OpenBSD support

[ffries]

Hello,

First of all, congratulations for this great project. Modern viruses hook on using BIOS or microcode, so it is nice to have a bootcade parser to parse BIOS mbr. I dream we could have the same tools for networking microcode.

I only migrated to OpenBSD recently, for learning purpose, so pardon my ignorance. OpenBSD is meant to be secure, but would rather like to be able to test my MBR.

i know that bootcode_parser does not support OpenBSD, but would you be interested for surpporting OpenBSD?

Under OpenBSD, the boot is a 3-stage process:

• Master Boot Record (MBR) and GUID Partition Table (GPT). The fdisk(8) man page contains the details.
• Partition Boot Record (PBR). The first 512 bytes of the boot disk's OpenBSD partition contain the first stage boot loader biosboot(8). It is installed by the installboot(8) utility.
• Second stage boot loader /boot. The PBR loads the boot(8) program which has the task of locating and loading the kernel.

I have been trying to use bootcode_parser with OpenBSD 6.2 x64 standard install:

er.py --type MBR --input /usr/mdec/mbr
WARNING - [/usr/mdec/mbr] [MBR] No known code signature were found, this is highly suspicious.
WARNING - [/usr/mdec/mbr] [MBR] Suspicious behaviours were detected: [u'Invalid string offset: 0x0', u'JMP or CALL before relocation', u'Unknown Interrupt : 0x16']

Do you think it would be possible/interesting to add a signature for OpenBSD mbr? The fact is that it jumps to a second stage boot.

What do I need to submit a signature and does it make sense?

Kind regards,

[ffries]

I'd like to give a try porting to OpenBSD, adding support for MBR/PBR, please tell me if this makes sense.

[sc-anssi]

Having a signature for OpenBSD makes perfect sense from what I can understand of its boot process.
You'll need to reverse engineer the MBR and PBR to properly whitelist its code section(s) so as to make a signature from it.
If you can provide a sample MBR and PBR, I can take a look.