木马隐藏技术(1) -- 注册表

此为《木马技术揭秘与防御》系列读书笔记


 1. Userinit

位置:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Userinit 的键值:C:\WINDOWS\system32\userinit.exe,   

在逗号后添加要启动的文件即可

2.AutoRun.inf 自启动

AutoRun 语法: http://hi.baidu.com/tonado/blog/item/40d4d8111bfe1f15b9127b94.html

可以设置光盘、磁盘的自启动,还可以修改右键菜单条目

3.组策略

gpedit.msc -> 用户配置 - 管理模板 - 系统 - 登录

在右边选择“在系统登录时运行这些程序” - 设置选项卡 - 已启用 - 显示 - 添加 - 填入完整的程序路径

该方法对应的注册表路径为:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

4.其他位置

a) 注册表的 Load 键值:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

b) windows中加载的服务:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

c) windows shell:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 下的shell字符串类型键值,默认值为explorer.exe(在xp sp3 上没找到)

d) BootExecute: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager 默认值为 autocheck autochk *  (原书此处漏掉了 Control)

e) 最常用的位置:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 


注册表操作的相关函数

1.创建

 

// Creates lpSubKey under hKey, or opens it if it already exists. Returns
// ERROR_SUCCESS or a Win32 error code (not an HRESULT). Creating or writing
// keys under HKEY_LOCAL_MACHINE typically requires an elevated token.
LONG WINAPI RegCreateKeyEx(
  __in        HKEY hKey,            // an open key, or one of the predefined roots listed below
  __in        LPCTSTR lpSubKey,     // subkey path relative to hKey
  __reserved  DWORD Reserved,   //This parameter is reserved and must be zero.
  __in_opt    LPTSTR lpClass,       // class string for the key; NULL in normal use
  __in        DWORD dwOptions,  // default: REG_OPTION_NON_VOLATILE (the key is persisted across reboots)
  __in        REGSAM samDesired,    // access mask: request only the rights actually used (e.g. KEY_SET_VALUE), not KEY_ALL_ACCESS
  __in_opt    LPSECURITY_ATTRIBUTES lpSecurityAttributes, // NULL: default DACL, handle not inheritable
  __out       PHKEY phkResult,      // receives the key handle; release it with RegCloseKey
  __out_opt   LPDWORD lpdwDisposition //REG_CREATED_NEW_KEY | REG_OPENED_EXISTING_KEY
);

 

// Opens an existing subkey; returns ERROR_FILE_NOT_FOUND if it is absent
// (use RegCreateKeyEx when the key should be created on demand).
LONG WINAPI RegOpenKeyEx(
  __in        HKEY hKey,
  __in_opt    LPCTSTR lpSubKey,     // NULL or "" opens hKey itself
  __reserved  DWORD ulOptions,  //this parameter is reserved and must be zero.
  __in        REGSAM samDesired, //KEY_ALL_ACCESS (0xF003F) -- author's note: "if you're lazy, just request full access".
                                 // Prefer KEY_READ / KEY_QUERY_VALUE for queries: KEY_ALL_ACCESS on an HKLM key
                                 // is refused (ERROR_ACCESS_DENIED) for a non-elevated token, so the open fails needlessly.
  __out       PHKEY phkResult    // receives the key handle; release it with RegCloseKey
);

这两个函数的hKey 取值为:

  • HKEY_CLASSES_ROOT 
  • HKEY_CURRENT_CONFIG 
  • HKEY_CURRENT_USER 
  • HKEY_LOCAL_MACHINE  
  • HKEY_USERS

2.修改

// Reads one value of an open key. Returns ERROR_SUCCESS, ERROR_MORE_DATA when
// the buffer is too small (lpcbData then holds the required size), or another
// Win32 error code.
LONG WINAPI RegQueryValueEx(
  __in         HKEY hKey,
  __in_opt     LPCTSTR lpValueName,   // NULL or "" reads the key's default value
  __reserved   LPDWORD lpReserved,    // must be NULL
  __out_opt    LPDWORD lpType,        // receives the REG_* type; check it before treating lpData as a string
  __out_opt    LPBYTE lpData,  //A pointer to a buffer that receives the value's data. This parameter can be NULL if the data is not required.
                               // REG_SZ data is NOT guaranteed to be NUL-terminated: leave a spare byte and terminate it yourself.
  __inout_opt  LPDWORD lpcbData  //contains the size of the data copied to lpData.
                                 // in: buffer size in bytes; out: bytes stored (or bytes required, on ERROR_MORE_DATA)
);
// Opens (creating if needed) lpSubKey below hKey and sets one value in a single
// call. Available from Windows Vista / Server 2008 onward; not present on XP.
LONG WINAPI RegSetKeyValue(
  __in      HKEY hKey,
  __in_opt  LPCTSTR lpSubKey,    // NULL: set the value on hKey itself
  __in_opt  LPCTSTR lpValueName, // NULL or "": the key's default value
  __in      DWORD dwType,  // string: REG_SZ
  __in_opt  LPCVOID lpData,
  __in      DWORD cbData   // size in bytes; for REG_SZ this must include the terminating NUL
);
// Sets one value on an already-open key. The handle must have been opened
// with KEY_SET_VALUE (included in KEY_WRITE and KEY_ALL_ACCESS).
LONG WINAPI RegSetValueEx(
  __in        HKEY hKey,
  __in_opt    LPCTSTR lpValueName, // NULL or "": the key's default value
  __reserved  DWORD Reserved,      // must be zero
  __in        DWORD dwType,        // REG_SZ for a string, REG_DWORD for a 32-bit integer, ...
  __in        const BYTE *lpData,
  __in        DWORD cbData         // size in bytes; for REG_SZ this must include the terminating NUL
);
// Removes a single value from an open key (the key itself stays). The handle
// must have been opened with KEY_SET_VALUE.
LONG WINAPI RegDeleteValue(
  __in      HKEY hKey,
  __in_opt  LPCTSTR lpValueName  //The registry value to be removed. If this parameter is NULL or an empty string, the value set by the RegSetValue function is removed.
);

 

3.关闭

// Releases a handle obtained from RegOpenKeyEx / RegCreateKeyEx. Call it only
// for handles that were actually returned (not after a failed open), and not
// for the predefined roots such as HKEY_LOCAL_MACHINE.
LONG WINAPI RegCloseKey(
  __in  HKEY hKey
);

 


 

代码片段

读取注册表中的CPU信息:

#include <windows.h>
#include <stdio.h>
#include <string>
#include <iostream>

using namespace std;
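int main()
{
    // Reads HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    // and prints it. Returns 0 on success and 1 if the key could not be opened.
    HKEY hKey = NULL;
    string subKey = "HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0";

    // Only a query is performed, so KEY_READ is sufficient; KEY_ALL_ACCESS on an
    // HKLM key is refused for a non-elevated token and grants far more than is
    // used. The explicit ...A variants keep the narrow-string literals valid
    // even when the project is built with UNICODE defined.
    LONG lRet = RegOpenKeyExA(HKEY_LOCAL_MACHINE, subKey.c_str(), 0, KEY_READ, &hKey);
    if(lRet != ERROR_SUCCESS){
        cout<<"Read ERROR"<<endl;
        return 1;   // nothing was opened, so there is no handle to close
    }
    cout<<"Read success"<<endl;

    // RegQueryValueEx does not guarantee that REG_SZ data is NUL-terminated, so
    // keep one spare byte and terminate explicitly after the call.
    char szValue[256] = { 0 };
    DWORD dwType = 0;
    DWORD dwSize = sizeof(szValue) - 1;   // in: buffer size in bytes; out: bytes copied
    lRet = RegQueryValueExA(hKey, "ProcessorNameString", NULL, &dwType,
                            reinterpret_cast<LPBYTE>(szValue), &dwSize);
    if(lRet == ERROR_SUCCESS && dwType == REG_SZ){
        szValue[dwSize] = '\0';
        cout<<"CPU info:\n"<<szValue<<endl;
    }else{
        // ERROR_MORE_DATA (buffer too small) and a non-string type both end here
        cout<<"Unknown CPU type"<<endl;
    }

    RegCloseKey(hKey);
    return 0;
}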

向注册表启动项写入数据 -- 实现程序的自启动:

这里使用4.e)中的HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run实现

 

#include <iostream>
#include <string>
#include <windows.h>

using namespace std;

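int main()
{
    // Registers this executable's path under HKLM\...\Run as the value
    // "SelfRunDemo". Returns 0 when the value was written, 1 otherwise.
    HKEY hRoot = HKEY_LOCAL_MACHINE;
    string subKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
    HKEY hKey = NULL;
    DWORD dwDisposition = 0;   // out-param: REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY

    // KEY_SET_VALUE is the only right exercised below; writing under HKLM still
    // requires an elevated token, so RegCreateKeyEx fails (and we bail out)
    // when run unprivileged. The ...A variants match the narrow-string literals.
    LONG lRet = RegCreateKeyExA(hRoot, subKey.c_str(), 0, NULL, REG_OPTION_NON_VOLATILE,
                                KEY_SET_VALUE, NULL, &hKey, &dwDisposition);
    if(lRet != ERROR_SUCCESS){
        return 1;
    }

    char szModule[MAX_PATH] = { 0 };
    DWORD dwLen = GetModuleFileNameA(NULL, szModule, MAX_PATH);
    // 0 means the call failed and MAX_PATH means the path was truncated;
    // neither is a usable path, so it must not be stored.
    if(dwLen == 0 || dwLen >= MAX_PATH){
        cout<<"Write Failed"<<endl;
        RegCloseKey(hKey);
        return 1;
    }

    // For REG_SZ, cbData must include the terminating NUL; passing strlen()
    // alone stores an unterminated string that readers may not handle.
    lRet = RegSetValueExA(hKey, "SelfRunDemo", 0, REG_SZ,
                          reinterpret_cast<const BYTE *>(szModule), dwLen + 1);
    if(lRet == ERROR_SUCCESS){
        cout<<"Write Success!"<<endl;
    }else{
        cout<<"Write Failed"<<endl;
    }

    RegCloseKey(hKey);

    return lRet == ERROR_SUCCESS ? 0 : 1;
}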

 

 效果如图:

 

 

posted @ 2012-08-07 10:45  handt