NoPetya or EternalPetya has kept the security community pretty busy last week. It is a malware specimen that uses a combined arms approach and maximizes its capabilities by using different techniques to sabotage business operations. One aspect of the malware that raised my interest was the ability to overwrite the Master Boot Record (MBR) and launch a custom bootloader. This article shows my approach to extract the MBR using digital forensic techniques and then analyze the MBR using Bochs.

Before we roll up our sleeves, let's do a quick review of how the MBR is used by today's computers during the boot process. On computers that rely on BIOS flash memory instead of the newer EFI standard, the BIOS code is executed at boot and, among other things, performs a series of routines that carry out hardware checks, i.e., the Power-On Self-Test (POST). Then the BIOS attempts to find a bootable device. If the bootable device is a hard drive, the BIOS reads sector 1, track 0, head 0 and, if it contains a valid MBR (valid means that the sector ends with the bytes 0xAA55), it loads that sector into a fixed memory location. By convention the code is loaded at the real-mode address 0000:7c00. Then the instruction pointer is transferred to that memory location and the CPU starts executing the MBR code. What happens next depends on the MBR implementation, i.e., different operating systems have different MBR code. Nonetheless, the code needs to fit in the 512 bytes available in the disk sector. The MBR follows a standard structure: executable code, the partition table (64 bytes) with the locations of the primary partitions and, finally, the 2-byte 0xAA55 signature. This means only 446 bytes are available to implement an MBR. In the Microsoft world, when the MBR code is executed, its role is to find an active partition, read its first sector, which contains the Volume Boot Record (VBR) code, load it into memory and transfer execution to it. The VBR is a bootloader program that finds the Windows BootMgr program and executes it. All this happens in 16-bit real mode.

Now that we have a brief overview of the boot process, how can we extract and analyze the MBR, more specifically the MBR used by EternalPetya? Well, we infect a victim machine in a controlled and isolated environment. We know that the EternalPetya main component is a DLL and we can launch it and infect a Windows machine by running “rundll32.exe petya.dll, #1 10”.

Our setup consisted of two virtual machines, one running Windows 7 and another running REMnux. We created a snapshot of the victim machine before the infection. Following that, we waited 10 minutes for the infection to complete. The scheduled task created by the malware restarted the operating system and a ransom note appeared. Then I shut down the Windows 7 virtual machine and used the vmware-vdiskmanager.exe utility to create a single VMDK file from the disk state before and after the infection. Next, I moved the VMDK files to a Linux machine, where I used QEMU to convert the VMDK images to RAW format. Following that, I could start the analysis and look at the MBR differences.

The picture below illustrates the difference between the original MBR and the EternalPetya MBR. On the right side you have the EternalPetya MBR; the first 147 bytes (0x00 through 0x92) contain executable code. The last 66 bytes (0x1be through 0x1fd) contain the partition table and are equal to the original MBR. So, we are interested in the code execution instructions.

We can start by extracting the MBR into a binary file and converting it to assembly instructions. This can be done using radare, objdump or ndisasm. Now, this is the hard part of the analysis: read the assembly instructions and understand what they do. We can look at the instructions and perform static analysis, but we can also perform dynamic analysis by running the MBR code; combining both worlds we will have a better understanding – or at least we can try.

To perform dynamic analysis of the MBR code we will use Bochs. Bochs is an open source, fully fledged x86 emulator. Originally written by Kevin Lawton in 1994, it is still being actively maintained today, and last April version 2.6.9 was released. Bochs brings a CLI and GUI debugger and is very useful to debug our MBR code.
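As an added example (not code from the original post), here is a small Python helper for the first step of the analysis above: it reads the first sector of a RAW image, checks the 0xAA55 signature, parses the four 16-byte partition entries, and reports which byte ranges differ between the pre- and post-infection MBRs and whether the partition table survived. The two sample sectors at the bottom are constructed stand-ins for the real dumps, with 147 code bytes replaced to mirror the layout described in the post.

```python
import struct

MBR_SIZE = 512
CODE_END = 0x1BE    # bytes 0x000-0x1BD: executable code (446 bytes)
SIG_OFFSET = 0x1FE  # bytes 0x1FE-0x1FF: boot signature 0xAA55, stored little-endian (55 AA)

def read_mbr(path: str) -> bytes:
    """Read the first sector of a raw disk image (e.g. the VMDK converted with qemu-img)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into code, the four partition entries and the signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        fields = struct.unpack_from("<BBBBBBBBII", sector, CODE_END + 16 * i)
        entries.append({"bootable": fields[0] == 0x80, "type": fields[4],
                        "lba": fields[8], "sectors": fields[9]})
    valid = struct.unpack_from("<H", sector, SIG_OFFSET)[0] == 0xAA55
    return {"valid": valid, "code": sector[:CODE_END], "partitions": entries}

def changed_ranges(a: bytes, b: bytes) -> list:
    """Inclusive (start, end) offsets where two sectors differ, merged into runs."""
    ranges, start = [], None
    for i in range(MBR_SIZE + 1):           # one extra pass closes a run ending at 0x1FF
        differ = i < MBR_SIZE and a[i] != b[i]
        if differ and start is None:
            start = i
        elif not differ and start is not None:
            ranges.append((start, i - 1))
            start = None
    return ranges

def compare_mbrs(original: bytes, infected: bytes) -> dict:
    """Report whether the code region changed and whether the partition table is unchanged."""
    ranges = changed_ranges(original, infected)
    return {"ranges": ranges,
            "code_changed": any(s < CODE_END for s, _ in ranges),
            "partition_table_intact": original[CODE_END:SIG_OFFSET] == infected[CODE_END:SIG_OFFSET]}

def _sample_sector(code: bytes) -> bytes:
    """Constructed sector (not a real dump): code padded to 446 bytes, one bootable NTFS entry, signature."""
    entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 2048, 204800)
    return code.ljust(CODE_END, b"\x00") + entry + bytes(48) + b"\x55\xAA"

ORIGINAL_MBR = _sample_sector(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20)   # stock-style prologue
INFECTED_MBR = _sample_sector(b"\xCC" * 147 + ORIGINAL_MBR[147:CODE_END])     # first 147 bytes replaced
```

On the real images, call `compare_mbrs(read_mbr("before.raw"), read_mbr("after.raw"))`; a run that touches 0x1BE-0x1FD means the partition table itself was altered and the forensic picture is different from the one described here.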