[How-To] HEX dump raw data of a drive sector (PowerShell hybrid)

[aGerman]

The "drivedump" macro wraps Win32 API functions to read the data of a drive sector. It supports both logical and physical drives.
Logical drives are specified by the drive letter and a colon (e.g. "C:").
Physical disk drives are specified by "PhysicalDriveN" where N is for its zero-based index (e.g. "PhysicalDrive0").
The sector to be dumped is specified by a zero-based index.
The macro writes the hexadecimal expression of the bytes as two hex digits each in separate lines.
The size of raw data read from a drive must be aligned to the size of a sector. You don't have to worry, the code will determine the sector size.
System drives require elevated execution.

Steffen

Code: Select all

@echo off &setlocal
:: NOTE: Run as Administrator!

:: Ensure that the script path is the current directory when elevated.
cd /d "%~dp0"

:: Initialize the drivedump macro.
call :init_drivedump

:: Read the second sector (index 1) of the logical drive "C:" and write the HEX
:: dump into the console window.
%drivedump% "C:" 1
echo errorlevel %errorlevel%
pause

:: Read the first sector (index 0) of the physical drive "PhysicalDrive0" and
:: redirect the HEX dump into a file. The parentheses are critical.
>"dump_0.txt" (%drivedump% "PhysicalDrive0")
echo errorlevel %errorlevel%
pause

:: See how many hex bytes (lines) we have in the dump file. This should always
:: be the size of a sector (usually 512).
for %%i in ("dump_0.txt") do set /a "hexbytes=%%~zi/4"
echo hexbytes %hexbytes%
pause

:: Formatting is easy because we have every byte in a separate line. E.g.:
:: Concatenate all hex bytes of the dumped sector into a contiguous string.
setlocal EnableDelayedExpansion
set "hexstr="
<"dump_0.txt" (
  for /l %%i in (1 1 %hexbytes%) do (
    set /p "ln="
    set "hexstr=!hexstr!!ln!"
  )
)
echo !hexstr!
endlocal
pause

:: clean up
del "dump_0.txt"
exit /b


:init_drivedump
:: -- BRIEF --
::  Create a HEX dump of a sector of a drive. Each hexadecimal expression of a
::   byte consists of two digits and is written to a new line.
::   NOTE: Certain drives require the script to be executed as Administrator.
:: -- SYNTAX --
::  %drivedump% "drive" [sector_index]
::    drive          Logical drive (such as "C:"), or physical disk drive (such
::                    as "PhysicalDrive0").
::    sector_index   (optional) Zero-based index of the sector to be read.
::                    Default index is 0.
:: -- RETURN --
::  0   The HEX dump has been created.
::  1   The HEX dump has not been created.
:: -- EXAMPLE --
::  %drivedump% "C:" 0
setlocal DisableDelayedExpansion
set drivedump=for %%- in (1 2) do if %%-==2 (^
%=% for /f "tokens=1,2" %%. in ("^^!p^^! 0") do endlocal^&powershell.exe -nop -ep Bypass -c ^"^
%===% $w=Add-Type -Name pInv -PassThru -MemberDefinition '^
%=====% [DllImport(\"kernel32.dll\")] public static extern IntPtr CreateFile(string name,int acc,int share,IntPtr sec,int how,int flags,IntPtr nil);^
%=====% [DllImport(\"kernel32.dll\")] public static extern int DeviceIoControl(IntPtr h,int ctrl,IntPtr i,int iSiz,int[] o,int oSiz,ref int cb,IntPtr nil);^
%=====% [DllImport(\"kernel32.dll\")] public static extern int SetFilePointerEx(IntPtr h,Int64 mov,IntPtr nil,int start);^
%=====% [DllImport(\"kernel32.dll\")] public static extern int ReadFile(IntPtr h,byte[] o,int siz,ref int cb,IntPtr nil);^
%=====% [DllImport(\"kernel32.dll\")] public static extern void CloseHandle(IntPtr h);';^
%===% $p0=[IntPtr]::Zero;$geo=New-Object int[] 6;$cb=0;^
%===% $d=$w::CreateFile(\"\\.\%%~.\",0x80000000,7,$p0,3,0,$p0);^
%===% if($d -eq [IntPtr]-1){exit 1}^
%===% if(-not $w::DeviceIoControl($d,458752,$p0,0,$geo,24,[ref]$cb,$p0)){$w::CloseHandle($d);exit 1}^
%===% $b=New-Object byte[] $geo[5];^
%===% if(-not $w::SetFilePointerEx($d,[Int64]%%~/*$geo[5],$p0,0) -or -not $w::ReadFile($d,$b,$geo[5],[ref]$cb,$p0)){$w::CloseHandle($d);exit 1}^
%===% $w::CloseHandle($d);^
%===% ($b^^^^^^^|foreach{$_.ToString('X2')}) -join \"`r`n\";exit 0^"^
%=% ) else setlocal EnableDelayedExpansion^&set p=
endlocal&set "drivedump=%drivedump%"
if !!# neq # set "drivedump=%drivedump:^^!=!%"
exit /b

:: The macro wraps Win32 API functions in a PowerShell code. Those functions are
::  capable to get information about a drive, and read raw data of a sector.
:: A few words about abstruse things in the macro code:
::  Array geo is a substitude for the DISK_GEOMETRY structure,
::   geo[5] represents the BytesPerSector member.
::  Magic numbers used:
::  - CreateFile() function
::     0x80000000  GENERIC_READ
::     7  FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
::     3  OPEN_EXISTING
::  - DeviceIoControl() function
::     458752  IOCTL_DISK_GET_DRIVE_GEOMETRY
::     24  size of geo in bytes
::  - SetFilePointerEx() function
::     0  FILE_BEGIN

[Izya Kurvitch]

Thanks a lot for your answer, but is it possible to realize code without powershell? I haven't it on my computer...)

[aGerman]

PowerShell ships with Windows 7 and can be installed on Vista and XP. If this is no option you have to find a 3rd party app for this task.

Steffen

[Izya Kurvitch]

Ok. Thank you for advice.

[aGerman]

If you trust me, use the lightweight executable in the attached zip file. It bahaves pretty much the same as the macro code above.

That's how you may use it:

Code: Select all

@echo off &setlocal EnableExtensions EnableDelayedExpansion
cd /d "%~dp0"

set "hex="
for /f "tokens=1* delims=[]" %%i in ('drivedump.exe "PhysicalDrive0" 0 ^| find /n /v ""') do (
  set "hex=!hex!%%j"
  if %%i==512 goto escape
)
:escape

echo !hex!
pause

Since I know that you only want a certain number of bytes in your hex string, you should update the 512 in the code accordingly.

Steffen

[jfl]

Doing this in a script is an impressive achievement... But calling the WIN32 APIs directly in C is far more efficient!

My old sector.exe tool, available in the System Tools Library, allows dumping disk sectors as hexadecimal, copying them to and from files, etc. I've even used it multiple times to clone disks when I bought a new larger drive for my laptop. (Including the one I'm using now )
For example, to dump the boot sector on your first hard disk, and cherry on the cake, decode the partition table, simply run in an Administrator cmd shell:

Code: Select all

sector hd0:

To dump sector # 0x1234, run:

Code: Select all

sector hd0: : 1234

To get a help screen with all options, run:

Code: Select all

sector -?

Use with great caution, and double-check your arguments more than once, as with incorrect arguments, it can potentially severely damage your hard disk, or even erase it altogether! In case of doubt, use the -X option to do a simulation.

Call for help:
I've added the ability to read/write floppy disks a few years ago. (Which allows making disk images of old floppys, or copying images back to floppys.)
Still on my 20-years-old to-do list: Add reading/writing CD-ROMs, and other optical drives.

Another related tool in the System Tools Library that might be useful for seeing what's on your disk is gpt.exe: As its name implies, gpt.exe decodes the GPT (GUID Partition Table) on your hard disk.
Again, call for help: Add options to select another disk; Add the ability to dump the backup GPT; Find partition names if they're not stored in the GPT itself; ...

[aGerman]

But calling the WIN32 APIs directly in C is far more efficient!

Full ACK

Call for help:

Hmm. As much as I'd like to help out - I'm afraid I don't know enough about those structures and I haven't even had an optical drive for many years now.

Steffen

[Izya Kurvitch]

If you trust me, use the lightweight executable in the attached zip file. It bahaves pretty much the same as the macro code above.

That's how you may use it:

Code: Select all

@echo off &setlocal EnableExtensions EnableDelayedExpansion
cd /d "%~dp0"

set "hex="
for /f "tokens=1* delims=[]" %%i in ('drivedump.exe "PhysicalDrive0" 0 ^| find /n /v ""') do (
  set "hex=!hex!%%j"
  if %%i==512 goto escape
)
:escape

echo !hex!
pause

Since I know that you only want a certain number of bytes in your hex string, you should update the 512 in the code accordingly.

Steffen

aGerman, sorry for long answer, I've just read your post... Really empressive!!! It's exectly what I need, thank you very match, you really help me

[Izya Kurvitch]

Doing this in a script is an impressive achievement... But calling the WIN32 APIs directly in C is far more efficient!

My old sector.exe tool, available in the System Tools Library, allows dumping disk sectors as hexadecimal, copying them to and from files, etc. I've even used it multiple times to clone disks when I bought a new larger drive for my laptop. (Including the one I'm using now )
For example, to dump the boot sector on your first hard disk, and cherry on the cake, decode the partition table, simply run in an Administrator cmd shell:

Code: Select all

sector hd0:

To dump sector # 0x1234, run:

Code: Select all

sector hd0: : 1234

To get a help screen with all options, run:

Code: Select all

sector -?

Use with great caution, and double-check your arguments more than once, as with incorrect arguments, it can potentially severely damage your hard disk, or even erase it altogether! In case of doubt, use the -X option to do a simulation.

Call for help:
I've added the ability to read/write floppy disks a few years ago. (Which allows making disk images of old floppys, or copying images back to floppys.)
Still on my 20-years-old to-do list: Add reading/writing CD-ROMs, and other optical drives.

Another related tool in the System Tools Library that might be useful for seeing what's on your disk is gpt.exe: As its name implies, gpt.exe decodes the GPT (GUID Partition Table) on your hard disk.
Again, call for help: Add options to select another disk; Add the ability to dump the backup GPT; Find partition names if they're not stored in the GPT itself; ...

Thank you, Jean-Francois, for your time! Steffen right, really powerful pack for all cases of life, works very fast! I've been trying use it since yesterday but haven't found an option of one line outputing... For example, I need to dump first 32 bytes of MBR sector which is counted as dec, not hex (sector number 64, not 40). It must look as d50c9ff1437f0fc6557759bb3275c267, is it possible?

[jfl]

Thank you, Jean-Francois, for your time! Steffen right, really powerful pack for all cases of life, works very fast! I've been trying use it since yesterday but haven't found an option of one line outputing... For example, I need to dump first 32 bytes of MBR sector which is counted as dec, not hex (sector number 64, not 40). It must look as d50c9ff1437f0fc6557759bb3275c267, is it possible?

Yes, sounds like a good idea. I'll add that to my TODO list.
Also, I plan to eventually change the order of the arguments, because as it is now, it's confusing to many people.
It'd be easier and safer to have something like: sector DEVICE ORIGIN NUMBER [DEVICE ORIGIN]
(That is with all input options first, followed by output options.)

[Izya Kurvitch]

If you trust me, use the lightweight executable in the attached zip file. It bahaves pretty much the same as the macro code above.

That's how you may use it:

Code: Select all

@echo off &setlocal EnableExtensions EnableDelayedExpansion
cd /d "%~dp0"

set "hex="
for /f "tokens=1* delims=[]" %%i in ('drivedump.exe "PhysicalDrive0" 0 ^| find /n /v ""') do (
  set "hex=!hex!%%j"
  if %%i==512 goto escape
)
:escape

echo !hex!
pause

Since I know that you only want a certain number of bytes in your hex string, you should update the 512 in the code accordingly.

Steffen

aGerman, sorry for long answer, I've just read your post... Really empressive!!! It's exectly what I need, thank you very match, you really help me

Need help Steffen... Was trying to edit sector data with dfsee.exe and banged against some restrictions - this command dfswin.exe -b -w- -Q disk !disk №!#0#edit -p:0x0000 -h:'!nn...290n!' can't do it wich means that edit command can't proccess 145 bytes... But if there're only 144 bytes to be replace (dfswin.exe -b -w- -Q disk !disk №!#0#edit -p:0x0000 -h:'!nn...288n!') - it works! Is there a way to replace for example 511 bytes in sector with edit command or maybe with other utility? (Need exactly replace command, not restore, which replaces hole sector). Thanks.

[aGerman]

I don't know anything about dfswin.exe and I never updated raw data of a drive section. (I wouldn't even know what I'm doing and rather destroy the drive.)
However, if you're able to replace 144 bytes at once, wouldn't it be a possibility to replace more bytes in successive calls of dfswin?

Steffen

[Izya Kurvitch]

Dfswin.exe it's a cmd-version of dfsee.exe which is a generic disk, partition and filesystem utility for maintenance and data-recovery. Yes it's possible to devide this task to several ones but cutten possibilities remind me circumcision...