注册表操作监控x86
Hook_ZwSetValueKey
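/*
 * Registry write monitor (x86 only).
 *
 * Installs an SSDT (System Service Descriptor Table) hook on ZwSetValueKey that
 * logs the full key path plus value name of every user-mode write, and a
 * pass-through hook on ZwCreateFile. Hooks are installed by StartHook and
 * removed by RemoveHook.
 *
 * Review notes (limits of this approach, not fixed here):
 *  - SYSTEMSERVICE reads the service number out of the Zw* stub's first
 *    instruction (`mov eax, imm32`) and the table patch casts function pointers
 *    to LONG; both are 32-bit-only assumptions. On x64 the SSDT is not patchable
 *    this way (Kernel Patch Protection); CmRegisterCallback/CmRegisterCallbackEx
 *    is the supported mechanism for registry monitoring.
 *  - Hook_NtSetValueKey inspects a *copy* of the caller's ValueName and then
 *    passes the original user-mode pointer to the real service. A user thread
 *    can change the string between the two reads (double fetch), so a "block"
 *    decision based on the copy is advisory only. In this listing CallBackResult
 *    is never changed from R3Result_Pass, so the block branch is not reachable.
 *  - RemoveHook restores the table but does not wait for threads that are still
 *    executing inside a hook; unloading the driver immediately afterwards is
 *    unsafe. No reference counting exists in this listing.
 */
#include "precomp.h"

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase; /* Used only in checked build */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/*
 * SSDT slot for a Zw* export: the service index is the imm32 operand that
 * follows the B8 opcode of the stub's first instruction (x86 layout only).
 */
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)(_function) + 1)]
#define SDT  SYSTEMSERVICE
#define KSDT KeServiceDescriptorTable

void StartHook(void);
void RemoveHook(void);

NTSTATUS Hook_NtSetValueKey(IN HANDLE KeyHandle,
                            IN PUNICODE_STRING ValueName,
                            IN ULONG TitleIndex OPTIONAL,
                            IN ULONG Type,
                            IN PVOID Data,
                            IN ULONG DataSize);

typedef NTSTATUS (*ZWSETVALUEKEY)(IN HANDLE KeyHandle,
                                  IN PUNICODE_STRING ValueName,
                                  IN ULONG TitleIndex OPTIONAL,
                                  IN ULONG Type,
                                  IN PVOID Data,
                                  IN ULONG DataSize);

/* Original SSDT entry for ZwSetValueKey; NULL until StartHook has run. */
static ZWSETVALUEKEY OldZwSetValueKey;

/*
 * Replacement for the ZwSetValueKey service.
 *
 * For user-mode callers, builds "<key object name>\<value name>" in a
 * stack buffer, prints it with DbgPrint, and then forwards the unmodified
 * arguments to the original service. Kernel-mode callers, NULL value names,
 * handles that fail MyProbeKeyHandle, and keys whose name cannot be queried
 * are forwarded without inspection. Any exception while touching user memory
 * is swallowed and the original service is called, so it reports the error.
 *
 * Returns the original service's status, or STATUS_ACCESS_DENIED if the
 * (currently never-set) callback result is R3Result_Block.
 */
NTSTATUS Hook_NtSetValueKey(IN HANDLE KeyHandle,
                            IN PUNICODE_STRING ValueName,
                            IN ULONG TitleIndex OPTIONAL,
                            IN ULONG Type,
                            IN PVOID Data,
                            IN ULONG DataSize)
{
    UNICODE_STRING CapturedName;
    WCHAR wszPath[MAX_PATH] = {0};
    R3_RESULT CallBackResult = R3Result_Pass;

    __try {
        UNICODE_STRING keyName;
        UNICODE_STRING uTarget;
        NTSTATUS appendStatus;

        RtlZeroMemory(&keyName, sizeof(UNICODE_STRING));
        RtlZeroMemory(&uTarget, sizeof(UNICODE_STRING));

        /*
         * Nothing to inspect: kernel caller, no value name, handle not usable
         * for KEY_SET_VALUE, or key name not retrievable. Evaluation order
         * matters: the name query allocates and is only reached when the
         * handle probe passed.
         */
        if (ExGetPreviousMode() == KernelMode ||
            ValueName == NULL ||
            MyProbeKeyHandle(KeyHandle, KEY_SET_VALUE) == FALSE ||
            MyObQueryObjectName(KeyHandle, &keyName, TRUE) == FALSE) {
            return OldZwSetValueKey(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
        }

        uTarget.Buffer = wszPath;
        uTarget.MaximumLength = sizeof(wszPath);
        /* Registry paths may exceed MAX_PATH; RtlCopyUnicodeString truncates silently. */
        RtlCopyUnicodeString(&uTarget, &keyName);
        RtlFreeUnicodeString(&keyName);

        /*
         * Append a separator unless the path already ends with one. The
         * Length check guards the empty-name case: indexing at
         * Length/sizeof(WCHAR) - 1 with Length == 0 reads before the buffer.
         */
        if (uTarget.Length >= sizeof(WCHAR) &&
            uTarget.Buffer[uTarget.Length / sizeof(WCHAR) - 1] != L'\\') {
            RtlAppendUnicodeToString(&uTarget, L"\\");
        }

        /*
         * Copy the caller's UNICODE_STRING header and probe its buffer. Both
         * raise on an invalid user pointer and land in __except below.
         * The copied name is used only for the log line; the original
         * service re-reads ValueName from user memory (see file header).
         */
        CapturedName = ProbeAndReadUnicodeString(ValueName);
        ProbeForRead(CapturedName.Buffer, CapturedName.Length, sizeof(WCHAR));

        /* STATUS_BUFFER_TOO_SMALL here means the logged path is incomplete. */
        appendStatus = RtlAppendUnicodeStringToString(&uTarget, &CapturedName);
        DbgPrint("Key:%wZ%s\n", &uTarget,
                 NT_SUCCESS(appendStatus) ? "" : " [truncated]");

        if (CallBackResult == R3Result_Block) {
            return STATUS_ACCESS_DENIED;
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Bad user pointer: fall through and let the real service fail it. */
    }

    return OldZwSetValueKey(KeyHandle, ValueName, TitleIndex, Type, Data, DataSize);
}

NTSTATUS Hook_ZwCreateFile(OUT PHANDLE FileHandle,
                           IN ACCESS_MASK DesiredAccess,
                           IN POBJECT_ATTRIBUTES ObjectAttributes,
                           OUT PIO_STATUS_BLOCK IoStatusBlock,
                           IN PLARGE_INTEGER AllocationSize OPTIONAL,
                           IN ULONG FileAttributes,
                           IN ULONG ShareAccess,
                           IN ULONG CreateDisposition,
                           IN ULONG CreateOptions,
                           IN PVOID EaBuffer OPTIONAL,
                           IN ULONG EaLength);

/*
 * The hook lives in pageable code. ZwCreateFile callers must be at
 * PASSIVE_LEVEL, so this is acceptable as long as the hook stays a plain
 * pass-through; do not add work that could run at elevated IRQL.
 */
#pragma alloc_text(PAGE, Hook_ZwCreateFile)

typedef NTSTATUS (*ZWCREATEFILE)(OUT PHANDLE FileHandle,
                                 IN ACCESS_MASK DesiredAccess,
                                 IN POBJECT_ATTRIBUTES ObjectAttributes,
                                 OUT PIO_STATUS_BLOCK IoStatusBlock,
                                 IN PLARGE_INTEGER AllocationSize OPTIONAL,
                                 IN ULONG FileAttributes,
                                 IN ULONG ShareAccess,
                                 IN ULONG CreateDisposition,
                                 IN ULONG CreateOptions,
                                 IN PVOID EaBuffer OPTIONAL,
                                 IN ULONG EaLength);

/* Original SSDT entry for ZwCreateFile; NULL until StartHook has run. */
static ZWCREATEFILE OldZwCreateFile;

/*
 * Replacement for the ZwCreateFile service: forwards every argument to the
 * original service unchanged and returns its status.
 */
NTSTATUS Hook_ZwCreateFile(OUT PHANDLE FileHandle,
                           IN ACCESS_MASK DesiredAccess,
                           IN POBJECT_ATTRIBUTES ObjectAttributes,
                           OUT PIO_STATUS_BLOCK IoStatusBlock,
                           IN PLARGE_INTEGER AllocationSize OPTIONAL,
                           IN ULONG FileAttributes,
                           IN ULONG ShareAccess,
                           IN ULONG CreateDisposition,
                           IN ULONG CreateOptions,
                           IN PVOID EaBuffer OPTIONAL,
                           IN ULONG EaLength)
{
    return OldZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes,
                           IoStatusBlock, AllocationSize, FileAttributes,
                           ShareAccess, CreateDisposition, CreateOptions,
                           EaBuffer, EaLength);
}

/*
 * Clear CR0.WP (bit 16) so the read-only SSDT page can be written.
 *
 * CR0 is per-processor. Interrupts are disabled first so the thread cannot be
 * preempted and resumed on another CPU (where WP is still set) between this
 * call and WriteProtectOn; the original code left that window open.
 */
static void WriteProtectOff(void)
{
    __asm {
        cli
        mov eax, cr0
        and eax, 0FFFEFFFFh
        mov cr0, eax
    }
}

/* Restore CR0.WP and re-enable interrupts; pairs with WriteProtectOff. */
static void WriteProtectOn(void)
{
    __asm {
        mov eax, cr0
        or  eax, 10000h
        mov cr0, eax
        sti
    }
}

/*
 * Install both hooks by swapping the SSDT entries for ZwSetValueKey and
 * ZwCreateFile, saving the originals in OldZwSetValueKey/OldZwCreateFile.
 *
 * Idempotent: a second call is ignored. Without this guard a repeated call
 * would overwrite the saved original with the hook itself and every
 * ZwSetValueKey would then recurse into Hook_NtSetValueKey forever.
 */
void StartHook(void)
{
    if (OldZwSetValueKey != NULL) {
        return;
    }

    WriteProtectOff();
    OldZwSetValueKey = (ZWSETVALUEKEY)InterlockedExchange((PLONG)&SDT(ZwSetValueKey),
                                                          (LONG)Hook_NtSetValueKey);
    OldZwCreateFile = (ZWCREATEFILE)InterlockedExchange((PLONG)&SDT(ZwCreateFile),
                                                        (LONG)Hook_ZwCreateFile);
    WriteProtectOn();
}

/*
 * Restore the original SSDT entries saved by StartHook.
 *
 * Each entry is restored only if a saved value exists: calling RemoveHook
 * before StartHook would otherwise write NULL into the service table and
 * crash the next caller of that service. Threads already inside a hook are
 * not waited for (see file header).
 */
void RemoveHook(void)
{
    WriteProtectOff();
    if (OldZwSetValueKey != NULL) {
        InterlockedExchange((PLONG)&SDT(ZwSetValueKey), (LONG)OldZwSetValueKey);
        OldZwSetValueKey = NULL;
    }
    if (OldZwCreateFile != NULL) {
        InterlockedExchange((PLONG)&SDT(ZwCreateFile), (LONG)OldZwCreateFile);
        OldZwCreateFile = NULL;
    }
    WriteProtectOn();
}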