An IFEO image-hijacking tool I wrote

Posted on 2007-09-01 11:20 by Samson小天 (1199 views, 0 comments)

First, a quick introduction to IFEO. I won't copy everything that is on the web; if you want the full text, search Google for the keywords below and you will find the original. The material is as follows:

So-called image hijacking (IFEO) stands for Image File Execution Options. It lives in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Since this key is mainly intended for debugging programs, it means little to ordinary users. By default only Administrators and Local System have permission to read, write and modify it.

Next, let's look at how Windows NT runs a program:

When a Windows NT system tries to carry out a request to run an executable invoked from the command line, it first checks whether the program is an executable file; if it is, it then checks the format, and after that it checks whether it exists (this is the point where IFEO is consulted). If it does not exist, the system reports that it cannot find the file, or "the specified path is incorrect", and so on. Once these keys are deleted, the program runs again!

The program itself is fairly simple: it walks the Image File Execution Options key, reads out the hijacked programs and adds them to a ListBox. The code is as follows:

    using Microsoft.Win32;

    // Enumerate the IFEO key and list every subkey; each subkey is named after
    // an image file (e.g. notepad.exe) and holds that program's options.
    protected void RefreshListBox()
    {
        this.listBox_IFEO.Items.Clear();
        RegistryKey hkml = Registry.LocalMachine;
        // Opened writable (true) as in the tool; read-only would be enough for listing.
        RegistryKey IFEO = hkml.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", true);
        string[] subkeyNames = IFEO.GetSubKeyNames();
        foreach (string keyName in subkeyNames)
        {
            this.listBox_IFEO.Items.Add(keyName);
        }
    }


The hijacking part checks whether the program you currently want to hijack already exists under Image File Execution Options; if it does, it warns you, otherwise it performs the hijack. I wrote this code so messily... how depressing. I'm too embarrassed to publish it here, so I'll only paste the key part:
    // Deny_App holds the image file name of the program to redirect and tovalue the
    // path that Windows should launch instead; both come from the form elsewhere in the tool.
    RegistryKey hkml = Registry.LocalMachine;
    RegistryKey IFEO = hkml.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", true);
    RegistryKey aimdir = IFEO.CreateSubKey(Deny_App);
    aimdir.SetValue("Debugger", tovalue);
Deletion is just a simple traversal, then removing the matching key:
    string[] DeleteReg;
    // The image name selected in the ListBox is the subkey to remove.
    string UnDo_IFEO_Name = this.listBox_IFEO.SelectedItem.ToString();
    RegistryKey hkml = Registry.LocalMachine;
    RegistryKey IFEO = hkml.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options", true);
    DeleteReg = IFEO.GetSubKeyNames();
    foreach (string aimKey in DeleteReg)
    {
        if (aimKey == UnDo_IFEO_Name)
        {
            // Remove the subkey and everything below it, including the Debugger value.
            IFEO.DeleteSubKeyTree(UnDo_IFEO_Name);
        }
    }
That is all of the key code.
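The tool's list shows every subkey under IFEO, but the key also holds legitimate debugging entries, so what actually marks a hijacked image is a Debugger value on its subkey. As an added example (not code from the original tool), the Python below audits a .reg export of the IFEO key offline and reports each direct subkey that sets Debugger together with its redirect target; the export text, image names and target paths are constructed for the example, and `find_debugger_entries` is my own name.

```python
import re

# Constructed sample resembling a `reg export` of the IFEO key (after decoding from
# UTF-16). Subkey names and target paths are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"GlobalFlag"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscorwks.dll"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\example_tool.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\System32\\not_here.exe"
'''

IFEO_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def unescape_reg_string(raw: str) -> str:
    """Undo .reg escaping: a doubled backslash is one backslash, \\" is a quote."""
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def find_debugger_entries(reg_text: str) -> dict:
    """Map each IFEO subkey (image name) that sets a Debugger string to its target."""
    hijacks = {}
    current_image = None          # image name of the [section] being read, if any
    prefix = IFEO_PATH + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.*)\]", line)
        if section:
            key = section.group(1)
            # Only direct children of the IFEO key name an image file; the root
            # key and deeper paths are not per-program entries.
            if key.startswith(prefix) and "\\" not in key[len(prefix):]:
                current_image = key[len(prefix):]
            else:
                current_image = None
            continue
        value = re.fullmatch(r'"Debugger"="(.*)"', line, flags=re.IGNORECASE)
        if value and current_image is not None:
            hijacks[current_image.lower()] = unescape_reg_string(value.group(1))
    return hijacks


if __name__ == "__main__":
    for image, target in find_debugger_entries(SAMPLE_REG_EXPORT).items():
        print(f"{image} is redirected to {target}")
```

Entries whose target no longer exists on disk are the ones that produce the "cannot find the file" error described above, so a missing-file check on each reported target is a natural next step.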

The download link for the program is below (I only started learning this during the summer vacation, so please forgive any bugs; suggestions are welcome):
http://cid-856b7a1fbf560755.skydrive.live.com/self.aspx/My%20free%20softwares/IFEOhijack.rar
