
I'm experiencing some issues while reading raw data from an NTFS volume. I've opened my C: drive using the UNC path (`\\.\C:`) with CreateFile in order to read raw data from it.

As I read the first sector, I discovered that I'm reading the MBR sector. As far as I know, there is a distinction between Volumes (in this case, my C drive), and physical drives (which are represented as \\.\PhysicalDriveX).

The difference is that the MBR is located only in the first sector of the physical drive, while the Volume represents a logical drive (one partition or more within the same hard drive), so reading the first sector of it shouldn't, theoretically, be the MBR (because the actual partition starts only after the partition table of the MBR).

What is more peculiar to me is that while I'm expecting to get the MBR when reading the first sector of `\\.\PhysicalDrive0` (which is my physical HDD), I get only NULLs.

According to Wikipedia:

"A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices like fixed disks or removable drives."

Although I think it is pretty clear, I'm attaching the relevant code:

// Open the volume (not the physical disk) for raw reads. tNtfsVolumeContext,
// tBootSector, NTFS_SECTOR_SIZE and dwBytesRead are declared elsewhere in the
// poster's program (not shown).
tNtfsVolumeContext.hVolume = CreateFile(_T("\\\\.\\C:"), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_READONLY, NULL);
if (INVALID_HANDLE_VALUE == tNtfsVolumeContext.hVolume)
{
    return -1;
}

// Raw device reads must be a whole number of sectors at a sector-aligned offset.
// This first read returns sector 0 of the volume, i.e. its boot sector (VBR).
if ((!ReadFile(tNtfsVolumeContext.hVolume, &tBootSector, NTFS_SECTOR_SIZE, &dwBytesRead, NULL)) || (dwBytesRead != NTFS_SECTOR_SIZE))
{
    CloseHandle(tNtfsVolumeContext.hVolume);   // don't leak the handle on the error path
    return -2;
}

To sum things up, my question is: is there a good explanation why reading a sector from a volume results in reading the MBR, while reading from a physical drive yields nothing?

Thanks in advance.

CodeNinja
  • Are you sure it's not the [VBR](http://www.wikiwand.com/en/Volume_boot_record) you're seeing instead? – Jonathan Potter Feb 15 '15 at 21:38
  • Pretty sure; a screenshot of the sector is attached: http://i.imgur.com/5dKpb8p.jpg. Can you confirm? – CodeNinja Feb 15 '15 at 21:44
  • The sector has an initial NTFS signature and also the final {0x55, 0xAA} signature. If you read the [MBR](https://en.wikipedia.org/wiki/Master_boot_record) / [GPT](https://en.wikipedia.org/wiki/GUID_Partition_Table) from the physical drive, the corresponding partition entry should contain the partition's type (e.g. 7 or BDP GUID) and 32-bit or 64-bit LBA. – Eryk Sun Feb 15 '15 at 22:44
  • Sorry, I can't manage to understand you; can you explain? Is this the MBR? – CodeNinja Feb 15 '15 at 23:08
  • Why would `\\.\C:` have the MBR? It's a volume, not a boot record with a partition table. Read `\\.\PhysicalDrive0` for the MBR/GPT. – Eryk Sun Feb 15 '15 at 23:31
  • @eryksun: that's why he's asking! – Harry Johnston Feb 16 '15 at 03:14
  • Looking at the screenshot, it's pretty clear that that's a VBR. The MBR wouldn't mention BOOTMGR. – Harry Johnston Feb 16 '15 at 03:17
  • Not sure why the MBR would be empty, perhaps you're booting from a different drive? Or it could be a code issue - if you post a complete program demonstrating the problem, I can test it on my machine. – Harry Johnston Feb 16 '15 at 03:19
  • Check `wmic path Win32_LogicalDisktoPartition` to find the physical disk for the `C:` drive. – Eryk Sun Feb 16 '15 at 04:12
  • @HarryJohnston, you are probably right, I am probably looking at the VBR. Anyway, I ran the WMI command `wmic diskdrive list brief` and confirmed my physical device name, which is `\\.\PHYSICALDRIVE0`. I took the output and read a sector from that device. I got only 0s except for the end of the sector (where is the bootstrap code area? The partition table?). A screenshot is attached: http://i.imgur.com/FP0Dy2M.png. I do not boot from an external device, so I find it pretty confusing. Is it possible not to have bootstrap code? – CodeNinja Feb 16 '15 at 07:22
  • That's the protective MBR of a [GUID Partition Table (GPT)](https://en.wikipedia.org/wiki/GUID_Partition_Table). The 32-bit disk ID is at index 440. Intentionally it only defines a single partition, starting at index 446. The starting CHS is sector 2. Next is the partition type, 0xEE. The final CHS address is 1023(C), 255(H), 63(S). The total partition size is recorded as the maximum MBR size, 0xFFFFFFFF sectors. The sector ends with the signature {0x55,0xAA}. – Eryk Sun Feb 16 '15 at 09:52
  • @eryksun, thank you very much for making that clear. You can post your answer if you like so I can accept it. Harry Johnston, thank you very much for clarifying the VBR mistake to me. – CodeNinja Feb 16 '15 at 20:32
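As an added example that is not part of the original question or its comments: a small C program that tells apart the sectors discussed in this thread (a classic MBR, the GPT protective MBR Eryk Sun decodes above, and the NTFS VBR Harry Johnston identifies from the `NTFS` OEM ID and the trailing `55 AA`) and decodes the MBR partition table. The function names (`classify_sector`, `mbr_entry`, `sample_sector`), the sample sectors and the disk ID value 0x12345678 are my own constructions, not data from the poster's screenshots.

```c
/* Added example, not code from the original thread: classify a raw 512-byte
 * sector as a classic MBR, a GPT protective MBR or an NTFS VBR, and decode
 * the MBR partition table. Sample sectors are constructed inline. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
enum sector_kind { SK_UNKNOWN, SK_MBR, SK_PROTECTIVE_MBR, SK_NTFS_VBR };

struct part_entry {
    uint8_t  boot_flag;  /* 0x80 = active */
    uint8_t  type;       /* 0x07 = NTFS/IFS, 0xEE = GPT protective */
    uint32_t start_lba;  /* first sector of the partition */
    uint32_t sectors;    /* length in sectors */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 32-bit disk signature at offset 440 of an MBR. */
uint32_t mbr_disk_id(const uint8_t *sec) { return le32(sec + 440); }

/* Entry i (0..3) of the 4 x 16-byte partition table at offset 446. */
struct part_entry mbr_entry(const uint8_t *sec, int i)
{
    const uint8_t *e = sec + 446 + 16 * i;
    struct part_entry pe;
    pe.boot_flag = e[0];
    pe.type      = e[4];        /* CHS fields at e[1..3] and e[5..7] are ignored */
    pe.start_lba = le32(e + 8);
    pe.sectors   = le32(e + 12);
    return pe;
}

enum sector_kind classify_sector(const uint8_t *sec)
{
    int i, others_empty = 1;
    struct part_entry e0;
    if (sec[510] != 0x55 || sec[511] != 0xAA)  /* MBR and VBR both end in 55 AA */
        return SK_UNKNOWN;
    if (memcmp(sec + 3, "NTFS    ", 8) == 0)    /* OEM ID right after the JMP */
        return SK_NTFS_VBR;
    e0 = mbr_entry(sec, 0);
    for (i = 1; i < 4; i++)
        if (mbr_entry(sec, i).type != 0) others_empty = 0;
    /* Protective MBR: a single 0xEE entry starting at LBA 1, where the GPT header lives. */
    if (e0.type == 0xEE && e0.start_lba == 1 && others_empty)
        return SK_PROTECTIVE_MBR;
    return SK_MBR;
}

/* Constructed sample: the protective MBR the comments describe. All zero except
 * the disk ID (a made-up value), one 0xEE entry and the trailing signature. */
void build_protective_mbr(uint8_t *sec)
{
    uint8_t *e = sec + 446;
    memset(sec, 0, SECTOR_SIZE);
    sec[440] = 0x78; sec[441] = 0x56; sec[442] = 0x34; sec[443] = 0x12;  /* 0x12345678 */
    e[2] = 0x02;                            /* start CHS 0/0/2 */
    e[4] = 0xEE;                            /* GPT protective type */
    e[5] = e[6] = e[7] = 0xFF;              /* end CHS 1023/255/63 */
    e[8] = 0x01;                            /* start LBA 1 */
    e[12] = e[13] = e[14] = e[15] = 0xFF;   /* 0xFFFFFFFF sectors */
    sec[510] = 0x55; sec[511] = 0xAA;
}

/* Constructed sample: the start of an NTFS VBR (JMP, OEM ID, 512 bytes/sector). */
void build_ntfs_vbr(uint8_t *sec)
{
    memset(sec, 0, SECTOR_SIZE);
    sec[0] = 0xEB; sec[1] = 0x52; sec[2] = 0x90;
    memcpy(sec + 3, "NTFS    ", 8);
    sec[11] = 0x00; sec[12] = 0x02;
    sec[510] = 0x55; sec[511] = 0xAA;
}

/* Sample 0 = protective MBR, sample 1 = NTFS VBR, returned in a static buffer. */
const uint8_t *sample_sector(int which)
{
    static uint8_t buf[SECTOR_SIZE];
    if (which == 0) build_protective_mbr(buf); else build_ntfs_vbr(buf);
    return buf;
}

int main(void)
{
    static const char *names[] = { "unknown", "MBR", "protective MBR (GPT)", "NTFS VBR" };
    const uint8_t *s = sample_sector(0);
    struct part_entry e = mbr_entry(s, 0);
    printf("sample 0: %s, disk id 0x%08X, type 0x%02X, start LBA %u, 0x%08X sectors\n",
           names[classify_sector(s)], mbr_disk_id(s), e.type, e.start_lba, e.sectors);
    printf("sample 1: %s\n", names[classify_sector(sample_sector(1))]);
    return 0;
}
```

On a real machine the 512 bytes returned by the poster's ReadFile call can be passed straight to `classify_sector`: the buffer read from `\\.\C:` classifies as the NTFS VBR, and the one from `\\.\PhysicalDrive0` as the protective MBR on a GPT disk (or a classic MBR, whose entries `mbr_entry` then decodes into type, start LBA and length).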

0 Answers