Quick-formatting a partition with the ReFS file system on a non-Workstation edition.
"refs-format.js"
/* https://github.com/nblog/my-fridajs-example/blob/dev/aobscan.ts */
/**
 * Address helpers bound to one loaded module (Frida runtime API).
 *
 * Thin wrappers over Process / Module / Memory / Instruction that convert
 * between relative and absolute addresses, read immediates, resolve a
 * rel32 displacement, and signature-scan the module's executable ranges.
 */
class addr_transform {
  #moduleName = '';

  /**
   * @param {string} [moduleName=''] - module to bind to. When falsy (the
   *   default empty string included), the first module reported by
   *   Process.enumerateModules() is used instead.
   */
  constructor(moduleName = '') {
    // A truthiness test (not a nullish check) is deliberate: '' also
    // selects the fallback module.
    this.#moduleName = moduleName ? moduleName : Process.enumerateModules()[0].name;
  }

  /** @returns {Module} the bound module, looked up by name on every call. */
  module() {
    return Process.getModuleByName(this.#moduleName);
  }

  /** @returns {NativePointer} the bound module's load base. */
  base() {
    return this.module().base;
  }

  /** Relative → absolute: base + rva. */
  va(rva) {
    return this.base().add(rva);
  }

  /**
   * Absolute → relative: (va - base) masked to 31 bits, converted with
   * Number(). Offsets of 2 GiB or more are therefore truncated.
   */
  rva(va) {
    const offset = va.sub(this.base()).and(0x7fffffff);
    return Number(offset);
  }

  /** Unsigned 8-bit read at addr. */
  imm8(addr) {
    return addr.readU8();
  }

  /** Unsigned 16-bit read at addr. */
  imm16(addr) {
    return addr.readU16();
  }

  /** Unsigned 32-bit read at addr. */
  imm32(addr) {
    return addr.readU32();
  }

  /** Unsigned 64-bit read at addr. */
  imm64(addr) {
    return addr.readU64();
  }

  /**
   * Target of a signed 32-bit displacement stored at addr, as an rva:
   * rva(addr + disp32 + 4), i.e. relative to the end of the 4-byte field.
   */
  mem32(addr) {
    const disp = addr.readS32();
    return this.rva(addr.add(disp).add(4));
  }

  /**
   * Target rva of a rel32 branch whose opcode byte is at addr — the
   * displacement is assumed to start one byte in (e.g. a 5-byte call).
   */
  call(addr) {
    return this.mem32(addr.add(1));
  }

  /**
   * True when the disassembly text "mnemonic opStr" of the instruction at
   * addr contains cmd (cmd is lower-cased; the disassembly is not).
   */
  equal(addr, cmd = 'call') {
    const insn = Instruction.parse(addr);
    const text = `${insn.mnemonic} ${insn.opStr}`;
    return text.includes(cmd.toLowerCase());
  }

  /**
   * Scan the module's executable ranges for a Frida match pattern.
   * Stops at the first range that yields any match and returns that
   * range's matches only; returns [] when nothing matches anywhere.
   */
  aobscan(pattern) {
    const execRanges = this.module().enumerateRanges('--x');
    for (const range of execRanges) {
      const hits = Memory.scanSync(range.base, range.size, pattern);
      if (hits.length > 0) {
        return hits;
      }
    }
    return [];
  }
}
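// Script body: load uRefs.dll, find FormatEx, locate the first
// "E8 ?? ?? ?? ?? 85 C0" sequence within 256 bytes of it, resolve that
// call's rel32 target (the routine the author labels IsRefsFormatEnabled),
// and hook it so its return value is always 1.
Module.load('uRefs.dll');
const FormatEx = Module.getExportByName('uRefs.dll', 'FormatEx');
console.log(`found: ${FormatEx}`);

// Pattern is matched against the first 256 bytes of FormatEx only; m holds
// every hit in that window, and only the first is used below.
const m = Memory.scanSync(FormatEx, 256, 'E8 ?? ?? ?? ?? 85 C0');
console.log(`uRefs::FormatEx: ${JSON.stringify(m)}`);

// Fail with a clear message instead of a TypeError on m[0] when the
// signature is absent (e.g. a different uRefs.dll build).
if (m.length === 0) {
  throw new Error('uRefs::FormatEx: call-site pattern not found within 256 bytes; the uRefs.dll build may differ');
}

const helper = new addr_transform('uRefs.dll');
// helper.call() yields the call target as an rva; helper.va() maps it back
// to an absolute address in the loaded module.
const IsRefsFormatEnabled = helper.va(helper.call(m[0].address));
console.log(`uRefs::IsRefsFormatEnabled: ${IsRefsFormatEnabled}`);

Interceptor.attach(IsRefsFormatEnabled, {
  // Force the hooked routine's return value to 1 regardless of its result.
  onLeave(retval) {
    retval.replace(1);
  },
});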
/*
frida -l "refs-format.js" -f %SystemRoot%\System32\format.com /FS:ReFS /Y /Q /V: E:
fsutil fsinfo refsinfo E: | FIND "REFS "
*/
Install Python, then install the dependencies with `python -m pip install -U frida frida-tools`; then start cmd as administrator to begin.