
OpenBSD support #4

Open
ffries opened this issue Nov 23, 2017 · 2 comments

ffries commented Nov 23, 2017

Hello,

First of all, congratulations on this great project. Modern viruses hook in using the BIOS or microcode, so it is nice to have a bootcode parser to parse the BIOS MBR. I dream we could have the same tools for networking microcode.

I only migrated to OpenBSD recently, for learning purposes, so pardon my ignorance. OpenBSD is meant to be secure, but I would still like to be able to test my MBR.

I know that bootcode_parser does not support OpenBSD, but would you be interested in supporting OpenBSD?

Under OpenBSD, the boot is a 3-stage process:

  • Master Boot Record (MBR) and GUID Partition Table (GPT). The fdisk(8) man page contains the details.
  • Partition Boot Record (PBR). The first 512 bytes of the boot disk's OpenBSD partition contain the first stage boot loader biosboot(8). It is installed by the installboot(8) utility.
  • Second stage boot loader /boot. The PBR loads the boot(8) program which has the task of locating and loading the kernel.

I have been trying to use bootcode_parser with an OpenBSD 6.2 x64 standard install:

er.py --type MBR --input /usr/mdec/mbr
WARNING - [/usr/mdec/mbr] [MBR] No known code signature were found, this is highly suspicious.
WARNING - [/usr/mdec/mbr] [MBR] Suspicious behaviours were detected: [u'Invalid string offset: 0x0', u'JMP or CALL before relocation', u'Unknown Interrupt : 0x16']

Do you think it would be possible/interesting to add a signature for the OpenBSD MBR? The fact is that it jumps to a second-stage boot loader.

What do I need to submit a signature and does it make sense?

Kind regards,

ffries commented Nov 23, 2017

I'd like to give porting to OpenBSD a try, adding support for MBR/PBR; please tell me if this makes sense.

sc-anssi commented Dec 4, 2017

Having a signature for OpenBSD makes perfect sense from what I can understand of its boot process.
You'll need to reverse engineer the MBR and PBR to properly whitelist its code section(s) so as to make a signature from it.
If you can provide a sample MBR and PBR, I can take a look.
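The three-stage chain ffries describes (MBR partition table, PBR in the first sector of the OpenBSD partition, then /boot) and the code-section whitelisting sc-anssi proposes can be exercised on a sector dump. What follows is an added example, not bootcode_parser code and not OpenBSD's mbr or biosboot: it builds a constructed MBR and PBR in memory, parses the MBR partition table to find the 0xA6 OpenBSD partition and hence the PBR's disk offset, and hashes each stage's code section with installboot-patched byte ranges masked, which a signature has to do if it is to match across installs. The patched-field offset (0x40, 8 bytes), the 510-byte PBR code boundary, the partition geometry and the stub bytes are assumptions for the sample; the real ranges must come from reverse engineering biosboot, as suggested above.

```python
"""Walk the OpenBSD boot chain and fingerprint each stage's code section.

Added example, not part of bootcode_parser. All sector contents below are
constructed in memory; no real OpenBSD mbr/biosboot bytes are included.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xAA"           # last two bytes of a valid MBR
PART_TABLE_OFF = 0x1BE           # 4 x 16-byte entries, then the signature
MBR_CODE_LEN = PART_TABLE_OFF    # MBR code lives before the partition table
OPENBSD_PART_TYPE = 0xA6         # OpenBSD partition id (see fdisk(8))

Range = Tuple[int, int]          # (offset, length) zeroed before hashing


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    def byte_offset(self) -> int:
        """Disk offset of the partition's first sector, i.e. of its PBR."""
        return self.lba_start * SECTOR


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Validate a 512-byte MBR and return its non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, _chs_s, ptype, _chs_e, lba, size = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:           # empty slot
            continue
        entries.append(PartitionEntry(i, flag == 0x80, ptype, lba, size))
    return entries


def find_openbsd_partition(entries: Sequence[PartitionEntry]) -> Optional[PartitionEntry]:
    return next((e for e in entries if e.type_id == OPENBSD_PART_TYPE), None)


def code_digest(sector: bytes, code_len: int, masked: Sequence[Range] = ()) -> str:
    """SHA-256 of sector[:code_len] with the given ranges zeroed.

    Masking matters for the PBR: installboot(8) patches per-filesystem values
    into biosboot, so a signature must skip those bytes or it will never match
    two installs. The offsets used in the samples below are made up.
    """
    code = bytearray(sector[:code_len])
    for off, length in masked:
        if off + length > code_len:
            raise ValueError("masked range lies outside the code section")
        code[off:off + length] = b"\x00" * length
    return hashlib.sha256(bytes(code)).hexdigest()


def classify(sector: bytes, code_len: int, masked: Sequence[Range],
             whitelist: Dict[str, str]) -> Optional[str]:
    """Return the whitelist name for this code section, or None if unknown."""
    return whitelist.get(code_digest(sector, code_len, masked))


# ---- constructed samples (hypothetical bytes, not real OpenBSD code) -------
STUB = bytes.fromhex("fa31c08ed88ec08ed0bc007cfb")  # cli; zero ds/es/ss; sp=0x7c00; sti


def build_sample_mbr() -> bytes:
    code = STUB.ljust(MBR_CODE_LEN, b"\x00")
    # entry 0: bootable, OpenBSD, starting at LBA 64, 1,000,000 sectors (assumed)
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, OPENBSD_PART_TYPE,
                         b"\x00" * 3, 64, 1_000_000)
    return code + entry0 + b"\x00" * 48 + BOOT_SIG


PBR_PATCH_OFF, PBR_PATCH_LEN = 0x40, 8   # hypothetical installboot-patched field
PBR_CODE_LEN = SECTOR - 2                # assumed: whole sector minus signature


def build_sample_pbr(patched_value: int) -> bytes:
    body = bytearray(STUB.ljust(PBR_CODE_LEN, b"\x00"))
    struct.pack_into("<Q", body, PBR_PATCH_OFF, patched_value)
    return bytes(body) + BOOT_SIG


# Whitelist keyed by digest, as a parser signature table would be.
KNOWN_MBR = {code_digest(build_sample_mbr(), MBR_CODE_LEN): "OpenBSD mbr (constructed sample)"}
KNOWN_PBR = {code_digest(build_sample_pbr(0), PBR_CODE_LEN, [(PBR_PATCH_OFF, PBR_PATCH_LEN)]):
             "OpenBSD biosboot (constructed sample)"}

if __name__ == "__main__":
    mbr = build_sample_mbr()
    obsd = find_openbsd_partition(parse_mbr(mbr))
    print("MBR:", classify(mbr, MBR_CODE_LEN, (), KNOWN_MBR))
    print("OpenBSD partition (PBR) at byte offset", obsd.byte_offset())
    pbr = build_sample_pbr(0x1234)       # another install, different patched value
    print("PBR:", classify(pbr, PBR_CODE_LEN, [(PBR_PATCH_OFF, PBR_PATCH_LEN)], KNOWN_PBR))
```

To run it against real sectors on OpenBSD, dump the MBR with `dd if=/dev/rsd0c bs=512 count=1 of=mbr.bin` and the PBR with `dd if=/dev/rsd0c bs=512 skip=<lba_start> count=1 of=pbr.bin`, where lba_start is the value parse_mbr() reports for the 0xA6 entry (the device name is assumed; use your own disk). The natural whitelist entry for the MBR is the digest of the first 446 bytes of /usr/mdec/mbr, the same file the issue runs the parser on; for biosboot the masked ranges have to be established from /usr/mdec/biosboot first.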
