USE ONLY FOR EDUCATIONAL PURPOSES
This is the GitHub repo for the partial code of the bootkit/exploit/backdoor MoonBridge, also known as DTAAE 3.0 or 2.5.
It modifies files that may be hard to change due to security restrictions; all changes are applied after a restart.
It uses a mix of assembly and C with Windows APIs.
- Create a read-only handle to the file to be modified using CreateFileW.
- Call DeviceIoControl with FSCTL_GET_RETRIEVAL_POINTERS on that handle.
- Read the starting cluster offset from the output buffer.
- Get the number of sectors per cluster and multiply it by the starting offset to convert clusters to sectors.
- Open a handle to PhysicalDrive0 and copy the MBR into a buffer.
- Add the custom MBR to the buffer and store the file offset together with each partition start offset from the original MBR.
- Set the file pointer to the start of the disk.
- Write the 1024 bytes (modified MBR + backup of the Windows MBR) to the disk.
- Restart to apply the changes.
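A defender-side check for the on-disk layout this procedure leaves behind (a rewritten sector 0 with the original MBR stashed at LBA 1), written here as an added example and not part of this repo: it inspects a 1024-byte read of the start of the disk against a known-good MBR captured earlier. Reading those bytes from PhysicalDrive0 on Windows is assumed to happen separately; the disk image and baseline below are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR_SIZE 512
#define PTABLE_OFF  446   /* four 16-byte partition entries, 64 bytes */
#define SIG_OFF     510   /* 0x55 0xAA boot signature */

/* Findings for bytes 0..1023 of a disk: sector 0 lacks a boot signature;
 * sector 1 is itself boot-signed (a stashed MBR); both sectors carry the same
 * partition table; sector 0's bootstrap code differs from the known-good copy. */
enum { MBR_BAD_SIG = 1, MBR_COPY_AT_LBA1 = 2, MBR_PTABLE_MATCH = 4, MBR_CODE_DIFFERS = 8 };

static int has_boot_sig(const uint8_t *sec) {
    return sec[SIG_OFF] == 0x55 && sec[SIG_OFF + 1] == 0xAA;
}

/* Compare the live sectors against a known-good MBR captured earlier.
 * A boot-signed LBA 1 is only a heuristic (some boot managers keep code there),
 * so treat the baseline comparison as the authoritative finding. */
int inspect_mbr(const uint8_t *disk, const uint8_t *baseline) {
    const uint8_t *s0 = disk, *s1 = disk + SECTOR_SIZE;
    int flags = 0;
    if (!has_boot_sig(s0)) flags |= MBR_BAD_SIG;
    if (has_boot_sig(s1)) {
        flags |= MBR_COPY_AT_LBA1;
        if (memcmp(s0 + PTABLE_OFF, s1 + PTABLE_OFF, 64) == 0) flags |= MBR_PTABLE_MATCH;
    }
    if (memcmp(s0, baseline, PTABLE_OFF) != 0) flags |= MBR_CODE_DIFFERS;
    return flags;
}

/* Constructed sample (not a real disk image): sector 0 holds foreign code over
 * the original partition table and sector 1 is a verbatim copy of the baseline. */
int inspect_constructed_sample(void) {
    uint8_t base[SECTOR_SIZE], disk[2 * SECTOR_SIZE];
    memset(base, 0x90, SECTOR_SIZE);                /* stand-in bootstrap code */
    memset(base + PTABLE_OFF, 0, 64);
    base[PTABLE_OFF] = 0x80; base[PTABLE_OFF + 4] = 0x07; /* active NTFS entry */
    base[SIG_OFF] = 0x55; base[SIG_OFF + 1] = 0xAA;
    memcpy(disk, base, SECTOR_SIZE);
    memset(disk, 0xCC, PTABLE_OFF);                 /* code replaced in sector 0 */
    memcpy(disk + SECTOR_SIZE, base, SECTOR_SIZE);  /* backup stashed at LBA 1 */
    return inspect_mbr(disk, base);
}

int main(void) {
    int f = inspect_constructed_sample();
    printf("flags=%d copy_at_lba1=%d code_differs=%d\n", f, !!(f & MBR_COPY_AT_LBA1), !!(f & MBR_CODE_DIFFERS));
    return 0;
}
```

In practice the baseline should be captured from a clean install and stored off-host, and a non-zero MBR_CODE_DIFFERS is the finding to act on.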
This MoonBridge version was compiled with CLion 2025.2 using the C23 standard.
You can compile it with tools such as Visual Studio, GCC/MinGW, etc.; just make sure the compiler has access to "windows.h"
and that you run the result with administrator rights. The included CMakeLists.txt uses the '-m32' flag to build a 32-bit EXE,
so if you are going to use it, check that your compiler supports x86 or delete those lines with a text editor.
For the MBR, use NASM or similar to produce a 16-bit binary; remember to convert it to hexadecimal and paste it into the 'mbr'
array in the C program.
- AV evasion isn't included in this version, nor are the UEFI bootloader or the original MBR.
- The code used here wipes the first bytes of the file "C:\Windows\System32\LogonUI.exe", although it can be changed to corrupt other files or add other data to the same file.
- While it's not required under the MIT License, it would still be nice if you added a link to this repo so more people can learn about this tool ;)