Debugging MBR : IDA Pro and Bochs Emulator

This post explains how to set up the Bochs emulator to debug an MBR, using the malicious MBR written by the NotPetya\Petya ransomware as the example.

First, take a raw dump of the physical drive whose original MBR has been overwritten by the NotPetya\Petya malicious MBR.
The dd utility for Windows can be used for this (run it from an elevated prompt; \\?\Device\Harddisk0\DR0 is the first physical disk, so make sure you point it at the infected drive). The command to dump the disk is shown below.
dd.exe if=\\?\Device\Harddisk0\DR0 of=<output file path> bs=512k --size --progress

if = input file (the raw physical device)
of = output file (the disk image that Bochs will boot)
bs = block size, i.e. the number of bytes read and written per operation

Configuring the Bochs emulator.
Go to the Bochs installation directory, open the bochsrc file and provide the information below.
1. Disk Geometry
2. Boot Drive

The disk geometry setting contains the cylinder, head and sector (CHS) values of the disk. For a flat image the geometry must describe the dump exactly: cylinders x heads x spt x 512 bytes must equal the size of the image file, otherwise Bochs refuses to start.
# ATA controller for hard disks and cdroms
ata0-master: type=disk, path="winxp0.img", mode=flat, cylinders=124830, heads=16, spt=63

where path is the disk dump taken with the dd utility.

The boot drive setting selects the type of drive to boot from; here it must be the hard disk image so that the dumped MBR is what the BIOS executes.
# This defines the boot sequence. Now you can specify up to 3 boot drives,
# which can be 'floppy', 'disk', 'cdrom' or 'network' (boot ROM).
boot: disk

Once the above settings are done, run the command below to verify your configuration.
bochsdbg.exe -f bochsrc -q
If no panic error is thrown, the configuration is valid. A panic at this stage usually means the image path is wrong or the CHS geometry does not match the size of the dump.

Load the bochsrc file in IDA Pro (File > Open, select the bochsrc) and IDA will show the MBR instructions: the first sector of the image, disassembled as 16-bit real-mode code at 0000:7C00, where the BIOS loads the MBR.

Set a breakpoint on the first instruction, select Debugger > Local Bochs debugger and start the debugger; execution stops at the breakpoint, and from there the malicious MBR can be single-stepped exactly as it runs at boot time.
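Before handing the dump to Bochs it is worth checking that the first sector really is a bootable MBR and computing the geometry that the post hard-codes in the ata0-master line. The script below is an added example, not code from the original post: it parses the MBR (boot code, partition table, 0x55AA signature), hashes the boot-code region so it can be compared against a clean MBR from the same machine, derives the cylinder count from the image size for the heads=16/spt=63 geometry used in the post, and prints the two bochsrc settings. The sample image it builds is constructed for the demo (two cylinders, one NTFS-type partition) and is not a Petya sector; the hash value of its boot code is therefore meaningless beyond the comparison technique.

```python
"""Sanity-check a dd disk dump and emit the bochsrc lines Bochs needs for it."""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
HEADS = 16   # geometry used in the post's ata0-master line
SPT = 63


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    signature = struct.unpack_from("<H", sector, 510)[0]   # bytes 0x55 0xAA -> 0xAA55 LE
    partitions = []
    for i in range(4):
        entry = struct.unpack_from("<BBBBBBBBII", sector, 446 + 16 * i)
        status, h0, s0, c0, ptype, h1, s1, c1, lba_start, lba_count = entry
        if ptype == 0:            # empty slot
            continue
        partitions.append({
            "index": i,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_count": lba_count,
            # cylinder is 10 bits: low 8 in c0, high 2 in the top bits of the sector byte
            "chs_start": (c0 | ((s0 & 0xC0) << 2), h0, s0 & 0x3F),
        })
    return {
        "bootable": signature == 0xAA55,
        # hash of the boot-code region only (bytes 0..439), so the disk signature and
        # partition table do not affect the comparison against a clean MBR
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def cylinders_for(image_size: int, heads: int = HEADS, spt: int = SPT) -> int:
    """Cylinder count for a flat image; Bochs needs size == C * H * S * 512 exactly."""
    track_bytes = heads * spt * SECTOR
    if image_size % track_bytes:
        raise ValueError(
            "image size %d is not a multiple of %d bytes; pad or truncate the dump "
            "so the CHS geometry matches" % (image_size, track_bytes))
    return image_size // track_bytes


def render_bochsrc(image_path: str, image_size: int) -> str:
    """Emit the two bochsrc settings the post describes, derived from the dump size."""
    cyl = cylinders_for(image_size)
    return (
        "# ATA controller for hard disks and cdroms\n"
        'ata0-master: type=disk, path="%s", mode=flat, cylinders=%d, heads=%d, spt=%d\n'
        "# boot from the first hard disk so the dumped MBR runs at 0000:7C00\n"
        "boot: disk\n" % (image_path, cyl, HEADS, SPT)
    )


def read_mbr(image_path: str) -> tuple:
    """Return (parsed MBR, image size) for an on-disk dump."""
    with open(image_path, "rb") as fh:
        sector = fh.read(SECTOR)
    return parse_mbr(sector), os.path.getsize(image_path)


def build_sample_mbr() -> bytes:
    """Constructed MBR for the demo (NOT a real Petya sector): tiny boot stub + one partition."""
    boot_code = bytes([0xFA, 0x31, 0xC0, 0x8E, 0xD8, 0xEB, 0xFE])  # cli; xor ax,ax; mov ds,ax; jmp $
    boot_code = boot_code.ljust(440, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"                    # disk signature + 2 reserved bytes
    # active, CHS start (0,1,1), type 0x07 (NTFS), CHS end, LBA start 63, 1953 sectors
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 15, 63, 1, 63, 1953)
    return boot_code + disk_sig + entry + b"\x00" * 48 + b"\x55\xAA"


def main() -> None:
    # constructed two-cylinder flat image: 2 * 16 * 63 * 512 bytes, MBR in sector 0
    image = build_sample_mbr().ljust(2 * HEADS * SPT * SECTOR, b"\x00")
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as fh:
        fh.write(image)
        path = fh.name
    try:
        mbr, size = read_mbr(path)
        print("bootable signature:", mbr["bootable"])
        print("boot code sha256  :", mbr["boot_code_sha256"])
        for p in mbr["partitions"]:
            print("partition %d type=0x%02x lba=%d..%d active=%s" % (
                p["index"], p["type"], p["lba_start"], p["lba_start"] + p["lba_count"] - 1, p["active"]))
        print(render_bochsrc(path, size))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    main()
```

Run it against the real dump by replacing the temporary image with the path of the dd output; if cylinders_for raises, the dump is not a whole number of tracks for heads=16/spt=63 and the geometry in bochsrc has to be adjusted (or the image padded) before Bochs will start. Comparing boot_code_sha256 against the same field from a clean dump of the machine is a quick way to confirm that the sector you are about to debug is the overwritten one.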

