Anti-hacking in action: data recovery

Source: Internet
Author: User

By men/CVC. GB
Data recovery has always been a concern, because the data on your computer is threatened every day by viruses, malicious code, hackers and mistaken operations. So how do we get that data back? I hope this article helps you.

I. Theory

It is not easy to learn data recovery in depth. You cannot become a data recovery expert without solid theoretical knowledge, in particular a good understanding of the logical structure of the disk, so let's look at the theory we need to learn.

When we access a file, have you ever thought about how the operating system operates on it, and how files are laid out on the disk? First, let's look at the general structure of the hard disk, and before that, at the hard disk parameters. In the classic addressing scheme the hard disk is addressed by head, cylinder and sector (CHS). The number of heads (Heads) is the number of read/write heads, that is, the number of platter surfaces; the maximum is 255 (stored in 8 bits). The number of cylinders (Cylinders) is the number of tracks on each surface; the maximum value is 1023 (stored in 10 bits, so cylinders are numbered 0 ~ 1023). The number of sectors (Sectors) is the number of sectors per track; the maximum is 63 (stored in 6 bits; sectors are numbered from 1). Each sector is generally 512 bytes. If you have learned assembly language you will recognise this packing from the input registers of BIOS interrupt 13H: CH holds the low 8 bits of the cylinder number, the high 2 bits of CL hold bits 8 and 9 of the cylinder number, the low 6 bits of CL hold the sector number (1H ~ 3FH, 63 sectors at most), and DH holds the head number (0H ~ FEH, 255 heads at most). The cylinder number is thus 10 bits wide, (1111111111)2 = (1023)10, which allows at most 1024 cylinders. Remember this layout; the partition table uses exactly the same packing. The maximum disk capacity that can be accessed this way is:

255 * 1023 * 63 * 512 bytes = 8,414,461,440 bytes; 8,414,461,440 / 1,048,576 ≈ 8024.66 MB (counting all 1024 cylinders gives 8032.5 MB; either way, about 8 GB)

That is only about 8 GB, because disks were still small in the early days; think of the joy of owning a hard disk measured in megabytes! Just as it once seemed that 1 K of memory was a great deal, DOS users spent years worrying about memory configuration. Today you certainly have a hard disk larger than 8 GB, and you can use it thanks to a newer access method, the extended INT 13H interface, which addresses the disk linearly by sector number and so breaks the 8 GB limit. It also adds support for removable media (such as mobile hard disks). Since data recovery is not programming, I will not go into the extended INT 13H interface here.

The general structure of Hard Disk Data (based on the FAT structure) is as follows:

1. Master boot sector (occupies one sector)

2. Boot sector of the first partition (occupying one sector)

3. FAT1 of the first partition (the occupied space is determined by the disk size and FAT type)

4. FAT2 of the first partition (the occupied space is determined by the disk size and FAT type)

5. root directory of the first partition

6. The first partition data zone (used to store data of various files)

7. Extended partition table (occupying one sector)

8. Boot sector in the second partition (occupying one sector)

9. FAT1 of the second partition (the occupied space is determined by the disk size and FAT type)

10. FAT2 of the second partition (the occupied space is determined by the disk size and FAT type)

11. root directory of the second partition

12. The second partition data zone (used to store data of various files)

13. extended partition table

.

.

.

Note: if your hard disk has no extended partition there is no extended partition table, and if it has only one partition the structure ends at item 6.

(1) Structure of the Master boot sector:

It is the first sector of the hard disk (cylinder 0, head 0, sector 1, that is, linear sector 0). It consists of three parts: the master boot record (MBR) code, the hard disk partition table (DPT), and the end mark. Its structure is as follows:

1. Offset 0H ~ 1BDH: main boot program (446 bytes are reserved for it, though the code may not use them all)

2. Offset 1BEH ~ 1FDH: hard disk partition table (64 bytes; each partition item occupies 16 bytes, so at most four partition items)

3. Offset 1FEH ~ 1FFH: end mark (2 bytes, always 55H AAH)

I will not analyze the main boot program here. Note that the main boot program contains some error message strings. Boot viruses often overwrite these strings to embed themselves in the main boot program, and change its first few bytes into a jump instruction to the viral code, so by examining changes in the main boot program we can often tell whether the computer has a boot virus. Once an anomaly is found, the FDISK /MBR command overwrites the main boot program with a clean copy. The two bytes of the end mark are always 55H AAH; this mark only serves to determine whether the sector is a valid boot sector. The BIOS checks it before running the main boot program, and the main boot program checks the same mark on the partition boot sector it loads; if the mark is absent there, it displays "Missing Operating System".

Hard Disk Partition Table:

Offset from 1BEH ~ The 64 bytes of 1FDH are stored in the hard disk partition table, which contains a maximum of 4 partition items. Each partition item consists of 16 bytes. Its structure is as follows:

1. 1BEH ~ 1CDH partition item 1

2. 1CEH ~ 1DDH partition item 2

3. 1DEH ~ 1EDH partition item 3

4. 1EEH ~ 1FDH partition item 4

Note: records on unused partition items are always 16 hexadecimal codes 00 H

Let's take a look at the detailed meaning of each partition item. Assume that the 16 bytes occupied by one partition are marked as 00H ~ 0FH. Its structure is as follows:

00H: boot identifier. Its value can only be 00H or 80H. 00H means the partition is not bootable; 80H means the partition is the active one and will be booted. Many tools such as Boot Magic rely on this byte to implement multi-OS boot; once you understand the principle you can write your own multi-OS boot program.

01H: start head number of the partition

02H: the high 2 bits are the high 2 bits of the partition's start cylinder number, the low 6 bits are the start sector number of the partition

03H: the low 8 bits of the partition's start cylinder number

04H: partition system flag. 00H means the item is unused (no recognised system); 06H is a FAT16 partition; 05H or 0FH is an extended partition; 0BH is a FAT32 partition; 83H is a Linux partition; 07H is an NTFS partition. Disk tools such as PQMAGIC hide a partition by changing this byte: they record the original type and replace it with its hidden variant (for example 16H for hidden FAT16 or 1BH for hidden FAT32), so the partition is no longer assigned a drive letter but can be restored unchanged.

05H: end head number of the partition

06H: the high 2 bits are the high 2 bits of the partition's end cylinder number, the low 6 bits are the end sector number of the partition

07H: the low 8 bits of the partition's end cylinder number

08H ~ 0BH: four bytes giving the starting sector address of the partition in linear addressing. When the partition lies beyond 8 GB, this is what the extended INT 13H uses to address it. The largest addressable space is therefore FFFFFFFFH sectors * 512 bytes per sector = 2048 GB; that is the most the extended INT 13H can reach. That looked enormous when this was written, but nobody can imagine how fast computers develop, and how this limit will be broken was not yet known. Note: these four bytes are stored low byte first (little-endian)! For example, the first partition item of my partition table holds "3FH 00H 00H 00H", which reads as 0000003FH: the partition starts at linear sector 63 (linear addresses number the first sector of the hard disk as 0).

0CH ~ 0FH: four bytes giving the partition size as a total number of sectors, likewise stored low byte first.
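The CHS packing described in the INT 13H discussion above and the partition item layout just listed can be checked by parsing a master boot sector. The following Python is an added example, not code from the original article: it encodes and decodes the three-byte C/H/S fields, converts CHS to a linear sector number using the 255-head, 63-sector geometry assumed in the capacity formula above, validates the 55H AAH end mark and decodes the four partition items, flagging any item whose CHS start and linear start disagree. The master boot sector it parses is constructed inline (the main boot program area is left as zeros); the 0CH type code and the chs_matches_lba check are additions not taken from the text.

```python
import struct

SECTOR_SIZE = 512
PT_OFFSET = 0x1BE           # partition table occupies 1BEH..1FDH: four 16-byte items
END_MARK = b"\x55\xAA"      # end mark at 1FEH..1FFH

# System flag values named in the text; 0CH (FAT32 addressed by LBA) is added here as a
# commonly seen variant that the text does not list.
PART_TYPES = {0x00: "unused", 0x05: "extended", 0x0F: "extended (LBA)", 0x06: "FAT16",
              0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux"}


def encode_chs(cylinder: int, head: int, sector: int) -> bytes:
    """Pack C/H/S into the 3-byte form used by a partition item, which is also the DH / CL / CH
    register layout of INT 13H: head, then sector | cylinder high bits, then cylinder low byte."""
    if not (0 <= cylinder <= 1023 and 0 <= head <= 255 and 1 <= sector <= 63):
        raise ValueError("C/H/S outside the 10/8/6-bit ranges")
    return bytes([head, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), cylinder & 0xFF])


def decode_chs(raw: bytes) -> tuple:
    """Inverse of encode_chs: returns (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F                       # low 6 bits of the middle byte
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]   # high 2 bits of the middle byte + low byte
    return cylinder, head, sector


def chs_to_lba(cylinder: int, head: int, sector: int, heads: int = 255, spt: int = 63) -> int:
    """Classic CHS -> linear sector number; the first sector of the disk is 0, sectors count from 1."""
    return (cylinder * heads + head) * spt + (sector - 1)


def is_valid_boot_sector(sector: bytes) -> bool:
    """The 55H AAH end mark is the only check the BIOS makes before running the sector."""
    return len(sector) == SECTOR_SIZE and sector[0x1FE:0x200] == END_MARK


def make_item(bootable: bool, start_chs: tuple, ptype: int, end_chs: tuple,
              lba_start: int, sector_count: int) -> bytes:
    """Build one 16-byte partition item; both dwords are stored low byte first."""
    return (bytes([0x80 if bootable else 0x00]) + encode_chs(*start_chs) + bytes([ptype])
            + encode_chs(*end_chs) + struct.pack("<II", lba_start, sector_count))


def parse_mbr(sector: bytes) -> list:
    """Decode the four partition items of a master boot sector."""
    if not is_valid_boot_sector(sector):
        raise ValueError("end mark 55H AAH missing: not a valid master boot sector")
    items = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        if raw == bytes(16):               # unused items are all 00H
            continue
        boot_flag, ptype = raw[0], raw[4]
        if boot_flag not in (0x00, 0x80):
            raise ValueError(f"item {i + 1}: boot identifier {boot_flag:02X}H is neither 00H nor 80H")
        lba_start, count = struct.unpack_from("<II", raw, 8)
        c, h, s = decode_chs(raw[1:4])
        items.append({
            "item": i + 1,
            "bootable": boot_flag == 0x80,
            "type": PART_TYPES.get(ptype, f"unknown ({ptype:02X}H)"),
            "chs_start": (c, h, s),
            "chs_end": decode_chs(raw[5:8]),
            "lba_start": lba_start,
            "sectors": count,
            "size_mib": count * SECTOR_SIZE // (1024 * 1024),
            # For a partition starting below the 8 GB CHS limit the CHS and linear start fields must
            # name the same sector; a mismatch is a first sign of a damaged or hand-edited table.
            "chs_matches_lba": chs_to_lba(c, h, s) == lba_start,
        })
    return items


def constructed_mbr() -> bytes:
    """A constructed master boot sector, not a dump of a real disk: the code area is left as zeros,
    item 1 is a bootable FAT32 partition starting at linear sector 63 (CHS 0/1/1, the "3FH 00H 00H 00H"
    case from the text), item 2 is an NTFS partition starting on the next cylinder boundary."""
    table = (make_item(True, (0, 1, 1), 0x0B, (3, 254, 63), 63, 4 * 255 * 63 - 63)
             + make_item(False, (4, 0, 1), 0x07, (5, 254, 63), 4 * 255 * 63, 2 * 255 * 63)
             + bytes(32))
    return bytes(PT_OFFSET) + table + END_MARK


if __name__ == "__main__":
    for part in parse_mbr(constructed_mbr()):
        print(part)
```

To use it on a real disk, read the first 512 bytes of the raw device (for example from \\.\PhysicalDrive0 on Windows or /dev/sda on Linux, which needs administrator rights) and pass them to parse_mbr; an item whose chs_matches_lba is False, a type byte you do not recognise, or a boot identifier other than 00H or 80H is where a manual look at the hex dump should start.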

(2) Structure of the Boot sector:

When the main boot program finds a partition item whose boot identifier is 80H, it reads that partition's boot sector into memory at address 0000:7C00 and hands control to the boot program in it. Let's look at what we need to know about the boot sector (the offsets below are those of a FAT32 boot sector):

1. 00H ~ 02H: a jump instruction to the boot program later in the sector

2. 03H ~ 0AH: OEM name and system version (8 bytes)

3. 0BH ~ 0CH: bytes per sector, generally 512

4. 0DH: sectors per cluster (the concept of a cluster is introduced below). On FAT32 disks this byte is generally 08H, so each cluster is 8 * 512 B = 4 K.

5. 0EH ~ 0FH: number of reserved sectors (the boot area before FAT1)

6. 10H: number of FATs, usually 2

7. 11H ~ 12H: for FAT16, the maximum number of root directory entries; for FAT32 this value is always 00H 00H

8. 13H ~ 14H: for floppy disks or early small hard disks, the total number of sectors in the partition; for a large hard disk partition this is 00H 00H and the value is stored at 20H instead

9. 15H: media descriptor, F0H for a 1.44 M floppy disk and F8H for a hard disk

10. 16H ~ 17H: for floppy disks or early small hard disks, the number of sectors occupied by each FAT; for FAT32 this is 00H 00H and the value is stored at 24H instead

11. 18H ~ 19H: sectors per track, usually 3FH 00H, that is, 63 sectors per track

12. 1AH ~ 1BH: number of heads, generally FFH 00H, that is, 255 heads per cylinder

13. 1CH ~ 1FH: number of hidden sectors, that is, the sectors that precede the partition on the disk

14. 20H ~ 23H: for a large hard disk partition, the total number of sectors occupied by the partition

15. 24H ~ 27H: for a large hard disk partition (FAT32), the number of sectors occupied by each FAT

16. 40H: BIOS drive number; 80H for the first hard disk, 00H for a floppy disk

17. 47H ~ 51H: the volume label set by the user; if there is no volume label it is often the string "NO NAME    "

18. 52H ~ 59H: file system type string; for a FAT32 file system it is "FAT32   "

19. 1FEH ~ 1FFH: end mark, 55H AAH, like the end mark of the master boot sector described above

The above is the information in the boot sector that we care about. It also explains where the system gets the partition size and file system type shown when you right-click a partition and open its properties: it reads these very parameters.

(3) Disk File Allocation Table (FAT)

Before introducing the FAT we need the concept of a cluster. A cluster is the unit in which the file data area is measured and allocated: the data area is divided into clusters of equal size. A cluster may consist of 1, 2, 4, 8, 16, 32, 64 or 128 sectors (always a power of 2), and for a given volume the value is fixed. For example, on a large (2 GB) FAT16 volume each cluster is 32 K (64 sectors); on FAT32 each cluster is generally 4 K (8 sectors).

To understand why the operating system manages the disk in clusters we need to look at the FAT itself. On a FAT32 disk the reserved sectors of the boot area come first; immediately after them is the FAT, which begins with F8H FFH FFH 0FH (on FAT16 it begins with F8H FFH): entry 0 holds the media descriptor padded with 1 bits. Each FAT32 entry occupies 32 bits (4 bytes), each FAT16 entry 16 bits (2 bytes), and entry n describes cluster n. Different entry values have different meanings:

FAT12 value      FAT16 value      FAT32 value          Meaning

-                0000H            00000000H            unused (free) cluster

001H ~ FEFH      0001H ~ FFEFH    00000001H ~
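As an added example (not the article's own code) tying the boot sector fields above to the FAT: the Python below parses a FAT32 boot sector into the layout it implies (where FAT1, FAT2 and the data area start, and how a cluster number maps to a sector), then follows a cluster chain through the FAT and reassembles the clusters, which is the core step of recovering a file whose first cluster is known. It works on a tiny FAT32 volume constructed in the code (1 reserved sector, 1-sector FATs, 2-sector clusters, 32 sectors in total; a real volume has far more reserved sectors and, as the text says, usually 8-sector clusters). The root cluster field at offset 2CH, the end-of-chain and bad-cluster values and the loop check are facts and checks not stated in the text above.

```python
import struct

SECTOR_SIZE = 512
FAT32_MASK = 0x0FFFFFFF     # a FAT32 entry is 4 bytes wide but only the low 28 bits are used
END_OF_CHAIN = 0x0FFFFFF8   # any masked value >= this marks the last cluster of a file
BAD_CLUSTER = 0x0FFFFFF7

def parse_boot_sector(sec: bytes) -> dict:
    """Read the FAT32 boot-sector fields listed above and derive where the FATs and data area start."""
    if len(sec) < SECTOR_SIZE or sec[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("end mark 55H AAH missing")
    u16 = lambda off: struct.unpack_from("<H", sec, off)[0]   # multi-byte fields are low byte first
    u32 = lambda off: struct.unpack_from("<I", sec, off)[0]
    b = {
        "bytes_per_sector": u16(0x0B), "sectors_per_cluster": sec[0x0D],
        "reserved_sectors": u16(0x0E), "fat_count": sec[0x10], "media": sec[0x15],
        "hidden_sectors": u32(0x1C), "total_sectors": u32(0x20), "sectors_per_fat": u32(0x24),
        "root_cluster": u32(0x2C),   # first cluster of the FAT32 root directory; not in the list above
        "drive_number": sec[0x40],
        "volume_label": sec[0x47:0x52].decode("ascii", "replace").rstrip(),
        "fs_type": sec[0x52:0x5A].decode("ascii", "replace").rstrip(),
    }
    # On FAT32 the FAT16 root-entry count (11H) and sectors-per-FAT (16H) fields are 00H 00H.
    if u16(0x11) or u16(0x16) or not b["sectors_per_fat"]:
        raise ValueError("not a FAT32 boot sector")
    if b["sectors_per_cluster"] not in (1, 2, 4, 8, 16, 32, 64, 128):
        raise ValueError("sectors per cluster must be a power of 2 up to 128")
    b["fat_start"] = b["reserved_sectors"]                                    # FAT1 follows the reserved area
    b["data_start"] = b["fat_start"] + b["fat_count"] * b["sectors_per_fat"]  # first sector of cluster 2
    b["cluster_bytes"] = b["sectors_per_cluster"] * b["bytes_per_sector"]
    return b

def cluster_to_sector(bpb: dict, cluster: int) -> int:
    """Data clusters are numbered from 2; cluster 2 occupies the first sectors of the data area."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved FAT entries, not data")
    return bpb["data_start"] + (cluster - 2) * bpb["sectors_per_cluster"]

def fat_entry(fat: bytes, cluster: int) -> int:
    return struct.unpack_from("<I", fat, cluster * 4)[0] & FAT32_MASK

def follow_chain(fat: bytes, first: int) -> list:
    """Walk the FAT from a file's first cluster to its end-of-chain mark, refusing loops and
    chains that run into a free or bad cluster, both typical damage in a FAT to be recovered."""
    chain, seen, cur = [], set(), first
    while True:
        if cur in seen:
            raise ValueError(f"FAT loop at cluster {cur}")
        if cur < 2 or cur == BAD_CLUSTER:
            raise ValueError(f"chain from {first} points at reserved or bad cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        nxt = fat_entry(fat, cur)
        if nxt >= END_OF_CHAIN:
            return chain
        if nxt == 0:
            raise ValueError(f"chain from {first} runs into a free cluster after {cur}")
        cur = nxt

def chain_is_consistent(fat: bytes, first: int) -> bool:
    try:
        follow_chain(fat, first)
        return True
    except ValueError:
        return False

def read_chain(image: bytes, bpb: dict, first: int) -> bytes:
    """Concatenate the clusters of one chain, reading the chain from FAT1 in the image."""
    bps = bpb["bytes_per_sector"]
    fat = image[bpb["fat_start"] * bps:(bpb["fat_start"] + bpb["sectors_per_fat"]) * bps]
    out = bytearray()
    for cluster in follow_chain(fat, first):
        off = cluster_to_sector(bpb, cluster) * bps
        out += image[off:off + bpb["cluster_bytes"]]
    return bytes(out)

def constructed_image() -> bytes:
    """A tiny constructed FAT32 volume, not a real dump: 1 reserved sector, 2 FATs of 1 sector each,
    2-sector clusters, 32 sectors; root dir in cluster 2, a file in 3 -> 4 -> 6, 5 free, a loop 7 -> 8 -> 7."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3], bs[3:11] = b"\xEB\x58\x90", b"MSWIN4.1"          # jump instruction and OEM name
    struct.pack_into("<HBHBHHBHHHII", bs, 0x0B, 512, 2, 1, 2, 0, 0, 0xF8, 0, 63, 255, 0, 32)
    struct.pack_into("<I", bs, 0x24, 1)                        # sectors per FAT
    struct.pack_into("<I", bs, 0x2C, 2)                        # root directory cluster
    bs[0x40], bs[0x47:0x52], bs[0x52:0x5A] = 0x80, b"NO NAME    ", b"FAT32   "
    bs[0x1FE:0x200] = b"\x55\xAA"
    fat = bytearray(SECTOR_SIZE)
    for n, v in {0: 0x0FFFFFF8, 1: 0xFFFFFFFF, 2: 0x0FFFFFFF,  # F8H FFH FFH 0FH opens the FAT
                 3: 4, 4: 6, 6: 0x0FFFFFFF, 7: 8, 8: 7}.items():
        struct.pack_into("<I", fat, n * 4, v)
    bpb = parse_boot_sector(bytes(bs))
    image = bytearray(bs + fat + fat + bytes((32 - bpb["data_start"]) * SECTOR_SIZE))
    for cluster, text in ((3, b"FIRST "), (4, b"SECOND "), (6, b"THIRD")):
        off = cluster_to_sector(bpb, cluster) * SECTOR_SIZE
        image[off:off + len(text)] = text
    return bytes(image)
```

On a real volume the same functions apply to the raw partition (its boot sector is the first sector of the partition, at the linear start address from the partition item); read_chain then gives you the file's clusters in order, and the directory entry's file size, which this example does not parse, tells you how many bytes of the last cluster belong to the file. When FAT1 fails a chain check, repeat the walk against FAT2 (it starts at fat_start + sectors_per_fat), which is exactly why the second copy exists.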
