注册表的增删查改操作基本上是恶意代码的常规操作,但是对注册表的操作通常会留下痕迹,导致自身被发现,最后被清理掉。对于驱动模块更是如此:驱动程序的入口函数的第二个参数就是注册表路径,当驱动加载后该值会被写到相应的位置。因此,为了隐藏自己,就要将与之相关的表项都删掉。下面是一段反汇编代码:
int __stdcall DeleteKey(POBJECT_ATTRIBUTES ObjectAttributes)
;-----------------------------------------------------------------------
; DeleteKey -- recursively deletes a registry key and every subkey below it.
; ABI:    __stdcall, x86, one dword argument (see "retn 4"). Uses the native
;         Zw* registry API through the import table (ds:ZwOpenKey etc.);
;         presumably kernel-mode, since the surrounding text describes a driver.
;         loc_10004Cxx labels are IDA auto-labels from the analysed image.
; In:     [ebp+8] = ObjectAttributes, OBJECT_ATTRIBUTES naming the key to delete.
; Out:    eax = 1 if ZwDeleteKey on that key returned a non-negative status;
;         eax = 0 if ZwOpenKey failed, or if ZwDeleteKey failed (e.g. because
;         a child could not be removed and the key is still non-empty).
; Frame:  28h bytes of locals + a 100h-byte buffer from __alloca_probe_16
;         (scratch for KEY_BASIC_INFORMATION) + 3 saved registers. Every
;         recursion level repeats this, so stack use grows with the depth of
;         the key tree.
; Regs:   esi = 100h (buffer size, also ObjectName.MaximumLength);
;         ebx = alloca buffer; edi = 0, then the ZwEnumerateKey pointer,
;         then the return value.
; Flow:   open key -> enumerate child at index 0 -> recurse on it -> repeat
;         until enumeration fails -> ZwDeleteKey -> ZwClose.
; Note:   each level does plain open/enumerate/delete calls, which registry
;         filter callbacks (CmRegisterCallback) can observe; the child
;         OBJECT_ATTRIBUTES is built relative to the parent's open handle.
;-----------------------------------------------------------------------
DeleteKey proc near
var_24 = OBJECT_ATTRIBUTES ptr -24h; local OBJECT_ATTRIBUTES describing the current child (18h bytes used)
var_C = word ptr -0Ch ; UNICODE_STRING.Length        -- var_C/var_A/var_8 together form the
var_A = word ptr -0Ah ; UNICODE_STRING.MaximumLength    UNICODE_STRING that
var_8 = dword ptr -8 ; UNICODE_STRING.Buffer            var_24.ObjectName points at
ObjectAttributes= dword ptr 8; incoming argument: OBJECT_ATTRIBUTES for the key to delete (carries the registry path); the slot is reused below as ZwEnumerateKey's ResultLength
push ebp
mov ebp, esp
sub esp, 28h ; locals var_24 .. var_8
push ebx
push esi
mov esi, 100h ; esi = 256: enumeration buffer size, also MaximumLength of the name string
push edi
mov eax, esi
call __alloca_probe_16 ; reserve 100h bytes on the stack (16-byte aligned)
and [ebp+var_24.RootDirectory], 0 ; RootDirectory = NULL; this slot is about to receive the opened key handle
xor eax, eax
mov [ebp+var_C], ax ; ObjectName.Length = 0 (set per child at loc_10004C1D)
mov ebx, esp ; ebx = KEY_BASIC_INFORMATION buffer
push [ebp+ObjectAttributes] ; ObjectAttributes -- 3rd arg of ZwOpenKey, pushed first (stdcall, right to left)
mov eax, esi
mov [ebp+var_A], ax ; ObjectName.MaximumLength = 100h
lea eax, [ebx+10h] ; KEY_BASIC_INFORMATION.Name starts at buffer+10h
mov [ebp+var_8], eax ; ObjectName.Buffer = &Name, so each child's name is consumed in place
lea eax, [ebp+var_C]
mov [ebp+var_24.ObjectName], eax ; ObjectName -> the UNICODE_STRING at var_C
xor eax, eax
mov [ebp+var_24.Length], 18h ; sizeof(OBJECT_ATTRIBUTES) on x86
mov [ebp+var_24.Attributes], 40h ; OBJ_CASE_INSENSITIVE
lea edi, [ebp+var_24.SecurityDescriptor]
stosd ; SecurityDescriptor = NULL (eax = 0); no cld here, relies on DF being clear as the ABI guarantees
stosd ; SecurityQualityOfService = NULL
push 0F003Fh ; DesiredAccess -- KEY_ALL_ACCESS
lea eax, [ebp+var_24.RootDirectory]; RootDirectory doubles as the KeyHandle out-parameter, so the child OBJECT_ATTRIBUTES is automatically relative to this key
push eax ; KeyHandle
xor edi, edi ; edi = return value, 0 (failure) until ZwDeleteKey succeeds
call ds:ZwOpenKey; ZwOpenKey(&var_24.RootDirectory, KEY_ALL_ACCESS, ObjectAttributes): open the key to delete
test eax, eax
jl short loc_10004C60 ; NTSTATUS < 0: open failed -> return 0
mov edi, ds:ZwEnumerateKey ; hoist the import pointer; edi is reused as the loop's call target
jmp short loc_10004C32
loc_10004C1D: ; a child key was enumerated into the buffer
mov ax, [ebx+0Ch] ; KEY_BASIC_INFORMATION.NameLength (low 16 bits suffice: buffer is only 100h bytes)
mov [ebp+var_C], ax ; ObjectName.Length = NameLength; Buffer already points at Name
lea eax, [ebp+var_24]
push eax ; ObjectAttributes -- RootDirectory = this key's handle, ObjectName = child name
call DeleteKey ; recurse into the child
test eax, eax
jz short loc_10004C45 ; child could not be deleted: stop enumerating and try to delete this key anyway
loc_10004C32:
lea eax, [ebp+ObjectAttributes] ; argument slot is dead after ZwOpenKey; reused as ResultLength storage
push eax ; ResultLength
push esi ; Length -- 100h
push ebx ; KeyInformation
push 0 ; KeyInformationClass -- KeyBasicInformation
push 0 ; Index -- always 0: deleting the child shifts the next child down to index 0
push [ebp+var_24.RootDirectory] ; KeyHandle
call edi ; ZwEnumerateKey -- fetch the first remaining subkey
test eax, eax
jge short loc_10004C1D; status >= 0: a child exists, go recurse into it. Any failure (no more children, or e.g. a name that does not fit the 100h-byte buffer) ends the loop
loc_10004C45:
push [ebp+var_24.RootDirectory] ; KeyHandle
call ds:ZwDeleteKey ; delete this key (succeeds only once it has no subkeys left)
push [ebp+var_24.RootDirectory] ; Handle -- argument for ZwClose below
xor ecx, ecx
test eax, eax
setnl cl ; cl = 1 when ZwDeleteKey's status is non-negative (success), else 0
mov edi, ecx ; return value
call ds:ZwClose ; close the handle; ZwClose's status is ignored
loc_10004C60:
mov eax, edi ; eax = 1 on success, 0 on failure
lea esp, [ebp-34h] ; 28h locals + 3 pushes: drops the alloca buffer and lands on the saved registers
pop edi
pop esi
pop ebx
leave
retn 4 ; __stdcall: callee pops the single dword argument
DeleteKey endp