Knowledge about MBR (Master Guide record ~~~

A good security tool is also essential to combat MBR viruses,
I just got started. What's wrong? Hope you guys can advise me ~~~

The hard disk has 0 cylinders, 0 heads, and 1-sector names as the primary Boot Sector,
Is the first sector that must be read when the computer accesses the hard disk after it is started,
Its 3D address on the hard disk is (cylindrical, Head, Sector) = (0, 0, 1)

MBR composition:
The primary Boot Record MBR for one sector of a hard disk is composed of four parts, as shown in Table 1-1-1.
·Master GuideProgram(Offset 0000h--0088h), which is responsible for loading from the active partition and running the system boot program.
·Error information data Zone, The offset 0089h--00e1h is the error message, and 00e2h--01bdh is all 0 bytes.
·Partition Table(DPT, disk partition table) contains four partition items. The offset address is 01beh--01fdh,
Each partition table item is 16 bytes long. A total of 64 bytes are partition item 1, partition item 2, partition item 3, and partition item 4.
·Ending flag, The two byte values of the Offset address 01fe--01ff are the end mark 55aa. If this mark is incorrect, the system cannot start.

0000-0088	Master Boot Record main Bootstrap program	Master Boot Program
0089-01bd	error information data zone	data zone
01be-01cd	partition item 1 (16 bytes)	Partition Table
01ce-01dd	Partition Item 2 (16 bytes)
01de-01ed	Partition Item 3 (16 bytes)
01ee-01fd	Partition Item 4 (16 bytes)
01fe	55	End mark
01ff	AA

Partition Information Structure in MBR:

Storage byte	Content and meaning
1st bytes	pilot flag. If the value is 80 h, it indicates the active partition. If the value is H, it indicates the non-active partition.
2nd, 3, 4 bytes	Start head, Fan area, and cylindrical Number of the partition. Where: head number -- 2nd bytes; fan id -- 6 lower bits of 3rd bytes; the cylinder number, which is 3rd bytes in height, 2 bytes in height, and 8 bytes in 4th bytes.
5th bytes	partition type. 00 h -- indicates that the partition is not used (that is, it is not specified ); 06h--fat16 basic partition; 0bh--fat32 basic partition; 05 h -- extended partition; 07h--ntfs partition; 0fh -- (LBA mode) extended partition (83h is LINUX partition, etc ).
6th, 7, 8 bytes	End head, Fan area, and Cylinder Number of the current partition. Where: Head number-6th bytes; Fan area number-6-bit lower than 7th bytes; Cylinder Number-2-plus 7th bytes in height.
9th, 10, 11, 12 bytes	Number of slice used before this partition.
13th, 14, 15, 16 bytes	The total number of sectors in the current partition.

For example

If the information of a partition in the hard disk partition table is as follows:
80 01 01 00 07 Fe FF 3f 00 00 80 9d 84 1e

We can see that
"80"Is a partition activation sign, indicating that the system can be guided;
"01 01 00"Indicates that the start part is 01, the start part is 01, And the start part is 00;
"07"It indicates that the partition system type is NTFS. Other commonly used types include 04 (fat16) and 0b (FAT32 );
"Fe FF"Indicates that the end of the partition is 254, the end of the partition is 63, and the end of the partition is 1023;
"3f 00 00 00"Indicates that the relative slice number of the first slice is 63;
"80 9d 84 1E"Indicates that the total number of sectors is 512007552.

I have learned so much for the moment, and I have time to continue the analysis ~~~ Read the full text

Category:View comments by default