数据恢复(一)——获取硬盘信息
// testdisk.cpp : 定义控制台应用程序的入口点。//
#include "stdafx.h"
#include <windows.h>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <iostream>
#include "BeaEngine.h"
#pragma comment(lib,"BeaEngine.lib")
using namespace std;
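#pragma pack(push,1)
// Number of primary entries in the MBR partition table.
#define PTABLE_DIMENSION 4

// One 16-byte partition table entry, laid out exactly as it is on disk.
// Fixed-width types are used because this mirrors an on-disk format; the
// byte-for-byte layout is pinned by the static_asserts after the structs.
// (The listing this was restored from had lost the array dimensions: the
// callers pass sizeof(BootCode) to the disassembler, index PartitionTable
// by PTABLE_DIMENSION and print four signature bytes.)
typedef struct _ON_DISK_PTE
{
    uint8_t  ActiveFlag;       // boot indicator: 0x80 = active (bootable), 0x00 = inactive
    uint8_t  StartHead;        // CHS start: head
    uint8_t  StartSector;      // CHS start: bits 0-5 = sector, bits 6-7 = cylinder bits 8-9
    uint8_t  StartCylinder;    // CHS start: cylinder bits 0-7
    uint8_t  SystemId;         // partition type, see the PARTITION_* values below
    uint8_t  EndHead;          // CHS end: head
    uint8_t  EndSector;        // CHS end: bits 0-5 = sector, bits 6-7 = cylinder bits 8-9
    uint8_t  EndCylinder;      // CHS end: cylinder bits 0-7
    uint32_t RelativeSectors;  // LBA of the partition's first sector (little-endian on disk,
                               // read directly because the x86 host matches)
    uint32_t SectorCount;      // number of sectors in the partition
} ON_DISK_PTE, *PON_DISK_PTE;

// The 512-byte master boot record (sector 0 of a drive).
typedef struct _ON_DISK_MBR
{
    uint8_t     BootCode[0x1B8];                   // boot loader code, offsets 0x000-0x1B7
    uint8_t     NTFTSignature[4];                  // 32-bit disk signature, offset 0x1B8
    uint8_t     Filler[2];                         // offset 0x1BC
    ON_DISK_PTE PartitionTable[PTABLE_DIMENSION];  // four primary entries, offset 0x1BE
    uint8_t     AA55Signature[2];                  // boot signature bytes 0x55 0xAA, offset 0x1FE
} ON_DISK_MBR, *PON_DISK_MBR;
#pragma pack(pop)

// Catch any toolchain that ignores the packing or uses a different integer width:
// reading a sector into a struct of the wrong size would misparse the table.
static_assert(sizeof(ON_DISK_PTE) == 16, "partition table entry must be 16 bytes");
static_assert(sizeof(ON_DISK_MBR) == 512, "MBR must be exactly one 512-byte sector");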
#define SECTORSIZE 0x200 // bytes per sector assumed when converting LBA values to byte offsets (512)
#define PARTITION_ENTRY_UNUSED 0x00 // empty partition table slot
#define PARTITION_FAT_12 0x01 // FAT12
#define PARTITION_XENIX_1 0x02 // Xenix
#define PARTITION_XENIX_2 0x03 // Xenix
#define PARTITION_FAT_16 0x04 // FAT16
#define PARTITION_EXTENDED 0x05 // extended partition (contains a chain of further partition tables)
#define PARTITION_HUGE 0x06 // MS-DOS V4 "huge" partition
#define PARTITION_IFS 0x07 // installable file system: NTFS / HPFS
#define PARTITION_FAT32 0x0B // FAT32
#define PARTITION_FAT32_XINT13 0x0C // FAT32 addressed through extended INT 13h services
#define PARTITION_XINT13 0x0E // Win95 partition addressed through extended INT 13h services
#define PARTITION_XINT13_EXTENDED 0x0F // extended partition addressed through extended INT 13h services
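// Disassemble `codesize` bytes at `codebuf` and print one instruction per line
// as "0x<offset>\t\t<instruction>".
//
// The buffer is untrusted on-disk data, so two things are guarded here that
// the original did not: the decoder is told where the block ends
// (SecurityBlock) so it cannot read past `codebuf`, and a decode failure
// (Disasm returns a negative length) advances by one byte instead of being
// added to EIP, which previously walked the cursor backwards and never
// terminated because the `Error` flag was never set.
void DisasmAndShow(UCHAR* codebuf, int codesize)
{
    if (codebuf == NULL || codesize <= 0)
        return;

    DISASM bootcode;
    memset(&bootcode, 0, sizeof(bootcode));
    // MBR code executes in 16-bit real mode at 0000:7C00.  The default
    // (Archi = 0) decodes it as 32-bit, which is why the sample output shows
    // "mov esp, 50FB7C00h" where the code actually says "mov sp, 7C00h".
    // NOTE(review): requires a BeaEngine build that supports Archi = 16;
    // confirm for the version linked here.
    bootcode.Archi = 16;

    int totallen = 0;
    while (totallen < codesize)
    {
        bootcode.EIP = (UIntPtr)(codebuf + totallen);
        bootcode.VirtualAddr = 0x7C00 + totallen;     // so branch targets print as load addresses
        bootcode.SecurityBlock = codesize - totallen; // refuse instructions that overrun the buffer

        int len = Disasm(&bootcode);
        cout << hex << "0x" << totallen << dec << "\t\t";
        if (len <= 0)
        {
            // Unknown opcode or truncated instruction: emit the byte and resync
            // one byte further on rather than trusting a negative length.
            cout << "db " << hex << (int)codebuf[totallen] << dec << endl;
            len = 1;
        }
        else
        {
            cout << bootcode.CompleteInstr << endl;
        }
        totallen += len;
    }
}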
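// Extract the 10-bit cylinder from a CHS pair: the sector byte carries
// cylinder bits 8-9 in its top two bits, the cylinder byte carries bits 0-7.
static unsigned int ChsCylinder(unsigned char sectorByte, unsigned char cylinderByte)
{
    return ((unsigned int)(sectorByte & 0xC0) << 2) | cylinderByte;
}

// Extract the 6-bit sector number from a CHS sector byte.
static unsigned int ChsSector(unsigned char sectorByte)
{
    return sectorByte & 0x3F;
}

// Print one partition table entry: active flag, type, CHS geometry and the
// LBA-derived byte offset/size.
//
// Fixes relative to the original listing:
//  - The CHS cylinder/sector bytes were printed raw even though the struct
//    comments describe the packed encoding; that is why the sample output
//    shows "end sector 255" for a value that cannot exceed 63.
//  - RelativeSectors/SectorCount are 32-bit, so `count * SECTORSIZE` was a
//    32-bit multiply that overflows for any partition of 4 GiB or more;
//    the products are now computed in 64 bits.
//  - Unrecognised type ids are shown in hex instead of printing nothing.
void ShowPartion(PON_DISK_PTE PartitionTable)
{
    if (PartitionTable == NULL)
        return;

    cout << "\t\t";
    // Only 0x80 marks an active entry; any other value is reported as inactive.
    if (PartitionTable->ActiveFlag == 0x80)
        cout << "活动分区" << endl;
    else
        cout << "不活动分区" << endl;

    cout << "分区类型:";
    switch (PartitionTable->SystemId)
    {
    case PARTITION_EXTENDED:
    case PARTITION_XINT13_EXTENDED:
        // The entry points at an EBR holding another partition table; walking
        // that chain is left to the reader (see the closing questions).
        cout << "扩展分区";
        break;
    case PARTITION_IFS:
        cout << "NTFS";
        break;
    case PARTITION_FAT32:
    case PARTITION_FAT32_XINT13:
        cout << "FAT32";
        break;
    default:
        cout << "0x" << hex << (int)PartitionTable->SystemId << dec;
        break;
    }
    cout << endl;

    // Physical (CHS) geometry - legacy fields, decoded per the struct layout.
    cout << "开始磁头:" << (int)PartitionTable->StartHead << endl;
    cout << "结束磁头:" << (int)PartitionTable->EndHead << endl;
    cout << "起始柱面:" << ChsCylinder(PartitionTable->StartSector, PartitionTable->StartCylinder) << endl;
    cout << "结束柱面:" << ChsCylinder(PartitionTable->EndSector, PartitionTable->EndCylinder) << endl;
    cout << "起始扇区:" << ChsSector(PartitionTable->StartSector) << endl;
    cout << "结束扇区:" << ChsSector(PartitionTable->EndSector) << endl;

    // Logical (LBA) fields, widened before the multiply to avoid 32-bit wraparound.
    unsigned long long offsetBytes = (unsigned long long)PartitionTable->RelativeSectors * SECTORSIZE;
    unsigned long long sizeBytes   = (unsigned long long)PartitionTable->SectorCount   * SECTORSIZE;
    cout << "分区起始逻辑偏移:" << hex << offsetBytes << dec << endl;
    cout << "分区大小(B):" << sizeBytes << endl;
    cout << endl;
}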
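// Entry point: open \\.\PhysicalDrive0 .. 15 read-only, read the first sector
// of each, disassemble the boot code and dump the four primary partition
// entries.  Opening a physical drive needs administrator rights; a drive that
// cannot be opened is reported and skipped.
//
// Everything read from the disk is untrusted input: the buffer is zeroed
// before use, the read length is checked, and the partition table is only
// interpreted when the 0x55AA boot signature is present.
//
// Fixes relative to the original listing:
//  - `else if(ERROR_FILE_NOT_FOUND)` tested a constant (always true), so any
//    open error other than access-denied ended the scan; and when neither
//    branch matched the code went on to ReadFile() on INVALID_HANDLE_VALUE.
//  - The "disk signature" line printed BootCode[0..3]; that is why the sample
//    output shows the first boot-code bytes (33 c0 8e d0) for every disk.
//    The signature lives in NTFTSignature at offset 0x1B8.
//  - The partition loop stopped at the first unused slot; unused slots can
//    precede used ones, so they are now skipped instead.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;
    const int MAX_DRIVES = 16;

    for (int physicaldrivenum = 0; physicaldrivenum < MAX_DRIVES; physicaldrivenum++)
    {
        // "\\.\PhysicalDrive15" is 20 characters; 64 leaves ample room.
        char devicePath[64];
        sprintf(devicePath, "\\\\.\\PhysicalDrive%d", physicaldrivenum);

        HANDLE hPhysical = CreateFileA(devicePath, GENERIC_READ,
                                       FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hPhysical == INVALID_HANDLE_VALUE)
        {
            DWORD error = GetLastError();
            if (error == ERROR_ACCESS_DENIED)
            {
                cout << "访问权限不够" << endl;
            }
            else if (error != ERROR_FILE_NOT_FOUND)
            {
                cout << "打开" << devicePath << "失败, 错误码:" << error << endl;
            }
            // ERROR_FILE_NOT_FOUND: no such drive number.  Drive numbers can
            // have gaps (e.g. after a disk is removed), so keep scanning rather
            // than treating the first gap as the end of the list.
            continue;
        }

        ON_DISK_MBR curmbr;
        memset(&curmbr, 0, sizeof(curmbr));
        DWORD readnum = 0;
        // NOTE(review): a 512-byte read is rejected on drives with 4096-byte
        // native sectors; IOCTL_DISK_GET_DRIVE_GEOMETRY gives the real size.
        BOOL ok = ReadFile(hPhysical, &curmbr, sizeof(curmbr), &readnum, NULL);
        CloseHandle(hPhysical);   // closed before any early `continue` below
        if (!ok || readnum != sizeof(curmbr))
        {
            cout << "硬盘" << physicaldrivenum + 1 << ": 读取MBR失败, 错误码:" << GetLastError() << endl;
            continue;
        }

        cout << "硬盘" << physicaldrivenum + 1 << ":" << endl;
        cout << "\t启动代码:" << endl;
        DisasmAndShow(curmbr.BootCode, sizeof(curmbr.BootCode));

        cout << "\t硬盘签名:" << hex
             << (int)curmbr.NTFTSignature[0] << " " << (int)curmbr.NTFTSignature[1] << " "
             << (int)curmbr.NTFTSignature[2] << " " << (int)curmbr.NTFTSignature[3]
             << dec << endl;

        // Do not interpret a partition table in a sector that lacks the boot
        // signature: it is either not an MBR at all or it is damaged.
        if (curmbr.AA55Signature[0] != 0x55 || curmbr.AA55Signature[1] != 0xAA)
        {
            cout << "\tMBR签名无效(非55AA), 跳过分区表" << endl;
            continue;
        }

        for (int mainpartition = 0; mainpartition < PTABLE_DIMENSION; mainpartition++)
        {
            PON_DISK_PTE entry = &curmbr.PartitionTable[mainpartition];
            if (entry->SystemId == PARTITION_ENTRY_UNUSED)
                continue;
            // NOTE(review): a GPT disk shows a single protective entry of type
            // 0xEE here; its real layout is in the GPT, which this tool does not parse.
            ShowPartion(entry);
        }
    }
    return 0;
}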
结果:
硬盘1:
启动代码:
0x0 xor eax, eax
0x2 mov ss, ax
0x4 mov esp, 50FB7C00h
0x9 pop es
0xa push eax
0xb pop ds
0xc cld
0xd mov esi, 1BBF7C1Bh
0x12 push es
0x13 push eax
0x14 push edi
0x15 mov ecx, A4F301E5h
0x1a retf
0x1b mov ebp, 04B107BEh
0x20 cmp byte ptr , ch
0x23 jl 0070F406h
0x25 jne 0070F412h
0x27 add ebp, 10h
0x2a loop 0070F3F8h
0x2c int 18h
0x2e mov esi, ebp
0x30 add esi, 10h
0x33 dec ecx
0x34 je 0070F427h
0x36 cmp byte ptr , ch
0x39 mul byte ptr
0x3f mov esi, eax
0x41 lodsb
0x42 cmp al, 00h
0x44 je 0070F41Ah
0x46 mov ebx, 0EB40007h
0x4b int 10h
0x4d jmp 0070F419h
0x4f mov byte ptr , cl
0x52 call 2AE3F475h
0x57 inc byte ptr
0x5a cmp byte ptr , 0Bh
0x5e je 0070F443h
0x60 cmp byte ptr , 0Ch
0x64 je 0070F443h
0x66 mov al, byte ptr
0x6b add byte ptr , 06h
0x6f add dword ptr , 06h
0x73 adc dword ptr , 00000000h
0x77 call 05E3F475h
0x7c mov al, byte ptr
0x81 cmp dword ptr , AA557DFEh
0x87 je 0070F46Ch
0x89 cmp byte ptr , 00h
0x8d je 0070F42Fh
0x8f mov al, byte ptr
0x94 mov edi, esp
0x96 push ds
0x97 push edi
0x98 mov esi, ebp
0x9a retf
0x9b mov edi, 568A0005h
0xa0 add byte ptr , dh
0xa7 mov al, cl
0xa9 and al, 3Fh
0xab cwde
0xac mov bl, dh
0xae mov bh, ah
0xb0 inc ebx
0xb1 mul ebx
0xb3 mov edx, ecx
0xb5 xchg dh, dl
0xb7 mov cl, 06h
0xb9 shr dh, cl
0xbb inc edx
0xbc mul edx
0xbe cmp dword ptr , edx
0xc1 jnbe 0070F4BEh
0xc3 jc 0070F4A2h
0xc5 cmp dword ptr , eax
0xc8 jnc 0070F4BEh
0xca mov eax, 00BB0201h
0xcf jl 0070F434h
0xd1 dec esi
0xd2 add cl, byte ptr
0xd8 jnc 0070F503h
0xda dec edi
0xdb je 0070F503h
0xdd xor ah, ah
0xdf mov dl, byte ptr
0xe2 int 13h
0xe4 jmp 0070F4A2h
0xe6 mov dl, byte ptr
0xe9 pushad
0xea mov ebx, 41B455AAh
0xef int 13h
0xf1 jc 0070F501h
0xf3 cmp ebx, 3075AA55h
0xf9 test cl, 01h
0xfc je 0070F501h
0xfe popad
0xff pushad
0x100 push 00000000h
0x102 push 00000000h
0x104 push dword ptr
0x107 push dword ptr
0x10a push 00000000h
0x10c push 016A7C00h
0x111 push 00000010h
0x113 mov ah, 42h
0x115 mov esi, esp
0x117 int 13h
0x119 popad
0x11a popad
0x11b jnc 0070F503h
0x11d dec edi
0x11e je 0070F503h
0x120 xor ah, ah
0x122 mov dl, byte ptr
0x125 int 13h
0x127 jmp 0070F4D7h
0x129 popad
0x12a stc
0x12b ret
0x12c dec ecx
0x12d outsb
0x12e jbe 0070F569h
0x130 insb
0x131 imul esp, dword ptr , 69747261h
0x139 je 0070F57Ch
0x13b outsd
0x13c outsb
0x13d and byte ptr , dh
0x141 insb
0x142 add byte ptr , al
0x146 jc 0070F58Fh
0x148 jc 0070F542h
0x14a insb
0x14b outsd
0x14c popad
0x14d imul ebp, dword ptr fs:, 65706F20h
0x155 jc 0070F590h
0x157 je 0070F59Ah
0x159 outsb
0x15a and byte ptr , dh
0x15e jnc 0070F5ACh
0x160 insd
0x162 add byte ptr , cl
0x165 jnc 0070F5B2h
0x167 imul ebp, dword ptr , 65706F20h
0x16e jc 0070F5A9h
0x170 je 0070F5B3h
0x172 outsb
0x173 and byte ptr , dh
0x177 jnc 0070F5C5h
0x179 insd
0x17b add byte ptr , al
0x17d add byte ptr , al
0x17f add byte ptr , al
0x181 add byte ptr , al
0x183 add byte ptr , al
0x185 add byte ptr , al
0x187 add byte ptr , al
0x189 add byte ptr , al
0x18b add byte ptr , al
0x18d add byte ptr , al
0x18f add byte ptr , al
0x191 add byte ptr , al
0x193 add byte ptr , al
0x195 add byte ptr , al
0x197 add byte ptr , al
0x199 add byte ptr , al
0x19b add byte ptr , al
0x19d add byte ptr , al
0x19f add byte ptr , al
0x1a1 add byte ptr , al
0x1a3 add byte ptr , al
0x1a5 add byte ptr , al
0x1a7 add byte ptr , al
0x1a9 add byte ptr , al
0x1ab add byte ptr , al
0x1ad add byte ptr , al
0x1af add byte ptr , al
0x1b1 add byte ptr , al
0x1b3 add byte ptr , al
0x1b5 add byte ptr , al
0x1b7 add al, ch
硬盘签名:33 c0 8e d0
活动分区
分区类型:NTFS
开始磁头:32
结束磁头:254
起始柱面:0
结束柱面:255
起始扇区:33
结束扇区:255
分区起始逻辑偏移:100000
分区大小(B):120030494720
硬盘2:
启动代码:
0x0 xor eax, eax
0x2 mov ss, ax
0x4 mov esp, C08E7C00h
0x9 mov ds, ax
0xb mov esi, 00BF7C00h
0x10 push es
0x11 mov ecx, F3FC0200h
0x16 movsb
0x17 push eax
0x18 push FBCB061Ch
0x1d mov ecx, BEBD0004h
0x22 pop es
0x23 cmp byte ptr , 00h
0x27 jl 0070F40Ch
0x29 jne FFFFFFFFC5F3F515h
0x2f adc dl, ah
0x31 int1
0x32 int 18h
0x34 mov byte ptr , dl
0x37 push ebp
0x38 mov byte ptr , 05h
0x3c mov byte ptr , 00h
0x40 mov ah, 41h
0x42 mov ebx, 13CD55AAh
0x47 pop ebp
0x48 jc 0070F431h
0x4a cmp ebx, 0975AA55h
0x50 test ecx, 03740001h
0x56 inc byte ptr
0x59 pusha
0x5b cmp byte ptr , 00h
0x5f je 0070F45Fh
0x61 push 0000h
0x65 add byte ptr , al
0x67 push word ptr
0x6b push 00680000h
0x70 jl 0070F4B2h
0x72 add dword ptr , eax
0x74 push 42B40010h
0x79 mov dl, byte ptr
0x7c mov esi, esp
0x7e int 13h
0x80 lahf
0x81 add esp, 10h
0x84 sahf
0x85 jmp 0070F473h
0x87 mov eax, 00BB0201h
0x8c jl 0070F3F0h
0x8e push esi
0x8f add byte ptr , cl
0x95 add cl, byte ptr
0x9b popa
0x9d jnc 0070F493h
0x9f dec byte ptr
0xa2 jne 0070F488h
0xa4 cmp byte ptr , 80h
0xa8 je FFFFFFFF8122F510h
0xae jmp 0070F40Ch
0xb0 push ebp
0xb1 xor ah, ah
0xb3 mov dl, byte ptr
0xb6 int 13h
0xb8 pop ebp
0xb9 jmp 0070F431h
0xbb cmp dword ptr , AA557DFEh
0xc1 jne 0070F509h
0xc3 push dword ptr
0xc6 call 17E5F530h
0xcb cli
0xcc mov al, D1h
0xce out 64h, al
0xd0 call FFFFFFFFE020F530h
0xd5 out 60h, al
0xd7 call 0020F530h
0xdc out 64h, al
0xde call FFFFFFFFB96BF530h
0xe3 add byte ptr , bh
0xe9 sal byte ptr , 66h
0xed cmp ebx, 41504354h
0xf3 jne 0070F4FFh
0xf5 cmp ecx, 2C720102h
0xfb push BB07h
0xff add byte ptr , al
0x101 push 0200h
0x105 add byte ptr , al
0x107 push 0008h
0x10b add byte ptr , al
0x10d push bx
0x10f push bx
0x111 push bp
0x113 push 0000h
0x117 add byte ptr , al
0x119 push 7C00h
0x11d add byte ptr , al
0x11f popa
0x121 push CD070000h
0x126 sbb bl, byte ptr
0x129 imul dl
0x12b add byte ptr , bh
0x12f int 18h
0x131 mov al, byte ptr
0x136 mov al, byte ptr
0x13b mov al, byte ptr
0x140 add eax, F08B0700h
0x145 lodsb
0x146 cmp al, 00h
0x148 je 0070F52Bh
0x14a mov ebx, 0EB40007h
0x14f int 10h
0x151 jmp 0070F51Dh
0x153 hlt
0x154 jmp 0070F52Bh
0x156 sub ecx, ecx
0x158 in al, 64h
0x15a jmp 0070F534h
0x15c and al, 02h
0x15e loopne 0070F530h
0x160 and al, 02h
0x162 ret
0x163 dec ecx
0x164 outsb
0x165 jbe 0070F5A0h
0x167 insb
0x168 imul esp, dword ptr , 69747261h
0x170 je 0070F5B3h
0x172 outsd
0x173 outsb
0x174 and byte ptr , dh
0x178 insb
0x179 add byte ptr , al
0x17d jc 0070F5C6h
0x17f jc 0070F579h
0x181 insb
0x182 outsd
0x183 popad
0x184 imul ebp, dword ptr fs:, 65706F20h
0x18c jc 0070F5C7h
0x18e je 0070F5D1h
0x190 outsb
0x191 and byte ptr , dh
0x195 jnc 0070F5E3h
0x197 insd
0x199 add byte ptr , cl
0x19c jnc 0070F5E9h
0x19e imul ebp, dword ptr , 65706F20h
0x1a5 jc 0070F5E0h
0x1a7 je 0070F5EAh
0x1a9 outsb
0x1aa and byte ptr , dh
0x1ae jnc 0070F5FCh
0x1b0 insd
0x1b2 add byte ptr , al
0x1b4 add byte ptr , ah
0x1b7 call far 0000h : 24129D8Dh
硬盘签名:33 c0 8e d0
不活动分区
分区类型:NTFS
开始磁头:32
结束磁头:254
起始柱面:0
结束柱面:255
起始扇区:33
结束扇区:255
分区起始逻辑偏移:100000
分区大小(B):1000202043392
硬盘3:
启动代码:
0x0 xor eax, eax
0x2 mov ss, ax
0x4 mov esp, C08E7C00h
0x9 mov ds, ax
0xb mov esi, 00BF7C00h
0x10 push es
0x11 mov ecx, F3FC0200h
0x16 movsb
0x17 push eax
0x18 push FBCB061Ch
0x1d mov ecx, BEBD0004h
0x22 pop es
0x23 cmp byte ptr , 00h
0x27 jl 0070F40Ch
0x29 jne FFFFFFFFC5F3F515h
0x2f adc dl, ah
0x31 int1
0x32 int 18h
0x34 mov byte ptr , dl
0x37 push ebp
0x38 mov byte ptr , 05h
0x3c mov byte ptr , 00h
0x40 mov ah, 41h
0x42 mov ebx, 13CD55AAh
0x47 pop ebp
0x48 jc 0070F431h
0x4a cmp ebx, 0975AA55h
0x50 test ecx, 03740001h
0x56 inc byte ptr
0x59 pusha
0x5b cmp byte ptr , 00h
0x5f je 0070F45Fh
0x61 push 0000h
0x65 add byte ptr , al
0x67 push word ptr
0x6b push 00680000h
0x70 jl 0070F4B2h
0x72 add dword ptr , eax
0x74 push 42B40010h
0x79 mov dl, byte ptr
0x7c mov esi, esp
0x7e int 13h
0x80 lahf
0x81 add esp, 10h
0x84 sahf
0x85 jmp 0070F473h
0x87 mov eax, 00BB0201h
0x8c jl 0070F3F0h
0x8e push esi
0x8f add byte ptr , cl
0x95 add cl, byte ptr
0x9b popa
0x9d jnc 0070F493h
0x9f dec byte ptr
0xa2 jne 0070F488h
0xa4 cmp byte ptr , 80h
0xa8 je FFFFFFFF8122F510h
0xae jmp 0070F40Ch
0xb0 push ebp
0xb1 xor ah, ah
0xb3 mov dl, byte ptr
0xb6 int 13h
0xb8 pop ebp
0xb9 jmp 0070F431h
0xbb cmp dword ptr , AA557DFEh
0xc1 jne 0070F509h
0xc3 push dword ptr
0xc6 call 17E5F530h
0xcb cli
0xcc mov al, D1h
0xce out 64h, al
0xd0 call FFFFFFFFE020F530h
0xd5 out 60h, al
0xd7 call 0020F530h
0xdc out 64h, al
0xde call FFFFFFFFB96BF530h
0xe3 add byte ptr , bh
0xe9 sal byte ptr , 66h
0xed cmp ebx, 41504354h
0xf3 jne 0070F4FFh
0xf5 cmp ecx, 2C720102h
0xfb push BB07h
0xff add byte ptr , al
0x101 push 0200h
0x105 add byte ptr , al
0x107 push 0008h
0x10b add byte ptr , al
0x10d push bx
0x10f push bx
0x111 push bp
0x113 push 0000h
0x117 add byte ptr , al
0x119 push 7C00h
0x11d add byte ptr , al
0x11f popa
0x121 push CD070000h
0x126 sbb bl, byte ptr
0x129 imul dl
0x12b add byte ptr , bh
0x12f int 18h
0x131 mov al, byte ptr
0x136 mov al, byte ptr
0x13b mov al, byte ptr
0x140 add eax, F08B0700h
0x145 lodsb
0x146 cmp al, 00h
0x148 je 0070F52Bh
0x14a mov ebx, 0EB40007h
0x14f int 10h
0x151 jmp 0070F51Dh
0x153 hlt
0x154 jmp 0070F52Bh
0x156 sub ecx, ecx
0x158 in al, 64h
0x15a jmp 0070F534h
0x15c and al, 02h
0x15e loopne 0070F530h
0x160 and al, 02h
0x162 ret
0x163 dec ecx
0x164 outsb
0x165 jbe 0070F5A0h
0x167 insb
0x168 imul esp, dword ptr , 69747261h
0x170 je 0070F5B3h
0x172 outsd
0x173 outsb
0x174 and byte ptr , dh
0x178 insb
0x179 add byte ptr , al
0x17d jc 0070F5C6h
0x17f jc 0070F579h
0x181 insb
0x182 outsd
0x183 popad
0x184 imul ebp, dword ptr fs:, 65706F20h
0x18c jc 0070F5C7h
0x18e je 0070F5D1h
0x190 outsb
0x191 and byte ptr , dh
0x195 jnc 0070F5E3h
0x197 insd
0x199 add byte ptr , cl
0x19c jnc 0070F5E9h
0x19e imul ebp, dword ptr , 65706F20h
0x1a5 jc 0070F5E0h
0x1a7 je 0070F5EAh
0x1a9 outsb
0x1aa and byte ptr , dh
0x1ae jnc 0070F5FCh
0x1b0 insd
0x1b2 add byte ptr , al
0x1b4 add byte ptr , ah
0x1b7 call far 0000h : 042ED2AFh
硬盘签名:33 c0 8e d0
不活动分区
分区类型:NTFS
开始磁头:32
结束磁头:254
起始柱面:0
结束柱面:255
起始扇区:33
结束扇区:255
分区起始逻辑偏移:100000
分区大小(B):1000202043392
//留下2个问题
//1 怎么得到每个硬盘大小(B)?
//2 怎么遍历到所有分区