在Windows NT/2000/XP/3000操作系统中,当需要加载user32.dll的程序启动时,user32.dll会加载注册表键HKEY_LOCAL_MACHINESoftwareMicrosoftwindowsNTCurrentVresionWindowsAppInit_Dlls下边列出的所有模块,所以,可以将外挂模块写在AppInit_Dlls键下,待程序启动后,再将痕迹清除
注:系统需要重启后才能实现
// Reginject.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <Windows.h>
#define DSTKEY "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
BOOL RegInject(char* DllFullPath);
int _tmain(int argc, _TCHAR* argv[])
{
char DllFullPath[MAX_PATH] = "D:\Hook.dll";
BOOL bOk = RegInject(DllFullPath);
if (bOk)
{
printf("/n Registry inject success!
");
}
else
{
printf("/n Registry inject fail!
");
}
getchar();
getchar();
return 0;
}
//
//利用AppInit_Dlls键值会被user32.dll调用LoadLibrary所加载
//
BOOL RegInject(char* DllFullPath)
{
BOOL bOk = FALSE;
HKEY hKey = NULL;
LONG Return;
BYTE cDllPath[MAX_PATH] = {0};
OutputDebugString("[!] RegInject Enter...");
Return = RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
DSTKEY,
0,
KEY_ALL_ACCESS,
&hKey);
if(Return != ERROR_SUCCESS)
{
OutputDebugString("[-] RegOpenKeyEx Error!
");
goto Exit;
}
memcpy((void*)cDllPath, DllFullPath, strlen(DllFullPath)+1);
Return = RegSetValueEx(
hKey,
"AppInit_DLLs",
0,
REG_SZ,
cDllPath,
strlen((char*)cDllPath)+1
);
if(Return != ERROR_SUCCESS)
{
OutputDebugString("[-] RegSetKeyValue Error!
");
goto Exit;
}
OutputDebugString("[!] RegInject Exit...");
bOk = TRUE;
Exit:
if(hKey)
RegCloseKey(hKey);
return bOk;
}