zyustc

常用链接

统计

最新评论

MBR和DBR详细分析

标 题: 【原创】MBR和DBR详细分析
作 者: HSQ
时 间: 2007-08-30,11:14
链 接: http://bbs.pediy.com/showthread.php?t=50714

之所以贴出来,是有些地方不明白,希望能于大家交流分析
我系统2K PRO SP4,C盘采用NTFS,用WinHex提取MBR和DBR,拿IDA分析的.关键在DBR几处不明白.
1.一点预备知识:
 主引导扇区代码(MBR)
代码:
 
;====================================================================================
; 
; MBR( Master Boot Record )主引导记录包含两部分的内容,前446字节为启动代码及数据,而
; 从446(0x1BE)开始则是分区表,分区表由四个分区项组成,每个分区项数据为16字节,记录了
; 启动时需要的分区参数。
;
; 在CPU上电之后,若由硬盘启动,则BIOS将硬盘的主引导记录(位于0柱面、0磁道、1扇区)读
; 入7C00处,然后将控制权交给主引导代码。主引导代码的任务包括:
; (1) 扫描分区表,找到一个激活(可引导)分区;
; (2) 找到激活分区的起始扇区;
; (3) 将激活分区的引导扇区装载到内存7C00处;
; (4) 将控制权交给引导扇区代码;
;  
; 如果主引导代码无法完成上述任务,它将显示以下错误信息之一:
; No active partition.
; Invalid partition table.
; Error loading operating system.
; Missing operating system.
;
;====================================================================================
; FAT16分区尺寸与LBA
;====================================================================================
; LBA   HeadsPerCylinder SectorsPerTrack  Maximum Size for Boot Partition
; Disabled 64     32     1GB
; Enabled  255     63     4GB
;
; 为了适应超过8G的硬盘,Windows2000忽略了Start CHS和End CHS,而使用StartLBA和TotalSector    
; 来确定分区在整个磁盘中的位置和大小。
;  
;====================================================================================
;     分区表项结构(16字节)
;====================================================================================
;
; typedef struct _PARTITION_ENTRY
; {
;  UCHAR BootIndicator;  // 能否启动标志
;  UCHAR StartHead;   // 该分区起始磁头号
;  UCHAR StartSector;  // 起始柱面号高2位:6位起始扇区号
;  UCHAR StartCylinder;  // 起始柱面号低8位
;  UCHAR PartitionType;  // 分区类型
;  UCHAR EndHead;   // 该分区终止磁头号
;  UCHAR EndSector;   // 终止柱面号高2位:6位终止扇区号
;  UCHAR EndCylinder;  // 终止柱面号低8位
;  ULONG StartLBA;   // 起始扇区号
;  ULONG TotalSector;  // 分区尺寸(总扇区数)
; }PARTITION_ENTRY,*PPARTITION_ENTRY;
;
;====================================================================================
;    主引导记录(MBR)结构 
;====================================================================================
; typedef struct _MASTER_BOOT_RECORD
; {
;  UCHAR    BootCode[446];
;  PARTITION_ENTRY  Partition[4];
;  USHORT    Signature;
; }MASTER_BOOT_RECORD,*PMASTER_BOOT_RECORD;
;
;====================================================================================
2.MBR详细分析
代码:
code:7C00 code            segment byte public 'CODE' use16
code:7C00                 assume cs:code
code:7C00                 org 7C00h
code:7C00                 assume es:nothing, ss:nothing, ds:code, fs:nothing, gs:nothing
code:7C00 start           proc far
code:7C00                 xor     ax, ax
code:7C02                 mov     ss, ax
code:7C04                 mov     sp, 7C00h
code:7C07                 sti
code:7C08                 push    ax
code:7C09                 pop     es
code:7C0A                 push    ax      ; es=ds=ss=0x0000
code:7C0B                 pop     ds              ; initial segment and stack                                        
code:7C0C                 cld
code:7C0D                 push    ax
code:7C0E                 mov     si, 7C00h
code:7C11                 mov     di, 600h 
code:7C14                 mov     cx, 200h 
code:7C17                 rep movsb               ; move this MBR code to 600h
code:7C19                 mov     di, 61Eh 
code:7C1C                 push    di
code:7C1D                 retf                    ; jmp 0000:61Eh
code:7C1E                 xor     bx, bx          ; ip=61Eh
code:7C20                 xor     dx, dx
code:7C22                 mov     si, 7BEh    ; partition state
code:7C25                 mov     cl, 4           ; Search DPT,and it has 4 itemes,
code:7C27 check_next_partition:   
code:7C27                 test    byte ptr [si], 80h            ; 0x80->Active 0x00->not active
code:7C2A                 jz      short search_active_partition ;  next item, size of one item is 10h
code:7C2A
code:7C2C                 mov     dx, si          ; save item base address
code:7C2E                 inc     bx              ; the sum of the active item
code:7C2F search_active_partition:             
code:7C2F                 add     si, 10h         ;  next item, size of one item is 10h
code:7C32                 loop    check_next_partition          ; 0x80->Active 0x00->not active
code:7C34                 cmp     bx, 1
code:7C37                 jz      short found_partition_active
code:7C39                 mov     si, 0C4h        ; sz_Invalid_DPT Si=lpString (Offset)
code:7C3C                 mov     cx, 17h         ; length
code:7C3F                 jmp     short Display_Error_Informatin ; add base ip
code:7C41                 nop
code:7C42 found_partition_active:                
code:7C42                 push    dx
code:7C43                 mov     ah, 41h
code:7C45                 mov     dl, 80h
code:7C47                 mov     bx, 55AAh
code:7C4A                 int     13h             ; Detect sport extend int 13h call
code:7C4C                 pop     dx
code:7C4D                 cmp     bx, 0AA55h
code:7C51                 jnz     short CHSReadMBRFormDisk
code:7C53                 test    cl, 1
code:7C56                 jz      short CHSReadMBRFormDisk
code:7C58 LBAReadMBRFormDisk:
code:7C58                 mov     ax, 4200h
code:7C5B                 mov     si, 7ADh 
code:7C5E                 mov     cl, 10h
code:7C60 init_disk_addr_pkt:                     
code:7C60                 mov     byte ptr [si], 0
code:7C63                 inc     si
code:7C64                 loop    init_disk_addr_pkt
code:7C66                 mov     si, 7ADh
code:7C69                 mov     di, dx          ; dx point to active item base address
code:7C6B                 mov     byte ptr [si], 10h ; packet_size=16 (DB must)
code:7C6E                 mov     byte ptr [si+2], 1 ; sector_count 01h (DW)
code:7C72                 mov     word ptr [si+4], 7C00h ; buffer_addr (DD)
code:7C77                 mov     bx, [di+8]      ; line address of sectors (DD RAV)
code:7C7A                 mov     [si+8], bx      ; sector_base (QD)
code:7C7D                 mov     bx, [di+0Ah]    ; line address of sectors + 2 (DD RAV)
code:7C80                 mov     [si+0Ah], bx    ; sector_base + 2 (QD)
code:7C83                 jmp     short ReadDisk
code:7C85                 nop
code:7C86 CHSReadMBRFormDisk:  
code:7C86                 mov     ax, 201h 
code:7C89                 mov     bx, 7C00h       ; offset buffer_addr (DW)
code:7C8C                 mov     si, dx          ; dx point to active item base address
code:7C8E                 mov     cx, [si+2]      ; CH = track, CL = sector
code:7C91                 mov     dh, [si+1]      ; DH = head
code:7C94 ReadDisk:     
code:7C94                 mov     dl, 80h
code:7C96                 int     13h             AH = status, AL = number of sectors read
code:7C98                 mov     si, 7DFEh
code:7C9B                 cmp     word ptr [si], 0AA55h ; chech is invalid MBR
code:7C9F                 jz      short Load_OS_MBR
code:7CA1                 mov     si, 0DBh
code:7CA4                 mov     cx, 18h
code:7CA7                 jmp     short Display_Error_Informatin ; add base ip
code:7CA9                 nop
code:7CAA Load_OS_MBR:                       
code:7CAA                 xor     ax, ax
code:7CAC                 push    ax
code:7CAD                 mov     ax, 7C00h
code:7CB0                 push    ax
code:7CB1                 retf                    ; jmp load os MBR 
code:7CB2 Display_Error_Informatin:
code:7CB2                 add     si, 600h        ; add base ip
code:7CB6 Display:       
code:7CB6                 lodsb        ; AL = character
code:7CB7                 mov     bx, 7      ; BH = display page BL = foreground color
code:7CBA                 mov     ah, 0Eh
code:7CBC                 int     10h             ; VIDEO - WRITE CHARACTER AND ADVANCE CURSOR
code:7CBE                 loop    Display
code:7CC0                 db 0B1h
code:7CC1                 db  0Fh
code:7CC2                 db 0E2h ; ?
code:7CC3                 db 0FCh ; ?
code:7CC4 sz_Invalid_DPT  db 'Invalid partition tableMissing operating system',0
code:7CF4 sz_MBR_Information db 'Master Boot Record Wrote by DiskMan Ver1.30',0
code:7D20                 db 98h dup(0)           ; not use space
code:7DB8 s_Zmzm          db 'ZmZm',0             ; not use data, can set any data if you like
code:7DBD                 db    0
code:7DBE First_Item_DPT  db  80h                 ; statue
code:7DBF                 db    1                 ; 开始头
code:7DC0                 dw 1                    ; 开始扇区
code:7DC2                 db    7                 ; 分区类型指示
code:7DC3                 db 0FEh                 ; 结束头
code:7DC4                 dw 0CCFFh               ; 结束扇
code:7DC6                 dd 3Fh                  ; 扇区在前的分区 1
code:7DCA                 dd 0EE834Eh
code:7DCE Second_Item_DPT db    0                 ; statue
code:7DCF                 db    0
code:7DD0                 dw 0CDC1h
code:7DD2                 db  0Fh
code:7DD3                 db 0FEh ; ?
code:7DD4                 dw 0FFFFh
code:7DD6                 dd 0EE838Dh
code:7DDA                 dd 3BB47F9h
code:7DDE T_Item_DPT      db 10h dup(0)
code:7DEE F_Item_DPT      db 10h dup(0)
code:7DFE MBR_Flag        db  55h ; U
code:7DFF                 db 0AAh ; ?
code:7DFF code            ends
code:7DFF                 end start
3.DBR详细分析
代码:
code:7C00 ; File Name   : D:\DBR.COM
code:7C00 ; Format      : MS-DOS COM-file
code:7C00 ; Base Address: 1000h Range: 10100h-10300h Loaded length: 200h
code:7C00
code:7C00                 .686p
code:7C00                 .mmx
code:7C00                 .model tiny
code:7C00
code:7C00 ; ###########################################################################
code:7C00
code:7C00 ; Segment type: Pure code
code:7C00 code          segment byte public 'CODE' use16
code:7C00                 assume cs:code
code:7C00                 org 7C00h
code:7C00                 assume es:nothing, ss:nothing, ds:code, fs:nothing, gs:nothing
code:7C00
code:7C00 ; =============== S U B R O U T I N E =======================================
code:7C00
code:7C00                 public start
code:7C00 start           proc far
code:7C00                 jmp     short begin
code:7C00
code:7C02 ; ---------------------------------------------------------------------------
code:7C02                 nop
code:7C02
code:7C02 ; ---------------------------------------------------------------------------
code:7C03 sz_Ntfs         db 'NTFS    ',0
code:7C0C                 db 2, 8, 7 dup(0), 0F8h, 2 dup(0), 3Fh, 0, 0FFh, 0, 3Fh, 7 dup(0), 80h, 0, 80h, 0, 4Dh
code:7C0C                 db 83h, 0EEh, 7 dup(0), 0Ch, 5 dup(0), 10h, 7 dup(0), 0F6h, 3 dup(0), 1, 3 dup(0), 61h
code:7C0C                 db 0F5h, 0B9h, 0B3h, 2Fh, 0F6h, 33h, 13h, 4 dup(0)
code:7C54 ; ---------------------------------------------------------------------------
code:7C54
code:7C54 begin:           
code:7C54                 cli
code:7C55                 xor     ax, ax
code:7C57                 mov     ss, ax
code:7C59                 mov     sp, 7C00h
code:7C5C                 sti
code:7C5D                 mov     ax, 7C0h 
code:7C60                 mov     ds, ax
code:7C62                 assume ds:nothing
code:7C62                 call    GetCurrentDriveParaments
code:7C62
code:7C65                 mov     ax, 0D00h 
code:7C68                 mov     es, ax
code:7C6A                 xor     bx, bx
code:7C6C                 mov     byte ptr ds:0Eh, 10h
code:7C71                 call    ReadDiskSectors
code:7C71
code:7C74                 push    0D00h 
code:7C77                 push    26Ah 
code:7C7A                 retf
code:7C7A
code:7C7A start           endp 
code:7C7A
code:7C7B ; =============== S U B R O U T I N E =======================================
code:7C7B
code:7C7B GetCurrentDriveParaments proc near      
code:7C7B                 mov     dl, ds:24h      ; DL = drive number,Why must use ds:24h Memory?
code:7C7F                 mov     ah, 8
code:7C81                 int     13h
code:7C83                 jnb     short success   
code:7C83
code:7C85                 mov     cx, 0FFFFh
code:7C88                 mov     dh, cl
code:7C88
code:7C8A success:                              
code:7C8A                 movzx   eax, dh         ; why now can use 'EAX' register,but it in use 16?
code:7C8E                 inc     ax
code:7C8F                 movzx   edx, cl         
code:7C93                 and     dl, 3Fh
code:7C96                 mul     dx
code:7C98                 xchg    cl, ch
code:7C9A                 shr     ch, 6
code:7C9D                 inc     cx
code:7C9E                 movzx   ecx, cx
code:7CA2                 mul     ecx
code:7CA5                 mov     ds:20h, eax
code:7CA9                 retn
code:7CA9
code:7CA9 GetCurrentDriveParaments endp
code:7CA9
code:7CAA ; =============== S U B R O U T I N E =======================================
code:7CAA
code:7CAA CheckExtenInt13 proc near               
code:7CAA                 mov     ah, 41h
code:7CAC                 mov     bx, 55AAh
code:7CAF                 mov     dl, ds:24h
code:7CB3                 int     13h
code:7CB5                 jb      short exit
code:7CB5
code:7CB7                 cmp     bx, 0AA55h
code:7CBB                 jnz     short exit
code:7CBB
code:7CBD                 test    cl, 1
code:7CC0                 jz      short exit
code:7CC0
code:7CC2                 inc     byte ptr ds:14h ; set a flage
code:7CC6 exit:                                  
code:7CC6                 retn
code:7CC6
code:7CC6 CheckExtenInt13 endp
code:7CC6
code:7CC7 ; =============== S U B R O U T I N E =======================================
code:7CC7
code:7CC7 ReadDiskSectors proc near               
code:7CC7                 pushad
code:7CC9                 push    ds
code:7CCA                 push    es
code:7CCB continue_work:                     
code:7CCB                 mov     eax, ds:10h
code:7CCF                 add     eax, ds:1Ch
code:7CD4                 cmp     eax, ds:20h
code:7CD9                 jb      read_disk_sectors
code:7CD9
code:7CDD                 push    ds
code:7CDE                 push    large 0
code:7CE1                 push    eax
code:7CE3                 push    es
code:7CE4                 push    bx
code:7CE5                 push    large 10010h
code:7CEB                 cmp     byte ptr ds:14h, 0 ; check a flage
code:7CF0                 jnz     continue
code:7CF0
code:7CF4                 call    CheckExtenInt13
code:7CF4
code:7CF7                 cmp     byte ptr ds:14h, 0 ; check a flage
code:7CFC                 jz      cant_continue
code:7D00 continue:                           
code:7D00                 mov     ah, 42h
code:7D02                 mov     dl, ds:24h
code:7D06                 push    ss
code:7D07                 pop     ds
code:7D08                 mov     si, sp
code:7D0A                 int     13h
code:7D0C                 pop     eax
code:7D0E                 pop     bx
code:7D0F                 pop     es
code:7D10                 pop     eax
code:7D12                 pop     eax
code:7D14                 pop     ds
code:7D15                 jmp     short exit
code:7D15
code:7D17 ; ---------------------------------------------------------------------------
code:7D17 read_disk_sectors:                    
code:7D17                 xor     edx, edx
code:7D1A                 movzx   ecx, word ptr ds:18h
code:7D20                 div     ecx
code:7D23                 inc     dl
code:7D25                 mov     cl, dl
code:7D27                 mov     edx, eax
code:7D2A                 shr     edx, 10h
code:7D2E                 div     word ptr ds:1Ah
code:7D32                 xchg    dl, dh          ; DH = head
code:7D34                 mov     dl, ds:24h      ; ES:BX -> buffer to fill
code:7D38                 mov     ch, al          ; CH = track
code:7D3A                 shl     ah, 6           ; DL = drive
code:7D3D                 or      cl, ah          ; CL = sector
code:7D3F                 mov     ax, 201h        ; AL = number of sectors to read
code:7D42                 int     13h
code:7D42
code:7D44 exit:   
code:7D44                 jb      cant_continue
code:7D44
code:7D48                 mov     ax, es
code:7D4A                 add     ax, 20h
code:7D4D                 mov     es, ax
code:7D4F                 inc     dword ptr ds:10h
code:7D54                 dec     word ptr ds:0Eh
code:7D58                 jnz     continue_work
code:7D58
code:7D5C                 pop     es
code:7D5D                 pop     ds
code:7D5E                 popad
code:7D60                 retn
code:7D60
code:7D61 ; ---------------------------------------------------------------------------
code:7D61
code:7D61 cant_continue:                    
code:7D61                                        
code:7D61                 mov     al, ds:1F8h
code:7D64                 call    PrintErrorMessage
code:7D64
code:7D67                 mov     al, ds:1FBh
code:7D6A                 call    PrintErrorMessage
code:7D6A
code:7D6D                 sti
code:7D6D
code:7D6E no_end:                                
code:7D6E                 jmp     short no_end
code:7D6E
code:7D6E ReadDiskSectors endp
code:7D6E
code:7D70 ; =============== S U B R O U T I N E =======================================
code:7D70
code:7D70 PrintErrorMessage proc near           
code:7D70                                       
code:7D70                 mov     ah, 1
code:7D72                 mov     si, ax
code:7D72
code:7D74
code:7D74 continue:                           
code:7D74                 lodsb
code:7D75                 cmp     al, 0
code:7D77                 jz      short exit
code:7D77
code:7D79                 mov     ah, 0Eh
code:7D7B                 mov     bx, 7
code:7D7E                 int     10h             
code:7D7E                                         
code:7D80                 jmp     short continue
code:7D80
code:7D82 ; ---------------------------------------------------------------------------
code:7D82 exit:                                 
code:7D82                 retn
code:7D82
code:7D82 PrintErrorMessage endp
code:7D82
code:7D82 ; ---------------------------------------------------------------------------
code:7D83                 db 0Dh, 0Ah
code:7D85 sz_DiskReadError db 'A disk read error occurred',0
code:7DA0                 db 0Dh, 0Ah
code:7DA2 sz_NtldrIsMissing db 'NTLDR is missing',0
code:7DB3                 db 0Dh, 0Ah
code:7DB5 sz_NtldrIsCompressed db 'NTLDR is compressed',0
code:7DC9                 db 0Dh, 0Ah
code:7DCB sz_PressCtrlAltDel db 'Press Ctrl+Alt+Del to restart',0Dh,0Ah,0
code:7DEB                 db 0Dh dup(0), 83h, 0A0h, 0B3h, 0C9h, 2 dup(0), 55h, 0AAh
code:7DEB code          ends
code:7DEB
code:7DEB                 end start

posted on 2009-12-26 16:35 风一样的离去 阅读(1787) 评论(0)  编辑 收藏 引用


只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   博问   Chat2DB   管理