honold

zeroing out mbr from inside windows...CAS?


addressing cas in the topic because i figure he's the most likely to know

anybody know of any legit mechanisms (ints, api calls, whatever) one can use to write anything to the mbr while windows 2000/xp is actually running? i get railroaded by windows using every method i know of, 32bit or not


HANDLE hDevice = CreateFile("\\\\.\\PhysicalDrive1",   // "\\.\PhysicalDrive1" once the C escapes are resolved
                      GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL,
                      OPEN_EXISTING,
                      0,
                      NULL);

Will give you a handle to the (second) physical drive, rather than one of the partitions. You can read from it, and write to it like a normal file.

Of course, this requires Admin privileges, and is very dangerous.


THANKS MAN!

if it's being treated as a file, how would i go about zeroing out JUST the mbr? all i want to do is render the system unbootable


unsigned char MBR[512];
DWORD bytesWritten;

memset( MBR, 0, 512 );
WriteFile( hDevice, MBR, 0x1be, &bytesWritten, NULL );

That should do it. If you were clever, you would write a 446 byte program to display something interesting like "Booting from disk has been disabled".

In fact, simply adding MBR[0]=0xcd; MBR[1]=0x18; will insert the opcodes for int 18h, which will return control to the BIOS. In this case, you can boot to the network for example, even if the disk is the first device in the BIOS boot order. Replacing the 0x1be with 512, will erase the partition table as well, so be sure of what you are doing.

The participants in this exchange are trained professionals, in a closed environment. Do NOT try this at home!

> unsigned char MBR[512];
> DWORD bytesWritten;
>
> memset( MBR, 0, 512 );
> WriteFile( hDevice, MBR, 0x1be, &bytesWritten, NULL );
>
> That should do it. If you were clever, you would write a 446 byte program to display something interesting like "Booting from disk has been disabled".
>
> In fact, simply adding MBR[0]=0xcd; MBR[1]=0x18; will insert the opcodes for int 18h, which will return control to the BIOS. In this case, you can boot to the network for example, even if the disk is the first device in the BIOS boot order. Replacing the 0x1be with 512, will erase the partition table as well, so be sure of what you are doing.
>
> The participants in this exchange are trained professionals, in a closed environment. Do NOT try this at home!

Don't forget the 0x55AA or the system won't recognize the MBR as valid.

> Don't forget the 0x55AA or the system won't recognize the MBR as valid.

The code snippet I provided doesn't touch the last two bytes.

> Don't forget the 0x55AA or the system won't recognize the MBR as valid.
>
> The code snippet I provided doesn't touch the last two bytes.

Tis true. Add then "if you overwrite the entire boot sector." I mentioned that because of the adventure I had trying to build an MBR. It wasn't easy finding such documentation years ago, and I lost most of my hair in the process. :)

arigato

Sounds like something tasty....

More importantly... Looking at the big picture, is one of you guys trying to write a new virus or something to erase people's hard drives??? 8O

> The participants in this exchange are trained professionals, in a closed environment. Do NOT try this at home!

I tried this on my grandma's pacemaker and let's just say it was lucky I had a 9V battery handy. You'll be contacted by my lawyers shortly.

-Chris


allow me to preface by saying I AM NOT A DEVELOPER! i am a network monkey. now i will continue.

i'm getting error 87 (the parameter is incorrect). if i change the physicaldevice to a file, it will succeed, and i can clearly see that the file was written to, so it's not a bad parameter to writefile right? need help :)

p.s. to those interested, i'm actually doing this for the exact example cas mentioned: blowing out the mbr in an existing system so that it won't boot from the hdd and will pass to the secondary boot device in the bios (cdrom, lan, whatever) so that it will do an unattended install from there

//
// mbr_erase.cpp :
// The "main" file for the mbr_erase application
//
#include <windows.h>
#include <iostream>
#include <string>

using namespace std;

// Turn GetLastError() into a readable message (ANSI variant, so the
// buffer can be copied straight into a std::string).
static string getLastErrorMessage()
{
    LPSTR lpMsgBuf = NULL;
    FormatMessageA(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_FROM_SYSTEM |
        FORMAT_MESSAGE_IGNORE_INSERTS,
        NULL,
        GetLastError(),
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
        (LPSTR) &lpMsgBuf,
        0,
        NULL
    );
    string message = lpMsgBuf ? lpMsgBuf : "(no message)";
    LocalFree( lpMsgBuf );
    return message;
}

int error( const string& msg )
{
    cerr << msg << ": " << getLastErrorMessage() << endl;
    return -1;
}

int main(int argc, char* argv[])
{
    // "\\.\PhysicalDrive0" opens the whole first disk, not one of its partitions
    HANDLE hDevice = CreateFileA("\\\\.\\PhysicalDrive0",
                                 GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 NULL,
                                 OPEN_EXISTING,
                                 0,
                                 NULL);
    if ( hDevice == INVALID_HANDLE_VALUE )
        return error("Failed to open PhysicalDrive");

    unsigned char MBR[512];
    DWORD bytesWritten;
    memset(MBR, 0, sizeof(MBR));
    MBR[0] = 0xcd;   // int 18h: hand control back to the BIOS
    MBR[1] = 0x18;

    // write only the 0x1be-byte boot code area, leaving the partition table alone
    if ( WriteFile(hDevice, (LPVOID)MBR, (DWORD)0x1be, &bytesWritten, NULL ) == FALSE )
    {
        error("write failed");
        CloseHandle(hDevice);
        return -1;
    }
    CloseHandle(hDevice);
    cout << "we thinks we did it" << endl;
    return 0;
}


Try:

ExitWindowsEx(EWX_REBOOT, SHTDN_REASON_MINOR_RECONFIG);   // returns BOOL; check it for failure

You can add "EWX_FORCEIFHUNG" to the first parameter if you want programs that aren't shutting themselves down to be terminated. The second parameter is the reason for the shutdown. I believe that has more to do with the system logs and administration than actually technically changing the process of rebooting. The first parameter can be replaced with "EWX_POWEROFF" if you want to power down rather than actually restart.

> i'm getting error 87 (the parameter is incorrect).

Sorry.

Though it was not specified in the CreateFile parameters, the system wants to open the physical drive as FILE_FLAG_NO_BUFFERING. This means you must read and write a full sector at a time. On some systems, this might require that your buffer be aligned as well.

Allocate your MBR buffer with VirtualAlloc, and read a full 512 bytes. Clear the first 0x1be bytes, and set bytes 0 and 1 as before. Call SetFilePointer( hDevice, 0, NULL, FILE_BEGIN ) to return to the beginning of the disk, then write out the full 512 bytes.

That should do it.

This is what I get for writing code from memory.

I used to rewrite MBRs when creating boot media for NT Embedded systems. I have never rewritten my system MBR however (for obvious reasons). Let me know how it goes.

BTW Does this qualify as more than just noise, with the actual intention to solve somebody’s problem? ;)

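The sector-aligned read that the reply above prescribes (VirtualAlloc buffer, SetFilePointer to the start, a full 512 bytes) together with the 0x1be / 512 / 0x55AA layout rules from the earlier posts, as an added example that is not part of the thread and not cas's code. The Win32 part assumes `\\.\PhysicalDrive0` exists and the process runs elevated; all function names (`raw_transfer_ok`, `mbr_write_reach`, `sample_mbr`, `read_mbr_win32`) and the sample sector are this example's own. It only reads and backs up the MBR and never writes to the disk; the layout helpers are portable and run anywhere.

```c
/* Added example, not code from the thread: a sector-aligned read of the MBR
 * plus the 446/64/2 layout checks the posts rely on. The Win32 part assumes
 * \\.\PhysicalDrive0 exists and the process is elevated; names are our own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define SECTOR_SIZE    512
#define MBR_PTABLE_OFF 0x1be   /* boot code ends; four 16-byte entries follow */
#define MBR_SIG_OFF    0x1fe   /* 0x55 0xAA */

struct mbr_part { uint8_t bootable, type; uint32_t lba_start, sectors; };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1 if the sector ends in the 0x55AA boot signature. */
int mbr_signature_valid(const uint8_t *sec)
{
    return sec[MBR_SIG_OFF] == 0x55 && sec[MBR_SIG_OFF + 1] == 0xAA;
}

/* Decode entry n (0..3): byte 0 = 0x80 if active, byte 4 = type, 8..11 = LBA
 * start, 12..15 = sector count (both little-endian). */
struct mbr_part mbr_get_partition(const uint8_t *sec, int n)
{
    const uint8_t *e = sec + MBR_PTABLE_OFF + 16 * n;
    struct mbr_part p = { e[0], e[4], le32(e + 8), le32(e + 12) };
    return p;
}

/* Unbuffered raw-device I/O must move whole sectors; a 0x1be-byte WriteFile
 * fails with error 87 (ERROR_INVALID_PARAMETER) for exactly this reason. */
int raw_transfer_ok(size_t len)
{
    return len > 0 && len % SECTOR_SIZE == 0;
}

/* What a write of len bytes at offset 0 of the sector reaches:
 * 0 = boot code only, 1 = partition table too, 2 = signature too. */
int mbr_write_reach(size_t len)
{
    if (len > MBR_SIG_OFF)    return 2;
    if (len > MBR_PTABLE_OFF) return 1;
    return 0;
}

/* Constructed sample sector (not from a real disk): empty boot code, one active
 * type-0x07 partition at LBA 63 with 2048 sectors, valid signature. */
const uint8_t *sample_mbr(void)
{
    static uint8_t s[SECTOR_SIZE];
    uint8_t *e = s + MBR_PTABLE_OFF;
    memset(s, 0, sizeof s);
    e[0] = 0x80; e[4] = 0x07;
    e[8] = 63;                  /* lba_start = 63 */
    e[12] = 0x00; e[13] = 0x08; /* sectors = 0x0800 = 2048 */
    s[MBR_SIG_OFF] = 0x55; s[MBR_SIG_OFF + 1] = 0xAA;
    return s;
}

#ifdef _WIN32
/* Read sector 0 of the first disk into a VirtualAlloc'd (page-aligned) buffer,
 * which satisfies any sector-alignment rule the storage stack imposes. */
static int read_mbr_win32(uint8_t *out)
{
    HANDLE h = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    uint8_t *buf = VirtualAlloc(NULL, SECTOR_SIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    DWORD got = 0;
    int ok = buf != NULL && SetFilePointer(h, 0, NULL, FILE_BEGIN) == 0 &&
             ReadFile(h, buf, SECTOR_SIZE, &got, NULL) && got == SECTOR_SIZE;
    if (ok) memcpy(out, buf, SECTOR_SIZE);
    if (buf) VirtualFree(buf, 0, MEM_RELEASE);
    CloseHandle(h);
    return ok;
}
#endif

int main(void)
{
    uint8_t mbr[SECTOR_SIZE];
#ifdef _WIN32
    if (!read_mbr_win32(mbr)) { printf("read failed, error %lu\n", GetLastError()); return 1; }
#else
    memcpy(mbr, sample_mbr(), SECTOR_SIZE);   /* no raw device here: inspect the sample */
#endif
    printf("signature: %s\n", mbr_signature_valid(mbr) ? "ok" : "MISSING");
    for (int i = 0; i < 4; i++) {
        struct mbr_part p = mbr_get_partition(mbr, i);
        if (p.type) printf("entry %d: type 0x%02x%s start %u len %u\n", i, p.type,
                           p.bootable == 0x80 ? " (active)" : "", p.lba_start, p.sectors);
    }
    FILE *f = fopen("mbr_backup.bin", "wb");   /* keep a copy before any rewrite */
    if (f) { fwrite(mbr, 1, SECTOR_SIZE, f); fclose(f); }
    return 0;
}
```

`raw_transfer_ok(0x1be)` is false and `raw_transfer_ok(512)` is true, which is the whole of the error 87 story; `mbr_write_reach` encodes the two caveats from the earlier posts (a 512-byte write clobbers the partition table and the signature, a 0x1be-byte one leaves both alone). Keeping `mbr_backup.bin` means a bad rewrite can be undone by writing the saved 512 bytes back at offset 0 with the same aligned-I/O rules.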

takes an asshole to know one :)

as amusing as most of it was, you really did seem to go overboard for a bit there with the hypertechnically subtle jabs with no intention of actually helping the asker. it could have helped, but most of it was so below-the-radar on sarcasm and technical you had to know most of it would have gone over their heads. a good example is the (funny) thread you linked. i especially liked the 'enduring solution/we're still awaiting your contribution' post.

you're one of those guys that would go to compusa and ask for a 'db25 to db9 straight rs232' instead of a null modem cable, not explain what it is in a way that they could understand, and then find the cable in front of them just to make them feel like an ass, right? :)


i'll let you know how it goes

really appreciate it. for what it's worth, i trust your opinion on code (esp device/kernel) more than anybody else i 'know'.

> you're one of those guys that would go to compusa and ask for a ...

But straight != null. (you're just baiting me, I am sure)

Now for an admission. I used to be one of those guys at CompUSA, over a decade ago, when the chain was new. I was a tech, and rarely worked on the floor.

I still remember a story they told, about an employee discussing some software at a store in California. He was recommending a program to a customer, and insisted that it would solve their problem. When a woman overheard, and disagreed, the employee blew her off. He insisted she didn't know what she was talking about.

She turned out to be the original author of the program he was recommending.

Personally, I try to take it easy on the guys on the floor.


i made the mistake of asking a strangely stomach-balled fat woman when her baby was due once and made her run out of best buy crying. the really fun part was she left her pc there, and i had to call her (and talk to her husband) to let her know.

i learned my lesson. now when i talk to women on the street or whatever i say, 'hey you're pretty fat,' and DON'T assume they're pregnant.

