
How to read Windows MFT


clamicun:
I want to access the Windows MFT (Master File Table) to speed up my search program, which uses
FindFirstFile,
FindNextFile

That is, directly read the Master File Table.
Obviously all professional search programs do that.

There is very little useful info in Google except for one example written in C. 

Conceptually - this looks like:
   
First step, you have to have and assert sufficient privileges to access the MFT.
Second step, you have to get a handle to a file/folder on the volume.
Third step, you have to call a Windows API (called DeviceIOControl) in a loop and read the entries.

Second step ... here is the access problem:
include \masm32\include\masm32rt.inc

.data
MFT_file db  "C:\$MFT",0
SVOLINFO db "System Volume Informationen",0

Read_theMFT proc
; try to open $MFT like an ordinary file
INVOKE CreateFile,offset MFT_file,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM or FILE_ATTRIBUTE_HIDDEN,0
INVOKE GetLastError
;Error 5 = Access denied
;of course denied ... you can't even see it on your disk.

ret
Read_theMFT endp

Does someone have an idea on how to read the MFT, or can someone give me more useful links?
Thanks
Clamicun

aw27:
I don't think you need to invoke the kernel.
I think that you will get to the MFT from the boot record doing some calculations.
So, first stage is to get a handle to \\.\PhysicalDrive0 with CreateFile and read the boot sector.

clamicun:
Thanks a lot... That is not much of an answer!

"So, first stage is to get a handle to \\.\PhysicalDrive0 with CreateFile and read the boot sector."

I saw this 5 times searching with Google ...

Please, show me how to create a file using "\\.\PhysicalDrive0"

Visit http://www.atelierweb.com
This is just one more of lots of search programs

aw27:

--- Quote from: clamicun on September 18, 2017, 09:50:32 AM ---Please, show me how to create a file using  "\\.\PhysicalDrive0"

--- End quote ---
Your doubts transcend the imaginable for someone set to work on a subject recognized as difficult, like the NTFS file system.  :dazzled:

jj2007:

--- Quote from: clamicun on September 18, 2017, 09:50:32 AM ---Please, show me how to create a file using  "\\.\PhysicalDrive0"
--- End quote ---

include \masm32\MasmBasic\MasmBasic.inc         ; download
  Init
  LenBoot=200h                                  ; one 512-byte sector
  Open "I", 1, "\\.\PhysicalDrive0"             ; open the raw disk for input as file #1 (needs admin rights)
  deb 4, "Handle", eax, $Err$()                 ; show the handle and the last-error text
  Let esi=Input$(1, LenBoot)                    ; read the boot sector into a buffer
  push esi
  xor ecx, ecx
  .Repeat                                       ; hex dump, 32 bytes per line
        test cl, 31
        .if Zero?
                Print CrLf$, Hex$(ecx), "  "
        .endif
        lodsb
        Print Hex$(al), " "
        inc ecx
  .Until ecx>=LenBoot
  pop esi
  FileWrite "BootSector.dat", esi, LenBoot      ; keep a copy of the sector on disk
  Close 1
  Inkey CrLf$, "bye"
EndOfCode

Output:
--- Code: ---Handle
eax             208
$Err$()         Operazione completata.

00000000  33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00
00000020  BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00
00000040  B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74
00000060  26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13
00000080  9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE
000000A0  4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55
000000C0  AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75
000000E0  00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00
00000100  00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66
00000120  61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4
00000140  05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8
00000160  24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72
00000180  20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E
000001A0  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 63 7B 9A BE 36 E8 A1 00 00 00 20
000001C0  21 00 27 FE FF FF 00 08 00 00 00 00 40 02 80 FE FF FF 07 FE FF FF 00 08 40 02 00 20 03 00 00 FE
000001E0  FF FF 07 FE FF FF 00 28 43 02 00 30 F5 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
--- End code ---
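The "some calculations" aw27 mentions, carried out on that dump as an added Python example (not code from this thread): the sector jj2007 read is the MBR, whose partition table at offset 0x1BE gives each partition's starting sector, and the NTFS boot sector at the start of a partition then gives the cluster number of $MFT, from which the absolute disk offset follows. The partition table below is transcribed from the dump above; the NTFS boot sector is constructed, since the thread shows none, and opening \\.\PhysicalDrive0 for real still requires administrator rights.

```python
import struct

# Partition table (offsets 0x1BE-0x1FF) transcribed from the boot-sector dump
# jj2007 posted above; the 446 bytes of boot code in front of it are zeroed here.
MBR = bytes(446) + bytes.fromhex(
    "00202100 27FEFFFF 00080000 00004002"   # entry 1: type 0x27, starts at LBA 2048
    "80FEFFFF 07FEFFFF 00084002 00200300"   # entry 2: bootable (0x80), type 0x07 NTFS
    "00FEFFFF 07FEFFFF 00284302 0030F537"   # entry 3: type 0x07 NTFS
    + "00" * 16 + "55AA")                    # entry 4 unused, then the 55 AA signature

def build_ntfs_vbr():
    """Constructed NTFS volume boot record (hypothetical; the thread shows none):
    512-byte sectors, 8 sectors per cluster, $MFT at LCN 0xC0000, 1 KiB records."""
    vbr = bytearray(512)
    vbr[0:11] = b"\xEB\x52\x90NTFS    "                 # jump + OEM id
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)          # bytes/sector, sectors/cluster
    struct.pack_into("<QQQb", vbr, 0x28, 204799, 0xC0000, 2, -10)  # sectors, MFT, MFTMirr, rec
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)

def parse_mbr_partitions(sector):
    """Return the used entries of a classic MBR partition table."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)
        if ptype:                                       # type 0 = empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return parts

def ntfs_mft_location(vbr):
    """(byte offset of $MFT inside the volume, size of one MFT file record)."""
    if vbr[3:11] != b"NTFS    " or vbr[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    mft_lcn, _mirr_lcn, rec = struct.unpack_from("<QQb", vbr, 0x30)
    cluster = bps * spc
    record_size = (1 << -rec) if rec < 0 else rec * cluster  # negative value = log2 of bytes
    return mft_lcn * cluster, record_size

def mft_disk_offset(mbr, vbr, part_index, disk_sector=512):
    """Absolute byte offset of $MFT on the physical disk for one NTFS partition."""
    part = next(p for p in parse_mbr_partitions(mbr) if p["index"] == part_index)
    if part["type"] != 0x07:
        raise ValueError("partition entry %d is not type 0x07 (NTFS)" % part_index)
    return part["start_lba"] * disk_sector + ntfs_mft_location(vbr)[0]

if __name__ == "__main__":
    print(parse_mbr_partitions(MBR))
    print("$MFT of entry 2 lies at disk byte", mft_disk_offset(MBR, build_ntfs_vbr(), 1))
```

On a GPT disk the MBR is only protective (one entry of type 0xEE), so the partition starts must come from the GPT entries instead; the NTFS part of the calculation is unchanged.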
