Evil Maid CHKDSK : Steal users password with fake CHKDSK

This is s simple 512-byte MBR program that pretends to be Windows CHKDSK. It asks the user for a password, writes that password back to the media it booted from, renders that media unbootable, and reboots.

NOTE: Windows helpfully prompts the user to format the drive when its inserted, or when they first log in after the password has been captured. I don’t think this can be considered a serious tool until that’s fixed, but I’ve used literally every byte of the MBR – the next version stable version probably won’t be 512 bytes 🙂

Terminal capture of using it with QEMU: http://ascii.io/a/1201

Video demonstration on a Windows laptop: https://www.youtube.com/watch?v=tull5_Ctz8M

To assemble

nasm -f bin bootloader.asm -o bootme

To install on a disk

dd if=./bootme of=/dev/<device>

To extract the saved password

dd if=/dev/<device> count=1 bs=512 > dump.hex ; xxd dump.hex



NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"