Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

IOCTL for MBR

Amit_Kulkarni-2 Member Posts: 249
Hi All,

We are writing a driver that will be used to retrieve the MBR of a disk. But we have to bypass any hooks (SSDT, IRP etc.) that tamper with the data or deny access to the MBR.

According to my analysis, I have come to the conclusion that I have to roll my own IRPs. But I have the following doubts...

1. On which device object do I have to roll the IRPs?
2. What IOCTLs can I use for that? Is there any internal IOCTL provided by disk drivers to retrieve the MBR?
3. Is there any other way to do it?

Thanks & Regards,
Amit.

Comments

  • Don_Burn_1 Member Posts: 4,311
    What are you going to do with the MBR? There are a number of calls that
    get portions of it, so explain what you are doing and there may be a
    better way.


    Don Burn (MVP, Windows DKD)
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr

  • Amit_Kulkarni-2 Member Posts: 249
    I am interested in the boot code. Actually, I am checking system integrity, and for that I require the MBR of the disk.
  • Don_Burn_1 Member Posts: 4,311
    You can use HalExamineMBR to get the MBR, but of course any smart
    malware that infects the MBR will have set a hook in the disk path to
    return a clean MBR to you.


    Don Burn (MVP, Windows DKD)
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr

  • OSR_Community_User Member Posts: 110,217
    > 1. On which device object do I have to roll the IRPs?

    On the disk device object (\\.\PhysicalDrive%d or enumerate the Disk class GUID)

    > 2. What IOCTLs can I use for that? Is there any internal IOCTL provided by disk drivers to retrieve the MBR?

    IOCTL_DISK_GET_DRIVE_LAYOUT(_EX)

    > 3. Is there any other way to do it?

    Read sector 0 and parse yourself.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    [email protected]
    http://www.storagecraft.com
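    For Maxim's third option ("read sector 0 and parse yourself"), here is an added example that is not code from any poster in this thread: a parser for the classic 512-byte MBR layout (boot code at bytes 0..445, four 16-byte partition entries from byte 446, the NT disk signature at byte 440, and the 0x55AA boot signature at byte 510), plus a fingerprint of the boot-code area so a fresh read can be compared with a known-good baseline for the kind of integrity check Amit describes. The sample sector, the `mbr_sample`/`mbr_parse` names and the FNV-1a fingerprint are this example's own choices; obtaining the real sector (for instance from \\.\PhysicalDrive0) is left to the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MBR_SIZE 512
#define MBR_BOOTCODE_LEN 446   /* bytes 0..445: boot code, the area a bootkit rewrites */
typedef struct {
    uint8_t  status;           /* 0x80 = active/bootable, 0x00 = inactive */
    uint8_t  type;             /* partition type id (0x07 = NTFS/exFAT) */
    uint32_t lba_start;        /* first sector, little-endian on disk */
    uint32_t sectors;          /* length in sectors */
} mbr_part;
typedef struct {
    int      valid;            /* 1 if the 0x55AA signature at offset 510 is present */
    uint32_t disk_signature;   /* 4-byte NT disk signature at offset 440 */
    uint32_t bootcode_fnv;     /* FNV-1a fingerprint of the boot code, for baseline comparison */
    mbr_part part[4];
} mbr_info;
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* FNV-1a 32-bit: a cheap fingerprint so two reads of sector 0 can be compared; a product would use a real hash. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Parse a raw sector-0 image. Returns 0 on success, -1 if the boot signature is missing. */
int mbr_parse(const uint8_t sector[MBR_SIZE], mbr_info *out) {
    memset(out, 0, sizeof *out);
    out->valid = (sector[510] == 0x55 && sector[511] == 0xAA);
    out->disk_signature = rd32le(sector + 440);
    out->bootcode_fnv = fnv1a(sector, MBR_BOOTCODE_LEN);
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + MBR_BOOTCODE_LEN + 16 * i;  /* 16-byte table entries */
        out->part[i].status = e[0];  out->part[i].type = e[4];
        out->part[i].lba_start = rd32le(e + 8);  out->part[i].sectors = rd32le(e + 12);
    }
    return out->valid ? 0 : -1;
}

/* Constructed sample sector: zeroed boot code, one active NTFS partition (LBA 2048, 0x100000 sectors). */
void mbr_sample(uint8_t sector[MBR_SIZE]) {
    static const uint8_t entry[16] = {0x80,0,0,0, 0x07,0,0,0, 0x00,0x08,0,0, 0,0,0x10,0};
    memset(sector, 0, MBR_SIZE);
    memcpy(sector + MBR_BOOTCODE_LEN, entry, 16);
    sector[440] = 0x78; sector[441] = 0x56; sector[442] = 0x34; sector[443] = 0x12;  /* 0x12345678 */
    sector[510] = 0x55; sector[511] = 0xAA;
}
```

    Comparing `bootcode_fnv` from a read taken through the normal disk stack against one taken from a trusted baseline only tells you whether the bytes you were handed changed; as Don and Ladislav note above, a hooked disk path can still hand you a clean copy.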
  • OSR_Community_User Member Posts: 110,217
    In general, there is no way to bypass kernel mode hooks that control reading the MBR. The lowest known to me is Win32/Alureon (TDL3, TDL4 or whatever it's called by various AVs), which installs its device object at the lowest possible place, which is atapi.sys or scsi.sys.
  • Amit_Kulkarni-2 Member Posts: 249
    Hi Ladislav Zezula,

    But the latest gmer & tdsskiller detect TDL3, TDL4 and that means it is possible to bypass them also.
  • OSR_Community_User Member Posts: 110,217
    The fact that you can detect a rootkit doesn't mean that you can bypass it.

    Of course, you could kill the system thread that is watching TDL's DRIVER_OBJECT, then unhook the DriverStartIo address in the TDL's fake DRIVER_OBJECT that is at the bottom of the disk stack, and if your OS still hasn't bugchecked for some reason, you can then fire the SCSI IOCTL in order to read the MBR. But I wouldn't bet much on the stability of such a product.
  • PopAlexandra Member Posts: 7

    @OSR_Community_User said:
    The fact that you can detect a rootkit doesn't mean that you can bypass it.

    Of course, you could kill the system thread that is watching TDL's DRIVER_OBJECT, then unhook the DriverStartIo address in the TDL's fake DRIVER_OBJECT that is at the bottom of the disk stack, and if your OS still hasn't bugchecked for some reason, you can then fire the SCSI IOCTL in order to read the MBR. But I wouldn't bet much on the stability of such a product.

    That sounds very close to what I've experienced, too.
