Re[4]: Read Boot Sector with ZwXXX

Hello vartika,

Tuesday, August 03, 2004, 1:31:10 PM, you wrote:

vS> Thanks. I'm able to read the sector now.
vS> But a new problem has come up.
vS> Now after ZwReadFile, the second time when the request
vS> comes down from the filesystem for the 1st sector

vS> But other requests in between, requests for other
vS> sectors, are working fine.

Dunno, you give very little information. What bugcheck, e.g.? Anyway, if
it bugchecks only when reading your first sector and every other time it
works (try to test it: read a different sector that the filesystem will read
later, instead of the boot sector), then try a quick workaround. You have the
sector in your buffer, so copy it instead of passing down the request.
This way you'll also be able to hide your key (if I understand
correctly it's probably some kind of disk encryption).


Best regards,
Ivona Prenosilova

You could pull all of this code out of your driver’s read routine and
just read the first sector during IRP_MJ_PNP/IRP_MN_START_DEVICE
processing after the IRP has been completed by the lower driver.

Do you have a single key on the boot disk (whatever that may be) that
you use for all other disks? Or does each disk have its own key?

If it’s the former - how do you know that \device\harddisk0\partition0
is the boot disk? There is no guarantee that the first disk in the
system is the boot disk. You would need to check the loader block to
get the arc name of the boot disk, and then open that in order to read
the value.

-p

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of vartika Singh
Sent: Tuesday, August 03, 2004 4:02 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Read Boot Sector with ZwXXX

Hi Mark,

In my particular PC's boot sector I don't have the MBR, but my own image
file which later on loads the MBR, which is placed in some other sector
of C=0, H=0.
I'm placing some information in the first sector which I want my driver
to read when it comes up.
Now, my driver is an upper disk filter driver, which comes up after the
disk driver has loaded.
I want to access that information before any read takes place, because I
derive my key from that info.
So, isn't there any way in which I could read that particular sector
before the file system starts mounting?

rgds
V.S.



Hello Ivona,
Yup, this is a disk encryption driver, and I'm
encrypting a particular partition.
No, I'm not passing the request down. I'm just parsing
the data in the dispatch routine and I free the buffer
there itself.

This is the debug info (VSI):

BUGCHECK: a IRQL_NOT_LESS_OR_EQUAL
An attempt was made to touch pageable memory at an
IRQL that is too high.

Parameter 1 : 00000000 Memory Address referenced
Parameter 2 : 00000002 IRQL at fault
Parameter 3 : 00000001 Write access attempt
Parameter 4 : 8046b0de Address of instruction executing (if known)

Probably caused by : ntoskrnl!KiTrap0E+27c
TrapFrame Address : 80473628

Context                                 Instruction Ptr  Stack Ptr  Frame Ptr  Parameters                    Function Table Status

ntoskrnl!KiTrap0E+27c                   8046856f         80473614   80473628                                 TRAP|Params:0|Registers Saved:0|#Locals:0|EBP Allocated:0
ntoskrnl!ExFreePoolWithTag+32a          8046b0de         8047369c   804736c0                                 EBP|Params:2|Registers Saved:3|#Locals:6|EBP Allocated:1
ntoskrnl!ExFreePool+b                   8046ace2         804736c8   804736cc   810e0ca8                      FPO|Params:1|Registers Saved:0|#Locals:0|EBP Allocated:0
BCHKD!_Section.text+14cdc               bff7115c         804736d4   80473704   8396e000,1000,0,8396e000      EBP
diskenc!FilterReadCompletionRoutine+80  eb818d80         8047370c   80473730   81fc49c0,810daa28,0,811a40e8  EBP
Couldn't find call instruction preceding return location.


I will do some further debugging and get back to you.

Cheers and Regards
V.S.


Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.

Hello Peter,

Do you mean to write this code in the completion
routine of IRP_MJ_PNP/IRP_MN_START_DEVICE?
O.K., I will do that and see.
Yes, I have a single set of keys for one partition.
I'm supposed to encrypt only one partition.

> If it's the former - how do you know that \device\harddisk0\partition0
> is the boot disk? There is no guarantee that the first disk in the
> system is the boot disk. You would need to check the loader block to
> get the arc name of the boot disk, and then open that in order to read
> the value.

Yup, but I will work on that one later on. Presently,
I'm getting the functionality in place.

Cheers and regards

V.S.


Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail