Captive: The first free NTFS read/write filesystem for GNU/Linux
This project does not intend to reverse engineer and document the filesystem data structures themselves, since they are encapsulated by the filesystem driver. For that reason the resources available in projects such as Linux NTFS are of no use here. The goal of this project is to provide a fully compatible API to the rest of the W32 system, so that the filesystem driver is persuaded it is running in its native Microsoft Windows XP environment.
All W32 filesystem drivers run in the W32 kernel address space, and this area of the W32 API is not well documented by Microsoft. Some API functions are not documented at all, and others are documented insufficiently for a reimplementation from scratch. The documentation consulted consists primarily of the MSDN (Microsoft Developer Network) Kernel-Mode Driver Architecture: Windows DDK documentation, supplemented by various third-party resources such as The NT Cache Manager Description, Learn About NT's File-system Cache, the NT File System Developers mailing list archives, and full-text Internet searches from case to case.
Sometimes no sufficient documentation was found, and some code behaviour had to be reverse engineered directly from the binaries of ntoskrnl.exe, cdfs.sys, fastfat.sys and primarily ntfs.sys. So far the code has been disassembled with IDA Freeware and with dumpbin.exe from Microsoft Visual Studio. dumpbin.exe is fortunately able to interpret debug symbols from W32 .PDB (Program DataBase) debug information files.
You should use the following options for dumpbin.exe:
dumpbin.exe /all /rawdata:none /disasm /pdbpath:verbose FILENAME.SYS
You should see the following line in the output:
PDB file found at '.\FILENAME.pdb'
WinDbg is downloadable from: http://www.microsoft.com/whdc/ddk/debugging/installx86.mspx
This is (the only?) tool able to debug filesystem drivers, including ntfs.sys. You will need two computers running Microsoft Windows: one runs WinDbg while the other is frozen in remote Windows NT kernel debug mode. It does not matter which Microsoft Windows version runs on the WinDbg side. Your goal is to successfully connect WinDbg.
The easiest way to set up the two computers is the commercial VMware Workstation, which can run two virtual machines simultaneously on a single PC and connect them through a virtual serial port provided by VMware.
You should set up WinDbg as follows.
The Symbols path should point to the directory containing the files extracted from the symbol archive for your version of Microsoft Windows. For the recommended Microsoft Windows XP Service Pack 1 Checked Build you should use: http://msdl.microsoft.com/download/symbols/packages/windowsxp/xpsp1sym_x86_chk.exe
# Rename the .pdb files extracted from xpsp1sym_x86_chk.exe into the directory layout WinDbg expects.
# Each extracted file is named NAME.pdb.EXT; the generated batch moves it to EXT\NAME.pdb.
for i in *.pdb*; do
  ext="`echo $i | sed 's/^.*\.pdb\.\(.*\)$/\1/'`"
  if [ "$i" = "$ext" ]; then echo "BAD:$i"; break; fi
  base="`echo $i | sed 's/\(\.pdb\)\..*$/\1/'`"
  echo "md $ext"
  echo "move /-y $i $ext\\$base"
done | sort -u | sed 's/$/'`echo -ne '\r'`'/g' > /tmp/rename.bat
The resulting rename.bat for xpsp1sym_x86_chk.exe can be found at: xpsp1sym_x86_chk-rename.bat.zip (26.1KB)
The resulting directory should contain at least sys\ntfs.pdb and exe\ntoskrnl.pdb.
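The renaming step above turns the flattened NAME.pdb.EXT file names of the symbol package into the EXT\NAME.pdb layout WinDbg expects. As an added example, not the Captive project's own script, here is the same transformation written as POSIX sh functions that report every malformed name instead of stopping at the first one, plus a check that the two PDBs named above are actually present afterwards. The sample file names passed at the end are constructed.

```shell
# Added example, not part of the Captive project: rebuild rename.bat
# generation as POSIX sh functions that report every malformed name instead
# of aborting, and verify afterwards that the PDBs WinDbg needs are present.
# Names such as ntfs.pdb.sys follow the NAME.pdb.EXT layout of the flattened
# symbol archive described in the text.

# Map one flattened name such as "ntfs.pdb.sys" to the batch target
# "sys\ntfs.pdb". Prints nothing and returns 1 for names outside the pattern.
pdb_target() {
    case $1 in
        *.pdb.?*) ;;
        *) return 1 ;;
    esac
    ext=${1##*.pdb.}          # everything after the last ".pdb."
    base=${1%.pdb.*}.pdb      # everything before it, with ".pdb" restored
    printf '%s\\%s\n' "$ext" "$base"
}

# Emit a DOS batch file (CRLF line endings) on stdout: one "md EXT" per
# extension directory, then one "move" per PDB. Malformed names go to stderr
# as "BAD:NAME" and are skipped rather than stopping the whole run.
make_rename_bat() {
    for f in "$@"; do
        target=$(pdb_target "$f") || { printf 'BAD:%s\n' "$f" >&2; continue; }
        printf 'md %s\n' "${f##*.pdb.}"
        printf 'move /-y %s %s\n' "$f" "$target"
    done | sort -u | awk '{ printf "%s\r\n", $0 }'
}

# After rename.bat has been run, WinDbg needs at least sys\ntfs.pdb and
# exe\ntoskrnl.pdb under the symbol root. Returns 1 and names the first
# missing file if the layout is incomplete.
check_required_pdbs() {
    root=$1
    for rel in sys/ntfs.pdb exe/ntoskrnl.pdb; do
        [ -f "$root/$rel" ] || { printf 'missing: %s\n' "$rel" >&2; return 1; }
    done
}

# Constructed sample listing; README.txt stands in for a stray non-PDB file.
# Redirect stdout to rename.bat to use the result on the Windows side.
make_rename_bat ntfs.pdb.sys ntoskrnl.pdb.exe cdfs.pdb.sys README.txt
```

Because `sort -u` orders the `md` lines before the `move` lines, the batch creates every directory before any move runs, which is the same ordering trick the one-liner above relies on.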
After the steps described below, your target should be successfully connected.
You must use the following options on your c:\boot.ini command line:
/debug /debugport=COM1 /baudrate=115200
After booting, this boot.ini entry should freeze early in the boot if no WinDbg is waiting in the other virtual machine.