Identifying which program is in my MBR code

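I have done a lot of partitioning/dual-booting on my MacBook Pro. I now have Mac OS X and Ubuntu 12.04 installed, with Grub installed on the Ubuntu partition.

I would like to know: what is the code in my MBR (the first 446 bytes)? Since Macs use EFI and GUID partitioning, the MBR is only a protective/hybrid MBR (in my case, it is a hybrid MBR).

Q: How can I identify the program in the MBR (based on its hex dump)? Is there some kind of signature? I guessed it was Grub, but I made a hex dump and it does not match the code I found in this article detailing the Grub MBR ("stage 1") code.

EDIT: I am running rEFInd, an EFI boot manager program. It is an EFI application and therefore resides on my EFI System Partition. It is the program that runs right after boot, but I don't think it places any code in the 446 bytes of the MBR.

EDIT2: I should add that I also installed Windows for dual-booting.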

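Answer 1

I think I have found the answer: I believe it is the Windows boot code. Based on the readable ASCII in the hexdump ("Invalid partition table.Error loading operating system.Missing operating system."), I was able to do a Google search and find a site discussing the Windows boot loader. My hex dump matches the Windows 7 boot loader, detailed at http://thestarman.pcministry.com/asm/mbr/W7MBR.htm#CODE. This makes sense, since I had Windows 7 installed on my computer in the past.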

Answer 2

The utility ms-sys can not only identify many variants of MBR and PBR boot code, but also write them if required.

Usage:
        ms-sys [options] [device]
Options:
    -1, --fat12     Write a FAT12 floppy boot record to device
    -2, --fat32nt5  Write a FAT32 partition NT5.0 boot record to device
    -8, --fat32nt6  Write a FAT32 partition NT6.0 boot record to device
    -x, --exfatnt6  Write a EXFAT partition NT6.0 boot record to device
    -e, --fat32pe   Write a FAT32 partition PE boot record to device
    -3, --fat32     Write a FAT32 partition DOS boot record to device
    -4, --fat32free Write a FAT32 partition FreeDOS boot record to device
    -5, --fat16free Write a FAT16 partition FreeDOS boot record to device
    -6, --fat16     Write a FAT16 partition DOS boot record to device
    -n, --ntfs      Write a NTFS partition Windows 7 boot record to device
    -o, --fat16ros  Write a FAT16 partition ReactOS boot record to device
    -c, --fat32ros  Write a FAT32 partition ReactOS boot record to device
    -q, --fat32kos  Write a FAT32 partition KolibriOS boot record to device
    -l, --wipelabel Reset partition disk label in boot record
    -p, --partition Write partition info (hidden sectors, heads and drive id)
                    to boot record
    -H, --heads <n> Manually set number of heads if partition info is written
    -B, --bps <n>   Manually set number of bytes per sector (default 512)
    -O, --writeoem <s>   Write OEM ID string <s> to file system
    -S, --writewds <x>   Write Windows Disk Signature hexadecimal <x> to MBR
    -7, --mbr7      Write a Windows 7 MBR to device
    -i, --mbrvista  Write a Windows Vista MBR to device
    -m, --mbr       Write a Windows 2000/XP/2003 MBR to device
    -9, --mbr95b    Write a Windows 95B/98/98SE/ME MBR to device
    -d, --mbrdos    Write a DOS/Windows NT MBR to device
    -s, --mbrsyslinux    Write a Syslinux MBR to device
    -t, --mbrgptsyslinux Write a Syslinux GPT MBR to device
    -a, --mbrreactos     Write a ReactOS MBR to device
    -k, --mbrkolibrios   Write a KolibriOS MBR to device
    -r, --mbrrufus  Write a Rufus MBR to device
    -g, --mbrgrub4dos    Write a Grub4Dos MBR to device
    -b, --mbrgrub2  Write a Grub 2 MBR to device
    -z, --mbrzero   Write an empty (zeroed) MBR to device
    -f, --force     Force writing of boot record
    -h, --help      Display this help and exit
    -v, --version   Show program version
    -w, --write     Write automatically selected boot record to device

    Default         Inspect current boot record

Warning: Writing the wrong kind of boot record to a device might
destroy partition information or file system!

Usage example in inspect mode (typical results on a pure UEFI system):

# ms-sys /dev/sda                # MBR of an UEFI-bootable disk
/dev/sda has an x86 boot sector,
it is a zeroed non-bootable master boot record, like the one this
program creates with the switch -z on a hard disk device.

# ms-sys /dev/sda1              # PBR of an UEFI ESP
/dev/sda1 has a FAT32 file system.
/dev/sda1 has an x86 boot sector,
it is an unknown boot record
The OEM ID is mkfs.fat

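Answer 3

Another way to find out about the MBR is the Boot Info Script, originally published on SourceForge.

It looks like bytes 0x80 to 0x81 can be used to identify the MBR code: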

  case ${Bytes80_to_81} in
    0069) BST='ISOhybrid (Syslinux 3.72-3.73)';;
    010f) BST='HP Recovery';;
    019d) BST='BSD4.4: FAT32';;
    0211) BST='Dell Utility: FAT16';;
    0488) BST="Grub2's core.img";;

Boot Info Script #L2595

The following command reads bytes 0x80 and 0x81 from the disk:

sudo hexdump -v -s 0x80 -n 2 -e '2/1 "%02x" "\n"' /dev/sdXY
#   hexdump - ASCII, decimal, hexadecimal, octal dump
#       -v               => Cause hexdump to display all input data.
#       -s offset        => Skip offset bytes from the beginning of the input.
#       -n length        => Interpret only length bytes of input.
#       -e format_string => Specify a format string to be used for displaying data:
#           2/1    => iteration count / byte count: apply the format 2 times, to 1 byte each time.
#           "%02x" => Print each byte as two zero-padded hex digits, so the output has the same four-digit form as the keys in the case table.
#           "\n"   => Append a line break.
#       /dev/sdXY        => Input file.

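Source and case table: German Ubuntu users wiki

Answer 4

You can copy the first few KiB of the disk/partition to a file and then let strings(1) or objdump(1) loose on that file to find out what is in it.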
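The checks from Answers 1, 3 and 4 combined into one read-only inspection, as an added example that is not part of the original answers or of the Boot Info Script: it pulls printable strings out of the 446-byte code area, looks up bytes 0x80 to 0x81 in the five table entries quoted in Answer 3, and reports the 0x55AA signature and the partition type bytes. The function names and the sample sector are assumptions made for illustration; the sample is constructed, not a real Windows 7 MBR.

```python
import re
import sys

CODE_AREA = 446   # boot code bytes; the partition table starts at 0x1BE

# The five entries quoted in Answer 3 (the script's real table is much longer).
SIG_80_81 = {
    "0069": "ISOhybrid (Syslinux 3.72-3.73)",
    "010f": "HP Recovery",
    "019d": "BSD4.4: FAT32",
    "0211": "Dell Utility: FAT16",
    "0488": "Grub2's core.img",
}

def inspect_boot_sector(sector: bytes) -> dict:
    """Summarise the first 512-byte sector; nothing is written anywhere."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    code = sector[:CODE_AREA]
    key = sector[0x80:0x82].hex()                  # zero-padded, e.g. "0069"
    runs = re.findall(rb"[\x20-\x7e]{6,}", code)   # printable runs, like strings(1)
    return {
        "boot_signature_ok": sector[510:512] == b"\x55\xaa",
        "code_is_zeroed": not any(code),
        "bytes_80_81": key,
        "table_match": SIG_80_81.get(key),
        "strings": [r.decode("ascii") for r in runs],
        # type byte of each 16-byte partition entry (0xEE = GPT protective)
        "partition_types": [sector[0x1BE + 16 * i + 4] for i in range(4)],
    }

def make_sample() -> bytes:
    """Constructed sector: the messages from Answer 1 at an arbitrary offset."""
    s = bytearray(512)
    msgs = (b"Invalid partition table\x00Error loading operating system\x00"
            b"Missing operating system\x00")
    s[0x100:0x100 + len(msgs)] = msgs
    s[0x1BE + 4] = 0xEE
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    if len(sys.argv) > 1:          # a dump file made with dd, or a device node
        with open(sys.argv[1], "rb") as f:
            data = f.read(512)
    else:
        data = make_sample()
    for k, v in inspect_boot_sector(data).items():
        print(f"{k}: {v}")
```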
