Kaspersky Rescue Disk 10 PXE Boot

At the time of writing, the current Rescue ISO is 10.0.32.17.

Full credit to Veniamin Gvozdikov, who did all the hard work. Most of this is taken from his page at http://zlonet.ru/page/kaspersky-rescue-10-pxe/, with some alterations/fixes added by me and more examples.

=Download pre-built=

These are the pre-built patched PXE bootable Kaspersky 10 files ready to go!

rescue.igz (initramdisk)

rescue (kernel)

These are the patch files if you are rebuilding it yourself

kaspersky.patch

kaspersky2.patch

=Background=

This is rather like an onion.

To begin with:

 * kernel: boot/rescue
 * init: boot/rescue.igz [lzma compressed cpio archive]
 * real system: rescue/LiveOS/squashfs.img > ext3.img
 * AV files: rescue/bases

Repacking adds even more onion layers, which is the bit to get your head round,

i.e. ext3.img, the real main filesystem (fixed), is packed inside squashfs.img (recreated); that and bases go inside image.squashfs (created), which goes inside rescue.igz (recreated):

 * kernel: rescue (same)
 * init: rescue.igz > image.squashfs > (rescue/bases & LiveOS/squashfs.img > ext3.img)

=Get Kaspersky 10 AV ISO=

This file is updated daily with the latest AV definitions.

$ wget -P /tmp "http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso"
--2014-07-01 10:56:51-- http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso
Resolving rescuedisk.kaspersky-labs.com (rescuedisk.kaspersky-labs.com)... 80.239.169.147, 130.117.190.147, 193.45.6.4
Connecting to rescuedisk.kaspersky-labs.com (rescuedisk.kaspersky-labs.com)|80.239.169.147|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 404781056 (386M) [application/octet-stream]
Saving to: ‘/tmp/kav_rescue_10.iso’

33% [======================================>                                                                               ] 133,971,893 5.25MB/s  eta 50s

=Extract ISO=

$ 7z x /tmp/kav_rescue_10.iso -o/tmp/iso

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: /tmp/kav_rescue_10.iso

Extracting boot
Extracting boot/System.map-rescue
Extracting boot/grub
Extracting rescue/help/SimpChinese/help.chm
Extracting [BOOT]/Bootable_NoEmulation.img

Everything is Ok

Folders: 48
Files: 5123
Size:      398377782
Compressed: 404781056

/tmp/iso$ tree -h -L 2 /tmp
/tmp
├── [ 220] iso
│   ├── [ 120] boot
│   ├── [ 60]  [BOOT]
│   ├── [2.0K] boot.catalog
│   ├── [2.8M] efi.img
│   ├── [  0]  livecd
│   └── [ 160] rescue
└── [386M] kav_rescue_10.iso

=Extract the initramdisk=

/tmp/iso/new$ lzcat -S lz /tmp/iso/boot/rescue.igz | cpio -idu
49750 blocks

/tmp/iso/new$ tree -L 1
.
├── bin
├── dev
├── etc
├── init
├── lib
├── proc
├── root
├── run
├── sbin
├── sys
├── sysroot
├── tmp
├── usr
└── var

13 directories, 1 file

=Extract the ext3 filesystem=

$ unsquashfs -d /tmp/iso/squashfs-root /tmp/iso/rescue/LiveOS/squashfs.img
Parallel unsquashfs: Using 4 processors
1 inodes (474 blocks) to write

[===============================================================================================================================================-] 474/474 100%
created 1 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos

=Mount the ext3 filesystem from the extracted squashfs.img=

$ udisks --mount /dev/loop0
Mounted /org/freedesktop/UDisks/devices/loop0 at /media/85dd4ebe-fd1b-420b-8d20-bef37149b4ec

=Patch the init, sbin/dmsquash-live-root and .bash_profile=


 * .bash_profile patch stops a race condition where startx is trying to run before the X server is up (Kaspersky should fix this properly!)
 * init and dmsquash patches alter the boot scripts to load the main system image and such from inside the initramdisk (rescue.igz) rather than externally.

Save this patch somewhere; the commands below assume /tmp/iso/kaspersky.patch.

Apply with:

$ patch -p0 --directory="/tmp/iso/new" < /tmp/iso/kaspersky.patch
patching file sbin/dmsquash-live-root
patching file init

This is the 1st patch file contents --- init.orig	2014-07-01 13:19:12.433091000 +0100 +++ init	2014-07-01 13:19:41.429091928 +0100 @@ -289,7 +289,7 @@ if ! ismounted "/run/initramfs/live"; then CDROM_DEVICES="/dev/sr*" -   for i in $CDROM_DEVICES +   for i in "/image.squashfs" do        /sbin/dmsquash-live-root $i if ismounted "/run/initramfs/live"; then --- sbin/dmsquash-live-root.orig	2014-07-01 13:18:24.465089465 +0100 +++ sbin/dmsquash-live-root	2014-07-01 13:19:03.869090726 +0100 @@ -46,9 +46,7 @@ det_img_fs { -   local _img="$1" _loop=$(losetup -f) _fs -   losetup $_loop $_img; _fs=$(det_fs $_loop); losetup -d $_loop -   echo $_fs +   echo squashfs } for arg in $CMDLINE; do case $arg in ro|rw) liverw=$arg ;; esac; done @@ -62,7 +60,6 @@        auto) die "cannot mount live image (unknown filesystem type)" ;; *) FSIMG=$livedev ;;    esac -else     mount -n -t $fstype -o ${liverw:-ro} $livedev /run/initramfs/live     if [ "$?" != "0" ]; then         die "Failed to mount block device of live image"
 * 1) determine filesystem type for a filesystem image
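
Review bot: In the init hunk, `for i in "/image.squashfs"` is a loop over a single literal, and the `CDROM_DEVICES="/dev/sr*"` assignment just above it is left unused, so the patched init no longer looks for the live image on a CD at all. Either call `/sbin/dmsquash-live-root /image.squashfs` first and fall back to `$CDROM_DEVICES` only when `/run/initramfs/live` is still not mounted, or remove the dead variable and the loop so the script says what it does.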
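
Review bot: In the `det_img_fs` hunk of sbin/dmsquash-live-root, `echo squashfs` ignores `$1` completely, so the function reports squashfs for any path, including one that does not exist. If the `case` in the following hunk switches on this result, its `auto) die "cannot mount live image (unknown filesystem type)"` branch becomes unreachable and a missing or damaged /image.squashfs only shows up at the later mount failure. A `[ -f "$1" ]` test before the echo, or a comment explaining why the `losetup` probe had to be removed, would make that explicit.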
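
Review bot: Removing the `else` in the `@@ -62,7 +60,6 @@` hunk makes `mount -n -t $fstype -o ${liverw:-ro} $livedev /run/initramfs/live` run straight after the `case`, where it used to be the alternative branch, and nothing in the patch says what now handles the situation the `else` covered. The condition that owned this `else` is outside the hunk, so a one-line comment at that point stating that the live image is always a file inside the initramfs would document the intent for the next person who rebuilds against a newer ISO.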

(The ext3 filesystem will be mounted with the enclosed files owned by root, hence the need for sudo.)

$ sudo patch -p0 --directory="/media/85dd4ebe-fd1b-420b-8d20-bef37149b4ec" < /tmp/iso/kaspersky2.patch
patching file root/.bash_profile

This is the 2nd patch file contents

--- /media/85dd4ebe-fd1b-420b-8d20-bef37149b4ec/root/.bash_profile.orig	2014-07-03 15:18:22.000000000 +0100 +++ /media/85dd4ebe-fd1b-420b-8d20-bef37149b4ec/root/.bash_profile	2014-07-03 15:18:41.000000000 +0100 @@ -29,6 +29,7 @@ 			pkill plymouthd #mkxf86config.sh >>${log} 2>&1 echo "forcexorg" > /root/xserver.cfg +			sleep 5 startx >>${log} 2>&1 if [ $? -ne 0 ] ; then wizard
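
Review bot: The added `sleep 5` before `startx` is a fixed delay, so the race it works around can still be lost on slower hardware while every boot on faster hardware pays five seconds. A bounded loop that waits for the actual precondition would be deterministic, for example waiting for the process targeted by the `pkill plymouthd` a few lines up to exit, if that is what startx is racing against. The file headers also carry the absolute /media/85dd4ebe-fd1b-420b-8d20-bef37149b4ec mount path although the patch is applied with `-p0 --directory=` and reports `root/.bash_profile`; relative paths in the headers would let the patch apply on another machine.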

=Unmount the ext3 filesystem=

=Repack the ext3 filesystem=

$ mksquashfs /tmp/iso/squashfs-root /tmp/iso/rescue/LiveOS/squashfs.img -noappend -comp xz -b 1048576 -all-root
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on rescue/LiveOS/squashfs.img, block size 1048576.
[===============================================================================================================================================\] 474/474 100%

Exportable Squashfs 4.0 filesystem, xz compressed, data block size 1048576
	compressed data, compressed metadata, compressed fragments, compressed xattrs
	duplicates are removed
Filesystem size 127846.50 Kbytes (124.85 Mbytes)
	26.34% of uncompressed filesystem size (485366.14 Kbytes)
Inode table size 1398 bytes (1.37 Kbytes)
	70.11% of uncompressed inode table size (1994 bytes)
Directory table size 58 bytes (0.06 Kbytes)
	100.00% of uncompressed directory table size (58 bytes)
Number of duplicate files found 0
Number of inodes 3
Number of files 1
Number of fragments 0
Number of symbolic links 0
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 2
Number of ids (unique uids + gids) 1
Number of uids 1
	root (0)
Number of gids 1
	root (0)

=Create Squash of rescue parts=

Add the rescue folder and the livecd file to a squashfs archive, image.squashfs (yes, this does contain the already-squashed ext3 filesystem!). These will then be packed back into a new rescue.igz.

$ tree -h -L 2 /tmp/iso
/tmp/iso
├── [ 120] boot
│   ├── [ 200] grub
│   ├── [3.6M] rescue
│   ├── [8.1M] rescue.igz
│   └── [2.1M] System.map-rescue
├── [ 60]  [BOOT]
│   └── [2.0K] Bootable_NoEmulation.img
├── [2.0K] boot.catalog
├── [2.8M] efi.img
├── [  0]  livecd
├── [ 340] new
│   ├── [ 600] bin
│   ├── [ 40]  dev
│   ├── [ 220] etc
│   ├── [357M] image.squashfs
│   ├── [ 13K] init
│   ├── [1.2K] lib
│   ├── [ 40]  proc
│   ├── [ 40]  root
│   ├── [ 100] run
│   ├── [ 660] sbin
│   ├── [ 40]  sys
│   ├── [ 40]  sysroot
│   ├── [ 40]  tmp
│   ├── [ 120] usr
│   └── [ 100] var
├── [ 160] rescue
│   ├── [ 100] backup
│   ├── [ 84K] bases
│   ├── [ 23]  BASES.ID
│   ├── [ 220]  help
│   ├── [ 12]  KRD.VERSION
│   └── [ 60]  LiveOS
└── [ 60]  squashfs-root
    └── [ 60]  LiveOS

24 directories, 11 files

=Repack initramdisk aka rescue.igz=

This creates an lzma-compressed cpio archive of the /tmp/iso/new folder. It will take a few minutes, as it now contains the AV defs and the main filesystem.

cd /tmp/iso/new
find ./ -print | cpio --owner 0.0 --quiet -H newc -o | lzma -zc > /tmp/rescue.igz
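
The check below is an added example, not part of the original page or of Veniamin Gvozdikov's work: a small Python parser for the newc cpio format written by the repack step, used to confirm the layering from the Background section (a patched init, sbin/dmsquash-live-root and image.squashfs inside rescue.igz, everything owned by root) before the image is booted or served over PXE. The function names, the 64 KiB read limit and the sample archive are assumptions made for illustration.

```python
import io, lzma

REQUIRED = ("init", "sbin/dmsquash-live-root", "image.squashfs")

def read_newc(stream, keep=65536):
    """Yield (name, uid, gid, first `keep` data bytes) for each newc cpio entry."""
    while True:
        hdr = stream.read(110)
        if len(hdr) < 110 or hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("truncated archive or not newc cpio")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        uid, gid, size, namesize = f[2], f[3], f[6], f[11]
        name = stream.read(namesize).rstrip(b"\0").decode()
        stream.read(-(110 + namesize) % 4)       # header+name is padded to 4 bytes
        if name == "TRAILER!!!":
            return
        head = stream.read(min(size, keep))
        left = size - len(head) + (-size % 4)    # file data is padded to 4 bytes too
        while left:  # skip the rest in chunks; image.squashfs is ~357M
            chunk = stream.read(min(left, 1 << 20))
            if not chunk:
                raise ValueError("archive truncated inside " + name)
            left -= len(chunk)
        yield (name[2:] if name.startswith("./") else name), uid, gid, head

def check_initramfs(stream):
    """Return a list of problems found in a decompressed rescue.igz stream."""
    seen, problems = {}, []
    for name, uid, gid, head in read_newc(stream):
        if name in REQUIRED:
            seen[name] = head
        if uid or gid:  # the repack step uses --owner 0.0
            problems.append(f"{name}: owner {uid}.{gid}, expected 0.0")
    problems += [f"missing {n}" for n in REQUIRED if n not in seen]
    if seen.get("image.squashfs", b"hsqs")[:4] != b"hsqs":
        problems.append("image.squashfs: no squashfs magic (hsqs)")
    if b"/image.squashfs" not in seen.get("init", b"/image.squashfs"):
        problems.append("init: no reference to /image.squashfs, patch not applied?")
    return problems

def newc_entry(name, data=b"", uid=0, gid=0):  # builds constructed sample entries
    nm = name.encode() + b"\0"
    fields = [1, 0o100644, uid, gid, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
    hdr = b"070701" + b"".join(b"%08X" % v for v in fields)
    return hdr + nm + b"\0" * (-len(hdr + nm) % 4) + data + b"\0" * (-len(data) % 4)

if __name__ == "__main__":  # real use: check_initramfs(lzma.open("/tmp/rescue.igz"))
    raw = newc_entry("./init", b"for i in $CDROM_DEVICES\n") + newc_entry("TRAILER!!!")
    igz = lzma.compress(raw, format=lzma.FORMAT_ALONE)  # constructed .lzma sample
    print(check_initramfs(lzma.open(io.BytesIO(igz))))
```

An empty list means the archive has the expected layout; the constructed sample, an unpatched init with no image.squashfs, reports three problems.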

=Copy kernel to same place as initramdisk=

cp /tmp/iso/boot/rescue /tmp

You should now have all the files like this:

$ tree -h -L 1 /tmp
/tmp
├── [ 220] iso
├── [386M] kav_rescue_10.iso
├── [3.6M] rescue
└── [365M] rescue.igz

3 directories, 5 files

=Test in QEMU=

Using 1.5 GB of RAM

Boot kernel and init
$ qemu-system-i386 -enable-kvm -m 1536 -kernel /tmp/rescue -initrd /tmp/rescue.igz -append "root=live kav_lang=en udev liveimg doscsi nomodeset"

ISO boot
(Just to check it is the same!)

$ qemu-system-i386 -enable-kvm -m 1536 -cdrom /tmp/kav_rescue_10.iso