Presentation: Writing a Boot Scan Engine

Abstract

In my second document I want to describe how to write a Virus Boot Scan Engine. I have worked out some concepts for a Boot Scan Engine and want to present them here. There are various points to consider when writing a Virus Boot Scan Engine, e.g. what to scan and how to scan it, what to do if a virus is found, and how to restore the boot sectors. This document is written from scratch, from the notes I made on my scratchpad during train journeys to work.

- Peter Kleissner, Software Engineer (August 2008)

The basic concept

The Boot Scan consists of two necessary tasks:

  1. Determine whether a Bootkit is installed
  2. Scan binaries and identify them as Bootkits

Task 1 also includes removing the Bootkit (restoring the original MBR, Partition Table, Partition Boot Sector and Boot files). As you may have noticed, these tasks are closely related: in both, data (in one case the boot sectors, in the other some input binary) has to be classified as Boot Virus or not. This leads to modularized development; at Windows level this would be handled in libraries, with both tasks calling the same library functions.

Considering the tasks we have 2 software parts:

The code scans and checks:

All Boot Sectors:

  1. Master Boot Records
  2. Partition Boot Records
  3. Partition Bootloaders
  4. Bootloaders

Windows Boot Files:

  1. ntoskrnl.exe
  2. winload.exe
  3. pagefile.sys
  4. ...

Windows Boot Configuration:

  1. Boot.ini
  2. Boot Configuration Data
  3. ...

(an Integrity Check is performed on each of them to verify it)

Heuristic Boot Sector Check

- Scan for common code patterns

e.g. int 13h hook
compare valid MBRs with Boot Viruses to create these heuristic patterns

- Make black/white list

database with checksum/hashes

- Make list of Boot Viruses and how they work

- maybe make instant report of used resources

Interrupts, Ports, DMA Channels, Devices, IRQs
FPU, MMX, 3DNow!, SSEn

An internal "Boot Sector Analyzer" tool could be programmed to produce this report. The program could also work in connection with a boot virus database, where all the boot viruses are stored with binaries, source code, dumps, hashes and metadata.
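The two checks above (black/white list by hash, then a pattern scan for an int 13h hook) can be combined as in the following sketch. It is an added example, not code from the original presentation; the function names, the 440-byte code area, the opcode list and both sample sectors are assumptions made for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # assumed MBR code area, before disk signature and partition table
INT13_VECTOR = 0x13 * 4    # real-mode IVT slot of int 13h: offset at 0x4C, segment at 0x4E

# 16-bit x86 encodings of stores to an absolute address (opcode bytes before disp16).
STORE_OPCODES = {
    b"\xa3": "mov [addr], ax",
    b"\x89\x1e": "mov [addr], bx",
    b"\xc7\x06": "mov word [addr], imm16",
    b"\x8c\x06": "mov [addr], es",
    b"\x8c\x0e": "mov [addr], cs",
}

def boot_code_hash(sector):
    """SHA-256 over the code area only, so partition table changes do not alter it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def find_int13_hook_stores(sector):
    """Return sorted (offset, instruction) pairs for stores into the int 13h vector."""
    code, hits = sector[:BOOT_CODE_LEN], []
    for target in (INT13_VECTOR, INT13_VECTOR + 2):
        for opcode, text in STORE_OPCODES.items():
            pattern = opcode + struct.pack("<H", target)
            pos = code.find(pattern)
            while pos != -1:
                hits.append((pos, text.replace("addr", f"{target:#06x}")))
                pos = code.find(pattern, pos + 1)
    return sorted(hits)

def classify(sector, whitelist, blacklist):
    """Hash lists decide first; the heuristic only ranks sectors no list knows."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        return "invalid"
    digest = boot_code_hash(sector)
    if digest in blacklist:
        return "known-bad"
    if digest in whitelist:
        return "known-good"
    return "suspicious" if find_int13_hook_stores(sector) else "unknown"

def make_sector(code):
    """Constructed sample: code bytes, zero padding, 55 AA boot signature."""
    return code.ljust(510, b"\x00") + b"\x55\xaa"

CLEAN = make_sector(b"\xfa\xf4")                               # cli; hlt
HOOKED = make_sector(b"\xfa\xa3\x4c\x00\x8c\x0e\x4e\x00\xfb")  # stores to 4Ch / 4Eh

if __name__ == "__main__":
    print(classify(CLEAN, {boot_code_hash(CLEAN)}, set()))
    print(classify(HOOKED, set(), set()), find_int13_hook_stores(HOOKED))
```

The whitelist is consulted before the heuristic because legitimate boot code can also touch the int 13h vector; a plain byte scan like this one misses indirect stores and is only a first-pass filter.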

Boot Virus Removal

  1. make copy of MBR and Partition Table
  2. if Boot Virus was found, temp-copy the Partition Table
  3. restore the MBR
  4. if temp-copy Partition Table is invalid restore original, else keep new one

If no backup has been made and a Bootkit was detected, restore the default boot sectors (maybe also using a database where the boot sectors of Microsoft and other system software vendors are stored) and verify the Partition Table.

Conclusion

This document is more a presentation than documentation, which comes from the fact that I wanted to make a presentation from my notes for the management. Anyway, I think it's a good basic concept to start from for a boot scan engine. If you have any questions, suggestions or feedback, feel free to contact me at Peter@Kleissner.at. Also, if you have any interest in developing the boot scan engine or in co-development work, write to me. Thank you.