[Mehdi]

Hi
I want to overwrite a specific entry in MFT (Master File Table)
I know how to access and read MFT (based on NTFS Info , sysinternals), but I don't knwo how to write on it
Can anyone help?

[GamingMasteR]

Hi,

- Gain write access to the volume/disk the MFT belongs .
- Get the MFT Logical/Physical Address in the volume/disk and write it .

[Mehdi]

Thanks
When reading MFT information, there is FSCTL_GET_VOLUME_INFORMATION which contains the information returned from file system driver; but there is no such FSCTL for writing data to MFT records (or any other write operation)

[nullptr]

You could just use CreateFile with \\.\X: - where X is partition with MFT you're accesssing. Then SetFilePointerEx - move to the start of the cluster containing the sector you wish to edit, ReadFile for the cluster into a sizeof(cluster) buffer, edit the relevant data, then move the file pointer back to the starting cluster and WriteFile to write the edited buffer back.
Hope that makes sense :?

[Vrtule]

As far as I know, there is not any special FSCTL which instructs file system driver to change certain MFT record according to sender's wish. I know only the way described by nullptr (and its slight "variants").

The "magic" FSCTL you are using to obtain information about MFT might not return ceorrect data about the table. It tells you only where it starts and how it is long. However, MFT behaves as any other file, it could be fragmented into pieces stored in different places on the disk. Hence, the FSCTL works correctly only for MFTs that are stored as one fragment.

I assume your magic FSCTL is this:

Code: Select all

Const
      FSCTL_GET_VOLUME_INFORMATION     = $90064;

Type
  TNTFSVolumeInformation = Record
                             SerialNumber         : Int64;
                             NumberOfSectors      : Int64;
                             TotalClusters        : Int64;
                             FreeClusters         : Int64;
                             Reserved             : Int64;
                             BytesPerSector       : Cardinal;
                             BytesPerCluster      : Cardinal;
                             BytesPerMFTRecord    : Cardinal;
                             ClustersPerMFTRecord : Cardinal;
                             MFTLength            : Int64;
                             MFTStart             : Int64;
                             MFTMirrorStart       : Int64;
                             MFTZoneStart         : Int64;
                             MFTZoneEnd           : Int64;
                             end;