An Analysis of the NTFS File System

 

1. The NTFS partition boot sector is actually the first sector of

    the NTFS metadata file $Boot.

 

2. Structure of Sector 0 of Logical Drive C (NTFS)

    A view of sector 0

 

3. It consists of six parts (offsets are within the 512-byte sector):

Jump/NOP                          0x00 - 0x02

OEM String                        0x03 - 0x0A

BIOS Parameter Block (BPB)        0x0B - 0x53

Initial Program Loader (IPL)      0x54 - 0x182

Strings of Error Message          0x183 - 0x1FD

Signature                         0x1FE - 0x1FF

 

-------------------------------------------------------------------------

/Jump

JMP (short jump of +52h, i.e. to offset 0x54, the IPL)    EB 52

-------------------------------------------------------------------------

/NOP

NOP (pads the jump to three bytes)                         90

-------------------------------------------------------------------------

/OEM String

OEM ("NTFS" followed by four spaces)                       4E 54 46 53 20 20 20 20

-------------------------------------------------------------------------

/BPB (offsets 0x0B to 0x53; multi-byte values are little-endian)

0x0B  Bytes/Sector                     00 02                     (512)

0x0D  Sectors/Cluster                  08                        (8, so 4096 bytes per cluster)

0x0E  Reserved Sector Count            00 00                     (always 0 on NTFS)

0x10  Table (FAT) Count                00                        (always 0 on NTFS)

0x11  Root Entry Count                 00 00                     (always 0 on NTFS)

0x13  Sector Count (16-bit)            00 00                     (always 0 on NTFS)

0x15  Media Type                       F8                        (fixed disk)

0x16  Sectors/Table (FAT)              00 00                     (always 0 on NTFS)

0x18  Sectors/Track                    3F 00                     (63)

0x1A  Number of Heads                  FF 00                     (255)

0x1C  Hidden Sector Count              3F 00 00 00               (63 sectors before the partition)

0x20  Reserved (32-bit sector count)   00 00 00 00               (not used on NTFS)

0x24  Not Used                         80 00 80 00               (the IPL reads the BIOS drive number 80h from the first byte: 8A 16 24 00)

0x28  Total Sector Count (64-bit)      F8 3F 71 09 00 00 00 00   (158416888)

0x30  $MFT Start Cluster (LCN)         00 00 0C 00 00 00 00 00   (0xC0000 = 786432)

0x38  $MFTMirr Start Cluster (LCN)     10 D6 04 01 00 00 00 00   (0x104D610 = 17094160)

0x40  Clusters/MFT Record              F6                        (signed byte; a negative value n means 2^-n bytes, so F6 = -10 gives 1024 bytes per record)

0x41  Reserved                         00 00 00

0x44  Clusters/Index Block             01                        (1 cluster = 4096 bytes)

0x45  Reserved                         00 00 00

0x48  Volume Serial Number             E0 85 C9 F8 95 C9 F8 C4

0x50  Checksum                         00 00 00 00

-------------------------------------------------------------------------

/IPL (offsets 0x54 to 0x182, 303 = 0x12F bytes of 16-bit real-mode code; the BIOS loads the whole sector at 0000:7C00)

FA 33 C0 8E D0 BC 00 7C FB B8 C0 07

8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00

10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4

08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66

0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F

B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A

16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01

74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66

03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A

00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00

0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00

B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07

66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00

66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36

1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8

01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66

FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61

C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE

B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10

EB F2 C3

-------------------------------------------------------------------------

/Strings of Error Message (offsets 0x183 to 0x1FD)

0D 0A 41 20 64 69 73 6B 20 72 65 61 64

20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00

0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69

6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F

6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73

20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F

20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00

00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00

Decoded, the block holds four NUL-terminated messages, padding and a small index table:

0x183  "\r\nA disk read error occurred"

0x1A0  "\r\nNTLDR is missing"

0x1B3  "\r\nNTLDR is compressed"

0x1C9  "\r\nPress Ctrl+Alt+Del to restart\r\n"

0x1EB  13 bytes of zero padding

0x1F8  83 A0 B3 C9: the low bytes of the four message addresses above. The IPL's print routine loads one of them into AL (A0 F8 01 = mov al,[1F8h]), sets AH to 1 (B4 01) so that SI = 01xxh, and prints from DS:SI until the NUL (lodsb / int 10h loop). This sector's own code uses only the first and the last entry (A0 F8 01 and A0 FB 01).

0x1FC  00 00

-------------------------------------------------------------------------

/Signature

55 AA

 

 

 

4. Disassemble and analyse the IPL

   An easy way is:

   a.  Use WinHex to copy the bytes of the IPL block (offsets 0x54 to 0x182,

        303 bytes) exactly into a text file called IPL.txt.

   b.  Edit IPL.txt into a DEBUG script like the following, then at the

        command prompt run "debug < IPL.txt". DEBUG reads one command per

        line, so each row of the dump needs its own e command, and the

        address of each row is the previous address plus the number of

        bytes on the previous row (12 on the first row, 16 on the others):

       e 100 <first 12 bytes of the IPL block>

       e 10C <next 16 bytes>

       e 11C <next 16 bytes>

       ... (continue in the same way; the last row, 3 bytes, goes at e 22C)

       rcx

       12F

       n ipl.com

       w

       q

       The rcx/12F pair sets CX to the file length (0x12F = 303 bytes), and

       w writes CX bytes starting at CS:0100 to the file named by n.

 

  c.  Now you should have a file called ipl.com in your directory.

      Open it with IDA Pro (as a 16-bit COM file) and see what the IPL is doing.

      One caveat: the first instructions set SS:SP to 0000:7C00 and DS to 07C0h

      (33 C0 8E D0 BC 00 7C ... B8 C0 07 8E D8), so memory operands such as

      [0024h] (the drive number, 8A 16 24 00) or [01F8h] (the message table,

      A0 F8 01) are offsets from the start of the boot sector. ipl.com contains

      neither the BPB nor the strings, so those references will not resolve in

      it; to follow them, load the full 512-byte sector at 7C00h instead.

 

 

 

 

About The NTFS System (Will Be Removed Later)

 

1. NTFS Alternate Data Streams.

The related article is very simple and easy to understand.

http://d.hatena.ne.jp/hideakii/20050908

 

2. To view an ADS, you need a tool such as FlexHEX or similar.

FlexHEX Download

 

3. The following link explains what actually happens in your NTFS file system.

http://www.pcguide.com/ref/hdd/file/ntfs/arch_Files.htm

 

4. I did an experiment on my volume C: (NTFS).

a. I prepared a simple text file called "a.txt".

b. It contains only the single string "here is sth".

c. According to the article above (the link in 3.),

if the file is small enough, its data fits inside the file's

record in the $MFT of the logical drive (a resident data attribute)

instead of taking additional cluster storage on the volume.

 

Reference: "If the amount of space required for all of the attributes of a file, including the data it contains, is smaller than the size of the MFT record, the data attribute will be stored resident--within the MFT record itself. Thus, such files require no additional storage space on the volume, and also do not require separate accesses to the disk to check the MFT and then read the file, which improves performance."

 

 

 

 

 

 

5. Where is the $MFT located?

To find out, I used a command-line tool called "ntfsinfo.exe".

It shows the following information about the $MFT on my C: drive.

 

NTFS Information Dump V1.01
Copyright (C) 1997 Mark Russinovich
http://www.sysinternals.com


Volume Size

-----------

Volume size            : 77351 MB

Total sectors          : 158416888

Total clusters         : 19802111

Free clusters          : 6529180

Free space             : 25504 MB (32% of drive)


Allocation Size

----------------

Bytes per sector       : 512

Bytes per cluster      : 4096

Bytes per MFT record   : 1024

Clusters per MFT record: 0


MFT Information

---------------

MFT size               : 145 MB (0% of drive)

MFT start cluster      : 786432

MFT zone clusters      : 10310176 - 10499456

MFT zone size          : 739 MB (0% of drive)

MFT mirror start       : 17094160


Meta-Data files
---------------

 

Then I multiplied the start cluster by the bytes per cluster (786432 * 4096)

and got the MFT start at byte offset 0xC0000000 within the volume.

 

To confirm it, I used FlexHEX again.

In the following result, the left window is the hex view of logical drive C:,

and the right window is the hex view of the MFT of drive C:.


 

 

 

It took me several hours to figure out how to find its location

using NTFSINFO.EXE and FlexHEX.

However, if you wish, just download WinHex, open the disk view,

and take a look at the files with a $ prefix.

It shows you everything I mentioned above as well as

what Microsoft is hiding from us.

 

Or, if you know the sector where it is, you can download debugx.com,

load it and dump it.

After some research I found that the starting cluster of the MFT is stored

in the boot sector of the NTFS logical drive

at offset 0x30, as an 8-byte little-endian value (the "$MFT Start Cluster" field of the BPB in 3.).

For example, in my case,

offsets 0x30 to 0x37 of the logical drive C: boot sector

hold the following data,

 00 00 0C 00 00 00 00 00

which, read little-endian, is 0xC0000 = 786432 clusters.

Since there are 8 sectors per cluster (offset 0x0D),

the starting logical sector of the MFT is 786432 * 8 = 6291456, counted from the

start of the partition (add the 63 hidden sectors at offset 0x1C for the absolute sector on the disk).

Since there are 512 bytes per sector (offset 0x0B),

the starting byte offset of the MFT within the volume is 6291456 * 512 = 3221225472 (0xC0000000),

which matches the "MFT start cluster: 786432" reported by ntfsinfo.
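The BPB table in 3. and the cluster-to-sector-to-byte arithmetic in 5., as an added example in Python (not code from the original page): a parser for offsets 0x00 to 0x53 of the boot sector. The header bytes are constructed from the values in the table above, the rest of the sector is zero-filled up to the 55 AA signature, and the function and field names (parse_boot_sector, is_ntfs_boot_sector, size_from_cluster_field, mft_byte_offset and so on) are my own. Beyond what the page works out by hand, it interprets the signed byte at 0x40 (F6 gives 2^10 = 1024 bytes per MFT record, matching ntfsinfo) and rejects a sector whose signature, OEM ID or FAT-only fields are wrong, which is the first check to run on a boot sector carved from a disk image.

```python
"""Added example: parse the BPB of the NTFS boot sector shown in section 3
and derive where $MFT and $MFTMirr start, checking the sector first."""
import struct

# Constructed from the page's dump: offsets 0x00..0x53 of sector 0 of C:.
# The IPL and strings are zero-filled here; only the 55 AA signature is kept.
HEADER_HEX = """
EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00
00 00 00 00 80 00 80 00 F8 3F 71 09 00 00 00 00
00 00 0C 00 00 00 00 00 10 D6 04 01 00 00 00 00
F6 00 00 00 01 00 00 00 E0 85 C9 F8 95 C9 F8 C4
00 00 00 00
"""
SECTOR = bytes.fromhex(HEADER_HEX).ljust(510, b"\x00") + b"\x55\xAA"

# Little-endian layout of offsets 0x00..0x53 (84 bytes): jump, OEM, BPB,
# extended BPB. 'b3x' = signed byte followed by three reserved bytes.
BPB_FMT = "<3s8sHBHBHHBHHHIIIQQQb3xb3xQI"
assert struct.calcsize(BPB_FMT) == 0x54


def size_from_cluster_field(value: int, cluster_bytes: int) -> int:
    """Offsets 0x40/0x44 hold a signed byte: n >= 0 means n clusters,
    n < 0 means 2**-n bytes (F6 = -10 -> 1024-byte MFT records)."""
    return 2 ** (-value) if value < 0 else value * cluster_bytes


def parse_boot_sector(sector: bytes) -> dict:
    if len(sector) < 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    (jmp, oem, bps, spc, reserved, fats, root, sec16, media, spf, spt, heads,
     hidden, sec32, _unused, total, mft_lcn, mirr_lcn, rec_field, idx_field,
     serial, checksum) = struct.unpack_from(BPB_FMT, sector)
    if oem != b"NTFS    ":
        raise ValueError("OEM ID is %r, not NTFS" % oem)
    # NTFS keeps the FAT-only BPB fields at zero; anything else means this
    # is not a genuine NTFS boot sector or it has been tampered with.
    if any((reserved, fats, root, sec16, spf, sec32)):
        raise ValueError("FAT-only BPB fields are non-zero")
    cluster_bytes = bps * spc
    info = dict(jump=jmp, oem=oem, bytes_per_sector=bps, sectors_per_cluster=spc,
                cluster_bytes=cluster_bytes, media=media, sectors_per_track=spt,
                heads=heads, hidden_sectors=hidden, total_sectors=total,
                mft_cluster=mft_lcn, mftmirr_cluster=mirr_lcn,
                mft_record_size=size_from_cluster_field(rec_field, cluster_bytes),
                index_block_size=size_from_cluster_field(idx_field, cluster_bytes),
                volume_serial=serial, checksum=checksum)
    # cluster -> sector -> byte, the arithmetic done by hand in section 5;
    # offsets are relative to the partition, add hidden_sectors for the disk.
    info["mft_sector"] = mft_lcn * spc
    info["mft_byte_offset"] = mft_lcn * cluster_bytes
    info["mftmirr_byte_offset"] = mirr_lcn * cluster_bytes
    info["volume_bytes"] = total * bps
    return info


def is_ntfs_boot_sector(sector: bytes) -> bool:
    """Boolean wrapper for carving: True only if every check above passes."""
    try:
        parse_boot_sector(sector)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for key, value in parse_boot_sector(SECTOR).items():
        print("%-20s %s" % (key, hex(value) if isinstance(value, int) else value))
```

On a live system the same parser can be pointed at the first 512 bytes read from \\.\C: (or from a raw image); the derived mft_byte_offset is where WinHex or FlexHEX will show the FILE0 records of $MFT.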

 

 

What's New

On this home page I will introduce assembly language.