-
Notifications
You must be signed in to change notification settings - Fork 1
/
k0r0pt-0x01-Hacking_the_boot_sector.txt
executable file
·554 lines (433 loc) · 21.5 KB
/
k0r0pt-0x01-Hacking_the_boot_sector.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
.o0O_ k0r0pt Issue 0x01 _O0o.
(\===========================/)
|=--------------------+=<] [>=+---------------------=|
|=--------------------+=<] Hacking the Boot Sector [>=+---------------------=|
|=--------------------+=<] Sudo [>=+---------------------=|
|=------------------+=<] [email protected] [>=+-------------------=|
|=--------------------+=<] [>=+---------------------=|
(/___________________________\)
Okay, this seems to be the first article to the first edition of the ezine
k0r0pt. Like this article, all articles will be divided into sections. This
article is about hacking the boot sector.
0x01 Introduction
0x02 Details
0x03 Programming
0x04 Programs
0x05 Outtro
0x06 References
0x07 Disclaimer
.o# 0x01 Introduction #o.
The boot sector has always amused me, and I have always tried to know how it
all worked. How the computer sprang up after power, and how it detected all
those Operating Systems I had. But after a lot of going through stuffs and
research, I could find out less about it, until one day, when I got a paper
about it, and only then I understood that I was not even aware what to search
for. This paper [1], was about The Boot Sector, how it worked and how to control
it. Since then I have gone through a couple or so papers on the topic, and a
dozen programs illustrating how to use the computer after boot up. The how to
use part, I was familiar with, as it consisted of BIOS interrupts, about which
I had read while learning assembly & C, and VGA and mouse programming in DOS.
And after that, I did a lot of research on using the computer after booting it.
This paper is theory, which I came to know about from the references I've
mentioned, and my own research, which I have included below. To understand those
programs, you must be aware of assembly language, which if you're not, you can
learn from the Internet as there are thousands of tutorials out there.
Another thing that I must tell before going any further, is that I have used
two Operating Systems in this research. One is Linux, which runs on my laptop,
that happens to be lacking a floppy drive, which I used to boot the other
computer, which happens to be running "Microsoft Windows". Sad but true. This is
also because, I didn't have a floppy drive in my laptop, otherwise I'd have done
it in Linux. So, I used the command line utility Debug for MS-DOS, in order to
write to boot sector of the floppy drive. This article will be doing the same.
Although I have used Linux for the assembling part, you can do that in Windows
as well, in case you use Windows. But in that case, you'd only use the nasm, or
some other equivalent assembler for DOS/Windows, like TASM or A386. But if
you're more comfortable with the GAS, I'd suggest you do it on Linux, but in
which case, you'd have to do the conversion to AT&T format. Keeping in mind,
that people are more familiar with the Intel assembler syntax, I'd code in the
Intel syntax. Also, dd can be used on Linux to write to the boot sector. But I
know little about how to use it. So, I'd leave that upto you to discover.
.o# 0x02 Details #o.
When you power on the computer, it executes the BIOS, which is located at
memory location F000:FFF0. This BIOS is what we also call Basic Input Output
System. This BIOS is stored in Electrically Programmable ROM Chips inside the
computer. The BIOS then takes control and performs the Power On Self Test,
popularly known as the POST. This actually tests for all hardwares and checks
them for integrity. It checks the Video card BIOS, and executes it. It is
located at memory address 0xC000. Then after checking for other ROM BIOSes, it
executes the hard disk BIOS located at 0xC8000. This BIOS is what loads the
Operating System.
Back then, the boot sector was made with one objective in mind. That was to
enable one computer to run multiple Operating Systems. The boot sector, like all
other sectors in a hard disk is 512 Bytes long. So, whatever we put in the boot
sector must be 512 Bytes at max. No more than that. However, these standards
were laid down by ATA, and only apply to hard disks. in case of other devices,
it won't apply ([1]). However, to my surprise, I found a controversy to this
fact, while trying to write a 2048 byte code to the first 4 sectors of my floppy
disk, only to discover that the code was not executing at all. So, what comes
out, is that we only have 512 bytes at our disposal, and we must load another
program from disk, if we have to execute something bigger than that.
If I use the debug utility in DOS, to dump the memory address f000:fff0, it
would show something like this:
-d f000:fff0
F000:FFF0 CD 19 E0 00 F0 31 31 2F-32 36 2F 39 39 00 FC 81 .....
A valid boot Sector must terminate with the two bytes 0xAA55. If a valid Boot
Sector is found, the code is loaded into 0000:7C00. Repeating what I said
before, as it is merely 512 bytes, that the boot sector code can have, it can't
do much. So you must make sure that you write small code, or just execute some
other program from it, which is also done in Boot Loaders and Operating Systems.
About writing the code to a magnetic disk, you could simply insert a floppy
inside your Windows box, and type w 100 0 0 1 inside DEBUG. This will write the
code at 100th location of device 0, which is also the floppy drive A:, from
sector 0 to 1.
.o# 0x03 Programming #o.
About the programming part, you could use just the raw code to do the job. No
need to link the assembled code, as you're not using it on any OS. You'd be
executing it before executing anything else. So, you'd just begin writing, and
start doing what you want to do.
In my programs, I've either used BIOS interrupts or have just accessed VGA
addresses to do different kinds of things. You could alternatively do many other
things. And since there is no other thing in memory, your program will run fast
like hell. I assume you have basic knowledge of BIOS interrupts. But if you
haven't, fret not because I have well commented code. Alternatively, you could
just look for documents out there, that describe the various interrupts I have
used. Those will contain full documentation of all the things that can be done
with that interrupt.
The first program that I have illustrated here is the classic boot sector
program, which you can find just by searching for that. Here, all I do is get
control and use BIOS interrupts to print a string. The pre START section does
something cryptic though, which is not necessary in normal programs.
jmp 0x07C0:START
Here, we just change the offset, which is actually 0000:7c00 to 07c0:START.
We do this because it is easier to handle zero offset this way. Then we use the
BIOS interrupt 0x10 with ah=0x00 to switch to a video mode. al=0x03 specifies
that it is text mode. That is 80x25 and 16 colors. The next step is to print a
string stored in memory inside MSG. The comments should explain what's going on.
After that, for the reboot, we just make a far jump to 0x0000:0xFFFF. This is
the memory location where the reboot code is stored, which is executed after the
jump.
The second program just prints out a rectangle on the left end of the screen.
We simply draw four lines to make a rectangle. The upper left corner of the
screen being 0,0, and the coordinates increasing as we go right and down, we
draw the lines at x=50, x=100, y=0 and y=200. To draw the lines, we use the
simple algorithm of plotting points on the line. We have used int 0x10 for this.
In the graphic initialization, we have used al=0x13, which specifies the vga 256
color mode, which is also known as the graphics mode. As you can see, that we
did not make a jump to 0x07c0:START in this program, because we're not using any
variables in this program. That is, we do not use any memory references here. So
we do not need to change address space. We also do not change ds and es because
of this reason.
After that, ah specifies that we're plotting a pixel. al specifies the color.
bh specifies the memory page, which is 0x00.cx and dx are the x and y
coordinates respectively. We go through a loop, as you can see, to change these
coordinates.
The third program is the last program that I've included in this section for
the graphics part. It is called gfx2.asm. It prints out colors by just
incrementing them. We first take one color and draw a vertical line. Then we
draw another vertical line on its right side, after incrementing the color. Then
we draw another in a similar manner. In this manner, we get what we used to get
in olden days' TV transmissions. Vertical color patches. Also, remember that
0x13 switches to 320x200 with 256 colors.
The graphic programs will run faster after the boot, simply because there
won't be anything else in the memory. So, we have no competition. It simply
works great, and it is fun to work with graphics.
The last program is a classic boot loader, or a bootstrap utility, which
explains how 512 bytes are not enough, and how this limit can be bypassed. We
read out the floppy disk, where we had written the program ldprogram.asm at the
sector number 4. We read that sector, and read 2 sectors starting at sector 4.
The start of the code must be understandable by now, because that's what's been
happenning in the last few programs. I'll illustrate the disk read part. Here we
use the 0x13 BIOS interrupt. We first move 0x0202 to ax. ah is set to 0x02,
which says read some sectors from a disk. al says that 2 sectors are to be read.
cx specify the track and the sector. As we had written 2 sectors starting from
the fourth sector, we set it to 0x0004. dh specifies the head position, which is
0x00 and dl specifies the drive, that is the device that has to be used. 0x00 is
for first floppy drive. So we set dl to 0x00. And finally ES:BX is the
segment:offset of the buffer where the data is to be loaded. We set the offset
to 0x0000, and do not touch the segment part. Now our program is loaded in the
memory location es:bx, which is, es*0x10+bx. We calculate this up and make a
jump to that location. Thus, we succeed in executing our program, and break the
512 byte barrier. Now we are free to do a lot of things, that are beyond these
512 bytes. The rest of the code is no different from the other programs. So,
we'd move on to our program ldprogram.asm.
This program is simply printing a long string, which easily crosses the 512
bytes limit, because the string itself is above 600 bytes in length. In fact the
program is 1004 bytes, after it is assembled. We'd write this program to the 4th
sector of the floppy by using w 100 0 4 2 in the DEBUG program. Again, this is
because the floppy drive is drive 0, writing starts at sector number 4, and
continues upto 2 consecutive sectors, which provide a space of 1024 bytes, where
our program snuggles comfortably. As the rest of the code needs no explanation,
we'd directly go on to understand the Print logo part. Here everything is the
same as in program 1. But the part which is confusing is why did I add 0x0202 to
bp. Well I did it because I noticed that without it, the msg started somewhere
well before the actual string, and printed gibberish before printing the string.
Turned that was 0x0202 characters before the actual string.
.o# 0x04 Programs #o.
<++++> bs1.asm
; This program is licensed under the GNU General Public Licence v3.
;
; https://www.github.com/k0r0pt/hackingTheBootSector
;
; Author: Sudo <[email protected]>
; Sample asm program, that prints a string with BIOS interrupt 0x10, and then
; makes a far jump to 0000:FFFF to reboot the computer. We tell the processor,
; that the variable declarations are in the same place, as there is code. So, we
; copy the contents of CODE SEGMENT register to DATA SEGMENT register. And then
; we also copy CS to ES
jmp 0x07C0:START ; Program starts executing at 0000:7C00
; But it would be easier to handle offset 0
; So, we make a far jump to 0x07C0:START
MSG DB 'Sudo ru135!',13,10,'fuX0r j00!!!',0
START:
push CS ; We copy CS to DS, to tell processor, that
pop DS ; variables are in the same place as program
; code.
; update ES also
push CS ; We copy CS to ES again.
pop ES
; MY working code start here
MOV AX,0x0003 ; Switch to text mode AH asks processor to
INT 0x10 ; change video mode. AL is set to 0x03, which is
; the text mode. INT then executes this up.
; Print String
MOV AX,0x1301 ; Print a string AH is to print string. AL
MOV BX,0x0001 ; specifies that the string consists of
MOV CX,0x1b ; printable characters. CX has string length
MOV BP,MSG ; BP points to the string.
INT 0x10 ; Calling this interrupt reads registers and
; prints the string.
; Wait for key press
MOV AH,0x00 ; INT 0x16 reads AH, and sees it is to wait for
INT 0x16 ; a keypress
; Reboot
DB 0xEA ; We simply declare the bytes. 0xEA is to make
DW 0x0000 ; far jumps. The next two bytes specify the
DW 0xFFFF ; segment and offset of memory address to jump
; to
TIMES 510-($-$$) DB 0 ; Fill remaining space
SIGNATURE DW 0xAA55 ; 0xAA55 tells BIOS
; that boot sector routine ends.
<---->
<++++> gfx1.asm
; This program is licensed under the GNU General Public Licence v3.
;
; https://www.github.com/k0r0pt/hackingTheBootSector
;
; Author: Sudo <[email protected]>
; Sample asm program, that prints a rectangle in BIOS 256 color graphics mode
; and then makes a far jump to 0000:FFFF to reboot the computer.
START:
mov ax,0x0013 ; Switch to 256 color VGA mode
int 0x10
; Set BG White
mov ah, 0x07
mov bh, 0x01
int 0x10
mov cx, 200
LOOP_4_LINE1:
mov ah, 0x0c
mov al, 0x0f
mov bh, 0x00
mov dx, 50
SUB cx, 0x01
int 0x10
jnz LOOP_4_LINE1
mov cx, 200
LOOP_4_LINE2:
mov ah, 0x0c
mov al, 0x0f
mov bh, 0x00
mov dx, 100
sub cx, 0x01
int 0x10
jnz LOOP_4_LINE2
mov dx, 100
LOOP_4_LINE3:
mov ah, 0x0c
mov al, 0x0f
mov bh, 0x00
mov cx, 0
sub dx, 0x01
int 0x10
mov ax, dx
sub ax, 50
jnz LOOP_4_LINE3
mov dx, 100
LOOP_4_LINE4:
mov ah, 0x0c
mov al, 0x0f
mov bh, 0x00
mov cx, 200
sub dx, 0x01
int 0x10
mov ax, dx
sub ax, 50
jnz LOOP_4_LINE4
WAIT_FOR_KEY_PRESS:
mov ah,0x00
int 0x16
REBOOT:
db 0xEA
dw 0x0000
dw 0xFFFF
times 510-($-$$) db 0
SIGNATURE dw 0xaa55
<---->
<++++> gfx2.asm
; This program is licensed under the GNU General Public Licence v3.
;
; https://www.github.com/k0r0pt/hackingTheBootSector
;
; Author: Sudo <[email protected]>
; Sample asm program, that prints colors as you'd see in those olden TV
; transmissions in BIOS 256 color graphics mode and then makes a far jump to
; 0000:FFFF to reboot the computer.
START:
mov ax,0x0013
int 0x10
; Set BG White
mov ah, 0x07
mov bh, 0x01
int 0x10
mov cx, 0
mov al, 0x00
mov bh, 0x00
LOOP_4_X:
mov dx, 0
LOOP_4_Y:
mov ah, 0x0c
int 0x10
add dx, 0x01
mov si, 199
sub si, dx
jnz LOOP_4_Y
add cx, 0x01
inc al
mov si, 319
sub si, cx
jnz LOOP_4_X
WAIT_FOR_KEY_PRESS:
mov ah,0x00
int 0x16
REBOOT:
db 0xEA
dw 0x0000
dw 0xFFFF
times 510-($-$$) db 0
SIGNATURE dw 0xaa55
<---->
<++++> bsx.asm
; This program is licensed under the GNU General Public Licence v3.
;
; https://www.github.com/k0r0pt/hackingTheBootSector
;
; Author: Sudo <[email protected]>
; Sample asm program, that prints a string with BIOS interrupt 0x10, and then
; makes a far jump to 0000:FFFF to reboot the computer. We tell the processor,
; that the variable declarations are in the same place, as there is code. So, we
; copy the contents of CODE SEGMENT register to DATA SEGMENT register. And then
; we also copy CS to ES
jmp 0x07C0:START
START:
push cs ; We copy CS to DS, to tell processor, that
pop ds ; variables are in the same place as program
; code.
; update es also
push cs ; We copy CS to ES again.
pop es
; MY working code start here
mov ax, 0x0003 ; Switch to text mode AH asks processor to
int 0x10 ; change video mode. AL is set to 0x03, which is
; the text mode. INT then executes this up.
; Now read sector 4 from floppy disk, where the next program is located
mov ax, 0x0202
mov cx, 0x0004
mov dx, 0x0000
mov bx, 0x0000
int 0x13
mov ax, es
mov bx, ax
mov di, 0x10
mult:
add ax, bx
dec di
jnz mult
add ax, 0x0000
jmp ax ; Jump control to our program
times 510-($-$$) db 0 ; Fill remaining space
signature DW 0xAA55 ; 0xAA55 tells BIOS
; that boot sector routine ends.
<---->
<++++> ldprogram.asm
; This program is licensed under the GNU General Public Licence v3.
;
; https://www.github.com/k0r0pt/hackingTheBootSector
;
; Author: Sudo <[email protected]>
; Sample asm program 2, that prints a logo with BIOS interrupt 0x10, and then
; makes a far jump to 0000:FFFF to reboot the computer. We tell the processor,
; that the variable declarations are in the same place, as there is code. So, we
; copy the contents of CODE SEGMENT register to DATA SEGMENT register. And then
; we also copy CS to ES. This program is executed by our bootsector example
; program 2.
jmp START
msg db 10,13,\
' XX %XX% %XX%',10,13,\
' XX SXXXXS SXXXXS XX',10,13,\
' XX ;X% %X; ;X% %X; XX',10,13,\
' XX tXX. %X. .X% XX %XXX %X. .X% XX.%XS: XXXXXXX',10,13,\
' XX ;XX. SX XS XXSXXXX SX XS XXSXXXX. XXXXXXX',10,13,\
' XX;XX. XX %% XX XX%. XX %% XX XX% %X% XX',10,13,\
' XXXX; XX %% XX XX XX %% XX XX XS XX',10,13,\
' XXXXX SX XS XX SX XS XX XX XX',10,13,\
' XX tX% %X. .X% XX %X. .X% XX XS XX',10,13,\
' XX XX: ;X% %X; XX ;X% %X; XX% %X% XX.',10,13,\
' XX ;XS SXXXXS XX SXXXXS XXSXXXX. %XXXX',10,13,\
' XX SXt %XX% XX %XX% XX %XS: .%XXX',10,13,\
' XX',10,13,\
' XX',10,13,\
' XX',10,13,0
START:
push cs ; We copy CS to DS, to tell processor, that
pop ds ; variables are in the same place as program
; code.
; update es also
push cs ; We copy CS to ES again.
pop es
; MY working code start here
mov ax, 0x0003 ; Switch to text mode AH asks processor to
int 0x10 ; change video mode. AL is set to 0x03, which is
; the text mode.
; Print Logo
mov bx, 0x0004
mov cx, 0x03c5
mov bp, msg
add bp, 0x0202
mov ax, 0x1301
int 0x10
; Wait for key press
mov ah,0x00 ; INT 0x16 reads AH, and sees it is to wait for
int 0x16 ; a keypress
; Reboot
db 0xea ; We simply declare the bytes. 0xEA is to make
dw 0x0000 ; far jumps. The next two bytes specify the
dw 0xffff ; segment and offset of memory address to jump
; to
<---->
.o# 0x05 Outtro #o.
Well, it seems that my article has come to an end after all. Before I say
goodbye, I'd like to let all my readers know, that this was my first article to
the underground, and I hope everyone loves my work.
And enjoy hacking. It's the only fun part of our lives!
.o# 0x06 References #o.
1. The Boot Sector by Ralph http://blacksun.box.sk
http://awc.rejects.net
http://web.textfiles.com/hacking/boot.txt
2. Writing Boot Sector Code by Susam Pal
http://susam.in/articles/boot-sector-code/
.o# 0x07 Disclaimer #o.
The information contained within this file is purely for educational and
informational purposes. If this text is used for illicit purposes or causes any
type of damages and/or harm in any direct and/or indirect manner, neither the
author nor the k0r0pt staff can be held responsible.
-- Knowledge is responsibility. Use it wisely --