On Sat, 25 Feb 2006, Gerold J. Wucherpfennig wrote:
Can anybody help me to code a little driver for a virtual hard disk drive for examination of undocumented NTFS filesystem structures, i.e. the $LOGFILE (NTFS journaling)? The data should be written to e.g. C:\image.bin, file size e.g. 50MB, which would correspond to a drive e.g. Z: with a drive size of 50MB. After every write the driver should be paused so that C:\image.bin can be examined to work out the undocumented structure of the file $LOGFILE.
Can anybody help me? I'm a little confused by the windows DDK documentation and tutorials found on the internet. I've already downloaded the windows DDK.
Please CC me and excuse me for crossposting. Regards,
Go to: http://www.acc.umu.se/~bosse/
It will answer all your questions and more. In particular you will probably want a copy of the ntifs.h header file there as well as a copy of the FileDisk driver source code (source + binary are in the zip file), which is what you want to write... Instead of pausing you may want to just modify the driver to keep a change log of what it is writing where, or to even just create a whole copy of the image every time a write occurs, or whatever...
Have fun!
Note three things:
1) You will want to disable write caching on the "disk" from Windows (can't remember where it is exactly, but it is something like "optimize for quick removal" or some similar name).
2) Note that you will not actually see small modifications to $LogFile because they are all done in memory, and only when (one or more?) complete log record pages are done do they get given to the NT cache manager, which flushes them to disk. So you are likely to only see 4k or larger writes at a time, so you will never be able to see the actual fine granularity that you really need to see to figure out the $LogFile internals properly.
3) Look at the current ntfs kernel driver (2.6 kernels) or at ntfsprogs/libntfs: the header file fs/ntfs/logfile.h (kernel) or include/ntfs/logfile.h (ntfsprogs/libntfs) has the restart page definitions, and fs/ntfs/logfile.c (kernel) or libntfs/(somewhere).c has the logfile parsing functions. They are pretty advanced in that they properly parse and sanity check the restart areas of a $LogFile and analyse whether the volume has been shut down cleanly or not. The only case they cannot tell is when the volume looks like it is dirty but, if you were able to actually parse all the log record pages, you would find it to be clean after all (e.g. there was no activity on the system when the power failed, so the system was idle and there was no disk activity, hence no non-checkpointed transactions are present), but we can't tell that because we do not understand the log record pages.
Oh, also there is a book with a high level overview of how logging in Windows/ntfs works. It is "Inside Windows 2000, 3rd Ed" (or "Inside Windows NT, 2nd Ed") [ there may now be a more recent edition, don't know ]; this is from Microsoft Press and the authors are David Solomon (only author on the 2nd Ed) and Mark Russinovich. See http://www.amazon.co.uk/exec/obidos/ASIN/0735610215
Best regards,
Anton
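Added example, not part of the thread and not the kernel's or libntfs's own code: a small Python parser for the $LogFile restart page, written after the restart page / restart area definitions in fs/ntfs/logfile.h and the checks in fs/ntfs/logfile.c that Anton's point 3 refers to. It first undoes the multi-sector transfer protection (the update sequence array "fixups"), then sanity-checks the RESTART_PAGE_HEADER and RESTART_AREA the same way the kernel does, and applies the ntfs_is_logfile_clean() rule: a closed log (client_in_use_list == LOGFILE_NO_CLIENT) is clean, an open log is clean only if RESTART_VOLUME_IS_CLEAN is set. The restart page it parses is constructed in build_restart_page(), not captured from a real volume; the field values used there (4 KiB pages, client array at 0x40, log record header length 0x30, a 4 MiB log) are assumptions chosen to pass the checks, and the function names are the example's own.

```python
import struct

NTFS_BLOCK_SIZE = 512          # sector size protected by the fixups
LOGFILE_NO_CLIENT = 0xFFFF
RESTART_VOLUME_IS_CLEAN = 0x0002
LOG_CLIENT_RECORD_SIZE = 0xA0  # sizeof(LOG_CLIENT_RECORD)

# RESTART_PAGE_HEADER (30 bytes): magic, usa_ofs, usa_count, chkdsk_lsn,
# system_page_size, log_page_size, restart_area_offset, minor_ver, major_ver
RP_HDR = struct.Struct("<4sHHqIIHhh")
# RESTART_AREA (48 bytes): current_lsn, log_clients, client_free_list,
# client_in_use_list, flags, seq_number_bits, restart_area_length,
# client_array_offset, file_size, last_lsn_data_length,
# log_record_header_length, log_page_data_offset, restart_log_open_count, reserved
RA = struct.Struct("<qHHHHIHHqIHHII")


def apply_fixups(page):
    """Undo multi-sector transfer protection on a copy: the update sequence
    array holds the usn plus the real last two bytes of every sector, which
    on disk are overwritten with the usn so that a torn write is detectable."""
    buf = bytearray(page)
    usa_ofs, usa_count = struct.unpack_from("<HH", buf, 4)
    if usa_count != 1 + len(buf) // NTFS_BLOCK_SIZE:
        raise ValueError("usa_count does not match the page size")
    if usa_ofs < RP_HDR.size or usa_ofs + 2 * usa_count > NTFS_BLOCK_SIZE - 2:
        raise ValueError("update sequence array out of bounds")
    usn = bytes(buf[usa_ofs:usa_ofs + 2])
    for i in range(1, usa_count):
        tail = i * NTFS_BLOCK_SIZE - 2
        if buf[tail:tail + 2] != usn:
            raise ValueError("torn write: sector %d tail != usn" % (i - 1))
        buf[tail:tail + 2] = buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return buf


def parse_restart_page(page):
    """Sanity-check a restart page the way fs/ntfs/logfile.c does and report
    whether it says the volume was dismounted cleanly."""
    buf = apply_fixups(page)
    (magic, usa_ofs, usa_count, _chkdsk_lsn, sys_page, log_page, ra_ofs,
     minor, major) = RP_HDR.unpack_from(buf, 0)
    if magic not in (b"RSTR", b"CHKD"):
        raise ValueError("bad restart page magic %r" % magic)
    if sys_page != len(buf) or any(s < NTFS_BLOCK_SIZE or s & (s - 1)
                                   for s in (sys_page, log_page)):
        raise ValueError("page sizes must be >= 512 and powers of two")
    if ra_ofs & 7 or ra_ofs < usa_ofs + 2 * usa_count or ra_ofs + RA.size > sys_page:
        raise ValueError("restart_area_offset misaligned or out of bounds")
    # file_size (at +24) must lie inside the first sector, else the fixup
    # bytes at offset 510 could have clobbered the fields before it.
    if ra_ofs + 24 > NTFS_BLOCK_SIZE - 2:
        raise ValueError("restart area crosses the first sector tail")
    (lsn, clients, free_list, in_use, flags, seq_bits, ra_len, ca_ofs,
     file_size, _, lrh_len, data_ofs, _, _) = RA.unpack_from(buf, ra_ofs)
    if ca_ofs & 7 or ra_ofs + ca_ofs > NTFS_BLOCK_SIZE - 2:
        raise ValueError("client_array_offset misaligned or out of bounds")
    if ca_ofs + clients * LOG_CLIENT_RECORD_SIZE > ra_len or ra_ofs + ra_len > sys_page:
        raise ValueError("restart_area_length inconsistent with client array")
    if any(i != LOGFILE_NO_CLIENT and i >= clients for i in (free_list, in_use)):
        raise ValueError("client list index >= log_clients")
    if file_size <= 0 or seq_bits != 67 - file_size.bit_length():
        raise ValueError("seq_number_bits inconsistent with file_size")
    if lrh_len & 7 or data_ofs & 7:
        raise ValueError("log record header length/data offset misaligned")
    # ntfs_is_logfile_clean(): a closed log (no client in use) is clean; an
    # open log is clean only if RESTART_VOLUME_IS_CLEAN was set at dismount.
    clean = in_use == LOGFILE_NO_CLIENT or bool(flags & RESTART_VOLUME_IS_CLEAN)
    return {"magic": magic, "version": (major, minor), "current_lsn": lsn,
            "client_in_use_list": in_use, "flags": flags,
            "file_size": file_size, "clean": clean}


def build_restart_page(flags, in_use, lsn=0x1000, page_size=4096, usn=7):
    """Constructed input, not captured from a real volume: a v1.1 restart page
    with one client record, protected the way it would be on disk."""
    usa_count = 1 + page_size // NTFS_BLOCK_SIZE
    usa_ofs = RP_HDR.size                        # usa directly after header
    ra_ofs = (usa_ofs + 2 * usa_count + 7) & ~7  # 0x30 for a 4 KiB page
    ca_ofs, clients, file_size = 0x40, 1, 4 << 20  # assumed layout values
    buf = bytearray(page_size)
    RP_HDR.pack_into(buf, 0, b"RSTR", usa_ofs, usa_count, 0, page_size,
                     page_size, ra_ofs, 1, 1)
    free_list = 0 if in_use == LOGFILE_NO_CLIENT else LOGFILE_NO_CLIENT
    RA.pack_into(buf, ra_ofs, lsn, clients, free_list, in_use, flags,
                 67 - file_size.bit_length(),
                 ca_ofs + clients * LOG_CLIENT_RECORD_SIZE, ca_ofs, file_size,
                 0, 0x30, 0x40, 0x1234, 0)
    struct.pack_into("<H", buf, usa_ofs, usn)
    for i in range(1, usa_count):            # stash each sector tail, stamp usn
        tail = i * NTFS_BLOCK_SIZE - 2
        buf[usa_ofs + 2 * i:usa_ofs + 2 * i + 2] = buf[tail:tail + 2]
        struct.pack_into("<H", buf, tail, usn)
    return bytes(buf)


def logfile_state(page):
    """'clean', 'dirty' or 'corrupt' for one restart page."""
    try:
        return "clean" if parse_restart_page(page)["clean"] else "dirty"
    except ValueError:
        return "corrupt"
```

To use it on a real image, read the first system_page_size bytes of $LogFile (and the second restart page right after it; the kernel picks the one with the higher current_lsn) and pass them to logfile_state(). The three constructed cases, logfile_state(build_restart_page(RESTART_VOLUME_IS_CLEAN, 0)), logfile_state(build_restart_page(0, 0)) and logfile_state(build_restart_page(0, LOGFILE_NO_CLIENT)), give 'clean', 'dirty' and 'clean' respectively (XP clean dismount, open log, Win2k-style closed log); flipping one sector tail of a page gives 'corrupt' because the fixup check catches the torn write before any field is trusted.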