Partition Table Editing

The following document describes the basics of making changes to the partition table. Using this information it is easy to hide and unhide partitions.

Layout of the Partition Table

The partition table is located on the first physical sector of each hard disk. This is head 0, cylinder 0, sector 1. The first sector on the first hard disk is is also referred to the MBR (master boot record). It can be accessed using INT 13 / AH = 02.

Ralf Brown's interrupt list gives a full description of the first sector:

Format of hard disk master boot sector:
Offset	Size	Description	(Table 0547)
 00h 446 BYTEs	Master bootstrap loader code
1BEh 16 BYTEs	partition record for partition 1 (see #0548)
1CEh 16 BYTEs	partition record for partition 2
1DEh 16 BYTEs	partition record for partition 3
1EEh 16 BYTEs	partition record for partition 4
1FEh	WORD	signature, AA55h indicates valid boot block

What we are interested in are the 4 partition records. As you can see there are only 4 of them. Windows/DOS typically uses up two of these records, one for a primary DOS partition, and one for an extended DOS partition (which itself can have other logical drives in it). Logical drives are described inside the DOS extended partition, not in the partition table above.

The Master bootstrap loader code on the first hard disk is executed by the BIOS when the computer boots. Its purpose is to scan the partition table and boot from the first active partition.

So what does each of these partition records look like? Well, once again Ralf Brown's interrupt list provides the answer:

Format of partition record:
Offset	Size	Description	(Table 0548)
 00h	BYTE	boot indicator (80h = active partition)                (*)
 01h	BYTE	partition start head
 02h	BYTE	partition start sector (bits 0-5)
 03h	BYTE	partition start track (bits 8,9 in bits 6,7 of sector)
 04h	BYTE	operating system indicator (see #0549)                 (*)
 05h	BYTE	partition end head
 06h	BYTE	partition end sector (bits 0-5)
 07h	BYTE	partition end track (bits 8,9 in bits 6,7 of sector)
 08h	DWORD	sectors preceding partition
 0Ch	DWORD	length of partition in sectors

The values which are safe to modify are labelled above with a (*). The other values are concerned with where the partition starts and ends on the hard disk, and I wouldn't recommend changing them unless you deliberately want to cause some damage.

Boot Indicator

What is this value? If you have used FDISK before, you will know that you can have one primary partition on your first hard disk (drive C:) and that it needs to be set active before DOS will boot from it. This byte value simply determines whether a partition is marked as active (80h = active, 00h = not active). This is checked by the Master bootstrap loader code to determine which partition to boot from.

Operating System Indicator

This byte value determines the type of a partition. How does DOS know whether a partition is a primary or extended partition? It checks this value in the partition table. Some values are listed below (the complete list is found in Ralf Brown's interrupt list):

 00h	empty
 05h	DOS 3.3+ extended partition
 06h	DOS 3.31+ Large File System (16-bit FAT, over 32M)
 07h	Windows NT NTFS
 0Bh	Windows 95 with 32-bit FAT
 0Ch	Windows 95 with 32-bit FAT (using LBA-mode INT 13 extensions)
 0Eh	logical-block-addressable VFAT (same as 06h but using LBA-mode INT 13)
 0Fh	logical-block-addressable VFAT (same as 05h but using LBA-mode INT 13)
 82h	Linux Swap partition
 83h	Linux native file system (ext2fs/xiafs)

Examining an existing Partition Table

The following shows the last 80 bytes of an existing Master boot sector:

[offset]
000001B0   028E FFE6 90EB FD00 0000 0000 0000 8001
000001C0   0100 067F 3F81 3F00 0000 C1FE 0F00 0000
000001D0   0182 057F BF6B 00FF 0F00 004B 3C00 0000
000001E0   0000 0000 0000 0000 0000 0000 0000 0000
000001F0   0000 0000 0000 0000 0000 0000 0000 55AA

Note the bytes 55 AA (which is the same as the word AA55) at the end of the sector - this indicates to the BIOS "yep, you can boot from me". The first partition record starts at offset 1BEh, and is 16 bytes long:

000001B0                                      8001
000001C0   0100 067F 3F81 3F00 0000 C1FE 0F00

Notice the first byte (80h) which indicates this is an active partition. Also take note of the fifth byte (06h) which indicates this is a DOS 3.31+ Large File System. This is also called the Primary Partition in DOS.

The second partition record is as follows:

000001C0                                      0000
000001D0   0182 057F BF6B 00FF 0F00 004B 3C00

Here the partition type is 05h, or a DOS 3.3+ extended partition. This looks like a typical DOS only machine. The other two partitions have the partition type as 0, and thus are unused entries.

Go ahead and have a look at your own partition table. If you are unsure how to write some code to read the MBR, readmbr.asm is a small example program.

How to hide a Partition

Armed with the above knowledge, you should be able to make simple changes to the partition table. Just write a little program to read in the MBR, modify the partition table, then write the MBR back to disk. You will need to read and write the entire MBR because it is not possible to read / write only part of a sector.

The simplest way to hide a partition is to replace its type. So for a DOS Extended partition, you can change the partition type from 05h (DOS Extended) to 82h (Linux Swap). DOS will then see a non-DOS partition, and ignore it! Later, when you want to unhide the partition, just search for the Linux Swap partition (82h) and replace its type with DOS Extended (05h). Of course if you run Linux while such a partition is hidden, you can expect to lose the entire hidden partition.

Just make sure you pick a partition type which is not going to conflict with existing operating systems. Something like E5h ("officially listed as reserved") or E7h (unused) will work well in general.

You can download some sample code to hide and unhide a DOS extended partition. In addition to handling partition type 05h, this code checks for the type

 0Fh	logical-block-addressable VFAT (same as 05h but using LBA-mode INT 13)

On LBA-enabled BIOSes, creating an extended partition using DOS 7+ will create a type 0Fh partition.

Shortcomings

The downside of this method is, while DOS does not recognize a non-DOS partition, it still shows up as a 'Non-DOS' partition in FDISK and can be deleted. One way to avoid this is to set the type of a hidden partition to 00h, but then your programs will not be able to identify a partition which was previously hidden.

A better, but more difficult way, is to store the partition information somewhere else, and set all 16 bytes of the partition record to 00 (just like an unused partition). You could store the original partition information somewhere on the second, third, fourth, etc. sector of the hard disk. Your first partition usually starts on cylinder 0, side 1, sector 1. Sectors 2, 3, 4, etc. on cylinder 0, side 0 are unused (unless you have some security program or virus on your computer, which may use these sectors to store its own data).

These are just some thoughts to make a better, 'Idiot-proof' partition hider.