Reverse-engineering MenuetOS 64: primary boot loader

Now that we have the MenuetOS 64 disk image file (M6414490.IMG), it is time to analyze! We will analyze the image file both statically and dynamically. Static analysis is reading and analyzing code without running it, whereas dynamic analysis is running the code and watching how it changes registers and memory during execution. Each analysis mode compliments the other; there are some things that can only be discerned through code execution, like register values or stack layout at a specific point in time during execution. Static analysis is useful for “filling in the blanks” when executing code to understand what the code should do next (or just did). Since MenuetOS 64 is written in Intel x64 assembly, our static analysis will consist of memory mapped disassembly in Ghidra. After reading this post, readers should understand how to launch a MenuetOS 64 virtual machine using QEMU as well as how to attach a debugger (gdb) to QEMU in order to debug while code is executing. Also, readers should understand how MenuetOS 64 begins the boot process as control of execution is passed to MenuetOS 64 code from the virtualization firmware.

↫ Nicholas Starke

This is an old post – from late 2022 – but a great read nonetheless, and considering MenuetOS doesn’t change very much from year to year, it’s still mostly relevant.


  1. 2024-06-10 3:54 pm
    • 2024-06-11 2:14 am

Leave a Reply