OpenBSD support
ffries opened this issue · 2 comments
Hello,
First of all, congratulations for this great project. Modern viruses hook on using BIOS or microcode, so it is nice to have a bootcode parser to parse the BIOS MBR. I dream we could have the same tools for networking microcode.
I only migrated to OpenBSD recently, for learning purposes, so pardon my ignorance. OpenBSD is meant to be secure, but I would rather like to be able to test my MBR.
I know that bootcode_parser does not support OpenBSD, but would you be interested in supporting OpenBSD?
Under OpenBSD, the boot is a 3-stage process:
- Master Boot Record (MBR) and GUID Partition Table (GPT). The fdisk(8) man page contains the details.
- Partition Boot Record (PBR). The first 512 bytes of the boot disk's OpenBSD partition contain the first stage boot loader biosboot(8). It is installed by the installboot(8) utility.
- Second stage boot loader /boot. The PBR loads the boot(8) program which has the task of locating and loading the kernel.
I have been trying to use bootcode_parser with OpenBSD 6.2 x64 standard install:
```
er.py --type MBR --input /usr/mdec/mbr
WARNING - [/usr/mdec/mbr] [MBR] No known code signature were found, this is highly suspicious.
WARNING - [/usr/mdec/mbr] [MBR] Suspicious behaviours were detected: [u'Invalid string offset: 0x0', u'JMP or CALL before relocation', u'Unknown Interrupt : 0x16']
```
Do you think it would be possible/interesting to add a signature for OpenBSD mbr? The fact is that it jumps to a second stage boot.
What do I need to submit a signature and does it make sense?
Kind regards,
I'd like to give porting to OpenBSD a try, adding support for MBR/PBR; please tell me if this makes sense.
Having a signature for OpenBSD makes perfect sense from what I can understand of its boot process.
You'll need to reverse engineer the MBR and PBR to properly whitelist its code section(s) so as to make a signature from it.
If you can provide a sample MBR and PBR, I can take a look.
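The maintainer's reply describes the defensive idea behind a signature: split a 512-byte boot sector into its code region and its partition table, and whitelist a hash of the code region so a known-good MBR or PBR is recognised and anything else is reported, as the parser's "No known code signature" warning does. The script below is an added illustration of that workflow and is not bootcode_parser's own code; the sector it checks is a constructed sample (the code bytes are placeholder, not OpenBSD's /usr/mdec/mbr), and the allowlist is a hypothetical dictionary a user would fill with hashes of their own known-good sectors.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
CODE_REGION_END = 446            # bytes 0..445 hold boot code
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow the code
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid boot sector
OPENBSD_PARTITION_TYPE = 0xA6    # MBR partition type id used for OpenBSD slices


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte MBR partition table entry (little-endian fields)."""
    status, _start_chs, ptype, _end_chs, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_boot_sector(sector: bytes) -> Dict:
    """Split a boot sector into code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    code = sector[:CODE_REGION_END]
    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_SIZE]
    entries: List[Dict[str, int]] = [
        parse_partition_entry(table[i:i + PARTITION_ENTRY_SIZE])
        for i in range(0, len(table), PARTITION_ENTRY_SIZE)
    ]
    return {
        "valid_signature": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
        # Only the code region is hashed: the partition table legitimately
        # differs between machines, the boot code should not.
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],
    }


def classify(sector: bytes, allowlist: Dict[str, str]) -> str:
    """Report whether the sector's code region matches a known-good hash."""
    info = parse_boot_sector(sector)
    if not info["valid_signature"]:
        return "invalid: missing 0x55AA boot signature"
    name = allowlist.get(info["code_sha256"])
    if name is None:
        return "unknown: no known code signature"
    return "known: " + name


def read_first_sector(path: str) -> bytes:
    """Read the first 512 bytes of a disk image or device node."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_sector() -> bytes:
    """Constructed sample: placeholder code plus one bootable OpenBSD entry."""
    code = b"\xfa\x31\xc0" + b"constructed sample boot code, not OpenBSD's /usr/mdec/mbr"
    code = code.ljust(CODE_REGION_END, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00",
                        OPENBSD_PARTITION_TYPE, b"\x00\x00\x00", 64, 2048)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_sector()
    # Hypothetical allowlist: in practice filled from sectors you have verified.
    known = {parse_boot_sector(sample)["code_sha256"]: "constructed sample MBR"}
    print(classify(sample, known))
    tampered = bytearray(sample)
    tampered[10] ^= 0xFF          # one byte changed in the code region
    print(classify(bytes(tampered), known))
```

Running the script reports the untouched sample as known and the tampered copy as unknown: a single-byte change in the code region changes the hash, which is the property a whitelist signature relies on, while edits to the partition table alone do not affect the verdict.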