[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Lost partition tables on ide-hd + ahci drive
|
From: |
Mike Maslenkin |
|
Subject: |
Re: Lost partition tables on ide-hd + ahci drive |
|
Date: |
Sat, 18 Feb 2023 00:22:12 +0300 |
I think it's guest memory again. IMHO It's a part of a memory pool and
not real IO data (unless this was pagefile data).
The first 16 bytes look like POOL_HEADER structure.
The first dump contained signature from FilterManager and the latest
contains two structures from Ntfs.
It's not clear to me what exact data after header structure, but in
case of Ntfs it looks like doubly linked list element
with Flink/Blink pointers: 60 a5 a6 d4 0c a8 ff ff, - is a
0xffffa80cd4a6a560, and 30 15 d9 e6 0c a8 ff ff = 0xffffa80ce6d91530.
The first Ntfs, looks like a final element of something, while the
second is a middle part of something else.
That is why I think it is not real IO (i.e disk data sent by guest
NTFS driver). IMHO.
I can not tell anything about dma-reentracy issues, but yes, i would
start to look at check_cmd() function call sequence.
The most interesting is why Sector Count = 1. I thought about race
with IDE reset where registers initialized with
value SATA_SIGNATURE_DISK = 0x00000101, but this means LBA=1 as well...
Regards,
Mike
On Fri, Feb 17, 2023 at 4:40 PM Fiona Ebner <f.ebner@proxmox.com> wrote:
>
> Am 16.02.23 um 15:17 schrieb Mike Maslenkin:
> > Does additional comparison make a sense here: check for LBA == 0 and
> > then check MBR signature bytes.
> > Additionally it’s easy to check buffer_is_zero() result or even print
> > FIS contents under these conditions.
> > Data looks like a part of guest memory of 64bit Windows.
>
> Just today we got a new dump [0], and it's very similar. Again only 512
> bytes and again guest memory?
>
> > febner@enia ~/Downloads % hexdump -C dump.raw
> > 00000000 00 03 22 00 4e 74 46 73 da 4c a3 1c 3b f5 7d 19
> > |..".NtFs.L..;.}.|
> > 00000010 60 a5 a6 d4 0c a8 ff ff 30 15 d9 e6 0c a8 ff ff
> > |`.......0.......|
> > 00000020 5c 00 53 00 6f 00 66 00 74 00 77 00 61 00 72 00
> > |\.S.o.f.t.w.a.r.|
> > 00000030 65 00 44 00 69 00 73 00 74 00 72 00 69 00 62 00
> > |e.D.i.s.t.r.i.b.|
> > 00000040 75 00 74 00 69 00 6f 00 6e 00 5c 00 44 00 6f 00
> > |u.t.i.o.n.\.D.o.|
> > 00000050 77 00 6e 00 6c 00 6f 00 61 00 64 00 5c 00 37 00
> > |w.n.l.o.a.d.\.7.|
> > 00000060 33 00 63 00 36 00 33 00 65 00 32 00 64 00 37 00
> > |3.c.6.3.e.2.d.7.|
> > 00000070 66 00 66 00 38 00 66 00 36 00 35 00 31 00 31 00
> > |f.f.8.f.6.5.1.1.|
> > 00000080 39 00 36 00 63 00 65 00 61 00 31 00 65 00 30 00
> > |9.6.c.e.a.1.e.0.|
> > 00000090 39 00 66 00 66 00 36 00 32 00 30 00 65 00 5c 00
> > |9.f.f.6.2.0.e.\.|
> > 000000a0 69 00 6e 00 73 00 74 00 5c 00 70 00 61 00 63 00
> > |i.n.s.t.\.p.a.c.|
> > 000000b0 6b 00 61 00 67 00 65 00 5f 00 39 00 31 00 37 00
> > |k.a.g.e._.9.1.7.|
> > 000000c0 31 00 5f 00 66 00 6f 00 72 00 5f 00 6b 00 62 00
> > |1._.f.o.r._.k.b.|
> > 000000d0 35 00 30 00 32 00 32 00 38 00 33 00 38 00 7e 00
> > |5.0.2.2.8.3.8.~.|
> > 000000e0 33 00 31 00 62 00 66 00 33 00 38 00 35 00 36 00
> > |3.1.b.f.3.8.5.6.|
> > 000000f0 61 00 64 00 33 00 36 00 34 00 65 00 33 00 35 00
> > |a.d.3.6.4.e.3.5.|
> > 00000100 7e 00 61 00 6d 00 64 00 36 00 34 00 7e 00 7e 00
> > |~.a.m.d.6.4.~.~.|
> > 00000110 31 00 30 00 2e 00 30 00 2e 00 31 00 2e 00 31 00
> > |1.0...0...1...1.|
> > 00000120 33 00 2e 00 63 00 61 00 74 00 1d 08 0d a8 ff ff
> > |3...c.a.t.......|
> > 00000130 13 03 0f 00 4e 74 46 73 ea 4d a3 1c 3b f5 7d 19
> > |....NtFs.M..;.}.|
> > 00000140 90 05 4d 0f 0d a8 ff ff a0 0c 55 0d 0d a8 ff ff
> > |..M.......U.....|
> > 00000150 43 52 4f 53 4f 46 54 2d 57 49 4e 44 4f 57 53 2d
> > |CROSOFT-WINDOWS-|
> > 00000160 44 2e 2e 2d 57 49 4e 50 52 4f 56 49 44 45 52 53
> > |D..-WINPROVIDERS|
> > 00000170 2d 41 53 53 4f 43 5f 33 31 42 46 33 38 35 36 41
> > |-ASSOC_31BF3856A|
> > 00000180 0c 03 67 00 70 00 73 00 63 00 72 00 69 00 70 00
> > |..g.p.s.c.r.i.p.|
> > 00000190 74 00 2e 00 65 00 78 00 65 00 37 00 36 00 34 00
> > |t...e.x.e.7.6.4.|
> > 000001a0 37 00 62 00 33 00 36 00 30 00 30 00 63 00 64 00
> > |7.b.3.6.0.0.c.d.|
> > 000001b0 65 00 30 00 34 00 31 00 35 00 39 00 35 00 32 00
> > |e.0.4.1.5.9.5.2.|
> > 000001c0 31 00 2e 00 74 00 6d 00 70 00 47 00 50 00 53 00
> > |1...t.m.p.G.P.S.|
> > 000001d0 43 00 52 00 49 00 50 00 54 00 2e 00 45 00 58 00
> > |C.R.I.P.T...E.X.|
> > 000001e0 45 00 37 00 36 00 34 00 37 00 42 00 33 00 36 00
> > |E.7.6.4.7.B.3.6.|
> > 000001f0 30 00 30 00 43 00 44 00 45 00 30 00 34 00 31 00
> > |0.0.C.D.E.0.4.1.|
> > 00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > |................|
> > *
> > 00100000
>
> [0]:
> https://forum.proxmox.com/threads/not-a-bootable-disk-vm-ms-server-2016.122849/post-534473
>
- Lost partition tables on ide-hd + ahci drive, Fiona Ebner, 2023/02/02
- Re: Lost partition tables on ide-hd + ahci drive, John Snow, 2023/02/14
- Re: Lost partition tables on ide-hd + ahci drive, Fiona Ebner, 2023/02/15
- Re: Lost partition tables on ide-hd + ahci drive, Mike Maslenkin, 2023/02/16
- Re: Lost partition tables on ide-hd + ahci drive, Fiona Ebner, 2023/02/16
- Re: Lost partition tables on ide-hd + ahci drive, Mike Maslenkin, 2023/02/16
- Re: Lost partition tables on ide-hd + ahci drive, Fiona Ebner, 2023/02/17
- Re: Lost partition tables on ide-hd + ahci drive, Fiona Ebner, 2023/02/17
- Re: Lost partition tables on ide-hd + ahci drive,
Mike Maslenkin <=
- Re: Lost partition tables on ide-hd + ahci drive, Aaron Lauterer, 2023/02/17