Author: progmboy
By: programmeboy http://hi.baidu.com/programmeboy
Environment: first create a M file, then use filedisk to create a volume from it, and then format the volume as NTFS. I formatted it with 512 bytes per cluster.
Objective: To create an empty file named 777.txt in the root directory
Tools: filedisk, Runtime's DiskExplorer for NTFS, WinHex
1. First locate $MFT, which holds the important data
(Based on the data in the boot sector.) The image shows my boot sector.
[Image: 1.jpg]
Here we use the values at offsets B, D and 30. Note that the values shown are in hexadecimal. The offset of $MFT is (349525)d * (512)d * 1 = (178956800)d, which is (aaaaa00)x in hexadecimal notation. Note: here (number)d means the number is in decimal format, and (number)x means the number is in hexadecimal notation.
Going to that offset, we arrive here:
[Image: 2.jpg]
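The calculation in step 1 can be checked with a short parser. This is an added example, not the author's program: it reads the boot sector fields at offsets 0x0B (bytes per sector), 0x0D (sectors per cluster) and 0x30 ($MFT starting cluster), plus the file record size at 0x40, and the sample boot sector is constructed from the values in the text rather than dumped from a volume. The function names are illustrative.

```python
import struct

def parse_ntfs_boot_sector(bs: bytes) -> dict:
    """Read the geometry fields at 0x0B, 0x0D and 0x30, plus the record size at 0x40."""
    if len(bs) < 512 or bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    (mft_lcn,) = struct.unpack_from("<Q", bs, 0x30)
    (raw,) = struct.unpack_from("<b", bs, 0x40)  # signed byte
    cluster_size = bytes_per_sector * sectors_per_cluster
    if cluster_size == 0 or raw == 0:
        raise ValueError("implausible geometry")
    # Positive: record size in clusters. Negative n: the record is 2**(-n) bytes.
    record_size = raw * cluster_size if raw > 0 else 1 << -raw
    return {
        "cluster_size": cluster_size,
        "record_size": record_size,
        "mft_offset": mft_lcn * cluster_size,
    }

def record_offset(geom: dict, index: int) -> int:
    """Byte offset of file record `index` (0-based).

    Only valid while $MFT is one contiguous run, as on a freshly formatted
    volume; otherwise the data runs of $MFT have to be followed.
    """
    return geom["mft_offset"] + index * geom["record_size"]

def constructed_boot_sector(bps=512, spc=1, mft_lcn=0x55555, rec=2) -> bytes:
    """Constructed sample using the walkthrough's values, not a real dump."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, bps, spc)
    struct.pack_into("<Q", bs, 0x30, mft_lcn)
    struct.pack_into("<b", bs, 0x40, rec)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

if __name__ == "__main__":
    geom = parse_ntfs_boot_sector(constructed_boot_sector())
    print(hex(geom["mft_offset"]))       # start of $MFT
    print(hex(record_offset(geom, 28)))  # the walkthrough's "29th" record
```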
2. Locate and set $MFT's bitmap
Find the run in the bitmap attribute (B0) of $MFT, and then use the run to locate its data area.
[Image: 3.jpg]
The selected attribute is B0. Here we use the run shown in purple. From the run we know that the data is in cluster 55554, that is, at offset (55554)x * (512)d (one cluster on my disk is one sector) = (aaaa800)x.
We arrive here:
[Image: 4.jpg]
Look at the purple part. Every bit in the data of $MFT's bitmap attribute represents the usage of one MFT number. For example, the 16 bits of the first two bytes represent $MFT, $MFTMirr, $LogFile, $Volume, ..., $Extend. The one byte after that covers the eight MFT numbers reserved by the system.
The next byte is 0f, which is 00001111 in binary. Note the bit order: within each byte, the lowest bit represents the lowest MFT number.
For example:
Byte: 1f
Binary: 0 0 0 1 1 1 1 1
MFT number: 8 7 6 5 4 3 2 1 (that is, numbers 1, 2, 3, 4 and 5 are in use, and 7 and 8 are idle)
We find an idle bit and write our MFT record there. The 17th bit, shown in purple, is idle, but it is reserved by the system and cannot be used. The next idle one is the 29th, so we can write our MFT record as the 29th MFT. After setting the 29th bit, the bitmap data changes from FF 00 0f to FF 1f.
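The search for an idle bit can be written out as follows. This is an added example, not the author's program: the sample bitmap is constructed from the description above (two bytes of system files, one reserved byte, then 0f), record numbers are 0-based so the text's "29th" MFT is record 28, and the function names are illustrative.

```python
FIRST_USER_RECORD = 24  # 16 system-file bits + 8 reserved bits, per the text

def in_use(bitmap: bytes, n: int) -> bool:
    """Record n is tracked in byte n // 8, at bit n % 8 counted from the low end."""
    return bool(bitmap[n >> 3] & (1 << (n & 7)))

def first_free_record(bitmap: bytes, start: int = FIRST_USER_RECORD):
    """Lowest idle record number at or after `start`, or None if all are taken."""
    for n in range(start, len(bitmap) * 8):
        if not in_use(bitmap, n):
            return n
    return None

def allocate_record(bitmap: bytearray) -> int:
    """Mark the first idle, non-reserved record as in use and return its number."""
    n = first_free_record(bitmap)
    if n is None:
        raise RuntimeError("no idle record: the bitmap and $MFT would have to grow")
    bitmap[n >> 3] |= 1 << (n & 7)
    return n

def used_records(bitmap: bytes) -> list:
    """All record numbers currently marked as in use."""
    return [n for n in range(len(bitmap) * 8) if in_use(bitmap, n)]

# Constructed sample: records 0-15 in use, 16-23 reserved and idle, 24-27 in use.
SAMPLE_BITMAP = bytes.fromhex("ffff000f00000000")

if __name__ == "__main__":
    bm = bytearray(SAMPLE_BITMAP)
    n = allocate_record(bm)
    print(n, bm[:4].hex())  # record number and the updated bitmap bytes
```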
3. Create a new MFT record and write it to the disk.
We go to the 29th MFT, at (aaaaa00)x (offset of the first MFT) + (29-1) * (1024)d (size of each file record) = (aab1a00)x.
Next we fill in this MFT record manually. Here I have added three basic attributes: 10, 30, and 80.
[Image: 5.jpg]
This is not easy to read.
[Image: 6.jpg]
Yes, this is much better than reading the raw data directly...
The colored parts above must be correct... You also have to set the USA (update sequence array) at the end of each sector of the MFT record. For example, if the value here is 01 00 (see offset aab1a30 above), we have to write it at the end of each of the two sectors of this MFT record:
First sector:
[Image: 7.jpg]
Second Sector:
[Image: 8.jpg]
That's it...
Alas... I forgot to add the attribute ID here... Log records are not added either. But it doesn't matter for our goals.
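The update sequence step described above is what lets a reader of the record detect a torn or hand-edited sector. The following added example (not the author's program) applies the fixup before a write and verifies and reverses it after a read. It assumes the standard FILE record header layout (USA offset at 0x04, USA word count at 0x06); the sample record is constructed, with the USA at 0x30 holding 01 00 as in the text.

```python
import struct

STRIDE = 512  # each 512-byte block of the record ends in a fixup

def protect(rec: bytearray) -> None:
    """Before writing: save each block's last two bytes in the USA, then
    overwrite them with the update sequence number (first USA word)."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        end = i * STRIDE - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = usn

def unprotect(raw: bytes) -> bytes:
    """After reading: check every block ends with the update sequence number,
    then put the saved bytes back. Raises ValueError on any mismatch."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if (usa_cnt < 2 or (usa_cnt - 1) * STRIDE > len(rec)
            or usa_off + 2 * usa_cnt > STRIDE - 2):
        raise ValueError("implausible update sequence array")
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        end = i * STRIDE - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn or edited record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def constructed_record() -> bytearray:
    """Constructed 1024-byte sample record, not a dump of a real volume."""
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)  # USA at 0x30: 1 number + 2 saved words
    rec[0x30:0x32] = b"\x01\x00"              # update sequence number, as in the text
    rec[510:512] = b"\xaa\xbb"                # real data at the end of sector 1
    rec[1022:1024] = b"\xcc\xdd"              # real data at the end of sector 2
    return rec
```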
4. Add index_entry
After the MFT record is added, we can add it to the index...
We first find the A0 attribute in the fifth MFT, that is, the root directory, and find the index root.
[Image: 9.jpg]
Its run is the purple part. Following it, we arrive at its data location.
[Image: 10.jpg]
The purple part above is the total length of index_entry. We also need to update this value after adding our index_entry.
The following shows the index_entry I added:
[Image: 11.jpg]
Note the last line: this entry at the end must exist... The other fields can simply be filled in according to the struct format.
5. Set this sector to in use in $Bitmap (note that this is not the bitmap attribute in $MFT)
The bitmap attribute in $MFT indicates which MFT numbers are in use.
$Bitmap indicates the usage of each sector on the entire disk.
Here we need to calculate which sector our MFT record is in: (aab1a00)x / (512)d = (5558d)x
The byte number is (5558d)x / 8 = (aab1)x.
So we set byte aab1. The data area of $Bitmap is at 1000be00 (that is, find $Bitmap's file record in the MFT and then follow its run to find the data area).
[Image: 12.jpg]
The byte for the sectors of our MFT record is at (aab1)x + (1000be00)x = (100168b1)x
[Image: 13.jpg]
It is already marked as in use...
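The step 5 arithmetic can be turned into a consistency check that reports any cluster of a file record that $Bitmap does not mark as in use. This is an added example, not the author's program: the constants are the offsets from the text, the bitmap contents are constructed, and the function names are illustrative. Because the 1024-byte record spans two 512-byte clusters, two bits in byte aab1 are involved.

```python
RECORD_OFFSET = 0xAAB1A00        # our file record, from step 3
RECORD_SIZE = 1024
CLUSTER_SIZE = 512               # one sector per cluster in this environment
BITMAP_DATA_OFFSET = 0x1000BE00  # data area of $Bitmap, from the text

def cluster_bits(byte_offset: int, length: int, cluster_size: int) -> list:
    """(byte index, bit mask) in $Bitmap for every cluster the byte range touches."""
    if length <= 0 or cluster_size <= 0:
        raise ValueError("length and cluster size must be positive")
    first = byte_offset // cluster_size
    last = (byte_offset + length - 1) // cluster_size
    return [(c >> 3, 1 << (c & 7)) for c in range(first, last + 1)]

def unallocated(bitmap: bytes, byte_offset: int, length: int, cluster_size: int) -> list:
    """Cluster numbers in the range that $Bitmap does not mark as in use."""
    missing = []
    for idx, mask in cluster_bits(byte_offset, length, cluster_size):
        if idx >= len(bitmap) or not bitmap[idx] & mask:
            missing.append(idx * 8 + mask.bit_length() - 1)
    return missing

def bitmap_byte_disk_offset(idx: int) -> int:
    """Where byte `idx` of $Bitmap sits on the disk (assumes a contiguous data area)."""
    return BITMAP_DATA_OFFSET + idx

if __name__ == "__main__":
    bits = cluster_bits(RECORD_OFFSET, RECORD_SIZE, CLUSTER_SIZE)
    print([(hex(i), hex(m)) for i, m in bits])
    print(hex(bitmap_byte_disk_offset(bits[0][0])))
    # Constructed bitmap in which only the first of the two clusters is marked.
    bm = bytearray(0xAAB2)
    bm[0xAAB1] = 0x20
    print([hex(c) for c in unallocated(bm, RECORD_OFFSET, RECORD_SIZE, CLUSTER_SIZE)])
```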
That is basically it...
I will not refresh the cache, but it is very troublesome to restart... This shows the convenience of using filedisk. First detach the disk, then re-create it. The cache is refreshed automatically and the new file is displayed.
[Image: 14.jpg]
If you want to add data, you can add it in the 80 attribute of its file record...
Remember: this program is only valid for the environment described above. Do not experiment on a real disk... You can use filedisk to create a virtual disk...
The following is the source code and DOC file of the program for adding files... I wanted to write it in the CMD format, but I haven't finished it yet...