Topic: How to read Windows MFT

clamicun

  • Member
  • **
  • Posts: 240
How to read Windows MFT
« on: September 17, 2017, 11:43:25 PM »
I want to access the Windows MFT (Master File Table) to speed up my search program, which uses
FindFirstFile,
FindNextFile

That is, directly read the Master File Table.
Obviously all professional search programs do that.

There is very little useful info in Google except for one example written in C. 

Conceptually, this looks like:

First step, you have to have and assert sufficient privileges to access the MFT.
Second step, you have to get a handle to a file/folder on the volume.
Third step, you have to call a Windows API (called DeviceIoControl) in a loop and read the entries.

Second step ... here is the access problem:
include \masm32\include\masm32rt.inc

.data
MFT_file db  "C:\$MFT",0
SVOLINFO db "System Volume Informationen",0

.code
Read_theMFT proc
    ; Try to open $MFT like an ordinary file: this is the call that fails
    INVOKE CreateFile, offset MFT_file, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM or FILE_ATTRIBUTE_HIDDEN, 0
    ; eax = INVALID_HANDLE_VALUE here; ask why
    INVOKE GetLastError
    ; Error 5 = Access denied
    ; of course denied ... you can't even see it on your disk.
    ret
Read_theMFT endp

Does someone have an idea how to read the MFT, or can someone give me more useful links?
Thanks
Clamicun


aw27

  • Member
  • ****
  • Posts: 700
Re: How to read Windows MFT
« Reply #1 on: September 18, 2017, 12:53:35 AM »
I don't think you need to invoke the kernel.
I think that you will get to the MFT from the boot record doing some calculations.
So, first stage is to get a handle to \\.\PhysicalDrive0 with CreateFile and read the boot sector.

clamicun

  • Member
  • **
  • Posts: 240
Re: How to read Windows MFT
« Reply #2 on: September 18, 2017, 09:50:32 AM »
Thanks a lot... That is not much of an answer!

"So, first stage is to get a handle to \\.\PhysicalDrive0 with CreateFile and read the boot sector."

I saw this 5 times searching with Google ...

Please, show me how to create a file using "\\.\PhysicalDrive0"

Visit http://www.atelierweb.com
This is just one more of lots of search programs 

aw27

  • Member
  • ****
  • Posts: 700
Re: How to read Windows MFT
« Reply #3 on: September 18, 2017, 02:15:50 PM »
Quote
Please, show me how to create a file using "\\.\PhysicalDrive0"
Your doubts transcend the imaginable for someone set to work on a recognizably difficult subject like the NTFS file system.  :dazzled:

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: How to read Windows MFT
« Reply #4 on: September 18, 2017, 04:56:35 PM »
Quote
Please, show me how to create a file using "\\.\PhysicalDrive0"

Code: [Select]
include \masm32\MasmBasic\MasmBasic.inc         ; download
  Init
  LenBoot=200h                                  ; one 512-byte sector
  Open "I", 1, "\\.\PhysicalDrive0"             ; raw disk device (needs administrator rights)
  deb 4, "Handle", eax, $Err$()                 ; show the handle and the GetLastError text
  Let esi=Input$(1, LenBoot)                    ; read the first sector, i.e. the MBR
  push esi
  xor ecx, ecx
  .Repeat                                       ; hex dump, 32 bytes per line
        test cl, 31
        .if Zero?
                Print CrLf$, Hex$(ecx), "  "
        .endif
        lodsb
        Print Hex$(al), " "
        inc ecx
  .Until ecx>=LenBoot
  pop esi
  FileWrite "BootSector.dat", esi, LenBoot      ; keep a copy of the sector on disk
  Close 1
  Inkey CrLf$, "bye"
EndOfCode


Output:
Code: [Select]
Handle
eax             208
$Err$()         Operazione completata.

00000000  33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00
00000020  BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00
00000040  B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74
00000060  26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13
00000080  9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE
000000A0  4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55
000000C0  AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75
000000E0  00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00
00000100  00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66
00000120  61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD 18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4
00000140  05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD 10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8
00000160  24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72
00000180  20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E
000001A0  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00 00 63 7B 9A BE 36 E8 A1 00 00 00 20
000001C0  21 00 27 FE FF FF 00 08 00 00 00 00 40 02 80 FE FF FF 07 FE FF FF 00 08 40 02 00 20 03 00 00 FE
000001E0  FF FF 07 FE FF FF 00 28 43 02 00 30 F5 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
« Last Edit: September 18, 2017, 06:02:54 PM by jj2007 »
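The "calculations" aw27 refers to, applied to the partition table in the dump above. This is an added C example, not code from the thread: it parses the four MBR entries and the 55 AA signature, then shows how an NTFS volume boot record gives the position of $MFT (bytes per sector, sectors per cluster and the $MFT start cluster sit at the standard offsets 0x0B, 0x0D and 0x30). The NTFS boot record here is constructed, since the thread only dumps the MBR.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One MBR partition-table entry, reduced to the fields the MFT search needs. */
typedef struct { uint8_t status, type; uint32_t lba_start, sectors; } mbr_part;
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t le64(const uint8_t *p) { return le32(p) | (uint64_t)le32(p + 4) << 32; }

/* Bytes 0x1BE..0x1FF (partition table + signature) copied from the dump posted above. */
static const uint8_t mbr_tail[66] = {
    0x00,0x20,0x21,0x00,0x27,0xFE,0xFF,0xFF,0x00,0x08,0x00,0x00,0x00,0x00,0x40,0x02,
    0x80,0xFE,0xFF,0xFF,0x07,0xFE,0xFF,0xFF,0x00,0x08,0x40,0x02,0x00,0x20,0x03,0x00,
    0x00,0xFE,0xFF,0xFF,0x07,0xFE,0xFF,0xFF,0x00,0x28,0x43,0x02,0x00,0x30,0xF5,0x37,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x55,0xAA };

/* Rebuild a 512-byte sector: boot code zeroed (constructed), table and signature from the page. */
void build_mbr(uint8_t sec[512]) { memset(sec, 0, 512); memcpy(sec + 0x1BE, mbr_tail, 66); }

/* Parse the four 16-byte entries; returns how many are in use, or -1 if the 55 AA signature is missing. */
int parse_mbr(const uint8_t sec[512], mbr_part out[4]) {
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -1;
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + 0x1BE + 16 * i;
        out[i].status = e[0]; out[i].type = e[4];          /* 0x80 = active, 0x07 = NTFS */
        out[i].lba_start = le32(e + 8); out[i].sectors = le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* Byte offset of $MFT from the start of an NTFS volume, read from its boot record (VBR):
   bytes/sector at 0x0B, sectors/cluster at 0x0D, $MFT start cluster (LCN) at 0x30. Returns 0 if not NTFS. */
uint64_t ntfs_mft_offset(const uint8_t vbr[512]) {
    if (memcmp(vbr + 3, "NTFS    ", 8) != 0) return 0;
    uint16_t bps = (uint16_t)(vbr[0x0B] | vbr[0x0C] << 8);
    return le64(vbr + 0x30) * vbr[0x0D] * bps;
}

/* Constructed NTFS VBR (not from the thread): 512 B/sector, 8 sectors/cluster, $MFT at cluster 0xC0000. */
void build_vbr(uint8_t vbr[512]) {
    memset(vbr, 0, 512); memcpy(vbr + 3, "NTFS    ", 8);
    vbr[0x0C] = 0x02; vbr[0x0D] = 8; vbr[0x32] = 0x0C; vbr[510] = 0x55; vbr[511] = 0xAA;
}
int main(void) {
    uint8_t mbr[512], vbr[512]; mbr_part p[4];
    build_mbr(mbr); build_vbr(vbr);
    for (int i = 0, n = parse_mbr(mbr, p); i < n; i++)
        printf("entry %d: type 0x%02X LBA %u, %u sectors\n", i, p[i].type, p[i].lba_start, p[i].sectors);
    printf("$MFT on entry 2 at disk byte %llu\n", (unsigned long long)((uint64_t)p[2].lba_start * 512 + ntfs_mft_offset(vbr)));
    return 0;
}
```

On a live disk the VBR is sector lba_start read through the same \\.\PhysicalDrive0 handle, and reading it, like the MBR read above, needs the administrator rights discussed later in the thread.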

Siekmanski

  • Member
  • *****
  • Posts: 1092
Re: How to read Windows MFT
« Reply #5 on: September 18, 2017, 05:43:08 PM »
Have a look at https://www.mikrocontroller.net/
There are a lot of people with knowledge of file systems and reading the MFT.
And it is in your language.

You can also use the "SCSI Pass Through" Interface to read and write sectors.

In this thread are some examples to get you started, http://masm32.com/board/index.php?topic=3244.0

clamicun

  • Member
  • **
  • Posts: 240
Re: How to read Windows MFT
« Reply #6 on: September 18, 2017, 07:57:47 PM »
Thank you all-
I'll check it out and probably ask again.

clamicun

  • Member
  • **
  • Posts: 240
Re: How to read Windows MFT
« Reply #7 on: September 18, 2017, 07:59:57 PM »
aw27
"on a recognized difficult subject like the NTFS file system"
Think you are very right.

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: How to read Windows MFT
« Reply #8 on: September 19, 2017, 12:29:55 AM »
I decided that HexDump$ would be a handy new feature for assembler programmers:

Code: [Select]
include \masm32\MasmBasic\MasmBasic.inc
  Init
  Open "I", #1, "\\.\PhysicalDrive0"
  deb 4, "Handle", eax, $Err$()
  Let esi=Input$(#1, 200h)
  Close
  Inkey HexDump$(esi)
EndOfCode

Output:
Code: [Select]
Handle
eax             208
$Err$()         The operation completed successfully.

00628C38  33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00 3ÀŽÐ¼.|ŽÀŽØ¾.|¿.
00628C48  06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00 .¹..üó¤Ph..Ëû¹..
00628C58  BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10 ½¾.€~..|..…..ƒÅ.
00628C68  E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00 âñÍ.ˆV.UÆF..ÆF..
00628C78  B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09 ´A»ªUÍ.]r.ûUªu.
00628C88  F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74 ÷Á..t.þF.f`€~..t
00628C98  26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00 &fh....fÿv.h..h.
00628CA8  7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13 |h..h..´BŠV.‹ôÍ.
00628CB8  9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00 ŸƒÄ.žë.¸..».|ŠV.
00628CC8  8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE Šv.ŠN.Šn.Í.fas.þ
00628CD8  4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84 N.u.€~.€.„Š.²€ë„
00628CE8  55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55 U2äŠV.Í.]랁>þ}U
00628CF8  AA 75 6E FF 76 00 E8 8D 00 75 17 FA B0 D1 E6 64 ªunÿv.è.u.ú°Ñæd
00628D08  E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75 èƒ.°ßæ`è|.°ÿædèu
00628D18  00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54 .û¸.»Í.f#Àu;fûT
00628D28  43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00 CPAu2ù..r,fh.».
00628D38  00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 .fh....fh....fSf
00628D48  53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66 SfUfh....fh.|..f
00628D58  61 68 00 00 07 CD 1A 5A 32 F6 EA 00 7C 00 00 CD ah...Í.Z2öê.|..Í
00628D68  18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4 . ·.ë. ¶.ë. µ.2ä
00628D78  05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD ...‹ð¬<.t.»..´.Í
00628D88  10 EB F2 F4 EB FD 2B C9 E4 64 EB 00 24 02 E0 F8 .ëòôëý+Éädë.$.àø
00628D98  24 02 C3 49 6E 76 61 6C 69 64 20 70 61 72 74 69 $.ÃInvalid parti
00628DA8  74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72 tion table.Error
00628DB8  20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69  loading operati
00628DC8  6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E ng system.Missin
00628DD8  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74 g operating syst
00628DE8  65 6D 00 00 00 63 7B 9A BE 36 E8 A1 00 00 00 20 em...c{š¾6è¡...
00628DF8  21 00 27 FE FF FF 00 08 00 00 00 00 40 02 80 FE !.'þÿÿ......@.€þ
00628E08  FF FF 07 FE FF FF 00 08 40 02 00 20 03 00 00 FE ÿÿ.þÿÿ..@.. ...þ
00628E18  FF FF 07 FE FF FF 00 28 43 02 00 30 F5 37 00 00 ÿÿ.þÿÿ.(C..0õ7..
00628E28  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............Uª

If you see "access denied", tell the OS "I am an assembler programmer, you cannot stop me" :icon_mrgreen:

aw27

  • Member
  • ****
  • Posts: 700
Re: How to read Windows MFT
« Reply #9 on: September 19, 2017, 02:24:53 AM »
Quote
If you see "access denied", tell the OS "I am an assembler programmer, you cannot stop me" :icon_mrgreen:
How do you specify in Visual Basic for Masm that you want to open in shared mode?  :greensml:

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: How to read Windows MFT
« Reply #10 on: September 19, 2017, 03:00:49 AM »
You are confused, José - MasmBasic is inspired by GfaBasic, not by Visual Basic (which is a fine dialect btw, much underrated by the arrogant coders who produce crap such as Adobe Flash or Visual Studio).

As to shared mode, what would change if you could specify that mode?

aw27

  • Member
  • ****
  • Posts: 700
Re: How to read Windows MFT
« Reply #11 on: September 19, 2017, 03:10:41 AM »
Quote
As to shared mode, what would change if you could specify that mode?
ASM programmers will never try to open in exclusive mode a device that is used across the system by multiple programs and claim that the OS can't stop them. It can!  :badgrin:

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: How to read Windows MFT
« Reply #12 on: September 19, 2017, 03:39:37 AM »
Wow :t

OK, specifically for you I attach a version that opens the device in shared mode 8)

aw27

  • Member
  • ****
  • Posts: 700
Re: How to read Windows MFT
« Reply #13 on: September 19, 2017, 06:35:22 PM »
Eek  :dazzled:
28 KB for a basic (or BASIC MASM?) console program. Is it the debug release?

I made an equivalent C++ program for 6KB (including MANIFEST for requireAdministrator).  :badgrin:
This without any tricks, with tricks I can reduce it to less than 3KB. :badgrin:
Actually, to 1536 bytes if I remove the MANIFEST. :badgrin:

Code: [Select]

#include <stdio.h>
#include <Windows.h>

// Print len bytes at addr, 16 per line, with an ASCII column on the right.
void hexDump(void *addr, int len) {
    int i;
    unsigned char buff[17];
    unsigned char *pc = (unsigned char*)addr;

    if (len <= 0) {
        return;
    }

    for (i = 0; i < len; i++) {
        if ((i % 16) == 0) {
            if (i != 0)
                printf("  %s\n", buff);
            printf("  %04x ", i);
        }

        printf(" %02x", pc[i]);

        if ((pc[i] < 0x20) || (pc[i] > 0x7e))
            buff[i % 16] = '.';
        else
            buff[i % 16] = pc[i];
        buff[(i % 16) + 1] = '\0';
    }

    while ((i % 16) != 0) {     // pad the last line so the ASCII column lines up
        printf("   ");
        i++;
    }

    printf("  %s\n", buff);
}

int main()
{
    unsigned char buff[512];
    DWORD dwBytesRead;
    // The L"..." literal compiles only when UNICODE is defined (CreateFile maps to CreateFileW);
    // otherwise call CreateFileW explicitly or pass a narrow string.
    HANDLE hFile = CreateFile(L"\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
        printf("Can't open MBR. Are you launching as Administrator?");
    else
    {
        if (!ReadFile(hFile, buff, sizeof buff, &dwBytesRead, NULL))
            printf("Error reading MBR");
        else
        {
            hexDump(buff, sizeof(buff));
        }
        CloseHandle(hFile);     // only close a handle that was actually opened
    }

    getchar();
    return 0;
}


I suspect that even in Delphi I could do it for less than 28KB, and Delphi does not use the C runtime by default.  :lol:

jj2007

  • Member
  • *****
  • Posts: 7548
  • Assembler is fun ;-)
    • MasmBasic
Re: How to read Windows MFT
« Reply #14 on: September 19, 2017, 08:30:04 PM »
Quote
including MANIFEST for requireAdministrator

Congrats, so you finally realised that shared access had nothing to do with the problem :bgrin:

M$ doesn't like your code:
Code: [Select]
Microsoft (R) C/C++ Optimizing Compiler Version 19.00.24215.1 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

Tmp.cpp
c:\program files (x86)\microsoft visual studio 10.0\vc\include\codeanalysis\sourceannotations.h(78): warning C4467: usage of ATL attributes is deprecated
Tmp.cpp(42): error C2664: 'HANDLE CreateFileA(LPCSTR,DWORD,DWORD,LPSECURITY_ATTRIBUTES,DWORD,DWORD,HANDLE)': cannot convert argument 1 from 'const wchar_t [19]' to 'LPCSTR'
Tmp.cpp(42): note: Types pointed to are unrelated; conversion requires reinterpret_cast, C-style cast or function-style cast

GCC has different complaints:
Code: [Select]
Tmp.cpp: In function 'int main()':
Tmp.cpp:42:134: error: cannot convert 'const wchar_t*' to 'LPCSTR {aka const char*}' for argument '1' to 'void* CreateFileA(LPCSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE)'
  HANDLE hFile = CreateFile(L"\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL);