FW: RE: Checking access to boot sector

Depending on terminology the first sector of each partition is
sometimes called the ‘boot’ sector. It is also sometimes called
the ‘Bios Parameter Block’. In fact it is both. The first sector
on a drive is referred to as the ‘Master Boot Record’ or ‘MBR’.

The boot process on P.C. compatible computers loads the ‘MBR’
which is drive sector 0 and executes the code starting at byte 0.

That code looks at the partition table which is also in drive
sector 0 for a partition entry that is marked as active, i.e. it
has a hex 80 as its first byte.

The boot code (from the MBR) then loads the first sector of the
active partition (on most modern drives this is sector 63) and
turns over control to the code loaded from that sector. The first
two or three bytes loaded from the ‘boot’ sector are a jump command
that causes the program counter to jump over the Bios Parameter Block
and continue execution at that point. The remainder of the boot code
loads whatever other things the particular operating system needs to
get itself going.

For partitions that are ‘extended partitions’ and/or partitions that
are not marked active in the partition table there is no requirement
for the boot code to exist in the ‘boot’ sector, however the ‘BPB’ must
exist since it has specific information for the partition.

The first sector of an ‘extended partition’ contains another partition table
which contains the information as to where to find the start of the
extended partition.

I will not go into the gotchas and nuances of walking the partition
structure links but suffice it to say that it is moronic the way it
has been implemented by Microsoft.

So to put the following data structures into context you will find
the following structures in the following places:

struct p_entry    -> you’ll find 4 of these in the Master Boot Record
                     and in the first sector of each extended partition.

struct BootSector -> this is the Bios Parameter Block that is found
                     in the first sector of the partition (boot sector)
                     that is pointed to by the partition table entry.

struct Partition  -> This is the Master Boot Record, the first 446 bytes
                     is the boot code that determines which partition is
                     the active partition in the partition table that is
                     contained in the p_tbl. The signature member
                     indicates a valid sector and is hex 55AA, (0x55AA).

Mike

-----Original Message-----
From: David Jones [SMTP:xxxxx@Charismac.com]
Sent: Monday, May 08, 2000 10:39 AM
To: File Systems Developers
Subject: [ntfsd] RE: Checking access to boot sector

Ratmil:

No, the first sector of every partition is not the boot sector.
The partition is the complete domain of the file system. So booting
from NTFS, FAT, or any file system plug in could be completely
different. ( Microsoft does not give information out on its NTFS file
system ). Now sector 0 is sacred for all Microsoft operating systems.
Not only does it contain the partition information, but also the boot
information for the disk. The structure for partition 0 is as follows:

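// One partition table entry (16 bytes on disk)
struct p_entry
{
    UCHAR boot_ID;          // hex 80 marks the active partition
    UCHAR boot_HSC[3];      // starting head/sector/cylinder
    UCHAR system_ID;        // partition type
    UCHAR end_HSC[3];       // ending head/sector/cylinder
    ULONG sector_offset;    // first sector of the partition
    ULONG sector_length;    // number of sectors in the partition
};

// Bios Parameter Block at the start of a partition's boot sector
struct BootSector
{
    UCHAR entry_point[3];   // jump over the BPB
    UCHAR oem[8];
    UINT  bps;              // bytes per sector
    UCHAR spau;             // sectors per allocation unit
    UINT  res_sectors;
    UCHAR num_fats;
    UINT  root_files;
    UINT  volume_size;
    UCHAR media_byte;
    UINT  spf;              // sectors per FAT
    UINT  spt;              // sectors per track
    UINT  hpc;              // heads per cylinder
    ULONG hidden;
    ULONG volume_size_32;   // 32-bit volume size
};

struct Partition
{
    UCHAR code[446];                // Boot code for device
    struct p_entry p_tbl[MAXPART];  // partition entries
    UINT  signature;
};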

David Jones
CharisMac Engineering

-----Original Message-----
From: Ratmil Torres Vargas [SMTP:xxxxx@ghost.matcom.uh.cu]
Sent: Monday, May 08, 2000 10:15 AM
To: David Jones; Wyler Furgeson
Subject: [ntfsd] RE: Checking access to boot sector

Isn’t there a Boot Sector in the first sector of every partition of a
hard drive? And isn’t the first sector on hard drive the partition table?
I have another question. I have noticed that Partition0 (and only
Partition0) gets called when I access any physical sector (by Cylinder,
Side etc), no matter in what partition that sector is. How do I get
information in that call?
THANK YOU.

On Fri, 5 May 2000, David Jones wrote:

> Ratmil:
>
> Here is how partitions work in a file system situation. One the
> drive is broken into partitions 0 through x. Now if you attach to all
> the partitions like you say the following happens. In partition 1 when
> the ByteOffset is 0 then that is not the beginning of the physical disk
> but the beginning of partition 1. ( Which if you let the Windisk set it
> up is usually 32 sectors in. ) Now to control access to the boot sector
> you MUST ATTACH TO PARTITION 0 of the desired hard drive. Then you can
> look for access to BYTEOFFSET = 0. The ByteOffset is a large integer
> and a check to the QUADPART that results in 0 is what you're looking for.
> A good way to test your code is to set up your driver on a test
> hard drive. Then partition that hard drive with windisk (Which will
> affect the boot sector ) and see if your code intercepts the call.
>
>
> I hope this is helpful
>
> David Jones
> CharisMac Engineering
>
>
> > -----Original Message-----
> > From: Ratmil Torres Vargas [SMTP:xxxxx@ghost.matcom.uh.cu]
> > Sent: Friday, May 05, 2000 7:05 AM
> > To: David Jones; Wyler Furgeson
> > Subject: [ntfsd] Checking access to boot sector
> >
> > Hello.
> > I’m writing a driver to control access to boot sector. So I attach to
> > \HardDiskN\PartitionN. I was told that to know if boot sector was
> > being accessed to check
> > currentIrpStack->Parameters.Read.ByteOffset
> >
> > ByteOffset is a LARGE_INTEGER that indicates the sector being accessed.
> > So if this number is 0 I got an access to boot sector. But in a normal
> > file save (a .txt for example) I get (ByteOffset == 0). As well
> > ByteOffset.LowPart as ByteOffset.LowPart.
> > Am I doing something wrong?
> > Thank you.

Hello:

David is right that a 32 bit compiler will misinterpret some of
the UINT. As for the Master Boot Record it is described in sector 0,
but the question was how to intercept calls to the boot record and the
only way to do that is filter partition 0. Also for the rest of
Ratmil’s question any part of the disk can be accessed from partition 0,
so if you want total control of who accesses the boot record you must
filter this partition. If you want more complete information look in
Writing Dos Device Drivers in C: by Phillip M. Adams and Clovis L.
Tondo.

David Jones
CharisMac Engineering

-----Original Message-----
From: COX,DAVID (HP-Roseville,ex1) [SMTP:david_cox2@hp.com]
Sent: Monday, May 08, 2000 11:31 AM
To: David Jones; Wyler Furgeson
Subject: [ntfsd] RE: Checking access to boot sector

Your structs are a little confusing, and not the right size if compiled
by a Win32 compiler – UINT is unsigned int, and ints are 32 bits, not
16. And MAXPART = 4. And the “master boot record” describes sector 0,
not partition 0. As you say, the contents of the individual partitions
depends on the filesystem. The MBR struct is reused in extended partitions
to describe the “logical drives” (really nested partitions), though of
course the code area of the sector is unused. Here are structs I’ve used
successfully, derived from Linux code:

#ifdef _MSC_VER //MSVC
#pragma pack(push, 1)
#endif

// Fixed-width types assumed by the structs below
typedef unsigned char  uint8;
typedef unsigned short uint16;
typedef unsigned int   uint32;

// Partition record in MBR

struct DosMbrPartRec
{
    uint8 active;        // This flag is set for active partition
                         // (partition from which computer boots)
    uint8 start_head;

    uint8 start_sect:6;
    uint8 start_cylH:2;
    uint8 start_cylL;

    uint8 fs_type;       // Partition's file system type (see table)
    uint8 end_head;

    uint8 end_sect:6;
    uint8 end_cylH:2;
    uint8 end_cylL;

    uint32 rel_sect;     // Number of sectors prior to partition
    uint32 num_sect;     // Number of sectors in the partition
};

// Master Boot Record stored in the first sector on the disk

struct DosMbr
{
    uint8 m_code[0x1BE];                 // Initial Program Loader (IPL) code
    struct DosMbrPartRec m_partRecs[4];
    uint16 m_nMagicNum;                  // Magic number (must be 0xAA55)
};

// Restore packing to default
#ifdef _MSC_VER //MSVC
#pragma pack(pop)
#endif


Dave Cox
Hewlett-Packard Co.
HPSO/SSMO (Santa Barbara)
https://ecardfile.com/id/Dave+Cox
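
Added example, not part of the original thread: a C parser for sector 0 that reads each field at its byte offset, so the layout discussed above (446 bytes of code, four 16-byte entries, signature bytes 55 AA, active flag hex 80) does not depend on the compiler's int width or struct packing. The names parse_mbr, part_info and make_sample, the return codes, and the sample sector are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE   512
#define PTABLE_OFFSET 446   /* 0x1BE: partition table follows the boot code */
#define ENTRY_SIZE    16
#define ACTIVE_FLAG   0x80

struct part_info { uint8_t active, fs_type; uint32_t start_lba, num_sectors; };

/* Little-endian read, byte by byte: independent of host endianness. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the index (0-3) of the single active entry, -1 if the signature
   is wrong, -2 if no entry is active, -3 if more than one is active
   (out[] is then only partly filled). */
int parse_mbr(const uint8_t sec[SECTOR_SIZE], struct part_info out[4]) {
    int active = -2;
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + PTABLE_OFFSET + i * ENTRY_SIZE;
        out[i].active = e[0];
        out[i].fs_type = e[4];
        out[i].start_lba = le32(e + 8);
        out[i].num_sectors = le32(e + 12);
        if (e[0] != ACTIVE_FLAG) continue;
        if (active >= 0) return -3;
        active = i;
    }
    return active;
}

/* Constructed sample: second entry active, type 0x06, starting at sector 63. */
void make_sample(uint8_t sec[SECTOR_SIZE]) {
    memset(sec, 0, SECTOR_SIZE);
    uint8_t *e = sec + PTABLE_OFFSET + ENTRY_SIZE;
    e[0] = ACTIVE_FLAG; e[4] = 0x06;
    e[8] = 63;                       /* start sector, little-endian */
    e[13] = 0x10;                    /* length 0x1000 sectors */
    sec[510] = 0x55; sec[511] = 0xAA;
}

int main(void) {
    uint8_t sec[SECTOR_SIZE]; struct part_info p[4]; make_sample(sec);
    int a = parse_mbr(sec, p);
    if (a >= 0) printf("active entry %d starts at sector %u\n", a, (unsigned)p[a].start_lba);
    return 0;
}
```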


> Isn’t there a Boot Sector in the first sector of every partition of a
> hard drive?

Yes, there is a boot sector (which contains a 2nd stage boot loader code and
the description of the whole FS volume) as a sector 0 of every partition.
But also there is a partition table sector. It also contains a boot loader
code (1st stage, called Master Boot Record) and the table itself. Partition
table is the very first sector of the whole drive.
Partition table has 4 entries.
Also note that one of the partitions in the partition table can be the
extended partition. Extended partition has yet another partition table in
its sector 0.
So, you can have up to 7 real partitions on the disk.

> I have another question. I have noticed that Partition0 (and only
> Partition0) gets called when I access any physical sector (by Cylinder,
> Side etc), no matter in what partition that sector is. How do I get

Partition0 is the device object which describes the whole unpartitioned
drive.
Partition1 etc are the device objects which describe the particular
partitions of the drive.

Max

> sometimes called the ‘boot’ sector. It is also sometimes called
> the ‘Bios Parameter Block’. In fact it is both. The first sector
> on a drive is referred to as the ‘Master Boot Record’ or ‘MBR’.

Note that the BPB is a FAT-only thing. It is the volume descriptor for a FAT
volume. There will be no BPB if the partition does not contain a FAT volume
(if it contains NTFS or ext2 volume, for instance - these FSes use their own
volume descriptors, different from BPB).

> for the boot code to exist in the ‘boot’ sector, however the ‘BPB’ must
> exist since it has specific information for the partition.

No. It is a FAT-only thing and must exist only for FAT volumes.
The rule that the boot sector code must start with JMP is again FAT-only -
BTW, this is one of the checks FASTFAT makes to ensure that the partition
really contains a valid FAT volume.

Max

Maxim:

Just for clarification, Windows NT does not limit the total
number of partitions to 7. I have had over fifty partitions on one disk
personally. Also it is true that FAT and I believe NTFS use sector 0 of
the partition as the boot loader. But I would trust the starting boot
sector listed in the partition table just in case you're using a third
party file system that does not adhere to the MS standard.

David Jones
CharisMac Engineering
