chrysocome.net

Reading partitions via the backdoor

There is some kind of bug/feature in Windows XP SP2 which prevents direct (DASD, i.e. raw sector) I/O on some partitions, even when they are not mounted. The workaround is to obtain the disk extents for the partition and do the I/O on the disk object instead, adding the partition's starting offset to every address. It is a dirty hack: the partition object bounds your reads and writes to the partition, and the disk object does not, so that protection is lost. It seems necessary all the same.

Procedure

Open a partition (volume) object and issue the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS IOCTL. It fills a VOLUME_DISK_EXTENTS structure: a count of extents followed by one DISK_EXTENT per extent, each giving the disk number, the starting byte offset on that disk and the length in bytes. A volume can have several extents (a spanned or striped volume, for example), in which case a buffer sized for one extent makes DeviceIoControl fail with ERROR_MORE_DATA and you retry with a larger buffer; most partitions have exactly one extent.

You can then open the disk object named by the returned disk number and read and write at the partition's offset plus the offset you want within the partition. Nothing stops you from reading or writing outside the partition, so you must check every offset and length against the extent yourself before touching the disk.

This has been implemented in Explore2fs and Virtual Volumes. It will be implemented in dd soon. Until then, you can download Sysinternals DiskExt, which will tell you the extents for your partitions.

This is an example of how to read the boot sector off drive D:. First check the disk number and extent offset:

    diskext

    Extents for C:
      Extent [1]:
          Disk:   0
          Offset: 57576960
          Length: 20974464000

    Extents for D:
      Extent [1]:
          Disk:   0
          Offset: 21139001856
          Length: 58860071424

Divide the offset by your block size (dd's default is 512 bytes):

    21139001856 / 512 = 41287113

and use that with skip=, reading from the whole-disk object (Partition0) of disk 0:

    dd if=\\?\Device\Harddisk0\Partition0 of=bootsector.bin skip=41287113 count=1
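The offset translation that the procedure above describes, and that the D: example works through by hand, as an added Python example. It is not code from this page, from dd or from Explore2fs. It parses DiskExt-style output (the constructed sample below reuses the C: and D: numbers from the example), maps a byte range given relative to the volume onto one or more (disk, offset, length) pieces, refuses any range that runs past the end of the volume, since the disk object will not refuse it for you, and emits the matching dd command line. It assumes the extents are listed in volume order, which is the order the IOCTL hands them back for a simple volume; for anything exotic, check that assumption against the volume manager.

```python
"""Translate volume-relative byte ranges onto the disk(s) beneath a volume and
build the dd command for the "backdoor" read.  Added example, not the page's
own code.  Sample DiskExt output is constructed from the numbers in the article."""
import re
from dataclasses import dataclass

SECTOR = 512  # dd's default block size; the skip= arithmetic above assumes it


@dataclass(frozen=True)
class Extent:
    disk: int     # DiskNumber: the disk behind \\?\Device\HarddiskN\Partition0
    offset: int   # StartingOffset of this extent on that disk, in bytes
    length: int   # ExtentLength in bytes


# Constructed sample: the two volumes quoted in the article, DiskExt layout.
DISKEXT_OUTPUT = """
Extents for C:
  Extent [1]:
      Disk:   0
      Offset: 57576960
      Length: 20974464000

Extents for D:
  Extent [1]:
      Disk:   0
      Offset: 21139001856
      Length: 58860071424
"""

# Tolerant of both the real one-field-per-line layout and a flattened copy.
_TOKEN = re.compile(r"Extents for (\S+)|Disk:\s*(\d+)\s+Offset:\s*(\d+)\s+Length:\s*(\d+)")


def parse_diskext(text):
    """Return {volume: [Extent, ...]} with extents in the order DiskExt lists them."""
    volumes, current = {}, None
    for m in _TOKEN.finditer(text):
        if m.group(1):
            current = m.group(1)
            volumes.setdefault(current, [])
        elif current is not None:
            volumes[current].append(Extent(int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return volumes


def map_range(extents, vol_offset, length):
    """Map [vol_offset, vol_offset + length) on the volume to disk pieces.

    Extents are treated as concatenated in list order (assumption: volume order).
    A range crossing an extent boundary is split; a range that leaves the volume
    is rejected instead of silently becoming a read of the neighbouring partition.
    """
    if vol_offset < 0 or length <= 0:
        raise ValueError("offset must be >= 0 and length > 0")
    pieces, pos, remaining = [], 0, length
    for ext in extents:
        end = pos + ext.length
        if vol_offset < end and remaining > 0:
            start_in = max(vol_offset, pos) - pos          # where this piece starts inside ext
            take = min(ext.length - start_in, remaining)   # never past the end of ext
            pieces.append((ext.disk, ext.offset + start_in, take))
            remaining -= take
        pos = end
    if remaining:
        raise ValueError("range extends %d bytes past the end of the volume" % remaining)
    return pieces


def dd_command(piece, out, bs=SECTOR):
    """dd for Windows command line for one piece, addressing the whole disk (Partition0)."""
    disk, disk_offset, length = piece
    if disk_offset % bs or length % bs:
        raise ValueError("offset and length must be multiples of bs=%d" % bs)
    return ("dd if=\\\\?\\Device\\Harddisk%d\\Partition0 of=%s bs=%d skip=%d count=%d"
            % (disk, out, bs, disk_offset // bs, length // bs))


if __name__ == "__main__":
    vols = parse_diskext(DISKEXT_OUTPUT)
    for piece in map_range(vols["D:"], 0, SECTOR):   # first sector of D: = its boot sector
        print(dd_command(piece, "bootsector.bin"))
```

Running it reproduces the command from the worked example above, with bs=512 spelled out. The check in map_range is the part that matters: a request for bytes past the volume's last extent raises instead of being turned into a disk offset, which is exactly the guard the partition object used to provide.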
