NTFS Driver.asm

This file defines the NTFS driver of PwnOS.

Authors

  • Neil G. Dickson

Summary
Functions
OpenFileNTFS - This procedure opens a file from an NTFS partition.
ReadFileNTFS - This procedure reads data from an open file on an NTFS partition.
SearchNTFSDirectory - This procedure finds a file (or directory) in an NTFS directory.
GetNTFSFileRecord - This procedure reads in the NTFS file record of the file with the specified file record number.
ReadVirtualClusters - This procedure reads the specified range of virtual clusters of any non-resident attribute.
VirtualClusNumToSector - This procedure determines the starting sector number of the specified virtual cluster of any non-resident attribute.
LogicalClusNumToSector - This procedure determines the starting sector number of the specified logical cluster.

Functions

OpenFileNTFS

This procedure opens a file from an NTFS partition.  It should only be called from OpenFile.

TODO: Add handling for Access value and Creation value.

Parameters

pPartition - address of <PARTITIONINFO_NTFS> structure for the NTFS partition
pName - address of Unicode filename with no preceding protocol
pDirectory - address of FILE structure for the directory to which the filename is relative, or NULL if absolute
Access - access options
Creation - creation options
Flags - miscellaneous

Local Variables

pHeap - address of the heap on which to allocate memory
MFTRecordNum - NTFSMFTREF to keep track of the MFT record number of the file found

Returns

  • address of the FILE structure or NULL if the file doesn’t exist or couldn’t be opened

ReadFileNTFS

This procedure reads data from an open file on an NTFS partition.

Parameters

pFile - address of <FILE_NTFS> structure
pDestination - address to which the data is to be read
nBytes - number of bytes to read

Local Variables

nBytesPerCluster - size of a cluster in bytes
nBytesInCache - size of the file’s cache in bytes

Returns

  • number of bytes read from the file

SearchNTFSDirectory

This procedure finds a file (or directory) in an NTFS directory.  It should only be called from OpenFileNTFS.

Parameters

pPartition - address of <PARTITIONINFO_NTFS> structure for the NTFS partition
pName - address of Unicode filename; if it points into the middle of a path, the function treats “\”, “/”, or 0 as the end of the name
pDirFileHeader - address of <NTFSFILEHEADER> structure for the directory to search
pIndexScratch - address of I/O scratch memory (must be at least cluster size)

Local Variables

pIndexRoot - address of index root attribute structure
pIndexAlloc - address of index allocation attribute structure

Returns

edx:eax - the NTFSMFTREF (eax is low, edx is high), including sequence number, or 0 if file not found

GetNTFSFileRecord

This procedure reads in the NTFS file record of the file with the specified file record number.

Parameters

pDest - address to which the file record is to be written
pPartition - address of <PARTITIONINFO_NTFS> structure for the NTFS partition
FileRecNumLow - low dword of file record number
FileRecNumHigh - high dword of file record number

Local Variables

nClusLeft - number of clusters left (if file record is 1 cluster or larger)

ReadVirtualClusters

This procedure reads the specified range of virtual clusters of any non-resident attribute.

Parameters

pPartition - address of <PARTITIONINFO_NTFS> structure for the NTFS partition
VCNLow - low dword of virtual cluster number
VCNHigh - high dword of virtual cluster number
pAttribute - address of the <NTFSATTRIBHEADER_NRES> structure for the attribute
pDestination - address to which the data is to be read
nClusters - number of clusters to read

VirtualClusNumToSector

This procedure determines the starting sector number of the specified virtual cluster of any non-resident attribute.

FIXME: Add support for offset larger than 4 bytes (>= 2^31 or < -2^31 clusters)

FIXME: Add support for run length larger than 4 bytes (>= 2^31 or < -2^31 clusters)

FIXME: Add support for VCN >= 2^32

Parameters

pPartition - address of <PARTITIONINFO_NTFS> structure for the NTFS partition
VCNLow - low dword of virtual cluster number
VCNHigh - high dword of virtual cluster number
pAttribute - address of the <NTFSATTRIBHEADER_NRES> structure for the attribute

Returns

ecx:edx - the sector number (edx is low, ecx is high), or 0 if sparse cluster run, or -1 if past end of runs
eax - the number of subsequent clusters in the run
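
The mapping this procedure describes, as an added C example that is not PwnOS code: it walks an NTFS run list with 64-bit lengths and offsets, returns 0 for a sparse run and -1 past the end of the runs, and rejects truncated or out-of-partition runs, since the run list is read from disk. The function and constant names, the parameters, the partition-relative sector result, and the reading of "subsequent clusters" as the clusters left in the run counted from the requested VCN are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#define SECTOR_SPARSE   UINT64_C(0)   /* "0 if sparse cluster run" */
#define SECTOR_PAST_END UINT64_MAX    /* "-1 if past end of runs" */

/* Constructed sample: 24 clusters at LCN 22068, 4 sparse, 8 at LCN 22052. */
const uint8_t SAMPLE_RUNS[] = {0x21,0x18,0x34,0x56, 0x01,0x04, 0x11,0x08,0xF0, 0x00};

/* Read an n-byte (0..8) little-endian field, optionally sign-extended. */
static uint64_t read_le(const uint8_t *p, unsigned n, int sign_extend)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (sign_extend && n > 0 && n < 8 && (p[n - 1] & 0x80))
        v |= ~UINT64_C(0) << (8 * n);
    return v;
}

/* Walk the run list runs[0..len) and map vcn to a partition-relative sector.
 * total_clusters and sectors_per_cluster are hypothetical stand-ins for
 * partition fields; their product is assumed to fit in 64 bits.
 * *run_left receives the clusters left in the run, counted from vcn. */
uint64_t vcn_to_sector(const uint8_t *runs, size_t len, uint64_t vcn,
                       uint64_t total_clusters, uint32_t sectors_per_cluster,
                       uint64_t *run_left)
{
    uint64_t cur_vcn = 0, lcn = 0;
    size_t pos = 0;
    *run_left = 0;
    while (pos < len && runs[pos] != 0) {      /* a 0x00 header ends the list */
        unsigned len_sz = runs[pos] & 0x0F, off_sz = runs[pos] >> 4;
        if (len_sz == 0 || len_sz > 8 || off_sz > 8 ||
            len - pos - 1 < (size_t)(len_sz + off_sz))
            return SECTOR_PAST_END;            /* malformed or truncated run */
        uint64_t count = read_le(runs + pos + 1, len_sz, 0);
        lcn += read_le(runs + pos + 1 + len_sz, off_sz, 1); /* signed delta, mod 2^64 */
        pos += 1 + len_sz + off_sz;
        if (count == 0 || count > UINT64_MAX - cur_vcn)
            return SECTOR_PAST_END;            /* empty run or VCN overflow */
        if (off_sz != 0 && (lcn >= total_clusters || count > total_clusters - lcn))
            return SECTOR_PAST_END;            /* run lies outside the partition */
        if (vcn - cur_vcn < count) {           /* vcn >= cur_vcn always holds here */
            *run_left = count - (vcn - cur_vcn);
            if (off_sz == 0) return SECTOR_SPARSE;
            return (lcn + (vcn - cur_vcn)) * sectors_per_cluster;
        }
        cur_vcn += count;
    }
    return SECTOR_PAST_END;
}
```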

LogicalClusNumToSector

This procedure determines the starting sector number of the specified logical cluster.

Parameters

pPartition - address of <PARTITIONINFO_NTFS> structure for the NTFS partition
LCNLow - low dword of logical cluster number
LCNHigh - high dword of logical cluster number

Returns

ecx:edx - the sector number (edx is low, ecx is high)
eax - the given value of pPartition (this is only returned for convenience of the calling function)