
Thread: MBR analysis

  1. #1

    MBR analysis

    Hi guys,
    I want to analyse an MBR which is corrupted by malware. Does anyone have experience in analysing MBRs? Any tips or a good starting point for the analysis would be much appreciated.

    Thanks in advance
    Charlie

  2. #2
    Hey,

    Fixing your MBR would require GMER or similar; however, I don't know about analysis... maybe see where it is located and dump the thing.

  3. #3
    Howdy,

    It would seem to me that the drive would have to be slaved in order to try it.

    I have never thought of doing it.

    Woodmann
    Learn Or Die.

  4. #4
    Hi

    As Silkut mentions GMER, you probably want to start by comparing with the MBR rootkit analysis from here:

    http://www2.gmer.net/mbr/


    Also, since it would be nice to know what the original MBR code was, and if you don't have a backup of that, you can fortunately extract it from the system file system32/dmadmin.exe. See here for details

    An Examination of the Windows 2000 ( NT5.0 ) and Windows XP ( NT5.1 ) MBR ( Master Boot Record )

    http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm
    http://mirror.href.com/thestarman/asm/mbr/Win2kmbr.htm (mirror)

    Briefly, search for the signature bytes "2C 44 63" in dmadmin.exe, then copy the valid code above that (for me it's 12Ch bytes beginning with 33 C0..) and disassemble it as a binary file in IDA. Chances are it will match the analysis in the article.

    Comparing both these MBR code analyses with what you have should give you a good head start. Good luck.

    Kayaker

  5. #5
    That was very helpful. I will go through the different stuff you have posted. Fixing an MBR isn't an issue, as we can fix the MBR using any bootable disk; I was asking this to analyse an infected MBR. Thanks again.


    charlie

  6. #6
    Hey,

    Personally I've used BOCHS for debugging the infected MBR, with the BOCHS debugger GUI extension from http://www.turboirc.com/asm/ (see the Tools section), but I think you'll have to e-mail the author to get it currently.
    Also, Ralf Brown's Interrupt List came in very handy! (http://www.ctyme.com/rbrown.htm)

    Anyway, good luck & have fun
    gynvael.coldwind//vx

  7. #7
    You can compare the good MBR and the infected one using Hex Workshop, if I remember well.
    esther


    Reverse the code, Reverse Your Minds First

  8. #8
    You can just dump the MBR under Linux with

    dd if=/dev/sda of=/home/yourname/mbr.bin count=1

    and after that you might disassemble mbr.bin.
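Putting posts #4, #7 and #8 together as a worked example (added here, not code posted by anyone in this thread): the script below parses a 512-byte MBR dump such as the one `dd` produces, pulls the known-good boot code out of a dmadmin.exe image using the recipe from post #4 (the 12Ch bytes before the signature 2C 44 63, beginning with 33 C0), and lists every boot-code byte where the dump differs from that reference, which is the comparison post #7 does by hand in a hex editor. The MBR offsets are the standard layout; the sample boot code, the fake dmadmin.exe image and the two-byte modification are constructed stand-ins for demonstration, since the real bytes have to come from your own dump and your own copy of dmadmin.exe.

```python
"""Compare a dumped MBR against a known-good boot-code reference.

Added example, not code from the thread. Offsets are the standard 512-byte
MBR layout; the reference extraction follows post #4 (signature bytes
2C 44 63 in dmadmin.exe, 0x12C bytes of code before them, starting with
33 C0 = xor ax,ax). All sample bytes below are constructed.
"""
import struct
import sys

MBR_SIZE = 512
DISK_SIG_OFF = 0x1B8         # 4-byte NT disk signature, then 2 zero bytes
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE         # 55 AA
XP_CODE_LEN = 0x12C          # length of the 2000/XP boot code (post #4)
XP_SIG = b"\x2c\x44\x63"     # bytes that follow the code inside dmadmin.exe
XP_CODE_START = b"\x33\xc0"  # xor ax,ax


def extract_reference_code(image: bytes) -> bytes:
    """Return the XP_CODE_LEN bytes that precede XP_SIG in a dmadmin.exe image."""
    idx = image.find(XP_SIG)
    if idx < XP_CODE_LEN:  # -1 (not found) or too few bytes before the signature
        raise ValueError("signature 2C 44 63 not found with 0x12C bytes before it")
    code = image[idx - XP_CODE_LEN:idx]
    if not code.startswith(XP_CODE_START):
        raise ValueError("candidate code does not begin with 33 C0 (xor ax,ax)")
    return code


def parse_mbr(mbr: bytes) -> dict:
    """Decode boot code, disk signature and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("55 AA boot signature missing")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty entry
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code": mbr[:DISK_SIG_OFF],
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_boot_code(mbr: bytes, reference: bytes) -> list:
    """List (offset, reference_byte, dump_byte) for every differing code byte."""
    return [(i, r, d) for i, (r, d) in enumerate(zip(reference, mbr)) if r != d]


def build_mbr(code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a 512-byte MBR from code and (status, type, lba, count) tuples."""
    body = code.ljust(DISK_SIG_OFF, b"\x00")
    body += struct.pack("<I", disk_sig) + b"\x00\x00"
    for status, ptype, lba, count in partitions:
        body += struct.pack("<B3xB3xII", status, ptype, lba, count)
    body += b"\x00" * (16 * (4 - len(partitions)))
    return body + b"\x55\xaa"


# Constructed stand-ins (not the real Windows bytes): a fake boot code that
# starts with xor ax,ax, a fake dmadmin.exe image embedding it, a clean MBR
# built from it, and a copy whose first two bytes are overwritten so the
# comparison has something to report.
CLEAN_CODE = XP_CODE_START + b"\x90" * (XP_CODE_LEN - 2)
SAMPLE_IMAGE = b"\x00" * 0x40 + CLEAN_CODE + XP_SIG + b"\x00" * 0x20
CLEAN_MBR = build_mbr(CLEAN_CODE, 0xDEADBEEF, [(0x80, 0x07, 63, 20_000_000)])
MODIFIED_MBR = b"\xeb\x3c" + CLEAN_MBR[2:]


def report(mbr: bytes, reference: bytes) -> str:
    """Human-readable summary: partition table plus differing code bytes."""
    info = parse_mbr(mbr)
    lines = [f"disk signature: {info['disk_signature']:08X}"]
    for p in info["partitions"]:
        lines.append(f"part {p['index']}: type {p['type']:02X} "
                     f"{'boot ' if p['bootable'] else ''}lba {p['lba_start']} "
                     f"sectors {p['sectors']}")
    diffs = diff_boot_code(mbr, reference)
    lines.append(f"{len(diffs)} boot-code byte(s) differ from the reference")
    lines += [f"  {off:04X}: {r:02X} -> {d:02X}" for off, r, d in diffs[:16]]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: mbr_compare.py mbr.bin dmadmin.exe
        with open(sys.argv[1], "rb") as f:
            dump = f.read()
        with open(sys.argv[2], "rb") as f:
            ref = extract_reference_code(f.read())
    else:  # no arguments: run on the constructed sample
        dump, ref = MODIFIED_MBR, extract_reference_code(SAMPLE_IMAGE)
    print(report(dump, ref))
```

With a real dump, run it as `python mbr_compare.py mbr.bin dmadmin.exe` (script name assumed) against the `mbr.bin` produced by the `dd` command above and a copy of system32/dmadmin.exe taken from a clean machine of the same Windows version. The byte diff only covers the code region the reference provides; the disk signature and partition entries are printed so they can be compared against the clean copy by eye, since a changed partition table would not show up in the code diff.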
