Hi all,
I would like to know a bit more about the MBR's bootcode.
Is (legitimate) bootcode all the same for each disk, or does it change with the OS or some other parameters?
I am not talking about fancy bootcodes like dual boot etc., just default bootcode from a Windows machine you'd buy in a computer store for example.
Next question would be: is there an easy way, without reverse engineering the bootcode, to be sure it's a legitimate one and not a rootkit/malware? Any tool for that?
Thank you.
Not long ago, I wrote some Perl code that would parse through the first sectors of a disk image, looking for indications of MBR infectors. My public, open source research had indicated that many MBR infectors would copy the original MBR to one (or even two) of the sectors between 0 and 63.
What I didn't do was take it one step further, parsing the actual MBR boot code instructions to look at the JMP instruction that indicates that the system was infected via the MBR…there are a number of sites on the web that do a disassembly of the code, so you could use that as a reference.
Is (legitimate) bootcode all the same for each disk, or does it change with the OS or some other parameters?
Good question.
There are lots of differences – you can do a pretty decent fingerprinting from MBR code or VBR code or both.
It changes mainly with the version of 'format.exe' or equivalent. Such fingerprinting doesn't give you much, though – I mean most OS installations allow you to keep existing boot code. What you do get is a way to ensure that you don't miss a dual-booter, or FDE product or something tricky that boots from something other than the currently active drive. Or perhaps something unusual like NEC boot code with more than 4 primary partitions – which otherwise would look as if you had an unaccounted-for partition on the disk.
Next question would be: is there an easy way, without reverse engineering the bootcode, to be sure it's a legitimate one and not a rootkit/malware? Any tool for that?
No. And none that I know.
However, by just hashing the code part and checking that against known hashes, you can decide if you need to take a look over an unknown MBR in case it does something out of the ordinary. If you have the hashes from MBR code from, say, MSDOS 2.11 to Windows 8 you have covered something like 90%, I believe.
You still will get surprises. Like Atari floppies used for Windows, which had me very puzzled, until I realized that I wasn't looking at x86 code. I spent a lot of time on that quite needlessly, and I wished that there had been some way to pass on a signature to help the next person faced with the same problem. (I think file(1) does it now, though.)
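As an added example (not the Perl tool mentioned above, nor anything from the posters), here is a Python sketch of the two checks the thread describes: hash only the 440-byte code part of sector 0 against an allow-list of known-good hashes, and look in sectors 1-62 for a second sector carrying a boot signature and a sane partition table, the "stashed original MBR" pattern. The sample images, the allow-list and the boot code bytes are constructed placeholders, not real Windows boot code.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440  # boot code area; disk signature, 2 reserved bytes and the partition table follow

def bootcode_hash(sector):
    """SHA-256 of the code part only, so the per-disk signature and partition table do not matter."""
    return hashlib.sha256(sector[:CODE_LEN]).hexdigest()

def looks_like_mbr(sector):
    """True if the sector has the 55AA signature and a non-empty, sane partition table."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        return False
    used = 0
    for i in range(4):
        e = sector[446 + 16 * i: 462 + 16 * i]
        if e == bytes(16):
            continue
        start, size = struct.unpack_from("<II", e, 8)
        if e[0] not in (0x00, 0x80) or e[4] == 0 or start == 0 or size == 0:
            return False
        used += 1
    return used > 0

def scan_image(data, known_hashes):
    """Hash sector 0's code against the allow-list and look for MBR copies stashed in LBA 1-62."""
    mbr = data[:SECTOR]
    h = bootcode_hash(mbr)
    copies = [lba for lba in range(1, 63)
              if looks_like_mbr(data[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"bootcode_sha256": h, "known": h in known_hashes,
            "mbr_valid": looks_like_mbr(mbr), "mbr_copies": copies}

# --- constructed sample images (placeholder bytes, not real boot code) ---
def make_mbr(code_byte):
    code = bytes([code_byte]) * CODE_LEN
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return code + b"\xAA\xBB\xCC\xDD" + b"\x00\x00" + entry + bytes(48) + b"\x55\xaa"

def sample_image(infected):
    sectors = [bytearray(SECTOR) for _ in range(64)]
    sectors[0][:] = make_mbr(0x90)                   # "known good" boot code
    if infected:
        sectors[62][:] = sectors[0]                  # original MBR stashed in the gap
        sectors[0][:CODE_LEN] = b"\xEB" * CODE_LEN   # code replaced, partition table kept
    return b"".join(sectors)

KNOWN = {bootcode_hash(make_mbr(0x90))}  # constructed allow-list with one "known good" hash

if __name__ == "__main__":
    for label, infected in (("clean", False), ("infected", True)):
        print(label, scan_image(sample_image(infected), KNOWN))
```

On a real image, replace `sample_image` with the first 64 sectors of the disk and fill `KNOWN` with hashes taken from installs you trust; an unknown hash is a reason to look, not proof of infection.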
Thank you guys for the tips :-)
Just in case
http//
jaclaz