(old)Puppy Linux Discussion Forum

My computer's MBR may have been changed by a virus. I don't want to reboot under Windows until I verify that the MBR is OK. I know some Windows tools I could use to read the MBR and save the output to a file for review, but I want something I can run from puppy (Lucid-5.2.5). Can anyone recommend a Linux tool and create a PET that allows me to do the same?

I could just invoke ms-sys to write a new MBR but I need to know what is there.

use the file command

DPUP5520 wrote:use the file command

B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result?

file MBR or file mbr or what to write in terminal?

nooby wrote:

DPUP5520 wrote:use the file command

B.K. Johnson maybe know such but all of us that don't get what a Manual file says about the file command. Could you give a suggestion what gives a reasonable result?

file MBR or file mbr or what to write in terminal?

The first think with any external utility is to use the --help to get a brief summary.

As you need consult the man and info pages for more detail.

http://linux.die.net/man/1/file

Normally typing file foobar is all you need.

For a boot sector you can file /dev/sda for mbr on /dev/sda

I think you will get more details by making a file as shown above by rcrsn51 and then running file mbr.bin

~

Thanks. I guess me too chicken to try. DD is a dangerous thing to use?

1. I used the code given by rcrsn51 to make the mbr.bin file in my /00 folder.

2. Here's what I did:
(a) Ran Xfe and navigated to the /00 folder.
(b) Ran a terminal window whilst working in the /00 folder.
(c) Copied and pasted the code... From the thread to the terminal command line, and hit <Enter>.
The file mbr.bin was created in the /00 folder.

3. Then in the same terminal window...
I ran the command... And the following info was displayed:
mbr.bin: x86 boot sector, mbr; partition 2: ID=0xf, starthead 0, startsector 12289725, 7630875 sectors
Not really what I want.

QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file?

Sylvander wrote:Not really what I want.

QUESTION:
4. How do I read the makeup of my MBR?
Using the mbr.bin file?

What do you want to know about it? The MBR is just a small block of binary code. There are web sites that will show you the standard code for various versions of Windows.

rcrsn51 wrote:

Code: Select all

dd if=/dev/sda of=mbr.bin bs=512 count=1

For an explanation of rcrsn51's post see

http://www.miljan.org/main/2007/09/05/e ... -read-mbr/

For an explanation of the mbr/bootloader process, see

http://oldfield.wattle.id.au/luv/boot.html

In my experience, merely repairing the mbr will restore a drive's functionality, provided the fat table is not corrupted....then you'll need more help

Also see M$

http://support.microsoft.com/default.as ... bContent=1

Aitch

B.K. Johnson, if all you really want to know is whether the MBR was compromised, maybe this would work: make a file of the existing MBR using rcrsn51's program, reinstall the MBR using Windows, then run rcrsn51's program again and compare the resulting file with the first file. That would show the difference between the two MBRs. If there is no difference, or only a few bits here and there, it seems unlikely that your MBR was compromised. Although I've read that malware written in machine language can be as small as only a few bytes.

Although I've read that malware written in machine language can be as small as only a few bytes.

Just enough to point the boot process to a different address, eh?

Aitch

Sorry I wasn't around earlier to explain myself but as Flash pointed out if it was a piece of malware written in machine code/assembly language it would be nearly impossible to detect without having an original mbr to compare it to.

It has been said that machine code is so unreadable that the Copyright Office cannot even identify whether a particular encoded program is an original work of authorship.

1. "What do you want to know about it?"
See the mbr code/contents displayed in this post by Paul Komski.
If someone were to be able to copy his mbr at 2 points in time...
[Before and after possible infection?]
And then display them both...
They might be able to detect changes in the code.
I'd like to explore a method of doing that, if it isn't too difficult.

Puppy has the "cmp" command for comparing two files.

"Puppy has the "cmp" command for comparing two files."
Good, but it would be nice to be able to also view both...
"A picture is worth a thousand words"...
"Seeing is believing".
How to display them?

Then you need a hex editor. I'm sure there is one available for Puppy.

[Edit] Or you could just use

I want to add, if anyone what to have a base MBR file to test against, the base file needs updating every time one repartitions his hard disk.

~

rcrsn51 wrote:Then you need a hex editor. I'm sure there is one available for Puppy.

[Edit] Or you could just use

Code: Select all

hexdump mbr.bin

This is a nice easy/small hex editor

1. "Then you need a hex editor. I'm sure there is one available for Puppy."
(a) Ended up using wishbinvu-2009.pet [wishbinvu was recommended by Bugman], then installing tk-8.5.6.pet & tcl-8.5.6-v1.pet linked HERE.

(b) So now the program runs OK from the installed entry in the "Menu->Utility->General Utilities->Wish Binary Viewer".
Has a rather nice colorful [Orange] GUI!
Used it to "Open" the mbr.bin file and was given the kind of display I want [the code content as seen in the screenshots below].
Was then able to save a copy with a name specified by me.
Would it be possible to use a file-content-comparison program to display differences?

If you get "Trojan:Win32/Popureb.E"

http://blogs.technet.com/b/mmpc/archive ... stead.aspx

fix the MBR first, and then restore/reinstall the system