Bootcode_parser – Boot Record Parser For MBR, VBR, IPL

Bootcode_parser is a Python script designed to perform a quick offline analysis of the boot records used by BIOS-based systems (UEFI is not supported). It is intended to help the analyst triage individual boot record dumps or whole disk images. The latter is preferred, since it allows the script to perform additional checks that are not possible on individual dumps alone.

The script relies on the fact that boot records contain code sections that vary little from one machine to another. The differences can be identified and understood through static analysis.

This script merely implements the results of these analyses: it tries to isolate these “invariant” code sections and hash them. The hash is then compared to a whitelist of known good signatures that the analyst has to build (an example is provided, but it is advised to build your own). If no match is found in the whitelist, the boot record must be investigated by the analyst; in that case, static analysis is the only way to decide whether the boot record has been infected or not.

The output can be one of the following:

  • [INFO] messages mean the boot record was found in the whitelist
  • [WARNING] messages mean the boot record or the boot sequence (when providing a whole disk image) needs to be investigated
  • [ERROR] messages mean the script could not finish its operation, generally because the sample’s structure could not be validated
  • [DEBUG] messages (displayed with --logLevel DEBUG) can be used to show internal details of the process of verification and display the newly calculated hash of an unknown boot record
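As an added illustration of the approach described above (example code, not the project's own), the following Python sketch validates an MBR's structure, hashes its bootstrap code region after masking analyst-supplied variable byte ranges, and reports with the same INFO/WARNING/ERROR levels. The whitelist, the variable ranges and the sample sector are constructed for the example.

```python
import hashlib
import struct
from typing import Dict, List, Sequence, Tuple

MBR_SIZE = 512
BOOTCODE_END = 440        # bytes 0..439: bootstrap code in the classic MBR layout
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"


def invariant_hash(sector: bytes, variable_ranges: Sequence[Tuple[int, int]] = ()) -> str:
    """SHA-256 of the bootstrap code with analyst-identified variable bytes zeroed.
    variable_ranges holds (offset, length) pairs found by static analysis (assumed
    input); with none given, the whole 440-byte region is hashed."""
    code = bytearray(sector[:BOOTCODE_END])
    for off, length in variable_ranges:
        code[off:off + length] = b"\x00" * length
    return hashlib.sha256(code).hexdigest()


def validate_mbr(sector: bytes) -> List[dict]:
    """Structural checks run before hashing; raises ValueError when the layout is off."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts, active = [], 0
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte 0x{status:02x}")
        if ptype == 0:
            continue
        if status == 0x80:
            active += 1
        parts.append({"index": i, "type": ptype, "lba_start": lba, "sectors": count})
    if active > 1:
        raise ValueError("more than one active partition")
    return parts


def triage_mbr(sector: bytes, whitelist: Dict[str, str], variable_ranges=()) -> Tuple[str, str]:
    """Return (level, message) following the INFO/WARNING/ERROR convention."""
    try:
        parts = validate_mbr(sector)
    except ValueError as exc:
        return "ERROR", f"structure could not be validated: {exc}"
    digest = invariant_hash(sector, variable_ranges)
    if digest in whitelist:
        return "INFO", f"known MBR code '{whitelist[digest]}', {len(parts)} partition(s)"
    return "WARNING", f"unknown MBR code, investigate (sha256={digest})"


def sample_mbr() -> bytes:
    """Constructed sector: pseudo bootstrap bytes, one active type-0x07 partition."""
    code = bytes(i & 0xFF for i in range(BOOTCODE_END))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    return code + b"\xde\xad\xbe\xef\x00\x00" + entry + b"\x00" * 48 + BOOT_SIGNATURE
```

A single patched byte in the bootstrap region changes the digest and demotes the verdict to WARNING, which is exactly the case the analyst then has to examine by hand.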

You can read more and download this tool over here: https://github.com/ANSSI-FR/bootcode_parser
