[Win32] Direct read and write disk sector (disk absolute read and write)

?? This blog post by Csdn blogger Zuishikonghuan made, copyright Zuishikonghuan all. Reprint Please specify source: http://blog.csdn.net/zuishikonghuan/article/details/50380313

Is talking about driving development, here suddenly inserted a Win32 blog post. In fact. Or as a primer, in the previous post "IRP and dispatch function", we know that the driver needs to handle I/O requests. Let's take a look at how to make an I/O request.

The general program does not go directly to the disk, after all, there is a file system (FileSystem) to help us organize files easily, but sometimes we have to access the disk, because the file system hides the low-level implementation, Linux people like the file system called "Virtual file System (VFS)", In fact the reason is here. For example, we copy a file from a partition to a partition (in fact, it reads a file from a partition and then writes a file to a partition, usually a fragment read or a virtual memory (linear address space) mapping file), we do not need to care about the partitioning of the disk on the organization method. In the case of MBR or GPT format, there is no need to care about how partitions are organized for data, whether FAT32. NTFS,EXFAT,EXT2/3/4 format and so on, this is the charm of the file system. Cough, pull a little far ha, back to the point, our goal is to bypass the file system, direct access to the disk sector, just like the market on the PE disk maker. The boot program can be written to the main boot sector of the U disk (the first sector). is typically 512 bytes).

demonstrates reading the primary boot sector of the first disk. Write the words to change the ReadFile to WriteFile, and then slightly change the code will be able to . These API functions are detailed in one of my previous blogs (see: http://blog.csdn.net/zuishikonghuan/article/details/46926787). That's right. BIOS boot system crossing do not write Ah , write bad MBR can not guide the system, repair very troublesome, with the UEFI boot system casually write, not afraid, because the UEFI does not load the boot program from MBR, which is also the cause of the uefi innate immune ghost virus one of the reasons.

The code is as follows:

#include "stdafx.h" #include <windows.h>//: Output string pointer, start position, length//return value: Read size DWORD readdisk (unsigned char* &out , DWORD Start,dword size) {OVERLAPPED over = {0};over. Offset = start; HANDLE HANDLE = CreateFile (TEXT ("\\\\.\\physicaldrive0"), Generic_read, file_share_read| File_share_write, NULL, open_existing, 0, NULL); if (handle = = INVALID_HANDLE_VALUE) return 0;unsigned char* buffer = new UN Signed Char[size + 1];D word readsize;if (ReadFile (handle, buffer, size, &readsize, &over) = = 0) {CloseHandle (Handl e); return 0;} Buffer[size] = 0;out = Buffer;//delete [] buffer;//note the need to release memory CloseHandle (handle); return size;} int _tmain (int argc, _tchar* argv[]) {unsigned char* A;dword len=readdisk (A, 0,), if (len) {for (int i = 0; i < len; I + +) {printf ("%02x", A[i]);}} GetChar (); return 0;}

：

There are several areas to note in the code:

1. "\\.\physicaldrive0" represents the first physical disk. "\\.\physicaldrive1" represents a second physical disk. Do not distinguish between uppercase and lowercase, and so on. Also, don't forget that C + + string escapes should be written in \\\\.\\
2. The dwCreationDisposition parameter must have a open_existing flag. Don't ask me why, that's what Microsoft said, not to check MSDN.
3. MSDN says that if you read or write a volume device, dwShareMode must have a file_share_write flag. However, reading and writing disk devices on the W10 system assumes that CreateFile will fail without this flag, but not on w8.1. As for why don't you ask me about it. Ask Microsoft.

4. assume that you are using UEFI boot. Then your MBR first more than 400 bytes may be blank , Bo Master for some special reasons (convenient to load the MBR boot of the U-disk), specifically changed to BIOS boot. So the boot program in the MBR is not empty, so let's say you do code discovery before the 400 multibyte is 0, don't think it's a mistake.

Special reminder: Read and write the physical disk requires Administrator privileges , how to get administrator rights look here, do not pay attention to this cause failure and toss.

In addition, you are not allowed to learn to take to do the virus ah. Do the virus at your own peril!

We read and write a "disk" device like a file. The fact is that the I/O request to the read and write operation is sent to the dispatch function of the driver register of the device where the disk is located.

That's right. Microsoft provides the underlying hardware drivers for Windows. Regardless of the type of disk, whether it is an IDE disk, a SCSI disk, a SATA disk, or a disk that is hung from USB, it is abstracted into a unified interface disk device. So, just the disk you're using is the type supported by Microsoft. or the hardware manufacturer provides the driver, then the above code is available!

To return to the point, we open the "\\.\physicaldrive0". The disk device is turned on. Let's say I read the last few posts. You will find that this is not symbolic connection, yes. This is the symbolic connection for the disk device.

At the same time. A volume is also a device, which is a device created by Windows on a partition on a disk, which is a drive listed in this computer (File Explorer). B-plate, C-drive ... That's right. A volume is just a logical concept. We don't have a device like "volume" on our computer, but Windows created a device for it (not strictly an operating system creation, a task to create a device that is not an operating system, but one that Microsoft created for Windows-provided basic device drivers). For example, the device name of the C drive is usually "\device\harddiskvolume1". The symbolic connection name is "\??" \c: "(R0) and" \\.\c: "(R3), in fact, we see the * disk is to drive the development of symbolic connection!

Using Device Manager to change the drive letter, in fact, notifies the volume driver to delete and create the symbolic connection again.

In combination with the previous "IRP and dispatch function" and the "basic structure of NT Drive", you must have a rough idea. The next and next article will show you how to handle I/O requests in the driver.

??

[Win32] Direct read and write disk sector (disk absolute read and write)