searchSignature

 
#include <windows.h>
#include <winioctl.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
  4
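/* Sizes that bound the command-line signature and the device name. */
enum {
    SECTOR_SIZE = 512,          /* bytes per sector assumed by this tool */
    MAX_SIGNATURE_PAIRS = 512,  /* at most one (offset, value) pair per sector byte */
    DEVICE_NAME_LEN = 64        /* "\\.\PhysicalDrive" plus a decimal int fits */
};

/* One byte of the signature: the value expected at `offset` within a sector. */
struct sig_byte {
    unsigned offset;      /* 0 .. SECTOR_SIZE-1, validated when parsed */
    unsigned char value;  /* 0 .. 255, validated when parsed */
};

/*
 * Parse a non-negative decimal integer no larger than `max`.
 *
 * Returns 0 and stores the value in *out on success; -1 when the string is
 * empty, negative, has trailing junk, overflows, or exceeds `max`.
 * Replaces atoi/atoll, which return 0 or wrap silently on bad input and
 * previously let a negative or huge offset index outside the sector buffer.
 */
static int parse_unsigned(const char *s, unsigned long long max,
                          unsigned long long *out)
{
    if (s == NULL || *s == '\0' || *s == '-') {
        return -1;
    }
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v > max) {
        return -1;
    }
    *out = v;
    return 0;
}

/*
 * Parse one (offset, value) pair of the signature.
 * Returns 0 on success, -1 if either number is malformed, the offset is not
 * inside a sector, or the value does not fit in a byte (a value > 255 could
 * never match and was previously accepted silently).
 */
static int parse_pair(const char *offset_arg, const char *value_arg,
                      struct sig_byte *out)
{
    unsigned long long offset = 0;
    unsigned long long value = 0;
    if (parse_unsigned(offset_arg, SECTOR_SIZE - 1, &offset) != 0) {
        return -1;
    }
    if (parse_unsigned(value_arg, 0xFF, &value) != 0) {
        return -1;
    }
    out->offset = (unsigned)offset;
    out->value = (unsigned char)value;
    return 0;
}

/*
 * Return non-zero when every signature byte matches `sector`, which must
 * point at SECTOR_SIZE readable bytes.  Offsets were bounds-checked at parse
 * time, so no index here can leave the sector.  Unlike the original scan, an
 * offset of 0 is an ordinary offset rather than an end-of-signature marker.
 */
static int sector_matches(const unsigned char *sector,
                          const struct sig_byte *sig, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (sector[sig[i].offset] != sig[i].value) {
            return 0;
        }
    }
    return 1;
}

/*
 * RawSearch drive skip block_size offset value [offset value ...]
 *
 * Reads \\.\PhysicalDrive<drive> starting at sector `skip`, `block_size`
 * sectors at a time, and prints the number of every sector whose bytes match
 * all (offset, value) pairs.  The device is opened read-only with read/write
 * sharing; raw device access normally requires an elevated process.
 *
 * Returns 0 when the scan reaches the end of the device, 1 on a usage,
 * parse, open, allocation, seek or read error.
 */
int main(int argc, char *argv[])
{
    int rc = 1;
    HANDLE rawDevice = INVALID_HANDLE_VALUE;
    unsigned char *buffer = NULL;
    size_t blockBytes = 0;
    LARGE_INTEGER pos;
    unsigned long long currentSector = 0;
    struct sig_byte signature[MAX_SIGNATURE_PAIRS];
    size_t pairCount = 0;
    char deviceName[DEVICE_NAME_LEN];

    /* argv[0] drive skip block_size, then whole pairs: argc even and >= 6. */
    if (argc < 6 || (argc & 1)) {
        printf("Error: Incorrect usage.");
        printf("\n\
Usage:\n\
        %s drive skip block_size [signature]\n\
\n\
        drive:          0 for PhysicalDrive0, 1 for PhysicalDrive1 etc\n\n\
        skip:           Number of sectors to skip\n\n\
        block_size:     Sectors to read at a time\n\n\
        signature:      What to look for in the sectors. Pairs\n\
                        of numbers are expected, the first number being the\n\
                        offset within the sector and the second one being the\n\
                        value.\n\n", argv[0]);
        return 1;
    }

    unsigned long long drive = 0;
    unsigned long long skip = 0;
    unsigned long long blockSectors = 0;
    if (parse_unsigned(argv[1], INT_MAX, &drive) != 0) {
        printf("drive must be a non-negative integer\n");
        return 1;
    }
    /* skip*SECTOR_SIZE must fit the signed 64-bit file position. */
    if (parse_unsigned(argv[2], LLONG_MAX / SECTOR_SIZE, &skip) != 0) {
        printf("skip must be a non-negative sector number\n");
        return 1;
    }
    /* ReadFile takes a DWORD byte count, so the block is bounded to fit it;
     * this also keeps blockBytes from overflowing the malloc size. */
    if (parse_unsigned(argv[3], 0xFFFFFFFFull / SECTOR_SIZE, &blockSectors) != 0) {
        printf("sectors per block must be a positive integer no larger than %llu\n",
               0xFFFFFFFFull / SECTOR_SIZE);
        return 1;
    }
    if (blockSectors < 1) {
        printf("sectors per block must be greater than 0\n");
        return 1;
    }

    /* Each pair is bounds-checked; the fixed-size table cannot be overrun. */
    for (int i = 4; i + 1 < argc; i += 2) {
        if (pairCount == MAX_SIGNATURE_PAIRS) {
            printf("Too many signature pairs (maximum %d)\n", MAX_SIGNATURE_PAIRS);
            return 1;
        }
        if (parse_pair(argv[i], argv[i + 1], &signature[pairCount]) != 0) {
            printf("Bad signature pair '%s %s': offset must be 0..%d, value 0..255\n",
                   argv[i], argv[i + 1], SECTOR_SIZE - 1);
            return 1;
        }
        printf("%u -> %u\n", signature[pairCount].offset,
               (unsigned)signature[pairCount].value);
        pairCount++;
    }

    int nameLen = snprintf(deviceName, sizeof deviceName,
                           "\\\\.\\PhysicalDrive%d", (int)drive);
    if (nameLen < 0 || (size_t)nameLen >= sizeof deviceName) {
        printf("Device name too long\n");
        return 1;
    }

    /*
     * The original call passed the FILE_SHARE_* flags in the dwDesiredAccess
     * slot and 0 as dwShareMode, which appears to be why it needed "both read
     * and write" to succeed.  A search only reads, so request GENERIC_READ and
     * grant read/write sharing so the open does not demand exclusive access.
     */
    rawDevice = CreateFileA(deviceName,
                            GENERIC_READ,
                            FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL,           /* default security attributes */
                            OPEN_EXISTING,  /* the device must already exist */
                            0,              /* file attributes */
                            NULL);          /* no template file */
    if (rawDevice == INVALID_HANDLE_VALUE) {
        printf("Could not open the device (error %lu)\n", GetLastError());
        return 1;
    }
    printf("%s has been opened successfully\n", deviceName);

    blockBytes = (size_t)blockSectors * SECTOR_SIZE;
    buffer = malloc(blockBytes);
    if (buffer == NULL) {
        printf("Could not allocate the buffer\n");
        goto out_close;
    }

    /* Seek by byte offset; the sector counter below stays in sectors so the
     * reported sector numbers are not mixed with byte offsets. */
    pos.QuadPart = (LONGLONG)(skip * SECTOR_SIZE);
    if (!SetFilePointerEx(rawDevice, pos, NULL, FILE_BEGIN)) {
        printf("Could not seek to sector %llu (error %lu)\n", skip, GetLastError());
        goto out_free;
    }

    currentSector = skip;
    for (;;) {
        DWORD bytesRead = 0;
        if (!ReadFile(rawDevice, buffer, (DWORD)blockBytes, &bytesRead, NULL)) {
            printf("Error while reading\n");
            goto out_free;
        }
        /* A successful zero-byte read is end of device; looping on it would
         * never terminate. */
        if (bytesRead == 0) {
            break;
        }
        /* Only whole sectors are scanned; a trailing partial sector is dropped. */
        size_t sectorsInBlock = bytesRead / SECTOR_SIZE;
        for (size_t s = 0; s < sectorsInBlock; s++) {
            if (sector_matches(buffer + s * SECTOR_SIZE, signature, pairCount)) {
                printf("Sector number %016llX matched the signature\n",
                       currentSector + s);
            }
        }
        currentSector += sectorsInBlock;
        /* A short read is treated as the end of the device. */
        if (bytesRead < blockBytes) {
            break;
        }
    }
    rc = 0;

out_free:
    free(buffer);
out_close:
    CloseHandle(rawDevice);
    return rc;
}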