
ObjectType HOOK干涉注册表操作


   PVOIDOldParseKey;
  // Install the hook
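  /*
   * InstallAdvRegHook - redirect the registry Key object type's ParseProcedure
   * to FakeParseKey, so that every open/create the Object Manager routes
   * through the Key type is filtered by us first.
   *
   * Locating the type object: an existing key is opened, its handle is turned
   * into an object-body pointer, and the OBJECT_TYPE pointer is read from the
   * OBJECT_HEADER that precedes the body.  The header layout is hard-coded:
   * Type sits 0x10 bytes before the body, which is the XP x86 layout this
   * listing targets.  It is NOT portable -- verify the offset on any other
   * build; later 64-bit kernels also guard these structures against exactly
   * this kind of write.
   *
   * Side effects: stores the original routine in the global OldParseKey and
   * overwrites a field of a kernel type object with a plain, unlocked store.
   * There is no matching unhook in this listing, so the driver must stay
   * resident for as long as the hook is installed (otherwise the kernel
   * would call into unloaded code).
   *
   * Returns nothing; every failure path logs via KDMSG and releases what it
   * acquired.
   */
  void InstallAdvRegHook()
  {
      UNICODE_STRING RegPath;
      OBJECT_ATTRIBUTES oba;
      HANDLE RegKeyHandle = NULL;
      PVOID KeyObject = NULL;
      PMYOBJECT_TYPE CmpKeyObjectType;
      NTSTATUS status;

      /* Installing twice would record FakeParseKey itself as the "original"
       * and make the hook call itself forever; refuse a second install. */
      if (OldParseKey != NULL) {
          KDMSG(("registry parse hook already installed\n"));
          return;
      }

      /* Any existing key will do; HKLM\SYSTEM always exists.  The published
       * listing lost the backslashes of this path -- they are escaped here. */
      RtlInitUnicodeString(&RegPath, L"\\Registry\\Machine\\System");
      InitializeObjectAttributes(&oba, &RegPath,
                                 OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                                 NULL, NULL);

      status = ZwOpenKey(&RegKeyHandle, KEY_QUERY_VALUE, &oba);
      if (!NT_SUCCESS(status)) {
          KDMSG(("open the system key failed! status=%08x\n", status));
          return;
      }

      /* Handle -> object body pointer.  Access is KernelMode, so the
       * DesiredAccess value is not checked against the handle's rights. */
      status = ObReferenceObjectByHandle(RegKeyHandle, GENERIC_READ, NULL,
                                         KernelMode, &KeyObject, NULL);
      if (!NT_SUCCESS(status)) {
          KDMSG(("reference the key object failed! status=%08x\n", status));
          ZwClose(RegKeyHandle);
          return;
      }

      /* OBJECT_HEADER.Type is 0x10 bytes before the object body on XP x86.
       * The original did this with inline asm (mov eax,[eax-0x10]); the C
       * form is the same load without the MSVC-only syntax. */
      CmpKeyObjectType = *(PMYOBJECT_TYPE *)((PUCHAR)KeyObject - 0x10);
      KDMSG(("key object type: %08x\n", CmpKeyObjectType));

      /* If the layout assumption above is wrong this is garbage; do not
       * dereference it blindly. */
      if (!MmIsAddressValid(CmpKeyObjectType)) {
          KDMSG(("key object type pointer is not valid\n"));
          goto cleanup;
      }

      OldParseKey = CmpKeyObjectType->TypeInfo.ParseProcedure;
      KDMSG(("key parse procedure routine: %08x\n", OldParseKey));
      if (!MmIsAddressValid(OldParseKey)) {
          /* Leave the global clean so a retry is not refused by the guard. */
          OldParseKey = NULL;
          goto cleanup;
      }

      /* Save-then-swap order matters: FakeParseKey forwards through
       * OldParseKey, which must be valid before the swap is visible.  The
       * store is a single aligned pointer-sized write (atomic on x86) but
       * nothing serialises it against another writer of this field. */
      CmpKeyObjectType->TypeInfo.ParseProcedure = (ULONG)FakeParseKey;

  cleanup:
      ObDereferenceObject(KeyObject);
      ZwClose(RegKeyHandle);
  }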
  // Hook function (replacement ParseProcedure)
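  /*
   * NameContainsRun - case-insensitive search for the ASCII needle "RUN" in
   * the first LengthInBytes/sizeof(WCHAR) characters of Buffer.
   *
   * Works directly on the counted string: no copy, no NUL terminator needed,
   * never reads past Length.  Only a-z are folded, which is all an ASCII
   * needle requires, so the result matches what _wcsupr + wcsstr gave for
   * the same characters.  Returns TRUE on a match.
   */
  static BOOLEAN NameContainsRun(const WCHAR *Buffer, USHORT LengthInBytes)
  {
      const USHORT chars = LengthInBytes / sizeof(WCHAR);
      USHORT i;

      for (i = 0; i + 3 <= chars; i++) {
          WCHAR c0 = Buffer[i];
          WCHAR c1 = Buffer[i + 1];
          WCHAR c2 = Buffer[i + 2];

          if ((c0 == L'R' || c0 == L'r') &&
              (c1 == L'U' || c1 == L'u') &&
              (c2 == L'N' || c2 == L'n')) {
              return TRUE;
          }
      }
      return FALSE;
  }

  /*
   * FakeParseKey - replacement ParseProcedure for the registry Key object
   * type, installed by InstallAdvRegHook.
   *
   * The Object Manager calls it with the OB parse-method parameters for every
   * open/create that names a registry key; ObjectName is the name being
   * opened, RemainingName the part not yet resolved.  Any ObjectName that
   * contains "RUN" (case-insensitive *substring*, so RunOnce, ...Runtime...
   * and the like are hit too) is refused with STATUS_OBJECT_NAME_NOT_FOUND;
   * everything else is forwarded unchanged to the saved original routine and
   * its status is returned.
   *
   * Fixes versus the published listing: it copied ObjectName->MaximumLength
   * bytes into a 300-WCHAR stack buffer and then ran _wcsupr/wcsstr on it.
   * A longer name overflowed the kernel stack, and since a UNICODE_STRING
   * need not be NUL-terminated the scan could also run past the buffer.
   * The check now works on the counted string in place.  A NULL ObjectName
   * or Buffer is passed straight through rather than dereferenced.
   */
  NTSTATUS FakeParseKey(POBJECT_DIRECTORY RootDirectory,
                        POBJECT_TYPE ObjectType,
                        PACCESS_STATE AccessState,
                        KPROCESSOR_MODE AccessCheckMode,
                        ULONG Attributes,
                        PUNICODE_STRING ObjectName,
                        PUNICODE_STRING RemainingName,
                        PVOID ParseContext,
                        PSECURITY_QUALITY_OF_SERVICE SecurityQos,
                        PVOID *Object)
  {
      /* The original forwarded with hand-written x86 pushes and no caller-side
       * stack cleanup, i.e. stdcall; NTAPI keeps that convention while
       * dropping the MSVC-only inline asm. */
      typedef NTSTATUS (NTAPI *PARSE_KEY_PROC)(POBJECT_DIRECTORY,
                                              POBJECT_TYPE,
                                              PACCESS_STATE,
                                              KPROCESSOR_MODE,
                                              ULONG,
                                              PUNICODE_STRING,
                                              PUNICODE_STRING,
                                              PVOID,
                                              PSECURITY_QUALITY_OF_SERVICE,
                                              PVOID *);

      if (ObjectName != NULL && ObjectName->Buffer != NULL &&
          NameContainsRun(ObjectName->Buffer, ObjectName->Length)) {
          /* Protected key: pretend it does not exist. */
          return STATUS_OBJECT_NAME_NOT_FOUND;
      }

      /* OldParseKey was validated and stored before the hook became visible
       * (see InstallAdvRegHook), so it is safe to call here. */
      return ((PARSE_KEY_PROC)OldParseKey)(RootDirectory, ObjectType,
                                           AccessState, AccessCheckMode,
                                           Attributes, ObjectName,
                                           RemainingName, ParseContext,
                                           SecurityQos, Object);
  }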


