How to check Windows MBR code from Linux?

For discussions about security.
B.K. Johnson
Posts: 807
Joined: Mon 12 Oct 2009, 17:11

How to check Windows MBR code from Linux?

#1 Post by B.K. Johnson »

My computer's MBR may have been changed by a virus. I don't want to reboot under Windows until I verify that the MBR is OK. I know some Windows tools I could use to read the MBR and save the output to a file for review, but I want something I can run from puppy (Lucid-5.2.5). Can anyone recommend a Linux tool and create a PET that allows me to do the same?

I could just invoke ms-sys to write a new MBR but I need to know what is there.

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#2 Post by DPUP5520 »

use the file command
PupRescue 2.5: http://www.murga-linux.com/puppy/viewtopic.php?t=69651
Puppy Crypt 528: http://www.murga-linux.com/puppy/viewtopic.php?t=72178

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#3 Post by nooby »

DPUP5520 wrote:use the file command
B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result?

file MBR or file mbr or what to write in terminal?
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#4 Post by rcrsn51 »

Code:

dd if=/dev/sda of=mbr.bin bs=512 count=1

Bruce B

#5 Post by Bruce B »

nooby wrote:
DPUP5520 wrote:use the file command
B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result?

file MBR or file mbr or what to write in terminal?
The first thing with any external utility is to use the --help to get a brief summary.

As needed, consult the man and info pages for more detail.

http://linux.die.net/man/1/file

Normally typing file foobar is all you need.

For a boot sector you can run file /dev/sda to check the MBR on /dev/sda.

I think you will get more details by making a file as shown above by rcrsn51 and then running file mbr.bin

~

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#6 Post by nooby »

Thanks. I guess I'm too chicken to try. Is dd a dangerous thing to use?

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#7 Post by Sylvander »

1. I used the code given by rcrsn51 to make the mbr.bin file in my /00 folder.

2. Here's what I did:
(a) Ran Xfe and navigated to the /00 folder.
(b) Ran a terminal window whilst working in the /00 folder.
(c) Copied and pasted the code...

Code:

dd if=/dev/sda of=mbr.bin bs=512 count=1
From the thread to the terminal command line, and hit <Enter>.
The file mbr.bin was created in the /00 folder.

3. Then in the same terminal window...
I ran the command...

Code:

file mbr.bin
And the following info was displayed:
mbr.bin: x86 boot sector, mbr; partition 2: ID=0xf, starthead 0, startsector 12289725, 7630875 sectors
Not really what I want. :(

QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file?
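The one-line summary from file is all that tool gives; the rest of what is in mbr.bin has a fixed layout that can be decoded directly. Here is an added example (Python, not code from the thread or from any poster) that reads a 512-byte dump and prints the disk signature, the boot-signature check and each partition entry. The sample image it builds when run without arguments is constructed for the example and is not a real disk dump; its second partition entry reuses the numbers file printed above (ID=0xf, starthead 0, startsector 12289725, 7630875 sectors) so the output can be checked against that line. Run it as python3 mbrinfo.py mbr.bin to decode a real dump.

```python
"""Decode the 512-byte image that `dd if=/dev/sda of=mbr.bin bs=512 count=1` produces.

Added example, not code from the thread. Layout of a classic MBR:
  0..439   boot code (the part a virus would patch)
  440..443 disk signature (32-bit, little-endian)
  444..445 reserved
  446..509 four 16-byte partition entries
  510..511 boot signature 0x55 0xAA
"""
import struct
import sys

BOOT_CODE_LEN = 440
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510


def decode_chs(three):
    """Unpack a packed CHS triple: head, 6-bit sector, 10-bit cylinder."""
    head = three[0]
    sector = three[1] & 0x3F
    cylinder = ((three[1] & 0xC0) << 2) | three[2]
    return head, sector, cylinder


def parse_mbr(img):
    """Return the fields of a 512-byte MBR image as a dict."""
    if len(img) != 512:
        raise ValueError("expected 512 bytes, got %d" % len(img))
    info = {
        "boot_code": bytes(img[:BOOT_CODE_LEN]),
        "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
        "boot_signature_ok": struct.unpack_from("<H", img, BOOT_SIG_OFF)[0] == 0xAA55,
        "partitions": [],
    }
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype = img[off], img[off + 4]
        lba_start, n_sectors = struct.unpack_from("<II", img, off + 8)
        if ptype == 0 and lba_start == 0 and n_sectors == 0:
            continue  # empty slot
        head, sector, cyl = decode_chs(img[off + 1:off + 4])
        info["partitions"].append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "start_head": head,
            "start_sector": sector,
            "start_cylinder": cyl,
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return info


def describe(info):
    """Render parse_mbr() output in the style of the `file` line from the thread."""
    lines = ["disk signature 0x%08X, boot signature %s" % (
        info["disk_signature"], "ok" if info["boot_signature_ok"] else "MISSING")]
    for p in info["partitions"]:
        lines.append("partition %d: %sID=0x%x, starthead %d, startsector %d, %d sectors" % (
            p["index"], "active, " if p["bootable"] else "",
            p["type"], p["start_head"], p["lba_start"], p["sectors"]))
    return lines


def make_sample_mbr():
    """Constructed sample, not a real disk dump. Partition 2 reuses the numbers
    `file` printed in the thread (ID=0xf, starthead 0, 12289725, 7630875)."""
    img = bytearray(512)
    img[0:3] = b"\xEB\x3C\x90"  # JMP SHORT: the usual first instruction of boot code
    struct.pack_into("<I", img, DISK_SIG_OFF, 0x1234ABCD)
    entry = "<BBBBBBBBII"  # status, CHS start, type, CHS end, LBA start, sector count
    struct.pack_into(entry, img, PART_TABLE_OFF,
                     0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 12289662)
    struct.pack_into(entry, img, PART_TABLE_OFF + PART_ENTRY_LEN,
                     0x00, 0, 1, 0, 0x0F, 0xFE, 0xFF, 0xFF, 12289725, 7630875)
    struct.pack_into("<H", img, BOOT_SIG_OFF, 0xAA55)
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_mbr()
    for line in describe(parse_mbr(data)):
        print(line)
```

The partition table and the boot signature are the only parts with a documented structure; the 440 bytes of boot code are opaque machine code, which is why decoding them tells you what the MBR points at but not whether that code is the one Windows wrote.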

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#8 Post by rcrsn51 »

Sylvander wrote:Not really what I want.

QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file?
What do you want to know about it? The MBR is just a small block of binary code. There are web sites that will show you the standard code for various versions of Windows.

User avatar
Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#9 Post by Aitch »

rcrsn51 wrote:

Code:

dd if=/dev/sda of=mbr.bin bs=512 count=1
For an explanation of rcrsn51's post see

http://www.miljan.org/main/2007/09/05/e ... -read-mbr/

For an explanation of the mbr/bootloader process, see

http://oldfield.wattle.id.au/luv/boot.html

In my experience, merely repairing the MBR will restore a drive's functionality, provided the FAT table is not corrupted....then you'll need more help

Also see M$

http://support.microsoft.com/default.as ... bContent=1

Aitch :)

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#10 Post by Flash »

B.K. Johnson, if all you really want to know is whether the MBR was compromised, maybe this would work: make a file of the existing MBR using rcrsn51's program, reinstall the MBR using Windows, then run rcrsn51's program again and compare the resulting file with the first file. That would show the difference between the two MBRs. If there is no difference, or only a few bits here and there, it seems unlikely that your MBR was compromised. Although I've read that malware written in machine language can be as small as only a few bytes. :twisted:
Puppy Help 101 - an interactive tutorial for Lupu 5.25: http://www.murga-linux.com/puppy/viewtopic.php?t=69321

User avatar
Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#11 Post by Aitch »

Flash wrote:Although I've read that malware written in machine language can be as small as only a few bytes. :twisted:
Just enough to point the boot process to a different address, eh?

Aitch :)

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#12 Post by DPUP5520 »

Sorry I wasn't around earlier to explain myself but as Flash pointed out if it was a piece of malware written in machine code/assembly language it would be nearly impossible to detect without having an original mbr to compare it to.
It has been said that machine code is so unreadable that the Copyright Office cannot even identify whether a particular encoded program is an original work of authorship.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#13 Post by Sylvander »

1. "What do you want to know about it?"
See the mbr code/contents displayed in this post by Paul Komski.
If someone were to be able to copy his mbr at 2 points in time...
[Before and after possible infection?]
And then display them both...
They might be able to detect changes in the code.
I'd like to explore a method of doing that, if it isn't too difficult.

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#14 Post by rcrsn51 »

Puppy has the "cmp" command for comparing two files.

Code:

cmp mbr.bin.old mbr.bin.new

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#15 Post by Sylvander »

"Puppy has the "cmp" command for comparing two files."
Good, but it would be nice to be able to also view both...
"A picture is worth a thousand words"...
"Seeing is believing".
How to display them?

User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#16 Post by rcrsn51 »

Then you need a hex editor. I'm sure there is one available for Puppy.

[Edit] Or you could just use

Code:

hexdump mbr.bin

Bruce B

#17 Post by Bruce B »

I want to add, if anyone wants to have a base MBR file to test against, the base file needs updating every time one repartitions his hard disk.

~
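Flash's before-and-after comparison (#10), rcrsn51's cmp (#14) and Bruce B's note that the baseline goes stale when you repartition (#17) fit together once the comparison is done per region of the sector instead of on the whole file: repartitioning only touches the partition table at offsets 446..509, while a bootkit has to change the 440 bytes of boot code (Aitch's "just enough to point the boot process to a different address"). The following is an added example in Python, not code from the thread or from any poster. It reports which region each differing byte falls in and prints hexdump-style rows for the changed lines. The three sample images it builds when run without arguments (a baseline, the same disk after adding a partition, and the baseline with one byte of the opening jump patched) are constructed for the example and are not real disk dumps; run it as python3 mbrdiff.py mbr.bin.old mbr.bin.new on real dumps.

```python
"""Compare two MBR dumps region by region.

Added example, not code from the thread. `cmp` says only that the dumps
differ; this says where, so a partition-table edit (expected after
repartitioning) is told apart from a change inside the 440 bytes of boot
code, which is what a bootkit has to patch to divert the boot process.
"""
import struct
import sys

REGIONS = (
    ("boot code", 0, 440),
    ("disk signature", 440, 444),
    ("reserved", 444, 446),
    ("partition table", 446, 510),
    ("boot signature", 510, 512),
)


def diff_regions(old, new):
    """Return {region name: [offsets that differ]} for two 512-byte images."""
    if len(old) != 512 or len(new) != 512:
        raise ValueError("both dumps must be exactly 512 bytes")
    diff = {}
    for name, start, end in REGIONS:
        offsets = [i for i in range(start, end) if old[i] != new[i]]
        if offsets:
            diff[name] = offsets
    return diff


def verdict(diff):
    """One-line interpretation of diff_regions() output."""
    if not diff:
        return "identical"
    code_hits = diff.get("boot code", []) + diff.get("boot signature", [])
    if code_hits:
        return "SUSPICIOUS: boot code changed at %d byte(s), first at offset %d" % (
            len(code_hits), code_hits[0])
    return "boot code unchanged; differences only in: " + ", ".join(sorted(diff))


def changed_rows(old, new, width=16):
    """(offset, old hex, new hex) for each hexdump-style row that differs."""
    rows = []
    for off in range(0, 512, width):
        a, b = old[off:off + width], new[off:off + width]
        if a != b:
            rows.append((off, " ".join("%02x" % c for c in a),
                         " ".join("%02x" % c for c in b)))
    return rows


def make_base_mbr():
    """Constructed baseline, not a real disk dump."""
    img = bytearray(512)
    img[0:3] = b"\xEB\x3C\x90"  # JMP SHORT, the usual first instruction
    img[3:440] = bytes((i * 7) & 0xFF for i in range(437))  # filler standing in for boot code
    struct.pack_into("<I", img, 440, 0x1234ABCD)  # disk signature
    struct.pack_into("<BBBBBBBBII", img, 446,  # entry 1: active NTFS at LBA 63
                     0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 63, 12289662)
    struct.pack_into("<H", img, 510, 0xAA55)
    return bytes(img)


def after_repartition(img):
    """Same boot code, one partition entry added: the case Bruce B warns about."""
    out = bytearray(img)
    struct.pack_into("<BBBBBBBBII", out, 446 + 16,
                     0x00, 0, 1, 0, 0x0F, 0xFE, 0xFF, 0xFF, 12289725, 7630875)
    return bytes(out)


def with_patched_jump(img):
    """Boot code tampered: the opening JMP SHORT now lands somewhere else."""
    out = bytearray(img)
    out[1] = 0x7F  # one byte is enough to redirect the boot process
    return bytes(out)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        old, new = [open(p, "rb").read() for p in sys.argv[1:3]]
    else:
        old = make_base_mbr()
        new = with_patched_jump(old)
    d = diff_regions(old, new)
    print(verdict(d))
    for off, a, b in changed_rows(old, new):
        print("%03x: %s\n     %s" % (off, a, b))
```

A change confined to the partition table is not automatically harmless (the active flag or a start LBA can be redirected too), so the "boot code unchanged" line is a prompt to check the table against what you expect from your own partitioning, not a clean bill of health. What it does settle is the question in this thread: whether the code Windows wrote in the first 440 bytes is still the code that is there.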

DPUP5520
Posts: 800
Joined: Wed 16 Feb 2011, 05:38

#18 Post by DPUP5520 »

rcrsn51 wrote:Then you need a hex editor. I'm sure there is one available for Puppy.

[Edit] Or you could just use

Code:

hexdump mbr.bin

This is a nice easy/small hex editor
Attachment: shed-1.15.pet

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#19 Post by Sylvander »

1. "Then you need a hex editor. I'm sure there is one available for Puppy."
(a) Ended up using wishbinvu-2009.pet [wishbinvu was recommended by Bugman], then installing tk-8.5.6.pet & tcl-8.5.6-v1.pet linked HERE.

(b) So now the program runs OK from the installed entry in the "Menu->Utility->General Utilities->Wish Binary Viewer".
Has a rather nice colorful [Orange] GUI! :D
Used it to "Open" the mbr.bin file and was given the kind of display I want [the code content as seen in the screenshots below].
Was then able to save a copy with a name specified by me.
Would it be possible to use a file-content-comparison program to display differences?
Attachments: 00.jpg, 01.jpg (screenshots)

User avatar
d4p
Posts: 439
Joined: Tue 13 Mar 2007, 02:30

#20 Post by d4p »

If you get "Trojan:Win32/Popureb.E"

http://blogs.technet.com/b/mmpc/archive ... stead.aspx

fix the MBR first, and then restore/reinstall the system
