hash 计算接口 Crypto API (证书,对称加密,非对称加密,编码和解码)
CryptAcquireContext
CryptCreateHash
CryptReleaseContext
CryptHashData
CryptDestroyHash
CryptGetHashParam
注册表操作接口
RegEnumKeyEx
RegEnumValueW
RegOpenKeyExW
RegQueryValueExW
RegQueryInfoKeyW
服务注册表的路径:\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
AutoRuns 和 AutoRuncs 下载地址
https://learn.microsoft.com/zh-cn/sysinternals/downloads/autoruns
目标:
1、在上次课的基础上把所有枚举出来的进程以及进程模块的文件hash值[MD5 sha-1,sha256]计算出来;存在父进程id的进程一并把父进程信息给关联起来一并输出;涉及运行中文件的打开,可以考虑先复制到其他地方再读取内容进行计算。
2、使用注册表接口,把注册表中的服务信息枚举出来,并输出关联的二进制路径,思考一下使用服务接口枚举的服务和注册表枚举的服务如何关联。
3、使用注册表接口,枚举当前计算启动项信息,启动项注册表路径自己查阅资料。
扩展内容:可以在进程,模块hash的基础上增加文件签名校验:参考内容链接:https://blog.csdn.net/StanfordZhang/article/details/8255605
1、hash CRC32–开销比较小 ,MD5,SHA1,SHA256 --运行开销,自定义的简单hash ,oxxxdxg.exe 长度,第一个字符是0 第四个字符是d 第六个是g 存在碰撞的可能。FFFFXAC VALUE ^ KEY = ENCODE;ENCODE ^ KEY = VALUE;
1231234535–》calc_proc—>data_spect
运行时解密。
框架原始的串 --》calc——proc -》FFFFXAC ollydbg.exe
注册表,这个就是WINDOWS 自带的数据库,或者说是一个配置库。
自启动
总结:白名单技术。云查(网络接口)
先给三个代码
1、在上次课的基础上把所有枚举出来的进程以及进程模块的文件hash值
[MD5 sha-1,sha256]计算出来;存在父进程id的进程一并把父进程信息给关联起来一并输出;
涉及运行中文件的打开,可以考虑先复制到其他地方再读取内容进行计算。
//第一部分计算
#include
#include
#include
#include
#include
#include
#include
#include
#include
// 计算文件的哈希值
std::string CalculateHash(const wchar_t* filePath, const char* hashAlgorithm)
{
std::string hashValue;
HANDLE hFile = CreateFile(filePath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL);
if (hFile != INVALID_HANDLE_VALUE)
{
HCRYPTPROV hProv = NULL;
HCRYPTHASH hHash = NULL;
if (CryptAcquireContext(&hProv, NULL, MS_DEF_PROV, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
{
if (CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))
{
const DWORD bufferSize = 8192;
BYTE buffer[bufferSize];
DWORD bytesRead;
while (ReadFile(hFile, buffer, bufferSize, &bytesRead, NULL) && bytesRead > 0)
{
CryptHashData(hHash, buffer, bytesRead, 0);
}
DWORD cbHashSize = 0;
DWORD hashSize = sizeof(DWORD);
if (CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&cbHashSize, &hashSize, 0))
{
std::vector<BYTE> hashBuffer(cbHashSize);
if (CryptGetHashParam(hHash, HP_HASHVAL, &hashBuffer[0], &cbHashSize, 0))
{
char hexChar[] = "0123456789ABCDEF";
hashValue.reserve(2 * cbHashSize);
for (DWORD i = 0; i < cbHashSize; ++i)
{
hashValue.push_back(hexChar[hashBuffer[i] >> 4]);
hashValue.push_back(hexChar[hashBuffer[i] & 0xF]);
}
}
}
CryptDestroyHash(hHash);
}
CryptReleaseContext(hProv, 0);
}
CloseHandle(hFile);
}
return hashValue;
}
int main()
{
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
// 获取进程快照
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("创建进程快照失败!错误码:%d\n", GetLastError());
return 1;
}
// 设置进程快照结构体大小
pe32.dwSize = sizeof(PROCESSENTRY32);
// 获取第一个进程的信息
if (!Process32First(hProcessSnap, &pe32))
{
printf("获取第一个进程信息失败!错误码:%d\n", GetLastError());
CloseHandle(hProcessSnap);
return 1;
}
// 遍历进程快照,输出每个进程内的System32路径下的模块
do
{
HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pe32.th32ProcessID);
if (hProcess)
{
HMODULE hMods[1024];
DWORD cbNeeded;
// 获取模块句柄数组
if (EnumProcessModules(hProcess, hMods, sizeof(hMods), &cbNeeded))
{
// 获取模块路径
for (unsigned int i = 0; i < cbNeeded / sizeof(HMODULE); i++)
{
wchar_t szModuleName[MAX_PATH];
if (GetModuleFileNameEx(hProcess, hMods[i], szModuleName, MAX_PATH))
{
// 判断模块路径是否位于System32目录下
if (wcsstr(szModuleName, L"\\System32\\") != NULL)
{
std::string md5Hash = CalculateHash(szModuleName, "MD5");
std::string sha1Hash = CalculateHash(szModuleName, "SHA1");
std::string sha256Hash = CalculateHash(szModuleName, "SHA256");
printf("进程ID: %d\n", pe32.th32ProcessID);
printf("父进程ID: %d\n", pe32.th32ParentProcessID);
printf("模块路径: %ls\n", szModuleName);
printf("MD5 哈希值: %s\n",(md5Hash.empty() ? "计算失败" : md5Hash.c_str()));
printf("SHA1 哈希值: %s\n", (sha1Hash.empty() ? "计算失败" : sha1Hash.c_str()));
printf("SHA256 哈希值: %s\n\n", (sha256Hash.empty() ? "计算失败" : sha256Hash.c_str()));
}
}
}
}
CloseHandle(hProcess);
}
} while (Process32Next(hProcessSnap, &pe32));
CloseHandle(hProcessSnap);
return 0;
}
//使用注册表接口,把注册表中的服务信息枚举出来,并输出关联的二进制路径
#include
#include
#include
void EnumerateServices()
{
HKEY hKey;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services", 0, KEY_READ, &hKey) == ERROR_SUCCESS)
{
DWORD numSubKeys;
if (RegQueryInfoKeyW(hKey, NULL, NULL, NULL, &numSubKeys, NULL, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
for (DWORD i = 0; i < numSubKeys; i++)
{
WCHAR serviceName[MAX_PATH];
DWORD serviceNameSize = MAX_PATH;
if (RegEnumKeyExW(hKey, i, serviceName, &serviceNameSize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
HKEY hServiceKey;
if (RegOpenKeyExW(hKey, serviceName, 0, KEY_READ | KEY_WOW64_64KEY, &hServiceKey) == ERROR_SUCCESS)
{
WCHAR imagePath[MAX_PATH];
DWORD imagePathSize = MAX_PATH;
if (RegQueryValueExW(hServiceKey, L"ImagePath", NULL, NULL, reinterpret_cast<LPBYTE>(imagePath), &imagePathSize) == ERROR_SUCCESS)
{
std::wcout << "Service Name: " << serviceName << std::endl;
std::wcout << "Binary Path: " << imagePath << std::endl;
std::wcout << std::endl;
}
RegCloseKey(hServiceKey);
}
}
}
}
RegCloseKey(hKey);
}
}
int main()
{
EnumerateServices();
return 0;
}
2、使用注册表接口,把注册表中的服务信息枚举出来,并输出关联的二进制路径,思考一下使用服务接口枚举的服务和注册表枚举的服务如何关联
#include
#include
#include
void EnumerateServices()
{
HKEY hKey;
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SYSTEM\\CurrentControlSet\\Services", 0, KEY_READ, &hKey) == ERROR_SUCCESS)
{
DWORD numSubKeys;
if (RegQueryInfoKeyW(hKey, NULL, NULL, NULL, &numSubKeys, NULL, NULL, NULL, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
for (DWORD i = 0; i < numSubKeys; i++)
{
WCHAR serviceName[MAX_PATH];
DWORD serviceNameSize = MAX_PATH;
if (RegEnumKeyExW(hKey, i, serviceName, &serviceNameSize, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
HKEY hServiceKey;
if (RegOpenKeyExW(hKey, serviceName, 0, KEY_READ | KEY_WOW64_64KEY, &hServiceKey) == ERROR_SUCCESS)
{
WCHAR imagePath[MAX_PATH];
DWORD imagePathSize = MAX_PATH;
if (RegQueryValueExW(hServiceKey, L"ImagePath", NULL, NULL, reinterpret_cast<LPBYTE>(imagePath), &imagePathSize) == ERROR_SUCCESS)
{
std::wcout << "Service Name: " << serviceName << std::endl;
std::wcout << "Binary Path: " << imagePath << std::endl;
std::wcout << std::endl;
}
RegCloseKey(hServiceKey);
}
}
}
}
RegCloseKey(hKey);
}
}
int main()
{
EnumerateServices();
return 0;
}
3、使用注册表接口,枚举当前计算启动项信息
#include
#include
#include
void EnumerateStartupItems()
{
HKEY hKey;
// 枚举HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run键的值
if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_READ, &hKey) == ERROR_SUCCESS)
{
DWORD numValues;
if (RegQueryInfoKeyW(hKey, NULL, NULL, NULL, NULL, NULL, NULL, &numValues, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
for (DWORD i = 0; i < numValues; i++)
{
WCHAR valueName[MAX_PATH];
DWORD valueNameSize = MAX_PATH;
BYTE data[MAX_PATH];
DWORD dataSize = MAX_PATH;
DWORD valueType;
if (RegEnumValueW(hKey, i, valueName, &valueNameSize, NULL, &valueType, data, &dataSize) == ERROR_SUCCESS)
{
if (valueType == REG_SZ)
{
std::wcout << "Value Name: " << valueName << std::endl;
std::wcout << "Binary Path: " << reinterpret_cast<WCHAR*>(data) << std::endl;
std::wcout << std::endl;
}
}
}
}
RegCloseKey(hKey);
}
// 枚举HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run键的值
if (RegOpenKeyExW(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_READ, &hKey) == ERROR_SUCCESS)
{
DWORD numValues;
if (RegQueryInfoKeyW(hKey, NULL, NULL, NULL, NULL, NULL, NULL, &numValues, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
{
for (DWORD i = 0; i < numValues; i++)
{
WCHAR valueName[MAX_PATH];
DWORD valueNameSize = MAX_PATH;
BYTE data[MAX_PATH];
DWORD dataSize = MAX_PATH;
DWORD valueType;
if (RegEnumValueW(hKey, i, valueName, &valueNameSize, NULL, &valueType, data, &dataSize) == ERROR_SUCCESS)
{
if (valueType == REG_SZ)
{
std::wcout << "Value Name: " << valueName << std::endl;
std::wcout << "Binary Path: " << reinterpret_cast<WCHAR*>(data) << std::endl;
std::wcout << std::endl;
}
}
}
}
RegCloseKey(hKey);
}
}
int main()
{
EnumerateStartupItems();
return 0;
}