IDA Tip: MBR Analysis

2016.09.27
Alice, Special Cyber Service Team


IDA Pro can cooperate with the Bochs virtual machine, which lets you analyze code that executes before the operating system boots. Recently I had an opportunity to test this feature in practice, and this post shows how to use it in a real-life scenario.


A few months ago, a co-worker gave me a copy of the Petya ransomware, which gained attention for its low-level behaviour of encrypting MBRs. Even though I'm not a malware analyst, as a reverse engineering enthusiast I thought I would try analyzing some of its code with IDA.


First off, I uploaded the binary to VirusTotal to make sure it was a genuine copy of Petya. Then I ran it on my victim machine running Windows 7. The machine rebooted immediately after installation, and after a fake chkdsk an ASCII-art skull appeared on a red screen.





Cool. That's what's expected of Petya. Then I took a flat (raw) image of the infected hard disk and specified it as the boot disk image of the Bochs emulator. Again, the skull showed up, which meant the infected MBR was running properly under Bochs.



Next, I loaded the bochsrc configuration file into IDA. IDA automatically selected the appropriate loader and showed the disassembled code of the MBR. From there I could start debugging the code under the Bochs debugger and see how it worked.
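Before stepping through the bootstrap code in IDA it helps to know what sits in the 512-byte sector Bochs loads at boot. The following parser is an added example, not code from the original post: it checks the 0x55AA boot signature, returns the bootstrap bytes that IDA disassembles, and decodes the four partition entries. The sample sector is constructed here; for a real flat disk image you would pass `open(path, "rb").read(512)` instead.

```python
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the bootstrap code
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

def decode_chs(raw):
    """Unpack a 3-byte CHS field: head, sector[5:0]+cylinder[9:8], cylinder[7:0]."""
    head, sc, cyl_lo = raw
    sector = sc & 0x3F
    cylinder = ((sc & 0xC0) << 2) | cyl_lo
    return cylinder, head, sector

def has_boot_signature(sector):
    """True when the sector is 512 bytes and ends with the 0x55AA signature."""
    return len(sector) == MBR_SIZE and sector[510:512] == BOOT_SIG

def parse_mbr(sector):
    """Parse one 512-byte sector; raises ValueError if it is not a valid MBR."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, chs_s, ptype, chs_e, lba, count = struct.unpack_from(ENTRY_FMT, sector, off)
        if ptype == 0:        # type 0 marks an unused entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_s),
            "chs_end": decode_chs(chs_e),
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "bootstrap": sector[:PART_TABLE_OFF],   # the code IDA shows at 0000:7C00
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }

def build_sample_mbr():
    """Constructed sector: NOP bootstrap, one bootable NTFS partition starting at LBA 2048."""
    sector = bytearray(b"\x90" * PART_TABLE_OFF)
    sector[440:444] = struct.pack("<I", 0xDEADBEEF)           # constructed disk signature
    sector += struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector += b"\x00" * 48 + BOOT_SIG                         # three empty entries + signature
    return bytes(sector)
```

Comparing the `bootstrap` bytes of a clean and an infected image is a quick way to confirm which part of the sector the malware replaced before opening it in IDA.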



The Bochs plugin for IDA is a neat way of analyzing low-level code such as MBRs and bootloaders with IDA. It should be useful not only for reverse engineers but also for OS developers.


 Happy reversing!



三井物産セキュアディレクション株式会社