在筆者前一篇文章《驅動開發:內核列舉Registry注冊表回呼》中實作了對注冊表的列舉,本章將實作對注冊表的監控,不同于32位系統在64位系統中,微軟為我們提供了兩個針對注冊表的專用內核監控函式,通過這兩個函式可以在不劫持內核API的前提下實作對注冊表增加,洗掉,創建等事件的有效監控,注冊表監視通常會通過CmRegisterCallback創建監控事件并傳入自己的回呼函式,與該創建對應的是CmUnRegisterCallback當注冊表監控結束后可用于注銷回呼,
- CmRegisterCallback 設定注冊表回呼
- CmUnRegisterCallback 注銷注冊表回呼
默認情況下CmRegisterCallback需傳入三個引數,引數一回呼函式地址,引數二空余,引數三回呼句柄,微軟定義如下,
// 署名權
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: [email protected]
// 引數1:回呼函式地址
// 引數2:無作用
// 引數3:回呼句柄
NTSTATUS CmRegisterCallback(
[in] PEX_CALLBACK_FUNCTION Function,
[in, optional] PVOID Context,
[out] PLARGE_INTEGER Cookie
);
自定義注冊表回呼函式MyLySharkCallback需要保留三個引數,CallbackContext回呼背景關系,Argument1是操作型別,Argument2定義詳細結構體指標,
NTSTATUS MyLySharkCallback(_In_ PVOID CallbackContext, _In_opt_ PVOID Argument1, _In_opt_ PVOID Argument2)
在自定義回呼函式內Argument1則可獲取到操作型別,型別是一個REG_NOTIFY_CLASS列舉結構,微軟對其的具體定義如下所示,
// 署名權
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: [email protected]
typedef enum _REG_NOTIFY_CLASS {
RegNtDeleteKey,
RegNtPreDeleteKey = RegNtDeleteKey,
RegNtSetValueKey,
RegNtPreSetValueKey = RegNtSetValueKey,
RegNtDeleteValueKey,
RegNtPreDeleteValueKey = RegNtDeleteValueKey,
RegNtSetInformationKey,
RegNtPreSetInformationKey = RegNtSetInformationKey,
RegNtRenameKey,
RegNtPreRenameKey = RegNtRenameKey,
RegNtEnumerateKey,
RegNtPreEnumerateKey = RegNtEnumerateKey,
RegNtEnumerateValueKey,
RegNtPreEnumerateValueKey = RegNtEnumerateValueKey,
RegNtQueryKey,
RegNtPreQueryKey = RegNtQueryKey,
RegNtQueryValueKey,
RegNtPreQueryValueKey = RegNtQueryValueKey,
RegNtQueryMultipleValueKey,
RegNtPreQueryMultipleValueKey = RegNtQueryMultipleValueKey,
RegNtPreCreateKey,
RegNtPostCreateKey,
RegNtPreOpenKey,
RegNtPostOpenKey,
RegNtKeyHandleClose,
RegNtPreKeyHandleClose = RegNtKeyHandleClose,
//
// .Net only
//
RegNtPostDeleteKey,
RegNtPostSetValueKey,
RegNtPostDeleteValueKey,
RegNtPostSetInformationKey,
RegNtPostRenameKey,
RegNtPostEnumerateKey,
RegNtPostEnumerateValueKey,
RegNtPostQueryKey,
RegNtPostQueryValueKey,
RegNtPostQueryMultipleValueKey,
RegNtPostKeyHandleClose,
RegNtPreCreateKeyEx,
RegNtPostCreateKeyEx,
RegNtPreOpenKeyEx,
RegNtPostOpenKeyEx,
//
// new to Windows Vista
//
RegNtPreFlushKey,
RegNtPostFlushKey,
RegNtPreLoadKey,
RegNtPostLoadKey,
RegNtPreUnLoadKey,
RegNtPostUnLoadKey,
RegNtPreQueryKeySecurity,
RegNtPostQueryKeySecurity,
RegNtPreSetKeySecurity,
RegNtPostSetKeySecurity,
//
// per-object context cleanup
//
RegNtCallbackObjectContextCleanup,
//
// new in Vista SP2
//
RegNtPreRestoreKey,
RegNtPostRestoreKey,
RegNtPreSaveKey,
RegNtPostSaveKey,
RegNtPreReplaceKey,
RegNtPostReplaceKey,
MaxRegNtNotifyClass //should always be the last enum
} REG_NOTIFY_CLASS;
其中對于注冊表最常用的監控項為以下幾種型別,當然為了實作監控則我們必須要使用之前,如果使用之后則只能起到監視而無法做到監控的目的,
- RegNtPreCreateKey 創建注冊表之前
- RegNtPreOpenKey 打開注冊表之前
- RegNtPreDeleteKey 洗掉注冊表之前
- RegNtPreDeleteValueKey 洗掉鍵值之前
- RegNtPreSetValueKey 修改注冊表之前
如果需要實作監視則,首先CmRegisterCallback注冊一個自定義回呼,當有訊息時則觸發MyLySharkCallback其內部獲取到lOperateType操作型別,并通過switch選擇不同的處理例程,每個處理例程都通過GetFullPath得到注冊表完整路徑,并列印出來,這段代碼實作如下,
// 署名權
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: [email protected]
#include <ntifs.h>
#include <windef.h>
// 未匯出函式宣告 pEProcess -> PID
PUCHAR PsGetProcessImageFileName(PEPROCESS pEProcess);
NTSTATUS ObQueryNameString(
_In_ PVOID Object,
_Out_writes_bytes_opt_(Length) POBJECT_NAME_INFORMATION ObjectNameInfo,
_In_ ULONG Length,
_Out_ PULONG ReturnLength
);
// 注冊表回呼Cookie
LARGE_INTEGER g_liRegCookie;
// 獲取注冊表完整路徑
BOOLEAN GetFullPath(PUNICODE_STRING pRegistryPath, PVOID pRegistryObject)
{
// 判斷資料地址是否有效
if ((FALSE == MmIsAddressValid(pRegistryObject)) ||
(NULL == pRegistryObject))
{
return FALSE;
}
// 申請記憶體
ULONG ulSize = 512;
PVOID lpObjectNameInfo = ExAllocatePool(NonPagedPool, ulSize);
if (NULL == lpObjectNameInfo)
{
return FALSE;
}
// 獲取注冊表路徑
ULONG ulRetLen = 0;
NTSTATUS status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)lpObjectNameInfo, ulSize, &ulRetLen);
if (!NT_SUCCESS(status))
{
ExFreePool(lpObjectNameInfo);
return FALSE;
}
// 復制
RtlCopyUnicodeString(pRegistryPath, (PUNICODE_STRING)lpObjectNameInfo);
// 釋放記憶體
ExFreePool(lpObjectNameInfo);
return TRUE;
}
// 注冊表回呼函式
NTSTATUS MyLySharkCallback(_In_ PVOID CallbackContext, _In_opt_ PVOID Argument1, _In_opt_ PVOID Argument2)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrRegPath;
// 獲取操作型別
LONG lOperateType = (REG_NOTIFY_CLASS)Argument1;
// 申請記憶體
ustrRegPath.Length = 0;
ustrRegPath.MaximumLength = 1024 * sizeof(WCHAR);
ustrRegPath.Buffer = ExAllocatePool(NonPagedPool, ustrRegPath.MaximumLength);
if (NULL == ustrRegPath.Buffer)
{
return status;
}
RtlZeroMemory(ustrRegPath.Buffer, ustrRegPath.MaximumLength);
// 判斷操作
switch (lOperateType)
{
// 創建注冊表之前
case RegNtPreCreateKey:
{
// 獲取注冊表路徑
GetFullPath(&ustrRegPath, ((PREG_CREATE_KEY_INFORMATION)Argument2)->RootObject);
DbgPrint("[創建注冊表][%wZ][%wZ]\n", &ustrRegPath, ((PREG_CREATE_KEY_INFORMATION)Argument2)->CompleteName);
break;
}
// 打開注冊表之前
case RegNtPreOpenKey:
{
// 獲取注冊表路徑
GetFullPath(&ustrRegPath, ((PREG_CREATE_KEY_INFORMATION)Argument2)->RootObject);
DbgPrint("[打開注冊表][%wZ][%wZ]\n", &ustrRegPath, ((PREG_CREATE_KEY_INFORMATION)Argument2)->CompleteName);
break;
}
// 洗掉鍵之前
case RegNtPreDeleteKey:
{
// 獲取注冊表路徑
GetFullPath(&ustrRegPath, ((PREG_DELETE_KEY_INFORMATION)Argument2)->Object);
DbgPrint("[洗掉鍵][%wZ] \n", &ustrRegPath);
break;
}
// 洗掉鍵值之前
case RegNtPreDeleteValueKey:
{
// 獲取注冊表路徑
GetFullPath(&ustrRegPath, ((PREG_DELETE_VALUE_KEY_INFORMATION)Argument2)->Object);
DbgPrint("[洗掉鍵值][%wZ][%wZ] \n", &ustrRegPath, ((PREG_DELETE_VALUE_KEY_INFORMATION)Argument2)->ValueName);
// 獲取當前行程, 即操作注冊表的行程
PEPROCESS pEProcess = PsGetCurrentProcess();
if (NULL != pEProcess)
{
UCHAR *lpszProcessName = PsGetProcessImageFileName(pEProcess);
if (NULL != lpszProcessName)
{
DbgPrint("行程 [%s] 洗掉了鍵值對 \n", lpszProcessName);
}
}
break;
}
// 修改鍵值之前
case RegNtPreSetValueKey:
{
// 獲取注冊表路徑
GetFullPath(&ustrRegPath, ((PREG_SET_VALUE_KEY_INFORMATION)Argument2)->Object);
DbgPrint("[修改鍵值][%wZ][%wZ] \n", &ustrRegPath, ((PREG_SET_VALUE_KEY_INFORMATION)Argument2)->ValueName);
break;
}
default:
break;
}
// 釋放記憶體
if (NULL != ustrRegPath.Buffer)
{
ExFreePool(ustrRegPath.Buffer);
ustrRegPath.Buffer = NULL;
}
return status;
}
VOID UnDriver(PDRIVER_OBJECT driver)
{
DbgPrint(("Uninstall Driver Is OK \n"));
// 注銷當前注冊表回呼
if (0 < g_liRegCookie.QuadPart)
{
CmUnRegisterCallback(g_liRegCookie);
}
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint(("hello lyshark.com \n"));
// 設定注冊表回呼
NTSTATUS status = CmRegisterCallback(MyLySharkCallback, NULL, &g_liRegCookie);
if (!NT_SUCCESS(status))
{
g_liRegCookie.QuadPart = 0;
return status;
}
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}
運行驅動程式,則會輸出當前系統中所有針對注冊表的操作,如下圖所示,
如上的代碼只能實作注冊表項的監視,而如果需要監控則需要在回呼函式MyLySharkCallback判斷,如果指定注冊表項是需要保護的則直接回傳status = STATUS_ACCESS_DENIED;從而達到保護注冊表的目的,核心代碼如下所示,
// 反注冊表洗掉回呼
NTSTATUS MyLySharkCallback(_In_ PVOID CallbackContext, _In_opt_ PVOID Argument1, _In_opt_ PVOID Argument2)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrRegPath;
// 獲取操作型別
LONG lOperateType = (REG_NOTIFY_CLASS)Argument1;
ustrRegPath.Length = 0;
ustrRegPath.MaximumLength = 1024 * sizeof(WCHAR);
ustrRegPath.Buffer = ExAllocatePool(NonPagedPool, ustrRegPath.MaximumLength);
if (NULL == ustrRegPath.Buffer)
{
return status;
}
RtlZeroMemory(ustrRegPath.Buffer, ustrRegPath.MaximumLength);
// 判斷操作
switch (lOperateType)
{
// 洗掉鍵值之前
case RegNtPreDeleteValueKey:
{
// 獲取注冊表路徑
GetFullPath(&ustrRegPath, ((PREG_DELETE_VALUE_KEY_INFORMATION)Argument2)->Object);
DbgPrint("[洗掉鍵值][%wZ][%wZ]\n", &ustrRegPath, ((PREG_DELETE_VALUE_KEY_INFORMATION)Argument2)->ValueName);
// 如果要洗掉指定注冊表項則拒絕
PWCH pszRegister = L"\\REGISTRY\\MACHINE\\SOFTWARE\\lyshark.com";
if (wcscmp(ustrRegPath.Buffer, pszRegister) == 0)
{
DbgPrint("[lyshark] 注冊表項洗掉操作已被攔截! \n");
// 拒絕操作
status = STATUS_ACCESS_DENIED;
}
break;
}
default:
break;
}
// 釋放記憶體
if (NULL != ustrRegPath.Buffer)
{
ExFreePool(ustrRegPath.Buffer);
ustrRegPath.Buffer = NULL;
}
return status;
}
運行驅動程式,然后我們嘗試洗掉\\LyShark\HKEY_LOCAL_MACHINE\SOFTWARE\lyshark.com里面的子項,則會提示如下資訊,
當然這里的RegNtPreDeleteValueKey是指的洗掉操作,如果將其替換成RegNtPreSetValueKey,那么只有當注冊表被創建才會攔截,此時就會變成攔截創建,
// 攔截創建操作
NTSTATUS MyLySharkCallback(_In_ PVOID CallbackContext, _In_opt_ PVOID Argument1, _In_opt_ PVOID Argument2)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrRegPath;
// 獲取操作型別
LONG lOperateType = (REG_NOTIFY_CLASS)Argument1;
// 申請記憶體
ustrRegPath.Length = 0;
ustrRegPath.MaximumLength = 1024 * sizeof(WCHAR);
ustrRegPath.Buffer = ExAllocatePool(NonPagedPool, ustrRegPath.MaximumLength);
if (NULL == ustrRegPath.Buffer)
{
return status;
}
RtlZeroMemory(ustrRegPath.Buffer, ustrRegPath.MaximumLength);
// 判斷操作
switch (lOperateType)
{
// 修改鍵值之前
case RegNtPreSetValueKey:
{
// 獲取注冊表路徑
GetFullPath(&ustrRegPath, ((PREG_DELETE_VALUE_KEY_INFORMATION)Argument2)->Object);
// 攔截創建
PWCH pszRegister = L"\\REGISTRY\\MACHINE\\SOFTWARE\\lyshark.com";
if (wcscmp(ustrRegPath.Buffer, pszRegister) == 0)
{
DbgPrint("[lyshark] 注冊表項創建操作已被攔截! \n");
status = STATUS_ACCESS_DENIED;
}
break;
}
default:
break;
}
// 釋放記憶體
if (NULL != ustrRegPath.Buffer)
{
ExFreePool(ustrRegPath.Buffer);
ustrRegPath.Buffer = NULL;
}
return status;
}
加載驅動保護,然后我們嘗試在\\LyShark\HKEY_LOCAL_MACHINE\SOFTWARE\lyshark.com里面創建一個子項,則會提示創建失敗,
文章出處:https://www.cnblogs.com/LyShark/p/16820778.html
著作權宣告:本博客文章與代碼均為學習時整理的筆記,文章 [均為原創] 作品,轉載請 [添加出處] ,您添加出處是我創作的動力!
轉載文章請遵守《中華人民共和國著作權法》相關法律規定或遵守《署名CC BY-ND 4.0國際》規范,合理合規攜帶原創出處轉載,如果不攜帶文章出處,并惡意轉載多篇原創文章被本人發現,本人保留起訴權!
轉載請註明出處,本文鏈接:https://www.uj5u.com/houduan/521771.html
標籤:C