『楼 主』:
转贴李家芳的《硬盘分区表详解 》
使用 LLM 解释/回答一下
硬盘主引导扇区 = 硬盘主引导记录(MBR)+ 硬盘分区表(DPT)
--------------------------------------------------------------
物理位置:0面0道1扇区(clindyer 0, side 0, sector 1)
大小: 512字节
其中:MBR 446字节(0000--01BD),DPT 64字节(01BE--01FD),结束标志2字节(55 AA)
功能:MBR通过检查DPT分区信息引导系统跳转至DBR;
读取: 使用NORTON DISKEDIT, 在OBJECT菜单中选择DRIVE——>PHYSICAL DISK-—HARD DISK, 然后, 在OBJECT菜单中选择DISK PARTITION TABLE即可读取, 并使用TOOLS菜单中的 WRITE OBJECT TO 选项存入指定文件备份;
写入: 使用NORTON DISKEDIT, 在OBJECT菜单中选择DRIVE——>FLOOPY DISK, 选择备份的DPT文件, 然后使用TOOLS菜单中的WRITE OBJECT TO——>PHYSICAL SECTOR 选项写入 001 (clindyer 0, side 0, sector 1);
详解:
000H--08AH MBR启动程序(寻找引导分区)
08BH--0D9H MBR启动字符串
0DAH--1BCH 保留("0")
1BEH--1FDH 硬盘分区表
1FEH--1FFH 结束标志(55AA)
活动分区引导扇区(DBR)
--------------------------
物理位置:1面0道1扇区(clindyer 0, side 1, sector 1)
大小: FAT16 1扇区 512字节 FAT32 3扇区 1536字节
功能:包含机器CMOS等信息(0000--0059), 核对该信息并引导指定的系统文件, 如NTLDR等;
读取: 使用NORTON DISKEDIT, 在OBJECT菜单中选择DRIVE——>LOGICAL DISK-—DISK C,
然后, 在OBJECT菜单中选择BOOT RECORD即可读取, 并使用TOOLS菜单中的
WRITE OBJECT TO 选项存入指定文件备份;
写入: 使用NORTON DISKEDIT, 在OBJECT菜单中选择DRIVE——>FLOOPY DISK, 选择备份的DBR文件, 然后使用TOOLS菜单中的WRITE OBJECT TO——>PHYSICAL SECTOR 选项写入011 (clindyer 0, side 1, sector 1);
详解:
000H--002H 3 BYTE的跳转指令(去启动程序, 跳到03EH)
003H--03DH BIOS参数区
03EH--19DH DOS启动程序
19EH--1E5H 开机字符串
1E6H--1FDH 文件名(IO.SYS, MSDOS.SYS)
1FEH--1FFH 结束标记(55AA)
硬盘分区表(DPT)
---------------------
偏移地址 字节数 含义分析
01BE 1 分区类型:00表示非活动分区:80表示活动分区;其他为无效分区。
01BF~01C1 3 *分区的起始地址(面/扇区/磁道),通常第一分区的起始地址开始于1面0道1扇区,因此这三个字节应为010100
01C2 1 #分区的操作系统的类型。
01C3~01C5 3 *该分区的结束地址(面/扇/道)
01C6~01C9 4 该分区起始逻辑扇区
01CA~01CD 4 该分区占用的总扇区数
注释: * 注意分区的起始地址(面/扇区/磁道)和结束地址(面/扇/道)中字节分配:
00000000 01000001 00010101
^^^^^^^^ ==~~~~~~ ========
^ 面(磁头) 8 位
~ 扇区 6 位
= 磁道 10 位
# 分区的操作系统类型(文件格式标志码)
4---DOS FAT16 32M
7---NTFS(OS/2)
83---LINUX>64M
DPT 总共64字节(01BE--01FD), 如上所示每个分区占16个字节, 所以可以表示四个分区, 这也就是为什么一个磁盘的主分区和扩展分区之和总共只能有四个的原因.
逻辑驱动器
-----------
扩展分区的信息位于以上所示的硬盘分区表(DPT)中, 而逻辑驱动器的信息则位于扩展分区的起始扇区, 即该分区的起始地址(面/扇区/磁道)所对应的扇区, 该扇区中的信息与硬盘主引导扇区的区别是不包含MBR, 而16字节的分区信息则表示的是逻辑驱动器的起始和结束地址等.
所以, 在磁盘仅含有一个主分区, 一个扩展分区(包含多个逻辑驱动器)的情况下, 即使由于病毒或其他原因导致硬盘主引导扇区的数据丢失(包括DPT), 也可以通过逻辑驱动器的数据来恢复整个硬盘.
例如: 以下是一个硬盘的分区情况.
道 面 扇 道 面 扇 起始扇(逻辑) 结束扇 总共扇区
MBR 0 0 1 - - - - - -
C 0 1 1 276 239 63 63 4,188,239 4,188,177
扩 277 0 1 554 239 63 4,188,240 8,391,599 4,203,360
D 277 1 1 554 239 63 4,188,303 8,391,599 4,203,297
如果主分区表损坏, 则可以通过手工查找扩展分区表中所包含的逻辑驱动器数据, 在本例中就是D盘所对应的数据, 然后将其起始扇(逻辑)减去63就是所对应的扩展分区的起始扇(逻辑), 将其起始地址(面/扇区/磁道)改为0面就是扩展分区的起始地址. 然后通过扩展分区就可以得到主分区C的信息, 然后就可以使用DISK/MBR命令和手工填写分区表恢复整个硬盘.
实际使用这种方法比较麻烦, 如果知道每个分区的大小, 则可以通过使用 PQ MAGIC 5 将磁盘重新分区为原来大小(注意: 千万不能应用, 我们只是通过它来获得数据), 并查看INFO来获得以上数据, 记录以后取消该分区操作, 然后使用NORTON DISK 2000手工修改DPT表, 恢复整个硬盘.
该例所对应的分区表数据:
80 01
01 00 06 EF 7F 14 3F 00 00 00 11 E8 3F 00 00 00
41 15 05 EF BF 2A 50 E8 3F 00 60 23 40 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
扩展分区表数据:
00 01
41 15 07 EF BF 2A 8F E8 3F 00 21 23 40 00
注意: 逻辑起始扇区和总共分区数是左边为低位, 如该例的扩展分区的起始地址为50 E8 3F 00转换十进制时要先变为00 3F E8 50, 总共占用分区数60 23 40 00要先变为00 40 23 60, 同理当手工填写该值时也要进行高低位转换.
Hard Disk Master Boot Sector = Hard Disk Master Boot Record (MBR) + Hard Disk Partition Table (DPT)
--------------------------------------------------------------
Physical location: Cylinder 0, Side 0, Sector 1
Size: 512 bytes
Among them: MBR 446 bytes (0000--01BD), DPT 64 bytes (01BE--01FD), ending flag 2 bytes (55 AA)
Function: The MBR guides the system to jump to the DBR by checking the DPT partition information;
Reading: Use NORTON DISKEDIT, select DRIVE——>PHYSICAL DISK-—HARD DISK in the OBJECT menu, then select DISK PARTITION TABLE in the OBJECT menu to read, and use the WRITE OBJECT TO option in the TOOLS menu to save to a specified file for backup;
Writing: Use NORTON DISKEDIT, select DRIVE——>FLOOPY DISK in the OBJECT menu, select the backed-up DPT file, then use the WRITE OBJECT TO——>PHYSICAL SECTOR option in the TOOLS menu to write to 001 (Cylinder 0, Side 0, Sector 1);
Detailed explanation:
000H--08AH MBR boot program (find boot partition)
08BH--0D9H MBR boot string
0DAH--1BCH Reserved ("0")
1BEH--1FDH Hard disk partition table
1FEH--1FFH Ending flag (55AA)
Active Partition Boot Sector (DBR)
--------------------------
Physical location: Cylinder 0, Side 1, Sector 1
Size: FAT16 1 sector 512 bytes, FAT32 3 sectors 1536 bytes
Function: Contains machine CMOS and other information (0000--0059), checks this information and boots the specified system file, such as NTLDR, etc.;
Reading: Use NORTON DISKEDIT, select DRIVE——>LOGICAL DISK-—DISK C in the OBJECT menu, then select BOOT RECORD in the OBJECT menu to read, and use the WRITE OBJECT TO option in the TOOLS menu to save to a specified file for backup;
Writing: Use NORTON DISKEDIT, select DRIVE——>FLOOPY DISK in the OBJECT menu, select the backed-up DBR file, then use the WRITE OBJECT TO——>PHYSICAL SECTOR option in the TOOLS menu to write to 011 (Cylinder 0, Side 1, Sector 1);
Detailed explanation:
000H--002H 3-byte jump instruction (go to boot program, jump to 03EH)
003H--03DH BIOS parameter area
03EH--19DH DOS boot program
19EH--1E5H Boot string
1E6H--1FDH File name (IO.SYS, MSDOS.SYS)
1FEH--1FFH Ending mark (55AA)
Hard Disk Partition Table (DPT)
---------------------
Offset address Number of bytes Meaning analysis
01BE 1 Partition type: 00 means inactive partition; 80 means active partition; others are invalid partitions.
01BF~01C1 3 *Starting address of the partition (side/sector/cylinder), usually the starting address of the first partition starts at Side 1, Cylinder 0, Sector 1, so these three bytes should be 010100
01C2 1 #Type of the operating system of the partition.
01C3~01C5 3 *Ending address of the partition (side/sector/cylinder)
01C6~01C9 4 Starting logical sector of the partition
01CA~01CD 4 Total number of sectors occupied by the partition
Note: * Pay attention to the byte allocation in the starting address (side/sector/cylinder) and ending address (side/sector/cylinder) of the partition:
00000000 01000001 00010101
^^^^^^^^ ==~~~~~~ ========
^ Side (head) 8 bits
~ Sector 6 bits
= Cylinder 10 bits
# Operating system type of the partition (file format flag code)
4---DOS FAT16 32M
7---NTFS(OS/2)
83---LINUX>64M
The DPT is a total of 64 bytes (01BE--01FD). As shown above, each partition occupies 16 bytes, so it can represent four partitions. This is why the sum of the primary partition and the extended partition of a disk can only be four in total.
Logical Drive
-----------
The information of the extended partition is located in the hard disk partition table (DPT) shown above, and the information of the logical drive is located in the starting sector of the extended partition, that is, the sector corresponding to the starting address (side/sector/cylinder) of the partition. The information in this sector is different from the hard disk master boot sector in that it does not contain the MBR, and the 16-byte partition information represents the starting and ending addresses of the logical drive, etc.
Therefore, in the case where the disk only contains one primary partition and one extended partition (including multiple logical drives), even if the data of the hard disk master boot sector (including DPT) is lost due to a virus or other reasons, the entire hard disk can be restored through the data of the logical drive.
For example: The following is a partition situation of a hard disk.
Cylinder Side Sector Cylinder Side Sector Starting sector (logical) Ending sector Total sectors
MBR 0 0 1 - - - - - -
C 0 1 1 276 239 63 63 4,188,239 4,188,177
Extended 277 0 1 554 239 63 4,188,240 8,391,599 4,203,360
D 277 1 1 554 239 63 4,188,303 8,391,599 4,203,297
If the primary partition table is damaged, the data of the logical drive contained in the extended partition table can be manually found. In this example, it is the data corresponding to drive D. Then subtract 63 from its starting sector (logical) to get the starting sector (logical) of the corresponding extended partition, and change its starting address (side) to 0 to get the starting address of the extended partition. Then, through the extended partition, the information of the primary partition C can be obtained, and then the entire hard disk can be restored by using the DISK/MBR command and manually filling in the partition table.
It is relatively troublesome to actually use this method. If the size of each partition is known, the disk can be repartitioned to the original size by using PQ MAGIC 5 (note: never apply it, we just get data through it), and view INFO to obtain the above data, record it, then cancel the partition operation, and then manually modify the DPT table by using NORTON DISK 2000 to restore the entire hard disk.
The partition table data corresponding to this example:
80 01
01 00 06 EF 7F 14 3F 00 00 00 11 E8 3F 00 00 00
41 15 05 EF BF 2A 50 E8 3F 00 60 23 40 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA
Extended partition table data:
00 01
41 15 07 EF BF 2A 8F E8 3F 00 21 23 40 00
Note: The logical starting sector and the total number of partitions are low-byte first. For example, when converting the starting address of the extended partition 50 E8 3F 00 to decimal, it should be changed to 00 3F E8 50 first. The total number of occupied partitions 60 23 40 00 should be changed to 00 40 23 60 first. Similarly, when manually filling in this value, the high-low byte conversion should also be performed.
|
