check hosts file
/**************************************
/* 作者:半斤八兩
/* 博客:http://cnblogs.com/bjblcracked
/* 日期:2013-08-12 22:44
/**************************************
只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
不知道大家有没有遇到过这种情况.
改了本地hosts,仍然没有效果.
本来以为是病毒 lsp bho了,
查看后,都没有,觉得很奇怪.
在网上搜了一下,得知 hosts 由svchost.exe 进程控制.
启动参数是 "-k NetworkService"
用winhex搜索一下 "drivers\etc"
查看结果是 drivers\htc\xxxxxx 发现hosts 被改变了.
那么只要改回来就好了.
写了一个小程序,可以查看是否被修改, 和恢复 hosts 的小程序
1 // CheckHosts.cpp : Defines the entry point for the console application. 2 // 3 4 #include "stdafx.h" 5 #include <windows.h> 6 #include <stdlib.h> 7 8 #define ProcessBasicInformation 0 9 10 typedef struct 11 { 12 USHORT Length; 13 USHORT MaximumLength; 14 PWSTR Buffer; 15 } UNICODE_STRING, *PUNICODE_STRING; 16 17 typedef struct 18 { 19 ULONG AllocationSize; 20 ULONG ActualSize; 21 ULONG Flags; 22 ULONG Unknown1; 23 UNICODE_STRING Unknown2; 24 HANDLE InputHandle; 25 HANDLE OutputHandle; 26 HANDLE ErrorHandle; 27 UNICODE_STRING CurrentDirectory; 28 HANDLE CurrentDirectoryHandle; 29 UNICODE_STRING SearchPaths; 30 UNICODE_STRING ApplicationName; 31 UNICODE_STRING CommandLine; 32 PVOID EnvironmentBlock; 33 ULONG Unknown[9]; 34 UNICODE_STRING Unknown3; 35 UNICODE_STRING Unknown4; 36 UNICODE_STRING Unknown5; 37 UNICODE_STRING Unknown6; 38 } PROCESS_PARAMETERS, *PPROCESS_PARAMETERS; 39 40 typedef struct 41 { 42 ULONG AllocationSize; 43 ULONG Unknown1; 44 HINSTANCE ProcessHinstance; 45 PVOID ListDlls; 46 PPROCESS_PARAMETERS ProcessParameters; 47 ULONG Unknown2; 48 HANDLE Heap; 49 } PEB, *PPEB; 50 51 typedef struct 52 { 53 DWORD ExitStatus; 54 PPEB PebBaseAddress; 55 DWORD AffinityMask; 56 DWORD BasePriority; 57 ULONG UniqueProcessId; 58 ULONG InheritedFromUniqueProcessId; 59 } PROCESS_BASIC_INFORMATION; 60 61 62 63 typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG); 64 65 66 PROCNTQSIP NtQueryInformationProcess; 67 68 BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen); 69 70 71 bool AdjustProcessTokenPrivilege() 72 { 73 HANDLE hToken; 74 LUID sedebugnameValue; 75 TOKEN_PRIVILEGES tkp; 76 77 if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) 78 { 79 return false; 80 } 81 82 if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) 83 { 84 MessageBox(NULL, "LookupPrivilegeValue fail" ,"fail", MB_OK | MB_ICONINFORMATION); 85 CloseHandle(hToken); 86 return false; 87 } 88 89 tkp.PrivilegeCount = 1; 90 tkp.Privileges[0].Luid = sedebugnameValue; 91 tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 92 93 if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) 94 { 95 CloseHandle(hToken); 96 return false; 97 } 98 99 return true; 100 } 101 102 void IsDisplayParameter() 103 { 104 system("cls"); 105 puts("---------------------------------------------"); 106 puts("- 1 查看当前hosts文件名 -"); 107 puts("- 2 恢复hosts原来文件名 -"); 108 puts("---------------------------------------------"); 109 } 110 111 112 void main(int argc, char* argv[]) 113 { 114 system("color 0a & title 半斤八兩"); 115 116 DWORD dwIndex = 0; 117 118 IsDisplayParameter(); 119 120 while(TRUE) 121 { 122 scanf("%d", &dwIndex); 123 124 if(dwIndex == 1 || dwIndex == 2) 125 { 126 break; 127 } 128 else 129 { 130 IsDisplayParameter(); 131 } 132 133 // fflush 134 while((dwIndex = getchar()) != '\n'); 135 } 136 137 NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress( 138 GetModuleHandle("ntdll"), 139 "NtQueryInformationProcess" 140 ); 141 142 if (!NtQueryInformationProcess) 143 return; 144 145 AdjustProcessTokenPrivilege(); 146 147 148 WCHAR wstr[MAXBYTE] = {0}; 149 150 for(int i = 4; i < 0x270f; i += 4) 151 { 152 // get program parameter 153 if (GetProcessCmdLine(i, wstr, sizeof(wstr))) 154 { 155 wprintf(L"PID: [%lu]\r\nparameter: [%s]\r\n\r\n", i, wstr); 156 } 157 158 159 // check hosts process parameter 160 if(NULL != wcsstr(wstr, L"-k NetworkService")) 161 { 162 HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, i); 163 164 165 if (!hProcess) 166 { 167 puts("if (!hProcess)"); 168 return; 169 } 170 171 MEMORY_BASIC_INFORMATION tagMemoryInfo = {0}; 172 PBYTE pAddress = NULL; 173 BYTE *lpBuf = new BYTE[1]; 174 DWORD dwBufSize = 1; 175 176 177 while(TRUE) 178 { 179 if(sizeof(tagMemoryInfo) != 180 VirtualQueryEx(hProcess, pAddress, &tagMemoryInfo, sizeof(tagMemoryInfo))) 181 { 182 break; 183 } 184 185 if (MEM_COMMIT != tagMemoryInfo.State || 0 == tagMemoryInfo.Protect 186 || (PAGE_GUARD & tagMemoryInfo.Protect) != 0 187 || (PAGE_NOACCESS & tagMemoryInfo.Protect) != 0) 188 { 189 pAddress = ((PBYTE)tagMemoryInfo.BaseAddress + tagMemoryInfo.RegionSize); 190 continue; 191 } 192 193 194 if (tagMemoryInfo.RegionSize > dwBufSize) 195 { 196 delete [] lpBuf; 197 dwBufSize = tagMemoryInfo.RegionSize; 198 lpBuf = new BYTE[dwBufSize]; 199 } 200 201 202 if (FALSE == ReadProcessMemory(hProcess, tagMemoryInfo.BaseAddress, 203 lpBuf, (DWORD)tagMemoryInfo.RegionSize, NULL)) 204 { 205 pAddress = ((PBYTE)tagMemoryInfo.BaseAddress + tagMemoryInfo.RegionSize); 206 continue ; 207 } 208 209 210 DWORD dwSearchSize = strlen("drivers\\etc\\"); 211 SIZE_T nMax = tagMemoryInfo.RegionSize - dwSearchSize; 212 213 for (SIZE_T i = 0; i <= nMax; i++) 214 { 215 // check hosts value 216 if (0 == memcmp("drivers\\etc\\", &lpBuf[i], dwSearchSize - 1)) 217 { 218 DWORD dwAddress = (DWORD)tagMemoryInfo.BaseAddress + i; 219 220 // if(dwIndex == 3) 221 // { 222 // WriteProcessMemory(hProcess, (PVOID)dwAddress, "drivers\\etc\\bjbl", strlen("drivers\\etc\\bjbl"), NULL); 223 // 224 // puts("恭喜, 修改成功!!!"); 225 // 226 // system("pause"); 227 // 228 // return; 229 // } 230 if(dwIndex == 2) 231 { 232 WriteProcessMemory(hProcess, (PVOID)dwAddress, "drivers\\etc\\hosts", strlen("drivers\\etc\\hosts"), NULL); 233 234 puts("恭喜, 恢復成功!!!"); 235 236 system("pause"); 237 238 return; 239 } 240 else if(dwIndex == 1) 241 { 242 char szBuf[MAXBYTE] = {0}; 243 244 sprintf(szBuf, "----====found: [%s]===---", &lpBuf[i]); 245 246 puts(szBuf); 247 248 system("pause"); 249 250 return; 251 } 252 253 i += dwSearchSize - 1; 254 } 255 } 256 257 pAddress = ((PBYTE)tagMemoryInfo.BaseAddress + tagMemoryInfo.RegionSize); 258 } 259 260 CloseHandle (hProcess); 261 262 puts("ok"); 263 } 264 } 265 266 } 267 268 BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen) 269 { 270 LONG status; 271 HANDLE hProcess; 272 PROCESS_BASIC_INFORMATION pbi; 273 PEB Peb; 274 PROCESS_PARAMETERS ProcParam; 275 DWORD dwDummy; 276 DWORD dwSize; 277 LPVOID lpAddress; 278 BOOL bRet = FALSE; 279 280 hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,dwId); 281 if (!hProcess) 282 return FALSE; 283 284 status = NtQueryInformationProcess( hProcess, 285 ProcessBasicInformation, 286 (PVOID)&pbi, 287 sizeof(PROCESS_BASIC_INFORMATION), 288 NULL 289 ); 290 291 292 if (status) 293 goto cleanup; 294 295 if (!ReadProcessMemory( hProcess, 296 pbi.PebBaseAddress, 297 &Peb, 298 sizeof(PEB), 299 &dwDummy 300 ) 301 ) 302 goto cleanup; 303 304 if (!ReadProcessMemory( hProcess, 305 Peb.ProcessParameters, 306 &ProcParam, 307 sizeof(PROCESS_PARAMETERS), 308 &dwDummy 309 ) 310 ) 311 goto cleanup; 312 313 lpAddress = ProcParam.CommandLine.Buffer; 314 dwSize = ProcParam.CommandLine.Length; 315 316 if (dwBufLen<dwSize) 317 goto cleanup; 318 319 if (!ReadProcessMemory( hProcess, 320 lpAddress, 321 wBuf, 322 dwSize, 323 &dwDummy 324 ) 325 ) 326 goto cleanup; 327 328 bRet = TRUE; 329 cleanup: 330 CloseHandle (hProcess); 331 332 return bRet; 333 }
程序在 win732 xp32 测试通过.
下载链接:看雪学院