security_downloads

MBR Dump With .NET - Part 1

Greetings. Years ago I was messing around with Windows MBR (VXHeaven thread) and got stuck while trying to write a modified copy back to the disk. I'm calling this "Part 1" because I'm still stuck at this and plan to get back on my research.

Anyways, it will be a short post, just to share where I was at that time.

using System;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

namespace MBR
{
    class MainClass
    {
        // Returns INVALID_SET_FILE_POINTER (0xFFFFFFFF) on failure. lpDistanceToMoveHigh is
        // both input and output in Win32, so it is marshalled as ref and initialised to 0.
        [DllImport("Kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        static extern uint SetFilePointer(
            [In] SafeFileHandle hFile,
            [In] int lDistanceToMove,
            ref int lpDistanceToMoveHigh,
            [In] EMoveMethod dwMoveMethod);

        [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        static extern SafeFileHandle CreateFile(string lpFileName, uint dwDesiredAccess,
            uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
            uint dwFlagsAndAttributes, IntPtr hTemplateFile);

        // Returns FALSE on failure; the number of bytes actually read comes back in numBytesRead.
        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool ReadFile(SafeFileHandle handle, byte[] bytes,
            int numBytesToRead, out int numBytesRead, IntPtr overlapped_MustBeZero);

        public enum EMoveMethod : uint
        {
            Begin = 0,
            Current = 1,
            End = 2
        }

        const uint GENERIC_READ = 0x80000000;
        const uint FILE_SHARE_READ = 0x1;
        const uint FILE_SHARE_WRITE = 0x2;
        const uint OPEN_EXISTING = 3;
        const uint INVALID_SET_FILE_POINTER = 0xFFFFFFFF;
        const int MBR_SIZE = 0x200;   // the MBR is the first 512-byte sector of the disk

        public static void Main(string[] args)
        {
            Console.Title = "MBR Dumper";
            Console.WriteLine("Dump MBR to raw.bin? (Y or N)");
            string ans = Console.ReadLine();

            if (ans == "Y" || ans == "y")
            {
                Console.WriteLine("\nDumping...");
                Dump();
                Console.WriteLine("Done!");
                Console.ReadKey(true);
            }
            else
            {
                Environment.Exit(0);
            }
        }

        public static void Dump()
        {
            // Opening the raw disk needs administrator rights. The share mode must allow
            // read and write, because the mounted volumes already hold the device open;
            // a share mode of 0 fails with ERROR_SHARING_VIOLATION.
            using (SafeFileHandle handle = CreateFile(@"\\.\PHYSICALDRIVE0", GENERIC_READ,
                FILE_SHARE_READ | FILE_SHARE_WRITE, IntPtr.Zero, OPEN_EXISTING, 0, IntPtr.Zero))
            {
                if (handle.IsInvalid)
                    Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());

                // Seek to offset 0 (sector 0). 0xFFFFFFFF can be a valid low DWORD when the high
                // part is supplied, so only treat it as failure when GetLastError is set.
                int moveToHigh = 0;
                if (SetFilePointer(handle, 0, ref moveToHigh, EMoveMethod.Begin) == INVALID_SET_FILE_POINTER
                    && Marshal.GetLastWin32Error() != 0)
                    Marshal.ThrowExceptionForHR(Marshal.GetHRForLastWin32Error());

                byte[] buf = new byte[MBR_SIZE];
                int read;
                if (!ReadFile(handle, buf, MBR_SIZE, out read, IntPtr.Zero) || read != MBR_SIZE)
                    throw new IOException("ReadFile returned " + read + " bytes, Win32 error "
                        + Marshal.GetLastWin32Error());

                // File.Create truncates an existing raw.bin; File.OpenWrite would leave stale bytes
                // behind if an older, larger dump were already there.
                using (FileStream output = File.Create("raw.bin"))
                    output.Write(buf, 0, read);
            }
        }
    }
}

That's it, the MBR will be dumped to "raw.bin" in your current application directory. You can open it with a text editor or, even better, a hex editor and modify it as you wish. I will keep my work on this and if I ever find a way to write it back to the disk (tried several things already, no luck), I will post a Part 2.
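Once raw.bin exists, the more useful step from a defender's side is to parse it rather than eyeball it in a hex editor: check the 0x55AA boot signature at offset 0x1FE, decode the four 16-byte partition entries at 0x1BE, and hash the boot-code region (bytes 0 to 0x1BD) so that a later dump can be compared against a known-good baseline. Bootkits and MBR ransomware replace exactly that region, while the partition table changes only when the disk is legitimately repartitioned. The inspector below is an added example written for this post, not code from the original; the class and method names (MbrInspector, Inspect) are my own, it reads the partition fields with BitConverter (assumes a little-endian host, which is always the case on Windows x86/x64), and when run without a file argument it inspects a constructed sample image instead of a real dump.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: parse a 512-byte MBR image such as the raw.bin written by the dumper above
// and report what is worth baselining: boot-code hash, signature and partition entries.
class MbrInspector
{
    const int SectorSize = 512;
    const int PartitionTableOffset = 0x1BE;   // four 16-byte entries
    const int SignatureOffset = 0x1FE;        // 0x55 0xAA

    struct PartitionEntry
    {
        public byte Status;       // 0x80 = active/bootable, 0x00 = inactive
        public byte Type;         // e.g. 0x07 NTFS/exFAT, 0xEE protective GPT
        public uint StartLba;     // first sector of the partition (little-endian on disk)
        public uint SectorCount;  // length in sectors
    }

    static PartitionEntry ParseEntry(byte[] mbr, int offset)
    {
        // CHS fields (bytes 1-3 and 5-7 of the entry) are obsolete and skipped here.
        return new PartitionEntry
        {
            Status = mbr[offset],
            Type = mbr[offset + 4],
            StartLba = BitConverter.ToUInt32(mbr, offset + 8),
            SectorCount = BitConverter.ToUInt32(mbr, offset + 12),
        };
    }

    // Returns a human-readable report; throws if the image is not a plausible MBR.
    public static string Inspect(byte[] mbr)
    {
        if (mbr.Length < SectorSize)
            throw new ArgumentException("MBR image must be at least 512 bytes");
        if (mbr[SignatureOffset] != 0x55 || mbr[SignatureOffset + 1] != 0xAA)
            throw new InvalidDataException("missing 0x55AA boot signature");

        var sb = new StringBuilder();
        // Hash only the boot-code area. Compare this value between dumps taken over time:
        // a change here without an OS/bootloader update is a strong tampering indicator.
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(mbr, 0, PartitionTableOffset);
            sb.AppendLine("boot code SHA-256: " +
                BitConverter.ToString(digest).Replace("-", "").ToLowerInvariant());
        }
        for (int i = 0; i < 4; i++)
        {
            PartitionEntry e = ParseEntry(mbr, PartitionTableOffset + i * 16);
            if (e.Type == 0)
            {
                sb.AppendLine("entry " + i + ": empty");
                continue;
            }
            sb.AppendLine(string.Format("entry {0}: status=0x{1:X2} type=0x{2:X2} startLBA={3} sectors={4}",
                i, e.Status, e.Type, e.StartLba, e.SectorCount));
        }
        return sb.ToString();
    }

    static void Main(string[] args)
    {
        byte[] mbr;
        if (args.Length > 0)
        {
            mbr = File.ReadAllBytes(args[0]);   // e.g. raw.bin produced by the dumper
        }
        else
        {
            // Constructed sample image (not a real dump): zeroed boot code, one active NTFS
            // partition starting at LBA 2048 spanning 1048576 sectors, valid signature.
            mbr = new byte[SectorSize];
            int p = PartitionTableOffset;
            mbr[p] = 0x80;
            mbr[p + 4] = 0x07;
            Array.Copy(BitConverter.GetBytes(2048u), 0, mbr, p + 8, 4);
            Array.Copy(BitConverter.GetBytes(1048576u), 0, mbr, p + 12, 4);
            mbr[SignatureOffset] = 0x55;
            mbr[SignatureOffset + 1] = 0xAA;
        }
        Console.Write(Inspect(mbr));
    }
}
```

Run it as `MbrInspector.exe raw.bin` against a real dump, or with no arguments to see the sample output. Keeping the partition table out of the hash is deliberate: it lets the same baseline survive a repartition while still catching a swapped boot sector, and the signature check catches a dump that was truncated or taken from the wrong device.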
