Jump to content











Photo
- - - - -

GrubDOS question


  • Please log in to reply
6 replies to this topic

#1 RatHat

RatHat
  • Members
  • 4 posts
  •  
    Thailand

Posted 02 February 2009 - 03:40 AM

Hi there,

I find the concept of using a separate DOS to boot a computer fascinating, and would like to pose a question.

As a helper on an AntiMalware site, the idea of being able to use an independent DOS language, makes me wonder if it can be used in removing malware.

Many files that malware use are hidden from the Windows API. Is it possible that GrubDOS could be used to boot a machine, search for and then delete files that are normally hidden to Windows?

Regards,
RatHat

#2 amalux

amalux

    Platinum Member

  • Tutorial Writer
  • 2813 posts
  •  
    United States

Posted 02 February 2009 - 04:19 AM

Hi there,

I find the concept of using a separate DOS to boot a computer fascinating, and would like to pose a question.

As a helper on an AntiMalware site, the idea of being able to use an independent DOS language, makes me wonder if it can be used in removing malware.

Many files that malware use are hidden from the Windows API. Is it possible that GrubDOS could be used to boot a machine, search for and then delete files that are normally hidden to Windows?

Regards,
RatHat

Hi RatHat, welcome :cheers:

There are av progs that run from dos, like fprotdos and f-secure etc. but afaik, they don't work any better than the windows version. What usually happens is the virus/mw corrupts the windows installed version so you can't use it normally from a windows desktop but you can use it from a PE desktop like LiveXP B)

#3 RatHat

RatHat
  • Members
  • 4 posts
  •  
    Thailand

Posted 02 February 2009 - 04:25 AM

Hi amalux,

Yes there are many different tools that will use the reboot of a machine to remove malware before the main system files are loaded, however they can also have difficulties, with rootkits for example.

What I am interested in is whether there is an independent operating system that could be downloaded and run from a CD or USB, that does not require any of the Windows architecture to start the machine.

If this is possible, and it could read the Windows file system, then there is a possibility that it could be used to delete files that are normally hidden.

Regards,
RatHat

#4 amalux

amalux

    Platinum Member

  • Tutorial Writer
  • 2813 posts
  •  
    United States

Posted 02 February 2009 - 05:20 AM

Hi amalux,

Yes there are many different tools that will use the reboot of a machine to remove malware before the main system files are loaded, however they can also have difficulties, with rootkits for example.

What I am interested in is whether there is an independent operating system that could be downloaded and run from a CD or USB, that does not require any of the Windows architecture to start the machine.

If this is possible, and it could read the Windows file system, then there is a possibility that it could be used to delete files that are normally hidden.

Regards,
RatHat

So you're saying that a PE boot disk like LiveXP, VistaPE (or BartPE ftm) which boot independent of hdd installed os, would not work for this because they are based on windows arch? Is there a test for this? A 'dummy rootkit' that could placed in a host system and scanned from PE to confirm your suspicion? I find it hard to believe that no virus/rk scanner (designed for windows) has found a way to check for these hidden files :cheers:

#5 RatHat

RatHat
  • Members
  • 4 posts
  •  
    Thailand

Posted 02 February 2009 - 07:42 AM

There are rootkit scanners that will find and delete hidden and super hidden files, GMER and IceSword to name but two of them. Many anti malware tools use the boot to delete difficult files before they are loaded by Windows. This is the normal strategy for removing malware, from downloaders, keyloggers to rootkits.

I am not really familiar with LiveXP, VistaPE, or BartPE ftm, so unable to comment on these. I know I will need to learn more about them.

It is the concept, maybe it is impossible, that a completely independent OS could be used to boot an infected machine to a command prompt, where a search function could be used to look at the Windows files, and then a delete function be used to wipe them.

I don't know if this if feasible, and would imagine that if it was, someone would have already done it, but the concept is intriguing to me.

#6 amalux

amalux

    Platinum Member

  • Tutorial Writer
  • 2813 posts
  •  
    United States

Posted 02 February 2009 - 09:10 AM

That term 'completely independent OS' isn't so clear I guess, you can't get more independent than PE (LiveXP etc.), you can boot the computer with the infected hard drive removed i.e no hard drive required! Everything is loaded into RAM and booted from there (and we know RAM is safe), you can even remove the boot media (CD, UFD etc.) and still have a fully functioning OS, complete with GUI desktop (looks and feels like XP) and whatever programs you've included for the task at hand. You can even open a command window and run your DOS programs if you wish so I'm pretty sure you can do what you propose from LiveXP or similar; why don't you give it a try? See my signature for tutorial and links to pre-setup builds, most have some anti-virus progs included but you can easily add more if needed :cheers:

#7 RatHat

RatHat
  • Members
  • 4 posts
  •  
    Thailand

Posted 02 February 2009 - 10:22 AM

I will do. Thanks for explaining it to me. I guess you see my idea, so lets see how it pans out.

Regards,
RatHat




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users