Since the Ghost virus appeared, viruses using MBR techniques have become increasingly popular. To analyze such viruses, basic knowledge of the MBR and the disk boot process is unavoidable. So I used some spare time to sort out a few things, hoping to help students who want to study or understand the technique. The article itself contains nothing technically new; it is just a bit of manual labor, so please bear with me.
The following describes the structure of a hard disk:
1. MBR (Master Boot Record)
The first physical sector of the hard disk is the MBR. When we choose to boot from the hard disk, the BIOS reads the boot code from this sector. The key data in the MBR can be divided into three parts:
(1) Boot code
(2) Partition Table
(3) End mark (55AA)
The partition table is used to manage the partitioning of the entire disk space. It starts at offset 0x1BE of the MBR and has four table items of 16 bytes each, so at most four primary partitions can be created. (To overcome this limit, Microsoft designed the extended partition. An extended partition is just an ordinary partition pointed to by a partition table item, but it has a special structure inside, which lets us split it into multiple logical partitions. The D, E and F drives we usually see are actually logical partitions of the extended partition. If you use WinHex to view your partition table, you will find only two items: one representing the C drive partition and the other representing the extended partition that holds all the other drives, unless you have created other primary partitions yourself.)
The partition table item structure is listed as follows for reference:
2. DBR
The first sector of each primary partition stores another boot sector, the DBR. The "Partition Boot Sector" is also called the "DOS Boot Sector". The purpose of this sector is to load ntldr to continue the boot. This sector also ends with the "55AA" mark.
3. Extended partitions
Let's take a closer look at the structure of an extended partition, which is what lets us divide the disk into multiple logical drives.
As mentioned above, an extended partition has its own special structure for holding multiple partitions. The obvious difference between it and an ordinary primary partition is that its first sector is not a DBR but a sector called the virtual MBR. It is called a virtual MBR because its structure is similar to the MBR; it also has three parts:
(1) All 0
(2) Partition Table
(3) 55AA
It contains no boot code; that area is all zeros. The partition table is also at offset 0x1BE and also has four items, but only the first two are used; the last two are all zeros. The first item points to a logical drive (logical partition), such as drive D. The second item points to the next virtual MBR (if there are more logical partitions). In this way a chain is formed, breaking through the limit on the number of partitions. The extended partition itself has no DBR; the DBR is the first sector of each logical partition inside it. You can think of an extended partition as an independent hard disk whose partitions are organized as a linked list instead of a table, which may make it easier to understand. I forgot one thing: I remember the concept of the hard disk "logical lock". The principle is to turn the chain of logical partitions into a ring, so that the system loops forever when it traverses the chain.
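To make the table layout and the chain concrete, here is an added example (my own code, not from the original post) that parses the four 16-byte items of an MBR or virtual MBR, follows the second-item chain through the extended partition, and stops instead of hanging when the chain has been turned into a ring. The disk image, the partition sizes and the LBA values are constructed for the example; the only layout facts assumed are the ones in the text (table at 0x1BE, 16-byte items, 55AA end mark) plus the usual MBR item format (boot flag, CHS start, type, CHS end, LBA start, sector count) and the relative addressing of the two virtual MBR items noted in the comments.

```python
import struct

PT_OFFSET, SIGNATURE, EXTENDED_TYPES = 0x1BE, b"\x55\xAA", {0x05, 0x0F}

def parse_entries(sector):
    """Return the four partition table items of an MBR or virtual MBR as dicts."""
    if len(sector) != 512 or sector[510:] != SIGNATURE:
        raise ValueError("sector lacks the 55AA end mark")
    items = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        # boot flag, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        boot, ptype, lba, size = struct.unpack("<B3xB3xII", raw)
        items.append({"boot": boot, "type": ptype, "lba": lba, "size": size})
    return items

def make_sector(entries):
    """Build a 512-byte MBR/virtual MBR: zero body, up to four items, 55AA mark."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return bytes(PT_OFFSET) + table.ljust(64, b"\x00") + SIGNATURE

def walk_extended(disk, ext_start):
    """Follow the virtual MBR chain; return logical DBR sectors and a ring flag."""
    logical, seen, ebr = [], set(), ext_start
    while ebr not in seen:                      # revisiting a sector means a ring
        seen.add(ebr)
        first, second = parse_entries(disk[ebr])[:2]
        if first["type"]:
            logical.append(ebr + first["lba"])  # item 1: LBA relative to this virtual MBR
        if second["type"] not in EXTENDED_TYPES:
            return logical, False               # last link of the chain
        ebr = ext_start + second["lba"]         # item 2: LBA relative to extended start
    return logical, True                        # the "logical lock" ring

def build_sample_disk(ring=False):
    """Constructed sparse image {LBA: sector}: one primary (C:) and two logical drives."""
    ext = 102400
    disk = {0: make_sector([(0x80, 0x07, 2048, 100000), (0, 0x05, ext, 200000)])}
    disk[ext] = make_sector([(0, 0x07, 63, 50000), (0, 0x05, 51200, 50063)])
    tail = (0, 0x05, 0, 50063) if ring else (0, 0, 0, 0)  # ring: point back to first link
    disk[ext + 51200] = make_sector([(0, 0x07, 63, 50000), tail])
    return disk

def scan(disk):
    """Return (primary partition starts, logical DBR sectors, ring flag) for an image."""
    mbr = parse_entries(disk[0])
    primaries = [e["lba"] for e in mbr if e["type"] and e["type"] not in EXTENDED_TYPES]
    ext = next((e["lba"] for e in mbr if e["type"] in EXTENDED_TYPES), None)
    logical, ring = walk_extended(disk, ext) if ext is not None else ([], False)
    return primaries, logical, ring
```

Running `scan(build_sample_disk(ring=True))` reports the same two logical drives but flags the ring, which is the check a disk tool needs so that a looped chain does not hang it.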
The text description above is a bit messy, so here is a structure chart for convenience. In the figure, the hard disk is divided into two primary partitions and one extended partition.
The boot process starting from the MBR in Windows is as follows: MBR > active partition DBR > ntldr > boot.ini start menu > load the system.
The disk structure is sorted out first. I hope it will be helpful to you. If any errors are found, please correct them :)