Diskflt.sys 치료 코드

language/C# 2014.08.27 10:33 posted by muhan56


  



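using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Runtime.InteropServices;
using System.IO;
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;

namespace diskflt_unload
{
    /// <summary>
    /// Console cleaner for the "diskflt" kernel driver. It registers and starts a helper
    /// driver (a ".sys" with this executable's base name, in the same directory) as the
    /// "DiskFltUninstall" service, patches the installed diskflt.sys image in place through
    /// a writable file mapping, hands the result to the running DiskFlt device via its
    /// control codes, and finally removes the helper service's registry key. Creating a
    /// service and writing under system32\drivers require an elevated process. The reboot
    /// that makes the patch take effect is left to the user.
    /// </summary>
    class Program
    {
        #region Win32 declarations and constants

        // CreateFile reports failure with INVALID_HANDLE_VALUE (-1), every other API used
        // here with NULL; the old "(int)handle > 0" tests mixed the two and truncate on x64.
        static readonly IntPtr InvalidHandleValue = new IntPtr(-1);

        const uint GenericRead = 0x80000000;          // GENERIC_READ
        const uint GenericReadWrite = 0xC0000000;     // GENERIC_READ | GENERIC_WRITE
        const uint OpenExisting = 0x03;               // OPEN_EXISTING
        const uint FileAttributeNormal = 0x80;        // FILE_ATTRIBUTE_NORMAL
        const uint PageReadWrite = 0x04;              // PAGE_READWRITE
        const uint FileMapWrite = 0x02;               // FILE_MAP_WRITE
        const uint ScManagerCreateService = 0x0002;   // SC_MANAGER_CREATE_SERVICE
        const int ServiceKernelDriver = 0x00000001;   // SERVICE_KERNEL_DRIVER
        const int ServiceRunning = 0x00000004;        // SERVICE_RUNNING
        const int ErrorServiceAlreadyRunning = 1056;  // ERROR_SERVICE_ALREADY_RUNNING
        const int ErrorServiceExists = 1073;          // ERROR_SERVICE_EXISTS
        const uint InvalidFileSize = 0xFFFFFFFF;      // INVALID_FILE_SIZE
        const int MaxPath = 260;                      // MAX_PATH

        const string HelperServiceName = "DiskFltUninstall";
        const string ServicesKeyPath = @"SYSTEM\CurrentControlSet\Services";
        // Device setup class "DiskDrive"; diskflt is attached to it through UpperFilters.
        const string DiskClassKeyPath = @"SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}";
        const string DiskFltDeviceName = "\\\\.\\DiskFlt";

        // Control codes the DiskFlt device is driven with: the first is sent together with
        // the 8-byte ASCII buffer below, the second after the patched view has been flushed.
        // What the driver does with them is not documented here; values taken over as-is.
        const uint DiskFltIoctlWithKey = 0x80002000;
        const uint DiskFltIoctlAfterFlush = 0x80002004;
        const string DiskFltIoctlKey = "wowocock";

        // Marker the patch is anchored on: the ASCII text "[dbgger][dbgger]".
        static readonly byte[] Marker =
        {
            0x5B, 0x64, 0x62, 0x67, 0x67, 0x65, 0x72, 0x5D,
            0x5B, 0x64, 0x62, 0x67, 0x67, 0x65, 0x72, 0x5D
        };

        // Bytes written PatchCodeOffset bytes past every marker hit (values taken over as-is).
        static readonly byte[] PatchCode =
        {
            0x8C, 0xF8, 0xC8, 0x9D, 0x06, 0xE9, 0xDD, 0x30,
            0x42, 0x6D, 0x01, 0xC7, 0x32, 0xCF, 0x3F, 0xF5
        };

        const int MarkerNullOffset = 34;   // the single byte zeroed, relative to the marker start
        const int PatchCodeOffset = 58;    // where PatchCode goes, relative to the marker start

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool CloseHandle(IntPtr hObject);

        // Service control manager (CheckDiskFltInfected / SysFileLoad)
        [DllImport("advapi32.dll", EntryPoint = "OpenSCManagerW", ExactSpelling = true, CharSet = CharSet.Unicode, SetLastError = true)]
        internal static extern IntPtr OpenSCManager(string machineName, string databaseName, uint dwAccess);

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        static extern IntPtr OpenService(IntPtr hSCManager, string lpServiceName, uint dwDesiredAccess);

        [DllImport("advapi32.dll")]
        private static extern int QueryServiceStatus(IntPtr hService, ref SERVICE_STATUS lpServiceStatus);

        [DllImport("advapi32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool CloseServiceHandle(IntPtr hSCObject);

        [StructLayout(LayoutKind.Sequential)]
        public struct SERVICE_STATUS
        {
            public int dwServiceType;
            public int dwCurrentState;
            public int dwControlsAccepted;
            public int dwWin32ExitCode;
            public int dwServiceSpecificExitCode;
            public int dwCheckPoint;
            public int dwWaitHint;
        }

        [DllImport("advapi32.dll", SetLastError = true)]
        private static extern int StartService(IntPtr hService, int dwNumServiceArgs, int lpServiceArgVectors);

        [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
        private static extern IntPtr CreateService(
            IntPtr hSCManager,
            string lpServiceName,
            string lpDisplayName,
            ServiceAccessRights dwDesiredAccess,
            int dwServiceType,
            ServiceBootFlag dwStartType,
            ServiceError dwErrorControl,
            string lpBinaryPathName,
            string lpLoadOrderGroup,
            IntPtr lpdwTagId,
            string lpDependencies,
            string lp,
            string lpPassword);

        [Flags]
        public enum ServiceAccessRights
        {
            QueryConfig = 0x1,
            ChangeConfig = 0x2,
            QueryStatus = 0x4,
            EnumerateDependants = 0x8,
            Start = 0x10,
            Stop = 0x20,
            PauseContinue = 0x40,
            Interrogate = 0x80,
            UserDefinedControl = 0x100,
            Delete = 0x00010000,
            StandardRightsRequired = 0xF0000,
            AllAccess = (StandardRightsRequired | QueryConfig | ChangeConfig | QueryStatus
                         | EnumerateDependants | Start | Stop | PauseContinue | Interrogate
                         | UserDefinedControl)
        }

        public enum ServiceBootFlag
        {
            Start = 0x00000000,
            SystemStart = 0x00000001,
            AutoStart = 0x00000002,
            DemandStart = 0x00000003,
            Disabled = 0x00000004
        }

        public enum ServiceError
        {
            Ignore = 0x00000000,
            Normal = 0x00000001,
            Severe = 0x00000002,
            Critical = 0x00000003
        }

        // Kept for compatibility only: a direct GetLastError import is unreliable from managed
        // code because the runtime may call Win32 APIs in between. Marshal.GetLastWin32Error
        // (with SetLastError = true on the import) is used instead.
        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern int GetLastError();

        // Module path (SysFileLoad)
        [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
        public static extern IntPtr GetModuleHandle(string lpModuleName);

        [DllImport("kernel32.dll", SetLastError = true)]
        [PreserveSig]
        public static extern uint GetModuleFileName(
            [In] IntPtr hModule,
            [Out] StringBuilder lpFilename,
            [In][MarshalAs(UnmanagedType.U4)] int nSize);

        // File mapping and device I/O (DiskFltPatch)
        [DllImport("kernel32", SetLastError = true)]
        internal static extern IntPtr CreateFile(
            string lpFileName,
            uint dwDesiredAccess,
            uint dwShareMode,
            IntPtr lpSecurityAttributes,
            uint dwCreationDisposition,
            uint dwFlagsAndAttributes,
            IntPtr hTemplateFile);

        [DllImport("kernel32.dll", SetLastError = false, CharSet = CharSet.Auto)]
        static extern bool DeviceIoControl(
            IntPtr driveHandle,
            uint ctrlCode,
            IntPtr inBuffer,
            int inBufferSize,
            IntPtr outBuffer,
            int outBufferSize,
            ref uint bytesReturned,
            IntPtr overlapped);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr CreateFileMapping(IntPtr hFile, IntPtr lpFileMappingAttributes, uint flProtect, uint dwMaximumSizeHigh, uint dwMaximumSizeLow, string lpName);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern IntPtr MapViewOfFile(IntPtr hFileMappingObject, uint dwDesiredAccess, uint dwFileOffsetHigh, uint dwFileOffsetLow, uint dwNumberOfBytesToMap);

        [DllImport("kernel32.dll")]
        static extern bool FlushViewOfFile(IntPtr lpBaseAddress, uint dwNumberOfBytesToFlush);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool UnmapViewOfFile(IntPtr lpBaseAddress);

        [DllImport("kernel32.dll")]
        static extern uint GetFileSize(IntPtr hFile, IntPtr lpFileSizeHigh);

        #endregion

        /// <summary>
        /// Entry point. Loads the helper driver, patches diskflt.sys, then removes the helper
        /// service key on both the success and the failure path so it does not survive a reboot.
        /// <see cref="CheckDiskFltInfected"/> is deliberately not consulted: the patch runs
        /// unconditionally.
        /// </summary>
        static void Main(string[] args)
        {
            bool patched = false;
            if (SysFileLoad())
            {
                Console.WriteLine("[sysload ok]");
                patched = DiskFltPatch();
            }

            DeleteDiskFltUnInstallSys();

            if (patched)
            {
                Console.WriteLine("[DiskFlt Patch Success!]");
                Console.WriteLine("Reboot은 셀프");
            }
            else
            {
                Console.WriteLine("프로그램 종료");
            }
            Console.ReadLine();
        }

        /// <summary>
        /// Returns true when a service named "diskflt" exists and reports SERVICE_RUNNING.
        /// Both SCM handles are released on every path.
        /// </summary>
        static bool CheckDiskFltInfected()
        {
            IntPtr hScm = OpenSCManager(null, null, GenericRead);
            if (hScm == IntPtr.Zero)
            {
                return false;
            }
            try
            {
                IntPtr hService = OpenService(hScm, "diskflt", GenericRead);
                if (hService == IntPtr.Zero)
                {
                    return false;
                }
                try
                {
                    SERVICE_STATUS status = new SERVICE_STATUS();
                    // Win32 BOOL: any non-zero value means success, not just 1.
                    return QueryServiceStatus(hService, ref status) != 0
                        && status.dwCurrentState == ServiceRunning;
                }
                finally
                {
                    CloseServiceHandle(hService);
                }
            }
            finally
            {
                CloseServiceHandle(hScm);
            }
        }

        /// <summary>
        /// Path of this executable with the extension replaced by ".sys", or null when the
        /// module path could not be obtained or did not fit into MAX_PATH.
        /// </summary>
        static string GetSiblingSysPath()
        {
            StringBuilder buffer = new StringBuilder(MaxPath);
            // NULL asks for the calling process's own image; the old call
            // GetModuleHandle("dll.dll") apparently relied on that lookup failing to get the
            // same NULL. An HMODULE is not a kernel object handle and must not be CloseHandle'd.
            IntPtr hModule = GetModuleHandle(null);
            uint length = GetModuleFileName(hModule, buffer, buffer.Capacity);
            if (length == 0 || length >= buffer.Capacity)
            {
                return null;
            }
            // ChangeExtension only touches the final extension; the old string.Replace would
            // have rewritten every ".exe" occurring anywhere in the path.
            return Path.ChangeExtension(buffer.ToString(), ".sys");
        }

        /// <summary>
        /// Registers the helper kernel driver as the "DiskFltUninstall" demand-start service and
        /// starts it. A service left behind by an earlier run (ERROR_SERVICE_EXISTS) is reused,
        /// and an already-running service counts as success. Returns false if the image is
        /// missing or any SCM step fails.
        /// </summary>
        static bool SysFileLoad()
        {
            string sysPath = GetSiblingSysPath();
            if (sysPath == null || !File.Exists(sysPath))
            {
                return false;
            }

            IntPtr hScm = OpenSCManager(null, null, ScManagerCreateService);
            if (hScm == IntPtr.Zero)
            {
                return false;
            }
            try
            {
                IntPtr hCreated = CreateService(
                    hScm,
                    HelperServiceName,
                    HelperServiceName,
                    ServiceAccessRights.AllAccess,
                    ServiceKernelDriver,
                    ServiceBootFlag.DemandStart,
                    ServiceError.Normal,
                    sysPath,
                    null,
                    IntPtr.Zero,
                    null,
                    null,
                    null);
                if (hCreated != IntPtr.Zero)
                {
                    CloseServiceHandle(hCreated);
                }
                else if (Marshal.GetLastWin32Error() != ErrorServiceExists)
                {
                    return false;
                }
                // NOTE(review): a pre-existing service is reopened as-is; its binary path is not
                // verified to be sysPath.

                IntPtr hService = OpenService(hScm, HelperServiceName, (uint)ServiceAccessRights.AllAccess);
                if (hService == IntPtr.Zero)
                {
                    return false;
                }
                try
                {
                    if (StartService(hService, 0, 0) != 0)
                    {
                        return true;
                    }
                    return Marshal.GetLastWin32Error() == ErrorServiceAlreadyRunning;
                }
                finally
                {
                    CloseServiceHandle(hService);
                }
            }
            finally
            {
                CloseServiceHandle(hScm);
            }
        }

        /// <summary>
        /// Full path of the installed driver image. From a 32-bit process on 64-bit Windows,
        /// system32 (including system32\drivers) is redirected to SysWOW64, so the Sysnative
        /// alias is used there to reach the real directory.
        /// </summary>
        static string GetDiskFltPath()
        {
            string systemDir = Environment.SystemDirectory;
            if (Environment.Is64BitOperatingSystem && !Environment.Is64BitProcess)
            {
                systemDir = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Windows), "Sysnative");
            }
            return Path.Combine(systemDir, "drivers\\diskflt.sys");
        }

        /// <summary>
        /// Returns true when the first <paramref name="pattern"/>.Length bytes at
        /// <paramref name="p"/> equal <paramref name="pattern"/>. The caller guarantees the bytes
        /// are inside the mapped view.
        /// </summary>
        static unsafe bool MatchesAt(byte* p, byte[] pattern)
        {
            for (int i = 0; i < pattern.Length; i++)
            {
                if (p[i] != pattern[i])
                {
                    return false;
                }
            }
            return true;
        }

        /// <summary>
        /// Applies the byte patch at every occurrence of the marker in the mapped image and
        /// then overwrites the PE header CheckSum field. Every access is bounds-checked
        /// against <paramref name="size"/>; the previous scan iterated to size inclusive and
        /// read/wrote up to 73 bytes past each candidate, and its inner loop effectively only
        /// compared the last marker byte, so the full 16-byte marker is compared now.
        /// </summary>
        /// <param name="image">Base of the writable view of diskflt.sys.</param>
        /// <param name="size">Size of the mapped file in bytes.</param>
        static unsafe void ApplyDiskFltPatch(byte* image, uint size)
        {
            // Each hit touches bytes up to marker + PatchCodeOffset + 15.
            int window = PatchCodeOffset + PatchCode.Length;
            for (long offset = 0; offset + window <= size; offset++)
            {
                if (!MatchesAt(image + offset, Marker))
                {
                    continue;
                }
                image[offset + MarkerNullOffset] = 0x00;
                for (int i = 0; i < PatchCode.Length; i++)
                {
                    image[offset + PatchCodeOffset + i] = PatchCode[i];
                }
                // The scan continues past the hit: every occurrence is patched, as before.
            }

            // e_lfanew at 0x3C locates the PE signature; the optional header's CheckSum field is
            // 0x58 bytes past it. The tool writes the fixed value 0x000257DD (little-endian)
            // rather than recomputing the checksum — NOTE(review): confirm this is the checksum
            // of the patched image for the diskflt.sys build being targeted.
            if (size < 0x40)
            {
                return;
            }
            uint peOffset = image[0x3C]
                | ((uint)image[0x3D] << 8)
                | ((uint)image[0x3E] << 16)
                | ((uint)image[0x3F] << 24);
            if ((ulong)peOffset + 0x5C > size || image[peOffset] != (byte)'P' || image[peOffset + 1] != (byte)'E')
            {
                // Header points outside the file or not at a PE signature: do not scribble.
                return;
            }
            image[peOffset + 0x58] = 0xDD;
            image[peOffset + 0x59] = 0x57;
            image[peOffset + 0x5A] = 0x02;
            image[peOffset + 0x5B] = 0x00;
        }

        /// <summary>
        /// Patches the installed diskflt.sys in place through a writable file mapping, then asks
        /// the DiskFlt device to act on it with its two control codes. Returns true only if the
        /// device accepted the first control code. All handles, the HGlobal buffer and the view
        /// are released on every path; the old code passed the view pointer and the HGlobal
        /// buffer to CloseHandle and leaked the file handle when the mapping failed.
        /// </summary>
        static unsafe bool DiskFltPatch()
        {
            // The device must be reachable before the file is touched.
            IntPtr hProbe = CreateFile(DiskFltDeviceName, GenericReadWrite, 0, IntPtr.Zero, OpenExisting, FileAttributeNormal, IntPtr.Zero);
            if (hProbe == InvalidHandleValue)
            {
                return false;
            }
            CloseHandle(hProbe);

            string diskFltPath = GetDiskFltPath();
            Console.WriteLine("DiskFltPath : {0}", diskFltPath);

            IntPtr hFile = CreateFile(diskFltPath, GenericReadWrite, 0, IntPtr.Zero, OpenExisting, FileAttributeNormal, IntPtr.Zero);
            if (hFile == InvalidHandleValue)
            {
                return false;
            }

            IntPtr hMapping = IntPtr.Zero;
            IntPtr view = IntPtr.Zero;
            try
            {
                uint size = GetFileSize(hFile, IntPtr.Zero);
                if (size == 0 || size == InvalidFileSize)
                {
                    return false;
                }

                hMapping = CreateFileMapping(hFile, IntPtr.Zero, PageReadWrite, 0, 0, null);
                if (hMapping == IntPtr.Zero)
                {
                    return false;
                }
                // The file was opened without sharing. The mapping keeps it referenced, so the
                // exclusive handle is released now, before the driver is asked to act (same
                // order as before).
                CloseHandle(hFile);
                hFile = InvalidHandleValue;

                view = MapViewOfFile(hMapping, FileMapWrite, 0, 0, 0);
                if (view == IntPtr.Zero)
                {
                    return false;
                }
                CloseHandle(hMapping);
                hMapping = IntPtr.Zero;

                ApplyDiskFltPatch((byte*)view.ToPointer(), size);

                // From here on the bytes are already in the mapping: a failure below leaves the
                // file modified (as before) and only skips the driver-side step.
                IntPtr hDevice = CreateFile(DiskFltDeviceName, GenericReadWrite, 0, IntPtr.Zero, OpenExisting, FileAttributeNormal, IntPtr.Zero);
                if (hDevice == InvalidHandleValue)
                {
                    return false;
                }
                IntPtr key = Marshal.StringToHGlobalAnsi(DiskFltIoctlKey);
                try
                {
                    uint bytesReturned = 0;
                    if (!DeviceIoControl(hDevice, DiskFltIoctlWithKey, key, DiskFltIoctlKey.Length, IntPtr.Zero, 0, ref bytesReturned, IntPtr.Zero))
                    {
                        return false;
                    }
                    FlushViewOfFile(view, 0);
                    DeviceIoControl(hDevice, DiskFltIoctlAfterFlush, IntPtr.Zero, 0, IntPtr.Zero, 0, ref bytesReturned, IntPtr.Zero);
                    // Unmapped while the device handle is still open, matching the original sequence.
                    UnmapViewOfFile(view);
                    view = IntPtr.Zero;
                    return true;
                }
                finally
                {
                    Marshal.FreeHGlobal(key);
                    CloseHandle(hDevice);
                }
            }
            finally
            {
                if (view != IntPtr.Zero)
                {
                    UnmapViewOfFile(view);
                }
                if (hMapping != IntPtr.Zero)
                {
                    CloseHandle(hMapping);
                }
                if (hFile != InvalidHandleValue)
                {
                    CloseHandle(hFile);
                }
            }
        }

        /// <summary>
        /// Removes the helper service's registry key together with its Enum/Security subkeys.
        /// The SCM is not informed, so the helper driver stays loaded until reboot (as before).
        /// A missing key is not an error; the previous DeleteSubKey calls threw when any of the
        /// three keys was absent.
        /// </summary>
        static void DeleteDiskFltUnInstallSys()
        {
            using (RegistryKey services = Registry.LocalMachine.OpenSubKey(ServicesKeyPath, true))
            {
                if (services != null)
                {
                    services.DeleteSubKeyTree(HelperServiceName, false);
                }
            }
        }

        /// <summary>
        /// Not called by <see cref="Main"/>. Removes "diskflt" from the DiskDrive class
        /// UpperFilters list, deletes the diskflt service key and finally the driver file.
        /// The filter entry goes first: a class UpperFilters entry whose service key no longer
        /// exists stops disk devices from starting at the next boot, which is exactly what the
        /// old order (service key deleted, UpperFilters edit discarded) would have produced.
        /// </summary>
        /// <returns>True when the UpperFilters value was present and rewritten and the
        /// service key was removed; the file deletion is best-effort and reported only.</returns>
        static bool DeleteDiskFltReg()
        {
            bool filterRemoved = false;
            using (RegistryKey diskClass = Registry.LocalMachine.OpenSubKey(DiskClassKeyPath, true))
            {
                if (diskClass != null)
                {
                    // UpperFilters is REG_MULTI_SZ, so GetValue yields string[]; the old
                    // (string) cast threw, and the result of Replace() was never stored.
                    string[] filters = diskClass.GetValue("UpperFilters") as string[];
                    if (filters != null)
                    {
                        string[] kept = filters
                            .Where(f => !string.Equals(f, "diskflt", StringComparison.OrdinalIgnoreCase))
                            .ToArray();
                        if (kept.Length == 0)
                        {
                            diskClass.DeleteValue("UpperFilters", false);
                        }
                        else
                        {
                            diskClass.SetValue("UpperFilters", kept, RegistryValueKind.MultiString);
                        }
                        filterRemoved = true;
                    }
                }
            }

            bool serviceRemoved = false;
            using (RegistryKey services = Registry.LocalMachine.OpenSubKey(ServicesKeyPath, true))
            {
                if (services != null)
                {
                    // Service keys carry Enum/Security subkeys, which DeleteSubKey refuses to remove.
                    services.DeleteSubKeyTree("diskflt", false);
                    serviceRemoved = true;
                }
            }

            // Last, because a driver image that is still loaded cannot be deleted and that
            // failure must not undo the registry clean-up above.
            string diskFltPath = GetDiskFltPath();
            try
            {
                if (File.Exists(diskFltPath))
                {
                    File.Delete(diskFltPath);
                }
            }
            catch (IOException ex)
            {
                Console.WriteLine("diskflt.sys delete failed: {0}", ex.Message);
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine("diskflt.sys delete failed: {0}", ex.Message);
            }

            return filterRemoved && serviceRemoved;
        }
    }
}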


