# $Id$ # Captive project doc Reverse Engineering page Perl template. # Copyright (C) 2003-2005 Jan Kratochvil # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; exactly version 2 of June 1991 is required # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA package project::captive::doc::Reverse; require 5.6.0; # at least 'use warnings;' but we need some 5.6.0+ modules anyway our $VERSION=do { my @r=(q$Revision$=~/\d+/g); sprintf "%d.".("%03d"x$#r),@r; }; our $CVS_ID=q$Id$; use strict; use warnings; use My::Web; sub handler { BEGIN { Wuse 'project::captive::doc::Macros'; } project::captive::doc::Macros->init( "title"=>'Captive NTFS Developer Documentation: Reverse Engineering', "rel_prev"=>'Components.pm', "rel_next"=>'CacheManager.pm', ); print <<"HERE";

Reverse Engineering

This project has no intentions to reverse engineer and document the filesystem data structures themselves since they are being encapsulated by the filesystem driver. For these reasons the resources available in projects such as $LinuxNTFS get out of any possible use. This project goal is to provide fully compatible API interface to the rest of the W32 system to persuade the filesystem driver it is running in the native Microsoft Windows XP environment.

All the W32 filesystem drivers are running in the W32 kernel address space and this area of W32 API is not much documented by Microsoft. Some API functions are not documented at all and the others are documented insufficiently for a their possibly needed reimplementation from scratch. Documentation being consulted primarily consists of @{[ a_href 'http://msdn.microsoft.com/library/default.asp?url=/library/en-us/kmarch/hh/kmarch/kmhdr_6enb.asp','MSDN (Microsoft Developer Network) Kernel-Mode Driver Architecture: Windows DDK' ]} documentation and also various other 3rd party documentation resources such as @{[ a_href 'http://www.osr.com/ntinsider/1996/cacheman.htm', 'The NT Cache Manager Description' ]}, @{[ a_href 'http://www.winntmag.com/Articles/Print.cfm?ArticleID=3864', 'Learn About NT'."'".'s File-system Cache' ]}, @{[ a_href 'http://www.ntfsd.org/archive/', 'NT File System Developers mailing list archives' ]} including various @{[ a_href 'http://www.google.com/search?q=site%3Amicrosoft.com','fulltext searches' ]} through Internet from case to case.

Sometimes no sufficient documentation was found and some code behaviour had to be reverse engineered directly from the binaries of ntoskrnl.exe, cdfs.sys, fastfat.sys and primarily ntfs.sys. Up to now the code was disassembled by @{[ a_href 'http://www.simtel.net/pub/pd/29498.html','IDA Freeware' ]} and by dumpbin.exe of Microsoft Visual Studio. dumpbin.exe is fortunately able to interpret debug symbols from W32 .PDB (Program DataBase) debug information files.

dumpbin.exe

You should use the following options for dumpbin.exe:

dumpbin.exe /all /rawdata:none /disasm /pdbpath:verbose FILENAME.SYS

You should see the following line in the output:

PDB file found at '.\\FILENAME.pdb'

WinDbg Windows NT kernel debugging

WinDbg is downloadable from: @{[ a_href 'http://www.microsoft.com/whdc/ddk/debugging/installx86.mspx' ]}

This is (the only?) tool able to debug filesystem drivers incl. ntfs.sys. You will need two computers running Microsoft Windows — one computer will run WinDbg while the other one will be frozen in remote Windows NT kernel debug mode. It does not matter which Microsoft Windows version will be run on the WinDbg side. Your goal is to successfuly connect WinDbg:

@{[ doc_img 'ntdebug-ntfs.png','WinDbg Remote NT Kernel NTFS Debugging' ]}

The most easy way to setup two computers is to use commercial @{[ a_href 'http://www.vmware.com/download/workstation.html','VMware Workstation' ]} where you can run two virtual machines simultaneously on single PC hardware and you can connect them by a virtual serial port provided by VMware.

WinDbg side setup

@{[ doc_img 'ntdebug-vmware-windbg.png', 'VMware virtual serial port' .' of WinDbg side' ]}

You should setup WinDbg according to:

@{[ doc_img 'ntdebug-windbg-port.png','Port settings of WinDbg' ]} @{[ doc_img 'ntdebug-windbg-sym.png','Symbols files location of WinDbg' ]}

Symbols should point to the directory where reside files extracted from the symbol archive for your version of Microsoft Windows. In the case of the recommended Microsoft Windows XP Service Pack 1 Checked Build you should use: @{[ a_href 'http://msdl.microsoft.com/download/symbols/packages/windowsxp/xpsp1sym_x86_chk.exe' ]}

# Rename xpsp1sym_x86_chk.exe contents .pdb files for WinDbg
@{[ escapeHTML(q{for i in *.pdb*;do ext="`echo $i|sed 's/^.*\.pdb\.$.*$$/\1/'`";if [ "$i" = "$ext" ];then echo "BAD:$i";break;fi;base="`echo $i|sed 's/$\.pdb$\..*$/\1/'`";echo "md $ext";echo "move /-y $i $ext\\$base";done|sort -u|sed 's/$/'`echo -ne '\r'`'/g' >/tmp/rename.bat}) ]}

The resulting rename.bat for xpsp1sym_x86_chk.exe can be found at: @{[ a_href 'xpsp1sym_x86_chk-rename.bat.zip' ]}

The resulting directory should contain at least sys\\ntfs.pdb and exe\\ntoskrnl.pdb.

Your successfuly connected target (after the steps described below) should look like:

@{[ doc_img 'ntdebug-windbg-boot.png','Successfuly connected WinDbg' ]}

Setup of the side being kernel-debugged

@{[ doc_img 'ntdebug-vmware-xpdebug.png', 'VMware virtual serial port' .' of the side being kernel-debugged' ]}

You must use the following options in your c:\\boot.init command-line:

/debug /debugport=COM1 /baudrate=115200

After booting this boot.ini-entry should freeze at this point (if no WinDbg is waiting in the other virtual machine):

@{[ doc_img 'ntdebug-wait.png','Side being kernel-debugged waiting for WinDbg' ]} HERE exit; } 1;