The Black Art of Data Recovery: BIOS, MBR, VIRUS

Virus programmers, although destructive, were at one time some of the most innovative programmers in the industry. They exploited the very core of an operating system, and could do magic with the BIOS and MBR. The virus writer of the present is just some hack script writer who has no understanding of the true nature of the relationship between the BIOS and the MBR. These words try to shed some light on the boot-up sequence, and the susceptibility we all share.

Over the years many things in the world of computers have changed. We have gone from command line, to GEM, to a windowed GUI type of operating system. A stick of memory used to be one hundred dollars for 1 MB; now it's seventy five dollars for 1024 MB. A forty megabyte hard drive was $1000.00. Now you can get 750 gigabytes worth of hard drive for two hundred and fifty dollars. We have gone from 8 bit (XT) to 16 bit (286) to 32 bit (386), and finally to 64 bit (EM64T) central processing units.

With all of this obviously monumental progress, one of the most important functions of the computer has never changed. The boot sequence. Oh yes, it may have been enhanced, there may have been little items added here and there, but the focal point of the boot up process has never changed. Let’s take a quick look at the steps in booting a PC.

When you switch on your PC, the BIOS immediately takes over. In its process it does what is called a POST (Power On Self Test). The POST is a set of diagnostics that will test the hardware of your computer. Examples would be memory, bus, CPU, ports, PCI bridge, and the like. Through the use of checksums and data echoing, the POST can tell if something is amiss in your hardware. If the POST finds something wrong, and considers it a fatal error, the boot process will be halted, and a series of beeps may be given. These beeps, depending upon the BIOS developer, will guide you in diagnosing your fatal error. The beeps are used because many times an error in the hardware will make it so the video cannot be used. The POST is much more comprehensive than is being presented here; however, this set of articles is about data recovery and not how to diagnose your POST process.

Master Boot Record

The BIOS has found a HDD that is in the list of bootable devices. The BIOS will then load the first sector of that HDD into memory. Just as a point of reference, a sector is defined as 512 bytes of data. So, once again, the sector is loaded into memory. You may ask yourself, “Self, where exactly in memory does the BIOS load the MBR?” An excellent question! From nearly the beginning of the PC industry, from the dawn of the BIOS, it has been scribed by the ancients that the MBR will be loaded into memory location 0000:7C00. (Drum roll, cut to Yul Brynner laughing maniacally, shouting “So let it be written, so let it be done!” He was a good Ramses, but Charlton Heston was a great Moses!)


In addition, there are some BIOSes that will perform a small test on the MBR to see if it is valid. The test is to make sure there is a 0x55 and a 0xAA in bytes 510 and 511 respectively. If those bytes are not present, some BIOSes will stop the boot process for that HDD and continue on to an alternative device. If all devices fail, then an appropriate error message will be displayed.

“Boot Failure: System Halted” is the choice of Award BIOS. If, however, the MBR is loaded and passes all of the BIOS testing, INT 0x19 is called and a jump to memory location 0000:7C00 is performed. There, control of the entire PC is passed to the MBR. Awesome!
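The signature test described above can be reproduced on a saved copy of a drive's first sector. The following is an added example, not code from the original article: it checks bytes 510 and 511 and, going slightly beyond the article, also sanity-checks the boot flags of the four partition entries in the classic MBR layout. The function and constant names are hypothetical, the sample sector is constructed, and treating more than one active entry as a fault is an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE 512
#define SIG_OFFSET  510   /* bytes 510 and 511 must hold 0x55, 0xAA */
#define PT_OFFSET   446   /* classic MBR layout: four 16-byte partition entries */

enum mbr_status { MBR_OK, MBR_SHORT, MBR_BAD_SIGNATURE, MBR_BAD_BOOT_FLAG, MBR_MULTI_ACTIVE };

/* Validate a first-sector image before trusting it (hypothetical helper). */
enum mbr_status mbr_check(const uint8_t *sec, size_t len)
{
    int active = 0;
    if (sec == NULL || len < SECTOR_SIZE)
        return MBR_SHORT;                       /* truncated read */
    if (sec[SIG_OFFSET] != 0x55 || sec[SIG_OFFSET + 1] != 0xAA)
        return MBR_BAD_SIGNATURE;               /* the test some BIOSes perform */
    for (int i = 0; i < 4; i++) {
        uint8_t flag = sec[PT_OFFSET + 16 * i]; /* 0x80 = active, 0x00 = inactive */
        if (flag != 0x00 && flag != 0x80)
            return MBR_BAD_BOOT_FLAG;           /* entry is likely corrupted */
        active += (flag == 0x80);
    }
    /* Assumption of this example: more than one active entry is a fault. */
    return active > 1 ? MBR_MULTI_ACTIVE : MBR_OK;
}

/* Constructed sample: zeroed sector, one active entry (type 0x0B), valid signature. */
void make_sample_sector(uint8_t *sec)
{
    memset(sec, 0, SECTOR_SIZE);
    sec[PT_OFFSET] = 0x80;
    sec[PT_OFFSET + 4] = 0x0B;
    sec[SIG_OFFSET] = 0x55;
    sec[SIG_OFFSET + 1] = 0xAA;
}

int main(void)
{
    uint8_t sec[SECTOR_SIZE];
    make_sample_sector(sec);
    printf("intact sector: status %d\n", mbr_check(sec, sizeof sec));
    sec[SIG_OFFSET + 1] = 0x00;                 /* simulate damaged signature bytes */
    printf("damaged signature: status %d\n", mbr_check(sec, sizeof sec));
    return 0;
}
```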

3 Responses to “The Black Art of Data Recovery: BIOS, MBR, VIRUS”

  1. SKiLLa June 26, 2007 4:20 pm #

    Awesome article. Brings back the old days of low-level IO and writing your own boot-routines, copy protections and recovery 🙂

    I remember having a crashed HDD which wasn’t recognized by the PC BIOS at all anymore. Analysing the disk using non-PC hardware (and a WinHex clone) showed a corrupted MBR and Partition Table. Just fixing the ID bytes fixed all the problems and made the disk – without any data loss – usable again …

    And now, at least 10 years later, I read your article about this being ‘normal’ 🙂

  2. kh_ee2006 February 25, 2008 8:40 pm #

    thanks
