How to use DD to copy Win7 MBR & VBR?

andrew01
Posts: 4
Joined: Tue 04 Dec 2018, 02:36

How to use DD to copy Win7 MBR & VBR?

#1 Post by andrew01 »

PROBLEM -- I want to check my Windows 7 system periodically for potential rootkit viruses. However, any check from within Windows is vulnerable to defeat by a rootkit. So I would prefer to boot a lightweight OS from CDROM - to make reliable copies of MBR & VBR (disk sectors) and bootmgr (file on Windows NTFS drive C) for subsequent checking/analysis.

SOLUTION? -- Is PuppyLinux a good solution for this? Can I use the Linux DD command to clone those items to files on my hard drive? From what I have seen so far, I think/hope the answers are both yes!

NOTES
"reliable copies" -- copying from outside Windows should defeat any potential interference from a rootkit.
"subsequent checking/analysis" -- eg. file hash and/or hex editor; I could do this in Windows, because any rootkit present would not think to interfere with the copies.
"disk sectors" -- MBR: first sector on the disk, and VBR: first 16 sectors on the Windows partition (so as to include the bootloader code).
PupRescue - I have seen this, but it's designed for far more than I need.

I presume I would mount the C drive in Linux (I have some idea of how to do this), for DD to read the bootmgr file, and write the various copies. However, I have fairly minimal Linux experience and none using DD (apart from a quick look at the manual), so any specific help would be great.
Thanks, Andrew

p310don
Posts: 1492
Joined: Tue 19 May 2009, 23:11
Location: Brisbane, Australia

#2 Post by p310don »

First warning. Be careful with DD. The if and of commands are easily mixed up.

Is it possible you're overthinking things? I have very limited knowledge about viruses etc, but you can probably just run a scan from a live puppy.

andrew01
Posts: 4
Joined: Tue 04 Dec 2018, 02:36

#3 Post by andrew01 »

Thanks for your prompt reply.

I do realise DD can be very dangerous if not used with extreme care.

Rootkits are the most difficult viruses by far, and I have all other bases pretty well covered. So I'm pretty sure that *reliably* cloning those items is a good solution for my situation.

As I understand it, DD is capable of what I want, Puppy can handle NTFS, I can burn its ISO to CDROM (so that can't be infected), etc.

Is there anything that would prevent my suggested approach from working?
eg. How robust is NTFS support in Linux? - I have a vague recall that it wasn't in the early days (I am probably way out of date on that now!)
Thanks, Andrew

bigpup
Posts: 13886
Joined: Sun 11 Oct 2009, 18:15
Location: S.C. USA

#4 Post by bigpup »

This is what is used to support NTFS.
NTFS-3G
supports all operations for writing files: files of any size can be created, modified, renamed, moved, or deleted on NTFS partitions. Transparent compression is supported, as well as system-level encryption. Support to modify access control lists and permissions is available. NTFS partitions are mounted using the Filesystem in Userspace (FUSE) interface. According to its man page, NTFS-3G supports hard links and symbolic links.

NTFS-3G supports partial NTFS journaling, so if an unexpected computer failure leaves the file system in an inconsistent state, the volume can be repaired. As of 2009, a volume having an unclean journal file is recovered and mounted by default. The 'norecover' mount option can be used to disable this behavior.

mikeb
Posts: 11297
Joined: Thu 23 Nov 2006, 13:56

#5 Post by mikeb »

Bootice is a very useful tool to have around for things like this,

mike

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#6 Post by Burn_IT »

Any check from the affected disk will be vulnerable whether it is Windows, Linux, or even no OS.
The safest way of all would be to put the suspect drive into a removable caddy, boot without the drive in the machine, and mount it AFTER the software has been loaded.

andrew01
Posts: 4
Joined: Tue 04 Dec 2018, 02:36

#7 Post by andrew01 »

Firstly, many thanks for such quick and helpful replies.

NTFS-3G -- sounds like that will be fine then. (I do also have a FAT32 partition I can write to if needed).
Bootice -- not sure it will do the main thing I need here, as it runs from Windows, so could be subverted (ie. a rootkit virus could intercept reads of the MBR, etc). However, it could be a useful extra.

"Any check from the affected disk will be vulnerable..."
My install plan (ie. day 1):
1. Clean re-install Win 7 (immediately after re-flashing the BIOS) -- so I know the HDD is clean (uninfected)
2. Use Win 7 to burn the Puppy ISO to CDROM -- so I know the Puppy CD is also clean (and will stay that way, as it's a CDROM)
3. Make ("known good") copies of the "vitals" (ie. MBR, VBR+, bootmgr), and SHA256 hashes of them (for convenience)
(I write "VBR+" to denote the VBR and 15 subsequent sectors).
Operations plan (ie. ongoing):
- Periodically use Puppy CD to check the vitals are uninfected, by comparing with the known good copies/values.

"... The safest way of all would be to put the suspect drive into a removable caddy ..."
That would be impractical on a routine (periodic) basis, and I think(?) my procedure above is reasonably robust. BUT it could be worth doing if say the SHA256 hashes change unexpectedly.

Any further thoughts/comments most welcome.
I am continuing research in parallel, esp. to brush up my rather basic Linux knowledge.
Thanks, Andrew

andrew01
Posts: 4
Joined: Tue 04 Dec 2018, 02:36

#8 Post by andrew01 »

LINUX COMMANDS
I think? these are the most important commands I'll need.
Please do let me know if something looks wrong!
Thanks, Andrew
ps. For DD, do I need to specify bs=512 explicitly? (as I think that's already the default)

PREP
fdisk -l -- list my partition info
mkdir /mnt/win7 -- make a mount point for my Windows C drive
mount -t ntfs /dev/sda1 /mnt/win7 -- mount it
mount | grep sda1 -- check it mounted ok
cd /mnt/win7 -- make it the current directory
ls -- list its contents (to be sure I'm in the right place, and that I can see the bootmgr file here)
mkdir boot-bak -- make a subdirectory for backup images of the "vitals" (ie. MBR, VBR+, bootmgr)

COPYING
dd if=/dev/sda of=boot-bak/MBR.img bs=512 count=1 -- copy the MBR
dd if=/dev/sda1 of=boot-bak/VBR+.img bs=512 count=16 -- copy the VBR+ (from first partition)
dd if=/dev/sda of=boot-bak/VBR+.skip63.img bs=512 skip=63 count=16 -- copy the VBR+ again, (but using its disk offset this time)
dd if=bootmgr of=boot-bak/bootmgr -- copy the bootmgr file
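The day-1 baseline and the periodic check from posts #7 and #8, written up as one script. This is an added example, not code from the thread: it assumes the whole-disk device (/dev/sda in the thread), the partition's first sector as reported by fdisk -l (63 in the thread), the mounted Windows root, and a directory for the baseline; the function names are made up for this example. bs=512 is dd's default, but it is kept explicit so that count and skip clearly mean sectors.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: DISK = whole-disk device,
# PART_OFFSET = first sector of the Windows partition (from "fdisk -l"),
# WIN = mounted Windows root, and a directory for the baseline images.

# Day 1: image the "vitals" (MBR; VBR+ = VBR and the 15 sectors after it,
# read by disk offset; bootmgr) and record their SHA-256 checksums.
backup_vitals() {  # backup_vitals DISK PART_OFFSET WIN OUTDIR
    disk=$1; off=$2; win=$3; out=$4
    mkdir -p "$out" || return 1
    # bs=512 is dd's default; explicit so count/skip read as sectors
    dd if="$disk" of="$out/MBR.img" bs=512 count=1 2>/dev/null || return 1
    dd if="$disk" of="$out/VBR+.img" bs=512 skip="$off" count=16 2>/dev/null || return 1
    cp "$win/bootmgr" "$out/bootmgr" || return 1
    (cd "$out" && sha256sum MBR.img VBR+.img bootmgr > SHA256SUMS)
}

# Ongoing: re-image the same items into a scratch directory and compare
# them with the stored checksums. Returns 0 if nothing changed, 1 otherwise.
verify_vitals() {  # verify_vitals DISK PART_OFFSET WIN BASELINE_DIR
    base=$(cd "$4" && pwd) || return 1
    tmp=$(mktemp -d) || return 1
    rc=0
    if backup_vitals "$1" "$2" "$3" "$tmp"; then
        # sha256sum -c reads the relative names in SHA256SUMS from $tmp
        (cd "$tmp" && sha256sum -c "$base/SHA256SUMS" >/dev/null) || rc=1
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage with the thread's values (run from the live CD, as root):
#   backup_vitals /dev/sda 63 /mnt/win7 /mnt/win7/boot-bak
#   verify_vitals /dev/sda 63 /mnt/win7 /mnt/win7/boot-bak && echo "vitals unchanged"
```

A non-zero exit from verify_vitals names the file whose checksum changed on stderr, which is the cue to fall back on the caddy-based check suggested earlier in the thread.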
