在网上闲逛寻找如何读/写MFT的解释我找到了以下部分:( http://www.installsetupconfig.com/win32programming/1996%20AppE_apnilife.pdf )
它是什么意思“他们不准备处理IRP_MJ_READ请求”需要什么样的准备? 什么是IRP_MJ_READ? “使用ZwCreateSection和ZwMapViewOfSection映射特殊文件然后读取映射数据”如何解决问题? 这意味着什么“文件没有准备好处理文件对象的最后一个句柄关闭时生成的IRP_MJ_CLEANUP请求”又是什么准备? 什么是IRP_MJ_CLEANUP? “将特殊文件的打开句柄复制到一个永不终止的进程中”如何解决问题?如果NtfsProtectSystemFiles设置为FALSE,则可以打开特殊文件。 但是,尝试执行此操作时存在一些缺点:由于许多特殊文件在安装卷时以特殊方式打开,因此它们不准备处理因调用ZwReadFile而导致的IRP_MJ_READ请求,以及系统如果收到此类请求,则会崩溃。 可以通过使用ZwCreateSection和ZwMapViewOfSection映射特殊文件然后读取映射数据来读取这些特殊文件。 另一个问题是一些特殊文件没有准备好处理在关闭文件对象的最后一个句柄时生成的IRP_MJ_CLEANUP请求,并且如果收到这样的请求,则系统崩溃。 唯一的选择是将特殊文件的打开句柄复制到一个永不终止的进程(例如系统进程)。
While wandering the web looking for explanations of how to read/write MFT I found the folowing section:(http://www.installsetupconfig.com/win32programming/1996%20AppE_apnilife.pdf)
What does it mean “they are not prepared to handle the IRP_MJ_READ requests” what kind of preparation is needed? What is IRP_MJ_READ? “Mapping the special file with ZwCreateSection and ZwMapViewOfSection and then reading the mapped data” How does that solve the problem? What does it means “files are not prepared to handle the IRP_MJ_CLEANUP request that is generated when the last handle to a file object is closed” again what is that preparation? What is IRP_MJ_CLEANUP? “Duplicate the open handle to the special file into a process that never terminates” How does that solve the problem?If NtfsProtectSystemFiles is set to FALSE, then the special files can be opened. There are, however, some drawbacks associated with attempting to do this: Because many of the special files are opened in a special way when mounting the volume, they are not prepared to handle the IRP_MJ_READ requests resulting from a call to ZwReadFile, and the system crashes if such a request is received. These special files can be read by mapping the special file with ZwCreateSection and ZwMapViewOfSection and then reading the mapped data. A further problem is that a few of the special files are not prepared to handle the IRP_MJ_CLEANUP request that is generated when the last handle to a file object is closed, and the system crashes if such a request is received. The only option is to duplicate the open handle to the special file into a process that never terminates (such as the system process).
最满意答案
这是旧数据(从1996年开始)。 而且有点不正确。 从那以后,世界一直在前进。
您可以尝试打开\ $ MFT来读取MFT但是获取正确的访问位可能会有问题。 你也可以写它们,但那真是玩火。 文件系统不希望它的数据结构在没有它的参与的情况下被修改。
打开分区raw并直接遍历磁盘结构你会好得多。
That's old data (from 1996). And more than a little incorrect. The world has moved on since then.
You might try opening \$MFT to read the MFT but getting the access bits right might be problematic. You can also write them but that's really playing with fire. The file system does not expect that it's data structures will be modified without it's involvement.
You are much better off opening the partition raw and walking the disk structures directly.
更多推荐
发布评论