【转】RING3直接读写磁盘扇区

发表于 2015-1-15 19:46:38 | 显示全部楼层 |阅读模式

FROM: http://www.kernelmode.info/forum/viewtopic.php?f=15&t=3677
Author: EP_X0FF
  1. #include <windows.h>
  2. #include "prtl.h"

  /*
   * IOCTL_ATA_PASS_THROUGH_DIRECT and the ATA_FLAGS_* bits live in ntddscsi.h
   * (WDK), which <windows.h> does not pull in, so they are reproduced here.
   * The control code carries FILE_READ_ACCESS | FILE_WRITE_ACCESS: the device
   * handle it is sent to must be opened with both GENERIC_READ and
   * GENERIC_WRITE (see the PHYSICALDRIVE open in IsFileInfested), which in
   * practice means an elevated token.
   */
  #define IOCTL_SCSI_BASE                 FILE_DEVICE_CONTROLLER
  /* Same value winioctl.h already uses; an identical redefinition is legal C. */
  #define FILE_DEVICE_CONTROLLER          0x00000004
  #define IOCTL_ATA_PASS_THROUGH_DIRECT   CTL_CODE(IOCTL_SCSI_BASE, 0x040c, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

  /* ATA_PASS_THROUGH_DIRECT.AtaFlags bits. */
  #define ATA_FLAGS_DRDY_REQUIRED         (1 << 0)   /* wait for DRDY before issuing the command */
  #define ATA_FLAGS_DATA_IN               (1 << 1)   /* device -> host transfer into DataBuffer */
  #define ATA_FLAGS_DATA_OUT              (1 << 2)   /* host -> device transfer from DataBuffer */
  #define ATA_FLAGS_48BIT_COMMAND         (1 << 3)   /* PreviousTaskFile carries the high-order register bytes */
  #define ATA_FLAGS_USE_DMA               (1 << 4)   /* DMA protocol (READ DMA / READ DMA EXT below) */
  #define ATA_FLAGS_NO_MULTIPLE           (1 << 5)   /* not used by this sample */

  /*
   * User-mode mirror of the ntddscsi.h ATA_PASS_THROUGH_DIRECT header.
   * "DIRECT" means DataBuffer is a caller-owned buffer the port driver locks
   * and transfers into/out of directly, instead of data trailing the struct.
   *
   * The two task-file arrays follow the ATA register block, one byte each:
   *   [0] features   [1] sector count   [2] LBA low   [3] LBA mid
   *   [4] LBA high   [5] device/head    [6] command   [7] reserved
   * The code below uses CurrentTaskFile[1] for the count, [2..4] for
   * LBA[23:0], [5] for the device register (0x40 = LBA mode) and [6] for the
   * command (0xEC / 0x25 / 0xC8).  With ATA_FLAGS_48BIT_COMMAND set,
   * PreviousTaskFile holds the high-order byte of each register
   * (LBA[47:24] in [2..4]); without it PreviousTaskFile is ignored.
   */
  typedef struct _ATA_PASS_THROUGH_DIRECT
  {
      USHORT Length;              /* sizeof(ATA_PASS_THROUGH_DIRECT) */
      USHORT AtaFlags;            /* ATA_FLAGS_* */
      UCHAR PathId;               /* SCSI address of the target; left 0 here */
      UCHAR TargetId;
      UCHAR Lun;
      UCHAR ReservedAsUchar;
      ULONG DataTransferLength;   /* bytes moved through DataBuffer */
      ULONG TimeOutValue;         /* seconds */
      ULONG ReservedAsUlong;
      PVOID DataBuffer;           /* caller buffer, >= DataTransferLength bytes */
      UCHAR PreviousTaskFile[8];  /* high-order register bytes (48-bit commands only) */
      UCHAR CurrentTaskFile[8];   /* registers to program; filled with status on return */
  } ATA_PASS_THROUGH_DIRECT, *PATA_PASS_THROUGH_DIRECT;

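  /* Size of the RETRIEVAL_POINTERS_BUFFER passed to FSCTL_GET_RETRIEVAL_POINTERS:
   * 1 MiB, i.e. about 64k extent entries of two LARGE_INTEGERs each.
   * Parenthesised so the macro is safe inside a larger expression; the
   * original `1024*1024` turned `INBUFFER_SIZE / INBUFFER_SIZE` into
   * `1024*1024/1024*1024`. */
  #define INBUFFER_SIZE (1024 * 1024)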

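  /*
   * Build "\\.\PHYSICALDRIVE<n>" for disk number n into out, which must hold
   * at least 32 TCHARs (17-character prefix, up to 10 digits, NUL).  Written
   * by hand so nothing beyond <windows.h> (no user32 wsprintf, no tchar.h)
   * is needed.
   */
  static void FormatPhysicalDrivePath(TCHAR *out, DWORD diskNumber)
  {
     static const TCHAR prefix[] = TEXT("\\\\.\\PHYSICALDRIVE");
     TCHAR digits[10];
     int   len = 0, nd = 0;

     while (prefix[len] != 0) {
        out[len] = prefix[len];
        len++;
     }
     do {
        digits[nd++] = (TCHAR)(TEXT('0') + (diskNumber % 10));
        diskNumber /= 10;
     } while (diskNumber != 0);
     while (nd > 0)
        out[len++] = digits[--nd];
     out[len] = 0;
  }

  /*
   * Read the on-disk clusters of FileName straight from the ATA device into
   * RawData, bypassing the file-system stack (and whatever hooks it).  The
   * caller compares the result with what ReadFile returns; despite the name
   * this function does not do the comparison itself.
   *
   *   FileName   drive-letter path ("X:\...") of a file whose data is stored
   *              in clusters (not resident in the MFT, not sparse/compressed)
   *   RawData    receives the raw clusters in VCN order; whatever does not
   *              fit is left untouched
   *   BufferSize size of RawData in bytes
   *
   * Returns 0 when every cluster that fits in RawData was read, -1 otherwise
   * (no drive letter, extent map unavailable, volume spanning several disks,
   * pass-through refused by the port driver, an individual read failed, ...).
   *
   * Steps:
   *   1. FSCTL_GET_RETRIEVAL_POINTERS        -> VCN->LCN extents of the file
   *   2. IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS -> disk number and byte offset
   *                                             of the volume on that disk
   *   3. IDENTIFY DEVICE (0xEC) via IOCTL_ATA_PASS_THROUGH_DIRECT to learn
   *      whether the drive supports 48-bit LBA (identify word 83, bit 10)
   *   4. READ DMA EXT (0x25) or READ DMA (0xC8), one cluster per command
   *
   * "Ring 3" does not mean "unprivileged": the PHYSICALDRIVE handle is opened
   * with GENERIC_WRITE because the IOCTL demands FILE_READ_ACCESS |
   * FILE_WRITE_ACCESS, and that open only succeeds for an administrator.
   * Pass-through also only works on a real ATA/SATA device whose port driver
   * implements it; NVMe, USB bridges, most RAID stacks and VM virtual disks
   * will fail at the IDENTIFY step.
   */
  int IsFileInfested(LPCTSTR FileName, LPVOID RawData, DWORD BufferSize)
  {
     ATA_PASS_THROUGH_DIRECT     dio, dioOut;
     STARTING_VCN_INPUT_BUFFER   base;
     RETRIEVAL_POINTERS_BUFFER  *ptrs = NULL;
     VOLUME_DISK_EXTENTS         ext;
     HANDLE   f = INVALID_HANDLE_VALUE;
     DWORD    iobytes = 0, SectorsPerCluster = 0, BytesPerSector = 0;
     DWORD    c, p = 0, clusterBytes;
     /* "\\.\X:\" -- drive[4] receives the letter; drive[6] is cleared later
      * to turn it into the volume device name "\\.\X:".  (The forum copy of
      * this listing lost the trailing backslash and showed an unterminated
      * literal.) */
     TCHAR    drive[8] = TEXT("\\\\.\\X:\\");
     TCHAR    physPath[32];
     WORD     DevId[256];
     USHORT   AtaFlags;
     UCHAR    AtaCommand;
     __int64  partStart, prevVcn = 0;
     int      rc = -1;

     if (FileName == NULL || RawData == NULL || FileName[0] == 0)
        return -1;

     /* Cluster geometry of the volume; "X:\" is the root path. */
     drive[4] = FileName[0];
     if (!GetDiskFreeSpace(&drive[4], &SectorsPerCluster, &BytesPerSector, NULL, NULL))
        return -1;
     /* One cluster is read per ATA command.  The sector-count register is
      * 8 bits for READ DMA (0 means 256) and 16 bits for READ DMA EXT; a cap
      * of 256 is addressable by both, larger NTFS clusters are refused rather
      * than truncated. */
     if (BytesPerSector == 0 || SectorsPerCluster == 0 || SectorsPerCluster > 256)
        return -1;
     clusterBytes = BytesPerSector * SectorsPerCluster;

     ptrs = (RETRIEVAL_POINTERS_BUFFER *)VirtualAlloc(NULL, INBUFFER_SIZE, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
     if (ptrs == NULL)
        return -1;

     /* 1. Extent map of the file.  This fails (ERROR_HANDLE_EOF) for files
      *    resident in the MFT and (ERROR_MORE_DATA) for files with more
      *    extents than fit in INBUFFER_SIZE; both are reported as -1. */
     f = CreateFile(FileName, GENERIC_READ | SYNCHRONIZE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
     if (f == INVALID_HANDLE_VALUE)
        goto cleanup;
     base.StartingVcn.QuadPart = 0;
     if (!DeviceIoControl(f, FSCTL_GET_RETRIEVAL_POINTERS, &base, sizeof(base), ptrs, INBUFFER_SIZE, &iobytes, NULL))
        goto cleanup;
     CloseHandle(f);
     f = INVALID_HANDLE_VALUE;

     /* 2. Where the volume lives.  ext has room for exactly one extent, so a
      *    volume spanning several disks fails here with ERROR_MORE_DATA. */
     drive[6] = 0;
     f = CreateFile(drive, GENERIC_READ | SYNCHRONIZE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
     if (f == INVALID_HANDLE_VALUE)
        goto cleanup;
     if (!DeviceIoControl(f, IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS, NULL, 0, &ext, sizeof(ext), &iobytes, NULL))
        goto cleanup;
     CloseHandle(f);
     f = INVALID_HANDLE_VALUE;
     if (ext.NumberOfDiskExtents != 1)
        goto cleanup;

     /* 3. Open the disk the volume actually sits on -- the original always
      *    opened PHYSICALDRIVE0 and read garbage for any other disk. */
     FormatPhysicalDrivePath(physPath, ext.Extents[0].DiskNumber);
     f = CreateFile(physPath, GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
     if (f == INVALID_HANDLE_VALUE)
        goto cleanup;

     /* Volume start as a sector LBA; BytesPerSector is the logical sector
      * size the file system sees, which is also what the ATA LBA counts. */
     partStart = ext.Extents[0].StartingOffset.QuadPart / BytesPerSector;

     /* IDENTIFY DEVICE: 256 words of identification data. */
     memset(DevId, 0, sizeof(DevId));
     memset(&dio, 0, sizeof(dio));
     dio.Length = sizeof(dio);
     dio.AtaFlags = ATA_FLAGS_DRDY_REQUIRED | ATA_FLAGS_DATA_IN;
     dio.DataTransferLength = sizeof(DevId);
     dio.TimeOutValue = 1;
     dio.DataBuffer = DevId;
     dio.CurrentTaskFile[6] = 0xEC;
     /* If even IDENTIFY is refused, pass-through does not work on this
      * device; the original ignored the failure and silently fell back to
      * 28-bit reads that then failed one by one. */
     if (!DeviceIoControl(f, IOCTL_ATA_PASS_THROUGH_DIRECT, &dio, sizeof(dio), &dioOut, sizeof(dioOut), &iobytes, NULL))
        goto cleanup;

     /* Identify word 83 bit 10: 48-bit address feature set supported. */
     if (DevId[83] & 0x0400) {
        AtaCommand = 0x25;   /* READ DMA EXT */
        AtaFlags = ATA_FLAGS_DRDY_REQUIRED | ATA_FLAGS_USE_DMA | ATA_FLAGS_DATA_IN | ATA_FLAGS_48BIT_COMMAND;
     } else {
        AtaCommand = 0xC8;   /* READ DMA, 28-bit LBA */
        AtaFlags = ATA_FLAGS_DRDY_REQUIRED | ATA_FLAGS_USE_DMA | ATA_FLAGS_DATA_IN;
     }

     /* 4. Walk the extents.  Extent c covers VCNs [prevVcn, NextVcn) and
      *    starts at volume cluster Lcn. */
     for (c = 0; c < ptrs->ExtentCount; c++) {
        __int64 lcn    = ptrs->Extents[c].Lcn.QuadPart;
        __int64 runLen = ptrs->Extents[c].NextVcn.QuadPart - prevVcn;
        __int64 i;

        prevVcn = ptrs->Extents[c].NextVcn.QuadPart;

        /* Lcn == -1 marks a run with no clusters on disk (sparse hole or
         * compressed unit).  There is nothing to read; the original would
         * have derived a bogus LBA from it. */
        if (lcn < 0)
           goto cleanup;

        for (i = 0; i < runLen; i++) {
           __int64 lba = partStart + (lcn + i) * (__int64)SectorsPerCluster;

           /* Stop (successfully, as before) once RawData is full. */
           if (BufferSize - p < clusterBytes)
              goto done;

           memset(&dio, 0, sizeof(dio));
           dio.Length = sizeof(dio);
           dio.AtaFlags = AtaFlags;
           dio.DataTransferLength = clusterBytes;
           dio.TimeOutValue = 1;
           dio.DataBuffer = (LPBYTE)RawData + p;

           /* Sector count and LBA[23:0] go in the current task file. */
           dio.CurrentTaskFile[1] = (UCHAR)SectorsPerCluster;   /* 256 -> 0, which ATA reads as 256 */
           dio.CurrentTaskFile[2] = (UCHAR)(lba & 0xff);
           dio.CurrentTaskFile[3] = (UCHAR)((lba >> 8) & 0xff);
           dio.CurrentTaskFile[4] = (UCHAR)((lba >> 16) & 0xff);

           if (AtaCommand == 0x25) {
              /* 48-bit: high byte of the count and LBA[47:24] ride in the
               * previous task file; the device register only selects LBA
               * mode.  (The original left PreviousTaskFile[1] zero, so a
               * 256-sector cluster became a 65536-sector request.) */
              dio.PreviousTaskFile[1] = (UCHAR)((SectorsPerCluster >> 8) & 0xff);
              dio.PreviousTaskFile[2] = (UCHAR)((lba >> 24) & 0xff);
              dio.PreviousTaskFile[3] = (UCHAR)((lba >> 32) & 0xff);
              dio.PreviousTaskFile[4] = (UCHAR)((lba >> 40) & 0xff);
              dio.CurrentTaskFile[5] = 0x40;
           } else {
              /* 28-bit: LBA[27:24] live in the low nibble of the device
               * register.  The original computed this and then overwrote it
               * with a plain 0x40, so every read beyond LBA 2^24 (8 GiB at
               * 512-byte sectors) went to the wrong place.  Anything the
               * command cannot address is refused instead of wrapped. */
              if (lba + SectorsPerCluster - 1 > 0x0FFFFFFF)
                 goto cleanup;
              dio.CurrentTaskFile[5] = (UCHAR)(0x40 | ((lba >> 24) & 0x0f));
           }
           dio.CurrentTaskFile[6] = AtaCommand;

           /* A failed read used to be ignored, leaving the caller's fill
            * pattern in RawData and making any later comparison meaningless. */
           if (!DeviceIoControl(f, IOCTL_ATA_PASS_THROUGH_DIRECT, &dio, sizeof(dio), &dioOut, sizeof(dioOut), &iobytes, NULL))
              goto cleanup;
           p += clusterBytes;
        }
     }

  done:
     rc = 0;
  cleanup:
     if (f != INVALID_HANDLE_VALUE)
        CloseHandle(f);
     if (ptrs != NULL)
        VirtualFree(ptrs, 0, MEM_RELEASE);
     return rc;
  }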

  /* Hard-coded file to dump.  Must be a drive-letter path, because
   * IsFileInfested derives the volume from FileName[0].  fltmgr.sys is the
   * file-system filter manager driver. */
  #define sFileName TEXT("C:\\WINDOWS\\system32\\drivers\\fltmgr.sys")

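  /*
   * Dump the raw on-disk clusters of sFileName to Z:\TEMP\4321.dmp.
   *
   * The buffer is pre-filled with 0xCC so any region the raw read did not
   * reach stands out in the dump.  Comparing the dump with the file as seen
   * through the file system is left to the user.  Must run elevated (see
   * IsFileInfested).
   *
   * Exit status: 0 success, 1 file could not be opened/sized, 2 allocation
   * failed, 3 raw read failed (dump is still written for inspection),
   * 4 dump could not be written.
   */
  int main(void)
  {
     LPVOID  buffer;
     HANDLE  f;
     DWORD   iobytes = 0, fsize = INVALID_FILE_SIZE;
     int     rc = 0;

     /* The original checked nothing here: an unopenable file gave fsize 0,
      * VirtualAlloc(NULL, 0, ...) returned NULL, and memset/IsFileInfested
      * then ran on a NULL buffer. */
     f = CreateFile(sFileName, GENERIC_READ | SYNCHRONIZE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
     if (f != INVALID_HANDLE_VALUE) {
        fsize = GetFileSize(f, NULL);
        CloseHandle(f);
     }
     if (fsize == INVALID_FILE_SIZE || fsize == 0)
        return 1;

     buffer = VirtualAlloc(NULL, fsize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
     if (buffer == NULL)
        return 2;
     /* Fill pattern: bytes still 0xCC after the raw read were never read. */
     memset(buffer, 0xcc, fsize);

     if (IsFileInfested(sFileName, buffer, fsize) != 0)
        rc = 3;

     /* Write the dump even after a partial failure so the 0xCC regions can
      * be looked at; WriteFile's result was previously ignored. */
     f = CreateFile(TEXT("Z:\\TEMP\\4321.dmp"), GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, 0, NULL);
     if (f == INVALID_HANDLE_VALUE) {
        if (rc == 0)
           rc = 4;
     } else {
        if ((!WriteFile(f, buffer, fsize, &iobytes, NULL) || iobytes != fsize) && rc == 0)
           rc = 4;
        CloseHandle(f);
     }

     VirtualFree(buffer, 0, MEM_RELEASE);
     return rc;
  }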
但EP_X0FF表示:Do you understand with current hardware + newest Windows installed in EFI mode all legacy BIOS bootkits are no longer work? And after few years computers with BIOS you can only see in the scrapyard?

翻译过来就是:现在的硬件+最新的Windows在EFI模式下,所有的BIOS bootkit将不再有效你造吗?几年后,你只能在废料厂找到有BIOS的电脑。(他说的BIOS指的是Legacy方式引导的电脑。)

 楼主| 发表于 2015-1-21 03:51:31 来自手机 | 显示全部楼层
我觉得……现在“坚持”用XP的人还是很多,恐怕完全淘汰Legacy Boot要很久以后喽

发表于 2016-6-3 17:15:15 | 显示全部楼层
ring3说明是用户级别的程序?这样也可读写磁盘扇区?

话说谢谢楼主的搬运,不搬运压根不知道有这回事,知道了或许可以自己研究一下~

发表于 2017-2-22 10:59:47 | 显示全部楼层
谢谢楼主分享,意思就是UEFI的不起作用了吗?