bpb.cpp

含：分析物理磁盘的分区表和各分区的bootsector for bitlocker以及WINDOWS下设备枚举.

	
	printf("\n\ndump_BIOS_PARAMETER_BLOCK ...");	
	printf(dispFormatStr, "Jumpto", bin2string(3, pBPB->Jumpto));
	printf(dispFormatStr, "OemID", getString(8, pBPB->OemID));
	printf(dispFormatInt, "BytesPerSector", pBPB->BytesPerSector);		
	printf(dispFormatInt, "SectorsPerCluster", pBPB->SectorsPerCluster);
	printf(dispFormatInt, "ReservedSectors", pBPB->ReservedSectors);
	printf(dispFormatInt, "NumberOfFats", pBPB->NumberOfFats);
	printf(dispFormatInt, "RootEntry", pBPB->RootEntry);
	printf(dispFormatInt, "TotalSectors", pBPB->TotalSectors);
	printf(dispFormatInt, "MediaType", pBPB->MediaType);
	printf(dispFormatInt, "SectorsPerFat", pBPB->SectorsPerFat);
	printf(dispFormatInt, "SectorsPerTrack", pBPB->SectorsPerTrack);
	printf(dispFormatInt, "Heads", pBPB->Heads);
	printf(dispFormatInt, "HiddenSectors", pBPB->HiddenSectors);
	printf(dispFormatInt, "LargeSectors", pBPB->LargeSectors);	
	
	printf(dispFormatIntD, "ClusterSize(B)", pBPB->SectorsPerCluster * pBPB->BytesPerSector);	
	printf(dispFormatIntD, "TrackSize(B)", pBPB->SectorsPerTrack * pBPB->BytesPerSector);
	
	totalSize = pBPB->SectorsPerFat;
	totalSize *= pBPB->BytesPerSector;
	printf(dispFormatIntL, "FatTableSize(B)", totalSize);
		
	totalSize = pBPB->TotalSectors ? pBPB->TotalSectors : pBPB->LargeSectors;
	//totalSize += pBPB->ReservedSectors;
	totalSize *= pBPB->BytesPerSector;
	totalSize /=1024;
	printf(dispFormatIntL, "TotalSize(KB)", totalSize);	
}	

void dump_FAT16_SECTION(FAT16_SECTION *pFat16Section)
{
	if(pFat16Section == NULL)
		return;
	printf("\n\ndump_FAT16_SECTION ...");	
	printf(dispFormatInt, "DriveType", pFat16Section->DriveType);	
	printf(dispFormatInt, "Reserved", pFat16Section->Reserved);	
	printf(dispFormatInt, "ExtBootSignature", pFat16Section->ExtBootSignature);	
	printf(dispFormatInt, "VolumeSerialNumber", pFat16Section->VolumeSerialNumber);	
	printf(dispFormatStr, "VolumeLabel", bin2string(11, pFat16Section->VolumeLabel));	
	printf(dispFormatStr, "FileSystem", bin2string(8, pFat16Section->FileSystem));			
}

void dump_FAT32_SECTION(FAT32_SECTION *pFat32Section)
{
	FAT16_SECTION *pFat16Section;
	if(pFat32Section == NULL)
		return;
	printf("\n\ndump_FAT32_SECTION ...");	
	printf(dispFormatInt, "SectorsPerFat", pFat32Section->SectorsPerFat);	
	printf(dispFormatInt, "Flags", pFat32Section->ExtendFlags);	
	printf(dispFormatInt, "Version", pFat32Section->Version);	
	printf(dispFormatInt, "RootDir1st", pFat32Section->RootDir1st);	
	printf(dispFormatInt, "FsInfoSector", pFat32Section->FsInfoSector);	
	printf(dispFormatInt, "BackupBootSector", pFat32Section->BackupBootSector);	
	printf(dispFormatStr, "reserved", bin2string(12, pFat32Section->reserved));
	pFat16Section = (FAT16_SECTION *)&pFat32Section[1];
	dump_FAT16_SECTION(pFat16Section);
}

void dumpBootBlockFat(unsigned char *buffer)
{
	BIOS_PARAMETER_BLOCK *pBPB;
	FAT16_SECTION *pFat16Section;
	FAT32_SECTION *pFat32Section;
	
	pBPB = (BIOS_PARAMETER_BLOCK *)buffer;
	dump_BIOS_PARAMETER_BLOCK(pBPB);
	
	pFat16Section = (FAT16_SECTION *)&pBPB[1];
	pFat32Section = (FAT32_SECTION *)&pBPB[1];
	if((pFat16Section->ExtBootSignature==0x28)||(pFat16Section->ExtBootSignature==0x29))
	{
		dump_FAT16_SECTION(pFat16Section);
	}
	else
	{
		dump_FAT32_SECTION(pFat32Section);
	}
}
			
void dumpBootBlock(BOOT_BLOCK *pBB)
{
	if(pBB == NULL)
		return;
	
	printf("\n\ndumpBootBlock ...");	
	printf(dispFormatStr, "Jump", bin2string(3, pBB->Jump));
	printf(dispFormatStr, "Format", getString(8, pBB->Format));	
	printf(dispFormatInt, "BytesPerSector", pBB->BytesPerSector );
	printf(dispFormatInt, "SectorsPerCluster", pBB->SectorsPerCluster );
	printf(dispFormatInt, "BootSectors", pBB->BootSectors );
	printf(dispFormatInt, "Mbz1", pBB->Mbz1 );
	printf(dispFormatInt, "Mbz2", pBB->Mbz2 );
	printf(dispFormatInt, "Reserved1", pBB->Reserved1 );
	printf(dispFormatInt, "MediaType", pBB->MediaType );
	printf(dispFormatInt, "Mbz3", pBB->Mbz3 );
	printf(dispFormatInt, "SectorsPerTrack", pBB->SectorsPerTrack );
	printf(dispFormatInt, "NumberOfHeads", pBB->NumberOfHeads );
	printf(dispFormatInt, "PartitionOffset", pBB->PartitionOffset );
	printf(dispFormatInt, "Reserved2.0", pBB->Reserved2[0] );
	printf(dispFormatInt, "Reserved2.1", pBB->Reserved2[1] );
	printf(dispFormatIntH, "TotalSectors", pBB->TotalSectors );
	printf(dispFormatIntH, "MftStartLcn", pBB->MftStartLcn );
	printf(dispFormatIntH, "Mft2StartLcn", pBB->Mft2StartLcn );
	printf(dispFormatInt, "ClustersPerFileRecord", pBB->ClustersPerFileRecord );
	printf(dispFormatInt, "ClustersPerIndexBlock", pBB->ClustersPerIndexBlock );
	printf(dispFormatIntH, "VolumeSerialNumber", pBB->VolumeSerialNumber );	
	printf(dispFormatInt, "CheckSum", pBB->CheckSum );
	
	//printf(dispFormatInt, "Code", pBB->Code );	
	printf(dispFormatInt, "BootSignature", pBB->BootSignature );	
}

void dumpDiskPartInfo(DISK_PART *pDiskPart)
{
	if(pDiskPart == NULL)
		return;
		
	printf("\n\ndumpDiskPartInfo ...");	
	printf(dispFormatInt, "Flag", pDiskPart->Flag);
	if(pDiskPart->Flag == 0x80)
		printf(" (Active)");
	printf(dispFormatInt, "StartTrack", pDiskPart->StartTrack);
	printf(dispFormatInt, "StartSector", pDiskPart->StartSector);
	printf(dispFormatInt, "StartCylinder", pDiskPart->StartCylinder);
	printf(dispFormatInt, "SysFlag", pDiskPart->SysFlag);
	printf(dispFormatInt, "EndTrack", pDiskPart->EndTrack);
	printf(dispFormatInt, "EndSector", pDiskPart->EndSector);	
	printf(dispFormatInt, "EndCylinder", pDiskPart->EndCylinder);	
	printf(dispFormatInt, "SectorAddress", pDiskPart->SectorAddress);	
	printf(dispFormatInt, "NumberOfSector", pDiskPart->NumberOfSector);	
	
	printf("\n  DiskSize: %3d,%03d(MB)",pDiskPart->NumberOfSector/2/1024/1000, (pDiskPart->NumberOfSector/2/1024)%1000);

}
		
void dumpBPB(BPB *pBpb)
{
	if(pBpb == NULL)
		return;
		
	printf("\n\ndumpBPB ...");		
	printf(dispFormatStr, "Signature", getString(8, pBpb->Signature));
	printf(dispFormatInt, "BytesPerSector", pBpb->BytesPerSector);
	printf(dispFormatInt, "SectorsPerCluster", pBpb->SectorsPerCluster);
	printf(dispFormatInt, "ReservedClusters", pBpb->ReservedClusters);
	printf(dispFormatInt, "FatCount", pBpb->FatCount);
	printf(dispFormatInt, "RootEntries", pBpb->RootEntries);
	printf(dispFormatInt, "Sectors", pBpb->Sectors);
	printf(dispFormatInt, "MediaType", pBpb->MediaType);
	printf(dispFormatInt, "SectorsPerFat", pBpb->SectorsPerFat);	
	printf(dispFormatInt, "SectorsPerTrack", pBpb->SectorsPerTrack);
	printf(dispFormatInt, "NumberOfTrackHead", pBpb->NumberOfTrackHead);
	printf(dispFormatInt, "NumberOfHiddenSectors", pBpb->NumberOfHiddenSectors);
	printf(dispFormatInt, "LargeSectors", pBpb->LargeSectors);	
	printf(dispFormatInt, "NumberOfPhyDriver", pBpb->NumberOfPhyDriver);
	printf(dispFormatInt, "SignOfExtBoot", pBpb->SignOfExtBoot);
	printf(dispFormatInt, "SerialOfVolume", pBpb->SerialOfVolume);
	printf(dispFormatStr, "LabelOfVolume", bin2string(11, pBpb->LabelOfVolume));	
	printf(dispFormatInt, "SerialOfFileSystem", pBpb->SerialOfFileSystem);
	printf(dispFormatInt, "MetadataLcn", pBpb->MetadataLcn[0]);
	printf(dispFormatInt, "MetadataLcn", pBpb->MetadataLcn[1]);				
}

void dumpBPB_NTFS(NTFS_BOOT_SECTOR *pBpb)
{
	if(pBpb == NULL)
		return;
		
	printf("\n\ndumpBPB_NTFS ...");	
	printf(dispFormatStr, "Jumpto", bin2string(3, pBpb->Jumpto));
	printf(dispFormatStr, "OemID", getString(8, pBpb->OemID));
	printf(dispFormatInt, "SecInByte", pBpb->SecInByte);
	printf(dispFormatInt, "SecPerClr", pBpb->SecPerClr);	
	printf(dispFormatInt, "ResSct", pBpb->ResSct);	
	printf(dispFormatStr, "NtRevers0", bin2string(5, pBpb->NtRevers0));
	printf(dispFormatInt, "FormatID", pBpb->FormatID);	
	printf(dispFormatInt, "SecPerFat", pBpb->SecPerFat);	
	printf(dispFormatInt, "SecPerTrk", pBpb->SecPerTrk);	
	printf(dispFormatInt, "Sides", pBpb->Sides);	
	printf(dispFormatInt, "Hsector", pBpb->Hsector);	
	printf(dispFormatInt, "BigTotalSec", pBpb->BigTotalSec);	
	printf(dispFormatInt, "BigSecPerFat", pBpb->BigSecPerFat);	
	printf(dispFormatInt, "TotalSecLow", pBpb->TotalSecLow);	
	printf(dispFormatInt, "TotalSecHigh", pBpb->TotalSecHigh);	
	printf(dispFormatInt, "MftBeginClustL", pBpb->MftBeginClustL);	
	printf(dispFormatInt, "MftBeginClustH", pBpb->MftBeginClustH);	
	printf(dispFormatInt, "MirBeginClustL", pBpb->MirBeginClustL);	
	printf(dispFormatInt, "MirBeginClustH", pBpb->MirBeginClustH);
	printf(dispFormatInt, "ClustPerRec", pBpb->ClustPerRec);
	printf(dispFormatInt, "ClustPerIndex", pBpb->ClustPerIndex);
	printf(dispFormatInt, "NtSerialNoL", pBpb->NtSerialNoL);
	printf(dispFormatInt, "NtSerialNoH", pBpb->NtSerialNoH);
	printf(dispFormatInt, "NtCheckSum", pBpb->NtCheckSum);
}

int detectBitLockDriver(BPB *pBpb)
{

	if(pBpb == NULL)
		return 0;
		
	if((!memcmp(pBpb->Signature,"-FVE-FS-", 8)) /*|| (!memcmp(pBpb->Signature,"NTFS", 4))*/ )
		if((pBpb->SectorsPerCluster==1) || (pBpb->SectorsPerCluster==2) || 
		   (pBpb->SectorsPerCluster==4) || (pBpb->SectorsPerCluster==8) || 
		   (pBpb->SectorsPerCluster==0x10) || (pBpb->SectorsPerCluster==0x20) || 
		   (pBpb->SectorsPerCluster==0x40) || (pBpb->SectorsPerCluster==0x80))
		   if(pBpb->ReservedClusters==0)
			   if(pBpb->FatCount==0)
				   if(pBpb->RootEntries==0)
					   if(pBpb->Sectors==0)
						   if(pBpb->SectorsPerFat==0)
							   if(pBpb->LargeSectors==0)
							   		return 1;
							   	else
							   		printf("\n  pBpb->LargeSectors = %d", pBpb->LargeSectors);
							else
								printf("\n  pBpb->SectorsPerFat = %d", pBpb->SectorsPerFat);
						else
							printf("\n  pBpb->Sectors = %d", pBpb->Sectors);
					else
						printf("\n  pBpb->RootEntries = %d", pBpb->RootEntries);
				else
					printf("\n  pBpb->FatCount = %d", pBpb->FatCount);
			else
				printf("\n  pBpb->ReservedClusters = %d", pBpb->ReservedClusters);
		else
			printf("\n  pBpb->SectorsPerCluster = %d", pBpb->SectorsPerCluster);	
	else
		printf("\n  pBpb->Signature = %s", bin2string(8, pBpb->Signature));
																		
	return 0;	
}