https://github.com/davidbuchanan314/pwn-mbr

A simple MBR hijack demonstration
https://github.com/davidbuchanan314/pwn-mbr

bootloader hooking mbr

Last synced: 4 months ago
JSON representation

A simple MBR hijack demonstration

• Host: GitHub
• URL: https://github.com/davidbuchanan314/pwn-mbr
• Owner: DavidBuchanan314
• License: mit
• Created: 2016-10-03T21:59:11.000Z (over 8 years ago)
• Default Branch: master
• Last Pushed: 2022-10-22T17:20:33.000Z (over 2 years ago)
• Last Synced: 2024-12-09T17:07:39.602Z (5 months ago)
• Topics: bootloader, hooking, mbr
• Language: C
• Size: 910 KB
• Stars: 176
• Watchers: 13
• Forks: 44
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# pwn-mbr

A simple MBR hijack demonstration

## Principles of operation:

### Phase 1: Injection

1. A malicious binary is run with root privileges.

2. The original MBR is copied to the next "free" location (first sector found containing only zeroes) on the disk, before the first partition. A magic number is appended, so that it can be found later.

3. The boot sector is overwritten with "malicious" code.

### Phase 2: Execution

1. Next time the machine is rebooted, the BIOS starts execution of the payload.

2. In this example, the text "MBR PWNED!" is written to the screen a few hundred times.

3. The payload locates the backup of the original boot sector (via the magic number) and copies it over to where it would normally reside in memory (`0x7C00`). However, this is where the payload is initially running from, so it copies itself elsewhere first.

4. Finally, the payload jumps back to `0x7C00`, resuming normal boot operations.

## Notes:

- Only works on BIOS/legacy boot systems.

- Although this demo doesn't do anything malicious, it is very possible that it corrupts your filesystem, so only run it on a dedicated VM unless you're very brave.

## Demo:

![Demo](https://github.com/DavidBuchanan314/pwn-mbr/raw/master/demo.gif)