
Thread: NTFS MFT Internals

  1. #31
    Quote Originally Posted by WaxfordSqueers View Post
    ...

    I would imagine HAL, or something, reads the standard 512 bytes from disk, or multiples thereof, and reads it into a buffer. Then something must process the buffer to get the info it needs to access files stored in a binary tree. Otherwise, how would they ever retrieve a file of any kind, or know where to read a directory? The system must know where the MFT pointer is located in the boot record section and it must know where to go in the MFT to get the file attributes.

    ...
    My suggestion?

    Use Ubuntu in the INSTALLATION AS APP mode using the WUBI installer (link on Ubuntu website itself).

    Code:
    https://wiki.ubuntu.com/WubiGuide
    Ubuntu is the only Linux installation that I am currently aware of that has a unique installation mode. The Windows APP mode. Here, you install Ubuntu as an application (just as you install Word, or Office or Comodo). The software (in this case, our OS) installs. All you need is to create a folder where it will be installed.

    THEN, Ubuntu simply changes the boot.ini and includes a place to boot itself. Reboot the machine, and it will give you a choice to boot into Ubuntu or Windows.

    The main point, however, is that Ubuntu, once booted like this has 2 very important characteristics:

    1. It can read NTFS (read, write, execute... you get the idea) including all DRIVES residing in Windows.

    2. It uses Windows SYSTEM FILES (HAL, NTOSKRNL, et al) for everything. Which means, if you go into Ubuntu, DELETE these files, and reboot, UBUNTU will NOT WORK. That's because it's installed in the APPLICATION mode. To uninstall UBUNTU, simply boot back in Windows and Program->Uninstall. Peachy!

    However, Point no. 2 has a deeper meaning.

    IF Ubuntu/WUBI uses HAL and NTOSKRNL to read/write/execute everything, THEN it must know how to read/write/execute from it. Comprende? THIS means, if you download the SOURCE CODE for UBUNTU/WUBI, then you will get an idea of where, in the APPLICATION mode, the HAL/NTOSKRNL et al are being used, and HOW (plus, C/C++/ASM code in all its glory!). No need to scour Google. No need to read up searchlores.org to polish your searching skills (heh, hello mods, I'm unable to wget any of the pages from woodmann.com/searchlores, just thought you should know -- even with the robots.txt control OFF -- but I digress).

    Mayhaps, that could be a slightly easier way to look at what's happening at HAL/NTOSKRNL levels without delving too much into Google. Just another attack vector, if you will.

    Have Phun.
    Last edited by Aimless; May 17th, 2013 at 10:40.
    Blame Microsoft, get l337 !!

  2. #32
    Quote Originally Posted by Aimless View Post
    My suggestion? Use Ubuntu in the INSTALLATION AS APP mode using the WUBI installer (link on Ubuntu website itself).
    Thanks for suggestion. It's a good idea and worth checking out but I am being stretched in several different directions right now and tending to lose focus. Sometimes that is part of reversing, as you know.

    Having the source code for the Ubuntu kernel is obviously a plus.

    Quote Originally Posted by Aimless View Post
    IF Ubuntu/WUBI uses HAL and NTOSKRNL to read/write/execute everything, THEN it must know how to read/write/execute from it.
    Not necessarily. Ubuntu knows how to call functions in those Windows kernel modules but they are the ones that know how to interpret disk I/O. I could be wrong. For example, in what I know of C++ code, all the calls are high level, unless they build in inline assembly instructions. I would imagine all you're going to see in Ubuntu source is calls to Hal, Ntoskrnl, NTFS.sys, etc.
    Last edited by WaxfordSqueers; May 17th, 2013 at 23:10.

  3. #33
    blabberer (Super Moderator; Join Date: Dec 2004; Posts: 1,487; Blog Entries: 15)
    windbg is a frontend to kd. kd can perform better in a few circumstances where windbg won't run (like remotely terminally ill platforms with no access to food, water or weed)

    a quote from windbg doc
    If the client is unable to send a connection request to the server, but the server is able to send a request to the client, you can use remote debugging through the debugger with a reverse connection by using the clicon parameter.

    Remote debugging through remote.exe is used to remotely control a Command Prompt window. It can be used to remotely control KD, CDB, or NTSD. It cannot be used with WinDbg.


    oh btw i cleaned up the src i posted a few threads above to use a few structures

    and it can now find all the file names: 498 filenames out of 512 asked for
    the remaining few have no attribute, 0xffffffff as the first header
    and a few have attribute offset > 0x50 (ima readin only 0x200 bytes)

    you can also stuff these structs back into ntfs.pdb and build an nms of the modified pdb to use with softice

    since you brought up cache

    one of the places where nt plays with cache is nt!ccmapdata

    you can use the struct in the code i post below like this

    Code:
    kd> bp 8056d719 "dt Ntfs!_NTFSMFT (@ecx & 0xffffff00)" 
    breakpoint 0 redefined
    kd> bl
     0 e 8056d719     0001 (0001) nt!CcMapData+0xf2 "dt Ntfs!_NTFSMFT (@ecx & 0xffffff00)"
    
    kd> g
       +0x000 MAGIC            : 0x454c4946
       +0x004 UpdateSeqOffset  : 0x30
       +0x006 FixupArrayEntries : 3
       +0x008 $LogFileSeqNo    : 0x711322c
       +0x010 SequenceNumber   : 1
       +0x012 HardLinkCount    : 1
       +0x014 AttributeOffset  : 0x38
       +0x016 Flags            : 3
       +0x018 MftUsed          : 0x1e8
       +0x01c MftAlloc         : 0x400
       +0x020 FileRefernace    : 0
       +0x028 NextAttributeID  : 8
       +0x02a AlignNext4B      : 0
       +0x02c ThisMFTRecordNumber : 0x1d
       +0x030 UpdateSequence   : [8]  "???"
    nt!CcMapData+0xf2:
    8056d719 884de7          mov     byte ptr [ebp-19h],cl
    
    kd> !address @ecx
      c1000000 - 20000000                           
              Usage       KernelSpaceUsageSystemCache
    
    kd> dt Ntfs!_ATTRIBUTE_HEADER ((@ecx & 0xffffff00)+0x38)
       +0x000 AttributeType    : 0x10
       +0x004 AttributeLength  : 0x60
       +0x008 Resident         : 0 ''
       +0x009 NameLength       : 0 ''
       +0x00a NameOffset       : 0
       +0x00c Flags            : 0
       +0x00e AttributeNumber  : 0
       +0x010 AttributeContentLength : 0x48
       +0x014 AttributeContentStartOffset : 0x18
       +0x016 unk              : 0
    
    
    kd> dt Ntfs!_ATTRIBUTE_HEADER (((@ecx & 0xffffff00)+0x38)+60)
       +0x000 AttributeType    : 0x30
       +0x004 AttributeLength  : 0x70
       +0x008 Resident         : 0 ''
       +0x009 NameLength       : 0 ''
       +0x00a NameOffset       : 0
       +0x00c Flags            : 0
       +0x00e AttributeNumber  : 2
       +0x010 AttributeContentLength : 0x52
       +0x014 AttributeContentStartOffset : 0x18
    
    
    kd>  dt Ntfs!_FILE_INFO_ATTRIBUTE_RECORD ((((@ecx & 0xffffff00)+0x38)+60)+18)
       +0x000 ParentDirectory  : 0x10000`0000001c
       +0x008 FileCreationTime : 0x1ce4c4a`d5b48900
       +0x010 FileModificationTime : [2] 0x1ce4c4a`d5b48900
       +0x020 FileAccessTime   : 0x1ce4c4a`d5b48900
       +0x028 AllocatedSizeOfFile : 0
       +0x030 RealSizeOfFile   : 0
       +0x038 Flags            : 0x10000000
       +0x040 FileNameLengthinUnicodeChars : 0x8 ''
       +0x041 NtfsNameSpace    : 0x3 ''
       +0x042 Filename         : [1]  "s"
    
    kd> ?? (wchar_t *) ((Ntfs!_FILE_INFO_ATTRIBUTE_RECORD *) @@masm(((((@ecx & 0xffffff00)+0x38)+60)+18)))->Filename
    wchar_t * 0xc42074f2
     "system32"
    
    
    it is mapping the system32Directory
    
    lets see the stack
    
    kd> kb
    ChildEBP RetAddr  Args to Child              
    facbb32c fa6c3a6e 812c01c8 facbb35c 00000400 nt!CcMapData+0xf2
    facbb34c fa6c3c89 81237008 812d1008 00007400 Ntfs!NtfsMapStream+0x46
    facbb3c0 fa6c3b96 81237008 812bc100 e13f9858 Ntfs!NtfsReadMftRecord+0x86
    facbb3f8 fa6c3aed 81237008 812bc100 e13f9858 Ntfs!NtfsReadFileRecord+0x7a
    facbb430 fa6c49e2 81237008 e13f9850 e13f9858 Ntfs!NtfsLookupInFileRecord+0x37
    facbb470 fa6c5b95 81237008 e13f9918 e1528ef8 Ntfs!FindFirstIndexEntry+0x32
    facbb4b8 fa6c5ce8 81237008 e13f9918 e1528ef8 Ntfs!NtfsFindIndexEntry+0x48
    facbb4ec fa6c5a23 81237008 e13f9918 00000101 Ntfs!NtfsLookupEntry+0xa2
    facbb718 fa6c2f2d 81237008 811a9008 facbb770 Ntfs!NtfsCommonCreate+0x10c3
    facbb7fc 804e37f7 812bc020 811a9008 811f5988 Ntfs!NtfsFsdCreate+0x1dc
    facbb80c fa746876 811a9018 812d47d0 811f5988 nt!IopfCallDriver+0x31
    facbb858 804e37f7 812d2628 00000001 811a9008 sr!SrCreate+0x150
    facbb868 8056c712 812c0a50 811f256c facbba10 nt!IopfCallDriver+0x31
    facbb948 80563fec 812c0a68 00000000 811f24c8 nt!IopParseDevice+0xa12
    facbb9d0 805684da 00000000 facbba10 00000240 nt!ObpLookupObjectName+0x56a
    facbba24 8056cbeb 00000000 00000000 00000000 nt!ObOpenObjectByName+0xeb
    facbbaa0 8056ccba facbbbdc 00000020 facbbb48 nt!IopCreateFile+0x407
    facbbafc 80586517 facbbbdc 00000020 facbbb48 nt!IoCreateFile+0x8e
    facbbb70 80586b1a facbbb98 00000020 facbbbd0 nt!CcPfGetSectionObject+0x91
    facbbc04 805b3040 facbbd24 00000003 01cbbc84 nt!CcPfPrefetchSections+0x2b7
    facbbdac 8057aeff 813074a8 00000000 00000000 nt!CcPfBootWorker+0x3fc
    facbbddc 804f88ea 805b2cfd 813074a8 00000000 nt!PspSystemThreadStartup+0x34
    00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
    the code i cleaned up is below

    Code:
    #include <stdio.h>      // printf, fopen_s, fread_s, _ftelli64
    #include <stddef.h>     // offsetof
    #include <tchar.h>      // _tmain, _TCHAR
    #include <windows.h>
    
    // NOTE: the trailing //comments give the offset just AFTER each field
    typedef struct _NTFSMFT {
        DWORD MAGIC; //4
        WORD UpdateSeqOffset; //6
        WORD FixupArrayEntries; //8
        DWORD64 $LogFileSeqNo; //0x10
        WORD SequenceNumber; //0x12
        WORD HardLinkCount; //0x14
        WORD AttributeOffset; //0x16
        WORD Flags; //0x18
        DWORD MftUsed; //0x1c
        DWORD MftAlloc; //0x20
        DWORD64 FileRefernace; //0x28
        WORD NextAttributeID; //0x2a
        WORD AlignNext4B; // 0x2c
        DWORD ThisMFTRecordNumber; //0x30
        BYTE UpdateSequence[0x8]; //0x38
    } NtfsMft, *PNtfsMft;
    
    typedef struct _ATTRIBUTE_HEADER 
    {
        DWORD AttributeType; //0x04
        DWORD AttributeLength; //0x08
        BYTE Resident; //0x09   (0 = resident, 1 = non resident)
        BYTE NameLength; //0x0a
        WORD NameOffset ; // 0x0c
        WORD Flags;  //0xe
        WORD AttributeNumber; //0x10
        DWORD AttributeContentLength; //0x14
        WORD AttributeContentStartOffset; //0x16
        WORD unk; //0x18
    }AttributeHeader,*PAttributeHeader;
    
    typedef struct _FILE_INFO_ATTRIBUTE_RECORD
    {
        DWORD64 ParentDirectory; //0x08
        DWORD64 FileCreationTime; // 0x10
        DWORD64 FileModificationTime[0x02]; // 0x20
        DWORD64 FileAccessTime; // 0x28
        DWORD64 AllocatedSizeOfFile; //0x30
        DWORD64 RealSizeOfFile; //0x38
        DWORD64 Flags; //0x40
        BYTE FileNameLengthinUnicodeChars; // 0x41
        BYTE NtfsNameSpace; //0x42
        wchar_t Filename[1];
    }FileInfoAttributeRecord,*PFileInfoAttributeRecord;
    
    #define SECTOR_SIZE 0x200
    #define MAGIC_FILE0 0x30454c4946ULL   // "FILE0" read as a little-endian 40 bit value
    
    // print the name held in a $FILE_NAME (0x30) attribute whose header begins at
    // dump[headeroffset]; skip it if the name would run past the bytes that were read
    static void PrintFileName(BYTE *dump, DWORD headeroffset, PAttributeHeader phdr, FILE *fp)
    {
        DWORD content = headeroffset + phdr->AttributeContentStartOffset;
        PFileInfoAttributeRecord pfinforecord = NULL;
        if ( content + offsetof(FileInfoAttributeRecord, Filename) > SECTOR_SIZE )
        {
            printf("file name attribute lies beyond the sector read, skipping\n");
            return;
        }
        pfinforecord = (PFileInfoAttributeRecord)&dump[content];
        if ( content + offsetof(FileInfoAttributeRecord, Filename)
             + 2 * pfinforecord->FileNameLengthinUnicodeChars > SECTOR_SIZE )
        {
            printf("file name runs past the sector read, skipping\n");
            return;
        }
        printf (
            "FILE0 found at %I64x file name is %.*S\n",
            (_ftelli64(fp)-SECTOR_SIZE),
            pfinforecord->FileNameLengthinUnicodeChars,
            pfinforecord->Filename 
            );
    }
    
    int _tmain(int argc, _TCHAR* argv[])
    {
        printf("lets open the harddisk and look at it \n");
        FILE * fp = NULL;
        BYTE dump[0x260] = {0};
        PNtfsMft pntmft = NULL;
        PAttributeHeader pfirstheader = NULL;
        PAttributeHeader psecondheader = NULL ;
        PAttributeHeader pthirdheader = NULL;
        DWORD offset = 0;   // offset of the attribute header currently being looked at
    
        // raw access to \\.\PHYSICALDRIVE0 needs an elevated (administrator) prompt
        if ( fopen_s( &fp,"\\\\.\\PHYSICALDRIVE0", "rb" ) != 0 || fp == NULL )
        {
            printf("could not open \\\\.\\PHYSICALDRIVE0\n");
            return FALSE;
        }
        int foo = -1;
        do
        {
            foo++;
            // read sector by sector until one begins with the "FILE0" magic
            do
            {
                if ( fread_s(dump,sizeof(dump),1,SECTOR_SIZE,fp) != SECTOR_SIZE )  // read one sector
                {
                    printf("end of disk or read error after %d records\n",foo);
                    fclose(fp);
                    return FALSE;
                }
            } while ( ( (*(DWORD64 *)dump) & 0xffffffffffULL) != MAGIC_FILE0 );
            pntmft = (PNtfsMft)&dump;
            if(pntmft->AttributeOffset > 0x50)
            {
                printf("pntmft->AttributeOffset %x > 0x50 readonly 200 bytes\n",pntmft->AttributeOffset);
                continue;
            }
            offset       = pntmft->AttributeOffset;
            pfirstheader = (PAttributeHeader)&dump[offset];
            if ( pfirstheader->AttributeType == 0x30 )
            {
                PrintFileName(dump, offset, pfirstheader, fp);
                continue;
            }
            // the next header follows at AttributeOffset + AttributeLength; make sure it
            // still lies inside the 0x200 bytes read before dereferencing it
            offset += pfirstheader->AttributeLength;
            if ( pfirstheader->AttributeLength == 0 || offset + sizeof(AttributeHeader) > SECTOR_SIZE )
            {
                printf("second attribute header lies beyond the sector read\n");
                continue;
            }
            psecondheader = (PAttributeHeader)&dump[offset];
            if ( psecondheader->AttributeType == 0x30 )
            {
                PrintFileName(dump, offset, psecondheader, fp);
                continue;
            }
            offset += psecondheader->AttributeLength;
            if ( psecondheader->AttributeLength == 0 || offset + sizeof(AttributeHeader) > SECTOR_SIZE )
            {
                printf("third attribute header lies beyond the sector read\n");
                continue;
            }
            pthirdheader = (PAttributeHeader)&dump[offset];
            if ( pthirdheader->AttributeType == 0x30 )
            {
                PrintFileName(dump, offset, pthirdheader, fp);
                continue;
            }
            printf("name info attribute not in first three headers need to research more\n");
        } while(foo<0x200); // exit after printing 0x200 Filenames
        printf("printed 0n512 filenames or bs\n");
        fclose(fp);
        return TRUE;
    }
    here is how to put the structures back into ntfs.pdb

    Code:
    copy the three defined structures into a file named xxxx.c and declare them
    copy the xxxx.c file to a new folder
    
    typedef struct _XXXX{
    .....
    }XXXX;
    
    xxxx foo;
     
    copy the original ntfs.pdb  to the new folder
    
    open a wdk command prompt say xp fre environment  and navigate to the new folder
    
    and compile the c file using
    
    cl.exe /Zi /Gz /c /Fd%1.pdb   %1.c  provide include paths as needed
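
A parser for the FILE record laid out above, written as an added example (not blabberer's code or anything from the thread): it undoes the update-sequence fixups that UpdateSeqOffset/FixupArrayEntries describe, walks the attribute headers to the 0xFFFFFFFF end marker with every length checked against the record, and decodes the $FILE_NAME value including the 48-bit record / 16-bit sequence split of the parent reference. The 1024-byte record it parses is constructed in memory to match the dump (record 0x1d, "system32" under parent 0x1c); the USN value and saved sector-tail bytes are assumptions.

```python
"""Parse an NTFS FILE record: undo fixups, walk attributes, decode $FILE_NAME.
Added example with a constructed record; offsets follow the dt output in the thread."""
import struct

SECTOR = 0x200
END_MARKER = 0xFFFFFFFF
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}


def split_file_reference(ref):
    """64-bit file reference -> (MFT record number, sequence number).
    The low 48 bits are the record, the high 16 count how often the slot was reused."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def apply_fixups(rec):
    """Undo the update sequence array. On disk the last two bytes of every sector
    of the record hold the USN and the real bytes sit in the fixup array; a
    sector whose tail does not match the USN was not fully written (torn record)."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn record" % (i - 1))
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_file_name(value):
    """$FILE_NAME value -> (name, namespace, parent record, parent sequence)."""
    parent_rec, parent_seq = split_file_reference(struct.unpack_from("<Q", value, 0)[0])
    name_len, namespace = value[0x40], value[0x41]
    name = value[0x42:0x42 + 2 * name_len].decode("utf-16-le")
    return name, NAMESPACES.get(namespace, str(namespace)), parent_rec, parent_seq


def iter_attributes(rec):
    """Yield (type, header offset, resident value or None) for each attribute,
    checking every length against the record before it is trusted."""
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            return
        if alen < 0x18 or off + alen > len(rec):
            raise ValueError("attribute at 0x%x has bad length 0x%x" % (off, alen))
        value = None
        if rec[off + 8] == 0:  # resident: the value lives inside the record
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            if voff + vlen > alen:
                raise ValueError("resident value at 0x%x overruns its attribute" % off)
            value = rec[off + voff:off + voff + vlen]
        yield atype, off, value
        off += alen
    raise ValueError("record ends without the 0xFFFFFFFF end marker")


def parse_file_record(rec):
    """Full parse of one record: header fields plus every attribute."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    seq, links = struct.unpack_from("<HH", rec, 0x10)
    record_no = struct.unpack_from("<I", rec, 0x2C)[0]
    names, resident = [], {}
    for atype, _off, value in iter_attributes(rec):
        if atype == 0x30:
            names.append(parse_file_name(value))
        elif value is not None:
            resident[atype] = value
    return {"record": record_no, "sequence": seq, "links": links,
            "names": names, "resident": resident}


def build_sample_record():
    """Constructed record 0x1d with $STANDARD_INFORMATION, $FILE_NAME "system32"
    (parent record 0x1c, sequence 1) and a resident $DATA, stored as on disk:
    both sector tails overwritten with the (assumed) USN 5, real bytes in the array."""
    def attr(atype, value, attr_id):
        total = (0x18 + len(value) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id,
                          len(value), 0x18, 0, 0)
        return hdr + value + b"\0" * (total - 0x18 - len(value))

    fname = struct.pack("<Q", (1 << 48) | 0x1C) + b"\0" * 0x30   # parent ref, 4 times, sizes
    fname += struct.pack("<IIBB", 0x10000000, 0, 8, 3) + "system32".encode("utf-16-le")
    attrs = attr(0x10, b"\0" * 0x48, 0) + attr(0x30, fname, 2) + attr(0x80, b"hello", 3)
    attrs += struct.pack("<I", END_MARKER)
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0x711322C, 1, 1, 0x38, 1,
                                0x38 + len(attrs), 0x400, 0, 4, 0, 0x1D)
    usa = struct.pack("<HHHH", 5, 0x1111, 0x2222, 0)   # USN, two saved sector tails, pad
    rec = bytearray(hdr + usa + attrs)
    rec += b"\0" * (0x400 - len(rec))
    rec[SECTOR - 2:SECTOR] = b"\x05\x00"
    rec[2 * SECTOR - 2:2 * SECTOR] = b"\x05\x00"
    return bytes(rec)
```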

  4. #34
    Quote Originally Posted by blabberer View Post
    windbg is a frontend to kd. kd can perform better in a few circumstances where windbg won't run (like remotely terminally ill platforms with no access to food, water or weed)
    I have the Debugging Tools for Windows set up on my XP (they have been there for a long time) and when I called up KD it gave me an option to connect with various means, none of which I have immediately available. However, the 'Local' choice brought up LiveKD, so I played with it.

    I was able to use !filecache, !ca, !fileobj, etc. to examine the VABC table, also DC to dump some stuff. Barely got started.

    The network setup I have between XP and my laptop (Win 7) is not stable, i.e. it works sometimes and sometimes not. I am looking into a USB - USB network but it means getting the special cable with the chip in it that allows USBs between computers to operate without blowing the USB bus. Apparently it comes with software so you can use it for either straight file copies or for networking.


    Quote Originally Posted by blabberer View Post
    oh btw i cleaned up the src i posted few threads above to use a few structures
    Again, I appreciate the amount of work you have put into this and I have read it with great interest. I have little practical experience programming in C or C++, just enough to make myself dangerous. I think I have Visual C++ 6 somewhere, so I'll have to set it up again.

    I was surprised that you have a pdb for NTFS.sys. I looked in my symbols file I have on disk and there is no PDB listed for it. I made one using the IDA2ICE plugin for IDA. I'll have to look closer for a pdb.

    I am driving myself a bit wonky through the focus I have put on this stuff the past couple of weeks. I tend to get into something like this to the point where my health suffers due to lack of exercise and sleep issues. I never learn. I am going to have to back off a bit, temporarily.

    Meantime, I have made a couple of screen capture of Active@ to show you how they have captured the data extracted by your program.

    In capture '$Boot.jpg', at offset 0x30, you can see the pointer to the $MFT file. At 0x38 is the ptr to $MftMirr, the backup of the MFT. Those are cluster offsets so they have to be converted to byte offsets. My MFT is at 0XC0000 and my Mirr is at cluster 2.

    $MFT001.jpg shows offset 0xC0000000 and (0xC0000 clusters) x (0x8 sectors/cluster) x (0x200 bytes /sector) = byte offset 0xC0000000

    Note that 0XC0000000 begins with FILE. I have placed the NTFS MFT File Record template over the F in File (ie. offset 0 of the MFT) using right-click Set Template Position. You can set bookmarks in Active@ to quickly return to your previous view. Look in the template table and you will see all the file record headers you have listed with your app. Also, you can hover the mouse over the offset and it will display some info from the template table.

    Sorry...for some reason the system won't let me upload jpegs. I get a red exclamation mark each time I try. Maybe the files are too big (250K) or maybe I need to zip them.

    NTFS.rar

    Let me know if they come out OK.

    I made some headway tracing the files and directories using the info from the Active@ template. If you look down the table further you get much more info. For example, it lists 'data runs' which is a file's actual data stream. You will see various attributes highlighted and if you open the 0x80 attribute, you'll see data runs in some. On one jpeg file I was able to trace it from an MFT record right to the file, but I have not learned yet how to identify a directory. Apparently directories have an $I30 header in them, although it's not always aligned with a paragraph boundary like a FILE header is.

    I am still working with softice and painting myself into a corner by approaching this from too many angles. :-)
    Last edited by WaxfordSqueers; May 18th, 2013 at 23:06.

  5. #35
    blabberer (Super Moderator; Join Date: Dec 2004; Posts: 1,487; Blog Entries: 15)
    I have the Debugging Tools for Windows set up on my XP (they have been there for a long time) and when I called up KD it gave me an option to connect with various means, none of which I have immediately available. However, the 'Local' choice brought up LiveKD, so I played with it.
    don't give me this again it is absolutely not possible that nothing could be available
    i said you DONT NEED TWO MACHINES

    a connection problem between vm and physical machine cannot exist unless the vm and machine are absolutely fubar

    ill put it up once again

    1) go to ms and download virtual pc 2007 sp1 (free)
    2) install virtual pc in physical machine and create a virtual hard disk
    3) create an iso from xp setup (imgburn ..........)
    4) mount the iso in virtual pc using capture iso image in cd tab on virtual pc
    5) fdisk, format and install xpsp3 in vpc's virtual harddisk
    6) open boot.ini in c:\ in vpc hard disk and add one more boot entry
    7) in the virtual pc edit->setting->com1-> setup a named pipe \\.\pipe\debugPipe
    8) reboot vpc and select the newly added boot entry
    9) in the physical machine create a shortcut <path>\windbg.exe -k com:pipe,port=\\.\pipe\debugPipe,resets=0,reconnect
    10) double click and launch the shortcut (i e windbg waiting to reconnect)
    11) press ctrl+break a few times in windbg or open the vpc and press ctrl+alt+prtscreen for kd connection to happen
    12) set up symbol path in myComputer->properties->advanced -> environment variables-> new in physical machine
    13) if your internet connection is active windbg will automatically fetch the symbols from ms as and when needed
    14) that is it nothing more nothing less

    Quote:
    iam surprised you have ntfs.pdb

    i have ntfs pdb for several os gathered over a few years and all of them were fetched by windbg as and when it required them
    Code:
    F:\>cd SYMBOLS\ntfs.pdb
    
    F:\SYMBOLS\ntfs.pdb>tree /f /a
    Folder PATH listing
    
    F:.
    +---513BBB60430D411DBE02DF92418A2B272
    |       ntfs.pdb
    |
    +---930EE4647C27429A84EDF147B1500AA62
    |       ntfs.pdb
    |
    +---AA4F4A5C7B1D4663A7E0891479090D8A2
    |   |   ntfs.pdb
    |   |
    |   \---somechanges
    |       |   ntfs.pdb
    |       |   orinntfs.pdb
    |       |
    |       \---addtypeinfotontfs.pdb
    |               addtypeinfot.bat
    |               ntfs.c
    |               ntfs.obj
    |               ntfs.pdb
    |
    +---CF3F539EE3B2408887756DD42D7E53442
    |       ntfs.pdb
    |
    \---E236541273E04837AC83A3E7C8C776B42
            ntfs.pdb
    
    
    F:\SYMBOLS\ntfs.pdb>

    i ll take a look at the images but there are several utilities that will show them in colored and or several other formats (0x10 / winhex / to mention a few)

  6. #36
    Quote Originally Posted by blabberer View Post
    don't give me this again it is absolutely not possible that nothing could be available
    i said you DONT NEED TWO MACHINES
    Heh....be nice, after all, I sent you all those purdy peectoores. I hope you don't take me seriously with my offhand comments. I worked for years in construction/industrial environment and I'm used to mouthing off and being mouthed off at. It's all in good fun.

    I have not forgotten what you said about VMs, I just haven't had time to go through the learning curve. My eyes feel like pee holes in the snow from all the reading I've been doing. They are a very unnatural colour of red, like a vampire in heat. I used Live KD just to have a look at !filecache, etc.

    I was only opening files like KD to see what would happen. I got a tabbed menu with different options for connecting to a remote machine and the last tab was for local connections. That's all I was saying. Another problem is that my XP machine is not online, hence a difficulty in getting the symbols directly. My XP was configured through the LAN connection to access the Net via my laptop wireless connection but despite all the blethering from Microsoft, setting up a LAN connection between XP and 7 is not that apparent. For example, setting up the XP side of an Internet connection calls for making a disk on XP and using it on the other system. There are no provisions for that on 7 and I had to resort to processes I have since forgotten, like adjusting the XP NIC to my laptop's wireless IP.

    It just disappeared on me for no apparent reason and troubleshooting it became a major event.

    I am completely comfortable with softice (hey Kayaker...how's it goin?) and learning windbg at this particular moment would hold me up so badly you'd not hear back from me for days, maybe weeks.

    The hold up is that I am trying to learn how to get 'direct' disk access via softice. I had no idea what I was dealing with when it came to file caching and that has been a major revelation in itself. Typical Microsoft bs, trying to out-think the user. They should have a radio button prominently displayed to turn off file caching and save us some grief. I know of the function in Device Manager for hard disks where some file caching (write-behind) can be turned off but I think that refers only to one part where the system holds writes back for a while. Both the drives on my XP system are turned off for write-behind. I turned that off for good when I was single-stepping and killed my system during a BSOD. Fortunately, chkdsk recovered the disk. There are times under heavy usage when my Win 7 system just slows to a near-halt, and now I know why, not the lazy-write, but the entire file caching nonsense.

    It's so convoluted it's a wonder Windoze works at all. They seem to forget this is a time-slice system where all this stuff has to be done in a fraction of a second. All it takes is an overloaded or confused file caching system to slow things right down, and there's no remedy but a reboot.

    Imagine Microsoft logic trying to guess what a user is going to read next, and all the bloatware that goes into doing that. Every time I open File Explorer, it anticipates what I want to do and opens to a directory I have never used. That's partly why I never use the piece of garbage, using a third party file manager that actually allows me to open two panes at the same time. With Explorer, you still have to open another instance and I don't bother. Same with IE Explorer....garbage. I use Firefox, which is twice the browser and free. Even Opera leaves IE in the dust.

    Anyway, I now feel far more confident about exploring the MFT via softice, or windbg, if I get it going. Each day I learn a bit more about the spider approach. And I keep you full of life raving at me.

    I have discovered some functions that relate to MFT metadata, like CcPinRead. Of course, those are cache related funcs. There's also IoCallDriver and CcCopyRead, which I encountered the other night while traipsing through the dark code woods. Also, I learned that NtReadFile should be called closer to the MFT read. As I told you, it was breaking all over the place the other night.

    I will look at your VM setup tomorrow. I already have VMWare setup with a Windows XP VHD but I don't think it's SP3. Softice did not like SP3 but deroko claims to have it running with SP3 on a VM. He's in the softice genius class, however, like Kayaker.

    Quote Originally Posted by blabberer View Post
    i ll take a look at the images but there are several utilities that will show them in colored and or several other formats (0x10 /winhex / to mention a few
    The point of the images is not the nice colours, it's the correlation between them and the template descriptions. A heck of a lot of work has gone into deciphering the file attributes and it makes life a whole lot easier when trying to make head or tail of what is happening. The template descriptors go into great detail but unfortunately only for files beginning with 'FILE'. There are others that begin with 'INDX' I'd like to get into.

    According to the reading I was doing tonight, NTFS uses an LCN - VCN compression and I have seen reference to that before. As you know, an LCN is the cluster distance from the start of the volume and the VCN is the offset from the start of the file. It also uses record numbers for files that are not all that apparent because they are combined with another number into a 64-bit number. The MSBs of the number represent the number of times the MFT space has been used and the LSBs are the file number.
    Last edited by WaxfordSqueers; May 19th, 2013 at 08:29.
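
The arithmetic behind the $Boot capture above (MFT cluster at 0x30, $MftMirr at 0x38, 0xC0000 clusters x 8 sectors/cluster x 0x200 bytes/sector = 0xC0000000) and the LCN/VCN mapping that the data runs in a 0x80 attribute encode, as an added example (not code from the thread or from Active@). The $Boot sector and the run list it decodes are constructed in memory to match those figures; the run list bytes are an assumption, not taken from any capture.

```python
"""Decode the NTFS geometry in $Boot and a data run list (added example;
constructed inputs, not read from a disk)."""
import struct


def parse_boot_sector(boot):
    """Geometry from the $Boot sector: bytes/sector at 0x0B, sectors/cluster at 0x0D,
    $MFT LCN at 0x30, $MFTMirr LCN at 0x38, file record size at 0x40."""
    if boot[3:11] != b"NTFS    " or boot[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", boot, 0x30)
    rec = struct.unpack_from("<b", boot, 0x40)[0]
    cluster = bytes_per_sector * sectors_per_cluster
    # a negative record size field means 2**(-value) bytes, otherwise it counts clusters
    record_size = 2 ** -rec if rec < 0 else rec * cluster
    return {"cluster_size": cluster, "record_size": record_size,
            "mft_lcn": mft_lcn, "mft_offset": mft_lcn * cluster,
            "mftmirr_lcn": mftmirr_lcn, "mftmirr_offset": mftmirr_lcn * cluster}


def decode_data_runs(runs):
    """Run list of a non-resident attribute -> [(start VCN, LCN or None, clusters)].
    Header byte: low nibble = width of the length, high nibble = width of the
    LCN delta (signed, relative to the previous run); width 0 means a sparse run."""
    extents, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_size, off_size = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError("malformed run at byte %d" % (pos - 1))
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append((vcn, None, length))          # sparse: no clusters on disk
        else:
            lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
            pos += off_size
            extents.append((vcn, lcn, length))
        vcn += length
    return extents


def vcn_to_byte_offset(extents, vcn, cluster_size):
    """File-relative cluster (VCN) -> absolute byte offset on the volume, or None
    when the VCN is sparse or beyond the run list."""
    for start, lcn, count in extents:
        if start <= vcn < start + count:
            return None if lcn is None else (lcn + vcn - start) * cluster_size
    return None


def build_sample_boot():
    """Constructed $Boot matching the figures in the thread: 0x200 bytes/sector,
    8 sectors/cluster, $MFT at cluster 0xC0000, $MFTMirr at cluster 2, 1 KiB records."""
    boot = bytearray(0x200)
    boot[0:11] = b"\xEB\x52\x90NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 0x200, 8)
    struct.pack_into("<QQ", boot, 0x30, 0xC0000, 2)
    boot[0x40] = 0xF6                     # -10 as a signed byte -> 2**10 bytes per record
    boot[0x1FE:0x200] = b"\x55\xAA"
    return bytes(boot)


# Constructed run list for a fragmented, partly sparse $DATA attribute:
#   31 10 00 00 0C : 0x10 clusters starting at LCN 0x0C0000 (3-byte offset, first run)
#   21 08 F0 FF    : 0x08 clusters at LCN 0x0C0000 - 0x10 = 0x0BFFF0 (2-byte signed delta)
#   01 04          : 0x04 sparse clusters (no LCN field)
#   00             : end of list
SAMPLE_RUNS = bytes.fromhex("31 10 00 00 0C 21 08 F0 FF 01 04 00")
```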

  7. #37
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,487
    Blog Entries
    15
    Another problem is that my XP machine is not online hence a difficulty in getting the symbols directly.
    no need for vm to be online is your win7 machine fine ? if yes set xp vm in win7 get symbols in win7 for xp run windbg in win7 kernel debugging xp vm

    hey im not forcing you to setup windbg and learn it i understand your reluctance i myself dont use ida much though the whole fscking world loves it
    it is an opinion from me that is all

    There are other that begin with 'INDX' I'd like to get into.
    here you go, at least how indx looks in cache

    Code:
    kd> bl
     0 e 8056d719     0001 (0001) nt!CcMapData+0xf2 ".if ( @@masm(dwo (@ecx & 0xffffff00)) != 'XDNI' ) {gc}"
    
    kd> dt Ntfs!_NTATTR_STANDARD_INDEX_HEADER (@ecx &0xffffff00)
       +0x000 magicNumber      : [4]  "INDX"
       +0x004 updateSeqOffs    : 0x28
       +0x006 sizeOfUpdateSequenceNumberInWords : 9
       +0x008 logFileSeqNum    : 0x7118124
       +0x010 vcnOfINDX        : 0
       +0x018 indexEntryOffs   : 0x40
       +0x01c sizeOFEntries    : 0x7d8
       +0x020 sizeOfEntryAlloc : 0xfe8
       +0x024 flags            : 0 ''
       +0x025 padding          : [3]  ""
       +0x028 updateSeq        : 0xba
    
    kd> $ index entry offset is at 0x40 from self == 0x58
    
    kd> dt Ntfs!_NTATTR_INDEX_RECORD_ENTRY ((@ecx & 0xffffff00)+58)
       +0x000 mftReference     : 0x40000`00000004
       +0x008 sizeOfIndexEntry : 0x68
       +0x00a filenameOffset   : 0x52
       +0x00c flags            : 0
       +0x00e padding          : [2]  ""
       +0x010 mftFileReferenceOfParent : 0x50000`00000005
       +0x018 creationTime     : 0x1ce4c4a`cd3c31f0
       +0x020 lastModified     : 0x1ce4c4a`cd3c31f0
       +0x028 lastModifiedForFileRecord : 0x1ce4c4a`cd3c31f0
       +0x030 lastAccessTime   : 0x1ce4c4a`cd3c31f0
       +0x038 allocatedSizeOfFile : 0x9000
       +0x040 realFileSize     : 0x8ca0
       +0x048 fileFlags        : 6
       +0x050 fNameLength      : 0x8 ''
       +0x051 filenameNamespace : 0x3 ''
    
    kd> du (@ecx & 0xffffff00)+58+52
    
    c1e000aa  "$AttrDef"  <------------
    kd> dt Ntfs!_NTATTR_INDEX_RECORD_ENTRY (((@ecx & 0xffffff00)+58)+68)
       +0x000 mftReference     : 0x80000`00000008
       +0x008 sizeOfIndexEntry : 0x68
       +0x00a filenameOffset   : 0x52
       +0x00c flags            : 0
       +0x00e padding          : [2]  ""
       +0x010 mftFileReferenceOfParent : 0x50000`00000005
       +0x018 creationTime     : 0x1ce4c4a`cd3c31f0
       +0x020 lastModified     : 0x1ce4c4a`cd3c31f0
       +0x028 lastModifiedForFileRecord : 0x1ce4c4a`cd3c31f0
       +0x030 lastAccessTime   : 0x1ce4c4a`cd3c31f0
       +0x038 allocatedSizeOfFile : 0
       +0x040 realFileSize     : 0
       +0x048 fileFlags        : 6
       +0x050 fNameLength      : 0x8 ''
       +0x051 filenameNamespace : 0x3 ''
    kd> du (@ecx & 0xffffff00)+58+52+68+52
    c1e00164  ""
    kd> du (@ecx & 0xffffff00)+58+52+68
    c1e00112  "$BadClus" <---------------
    kd> dt Ntfs!_NTATTR_INDEX_RECORD_ENTRY (((@ecx & 0xffffff00)+58)+68 + 68)
       +0x000 mftReference     : 0x60000`00000006
       +0x008 sizeOfIndexEntry : 0x60
       +0x00a filenameOffset   : 0x50
       +0x00c flags            : 0
       +0x00e padding          : [2]  ""
       +0x010 mftFileReferenceOfParent : 0x50000`00000005
       +0x018 creationTime     : 0x1ce4c4a`cd3c31f0
       +0x020 lastModified     : 0x1ce4c4a`cd3c31f0
       +0x028 lastModifiedForFileRecord : 0x1ce4c4a`cd3c31f0
       +0x030 lastAccessTime   : 0x1ce4c4a`cd3c31f0
       +0x038 allocatedSizeOfFile : 0x200000
       +0x040 realFileSize     : 0x1ffe60
       +0x048 fileFlags        : 6
       +0x050 fNameLength      : 0x7 ''
       +0x051 filenameNamespace : 0x3 ''
    kd> du (@ecx & 0xffffff00)+58+52+68+68
    c1e0017a  "$Bitmap." <---------------------
    kd> dt Ntfs!_NTATTR_INDEX_RECORD_ENTRY (((@ecx & 0xffffff00)+58)+68 + 68 + 60)
       +0x000 mftReference     : 0x70000`00000007
       +0x008 sizeOfIndexEntry : 0x60
       +0x00a filenameOffset   : 0x4c
       +0x00c flags            : 0
       +0x00e padding          : [2]  ""
       +0x010 mftFileReferenceOfParent : 0x50000`00000005
       +0x018 creationTime     : 0x1ce4c4a`cd3c31f0
       +0x020 lastModified     : 0x1ce4c4a`cd3c31f0
       +0x028 lastModifiedForFileRecord : 0x1ce4c4a`cd3c31f0
       +0x030 lastAccessTime   : 0x1ce4c4a`cd3c31f0
       +0x038 allocatedSizeOfFile : 0x2000
       +0x040 realFileSize     : 0x2000
       +0x048 fileFlags        : 6
       +0x050 fNameLength      : 0x5 ''
       +0x051 filenameNamespace : 0x3 ''
    kd> du (@ecx & 0xffffff00)+58+52+68+68+60
    c1e001da  "$Boot" <--------------------
    easy aint it
    come on keep me raving

  8. #38
    Quote Originally Posted by blabberer View Post
    hey, I'm not forcing you to set up windbg and learn it. I understand your reluctance. I myself don't use IDA much, though the whole fscking world loves it. It is an opinion from me, that is all.
    I have already indicated to you that I want to learn windbg and I have been thinking that long before starting this thread. Right now, my focus is on doing something with my external drive so I can use it again. All I have to do is reformat it and the case is closed. I am taking an interest in NTFS to see if I can repair a broken link in the MFT chain and make my directories and files re-appear.

    When the Comodo backup utility began to write to my external drive in a clone process, it only lasted a few seconds. However, it managed to overwrite the existing Boot sector. It may have gone a lot further and overwritten critical files placed near the start of disk, but the drive is not bootable and that should not matter. It's for storage only. I don't know if it got to the MFT but it created a new partition, relegating my data to unallocated space. I have no idea as of yet how much damage it has done to my original root directory, and if it has damaged it, whether I can re-route the existing root directory to another node on the B-tree.

    I was pretty naive about NTFS, and too impatient to get results. I should have sat on it until I understood what I was dealing with, but got impatient and used a tool to remove the partition created by Comodo. I know now to immediately make an image of the damaged disk and store it away.

    I can see directories I recognize in the unallocated data based on file headers but I still don't know how to traverse the B-tree. I think most of it is still intact. I learned last night that once NTFS opens a file, it no longer traverses the B-tree. It uses the file record number to find it directly.

    I don't know how NTFS implements the B-tree structure of its directory structure, but if only a few nodes are damaged, can I repair them? First I have to learn how the system gets from the root to the next B-tree node and try to trace it through. Understanding B-tree theory should not be necessary so long as I see a few traversals of the nodes. I can do that with a dry read, using a disk editor like Active@, or I can trace it with softice, or windbg, if I can learn it fast enough.

    Now might be a good time to learn windbg as I use softice in parallel. I have no idea whether their drivers will clash, but that's part of the fun in reversing, finding out.

    Quote Originally Posted by blabberer View Post
    here you go atleast how indx looks like in cache
    It looks interesting but can you explain how to find a file using that info? for example:

    mftFileReferenceOfParent : 0x50000`00000005 is obviously a reference to inode #5 on the MFT metadata file structure. That would be the root directory, so we're in the ballpark. The other records you have generated, like $BadClus, $Boot, etc, are of no help. So you need to read the $Root entry and figure out how to get to the first file or directory from there.

    Apparently files have metadata that point back to the parent, but that metadata is in a data stream that sits between the root directory and file or directory. I am guessing that the root has a pointer to a stream (data run) but I have been unable to decipher it yet.


    Quote Originally Posted by blabberer View Post
    easy aint it come on keep me raving
    The raving shot was a humorous reference to your use of block capitals to draw my attention to information of which I had full awareness. I got a grin out of it but wondered at the emotion and frustration driving you.

    No...it's not easy. It's easy to print out configuration data but it's far from easy to interpret it and use it to find things.

    Show me how to get from inode 5 to the first directory entry, then I'll agree that it's easy.
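The index entries blabberer dumped above (mftReference, sizeOfIndexEntry, the field labelled filenameOffset, flags, mftFileReferenceOfParent, fNameLength, filenameNamespace) and the question of how one gets from the root (record 5) to the next node can be followed in code. The parser below is an added example, not code from the thread; it walks one $I30 index node, splits each 64-bit file reference into MFT record and sequence number, and reports the subnode VCN that links an entry to the next B-tree node. The byte string it runs on is constructed here to mirror the dump (record numbers and the terminator's VCN are assumed, not taken from a real volume).

```python
"""Walk one NTFS $I30 index node (a directory B-tree node) entry by entry.

Constructed example, not code from the thread.  Offsets follow the dump: 16-byte
entry header, then the $FILE_NAME stream at +0x10 (parent ref +0x10, name length
+0x50, namespace +0x51, UTF-16LE name +0x52); "filenameOffset" is really the
stream length, 0x42 + 2 * name length.
"""
import struct

HAS_SUBNODE = 0x01  # entry's last 8 bytes hold the child node's VCN
LAST_ENTRY = 0x02   # terminator: no $FILE_NAME stream, may still have a subnode

def split_reference(ref):
    """0x50000`00000005 -> (5, 5): low 48 bits = MFT record, high 16 = sequence."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_index_entries(node):
    """Yield a dict per entry, from the first entry (+0x58 in the dump) to the terminator."""
    off = 0
    while off + 0x10 <= len(node):
        ref, size, stream_len, flags = struct.unpack_from("<QHHI", node, off)
        if size < 0x10 or off + size > len(node):
            raise ValueError("corrupt entry length at offset 0x%x" % off)
        record, seq = split_reference(ref)
        entry = {"record": record, "seq": seq, "flags": flags, "subnode_vcn": None,
                 "parent": None, "namespace": None, "name": None}
        if flags & HAS_SUBNODE:  # the link to the next B-tree node
            entry["subnode_vcn"] = struct.unpack_from("<Q", node, off + size - 8)[0]
        if not flags & LAST_ENTRY:
            name_len = node[off + 0x50]
            if stream_len < 0x42 + 2 * name_len or 0x10 + stream_len > size:
                raise ValueError("bad $FILE_NAME stream at offset 0x%x" % off)
            entry["parent"] = split_reference(struct.unpack_from("<Q", node, off + 0x10)[0])[0]
            entry["namespace"] = node[off + 0x51]
            entry["name"] = node[off + 0x52:off + 0x52 + 2 * name_len].decode("utf-16-le")
        yield entry
        if flags & LAST_ENTRY:
            return
        off += size
    raise ValueError("index node ended without a LAST_ENTRY terminator")

def build_entry(ref, name, parent_ref=0x0005000000000005, flags=0, subnode_vcn=0):
    """Pack one entry in the same layout (used only to construct sample data)."""
    stream = b""
    if not flags & LAST_ENTRY:
        # parent ref, 4 timestamps, allocated/real size, flags+reparse, name len, namespace
        stream = struct.pack("<8QBB", parent_ref, 0, 0, 0, 0, 0, 0, 6, len(name), 3)
        stream += name.encode("utf-16-le")
    size = (0x10 + len(stream) + 7) & ~7  # entries are 8-byte aligned
    pad = b"\0" * (size - 0x10 - len(stream))
    tail = struct.pack("<Q", subnode_vcn) if flags & HAS_SUBNODE else b""
    return struct.pack("<QHHI", ref, size + len(tail), len(stream), flags) + stream + pad + tail

# Constructed root node mirroring the dump: names in upcase order, every parent ref
# 0x50000`00000005 (record 5, the root itself), terminator subnode VCN made up here.
SAMPLE_NODE = b"".join([
    build_entry(0x0004000000000004, "$AttrDef"),
    build_entry(0x0008000000000008, "$BadClus"),
    build_entry(0x0006000000000006, "$Bitmap"),
    build_entry(0x0007000000000007, "$Boot"),
    build_entry(0, "", flags=LAST_ENTRY | HAS_SUBNODE, subnode_vcn=4),
])
```

Running `list(parse_index_entries(SAMPLE_NODE))` reproduces the sizes in the dump (0x68/0x52 for the 8-character names, 0x60/0x50 for $Bitmap, 0x60/0x4c for $Boot) and ends on the terminator whose subnode VCN is the pointer to follow into $INDEX_ALLOCATION.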

  9. #39
    Quote Originally Posted by blabberer View Post
    6) open boot.ini in c:\ in vpc hard disk and add one more boot entry
    Another insanely late night.

    I tried my vmware setup first but I have d/l'd and installed VM 2007 on my laptop. I was checking to see if I could import/mod a vhdm disk from VMWare to VP 2007. Some say you can, but I'm getting ahead of myself.

    Why did I try VMWare first? Because, as George Mallory said when he was asked why he climbed Everest, because it's there. And because from past experience it has more bells and whistles. I had it set up with XP and softice. Better check to see if it has sp3 or not.

    Got seriously hung up on a few issues but just got it going. One problem was with the debug statement in boot.ini. From everything I had read, it was supposed to look like

    debug" /debugport=com1 /baudrate=115200 at the end of the other long string for debugging. However it would not work. Also, in the VM, for the serial port, the choices made little sense. You had to choose between "server/client" and "The other end is a virtual machine/The other end is an application". I finally settled on client/application.

    I was also thrown by the windbg shortcut, about where to put the extra command line stuff. It goes on the end of the target path/filename but you have to observe the quotation marks around path/filename. You put double quotes around the path/filename and tack the rest onto the end, i.e.

    "<path>\windbg.exe" -k com:pipe,port=\\.\pipe\debugPipe,resets=0,reconnect

    If it's not exactly that, windbg whines and whines, giving no clue as to what is wrong.

    Your clue about ctrl-break while in the windbg window was fortuitous because someone else suggested tacking /break onto the end of the debug string in boot.ini. All that does is freeze the boot.

    Furthermore, I had to add something to the debug line. Instead of:

    debug" /debugport=com1 /baudrate=115200, I had to add another COM1 as in:

    debug COM1" /debugport=com1 /baudrate=115200

    I have no idea why, but I saw it on an internet article and it worked.

    Quote Originally Posted by blabberer View Post
    12) set up symbol path in myComputer->properties->advanced -> environment variables-> new in physical machine
    13) if your internet connection is active windbg will automatically fetch the symbols from ms as and when needed
    14) that is it nothing more nothing less
    I've had it for the night. I found my Internet connection working on my XP, thru my laptop, for whatever reason. Windbg already had my local symbol storage and the MSDL address. It might have changed, I'd better check.

    windbg loaded and it's sitting at

    nt!RtlpBreakWithStatusInstruction
    804e3592 cc int 3

    I entered !filecache and it's off processing that. It's taking its time. livekd had it back pretty quick.

    In fact, it never did come back. I gave it a ctrl-break and it returned.

    Under breakpoints, I don't see the equivalent of a softice BMSG, where you can enter a handle and a windows message. Is such an animal available on windbg?

    Putting it another way, how could I load notepad in the VM and have windbg break early enough in the load procedure? With softice, I set a BMSG hwnd 203 for the LButtonDblClk message (203) and it broke right away inside my file manager.
    Last edited by WaxfordSqueers; May 20th, 2013 at 11:39.

  10. #40
    Quote Originally Posted by blabberer View Post
    2)) install virtual pc
    I have a lot to say about Microsoft Virtual PC and none of it is good. So, I'll say no more than that I will not be using it further. I just spent about 12 fruitless hours trying to configure it and I must say that it rates among the most non-functional and poorly designed pieces of software I have ever encountered. Its flexibility and ability to adapt to varying user-mode circumstances is essentially nil.

    The thing I hate about myself at times is my tendency to beat a dead horse. When it is abundantly clear that a tool is not doing the job, I have a terrible habit of trying to make a silk purse out of a sow's ear.

    If there's a redeeming value in this it's that I have learned a lot about how VMs are not supposed to work.

  11. #41
    blabberer (Super Moderator)
    Quote Originally Posted by WaxfordSqueers View Post
    Show me how to get from inode 5 to the first directory entry, then I'll agree that it's easy.
    i will show how to extract an arbitrary file from a nonresident datarun from FILE0 signature

    [Attachment: ntfs_file_extraction3.JPG]

  12. #42
    Quote Originally Posted by blabberer View Post
    i will show how to extract an arbitrary file from a nonresident datarun from FILE0 signature
    Hexcellent (digital for excellent) or 48 65 78 65 6C 6C 65 6E 74 00 (zero-terminated).

    Appreciate the work.

    I did trace one file a few days ago using your method but not from the root directory. It too came from a non-resident file. I would like to tie that into the root, to see where it finds the first directory.

    I am theorizing that even if the B-tree has been lopped off near the top that I might be able to splice the root dir to the B-tree using a pointer in the root. However, that might mess up the algorithm used to read the B-tree. The aim is not to repair the system per se, but to enable seeing a directory structure that has been lost due to a breach in the B-tree. As it stands, utilities that do such recoveries normally rename the files they recover. It would be nice just to see them listed on the disk under their proper directories.

    The Active@ Disk Editor allows writing to the disk but I know any good hex-editor allows that. I used to do it with Norton but unfortunately it does not work on USB.

    In one of my MFTs, I have seen several metafiles listed in the root metafile, like $MFT, etc, along with other typical root files. I have read that it is possible, using some NTFS utilities, to see them in the root directory of a volume. Apparently it used to be possible to see them using a dir command from a DOS prompt.

    I am forcing myself out the door for a long walk but I'll have a closer look when I get back. I am also going out of town for a week or so, so if you don't see further progress that's what happened.

    BTW...after sleeping for nearly 24 hours, after being up nearly as long, I am not so steamed about Microsoft VM. Nevertheless, I have a VM that works a heck of a lot better, and which is quite flexible. I have also garnered more info on how to setup on a laptop and use the desktop as a client. I did not know that I could simply set a port between 49152 and 65553 and use an Ethernet connection. Live and learn.

    Thanks again.
    Last edited by WaxfordSqueers; May 21st, 2013 at 21:31.

  13. #43
    Kayaker (Teach, Not Flame)
    Interesting stuff you guys have gotten into. I've been trying to follow it, reading a bit, downloaded a few of the NTFS directory listing apps and traced them in Softice (yes, still my GOTO Wax) to see how they access the data, etc.

    Still wallowing in the shallow end for sure, but I had to say that I was pleasantly surprised to discover one of those NTFS based file listing apps, that I don't think has been mentioned yet, but is _blazingly_ fast at doing file searches. Never again will I use the Windows file search function. Thanks for that enlightenment at least.

    NTFS Direct File Find
    http://ndff.hotbox.ru/en/index.html


    Waxford, if you're setting up the VMWare/Softice thing, you probably already know about editing the .vmx file. Also discussed in a few forum threads here.

    vmmouse.present = FALSE
    svga.maxFullscreenRefreshTick = 5

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=965

    I recently re-set things up successfully in Win7/x64 with Softice running with XP3 in VMWare. You should be able to do that too. One note that may help - make sure you set the VM to use only 1 processor - no multiple cores, no Hyperthreading.

    Also, re the remote Windbg/VMWare setup, at least in a single box host/guest setup, I highly recommend incorporating VirtualKD. Not only is it faster, it does all the configuration for you.

    http://virtualkd.sysprogs.org/

  14. #44
    Quote Originally Posted by Kayaker View Post
    Interesting stuff you guys have gotten into. I've been trying to follow it, reading a bit, downloaded a few of the NTFS directory listing apps and traced them in Softice (yes, still my GOTO Wax) to see how they access the data, etc.
    Interesting reply Kayaker....thanks. I am still very comfortable with softice but I have been reading a lot on windbg and it has obvious advantages for listing internal stuff that only microsoft knows about. Of course, I have only used ice minimally and don't know it to the level you do.

    What I like about softice is seeing everything on one screen, like registers, data dumps, code, etc. I like the black background, it sucks me into the debugging space.

    The breakpoint instructions are surprisingly similar but I have still to find the equivalent in windbg of BMSG, one of my favourites in ice for getting an app to stop on hwnds I get from SPYXX.

    Quote Originally Posted by Kayaker View Post
    I was pleasantly surprised to discover one of those NTFS based file listing apps, that I don't think has been mentioned yet
    I'll have to check that out. I was using the search function in Active@ Disk Editor and it is quite fast on record header like FILE but terminally slow on string searches like CBU (extension for a Microsoft backup). I calculated at the rate it was going on a 500 gig drive that it could take me months for it to finish.

    Quote Originally Posted by Kayaker View Post
    Waxford, if you're setting up the VMWare/Softice thing, you probably already know about editing the .vmx file.
    I did know about it but would likely have forgotten. Thanks for the reminder. Your suggestion of setting up softice in a VM on win7 is my next project. I had success setting up windbg on an XP in a VM with windbg running on the host, but it sure ain't intuitive. No matter how many good tutes you get on it, or good advice from Blabs, there is always a wrinkle peculiar to your own setup it doesn't like. Of course, softice setup can be like that too.

    Quote Originally Posted by Kayaker View Post
    I recently re-set things up successfully in Win7/x64 with Softice running with XP3 in VMWare. You should be able to do that too. One note that may help - make sure you set the VM to use only 1 processor - no multiple cores, no Hyperthreading.
    Does VMware have to be 64 bit as well? I loaded debugging tools for windows (x86) no problem and I have windbg running on it but doing nothing.

    I was checking out the tab under KD where it claims you can use a network to connect. After reading on it, they require certified NIC cards and Win Vista on the client. Funny enough, the host can be XP. Also, when you set up the debug environment in boot.ini, the Debug command is apparently geared to COM ports. I am not sure how they can claim that and use a network.

    BTW, while reading on this I noticed there are USB to serial converters available if you are trying to run a host on a laptop to a client on a desktop. You still need a null-modem cable and the one Microsoft describes is one with full handshaking. Cheaper null modem cables come with only the receive/send pairs connected and a ground. Microsoft calls for one with most of the 9 other pins connected, like RTS and CTS. That would make a huge difference if someone just picked up the cheaper version of the cable and it did not work.

    Correction: The USB connector has only a transmit and a receive available in its 4 connector tabs, the other two being +5 volts and ground. So, you have to watch what kind of USB - serial connector you buy. A basic one could give you basic functionality without full handshaking, and windbg requires the latter.

    This converter uses a chip in the adapter to do that.

    http://www.ftdichip.com/Support/Documents/DataSheets/Cables/DS_Chipi-X.pdf

    Handshaking refers to the communication between peers where they ask each other how the other is doing. RTS means request to send (rather polite) and the other replies CTS = clear to send. There is also DTR = data terminal ready, and so forth. The cheaper null modem cables have none of that and if the software is using it, things jam up. A word to the wise, when buying null modem cables for microsoft communications make sure it states 'full handshaking'. Or, buy the wire, connectors and solder one up.

    Sometimes it's just as expensive by the time you get all the gear, depending on where you buy it. Of course, if you buy the 9-pin D-connectors, you can repair them, whereas store-bought cables are usually molded. It won't be the first time I took a sharp knife to a molded assembly to get at the pins, then taped it back together.

    http://msdn.microsoft.com/en-us/library/windows/hardware/ff556867%28v=vs.85%29.aspx

    see the hyperlink to null-modem cable.

    Also,

    http://www.lammertbies.nl/comm/info/RS-232_null_modem.html

    explains RS-232 cables pretty well (a null modem cable is a form of RS-232).

    Thanks for the VirtualKD heads up.
    Last edited by WaxfordSqueers; May 23rd, 2013 at 01:14.

  15. #45
    Kayaker (Teach, Not Flame)
    Quote Originally Posted by WaxfordSqueers View Post
    Does VMware have to be 64 bit as well?
    32bit VMWare works fine.

    Quote Originally Posted by WaxfordSqueers View Post
    The breakpoint instructions are surprisingly similar but I have still to find the equivalent in windbg of BMSG, one of my favourites in ice for getting an app to stop on hwnds I get from SPYXX.
    Fortunately it's not much more involved: simply set a conditional breakpoint on the message handler for the Msg of interest. Spy++ should give you all the information you need, including the Msg ID.

    Say you want to break on WM_MENUSELECT (011f) when a menu item is selected in notepad. Spy++ says the WndProc of the main window is at:

    Code:
    :01003429 _NPWndProc@16   proc near
    :01003429
    :01003429 Msg             = dword ptr  0Ch
    ...
    :01003431                 mov     esi, [ebp+Msg]
    The Windbg conditional breakpoint would be:

    bp 1003431 "j (poi(ebp+0x0c)==011f) ''; 'gc' "

    Who needs old creaky cranky Softice? (oops, did I say that? )
