Reading data from volume by 2MB blocks: strange behavior

OSR_Community_User · March 1, 2011, 10:43am

I read data from volume by 2 MB blocks.

I’ve discovered strange behavior when I read the specific block from the specific volume.

My code looks like that:

DWORD dwBlockSize = 2048*1024;
PBYTE cluster = new BYTE[dwBlockSize];
LARGE_INTEGER offset;
HANDLE hFile;
LONGLONG baseOffset = 138LL*dwBlockSize;
DWORD dwMisteryOffset = 0x8F000;
DWORD dwBytesPerCluster = 4096;

// Read 2MB block
offset.QuadPart = baseOffset;
SetFilePointer(hVolume, offset.LowPart, &offset.HighPart, FILE_BEGIN);
ReadFile(hVolume, cluster, dwBlockSize, &dwNumBytes, NULL);

hFile = CreateFile(L"C:\cluster.dat", GENERIC_WRITE, FILE_SHARE_READ,
NULL, CREATE_ALWAYS, 0, NULL);
WriteFile(hFile, cluster + dwMisteryOffset, dwBytesPerCluster,
&dwNumBytes, NULL);
CloseHandle(hFile);

Here I read 2 MB block and save the specific cluster (dwMisteryOffset = 0x8F000) content to the file “cluster.dat”. I get null cluster data, but cluster actually should actually store directory index.

If I use this code:

// Read only one cluster
offset.QuadPart = baseOffset + dwMisteryOffset;
SetFilePointer(hVolume, offset.LowPart, &offset.HighPart, FILE_BEGIN);
ReadFile(hVolume, cluster, dwBytesPerCluster, &dwNumBytes, NULL);

hFile = CreateFile(L"C:\cluster2.dat", GENERIC_WRITE, FILE_SHARE_READ,
NULL, CREATE_ALWAYS, 0, NULL);
WriteFile(hFile, cluster, dwBytesPerCluster, &dwNumBytes, NULL);
CloseHandle(hFile);

then I get correct cluster data.
I don’t have any AntiVirus software installed.

Volume is 8GB, NTFS. Volume offset on disk is 2 MB.

Did anybody encounter the same problem?

Mahmoud_Al-Qudsi · March 1, 2011, 1:31pm

Can you post the CreateFile code for hVolume?

OSR_Community_User · March 1, 2011, 1:50pm

hVolume = CreateFile(szVolumePath, GENERIC_READ,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);

where szVolumePath is L"\\.\G:".

I see the same behavior for the volume VSS snapshot.

Tim_Roberts · March 1, 2011, 2:29pm

xxxxx@rambler.ru wrote:

I read data from volume by 2 MB blocks.

I’ve discovered strange behavior when I read the specific block from the specific volume.

My code looks like that:

DWORD dwBlockSize = 2048*1024;
PBYTE cluster = new BYTE[dwBlockSize];
LARGE_INTEGER offset;
HANDLE hFile;
LONGLONG baseOffset = 138LL*dwBlockSize;
DWORD dwMisteryOffset = 0x8F000;
DWORD dwBytesPerCluster = 4096;

// Read 2MB block
offset.QuadPart = baseOffset;
SetFilePointer(hVolume, offset.LowPart, &offset.HighPart, FILE_BEGIN);
ReadFile(hVolume, cluster, dwBlockSize, &dwNumBytes, NULL);

Does it actually tell you that it read 2048576 bytes here?

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

OSR_Community_User · March 2, 2011, 1:21am

Yes, I get 2048576 bytes read from ReadFile.

It seems, that it is a VirtualBox bug.

I have Disk1.vhd image. I’ve attached it to VirtualBox machine with Windows Server 2008 R2 x64 installed. When I run the code above in VirtualBox environment, I get the bug I describe in the first message.

I’ve attached the same image to VirtualPC machine. When I run the code in VirtualPC environment, I don’t get the bug.

Finally I’ve attached the image on my work computer using Windows 7 “Disk Management” applet. I don’t get the bug again.