# Cross-Platform Physical Disk Dumper Utility
A specialized low-level utility designed to analyze physical storage devices on Windows and Linux systems. By bypassing the filesystem layer, this tool interacts directly with raw disk sectors to facilitate deep forensic examination and structural validation.
It serves as a critical companion for ROSE SWE antivirus solutions (including rms, mpscan, rhbvs and VirScan Plus). The workflow involves dumping raw disk sectors to .bin files, which are then scanned by these virus scanners to detect malware residing in unallocated space, MBR, boot sectors, or hidden partitions that traditional file-scanning methods might miss.
This tool provides a precise snapshot of the physical layout of every disk connected to the system. It is designed to assist developers and system administrators in:
mbrdumper is written in Go and compiles to native executables for both Windows and Linux:

- Windows: uses \\.\PhysicalDriveX device paths to read raw sectors
- Linux: uses /dev/sdX device files to read raw sectors

Both implementations are built from a single codebase using Go build tags (//go:build windows and //go:build linux), ensuring consistent functionality across platforms. The tool is compatible with 64-bit architectures on both operating systems.
Windows: Automatically detects and lists all accessible \\.\PhysicalDriveX devices on the system.
Linux: Enumerates disks by accessing /dev/sdX device files (where X is a, b, c, etc.). The -d flag maps disk numbers to letters (0 → sda, 1 → sdb, etc.).
| Feature | Description |
|---|---|
| Partition Scheme Detection | Automatically identifies whether a disk uses MBR or GPT partitioning |
| Capacity & Offset Reporting | Displays total disk capacity and calculates precise partition start/end offsets |
| Type Identification | Displays human-readable partition type names (e.g., "EFI System", "Linux Root (x86-64)", "NTFS/exFAT") for both MBR and GPT partitions, with fallback to hex codes or GUIDs for unknown types |
| Target | Size | Description |
|---|---|---|
| MBR | 8KB (16 sectors) | Captures the boot code and partition table |
| GPT | Variable | Automatically extracts the GPT Header and Partition Table if detected |
| Partitions | 8KB each | Dumps the first 8KB of every detected partition for immediate header analysis |
.bin files are created with permissions (0666 equivalent) to ensure they remain readable by standard user accounts after creation, facilitating easy handoff to scanning tools.

| Limitation | Details |
|---|---|
| Stealth Malware | This tool performs a static dump of physical sectors. It does not currently include active evasion techniques to bypass stealth viruses, Rootkits, or MBR-based bootkits that actively hide their presence from the OS or low-level readers |
| Read-Only Operation | While the tool reads raw sectors, it does not modify disk data. However, users should exercise caution when running low-level utilities on production systems |
Execute ──► Analyze ──► Dump ──► Scan

1. Execute: run the tool with Administrator (Windows) or root (Linux) privileges.
2. Analyze: review the console output for the partition schemes of each disk.
3. Dump: the tool generates .bin files for the MBR, GPT and partitions.
4. Scan: pass the .bin files to the ROSE SWE malware scanners (rms, mpscan, VirScan Plus).
| Platform | Requirements |
|---|---|
| Windows | OS: Windows XP SP3 or later (32-bit or 64-bit); Privileges: Administrator rights required for physical drive access; Dependencies: none (standalone executable) |
| Linux | OS: Linux (kernel 2.6+); Privileges: root privileges required for physical drive access; Dependencies: none (statically linked executable) |
⚠️ Important: This tool operates at the sector level. Ensure you are reading from the correct device identifier to avoid accidental data modification or system instability.
⚠️ Elevated Privileges Required: This tool requires elevated privileges (Administrator on Windows, root on Linux) to open handles to physical drives.
Administrative Privileges Required
Windows restricts raw disk access to elevated processes. You must run this tool from an Administrator terminal.
mbrdumper.exe

Root Privileges Required
Linux restricts raw disk access to the root user. Run this tool with sudo or as the root user:

sudo ./mbrdumper [options]

| Option | Aliases | Purpose | Example |
|---|---|---|---|
| -h | -?, --help | Display help and usage information | mbrdumper -h |
| -l | --list | List all known GPT and MBR partition types | mbrdumper -l |
| -d | --disk N | Analyze only disk number N (0-based) | mbrdumper -d 0 |
| -o | --output DIR | Specify output directory for binary dumps. Must exist! | mbrdumper -o C:\Dumps |
| -n | --no-dump | Skip binary file creation, show partition info only | mbrdumper -n |
| -v | --verbose | Enable verbose output with additional details | mbrdumper -v |
Windows:

```text
# Show help
mbrdumper -h
mbrdumper --help
mbrdumper -?

# List all known partition types (sorted)
mbrdumper -l
mbrdumper --list

# Analyze disk 0 only
mbrdumper -d 0
mbrdumper --disk 1

# Quick analysis without creating binary files
mbrdumper -n

# Save dumps to custom directory
mbrdumper -o C:\Dumps
mbrdumper -d 0 --output D:\Analysis

# Combine options: disk 1, custom output, verbose, no binary dumps
mbrdumper -d 1 -o C:\Dumps -n -v
```
Linux:

```text
# Show help (as root)
sudo ./mbrdumper -h
sudo ./mbrdumper --help

# List all known partition types (sorted)
sudo ./mbrdumper -l
sudo ./mbrdumper --list

# Analyze disk 0 only (/dev/sda)
sudo ./mbrdumper -d 0

# Quick analysis without creating binary files
sudo ./mbrdumper -n

# Save dumps to custom directory
sudo ./mbrdumper -o /tmp/dumps
sudo ./mbrdumper -d 0 --output /mnt/analysis

# Combine options: disk 1, custom output, verbose, no binary dumps
sudo ./mbrdumper -d 1 -o /tmp/dumps -n -v
```
Windows 11/64, physical hardware:

```text
MBRDumper.exe
=======================================================
| PHYSICAL DISK ANALYZER & DUMPER CLI UTILITY (Windows) |
=======================================================
(c) by ROSE SWE, Ralph Roth - $Revision: 1.11 $
[✓] Administrator elevation confirmed.
DISK #0 =====
Path: \\.\PhysicalDrive0
Total Size: 476.94 GB
Scheme: GPT
----------------------------------------------------
[+] Saved: [disk0_mbr_8k.bin]
[+] Saved: [disk0_gpt_table.bin]
No. Type Offset (Bytes) Size
1 EFI System 1048576 100.00 MB
[+] Saved: [disk0_part1_8k.bin]
2 Microsoft Reserved 105906176 16.00 MB
[+] Saved: [disk0_part2_8k.bin]
3 Basic Data 122683392 475.97 GB
[+] Saved: [disk0_part3_8k.bin]
4 Windows Recovery 511188140032 878.00 MB
[+] Saved: [disk0_part4_8k.bin]
```
The same machine with -n (no binary dumps):

```text
MBRDumper.exe -n
=======================================================
| PHYSICAL DISK ANALYZER & DUMPER CLI UTILITY (Windows) |
=======================================================
(c) by ROSE SWE, Ralph Roth - $Revision: 1.11 $
[✓] Administrator elevation confirmed.
DISK #0 =====
Path: \\.\PhysicalDrive0
Total Size: 476.94 GB
Scheme: GPT
----------------------------------------------------
No. Type Offset (Bytes) Size
1 EFI System 1048576 100.00 MB
2 Microsoft Reserved 105906176 16.00 MB
3 Basic Data 122683392 475.97 GB
4 Windows Recovery 511188140032 878.00 MB
```
Windows 8.1, KVM image:

```text
C:\temp\windows>MBRDumper.exe -n
=======================================================
| PHYSICAL DISK ANALYZER & DUMPER CLI UTILITY (Windows) |
=======================================================
(c) by ROSE SWE, Ralph Roth - $Revision: 1.11 $
[✓] Administrator elevation confirmed.
DISK #0 =====
Path: \\.\PhysicalDrive0
Total Size: 71.00 GB
Scheme: MBR
----------------------------------------------------
No. Type Offset (Bytes) Size
1 NTFS/exFAT 1048576 350.00 MB
2 NTFS/exFAT 368050176 70.66 GB
0 [Empty Partition]
0 [Empty Partition]
DISK #1 =====
Path: \\.\PhysicalDrive1
Total Size: 32.00 GB
Scheme: MBR
----------------------------------------------------
No. Type Offset (Bytes) Size
1 NTFS/exFAT 1048576 12.47 GB
2 NTFS/exFAT 13386121216 19.53 GB
0 [Empty Partition]
0 [Empty Partition]
```
Ubuntu 22.04 LTS, physical hardware:

```text
$ sudo ./mbrdumper
=======================================================
| PHYSICAL DISK ANALYZER & DUMPER CLI UTILITY (Linux) |
=======================================================
(c) by ROSE SWE, Ralph Roth - $Revision: 1.11 $
[✓] Root privilege confirmed.
DISK #0 =====
Path: /dev/sda
Total Size: 238.47 GB
Scheme: (MBR/GPT detection requires parsing)
--------------------------------------------------
[+] Saved: [disk0_mbr_8k.bin]
[+] Saved: [disk0_gpt_table.bin]
No. Type Offset (Bytes) Size
1 EFI System 1048576 512.00 MB
[+] Saved: [disk0_part1_8k.bin]
2 Linux Root (x86-64) 538017792 237.96 GB
[+] Saved: [disk0_part2_8k.bin]
DISK #1 =====
Path: /dev/sdb
Total Size: 1024.00 GB
Scheme: (MBR/GPT detection requires parsing)
--------------------------------------------------
[+] Saved: [disk1_mbr_8k.bin]
No. Type Offset (Bytes) Size
1 Linux Filesystem 1048576 1023.99 GB
[+] Saved: [disk1_part1_8k.bin]
```
Ubuntu 22.04 LTS with -n (no binary dumps):

```text
$ sudo ./mbrdumper -d 0 -n
=======================================================
| PHYSICAL DISK ANALYZER & DUMPER CLI UTILITY (Linux) |
=======================================================
(c) by ROSE SWE, Ralph Roth - $Revision: 1.11 $
[✓] Root privilege confirmed.
DISK #0 =====
Path: /dev/sda
Total Size: 238.47 GB
Scheme: (MBR/GPT detection requires parsing)
--------------------------------------------------
No. Type Offset (Bytes) Size
1 EFI System 1048576 512.00 MB
2 Linux Root (x86-64) 538017792 237.96 GB
```
By default, the program generates binary files in the current working directory. Use the -o or --output flag to specify a custom output directory.
- diskN_mbr_8k.bin: The first 8KB of Disk N (MBR/PMBR structure).
- diskN_gpt_table.bin: The GPT structure (if applicable, includes header and partition entries).
- diskN_partM_8k.bin: The first 8KB of Partition M on Disk N (boot sector or filesystem header).

Use the -n or --no-dump flag to skip binary file generation and only display partition information.
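To make the scheme detection and type lookup concrete for a diskN_mbr_8k.bin dump, here is an added Go example; it is not mbrdumper's own code. It classifies the first two sectors as MBR or GPT (boot signature plus the "EFI PART" magic at LBA 1) and decodes the four primary MBR entries into the tool's offset/size layout. The three-entry lookup table stands in for the tool's full list, and the 8 KB input is constructed in memory to mirror the Windows 8.1 listing above.

```go
package main
import (
	"encoding/binary"
	"fmt"
)
const sectorSize = 512

// TypeName resolves an MBR type code via a (tiny) lookup table, falling back to hex as the tool does.
func TypeName(code byte) string {
	if n, ok := map[byte]string{0x07: "NTFS/exFAT", 0x83: "Linux", 0xEE: "GPT Protective"}[code]; ok {
		return n
	}
	return fmt.Sprintf("0x%02X", code)
}

// DetectScheme needs two sectors: 0x55AA at byte 510 plus "EFI PART" at LBA 1 means GPT, else MBR.
func DetectScheme(dump []byte) string {
	if len(dump) < 2*sectorSize || dump[510] != 0x55 || dump[511] != 0xAA {
		return "Unknown" // too short or no boot signature: not a partitioned disk image
	}
	if string(dump[sectorSize:sectorSize+8]) == "EFI PART" {
		return "GPT"
	}
	return "MBR"
}

// ParseMBR decodes the four 16-byte entries at 446 (type +4, LBA +8, sectors +12, little-endian) into rows.
func ParseMBR(dump []byte) []string {
	var rows []string
	for i := 0; i < 4; i++ {
		e := dump[446+16*i : 446+16*(i+1)]
		if e[4] == 0 { // empty slot; the tool prints "[Empty Partition]" here
			continue
		}
		off := uint64(binary.LittleEndian.Uint32(e[8:])) * sectorSize
		size := uint64(binary.LittleEndian.Uint32(e[12:])) * sectorSize
		rows = append(rows, fmt.Sprintf("%d %s %d %d", i+1, TypeName(e[4]), off, size))
	}
	return rows
}

// sampleDump is a constructed 8 KB image (not a real disk) mirroring the Windows 8.1 listing:
// one NTFS partition at LBA 2048 (1 MiB) spanning 716800 sectors (350 MB), three empty slots.
func sampleDump() []byte {
	d := make([]byte, 16*sectorSize)
	d[446+4] = 0x07
	binary.LittleEndian.PutUint32(d[446+8:], 2048)
	binary.LittleEndian.PutUint32(d[446+12:], 716800)
	d[510], d[511] = 0x55, 0xAA
	return d
}
```

Feed a real disk0_mbr_8k.bin to DetectScheme and ParseMBR to cross-check the tool's console output against the raw bytes.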
The utility includes comprehensive lookup tables for both MBR and GPT partition types. Use mbrdumper -l or mbrdumper --list to display all supported partition types (sorted alphabetically for GPT, numerically for MBR).
GPT partition types include: EFI System, Microsoft Reserved, Basic Data, Windows Recovery, Linux Root (x86/x86-64/ARM/ARM64), Linux Swap, Linux Home, Linux Extended Boot, Linux Plain dm-crypt, Linux LUKS, Apple APFS/HFS+/UFS/Boot, Apple RAID, FreeBSD (Boot/Data/Swap/UFS/VINUM/ZFS), OpenBSD, NetBSD (Swap/FFS/LFS/RAID), Solaris, Ceph (OSD/Journal/Block), VMware VMFS, ChromeOS (Kernel/Rootfs), and more.
MBR partition types include: FAT12/16/32 (including hidden variants and LBA), Extended/Extended LBA, NTFS/exFAT, HPFS, Linux (Swap, Ext4, LVM, RAID, PA-RISC boot), Linux Extended, BSD variants (FreeBSD, OpenBSD, NetBSD, Darwin), Solaris, AIX, IBM GPFS, Minix, BeFS, Plan 9, PartitionMagic, EZ-Drive, OnTrack variants, SpeedStor, VMware (VMFS/VMKCORE), and many legacy system types.
This tool performs read-only operations on physical sectors. It does not modify the disk structure or write data to the physical drives. Third-party security products may flag the program's raw disk access as suspicious and report a false positive.
Windows:
When you run this on Windows, make sure you're running it from a folder where the Administrator has write permissions (like C:\Dumps\ or a dedicated project folder), otherwise the saveToFile function might hit a "Permission Denied" error when trying to write the binary files to disk.
Linux:
When running on Linux with sudo, output files are created with permissions 0666 (readable/writable by all users) to ensure they remain accessible after the sudo command completes. Ensure you have sufficient disk space in the output directory.