
Boot sector


-formatted media (newer versions do not). Boot code for other platforms or CPUs should not use this signature, since this may lead to a crash when the BIOS passes execution to the boot sector assuming that it contains valid executable code. Nevertheless, some media for other platforms erroneously contain the signature, anyway, rendering this check not 100% reliable in practice.
(but not by the original IBM PC and some other machines). Even more so, it is also checked by most MBR boot loaders before passing control to the boot sector. Some BIOSes (like the IBM PC/AT) perform the check only for fixed disk/removable drives, while for floppies and superfloppies, it is enough to start with a byte greater than or equal to
in the bootable partitions. Depending on the BIOS, attempts to write to the protected sector may be blocked with or without user interaction. Most BIOSes, however, will display a popup message giving the user a chance to override the setting. The BIOS option is disabled by default because the message
storage device, is not required to immediately load any bootstrap code for an OS, if ever. The BIOS merely passes control to whatever exists there, as long as the sector meets the very simple qualification of having the boot record signature of 0x55, 0xAA in its last two bytes. This is why it is easy
on floppies. Since old boot sectors (e.g., very old CP/M-86 and DOS media) sometimes do not feature this signature despite the fact that they can be booted successfully, the check can be disabled in some environments. If the BIOS or MBR code does not detect a valid boot sector and therefore cannot
In case a boot sector receives physical damage, the hard disk will no longer be bootable, unless used with a custom BIOS that defines a non-damaged sector as the boot sector. However, since the very first sector additionally contains data regarding the partitioning of the hard disk, the hard disk
, that will be a VBR. If the device is a hard disk, that will be an MBR. It is the code in the MBR which generally understands disk partitioning, and in turn, is responsible for loading and running the VBR of whichever primary partition is set to boot (the
One FDISK utility written to be aware of BIOS boot sector protection features is DR-DOS' FDISK R2.31 (and higher), which will detect this scenario and display additional interactive messages to guide the user through it. In contrast to other
been partitioned, or the first sector of an individual partition on a data storage device that has been partitioned. It may contain code to load an operating system (or other standalone program) installed on that device or within that
). This signature indicates the presence of at least a dummy boot loader which is safe to be executed, even if it may not actually be able to load an operating system. It does not indicate a particular (or even the presence of)
pass execution to the boot sector code, it will try the next boot device in the row. If they all fail, it will typically display an error message and invoke INT 18h. This will either start up optional resident software in ROM (
(programs stored elsewhere on the device which can run without an operating system), allowing users a number of choices in what occurs next. With this kind of freedom, abuse often occurs in the form of boot sector viruses.
may not be displayed correctly in graphics mode and blocking access to the MBR may cause problems with operating system setup programs or disk access, encryption or partitioning tools like
A disk can be partitioned into multiple partitions and, on conventional systems, it is expected to be. There are two definitions on how to store the information regarding the partitioning:
has also developed malware that attempts to modify the boot sector in order to load additional drivers to be used by other malware. Another malware that overwrites the boot sector is the
is ignorant of the distinction between VBRs and MBRs, and of partitioning. The firmware simply loads and runs the first sector of the storage device. If the device is a floppy or
distributed over sectors of a hard disk. When GRUB is installed on a hard disk, boot.img is written into the boot sector of that hard disk. boot.img has a size of only 446 bytes.
The purpose of chain loading first a firmware (e.g., the BIOS), then some code contained in the boot sector, and then, for example, an operating system, is maximal flexibility.
, which may not have been written to be aware of that possibility, causing them to abort ungracefully and possibly leaving the disk partitioning in an inconsistent state.
IBM mainframe computers place a small amount of boot code in the first and second track of the first cylinder of the disk, and the root directory, called the
The presence of an IBM PC compatible boot loader for x86-CPUs in the boot sector is by convention indicated by a two-byte hexadecimal sequence
and the first nine words not to contain the same value, before the boot sector is accepted as valid, thereby avoiding the explicit test for
attempts to gain administrative privileges on an operating system, and then would attempt to overwrite the boot sector of a computer. The
often includes an option to prevent software from writing to the first sector of any attached hard drives; it could thereby protect the
Usually, the first sector of the hard disk is the boot sector, regardless of sector size (512 or 4096 bytes) and partitioning flavor (
Since code in the boot sector is executed automatically, boot sectors have historically been a common attack vector for
) directly. Additionally, the UEFI specification also contains "secure boot", which basically wants the UEFI code to be
Furthermore, whatever is stored in the first sector of a floppy diskette, USB device, hard disk or any other
utilities, DR-DOS FDISK is not only a partitioning tool, but can also format freshly created partitions as
to replace the usual bootstrap code found in an MBR with more complex loaders, even large multi-functional
Other (non IBM-compatible) PC systems may have different boot sector formats on their disk devices.
. The MBR sector may contain code to locate the active partition and invoke its volume boot record.
or operating system, although some old versions of DOS 3 relied on it in their process to detect
, is also located at the fixed location of the third track of the first cylinder of the disk.
partition). The VBR then loads a second-stage bootloader from another location on the disk.
), reboot the system via INT 19h after user confirmation or cause the system to halt the
will become entirely unusable except when used in conjunction with custom software.
selects a boot device, then copies the first sector from the device (which may be a
This article is about the generic concept of boot sectors. For the MBR in PCs, see
via CSM) does not rely on boot sectors; a UEFI system loads the boot loader (
(called the boot sector signature) at the end of the boot sector (offsets
The signature is checked for by most system BIOSes since (at least) the
is inter-operability between firmware and various operating systems.
(MBR) is the first sector of a data storage device that has been
CD-ROMs usually have their own structure of boot sectors; for
0x7C00. On other systems, the process may be quite different.
. This reduces the risk of accidentally formatting the wrong volumes.
(VBR) is the first sector of a data storage device that has
Systems not following the above described design are:
The purpose of defining one particular sector as the
disks where data on Track 1, Sector 0 began with a
from being overwritten accidentally, but not the
A boot sector is the sector of a persistent data storage device (e.g., hard disk, floppy disk, optical disc, etc.) which contains machine code to be loaded into random-access memory (RAM) and then executed by a computer system's built-in firmware (e.g., the BIOS).


Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.