FAT32 file system analysis example for a hard-disk partition
by 车生兵

1. Obtain the BPB data structure of partition C: on hard disk 80H

The session below runs DEBUG under Windows 98. "L 7C00 2 0 1" loads one logical sector, starting at sector 0 of drive 2 (C:), into memory at DS:7C00H; "D 7C02 L58" then dumps the 58H bytes from 7C02H onward, which hold the BPB and the extended boot record. L reads raw logical sectors and bypasses the file system entirely (the matching W command writes them back the same way), so the sector arguments must be typed with care.

    Microsoft(R) Windows 98
    (C)Copyright Microsoft Corp 1981-1999.

    C:\WINDOWS>CD \
    C:\>DEBUG
    -L 7C00 2 0 1
    -D 7C02 L58
    126C:7C00        90 4D 53 57 49 4E-34 2E 31 00 02 08 20 00         .MSWIN4.1... .
    126C:7C10  02 00 00 00 00 F8 00 00-3F 00 FF 00 3F 00 00 00   ........?...?...
    126C:7C20  A0 C5 52 01 8C 54 00 00-00 00 00 00 02 00 00 00   ..R..T..........
    126C:7C30  01 00 06 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:7C40  80 00 29 13 11 3C 1E 4E-4F 20 4E 41 4D 45 20 20   ..)..<.NO NAME  
    126C:7C50  20 20 46 41 54 33 32 20-20 20                       FAT32   
    -

The fields needed for the rest of the analysis, read little-endian at their offsets from the start of the boot sector:

    offset  bytes          field                  value
    03H     "MSWIN4.1"     OEM name
    0BH     00 02          bytes per sector       0200H (512)
    0DH     08             sectors per cluster    08H
    0EH     20 00          reserved sectors       0020H
    10H     02             number of FATs         02H
    20H     A0 C5 52 01    total sectors          0152C5A0H
    24H     8C 54 00 00    sectors per FAT        0000548CH
    2CH     02 00 00 00    root directory cluster 00000002H
    30H     01 00          FSInfo sector          0001H
    32H     06 00          backup boot sector     0006H
    47H     "NO NAME    "  volume label
    52H     "FAT32   "     file system type

2. Analyse the BPB data to obtain the layout of the logical sectors of C:

FAT1 starts right after the reserved sectors, FAT2 starts at 0020H + 548CH = 54ACH, and the data area (whose first cluster, number 2, holds the root directory on FAT32) starts at 54ACH + 548CH = A938H.

    Cluster  Logical sector  Region                           Length  Remarks
    0000H    0000H           reserved sectors                 0020H
    0001H    0020H           FAT1                             548CH
             54ACH           FAT2                             548CH
    0002H    A938H           root directory (start cluster)   0008H   cluster 2 is the first cluster of the data area
    0003H    A940H           next data cluster                0008H   8 sectors per cluster

Cluster numbers 0 and 1 are reserved in the FAT and map to no data cluster; in the first two rows the cluster column is only a row index.

3. Read the root directory data and find the FDT (file directory entry) of NTLDR

"L 1000 2 A938 8" loads the eight sectors of cluster 2 (the first root directory cluster) to DS:1000H; the entry for NTLDR is at offset 380H of that buffer.

    -L 1000 2 A938 8
    -D 1380 L80
    126C:1380  4E 54 4C 44 52 20 20 20-20 20 20 27 08 00 A2 20   NTLDR      '... 
    126C:1390  D3 2E 67 38 02 00 A2 20-D3 2E 9A 00 A0 5F 03 00   ..g8... ....._..
    126C:13A0  4E 54 44 45 54 45 43 54-43 4F 4D 27 00 00 A2 20   NTDETECTCOM'... 
    126C:13B0  D3 2E 67 38 02 00 A2 20-D3 2E D0 00 A4 87 00 00   ..g8... ........
    126C:13C0  42 4F 4F 54 4C 4F 47 20-50 52 56 22 00 00 00 00   BOOTLOG PRV"....
    126C:13D0  00 00 65 38 00 00 40 88-65 38 75 07 6E DE 00 00   ..e8..@.e8u.n...
    126C:13E0  42 4F 4F 54 20 20 20 20-2D 2D 2D 06 18 59 C4 54   BOOT    ---..Y.T
    126C:13F0  63 38 65 38 04 00 BD 55-63 38 02 5A DB 00 00 00   c8e8...Uc8.Z....
    -

4. Analyse the FDT of NTLDR to obtain the file length, the number of clusters used and the starting cluster

The 32-byte entry at 1380H decodes as: name "NTLDR   " + extension "   " at +00H (11 bytes), attribute byte 27H at +0BH, high word of the first cluster 0002H at +14H, low word 009AH at +1AH, and file size A0 5F 03 00 at +1CH.

    File length:                    00035FA0H bytes, i.e. 000001B0H sectors (432 sectors; 35FA0H / 200H = 1AFH remainder 1A0H, rounded up)
    File starting cluster:          0002009AH
    Clusters used:                  00000036H (54 clusters; 432 sectors / 8 sectors per cluster)
    Sectors used in the last cluster: 00000008H
    Bytes used in the last sector:  01A0H, i.e. 416 bytes
    File attributes:                27H = read-only + hidden + system + archive
    File name:                      NTLDR

5. Compute the starting sector of NTLDR's cluster chain in FAT1 and FAT2, and read the sector data

Each FAT32 entry is 4 bytes, so:

    (bytes per entry × cluster number) ÷ bytes per sector = quotient (sector relative to the FAT start) : remainder (offset within that sector)

Relative sector:  (0002009AH × 0004H) ÷ 0200H = 0401H : 0068H
Logical sector in FAT1: 0020H + 0401H = 0421H, i.e. the head of the chain is at offset 0068H of logical sector 0421H of C:.
Logical sector in FAT2: 54ACH + 0401H = 58ADH, i.e. in FAT2 the head of the chain is at offset 0068H of logical sector 58ADH of C:.

FAT2 is not read below; it should carry exactly the same entries, and comparing the two copies is a quick check that the chain is neither corrupted nor tampered with.

Read the data at the head of the chain in FAT1 (two sectors, 0421H and 0422H, loaded to DS:2000H):

    -L 2000 2 421 2
    -D 2000 L180
    126C:2000  81 00 02 00 82 00 02 00-83 00 02 00 84 00 02 00   ................
    126C:2010  85 00 02 00 86 00 02 00-87 00 02 00 88 00 02 00   ................
    126C:2020  89 00 02 00 8A 00 02 00-8B 00 02 00 8C 00 02 00   ................
    126C:2030  8D 00 02 00 8E 00 02 00-8F 00 02 00 90 00 02 00   ................
    126C:2040  91 00 02 00 92 00 02 00-93 00 02 00 94 00 02 00   ................
    126C:2050  95 00 02 00 96 00 02 00-97 00 02 00 98 00 02 00   ................
    126C:2060  99 00 02 00 FF FF FF 0F-9B 00 02 00 9C 00 02 00   ................   % chain head: entry for cluster 0002009AH at offset 0068H = 0002009BH
    126C:2070  9D 00 02 00 9E 00 02 00-9F 00 02 00 A0 00 02 00   ................
    126C:2080  A1 00 02 00 A2 00 02 00-A3 00 02 00 A4 00 02 00   ................
    126C:2090  A5 00 02 00 A6 00 02 00-A7 00 02 00 A8 00 02 00   ................
    126C:20A0  A9 00 02 00 AA 00 02 00-AB 00 02 00 AC 00 02 00   ................
    126C:20B0  AD 00 02 00 AE 00 02 00-AF 00 02 00 B0 00 02 00   ................
    126C:20C0  B1 00 02 00 B2 00 02 00-B3 00 02 00 B4 00 02 00   ................
    126C:20D0  B5 00 02 00 B6 00 02 00-B7 00 02 00 B8 00 02 00   ................
    126C:20E0  B9 00 02 00 BA 00 02 00-BB 00 02 00 BC 00 02 00   ................
    126C:20F0  BD 00 02 00 BE 00 02 00-BF 00 02 00 C0 00 02 00   ................
    126C:2100  C1 00 02 00 C2 00 02 00-C3 00 02 00 C4 00 02 00   ................
    126C:2110  C5 00 02 00 C6 00 02 00-C7 00 02 00 C8 00 02 00   ................
    126C:2120  C9 00 02 00 CA 00 02 00-CB 00 02 00 CC 00 02 00   ................
    126C:2130  CD 00 02 00 CE 00 02 00-CF 00 02 00 FF FF FF 0F   ................   % chain tail: entry for cluster 000200CFH at offset 013CH = 0FFFFFFFH
    126C:2140  D1 00 02 00 D2 00 02 00-D3 00 02 00 D4 00 02 00   ................
    126C:2150  D5 00 02 00 D6 00 02 00-D7 00 02 00 D8 00 02 00   ................
    126C:2160  FF FF FF 0F 6A 6B 02 00-DB 00 02 00 DC 00 02 00   ....jk..........
    126C:2170  DD 00 02 00 DE 00 02 00-DF 00 02 00 E0 00 02 00   ................
    -

Sector 0421H holds the entries for clusters 00020080H onward (0401H × 80H entries per sector), so the first dword, 00020081H, is the entry for cluster 00020080H. The 0FFFFFFFH at offset 0064H ends some other file at cluster 00020099H; the entries from offset 0068H on belong to NTLDR. Only the low 28 bits of an entry are the cluster number; any value of 0FFFFFF8H or above is an end-of-chain mark, and 0FFFFFF7H marks a bad cluster.

6. Analyse the FAT chain data to obtain the cluster chain

Starting from the entry for cluster 0002009AH (the first cluster recorded in the directory entry), each FAT1 entry links to the next cluster until the entry for cluster 000200CFH holds the end-of-chain mark 0FFFFFFFH, so:

    NTLDR starting cluster: 0002009AH
    NTLDR ending cluster:   000200CFH
    Clusters used:          000200CFH - 0002009AH + 00000001H = 00000036H

This is exactly the number obtained from the FDT. The cluster chain of NTLDR is therefore 0002009AH to 000200CFH. The subtraction is valid only because this chain is contiguous; a fragmented file has to be followed entry by entry and its cluster count taken from the walk, not from the difference between first and last cluster.

7. From the cluster chain, compute the partition logical sector numbers of the first and last sectors of NTLDR

The first logical sector of cluster i is:

    (i - 2) × sectors per cluster + logical sector of cluster 2

    First sector of cluster 0002009AH: (0002009AH - 00000002H) × 00000008H + 0000A938H = 0010ADF8H
    First sector of cluster 000200CFH: (000200CFH - 00000002H) × 00000008H + 0000A938H = 0010AFA0H
    Last sector of cluster 000200CFH:  0010AFA0H + 00000007H = 0010AFA7H

8. Read the data of the first and last sectors of NTLDR

Read the first sector of cluster 0002009AH:

    -L 4000 2 10ADF8 1
    -D 4000 L200
    126C:4000  E9 C3 01 52 53 68 00 60-07 33 DB 8B 4C 03 C7 45   ...RSh.`.3..L..E
    126C:4010  0A 00 00 89 4D 08 8B 44-0B 3D 80 00 76 1F 51 B8   ....M..D.=..v.Q.
    126C:4020  80 00 FF 5D 04 59 68 00-70 07 33 DB 8B 44 0B 2D   ...].Yh.p.3..D.-
    126C:4030  80 00 81 C1 80 00 89 4D-08 83 55 0A 00 FF 5D 04   .......M..U...].
    126C:4040  5A 33 DB B8 00 60 8E E0-B8 00 70 8E E8 0E 07 B4   Z3...`....p.....
    126C:4050  80 52 8A 44 02 2A 64 02-83 FA FF 75 05 5A 5A E9   .R.D.*d....u.ZZ.
    126C:4060  64 01 8B CA E8 87 00 41-3B D1 75 11 80 FC 00 75   d......A;.u....u
    126C:4070  04 B4 80 EB 08 02 44 02-2A 64 02 EB E5 59 52 8B   ......D.*d...YR.
    126C:4080  D1 B9 0A 00 53 50 52 51-FF 1D 73 43 B8 01 00 8A   ....SPRQ..sC....
    126C:4090  44 19 CD 13 33 C0 8A 44-19 CD 13 33 C0 48 75 FD   D...3..D...3.Hu.
    126C:40A0  59 5A 58 5B 49 75 DD 0E-1F BE BC 00 AC 0A C0 74   YZX[Iu.........t
    126C:40B0  09 B4 0E BB 07 00 CD 10-EB F2 EB FE 0D 0A 44 69   ..............Di
    126C:40C0  73 6B 20 49 2F 4F 20 65-72 72 6F 72 0D 0A 00 59   sk I/O error...Y
    126C:40D0  5A 58 5B 5A 8A C8 32 ED-C1 E1 09 03 D9 74 03 E9   ZX[Z..2......t..
    126C:40E0  6F FF 8C C0 05 00 10 8E-C0 B4 80 E9 63 FF 53 E8   o...........c.S.
    126C:40F0  3D 00 73 21 8B DA D1 EA-9C 03 DA 64 8B 17 9D 72   =.s!.......d...r
    126C:4100  06 81 E2 FF 0F EB 03 C1-EA 04 81 FA F8 0F 72 1D   ..............r.
    126C:4110  BA FF FF EB 18 03 D2 72-07 8B DA 64 8B 17 EB 05   .......r...d....
    126C:4120  8B DA 65 8B 17 83 FA F8-72 03 BA FF FF 5B C3 66   ..e.....r....[.f
    126C:4130  50 66 53 66 51 66 52 66-0F B7 4C 08 0B C9 0F 85   PfSfQfRf..L.....
    126C:4140  04 00 66 8B 4C 15 66 0F-B6 5C 05 66 0F B7 44 0B   ..f.L.f..\.f..D.
    126C:4150  66 F7 E3 66 2B C8 66 0F-B7 44 06 66 C1 E0 05 66   f..f+.f..D.f...f
    126C:4160  8B D0 66 81 E2 00 00 FF-FF F7 34 66 2B C8 66 0F   ..f.......4f+.f.
    126C:4170  B7 44 03 66 2B C8 66 8B-C1 66 0F B6 4C 02 66 33   .D.f+.f..f..L.f3
    126C:4180  D2 66 F7 F1 66 3D F7 0F-00 00 0F 83 03 00 F9 EB   .f..f=..........
    126C:4190  01 F8 66 5A 66 59 66 5B-66 58 C3 50 53 51 B9 04   ..fZfYf[fX.PSQ..
    126C:41A0  00 C1 C2 04 B4 0E BB 07-00 8A C2 24 0F 04 30 3C   ...........$..0<
    126C:41B0  39 76 02 04 07 CD 10 E2-E8 B4 0E B0 20 BB 07 00   9v.......... ...
    126C:41C0  CD 10 59 5B 58 C3 BB C0-2A C1 EB 04 8C C8 03 C3   ..Y[X...*.......
    126C:41D0  8E D0 BC 28 15 52 8E D8-8E C0 66 0F B7 D0 66 C1   ...(.R....f...f.
    126C:41E0  E2 04 66 81 C2 D0 1D 00-00 66 89 16 BE 0C 33 ED   ..f......f....3.
    126C:41F0  66 0F B7 ED 66 0F B7 E4-8C 1E BC 15 E8 45 18 66   f...f........E.f
    -

Read the last sector of cluster 000200CFH:

    -L 3000 2 10AFA7 1
    -D 3000 L200
    126C:3000  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3030  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3050  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3080  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3090  01 00 00 00 10 01 00 00-00 00 21 00 6F 73 6C 6F   ..........!.oslo
    126C:30A0  61 64 65 72 2E 64 62 67-00 61 64 65 72 2E 65 78   ader.dbg.ader.ex
    126C:30B0  65 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   e...............
    126C:30C0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:30D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:30E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:30F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3100  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3110  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3120  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3130  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3140  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3150  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3160  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3170  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3180  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:3190  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    % end of file at offset 01A0H; the bytes below lie beyond the end of NTLDR
    126C:31A0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:31B0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:31C0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:31D0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:31E0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    126C:31F0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    -

Note: the part from offset 31A0H to 31FFH (shown in grey in the original) is not valid NTLDR data. The last sector has 0060H bytes of free space (512 - 416 = 96 bytes); this slack space is zero here, but in general it can still hold remnants of whatever file previously occupied the sector.