MS-DOS Disk Structure Analysis Using DOS DEBUG
==============================================

by Alan Pinck

The information which we have been considering can be applied to specific
disk structures. This helps to provide an understanding of how the
Operating System can perform the required "logical" to "physical" I/O
translation. It also can provide the basis for low-level disk maintenance
and recovery (although that is beyond the scope of the material presented
here).

Loading Physical Sectors into Memory using DEBUG
================================================

The same L command used to load files in DEBUG, with the addition of
parameters, can be used to load physical sectors of a disk into memory:

    -L memory_address drive# drive_sector# number_of_sectors_to_load

* Examples: L 0 0 0 7 or L 0 0 e0 1
* memory_address is as for any other DEBUG command
* drive# is 0 for A:; 1 for B:; 2 for C:; and 3 for D:
* drive_sector# is the sequential absolute number of the sector counting
  from the boot sector which is numbered as drive_sector# 0 (this is not
  the sector number within the track).
* number_of_sectors_to_load is what it says it is.

Be careful not to load more than 64K worth of sectors into DEBUG! Some
versions of DEBUG can only address 64K segments. That's only 128 (80h)
512-byte sectors from a floppy; much less from a hard disk.

Loading and Examining a Sample Boot Sector
==========================================

    C:\> DEBUG
    -L 0000 2 0 1
    -D 0000 001F
    1026:0000  EB 3C 90 4D 53 44 4F 53-35 2E 30 00 02 04 01 00  .<.MSDOS5.0.....
    1026:0010  02 00 02 00 00 F8 F8 00-11 00 10 00 11 00 00 00  ................

From previously provided information on decoding the BOOT block we get
these numbers:

* 000Bh/2 bytes per sector: 200h = 512(dec)
* 000Dh/1 sectors per allocation unit: 4
* 0010h/1 number of copies of FAT: 2
* 0011h/2 number of root directory entries: 200h = 512(dec)
  at 20h (32 dec) bytes per entry --> 10h entries per sector
  --> 20h (32 dec) sectors for root directory
* 0016h/2 number of sectors per FAT: 00F8h = 248(dec)
* 0018h/2 number of sectors per track: 11h = 17(dec)
* 001Ah/2 number of heads: 10h = 16(dec)

    Boot:                   one sector (always!)  sector 0
    ----------------------  --------------------  --------------------
    FAT (2 copies):         2xF8h=1F0h;           sectors 1 - 1F0h
    Directory:              20h sectors;          sectors 1F1h - 210h
    File Allocation Space:  4 per alloc cluster   sectors 211h +

For this specific disk, we can load and examine (the beginning of) the
directory space given the previously derived information:

    -L 0000 2 1F1 1
    -D 0000 00FF
    1026:0000  49 4F 20 20 20 20 20 20-53 59 53 07 00 00 00 00  IO      SYS.....
    1026:0010  00 00 00 00 00 00 00 28-89 16 02 00 96 82 00 00  .......(........
    1026:0020  4D 53 44 4F 53 20 20 20-53 59 53 07 00 00 00 00  MSDOS   SYS.....
    1026:0030  00 00 00 00 00 00 00 28-89 16 13 00 12 92 00 00  .......(........
    1026:0040  43 4F 4D 4D 41 4E 44 20-43 4F 4D 20 00 00 00 00  COMMAND COM ....
    1026:0050  00 00 00 00 00 00 00 28-89 16 40 00 E5 BA 00 00  .......(..@.....
    1026:0060  43 4F 4E 46 49 47 20 20-53 59 53 20 00 00 00 00  CONFIG  SYS ....
    1026:0070  00 00 00 00 00 00 F9 96-CD 22 18 0A 2A 01 00 00  ........."..*...
    1026:0080  41 55 54 4F 45 58 45 43-4F 4C 44 20 00 00 00 00  AUTOEXECOLD ....
    1026:0090  00 00 00 00 00 00 2E 77-66 1D 83 A1 45 01 00 00  .......wf...E...
    1026:00A0  44 4F 53 20 20 20 20 20-20 20 20 10 00 00 00 00  DOS        .....
    1026:00B0  00 00 00 00 00 00 1A 40-99 19 53 00 00 00 00 00  .......@..S.....
    1026:00C0  4D 53 2D 44 4F 53 5F 35-20 20 20 28 00 00 00 00  MS-DOS_5   (....
    1026:00D0  00 00 00 00 00 00 56 41-99 19 00 00 00 00 00 00  ......VA........
    1026:00E0  57 49 4E 41 32 30 20 20-33 38 36 20 00 00 00 00  WINA20  386 ....
    1026:00F0  00 00 00 00 00 00 00 28-89 16 83 04 85 24 00 00  .......(.....$..

Within a directory entry, we use these offsets:

* 00h - 07h: Primary name
* 08h - 0Ah: Extension
* 0Bh: Attribute byte
  - bits 7-6: unused
  - 5: archive required
  - 4: subdirectory
  - 3: volume label
  - 2: system
  - 1: hidden
  - 0: read only
* 0Ch - 15h: (Reserved)
* 16h - 17h: Time
* 18h - 19h: Date
* 1Ah - 1Bh: Starting Cluster number
* 1Ch - 1Fh: Size (bytes)

Directory entry example 1:
==========================

    1026:0020  4D 53 44 4F 53 20 20 20-53 59 53 07 00 00 00 00  MSDOS   SYS.....
    1026:0030  00 00 00 00 00 00 00 28-89 16 13 00 12 92 00 00  .......(........

    Primary name:     MSDOS
    Extension:        SYS
    Attribute:        07h = 0000 0111 (bin)
                      System, Hidden, Read Only
    Starting Cluster: 0013h
    Size:             00009212h (37394 decimal) bytes

Directory entry example 2:
==========================

    1026:0080  41 55 54 4F 45 58 45 43-4F 4C 44 20 00 00 00 00  AUTOEXECOLD ....
    1026:0090  00 00 00 00 00 00 2E 77-66 1D 83 A1 45 01 00 00  .......wf...E...

    Primary name:     AUTOEXEC
    Extension:        OLD
    Attribute:        20h = 0010 0000 (bin)
                      Archive required (modified since last backup)
    Starting Cluster: A183h
    Size:             00000145h (325 decimal) bytes

Note that since AUTOEXEC.OLD is not a hidden file, the size can be
verified using a standard DIR command:

    C:\>DIR AUTOEXEC.OLD

     Volume in drive C is MS-DOS_5
     Volume Serial Number is 1999-4156
     Directory of C:\

    AUTOEXEC OLD       325 11-06-94   2:57p
            1 file(s)        325 bytes
                         6340608 bytes free

Furthermore, given previous information from the boot sector:

    File allocation space starts at sector 211h and there are
    4 sectors per allocation unit;

Plus the knowledge that the first cluster number for the file allocation
space is cluster number 2;

We can duplicate the activity of the Operating System in locating this file.
Based on its starting cluster number of A183h, it should begin on the
disk at sector:

    211h + (A183h - 2) * 4 = 28815h

Loading this sector into memory and examining it gives:

    -L 0000 2 28815 1
    -D 0000
    1026:0000  40 45 43 48 4F 20 4F 46-46 0D 0A 53 45 54 20 43  @ECHO OFF..SET C
    1026:0010  4F 4D 53 50 45 43 3D 43-3A 5C 44 4F 53 5C 43 4F  OMSPEC=C:\DOS\CO
    1026:0020  4D 4D 41 4E 44 2E 43 4F-4D 0D 0A 50 52 4F 4D 50  MMAND.COM..PROMP
    1026:0030  54 20 24 70 24 67 0D 0A-50 41 54 48 20 43 3A 5C  T $p$g..PATH C:\
    1026:0040  57 49 4E 44 4F 57 53 2E-33 30 30 3B 43 3A 5C 42  WINDOWS.300;C:\B
    1026:0050  41 54 3B 43 3A 5C 44 4F-53 3B 63 3A 5C 75 74 69  AT;C:\DOS;c:\uti
    1026:0060  6C 3B 63 3A 5C 3B 43 3A-5C 6D 61 73 6D 0D 0A 53  l;c:\;C:\masm..S
    1026:0070  45 54 20 54 45 4D 50 3D-43 3A 5C 0D 0A 54 4F 47  ET TEMP=C:\..TOG

As it happens, this is a pure ASCII text file, so we can verify this by
using the MS-DOS TYPE command:

    C:\>TYPE AUTOEXEC.OLD
    @ECHO OFF
    SET COMSPEC=C:\DOS\COMMAND.COM
    PROMPT $p$g
    PATH C:\WINDOWS.300;C:\BAT;C:\DOS;c:\util;c:\;C:\masm
    SET TEMP=C:\
    ...etc...

Directory entry example 3:
==========================

    1026:00A0  44 4F 53 20 20 20 20 20-20 20 20 10 00 00 00 00  DOS        .....
    1026:00B0  00 00 00 00 00 00 1A 40-99 19 53 00 00 00 00 00  .......@..S.....

    Primary name:     DOS
    Extension:        (none)
    Attribute:        10h = 0001 0000 (bin)
                      Subdirectory
    Starting Cluster: 0053h
    Size:             00000000h bytes (which is not actually true)

Again we can duplicate the activity of the Operating System in locating
this directory. Based on its starting cluster number of 0053h, it should
begin on the disk at sector:

    211h + (0053h - 2) * 4 = 355h

Loading this sector into memory and examining it gives:

    -L 0000 2 355 1
    -D 0000 00FF
    1026:0000  2E 20 20 20 20 20 20 20-20 20 20 10 00 00 00 00  .          .....
    1026:0010  00 00 00 00 00 00 1A 40-99 19 53 00 00 00 00 00  .......@..S.....
    1026:0020  2E 2E 20 20 20 20 20 20-20 20 20 10 00 00 00 00  ..         .....
    1026:0030  00 00 00 00 00 00 1A 40-99 19 00 00 00 00 00 00  .......@........
    1026:0040  43 4F 55 4E 54 52 59 20-53 59 53 20 00 00 00 00  COUNTRY SYS ....
    1026:0050  00 00 00 00 00 00 00 28-89 16 2B 00 AD 42 00 00  .......(..+..B..
    1026:0060  45 47 41 20 20 20 20 20-53 59 53 20 00 00 00 00  EGA     SYS ....
    1026:0070  00 00 00 00 00 00 00 28-89 16 34 00 15 13 00 00  .......(..4.....
    1026:0080  46 4F 52 4D 41 54 20 20-43 4F 4D 20 00 00 00 00  FORMAT  COM ....
    1026:0090  00 00 00 00 00 00 00 28-89 16 37 00 8F 80 00 00  .......(..7.....
    1026:00A0  4B 45 59 42 20 20 20 20-43 4F 4D 20 00 00 00 00  KEYB    COM ....
    1026:00B0  00 00 00 00 00 00 00 28-89 16 5E 00 8A 3A 00 00  .......(..^..:..
    1026:00C0  4B 45 59 42 4F 41 52 44-53 59 53 20 00 00 00 00  KEYBOARDSYS ....
    1026:00D0  00 00 00 00 00 00 00 28-89 16 66 00 89 87 00 00  .......(..f.....
    1026:00E0  4E 4C 53 46 55 4E 43 20-45 58 45 20 00 00 00 00  NLSFUNC EXE ....
    1026:00F0  00 00 00 00 00 00 00 28-89 16 77 00 8C 1B 00 00  .......(..w.....

Although the first two entries appear a little unusual, this is obviously
another directory structure.

The first entry has a "Primary name" that is just a "dot"; notice that its
"First cluster number" is 0053h, the cluster number of this subdirectory
itself.

The second entry has a "Primary name" that is two "dots"; notice that its
"First cluster number" is 0000h, the cluster number of the "root"
directory, its "parent".

The single dot (.) and double dot (..) notation should be familiar to
anyone who has worked in either MS-DOS or UNIX (as used in the command:
cd ..). They are simply convenient names for the current and parent
directories.

Directory entry example 4:
==========================

    1026:00C0  4D 53 2D 44 4F 53 5F 35-20 20 20 28 00 00 00 00  MS-DOS_5   (....
    1026:00D0  00 00 00 00 00 00 56 41-99 19 00 00 00 00 00 00  ......VA........

    Name:             MS-DOS_5
    Attribute:        28h = 0010 1000 (bin)
                      Archive required, Volume label
    Starting Cluster: 0000h
    Size:             00000000h bytes

This is the disk volume label as reported (for example) by the DIR
command. There should only be one of these on any disk.
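
As an added example (not part of the original notes), this Python sketch repeats the calculations above on the bytes copied from this page's dumps: it derives the sector map from the boot block, decodes a directory entry and converts its starting cluster to an absolute sector. It goes one step further than the text by decoding the packed Time and Date words at 16h - 19h using the standard FAT bit layout; the function names and the reserved-sector field at 0Eh are assumptions not taken from the page.

```python
import struct

# First 32 bytes of the boot sector, copied from the DEBUG dump on this page.
BOOT = bytes.fromhex("EB3C904D53444F53352E300002040100"
                     "0200020000F8F8001100100011000000")
# AUTOEXEC.OLD directory entry, copied from the dump at 1026:0080.
ENTRY = bytes.fromhex("4155544F455845434F4C442000000000"
                      "0000000000002E77661D83A145010000")
ATTRS = ["read-only", "hidden", "system", "volume-label",
         "subdirectory", "archive"]          # attribute bits 0..5

def layout(boot):
    """Sector map derived from the boot-block fields at 0Bh..17h."""
    # 0Eh (reserved sectors) is a standard field the page does not list;
    # on this disk it is 1, i.e. just the boot sector.
    bps, spc, reserved, fats, root_entries = struct.unpack_from("<HBHBH", boot, 0x0B)
    (spf,) = struct.unpack_from("<H", boot, 0x16)
    if bps < 32 or spc == 0 or fats == 0:
        raise ValueError("implausible boot block")
    root_start = reserved + fats * spf
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return {"fat_start": reserved, "root_start": root_start,
            "data_start": root_start + root_sectors, "spc": spc}

def cluster_to_sector(lay, cluster):
    """Absolute sector of a cluster; data clusters are numbered from 2."""
    if cluster < 2:
        raise ValueError("cluster %d is not in the file allocation space" % cluster)
    return lay["data_start"] + (cluster - 2) * lay["spc"]

def parse_entry(raw):
    """Decode one 32-byte directory entry using the offsets listed above."""
    if len(raw) != 32:
        raise ValueError("directory entries are 32 bytes")
    time, date, cluster, size = struct.unpack_from("<HHHI", raw, 0x16)
    return {
        "name": raw[0:8].decode("ascii", "replace").rstrip(),
        "ext": raw[8:11].decode("ascii", "replace").rstrip(),
        "attrs": [n for bit, n in enumerate(ATTRS) if raw[0x0B] >> bit & 1],
        # Packed FAT timestamp: date = yyyyyyym mmmddddd (year from 1980),
        # time = hhhhhmmm mmmsssss (seconds stored in 2-second units).
        "modified": (1980 + (date >> 9), date >> 5 & 0x0F, date & 0x1F,
                     time >> 11, time >> 5 & 0x3F, (time & 0x1F) * 2),
        "cluster": cluster, "size": size}

if __name__ == "__main__":
    lay, ent = layout(BOOT), parse_entry(ENTRY)
    print({k: hex(v) for k, v in lay.items()})
    print(ent, hex(cluster_to_sector(lay, ent["cluster"])))
```

The decoded timestamp agrees with the 11-06-94 2:57p shown by DIR for AUTOEXEC.OLD, which is a useful cross-check when reading entries by hand.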

Edited by: Ian Allen
Original by: Alan T. Pinck
From: