PureBasic Forums - English

Does anyone know how to read a disk sector into memory?

For example to search a disk for deleted data.

Interrupts are provided within the DOS environment for permitting access to disk drives. The interrupts, which are essentially procedures within the operating system, give you the means of identifying many things about the hardware in the system, and can give you low level access to much of what is there. Even in a Windows world, access to DOS interrups should still be supported, especially in a DOS compatability box.

I have no idea of why you want to try to do this, because the results are not what you expect most times. You have to transact the Directory structure to find out where directories and files start, then trace them through the chain of links for any given file. You also have to deal with Long File Names, which take up directory space, And you may have to deal with the particulars of the FAT16, FAT32, or NTFS hard drive formats as well. About the only people who need to get down to the sector level is someone trying to write some sort of archival or retrieval process, someone who wants to tamper with a drive, or someone who is specifically interested in the boot sector or master boot sector, possibly for creating a mutli-boot record. However, all these things have been done before, so there is little sence to it.

The only SAFE drives to play with in this manner are likely the removable ones, such as floppy disks, Jaz or Zip cartridges, or CDs. For one thing, they are not going to wipe out your whole directory structure if you mess up. For another, their formats are relatively uncomplicated and more amendable to exploration.

Still, this is not the sort of activity I would recommend to most people, and the people best qualified to do this work would not be asking this question on a forum intended for beginners. In other words, you are getting in over your head if you came here for an answer.

the people best qualified to do this work would not be asking this question on a forum intended for beginners. In other words, you are getting in over your head if you came here for an answer.

I agree but one point to remember is that people who post in the beginners section are not necessarily beginners, sometimes people either have had no previous experience with a certain field of programing or they like to hear others views on a different approach. After all no-one knows everything, right? well atleast we don't yet remember the 'people best qualified' had to do it a first time too.

I have no idea of why you want to try to do this.

For the reason I gave.

Does anyone know if a sector can be written to memory without danger of damaging the disk content?

I thought there might be a Windows API function that did this. If the only way is to directly access the bios with machine code then I'm not interested (too dangerous).

Assuming that you want to just read a disk sector, are you aware that the sector size varies by the media, and that in order to access the disk, you normally have to deal with clusters, not sectors, and that on top of that, the drive controller may have to adapt the request via a process I seem to recall as abbreviated as LHA? In other words, assuming that you can read as single sector of disk, how can you be sure what it relates to, where it actually resides on the drive, or what it represents? (Unless. of course, it has some bit of readable text inside)

Never mind, some people stick by their guns even in the face of reason and valid arguments. If you want to use Interrupts and API calls to achieve your ends, then I suggest you research those on forums and sites devoted to the topic. There are several, some related to VisualBASIC, some to C/C++, some to other languages, including assembler. Find a thread that talks about Disk I/O and details how they did it in that instance. Get a listing or book on WindowsAPI and Interrupts, and bone up on it. Start on something innocious, such as reading directories and files, then try to determine where the current sector is. You have positioning statements for the drive, which if you can make them work, should take you to the right area of the drive. See what commands exist to read or write to and from the drive. Find out how to set up a region of memory to act as a buffer to catch the data. You are going to quickly find that a roll-your-own approach just doesn't cut it, because prodedures already exist in memory to make much of these things happen for you, but there are a necessary sequence of calls needed in order to make it happen as intended. Be aware that the operating system is very sensitive to some of the things you do, and may regard your activity as unacceptable or even dangerous. It may classify your program as malware, or you may have other antii-virus or anti-trojan software running that may get into the game. You may violate the integrity of the system to the point where it either abruptly terminates your program, crashes with a blue screen of death, or forces a re-examination of you hard drive on the next reboot.

If you just want to know what a sector looks like on a disk, just get a related manual and read up on the subject. It's only 256 bytes of data that could represent almost anything, and which an only be understood when found in its original context. Unless, like I said, you chance on some part of a text file.

You don't have to be defensive -- just don't act stupedly.

in my hexeditor-snippet you can access sectors from harddisk:

viewtopic.php?p=28164&highlight=hexeditor#28164

Thanks Rings, unfortunately your snippet won't run on my Win98 system. I get "compiler isn't ready", I guess I have a missing file or something.

I looked at your code. It seems to be accessing files, not what I wanted.

I want to read sectors marked as free in the FAT, so that I can recover data from deleted files. I fully appreciate that this data will be fragmented and include binary data from the OS such as file descriptors and sector pointers. However much of the user data will be recognisable, and that's why I want to do this.

Thanks D'Oldefoxx for your advice.

geoff wrote:Thanks Rings, unfortunately your snippet won't run on my Win98 system. I get "compiler isn't ready", I guess I have a missing file or something.

I looked at your code. It seems to be accessing files, not what I wanted.

I want to read sectors marked as free in the FAT, so that I can recover data from deleted files. I fully appreciate that this data will be fragmented and include binary data from the OS such as file descriptors and sector pointers. However much of the user data will be recognisable, and that's why I want to do this.

Thanks D'Oldefoxx for your advice.

Yes. under w89 you have not the normal access to drives like in my example for the Win-NT OS's .
And i can access the harddisk , not only files.
If you put in Filename.s "\\.\C:" instead of a real filename you have full control to the harddisk.I do not know if that also works under the W89, never tested it( and will never do ) .

too bad you are using an old W89 OS. time for an upgrade

Even if you being with deleted directory entiries, which have the first character in the file name OR'd with 128 as a flag that the files is deleted,
you have a problem with (1) Undeleting that file, and (2) recovering all the secots associated with it. The first problem, of undeleting the file by changing the first character back, will fail if another file of the same name has since been created. It should also fail if any of the freed secotrs have teen assigned to a different file -- but the system does not check for this, so it is necessary for you to map the sectors and make sure that they are still intact and last associated with the deleted file. If you decide to try to tackle the freed sectors, you still have a problem of determiining which are freed and which are not - but the FAT keeps track of this for you, so that should not be a problem -- unless your FAT table has become corrupted. Another technique is to try to write a file that just gets bigger and bigger until it takes all the free sectors , and overrite their contents - but there is risk that some other process will suddenly need additional sectors (perhaps an automatic Log keeper), and put you in an out-of-disk space situation. You might be able to balance this activity between a couple of different temporary files, perhaps tracking changes in the FAT as a way of seeing when you have completed one section before you relase it back into the wild by deleting it. Of course, using this approach, I do not see any good way to avoind a lot of duplicated effort.

Of course you know that programs that overwrite freed sectors so ensure no data can be extracted later, and to be totally fank and candid, while I can see some of the obsticles they have to face and deal with, I do not know how they got passed them. If you can get into a DOS command state and LOCK the drive, you can avoid having the system or other processes interfere with your efforts. As to how those other program work, either the commercial or freeware/shareware products, I would suggest you search for any that provide extensive documentation and/or source code. That would be your best source of information. This is my last effort to assist on this thread, so be thankful you won't hear from me again.

Rings wrote:Yes. under w89 you have not the normal access to drives like in my example for the Win-NT OS's .
And i can access the harddisk , not only files.
If you put in Filename.s "\\.\C:" instead of a real filename you have full control to the harddisk.I do not know if that also works under the W89, never tested it( and will never do ) .

Yes I see, use CreateFile_() with filename "\\.\c:"
Unfortunately this only works for NT, according to the Win32 API Ref.

D'Oldefoxx wrote:Another technique is to try to write a file that just gets bigger and bigger until it takes all the free sectors , and overrite their contents

But I want to read the existing content of the sectors, or clusters. If I overwrite the contents then presumably I can't read them?

Is there a way to open a new file with a specified size without overwriting the existing data on the sectors that the new file comprises?

D'Oldefoxx wrote:the drive controller may have to adapt the request via a process I seem to recall as abbreviated as LHA?

LBA - Large Block Access