
How to "true hide" a partition?


19 replies to this topic

#1 Kirkx

Kirkx

    Member

  • Members
  • 31 posts
  •  
    Canada

Posted 01 February 2014 - 09:46 AM

Is it possible to "true hide" partitions with Grub4Dos?

I've been using Boot-US boot manager for a while and they recommend "true hiding" on multiboot systems with Windows XP, Vista, 7 and 8. Windows will see a "true hidden" partition as unformatted (unless you remove the drive letter before "true hiding"):

 

http://www.boot-us.com/gloss08.htm

 

Here are a few screenshots from my system:
 

(hd0,0) - NTFS 3.1, true hidden: http://img38.imagesh...8/9140/08xf.png

(hd0,1) - NTFS 3.1, active: http://img811.images...1/2798/p889.png

(hd0,2) - NTFS 3.1, true hidden: http://img854.images...4/6218/t5t2.png


Edited by Kirkx, 01 February 2014 - 09:53 AM.


#2 steve6375

steve6375

    Platinum Member

  • Developer
  • 7566 posts
  • Location:UK
  • Interests:computers, programming (masm,vb6,C,vbs), photography,TV,films
  •  
    United Kingdom

Posted 01 February 2014 - 09:57 AM

I am not sure what boot-us means. It says you must change the ID in both the boot sector and the 'partition ID'??? But the only place the partition ID is located is in the MBR (or if a logical partition, in the extended partition table structure) - anyone know what they mean?

 

As for hiding using grub4dos, use the hide and unhide commands (diddy's list of commands 2009 slightly outdated, is here).



#3 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 01 February 2014 - 12:36 PM

"True Hide" means that they don't just set the partition to hide, but also change the partition ID to something Windows can't recognize.
They do the same with the boot sector. Only that they don't change the ID, but the magic byte, so that Windows can not recognize it either.

That's necessary, because newer Windows versions ignore the hidden flag and keep nosing around where they shouldn't.

:cheers:

#4 steve6375

Posted 01 February 2014 - 12:42 PM

But the partition type/partition ID is in the boot sector??? Where else can it be?

What is the 'magic byte'? where is it?

When you say 'set the partition to hide' - how/where is this done? Do you mean by changing the Windows registry?

 

I don't understand. Leaving out any registry stuff and just from a non-OS point of view. There is only the first sector (MBR+partition table) that holds the primary partitions and their type? Or is there something else somewhere that I have missed?



#5 MedEvil

Posted 01 February 2014 - 01:14 PM

The partition table holds the partition ID. For instance type 07h means NTFS, type 17h means Hidden NTFS.
But newer Windows versions (don't know if it started with Vista or Win7) don't care anymore about the hidden flag. They check the boot sector anyway for a valid M$ bootsector and if they find one, they will mount the partition regardless of the flag.
So one has to either change the whole bootsector or simply overwrite the signature (magic byte), which Windows uses to identify the bootsector as a M$ one.

:cheers:

#6 steve6375

Posted 01 February 2014 - 01:18 PM

You mean the two AA 55 magic bytes at the end of the PBR?

MS use 27h for hidden NTFS not 17h. The hidden recovery ptn on a Windows system is type 27h. As long as a drive letter is not assigned to it, Windows will not show it.



#7 MedEvil

Posted 01 February 2014 - 01:44 PM

You mean the two AA 55 magic bytes at the end of the PBR?

No, I mean the OEM ID. Which is actually 8 bytes long, but changing just one byte will invalidate it for Windows.

Components of a Boot Sector

The MBR transfers CPU execution to the boot sector, so the first three bytes of the boot sector must be valid, executable x86-based CPU instructions. This includes a jump instruction that skips the next several nonexecutable bytes.

Following the jump instruction is the 8-byte OEM ID, a string of characters that identifies the name and version number of the operating system that formatted the volume. To preserve compatibility with MS-DOS, Windows 2000 records "MSDOS5.0" in this field on FAT16 and FAT32 disks. On NTFS disks, Windows 2000 records "NTFS."

Note

You may also see the OEM ID "MSWIN4.0" on disks formatted by Windows 95 and "MSWIN4.1" on disks formatted by Windows 95 OSR2 and Windows 98. Windows 2000 does not use the OEM ID field in the boot sector except for verifying NTFS volumes.

Following the OEM ID is the BPB, which provides information that enables the executable boot code to locate Ntldr. The BPB always starts at the same offset, so standard parameters are in a known location. Disk size and geometry variables are encapsulated in the BPB. Because the first part of the boot sector is an x86 jump instruction, the BPB can be extended in the future by appending new information at the end. The jump instruction needs only a minor adjustment to accommodate this change. The BPB is stored in a packed (unaligned) format.

MS use 27h for hidden NTFS not 17h. The hidden recovery ptn on a Windows system is type 27h.

Wrong and right. ;) 27h is a hidden recovery partition of NTFS. 17h is a hidden NTFS partition.
Your bootmanager will change 07h to 17h on a partition which should not be shown / mounted, not 27h.

:cheers:

#8 steve6375

Posted 01 February 2014 - 01:54 PM

Ah OK, so rather than un-assigning the drive letter within Windows, you can mangle the Volume ID so it doesn't recognise the volume when Windows boots.

 

If you mangle the Volume ID and set the type to 17h then Windows sees an unformatted partition.

 

But what if you mangle the Volume ID and set the type to 27h instead of 17h - would Windows see it at all???



#9 steve6375

Posted 01 February 2014 - 02:30 PM

So it should be possible to true hide under grub4dos

 

1. Use the hide command to change the ptn ID

2. Swap over the first two bytes of the Volume Serial number in the PBR

 

On an NTFS partition this would be at offset 0x48, on FAT32 0x43.

 

So this would mean we would have to find the PBR by reading the MBR, get the start of the PBR, read it into memory, determine the type of BPB (FAT32 or NTFS), change over the 2 bytes at 0x48 or 0x43, write back the PBR.

 

This is perfectly possible.

 

What would be the best way to determine partition type - just from the lower 4 bits of the Partition type ID number or maybe that bytes 0x3 to 0x10 of the PBR are 'NTFS    '???



#10 MedEvil

Posted 01 February 2014 - 04:58 PM

2. Swap over the first two bytes of the Volume Serial number in the PBR

Nope wrong.
Windows uses the volume serial number to identify the volume. If you change it, Windows assumes it found a new volume and does not avoid it like the plague ;), like we want to.
Make Windows believe it found a partition of another OS, like Linux for instance.

:cheers:

#11 dog

dog

    Frequent Member

  • Expert
  • 236 posts

Posted 03 February 2014 - 01:00 PM

I used to hide partitions with partnew, but some OS installers will assume that apparently unpartitioned space is actually empty, so it's not without risk...

http://reboot.pro/to...erly-using-g4d/



#12 steve6375

Posted 03 February 2014 - 01:28 PM

yes, having a 0 ID partition entry can cause Windows to re-arrange the partition table!

 

e.g.

start

1 = 07
2 = 0c
3 = 17
4 = Extended ptn 0F

Now knock out ptn 3

1 = 07
2 = 0c
3 = 0
4 = Extended ptn 0F

Now do something in Windows - like run diskpart and then just exit

1 = 07
2 = 0c
3 = Extended ptn 0F
4 = empty



#13 steve6375

Posted 11 January 2015 - 03:37 PM

Maybe this will work for you...

 

True Hide?

title HIDE HD0,1
set PTN=(hd0,1)
debug 2
# HIDE hd0,1
cat --locate=NTFS --replace=ntfs --skip=3 --length=8 %PTN%+1 > nul
cat --locate=MS --replace=ms --skip=3 --length=8 %PTN%+1 > nul
cat --locate=OS --replace=os --skip=3 --length=8 %PTN%+1 > nul
cat --locate=IBM --replace=ibm --skip=3 --length=8 %PTN%+1 > nul
cat --locate=FAT --replace=fat --skip=3 --length=8 %PTN%+1 > nul
# make magic bytes invalid
cat --locate=\x55\xaa --replace=\x15\xaa --skip=510  %PTN%+1 > nul
cat --locate=\x55\xaa --replace=\x15\xaa --skip=510  %PTN%1+1 > nul
# set partition type in MBR to hidden
hide %PTN%
pause
errorcheck off
boot
title UNHIDE HD0,1
set PTN=(hd0,1)
debug 2
#UNHIDE
cat --locate=ntfs --replace=NTFS --skip=3 --length=8 %PTN%+1 > nul
cat --locate=ms --replace=MS --skip=3 --length=8 %PTN%+1 > nul
cat --locate=os --replace=OS --skip=3 --length=8 %PTN%+1 > nul
cat --locate=ibm --replace=IBM --skip=3 --length=8 %PTN%+1 > nul
cat --locate=fat --replace=FAT --skip=3 --length=8 %PTN%+1 > nul
cat --locate=\x15\xaa --replace=\x55\xaa --skip=510  %PTN%+1 > nul
cat --locate=\x15\xaa --replace=\x55\xaa --skip=510  %PTN%1+1 > nul
unhide %PTN%
pause
errorcheck off
boot

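As an added example (not code from this thread and not part of grub4dos), here is the same three-step "true hide" that posts #5 to #9 describe and the grub4dos script above performs, carried out in Python against a disk image: flip bit 0x10 of the partition type in the MBR entry (what hide / unhide do), lower-case the OEM ID tokens at PBR offset 3, and turn 55 AA into 15 AA at offset 510 of the first two PBR sectors (the %PTN%+1 and %PTN%1+1 lines). The disk image, its two partitions and their OEM IDs are constructed inside the script and the function names are the example's own; it only touches an in-memory image, so to use it on a real device you would read and write the same offsets with raw disk access.

```python
import struct

SECTOR = 512
PART_TABLE = 0x1BE                 # MBR partition table: four 16-byte entries
TYPE_OFF = 4                       # partition type byte inside an entry
HIDDEN_BIT = 0x10                  # 07h -> 17h (NTFS), 0Ch -> 1Ch (FAT32 LBA)
OEM_OFF = 3                        # 8-byte OEM ID follows the 3-byte jump
SIG_OFF = 510                      # 55 AA boot-sector signature
NOT_DATA = (0x00, 0x05, 0x0F)      # empty entry or extended container
OEM_TOKENS = (b'NTFS', b'MS', b'OS', b'IBM', b'FAT')   # tokens the grub4dos script re-cases


def _entry_off(n):
    return PART_TABLE + 16 * n


def read_entry(img, n):
    """Return (status, type, lba_start, sector_count) of MBR entry n (0..3)."""
    return struct.unpack_from('<B3xB3xII', img, _entry_off(n))


def make_image(sectors=64):
    """Constructed sample disk (not real data): an NTFS primary at LBA 8 and a
    FAT32 primary at LBA 32, each with a 55 AA signature in its first two sectors."""
    img = bytearray(sectors * SECTOR)
    for i, (status, ptype, lba, count) in enumerate([(0x80, 0x07, 8, 24), (0x00, 0x0C, 32, 32)]):
        struct.pack_into('<B3sB3sII', img, _entry_off(i),
                         status, b'\xfe\xff\xff', ptype, b'\xfe\xff\xff', lba, count)
    img[SIG_OFF:SIG_OFF + 2] = b'\x55\xaa'
    for lba, jmp, oem in ((8, b'\xeb\x52\x90', b'NTFS    '), (32, b'\xeb\x58\x90', b'MSWIN4.1')):
        base = lba * SECTOR
        img[base:base + 3] = jmp
        img[base + OEM_OFF:base + OEM_OFF + 8] = oem
        for s in (0, 1):
            o = base + s * SECTOR + SIG_OFF
            img[o:o + 2] = b'\x55\xaa'
    return img


def true_hide(img, n, hide=True):
    """Apply (hide=True) or reverse (hide=False) the three edits of the grub4dos
    script to MBR entry n. Returns the new partition type byte."""
    _, ptype, lba, _ = read_entry(img, n)
    if ptype in NOT_DATA:
        raise ValueError('entry %d is empty or an extended container' % n)
    # 1. MBR: set or clear bit 0x10 of the type byte (grub4dos hide / unhide)
    new_type = (ptype | HIDDEN_BIT) if hide else (ptype & ~HIDDEN_BIT)
    img[_entry_off(n) + TYPE_OFF] = new_type
    # 2. PBR sector 0: change the case of the OEM ID token(s) in bytes 3..10
    base = lba * SECTOR
    oem = bytes(img[base + OEM_OFF:base + OEM_OFF + 8])
    for tok in OEM_TOKENS:
        src, dst = (tok, tok.lower()) if hide else (tok.lower(), tok)
        oem = oem.replace(src, dst)
    img[base + OEM_OFF:base + OEM_OFF + 8] = oem
    # 3. PBR sectors 0 and 1: 55 AA <-> 15 AA at offset 510 (the %PTN%+1 and %PTN%1+1 lines)
    src, dst = (b'\x55\xaa', b'\x15\xaa') if hide else (b'\x15\xaa', b'\x55\xaa')
    for s in (0, 1):
        o = base + s * SECTOR + SIG_OFF
        if img[o:o + 2] == src:
            img[o:o + 2] = dst
    return new_type


def pbr_info(img, n):
    """(oem_id, sector0_signature_ok, sector1_signature_ok) for entry n's PBR."""
    _, _, lba, _ = read_entry(img, n)
    base = lba * SECTOR

    def sig_ok(s):
        o = base + s * SECTOR + SIG_OFF
        return bytes(img[o:o + 2]) == b'\x55\xaa'

    return bytes(img[base + OEM_OFF:base + OEM_OFF + 8]), sig_ok(0), sig_ok(1)


def is_true_hidden(img, n):
    """Same test as an iftitle menu line: a data partition whose type has bit 0x10 set."""
    _, ptype, _, _ = read_entry(img, n)
    return ptype not in NOT_DATA and bool(ptype & HIDDEN_BIT)


if __name__ == '__main__':
    disk = make_image()
    for n in (0, 1):
        t = true_hide(disk, n, hide=True)
        print('entry %d -> type %02Xh, PBR %r, hidden=%s' % (n, t, pbr_info(disk, n), is_true_hidden(disk, n)))
        true_hide(disk, n, hide=False)
```

The is_true_hidden() check is the bit-0x10 test that a menu entry can use to decide whether to offer "hide" or "unhide". A later post in this thread reports that these byte edits alone were not enough to hide FAT16/FAT32 partitions from Windows, so the FAT32 entry here shows the edits being applied, not that Windows will ignore the volume afterwards.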

#14 Kirkx

Posted 12 January 2015 - 06:53 AM

Thanks Steve. Your code works like a charm. I have tested it on a primary ntfs partition (hd1,2) and on a logical ntfs partition (hd0,16). Both "true hiding" and "true unhiding" work OK. Also, there are no conflicts with Boot-US bootloader in MBR, so both methods of true hiding can be used depending on circumstances. On the screenshots below the primary ntfs partition /dev/sdb3 is "true hidden" using your code:

 

http://i.imgur.com/S4ObecS.png

 

http://i.imgur.com/LTr4RVA.png

 

At this point I'm focusing only on ntfs partitions because true hiding is only really needed when you have a few instances of Windows OS installed on different partitions. Windows is known to snoop around the hard disk and ignore the standard hidden flag. I assume that for true hiding Windows only the cat line with NTFS from your original code is needed:

 

title True Hide NTFS (hd1,2) & Boot Windows XP on (hd0,0)
set PTN=(hd1,2)
debug 2
cat --locate=NTFS --replace=ntfs --skip=3 --length=8 %PTN%+1 > nul
# make magic bytes invalid
cat --locate=\x55\xaa --replace=\x15\xaa --skip=510  %PTN%+1 > nul
cat --locate=\x55\xaa --replace=\x15\xaa --skip=510  %PTN%1+1 > nul
# set hidden flag in MBR
hide %PTN%
pause
errorcheck off
chainloader (hd0,0)/ntldr
 

With debug level set to 2 I didn't get any error messages when true hiding a logical partition. With the primary the errors were as follows. Are they safe to ignore?

 

Warning: MBR cylinders (60802) is not equal to the BIOS one (1023)

Warning: MBR total sectors (976773120) is greater than the BIOS one (16434495). Some buggy BIOSes could hang when you access sectors exceeding the BIOS limit.

Partition (1,2) successfully set hidden


Edited by Kirkx, 12 January 2015 - 06:58 AM.


#15 steve6375

Posted 12 January 2015 - 09:24 AM

It sounds like you have an old BIOS with an 8GB limit?

If it works, then it works!

Set debug to 1 or 0 to get rid of the messages.

 

Yes, for NTFS partitions, only the NTFS cat line is needed.

 

Question: Are the two last Magic Byte lines needed???



#16 Kirkx

Posted 12 January 2015 - 11:53 AM

Steve6375: It sounds like you have an old BIOS with a 8GB limit?

inxi -Fxz

BIOS: Phoenix version: 3.15, date: 01/25/2007


#17 steve6375

Posted 12 January 2015 - 12:19 PM

Is there a later version for your board? If not, don't worry.



#18 steve6375

Posted 12 January 2015 - 04:45 PM

Could you use a disk editor or similar tool to list the data in the PBR and PBR+1 (e.g. RMPrepUSB - Drive Info - P1) if P1 is the hidden partition?

Then I can see exactly what Boot-US does to the PBR. Does it change the Magic Bytes in both the 1st and 2nd sectors of the PBR, for instance?

Thanks 

Steve



#19 steve6375

Posted 16 January 2015 - 08:56 PM

The Hide/Unhide code above doesn't work on FAT32 and FAT16 drives (partitions are not hidden from Windows).

 

Attached is the Mark 2 version, which seems to work fine for FAT16, FAT32, NTFS and (I think) exFAT.

 

Note that the partitions and files inside the partitions are still accessible from grub4dos.

Here is the improved menu which will not list extended partitions, only Primary and Logical ones - attached is a larger version for more partitions.

iftitle [parttype (hd0,1) ;; set /A p=%@retval% ;; if not %p%==0x0F && calc %p%&0x10^0x10] TRUE HIDE HD0,1\n Hide 2nd partition on first hard disk
call /%grub%/true_hide.g4b (hd0,1)
pause
# Reload main menu
configfile (md)0xa000+0x50

iftitle [parttype (hd0,1) ;; set /A p=%@retval% ;; if not %p%==0x0F && calc %p%&0x10] TRUE UNHIDE HD0,1\n Unhide 2nd partition on first hard disk
call /%grub%/true_unhide.g4b (hd0,1)
pause
# Reload main menu
configfile (md)0xa000+0x50

Attached Files



#20 steve6375

Posted 17 January 2015 - 12:18 PM

A few minor bugs found!

empty partitions cause a Hide menu to be displayed

set PTN=  should be at the end of the g4b batch file and not before the cat command which uses %PTN%!

 

Menu now does not display if ptn is empty!

iftitle [parttype (hd0,1) &; set /A p=%@retval% &; if not %p%==0x0F && calc %p%&0x10^0x10] TRUE HIDE HD0,1\n Hide 2nd partition on first hard disk
call /%grub%/true_hide.g4b (hd0,1)
pause
# Reload main menu
configfile /menu.lst

iftitle [parttype (hd0,1) &; set /A p=%@retval% &; if not %p%==0x0F && calc %p%&0x10] TRUE UNHIDE HD0,1\n Unhide 2nd partition on first hard disk
call /%grub%/true_unhide.g4b (hd0,1)
pause
# Reload main menu
configfile /menu.lst

See Tutorial #130

Attached Files





