[File] [PATCH] of Magdir/filesystems for 2nd NTFS sector; update+extensions *.bin

Sat Apr 20 22:11:40 UTC 2019

Hello,

some days ago i run file command version 5.36 on sets of second NTFS
file system sectors (*-2.bin). Most are identified by rules inside
Magdir/filesystems based on infos on
https://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm
Unfortunately some like ramdisc150MB-2.bin are not detected and i got an
output like:

hda10-2.bin:        Microsoft Windows XP/VISTA bootloader NTLDR
hda2-CMLDR-2.bin:   Microsoft Windows XP/VISTA bootloader CMLDR
hdb2-ldr-2.bin:     Microsoft Windows XP/VISTA bootloader $LDR$
hde3-peboot-2.bin:  Microsoft Windows XP/VISTA bootloader PELDR
ramdisc150MB-2.bin: data
ramdisc150MB.bin:   DOS/MBR boot sector, code offset 0x52+2,
 OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8,
 sectors/track 32, heads 64, hidden sectors 128,
 dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor)
 ; NTFS, sectors/track 32, sectors 301055, $MFT start cluster 12544,
 $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246),
 clusters/index block 1, serial number 0809e9bb79e9ba3e6
hda10-NTLDR.bin:    DOS/MBR boot sector, code offset 0x52+2,
 OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8,
 sectors/track 63, heads 255, hidden sectors 63,
 dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor)
 ; NTFS, sectors/track 63, sectors 43712801, $MFT start cluster 786432,
 $MFTMirror start cluster 2732050, bytes/RecordSegment 2^(-1*246),
 clusters/index block 1, serial number 0de4c15b94c158d81
 ; containsMicrosoft Windows XP/VISTA bootloader NTLDR

Furthermore with --extension option only ??? is displayed.

In Microsoft's sector recognition starts with looking for byte sequences
for assembler instructions short JUMP y2;NOP;NOP
 0x056		ulelong&0xFFFF0FFF	0x909002EB
Unfortunately some are not detected, because there other jump
instructions instead Jump 12h; nop; nop (0xEB129090) is used.
I am not an assembler programmer. So i am not able to understand
what is going on in these unusual sectors.
These sectors are found on NTFS formatted RAM discs created by
software found on
http://memory.dataram.com/products-and-services/software/ramdisk
This starts with other jump instruction "JMP C000;NOP". This is
expressed by line
 0x056		ulelong			0x9000c0e9	NTFS
Afterward now print filename extension by line
 !:ext		bin
Afterwards for both call sub routine to check for more characteristics
of second NTFS sector and then display loader name
 >0		use		ntfs-sector2
 0		name		ntfs-sector2
There now first check for number of utf16 characters of loader name by line
 >0		uleshort	<8
Then again check for jump instructions, because subroutine can be called
from other places by line
 >>0x056		ulelong&0xFF0000FD	0x900000E9
Now display UTF16 loader names like NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR.
First display 5 characters by line
 >>>0x002		lestring16	x	bootstrap %-5.5s
For loader name like BOOTMGR check for 7 character length and then
display remaining 2 characters by line
 >>>0		uleshort	7
 >>>>0x0c	lestring16	x	\b%-2.2s

I also changed text to something like "bootstrap NTLDR" instead
"Microsoft Windows XP/VISTA bootloader NTLDR" because the meaning was
misleading. The code in first NTFS sectors is something like first stage
boot loader part, which then loads second stage loader like NTLDR.

Normally second NTFS sectors is not stored alone, but is comes after 512
byte sized DOS boot sector as part of NFTS file system. This was done by
 looking for jump instructions part by lines
 >>>>>>>>>0x258	ulelong&0x00009090	=0x00009090
 >>>>>>>>>>&-92		indirect	x	\b; contains
Now i changed order of recognition magic lines. So look for UTF16 loader
name termination sequences CTRL-D and $. First make a jump with boot
loader name size by
 >>>>>>>>>(0x200.s*2)	ubyte				x
Then jump 1 block forward into second NTFS sector and check for
terminating bytes sequences by line
 >>>>>>>>>>&0x1FF ulequad&0x0000FFffFFffFF00 0x0000002400040000
If 2nd NTFS sector is found then assume whole NTFS file system.
This gets other file name extension, expressed by line
 !:ext		img/bin/ntfs
Then call new sub routine by line
 >>>>>>>>>>>0x200	use	 		ntfs-sector2

After applying the above mentioned modifications by patch
file-5.36-filesystem-ntfs2.diff then all inspected examples are now
described like:

hda10-2.bin:        NTFS bootstrap NTLDR
hda2-CMLDR-2.bin:   NTFS bootstrap CMLDR
hdb2-ldr-2.bin:     NTFS bootstrap $LDR$
hde3-peboot-2.bin:  NTFS bootstrap PELDR
ramdisc150MB-2.bin: NTFS bootstrap BOOTMGR
ramdisc150MB.bin:   DOS/MBR boot sector, code offset 0x52+2,
 OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8,
 sectors/track 32, heads 64, hidden sectors 128,
 dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor)
 ; NTFS, sectors/track 32, sectors 301055, $MFT start cluster 12544,
 $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246),
 clusters/index block 1, serial number 0809e9bb79e9ba3e6
 ; contains bootstrap BOOTMGR
hda10-NTLDR.bin:    DOS/MBR boot sector, code offset 0x52+2,
 OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8,
 sectors/track 63, heads 255, hidden sectors 63,
 dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor)
 ; NTFS, sectors/track 63, sectors 43712801, $MFT start cluster 786432,
 $MFTMirror start cluster 2732050, bytes/RecordSegment 2^(-1*246),
 clusters/index block 1, serial number 0de4c15b94c158d81
 ; contains bootstrap NTLDR


I hope my diff file can be applied in future version of file utility.

With best wishes
Jörg Jenderek





















-------------- next part --------------

--- file-5.36/magic/Magdir/filesystems.old	2018-12-10 21:06:53 +0000
+++ file-5.36/magic/Magdir/filesystems	2019-04-20 18:58:36 +0000
@@ -1541,14 +1541,35 @@
 #>>>>>>>>>80	ulelong		=0		\b, checksum 0x%x=0 (usual)
->>>>>>>>>0x258	ulelong&0x00009090	=0x00009090
->>>>>>>>>>&-92		indirect	x	\b; contains
-# For 2nd NTFS sector added by Joerg Jenderek at Jan 2013
+# unicode loadername size jump
+>>>>>>>>>(0x200.s*2)	ubyte				x
+# in next sector loadername terminated by unicode CTRL-D and $
+>>>>>>>>>>&0x1FF	ulequad&0x0000FFffFFffFF00	0x0000002400040000 \b; contains
+# if 2nd NTFS sectors is found then assume whole filesystem
+#!:mime		application/x-raw-disk-image
+!:ext		img/bin/ntfs
+>>>>>>>>>>>0x200	use				ntfs-sector2
+
+# For 2nd NTFS sector added by Joerg Jenderek at Jan 2013, Mar 2019
 # http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm
-# unused assembler instructions JMP y2;NOP;NOP
-0x056		ulelong&0xFFFF0FFF	0x909002EB
-# unicode loadername terminated by CTRL-D
->(0.s*2)	ulelong&0xFFFFFF00	0x00040000
+# unused assembler instructions short JMP y2;NOP;NOP
+0x056		ulelong&0xFFFF0FFF	0x909002EB	NTFS
+#!:mime		application/octet-stream
+!:ext		bin
+>0		use		ntfs-sector2
+# http://memory.dataram.com/products-and-services/software/ramdisk
+# assembler instructions JMP C000;NOP
+0x056		ulelong			0x9000c0e9	NTFS
+#!:mime		application/octet-stream
+!:ext		bin
+>0		use		ntfs-sector2
+# check for characteristics of second NTFS sector and then display loader name
+0		name		ntfs-sector2
+# number of utf16 characters of loadername
+>0		uleshort	<8
+# unused assembler instructions JMP y2;NOP;NOP or JMP C000;NOP
+>>0x056		ulelong&0xFF0000FD	0x900000E9
 # loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR
->>0x002		lestring16	x	Microsoft Windows XP/VISTA bootloader %-5.5s
->>0x12		string		$
->>>0x0c		lestring16	x	\b%-2.2s
+>>>0x002		lestring16	x	bootstrap %-5.5s
+# check for 7 character length of loader name like BOOTMGR
+>>>0		uleshort	7
+>>>>0x0c	lestring16	x	\b%-2.2s
 ### DOS,NTFS boot sectors end
