Jan Kratochvil
Captive: The first free NTFS read/write filesystem for GNU/Linux



Reverse Engineering

This project has no intention of reverse engineering and documenting the filesystem data structures themselves, since they are encapsulated by the filesystem driver. For this reason the resources available in projects such as Linux NTFS are of no use here. The goal of this project is to provide a fully compatible API interface to the rest of the W32 system, persuading the filesystem driver that it is running in a native Microsoft Windows XP environment.

All W32 filesystem drivers run in the W32 kernel address space, and this area of the W32 API is poorly documented by Microsoft. Some API functions are not documented at all, and others are documented insufficiently for the reimplementation from scratch that may be needed. The documentation consulted consists primarily of the MSDN (Microsoft Developer Network) Kernel-Mode Driver Architecture: Windows DDK documentation, together with various third-party resources such as The NT Cache Manager Description, Learn About NT's File-system Cache and the NT File System Developers mailing list archives, supplemented by fulltext Internet searches from case to case.

Sometimes no sufficient documentation was found, and some code behaviour had to be reverse engineered directly from the binaries of ntoskrnl.exe, cdfs.sys, fastfat.sys and, primarily, ntfs.sys. So far the code has been disassembled with IDA Freeware and with dumpbin.exe from Microsoft Visual Studio. dumpbin.exe is fortunately able to interpret debug symbols from W32 .PDB (Program DataBase) debug information files.


You should use the following options for dumpbin.exe:

dumpbin.exe /all /rawdata:none /disasm /pdbpath:verbose FILENAME.SYS

You should see the following line in the output:

PDB file found at '.\FILENAME.pdb'
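The "PDB file found" match works because a W32 binary carries a CodeView RSDS record (PDB GUID, age and path) that dumpbin.exe and WinDbg compare against the .pdb; the same GUID and age also form the directory name a symbol store is asked for. The following Python is an added example, not code from this page or from Captive: it sweeps a constructed sample blob for RSDS records and derives the symbol-store path; the GUID, the age of 2 and the surrounding bytes are constructed sample values.

```python
import struct
import uuid

RSDS_MAGIC = b"RSDS"  # CodeView 7.0 signature preceding GUID, age and PDB path


def parse_rsds(blob, offset=0):
    """Parse the RSDS record starting at blob[offset]; returns (guid, age, pdb_path)."""
    if blob[offset:offset + 4] != RSDS_MAGIC or len(blob) < offset + 24:
        raise ValueError("no complete RSDS record at offset %d" % offset)
    # GUID is stored Windows-style: Data1/2/3 little-endian, Data4 as raw bytes
    guid = uuid.UUID(bytes_le=bytes(blob[offset + 4:offset + 20]))
    (age,) = struct.unpack_from("<I", blob, offset + 20)
    end = blob.index(b"\0", offset + 24)  # ValueError if the path is not NUL-terminated
    pdb_path = blob[offset + 24:end].decode("ascii", errors="replace")
    return guid, age, pdb_path


def symbol_store_path(guid, age, pdb_path):
    """Relative path a symbol store (local directory or a symbol server) is asked for:
    NAME.pdb/<GUID as 32 upper-case hex digits><age in hex>/NAME.pdb."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return "%s/%s%X/%s" % (name, guid.hex.upper(), age, name)


def find_rsds_records(blob):
    """Sweep an arbitrary binary for RSDS records, skipping false hits ('RSDS' inside plain data)."""
    records = []
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        try:
            records.append(parse_rsds(blob, pos))
        except ValueError:
            pass
        pos = blob.find(RSDS_MAGIC, pos + 4)
    return records


# Constructed sample: padding, one record for ntfs.pdb with a made-up GUID and age 2, trailing bytes.
SAMPLE_GUID = uuid.UUID("12345678-9abc-def0-1122-334455667788")
SAMPLE_BLOB = (b"\0" * 16 + RSDS_MAGIC + SAMPLE_GUID.bytes_le + struct.pack("<I", 2)
               + b"ntfs.pdb\0" + b"\xff" * 8)

if __name__ == "__main__":
    for guid, age, path in find_rsds_records(SAMPLE_BLOB):
        print("PDB %s  GUID %s  age %d" % (path, guid, age))
        print("symbol store path: " + symbol_store_path(guid, age, path))
```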

WinDbg Windows NT kernel debugging

WinDbg is downloadable from: http://www.microsoft.com/whdc/ddk/debugging/installx86.mspx

This is (the only?) tool able to debug filesystem drivers including ntfs.sys. You will need two computers running Microsoft Windows: one computer runs WinDbg while the other one is frozen in remote Windows NT kernel debug mode. It does not matter which Microsoft Windows version runs on the WinDbg side. Your goal is to successfully connect WinDbg:

WinDbg Remote NT Kernel NTFS Debugging


The easiest way to set up two computers is to use the commercial VMware Workstation, which can run two virtual machines simultaneously on a single PC and connect them through a virtual serial port provided by VMware.

WinDbg side setup

VMware virtual serial port of WinDbg side


You should set up WinDbg according to:

Port settings of WinDbg


Symbols files location of WinDbg


Symbols should point to the directory containing the files extracted from the symbol archive for your version of Microsoft Windows. For the recommended Microsoft Windows XP Service Pack 1 Checked Build you should use: http://msdl.microsoft.com/download/symbols/packages/windowsxp/xpsp1sym_x86_chk.exe

# Rename the xpsp1sym_x86_chk.exe contents (NAME.pdb.EXT) to EXT\NAME.pdb for WinDbg.
# Run in the directory with the extracted files; the output is a DOS batch file (CRLF line ends).
for i in *.pdb*; do
    ext="`echo "$i" | sed 's/^.*\.pdb\.\(.*\)$/\1/'`"
    # a file not matching NAME.pdb.EXT would be moved to a wrong place: stop instead
    if [ "$i" = "$ext" ]; then echo "BAD:$i"; break; fi
    base="`echo "$i" | sed 's/\(\.pdb\)\..*$/\1/'`"
    echo "md $ext"
    echo "move /-y $i $ext\\$base"
done | sort -u | sed 's/$/'"`printf '\r'`"'/' >/tmp/rename.bat

The resulting rename.bat for xpsp1sym_x86_chk.exe can be found at: xpsp1sym_x86_chk-rename.bat.zip (26.1KB)

The resulting directory should contain at least sys\ntfs.pdb and exe\ntoskrnl.pdb.

Your successfully connected target (after the steps described below) should look like:

Successfully connected WinDbg


Setup of the side being kernel-debugged

VMware virtual serial port of the side being kernel-debugged


You must use the following options in your c:\boot.ini command-line:

/debug /debugport=COM1 /baudrate=115200

After booting, this boot.ini entry should freeze at this point (if no WinDbg is waiting in the other virtual machine):

Side being kernel-debugged waiting for WinDbg



