Results 1 to 15 of 154

Thread: NTFS MFT Internals

Threaded View

  1. #11
    Quote Originally Posted by WaxfordSqueers View Post

    I would imagine HAL, or something, reads the standard 512 bytes from disk, or multiples thereof, and reads it into a buffer. Then something must process the buffer to get the info it needs to access files stored in a binary tree. Otherwise, how would they ever retrieve a file of any kind, or know where to read a directory? The system must know where the MFT pointer is located in the boot record section and it must know where to go in the MFT to get the file attributes.

    My suggestion?

    Use Ubuntu in the INSTALLATION AS APP mode using the WUBI installer (link on Ubuntu website itself).

    Ubuntu is the only linux installation that I am currently aware of, that has a unique installation mode. The Windows APP mode. Here, you install Ubuntu as an application (just as you install Word, or Office or Comodo). The software (in this case, our OS) installs. All you need is to create a folder where it will be installed.

    THEN, Ubuntu simply changes the boot.ini and includes a place to boot itself. Reboot the machine, and it will give you a choice to boot into Ubuntu or Windows.

    The main point, however, is that Ubuntu, once booted like this has 2 very important characteristics:

    1. It can read NTFS (read, write, execute... you get the idea) including all DRIVES residing in Windows.

    2. It uses Windows SYSTEM FILES (HAL, NTOSKRNL, et al) for everything. Which means, if you go into Ubuntu, DELETE these files, and reboot, UBUNTU will NOT WORK. That's because its installed in the APPLICATION mode. To uninstall UBUNTU, simply boot back in Windows and Program->Uninstall. Peachy!

    However, Point no. 2 has a deeper meaning.

    IF Ubuntu/WUBI uses HAL and NTOSKRNL to read/write/execute everything, THEN it must know how to read/write/execute from it. Comprende? THIS means, if you download the SOURCE CODE for UBUNTU/WUBI, then you will get an idea, where in the APPLICATION mode, is the HAL/NTOSKRNL et al being used, and HOW (plus, C/C++/ASM code in all its glory!) No need to scour google. No need to read up to polish your searching skills (heh, hello mods, I'm unable to wget any of the pages from just thought you should know -- even with the robots.txt control OFF -- but I digress)

    Mayhaps, that could be a slightly easier way to look at what's happening at HAL/NTOSKRNL levels without delving too much into Google. Just another attack vector, if you will.

    Have Phun.
    Last edited by Aimless; May 17th, 2013 at 10:40.
    Blame Microsoft, get l337 !!

Similar Threads

  1. NTFS reversing
    By WaxfordSqueers in forum The Newbie Forum
    Replies: 21
    Last Post: April 28th, 2013, 00:56
  2. Qt Internals & Reversing
    By Daniel Pistelli in forum Blogs Forum
    Replies: 11
    Last Post: December 5th, 2008, 04:12
  3. problem with NTFS file encryption
    By Hero in forum The Newbie Forum
    Replies: 10
    Last Post: October 22nd, 2004, 03:49
  4. New project: RSA-65 analysis on GetDataBack for NTFS
    By Lbolt99 in forum RCE Cryptographics
    Replies: 6
    Last Post: August 1st, 2002, 14:48
  5. Write to NTFS
    By tentakkel in forum Malware Analysis and Unpacking Forum
    Replies: 7
    Last Post: October 8th, 2001, 17:18


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts