Boot-sector / MBR malware plaintext markers.
Single source of truth for documented boot-sector-malware byte markers, for
forensic tools that scan an MBR/VBR boot-code area (e.g. mbr-forensic).
Markers are matched as substrings anywhere in the boot code, so each needs
only the literal bytes — no fragile fixed offsets.
The seed set is deliberately limited to publicly-documented historical
markers so that no pattern here is fabricated. Operators extend
BOOTKIT_MARKERS with vetted markers from their own threat intel.
Sources:
- “Stoned” boot-sector virus (1987) — taunt strings "Your PC is now Stoned!" and "LEGALISE MARIJUANA": F-Secure / virus encyclopedia descriptions; https://en.wikipedia.org/wiki/Stoned_(computer_virus)
Structs
- BootkitMarker - One boot-sector-malware marker: a family name and the literal needle bytes that, if present anywhere in the boot code, identify it.
- StashSector - A sector where a documented MBR bootkit stashes the original MBR or a payload.
Constants
- BOOTKIT_MARKERS - Seed table of documented boot-sector-malware markers (see module docs).
- EXPECTED_BOOT_INTERRUPT_VECTORS - BIOS real-mode interrupt vectors a legitimate MBR/VBR boot stub is expected to invoke: video 0x10, disk 0x13, blocking 0x18, time 0x1a. An int to any other vector in disassembled boot code is a suspicious indicator (ANSSI).
- ORIGINAL_MBR_STASH_SECTORS - LBAs where documented MBR bootkits stash the original MBR or payload sectors.
- PACKED_BOOT_CODE_ENTROPY_STRONG - Entropy above which packing/encryption is strongly indicated.
- PACKED_BOOT_CODE_ENTROPY_SUSPECT - Boot-code Shannon entropy (bits/byte) above which the 446-byte code area is suspected packed/encrypted (triage only — borrowed from general packer literature; self-decrypting stubs can sit below it).
- TRACK0_GAP - The legacy ‘track-0 gap’ — LBAs 1..=62, between the MBR (LBA 0) and the first conventionally-aligned partition at LBA 63. A classic stash region; any hidden MBR-shaped sector here is suspicious.
Functions
- scan - Scan boot_code for every known marker, returning the distinct family names that matched, in table order (each family reported at most once).
- stash_sectors_at - Documented stash entries whose lba equals the given lba (a sector may be used by more than one family / for more than one purpose). The returned iterator is lazy — collect or inspect it.
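Added example, not the crate's own code: a stand-alone re-implementation of the marker scan described above (substring match anywhere in the boot code, one report per family, table order), seeded only with the two documented Stoned strings, plus the Shannon-entropy computation the PACKED_BOOT_CODE_ENTROPY_* thresholds are compared against. The sample boot-code area and the offset at which the taunt is planted are constructed for the example; the threshold values themselves are not on this page and are not assumed here.

```rust
// Added example (not mbr-forensic's own code): marker scan + entropy triage.

/// One boot-sector-malware marker: family name plus literal needle bytes.
pub struct BootkitMarker {
    pub name: &'static str,
    pub needle: &'static [u8],
}

/// Seed table: only the publicly documented Stoned (1987) taunt strings.
pub const BOOTKIT_MARKERS: &[BootkitMarker] = &[
    BootkitMarker { name: "Stoned", needle: b"Your PC is now Stoned!" },
    BootkitMarker { name: "Stoned", needle: b"LEGALISE MARIJUANA" },
];

/// Scan `boot_code` for every marker as a substring (no fixed offsets);
/// return distinct family names in table order, each family at most once.
pub fn scan(boot_code: &[u8]) -> Vec<&'static str> {
    let mut hits: Vec<&'static str> = Vec::new();
    for m in BOOTKIT_MARKERS {
        // windows() yields nothing if the needle is longer than the code.
        let found = boot_code.windows(m.needle.len()).any(|w| w == m.needle);
        if found && !hits.contains(&m.name) {
            hits.push(m.name);
        }
    }
    hits
}

/// Shannon entropy in bits/byte of the 446-byte code area (triage input).
pub fn shannon_entropy(code: &[u8]) -> f64 {
    if code.is_empty() {
        return 0.0;
    }
    let mut counts = [0usize; 256];
    for &b in code {
        counts[b as usize] += 1;
    }
    let n = code.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / n;
            -p * p.log2()
        })
        .sum::<f64>()
}

/// Constructed 446-byte boot-code area: zero-filled, with the Stoned taunt
/// planted at an arbitrary offset (assumption for the example, not the real layout).
pub fn sample_stoned_boot_code() -> Vec<u8> {
    let mut code = vec![0u8; 446];
    let taunt = b"Your PC is now Stoned!";
    code[0x18A..0x18A + taunt.len()].copy_from_slice(taunt);
    code
}
```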