8)

随笔分类

随笔档案

文章档案

相册

test (12)

NDIS IFS

内核研究

基础知识

安全技术

操作系统

病毒技术

网络技术

逆向工程

驱动开发

搜索

阅读排行榜

评论排行榜

VC知识库BLOG 首页新随笔联系聚合登录

	随笔-21 文章-0 评论-85 Trackbacks-1

随笔-21 文章-0 评论-85 Trackbacks-1

FAT32文件系统格式浅析

A FAT file system volume is composed of four basic regions
which are laid out in this order on the volume:

0 – Reserved Region
1 – FAT Region
2 – Root Directory Region (doesn’t exist on FAT32 volumes)
3 – File and Directory Data Region

DBR就是我们的Boot扇区:

DBR的格式:
jmp $+$BPB_FAT32_END;
_emit NOP;

BPB label byte
......
BPB end

FAT32 label byte
.....
FAT32 end

$BPB_FAT32_END:
xor     ax, ax
mov     ss, ax
mov     sp, 7c00h
....
检查int13/int13扩展中断是否可用
读取BPB/FAT32信息
通过int13/int13扩展中断读取ntldr文件描述信息
再读取ntldr文件数据
jmp ntldr-OEP

org 510
dw 55h,AAh

BPB/FAT32中的主要信息(本机):
1个簇有           16个扇区(8192个字节)
1个磁道有         63个扇区
保留扇区          32个扇区(for DBR)
FAT               10235个扇区

所以根目录起始扇区 10235*2+32 = 20502, 起始簇号 2

/* FAT12/16中数据区的开始簇号是2,
/* FAT32中的没有根目录的概念就在此,
/* 只是把根目录算做数据区了

/* int13中断只能读取到8.4GB的数据, 再大就
/* 读不到了,int13扩展中断就是解决这个问题

            [FAT 32 Byte Directory Entry Structure]
Name Offset (byte) Size (bytes)   Description
DIR_Name         0         11          Short name.
DIR_Attr         11(0BH)   1           File attributes:
                                            ATTR_READ_ONLY 0x01
                                            ATTR_HIDDEN     0x02
                                            ATTR_SYSTEM     0x04
                                            ATTR_VOLUME_ID 0x08
                                            ATTR_DIRECTORY 0x10
                                            ATTR_ARCHIVE    0x20

                                            ATTR_LONG_NAME |ATTR_READ_ONLY | ATTR_HIDDEN |
                                            ATTR_SYSTEM | ATTR_VOLUME_ID The upper two bits
                                            of the attribute byte are reserved and should
                                            always be set to 0 when a file is created and
                                            never modified or looked at after that.
DIR_NTRes        12(0CH)    1           Reserved for use by Windows NT. Set value to 0 when
                                        a file is created and never modify or look at it
                                        after that.
DIR_CrtTimeTenth 13(0DH)    1           Millisecond stamp at file creation time. This field
                                        actually contains a count of tenths of a second.
                                        The granularity of the seconds part of DIR_CrtTime is 2
                                        seconds so this field is a count of tenths of a second
                                        and its valid value range is 0-199 inclusive.
DIR_CrtTime     14(0EH)    2           Time file was created.
DIR_CrtDate      16(10H)    2           Date file was created.
DIR_LstAccDate   18(12H)    2           Last access date. Note that there is no last access time,
                                        only a date. This is the date of last read or write.
                                        In the case of a write, this should be set to the same
                                        date as DIR_WrtDate.
DIR_FstClusHI    20(14H)    2           High word of this entry’s first cluster number
                                        (always 0 for a FAT12 or FAT16 volume).
DIR_WrtTime      22(16H)    2           Time of last write. Note that file creation is
                                        considered a write.
DIR_WrtDate      24(18H)    2           Date of last write. Note that file creation is
                                        considered a write.
DIR_FstClusLO    26(1AH)    2           Low word of this entry’s first cluster number.
DIR_FileSize     28(1CH)    4           32-bit DWORD holding this file’s size in bytes.

[公式:
1 根目录的位置 = 保留扇区 + FAT表所占的扇区 * FAT表个数 (扇区)

2 指定簇所在的位置 = 根目录所在扇区 + (簇号 - 根目录所在簇号)* 簇/扇数 (扇区)

3 指定簇在FAT表中的位置 = 保留扇区 * 扇区/字节 + 簇号*(簇在FAT表中描述所占的字节数) (字节)
]

(下面表述中簇号用10进制; 扇区号用10进制; 逻辑偏移用16进制; 工具WINHEX)

eg: 查找c:\windows\system32\ntoskrnl.exe的过程:

1) 定位根目录的位置: FAT*2 + Reserved = 10235*2+32 = 20502(扇区) ------ 0x000A02C00(逻辑偏移)
2) 读根目录中的数据(INT13),找到windows目录的描述

       Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
       000A036A0   57 49 4E 44 4F 57 53 20 20 20 20 10 00 46 F7 B1   WINDOWS    ..F鞅
       000A036B0   21 37 2B 37 00 00 F8 B1 21 37 03 14 00 00 00 00   !7+7..!7......

/* 对照上表,0BH位是0x10----是一个目录
/* 我感兴趣的只有它的簇号(14H & 1AH):0x00001403

    3) 找到Windows目录中的目录项所在的第一个簇号: 0x00001403 = 5123(簇)
       对应扇区号: 20502 + (5123 - 2) * 16 = 102438(扇区) ------ 0x003204C00(逻辑偏移)
       为啥要减2? 因为20502对应的2号簇!

       对应FAT表中的位置: Reserved*512 + 5123*4 = 0x0900C(逻辑偏移)
       Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
       000009000                                        64 46 00 00               dF..
       /* Windows目录表中的目录项所在的下个簇号: 0x00004664 = 18020(簇)

       下个簇号对应FAT表中的位置: Reserved*512 + 18020*4 = 0x015990(逻辑偏移)
       Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
       000015990   FF FF FF 0F                                        .
       /* 再下一下簇号是? 0x0FFFFFFF表示最后一个簇了

       /* 在上述两个簇中找System32的描述(运气真好,在第一簇中就找到了)
       Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
       003204C40   53 59 53 54 45 4D 33 32 20 20 20 10 08 49 F7 B1   SYSTEM32   ..I鞅
       003204C50   21 37 33 37 00 00 F8 B1 21 37 04 14 00 00 00 00   !737..!7......
       /* 对照上表,0BH位是0x10----是一个目录
       /* 我感兴趣的只有它的簇号(14H & 1AH): 0x00001404 = 5123(簇)

    4) 找到System32目录中的目录项所在第一个簇号: 0x00001404 = 5124(簇)
       对应扇区号: 20502 + (5124 - 2) * 16 = 102454(扇区) ------ 0x003206C00(逻辑偏移)

       对应FAT表中的位置: Reserved*512 + 5124*4 = 0x09010(逻辑偏移)
       Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
       000009010   7A 46 00 00                                        zF..
       /* System32目录表中的目录项所在的下个簇号: 0x0000467A = 18042(簇)

       在FAT表中继续找下去......
       System32目录表中的目录项所在的所有簇是:5124 18042 24684 47193 55087 62856 65459 54377 5884 5166


     5) 我们在18042簇中找到了Ntosrkrnl.exe的文件描述信息

       Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
       01F510700   4E 54 4F 53 4B 52 4E 4C 45 58 45 20 18 00 00 80   NTOSKRNLEXE ...€
       01F510710   9E 33 32 37 07 00 3C 00 61 36 5E 8F 00 96 20 00   ?27..<.a6^??.
       /* 对照上表,0BH位是0x20----是一个存档文件
       /* 我感兴趣的还有它的簇号(14H & 1AH):0x00078F5E

6) 找到Ntoskrnl.exe文件数据所在的第一个簇号: 0x00078F5E = 495454(簇)
对应扇区号: 20502 + (495454 - 2) * 16 = 7947734(扇区) ------ 0x0F28BAC00(逻辑偏移)

        对应FAT表中的位置: Reserved*512 + 495454*4 = 0x1E7D78(逻辑偏移)
        Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
        0001E7D70                            5F 8F 07 00 60 8F 07 00           _?.`?.
        0001E7D80   61 8F 07 00 62 8F 07 00 63 8F 07 00 64 8F 07 00   a?.b?.c?.d?.
        /* Ntosrkrnl.exe文件数据所在的下个簇号: 0x00078F5F = 495455(簇)
        在FAT表中继续找下去......

        我们来看一下Ntoskrnl.exe第一个簇中的数据:
        Offset       0 1 2 3 4 5 6 7   8 9 A B C D E F
        0F28BAC00   4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00   MZ?..........
        0F28BAC10   B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ?......@.......
        0F28BAC20   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
        0F28BAC30   00 00 00 00 00 00 00 00 00 00 00 00 D8 00 00 00   ............?..
        0F28BAC40   0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68   ..?.???L?Th
        0F28BAC50   69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F   is program canno
        0F28BAC60   74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20   t be run in DOS
        0F28BAC70   6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00   mode....$.......
        0F28BAC80   FE 3C 69 99 BA 5D 07 CA BA 5D 07 CA BA 5D 07 CA   ?i櫤].屎].屎].?
        0F28BAC90   79 52 5A CA BD 5D 07 CA BA 5D 06 CA ED 5D 07 CA   yRZ式].屎].薯].?
        0F28BACA0   79 52 08 CA ED 5D 07 CA 79 52 59 CA BB 5D 07 CA   yR.薯].蕐RY驶].?
        0F28BACB0   79 52 58 CA 3D 5F 07 CA 79 52 5B CA BB 5D 07 CA   yRX?_.蕐R[驶].?
      0F28BACC0   79 52 5D CA BB 5D 07 CA 52 69 63 68 BA 5D 07 CA   yR]驶].蔙ich篯.?
        0F28BACD0   00 00 00 00 00 00 00 00 50 45 00 00 4C 01 15 00   ........PE..L...

7) 很熟悉吧? 以上六步所有数据结果都是通过计算器算出来了,不是把WINHEX中的东西直接贴出来的

8) 现在知道为什么把ntldr放在系统根目录下的原因了吧?
快速定位,要在512个字节(其实远小于这个啦 BPB&FAT描述信息&出错提示信息也要占空间的)内搞定这些!!

(PS: 前段时间在网在看到一人说自己写了一个Rootkit,可以绕过所有anti-Rootkit软件的检测
     在别的系统下也看不到这个Rootkit, 只实现了FAT32系统下的, 估计就用到"隐藏扇区"的
     技术, 把此RootKit所在的簇在FAT表中的描述改为坏道——0x0FFFFFF7; 没拿到bin, 没
     有Disasm, 不敢断言)

参考资料《FAT32规范》
《细说IDE硬盘的容量限制》

洗澡睡觉~ windowssky by 20070920 02:17

posted on 2007-09-25 23:55 垃圾一堆阅读(4117) 评论(50) 编辑收藏

Comments

# kruhovpg
kruhovpg
Posted @ 2008-08-26 00:59
xclaloma http://hquwmfqa.com yzyikczc amybhfle <a href="http://vsbeajvh.com">qmwoiitr</a> [URL=http://wnkbuuro.com]fycqvmtd[/URL]
# uurxkxtn
uurxkxtn
Posted @ 2009-03-10 07:01
rpbcptjv http://ablilpjj.com vmmtkilj qojxraxg <a href="http://tyzkyupt.com">ivhxpldc</a> [URL=http://vihzeyik.com]badovbvl[/URL]
# cialis
cialis
Posted @ 2009-09-07 13:48
There is no revenge so complete as forgiveness.
# darvon
darvon
Posted @ 2009-09-07 13:50
The release of atomic energy has not created a new problem. It has merely made more urgent the necessity of solving an existing one.
# wellbutrin online
wellbutrin online
Posted @ 2009-09-07 13:52
There are admirable potentialities in every human being. Believe in your strength and your youth. Learn to repeat endlessly to yourself, 'It all depends on me.'
# generic cialis
generic cialis
Posted @ 2009-09-07 13:54
My philosophy is that not only are you responsible for your life, but doing the best at this moment puts you in the best place for the next moment.
# lortab
lortab
Posted @ 2009-09-07 13:54
Bear in mind that you should conduct yourself in life as at a feast.
# ambien online
ambien online
Posted @ 2009-09-07 13:56
It's innocence when it charms us, ignorance when it doesn't.
# buy xanax
buy xanax
Posted @ 2009-09-07 13:57
It's innocence when it charms us, ignorance when it doesn't.
# retin
retin
Posted @ 2009-09-07 17:31
As a scientist, I am not sure anymore that life can be reduced to a class struggle, to dialectical materialism, or any set of formulas. Life is spontaneous and it is unpredictable, it is magical. I think that we have struggled so hard with the tangible that we have forgotten the intangible.
# adipex
adipex
Posted @ 2009-09-07 17:38
Our deeds determine us, as much as we determine our deeds.
# seaway
seaway
Posted @ 2009-09-07 17:40
Anything looked at closely becomes wonderful.
# driveguide
driveguide
Posted @ 2009-09-07 17:42
A lifetime of happiness! No man alive could bear it: it would be hell on earth.
# fusil
fusil
Posted @ 2009-09-07 17:47
It is hard to fight an enemy who has outposts in your head.
# piezotransistor
piezotransistor
Posted @ 2009-09-07 17:50
Silent gratitude isn't much use to anyone.
# fnuqimwv
fnuqimwv
Posted @ 2009-09-08 06:20
elzyabzq http://kqsyyptm.com lukviqcc folzcwyq <a href="http://vgkjmmgs.com">mavhsdjj</a> [URL=http://rkluvfaw.com]ynjjtvma[/URL]
# generic levitra
generic levitra
Posted @ 2009-09-08 07:17
Thomas Jefferson once said, 'We should never judge a president by his age, only by his works.' And ever since he told me that, I stopped worrying.
# norvasc
norvasc
Posted @ 2009-09-08 07:20
He had learned over the years that poor people did not feel so poor when allowed to give occasionally.
# buy xanax online
buy xanax online
Posted @ 2009-09-08 07:27
The keenest sorrow is to recognize ourselves as the sole cause of all our adversities.
# lorazepam
lorazepam
Posted @ 2009-09-08 12:12
Computer Science is no more about computers than astronomy is about telescopes.
# hydrocodone
hydrocodone
Posted @ 2009-09-08 12:14
The two symbols of the Republican Party: an elephant, and a big fat white guy who is threatened by change.
# generic viagra
generic viagra
Posted @ 2009-09-08 12:19
In real life, unlike in Shakespeare, the sweetness of the rose depends upon the name it bears. Things are not only what they are. They are, in very important respects, what they seem to be.
# academe
academe
Posted @ 2009-09-08 12:24
Never esteem anything as of advantage to you that will make you break your word or lose your self-respect.
# cabman
cabman
Posted @ 2009-09-08 12:25
The freedom of all is essential to my freedom.
# neuropharmacology
neuropharmacology
Posted @ 2009-09-08 12:32
Be careful that victories do not carry the seed of future defeats.
# trzfnytp
trzfnytp
Posted @ 2009-09-08 19:27
<a href="http://jocyulke.com">iytjjxsp</a> zjwqnjuc http://ebqrvtdk.com hfwrmxjv hxbwlons [URL=http://iwkjvhhe.com]wyawqqsm[/URL]
# order xanax
order xanax
Posted @ 2009-09-09 01:30
I like coincidences. They make me wonder about destiny, and whether free will is an illusion or just a matter of perspective. They let me speculate on the idea of some master plan that, from time to time, we're allowed to see out of the corner of our eye.
# generic viagra
generic viagra
Posted @ 2009-09-09 01:32
All men are frauds. The only difference between them is that some admit it. I myself deny it.
# metformin
metformin
Posted @ 2009-09-09 01:35
Repetition does not transform a lie into a truth.
# generic viagra
generic viagra
Posted @ 2009-09-09 01:35
Zoo: An excellent place to study the habits of human beings.
# purchase valium
purchase valium
Posted @ 2009-09-09 01:36
For most men life is a search for the proper manila envelope in which to get themselves filed.
# xenical
xenical
Posted @ 2009-09-09 01:37
I don't mind what language an opera is sung in so long as it is a language I don't understand.
# order xenical
order xenical
Posted @ 2009-09-09 01:37
To be able to fill leisure intelligently is the last product of civilization, and at present very few people have reached this level.
# buspar
buspar
Posted @ 2009-09-09 01:38
Peace is when time doesn't matter as it passes by.
# salpingitis
salpingitis
Posted @ 2009-09-09 01:39
A tactical retreat is not a bad response to a surprise assault, you know. First you survive. Then you choose your own ground. Then you counterattack.
# refluent
refluent
Posted @ 2009-09-09 01:40
Learning to live in the present moment is part of the path of joy.
# enameling
enameling
Posted @ 2009-09-09 01:42
Glory is fleeting, but obscurity is forever.
# spermatorrhea
spermatorrhea
Posted @ 2009-09-09 01:43
There ain't no free lunches in this country. And don't go spending your whole life commiserating that you got raw deals. You've got to say, 'I think that if I keep working at this and want it bad enough I can have it.'
# extremist
extremist
Posted @ 2009-09-09 01:44
The aim of life is self-development. To realize one's nature perfectly - that is what each of us is here for.
# jacdghvn
jacdghvn
Posted @ 2009-09-09 08:46
sjbgncgo http://rstytvpa.com kroalnhd gqazfazj [URL=http://cautglba.com]rxzeacfu[/URL] <a href="http://ahrsxfea.com">llfbyghs</a>
# purchase phentermine
purchase phentermine
Posted @ 2009-09-10 02:54
Read over your compositions, and wherever you meet with a passage which you think is particularly fine, strike it out.
# sonata
sonata
Posted @ 2009-09-10 02:57
Life is a great big canvas; throw all the paint on it you can.
# buy diazepam
buy diazepam
Posted @ 2009-09-10 02:59
Even the fear of death is nothing compared to the fear of not having lived authentically and fully.
# order soma
order soma
Posted @ 2009-09-10 03:03
You cannot make a man by standing a sheep on its hind legs. But by standing a flock of sheep in that position you can make a crowd of men.
# grab
grab
Posted @ 2009-09-10 03:05
You can't deny laughter. When it comes, it plops down in your favorite chair and stays as long as it wants.
# amimia
amimia
Posted @ 2009-09-10 03:05
Our patience will achieve more than our force.
# skyline
skyline
Posted @ 2009-09-10 03:06
Truth has beauty, power and necessity.
# airiness
airiness
Posted @ 2009-09-10 03:06
The dead might as well try to speak to the living as the old to the young.
# thalassotherapy
thalassotherapy
Posted @ 2009-09-10 03:10
I'm moving, but don't worry! [Someone once] told me we're all on the same planet, so I'll be okay!
# snowless
snowless
Posted @ 2009-09-10 03:12
The gem cannot be polished without friction, nor man perfected without trials.

标题

姓名

主页


验证码	*

内容

Remember Me?

登录使用高级评论 Top

[使用Ctrl+Enter键可以直接提交]