Path: news.mitre.org!blanket.mitre.org!philabs!newsjunkie.ans.net!newsfeeds.ans.net!portc02.blue.aol.com!howland.erols.net!usc!newshub.cts.com!relief.cts.com!not-for-mail
From: "Jamey Kirby"
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode
Subject: Re: Signaure/Checksum on boot record.
Date: Sat, 27 Dec 1997 07:18:15 -0800
Organization: Magnuson, Kirby & Associates, LLC.
Lines: 53
Message-ID: <883236784.399687@wagasa.cts.com>
References: <34A1369E.5B1A@ibm.net> <680c38$q6h$1@reader1.reader.news.ozemail.net>
NNTP-Posting-Host: wagasa.cts.com
X-Newsreader: Microsoft Outlook Express 4.71.1712.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.1712.0
Cache-Post-Path: wagasa.cts.com!unknown@putccb1241057.cts.com

To take it a step further, the I/O to update the MBR is done via
IRP_MJ_WRITE. IoReadPartitionTable() and IoWritePartitionTable() take a
pointer to the physical disk device, which should be the device being sent
the request. This causes a re-entrant I/O request into the disk driver.
Watching for IRP_MJ_WRITE to the physical device with an offset of 0 is how
one would filter MBR update requests.

--
Jamey Kirby
Senior Partner
Magnuson, Kirby & Associates, LLC.
jkirby@gloryroad.net
http://www.mkallc.com

Geoff Chappell wrote in message <680c38$q6h$1@reader1.reader.news.ozemail.net>...
>TomerG wrote in article <34A1369E.5B1A@ibm.net>...
>> What device is responsible for the update of the Signature/Checksum
>>
>> when NT is shutting down?
>
>It doesn't happen quite that way. Anyone can write an MBR signature by
>sending IOCTL_DISK_SET_DRIVE_LAYOUT to a device object for the relevant
>disk (e.g. \\.\physicaldrive0 from an application). Similarly, anyone can
>check for the presence of an MBR signature by using
>IOCTL_DISK_GET_DRIVE_LAYOUT. The typical way that all this gets done is
>that users run the Disk Administrator.
>
>In standard configurations, IOCTL codes for drive layout are handled by
>the DISK.SYS driver, which in turn uses the IoReadPartitionTable and
>IoWritePartitionTable functions. The default implementations for these are
>in the NTOSKRNL.
>
>When NT starts up (as opposed to shutting down), the MBR is examined for
>the signature. Also, a checksum is calculated. This is done using whatever
>method of disk access applies before the relevant boot drivers are loaded
>- so for multi devices, this means int 13h. The results are recorded in a
>registry key so that when boot drivers initialise, they can match their
>devices (accessed using the methods that will apply for the rest of the NT
>session) to the ones that were accessible before NT.
>
>The NT DDK provides the source code to DISK.SYS, so you can see how this
>happens in practice. DISK.SYS makes a call to IoReadPartitionTable. If the
>result shows a non-zero signature, the signature is trusted. If the result
>shows a zero signature, a checksum is calculated.
>
>--
>Geoff Chappell
>Software Analyst
>
>For email address change host to ozemail.com.au
>Web site in directory ~geoffch at www.ozemail.com.au
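The MBR fields the thread refers to (the 4-byte NT disk signature whose zero/non-zero value decides whether NT trusts it or computes a checksum, and the partition table) plus the "write IRP at offset 0" filter test Jamey describes, as an added user-mode C example that is not code from either poster; the byte offsets 0x1B8 and 0x1BE and the 0x55AA trailer are the standard MBR layout and are not stated in the thread, and the sample sector is constructed.

```c
#include <stdint.h>
#include <string.h>

#define MBR_SECTOR_SIZE   512
#define MBR_DISK_SIG_OFF  0x1B8   /* 4-byte NT disk signature, little-endian */
#define MBR_PART_TBL_OFF  0x1BE   /* four 16-byte partition entries */

struct mbr_info {
    uint32_t disk_signature;   /* zero => NT computes a checksum instead */
    int      used_partitions;  /* entries whose type byte is non-zero */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a raw sector 0. Returns 0 on success, -1 if the 0x55AA
 * boot-record trailer is missing (no valid MBR to trust at all). */
int parse_mbr(const uint8_t *sector, struct mbr_info *out) {
    memset(out, 0, sizeof *out);
    if (sector[510] != 0x55 || sector[511] != 0xAA)
        return -1;
    out->disk_signature = rd_le32(sector + MBR_DISK_SIG_OFF);
    for (int i = 0; i < 4; i++)
        if (sector[MBR_PART_TBL_OFF + i * 16 + 4] != 0)  /* type byte */
            out->used_partitions++;
    return 0;
}

/* The filter test from the post, in user-mode form: would a write IRP with
 * this ByteOffset/Length to the physical disk device overwrite sector 0?
 * The post checks offset 0 exactly; the range form also flags a request
 * that starts at a non-zero offset inside the MBR sector. */
int write_touches_mbr(uint64_t byte_offset, uint32_t length) {
    return length > 0 && byte_offset < MBR_SECTOR_SIZE;
}

/* Build a constructed sample MBR (not captured from a real disk) carrying
 * the given disk signature and one NTFS-type partition entry, then parse it. */
int parse_sample_mbr(uint32_t sig, struct mbr_info *out) {
    uint8_t sector[MBR_SECTOR_SIZE];
    memset(sector, 0, sizeof sector);
    for (int i = 0; i < 4; i++)
        sector[MBR_DISK_SIG_OFF + i] = (uint8_t)(sig >> (8 * i));
    sector[MBR_PART_TBL_OFF + 4] = 0x07;   /* partition type: NTFS/IFS */
    sector[510] = 0x55;
    sector[511] = 0xAA;
    return parse_mbr(sector, out);
}
```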