Author Topic: How to read Windows MFT  (Read 1394 times)

habran

  • Member
  • *****
  • Posts: 1116
    • uasm
Re: How to read Windows MFT
« Reply #30 on: September 19, 2017, 10:08:26 PM »
In my opinion only Windows 7 was good M$ ;)
Cod-Father

aw27

  • Member
  • ****
  • Posts: 855
  • Let's Make ASM Great Again!
Re: How to read Windows MFT
« Reply #31 on: September 19, 2017, 10:36:14 PM »
Is it? My M$ C compiler is version 19.00.24215.1, 21st century. Besides, GCC uses another default. Aren't C compilers supposed to be "compatible", whatever that means...?
I was talking about the IDE; from the command line you need to specify /D "_UNICODE" /D "UNICODE"

aw27

  • Member
  • ****
  • Posts: 855
  • Let's Make ASM Great Again!
Re: How to read Windows MFT
« Reply #32 on: September 19, 2017, 10:41:28 PM »
aw27,
I have no idea what is wrong with my system, there are quite a few issues with it; I was not even able to install MSVS 2017 because of some administrator's bull**it, however, other people had the same problem.
However, I am happy for now with MSVS 2013 Community :t
I never used Windows 8.xx; I keep them in Virtual Boxes, as well as all OS since Windows 3.1 and DOS 6.0 onwards, for tests only. I have licenses for all of them since the time I was a subscriber of MSDN and it was worthwhile, not now anymore.

jj2007

  • Member
  • *****
  • Posts: 7756
  • Assembler is fun ;-)
    • MasmBasic
Re: How to read Windows MFT
« Reply #33 on: September 19, 2017, 10:49:44 PM »
from the command line you need to specify /D "_UNICODE" /D "UNICODE"

More fun with M$ :t
There is even a dedicated SOF page: Why both UNICODE and _UNICODE?

Apropos: will it solve the little "error LNK2019: unresolved external symbol ___report_rangecheckfailure" problem, or does that require yet another magic trick?

nidud

  • Member
  • *****
  • Posts: 1411
    • https://github.com/nidud/asmc
Re: How to read Windows MFT
« Reply #34 on: September 19, 2017, 11:04:46 PM »
 :biggrin:

Code:
;
; http://masm32.com/board/index.php?topic=6546.msg70220#msg70220
;
; Build:
;
;  A 32-bit: asmc -pe -D__PE__ test.asm
;  W 32-bit: asmc -ws -pe -D__PE__ -D_UNICODE test.asm
;  A 64-bit: asmc -pe -D__PE__ -D_WIN64 test.asm
;  W 64-bit: asmc -ws -pe -D__PE__ -D_UNICODE -D_WIN64 test.asm
;
include stdio.inc
include conio.inc
include windows.inc
include tchar.inc

ifdef _UNICODE
WC equ <ax>
else
WC equ <al>
endif

.code

hexDump proc uses RSI RDI RBX address:ptr, len:SINT

    local buff[17]:TCHAR

    .repeat

        .if len <= 0
            .break
        .endif

        .for (ebx=0, RSI=address: ebx < len: ebx++)

            .if !(ebx & 7)
                .if (ebx != 0)
                    _tprintf("  %s\n", &buff)
                .endif
                _tprintf("  %04x ", ebx)
            .endif

            lodsb
            movzx edi,al

            _tprintf(" %02x", edi)

            mov edx,ebx
            and edx,7
            mov eax,edi
            lea RCX,buff
            .if ((edi < 0x20) || (edi > 0x7e))
                mov TCHAR ptr [RCX+RDX*TCHAR],'.'
            .else
                mov [RCX+RDX*TCHAR],WC
            .endif
            xor eax,eax
            mov [RCX+RDX*TCHAR+TCHAR],WC
        .endf

        .while (ebx & 7)
            _tprintf("   ")
            inc ebx
        .endw
        _tprintf("  %s\n", &buff)

    .until 1
    ret

hexDump endp

_tmain proc

    local buff[512]:byte
    local dwBytesRead:dword
    local hFile:HANDLE

    mov hFile,CreateFile("\\\\.\\PhysicalDrive0", GENERIC_READ, FILE_SHARE_READ,
            NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL)

    .if (hFile == INVALID_HANDLE_VALUE)
        _tprintf("Can't open MBR. Are you launching as Administrator?")
    .else
        .if (!ReadFile(hFile, &buff, sizeof(buff), &dwBytesRead, NULL))
            _tprintf("Error reading MBR")
        .else
            hexDump(&buff, sizeof(buff))
        .endif
    .endif

    CloseHandle(hFile)
    _getch()
    xor eax,eax
    ret

_tmain endp

    end _tstart

EDIT: added -ws switch for Unicode.
« Last Edit: September 20, 2017, 10:57:27 AM by nidud »

aw27

  • Member
  • ****
  • Posts: 855
  • Let's Make ASM Great Again!
Re: How to read Windows MFT
« Reply #35 on: September 20, 2017, 12:23:55 AM »
@JJ,
cl /GS- /TC /GL /analyze- /W3 /Gy /Zc:wchar_t /Zi /Gm- /O1 /fp:precise /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oy- /Oi /MD /nologo /Fe /Fombr.obj mbr.cpp /link /OUT:mbr.exe /ENTRY:main /SUBSYSTEM:CONSOLE /DYNAMICBASE:NO /FIXED /MACHINE:X86 /OPT:REF /SAFESEH:NO /INCREMENTAL:NO kernel32.lib ucrt.lib

Builds a 3 KB exe.

I am sure you will not get it to work, as usual. :badgrin:

hutch--

  • Administrator
  • Member
  • ******
  • Posts: 4934
  • Mnemonic Driven API Grinder
    • The MASM32 SDK
Re: How to read Windows MFT
« Reply #36 on: September 20, 2017, 12:36:09 AM »
 :biggrin:

aw,
Quote
cl /GS- /TC /GL /analyze- /W3 /Gy /Zc:wchar_t /Zi /Gm- /O1 /fp:precise /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_UNICODE" /D "UNICODE" /errorReport:prompt /WX- /Zc:forScope /Gd /Oy- /Oi /MD /nologo /Fe /Fombr.obj mbr.cpp /link /OUT:mbr.exe /ENTRY:main /SUBSYSTEM:CONSOLE /DYNAMICBASE:NO /FIXED /MACHINE:X86 /OPT:REF /SAFESEH:NO /INCREMENTAL:NO kernel32.lib ucrtd.lib

Now you know why I write in MASM.  :P
hutch at movsd dot com
http://www.masm32.com    :biggrin:  :biggrin:

Siekmanski

  • Member
  • *****
  • Posts: 1145
Re: How to read Windows MFT
« Reply #37 on: September 20, 2017, 12:59:56 AM »
Because we are now at low-level disk access routines, I'll post my SPTI disk routines.
For a microcontroller project I needed to have raw access to USB sticks and SD cards.
Made this utility (10 years ago) for myself to read and write data as raw sectors from them in Windows using SPTI.
You can do really low-level stuff with this....... (even reading CD-TEXT from an AUDIO CD if you want to. 8))
The program is now only enumerating exchangeable media types.
Change the sources to use it for other storage media such as hard disks etc.
Be careful, don't write sectors unless you know what you're doing.

For complete sources: see Reply #58
« Last Edit: September 28, 2017, 01:52:09 AM by Siekmanski »

aw27

  • Member
  • ****
  • Posts: 855
  • Let's Make ASM Great Again!
Re: How to read Windows MFT
« Reply #38 on: September 20, 2017, 01:02:43 AM »
Now you know why I write in MASM.  :P
I don't use the command line much; it is just for JJ because he can't open the IDE.  ;)

jj2007

  • Member
  • *****
  • Posts: 7756
  • Assembler is fun ;-)
    • MasmBasic
Re: How to read Windows MFT
« Reply #39 on: September 20, 2017, 02:41:50 AM »
I don't use the command line much; it is just for JJ because he can't open the IDE.  ;)

I can open the Visual Crap "IDE", but why should I waste my time if I can do it in assembler? Besides, you should have posted the whole "project" with *.sln etc, otherwise the dumb "IDE" will not know what to do with your code :biggrin:

aw27

  • Member
  • ****
  • Posts: 855
  • Let's Make ASM Great Again!
Re: How to read Windows MFT
« Reply #40 on: September 20, 2017, 04:11:24 AM »
@habran,

Here is your order  :t

Code:
; Requires UASM

.386
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE
OPTION LITERALS:ON

HANDLE typedef ptr

GENERIC_READ equ 80000000h
FILE_SHARE_READ equ 1
NULL equ 0
OPEN_EXISTING equ 3
FILE_FLAG_NO_BUFFERING equ 20000000h
INVALID_HANDLE_VALUE equ -1

includelib \masm32\lib\msvcrt.lib
printf proto C :ptr, :vararg
getchar proto C
includelib \masm32\lib\kernel32.lib
CreateFileA proto :ptr, :dword, :dword, :ptr, :dword, :dword, :HANDLE
ReadFile proto :HANDLE, :ptr, :dword, :ptr, :ptr
CloseHandle proto :HANDLE

.code

; Dump _len bytes at base as 16-byte lines: offset, hex column, ASCII column
hexDump proc private uses ebx esi  base:ptr, _len:sdword
    LOCAL buff[17]:byte

    mov esi, base

    .if _len<=0
        ret
    .endif

    .for (ebx=0 : ebx<_len : ebx++) ; Note: .for (ebx=0, ebx<_len, ebx++) crashes Assembler
        .if !(ebx & 0Fh)
            .if (ebx != 0)
                INVOKE printf, "  %s\n", addr buff
            .endif
            INVOKE printf, "  %04x ", ebx
        .endif
        INVOKE printf, " %02x", byte ptr [esi+ebx]

        mov eax, ebx
        and eax, 0Fh

        .if (byte ptr [esi+ebx]<20h) || (byte ptr [esi+ebx]>7eh)
            mov byte ptr buff[eax], '.'
        .else
            mov dl, byte ptr [esi+ebx]
            mov byte ptr buff[eax], dl
        .endif

        inc eax
        mov byte ptr buff[eax], 0
    .endfor

    ; ebx == _len here. Pad a short last line with 3 blanks per missing byte
    ; (the width of " %02x") so the ASCII column stays aligned.
    .while (ebx & 0Fh)
        INVOKE printf, "   "
        inc ebx
    .endw
    INVOKE printf, "  %s\n", addr buff

    ret
hexDump endp

main proc
    LOCAL buff[512]:byte
    LOCAL dwBytesRead : dword
    LOCAL hFile : HANDLE

    INVOKE CreateFileA, "\\.\PhysicalDrive0",  GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL ; When/if UASM considers \ an escape char filename has to be changed to  \\\\.\\PhysicalDrive0

    .if eax==INVALID_HANDLE_VALUE
        INVOKE printf, "Can't open MBR. Are you launching as Administrator?"
        ret
    .else
        mov hFile, eax
        INVOKE ReadFile, hFile, addr buff, sizeof buff, addr dwBytesRead, NULL
        .if eax==0
            INVOKE printf, "Error reading MBR"
        .else
            INVOKE hexDump, addr buff, sizeof buff
        .endif
    .endif
    INVOKE CloseHandle, hFile
    INVOKE getchar
    ret

main endp

end main
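Added example (mine, not code from any of the posts in this thread): a C version of the sector-0 dumper from replies #34 and #40 that also decodes what it has read. It assumes the device path is given on the command line (\\.\PhysicalDrive0 on Windows, run as Administrator; /dev/sda on Linux, run as root) and, with no argument, works on a constructed sample sector that is not real disk data. It opens the device read-only and issues exactly one 512-byte read; the offsets it decodes (partition table at 0x1BE, four 16-byte entries, 0x55AA at 0x1FE) are the standard MBR layout. A 512-byte dump never produces a short last line, so the dump loops above never exercise that case; this one pads a short line with three blanks per missing byte so the ASCII column stays aligned.

```c
/* mbr_dump.c - read sector 0 (the MBR) of a raw disk, hex-dump it and decode the
 * partition table.  Added example for this thread, not code from the posts.
 * Build: cl /W3 mbr_dump.c  or  cc -Wall -o mbr_dump mbr_dump.c
 * Run:   mbr_dump \\.\PhysicalDrive0 (Administrator) or ./mbr_dump /dev/sda (root);
 *        with no argument it dumps a constructed sample sector instead. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define SECTOR     512
#define PT_OFFSET  0x1BE   /* four 16-byte partition entries */
#define SIG_OFFSET 0x1FE   /* boot signature 0x55 0xAA */

struct mbr_part {
    uint8_t  status;     /* 0x80 active, 0x00 inactive; anything else is malformed */
    uint8_t  type;       /* 0x07 NTFS/exFAT, 0xEE protective GPT, 0x00 unused */
    uint32_t lba_start;  /* first sector, little-endian on disk */
    uint32_t sectors;    /* length in sectors, little-endian on disk */
};

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* One dump line of up to 16 bytes: offset, hex column, ASCII column.  A short
 * last line is padded with 3 blanks per missing byte (the width of " %02x") so
 * the ASCII column stays aligned.  out needs >= 80 bytes; returns the length. */
size_t hexdump_line(const uint8_t *p, size_t n, size_t offset, char *out, size_t outsz)
{
    size_t pos, i;
    if (n > 16) n = 16;
    pos = (size_t)snprintf(out, outsz, "  %04x ", (unsigned)offset);
    for (i = 0; i < 16 && pos < outsz; i++)
        pos += (size_t)(i < n ? snprintf(out + pos, outsz - pos, " %02x", p[i])
                              : snprintf(out + pos, outsz - pos, "   "));
    if (pos < outsz) pos += (size_t)snprintf(out + pos, outsz - pos, "  ");
    for (i = 0; i < n && pos + 1 < outsz; i++)
        out[pos++] = (p[i] < 0x20 || p[i] > 0x7e) ? '.' : (char)p[i];
    out[pos < outsz ? pos : outsz - 1] = '\0';
    return pos;
}

/* Decode the four primary entries; returns 1 if the 0x55AA signature is present. */
int mbr_parse(const uint8_t *sec, struct mbr_part parts[4])
{
    int i;
    for (i = 0; i < 4; i++) {
        const uint8_t *e = sec + PT_OFFSET + 16 * i;
        parts[i].status    = e[0];
        parts[i].type      = e[4];
        parts[i].lba_start = le32(e + 8);
        parts[i].sectors   = le32(e + 12);
    }
    return sec[SIG_OFFSET] == 0x55 && sec[SIG_OFFSET + 1] == 0xAA;
}

/* Read sector 0 of a raw device into buf; returns bytes read or -1.  Unbuffered
 * stdio, so exactly one 512-byte read at offset 0 is issued to the device. */
long read_sector0(const char *path, uint8_t *buf)
{
    FILE *f = fopen(path, "rb");
    size_t got;
    if (!f) return -1;
    setvbuf(f, NULL, _IONBF, 0);
    got = fread(buf, 1, SECTOR, f);
    fclose(f);
    return (long)got;
}

/* Constructed sample (not real disk data): jump stub, one active NTFS partition
 * at LBA 2048 of 0x100000 sectors, boot signature. */
void make_sample_mbr(uint8_t *sec)
{
    static const uint8_t entry0[16] = { 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                                        0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00 };
    memset(sec, 0, SECTOR);
    memcpy(sec, "\xEB\x63\x90" "MBR-TEST", 11);
    memcpy(sec + PT_OFFSET, entry0, 16);
    sec[SIG_OFFSET] = 0x55;
    sec[SIG_OFFSET + 1] = 0xAA;
}

int main(int argc, char **argv)
{
    static uint8_t sec[SECTOR];
    struct mbr_part parts[4];
    char line[96]; size_t off; int i;
    if (argc < 2) make_sample_mbr(sec);
    else if (read_sector0(argv[1], sec) != SECTOR) {
        fprintf(stderr, "cannot read sector 0 of %s (run elevated?)\n", argv[1]);
        return 1;
    }
    for (off = 0; off < SECTOR; off += 16) { hexdump_line(sec + off, SECTOR - off, off, line, sizeof line); puts(line); }
    printf("boot signature: %s\n", mbr_parse(sec, parts) ? "ok" : "MISSING");
    for (i = 0; i < 4; i++)
        if (parts[i].type)
            printf("part %d: status=%02x type=%02x lba=%u sectors=%u\n", i, parts[i].status,
                   parts[i].type, (unsigned)parts[i].lba_start, (unsigned)parts[i].sectors);
    return 0;
}
```

Two caveats worth knowing when you adapt the posted code instead: opening the device with FILE_FLAG_NO_BUFFERING, as replies #34 and #40 do, carries the documented requirement that the buffer be sector-aligned, which a stack array is not guaranteed to be, so this example goes through stdio instead; and when looking at a sector 0 you did not write yourself, the first things to check are the 0x55AA signature, a status byte that is neither 0x00 nor 0x80, and a partition whose LBA range overlaps another entry, since all three are cheap indicators of a damaged or tampered MBR.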

habran

  • Member
  • *****
  • Posts: 1116
    • uasm
Re: How to read Windows MFT
« Reply #41 on: September 20, 2017, 06:02:04 AM »
Thanks aw27, nicely done :t
Quote
.for (ebx=0 : ebx<_len : ebx++) ; Note: .for (ebx=0, ebx<_len, ebx++) crashes Assembler
The base form of '.for' is .for ( : : ); it must have two ':', otherwise it will not work.
We can use ',' for several initiators, but they must be separated with ':'.
 
Code:
.for (ebx=0,ecx=16 : ebx<_len : ebx++,ecx--)
However, as usual, you have pointed to an error in UASM, because it should not crash, it should give an error report. I'll look at it and fix it.
Cod-Father

habran

  • Member
  • *****
  • Posts: 1116
    • uasm
Re: How to read Windows MFT
« Reply #42 on: September 20, 2017, 06:18:01 AM »
Nice proggy Siekmanski :t
I would suggest you increase the size of the window and the characters :biggrin:
Cod-Father

Siekmanski

  • Member
  • *****
  • Posts: 1145
Re: How to read Windows MFT
« Reply #43 on: September 20, 2017, 07:48:18 AM »
 :biggrin:

You're right. It's an old proggy, made in the era of low resolution monitors.

habran

  • Member
  • *****
  • Posts: 1116
    • uasm
Re: How to read Windows MFT
« Reply #44 on: September 20, 2017, 08:40:34 AM »
aw27, .FOR-.ENDFOR is fixed and will be uploaded soon (maybe today), with some other fixes and polishes;
it'll come shiny and functional, better than ever ;)
Cod-Father