Mal-ware Modified Partitions (Visible in Linux, Not Windows) - Are There More?

manpreet Best Answer 3 years ago

While using diskpart in Windows 10, I am able to see only one partition which i've created and installed Windows in a .vhdx file, but this is the only visible partition seen using that utility while booted from installation media. I decided to see what a Dr. Web rescue CD/USB showed and what I found doen't make sense. First, I used the command fdisk /dev/sda and the results matched diskpart but when I ran fdisk /dev/sda1, it appears that there are four additional/sub partitions and are sized (somehow) much larger than the 500G HDD i have in the machine.

What has been done with the partitioning and how is it possible to have partitions that are significantly larger than the capacity of the physical drive?

How can I check if there are other partitions on the drive that are not visible?

Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 9603D5A0-AAEE-41B0-96E0-813FB368B872

Device     Start       End   Sectors  Size Type
/dev/sda1   2048 204802047 204800000 97.7G Microsoft basic data

Command (m for help): 


root@drweb:~# fdisk /dev/sda1

Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): p
Disk /dev/sda1: 97.7 GiB, 104857600000 bytes, 204800000 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6e697373

Device      Boot      Start        End    Sectors   Size Id Type
/dev/sda1p1      1936269394 3772285809 1836016416 875.5G 4f QNX4.x 3rd part
/dev/sda1p2      1917848077 2462285169  544437093 259.6G 73 unknown
/dev/sda1p3      1818575915 2362751050  544175136 259.5G 2b unknown
/dev/sda1p4      2844524554 2844579527      54974  26.9M 61 SpeedStor

Partition table entries are not in disk order.

Command (m for help): v
Partition 1: overlaps partition 2.
Partition 1: overlaps partition 3.
Partition 2: overlaps partition 3.
Partition 1: overlaps partition 4.
Total allocated sectors 3463497636 greater than the maximum 204800000.


Command (m for help): i
Partition number (1-4, default 4): 1

         Device: /dev/sda1p1
          Start: 1936269394
            End: 3772285809
        Sectors: 1836016416
      Cylinders: 114287
           Size: 875.5G
             Id: 4f
           Type: QNX4.x 3rd part
    Start-C/H/S: 335/2/10
      End-C/H/S: 327/13/84
          Attrs: 0d

Command (m for help): i   
Partition number (1-4, default 4): 2

         Device: /dev/sda1p2
          Start: 1917848077
            End: 2462285169
        Sectors: 544437093
      Cylinders: 33890
           Size: 259.6G
             Id: 73
           Type: unknown
    Start-C/H/S: 371/37/114
      End-C/H/S: 256/36/101
          Attrs: 70

Command (m for help): i
Partition number (1-4, default 4): 3

         Device: /dev/sda1p3
          Start: 1818575915
            End: 2362751050
        Sectors: 544175136
      Cylinders: 33874
           Size: 259.5G
             Id: 2b
           Type: unknown
    Start-C/H/S: 364/50/116
      End-C/H/S: 372/44/65
          Attrs: 43

Command (m for help): i
Partition number (1-4, default 4): 4

         Device: /dev/sda1p4
          Start: 2844524554
            End: 2844579527
        Sectors: 54974
      Cylinders: 4
           Size: 26.9M
             Id: 61
           Type: SpeedStor
    Start-C/H/S: 372/51/101
      End-C/H/S: 269/52/114
          Attrs: 72