SPTH
Ready Rangers Liberation Front [6]
April 2005
This second tutorial about bootsector viruses is about a very unusual topic: CD-ROM bootsector infection. How could we infect the bootsector of a CD-ROM? By infecting bootable images. The bootable CD-ROM images are called El Torito ISO-9660. This standard is very common and used in many programs like Ahead Nero Burning ROM. El Torito ISOs are spread via the internet, e.g. via eMule (Knoppix, Windows installation CD-ROMs, ...). Before reading this tutorial, it would be of some value to read the first article about this topic, as I will not repeat too much. Well, let's start!
What do we want? To infect a CD-ROM's bootsector. We will manage it by infecting the image file, as I've already told you. But how can we find image files? We have to write our own FAT32 file system driver. Sounds hard, but it is not if you know exactly what to do (and you will know all of it after this tutorial :D). After finding the ISO file, we have to check whether it is ready to infect and where we have to infect it (it has a much more complicated structure than raw data image files). Once we have found the right place, we have no more problems. OK, you should know now what we will do, so let us do it now...
The Master Boot Record is the first physical sector of the hard disk. Here we also get the information about the partitions' start sectors on the HD. So the first thing we have to do after loading the virus is to load the MBR into memory. Let's say at 0x2000:0x0:
Load MBR - Source
What is important: DL = drive number (bit 7 set for hard disk), 1000 0000 = 0x80 = HD
Now we have the MBR in memory at address 0x2000:0x0, what next? We have to understand the structure of the MBR:
| Start | Length | Type |
|---|---|---|
| 0 Byte | 446 Byte | Bootloader |
| 446 Byte | 64 Byte | Partition table |
| 510 Byte | 2 Byte | 0x55AA boot signature |
What we need is the partition table, to get the start of the partitions. The table is split into 4 parts (= 4 partitions) of the same size (16 bytes each). One entry of the partition table looks like this:
| Name | Start | Length | Description |
|---|---|---|---|
| Active Partition Flag | 0 Byte | 1 Byte | Whether the partition is active or not. Active: 0x80, not active: 0x0 |
| CHS Start | 1 Byte | 3 Byte | CHS value of start of the partition |
| Type | 4 Byte | 1 Byte | Type of partition |
| CHS End | 5 Byte | 3 Byte | CHS value of end of the partition |
| LBA Start | 8 Byte | 4 Byte | LBA value of start of the partition |
| LBA Length | 12 Byte | 4 Byte | LBA value of sectors IN the partition |
Here we just need two values: CHS Start for reading the bootsector of the partition, and LBA Start for the sector calculation later on. So what do we do to read the partition's bootsector? See:
Load Partition's BS - Source
The partition's bootsector now gives us the values needed for the root directory. First we have to know the calculation for the root directory (which took me several days to find, as nobody seemed to know it):
(boot sector) + (number of FATs) * (sectors per FAT) + (reserved sectors) + (root cluster - 2) * (sectors per cluster)
And where are these offsets:
At this point I have to thank Octavio, a member in the MenuetOS forum, for this calculation and the offsets. Without you nobody could read this!
Let's see the code for getting the values:
Get Cluster for Root_Directory - Source
With this calculation we have all the values for the root directory cluster, which means that we now have to get the real sector on the hard disk from the value in [LBA]. [LBA] holds the cluster of the root directory. Now comes the calculation listed above (ClusterNum -> SectorNum).
getLBA - Source
What we have now in EAX is the sector number on the hard disk (NOT the same as the sector number within the partition!!!). But we can not read it yet, as we don't know the cylinder, head and sector for INT 0x13/AH=2. So first we have to calculate these values. How to calculate them? (thanks to Jack Dobiash)
This is the standard, but for HDs you can also use the two highest bits of the sector byte for the cylinder. This allows 63 sectors, 255 heads and 1023 cylinders.
The following list is copied from Ralf Brown's Interrupt List:
You should understand it, see the source of this function now:
CHS - Source
Now you have the important values in [sector], [head] and [cylinder]. Just read it now.
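The whole chain so far (partition table entry -> FAT32 root directory sector with the formula above -> CHS registers for INT 13h) as an added Python example; this is not the article's assembly and uses a constructed MBR and BPB. The BPB offsets (0x0D, 0x0E, 0x10, 0x24, 0x2C) are the standard FAT32 ones, which the article leaves out; the 63/255 geometry is the one the article assumes.

```python
import struct

SECTORS_PER_TRACK = 63   # geometry the article uses for INT 13h CHS addressing
HEADS = 255

def parse_partition_entry(mbr, index):
    """Decode one 16-byte entry of the MBR partition table (table starts at byte 446)."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("MBR boot signature 0x55AA missing")
    off = 446 + 16 * index
    lba_start, lba_len = struct.unpack_from("<II", mbr, off + 8)
    return {"active": mbr[off] == 0x80, "type": mbr[off + 4],
            "lba_start": lba_start, "lba_length": lba_len}

def cluster_to_sector(cluster, partition_lba, reserved, num_fats, sec_per_fat, sec_per_clus):
    """The article's formula: partition start + reserved + FATs*sectors/FAT + (cluster-2)*sectors/cluster."""
    return partition_lba + reserved + num_fats * sec_per_fat + (cluster - 2) * sec_per_clus

def fat32_root_dir_sector(bpb, partition_lba):
    """Absolute hard-disk sector of the FAT32 root directory. BPB offsets are the standard
    FAT32 ones: 0x0D sectors/cluster, 0x0E reserved sectors, 0x10 FAT count, 0x24 sectors
    per FAT (32-bit), 0x2C root directory cluster."""
    reserved, = struct.unpack_from("<H", bpb, 0x0E)
    sec_per_fat, = struct.unpack_from("<I", bpb, 0x24)
    root_cluster, = struct.unpack_from("<I", bpb, 0x2C)
    return cluster_to_sector(root_cluster, partition_lba, reserved, bpb[0x10], sec_per_fat, bpb[0x0D])

def lba_to_chs(lba):
    """LBA -> (cylinder, head, sector) for the 63/255 geometry; sectors are numbered from 1."""
    sector = lba % SECTORS_PER_TRACK + 1
    head = (lba // SECTORS_PER_TRACK) % HEADS
    cylinder = lba // (SECTORS_PER_TRACK * HEADS)
    return cylinder, head, sector

def int13_registers(lba):
    """Pack CHS as INT 13h/AH=02h wants it: CH = cylinder bits 0-7, CL = sector (bits 0-5)
    with cylinder bits 8-9 in its two top bits, DH = head. Returns (CH, CL, DH)."""
    cylinder, head, sector = lba_to_chs(lba)
    return cylinder & 0xFF, (sector & 0x3F) | ((cylinder >> 2) & 0xC0), head

# Constructed sample: one active FAT32 (type 0x0C) partition starting at LBA 63
mbr = bytearray(512)
mbr[446:462] = bytes([0x80, 1, 1, 0, 0x0C, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 1 << 20)
mbr[510:512] = b"\x55\xAA"
bpb = bytearray(512)                       # the partition's own boot sector (BPB)
bpb[0x0D], bpb[0x10] = 8, 2                # 8 sectors per cluster, 2 FATs
struct.pack_into("<H", bpb, 0x0E, 32)      # 32 reserved sectors
struct.pack_into("<I", bpb, 0x24, 1024)    # 1024 sectors per FAT
struct.pack_into("<I", bpb, 0x2C, 2)       # root directory starts in cluster 2
```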
The FAT32 root directory differs in some points from the FAT12 root directory. Every file entry normally has 32 bytes of data. Only if the file uses a long file name is the entry longer (but we can easily ignore that). Most things I've already described in the previous article, so there is no need to copy that info.
See the list of the 32 bytes of a file:
| Name | Offset | Size | Description |
|---|---|---|---|
| DIR_Name | 0 | 11 | File Name (*) |
| DIR_Attr | 11 | 1 | File Attributes (*) |
| DIR_NTRes | 12 | 1 | Reserved: Set zero |
| DIR_CrtTimeTenth | 13 | 1 | Time: Unimportant |
| DIR_CrtTime | 14 | 2 | Time: Unimportant |
| DIR_CrtDate | 16 | 2 | Date: Unimportant |
| DIR_LstAccDate | 18 | 2 | Date: Unimportant |
| DIR_FstClusHI | 20 | 2 | High word of this entry's first cluster number |
| DIR_WrtTime | 22 | 2 | Time: Unimportant |
| DIR_WrtDate | 24 | 2 | Date: Unimportant |
| DIR_FstClusLO | 26 | 2 | Low word of 1st cluster number (*) |
| DIR_FileSize | 28 | 2 | Filesize (*) |
(*) = Already described in 'New era of bootsectorvirus #1'
Now we know what the FAT32 root directory looks like. And now: how do we get the file of the entry we want?
First, we have to combine the two words of the cluster number, so that we have the real dword:
dword - Source
Now we have the cluster number in EAX. To read the file, we first have to get the LBA number (sector number on the disk) and then calculate the CHS for INT 0x13/AH=0x2 or 0x3. We already know the functions getLBA and CHS, so there is no need to write them down again. See the code for reading a file into memory:
Read File - Source
What we have now is the first sector of the file in memory starting at offset 0x3000:0x0.
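Finding a file in the raw root directory, as an added Python example (not the article's code): it parses the 32-byte entries from the table above, joins DIR_FstClusHI and DIR_FstClusLO into one dword, and converts the first cluster to a disk sector with the same formula as for the root directory. It goes one step beyond the article by skipping long-file-name (attribute 0x0F) and deleted (0xE5) entries; DIR_FileSize is read as the 4-byte value the FAT specification defines; the directory data is constructed.

```python
import struct

ATTR_LONG_NAME = 0x0F   # long-file-name entries carry this attribute; like the article, we skip them

def parse_dir_entry(entry):
    """Decode one 32-byte directory entry with the offsets from the table above.
    DIR_FileSize is read as a 32-bit value (4 bytes at offset 28, per the FAT specification)."""
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    clus_hi, = struct.unpack_from("<H", entry, 20)
    clus_lo, = struct.unpack_from("<H", entry, 26)
    size, = struct.unpack_from("<I", entry, 28)
    return {"name": f"{name}.{ext}" if ext else name, "attr": entry[11],
            "first_cluster": (clus_hi << 16) | clus_lo, "size": size}

def find_file(root_dir, wanted):
    """Scan raw root-directory sectors for an 8.3 name. Stops at the 0x00 end-of-directory
    marker, skips deleted entries (first byte 0xE5) and long-file-name entries."""
    for off in range(0, len(root_dir), 32):
        first = root_dir[off]
        if first == 0x00:
            break
        if first == 0xE5 or root_dir[off + 11] == ATTR_LONG_NAME:
            continue
        entry = parse_dir_entry(root_dir[off:off + 32])
        if entry["name"].upper() == wanted.upper():
            return entry
    return None

def cluster_to_sector(cluster, partition_lba, reserved, num_fats, sec_per_fat, sec_per_clus):
    """Same formula as for the root directory, applied to the file's first cluster (getLBA)."""
    return partition_lba + reserved + num_fats * sec_per_fat + (cluster - 2) * sec_per_clus

def make_entry(name83, attr, cluster, size):
    """Build a constructed 32-byte entry for the sample directory below."""
    e = bytearray(32)
    e[0:11], e[11] = name83.ljust(11), attr
    struct.pack_into("<H", e, 20, cluster >> 16)
    struct.pack_into("<H", e, 26, cluster & 0xFFFF)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)

# Constructed sample root directory: an LFN fragment, a deleted file, the ISO we look for, end marker
sample_root = (make_entry(b"Aknoppix.is", ATTR_LONG_NAME, 0, 0)
               + b"\xE5" + make_entry(b"OLD     ISO", 0x20, 0x1234, 100)[1:]
               + make_entry(b"KNOPPIX ISO", 0x20, 0x00010A2B, 734003200)
               + bytes(32))
```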
El Torito is the bootable format of CD-ROM images (ISO). This is the image we want to infect. :) The first enormously important thing to know is that a sector on a CD-ROM is 0x800 bytes long, unlike the sectors on a HD, which are 0x200 bytes long. Then it's important to know that the bootsector of a CD-ROM is not the first sector, as it is on floppies or HDs.
In this article I only write about the 'Single Boot-Image Configuration'. See the short graphic of the structure of this kind of file:
```
              +-------------------------+
Sector 0:     |         SYSTEM          |
              |        (UNUSED)         |
              |-------------------------|
Sector 16:    |     Primary Volume      |
              |-------------------------|
Sector 17:    |   Boot Record Volume    |-------+
              |-------------------------|       |
              |                         |       |
              |-------------------------|       |
              |                         |       |
              |-------------------------|       |
              |                         |       |
              |-------------------------|       |
              | Set Termination Volume  |       |
              |-------------------------|       |
              |      Boot Catalog       | <-----+
              |                         |-------+
              |-------------------------|       |
              |  Bootable Disk Image    | <-----+
              |-------------------------|
              |      CD-ROM Image       |
              +-------------------------+
```
We see which parts we need to read to get to the Bootable Disk Image. First we need to read the Boot Record Volume to get the pointer to the Boot Catalog. This Boot Catalog finally points to the Bootable Disk Image.
Now let's read the Boot Record Volume. It is in the 17th sector. Remember: the 17th sector of a CD-ROM (image) is the 17*4th (68th) sector of the hard disk! To know what to do next, we need more information about the Boot Record Volume:
| Offset | Type | Description |
|---|---|---|
| 0 | Byte | Boot Record Indicator |
| 1-5 | Byte | ISO-9660 Identifier, must be 'CD001' |
| 6 | Byte | Version of the descriptor, must be 1 |
| 7-26 | Byte | Boot System Identifier, must be 'EL TORITO SPECIFICATION' padded with 0's. |
| 27-46 | Byte | Unused, must be 0. |
| 47-4A | DWord | Absolute pointer to first sector of Boot Catalog. |
| 4A-7FF | Byte | Unused, must be 0. |
You can see our pointer now. The pointer counts CD-ROM sectors, which means that you have to multiply it by 4 to get the HD sector. Then you add the sector number where the file starts, and you have the real sector number, which we have to read next.
The Boot Catalog is split into several parts. First comes the Validation Entry; see its structure now:
| Offset | Type | Description |
|---|---|---|
| 0 | Byte | Header ID, must be 01. |
| 1 | Byte | Platform ID. |
| 2-3 | Word | Reserved, must be 0. |
| 4-1B | Char | ID-String. |
| 1C-1D | Int | Checksum Word. |
| 1E | Byte | Key Byte, must be 55. |
| 1F | Byte | Key Byte, must be AA. |
Next comes the Initial/Default Entry, add 0x20 to the offset.
| Offset | Type | Description |
|---|---|---|
| 0 | Byte | Boot Indicator (88 = bootable, 00 = not bootable) |
| 1 | Byte | Boot media type |
| 2-3 | Word | Load segment (standard is 0x7C0) |
| 4 | Byte | System Type. |
| 5 | Byte | Unused, must be 0. |
| 6-7 | Word | Sector count. |
| 8-0B | DWord | Load RBA. This is the start address of the virtual disk. |
| 0C-1F | Byte | Unused, must be 0. |
The value at 8-0xB (Load RBA) is the pointer to the sector holding the bootsector of the ISO file. We have to get this sector, and then we have it.
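The walk BRVD -> Boot Catalog -> Initial/Default Entry -> Load RBA described above, as an added Python example (not the article's code) written the way an integrity checker or forensic tool would use it: it validates the identifiers and the Validation Entry checksum, reports where the boot image lives in CD and HD sectors, and hashes the boot image so a later rewrite of that sector is detectable. The 20-sector ISO image is constructed in the block; `hd_sector` assumes the ISO's own sector 0 is the reference point, so the file's start sector on the HD would still be added.

```python
import hashlib, struct

CD_SECTOR = 0x800   # a CD-ROM sector is 2048 bytes = four 512-byte hard-disk sectors
BRVD_SECTOR = 17    # the Boot Record Volume Descriptor always sits in CD sector 17

def boot_catalog_sector(image):
    """Check the Boot Record Volume in sector 17 and return the Boot Catalog's CD sector (offset 0x47)."""
    b = image[BRVD_SECTOR * CD_SECTOR:(BRVD_SECTOR + 1) * CD_SECTOR]
    if b[0] != 0 or b[1:6] != b"CD001" or b[6] != 1:
        raise ValueError("sector 17 is not an ISO-9660 boot record volume descriptor")
    if b[7:0x27].rstrip(b"\0") != b"EL TORITO SPECIFICATION":
        raise ValueError("boot system identifier is not El Torito")
    return struct.unpack_from("<I", b, 0x47)[0]

def validation_entry_ok(entry):
    """Validation entry: header ID 01, key bytes 55 AA, and its sixteen 16-bit words sum to 0 mod 2^16."""
    return (entry[0] == 0x01 and entry[0x1E:0x20] == b"\x55\xAA"
            and sum(struct.unpack("<16H", entry)) & 0xFFFF == 0)

def default_boot_entry(image):
    """Walk BRVD -> Boot Catalog -> Initial/Default Entry and report where the boot image lives."""
    cat = boot_catalog_sector(image) * CD_SECTOR
    if not validation_entry_ok(image[cat:cat + 0x20]):
        raise ValueError("boot catalog validation entry is corrupt")
    e = image[cat + 0x20:cat + 0x40]
    load_seg, sys_type, _, count, rba = struct.unpack_from("<HBBHI", e, 2)
    return {"bootable": e[0] == 0x88, "media_type": e[1], "load_segment": load_seg or 0x7C0,
            "sector_count": count, "load_rba": rba, "hd_sector": rba * 4}

def boot_image_digest(image):
    """SHA-256 of the boot image (sector_count 512-byte sectors at Load RBA): a baseline that changes if the boot sector is rewritten."""
    e = default_boot_entry(image)
    start = e["load_rba"] * CD_SECTOR
    return hashlib.sha256(image[start:start + e["sector_count"] * 512]).hexdigest()
def make_validation_entry(platform=0, id_string=b"constructed sample"):
    v = bytearray(0x20)
    v[0], v[1] = 0x01, platform
    v[4:4 + len(id_string)] = id_string
    v[0x1E:0x20] = b"\x55\xAA"
    v[0x1C:0x1E] = struct.pack("<H", -sum(struct.unpack("<16H", v)) & 0xFFFF)  # make the word sum zero
    return bytes(v)
# Constructed 20-sector image: BRVD in sector 17, Boot Catalog in 18, a 4*512-byte boot image in 19
image = bytearray(20 * CD_SECTOR)
brvd = BRVD_SECTOR * CD_SECTOR
image[brvd + 1:brvd + 6], image[brvd + 6] = b"CD001", 1
image[brvd + 7:brvd + 0x1E] = b"EL TORITO SPECIFICATION"
struct.pack_into("<I", image, brvd + 0x47, 18)
cat = 18 * CD_SECTOR
image[cat:cat + 0x20] = make_validation_entry()
image[cat + 0x20:cat + 0x40] = b"\x88\x00" + struct.pack("<HBBHI", 0x7C0, 0, 0, 4, 19) + bytes(0x14)
```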
Now we can overwrite this sector and the following sectors with our virus. Everything is ready now. Finally! :)
Finally, the first CD-ROM bootsector virus has been finished, and the information to write it has been published with this article. There would be another undiscovered technique going hand in hand with this one: network boot viruses using BOOTP. But I doubt that I will make that one soon, as I'm bored of the OS developing currently :). At this point I also want to say 'hi' to LiTlLe VxW, who has published an article called 'Boot CD infection' in 29a#8 in January 2005. The article was unfortunately just theoretical - I did not use any information from his article :). Here are some articles which may be useful to read, if you want to make a CD-ROM bootsector virus:
Well, the research on this topic took six months, and now it is ending. It was an interesting topic, and I hope that you are (at least partly :D) interested in it! See you soon out there, and don't forget: never stop fooling the establishment :)
- - - - - - - - - - - - - - -
Second Part To Hell/[rRlf]
www.spth.de.vu
spth@priest.com
written from Jan 2005 - April 2005
...surrealistic viruswriter...
- - - - - - - - - - - - - - -