2025-02-24 Update From: SLTechnology News&Howtos
A 2.33 GB SQL database encrypted with the suffix .[mr.hacker@tutanota.com]
In recent days, the database of an all-in-one card integrated management platform was encrypted by ransomware. Only the SQL database on the server was important, and the customer refused to pay the ransom, so the customer contacted Darth Technology in the hope that it could repair the database.
As more and more customers are affected by ransomware, the Darth Technology database repair team also hopes to use this case to show the entire process of repairing a SQL database encrypted by ransomware, in order to help more companies threatened by ransomware reduce their losses in time.
I. Preparation before SQL database repair
1.1 Environment preparation:
1. Operating system: Windows Server 2016 or 2019 is recommended.
2. SQL database environment: install starting from SQL Server 2000 (tutorials on how to install are available online) and install the versions in order. You can install SQL Server 2000, 2005, 2008, 2008 R2, 2012, 2014, 2016, 2017, 2019, etc.
3. Hard disk: repairing a SQL database puts a heavy read and write load on the hard disk. An SSD with an M.2 interface (NVMe protocol) is recommended.
4. Memory: above 64 GB is recommended.
1.2 Determine the version of the SQL Server database
If the customer can accurately provide the version of the SQL database, there is no need to test the version ourselves. If the customer is not sure, we can determine it ourselves: open the mdf file of the SQL database with WinHex, jump to sector 144, and look at the two bytes in row 00012060, columns 4 and 5 (offsets 0x12064 and 0x12065). Their 16-bit value accurately identifies the version of the SQL database. Determining the SQL version accurately tells us which version of the output environment to choose when repairing the database.
See the figure below. The value of the example library in this case is 661. The version is SQL Server 2008 R2.
Figure 1: determine the database version
The number of internal database versions corresponding to different SQL database versions is as follows:
SQL Server database version | Internal database version (number)
SQL Server 2017 | 869
SQL Server 2016 | 852
SQL Server 2014 | 782
SQL Server 2012 | 706
SQL Server 2012 CTP1 | 684
SQL Server 2008 R2 | 665
SQL Server 2008 | 661
SQL Server 2005 with vardecimal enabled | 612
SQL Server 2005 | 611
SQL Server 2000 | 539
SQL Server 7.0 | 515
Note: if the first 2048 or 4096 sectors are destroyed by a virus, the customer will be required to provide a specific database version.
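The WinHex check in 1.2 can also be scripted. The following is an added example, not code from the Darth software or the original article: it reads the 16-bit value at offset 0x12064 (sector 144, row 00012060, column 4) as little-endian and looks it up in the table above. The function names and the constructed sample header are assumptions made for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SECTOR = 144                                   # sector the article jumps to in WinHex
VERSION_OFFSET = BOOT_SECTOR * SECTOR_SIZE + 0x64   # row 0x12060, columns 4-5

# Copied from the table on this page. For 661 the page's case text reads
# "SQL Server 2008 R2" while its table lists "SQL Server 2008".
INTERNAL_VERSIONS = {
    869: "SQL Server 2017", 852: "SQL Server 2016", 782: "SQL Server 2014",
    706: "SQL Server 2012", 684: "SQL Server 2012 CTP1",
    665: "SQL Server 2008 R2", 661: "SQL Server 2008",
    612: "SQL Server 2005 with vardecimal enabled", 611: "SQL Server 2005",
    539: "SQL Server 2000", 515: "SQL Server 7.0",
}

def read_internal_version(data):
    """Return the 16-bit little-endian value at 0x12064, or None if data is too short."""
    if len(data) < VERSION_OFFSET + 2:
        return None
    return struct.unpack_from("<H", data, VERSION_OFFSET)[0]

def identify(data):
    """Return (value, label); label is None when the value is not in the table."""
    value = read_internal_version(data)
    return value, INTERNAL_VERSIONS.get(value)

def constructed_mdf(version_bytes):
    """Constructed sample: zero-filled header with two chosen bytes at 0x12064."""
    buf = bytearray(VERSION_OFFSET + 2)
    buf[VERSION_OFFSET:VERSION_OFFSET + 2] = version_bytes
    return bytes(buf)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # path to a copy of the .mdf file
        with open(sys.argv[1], "rb") as f:
            header = f.read(VERSION_OFFSET + 2)
    else:                                    # constructed sample carrying 706
        header = constructed_mdf(struct.pack("<H", 706))
    value, label = identify(header)
    if label is None:
        print(f"value {value!r} is not in the table: header damaged or encrypted, "
              "ask the customer for the version")
    else:
        print(f"internal version {value}: {label}")
```

Run it against a copy of the encrypted file, never the only surviving original; a value that is not in the table corresponds to the case in the note above, where the version has to come from the customer.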
1.3 Check the SQL database files to estimate the success rate of repair
1. Open the Darth SQL database repair software and click "check File" to test the degree of database damage.
Figure 2: detecting the damage rate of database files
After opening the test file dialog box, click "Select File" to select the appropriate directory, and then click "start Detection".
Figure 3: detecting the damage rate of database files
At the end of the scan, focus on the number and proportion of error pages and empty pages. If the proportion of empty pages and error pages is less than 5%, the success rate of database repair is relatively high.
Figure 4: detecting the damage rate of database files
In the figure, this case has 4720 empty pages, accounting for 1.5%, and 142 error pages (damaged pages), accounting for almost zero, so the success rate of database repair can be judged to be very high!
II. SQL database repair process
1. About the reference library (why is a reference library needed?):
Because the damage to a SQL database is unpredictable, the system table structure, stored procedures and other important parameters may well be damaged. If we have a good old backup with the same structure, the Darth software can extract the good table structure from it and fill it into the database.
2. About the built-in table structure (an optional dialog box when Darth opens the database file):
The Darth software has built-in table structures for dozens of versions of Kingdee, Useyou, housekeeper, Chao, Sixun and other brands. When no reference database with the same structure is available, you can choose a built-in table structure as the reference library in order to improve the accuracy and success rate of database repair.
3. The process of repairing SQL database by Darth software.
Select "Open File" in the Darth software interface, select the damaged SQL database that needs to be repaired, select a good database with the same structure as the damaged one as the reference database, and begin repairing the damaged SQL database.
Figure 5: open the database file that needs to be repaired
Figure 6: open the database file that needs to be repaired
After selecting the damaged SQL database files that need to be repaired, select a good library with the same table structure as a reference.
Figure 7: necessary options for database repair
If the customer can provide the old backup as a reference, give priority to the old backup as a reference.
If the customer is unable to provide an old backup as a reference, you can choose the built-in version of Darth software as a reference.
If the Darth software has no matching built-in version, you can create an empty library with the same structure in the customer's database environment as a reference.
Therefore, the priority of the reference library is as follows: good old backup of the same database > good library with the same structure > the same built-in version of Darth software > empty library with the same table structure newly built in the same environment.
Figure 8: automatic parsing of database files
When the selection is complete, click "start recovery"!
The Darth software repairs the database automatically. Depending on the size and the degree of damage, it usually finishes expanding the database within a few minutes.
After the SQL database is expanded, you can view the repair results and the data of the database in the Darth software interface. As shown below, all tables are listed in the red box on the left, and the parsing results report of the repaired database file is shown in the blue box on the right.
Figure 9: database file parsing result report
Double-click a table from the left column, and you can see the repaired data in the table on the right. At this point, you can check whether the important table data is correct.
Figure 10: check whether the table data is correct
Open SQL Server 2008 R2, log in to SQL Server, attach the reference library (make a copy in advance), and then empty the table data in the reference library so that it serves as the receiving library.
Figure 11: open the reference database in sql server
Figure 12: attached reference library (clearing table data as receiving library)
Figure 13: attached reference library (clearing table data as receiving library)
Figure 14: attached reference library (clearing table data as receiving library)
After the attachment is completed, right-click the library and select "New query" to enter the statements that clear the table data.
Figure 15: create a new query (clear the table data as the receiving library)
Clear the table data:
Clearing the table data while preserving views, stored procedures and functions, and retaining table constraints, triggers and so on, leaves a good shell for the failed database, into which the data of the bad database can be imported. Sometimes this gives good results when recovering databases such as user friends and Kingdee.
There are two ways to clear table data:
One method uses delete from [table name], which is slow for large databases and produces large log information, but for small libraries, the speed can be ignored.
The other is truncate table [table name], which is fast, but cannot clear table data with foreign keys.
When clearing table data, you can use a combination of two methods.
Disable all constraints when clearing table data, and enable constraints again when the cleanup is complete.
1. Use truncate table [table name] to clear table data and exclude tables with foreign key attributes. The clean statement is obtained as follows:
-- Generates a clearing script for every user table that is not involved in a foreign key
use [name of the library to be operated]
select
'alter table [' + name + '] nocheck constraint all; alter table [' + name + '] disable trigger all;
truncate table [' + name + '];'
+ 'alter table [' + name + '] enable trigger all; alter table [' + name + '] check constraint all;
go'
from sysobjects
where id not in (select parent_object_id from sys.foreign_keys)
  and id not in (select referenced_object_id from sys.foreign_keys)
  and type = 'U'
Then run the output of the above SQL statement in the SQL query analyzer.
2. Clear the table data statement with delete from [Table name] to get the following
-- Generates a delete-based clearing script for every user table
use [name of the library to be operated]
select 'alter table [' + object_name(id) + '] nocheck constraint all; alter table [' + object_name(id) + '] disable trigger all;
delete from [' + object_name(id) + '];' + '
alter table [' + object_name(id) + '] enable trigger all; alter table [' + object_name(id) + '] check constraint all;
go'
TableName from sysobjects where type = 'U'
3. In some MS SQL Server query analyzers, the go at the end of the statements above does not wrap onto its own line when copied. You can save the results to a text file; when that file is opened in the query analyzer, the lines wrap automatically. If go does not wrap onto its own line, the SQL statement fails with an error.
4. You may encounter some tables that cannot be cleared. Check which tables are associated by foreign keys, disable the constraints of both tables at the same time, and then use delete from [table name]. After that, restore the constraints of both tables at the same time.
5. Check whether the data has been cleared successfully and thoroughly, and check the number of records with the following statement:
-- Lists user tables that still contain rows
use [name of the library to be operated]
select object_name(i.id) TableName,
       rows as RowCnt
from sysindexes i
inner join sysobjects o
  on (o.id = i.id and o.xtype = 'U')
where indid < 2 and rows > 0
order by RowCnt desc
Figure 16: emptying the table data of the reference library
Then, in the blue box below, click "TableName"; after all tables are selected, right-click and copy.
Figure 17: emptying the table data of the reference library as the receiving library
After copying, paste all the copied contents in the above instruction bar
Figure 18: emptying the table data of the reference library as the receiving library
Place the cursor at the original position, and then select Execute.
Figure 19: emptying the table data of the reference library as the receiving library
After the statements finish executing, use the query above to check the results. Generally, after 2-3 executions all table data will be cleared (in individual cases that cannot be cleared this way, the data has to be cleared table by table).
Figure 20: emptying the table data of the reference library as the receiving library
Figure 21: emptying the table data of the reference library as the receiving library
After the table data is cleared, import the data into the target library with the software, and select "Export data" in the software interface.
Figure-22: export the database
The connection settings interface pops up. The server name defaults to 127.0.0.1 (if several SQL Server versions are installed on the machine, you need to add "\SQL version number" after it, such as 127.0.0.1\SQL2000 or 127.0.0.1\SQL2008R2, to specify the output environment).
For the database name, enter the name of the target library whose table data was cleared.
Figure-23: database connection settings
Click OK and continue to pop up the selection interface. In general, you can select all data types and start exporting the data.
Figure-24: export the database
During the export process, all the tables already exist in the target library.
Figure-25: automatically create tables and export databases
After you have created all the tables, you begin to export data automatically.
Figure-26: export the database
The export time depends on the number of tables and the database size. To improve export efficiency, it is recommended that you use a high-speed SSD and a large amount of memory.
After the export is completed, a report of the export results will be generated
Figure 27: generate a result report after exporting the database
At this point, the database repair and export is complete.
Finally, let's verify that the repaired database is complete. After verification, the customer's all-in-one card integrated management system has been perfectly restored successfully!
Figure 28: verify the success of the repaired database in the application system of the all-in-one card integrated management platform
After the database repair is completed, the MDF file and LDF file will be generated automatically, and the verification work can be completed by importing the database into the application.