How to read disk sectors in Windows using ATA PIO Mode?

I was reading this paper: Exposing Bootkits with BIOS Emulation

and in it there is pseudocode for using ATA PIO mode to read from disk and bypass rootkit hooks, but there is not much information about it, and it doesn't explain how to implement it or explain how it works.

So is there any open source project or a book or something that I can look at that does this, or at least explains in detail how it's done? The lowest-level programming I have done is writing simple minifilter drivers and such, so I've never implemented something this low level, this close to the hardware.

Also, is this possible to do from user mode, or does it have to be implemented in a kernel module?

ATA is an ancient interface that was popular in the 1990s. The industry has moved on to new interface types like NVMe today. It is doubtful that sending the ATA protocol will work with any hardware one may have these days. In user mode there were many ways of sending ATA commands, like IOCTL_IDE_PASS_THROUGH, IOCTL_ATA_PASS_THROUGH, IOCTL_ATA_PASS_THROUGH_DIRECT, IOCTL_ATA_PASS_THROUGH_EX, as well as other back doors. But again, the hardware has changed and this protocol no longer exists.

@Rourke said:
ATA is an ancient interface that was popular in the 1990s. The industry has moved on to new interface types like NVMe today. It is doubtful that sending the ATA protocol will work with any hardware one may have these days. In user mode there were many ways of sending ATA commands, like IOCTL_IDE_PASS_THROUGH, IOCTL_ATA_PASS_THROUGH, IOCTL_ATA_PASS_THROUGH_DIRECT, IOCTL_ATA_PASS_THROUGH_EX, as well as other back doors. But again, the hardware has changed and this protocol no longer exists.

Thank you for the answer. So instead of IOCTL_ATA_PASS we should be using IOCTL_SCSI_PASS_THROUGH to support modern hardware, and IOCTL_ATA_PASS_THROUGH won't work anymore, correct?

And is there anywhere that explains how I can send an IOCTL_SCSI_PASS_THROUGH or IOCTL_ATA_PASS command from user mode to write to or read from disk? I literally spent hours trying to find a simple example that shows this but couldn't find one.

The spti sample from Microsoft shows you how to use SCSI pass-through.

https://github.com/microsoft/Windows-driver-samples/tree/master/storage/tools/spti

Mark Roddy

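The spti sample linked above is a full tool; as a much smaller added example (not code from this thread, from the paper, or from the spti sample), this is the core of what a user-mode program does to read one sector with a SCSI READ(10) through IOCTL_SCSI_PASS_THROUGH_DIRECT. The already-opened drive handle (\\.\PhysicalDrive0 needs administrator rights), the 512-byte sector size and the 5-second timeout are assumptions; the CDB builder is portable, the DeviceIoControl part is Windows-only.

```c
/* Added example: read one sector via IOCTL_SCSI_PASS_THROUGH_DIRECT using a
 * SCSI READ(10) CDB. Assumes a 512-byte logical sector size and a drive
 * handle opened by the caller. Not from the thread or the spti sample. */
#include <stdint.h>
#include <string.h>

#define READ10_OPCODE 0x28
#define SECTOR_SIZE   512

/* Build a 10-byte READ(10) CDB: opcode, flags, 4-byte big-endian LBA,
 * group number, 2-byte big-endian transfer length (in blocks), control. */
void build_read10_cdb(uint8_t cdb[10], uint32_t lba, uint16_t blocks)
{
    memset(cdb, 0, 10);
    cdb[0] = READ10_OPCODE;
    cdb[2] = (uint8_t)(lba >> 24);
    cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);
    cdb[5] = (uint8_t)(lba);
    cdb[7] = (uint8_t)(blocks >> 8);
    cdb[8] = (uint8_t)(blocks);
}

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>

/* Issue READ(10) for one sector on an open physical-drive handle (e.g. from
 * CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ | GENERIC_WRITE, ...)).
 * buf must satisfy the adapter's alignment mask. Returns 1 on success. */
int read_sector_spti(HANDLE hDrive, uint32_t lba, uint8_t *buf)
{
    SCSI_PASS_THROUGH_DIRECT sptd;
    DWORD returned = 0;
    memset(&sptd, 0, sizeof sptd);
    sptd.Length             = sizeof sptd;
    sptd.CdbLength          = 10;
    sptd.DataIn             = SCSI_IOCTL_DATA_IN;
    sptd.DataTransferLength = SECTOR_SIZE;
    sptd.TimeOutValue       = 5;          /* seconds (assumed) */
    sptd.DataBuffer         = buf;
    build_read10_cdb(sptd.Cdb, lba, 1);
    if (!DeviceIoControl(hDrive, IOCTL_SCSI_PASS_THROUGH_DIRECT,
                         &sptd, sizeof sptd, &sptd, sizeof sptd, &returned, NULL))
        return 0;
    return sptd.ScsiStatus == 0;          /* 0 == SCSI GOOD status */
}
#endif
```

Comparing the sector returned this way with the same sector read through the normal file-system path is the check the paper's approach relies on: a mismatch points at something altering reads above the storage stack.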