Windows 7 VBR English analysis material (NTFS)



------------------------------------------------------------------------------------------------------

Introduction

    This page examines the Windows™ Vista OS Volume Boot Record code; the code which actually tests and begins to load a Windows™ Vista operating system from within the OS volume.

    For our Windows™ Vista install, all the code bytes of Vista's Volume Boot Record sector were also found inside the following files (listed by location, alphabetically; with offset to first byte of the code). In each case, there will be a full 512 bytes that comprise the VBR sector, but locations for the Volume Serial Number and other vital data are all zero-filled in these 'template' files; the correct data being entered when the file is copied to disk by the installation program or operating system. The last two bytes will always be a 55h followed by an AAh:

    Note: The code for the whole Vista Boot Record actually spans across 9 sectors; including the one we're examining here, plus 40 bytes in the ninth one, for a total of 4,136 bytes. Technically, the Boot Record area is a full 16 contiguous sectors; the remainder being all zero bytes.

    1. C:\Windows\System32\autochk.exe [Offset: 616B0h]; immediately followed by all 3,624 bytes of the BOOTMGR Loader code beginning at offset 618B0h.
    ("Auto Check Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 640,000 bytes; Modification Date: "11/02/2006 2:44 AM").
    There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe
    2. C:\Windows\System32\autoconv.exe [Offset: 64AC8h]; immediately followed by the BOOTMGR Loader code beginning at offset 64CC8h.
    ("Auto File System Conversion Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 653,312 bytes; Modification Date: "11/02/2006 2:44 AM").
    There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.0.6000.16386_none_9a9e88bfab67232b\autoconv.exe
    3. C:\Windows\System32\autofmt.exe [Offset: 5F890h]; immediately followed by the BOOTMGR Loader code beginning at offset 5FA90h.
    ("Auto File System Format Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 632,320 bytes; Modification Date: "11/02/2006 2:44 AM").
    There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-autofmt_31bf3856ad364e35_6.0.6000.16386_none_e3bd7ae1c2430704\autofmt.exe
    4. C:\Windows\System32\untfs.dll [Offset: 49E00h]; immediately followed by the BOOTMGR Loader code beginning at offset 4A000h.
    ("NTFS Utility DLL"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 321,536 bytes; Modification Date: "11/02/2006 2:46 AM").
    There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-f..mutilityntfslibrary_31bf3856ad364e35_6.0.6000.16386_none_fc8cf5d0f7021a0d\untfs.dll
    5. C:\Windows\System32\oobe\winsetup.dll [Twice. Offsets: 12DAB8h and 130CE0h]; which are both immediately followed by the BOOTMGR Loader code (at offsets 12DCB8h and 130EE0h).
    ("Windows System Setup"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 1,374,208 bytes; Modification Date: "11/02/2006 2:46 AM").
    There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-setup-component_31bf3856ad364e35_6.0.6000.16386_none_2ff5bc52b05737c3\winsetup.dll.

     

    Like all previous MS Boot Records, the first three bytes are often called the Jump Instruction. But only the first two bytes (EB 52 in this case) actually form the short JMP (Jump) to the rest of the executable x86 (PC) Assembly code (EB 52 jumps forward 52h bytes from the end of the two-byte instruction, landing at offset 54h, where the FA byte of a CLI instruction begins the code); the third byte (90h) is just a NOP ('No Op' or do nothing) instruction. The next 8 bytes are the "OEM ID" or System Name ("NTFS" followed by four blank spaces) for an NTFS volume; followed by the BPB (BIOS Parameter Block).

    Just like the BPB area for the Windows™ XP Volume Boot Record sector, this one also has all the fields that an NTFS volume has in common with FAT16 and FAT32 Boot Records, such as Bytes per Sector, Sectors per Cluster, etc., and even the old Media Descriptor byte (F8); but again, this one does not contain "System ID" or "Volume Label" fields, nor any system file names. However, if you can locate "bootmgr" on your system and dig into its code, you will find a number of system file names, such as winload.exe and BCD, in there.

    All the elements of a Vista VBR's BPB area are the same as those for earlier NTFS boot records (for details on the NTFS BPB, see our NTFS Boot Record page). About the only thing a technician might want to brush up on is the fact that a fresh Vista OS install will have 2,048 sectors reserved at the beginning of the disk, ahead of the volume, recorded in the Hidden Sectors field ("00 08 00 00" between brackets at offsets 1Ch-1Fh below; 0x800 = 2048); with 512-byte sectors that puts the start of the volume exactly 1 MiB into the disk. (The Reserved Sectors field at offsets 0Eh-0Fh of the BPB itself is zero on an NTFS volume.)

    The following is a disk editor view of how the bytes of this VBR are stored on a hard disk in the first sector of a Windows Vista OS volume:

 Relative Sector 0 (within the Volume)

                    "OEM ID"             NTFS BPB (0Bh-53h)
                    |                  |
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0000:  EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00  .R.NTFS    .....
 0010:  00 00 00 00 00 F8 00 00 3F 00 FF 00[00 08 00 00] ........?.......
 0020:  00 00 00 00 80 00 80 00 FF EF 3F 01 00 00 00 00  ..........?.....
 0030:  04 00 00 00 00 00 00 00 FF FE 13 00 00 00 00 00  ................
 0040:  F6 00 00 00 01 00 00 00 6B E5 F9 78 1A FA 78 EA  ........k..x..x.
 0050:  00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07  .....3.....|.h..
 0060:  1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00[4E  ..hf......f.>..N
 0070:  54 46 53]75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB  TFSu..A..U..r...
 0080:  55 AA 75 06 F7 C1 01 00 75 03 E9 D2 00 1E 83 EC  U.u.....u.......
 0090:  18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13  .h...H..........
 00A0:  9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3  .....X.r.;...u..
 00B0:  0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8  ........Z3... +.
 00C0:  66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8  f...............
 00D0:  40 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D  @.+.w......f#.u-
 00E0:  66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16  f..TCPAu$....r..
 00F0:  68 07 BB 16 68 70 0E 16 68 09 00 66 53 66 53 66  h...hp..h..fSfSf
 0100:  55 16 16 16 68 B8 01 66 61 0E 07 CD 1A E9 6A 01  U...h..fa.....j.
 0110:  90 90 66 60 1E 06 66 A1 11 00 66 03 06 1C 00 1E  ..f`..f...f.....
 0120:  66 68 00 00 00 00 66 50 06 53 68 01 00 68 10 00  fh....fP.Sh..h..
 0130:  B4 42 8A 16 0E 00 16 1F 8B F4 CD 13 66 59 5B 5A  .B..........fY[Z
 0140:  66 59 66 59 1F 0F 82 16 00 66 FF 06 11 00 03 16  fYfY.....f......
 0150:  0F 00 8E C2 FF 0E 16 00 75 BC 07 1F 66 61 C3 A0  ........u...fa..
 0160:  F8 01 E8 08 00 A0 FB 01 E8 02 00 EB FE B4 01 8B  ................
 0170:  F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3  ..<.t...........
 0180:  0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72  ..A disk read er
 0190:  72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42  ror occurred...B
 01A0:  4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E  OOTMGR is missin
 01B0:  67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 63  g...BOOTMGR is c
 01C0:  6F 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73  ompressed...Pres
 01D0:  73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74  s Ctrl+Alt+Del t
 01E0:  6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00  o restart.......
 01F0:  00 00 00 00 00 00 00 00 80 9D B2 CA 00 00 55 AA  ..............U.
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

Figure 1.
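As an added example (not code from the original page), the following Python decodes the jump instruction, OEM ID and BPB from the bytes of Figure 1 and applies the same sanity checks the boot code and a forensic tool would apply. The sample bytes are offsets 00h-5Fh copied from the dump above; the field positions follow the published NTFS boot-sector layout, which this page defers to its NTFS Boot Record page rather than listing, so they are an assumption brought in from outside the page.

```python
"""Decode the jump, OEM ID and BPB of a Windows Vista NTFS Volume Boot Record.

Added example, not code from the original page.  The field positions are the
standard NTFS boot-sector layout (offsets 0Bh-53h); the sample bytes are
offsets 00h-5Fh of Figure 1, so every offset below matches the dump.
"""
import struct

# Offsets 00h-5Fh of the VBR in Figure 1 (jump, OEM ID, BPB, first code bytes).
HEADER_HEX = """
EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00
00 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 00 00
00 00 00 00 80 00 80 00 FF EF 3F 01 00 00 00 00
04 00 00 00 00 00 00 00 FF FE 13 00 00 00 00 00
F6 00 00 00 01 00 00 00 6B E5 F9 78 1A FA 78 EA
00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07
"""
HEADER = bytes.fromhex(HEADER_HEX)

# Little-endian layout from offset 0Bh: bytes/sector, sectors/cluster,
# reserved sectors, 5 unused, media descriptor, 2 unused, sectors/track,
# heads, hidden sectors, 8 unused, total sectors, $MFT LCN, $MFTMirr LCN,
# clusters per file record (signed), 3 unused, clusters per index block
# (signed), 3 unused, volume serial number, checksum.  Ends at 54h.
BPB_FMT = "<HBH5xB2xHHI8xQQQb3xb3xQI"
assert 0x0B + struct.calcsize(BPB_FMT) == 0x54


def _size_from_clusters(raw: int, cluster_bytes: int) -> int:
    """NTFS rule: a positive value counts clusters; a negative value n means
    the structure is 2**(-n) bytes regardless of the cluster size."""
    return raw * cluster_bytes if raw > 0 else 1 << (-raw)


def parse_vbr_header(sector: bytes) -> dict:
    """Return the header fields, raising ValueError on anything the boot code
    itself (or a forensic tool) would treat as a bad NTFS VBR."""
    if len(sector) < 0x55:
        raise ValueError("need at least 55h bytes")
    if sector[0] != 0xEB or sector[2] != 0x90:
        raise ValueError("no short JMP + NOP at offset 0")
    code_offset = 2 + sector[1]            # EB rel8 is relative to the next byte
    oem_id = sector[3:11]
    if oem_id != b"NTFS    ":              # 'NTFS' plus four blanks
        raise ValueError(f"OEM ID {oem_id!r} is not an NTFS volume")
    (bps, spc, reserved, media, spt, heads, hidden, total, mft, mftmirr,
     frs_raw, idx_raw, serial, checksum) = struct.unpack_from(BPB_FMT, sector, 0x0B)
    if bps < 512 or bps & (bps - 1):
        raise ValueError(f"bytes per sector {bps} is not a power of two >= 512")
    cluster = bps * spc
    return {
        "code_offset": code_offset,
        "oem_id": oem_id.decode("ascii"),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "media_descriptor": media,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total,
        "volume_bytes": total * bps,
        "mft_lcn": mft,
        "mftmirr_lcn": mftmirr,
        "file_record_size": _size_from_clusters(frs_raw, cluster),
        "index_block_size": _size_from_clusters(idx_raw, cluster),
        "volume_serial": serial,
        "checksum": checksum,
    }


if __name__ == "__main__":
    for name, value in parse_vbr_header(HEADER).items():
        print(f"{name:20} {value:#x}" if isinstance(value, int) else f"{name:20} {value!r}")
```

Two details worth noticing when you run it: the jump lands on offset 54h, which is exactly where the BPB ends and the FA (CLI) byte begins, and the F6 at offset 40h is a signed -10, meaning 1,024-byte file records, not -10 clusters.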

    The last 128 bytes of this Boot Record contain the Error Messages, the Message Offset bytes and the Word-sized signature ID (or Magic number) of AA55h. Remember that hex Words (numerical data requiring more than a single byte) for Intel x86 CPUs are always stored in memory with the lowest byte first and the highest byte last (little-endian order), which is why the signature appears on disk as the byte 55h followed by AAh.

    Each Error Message begins with the Hex bytes 0Dh and 0Ah; a Carriage Return and Line Feed, and ends with a 00h byte which makes these what's commonly known in various programming languages as zero-terminated or 'sz' strings (a character string followed by a single zero byte). The error messages are exactly the same as those under Windows XP, except 'NTLDR' has been replaced by "BOOTMGR".

    Note that the string of letters ("TCPA") at offsets E3h through E6h is not coincidental; it stands for "Trusted Computing Platform Alliance" and is actually part of the code, which tests for the existence of a TPM chip: the instructions at D6h through EEh call INT 1Ah with AX=BB00h (the TCG BIOS interface), then compare the returned EBX with "TCPA" and CX with 0102h. If the hardware supports TPM (Trusted Platform Module) version 1.2, then it can be used to provide extra functionality for Vista's BitLocker™ Drive Encryption. Neither are the bytes at offsets 6Fh through 72h a coincidence. The characters here ("NTFS") being used ....

    The eight physical sectors directly following a Windows™ Vista NTFS Boot Sector contain code which can interface with both the older NTLDR file (in order to boot up Windows™ NT/2000/XP/2003 OS partitions) plus code to interact with the new BOOTMGR (boot manager) program introduced with the Vista OS. This code is still necessary when booting up a Windows™ OS (even though the bootmgr or NTLDR files may have been copied to the OS partition you start booting up from; as would be the case if, for example, you installed Windows™ Vista on a disk already containing a bootable Win 98 OS in the first partition followed by Vista's partition). When the code in such an altered volume boot record is executed, it will look for, and require the existence of, the Windows™ XP or Vista OS partition's system code in order to boot up the original Windows™ 98 OS (cf. FAT32 Boot Record under Windows NT OSs).

    The four bytes at offsets 1F8h through 1FBh ("80 9D B2 CA") are used by the Microsoft Windows™ Vista VBR for a very specific purpose: each is the low-order byte of the offset (within the sector) at which one of the Error Messages begins, so 80h, 9Dh, B2h and CAh point at 0180h, 019Dh, 01B2h and 01CAh, the CR/LF that opens each message in Figure 1. The display code loads one of these bytes into AL and sets AH to 01h before walking the string, which is why a single byte per message is enough. For English versions of Windows Vista, you'll always see these same Hex values ("80 9D B2 CA") in your VBR. But for those using Windows™ Vista in a different language, their VBRs may have different values in the second, third and fourth bytes, depending upon how many characters are in each of the messages. In the disassembled code, we'll point out where these values show up. In any case, since the code portion above the messages will always be the same, the first offset (0180h) will never change no matter what languages (or string lengths) are used.

    Now that you know what the bytes at offsets 1F8h through 1FBh are used for, you could change these error messages to display whatever you wish (as long as they all fit into the space between offsets 180h and 1F7h) by counting the character lengths and using a disk editor to change the appropriate bytes in the VBR sector.
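As an added example (not the page's own code), here is a Python routine that reads the four messages through the offset table at 1F8h-1FBh and rebuilds the message area for replacement text, recomputing the table and refusing anything that would spill past 1F7h. Its sample input is offsets 180h-1FFh copied from Figure 1. It treats each table byte as the low byte of the message's offset within the sector, with the high byte 01h supplied by the display routine (B4 01 8B F0, mov ah,01h / mov si,ax, at 16Dh-170h in the dump), so 80h stands for 0180h.

```python
"""Read and rebuild the error-message area of a Windows Vista NTFS VBR.

Added example, not code from the original page.  Messages occupy 180h-1F7h,
the four message-offset bytes sit at 1F8h-1FBh and the 55h AAh signature at
1FEh-1FFh.  Each table byte is the low byte of a message's offset within the
sector; the boot code supplies the high byte 01h (mov ah,01h / mov si,ax at
16Dh-170h in Figure 1), so 80h means 0180h.
"""
MSG_START, TABLE_OFF, SIG_OFF, SECTOR = 0x180, 0x1F8, 0x1FE, 0x200
MSG_ROOM = TABLE_OFF - MSG_START          # 120 bytes of message space

# Offsets 180h-1FFh of the English Vista VBR, copied from Figure 1.
TAIL_HEX = """
0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72
72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42
4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E
67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 63
6F 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73
73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74
6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00
00 00 00 00 00 00 00 00 80 9D B2 CA 00 00 55 AA
"""
TAIL = bytes.fromhex(TAIL_HEX)
assert len(TAIL) == SECTOR - MSG_START    # the last 128 bytes of the sector


def read_messages(tail: bytes) -> list:
    """Follow the offset table to its four CR,LF,text,NUL strings and return
    the text (without the CR/LF prefix and the terminating NUL)."""
    if tail[SIG_OFF - MSG_START:] != b"\x55\xAA":
        raise ValueError("missing 55 AA signature")
    msgs = []
    for lo in tail[TABLE_OFF - MSG_START:TABLE_OFF - MSG_START + 4]:
        start = (0x100 | lo) - MSG_START   # AH=01h, AL=table byte
        if start < 0:
            raise ValueError(f"table byte {lo:02X}h points below 180h")
        end = tail.index(b"\x00", start)
        raw = tail[start:end]
        if not raw.startswith(b"\r\n"):
            raise ValueError(f"message at {0x100 | lo:04X}h lacks CR/LF prefix")
        msgs.append(raw[2:].decode("ascii"))
    return msgs


def build_tail(msgs: list) -> bytes:
    """Lay new messages out from 180h as CR,LF,text,NUL strings, pad to 1F7h,
    and regenerate the offset table, the two unused bytes and the signature.
    Refuses text that would overrun 1F7h instead of silently corrupting the
    table."""
    if len(msgs) != 4:
        raise ValueError("the VBR code indexes exactly four messages")
    body, offsets = bytearray(), []
    for text in msgs:
        offsets.append(MSG_START + len(body))
        body += b"\r\n" + text.encode("ascii") + b"\x00"
    if len(body) > MSG_ROOM:
        raise ValueError(f"messages need {len(body)} bytes, only {MSG_ROOM} fit")
    body += b"\x00" * (MSG_ROOM - len(body))
    body += bytes(off & 0xFF for off in offsets)   # 1F8h-1FBh
    body += b"\x00\x00"                            # 1FCh-1FDh, unused
    body += b"\x55\xAA"                            # 1FEh-1FFh
    return bytes(body)


if __name__ == "__main__":
    for off, text in zip(TAIL[0x78:0x7C], read_messages(TAIL)):
        print(f"{0x100 | off:04X}h: {text!r}")
    # Rebuilding Figure 1's own messages reproduces its last 128 bytes exactly.
    assert build_tail(read_messages(TAIL)) == TAIL
```

Note that the fourth message on the page ends with its own CR/LF before the NUL ("...restart", 0Dh, 0Ah, 00h), so it round-trips as "Press Ctrl+Alt+Del to restart\r\n"; if you replace it, keep that trailing CR/LF or the cursor will sit at the end of the line.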

     

    After the code in your hard disk's MBR sector transfers control to this Volume Boot Record code, it tests critical aspects of the Vista operating system, then loads and runs the BOOTMGR "bootstrap" code, which eventually runs the actual "bootmgr.exe" program that finally attempts to load an operating system!

