MBR analysis


charlie
September 11th, 2010, 15:23
Hi guys,
I want to analyse an MBR which is corrupted by malware. Does anyone have experience in analysing MBRs? Any tips or best starting point for analysis would be much appreciated.

Thanks in advance
Charlie

Silkut
September 11th, 2010, 17:02
Hey,

Fixing your MBR would require GMER or similar, however I don't know about analysis... maybe seeing where it is located and dumping the thing.

Woodmann
September 11th, 2010, 18:42
Howdy,

It would seem to me that the drive would have to be slaved in order to try it.

I have never thought of doing it.

Woodmann

Kayaker
September 11th, 2010, 23:39
Hi

As Silkut mentions GMER, you probably want to start by comparing with the MBR rootkit analysis from here

http://www2.gmer.net/mbr/


Also, since it would be nice to know what the original MBR code was, and if you don't have a backup of that, you can fortunately extract it from the system file system32/dmadmin.exe. See here for details

An Examination of the Windows 2000 ( NT5.0 ) and Windows XP ( NT5.1 ) MBR ( Master Boot Record )

http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm
http://mirror.href.com/thestarman/asm/mbr/Win2kmbr.htm (mirror)

Briefly, search for the signature bytes "2C 44 63" in dmadmin.exe then copy the valid code above that (for me it's 12Ch bytes beginning with 33 C0..) and disassemble as a binary file in IDA. Chances are it will match the analysis in the article.

Comparing both these MBR code analyses with what you have should give you a good head start. Good luck.

Kayaker

charlie
September 12th, 2010, 06:14
That was very helpful. I will go through the different stuff you have posted. Fixing an MBR isn't an issue as we can fix the MBR using any bootable disk; I was asking this to analyse an infected MBR. Thanks again


charlie

Gynvael
September 12th, 2010, 10:01
Hey,

Personally I've used BOCHS for debugging the infected MBR (with the BOCHS debugger GUI extension from http://www.turboirc.com/asm/ (see Tools section), but I think you'll have to e-mail the author to get it currently).
Also, Ralf Brown's Int List came in verrryy handy! (http://www.ctyme.com/rbrown.htm)

Anyway, good luck & have fun

esther
September 12th, 2010, 11:17
You can compare the good MBR and infected ones using Hex Workshop, if I remember correctly.

joblack
October 19th, 2010, 19:42
You can just dump the MBR under Linux with

dd if=/dev/sda of=/home/yourname/mbr.bin count=1

and after that you might disassemble mbr.bin.
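Putting joblack's dd dump together with Kayaker's idea of comparing the infected sector against the original boot code, here is an added example (not code from anyone in this thread) that parses a 512-byte MBR image, checks the 55 AA signature and partition table, and lists the offsets where the boot code departs from a known-good copy. It assumes you have such a reference copy (e.g. extracted from dmadmin.exe as described above); every sample byte below is constructed for the test, not taken from a real infection.

```python
# Added example (not from the thread): parse a raw 512-byte MBR dump and diff
# its boot code against a known-good copy. All sample bytes are constructed.
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # boot code occupies bytes 0..445
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"       # bytes 510..511 must be 55 AA

def parse_mbr(image: bytes) -> dict:
    """Split an MBR image into boot code, non-empty partition entries and a signature check."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY_FMT, image, BOOT_CODE_SIZE + 16 * i)
        if ptype:  # type 0x00 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code": image[:BOOT_CODE_SIZE], "partitions": partitions,
            "signature_ok": image[510:] == SIGNATURE}

def diff_boot_code(reference: bytes, sample: bytes) -> list:
    """(offset, reference_byte, sample_byte) for every differing byte in the 446-byte code area."""
    ref = reference.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    smp = sample.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    return [(off, r, s) for off, (r, s) in enumerate(zip(ref, smp)) if r != s]

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a test image; partitions are (bootable, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(PART_ENTRY_FMT, 0x80 if b else 0, t, lba, n)
                     for b, t, lba, n in partitions).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + SIGNATURE

def analyse(reference_boot: bytes, image: bytes) -> dict:
    """What a responder wants first: signature state, partition layout, changed code offsets."""
    info = parse_mbr(image)
    return {"signature_ok": info["signature_ok"], "partitions": info["partitions"],
            "changed_offsets": [off for off, _, _ in diff_boot_code(reference_boot, info["boot_code"])]}

# Constructed sample data (not real MBR contents): a short reference boot stub and a
# variant whose first two bytes differ, both with one NTFS-type (0x07) partition entry.
REFERENCE_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"   # xor ax,ax / mov ss,ax / mov sp,7C00h
MODIFIED_BOOT = b"\xeb\x05\x8e\xd0\xbc\x00\x7c"    # constructed: first instruction altered
SAMPLE_PARTS = [(True, 0x07, 63, 2097152)]

if __name__ == "__main__":
    import sys  # usage: python mbr_check.py mbr.bin   (the file written by the dd command above)
    with open(sys.argv[1], "rb") as f:
        print(analyse(REFERENCE_BOOT, f.read(MBR_SIZE)))
```

Run against a clean dump the changed-offsets list should be empty; a non-empty list tells you exactly which bytes to look at in IDA.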