check hosts file

/**************************************
/* 作者:半斤八兩
/* 博客:http://cnblogs.com/bjblcracked
/* 日期:2013-08-12  22:44
/**************************************



只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!

不知道大家有没有遇到过这种情况.
改了本地hosts,仍然没有效果.
本来以为是病毒 lsp bho了,
查看后,都没有,觉得很奇怪.

在网上搜了一下,得知 hosts 文件的路径由某个 svchost.exe 进程在内存中持有,
该进程的启动参数是 "-k NetworkService"。
用winhex搜索一下 "drivers\etc" 
查看结果是 drivers\htc\xxxxxx,说明 hosts 的路径被改掉了。
那么把这个路径改回 hosts 就好了。

于是写了一个小程序,可以查看这个路径是否被修改,并把它恢复成 hosts。

 

  1 // CheckHosts.cpp : Defines the entry point for the console application.
  2 //
  3 
  4 #include "stdafx.h"
  5 #include <windows.h>
  6 #include <stdlib.h>
  7 
  8 #define ProcessBasicInformation 0
  9 
// Counted UTF-16 string as the NT kernel stores it. Length and MaximumLength
// are byte counts, not character counts: GetProcessCmdLine below reads
// CommandLine.Length bytes and compares it against a sizeof()-based buffer
// size, so treat Length as bytes everywhere.
typedef struct
{
    USHORT Length;          // used bytes in Buffer (no terminator included)
    USHORT MaximumLength;   // allocated bytes in Buffer
    PWSTR  Buffer;          // address in the *target* process, not ours
} UNICODE_STRING, *PUNICODE_STRING;
 16 
// Hand-declared mirror of the target's process-parameters block. The only
// member this tool reads is CommandLine (see GetProcessCmdLine); every other
// field, including the Unknown* ones, exists solely to keep CommandLine at the
// right offset.
// NOTE(review): this is a reverse-engineered 32-bit layout, not the SDK's
// RTL_USER_PROCESS_PARAMETERS — verify the offsets on any other Windows
// build or bitness before trusting the command line it yields.
typedef struct
{
    ULONG          AllocationSize;
    ULONG          ActualSize;
    ULONG          Flags;
    ULONG          Unknown1;
    UNICODE_STRING Unknown2;
    HANDLE         InputHandle;
    HANDLE         OutputHandle;
    HANDLE         ErrorHandle;
    UNICODE_STRING CurrentDirectory;
    HANDLE         CurrentDirectoryHandle;
    UNICODE_STRING SearchPaths;
    UNICODE_STRING ApplicationName;
    UNICODE_STRING CommandLine;       // the one field actually consumed
    PVOID          EnvironmentBlock;
    ULONG          Unknown[9];
    UNICODE_STRING Unknown3;
    UNICODE_STRING Unknown4;
    UNICODE_STRING Unknown5;
    UNICODE_STRING Unknown6;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;
 39 
// Leading portion of the target's Process Environment Block, declared just far
// enough to reach ProcessParameters (the only member GetProcessCmdLine reads).
// NOTE(review): field names/widths follow the usual 32-bit reverse-engineered
// layout rather than winternl.h; presumably wrong for a 64-bit target — confirm
// before running against anything other than the 32-bit systems the write-up
// mentions.
typedef struct
{
    ULONG               AllocationSize;
    ULONG               Unknown1;
    HINSTANCE           ProcessHinstance;
    PVOID               ListDlls;
    PPROCESS_PARAMETERS ProcessParameters;   // remote pointer, read via ReadProcessMemory
    ULONG               Unknown2;
    HANDLE              Heap;
} PEB, *PPEB;
 50 
// Output of NtQueryInformationProcess(ProcessBasicInformation). Only
// PebBaseAddress is used here. The DWORD/ULONG widths assume a 32-bit process;
// on x64 several of these members are pointer-sized, so the struct would have to
// be redeclared (NOTE(review): untested on 64-bit per the write-up).
typedef struct
{
    DWORD ExitStatus;
    PPEB  PebBaseAddress;       // address of the target's PEB in its own space
    DWORD AffinityMask;
    DWORD BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
}   PROCESS_BASIC_INFORMATION;
 60 
 61 
 62 
// Signature of ntdll!NtQueryInformationProcess, which is not exported through an
// import library here and is therefore resolved at runtime with GetProcAddress.
// Returns an NTSTATUS (0 on success).
typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);


// Resolved once in main() before any process is queried; NULL until then.
PROCNTQSIP NtQueryInformationProcess;

// Copies the command line of process dwId into wBuf (dwBufLen is in BYTES).
BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen);
 69 
 70 
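// Enable SeDebugPrivilege on our own token so OpenProcess can later reach a
// service process (svchost) that we do not own.
//
// Returns true only when the privilege is actually enabled. Two defects in the
// earlier version are fixed here: the token handle was leaked on the success
// path, and a TRUE from AdjustTokenPrivileges was taken as success even though
// that call also returns TRUE when the privilege is not held by the token (it
// then reports ERROR_NOT_ALL_ASSIGNED via GetLastError) — which is exactly what
// happens when the tool is not run elevated.
bool AdjustProcessTokenPrivilege()
{
    HANDLE hToken = NULL;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }

    bool enabled = false;
    LUID debugLuid;

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &debugLuid))
    {
        MessageBox(NULL, "LookupPrivilegeValue fail" ,"fail", MB_OK | MB_ICONINFORMATION);
    }
    else
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = debugLuid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        // The BOOL result alone is not enough: check GetLastError() for
        // ERROR_NOT_ALL_ASSIGNED (privilege absent from the token).
        if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL)
            && GetLastError() == ERROR_SUCCESS)
        {
            enabled = true;
        }
    }

    CloseHandle(hToken);   // closed on every path, including success
    return enabled;
}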
101 
// Clear the console and print the two-entry menu (1 = show the current hosts
// file name, 2 = restore it). Output text is kept exactly as before.
void IsDisplayParameter()
{
    static const char *const kMenu[] = {
        "---------------------------------------------",
        "-           1 查看当前hosts文件名           -",
        "-           2 恢复hosts原来文件名           -",
        "---------------------------------------------",
    };

    system("cls");

    for (size_t row = 0; row < sizeof(kMenu) / sizeof(kMenu[0]); ++row)
    {
        puts(kMenu[row]);
    }
}
110 
111 
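// Narrow-string key searched for in the target's memory. The original scan
// compared only the directory part ("drivers\etc", no trailing backslash), so
// the same 11-byte prefix is kept here for identical matching.
// NOTE(review): because the key is the directory prefix, a change to the
// directory itself (the write-up mentions "drivers\htc") would not be found,
// and a UTF-16 copy of the path would be missed as well — confirm against the
// target before relying on a "not found" result.
static const char kHostsDirPrefix[] = "drivers\\etc";
static const char kHostsPath[]      = "drivers\\etc\\hosts";

// Length of the NUL-terminated string starting at buf[pos], never reading past
// `len` bytes: the region copy is not guaranteed to contain a terminator.
static SIZE_T BoundedStrLen(const BYTE *buf, SIZE_T len, SIZE_T pos)
{
    SIZE_T n = 0;
    while (pos + n < len && buf[pos + n] != '\0')
    {
        ++n;
    }
    return n;
}

// Act on one hit at buf[pos] (remote address `remote`) according to `mode`:
//   1 -> print the path found,
//   2 -> overwrite it in the target with "drivers\etc\hosts".
// Returns true when the scan should stop (the hit was reported or patched).
static bool HandleHit(HANDLE hProcess, const BYTE *buf, SIZE_T len, SIZE_T pos,
                      LPVOID remote, int mode)
{
    const SIZE_T strLen = BoundedStrLen(buf, len, pos);

    if (mode == 1)
    {
        // Bounded print: the previous sprintf("%s") into a 255-byte stack
        // buffer could overrun both that buffer and the region copy, since
        // nothing guarantees a NUL inside the copied region.
        printf("----====found: [%.*s]===---\n", (int)strLen, (const char *)&buf[pos]);
        system("pause");
        return true;
    }

    if (mode == 2)
    {
        const SIZE_T replLen = strlen(kHostsPath);

        // Patch in place only when the existing string (with its terminator)
        // is at least as long as the replacement, so the NUL we write lands
        // inside the target's own buffer instead of one byte past it. Writing
        // the bare 17 characters over a shorter name would clobber its
        // terminator and leave the path running into whatever follows.
        if (pos + strLen >= len || strLen < replLen)
        {
            printf("found [%.*s] but it is shorter than the replacement; not patched\n",
                   (int)strLen, (const char *)&buf[pos]);
            system("pause");
            return true;
        }

        SIZE_T written = 0;
        if (!WriteProcessMemory(hProcess, remote, kHostsPath, replLen + 1, &written)
            || written != replLen + 1)
        {
            printf("WriteProcessMemory failed: %lu\n", (unsigned long)GetLastError());
        }
        else
        {
            puts("恭喜, 恢復成功!!!");
        }

        // NOTE(review): this changes the live process only; whatever persistent
        // setting produced the altered path is not touched, so the change is
        // presumably lost at the next service restart — confirm where it lives.
        system("pause");
        return true;
    }

    return false;
}

// Scan every committed, readable region of hProcess for kHostsDirPrefix and
// hand the first hit to HandleHit. Returns true when a hit was handled.
// The region buffer is always freed here; the caller owns hProcess.
static bool ScanProcess(HANDLE hProcess, int mode)
{
    const SIZE_T keyLen = strlen(kHostsDirPrefix);
    MEMORY_BASIC_INFORMATION mbi;
    BYTE  *buf     = NULL;
    SIZE_T bufSize = 0;
    PBYTE  addr    = NULL;
    bool   handled = false;

    while (!handled && VirtualQueryEx(hProcess, addr, &mbi, sizeof(mbi)) == sizeof(mbi))
    {
        PBYTE next = (PBYTE)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr)
        {
            break;   // address-space wrap; nothing left to walk
        }
        addr = next;

        // Same filter as before, plus: regions too small to hold the key are
        // skipped (the old RegionSize - keyLen wrapped for tiny regions).
        if (mbi.State != MEM_COMMIT || mbi.Protect == 0
            || (mbi.Protect & (PAGE_GUARD | PAGE_NOACCESS)) != 0
            || mbi.RegionSize < keyLen)
        {
            continue;
        }

        if (mbi.RegionSize > bufSize)
        {
            delete[] buf;
            buf     = new BYTE[mbi.RegionSize];
            bufSize = mbi.RegionSize;
        }

        SIZE_T got = 0;
        if (!ReadProcessMemory(hProcess, mbi.BaseAddress, buf, mbi.RegionSize, &got)
            || got < keyLen)
        {
            continue;
        }

        for (SIZE_T off = 0; off + keyLen <= got; ++off)
        {
            if (memcmp(&buf[off], kHostsDirPrefix, keyLen) != 0)
            {
                continue;
            }

            LPVOID remote = (PBYTE)mbi.BaseAddress + off;
            if (HandleHit(hProcess, buf, got, off, remote, mode))
            {
                handled = true;
                break;
            }
            off += keyLen - 1;   // skip over the matched prefix
        }
    }

    delete[] buf;   // previously leaked on every early return
    return handled;
}

// Console entry point: ask for a mode (1 = show, 2 = restore), locate the
// svchost instance started with "-k NetworkService", and scan/patch its memory.
// Returns 0 normally, 1 when stdin closes or ntdll lookup fails.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    system("color 0a & title 半斤八兩");

    int mode = 0;

    IsDisplayParameter();

    for (;;)
    {
        int rc = scanf("%d", &mode);
        if (rc == EOF)
        {
            return 1;   // stdin closed: the old loop spun forever on getchar()==EOF
        }
        if (rc == 1 && (mode == 1 || mode == 2))
        {
            break;
        }

        IsDisplayParameter();

        // discard the rest of the line
        int c;
        while ((c = getchar()) != '\n' && c != EOF)
        {
        }
        if (c == EOF)
        {
            return 1;
        }
    }

    NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
        GetModuleHandle("ntdll"),
        "NtQueryInformationProcess"
        );

    if (!NtQueryInformationProcess)
    {
        return 1;
    }

    // SeDebugPrivilege is what lets OpenProcess reach a service process; it is
    // only obtainable from an elevated token, so say so instead of failing
    // silently later.
    if (!AdjustProcessTokenPrivilege())
    {
        puts("warning: could not enable SeDebugPrivilege; run as administrator");
    }

    WCHAR cmdline[MAXBYTE];

    // Brute-force PID walk kept from the original (multiples of 4 below 0x270f);
    // NOTE(review): EnumProcesses/ToolHelp would be the conventional way.
    for (DWORD pid = 4; pid < 0x270f; pid += 4)
    {
        // Clear before every query: a failed lookup used to leave the previous
        // process's command line in the buffer, so the "-k NetworkService" test
        // could match the wrong PID.
        memset(cmdline, 0, sizeof(cmdline));
        if (!GetProcessCmdLine(pid, cmdline, sizeof(cmdline)))
        {
            continue;
        }
        cmdline[MAXBYTE - 1] = L'\0';

        wprintf(L"PID: [%lu]\r\nparameter: [%s]\r\n\r\n", (unsigned long)pid, cmdline);

        if (wcsstr(cmdline, L"-k NetworkService") == NULL)
        {
            continue;
        }

        // Least privilege: query + read, plus write/operation for mode 2.
        // PROCESS_ALL_ACCESS was more than the scan needs.
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
                                      | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                                      FALSE, pid);
        if (!hProcess)
        {
            printf("OpenProcess(%lu) failed: %lu\n",
                   (unsigned long)pid, (unsigned long)GetLastError());
            continue;   // the old code gave up entirely here
        }

        bool handled = ScanProcess(hProcess, mode);
        CloseHandle(hProcess);   // closed on every path, including after a hit

        if (handled)
        {
            return 0;
        }

        puts("ok");
    }

    return 0;
}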
267 
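// Copy the command line of process dwId into wBuf.
//
//   dwId     - target PID
//   wBuf     - receives the command line as a NUL-terminated wide string
//   dwBufLen - size of wBuf in BYTES (callers pass sizeof(array))
//
// Returns TRUE on success. On any failure wBuf is left as an empty string, so a
// caller that ignores the return value never sees stale data from a previous
// call. Requires the global NtQueryInformationProcess to be resolved.
//
// Fixes over the previous version: the copied text is now always terminated
// (the old code required only dwBufLen >= Length and never wrote a NUL, so a
// full-length command line left an unterminated buffer), remote pointers are
// checked for NULL, and short reads are treated as failures.
BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen)
{
    BOOL bRet = FALSE;

    if (wBuf == NULL || dwBufLen < sizeof(WCHAR))
    {
        return FALSE;
    }
    wBuf[0] = L'\0';

    HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,dwId);
    if (!hProcess)
    {
        return FALSE;
    }

    PROCESS_BASIC_INFORMATION pbi;
    PEB                       peb;
    PROCESS_PARAMETERS        params;
    SIZE_T                    got = 0;

    // NTSTATUS: zero is success.
    if (NtQueryInformationProcess(hProcess,
                                  ProcessBasicInformation,
                                  (PVOID)&pbi,
                                  sizeof(PROCESS_BASIC_INFORMATION),
                                  NULL) != 0)
    {
        goto cleanup;
    }

    if (pbi.PebBaseAddress == NULL)
    {
        goto cleanup;
    }

    if (!ReadProcessMemory(hProcess, pbi.PebBaseAddress, &peb, sizeof(PEB), &got)
        || got != sizeof(PEB))
    {
        goto cleanup;
    }

    if (peb.ProcessParameters == NULL)
    {
        goto cleanup;
    }

    if (!ReadProcessMemory(hProcess, peb.ProcessParameters, &params,
                           sizeof(PROCESS_PARAMETERS), &got)
        || got != sizeof(PROCESS_PARAMETERS))
    {
        goto cleanup;
    }

    {
        LPVOID src = params.CommandLine.Buffer;
        DWORD  len = params.CommandLine.Length;   // bytes, not characters

        // Need room for the text plus a terminator the target does not supply.
        if (src == NULL || len + sizeof(WCHAR) > dwBufLen)
        {
            goto cleanup;
        }

        if (!ReadProcessMemory(hProcess, src, wBuf, len, &got) || got != len)
        {
            wBuf[0] = L'\0';   // partial copy must not look like a result
            goto cleanup;
        }

        wBuf[len / sizeof(WCHAR)] = L'\0';
        bRet = TRUE;
    }

cleanup:
    CloseHandle (hProcess);

    return bRet;
}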

 程序在 Windows 7 32 位和 XP 32 位上测试通过。需要以管理员身份运行(程序会启用 SeDebugPrivilege 来打开 svchost 进程);代码中手写的 PEB 等结构体是按 32 位布局声明的,未在 64 位系统上验证。

 

下载链接:看雪学院
