The MASM Forum

General => The Workshop => Topic started by: clamicun on September 17, 2017, 11:43:25 PM

Title: How to read Windows MFT
Post by: clamicun on September 17, 2017, 11:43:25 PM
I want to access the Windows MFT (Master File Table) to speed up my search program, which uses
FindFirstFile,
FindNextFile

That is, directly read the Master File Table.
Obviously all professional search programs do that.

There is very little useful info in Google except for one example written in C. 

Conceptually - this looks like:

First step, you have to have and assert sufficient privileges to access the MFT.
Second step, you have to get a handle to a file/folder on the volume.
Third step, you have to call a Windows API (called DeviceIoControl) in a loop and read the entries.

Second step ... here is the access problem:
include \masm32\include\masm32rt.inc

.data
MFT_file db "C:\$MFT",0
SVOLINFO db "System Volume Informationen",0

.code
Read_theMFT proc
    ; try to open the MFT like an ordinary file
    INVOKE CreateFile, offset MFT_file, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM or FILE_ATTRIBUTE_HIDDEN, 0
    INVOKE GetLastError
    ; Error 5 = Access denied
    ; of course denied ... you can't even see it on your disk.
    ret
Read_theMFT endp

start:
    call Read_theMFT
    exit
end start

Does someone have an idea on how to read the MFT, or can give me more useful links?
Thanks
Clamicun

Title: Re: How to read Windows MFT
Post by: aw27 on September 18, 2017, 12:53:35 AM
I don't think you need to invoke the kernel.
I think that you will get to the MFT from the boot record doing some calculations.
So, first stage is to get a handle to \\.\PhysicalDrive0 with CreateFile and read the boot sector.
Title: Re: How to read Windows MFT
Post by: clamicun on September 18, 2017, 09:50:32 AM
Thanks a lot... That is not much of an answer!

"So, first stage is to get a handle to \\.\PhysicalDrive0 with CreateFile and read the boot sector."

I saw this 5 times searching with Google ...

Please, show me how to create a file using "\\.\PhysicalDrive0"

Visit http://www.atelierweb.com
This is just one more of lots of search programs
Title: Re: How to read Windows MFT
Post by: aw27 on September 18, 2017, 02:15:50 PM
Please, show me how to create a file using  "\\.\PhysicalDrive0"
Your doubts transcend the imaginable for someone set to work on a recognized difficult subject like the NTFS file system.  :dazzled:
Title: Re: How to read Windows MFT
Post by: jj2007 on September 18, 2017, 04:56:35 PM
Please, show me how to create a file using  "\\.\PhysicalDrive0"

include \masm32\MasmBasic\MasmBasic.inc         ; download (http://masm32.com/board/index.php?topic=94.0)
  Init
  LenBoot=200h
  Open "I", 1, "\\.\PhysicalDrive0"
  deb 4, "Handle", eax, $Err$()
  Let esi=Input$(1, LenBoot)
  push esi
  xor ecx, ecx
  .Repeat
        test cl, 31
        .if Zero?
                Print CrLf$, Hex$(ecx), "  "
        .endif
        lodsb
        Print Hex$(al), " "
        inc ecx
  .Until ecx>=LenBoot
  pop esi
  FileWrite "BootSector.dat", esi, LenBoot
  Close 1
  Inkey CrLf$, "bye"
EndOfCode


Output:
Code: [Select]
Handle
eax             208
$Err$()         Operazione completata.

00000000  33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00
00000020  BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00
00000040  B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74
00000060  26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13
00000080  9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE
000000A0  4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55
000000C0  AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75
000000E0  00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00
00000100  00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66
00000120  61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4
00000140  05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8
00000160  24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72
00000180  20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E
000001A0  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 63 7B 9A BE 36 E8 A1 00 00 00 20
000001C0  21 00 27 FE FF FF 00 08 00 00 00 00 40 02 80 FE FF FF 07 FE FF FF 00 08 40 02 00 20 03 00 00 FE
000001E0  FF FF 07 FE FF FF 00 28 43 02 00 30 F5 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
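The 512 bytes dumped above are the drive's MBR: boot code up to offset 0x1B8, the 4-byte NT disk signature at 0x1B8, four 16-byte partition entries starting at 0x1BE and the 55 AA boot signature at 0x1FE. As an added example (not code from this thread, from MasmBasic or from the search program discussed), here is a small C parser that decodes that partition table and runs the sanity check a forensic tool wants before trusting it. The sample sector it uses is constructed from bytes 0x1B0..0x1FF of the dump above; the boot-code bytes before 0x1B0 are zeroed because the parser never reads them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE      512
#define MBR_DISKSIG_OFF  0x1B8   /* 4-byte NT disk signature        */
#define MBR_PTABLE_OFF   0x1BE   /* four 16-byte partition entries  */
#define MBR_SIG_OFF      0x1FE   /* 55 AA boot signature            */

typedef struct {
    uint8_t  status;     /* 0x80 = active/bootable, 0x00 = inactive   */
    uint8_t  type;       /* partition type id, e.g. 0x07 = NTFS/exFAT */
    uint32_t lba_start;  /* first sector (LBA)                        */
    uint32_t sectors;    /* length in sectors                         */
} MbrPart;

/* Constructed sample: bytes 0x1B0..0x1FF of the sector dumped in the post above. */
static const uint8_t SAMPLE_TAIL[80] = {
    0x65,0x6D,0x00,0x00,0x00,0x63,0x7B,0x9A, 0xBE,0x36,0xE8,0xA1,0x00,0x00,0x00,0x20,
    0x21,0x00,0x27,0xFE,0xFF,0xFF,0x00,0x08, 0x00,0x00,0x00,0x00,0x40,0x02,0x80,0xFE,
    0xFF,0xFF,0x07,0xFE,0xFF,0xFF,0x00,0x08, 0x40,0x02,0x00,0x20,0x03,0x00,0x00,0xFE,
    0xFF,0xFF,0x07,0xFE,0xFF,0xFF,0x00,0x28, 0x43,0x02,0x00,0x30,0xF5,0x37,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x55,0xAA
};

/* Fill sec with the 512-byte sample sector (boot-code region zeroed). */
size_t mbr_sample_sector(uint8_t *sec, size_t len)
{
    if (len < SECTOR_SIZE) return 0;
    memset(sec, 0, SECTOR_SIZE);
    memcpy(sec + 0x1B0, SAMPLE_TAIL, sizeof SAMPLE_TAIL);
    return SECTOR_SIZE;
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the partition table. Returns the number of used entries copied to out[],
 * or -1 if the buffer is too short or the 55 AA signature is missing. */
int mbr_parse(const uint8_t *sec, size_t len, MbrPart out[4], uint32_t *disk_sig)
{
    if (len < SECTOR_SIZE || sec[MBR_SIG_OFF] != 0x55 || sec[MBR_SIG_OFF + 1] != 0xAA)
        return -1;
    if (disk_sig) *disk_sig = rd_le32(sec + MBR_DISKSIG_OFF);

    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + MBR_PTABLE_OFF + 16 * i;
        if (e[4] == 0) continue;                 /* type 0 = empty slot */
        out[n].status    = e[0];
        out[n].type      = e[4];                 /* CHS fields e[1..3], e[5..7] ignored */
        out[n].lba_start = rd_le32(e + 8);
        out[n].sectors   = rd_le32(e + 12);
        n++;
    }
    return n;
}

/* No two used entries may overlap; 64-bit arithmetic so start+length cannot wrap. */
int mbr_ranges_overlap(const MbrPart *p, int n)
{
    for (int a = 0; a < n; a++)
        for (int b = a + 1; b < n; b++) {
            uint64_t a_end = (uint64_t)p[a].lba_start + p[a].sectors;
            uint64_t b_end = (uint64_t)p[b].lba_start + p[b].sectors;
            if (p[a].lba_start < b_end && p[b].lba_start < a_end) return 1;
        }
    return 0;
}

int main(void)
{
    uint8_t sec[SECTOR_SIZE];
    MbrPart parts[4];
    uint32_t sig = 0;

    mbr_sample_sector(sec, sizeof sec);
    int n = mbr_parse(sec, sizeof sec, parts, &sig);
    if (n < 0) { puts("not a valid MBR"); return 1; }

    printf("disk signature %08X, %d partition(s), overlap=%d\n",
           (unsigned)sig, n, mbr_ranges_overlap(parts, n));
    for (int i = 0; i < n; i++)
        printf("  %s type %02X  start %10u  sectors %10u\n",
               parts[i].status == 0x80 ? "boot" : "    ", parts[i].type,
               (unsigned)parts[i].lba_start, (unsigned)parts[i].sectors);
    return 0;
}
```

On the dump above this yields three entries: a type 0x27 (hidden NTFS) partition starting at LBA 2048, the 100 MB active system partition (type 0x07, 204800 sectors), and the main NTFS volume; each starts exactly where the previous one ends, which is the consistency a search tool should verify before it goes on to locate the NTFS boot sector and the MFT inside a partition. When reading the sector for real from \\.\PhysicalDrive0, the handle needs administrative rights and, with FILE_FLAG_NO_BUFFERING, the buffer and length must be sector aligned.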
Title: Re: How to read Windows MFT
Post by: Siekmanski on September 18, 2017, 05:43:08 PM
Have a look at https://www.mikrocontroller.net/
There are a lot of people with knowledge of file systems and reading the MFT.
And it is in your language.

You can also use the "SCSI Pass Through" Interface to read and write sectors.

In this thread are some examples to get you started, http://masm32.com/board/index.php?topic=3244.0
Title: Re: How to read Windows MFT
Post by: clamicun on September 18, 2017, 07:57:47 PM
Thank you all-
I'll check it out and probably ask again.
Title: Re: How to read Windows MFT
Post by: clamicun on September 18, 2017, 07:59:57 PM
aw27
"on a recognized difficult subject like the NTFS file system"
Think you are very right.
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 12:29:55 AM
I decided that HexDump$ (http://masm32.com/board/index.php?topic=94.msg70201#msg70201) would be a handy new feature for assembler programmers:

Code: [Select]
include \masm32\MasmBasic\MasmBasic.inc
  Init
  Open "I", #1, "\\.\PhysicalDrive0"
  deb 4, "Handle", eax, $Err$()
  Let esi=Input$(#1, 200h)
  Close
  Inkey HexDump$(esi)
EndOfCode

Output:
Code: [Select]
Handle
eax             208
$Err$()         The operation completed successfully.

00628C38  33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3ÀŽÐ¼.|ŽÀŽØ¾.|¿.
00628C48  06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .¹..üó¤Ph..Ëû¹..
00628C58  BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 ½¾.€~..|..…..ƒÅ.
00628C68  E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 âñÍ.ˆV.UÆF..ÆF..
00628C78  B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 ´A»ªUÍ.]r.ûUªu.
00628C88  F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ÷Á..t.þF.f`€~..t
00628C98  26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....fÿv.h..h.
00628CA8  7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h..´BŠV.‹ôÍ.
00628CB8  9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ŸƒÄ.žë.¸..».|ŠV.
00628CC8  8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE Šv.ŠN.Šn.Í.fas.þ
00628CD8  4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 N.u.€~.€.„Š.²€ë„
00628CE8  55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55 U2äŠV.Í.]랁>þ}U
00628CF8  AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 ªunÿv.è.u.ú°Ñæd
00628D08  E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75 èƒ.°ßæ`è|.°ÿædèu
00628D18  00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 .û¸.»Í.f#Àu;fûT
00628D28  43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00 CPAu2ù..r,fh.».
00628D38  00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 .fh....fh....fSf
00628D48  53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66 SfUfh....fh.|..f
00628D58  61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD ah...Í.Z2öê.|..Í
00628D68  18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4 . ·.ë. ¶.ë. µ.2ä
00628D78  05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD ...‹ð¬<.t.»..´.Í
00628D88  10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8 .ëòôëý+Éädë.$.àø
00628D98  24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 $.ÃInvalid parti
00628DA8  74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 tion table.Error
00628DB8  20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69  loading operati
00628DC8  6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E ng system.Missin
00628DD8  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst
00628DE8  65 6D 00 00 00 63 7B 9A BE 36 E8 A1 00 00 00 20 em...c{š¾6è¡...
00628DF8  21 00 27 FE FF FF 00 08 00 00 00 00 40 02 80 FE !.'þÿÿ......@.€þ
00628E08  FF FF 07 FE FF FF 00 08 40 02 00 20 03 00 00 FE ÿÿ.þÿÿ..@.. ...þ
00628E18  FF FF 07 FE FF FF 00 28 43 02 00 30 F5 37 00 00 ÿÿ.þÿÿ.(C..0õ7..
00628E28  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

If you see "access denied", tell the OS "I am an assembler programmer, you cannot stop me" :icon_mrgreen:
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 02:24:53 AM
Quote
If you see "access denied", tell the OS "I am an assembler programmer, you cannot stop me" :icon_mrgreen:
How do you specify in Visual Basic for Masm that you want to open in shared mode?  :greensml:
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 03:00:49 AM
You are confused, José - MasmBasic is inspired by GfaBasic, not by Visual Basic (which is a fine dialect btw, much underrated by the arrogant coders who produce crap such as Adobe Flash or Visual Studio).

As to shared mode, what would change if you could specify that mode?
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 03:10:41 AM
As to shared mode, what would change if you could specify that mode?
ASM programmers will never try to open in exclusive mode a device that is used across the system by multiple programs and claim that the OS can't stop them. It can!  :badgrin:
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 03:39:37 AM
Wow :t

OK, specifically for you I attach a version that opens the device in shared mode 8)
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 06:35:22 PM
Eek  :dazzled:
28 KB for a basic (or BASIC MASM?) console program. Is it the debug release?

I made an equivalent C++ program for 6KB (including MANIFEST for requireAdministrator).  :badgrin:
This without any tricks, with tricks I can reduce it to less than 3KB. :badgrin:
Actually, to 1536 bytes if I remove the MANIFEST. :badgrin:

Code: [Select]

#include <stdio.h>
#include <Windows.h>

// Print len bytes at addr as hex, 16 per row, with a printable-ASCII column on the right.
void hexDump(void *addr, int len) {
    int i;
    unsigned char buff[17];
    unsigned char *pc = (unsigned char*)addr;

    if (len <= 0) {
        return;
    }

    for (i = 0; i < len; i++) {
        if ((i % 16) == 0) {
            if (i != 0)
                printf("  %s\n", buff);   // flush the ASCII column of the previous row
            printf("  %04x ", i);         // row offset
        }

        printf(" %02x", pc[i]);

        if ((pc[i] < 0x20) || (pc[i] > 0x7e))
            buff[i % 16] = '.';           // non-printable bytes shown as '.'
        else
            buff[i % 16] = pc[i];
        buff[(i % 16) + 1] = '\0';
    }

    while ((i % 16) != 0) {               // pad the last row so the ASCII column lines up
        printf("   ");
        i++;
    }

    printf("  %s\n", buff);
}

int main()
{
    unsigned char buff[512];
    DWORD dwBytesRead;
    // CreateFile maps to CreateFileA unless UNICODE is defined; the L"..." literal needs a Unicode build.
    HANDLE hFile = CreateFile(L"\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        printf("Can't open MBR. Are you launching as Administrator?");
    else
    {
        // the first 512 bytes of the physical drive are the MBR (boot code + partition table)
        if (!ReadFile(hFile, buff, sizeof buff, &dwBytesRead, NULL))
            printf("Error reading MBR");
        else
        {
            hexDump(buff, sizeof(buff));
        }
        CloseHandle(hFile);               // only close a handle that was actually opened
    }

    getchar();
    return 0;
}


I suspect that even in Delphi I could do it for less than 28KB, and Delphi does not use the C runtime by default.  :lol:
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 08:30:04 PM
including MANIFEST for requireAdministrator

Congrats, so you finally realised that shared access had nothing to do with the problem :bgrin:

M$ doesn't like your code:
Code: [Select]
Microsoft (R) C/C++ Optimizing Compiler Version 19.00.24215.1 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

Tmp.cpp
c:\program files (x86)\microsoft visual studio 10.0\vc\include\codeanalysis\sourceannotations.h(78): warning C4467: usage of ATL attributes is deprecated
Tmp.cpp(42): error C2664: 'HANDLE CreateFileA(LPCSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE)': cannot convert argument 1 from 'const wchar_t [19]' to 'LPCSTR'
Tmp.cpp(42): note: Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast

GCC has different complaints:
Code: [Select]
Tmp.cpp: In function 'int main()':
Tmp.cpp:42:134: error: cannot convert 'const wchar_t*' to 'LPCSTR {aka const char*}' for argument '1' to 'void* CreateFileA(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE)'
  HANDLE hFile = CreateFile(L"\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL);
Title: Re: How to read Windows MFT
Post by: hutch-- on September 19, 2017, 08:38:18 PM
Having read JJ's last post, I know why I detest C++, endless clutter, unnecessary complexity and lousy performance.
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 08:42:52 PM
Congrats, so you finally realised that shared access had nothing to do with the problem :bgrin:
No wonder, your default is actually shared access.
Should be a bug somewhere in your libs.   :idea:

Quote
M$ doesn't like your code
I always use M$ and normally the latest version. Builds without warnings or errors.
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 08:46:48 PM
Having read JJ's last post, I know why I detest C++, endless clutter, unnecessary complexity and lousy performance.
I am not talking about C++ with objects, straight C++ is as performant as C and in many cases outperforms non-optimized ASM. I have proven that and am still waiting for a contradiction.
Title: Re: How to read Windows MFT
Post by: hutch-- on September 19, 2017, 09:00:51 PM
Jose,

Forgive my humour here but I have heard this one many times.
Quote
performant as C and in many cases outperforms non-optimized ASM

The simple answer is,
Quote
performant as [put any language you like here] and in many cases outperforms non-optimized [put any language you like here]

 :P
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 09:10:21 PM
Forgive my humour here but I have heard this one many times.
Hutch,
This is small talk, actually with some sense of humour.
But I prefer this one for a good laugh:
Please translate this French sentence:
dans la cuisine=
Title: Re: How to read Windows MFT
Post by: habran on September 19, 2017, 09:16:59 PM
Hi aw27 :biggrin:
nice proggy :t
It can be build as C or CPP
It builds instantly from the box with MSVS 2013 Community, however, it gives me:
Code: [Select]
Can't open MBR. Are you launching as Administrator?
even though I run it as administrator.
That doesn't mean that there is something wrong with your proggy, it is probably my Windows 8.1's fault

JJ, you need to set up your MSVS properly as it is obvious that it doesn't like you because it is aware that the feeling is mutual :biggrin:
 
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 09:25:03 PM
JJ, you need to set up your MSVS properly as it is obvious that it doesn't like you because it is aware that the feeling is mutual :biggrin:

My C or C++ stuff builds just fine with MS VC and GCC. Even José's code builds without errors with GCC if I add a "W":

CreateFile(L"\\\\.\\PhysicalDrive0", ....  //WRONG
CreateFileW(L"\\\\.\\PhysicalDrive0", .... //RIGHT

Which won't help for the M$ compiler, its linker complains about "error LNK2019: unresolved external symbol ___report_rangecheckfailure referenced in function "void __cdecl hexDump(void *,int)" (?hexDump@@YAXPAXH@Z)" :greensml:

Having read JJ's last post, I know why I detest C++, endless clutter, unnecessary complexity and lousy performance.

But it keeps Google happy: Countless C/C++ coders searching the internet in a desperate attempt to understand their endless error messages. Trial and error as the ultimate programming paradigm. Even ML64 is more compatible and consistent than the average C++ compiler :biggrin:
Title: Re: How to read Windows MFT
Post by: habran on September 19, 2017, 09:26:58 PM
aw27, I'd suggest you rewrite it in asm 32 and 64 bit and post it here
we can include it in Sample folder for UASM
 :biggrin:
Title: Re: How to read Windows MFT
Post by: habran on September 19, 2017, 09:35:57 PM
JJ, you just said it wouldn't build and I have done it instantly, so, what conclusion can we draw from that?
 :biggrin:
I am not trying to make you look stupid or something, I appreciate you and your programming skills as well as your personality :t
However, if your M$ refuses to build such a simple proggy then I have to come to the conclusion that something is wrong with it.
Wouldn't you agree with that logic?

Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 09:38:07 PM
That doesn't mean that there is something wrong with your proggy, it is probably my Windows 8.1's fault
Hi habran!
I tested in Windows 8.1 and it works, a possible cause might be security software.

Quote
I'd suggest you rewrite it in asm 32 and 64 bit and post it here
All right, I will put it on the agenda. :t

Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 09:40:05 PM
However, if your M$ refuses to build such a simple proggy then I have to come to the conclusion that something is wrong with it.
Wouldn't you agree with that logic?

Absolutely :t

Btw José's code works, when compiled with GCC and run as admin, see attachment. A bit bloated at 29k but ok, let's be generous :bgrin:
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 09:43:13 PM
CreateFileW(L"\\\\.\\PhysicalDrive0", .... //RIGHT
JJ, the default for M$ in this century is Use Unicode Character Set. But M$ is flexible and will let you use Multibytes (select it in Project Properties), in which case you need to remove the L", which means (guess what?)
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 09:47:00 PM
JJ, the default for M$ in this century is Use Unicode Character Set.

Is it? My M$ C compiler is version 19.00.24215.1, 21st century. Besides, GCC uses another default. Aren't C compilers supposed to be "compatible", whatever that means...?
Title: Re: How to read Windows MFT
Post by: habran on September 19, 2017, 09:51:36 PM
aw27,
I have no idea what is wrong with my system, there are quite a few issues with it, I was not even able to install MSVS 2017 because of some administrator's bull**it, however, other people had the same problem
However, I am happy for now with MSVS 2013 Community :t
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 10:03:58 PM
I have no idea what is wrong with my system

OMG, your M$ is also rotten? It seems the World is full of rotten M$ systems and compilers :dazzled:

(hint: Masm32 works out of the box on all Windows versions since the beginning of the 21st Century ;))
Title: Re: How to read Windows MFT
Post by: habran on September 19, 2017, 10:08:26 PM
In my opinion only windows 7 was good M$ ;)
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 10:36:14 PM
Is it? My M$ C compiler is version 19.00.24215.1, 21st century. Besides, GCC uses another default. Aren't C compiler supposed to be "compatible", whatever that means...?
I was talking about the IDE, from command line you need to specify  /D "_UNICODE" /D "UNICODE"
Title: Re: How to read Windows MFT
Post by: aw27 on September 19, 2017, 10:41:28 PM
aw27,
I have no idea what is wrong with my system, there are quite a few issues with it, I was not even able to install MSVS 2017 because of some administrator's bull**it, however, other people had the same problem
However, I am happy for now with MSVS 2013 Community :t
I never used Windows 8.xx, I keep them in Virtual Boxes, as well as all OS since Windows 3.1 and DOS 6.0 onwards, for tests only. I have licenses for all of them since the time I was a subscriber of MSDN and it was worthwhile, not anymore now.
Title: Re: How to read Windows MFT
Post by: jj2007 on September 19, 2017, 10:49:44 PM
from command line you need to specify  /D "_UNICODE" /D "UNICODE"

More fun with M$ :t
There is even a dedicated SOF page: Why both UNICODE and _UNICODE? (https://stackoverflow.com/questions/7953025/why-both-unicode-and-unicode)

A propos: will it solve the little "error LNK2019: unresolved external symbol ___report_rangecheckfailure" problem, or does that require yet another magic trick?
Title: Re: How to read Windows MFT
Post by: nidud on September 19, 2017, 11:04:46 PM
 :biggrin:

Code: [Select]
;
; http://masm32.com/board/index.php?topic=6546.msg70220#msg70220
;
; Build:
;
;  A 32-bit: asmc -pe -D__PE__ test.asm
;  W 32-bit: asmc -ws -pe -D__PE__ -D_UNICODE test.asm
;  A 64-bit: asmc -pe -D__PE__ -D_WIN64 test.asm
;  W 64-bit: asmc -ws -pe -D__PE__ -D_UNICODE -D_WIN64 test.asm
;
include stdio.inc
include conio.inc
include windows.inc
include tchar.inc

ifdef _UNICODE
WC equ <ax>
else
WC equ <al>
endif

.code

hexDump proc uses RSI RDI RBX address:ptr, len:SINT

    local buff[17]:TCHAR

    .repeat

        .if len <= 0
            .break
        .endif

        .for (ebx=0, RSI=address: ebx < len: ebx++)

            .if !(ebx & 7)
                .if (ebx != 0)
                    _tprintf("  %s\n", &buff)
                .endif
                _tprintf("  %04x ", ebx)
            .endif

            lodsb
            movzx edi,al

            _tprintf(" %02x", edi)

            mov edx,ebx
            and edx,7
            mov eax,edi
            lea RCX,buff
            .if ((edi < 0x20) || (edi > 0x7e))
                mov TCHAR ptr [RCX+RDX*TCHAR],'.'
            .else
                mov [RCX+RDX*TCHAR],WC
            .endif
            xor eax,eax
            mov [RCX+RDX*TCHAR+TCHAR],WC
        .endf

        .while (ebx & 7)
            _tprintf("   ")
            inc ebx
        .endw
        _tprintf("  %s\n", &buff)

    .until 1
    ret

hexDump endp

_tmain proc

    local buff[512]:byte
    local dwBytesRead:dword
    local hFile:HANDLE

    mov hFile,CreateFile("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ,
            NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL)

    .if (hFile == INVALID_HANDLE_VALUE)
        _tprintf("Can't open MBR. Are you launching as Administrator?")
    .else
        .if (!ReadFile(hFile, &buff, sizeof(buff), &dwBytesRead, NULL))
            _tprintf("Error reading MBR")
        .else
            hexDump(&buff, sizeof(buff))
        .endif
    .endif

    CloseHandle(hFile)
    _getch()
    xor eax,eax
    ret

_tmain endp

    end _tstart

EDIT: added -ws switch for Unicode.
Title: Re: How to read Windows MFT
Post by: aw27 on September 20, 2017, 12:23:55 AM
@JJ,
cl /GS- /TC /GL /analyze- /W3 /Gy /Zc:wchar_t /Zi /Gm- /O1 /fp:precise /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oy- /Oi /MD /nologo /Fe /Fombr.obj mbr.cpp /link /OUT:mbr.exe /ENTRY:main /SUBSYSTEM:CONSOLE /DYNAMICBASE:NO /FIXED /MACHINE:X86 /OPT:REF /SAFESEH:NO /INCREMENTAL:NO kernel32.lib ucrt.lib

Builds a 3 KB exe.

I am sure you will not get it to work, as usual. :badgrin:
Title: Re: How to read Windows MFT
Post by: hutch-- on September 20, 2017, 12:36:09 AM
 :biggrin:

aw,
Quote
cl /GS- /TC /GL /analyze- /W3 /Gy /Zc:wchar_t /Zi /Gm- /O1 /fp:precise /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oy- /Oi /MD /nologo /Fe /Fombr.obj mbr.cpp /link /OUT:mbr.exe /ENTRY:main /SUBSYSTEM:CONSOLE /DYNAMICBASE:NO /FIXED /MACHINE:X86 /OPT:REF /SAFESEH:NO /INCREMENTAL:NO kernel32.lib ucrtd.lib

Now you know why I write in MASM.  :P
Title: Re: How to read Windows MFT
Post by: Siekmanski on September 20, 2017, 12:59:56 AM
Because we are now at low level disk access routines, I'll post my SPTI disk routines.
For a microcontroller project I needed to have raw access to USB sticks and SD cards.
Made this utility (10 years ago) for myself to read and write data as raw sectors from them in Windows using SPTI.
You can do really low level stuff with this....... (even reading CDTEXT from an AUDIO CD if you want to.  8))
The program is now only enumerating exchangeable media types.
Change the sources to use it for other storage media such as hard disks etc.
Be careful, don't write sectors, unless you know what you're doing.

For complete sources: see Reply #58
Title: Re: How to read Windows MFT
Post by: aw27 on September 20, 2017, 01:02:43 AM
Now you know why I write in MASM.  :P
I don't use the command line much, it is just for JJ because he can't open the IDE.  ;)
Title: Re: How to read Windows MFT
Post by: jj2007 on September 20, 2017, 02:41:50 AM
I don't use much the command line, it is just for JJ cause he can't open the IDE.  ;)

I can open the Visual Crap "IDE", but why should I waste my time if I can do it in assembler? Besides, you should have posted the whole "project" with *.sln etc, otherwise the dumb "IDE" will not know what to do with your code :biggrin:
Title: Re: How to read Windows MFT
Post by: aw27 on September 20, 2017, 04:11:24 AM
@habran,

Here is your order  :t

Code: [Select]
; Requires UASM

.386
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE
OPTION LITERALS:ON

HANDLE typedef ptr

GENERIC_READ equ 80000000h
FILE_SHARE_READ equ 1
NULL equ 0
OPEN_EXISTING equ 3
FILE_FLAG_NO_BUFFERING equ 20000000h
INVALID_HANDLE_VALUE equ -1

includelib \masm32\lib\msvcrt.lib
printf proto C :ptr, :vararg
getchar proto C
includelib \masm32\lib\kernel32.lib
CreateFileA proto :ptr, :dword, :dword, :ptr, :dword, :dword, :HANDLE
ReadFile proto :HANDLE, :ptr, :dword, :ptr, :ptr
CloseHandle proto :HANDLE

.code

; Print _len bytes at base as hex, 16 per row, with a printable-ASCII column on the right
hexDump proc private uses ebx esi  base:ptr, _len:sdword
LOCAL buff[17]:byte

    mov esi, base

    .if _len<=0
        ret
    .endif

    .for (ebx=0 : ebx<_len : ebx++) ; Note: .for (ebx=0, ebx<_len, ebx++) crashes Assembler
        .if !(ebx & 0Fh)
            .if (ebx != 0)
                INVOKE printf, "  %s\n", addr buff
            .endif
            INVOKE printf, "  %04x ", ebx
        .endif
        INVOKE printf, " %02x", byte ptr [esi+ebx]

        mov eax, ebx
        and eax, 0Fh

        .if (byte ptr [esi+ebx]<20h) || (byte ptr [esi+ebx]>7eh)
            mov byte ptr buff[eax], '.'
        .else
            mov dl, byte ptr [esi+ebx]
            mov byte ptr buff[eax], dl
        .endif

        inc eax
        mov byte ptr buff[eax], 0

    .endfor

    dec eax
    mov ebx, eax

    .while eax!=0
        INVOKE printf, "  "
        inc ebx
        mov eax, ebx
        and eax, 0Fh
    .endw
    INVOKE printf, "  %s\n", addr buff

    ret
hexDump endp

main proc
LOCAL buff[512]:byte
LOCAL dwBytesRead : dword
LOCAL hFile : HANDLE

    INVOKE CreateFileA, "\\.\PhysicalDrive0",  GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL ; When/if UASM considers \ an escape char filename has to be changed to  \\\\.\\PhysicalDrive0

    .if eax==INVALID_HANDLE_VALUE
        INVOKE printf, "Can't open MBR. Are you launching as Administrator?"
        ret
    .else
        mov hFile, eax
        INVOKE ReadFile, hFile, addr buff, sizeof buff, addr dwBytesRead, NULL
        .if eax==0
            INVOKE printf, "Error reading MBR"
        .else
            INVOKE hexDump, addr buff, sizeof buff
        .endif
    .endif
    INVOKE CloseHandle, hFile
    INVOKE getchar
    ret

main endp

end main
Title: Re: How to read Windows MFT
Post by: habran on September 20, 2017, 06:02:04 AM
Thanks aw27, nicely done :t
Quote
.for (ebx=0 : ebx<_len : ebx++) ; Note: .for (ebx=0, ebx<_len, ebx++) crashes Assembler
The base for '.for' is .for ( : : ), it must have 2 ':', otherwise it will not work
we can use ',' for several initiators but they must be separated with ':'
 
Code: [Select]
.for (ebx=0,ecx=16 : ebx<_len : ebx++,ecx--)
However, as usual, you have pointed to an error in UASM, because it should not crash, it should give an error report. I'll look at it and fix it.
Title: Re: How to read Windows MFT
Post by: habran on September 20, 2017, 06:18:01 AM
Nice proggy Siekmanski :t
I would suggest you increase the size of the window and the characters :biggrin:
Title: Re: How to read Windows MFT
Post by: Siekmanski on September 20, 2017, 07:48:18 AM
 :biggrin:

You're right. It's an old proggy, made in the era of low resolution monitors.
Title: Re: How to read Windows MFT
Post by: habran on September 20, 2017, 08:40:34 AM
aw27, .FOR-.ENDFOR is fixed, will be soon(maybe today) uploaded, with some of other fixes and polishes,
it'll come shiny and functional, better than ever ;)
Title: Re: How to read Windows MFT
Post by: aw27 on September 20, 2017, 04:36:06 PM
you should have posted the whole "project" with *.sln etc,
It is not necessary in most cases, you simply make a new project and add the existing files to it. Then you play with the project properties as you wish.
Title: Re: How to read Windows MFT
Post by: aw27 on September 20, 2017, 04:40:29 PM
aw27, .FOR-.ENDFOR is fixed, will be soon(maybe today) uploaded, with some of other fixes and polishes,
it'll come shiny and functional, better than ever ;)
:t
Title: Re: How to read Windows MFT
Post by: jj2007 on September 20, 2017, 04:51:45 PM
Then you play with the project properties as you wish.

Yeah, this is the fascinating part: trial and error, and googling if somebody has seen the same absurd error messages. If you have too much free time, start C/C++ programming :badgrin:
Title: Re: How to read Windows MFT
Post by: clamicun on September 20, 2017, 07:50:30 PM
Glad I started this topic "How to read Windows MFT"
47 replies from members who understand 'lightyears' more than me.
Lots to read and to learn.
I even might be able to read the MFT at the end.

Thank you all.
Title: Re: How to read Windows MFT
Post by: habran on September 20, 2017, 08:07:45 PM
Hi JJ, here is a  C/C++ project with everything included and built hexDump.exe
it can be built as 32bit or 64bit 8)

Title: Re: How to read Windows MFT
Post by: jj2007 on September 20, 2017, 08:31:11 PM
Hi JJ, here is a  C/C++ project with everything included and built hexDump.exe
it can be built as 32bit or 64bit 8)

Thanks :bgrin:
Code: [Select]
1>------ Build started: Project: hexdump, Configuration: Debug Win32 ------
1>Project file contains ToolsVersion="12.0". This toolset may be unknown or missing, in which case you may be able to resolve this by installing the appropriate version of MSBuild, or the build may have been forced to a particular ToolsVersion for policy reasons. Treating the project as if it had ToolsVersion="4.0". For more information, please see http://go.microsoft.com/fwlink/?LinkId=291333.
1>C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.Targets(518,5): error MSB8008: Specified platform toolset (v120) is not installed or invalid. Please make sure that a supported PlatformToolset value is selected.
========== Build: 0 succeeded, 1 failed, 0 up-to-date, 0 skipped ==========

OK, so that compiler was too old, it seems :icon_mrgreen:

Trying again with VS 2015, I see the error box below - your project is too old, Habran :eusa_naughty:

But, miracles happen, after slightly less than two minutes, VC succeeds in building this big project :t

My advice: Use UAsm - much less code, it loads in under 0.2 seconds and builds in about 0.3 seconds, and the resulting exe is much shorter :bgrin:

include \masm32\MasmBasic\MasmBasic.inc
  Init
  Open "I", #1, "\\.\PhysicalDrive0"
  deb 4, "Handle", eax, $Err$()
  Let esi=Input$(#1, 200h)
  Close
  Inkey HexDumpHeader$, HexDump$(esi, 200h, 0)
EndOfCode
Title: Re: How to read Windows MFT
Post by: habran on September 20, 2017, 08:44:15 PM
Quote
OK, so that compiler was too old, it seems :icon_mrgreen:

Trying again with VS 2015, I see the error box below - your project is too old, Habran :eusa_naughty:
I know, I am also old but still fully functional ;)
MSVS can easily upgrade to a newer project but not backwards, so it is better to upload an older project than a newer one
I prefer MSVS 2013 because it creates smaller exe :t
Anyhow, you succeeded to build it, didn't you? 8)
Title: Re: How to read Windows MFT
Post by: aw27 on September 20, 2017, 08:54:19 PM
My advice: Use UAsm :bgrin:
include \masm32\MasmBasic\MasmBasic.inc
:greenclp:

Quote
resulting exe is much shorter :bgrin:
Only 28KB, I will add. Not bigger, because BASIC MASM is there to reduce it. :exclaim:
Title: Re: How to read Windows MFT
Post by: felipe on September 20, 2017, 10:40:40 PM
Glad I started this topic "How to read Windows MFT"
47 replies from members who understand 'lightyears' more than me.
Lots to read and to learn.
I even might be able to read the MFT at the end.

Thank you all.

 :biggrin:
Title: Re: How to read Windows MFT
Post by: clamicun on September 23, 2017, 03:58:50 AM
sinsi,
trying to get your program 1m.asm running.

What does this mean?

"Usage: readdrive drive: filename"

Whatever I write, it gives me "Error opening D:"
Title: Re: How to read Windows MFT
Post by: sinsi on September 23, 2017, 06:52:00 AM
From what I remember, I used this program to copy a CD/DVD. Never tried it on a hard drive, maybe that's the problem?
Also I noticed that D: is hard coded in the error message, meaning if you try and open C: or E: it will still say D:  :icon_redface:

The original program was called readdrive.exe, testing out different buffer sizes gave me 1m.exe (uses a 1MB buffer)
Usage would be "1m D: c:\copy_of_cd.iso"
Title: Re: How to read Windows MFT
Post by: clamicun on September 23, 2017, 11:25:55 PM
sinsi,
thank you ... I get it now
Title: Re: How to read Windows MFT
Post by: clamicun on September 27, 2017, 09:57:01 PM
Good day Siekmanski,
Your example RawSectorsReaderWriter seems to be the most interesting.
But SD_Lezer.asm doesn't compile.
It gives me dozens of errors.

include     mijn_macros.inc is one of them.

What to do, please ?
Title: Re: How to read Windows MFT
Post by: Siekmanski on September 28, 2017, 01:50:24 AM
You're right,

The "mijn_macros.inc" was missing.
Included a make.bat file, you have to change the "SET PATH=D:\masm32\bin\" to C:\ if necessary.

Marinus
Title: Re: How to read Windows MFT
Post by: clamicun on September 28, 2017, 08:49:45 AM
Marinus,
yes, many thanks.

You obviously didn't check it.
Gives me 4 errors.

ASPI_SPTL.ASM
Line 429   .elseif

ASPI_SPTL.ASM
Line 443  invoke  sprintf

SD_Lezer.ASM
Line 111  invoke  sprintf

SD_Lezer.ASM
Line 554  invoke  sprintf

But no problem. It compiles now and is very well done.
Title: Re: How to read Windows MFT
Post by: Siekmanski on September 28, 2017, 01:54:05 PM
Quote
You obviously didn't check it.

I did. No errors here.

d:\RadASM2212\Masm\Projects\SDlezer engels\SD_lezer>SET FILE=SD_Lezer

d:\RadASM2212\Masm\Projects\SDlezer engels\SD_lezer>SET PATH=D:\masm32\bin\
Microsoft (R) Windows (R) Resource Compiler, Version 5.00.1823.1 - Build 1823
Copyright (C) Microsoft Corp. 1985-1998. All rights reserved.

Using codepage 1252 as default
Creating rsrc.RES
RC: RCPP -CP 1252 -f d:\RadASM2212\Masm\Projects\SDlezer engels\SD_lezer\RCa0802
8 -g d:\RadASM2212\Masm\Projects\SDlezer engels\SD_lezer\RDa08028 -DRC_INVOKED -
D_WIN32 -pc\:/ -E -I. -I .

rsrc.rc.
Writing DIALOG:1000,    lang:0x409,     size 1392.
Writing ICON:1, lang:0x409,     size 2216
Writing GROUP_ICON:102, lang:0x409,     size 20.
Writing 24:1,   lang:0x409,     size 533
Microsoft (R) Windows Resource To Object Converter Version 5.00.1736.1
Copyright (C) Microsoft Corp. 1992-1997. All rights reserved.

Microsoft (R) Macro Assembler Version 12.00.21005.1
Copyright (C) Microsoft Corporation.  All rights reserved.

 Assembling: SD_Lezer.asm
Microsoft (R) Incremental Linker Version 5.12.8078
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.

 Volume in drive D is DataSchijf
 Volume Serial Number is 642F-B3AB

 Directory of d:\RadASM2212\Masm\Projects\SDlezer engels\SD_lezer

27-09-2017  14:56            23.352 SD_Lezer.Asm
28-09-2017  05:40            15.360 SD_Lezer.exe
27-09-2017  21:51             1.032 SD_Lezer.rap
27-09-2017  17:41            20.090 SD_lezer.zip
               4 File(s)         59.834 bytes
               0 Dir(s)  2.620.570.652.672 bytes free
Title: Re: How to read Windows MFT
Post by: clamicun on September 28, 2017, 06:27:34 PM
I do not understand,
I unzip SD_lezer.zip, correct the path in MAKE.BAT, run MAKE.BAT and get those 4 errors.

Line 429
.elseif
can't work

The other 3 errors are sprintf instead of wsprintf

 
Title: Re: How to read Windows MFT
Post by: aw27 on September 28, 2017, 07:13:22 PM
You get stuck very easily.  :badgrin:

What about this sprintf equ <_imp__sprintf> ?
Title: Re: How to read Windows MFT
Post by: Siekmanski on September 28, 2017, 08:52:39 PM
You can try replacing this line "include \masm32\include\msvcrt.inc"
by this, "sprintf PROTO C :DWORD,:DWORD,:VARARG"
Title: Re: How to read Windows MFT
Post by: clamicun on September 30, 2017, 12:20:22 AM
"You get stuck very easily"

OK. I give up trying to understand it.
Thank you