Puppy Linux Discussion Forum
How to check Windows MBR code from Linux?
B.K. Johnson

Joined: 12 Oct 2009
Posts: 147

PostPosted: Wed 29 Jun 2011, 01:51    Post_subject:  How to check Windows MBR code from Linux?
Sub_title: Checking for boot sector viruses
 

My computer's MBR may have been changed by a virus. I don't want to reboot under Windows until I verify that the MBR is OK. I know some Windows tools I could use to read the MBR and save the output to a file for review, but I want something I can run from puppy (Lucid-5.2.5). Can anyone recommend a Linux tool and create a PET that allows me to do the same?

I could just invoke ms-sys to write a new MBR but I need to know what is there.
DPUP5520

Joined: 16 Feb 2011
Posts: 801

PostPosted: Wed 29 Jun 2011, 02:18    Post_subject:  

use the file command
nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Wed 29 Jun 2011, 02:31    Post_subject:  

DPUP5520 wrote:
use the file command


B.K. Johnson may know such things, but the rest of us don't get what the manual says about the file command. Could you give a suggestion that gives a reasonable result?

Is it file MBR, or file mbr, or what should one write in the terminal?

rcrsn51


Joined: 05 Sep 2006
Posts: 9260
Location: Stratford, Ontario

PostPosted: Wed 29 Jun 2011, 04:04    Post_subject:  

Code:
dd if=/dev/sda of=mbr.bin bs=512 count=1
Bruce B


Joined: 18 May 2005
Posts: 11131
Location: The Peoples Republic of California

PostPosted: Wed 29 Jun 2011, 06:42    Post_subject:  

nooby wrote:
DPUP5520 wrote:
use the file command


B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result?

file MBR or file mbr or what to write in terminal?


The first thing to do with any external utility is to use --help to get a brief summary.

As needed, consult the man and info pages for more detail.

http://linux.die.net/man/1/file

Normally typing file foobar is all you need.

For a boot sector you can run file /dev/sda for the MBR on /dev/sda.

I think you will get more details by making a file as shown above by rcrsn51 and then running file mbr.bin

nooby

Joined: 29 Jun 2008
Posts: 10557
Location: SwedenEurope

PostPosted: Wed 29 Jun 2011, 08:43    Post_subject:  

Thanks. I guess I'm too chicken to try. Is dd a dangerous thing to use?
Sylvander

Joined: 15 Dec 2008
Posts: 3518
Location: West Lothian, Scotland, UK

PostPosted: Wed 29 Jun 2011, 09:04    Post_subject:  

1. I used the code given by rcrsn51 to make the mbr.bin file in my /00 folder.

2. Here's what I did:
(a) Ran Xfe and navigated to the /00 folder.
(b) Ran a terminal window whilst working in the /00 folder.
(c) Copied and pasted the code...
Code:
dd if=/dev/sda of=mbr.bin bs=512 count=1

From the thread to the terminal command line, and hit <Enter>.
The file mbr.bin was created in the /00 folder.

3. Then in the same terminal window...
I ran the command...
Code:
file mbr.bin

And the following info was displayed:
mbr.bin: x86 boot sector, mbr; partition 2: ID=0xf, starthead 0, startsector 12289725, 7630875 sectors
Not really what I want.

QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file?
rcrsn51


Joined: 05 Sep 2006
Posts: 9260
Location: Stratford, Ontario

PostPosted: Wed 29 Jun 2011, 09:26    Post_subject:  

Sylvander wrote:
Not really what I want.

QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file?

What do you want to know about it? The MBR is just a small block of binary code. There are web sites that will show you the standard code for various versions of Windows.
Aitch


Joined: 04 Apr 2007
Posts: 6825
Location: Chatham, Kent, UK

PostPosted: Wed 29 Jun 2011, 09:42    Post_subject:  

rcrsn51 wrote:
Code:
dd if=/dev/sda of=mbr.bin bs=512 count=1


For an explanation of rcrsn51's post see

http://www.miljan.org/main/2007/09/05/easy-way-to-read-mbr/

For an explanation of the mbr/bootloader process, see

http://oldfield.wattle.id.au/luv/boot.html

In my experience, merely repairing the MBR will restore a drive's functionality, provided the FAT table is not corrupted; if it is, you'll need more help.

Also see M$

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q69/0/13.ASP&NoWebContent=1

Aitch
Flash
Official Dog Handler


Joined: 04 May 2005
Posts: 11164
Location: Arizona USA

PostPosted: Wed 29 Jun 2011, 10:24    Post_subject:  

B.K. Johnson, if all you really want to know is whether the MBR was compromised, maybe this would work: make a file of the existing MBR using rcrsn51's program, reinstall the MBR using Windows, then run rcrsn51's program again and compare the resulting file with the first file. That would show the difference between the two MBRs. If there is no difference, or only a few bits here and there, it seems unlikely that your MBR was compromised. Although I've read that malware written in machine language can be as small as only a few bytes.
Aitch


Joined: 04 Apr 2007
Posts: 6825
Location: Chatham, Kent, UK

PostPosted: Wed 29 Jun 2011, 10:50    Post_subject:  

Quote:
Although I've read that malware written in machine language can be as small as only a few bytes.


Just enough to point the boot process to a different address, eh?

Aitch
DPUP5520

Joined: 16 Feb 2011
Posts: 801

PostPosted: Wed 29 Jun 2011, 11:23    Post_subject:  

Sorry I wasn't around earlier to explain myself but as Flash pointed out if it was a piece of malware written in machine code/assembly language it would be nearly impossible to detect without having an original mbr to compare it to.

Quote:
It has been said that machine code is so unreadable that the Copyright Office cannot even identify whether a particular encoded program is an original work of authorship.

Sylvander

Joined: 15 Dec 2008
Posts: 3518
Location: West Lothian, Scotland, UK

PostPosted: Wed 29 Jun 2011, 11:25    Post_subject:  

1. "What do you want to know about it?"
See the mbr code/contents displayed in this post by Paul Komski.
If someone were to be able to copy his mbr at 2 points in time...
[Before and after possible infection?]
And then display them both...
They might be able to detect changes in the code.
I'd like to explore a method of doing that, if it isn't too difficult.
rcrsn51


Joined: 05 Sep 2006
Posts: 9260
Location: Stratford, Ontario

PostPosted: Wed 29 Jun 2011, 11:30    Post_subject:  

Puppy has the "cmp" command for comparing two files.
Code:
cmp mbr.bin.old mbr.bin.new
Sylvander

Joined: 15 Dec 2008
Posts: 3518
Location: West Lothian, Scotland, UK

PostPosted: Wed 29 Jun 2011, 11:34    Post_subject:  

"Puppy has the "cmp" command for comparing two files."
Good, but it would be nice to be able to also view both...
"A picture is worth a thousand words"...
"Seeing is believing".
How to display them?
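Pulling together rcrsn51's dd + cmp approach, Flash's dump / reinstall / dump-again / compare idea and Sylvander's wish to actually see both images, here is an added Python example. It is not code from this thread or from Puppy; it works on 512-byte images such as the mbr.bin that `dd if=/dev/sda of=mbr.bin bs=512 count=1` produces. It checks the 55 AA boot signature, decodes the partition table (the same fields `file` summarised for Sylvander), gives an xxd-style hex dump of each image, and reports which region of the sector differs between two dumps: boot code, disk signature, partition table or boot signature. The two images are constructed inline for the demonstration: the boot-code bytes are placeholders (not a real Windows MBR), partition 2 is filled with the values from Sylvander's `file` output, and the "new" copy has its first two bytes overwritten with a short jump, a stand-in for the few-byte redirect Aitch describes. Nothing about real malware is assumed.

```python
"""Parse, dump and compare 512-byte MBR images (added example, not forum code)."""
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"
# Byte ranges of the classic MBR layout.
REGIONS = {
    "boot_code": range(0, 440),          # code the BIOS jumps to
    "disk_signature": range(440, 446),   # 4-byte NT disk signature + 2 reserved bytes
    "partition_table": range(446, 510),  # four 16-byte entries
    "boot_signature": range(510, 512),   # must be 55 AA
}
# One partition entry: status, CHS start, type, CHS end, LBA start, sector count.
ENTRY_FMT = "<B3sB3sII"


def parse_mbr(image: bytes) -> dict:
    """Validate the boot signature and decode the non-empty partition entries."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    if image[510:512] != BOOT_SIG:
        raise ValueError("boot signature 55 AA missing: not a valid MBR")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, image, 446 + 16 * i)
        if ptype != 0:  # an all-zero entry is an unused slot
            partitions.append({"index": i + 1, "bootable": bool(status & 0x80),
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    disk_sig = struct.unpack_from("<I", image, 440)[0]
    return {"disk_signature": disk_sig, "partitions": partitions}


def hexdump(image: bytes, width: int = 16) -> list:
    """xxd-style lines, so two dumps can be read side by side."""
    lines = []
    for off in range(0, len(image), width):
        chunk = image[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexpart:<{width * 3 - 1}}  {ascii_part}")
    return lines


def diff_mbr(old: bytes, new: bytes) -> dict:
    """Offsets that differ between two images, grouped by MBR region."""
    changed = [i for i in range(MBR_SIZE) if old[i] != new[i]]
    return {name: [i for i in changed if i in rng] for name, rng in REGIONS.items()}


def verdict(diff: dict) -> str:
    """Plain-language summary of a diff_mbr() result."""
    if diff["boot_code"] or diff["boot_signature"]:
        return "boot code changed: inspect those bytes before trusting this MBR"
    if diff["partition_table"]:
        return "partition table changed, boot code identical"
    if diff["disk_signature"]:
        return "only the disk signature differs; code and partition table identical"
    return "identical"


def build_mbr(boot_code: bytes, disk_sig: int, entries: list) -> bytes:
    """Assemble a constructed MBR image for the demonstration (test data only)."""
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, 440, disk_sig)
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, img, 446 + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    img[510:512] = BOOT_SIG
    return bytes(img)


# Constructed "before" image: placeholder boot code (not real Windows code) and a
# partition 2 matching the numbers in Sylvander's `file mbr.bin` output.
PLACEHOLDER_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
ORIGINAL = build_mbr(PLACEHOLDER_CODE, 0x12345678,
                     [(0x80, 0x07, 63, 12289662), (0x00, 0x0F, 12289725, 7630875)])
# Constructed "after" image: first two bytes replaced by a short jump (EB xx).
TAMPERED = bytes(b"\xeb\x3e") + ORIGINAL[2:]

if __name__ == "__main__":
    for name, img in (("mbr.bin.old", ORIGINAL), ("mbr.bin.new", TAMPERED)):
        print(name, parse_mbr(img))
    changes = diff_mbr(ORIGINAL, TAMPERED)
    print(changes, verdict(changes))
    for old_line, new_line in zip(hexdump(ORIGINAL)[:2], hexdump(TAMPERED)[:2]):
        print(old_line)
        print(new_line)
```

To run it on real dumps, replace ORIGINAL and TAMPERED with `open("mbr.bin.old", "rb").read()` and `open("mbr.bin.new", "rb").read()`. Note that `cmp` and this script only tell you that bytes differ, not what the new bytes do; and the first sector is only the MBR, so the boot sector of the Windows partition itself (the VBR) is a separate 512 bytes that this check does not cover.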