Author |
Message |
B.K. Johnson
Joined: 12 Oct 2009 Posts: 651
|
Posted: Wed 29 Jun 2011, 01:51 Post subject:
How to check Windows MBR code from Linux? Subject description: Checking for boot sector viruses |
|
My computer's MBR may have been changed by a virus. I don't want to reboot under Windows until I verify that the MBR is OK. I know some Windows tools I could use to read the MBR and save the output to a file for review, but I want something I can run from puppy (Lucid-5.2.5). Can anyone recommend a Linux tool and create a PET that allows me to do the same?
I could just invoke ms-sys to write a new MBR but I need to know what is there.
|
Back to top
|
|
 |
DPUP5520
Joined: 16 Feb 2011 Posts: 813
|
Posted: Wed 29 Jun 2011, 02:18 Post subject:
|
|
use the file command
_________________ PupRescue 2.5
Puppy Crypt 528
|
Back to top
|
|
 |
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
|
Posted: Wed 29 Jun 2011, 02:31 Post subject:
|
|
DPUP5520 wrote: | use the file command |
B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result?
file MBR or file mbr or what to write in terminal?
_________________ I use Google Search on Puppy Forum
not an ideal solution though
|
Back to top
|
|
 |
rcrsn51

Joined: 05 Sep 2006 Posts: 11889 Location: Stratford, Ontario
|
Posted: Wed 29 Jun 2011, 04:04 Post subject:
|
|
Code: | dd if=/dev/sda of=mbr.bin bs=512 count=1 |
|
Back to top
|
|
 |
Bruce B
Joined: 18 May 2005 Posts: 11488 Location: The Peoples Republic of California
|
Posted: Wed 29 Jun 2011, 06:42 Post subject:
|
|
nooby wrote: | DPUP5520 wrote: | use the file command |
B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result?
file MBR or file mbr or what to write in terminal? |
The first think with any external utility is to use the --help to get a brief summary.
As you need consult the man and info pages for more detail.
http://linux.die.net/man/1/file
Normally typing file foobar is all you need.
For a boot sector you can file /dev/sda for mbr on /dev/sda
I think you will get more details by making a file as shown above by rcrsn51 and then running file mbr.bin
~
_________________ New! Puppy Linux Links Page
|
Back to top
|
|
 |
nooby
Joined: 29 Jun 2008 Posts: 10548 Location: SwedenEurope
|
Posted: Wed 29 Jun 2011, 08:43 Post subject:
|
|
Thanks. I guess me too chicken to try. DD is a dangerous thing to use?
_________________ I use Google Search on Puppy Forum
not an ideal solution though
|
Back to top
|
|
 |
Sylvander
Joined: 15 Dec 2008 Posts: 4327 Location: West Lothian, Scotland, UK
|
Posted: Wed 29 Jun 2011, 09:04 Post subject:
|
|
1. I used the code given by rcrsn51 to make the mbr.bin file in my /00 folder.
2. Here's what I did:
(a) Ran Xfe and navigated to the /00 folder.
(b) Ran a terminal window whilst working in the /00 folder.
(c) Copied and pasted the code...
Code: | dd if=/dev/sda of=mbr.bin bs=512 count=1 |
From the thread to the terminal command line, and hit <Enter>.
The file mbr.bin was created in the /00 folder.
3. Then in the same terminal window...
I ran the command...
And the following info was displayed:
mbr.bin: x86 boot sector, mbr; partition 2: ID=0xf, starthead 0, startsector 12289725, 7630875 sectors
Not really what I want.
QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file?
|
Back to top
|
|
 |
rcrsn51

Joined: 05 Sep 2006 Posts: 11889 Location: Stratford, Ontario
|
Posted: Wed 29 Jun 2011, 09:26 Post subject:
|
|
Sylvander wrote: | Not really what I want.
QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file? |
What do you want to know about it? The MBR is just a small block of binary code. There are web sites that will show you the standard code for various versions of Windows.
|
Back to top
|
|
 |
Aitch

Joined: 04 Apr 2007 Posts: 6815 Location: Chatham, Kent, UK
|
Posted: Wed 29 Jun 2011, 09:42 Post subject:
|
|
rcrsn51 wrote: | Code: | dd if=/dev/sda of=mbr.bin bs=512 count=1 |
|
For an explanation of rcrsn51's post see
http://www.miljan.org/main/2007/09/05/easy-way-to-read-mbr/
For an explanation of the mbr/bootloader process, see
http://oldfield.wattle.id.au/luv/boot.html
In my experience, merely repairing the mbr will restore a drive's functionality, provided the fat table is not corrupted....then you'll need more help
Also see M$
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q69/0/13.ASP&NoWebContent=1
Aitch
|
Back to top
|
|
 |
Flash
Official Dog Handler

Joined: 04 May 2005 Posts: 12813 Location: Arizona USA
|
Posted: Wed 29 Jun 2011, 10:24 Post subject:
|
|
B.K. Johnson, if all you really want to know is whether the MBR was compromised, maybe this would work: make a file of the existing MBR using rcrsn51's program, reinstall the MBR using Windows, then run rcrsn51's program again and compare the resulting file with the first file. That would show the difference between the two MBRs. If there is no difference, or only a few bits here and there, it seems unlikely that your MBR was compromised. Although I've read that malware written in machine language can be as small as only a few bytes.
_________________ Puppy Help 101 - an interactive tutorial for Lupu 5.25
|
Back to top
|
|
 |
Aitch

Joined: 04 Apr 2007 Posts: 6815 Location: Chatham, Kent, UK
|
Posted: Wed 29 Jun 2011, 10:50 Post subject:
|
|
Quote: | Although I've read that malware written in machine language can be as small as only a few bytes. |
Just enough to point the boot process to a different address, eh?
Aitch
|
Back to top
|
|
 |
DPUP5520
Joined: 16 Feb 2011 Posts: 813
|
Posted: Wed 29 Jun 2011, 11:23 Post subject:
|
|
Sorry I wasn't around earlier to explain myself but as Flash pointed out if it was a piece of malware written in machine code/assembly language it would be nearly impossible to detect without having an original mbr to compare it to.
Quote: | It has been said that machine code is so unreadable that the Copyright Office cannot even identify whether a particular encoded program is an original work of authorship. |
_________________ PupRescue 2.5
Puppy Crypt 528
|
Back to top
|
|
 |
Sylvander
Joined: 15 Dec 2008 Posts: 4327 Location: West Lothian, Scotland, UK
|
Posted: Wed 29 Jun 2011, 11:25 Post subject:
|
|
1. "What do you want to know about it?"
See the mbr code/contents displayed in this post by Paul Komski.
If someone were to be able to copy his mbr at 2 points in time...
[Before and after possible infection?]
And then display them both...
They might be able to detect changes in the code.
I'd like to explore a method of doing that, if it isn't too difficult.
|
Back to top
|
|
 |
rcrsn51

Joined: 05 Sep 2006 Posts: 11889 Location: Stratford, Ontario
|
Posted: Wed 29 Jun 2011, 11:30 Post subject:
|
|
Puppy has the "cmp" command for comparing two files.
Code: | cmp mbr.bin.old mbr.bin.new |
|
Back to top
|
|
 |
Sylvander
Joined: 15 Dec 2008 Posts: 4327 Location: West Lothian, Scotland, UK
|
Posted: Wed 29 Jun 2011, 11:34 Post subject:
|
|
"Puppy has the "cmp" command for comparing two files."
Good, but it would be nice to be able to also view both...
"A picture is worth a thousand words"...
"Seeing is believing".
How to display them?
|
Back to top
|
|
 |
|