CSDN上的好帖子比较多,但关于注册表监控方面的似乎少见,于是兄弟便来
一、WINDOWS9X 部分
目前有关注册表监控的例子大多需要VTOOLSD的支持,在没有VTOOLSD的
情况下,编此类程序就需要一点汇编知识了,本文就没有使用VTOOLSD,本人也不太
喜欢使用它。
监控注册表实际上就是拦截如下几个系统服务:(具体参数见DDK DOCUMENTS)。
Begin_Hook_table:
RegOpenKey
RegCloseKey
RegCreateKey
RegDeleteKey
RegEnumKey
RegEnumValue
RegFlushKey
RegQueryInfoKey
RegQueryValue
RegQueryValueEx
RegSetValue
RegSetValueEx
RegRemapPreDefKey
RegQueryMultipleValues
RegCreateDynKey
End_Hook_table:
微软的编译器提供了一套接管VMM服务例程的标准,例如接管RegOpenKey:
1、首先声明准备接管函数HookRegOpenKey
;-----------------------------------------------------------------------
; HookRegOpenKey -- replacement installed on the VMM _RegOpenKey service.
; Declared as a hook_proc: RealRegOpenKey names the dword that holds the
; previous handler (filled in by the Hook_Device_Service sequence), and
; every call is forwarded to it, so the registry keeps working exactly
; as before; the hook only gets a chance to observe the call.
; Args (as pushed by the original caller): hkey, lpszSubKey, phkResult.
; eax from the real service is handed back to the caller unchanged.
; "locked" places the routine in locked code -- presumably because the
; registry services may run when paging is not allowed; confirm with DDK.
;-----------------------------------------------------------------------
BeginProc HookRegOpenKey, service, hook_proc, RealRegOpenKey, locked
ArgVar hkey, DWORD                  ; named frame slots for the three
ArgVar lpszSubKey, DWORD            ; arguments the caller already pushed
ArgVar phkResult, DWORD
EnterProc
; Observation/logging belongs here, before the forward call. Treat the
; pointer arguments as untrusted: read them no further than the real
; service itself would, and never alter them.
push dword ptr phkResult ;          ; re-push the arguments in C order
push dword ptr lpszSubKey ;         ; (last argument first) ...
push dword ptr hkey ;= invoke RealRegOpenKey, hkey, lpszSubKey, phkResult
call [RealRegOpenKey] ;             ; ... and forward to the previous handler
;; add esp, 12                      ; stack cleanup left to LeaveProc -- TODO confirm that is what the frame macros do
LeaveProc
Return
EndProc HookRegOpenKey
2、用VMM服务Hook_Device_Service来挂接我们的函数
; Install sequence for one service: eax = service id, esi = our hook,
; then Hook_Device_Service. Only on success is the previous handler
; (returned in esi) remembered, so a failed install leaves RealRegOpenKey
; at its initial value and nothing is forwarded to a bogus address.
GetVxdServiceOrdinal eax, _RegOpenKey              ; eax = id of the _RegOpenKey service
mov esi, OFFSET32 HookRegOpenKey ; points to the hook procedure to install
VMMCall Hook_Device_Service                        ; CF set on failure; esi = previous handler on success
jc @F ;;fail                                        ; nothing installed: keep RealRegOpenKey as it was
mov RealRegOpenKey, esi ;for safe                   ; the hook forwards to this; also marks "installed" for unhook
@@:
3、用VMM服务Unhook_Device_Service来卸载我们的函数
; Removal sequence: same service id and the same hook address that were
; installed; Unhook_Device_Service takes the procedure out of the chain.
; Only do this for hooks that were actually installed (RealRegOpenKey set).
getvxdserviceordinal eax, _RegOpenKey              ; eax = id of the _RegOpenKey service
mov esi, OFFSET32 HookRegOpenKey ; points to the hook procedure to install
VMMCall Unhook_Device_Service                      ; CF set on failure (e.g. not hooked)
一、工程文件:
与标准工程没有太多差别,采用C与汇编混合编程,DEF文件略。
# Requires:
# VC++ 5.0 or later compiler
# 98ddk
# VXDWRAPS.CLB (from Beta-3 DDK or newer); only needed if functions such as sprintf are used.
# nmake makefile for the RegMon VxD. In the real file the command lines
# below are indented (tab/space); that indentation was lost in this listing.
DEVICE = RegMon
OBJS = devctl.obj regmon.obj hook.obj msg.obj
# C flags: -Zl (no default-library records) and -Gs (no stack probes) are
# the usual ring-0 settings; -DDEBUG/-DDEBLEVEL=1 make this a debug build,
# drop them for a release VxD.
CVXDFLAGS = -Zdp -Gs -Zp -c -DIS_32 -Zl -DDEBLEVEL=1 -DDEBUG
ASM = ml
# MASM flags: -coff objects for the VC linker, -Cx keeps the case of
# publics/externs so the C and asm names match; same DEBUG defines as C.
AFLAGS = -coff -DBLD_COFF -DIS_32 -nologo -W3 -Zd -c -Cx -DMASM6 -DINITLOG -DDEBLEVEL=1 -DDEBUG
ASMENV = ML
all: $(DEVICE).vxd
regmon.obj: regmon.c
cl $(CVXDFLAGS) %s
# inference rule: any .asm -> .obj, passing AFLAGS through the ML environment variable
.asm.obj:
set $(ASMENV)=$(AFLAGS)
$(ASM) -Fo$*.obj $<
# symbol file for the system debugger, built from the linker map
$(DEVICE).sym: $(DEVICE).map
mapsym -s $(DEVICE).map
# the map is a by-product of linking the VxD (see /MAP below), so no command here
$(DEVICE).map: $(DEVICE).vxd
# link the objects plus vxdwraps.clb into the VxD; options go through an
# inline response file ($(DEVICE).LNK); /NOD = no default libraries
$(DEVICE).vxd: $(OBJS)
link @<<$(DEVICE).LNK /DEF:<<$(DEVICE).DEF
/VXD /NOD
/OUT:$(DEVICE).vxd
/MAP:$(DEVICE).map
$(OBJS) vxdwraps.clb
二、hook.asm,由于内容较多,只列举几个:
;-----------------------------------------------------------------------
; HookRegOpenKey -- hook installed on _RegOpenKey (see starthook).
; In:  the caller's arguments hkey, lpszSubKey, phkResult on the stack
; Out: whatever the previous handler (RealRegOpenKey) returns in eax
; Pure pass-through as written: the arguments are re-pushed in C order
; and the call is forwarded. Any monitoring code goes between EnterProc
; and the first push and must only read the arguments.
;-----------------------------------------------------------------------
BeginProc HookRegOpenKey, service, hook_proc, RealRegOpenKey, locked
ArgVar hkey, DWORD                  ; frame names for the caller's three args
ArgVar lpszSubKey, DWORD
ArgVar phkResult, DWORD
EnterProc
push dword ptr phkResult            ; last argument first ...
push dword ptr lpszSubKey
push dword ptr hkey
call [RealRegOpenKey]               ; ... then forward to the previous handler
LeaveProc
Return
EndProc HookRegOpenKey
;-----------------------------------------------------------------------
; HookRegCloseKey -- hook installed on _RegCloseKey (see starthook).
; In:  hKey on the stack, as pushed by the original caller
; Out: eax from the previous handler (RealRegCloseKey), unchanged
; Forwards every call; observation code, if any, goes before the push.
;-----------------------------------------------------------------------
BeginProc HookRegCloseKey, service, hook_proc, RealRegCloseKey, locked
ArgVar hKey, DWORD                  ; the single caller-pushed argument
EnterProc
push dword ptr hKey                 ; re-push it for the real service
call [RealRegCloseKey]              ; forward to the previous handler
LeaveProc
Return
EndProc HookRegCloseKey
; HookRegCreateKey -- pass-through only: tail-jumps to the previous
; handler with the caller's stack untouched, so the previous handler
; returns straight to the original caller and nothing is observed or
; logged for this service. To monitor it, use the ArgVar/EnterProc
; form shown in HookRegOpenKey.
BeginProc HookRegCreateKey, service, hook_proc, RealRegCreateKey, locked
jmp [RealRegCreateKey]              ; RealRegCreateKey must be set (starthook) before this runs
EndProc HookRegCreateKey
; HookRegDeleteKey -- pass-through only: tail-jumps to the previous
; handler, so this hook records nothing about key deletions. A monitor
; that wants to see deletes needs the ArgVar/EnterProc form instead.
BeginProc HookRegDeleteKey, service, hook_proc, RealRegDeleteKey, locked
jmp [RealRegDeleteKey]              ; previous handler returns directly to the caller
EndProc HookRegDeleteKey
........
........
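;-----------------------------------------------------------------------
; void __cdecl starthook(void)  -- called from OnDeviceIoControl
; Hooks the registry services one at a time:
;   eax = service id, esi = address of our hook procedure,
;   VMMCall Hook_Device_Service. CF clear: installed, and esi now holds
;   the previous handler, stored in the matching Real* dword (the hook
;   forwards to it; stophook treats a non-zero Real* as "installed").
;   CF set: not installed, Real* is left as it was and the next service
;   is tried, so a partial install is possible.
; Registers: eax, esi and flags are clobbered by the sequence. esi is
;   callee-saved under the VC 32-bit C convention, so it is listed in
;   USES (the original preserved ebx/ecx/edx but not esi).
; Not idempotent: a second call hooks again; pair each call with stophook.
;-----------------------------------------------------------------------
starthook proc public C uses ebx ecx edx esi
getvxdserviceordinal eax, _RegOpenKey              ; eax = id of _RegOpenKey
mov esi, OFFSET32 HookRegOpenKey ; points to the hook procedure to install
VMMCall Hook_Device_Service
jc @F ;;fail                                        ; not installed: leave RealRegOpenKey alone
mov RealRegOpenKey, esi                             ; esi = previous handler on success
@@:
getvxdserviceordinal eax, _RegCloseKey             ; eax = id of _RegCloseKey
mov esi, OFFSET32 HookRegCloseKey ; points to the hook procedure to install
VMMCall Hook_Device_Service
jc @F ;;fail                                        ; not installed: leave RealRegCloseKey alone
mov RealRegCloseKey, esi                            ; esi = previous handler on success
@@:
getvxdserviceordinal eax, _RegCreateKey            ; eax = id of _RegCreateKey
mov esi, OFFSET32 HookRegCreateKey ; points to the hook procedure to install
VMMCall Hook_Device_Service
jc @F ;;fail                                        ; not installed: leave RealRegCreateKey alone
mov RealRegCreateKey, esi                           ; esi = previous handler on success
..............
..............
@@:
getvxdserviceordinal eax, _RegCreateDynKey         ; eax = id of _RegCreateDynKey
mov esi, OFFSET32 HookRegCreateDynKey ; points to the hook procedure to install
VMMCall Hook_Device_Service
jc @F                                               ; not installed: leave RealRegCreateDynKey alone
mov RealRegCreateDynKey, esi                        ; esi = previous handler on success
@@:
ret
starthook endp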
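;-----------------------------------------------------------------------
; void __cdecl stophook(void)  -- called from OnDeviceIoControl and from
; OnSysDynamicDeviceExit, so the hooks never outlive the VxD.
; For each service whose Real* dword is non-zero (i.e. starthook
; recorded a successful install) the hook is removed with
; Unhook_Device_Service using the same service id and hook address.
; The Real* dwords are not cleared afterwards, so this relies on their
; initial value being zero before the first starthook -- presumably the
; hook_proc declaration zero-initialises them; confirm in the DDK.
; Registers: eax, esi and flags are clobbered. esi is callee-saved under
;   the VC 32-bit C convention, so it is listed in USES (the original
;   preserved ebx/ecx/edx but not esi).
;-----------------------------------------------------------------------
stophook proc public C uses ebx ecx edx esi
.if RealRegOpenKey != 0                             ; only unhook what was installed
getvxdserviceordinal eax, _RegOpenKey              ; eax = id of _RegOpenKey
mov esi, OFFSET32 HookRegOpenKey ; points to the hook procedure to install
VMMCall Unhook_Device_Service                      ; CF on failure is not checked here
.endif
.if RealRegCloseKey != 0                            ; only unhook what was installed
getvxdserviceordinal eax, _RegCloseKey             ; eax = id of _RegCloseKey
mov esi, OFFSET32 HookRegCloseKey ; points to the hook procedure to install
VMMCall Unhook_Device_Service                      ; CF on failure is not checked here
.endif
......
......
ret
stophook endp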
三、regmon.c,部分内容:
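/*
 * OnDeviceIoControl -- ring-0 side of DeviceIoControl() on this VxD.
 *
 * p: DIOC parameter block handed in by the VxD's device-control dispatch;
 *    only p->dwIoControlCode is read here.
 * Returns 0 for every code, including unknown ones, so a caller cannot
 * tell "handled" from "ignored" from the return value alone.
 *
 * This is the VxD's whole control surface: any process that can open the
 * device can send CMD_START_HOOK / CMD_STOP_HOOK, so whatever policy
 * governs opening the device is what decides who may switch the
 * registry monitor on and off. CMD_GET_VERSION is accepted but currently
 * writes nothing back.
 */
DWORD OnDeviceIoControl(PDIOCPARAMETERS p)
{
    if (!p)
        return 0;                       /* nothing to dispatch on */

    switch (p->dwIoControlCode)
    {
    case CMD_GET_VERSION:
        /* accepted but not implemented: no version is returned */
        break;
    case CMD_START_HOOK:
        starthook();                    /* install the registry service hooks */
        break;
    case CMD_STOP_HOOK:
        stophook();                     /* remove whatever starthook installed */
        break;
    default:
        /* unknown control code: ignored, still reports success */
        break;
    }
    return 0;
}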
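/*
 * OnSysDynamicDeviceInit -- Sys_Dynamic_Device_Init handler, run when the
 * VxD is dynamically loaded. Nothing is set up here: the hooks are only
 * installed later on request (CMD_START_HOOK), so merely loading the VxD
 * changes nothing on the registry path.
 * Returns TRUE (non-zero) to let the load proceed.
 * The return type is spelled out (the original relied on implicit int,
 * which current C no longer allows); BOOL in the DDK headers is an int
 * typedef, so the ABI seen by the caller is unchanged -- confirm.
 */
int OnSysDynamicDeviceInit(void)
{
    return TRUE;
}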
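/*
 * OnSysDynamicDeviceExit -- Sys_Dynamic_Device_Exit handler, run when the
 * VxD is unloaded. Removes every installed hook first: once the VxD's
 * code is gone, a hook still in the service chain would send registry
 * calls into freed memory, so unhooking here is mandatory, not optional.
 * Returns TRUE (non-zero) to allow the unload.
 * The return type is spelled out (the original relied on implicit int);
 * BOOL in the DDK headers is an int typedef, so the ABI is unchanged -- confirm.
 */
int OnSysDynamicDeviceExit(void)
{
    stophook();                         /* unhook before our code disappears */
    return TRUE;
}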
其它文件略。写文章较累,就不多加注释了,希望可以看得懂。
至于NT部分改天补上。
本文地址:http://com.8s8s.com/it/it29946.htm