povray.off-topic : Malware is getting nastier and more professional than ever (Message 15 to 24 of 34)
From: somebody
Subject: Re: Malware is getting nastier and more professional than ever
Date: 12 Mar 2008 21:11:48
Message: <47d88d64$1@news.povray.org>
"Warp" <war### [at] tagpovrayorg> wrote
> Orchid XP v7 <voi### [at] devnull> wrote:

> > No - it displays a message during the POST sequence. (And waits for a
> > keypress.)

>   What's that?

You push down on a key until it registers or bottoms out. There's usually an
audible click too.



From: Darren New
Subject: Re: Malware is getting nastier and more professional than ever
Date: 12 Mar 2008 22:23:44
Message: <47d89e40$1@news.povray.org>
Invisible wrote:
> More interesting is that it can touch the MBR from Windoze in the first 
> place...

Why's that interesting? Run "diskpart" (which comes with Windows) and 
tell it to look at the MBR.  Or google mbrfix, and have a program 
that'll read *and* write.

Indeed, read the first 512 bytes from the file \\.\physicaldisk0 to look 
at your MBR.  I just couldn't get it to open for writing.

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."



From: Darren New
Subject: Re: Malware is getting nastier and more professional than ever
Date: 12 Mar 2008 22:25:10
Message: <47d89e96$1@news.povray.org>
Warp wrote:
>   And how would it detect at that stage if something modified the MBR?

It stores in the CMOS the checksum of the previous MBR.

> And even if it did, wouldn't it be too late? The modification and thus
> the damage already happened.

MBRs are pretty standard. You know your system is hosed, so instead of 
continuing you boot the CD and rewrite the MBR. :-)

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."
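The two posts above describe reading the first 512 bytes of the disk to look at the MBR, and a BIOS that keeps a checksum of the previous MBR to notice when it changes. The following is an added example, not code from this thread: it parses a constructed 512-byte MBR, produces a baseline fingerprint that plays the role of the stored checksum, and reports which region of a later copy differs. The sample sector, the partition values and the function names are all constructed for illustration.

```python
import hashlib
import struct

# Constructed sample, not read from any real disk: 446 bytes of placeholder
# boot code, one NTFS-type partition entry, three empty entries, 0x55AA signature.
def build_sample_mbr(boot_code: bytes = b"\xEB\x3C\x90") -> bytes:
    code = boot_code.ljust(446, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code and in-use partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"bootable": boot == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"boot_code": sector[:446], "partitions": parts}

def mbr_fingerprint(sector: bytes) -> str:
    """Baseline to store elsewhere, playing the role of the checksum kept in CMOS."""
    return hashlib.sha256(sector).hexdigest()

def changed_regions(baseline: bytes, current: bytes) -> set:
    """Which MBR regions differ. A bootkit typically rewrites the boot code
    but leaves the partition table intact so the OS still starts."""
    regions = {"boot_code": (0, 446), "partition_table": (446, 510), "signature": (510, 512)}
    return {name for name, (a, b) in regions.items() if baseline[a:b] != current[a:b]}

if __name__ == "__main__":
    # On Windows the live sector would come from
    # open(r"\\.\PhysicalDrive0", "rb").read(512), which needs administrator rights.
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    tampered = b"\x90" * 446 + good[446:]  # boot code replaced, table untouched
    print(parse_mbr(good)["partitions"])
    print(mbr_fingerprint(tampered) == baseline, changed_regions(good, tampered))
```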



From: Darren New
Subject: Re: Malware is getting nastier and more professional than ever
Date: 12 Mar 2008 22:25:30
Message: <47d89eaa$1@news.povray.org>
somebody wrote:
> "Warp" <war### [at] tagpovrayorg> wrote
>> Orchid XP v7 <voi### [at] devnull> wrote:
> 
>>> No - it displays a message during the POST sequence. (And waits for a
>>> keypress.)
> 
>>   What's that?
> 
> You push down on a key until it registers or bottoms out. There's usually an
> audible click too.

BURN!  :-)

-- 
   Darren New / San Diego, CA, USA (PST)
     "That's pretty. Where's that?"
          "It's the Age of Channelwood."
     "We should go there on vacation some time."



From: Chris Cason
Subject: Re: Malware is getting nastier and more professional than ever
Date: 13 Mar 2008 01:41:23
Message: <47d8cc93$1@news.povray.org>
scott wrote:
>> http://www.f-secure.com/weblog/archives/00001393.html
> 
> Don't most BIOSs have some "prevent write to MBR" function?  Would malware 
> like this be able to get around that?

This only applies to software that uses the BIOS for disk I/O. Basically
this means bootloaders and sometimes first-level bootstrap routines (DOS
also). Modern OS's always have their own hardware drivers for disks.

Basically anything that can gain supervisor privileges on a windows system
can do whatever it wants with the hardware, even bypassing the OS's own
driver if need be (the latter requires that it understand the hardware of
course).



From: scott
Subject: Re: Malware is getting nastier and more professional than ever
Date: 13 Mar 2008 03:42:42
Message: <47d8e902@news.povray.org>
>> True. But I'd wager that MBR protection is probably turned off on most
>> machines out there.
>
>  What actually happens if some software (for example an OS installer)
> tries to modify the MBR and it has been bios-protected?

On mine I get a blue screen alerting me that something is trying to 
overwrite the MBR, and do I want to allow the write or not.



From: scott
Subject: Re: Malware is getting nastier and more professional than ever
Date: 13 Mar 2008 03:51:18
Message: <47d8eb06$1@news.povray.org>
>> I believe what it *actually* does is yell "hey, somebody changed this!"
>
>  How does it do that? The bios cannot have sufficient info about the
> graphics card in order to show a message on screen, especially if the
> graphics card is currently in non-vga mode.

I would imagine it goes something like this:

Interrupt 13 handler (file I/O) code inside BIOS:

Check if trying to write to MBR (always on the same place)
If not, write as usual to the drive, return
Change screen mode to 720x480 (or whatever that one is the BIOS uses at 
startup) using an interrupt 10 call
Display some text on the screen using the same routines as the BIOS setup 
screen etc
Wait for keyboard input (note this totally hangs the system)
If user agrees, write the data as normal to the disc
If not, just exit the interrupt handler



From: Joel Yliluoma
Subject: Re: Malware is getting nastier and more professional than ever
Date: 13 Mar 2008 05:21:00
Message: <slrnfti00c.5fg.bisqwit@bisqwit.iki.fi>
On Thu, 13 Mar 2008 09:51:41 +0100, scott wrote:
> I would imagine it goes something like this:
>
> Interrupt 13 handler (file I/O) code inside BIOS:

No modern OS uses 16-bit BIOS interrupts.

I have understood so that the MBR write protection simply
discards any writes addressing the MBR, silently.

-- 
Joel Yliluoma - http://iki.fi/bisqwit/



From: scott
Subject: Re: Malware is getting nastier and more professional than ever
Date: 13 Mar 2008 05:41:23
Message: <47d904d3$1@news.povray.org>
>> I would imagine it goes something like this:
>>
>> Interrupt 13 handler (file I/O) code inside BIOS:
>
> No modern OS uses 16-bit BIOS interrupts.

Well yeh I doubt it does, but that's how I understood the BIOS MBR 
write-protect feature to work that I'd seen in the past on my system.



From: Warp
Subject: Re: Malware is getting nastier and more professional than ever
Date: 13 Mar 2008 09:42:55
Message: <47d93d6f@news.povray.org>
Jim Henderson <nos### [at] nospamcom> wrote:
> POST = Power On Self Test.  I'm really surprised you don't know that, 
> it's a very common thing for people who work with computers to know. 

  I program computers, I don't build them.

-- 
                                                          - Warp




Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.