Environment: Windows 95/98/ME/NT/2000/XP
In this article I concentrate on the FAT file system. All of its variations are covered, as shown below:
- FAT -- the 12-bit and 16-bit file systems
- VFAT -- the FAT with long file names
- FAT32 -- the latest variant of the file system, supported from Win95 OSR 2 through Windows XP. NT 4 does not support FAT32; however, with the utility provided in this article it is possible to read even FAT32 partitions under NT.
Int 13h Extensions
The utility was developed with Visual C++ 6 and the DDK. It also uses programs such as THUNK.EXE from the Platform SDK to compile the thunk script. The thunk DLLs can be used unchanged in any program. There is also a device driver that reads CMOS memory to determine the number of floppy disks in the system. I used BC++ 3.1 to compile the 16-bit thunk DLL. The main project uses MFC and was compiled with VC++ 6.
BootInd at the top of the entry should be 0x80 to denote the active partition and 0 for all other partitions. SysInd has the following values and meanings:
| Constant | Value | Meaning |
|---|---|---|
| PART_UNKNOWN | 0x00 | Unknown |
| PART_DOS2_FAT | 0x01 | 12-bit FAT |
| PART_DOS3_FAT | 0x04 | 16-bit FAT. Partition smaller than 32MB |
| PART_EXTENDED | 0x05 | Extended MS-DOS partition |
| PART_DOS4_FAT | 0x06 | 16-bit FAT. Partition larger than or equal to 32MB |
| PART_DOS32 | 0x0B | 32-bit FAT. Partition up to 2047GB |
| PART_DOS32X | 0x0C | Same as PART_DOS32 (0Bh), but uses Logical Block Address Int 13h extensions |
| PART_DOSX13 | 0x0E | Same as PART_DOS4_FAT (06h), but uses Logical Block Address Int 13h extensions |
| PART_DOSX13X | 0x0F | Same as PART_EXTENDED (05h), but uses Logical Block Address Int 13h extensions |
NTFS currently has the value 7, but I am not dealing with it in this article.
Head, Sector, and Cylinder hold the start of the partition. Note that these are byte values; hence for disks larger than 8 gigabytes they cannot be trusted, and only RelativeSector gives the right location. The Last values give the end of the partition. NumberSectors is the number of sectors in the partition described by this entry. To allow many drives within a partition, the scheme was extended as follows: an entry points to an extended partition table that has the same structure, and these tables are chained like a linked list. There must be one primary partition and an extended partition that contains a drive plus a pointer to another (extended) partition table.
This continues until there are no more extended partitions. The code that deciphers this setup is given in the source. Full, working MFC-based source code for EditDisk is provided online; you can download it from the Windows Developer Magazine Web site. The partition table sector is loaded into memory using the thunk DLLs on Windows 95/98/Me and with CreateFile on Windows NT/2000/XP. Note that under NT the disk is read with ReadFile as if it were a file. The sector is then checked for the various partition types and displayed accordingly. Next, the packet pointing to the child items is prepared and initialized. The other items of the expansion are handled similarly.
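The following is an added example, not the EditDisk source, showing how to decode the 16-byte partition entries and follow the extended-partition chain described above over an in-memory disk image; it also rejects a link that points outside the image and a chain that loops, since a disk read from raw sectors cannot be assumed well-formed. The 64-entry chain cap, the sample image and the `Part` structure are assumptions of this example.

```c
/* Added example, not the article's code: parse MBR/EBR entries (SysInd at byte 4,
 * RelativeSector at 8, NumberSectors at 12) and follow the extended-partition chain. */
#include <stdint.h>
#include <string.h>
#define SECTOR 512
#define PART_EXTENDED 0x05
#define PART_DOSX13X  0x0F
typedef struct { uint8_t sysind; uint32_t start, count; } Part;
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
/* Returns the number of data partitions found, or -1 if the table is malformed. */
int walk_partitions(const uint8_t *img, uint32_t nsect, Part *out, int max) {
    uint32_t lba = 0, ext_base = 0, next;
    int n = 0;
    for (int depth = 0; depth < 64; depth++) {            /* 64: hypothetical cap on EBR chain length */
        if (lba >= nsect) return -1;                      /* link points outside the disk */
        const uint8_t *s = img + (size_t)lba * SECTOR;
        if (s[510] != 0x55 || s[511] != 0xAA) return -1;  /* missing boot signature */
        next = 0;
        for (int i = 0; i < 4; i++) {
            const uint8_t *e = s + 0x1BE + i * 16;        /* 16-byte entry */
            uint32_t rel = le32(e + 8), cnt = le32(e + 12);
            if (e[4] == 0) continue;
            if (e[4] == PART_EXTENDED || e[4] == PART_DOSX13X) {
                if (lba == 0) ext_base = rel;             /* MBR link is absolute... */
                next = lba == 0 ? rel : ext_base + rel;   /* ...an EBR link is relative to the extended base */
            } else {
                uint32_t start = lba + rel;               /* data entry: relative to the sector holding it */
                if (start >= nsect || cnt > nsect - start || n >= max) return -1;
                out[n].sysind = e[4]; out[n].start = start; out[n++].count = cnt;
            }
        }
        if (next == 0) return n;                          /* end of chain */
        lba = next;
    }
    return -1;                                            /* chain loops or is too long */
}
static void put_entry(uint8_t *sec, int i, uint8_t type, uint32_t rel, uint32_t cnt) {
    uint8_t *e = sec + 0x1BE + i * 16; e[4] = type;
    for (int k = 0; k < 4; k++) { e[8 + k] = (uint8_t)(rel >> 8 * k); e[12 + k] = (uint8_t)(cnt >> 8 * k); }
    sec[510] = 0x55; sec[511] = 0xAA;
}
/* Constructed 8-sector image: one primary FAT16 plus an extended partition with two logical drives. */
uint32_t build_sample(uint8_t *img) {
    memset(img, 0, 8 * SECTOR);
    put_entry(img, 0, 0x06, 1, 2);                        /* primary: LBA 1-2 */
    put_entry(img, 1, PART_EXTENDED, 3, 5);               /* extended base at LBA 3 */
    put_entry(img + 3 * SECTOR, 0, 0x0B, 1, 1);           /* logical drive at LBA 4 */
    put_entry(img + 3 * SECTOR, 1, PART_EXTENDED, 2, 3);  /* next EBR at 3 + 2 = 5 */
    put_entry(img + 5 * SECTOR, 0, 0x01, 1, 2);           /* logical drive at LBA 6-7 */
    return 8;                                             /* sector count of the image */
}
```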