 |
Puppy Linux Discussion Forum Puppy HOME page : puppylinux.com "THE" alternative forum : puppylinux.info
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in|
The time now is Sun 01 Mar 2015, 12:42 All times are UTC - 4 |
 Forum index » Off-Topic Area » Security |
|
How to check Windows MBR code from Linux?
|
 
|
View previous topic :: View next topic |
| Page 1 of 2 [23 Posts] | Goto page: 1, 2 Next |
| Author | Message | ||||||
|---|---|---|---|---|---|---|---|
|
B.K. Johnson
Joined: 12 Oct 2009 Posts: 177 |
My computer's MBR may have been changed by a virus. I don't want to reboot under Windows until I verify that the MBR is OK. I know some Windows tools I could use to read the MBR and save the output to a file for review, but I want something I can run from puppy (Lucid-5.2.5). Can anyone recommend a Linux tool and create a PET that allows me to do the same? I could just invoke ms-sys to write a new MBR but I need to know what is there. |
||||||
|
|||||||
 |
|||||||
|
DPUP5520
Joined: 16 Feb 2011 Posts: 802 |
use the file command _________________ PupRescue 2.5 Puppy Crypt 528 |
||||||
|
|||||||
|
|||||||
|
nooby
Joined: 29 Jun 2008 Posts: 10557 Location: SwedenEurope |
B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result? file MBR or file mbr or what to write in terminal? _________________ I use Google Search on Puppy Forum not an ideal solution though |
||||||
|
|||||||
|
|||||||
rcrsn51
 Joined: 05 Sep 2006 Posts: 9680 Location: Stratford, Ontario |
|
||||||
|
|||||||
|
|||||||
Bruce B
 Joined: 18 May 2005 Posts: 11132 Location: The Peoples Republic of California |
The first think with any external utility is to use the --help to get a brief summary. As you need consult the man and info pages for more detail. http://linux.die.net/man/1/file Normally typing file foobar is all you need. For a boot sector you can file /dev/sda for mbr on /dev/sda I think you will get more details by making a file as shown above by rcrsn51 and then running file mbr.bin ~ _________________ New! Puppy Linux Links Page |
||||||
|
|||||||
|
|||||||
|
nooby
Joined: 29 Jun 2008 Posts: 10557 Location: SwedenEurope |
Thanks. I guess me too chicken to try. DD is a dangerous thing to use? _________________ I use Google Search on Puppy Forum not an ideal solution though |
||||||
|
|||||||
|
|||||||
|
Sylvander
Joined: 15 Dec 2008 Posts: 3603 Location: West Lothian, Scotland, UK |
1. I used the code given by rcrsn51 to make the mbr.bin file in my /00 folder. 2. Here's what I did: (a) Ran Xfe and navigated to the /00 folder. (b) Ran a terminal window whilst working in the /00 folder. (c) Copied and pasted the code...
From the thread to the terminal command line, and hit <Enter>. The file mbr.bin was created in the /00 folder. 3. Then in the same terminal window... I ran the command...
And the following info was displayed: mbr.bin: x86 boot sector, mbr; partition 2: ID=0xf, starthead 0, startsector 12289725, 7630875 sectors Not really what I want. 
QUESTION: 4. How do I read the makeup of my MBR? Using the mbr.bin file? |
||||||
|
|||||||
|
|||||||
|
rcrsn51
Joined: 05 Sep 2006 Posts: 9680 Location: Stratford, Ontario |
What do you want to know about it? The MBR is just a small block of binary code. There are web sites that will show you the standard code for various versions of Windows. |
||||||
|
|||||||
|
|||||||
Aitch
 Joined: 04 Apr 2007 Posts: 6825 Location: Chatham, Kent, UK |
For an explanation of rcrsn51's post see http://www.miljan.org/main/2007/09/05/easy-way-to-read-mbr/ For an explanation of the mbr/bootloader process, see http://oldfield.wattle.id.au/luv/boot.html In my experience, merely repairing the mbr will restore a drive's functionality, provided the fat table is not corrupted....then you'll need more help Also see M$ http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q69/0/13.ASP&NoWebContent=1 Aitch 
|
||||||
|
|||||||
|
|||||||
|
Flash
Official Dog Handler  Joined: 04 May 2005 Posts: 11271 Location: Arizona USA |
B.K. Johnson, if all you really want to know is whether the MBR was compromised, maybe this would work: make a file of the existing MBR using rcrsn51's program, reinstall the MBR using Windows, then run rcrsn51's program again and compare the resulting file with the first file. That would show the difference between the two MBRs. If there is no difference, or only a few bits here and there, it seems unlikely that your MBR was compromised. Although I've read that malware written in machine language can be as small as only a few bytes. 
_________________ Puppy Help 101 - an interactive tutorial for Lupu 5.25 |
||||||
|
|||||||
|
|||||||
|
Aitch
Joined: 04 Apr 2007 Posts: 6825 Location: Chatham, Kent, UK |
Just enough to point the boot process to a different address, eh? Aitch
|
||||||
|
|||||||
|
|||||||
|
DPUP5520
Joined: 16 Feb 2011 Posts: 802 |
Sorry I wasn't around earlier to explain myself but as Flash pointed out if it was a piece of malware written in machine code/assembly language it would be nearly impossible to detect without having an original mbr to compare it to.
_________________ PupRescue 2.5 Puppy Crypt 528 |
||||||
|
|||||||
|
|||||||
|
Sylvander
Joined: 15 Dec 2008 Posts: 3603 Location: West Lothian, Scotland, UK |
1. "What do you want to know about it?" See the mbr code/contents displayed in this post by Paul Komski. If someone were to be able to copy his mbr at 2 points in time... [Before and after possible infection?] And then display them both... They might be able to detect changes in the code. I'd like to explore a method of doing that, if it isn't too difficult. |
||||||
|
|||||||
|
|||||||
|
rcrsn51
Joined: 05 Sep 2006 Posts: 9680 Location: Stratford, Ontario |
Puppy has the "cmp" command for comparing two files.
|
||||||
|
|||||||
|
|||||||
|
Sylvander
Joined: 15 Dec 2008 Posts: 3603 Location: West Lothian, Scotland, UK |
"Puppy has the "cmp" command for comparing two files." Good, but it would be nice to be able to also view both... "A picture is worth a thousand words"... "Seeing is believing". How to display them? |
||||||
|
|||||||
|
|||||||
How to check Windows MBR code from Linux?
| Page 1 of 2 [23 Posts] | Goto page: 1, 2 Next |
|
|
View previous topic :: View next topic |
|
Forum index » Off-Topic Area » Security |
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum |
Powered by phpBB © 2001, 2005 phpBB Group