{
	"id": "4923d16e-763b-412f-a58a-9a0259068190",
	"created_at": "2026-04-06T00:08:08.399435Z",
	"updated_at": "2026-04-10T03:21:46.874957Z",
	"deleted_at": null,
	"sha1_hash": "ad6d9a1ed6fbc592da1f92c5b310b9db5bfe18fb",
	"title": "Virtual File Systems for Beginners",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108005,
	"plain_text": "Virtual File Systems for Beginners\r\nBy Marcus Hutchins\r\nPublished: 2014-11-28 · Archived: 2026-04-05 13:33:08 UTC\r\nA Virtual File System (VFS), sometimes referred to as a hidden file system, is a storage technique most\r\ncommonly used by kernel mode malware, usually to store components outside of the existing filesystem. By using\r\na virtual filesystem, malware developers can both bypass antivirus scanners and complicate the work of\r\nforensic analysts.\r\nFilesystem Basics\r\nIf you’re running Windows and not using hardware from the 90s or an OS installed on a flash drive,\r\nchances are you’re using the New Technology File System (NTFS). In order to understand how a VFS benefits\r\nmalware developers, first we need to dive into a bit of filesystem basics.\r\nIn this example we have a disk containing only one partition (which runs Windows).\r\nThe Master Boot Record (MBR) gives the system information about the partition, such as its start sector\r\nand size.\r\nThe Volume Boot Record (VBR) is the primary boot code; it locates the Windows bootloader, loads it and\r\nexecutes it. The VBR is the first sector within the NTFS partition.\r\n$BOOT is the NTFS metadata file that maps the boot area at the start of the volume (the VBR and the bootstrap code that follows it), which in turn finds and loads the Windows boot loader.\r\n$MFT is the Master File Table and tells the system where to find files within the filesystem.\r\nAntivirus Scans\r\nA full system scan will go through every file in the Master File Table and scan it; additionally, the\r\nantivirus can hook the filesystem driver and scan files on creation or write. If somebody didn’t want a file to be\r\nscanned, not adding an entry to the MFT would be a good start. Unfortunately, if sectors within the partition are\r\nnot referenced by the MFT, they are assumed unused and are likely to be overwritten as more files are written to the\r\ndisk.\r\nMalware Forensics\r\nThere are lots of techniques used when analyzing an infected system; however, looking for\r\nnew/modified files is a common starting point for an analyst. 
To speed up file deletion, the system simply deletes\r\nthe file’s record in the MFT but leaves the file’s data intact; this way the sectors can be overwritten by a new file\r\nand the system doesn’t have to waste time zeroing out the old one. Because there is going to be random data\r\nleft by deleted files all over the disk, it’s very easy for an encrypted virtual filesystem to hide, further complicating\r\nanalysis.\r\nObviously, if we can’t write directly to free sectors within the partition for fear of them being overwritten, then\r\nwe’re going to have to write our VFS outside of the partition. What makes this possible is the fact that there is\r\nunused reserved space at both ends of the disk.\r\nDisk Basics\r\nSpace after the MBR\r\nA disk platter is divided into tracks, which are divided into sectors; a single sector is 512\r\nbytes in size and there is a fixed number of sectors per track. As technology advanced the physical size of\r\nsectors got smaller, so more sectors could fit onto a single track; however, the MBR field that describes the\r\nsector number is 6 bits in size and can only hold the values 0 – 63, limiting the sectors per track to 63.\r\nEventually, someone figured out that the closer to the edge of the disk you get, the longer the tracks are and the\r\nmore sectors they can hold. 
Nowadays the number of sectors per track varies depending on how far away from\r\nthe spindle the track is, making the sectors per track field of the MBR totally meaningless. For compatibility\r\nreasons, disks with more than 63 sectors per track will just leave the value set at 63; the same goes for SSDs or\r\nother media that don’t have tracks at all.\r\nFor optimization reasons, when partitioning the disk the Windows partition manager will read the sectors per track\r\nvalue and align the partition on a track boundary (with 63 sectors per track, the MBR occupies the first sector of\r\ntrack 0 while the partition starts at the first sector of track 1, i.e. LBA 63, leaving 62 sectors of unused space between the\r\nMBR and the first partition).\r\nThe only problem with aligning the partition to 63 virtual 512-byte sectors is that if the disk internally uses 4 KB sectors,\r\nthere’s going to be a big performance penalty: 63 × 512 = 32,256 bytes is not a multiple of 4,096, so the OS will\r\nconstantly be writing across physical sector boundaries and wasting time on unnecessary read-modify-write cycles. In\r\nWindows Vista and onward Microsoft addressed this issue by starting the first partition at LBA 2048 (leaving 2047\r\nsectors, just under 1 MB, of reserved space and 4 KB-aligning the partition). Nobody is exactly sure why they chose to leave so much\r\nspace, but when it comes to malware, 1 MB is a lot of storage.\r\nSpace at the end of the disk\r\nBecause the space at the start of the disk can be pretty small and isn’t guaranteed\r\non GPT systems, the space at the end may be a better bet. When allocating a partition, the Windows partition\r\nmanager will end the partition before the end of the disk to leave space for dynamic disk information. 
As it\r\nhappens, dynamic disks are incredibly rare on most computers because they’re only used for software RAID and\r\nother black magic, which leaves between 1 MB and 100 MB of unused space at the end of the disk.\r\nVirtual File System\r\nThe location of the Virtual File System depends on the space needed and the system specifications; here’s a quick\r\noverview of the reserved space.\r\nStart Of Disk\r\nOn XP systems using the MBR partition format you are guaranteed 62 sectors (31.7 KB) of space between\r\nthe MBR and the first partition.\r\nOn Vista+ systems using the MBR partition format you are guaranteed 2047 sectors (just under 1 MB) of space\r\nbetween the MBR and the first partition.\r\nBecause the GUID Partition Table (GPT) is of variable size and not restricted to 1 sector like the MBR, it is\r\nuncertain how much space will be available on systems using GPT.\r\nOther than by the GPT itself, this space is never used by Windows.\r\nEnd Of Disk\r\nBetween 1 MB and 100 MB; there doesn’t appear to be any OS specification for the exact size, so the\r\nvariation is likely to do with disk geometry (e.g. one disk track is reserved).\r\nSome of the space can be used for dynamic disk information (most systems do not use dynamic disks unless\r\nusing software RAID).\r\nContrary to popular belief, a VFS can be created and accessed by a user mode application, as long as it is running\r\nas administrator. To prevent malware from bypassing kernel code signing, raw disk write access was “disabled” in Vista\r\nand onward (direct writes to sectors belonging to a mounted volume are rejected unless the volume is locked or dismounted); however, there is an exception for boot sectors and for sectors residing outside of any filesystem (both\r\nreserved areas reside outside the filesystem), enabling user mode access to the VFS. 
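As an added example (not part of the original article and not Hutchins’ code), the following Python script shows how the two reserved areas described above can be located and triaged from user mode: it parses the MBR partition table, computes the gap between the MBR and the first partition and the gap after the last partition, checks whether the first partition is 4 KiB-aligned (LBA 2048) or legacy track-aligned (LBA 63), and entropy-scans each gap in 4 KiB chunks so that a small encrypted blob is not diluted by the zeros around it. The disk image is constructed in memory; 64 sectors of seeded pseudo-random bytes stand in for an encrypted VFS. The 7.0 bits-per-byte threshold and the 8-sector chunk size are my choices, not values from the article.

```python
import random
import struct
from collections import Counter
from math import log2

SECTOR = 512                        # logical sector size assumed throughout
PART_TABLE = 0x1BE                  # four 16-byte MBR partition entries start here
MBR_SIGNATURE = bytes([0x55, 0xAA]) # boot signature at offset 0x1FE


def parse_mbr(mbr):
    '''Return [(start_lba, sector_count), ...] for the used MBR partition entries, sorted by start.'''
    if len(mbr) != SECTOR or mbr[0x1FE:0x200] != MBR_SIGNATURE:
        raise ValueError('not an MBR: wrong size or missing 55AA signature')
    parts = []
    for i in range(4):
        entry = PART_TABLE + 16 * i
        ptype = mbr[entry + 4]                                     # 0x00 marks an unused slot
        start, count = struct.unpack_from('<II', mbr, entry + 8)   # little-endian start LBA, sector count
        if ptype and count:
            parts.append((start, count))
    return sorted(parts)


def reserved_ranges(parts, total_sectors):
    '''Sectors owned by no partition, as (start_lba, count) pairs; LBA 0 (the MBR itself) is excluded.'''
    gaps = []
    cursor = 1
    for start, count in parts:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if total_sectors > cursor:
        gaps.append((cursor, total_sectors - cursor))
    return gaps


def is_4k_aligned(start_lba):
    '''True when the partition start falls on a 4 KiB boundary (LBA 2048 does, the legacy LBA 63 does not).'''
    return (start_lba * SECTOR) % 4096 == 0


def entropy_bits(data):
    '''Shannon entropy of a byte string in bits per byte: 0.0 for empty or constant input, 8.0 at most.'''
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def scan_reserved(disk, total_sectors, chunk_sectors=8, threshold=7.0):
    '''Entropy-scan every out-of-partition range chunk by chunk.
    Space that Windows never writes should be zero, so high-entropy chunks there are a VFS lead.
    Returns one dict per reserved range.'''
    parts = parse_mbr(disk[:SECTOR])
    report = []
    for start, count in reserved_ranges(parts, total_sectors):
        hits = []
        for lba in range(start, start + count, chunk_sectors):
            end = min(lba + chunk_sectors, start + count)           # last chunk may be short
            if entropy_bits(disk[lba * SECTOR:end * SECTOR]) > threshold:
                hits.append(lba)
        report.append({'start': start, 'count': count,
                       'high_entropy_chunks': len(hits),
                       'first_hit': hits[0] if hits else None})
    return report


def build_sample_disk(total_sectors=8192):
    '''Constructed 4 MiB test image (not a real disk): one NTFS-type partition at LBA 2048, 4096 sectors
    long, plus 64 sectors of seeded pseudo-random bytes planted at LBA 1 to stand in for an encrypted VFS.'''
    disk = bytearray(total_sectors * SECTOR)
    struct.pack_into('<B', disk, PART_TABLE + 4, 0x07)             # partition type 0x07: NTFS/exFAT
    struct.pack_into('<II', disk, PART_TABLE + 8, 2048, 4096)       # start LBA, sector count
    disk[0x1FE:0x200] = MBR_SIGNATURE
    rng = random.Random(1)                                          # seeded so the sample is reproducible
    fake_vfs = bytes(rng.getrandbits(8) for _ in range(64 * SECTOR))
    disk[1 * SECTOR:65 * SECTOR] = fake_vfs                         # LBA 1..64 inside the 2047-sector gap
    return bytes(disk)


if __name__ == '__main__':
    image = build_sample_disk()
    first_start = parse_mbr(image[:SECTOR])[0][0]
    print(f'first partition at LBA {first_start}, 4 KiB aligned: {is_4k_aligned(first_start)}')
    for r in scan_reserved(image, 8192):
        print(f'reserved LBA {r["start"] if False else r["start"]:>6} +{r["count"]:>5} sectors: '
              f'{r["high_entropy_chunks"]} high-entropy chunks, first at LBA {r["first_hit"]}')
```

Run against the constructed image, the script reports the pre-partition gap (LBA 1, 2047 sectors) with 8 high-entropy 4 KiB chunks starting at LBA 1, and the end-of-disk gap (LBA 6144, 2048 sectors) with none. Chunking matters: the entropy of the whole 2047-sector gap taken as one blob is below 1 bit per byte because the planted 32 KiB is swamped by zeros, and a whole-range check would miss it. On a live system the same functions can be fed the first sector and the gap ranges read from the physical drive as administrator, or, more reliably, from an offline image taken after booting clean media, since a bootkit hooking the disk stack can lie about what those sectors contain.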
Although direct user mode\r\naccess is possible, most malware tends to manage the VFS from a kernel driver and expose an API to user mode\r\ncomponents for reading/writing via the driver; this allows the VFS to be hidden from normal applications and\r\nother drivers.\r\nIt’s quite common for a VFS driver to send requests directly to the lowest level disk driver (the disk miniport); as a\r\nresult the disk read/write requests cannot be intercepted by the antivirus or any standard disk monitors, providing\r\nbetter stealth. Although you could write standard files using this method, ntfs.sys handles the NTFS specification,\r\nso you’d have to create your own NTFS driver, which would be a lot of work, especially as NTFS is not fully\r\ndocumented by Microsoft.\r\nThe actual format of the VFS is entirely dependent on the developer; some have chosen to use FAT32 with RC4\r\nencryption, whilst others use custom file systems with modified encryption algorithms. Almost always the VFS is\r\nencrypted in an attempt to make the data look like random leftover bytes rather than executables or log files.\r\nBootkits most commonly use a VFS because it reduces their footprint to a single detectable artifact: the infected\r\nbootloader reads the rootkit driver from the VFS and loads it into the kernel long before the antivirus, leaving the\r\nkernel driver time to install hooks and cover its tracks before the OS even initializes. 
A bootkit using a VFS driver\r\nhas only one weakness: the infected boot record. This can be easily addressed by using the bootkit’s driver to hook\r\nthe disk miniport and spoof read/write requests to the boot sector, tricking the AV into thinking the boot sector\r\ncontains the original Windows boot code; the same method can also be used to return empty sectors if\r\nsomething other than the rootkit tries to read the VFS. The hook only fools software that reads the disk through the\r\ninfected kernel, so an image of the drive taken after booting from clean media still shows the real boot record and VFS contents.\r\nSource: https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html"
	],
	"report_names": [
		"virtual-file-systems-for-beginners.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434088,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ad6d9a1ed6fbc592da1f92c5b310b9db5bfe18fb.pdf",
		"text": "https://archive.orkl.eu/ad6d9a1ed6fbc592da1f92c5b310b9db5bfe18fb.txt",
		"img": "https://archive.orkl.eu/ad6d9a1ed6fbc592da1f92c5b310b9db5bfe18fb.jpg"
	}
}