本来打算公布些源代码的,后来想想,放出来又被别人A去卖钱,何必呢?真有兴趣的朋友自然也会交换.

最后,祝愿中国的病毒越来越邪恶,没有你们的邪恶就没有乐趣的存在.感谢CCTV,感谢狗日报,感谢百度,是你们给了我一个八卦的平台.

Virtual Machine Anti-Rootkit可行性分析:
1.操作系统将在我们的Anti-Rootkit虚拟环境中运行:随着硬件设备性能和用户安全意识的不断提高，相信用不了多久，基于虚
拟机的安全防范会得到重视（可行）
2.可靠稳定的模拟系统:Xen、VMware、Virual PC是一些可靠稳定的产品，然而，对于我个人而言写一款这样的东西显然是件不
靠谱的事(不可行）
3.特殊虚拟指令的处理:一个初步简单的例子是IDT GDT SDT的处理,针对特定Virtual Machine Rootkit做出反应(可行)

总结:见标题前4个字节

例子代码：
typedef struct _EFLAGS                //虚拟的EFLAGS
{
    unsigned Reserved1     :10;
    unsigned ID            :1;        // 识别标识
    unsigned VIP           :1;        // 虚拟中断pending
    unsigned VIF           :1;        // 虚拟中断 flag
    unsigned AC            :1;        // 检测队列标识
    unsigned VM            :1;        // 8086模式
    unsigned RF            :1;        // 恢复标识
    unsigned Reserved2     :1;
    unsigned NT            :1;       
    unsigned IOPL          :2;        // I/O特权级别
    unsigned OF            :1;
    unsigned DF            :1;
    unsigned IF            :1;       
    unsigned TF            :1;       
    unsigned SF            :1;       
    unsigned ZF            :1;       
    unsigned Reserved3     :1;
    unsigned AF            :1;       
    unsigned Reserved4     :1;
    unsigned PF            :1;       
    unsigned Reserved5     :1;
    unsigned CF            :1;        // 进位标识 [Bit 0]

} EFLAGS;

typedef struct _MSR                   //MSR结构
{
    ULONG        Hi;
    ULONG        Lo;

} MSR;

typedef struct _IA32_VMX_BASIC_MSR
{

    unsigned RevId            :32;    // Bits 31...0 contain the VMCS revision identifier
    unsigned szVmxOnRegion :12;    // Bits 43...32 report # of bytes for VMXON region
    unsigned RegionClear    :1;        // Bit 44 set only if bits 32-43 are clear
    unsigned Reserved1        :3;        // Undefined
    unsigned PhyAddrWidth    :1;        // Physical address width for referencing VMXON, VMCS, etc.
    unsigned DualMon        :1;        // Reports whether the processor supports dual-monitor
                                    // treatment of SMI and SMM
    unsigned MemType        :4;        // Memory type that the processor uses to access the VMCS
    unsigned VmExitReport    :1;        // Reports weather the procesor reports info in the VM-exit
                                    // instruction information field on VM exits due to execution
                                    // of the INS and OUTS instructions
    unsigned Reserved2        :9;        // Undefined

} IA32_VMX_BASIC_MSR;

typedef struct _IA32_FEATURE_CONTROL_MSR
{
    unsigned Lock            :1;        // Bit 0 is the lock bit - cannot be modified once lock is set
    unsigned Reserved1        :1;        // Undefined
    unsigned EnableVmxon    :1;        // Bit 2. If this bit is clear, VMXON causes a general protection exception
    unsigned Reserved2        :29;    // Undefined
    unsigned Reserved3        :32;    // Undefined

} IA32_FEATURE_CONTROL_MSR;
有事，下次接着来，抱歉了.

void RestoreTcpipIRP()
{
UNICODE_STRING DeviceName;
PDRIVER_OBJECT DriverObject;
NTSTATUS status;
DWORD ret;
KIRQL OldIrql;
ULONG TempDisp ;
ULONG DirverEntry ;
ULONG i ;
ULONG TcpDispatch =0;
ULONG TcpDeviceControlDispatch =0 ;
ULONG TempAddr =0 ;
UNICODE_STRING TcpipDriverFileName ;
OBJECT_ATTRIBUTES oba ;
HANDLE hTcpipFile ;
IO_STATUS_BLOCK IoStatusBlock ;
HANDLE hTcpipSection ;
PVOID BaseAddress =NULL ;
SIZE_T nSize = 0 ;
ULONG Ppeheader ;
ULONG pEntryPoint ;
ULONG TcpipBase ;
ULONG ImageBase ;
RtlInitUnicodeString(&TcpipDriverFileName , L"\\SystemRoot\\System32\\Drivers\\Tcpip.sys") ;
RtlInitUnicodeString(&DeviceName,L\\Driver\\Tcpip);
status = ObReferenceObjectByName(
&DeviceName,
OBJ_CASE_INSENSITIVE,
NULL,
0,
*IoDriverObjectType,
KernelMode,
NULL,
(PVOID*)&DriverObject);
KDMSG(("Geth the tcpip driver object = %08x", DriverObject));
if (DriverObject)
{
     TcpipBase = MyGetModuleBaseAddress("tcpip.sys");   \\自己去得到吧,我没提供
     if (!TcpipBase)
     {
         KDMSG(("can't get the base address of the tcpip.sys \n"));
         return ;
     }
     InitializeObjectAttributes(&oba ,
         &TcpipDriverFileName,
         OBJ_CASE_INSENSITIVE,
         NULL,
         NULL
         );  
     status = ZwCreateFile (&hTcpipFile ,
         FILE_EXECUTE | SYNCHRONIZE ,
         &oba,
         &IoStatusBlock,
         NULL,
         FILE_ATTRIBUTE_NORMAL ,
         FILE_SHARE_READ ,
         FILE_OPEN_IF,
         FILE_SYNCHRONOUS_IO_NONALERT,
         NULL,
         0
         );
     if (!NT_SUCCESS(status))
     {
         KDMSG(("Open the tcp ip file failed!\n"));
         return ;
     }
     InitializeObjectAttributes(&oba,
         NULL,
         OBJ_CASE_INSENSITIVE,
         NULL,
         NULL);
     status = ZwCreateSection (&hTcpipSection ,
         SECTION_ALL_ACCESS,
         &oba,
         NULL,
         PAGE_EXECUTE,
         0x1000000,
         hTcpipFile );

     if (!NT_SUCCESS(status ))
     {
         KDMSG (("create the tcpip section failed!\n"));
         if (hTcpipFile)
             ZwClose(hTcpipFile);

         return ;
     }

     status = ZwMapViewOfSection(hTcpipSection,
         NtCurrentProcess(),
         &BaseAddress ,
         0,
         1000,
         NULL,
         &nSize,
         ViewShare ,
         MEM_TOP_DOWN,
         PAGE_READWRITE
         );
    
     if (!NT_SUCCESS(status))
     {
         KDMSG(("Map view the tcpip section failed!\n"));
         if (hTcpipSection)
             ZwClose(hTcpipSection);
         if (hTcpipFile)
             ZwClose(hTcpipFile);

         return ;
     }
     Ppeheader = *(ULONG*)((ULONG)BaseAddress+0x3c);
     pEntryPoint = *(ULONG*)((ULONG)BaseAddress+Ppeheader+0x28);
     DirverEntry = (ULONG)BaseAddress+pEntryPoint ;
     ImageBase = *(ULONG*)((ULONG)BaseAddress+Ppeheader+0x34);
    
     //DirverEntry = DriverObject->DriverInit ;
    
     if (DirverEntry)    
     {
         for (i = DirverEntry ; i < DirverEntry + SearchDepth ; i++)
         {
//             if (MmIsAddressValid((PVOID)i))
//             {
                 if (*(BYTE*)i == 0x8d && *(BYTE*)(i+1) == 0x7e &&
                     *(BYTE*)(i+2) == 0x38 && *(BYTE*)(i+3) == 0xf3 &&
                     *(BYTE*)(i+4) == 0xab)
                 {
//                     if (MmIsAddressValid((PVOID)(i-4)))
//                     {
                         if (MmIsAddressValid((PVOID)(*(ULONG*)(i-4) + TcpipBase - ImageBase)))
                         {
                             TcpDispatch = *(ULONG*)(i-4) + TcpipBase - ImageBase;
                             TempAddr = i;    
                             break ;
                         }
                        
/*                     }*/
    
                 }
                
             }
            
         }
        
         //find code =8d 7e 38 f3 ab
         //lea edi,[esi+38h]
         //rep stosd

         if (TempAddr && TcpDispatch)
         {
             for (i = TempAddr ; i < TempAddr +0x30 ; i++)
             {
//                 if (MmIsAddressValid((PVOID)i))
//                 {
                     if (*(BYTE*)i == 0xc7 && *(BYTE*)(i+1) == 0x46 && *(BYTE*)(i+2) == 0x74)
                     {
                         if (MmIsAddressValid((PVOID)(*(ULONG*)(i+3) + TcpipBase - ImageBase)))
                         {
                             TcpDeviceControlDispatch = *(ULONG*)(i+3) + TcpipBase - ImageBase;
                             break;
                         }
                     }
/*                 }*/
                
             }
            
         }
         if (TcpDispatch)
         {
             KeAcquireSpinLock(&SDTSpinLock , &OldIrql);
             WPOFF();
             for (i = 0 ; i <=IRP_MJ_MAXIMUM_FUNCTION ; i++)
             {
                 DriverObject->MajorFunction = TcpDispatch ;
                
             }
             if (TcpDeviceControlDispatch)
             {
                 DriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = TcpDeviceControlDispatch ;

             }
             WPON();
             KeReleaseSpinLock(&SDTSpinLock , OldIrql);

         }
         ObfDereferenceObject(DriverObject);
        
        
     }
     ZwUnmapViewOfSection(NtCurrentProcess(),
         BaseAddress);
     if (hTcpipSection)
     {
         ZwClose(hTcpipSection);
     }
     if (hTcpipFile)
     {
         ZwClose(hTcpipFile);
     }
return ;

}

hook,当然要hook,我要ho完了再ok.

恩,给个例子吧.麻烦你下次专业点,连CPU也hook掉算了

DWORD CheckInlineHook(DWORD dw_addr)
{
BYTE opcode = *((PBYTE)(dw_addr));
DWORD hook = 0;
WORD desc = 0;
if((opcode == 0xe8)||(opcode ==0xe9))
{
   hook |= *((PBYTE)(dw_addr+1))<<0;
   hook |= *((PBYTE)(dw_addr+2))<<8;
   hook |= *((PBYTE)(dw_addr+3))<<16;
   hook |= *((PBYTE)(dw_addr+4))<<24;
   hook += 5+dw_addr;
}
else
   if(opcode == 0xea)
   {
    hook |= *((PBYTE)(dw_addr+1))<<0;
    hook |= *((PBYTE)(dw_addr+2))<<8;
    hook |= *((PBYTE)(dw_addr+3))<<16;
    hook |= *((PBYTE)(dw_addr+4))<<24;
    desc = *((WORD*)(dw_addr+5);
   }
   if(hook != 0)
   {
    if((hook<g_ntoskrnl.Base) || (hook>g_ntoskrnl.End)
     hook = hook;
    else
     hook =0;
   }
   return hook;
}

最后,我不得不再次强调检测hook的重要性,否则你所做的一切都是徒劳.

先看一下ring3的方法吧

void Cxxx::FileDelete(CString FilePath)
{
BOOL bRet = SetFileAttributes(FilePath,FILE_ATTRIBUTE_ARCHIVE);// 设置目标程序为存档属性
// 在临时目录产生产生两个随机的文件
CString strReplaceFile[2];
char szWinDir[256] = {0};
::GetTempPath(256,szWinDir);
szWinDir[strlen(szWinDir)] = '\\';

for(int i = 0; i < 2; i ++)
{
   char szTemp[256] = {0};
   GetTempFileName(szWinDir,_T ("♂"),0,szTemp);
   strReplaceFile[i] = szTemp;
   HANDLE hFile = CreateFile(strReplaceFile[i],GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ|FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_TEMPORARY,NULL);
   if(hFile == (HANDLE)-1)
   {
    MessageBox(NULL,"文件粉碎失败!","文件操作",MB_OK);
    return ;
   }
   ::CloseHandle(hFile);
}
// 替换目标文件
typedef BOOL   (__stdcall *PREPLACEFILE)(LPCTSTR lpReplacedFileName,LPCTSTR lpReplacementFileName,LPCTSTR lpBackupFileName,DWORD dwReplaceFlags,LPVOID lpExclude,LPVOID lpReserved);

HMODULE hKernel32 = GetModuleHandle("kernel32.dll");
ASSERT(hKernel32);
PREPLACEFILE pFnReplacefile = (PREPLACEFILE)GetProcAddress(hKernel32,"ReplaceFileA");
if(pFnReplacefile == NULL)
{
   MessageBox(NULL,"您的系统不支持删除正在执行的文件!","文件操作",MB_OK);
//   MessageBox(NULL,"删除文件失败!","文件操作",MB_OK);
   return;
}
bRet = pFnReplacefile(FilePath,strReplaceFile[0],strReplaceFile[1],3,0,0);
if(!bRet)
{
//   CString strError;
//   strError.Format("%d删除文件失败",GetLastError());
//   PrintLog(strError);
//   MessageBox(NULL,strError,"文件操作",MB_OK);
   return;
}
bRet = DeleteFile(FilePath);
if(!bRet)
{
   MessageBox(NULL,"删除正在执行的文件失败!","文件操作",MB_OK);
   return;
}

}
下面是ring0的方法.

BOOLEAN SKillDeleteFile(IN HANDLE   FileHandle)
{
     NTSTATUS         ntStatus = STATUS_SUCCESS;
     PFILE_OBJECT     fileObject;
     PDEVICE_OBJECT   DeviceObject;
     PIRP             Irp;
     KEVENT           event;
     FILE_DISPOSITION_INFORMATION   FileInformation;
     IO_STATUS_BLOCK ioStatus;
     PIO_STACK_LOCATION irpSp;

     ntStatus = ObReferenceObjectByHandle(FileHandle,
         DELETE,
         *IoFileObjectType,
         KernelMode,
         &fileObject,
         NULL);

     if (!NT_SUCCESS(ntStatus))
     {
         return FALSE;
     }

     DeviceObject = IoGetRelatedDeviceObject(fileObject);
     Irp = IoAllocateIrp(DeviceObject->StackSize, TRUE);

     if (Irp == NULL)
     {
         ObDereferenceObject(fileObject);
         return FALSE;
     }

     KeInitializeEvent(&event, SynchronizationEvent, FALSE);
    
     FileInformation.DeleteFile = TRUE;

     Irp->AssociatedIrp.SystemBuffer = &FileInformation;
     Irp->UserEvent = &event;
     Irp->UserIosb = &ioStatus;
     Irp->Tail.Overlay.OriginalFileObject = fileObject;
     Irp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
     Irp->RequestorMode = KernelMode;
    
     irpSp = IoGetNextIrpStackLocation(Irp);
     irpSp->MajorFunction = IRP_MJ_SET_INFORMATION;
     irpSp->DeviceObject = DeviceObject;
     irpSp->FileObject = fileObject;
     irpSp->Parameters.SetFile.Length = sizeof(FILE_DISPOSITION_INFORMATION);
     irpSp->Parameters.SetFile.FileInformationClass = FileDispositionInformation;
     irpSp->Parameters.SetFile.FileObject = fileObject;

     IoSetCompletionRoutine(
             Irp,
             SkillSetFileCompletion,
             &event,
             TRUE,
             TRUE,
             TRUE);

     IoCallDriver(DeviceObject, Irp);

     KeWaitForSingleObject(&event, Executive, KernelMode, TRUE, NULL);

     ObDereferenceObject(fileObject);

     return TRUE;
}

伟大的人民警察在出击逮捕抓获罪犯的同时,又不得不顾及自身的安全.更何况是我们小小anti事业,警察和罪犯的区别是什么?对,都是带有危险性器械的(刀,枪类).不废话了,抗打测试现在开始.

#include "ntddk.h"

WCHAR gDeviceName[]=L"\\Device\\AntiantiClose";
WCHAR gDosDeviceName[]=L"\\??\\AntiantiClose";
//定义一下
NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(IN PHANDLE ProcessHandle,ACCESS_MASK MASK,POBJECT_ATTRIBUTES attr,PCLIENT_ID cid1);

typedef NTSTATUS (*PZwTerminateProcess)(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
typedef NTSTATUS (*PZwOpenProcess)(IN PHANDLE ProcessHandle,ACCESS_MASK MASK,POBJECT_ATTRIBUTES attr,PCLIENT_ID cid1);

typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;

NTSYSAPI   ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

//used for SSDT hook
PMDL   g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
PZwTerminateProcess         Old_ZwTerminateProcess = NULL;
PZwOpenProcess     Old_ZwOpenProcess = NULL;

// used for state keeping
PEPROCESS PEPROCESS2PROTECTED = 0;

//used for SSDT hook
#define SYSTEMSERVICE(_function)   KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig )        \
_Orig = (PVOID) InterlockedExchange( (PLONG) \
&MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

#define UNHOOK_SYSCALL(_Func, _Hook, _Orig )   \
InterlockedExchange((PLONG)            \
&MappedSystemCallTable[SYSCALL_INDEX(_Func)], (LONG) _Hook)
//函数定义部分
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess);
void HookSSDTTable();
void UnHookSSDTTable();
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
//hook掉关闭
NTSTATUS NTAPI NewZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus)
{
PEPROCESS process_to_kill;
if (ObReferenceObjectByHandle(ProcessHandle,GENERIC_READ,NULL,KernelMode,
   &process_to_kill,0) == STATUS_SUCCESS){
  
   if ( PEPROCESS2PROTECTED== process_to_kill &&
    PsGetCurrentProcess() != process_to_kill) return STATUS_ACCESS_DENIED;
}
return   Old_ZwTerminateProcess(ProcessHandle,ExitStatus);
}

NTSTATUS NTAPI NewZwOpenProcess(IN PHANDLE ProcessHandle,ACCESS_MASK MASK,POBJECT_ATTRIBUTES attr,PCLIENT_ID cid1)
{
PEPROCESS process_to_kill,EProcess;
NTSTATUS ans;
// DbgPrint("%x",PsGetCurrentProcess());
PsLookupProcessByProcessId( *(ULONG *)cid1, &EProcess);
if ((MASK != 0x401 ) && (MASK != 0x400 ) && PEPROCESS2PROTECTED== EProcess &&
   PsGetCurrentProcess() != EProcess) return STATUS_ACCESS_DENIED;

return Old_ZwOpenProcess(ProcessHandle,MASK,attr,cid1);
}

void HookSSDTTable()
{
Old_ZwTerminateProcess =(PZwTerminateProcess)(SYSTEMSERVICE(ZwTerminateProcess));
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
   return;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
DbgPrint("Hooked!\n");
HOOK_SYSCALL( ZwTerminateProcess, NewZwTerminateProcess, Old_ZwTerminateProcess );
HOOK_SYSCALL( ZwOpenProcess, NewZwOpenProcess, Old_ZwOpenProcess );  
}

void UnHookSSDTTable()
{
if (Old_ZwTerminateProcess)
{
   UNHOOK_SYSCALL( ZwTerminateProcess, Old_ZwTerminateProcess, NewZwTerminateProcess );
   UNHOOK_SYSCALL( ZwOpenProcess, Old_ZwOpenProcess, NewZwOpenProcess );
}
if(g_pmdlSystemCall)
{
   MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
   IoFreeMdl(g_pmdlSystemCall);
}
}

NTSTATUS   DriverEntry( IN PDRIVER_OBJECT DriverObject,   IN PUNICODE_STRING RegistryPath )
{
UNICODE_STRING DeviceName;
UNICODE_STRING DosDeviceName;
PDEVICE_OBJECT pDeviceObject=NULL;
NTSTATUS Status;
RtlInitUnicodeString(&DeviceName,gDeviceName);
RtlInitUnicodeString(&DosDeviceName,gDosDeviceName);
IoCreateDevice(DriverObject,0,&DeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,&pDeviceObject);
pDeviceObject->Flags|=DO_BUFFERED_IO;
Status = IoCreateSymbolicLink(&DosDeviceName,&DeviceName);
if(Status)
   DbgPrint("IoCreateSymbolicLink Return %0x\n",Status);
else
{
   DbgPrint("ok\n");
}
HookSSDTTable();             //开始HOOK
return STATUS_SUCCESS;
}

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
NTSTATUS status;
UNICODE_STRING DosDeviceName;
UnHookSSDTTable();           //恢复HOOK
RtlInitUnicodeString(&DosDeviceName,gDosDeviceName);
if(DriverObject->DeviceObject)
   IoDeleteDevice(DriverObject->DeviceObject);
status = IoDeleteSymbolicLink(&DosDeviceName);
if(status)
   DbgPrint("IoDeleteSymbolicLink Return %0x\n",status);
}

好了,上面的例子代码你看一定会说这种只有菜B才用的方法,作为终极对抗它是菜鸟,你或许可以写个虚拟机boot引导之类的.整天hook来hook去的没什么意思.

再发个强点点的吧

#include <ntddk.h>
#include "windef.h"

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
       IN ULONG           ProcessId,
       OUT PEPROCESS      *Process
);

PEPROCESS eProcess;
ULONG CR0VALUE = 0;
void DisableProtection()
{
__asm
{
     mov eax,cr0
     mov CR0VALUE,eax
     and eax,0xfffeffff
     mov cr0,eax
}
}

void EnableProtection()
{
__asm
{
     mov eax,CR0VALUE
     mov cr0,eax
}
}

__declspec(naked) NTSTATUS ProxyPspTerminateThreadByPointer(IN PETHREAD Thread, IN NTSTATUS ExitStatus, IN BOOLEAN DirectTerminate)
{
      __asm
           {
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
                   _emit 0x90
           }
}

NTSTATUS     MyPspTerminateThreadByPointer(IN PETHREAD Thread, IN NTSTATUS ExitStatus, IN BOOLEAN DirectTerminate)
{
     NTSTATUS      ntStatus;
     ULONG             tmpVal;  
     tmpVal = (ULONG) ( (char *)Thread + 0x22c);  
     tmpVal = *(ULONG *)tmpVal;  
     if(tmpVal==(ULONG)eProcess)
     {
      //return STATUS_ACCESS_DENIED;
      return STATUS_SUCCESS;
     }  
     ntStatus = ProxyPspTerminateThreadByPointer(Thread, ExitStatus, DirectTerminate);  
     return ntStatus;
}

void Unload( PDRIVER_OBJECT DriverObject )
{
     UNICODE_STRING usDosDeviceName;
     KdPrint(( "AntiClose_Unload called!\r\n" ));
     RtlInitUnicodeString( &usDosDeviceName, L"\\DosDevices\\AntiClose" );
     IoDeleteSymbolicLink( &usDosDeviceName );
     IoDeleteDevice( DriverObject->DeviceObject );
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject , IN PUNICODE_STRING RegistryPath)
{
NTSTATUS       ntStatus;
KIRQL         oldIrql;  
ULONG     *PspTerminateThreadByPointer = (ULONG *)0x804a9b86;
BYTE g_cHookCode[5] = { 0xe9, 0, 0, 0, 0 };
BYTE g_cOrigCode[12] = { 0 };
BYTE jmp_orig_code[12] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
_asm int 3;
DriverObject -> DriverUnload = Unload;     //
ntStatus = PsLookupProcessByProcessId(280, &eProcess);
if(NT_SUCCESS(ntStatus))
{
     ObDereferenceObject(eProcess);
}

RtlCopyMemory(g_cOrigCode, (BYTE*)PspTerminateThreadByPointer, 10);
*( (ULONG*)(g_cHookCode+1) ) = (ULONG)MyPspTerminateThreadByPointer - (ULONG)PspTerminateThreadByPointer - 5;
DisableProtection();
oldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory((BYTE*)PspTerminateThreadByPointer, g_cHookCode, 5);
*( (ULONG*)(jmp_orig_code+1) ) = (ULONG)((BYTE*)PspTerminateThreadByPointer + 11);
RtlCopyMemory((BYTE*)ProxyPspTerminateThreadByPointer, g_cOrigCode, 11);
RtlCopyMemory((BYTE*)ProxyPspTerminateThreadByPointer+11, jmp_orig_code, 11);
KeLowerIrql(oldIrql);
EnableProtection();  
      return STATUS_SUCCESS;
}

还是那句老话,在anti别人前先看别人有没有先anti你.如果你先被anti了则恢复hook,在这里也建议大家做个hook monitor.或者hook保护.关于hive操作的文章本来就少,我还就没怎么琢磨过服务的事丢个地址自己看啦http://www.xfocus.net/articles/200505/802.html

hive的操作函数在ntreg.h里定义,自己找吧!我给个简单的例子.

void Cxxx::ShowHideService(struct hive *hdesc, char *path, int vofs, int type)
{
m_list.DeleteAllItems();
struct nk_key *key;
int nkofs;
struct ex_data ex;
int count = 0, countri = 0;
//wHAT I ADD
void *data;
int nkofs_cat;
int serviceno;
serviceno = 1;
CString HiddenName,StartHiddenType,HiddenServiceDr,HiddenTol;
nkofs = ChkReg.trav_path(hdesc, vofs, path, 0);
if(!nkofs)
{
   char szTrace[128];
   sprintf(szTrace, "nk_ls: Key <%s> not found\n",path);
   TRACE0(szTrace);
   abort();
   return;
}
nkofs += 4;
key = (struct nk_key *)(hdesc->buffer + nkofs);
if (key->id != 0x6b6e)
{
   TRACE0("Error: Not a 'nk' node!\n");
   ChkReg.debugit(hdesc->buffer,hdesc->size);
}
int nHideServiceTotal = 0;
if (key->no_subkeys)
{

  
         while ((ChkReg.ex_next_n(hdesc, nkofs, &count, &countri, &ex) > 0)) {
    if(!CompareHive(ex.name) )
    {
     nohideservice = 0;
     if(!(serviceno - 1))
     {    
      nkofs_cat = ChkReg.trav_path(hdesc, vofs, ex.name, 0);
      HiddenName.Format("%s",ex.name);
      m_list.InsertItem(nHideServiceTotal, "");
      m_list.SetItemText(nHideServiceTotal,0,HiddenName);
     
      char szServicePath[MAX_PATH];
      memset(szServicePath, 0, MAX_PATH);
      ShowPathImage(hdesc, nkofs_cat + 4, "ImagePath", szServicePath);
      m_list.SetItemText(nHideServiceTotal, 4, szServicePath);
      data = (void *)ChkReg.get_val_data(hdesc, nkofs_cat + 4, "Start", 0 );
      if( data != NULL)
      {   
       switch(*(unsigned short *)data)
       {
       case 0:
        StartHiddenType = "引导启动";
        m_list.SetItemText(nHideServiceTotal,3,StartHiddenType);
        break;
       case 1:
        StartHiddenType = "系统启动";
        m_list.SetItemText(nHideServiceTotal,3,StartHiddenType);
        break;
       case 2:
        StartHiddenType = "自动启动";
        m_list.SetItemText(nHideServiceTotal,3,StartHiddenType);
        break;
       case 3:
        StartHiddenType = "手动启动";
        m_list.SetItemText(nHideServiceTotal,3,StartHiddenType);
        break;
       case 4:
        StartHiddenType ="没有启动";
        m_list.SetItemText(nHideServiceTotal,3,StartHiddenType);
        break;
       default:
        StartHiddenType = "未知类型";
        m_list.SetItemText(nHideServiceTotal,3,StartHiddenType);        
       }
       if( *(unsigned short *)data != 4 )
       {
        ChkReg.put_dword(hdesc, nkofs_cat + 4, "Start", 4);
        ischange = 1;
       }                                                
      }                   
      data = (void *)ChkReg.get_val_data(hdesc, nkofs_cat + 4, "Type", 0 );
      if( data != NULL)
      {
       if(*(unsigned short *)data & 1)
        HiddenServiceDr = "木马! 内核驱动文件";
       m_list.SetItemText(nHideServiceTotal,5,HiddenServiceDr);                             
       if(*(unsigned short *)data & 2)
        HiddenServiceDr = "木马! 文件系统驱动";
       m_list.SetItemText(nHideServiceTotal,5,HiddenServiceDr);                         
      
       if(*(unsigned short *)data & 8)
        HiddenServiceDr = "木马!注册表配置驱动文件";
       m_list.SetItemText(nHideServiceTotal,5,HiddenServiceDr);                           
      
       if(*(unsigned short *)data & 16)
        HiddenServiceDr = "木马! 进程文件";
       m_list.SetItemText(nHideServiceTotal,5,HiddenServiceDr);                          
      
       if(*(unsigned short *)data & 32)
        HiddenServiceDr = "木马! 共享类型的进程";
       m_list.SetItemText(nHideServiceTotal,5,HiddenServiceDr);                            
      
       if(*(unsigned short *)data & 256)
        HiddenServiceDr = "木马!动态类型的进程";
       m_list.SetItemText(nHideServiceTotal,5,HiddenServiceDr);                              
      
      }
      nHideServiceTotal ++;
     }
    }
    FREE(ex.name);
   }
  
}
if(0 == nHideServiceTotal)
{
   HiddenTol.Format("没有检测到隐藏服务:)");
   this->OnView();
}
else
{
   HiddenTol.Format("共发现%d个隐藏服务", nHideServiceTotal);
}
MessageBox(HiddenTol, "提示", MB_OK);
}

//少女式卸载,1参数为PID,2参数为dll名称

int UnInjectDll(ULONG dwProcessId,CString DllName)
{

const DWORD dwThreadSize = 4096;
     Quanxian->EnablePriv();   //提升权限的,这个函数你自己写吧,贴出来占地方
//以下为创建远程线程做准备
// 取得LoadLibraryA函数的地址，我们将以它作为远程线程函数启动
HMODULE hModule=::GetModuleHandle("kernel32.dll");
LPTHREAD_START_ROUTINE pfnStartRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "GetModuleHandleA");
LPTHREAD_START_ROUTINE pfnFreeRoutine = (LPTHREAD_START_ROUTINE)::GetProcAddress(hModule, "FreeLibrary");
char DllPath[MAX_PATH];
memset(DllPath, 0, MAX_PATH);
int nSel = m_modulelist.GetSelectionMark();
m_modulelist.GetItemText(nSel, 0, DllPath, MAX_PATH);
// 在目标进程中申请空间，存放字符串szDllName，作为远程线程的参数
int cbSize = (strlen(DllPath) + 1);
//以上为创建远程线程做准备

HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
if(NULL != hProcess)
{  
   DWORD dwHandle;
   LPVOID lpRemoteDllName = ::VirtualAllocEx(hProcess, NULL, cbSize, MEM_COMMIT, PAGE_READWRITE);
   ::WriteProcessMemory(hProcess, lpRemoteDllName, DllPath, cbSize, NULL);   
   // 启动远程线程，并立刻运行
   HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0, pfnStartRoutine, lpRemoteDllName, 0, NULL);
   if(hRemoteThread == NULL)
   {
    CloseHandle(hProcess);
    return FALSE;
   }
   // 等待目标线程运行结束，即LoadLibraryA函数返回
   ::WaitForSingleObject(hRemoteThread, INFINITE);    
   GetExitCodeThread( hRemoteThread, &dwHandle );
   // 释放目标进程中申请的空间
  
   VirtualFreeEx( hProcess, lpRemoteDllName, cbSize, MEM_RELEASE|MEM_DECOMMIT);
  
   ::CloseHandle(hRemoteThread);
  
   hRemoteThread = CreateRemoteThread( hProcess, NULL, 0,
    (LPTHREAD_START_ROUTINE)pfnFreeRoutine, (LPVOID)dwHandle, 0, &dwProcessId );
   // 等待FreeLibrary卸载完毕
   WaitForSingleObject( hRemoteThread, INFINITE );
   CloseHandle( hRemoteThread );
   CloseHandle(hProcess);
   m_modulelist.DeleteItem(nSel);
}
     return 0;

}

//少妇式卸载

typedef DWORD (_stdcall *XXXNtUnmapViewOfSection)( HANDLE hProcess, PVOID Address);

void UnloadNtdll()
{
PVOID   NtdllAddress;
HANDLE   hProcess;
XXXNtUnmapViewOfSection NtUnmapViewOfSection;
HWND   hWindow;
BOOL   bRet = TRUE;

hWindow = FindWindow( NULL, "你要找的名称");

hProcess = OpenProcess( PROCESS_VM_OPERATION, FALSE, PID号);

NtUnmapViewOfSection = (XXXNtUnmapViewOfSection)GetProcAddress( GetModuleHandle("你要卸载的dll文件"), "NtUnmapViewOfSection" );

NtdllAddress = (PVOID)NtUnmapViewOfSection;

NtUnmapViewOfSection( hProcess, NtdllAddress);

CloseHandle( hProcess );

PostMessage( hWindow, WM_MOUSEMOVE, 0 , 0);

}