[Vrtule]

Hello,

Does anybody know about something which could help me to learn how to read/write disk from a very low level? By "very low level" I mean nearer to HW than the disk.sys driver is. The help can be in form of a link to a tutorial or a snippet of code, I do not expect very detailed explanations from the members of this forum (although it would be welcomed, of course ), I know that one can learn much more if he/she gets the information in a raw state.

Some time ago, I coded a FAT12/FAT16/FAT32/NTFS filesystem parser. It works quite well although it does not support compression yet. I am also able to parse MBR-style disk partitioning - I recongize physical and logical partitions. The method of reading/writing disk is very trivial - I access the disk throug \\.\PhysicalDriveX symbolic link (from usermode and kernelmode). So, I woud like to implement a better method of making disk I/O.

Best Regards

Vrtule

[Cr4sh]

SPTI? http://en.wikipedia.org/wiki/SCSI_Pass_ ... _Interface
Also, direct i/o ports access is not so scary as you think.

[Vrtule]

Cr4sh: Yes, I/O ports are not so scary. I tried them two years ago. Unfortunately for the content of my harddisk, there were some synchronization bugs...

Thanks for the link

[EP_X0FF]

Hi Vrtule,

Yes, I/O ports are not so scary. I tried them two years ago.

Would you like to share source? :)

The method of reading/writing disk is very trivial - I access the disk throug \\.\PhysicalDriveX symbolic link (from usermode and kernelmode). So, I woud like to implement a better method of making disk I/O.

You can work directly with device objects for example :)

Regards.

[Vrtule]

EP: I would like to share, but unfortunately the source disappeared when, due to that synchronization problem, huge portions of disk were overriden by nonsense... After that disaster, I tried once more to write the code from scratch, but I did not worked well. I am planning to return back to the I/O ports in near future.

[alon]

You can work directly with IRPs

[Vrtule]

alon: Do you mean sending IRPs directly to the atapi.sys or similar driver? Yes, I have looked at this in one DDK sample recently, but did not catch head or tail of it really .

[alon]

Hi Vrtule,
Look this article http://support.microsoft.com/kb/326315
Using this method bypassing common ssdt hooks, however, cannot bypass TDDS rookit family for example.

[Vrtule]

I am not afraid of SSDT hooks. AFAIK rootkits/malware use them mostly to hook NtQueryDirectoryFile (if we focus on filesystem area). I use ReadFile to read \\.\PhysicalDriveX. I have coded also a driver that creates the IRP and sends it to the disk.sys driver.

The problem is that I have no experience with sending IRPs to the low-level drivers like atapi.sys is. Unfortunately, I have not much free time now to look at it more closely.

Anyway, thanks for the link.

[Tigzy]

Hello

Sorry for the revival of this old thead, but I need to do nearly the same for MBR reading purpose.
In Userland this is trivial (CreateFile / ReadFile), but in kernelmode I need to be as close as possible from hardware for comparison.

Did you find a way to do so? Is there any mean to bypass common TDL infection?