A Disk
Editor View of
the NTFS Boot Sector
and "Bootstrap Code"
for Windows 2000 and XP
[ Code from Windows 2000 (SP4 or
+) or Windows XP (SP2 or +) VBRs ]
Web Presentation and Text are Copyright © 2004, 2009 by
Daniel B. Sedory
NOT to be reproduced in any form without Permission of
the Author !
Like all previous MS Boot Records (all
the way back to MS-DOS 2.00), the first three bytes have often
been called the Jump Instruction. But only the first two
bytes (EB 52 in this case) have ever been used to form the actual
JMP (Jump) instruction* to the rest of the
executable x86 (PC) Assembly code; the third byte (90h)
is just a NOP instruction ('No Op' or do nothing). The next 8
bytes are the "OEM ID" or System Name ("NTFS"
and four blank spaces); followed by the BPB
(BIOS Parameter Block).
Although this _
NTFS BPB _ does have many fields
in common with the FAT16 and FAT32 Boot Records; such as Bytes
per Sector, Sectors per Cluster, etc. and even the old Media Descriptor
byte (F8), it does not contain either the "System ID"
or "Volume Label" fields, nor any system file names. You will,
however, find a number of system files such as NTOSKRNL.EXE and BOOT.INI mentioned
in the code which follows the initial Boot Sector; we'll have more to say about
that below.
Furthermore, the old 4-byte "Volume Serial
Number" has been replaced with a new eight-byte
NTFS Volume Serial Number (for more details on the NTFS BPB, see
the NTFS
Boot Record page).
Absolute Sector 63 (Cylinder 0, Head 1, Sector 1)
NTFS BPB "OEM ID"
| |
0 1 2 3 4 5 6 7 8 9 A B C| D E F |
0000: EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 .R.NTFS .....
0010: 00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00 ........?...?...
0020: 00 00 00 00 80 00 80 00 AE 39 D7 00 00 00 00 00 .........9......
0030: 04 00 00 00 00 00 00 00 8D EF 00 00 00 00 00 00 ................
0040: F6 00 00 00 01 00 00 00 FC 5D E1 A4 99 E1 A4 B4 .........]......
0050: 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07 .....3.....|....
0060: 8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00 ..........3.....
0070: 10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4 ..S.h..hj....$..
0080: 08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 ...s......f...@f
0090: 0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F .....?.......Af.
00A0: B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A ..f..f. ...A..U.
00B0: 16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01 .$...r...U.u....
00C0: 74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66 t......f`..f...f
00D0: 03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A ....f;. ...:..fj
00E0: 00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00 .fP.Sfh.....>...
00F0: 0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00 ........>.....a.
0100: B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07 .B..$.......fX[.
0110: 66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00 fXfX..-f3.f.....
0120: 66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36 f......f..f....6
0130: 1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8 ......$.........
0140: 01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66 ........... ...f
0150: FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61 ..........o...fa
0160: C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE ................
0170: B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 .....<.t........
0180: EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 .....A disk read
0190: 20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00 error occurred.
01A0: 0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69 ..NTLDR is missi
01B0: 6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F ng...NTLDR is co
01C0: 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73 mpressed...Press
01D0: 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F Ctrl+Alt+Del to
01E0: 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 restart........
01F0: 00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA ..............U.
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
The last 125 bytes of the Boot Record's first sector
contain Error Messages, the Message Offset
bytes and the Word-sized signature ID (or Magic
number) of AA55h. Remember that hex Words (numerical data
requiring more than a single byte) for Intel x86 CPUs are always stored in memory
with the Lowest-byte first and the Highest-byte last to make CPU processing
quicker!
Each Error Message begins with
the Hex bytes 0Dh
and 0Ah which are a
Carriage Return and Line Feed, and ends with a 00h
byte making these what's commonly known in various programming languages as
zero-terminated strings or 'sz' strings (the string plus a zero byte).
The six physical sectors directly following
the NTFS Boot Sector, contain the code which interfaces with the NTLDR
file in order to boot up an OS partition under Windows NT or 2000.
This code is still necessary when booting up a Windows XP or 2003
OS (even though the NTLDR file does not appear to exist anywhere in
these OS partitions).
The first sector of this Bootstrap Code
(which we've also called the NTLDR Section elsewhere) looks
like this (Hex offsets begin at start of NTLDR Section):
Absolute Sector 64 (Cylinder 0, Head 1, Sector 2)
Off. 0 1 2 3 4 5 6 7 8 9 A B C D E F
0000 05 00 4E 00 54 00 4C 00 44 00 52 00 04 00 24 00 ..N.T.L.D.R...$.
0010 49 00 33 00 30 00 00 E0 00 00 00 30 00 00 00 00 I.3.0......0....
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0050 00 00 00 00 00 00 EB 12 90 90 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 8C C8 8E D8 C1 E0 ................
0070 04 FA 8B E0 FB E8 03 FE 66 0F B7 06 0B 00 66 0F ........f.....f.
0080 B6 1E 0D 00 66 F7 E3 66 A3 4E 02 66 8B 0E 40 00 ....f..f.N.f..@.
0090 80 F9 00 0F 8F 0E 00 F6 D9 66 B8 01 00 00 00 66 .........f.....f
00A0 D3 E0 EB 08 90 66 A1 4E 02 66 F7 E1 66 A3 52 02 .....f.N.f..f.R.
00B0 66 0F B7 1E 0B 00 66 33 D2 66 F7 F3 66 A3 56 02 f.....f3.f..f.V.
00C0 E8 71 04 66 8B 0E 4A 02 66 89 0E 22 02 66 03 0E .q.f..J.f..".f..
00D0 52 02 66 89 0E 26 02 66 03 0E 52 02 66 89 0E 2A R.f..&.f..R.f..*
00E0 02 66 03 0E 52 02 66 89 0E 3A 02 66 03 0E 52 02 .f..R.f..:.f..R.
00F0 66 89 0E 42 02 66 B8 90 00 00 00 66 8B 0E 22 02 f..B.f.....f..".
0100 E8 5F 09 66 0B C0 0F 84 57 FE 66 A3 2E 02 66 B8 ._.f....W.f...f.
0110 A0 00 00 00 66 8B 0E 26 02 E8 46 09 66 A3 32 02 ....f..&..F.f.2.
0120 66 B8 B0 00 00 00 66 8B 0E 2A 02 E8 34 09 66 A3 f.....f..*..4.f.
0130 36 02 66 A1 2E 02 66 0B C0 0F 84 24 FE 67 80 78 6.f...f....$.g.x
0140 08 00 0F 85 1B FE 67 66 8D 50 10 67 03 42 04 67 ......gf.P.g.B.g
0150 66 0F B6 48 0C 66 89 0E 62 02 67 66 8B 48 08 66 f..H.f..b.gf.H.f
0160 89 0E 5E 02 66 A1 5E 02 66 0F B7 0E 0B 00 66 33 ..^.f.^.f.....f3
0170 D2 66 F7 F1 66 A3 66 02 66 A1 42 02 66 03 06 5E .f..f.f.f.B.f..^
0180 02 66 A3 46 02 66 83 3E 32 02 00 0F 84 1D 00 66 .f.F.f.>2......f
0190 83 3E 36 02 00 0F 84 C8 FD 66 8B 1E 36 02 1E 07 .>6......f..6...
01A0 66 8B 3E 46 02 66 A1 2A 02 E8 BC 01 66 0F B7 0E f.>F.f.*....f...
01B0 00 02 66 B8 02 02 00 00 E8 FE 07 66 0B C0 0F 84 ..f........f....
01C0 A8 09 67 66 8B 00 1E 07 66 8B 3E 3A 02 E8 31 06 ..gf....f.>:..1.
01D0 66 A1 3A 02 66 BB 20 00 00 00 66 B9 00 00 00 00 f.:.f. ...f.....
01E0 66 BA 00 00 00 00 E8 D6 00 66 85 C0 0F 85 23 00 f........f....#.
01F0 66 A1 3A 02 66 BB 80 00 00 00 66 B9 00 00 00 00 f.:.f.....f.....
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
Code
execution passes from the Boot sector of a bootable NTFS
volume to offset 6Ah of the NTLDR Bootstrap code (see
above).
The bytes "8C C8" comprise its
first CPU instruction: MOV
AX,CS.
|
Although the exact
purpose of each byte in the area with a RED background
has not yet been determined, it's essentially used by the Bootstrap Code to
store intermediate calculations and data about the partition.
The first time
we examined this code, we thought there was a jump into this sector at
offset 56h -- since there's a JMP instruction there (EB 12;
followed by 90 90) which could provide an easy
way to pass program execution to offset 6Ah (which begins with a "mov
ax,cs" instruction). However, upon examining the code
(see the page NTLDR Section Disassembled
for more information), we found program execution jumps directly into
this sector at offset 6Ah (from the NTFS Boot Record). So, were left
to speculate as to why the four bytes (at offset 56h) were placed there.
The last sector
(the 6th sector of the "Bootstrap Code"; the 7th sector of the entire
"NTFS Boot Record") will appear as follows
(Hex offsets are from start of NTLDR Section, so offset 0D75h is the
last byte of the code):
Absolute Sector 69 (Cylinder 0, Head 1, Sector 7)
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000C00 10 67 66 8B 42 18 66 33 D2 66 F7 36 5E 02 66 33 .gf.B.f3.f.6^.f3
000C10 F6 66 50 66 56 66 58 66 5E 66 3B C6 0F 84 3A 00 .fPfVfXf^f;...:.
000C20 66 56 66 40 66 50 66 48 E8 1B FE 72 E8 E8 EB FD fVf@fPfH...r....
000C30 66 5A 66 5E 66 59 66 5B 66 53 66 51 66 56 66 52 fZf^fYf[fSfQfVfR
000C40 66 A1 42 02 67 66 8D 40 18 E8 D0 F8 66 0B C0 74 f.B.gf.@....f..t
000C50 C4 66 59 66 59 66 59 66 59 C3 66 59 66 59 66 33 .fYfYfYfY.fYfYf3
000C60 C0 C3 66 51 66 50 66 B8 05 00 00 00 1E 07 66 8B ..fQfPf.......f.
000C70 F9 E8 8D FD 66 8B C1 66 BB 20 00 00 00 66 B9 00 ....f..f. ...f..
000C80 00 00 00 66 BA 00 00 00 00 E8 33 F8 66 5B 66 59 ...f......3.f[fY
000C90 66 85 C0 0F 85 15 00 66 8B C1 66 0F B7 0E 0C 02 f......f..f.....
000CA0 66 BA 0E 02 00 00 E8 16 F8 EB 33 90 66 33 D2 66 f.........3.f3.f
000CB0 8B C1 66 8B CB 66 50 66 53 E8 23 00 66 5B 66 5F ..f..fPfS.#.f[f_
000CC0 66 0B C0 0F 84 17 00 1E 07 E8 35 FD 66 8B C7 66 f.........5.f..f
000CD0 0F B7 0E 0C 02 66 BA 0E 02 00 00 E8 E1 F7 C3 66 .....f.........f
000CE0 52 66 51 66 BB 20 00 00 00 66 B9 00 00 00 00 66 RfQf. ...f.....f
000CF0 BA 00 00 00 00 E8 C7 F7 66 0B C0 0F 84 63 00 66 ........f....c.f
000D00 8B D8 1E 07 66 8B 3E 16 02 66 33 C0 E8 59 F8 1E ....f.>..f3..Y..
000D10 07 66 8B 1E 16 02 66 59 66 5A 26 66 39 0F 0F 85 .f....fYfZ&f9...
000D20 0C 00 26 66 39 57 08 0F 84 31 00 EB 13 90 26 66 ..&f9W...1....&f
000D30 83 3F FF 0F 84 2F 00 26 83 7F 04 00 0F 84 26 00 .?.../.&......&.
000D40 26 66 0F B7 47 04 03 D8 8B C3 25 00 80 74 CB 8C &f..G.....%..t..
000D50 C0 05 00 08 8E C0 81 E3 FF 7F EB BE 26 66 8B 47 ............&f.G
000D60 10 C3 66 59 66 5A 66 33 C0 C3 A0 F9 01 E9 F4 F3 ..fYfZf3........
000D70 A0 FA 01 E9 EE F3 00 00 00 00 00 00 00 00 00 00 ...............
000D80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000D90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000DA0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000DB0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000DC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
* Note on JUMP
Instruction: Although Microsoft has always used two-byte SHORT jumps (which
begin with the byte EB) in their Boot Records, one could just as easily
use a jump of the DIRECT form which begins with the byte E9 and requires
three bytes. For example, the EB 52 90 (two-byte SHORT jump plus
the 'Do Nothing' byte) in this Boot Record could just as easily have been replaced
by the three bytes: E9 51 00 (all three of which are part of the
Direct JMP instruction vs. the two-byte Short JMP instruction).
Updated: December 20, 2004 (20.12.2004).
Updated: January 25, 2009 (25.01.2009).
Last Update: January 29, 2009 (29.01.2009).
You can write to me using this: online
reply form. (It opens
in a new window.)
BACK
TO: NTFS Boot Record Secrets
asm/mbr/
MBR and Boot Records Index Page
The Starman's
Realm Index Page