Saturday, April 21, 2012

MBR Parser

With the increase in MBR infectors, I've decided to release a script I wrote that parses the MBR as well as hashes and disassembles the bootcode. I've found that MBR bootcode is pretty stable across systems of the same OS, so this script should allow you to quickly check for any discrepancies on a system.

You of course need Python and Distorm to use this script.

A shortened example output can be seen below:

$ python mbr_parser.py -f mbr.bin
Disk signature: 96-80-96-80
Bootcode md5: 4ad444d4e7efce9485a94186c3f4b157

Bootcode Disassembly:
00000000: 33c0          XOR AX, AX
00000002: 8ed0          MOV SS, AX
00000004: bc007c        MOV SP, 0x7c00
00000007: fb            STI
00000008: 50            PUSH AX
00000009: 07            POP ES
0000000a: 50            PUSH AX
0000000b: 1f            POP DS
0000000c: fc            CLD
0000000d: 50            PUSH AX
0000000e: be007c        MOV SI, 0x7c00
00000011: bf0006        MOV DI, 0x600
00000014: b90002        MOV CX, 0x200
00000017: f3a4          REP MOVSB
00000019: bf1e06        MOV DI, 0x61e
0000001c: 57            PUSH DI
0000001d: cb            RETF
0000001e: b441          MOV AH, 0x41
00000020: b280          MOV DL, 0x80
00000022: bbaa55        MOV BX, 0x55aa
00000025: cd13          INT 0x13
00000027: 81fb55aa      CMP BX, 0xaa55
0000002b: 7530          JNZ 0x5d
0000002d: f6c101        TEST CL, 0x1
00000030: 742b          JZ 0x5d
00000032: be0008        MOV SI, 0x800
00000035: c7041000      MOV WORD [SI], 0x10
00000039: c744020600    MOV WORD [SI+0x2], 0x6
[snip]
000001b2: 0000          ADD [BX+SI], AL
000001b4: 002c          ADD [SI], CH
000001b6: 44            INC SP
000001b7: 63            DB 0x63

===== Partition Table #1 =====
Boot flag: 0x80 (Bootable)
Partition type: 0x7 (NTFS)
Starting Sector (LBA): 0x3f (63)
Starting CHS: Cylinder: 0 Head: 1 Sector: 1
Ending CHS: Cylinder: 520 Head: 254 Sector: 63
Size in sectors: 0x7fb68a (8369802)

===== Partition Table #2 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)

===== Partition Table #3 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)

===== Partition Table #4 =====
Boot flag: 0x0
Partition type: 0x0 (Empty)
Starting Sector (LBA): 0x0 (0)
Starting CHS: Cylinder: 0 Head: 0 Sector: 0
Ending CHS: Cylinder: 0 Head: 0 Sector: 0
Size in sectors: 0x0 (0)

Update: Fixed output to 16bit assembly. Thanks for the feedback!
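For readers who want to see how the non-disassembly part of such a tool works, here is an added example (my own illustration, not the author's mbr_parser.py) that pulls the same fields the output above reports: the 4-byte disk signature at offset 0x1B8, an MD5 of the 440 bytes of bootcode, and the four 16-byte partition entries with their packed CHS fields decoded. The sample 512-byte sector is constructed inline to match Partition Table #1 above (the bootcode bytes are just the first few instructions from the listing, zero-padded, so its hash is not the one shown). The partition-type name table is a small subset of the well-known ids, and `bootcode_matches_baseline` is the discrepancy check the post describes: compare the hash against one taken from a known-clean machine of the same OS.

```python
"""Minimal MBR field parser (added example, not the original mbr_parser.py)."""
import hashlib
import struct

BOOTCODE_LEN = 440        # 0x000-0x1B7: bootstrap code that gets hashed/disassembled
DISK_SIG_OFF = 0x1B8      # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
SIG_OFF = 0x1FE           # 55 AA boot signature terminates the sector

# Subset of well-known partition type ids; anything else reports "Unknown".
PARTITION_TYPES = {
    0x00: "Empty", 0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xEE: "GPT protective",
}


def decode_chs(head, sector_cyl_hi, cyl_lo):
    """Unpack the 3-byte CHS encoding of a partition entry.

    Sector is the low 6 bits of the middle byte; its top 2 bits are the
    high bits of the 10-bit cylinder number, whose low 8 bits follow.
    """
    sector = sector_cyl_hi & 0x3F
    cylinder = ((sector_cyl_hi & 0xC0) << 2) | cyl_lo
    return {"cylinder": cylinder, "head": head, "sector": sector}


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry."""
    (status, s_head, s_sc, s_cyl, ptype,
     e_head, e_sc, e_cyl, lba, size) = struct.unpack("<8BII", entry)
    return {
        "boot_flag": status,
        "bootable": bool(status & 0x80),
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "Unknown"),
        "start_lba": lba,
        "size_sectors": size,
        "start_chs": decode_chs(s_head, s_sc, s_cyl),
        "end_chs": decode_chs(e_head, e_sc, e_cyl),
    }


def parse_mbr(sector):
    """Parse a raw 512-byte MBR into signature, bootcode hash and partitions."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    sig = struct.unpack(">H", sector[SIG_OFF:SIG_OFF + 2])[0]
    if sig != 0x55AA:
        raise ValueError("missing 0x55AA boot signature (found %#06x)" % sig)
    disk_sig = sector[DISK_SIG_OFF:DISK_SIG_OFF + 4]
    partitions = [
        parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)])
        for i in range(4)
    ]
    return {
        "disk_signature": "-".join("%02x" % b for b in disk_sig),
        "bootcode_md5": hashlib.md5(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def bootcode_matches_baseline(sector, known_good_md5):
    """The check the post describes: same OS, same bootcode, same hash."""
    return parse_mbr(sector)["bootcode_md5"] == known_good_md5.lower()


def build_sample_mbr():
    """Constructed test sector: entry #1 matches the post's example output."""
    bootcode = bytes.fromhex("33c08ed0bc007cfb50075016fc50be007cbf0006b90002f3a4")
    sector = bytearray(512)
    sector[:len(bootcode)] = bootcode
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = bytes.fromhex("96809680")
    # status=0x80, start CHS (head 1, sector 1, cyl 0), type 0x07 NTFS,
    # end CHS (head 254, sector 63, cyl 520), LBA 0x3f, size 0x7fb68a
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = bytes.fromhex("800101 0007febf08 3f000000 8ab67f00".replace(" ", ""))
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    print("Disk signature:", info["disk_signature"])
    print("Bootcode md5:", info["bootcode_md5"])
    for n, p in enumerate(info["partitions"], 1):
        print("===== Partition Table #%d =====" % n)
        print("Boot flag: %#x%s" % (p["boot_flag"], " (Bootable)" if p["bootable"] else ""))
        print("Partition type: %#x (%s)" % (p["type"], p["type_name"]))
        print("Starting Sector (LBA): %#x (%d)" % (p["start_lba"], p["start_lba"]))
        print("Size in sectors: %#x (%d)" % (p["size_sectors"], p["size_sectors"]))
```

Feed it a real sector with `dd if=/dev/sda bs=512 count=1` (or the first 512 bytes of an image) and compare the MD5 against one from a clean build; a changed hash with an unchanged partition table is exactly the pattern an MBR infector that relocates the original bootcode would produce.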

The script can be found here.