
I am just starting out with Python scripting and I am trying to write a program that will parse through a provided MBR but I'm not sure how to start.

I want to write a program that will parse a portion of the MBR's partition table. The first partition entry is located at the address 1BE. Print out the status byte (1 byte located at the starting address), the partition type (1 byte located at the address 1BE + 4) and the address of the first sector in the partition (1BE + 8).

Any help would be greatly appreciated!

2 Answers


Batteries included. Use the array or struct module.

Or else one of these (but here they're likely overkill):

jhermann
  • Hello thank you for your help with my dilemma... I kind of understand that I need to utilize the struct module but no matter how many times I read up on it I still don't understand it. – Segismundo101 Feb 02 '18 at 22:29

I know this is a very old question, but I came here looking for an answer and the only one here did not answer the question itself very well. I believe I have a proper understanding of the question and answer at this point. So, starting with the first part, which is the status address. A status address is typically something like 0x80, which is an active status flag, and is only a byte long. This can be found with the following lines:

import struct  # Provides unpack() for decoding multi-byte binary fields

file = 'mbr.bin'  # Placeholder: path to the disk image or raw MBR dump

with open(file, 'rb') as binary_file:
    mbr = binary_file.read(512)  # The first 512 bytes are the first sector, which is the MBR

status_flag = mbr[0x1BE]  # Indexing the bytes object returns that byte as an int (0-255)

The status flag is only a single byte, and because we know it is located at the address 0x1BE we are able to simply pull that index from the MBR array (what we gathered when we read the file but broken into 1 byte chunks). Another way to read 0x1BE could be as the integer 446; so we are really looking at the byte stored in the index mbr[446] in the example above (Because we start with 0x Python knows to interpret it as a hex value, so 446 is 0x1BE).

Moving onto the second part, similarly to the first part, the partition type is a single byte stored at the address 0x1BE+4 or 0x1C2. So, to find this, much like with the status byte, we are able to simply do:

partition_type = mbr[0x1C2]

Because the partition type is also just a byte, and each index of our mbr array is a byte, we can simply pull the value at the address 0x1C2.

As for the last part, the address of the first sector is a 4-byte value that starts at the address: 0x1BE+8 or 0x1C6. Because it is bytes, we know that it ends at the address 0x1BE+12 or 0x1CA. So, to find this, we can do the following:

first_sector_addr = struct.unpack('<I', mbr[0x1C6:0x1CA])[0]  # unpack() returns a tuple; take its only element
# For the line above, we are using the unpack function also
# included with the struct import. This function takes two
# primary arguments: the byte order/size/alignment, and the
# data to read (https://docs.python.org/3/library/struct.html).
# We must read the data as little-endian and as an unsigned int
# (https://thestarman.pcministry.com/asm/mbr/PartTables.htm).

Once we have all of the variables collected (status_flag, partition_type, first_sector_addr) we can print each of them to the screen. I recommend printing the first two as hex values as these are what are used for identification. For example, if the partition type has the hex value 0x83 it is a Linux Native file system (https://thestarman.pcministry.com/asm/mbr/PartTypes.htm)

https://thestarman.pcministry.com/asm/mbr/PartTables.htm https://en.wikipedia.org/wiki/Master_boot_record#Sector_layout

https://www.ijais.org/research/volume10/number8/sadi-2016-ijais-451541.pdf

(Last link will prompt for pdf download, but is a useful resource on MBR. I think that is why I had to post it as code rather than text)

Dharman
Anon0nyx
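An added example, not code from either answer: it goes beyond the single entry asked about and decodes all four 16-byte partition entries with one `struct` format, checking the 0x55AA boot signature and the status byte first, as a forensic parser would. The function names, dictionary keys and the sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE   # first partition entry, as in the question
ENTRY_SIZE = 16
# status, CHS start (3 bytes), type, CHS end (3 bytes), first LBA, sector count
ENTRY_FORMAT = '<B3sB3sII'


def parse_mbr(sector):
    """Return a list of dicts for the non-empty partition entries in an MBR sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError('need a full 512-byte sector')
    if sector[0x1FE:0x200] != b'\x55\xaa':
        raise ValueError('missing 0x55AA boot signature')
    entries = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, first_lba, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        if ptype == 0x00:   # type 0 marks an unused slot
            continue
        entries.append({
            'index': index,
            'status': status,
            # Anything other than 0x00 (inactive) or 0x80 (active) is suspect
            'status_valid': status in (0x00, 0x80),
            'type': ptype,
            'first_lba': first_lba,
            'sectors': sectors,
        })
    return entries


def build_sample_mbr():
    """Constructed sample sector: one active Linux (0x83) partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET,
                     0x80, b'\x00\x00\x00', 0x83, b'\x00\x00\x00', 2048, 204800)
    sector[0x1FE:0x200] = b'\x55\xaa'
    return bytes(sector)


if __name__ == '__main__':
    for part in parse_mbr(build_sample_mbr()):
        print('entry %d: status=0x%02X type=0x%02X first_lba=%d sectors=%d' % (
            part['index'], part['status'], part['type'],
            part['first_lba'], part['sectors']))
```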