1 | | -# MBD3-Partial |
2 | | -MoonBridge/DTAAE3.0 Partial Code Functionality Reveal |
| 1 | +# MoonBridge/DTAAE3 Partial |
| 2 | +***USE ONLY FOR EDUCATIONAL PURPOSES*** |
| 3 | + |
| 4 | +This is the Github Repo for the partial code of the Bootkit/Exploit/Backdoor **MoonBridge**, also known as **DTAAE 3.0** or **2.5** |
| 5 | + |
| 6 | +*It modifies files that might be hard to change due to Security Restrictions, all changes are applied after a Restart* |
| 7 | +*Using a mix of* ***Assembly*** *and ***C*** with* ***Windows APIs***. |
| 8 | + |
| 9 | +# Infection Process |
| 10 | + |
| 11 | +- Create a *read-only handle* to the file we want to modify using **CreateFileW**. |
| 12 | + |
| 13 | +- Use **DeviceIoControl** with **FSCTL_GET_RETRIEVAL_POINTERS** using the handle from before. |
| 14 | + |
| 15 | +- Get the **Starting Cluster Offset** from the output buffer. |
| 16 | + |
| 17 | +- Get the amount of **Sectors per Cluster** and multiply it with the **Starting Offset** to convert *Clusters* to *Sectors*. |
| 18 | + |
| 19 | +- Create a handle to **PhysicalDrive0** and make a copy of the *MBR* into a buffer. |
| 20 | + |
| 21 | +- Add the **Custom MBR** into the buffer and store the *File Offset* with each *Partition Start Offset* from the *Original MBR*. |
| 22 | + |
| 23 | +- Set the **File Pointer** to the *Start of the Disk*. |
| 24 | + |
| 25 | +- Write the **1024 bytes** (Modified MBR + Windows MBR Backup) into the Disk. |
| 26 | + |
| 27 | +- **Restart** to apply the changes. |
| 28 | + |
| 29 | +# Building |
| 30 | +*This MoonBridge version was compiled with **CLion 2025.2** using the **C 23 Standard***. |
| 31 | + |
| 32 | +You can compile this with tools such as **Visual Studio**, **GCC**/**MinGW**, etc, just make sure that it has access to "**windows.h**" |
| 33 | +And that you run it with **Administrator Rights**. The included **CMakeLists.txt** has the '-m32' flag used to build a **32-bit** EXE, |
| 34 | +So if you are going to use it check that your compiler supports **x86** or *delete those lines using a text editor*. |
| 35 | + |
| 36 | +For the MBR use **NASM** or similar to produce a *16-bit binary*, remember to convert it to **Hexadecimal** and paste it into the *'mbr'* |
| 37 | +*Array* in the *C Program* |
| 38 | + |
| 39 | +# Notes |
| 40 | +- The ability to evade AVs isn't included in this version, nor the UEFI bootloader or original MBR. |
| 41 | + |
| 42 | +- The code used here wipes the first bytes of the file "*C:\Windows\System32\LogonUI.exe*" although it can be changed to corrupt other files, |
| 43 | + or add other data into the same file. |
| 44 | + |
| 45 | +- While its not needed due to the *MIT License*, it would still be nice if you add a **link** to this repo so more people can know about this tool ;) |
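Review bot: The new README documents how the disk and LogonUI.exe are modified but gives no recovery steps, which a reader of an "educational" repo needs most; since the "Write the **1024 bytes** (Modified MBR + Windows MBR Backup)" step keeps the original Windows MBR in the second sector, and the Notes say the code "wipes the first bytes of the file *C:\Windows\System32\LogonUI.exe*", add a Recovery section stating that the boot sector can be restored from that sector-1 copy or with `bootrec /fixmbr` from Windows recovery media, and that LogonUI.exe must be replaced from a known-good copy (an offline `sfc /scannow` with `/offbootdir` and `/offwindir` from WinRE does this), otherwise anyone who runs the build on a real machine is left without a working login screen. Minor: the emphasis markers in "*Using a mix of* ***Assembly*** *and ***C*** with* ***Windows APIs***." are unbalanced and render with stray asterisks; pair them as `*Using a mix of* **Assembly** *and* **C** *with* **Windows APIs**.`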