Ordinary programs do not access the disk directly; the file system is there to help us organize files easily. Sometimes, though, we have to access the disk itself, because the file system hides the low-level implementation. This is why Linux people like to call it a "virtual" file system (VFS). For example, when we copy a file from one partition to another (in reality, reading the file from one partition and writing it to the other, usually in segments, or by mapping the file into virtual memory, i.e. the linear address space), we do not need to care how the partitions are organized on the disk, whether in MBR or GPT format, nor how each partition organizes its data, whether as FAT32, NTFS, exFAT, ext2/3/4 and so on. That is the charm of the file system.
Ahem, that was a digression. Back to the topic: our goal is to bypass the file system and access the sectors on the disk directly, just as the PE boot disk creation tools on the market do when they write a boot program into the master boot sector of a USB drive (the first sector, typically 512 bytes).
The demonstration below reads the master boot sector of the first disk. To write instead, replace ReadFile with WriteFile and adjust the code slightly. Do not write carelessly on a system that boots through BIOS: with a broken MBR the system cannot boot, and the repair is very troublesome. On a system that boots through UEFI you need not be afraid of writing casually, because UEFI does not load the bootloader from the MBR, which is one of the reasons UEFI is natively immune to the "ghost" virus.
The code is as follows:

    #include <windows.h>
    #include <tchar.h>
    #include <stdio.h>

    // Parameters: reference that receives the output buffer, starting byte offset, length in bytes
    // Return value: the number of bytes read (0 on failure)
    // Offset and length must be multiples of the sector size (typically 512 bytes).
    DWORD ReadDisk(unsigned char*& out, DWORD start, DWORD size)
    {
        OVERLAPPED over = { 0 };
        over.Offset = start;
        // Open the first physical disk for reading (see the notes below for the flags).
        HANDLE handle = CreateFile(TEXT("\\\\.\\PhysicalDrive0"), GENERIC_READ,
            FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
        if (handle == INVALID_HANDLE_VALUE) return 0;
        unsigned char* buffer = new unsigned char[size + 1];
        DWORD readsize = 0;
        if (ReadFile(handle, buffer, size, &readsize, &over) == 0)
        {
            delete[] buffer; // do not leak the buffer when the read fails
            CloseHandle(handle);
            return 0;
        }
        buffer[readsize] = 0;
        out = buffer;
        // The buffer is not freed here: the caller owns it and must release it with delete[].
        CloseHandle(handle);
        return readsize;
    }

    int _tmain(int argc, _TCHAR* argv[])
    {
        unsigned char* a = NULL;
        DWORD len = ReadDisk(a, 0, 512);
        if (len) {
            for (DWORD i = 0; i < len; i++) {
                printf("%02X ", a[i]);
            }
            delete[] a; // release the buffer allocated by ReadDisk
        }
        getchar();
        return 0;
    }

There are several things to note in the code:
1. "\\.\PhysicalDrive0" represents the first physical disk, "\\.\PhysicalDrive1" the second physical disk, and so on; the name is not case sensitive. Also don't forget that in a C/C++ string literal the backslashes must be escaped, so the prefix is written as \\\\.\\
2. The dwCreationDisposition parameter must have the OPEN_EXISTING flag. Don't ask me why, Microsoft said so, don't trust MSDN.
3. MSDN says that when reading and writing a volume device, dwShareMode must include the FILE_SHARE_WRITE flag. Reading and writing a disk device on Windows 10 does not fail if you leave this flag out, but on Windows 8.1 it does not work. As to why, don't ask me, ask Microsoft.
4. If you boot through UEFI, more than 400 bytes of your MBR may be blank. The blogger, for some special reasons (to make it convenient to load the MBR boot code of a USB drive), deliberately switched to BIOS boot, so the boot program in the blogger's MBR is not empty. If you run the code and find that the first 400 bytes are 0, don't assume something went wrong.
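To make sense of the 512 bytes that ReadDisk returns, including the blank boot-code case from note 4, here is an added example (not code from the original post) that summarizes a sector 0 image. It goes slightly beyond the text by also decoding the partition table and the GPT protective entry; the names MbrSummary, SummarizeMbr and BuildSampleGptMbr and the sample sector are constructed for illustration.

```cpp
#include <cstdio>
#include <cstring>

struct MbrSummary {
    bool validSignature;  // bytes 510..511 are 55 AA
    bool bootCodeBlank;   // bytes 0..439 (boot code area) are all zero
    bool protectiveGpt;   // an entry has type 0xEE, i.e. the disk is GPT
    int  usedEntries;     // partition entries with a non-zero type byte
};

static unsigned le32(const unsigned char* p) {  // little-endian 32-bit read
    return p[0] | (unsigned)p[1] << 8 | (unsigned)p[2] << 16 | (unsigned)p[3] << 24;
}

// Interpret one 512-byte sector 0 image, e.g. the buffer ReadDisk() fills in.
MbrSummary SummarizeMbr(const unsigned char* sector, bool print = false) {
    MbrSummary s = {false, true, false, 0};
    s.validSignature = sector[510] == 0x55 && sector[511] == 0xAA;
    for (int i = 0; i < 440; i++)
        if (sector[i] != 0) { s.bootCodeBlank = false; break; }
    for (int n = 0; n < 4; n++) {
        const unsigned char* e = sector + 446 + 16 * n;  // 16-byte table entry
        if (e[4] == 0) continue;                         // unused slot
        s.usedEntries++;
        if (e[4] == 0xEE) s.protectiveGpt = true;
        if (print)
            printf("entry %d: type=%02X active=%d firstLBA=%u sectors=%u\n",
                   n, e[4], e[0] == 0x80, le32(e + 8), le32(e + 12));
    }
    return s;
}

// Constructed sample: blank boot code and one protective entry, as on a GPT disk.
void BuildSampleGptMbr(unsigned char* sector) {
    memset(sector, 0, 512);
    unsigned char* e = sector + 446;
    e[4] = 0xEE;              // protective MBR partition type
    e[8] = 1;                 // first LBA = 1, where the GPT header lives
    memset(e + 12, 0xFF, 4);  // sector count saturated at 0xFFFFFFFF
    sector[510] = 0x55; sector[511] = 0xAA;
}

int main() {
    unsigned char sector[512];
    BuildSampleGptMbr(sector);
    MbrSummary s = SummarizeMbr(sector, true);
    printf("signature=%d blankBootCode=%d gpt=%d\n", s.validSignature, s.bootCodeBlank, s.protectiveGpt);
    return 0;
}
```

On a real system, pass the buffer obtained from ReadDisk(a, 0, 512) to SummarizeMbr instead of the constructed sample.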
Special reminder: reading and writing a physical disk requires administrator rights (for how to obtain administrator rights, see here). Do not waste time on failures caused by overlooking this.
In addition, you are not allowed to use what you learn here to make a virus! Make a virus at your own risk!
We read and write the "disk" device just as we read and write a file. In fact, the I/O requests for the read and write operations are sent to the dispatch functions registered by the driver of the "disk" device.
By the way, Microsoft provides the basic hardware drivers for Windows. Whatever the type of disk, whether IDE, SCSI, SATA, or attached over USB, it is abstracted into a disk device with a unified interface. Therefore the code above works as long as the disk you are using is of a type supported by Microsoft, or the hardware vendor provides a driver!
Back to the topic: we opened the disk device by opening "\\.\PhysicalDrive0". If you have followed the previous blog posts, you will ask: isn't this a symbolic link? Yes, this is the symbolic link of the disk device. A "volume" is a device as well: it is the device that Windows creates for a partition on the disk, that is, the A:, B: and C: drives listed in "This PC" (File Explorer). A volume is only a logical concept; there is no such physical thing as a "volume" in our computer, but Windows creates a device for it. (Strictly speaking it is not created by the operating system, since creating devices is not the operating system's job; it is created by the basic device drivers that Microsoft provides for Windows.) For example, the device name of the C: drive is generally "\Device\HarddiskVolume1", and its symbolic link name is "\??\C:" (in R0, kernel mode) and "\\.\C:" (in R3, user mode). In other words, the drive letters we see are what driver development calls symbolic links! Changing a drive letter in the device manager tells the volume driver to delete the symbolic link and create it again.