Here’s the boot sequence of a classic machine (ESET courtesy).

[image: boot sequence of a classic machine]

Boot process

As seen in the picture above, the first component to be called is the Master Boot Record (MBR), which is the sector 0 of a physical hard drive. MBR describes how many partitions are defined on the hard drive, if they are bootable, their size plus location, and the filesystem used on them. Below is a picture of what it looks like.

[image: Master Boot Record layout]

Master Boot Record

MBR also contains an assembly (16 bits) bootstrap, executed when the system starts. The bootstrap will perform several checks, and in the end will jump to the VBR bootstrap of the bootable partition, located at the sector 0 of the partition.

[image: MBR bootstrap assembly code]

Volume Boot Record

VBR also defines several things about the partition, and contains assembly code executed when called. VBR contains 2 distinct assembly parts, called bootstrap and bootloader. The bootloader will in the end start to load the first component of the Windows operating system.

A bootkit will typically replace any assembly part (MBR/VBR) by a specially crafted one, to copy in memory and execute the code of a malicious driver. They also sometimes hook INT 13/15 interruption handlers to filter memory and disk access, and protect the infected MBR/VBR as well as the kernel driver.
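As an added example (not code from the original post), here is a small parser for the MBR layout described above: 446 bytes of 16-bit bootstrap code, four 16-byte partition entries carrying the bootable flag, filesystem type and location/size, and the 0x55AA signature. It also shows the check a defender cares about: a bootkit that swaps the bootstrap leaves the partition table intact, so comparing the bootstrap hash against a known-good baseline is what reveals the tampering. The sample sector and bootstrap bytes are constructed here, not taken from a real disk.

```python
import hashlib
import struct

BOOTSTRAP_LEN = 446          # 16-bit bootstrap code occupies bytes 0..445
TABLE_OFFSET = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    # lba_start is the sector where this partition's VBR lives (its sector 0).
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Validate the signature and return the bootstrap hash plus non-empty partitions."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = [parse_partition_entry(sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": [e for e in entries if e["type"] != 0]}


def bootstrap_matches_baseline(sector: bytes, known_good_sha256: str) -> bool:
    """Integrity check: has the bootstrap code changed since the baseline was taken?"""
    return parse_mbr(sector)["bootstrap_sha256"] == known_good_sha256


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample sector: given bootstrap bytes, a bootable NTFS (0x07) partition
    at LBA 2048 and a second Linux (0x83) partition, two empty entries, then the signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    p1 = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    p2 = struct.pack("<B3sB3sII", 0x00, bytes(3), 0x83, bytes(3), 206848, 409600)
    return code + p1 + p2 + bytes(16) + bytes(16) + SIGNATURE


# Constructed placeholder opcode bytes standing in for a clean and a replaced bootstrap.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]   # recorded while the disk is known good
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")                 # same table, different bootstrap

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print("clean ok:", bootstrap_matches_baseline(CLEAN_MBR, BASELINE_SHA256))
    print("tampered ok:", bootstrap_matches_baseline(TAMPERED_MBR, BASELINE_SHA256))
```

On a real system the baseline hash would be recorded from the raw sector 0 at install time and re-checked periodically; note that a bootkit hooking INT 13 can return the clean sector to reads made from the infected system, so the check is most trustworthy when run offline.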