Path: news.mitre.org!blanket.mitre.org!news.tufts.edu!cam-news-feed5.bbnplanet.com!cam-news-hub1.bbnplanet.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!howland.erols.net!usc!newshub.cts.com!relief.cts.com!not-for-mail
From: "Jamey Kirby"
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode
Subject: Re: Signaure/Checksum on boot record.
Date: Sat, 27 Dec 1997 11:18:37 -0800
Organization: Magnuson, Kirby & Associates, LLC.
Lines: 68
Message-ID: <883251221.744857@wagasa.cts.com>
References: <34A1369E.5B1A@ibm.net> <680c38$q6h$1@reader1.reader.news.ozemail.net> <883236784.399687@wagasa.cts.com>
NNTP-Posting-Host: wagasa.cts.com
X-Newsreader: Microsoft Outlook Express 4.71.1712.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.0
Cache-Post-Path: wagasa.cts.com!unknown@putccb1241095.cts.com

Oh yes, filtering the IOCTL_DISK_SET_DRIVE_LAYOUT would work as well, but in
either case, the data has to go through IRP_MJ_WRITE in order to get to the
disk.

--
Jamey Kirby
Senior Partner
Magnuson, Kirby & Associates, LLC.
jkirby@gloryroad.net
http://www.mkallc.com

Jamey Kirby wrote in message <883236784.399687@wagasa.cts.com>...
>To take it a step further, the I/O to update the MBR is done via the
>IRP_MJ_WRITE. IoReadPartitionTable() and IoWritePartitionTable() take a
>pointer to physical disk device which should be the device being sent the
>request. This causes a re-entrant I/O request into the disk driver. Watching
>for IRP_MJ_WRITE to the physical device with an offset of 0 is how one would
>filter MBR update request.
>
>--
>Jamey Kirby
>Senior Partner
>Magnuson, Kirby & Associates, LLC.
>jkirby@gloryroad.net
>http://www.mkallc.com
>Geoff Chappell wrote in message
><680c38$q6h$1@reader1.reader.news.ozemail.net>...
>>TomerG wrote in article <34A1369E.5B1A@ibm.net>...
>>> What device is responsible for the update of the Signature/Checksum
>>>
>>> when NT is shutting down?
>>
>>It doesn't happen quite that way. Anyone can write an MBR signature by
>>sending IOCTL_DISK_SET_DRIVE_LAYOUT to a device object for the relevant
>>disk (e.g. \\.\physicaldrive0 from an application). Similarly, anyone can
>>check for the presence of an MBR signature by using
>>IOCTL_DISK_GET_DRIVE_LAYOUT. The typical way that all this gets done is
>>that users run the Disk Administrator.
>>
>>In standard configurations, IOCTL codes for drive layout are handled by
>>the DISK.SYS driver, which in turn uses the IoReadPartitionTable and
>>IoWritePartitionTable functions. The default implementations for these are
>>in the NTOSKRNL.
>>
>>When NT starts up (as opposed to shutting down), the MBR is examined for
>>the signature. Also, a checksum is calculated. This is done using whatever
>>method of disk access applies before the relevant boot drivers are loaded
>>- so for multi devices, this means int 13h. The results are recorded in a
>>registry key so that when boot drivers initialise, they can match their
>>devices (accessed using the methods that will apply for the rest of the NT
>>session) to the ones that were accessible before NT.
>>
>>The NT DDK provides the source code to DISK.SYS, so you can see how this
>>happens in practice. DISK.SYS makes a call to IoReadPartitionTable. If the
>>result shows a non-zero signature, the signature is trusted. If the result
>>shows a zero signature, a checksum is calculated.
>>
>>--
>>Geoff Chappell
>>Software Analyst
>>
>>For email address change host to ozemail.com.au
>>Web site in directory ~geoffch at www.ozemail.com.au
>
>
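The two rules in the thread, Kirby's filter rule (an IRP_MJ_WRITE to the physical disk starting at byte offset 0 is an MBR update) and Chappell's description of DISK.SYS start-up (trust a non-zero signature, otherwise compute a checksum), modelled as portable user-mode C. This is an added example, not code from either poster or from DISK.SYS. Assumptions: the NT disk signature is taken from bytes 0x1B8..0x1BB of the MBR and the boot signature 0x55AA from 0x1FE (standard MBR layout, not stated in the thread); `struct write_req` is a stand-in for the write IRP's ByteOffset/Length/buffer and is not a kernel type; `mbr_checksum` is a plain sum of the 128 little-endian dwords, a placeholder because the thread says NT computes a checksum but not how; `make_mbr` builds a constructed 512-byte image for the demonstration. The filter check generalises Kirby's "offset of 0" to any write overlapping the first 512 bytes, and flags a write that starts at 0 but is too short to carry the signature field instead of reading past its buffer.

```c
/* Added example (not from the thread or DISK.SYS): recognising MBR
 * updates in a disk write filter and deriving the disk identity the
 * way the thread describes NT doing it at start-up. Portable user-mode C. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE           512
#define MBR_SIG_OFFSET     0x1B8  /* 4-byte NT disk signature, little-endian */
#define MBR_BOOTSIG_OFFSET 0x1FE  /* 0x55 0xAA */

/* Stand-in for the write IRP's Parameters.Write fields (assumption). */
struct write_req {
    uint64_t       byte_offset;
    uint32_t       length;
    const uint8_t *buffer;
};

enum mbr_write_kind {
    MBR_WRITE_NONE = 0,   /* does not touch sector 0 */
    MBR_WRITE_PARTIAL,    /* touches sector 0 but cannot carry a whole MBR */
    MBR_WRITE_SAME_SIG,   /* full MBR rewrite, signature unchanged */
    MBR_WRITE_NEW_SIG     /* full MBR rewrite, signature changed */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Kirby's rule, generalised: any write whose range overlaps the first
 * sector is an MBR update. Sector I/O is 512-aligned, so in practice this
 * is exactly "ByteOffset == 0 with a non-zero length". */
int touches_mbr(const struct write_req *r)
{
    return r->length > 0 && r->byte_offset < MBR_SIZE;
}

int mbr_has_boot_signature(const uint8_t *mbr)
{
    return mbr[MBR_BOOTSIG_OFFSET] == 0x55 && mbr[MBR_BOOTSIG_OFFSET + 1] == 0xAA;
}

uint32_t mbr_signature(const uint8_t *mbr)
{
    return rd32le(mbr + MBR_SIG_OFFSET);
}

/* ASSUMPTION: the thread says NT computes a checksum when the signature is
 * zero but not which one; this 32-bit sum of the 128 dwords is a stand-in. */
uint32_t mbr_checksum(const uint8_t *mbr)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < MBR_SIZE; i += 4)
        sum += rd32le(mbr + i);
    return sum;
}

/* Chappell's description of DISK.SYS: non-zero signature is trusted,
 * a zero signature falls back to the checksum. */
uint32_t disk_identity(const uint8_t *mbr, int *used_checksum)
{
    uint32_t sig = mbr_signature(mbr);
    if (used_checksum) *used_checksum = (sig == 0);
    return sig != 0 ? sig : mbr_checksum(mbr);
}

/* What a filter would do with a write it has intercepted: decide whether
 * it rewrites the MBR and whether the signature the OS keys on changes. */
enum mbr_write_kind classify_write(const uint8_t *current_mbr,
                                   const struct write_req *r)
{
    if (!touches_mbr(r))
        return MBR_WRITE_NONE;
    /* Only a write that starts at 0 and spans the whole sector can be
     * parsed as an MBR; anything else is flagged without reading it. */
    if (r->byte_offset != 0 || r->length < MBR_SIZE)
        return MBR_WRITE_PARTIAL;
    return mbr_signature(r->buffer) == mbr_signature(current_mbr)
               ? MBR_WRITE_SAME_SIG : MBR_WRITE_NEW_SIG;
}

/* Constructed sample image: zeroed sector with the given signature and
 * the 0x55AA boot signature. Not a real disk's MBR. */
void make_mbr(uint8_t *out, uint32_t sig)
{
    memset(out, 0, MBR_SIZE);
    wr32le(out + MBR_SIG_OFFSET, sig);
    out[MBR_BOOTSIG_OFFSET] = 0x55;
    out[MBR_BOOTSIG_OFFSET + 1] = 0xAA;
}

/* Scenario helpers over constructed images. */
uint32_t scenario_identity(uint32_t sig, int *used_checksum)
{
    uint8_t mbr[MBR_SIZE];
    make_mbr(mbr, sig);
    return disk_identity(mbr, used_checksum);
}

enum mbr_write_kind scenario_write(uint32_t cur_sig, uint32_t new_sig,
                                   uint64_t off, uint32_t len)
{
    uint8_t cur[MBR_SIZE], buf[MBR_SIZE];
    make_mbr(cur, cur_sig);
    make_mbr(buf, new_sig);
    struct write_req r = { off, len, buf };
    return classify_write(cur, &r);
}

int main(void)
{
    int used = 0;
    printf("identity (sig set):  0x%08X used_checksum=%d\n",
           scenario_identity(0xDEADBEEFu, &used), used);
    printf("identity (sig zero): 0x%08X used_checksum=%d\n",
           scenario_identity(0, &used), used);
    printf("write @0 len 512, new sig: kind=%d\n",
           (int)scenario_write(0x11111111u, 0x22222222u, 0, 512));
    printf("write @512 len 512:        kind=%d\n",
           (int)scenario_write(0x11111111u, 0x22222222u, 512, 512));
    return 0;
}
```

In a real upper filter the same decision would be taken in the IRP_MJ_WRITE dispatch routine with the offset and length from the I/O stack location, and the signature comparison against the value DISK.SYS recorded at start-up; the point of `MBR_WRITE_PARTIAL` is that a filter must not parse fields out of a buffer shorter than the offsets it reads.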