對註冊表進行增刪查改基本上是惡意代碼的常規操作,但這些操作通常會留下痕跡,導致惡意代碼被發現並最終被清理掉。對驅動模塊更是如此:驅動程序入口函數(DriverEntry)的第二個參數就是該驅動自身服務鍵的註冊表路徑(RegistryPath),系統正是依據這個鍵來找到並加載驅動,因此它是驅動存在的直接證據。惡意驅動爲了隱藏自己,會把這個鍵以及其下所有相關的子項全部刪掉。下面這段反彙編代碼實現的就是遞歸刪除一個註冊表鍵及其全部子鍵;從檢測的角度看,ZwOpenKey(KEY_ALL_ACCESS)、以 Index 0 反覆調用 ZwEnumerateKey 並遞歸、最後 ZwDeleteKey 這一組合本身就是一個可識別的特徵:
int __stdcall DeleteKey(POBJECT_ATTRIBUTES ObjectAttributes)
;-----------------------------------------------------------------------
; int __stdcall DeleteKey(POBJECT_ATTRIBUTES ObjectAttributes)
; Recursively deletes the registry key named by ObjectAttributes:
; opens it with KEY_ALL_ACCESS, enumerates child keys one at a time
; (always index 0, because each child is deleted before the next
; enumeration), recurses into each child, then deletes the key itself.
; ABI:   x86 stdcall, one 4-byte argument (retn 4); ebx/esi/edi preserved.
; In:    [ebp+8] = ObjectAttributes (name / root of the key to delete)
; Out:   eax = 1 if ZwDeleteKey on this key succeeded, 0 otherwise
;        (0 also when ZwOpenKey fails; the handle is always closed).
; Stack: 28h bytes of fixed locals plus a 100h-byte alloca'd buffer,
;        both discarded by "lea esp, [ebp-34h]" (28h locals + 3 saved regs).
; Locals:
;   var_24 = OBJECT_ATTRIBUTES passed to the recursive calls. Its
;            RootDirectory field doubles as the KeyHandle out-param of
;            ZwOpenKey, so every child is opened relative to this key.
;   var_C/var_A/var_8 = UNICODE_STRING {Length, MaximumLength, Buffer}
;            installed as var_24.ObjectName; Buffer points at the Name
;            field (offset 10h) of the KEY_BASIC_INFORMATION in the
;            alloca'd buffer, so no copy of the child name is needed.
;   ebx    = alloca'd KEY_BASIC_INFORMATION buffer (100h bytes)
;   esi    = 100h (buffer size); edi = ZwEnumerateKey, later the result
; NOTE(review): recursion depth equals key nesting depth and each frame
; costs roughly 140h bytes of kernel stack; nothing bounds it here.
; A child name that does not fit the 100h buffer presumably makes
; ZwEnumerateKey return a negative status and ends the loop early with
; that child undeleted - TODO confirm.
;-----------------------------------------------------------------------
DeleteKey proc near
var_24 = OBJECT_ATTRIBUTES ptr -24h; OBJECT_ATTRIBUTES handed to the recursive calls (18h bytes)
var_C = word ptr -0Ch ; UNICODE_STRING.Length (child name length in bytes)
var_A = word ptr -0Ah ; UNICODE_STRING.MaximumLength (set to 100h)
var_8 = dword ptr -8 ; UNICODE_STRING.Buffer (-> alloca'd buffer + 10h)
ObjectAttributes= dword ptr 8; argument: attributes (name / root) of the key to delete
push ebp
mov ebp, esp
sub esp, 28h ; fixed locals: var_24 .. var_8
push ebx
push esi
mov esi, 100h ; esi = enumeration buffer size, reused as the ZwEnumerateKey Length argument
push edi
mov eax, esi
call __alloca_probe_16 ; esp -= 100h (page-probed): scratch buffer for KEY_BASIC_INFORMATION
and [ebp+var_24.RootDirectory], 0 ; RootDirectory = NULL; receives the opened key handle below
xor eax, eax
mov [ebp+var_C], ax ; ObjectName.Length = 0 until a child name has been enumerated
mov ebx, esp ; ebx = start of the alloca'd buffer
push [ebp+ObjectAttributes] ; ObjectAttributes (3rd arg of ZwOpenKey; stdcall pushes right-to-left)
mov eax, esi
mov [ebp+var_A], ax ; ObjectName.MaximumLength = 100h
lea eax, [ebx+10h]
mov [ebp+var_8], eax ; ObjectName.Buffer = &KEY_BASIC_INFORMATION.Name (offset 10h in the buffer)
lea eax, [ebp+var_C]
mov [ebp+var_24.ObjectName], eax ; var_24.ObjectName = &var_C (the UNICODE_STRING above)
xor eax, eax
mov [ebp+var_24.Length], 18h ; sizeof(OBJECT_ATTRIBUTES) on x86
mov [ebp+var_24.Attributes], 40h ; OBJ_CASE_INSENSITIVE
lea edi, [ebp+var_24.SecurityDescriptor]
stosd ; SecurityDescriptor = NULL (eax is 0)
stosd ; SecurityQualityOfService = NULL
push 0F003Fh ; DesiredAccess = KEY_ALL_ACCESS
lea eax, [ebp+var_24.RootDirectory]; the RootDirectory slot doubles as the KeyHandle out-param
push eax ; KeyHandle
xor edi, edi ; edi = return value, default 0 (failure)
call ds:ZwOpenKey; open the key to delete; on success var_24.RootDirectory holds its handle
test eax, eax
jl short loc_10004C60 ; negative NTSTATUS: open failed, return 0 with nothing to close
mov edi, ds:ZwEnumerateKey ; cache the import; edi is overwritten with the result before returning
jmp short loc_10004C32 ; enter the loop at the enumeration step
loc_10004C1D: ; a child key was enumerated into the buffer at ebx
mov ax, [ebx+0Ch] ; KEY_BASIC_INFORMATION.NameLength (low 16 bits only; fits MaximumLength 100h)
mov [ebp+var_C], ax ; ObjectName.Length = NameLength; Buffer already points at .Name
lea eax, [ebp+var_24]
push eax ; ObjectAttributes = {RootDirectory = this key, ObjectName = child name}
call DeleteKey ; recurse into the child (stdcall: the callee pops the argument)
test eax, eax
jz short loc_10004C45 ; child could not be deleted: stop, otherwise index 0 would yield the same child forever
loc_10004C32: ; loop head: fetch the first remaining child
lea eax, [ebp+ObjectAttributes] ; argument slot already consumed above, reused as ResultLength storage
push eax ; ResultLength
push esi ; Length = 100h
push ebx ; KeyInformation = alloca'd buffer
push 0 ; KeyInformationClass = KeyBasicInformation
push 0 ; Index = 0: each child is deleted before the next lookup, so index 0 is always the next one
push [ebp+var_24.RootDirectory] ; KeyHandle = this key
call edi ; ZwEnumerateKey: enumerate the subkeys
test eax, eax
jge short loc_10004C1D; status >= 0: a child exists, go back and recurse into it; STATUS_NO_MORE_ENTRIES (negative) falls through
loc_10004C45: ; no children left, or a child delete failed
push [ebp+var_24.RootDirectory] ; KeyHandle
call ds:ZwDeleteKey ; delete this key; presumably fails while children remain, which yields 0 below
push [ebp+var_24.RootDirectory] ; Handle
xor ecx, ecx
test eax, eax
setnl cl ; cl = 1 if the ZwDeleteKey status is >= 0 (success)
mov edi, ecx ; return value, kept in edi across ZwClose
call ds:ZwClose ; close the handle regardless of the delete result
loc_10004C60: ; common exit; edi = result
mov eax, edi
lea esp, [ebp-34h] ; discard the alloca'd buffer: 28h locals + 3 saved registers below ebp
pop edi
pop esi
pop ebx
leave
retn 4 ; stdcall: pop the single 4-byte argument
DeleteKey endp