Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info
How to use DD to copy Win7 MBR & VBR?
Moderators: Flash, Ian, JohnMurga
Page 1 of 1 [8 Posts]  
andrew01

Joined: 03 Dec 2018
Posts: 4

PostPosted: Mon 03 Dec 2018, 23:40    Post subject:  How to use DD to copy Win7 MBR & VBR?
Subject description: Can I use PuppyLinux and DD command to make a true copy of the MBR & VBR on my HDD?
 

PROBLEM -- I want to check my Windows 7 system periodically for potential rootkit viruses. However, any check from within Windows is vulnerable to defeat by a rootkit. So I would prefer to boot a lightweight OS from CDROM - to make reliable copies of MBR & VBR (disk sectors) and bootmgr (file on Windows NTFS drive C) for subsequent checking/analysis.

SOLUTION? -- Is PuppyLinux a good solution for this? Can I use the Linux DD command to clone those items to files on my hard drive? From what I have seen so far, I think/hope the answers are both yes!

NOTES
"reliable copies" -- copying from outside Windows should defeat any potential interference from a rootkit.
"subsequent checking/analysis" -- eg. file hash and/or hex editor; I could do this in Windows, because any rootkit present would not think to interfere with the copies.
"disk sectors" -- MBR: first sector on the disk, and VBR: first 16 sectors on the Windows partition (so as to include the bootloader code).
PupRescue - I have seen this, but it's designed for far more than I need.

I presume I would mount the C drive in Linux (I have some idea of how to do this), for DD to read the bootmgr file, and write the various copies. However, I have fairly minimal Linux experience and none using DD (apart from a quick look at the manual), so any specific help would be great.
Thanks, Andrew
p310don

Joined: 19 May 2009
Posts: 1417
Location: Brisbane, Australia

PostPosted: Tue 04 Dec 2018, 00:40    Post subject:  

First warning. Be careful with DD. The if and of options are easily mixed up.

Is it possible you're overthinking things? I have very limited knowledge about viruses etc, but you can probably just run a scan from a live puppy.
andrew01

Joined: 03 Dec 2018
Posts: 4

PostPosted: Tue 04 Dec 2018, 01:28    Post subject:  

Thanks for your prompt reply.

I do realise DD can be very dangerous if not used with extreme care.

Rootkits are the most difficult viruses by far, and I have all other bases pretty well covered. So I'm pretty sure that *reliably* cloning those items is a good solution for my situation.

As I understand it, DD is capable of what I want, Puppy can handle NTFS, I can burn its ISO to CDROM (so that can't be infected), etc.

Is there anything that would prevent my suggested approach from working?
eg. How robust is NTFS support in Linux? - I have a vague recall that it wasn't in the early days (I am probably way out of date on that now!)
Thanks, Andrew
bigpup


Joined: 11 Oct 2009
Posts: 12722
Location: S.C. USA

PostPosted: Tue 04 Dec 2018, 11:43    Post subject:  

This is what is used to support ntfs.

Quote:
NTFS-3G
supports all operations for writing files: files of any size can be created, modified, renamed, moved, or deleted on NTFS partitions. Transparent compression is supported, as well as system-level encryption.[5] Support to modify access control lists and permissions is available.[6] NTFS partitions are mounted using the Filesystem in Userspace (FUSE) interface. According to its man page, NTFS-3G supports hard links and symbolic links.

NTFS-3G supports partial NTFS journaling, so if an unexpected computer failure leaves the file system in an inconsistent state, the volume can be repaired. As of 2009, a volume having an unclean journal file is recovered and mounted by default. The ‘norecover’ mount option can be used to disable this behavior.

_________________
The things they do not tell you, are usually the clue to solving the problem.
When I was a kid I wanted to be older.... This is not what I expected
YaPI(any iso installer) http://www.murga-linux.com/puppy/viewtopic.php?t=107601
mikeb


Joined: 23 Nov 2006
Posts: 11270

PostPosted: Tue 04 Dec 2018, 11:53    Post subject:  

Bootice is a very useful tool to have around for things like this,

mike
Burn_IT


Joined: 12 Aug 2006
Posts: 3569
Location: Tamworth UK

PostPosted: Tue 04 Dec 2018, 12:28    Post subject:  

Any check from the affected disk will be vulnerable whether it is Windows, Linux, or even no OS.
The safest way of all would be to put the suspect drive into a removable caddy, boot without the drive in the machine, and mount it AFTER the software has been loaded.

_________________
"Just think of it as leaving early to avoid the rush" - T Pratchett
andrew01

Joined: 03 Dec 2018
Posts: 4

PostPosted: Tue 04 Dec 2018, 13:49    Post subject:  

Firstly, many thanks for such quick and helpful replies.

NTFS-3G -- sounds like that will be fine then. (I do also have a FAT32 partition I can write to if needed).
Bootice -- not sure it will do the main thing I need here, as it runs from Windows, so could be subverted (ie. a rootkit virus could intercept reads of the MBR, etc). However, it could be a useful extra.

"Any check from the affected disk will be vulnerable..."
My install plan (ie. day 1):
1. Clean re-install Win 7 (immediately after re-flashing the BIOS) -- so I know the HDD is clean (uninfected)
2. Use Win 7 to burn the Puppy ISO to CDROM -- so I know the Puppy CD is also clean (and will stay that way, as it's a CDROM)
3. Make ("known good") copies of the "vitals" (ie. MBR, VBR+, bootmgr), and SHA256 hashes of them (for convenience)
(I write "VBR+" to denote the VBR and 15 subsequent sectors).
Operations plan (ie. ongoing):
- Periodically use Puppy CD to check the vitals are uninfected, by comparing with the known good copies/values.

"... The safest way of all would be to put the suspect drive into a removable caddy ..."
That would be impractical on a routine (periodic) basis, and I think(?) my procedure above is reasonably robust. BUT it could be worth doing if say the SHA256 hashes change unexpectedly.

Any further thoughts/comments most welcome.
I am continuing research in parallel, esp. to brush up my rather basic Linux knowledge.
Thanks, Andrew
andrew01

Joined: 03 Dec 2018
Posts: 4

PostPosted: Tue 04 Dec 2018, 17:23    Post subject:  

LINUX COMMANDS
I think? these are the most important commands I'll need.
Please do let me know if something looks wrong!
Thanks, Andrew
PS. For DD, do I need to specify bs=512 explicitly? (as I think that's already the default)

PREP
fdisk -l -- list my partition info
mkdir /mnt/win7 -- make a mount point for my Windows C drive
mount -t ntfs /dev/sda1 /mnt/win7 -- mount it
mount | grep sda1 -- check it mounted ok
cd /mnt/win7 -- make it the current directory
ls -- list its contents (to be sure I'm in the right place, and that I can see the bootmgr file here)
mkdir boot-bak -- make a subdirectory for backup images of the "vitals" (ie. MBR, VBR+, bootmgr)

COPYING
dd if=/dev/sda of=boot-bak/MBR.img bs=512 count=1 -- copy the MBR
dd if=/dev/sda1 of=boot-bak/VBR+.img bs=512 count=16 -- copy the VBR+ (from first partition)
dd if=/dev/sda of=boot-bak/VBR+.skip63.img bs=512 skip=63 count=16 -- copy the VBR+ again (but using its disk offset this time)
dd if=bootmgr of=boot-bak/bootmgr -- copy the bootmgr file
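The following script is an added example for this thread (it is not Andrew's own command list and not anything shipped with Puppy). It turns the "known good copies plus SHA256 hashes" plan from the earlier post and the dd commands above into a repeatable baseline/verify procedure, with three changes a practitioner would want: the output path is checked so the if=/of= mix-up p310don warned about cannot write to a device node; the start sector of the partition is read from the MBR partition table instead of being assumed to be 63 (a Windows 7 installer normally aligns the first partition at sector 2048, so `fdisk -l` or the table itself, not a fixed skip=63, should decide the offset); and dd's block size is left at its default of 512 bytes, which answers the PS question. It assumes a POSIX sh with dd, od, sha256sum and mktemp (GNU coreutils or busybox). The source device is only ever read, so a read-only mount of the Windows volume is all that is needed for the bootmgr file, which is a plain file and can simply be hashed with sha256sum. The `make_test_image` function builds a constructed, zero-filled disk image with a single type 0x07 partition at LBA 2048 so the script can be exercised without touching a real disk.

```shell
#!/bin/sh
# Added example, not from the thread: take a baseline of the boot "vitals"
# (MBR plus the first 16 sectors of the first primary partition), hash them,
# and later re-read the same sectors and compare against that baseline.
# Assumes POSIX sh with dd, od, sha256sum and mktemp (GNU coreutils/busybox).
# Usage from a live CD, as root, against the real disk (paths are examples):
#   sh vitals.sh baseline /dev/sda /mnt/usb/boot-bak
#   sh vitals.sh verify   /dev/sda /mnt/usb/boot-bak

SECTOR=512        # dd's default block size, stated explicitly for clarity
VBR_SECTORS=16    # "VBR+": the VBR plus the 15 sectors that follow it

# Guard against the classic if=/of= mix-up: never write to a device node.
safe_out() {
    case "$1" in
        /dev/*) echo "refusing to write to device node $1" >&2; return 1 ;;
    esac
    return 0
}

# Copy COUNT sectors, starting at sector SKIP, from SRC into file OUT.
capture_sectors() {
    src=$1; skip=$2; count=$3; out=$4
    safe_out "$out" || return 1
    dd if="$src" of="$out" bs=$SECTOR skip="$skip" count="$count" 2>/dev/null
}

# Read the 32-bit little-endian start LBA of partition N (1-4) from the MBR
# partition table (16-byte entries from byte 446, start LBA at entry +8).
partition_start_lba() {
    disk=$1; off=$((446 + ($2 - 1) * 16 + 8))
    set -- $(dd if="$disk" bs=1 skip=$off count=4 2>/dev/null | od -An -tu1)
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# Capture the vitals from DISK into DIR and write a SHA256 manifest.
make_baseline() {
    disk=$1; dir=$2
    mkdir -p "$dir" || return 1
    capture_sectors "$disk" 0 1 "$dir/MBR.img" || return 1
    start=$(partition_start_lba "$disk" 1)
    capture_sectors "$disk" "$start" $VBR_SECTORS "$dir/VBR+.img" || return 1
    (cd "$dir" && sha256sum MBR.img VBR+.img > SHA256SUMS)
}

# Re-read the same sectors into a scratch directory and check them against
# DIR/SHA256SUMS. Returns 0 if unchanged, non-zero if anything differs.
verify_baseline() {
    disk=$1; manifest=$(cd "$2" && pwd)/SHA256SUMS
    tmp=$(mktemp -d) || return 1
    capture_sectors "$disk" 0 1 "$tmp/MBR.img" || return 1
    start=$(partition_start_lba "$disk" 1)
    capture_sectors "$disk" "$start" $VBR_SECTORS "$tmp/VBR+.img" || return 1
    (cd "$tmp" && sha256sum -c "$manifest" >/dev/null 2>&1)
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Constructed test image (not a real Windows disk): 4096 zero sectors, one
# type 0x07 partition entry starting at LBA 2048, the 55 AA boot signature,
# and an "NTFS    " OEM id at the start of the partition.
make_test_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=$SECTOR count=4096 2>/dev/null || return 1
    printf '\007' | dd of="$img" bs=1 seek=450 conv=notrunc 2>/dev/null   # type 0x07
    printf '\010' | dd of="$img" bs=1 seek=455 conv=notrunc 2>/dev/null   # LBA 0x800
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'NTFS    ' | dd of="$img" bs=1 seek=$((2048 * SECTOR + 3)) conv=notrunc 2>/dev/null
}

case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" && echo "vitals unchanged" ;;
esac
```

Keep the baseline directory on a medium the suspect system cannot reach from Windows (a USB stick or the CD itself) rather than in boot-bak on the C drive, so a later hash comparison is made against a reference the running system has never been able to touch. If `verify` reports a difference, that is the moment to do the caddy-based offline inspection Burn_IT suggested.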