注册表操作监控x86
Hook_ZwSetValueKey#include "precomp.h"
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
__declspec(dllimport)ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
#define SDT SYSTEMSERVICE
#define KSDT KeServiceDescriptorTable
void StartHook(void);
void RemoveHook(void);
NTSTATUS Hook_NtSetValueKey(
IN HANDLEKeyHandle,
IN PUNICODE_STRINGValueName,
IN ULONGTitleIndexOPTIONAL,
IN ULONGType,
IN PVOIDData,
IN ULONGDataSize);
typedef NTSTATUS (*ZWSETVALUEKEY)(
IN HANDLEKeyHandle,
IN PUNICODE_STRINGValueName,
IN ULONGTitleIndexOPTIONAL,
IN ULONGType,
IN PVOIDData,
IN ULONGDataSize
);
static ZWSETVALUEKEY OldZwSetValueKey;
NTSTATUS Hook_NtSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
)
{
NTSTATUS status = STATUS_SUCCESS;
BOOL skipOriginal = FALSE;
UNICODE_STRING CapturedName;
WCHAR wszPath = {0};
R3_RESULT CallBackResult = R3Result_Pass;
__try
{
UNICODE_STRING keyName;
UNICODE_STRING uTarget;
RtlZeroMemory(&keyName, sizeof(UNICODE_STRING));
RtlZeroMemory(&uTarget, sizeof(UNICODE_STRING));
if((ExGetPreviousMode() == KernelMode) ||
(ValueName == NULL))
{
skipOriginal = TRUE;
status =OldZwSetValueKey(KeyHandle,
ValueName,
TitleIndex,
Type,
Data,
DataSize);
return status;
}
if(MyProbeKeyHandle(KeyHandle, KEY_SET_VALUE) == FALSE)
{
skipOriginal = TRUE;
status =OldZwSetValueKey(KeyHandle,
ValueName,
TitleIndex,
Type,
Data,
DataSize);
return status;
}
if(MyObQueryObjectName(KeyHandle, &keyName, TRUE) == FALSE)
{
skipOriginal = TRUE;
status =OldZwSetValueKey(KeyHandle,
ValueName,
TitleIndex,
Type,
Data,
DataSize);
return status;
}
uTarget.Buffer = wszPath;
uTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
RtlCopyUnicodeString(&uTarget, &keyName);
RtlFreeUnicodeString(&keyName);
if (L'\\' != uTarget.Buffer)
RtlAppendUnicodeToString(&uTarget, L"\\");
CapturedName = ProbeAndReadUnicodeString(ValueName);
ProbeForRead(CapturedName.Buffer,
CapturedName.Length,
sizeof(WCHAR));
RtlAppendUnicodeStringToString(&uTarget, &CapturedName);
DbgPrint("Key:%wZ\n", &uTarget);
if (CallBackResult == R3Result_Block)
{
return STATUS_ACCESS_DENIED;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
if(skipOriginal)
return status;
return OldZwSetValueKey(KeyHandle,
ValueName,
TitleIndex,
Type,
Data,
DataSize);
}
NTSTATUS Hook_ZwCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTESObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength );
#pragma alloc_text(PAGE, Hook_ZwCreateFile)
typedef NTSTATUS (*ZWCREATEFILE)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTESObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength );
static ZWCREATEFILE OldZwCreateFile;
NTSTATUS Hook_ZwCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTESObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength )
{
NTSTATUS rc;
rc = OldZwCreateFile(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,
AllocationSize,FileAttributes,ShareAccess,CreateDisposition,
CreateOptions,EaBuffer,EaLength);
return rc;
}
void StartHook (void)
{
//获取未导出的服务函数索引号
HANDLE hFile;
PCHAR pDllFile;
ULONGulSize;
ULONGulByteReaded;
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
OldZwSetValueKey = (ZWSETVALUEKEY) InterlockedExchange((PLONG)
&SDT(ZwSetValueKey),
(LONG)Hook_NtSetValueKey);
OldZwCreateFile = (ZWCREATEFILE)InterlockedExchange((PLONG)&SDT(ZwCreateFile),
(LONG)Hook_ZwCreateFile);
//关闭
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
return ;
}
void RemoveHook (void)
{
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
InterlockedExchange( (PLONG) &SDT(ZwSetValueKey),(LONG) OldZwSetValueKey);
InterlockedExchange( (PLONG) &SDT(ZwCreateFile),(LONG) OldZwCreateFile);
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
}
页:
[1]