
Older BIOS-based devices used what is called an MBR (Master Boot Record) to detect bootable devices; however, this mechanism has major security flaws. With such relaxed security on what was, at the time, every device, malware started to be packaged as bootkits. BIOS was made in 1975, and the first malware designed to exploit the MBR was developed in 2005 to attack Windows XP.

As stated earlier, the MBR for BIOS was very insecure. For reference, the only way to know whether a disk was a valid bootable disk under BIOS was the last twelve bytes of a five hundred and twelve byte disk sector containing a signature of a bootable disk path. There is no default way to ensure that the bootable data within the MBR is legitimate at the OS level, meaning that malware could inject special code within the first 500 bytes and leave the last 12 bytes of the bootable image alone. This allows malware to run before the computer has even loaded the kernel, which is the stage many AV (Anti-Virus) and EDR (Endpoint Detection and Response) products rely on to run with privileges above the OS in the hope of detecting malware.
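One way for a defender to close the gap described above, shown as an added example that is not part of the original project's code: parse a 512-byte MBR sector (446 bytes of boot code, a 64-byte partition table, and the 0x55 0xAA boot signature at offset 510), hash the boot-code region and compare it with a baseline recorded while the disk was known-good. The sample sectors are constructed inline, and the baseline hash and the finding strings are assumptions.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: what BIOS checks before booting

def parse_mbr(sector: bytes) -> Dict:
    """Split one 512-byte sector into its MBR fields and validate the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def check_against_baseline(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return findings; an empty list means the boot code matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_sha256:
        # Table and signature may be left intact, so only the code region reveals an overwrite.
        findings.append("boot code differs from baseline: possible bootkit overwrite")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector for demonstration: given code, one NTFS-type partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    return code + table + BOOT_SIGNATURE

# Constructed sample data (not captured from a real disk).
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED KNOWN-GOOD BOOT CODE")
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # recorded while known-good
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED INJECTED BOOT CODE")  # table and signature intact
```

On a real system the 512-byte sector would be read from the raw disk device by a privileged integrity agent and the baseline stored off-host, since a bootkit that runs before the kernel can also tamper with what the OS later reads.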

For learning more about BIOS and MBRs please Click here.

For learning more about Bootkits please Click here.

Description

ErroxPerms is an MBR bootkit stager; it directly accesses the first MBR on Windows devices and replaces the entire MBR with custom code that is packaged into the program when it is compiled. This allows the malware to be changed quickly because of the small program size (roughly twenty-one kilobytes compiled). Below you can find the steps needed for clearing the MBR:

  1. Open handle to target disk
  2. Get a file pointer to the disk handle
  3. Write the data over the MBR
  4. Free file pointer
  5. Close disk handle

Surprisingly, a basic gcc-compiled Windows C file using the Windows 31 API is not detected by Windows Defender or many major AV solutions.

This project is currently in development, meaning this page may be behind on information.


Project future

Hangman is going to transition from a C program to Rust and use the Windows 31 API in the same way for MBR-based attacks; however, it is also being updated to try to attack UEFI-enabled devices, to increase the number of devices it can be used on for research. It is safe to say that the source code for Hangman will not be released any time soon, at least not the code for attacking UEFI devices; the MBR editing software has already been published on GitHub under ErroxMalware.

For accessing ErroxMalware, please Click here.

Socials:

Special thanks to:

And I do really mean thanks. Due to your support, testing, and advice regarding my programs it is possible that I even program! If it wasn't for your help, I would be working towards becoming an auto-mechanic (it's true).