bootcode_parser is a Python script designed to perform a quick offline analysis of the boot records used by BIOS-based systems (UEFI is not supported). It is intended to help the analyst triage individual boot record dumps or whole disk images. The latter is preferred, since it allows the script to perform additional checks that would not be possible on individual dumps alone. The script only detects anomalies, which then have to be manually investigated by an analyst. Because it works with a whitelist mechanism, it is able to detect a wide range of malicious code, but it will also flag legitimate (encryption software, etc.) or benign modifications of the boot records. This topic was presented during a talk at the French conference CORI&IN 2017.


usage: [-h] --type {VBR,MBR,IPL,IMG} --input INPUT [INPUT ...]
       [--offset OFFSET] [--sector-size SECTOR_SIZE] [--whitelist WHITELIST]
       [--logLevel {DEBUG,INFO,WARNING,ERROR,CRITICAL}]

  -h, --help: show this help message and exit
  --type {VBR,MBR,IPL,IMG}: Type of boot record: MBR, VBR or IPL. Or whole disk image.
  --input INPUT [INPUT ...]: Input file(s) to check
  --offset OFFSET: Offset in bytes at which the boot record was dumped. Required only for VBR. Without it, some heuristics to detect malicious VBR will not work.
  --sector-size SECTOR_SIZE: Disk sector size in bytes. Only applies for disk image input. Defaults to 512.
  --whitelist WHITELIST: CSV file containing whitelisted boot record signatures. Without it, the boot record will always be flagged as suspicious. Defaults to ./data/bootrecord_whitelist.csv
  --logLevel {DEBUG,INFO,WARNING,ERROR,CRITICAL}: Show debug messages according to the level provided.
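
The whitelist approach described above, as an added example that is not code from bootcode_parser itself: it hashes only the 440-byte MBR code area and looks the digest up in a CSV whitelist, so per-disk fields do not affect the result while any change to the code, malicious or legitimate, is flagged. The CSV columns, function names and sample bytes are assumptions constructed for the example.

```python
import csv
import hashlib
import io
import struct

SECTOR_SIZE = 512            # default sector size, as in the usage text
CODE_AREA = 440              # MBR bootstrap code; bytes 440-445 hold per-disk data
BOOT_SIGNATURE = b"\x55\xaa" # expected at offset 510

def load_whitelist(csv_text):
    """Assumed CSV layout (sha256,description); not the tool's own format."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["sha256"]: row["description"] for row in reader}

def code_hash(sector):
    """Hash the code area only: the disk signature and partition table
    legitimately differ between disks and must not change the digest."""
    return hashlib.sha256(sector[:CODE_AREA]).hexdigest()

def triage_mbr(sector, whitelist):
    """Return a list of anomalies for an analyst to review (empty = known)."""
    if len(sector) < SECTOR_SIZE:
        return ["truncated dump: %d bytes" % len(sector)]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = code_hash(sector)
    if digest not in whitelist:
        findings.append("unknown boot code, sha256=%s" % digest)
    return findings

def build_sample_mbr(code, disk_sig, first_lba):
    """Constructed 512-byte sector for the demo (not a real boot loader)."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), first_lba, 204800)
    return (code.ljust(CODE_AREA, b"\x00") + struct.pack("<I", disk_sig)
            + b"\x00\x00" + entry + bytes(48) + BOOT_SIGNATURE)

# Constructed stand-in for known-good boot code and its whitelist entry.
KNOWN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
WHITELIST_CSV = "sha256,description\n%s,constructed known-good loader\n" % (
    hashlib.sha256(KNOWN_CODE.ljust(CODE_AREA, b"\x00")).hexdigest())

if __name__ == "__main__":
    wl = load_whitelist(WHITELIST_CSV)
    clean = build_sample_mbr(KNOWN_CODE, 0x11111111, 2048)
    patched = bytearray(clean)
    patched[5] ^= 0xFF  # one-byte change in the code area
    print("clean  :", triage_mbr(clean, wl))
    print("patched:", triage_mbr(bytes(patched), wl))
```
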
