反病毒工具之注册表监视器(VC DLL源码)

最新推荐文章于 2012-10-24 15:26:00 发布

chenhui530

最新推荐文章于 2012-10-24 15:26:00 发布

阅读量1w

点赞数

分类专栏： VC原创 VC文章文章标签： dll 工具 winapi attributes string hook

本文链接：https://blog.csdn.net/chenhui530/article/details/2079118

版权

这篇博客介绍了如何使用VC++编写一个DLL来实现注册表监控，通过HOOK技术拦截并控制NtSetValueKey、NtDeleteKey、NtCreateKey和NtDeleteValueKey等关键API函数。源码中定义了HOOK核心类CHookInfo，展示了如何备份原函数、构造JMP指令以及如何开启和关闭HOOK。此外，还实现了DLL的入口点函数、安装和卸载钩子以及代理函数，以便在特定注册表路径下对注册表操作进行监控和控制。

摘要由CSDN通过智能技术生成

核心HOOK API类,理论上可以HOOK 任何使用STDCALL声明的API函数

// HookInfo.h: interface for the CHookInfo class.
//
//

#if !defined(AFX_HOOKINFO_H__D44F115C_76F1_4CC7_BD61_4C393417DA10__INCLUDED_)
#define AFX_HOOKINFO_H__D44F115C_76F1_4CC7_BD61_4C393417DA10__INCLUDED_

#if _MSC_VER > 1000
#pragma once
#endif // _MSC_VER > 1000

typedef struct _HOOKSTRUCT
{
    FARPROC pfFunAddr; //用于保存API函数地址
    BYTE    OldCode[5]; //保存原API前5个字节
    BYTE    NewCode[5]; //JMP XXXX其中XXXXJMP的地址
}HOOKSTRUCT;

class CHookInfo
{
public:
//HOOK 处理函数
CHookInfo(char *strDllName, char *strFunName, DWORD dwMyFunAddr);
virtual ~CHookInfo(); //析构函数
HOOKSTRUCT *pHook; //HOOK结构
void HookStatus(BOOL blnHook); //关闭/打开HOOK状态
};

CHookInfo::CHookInfo(char *strDllName, char *strFunName, DWORD dwMyFunAddr)
{
pHook = new HOOKSTRUCT;
    HMODULE hModule = LoadLibrary(strDllName);
//纪录函数地址
    pHook->pfFunAddr = GetProcAddress(hModule,strFunName);
FreeLibrary(hModule);
    if(pHook->pfFunAddr == NULL)
        return ;
//备份原函数的前5个字节，一般的WIN32 API以__stdcall声明的API理论上都可以这样进行HOOK
    memcpy(pHook->OldCode, pHook->pfFunAddr, 5);
    pHook->NewCode[0] = 0xe9; //构造JMP
    DWORD dwJmpAddr = dwMyFunAddr - (DWORD)pHook->pfFunAddr - 5; //计算JMP地址
    memcpy(&pHook->NewCode[1], &dwJmpAddr, 4);
HookStatus(TRUE);//开始进行HOOK
}

CHookInfo::~CHookInfo()
{
//关闭HOOK恢复原函数
HookStatus(FALSE);
}

void CHookInfo::HookStatus(BOOL blnHook)
{
if(blnHook)
WriteProcessMemory((HANDLE)-1, pHook->pfFunAddr, pHook->NewCode, 5, 0);//替换函数地址
else
WriteProcessMemory((HANDLE)-1, pHook->pfFunAddr, pHook->OldCode, 5, 0);//还原函数地址
}
#endif // !defined(AFX_HOOKINFO_H__1967D554_7A9F_40C5_9D86_5899019EB3CD__INCLUDED_)

DLL程序代码,消息传递使用了自定义消息的方式

// RegistryInfo.cpp : Defines the entry point for the DLL application.
//

#include "stdafx.h"
#include <stdlib.h>
#include "HookInfo.h"
#define STATUS_SUCCESS (0)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define ObjectNameInformation (1)
#define BLOCKSIZE (0x1000)
#define CurrentProcessHandle ((HANDLE)(0xFFFFFFFF))
#define STATUS_INFO_LEN_MISMATCH 0xC0000004

typedef unsigned long NTSTATUS;
typedef unsigned long SYSTEM_INFORMATION_CLASS;
typedef unsigned long OBJECT_INFORMATION_CLASS;

typedef struct
{
USHORT Length;
USHORT MaxLen;
USHORT *Buffer;
}UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_NAME_INFORMATION { // Information Class 1
UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef NTSTATUS (WINAPI *NTSETVALUEKEY)(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName,IN ULONG TitleIndex,IN ULONG type1,IN PVOID Data,IN ULONG DataSize);
NTSETVALUEKEY NtSetValueKey = NULL;

typedef NTSTATUS (WINAPI *NTDELETEVALUEKEY)(IN HANDLE KeyHandle,IN PUNICODE_STRING ValueName);
NTDELETEVALUEKEY NtDeleteValueKey = NULL;

typedef NTSTATUS (WINAPI *NTDELETEKEY)(IN HANDLE KeyHandle);
NTDELETEKEY NtDeleteKey = NULL;

typedef NTSTATUS (WINAPI *NTCREATEKEY)(OUT PHANDLE pKeyHandle,IN ACCESS_MASK D