比较简单，就是往同一路径下的两个注册表键值写入你的内容，没啥实用性，不过测试 DLL 时可以用一下
// Button handler: registers <current directory>\MyDll.dll as an AppInit DLL.
//
// Writes two values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
//   AppInit_DLLs      (REG_SZ)    = full path of MyDll.dll
//   LoadAppInit_DLLs  (REG_DWORD) = 1
// Both writes replace whatever the values held before; nothing is merged or
// backed up, so a pre-existing AppInit_DLLs entry is clobbered.
//
// Review notes:
//  - Writing to HKLM with KEY_ALL_ACCESS requires the process to already run
//    elevated; the EnableTargetPriv(SE_DEBUG_NAME) call does not grant that
//    (SeDebugPrivilege has no bearing on registry access) and can be dropped.
//  - hkRet is leaked when EnableTargetPriv fails: that early return skips
//    RegCloseKey. Close the key on every exit path.
//  - Both RegSetValueEx return values are ignored, so a failed write is silent.
//  - The L"..." key path and _T("\MyDll.dll") literal have single backslashes;
//    presumably "\\" in the original source (lost in extraction) — confirm,
//    otherwise "\M", "\W", "\C" are invalid escapes.
//  - WCHAR/L"" and TCHAR/_T are mixed; this only compiles in a Unicode build.
//  - AppInit_DLLs is a well-known persistence/injection location: EDR and
//    Sysmon registry rules typically alert on LoadAppInit_DLLs being set to 1,
//    and on Windows 8+ with Secure Boot enabled the loader ignores it entirely.
void CInjectDemoDlg::OnBnClickedBtnReg()
{
    WCHAR szSubKey[] = L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows";
    TCHAR szData[MAX_PATH] = _T("");
    // DLL path = current working directory + "\MyDll.dll" (return value unchecked)
    GetCurrentDirectory(MAX_PATH, szData);
    _tcscat_s(szData, _T("\MyDll.dll"));
    HKEY hkRet;
    if (ERROR_SUCCESS != ::RegOpenKeyEx(HKEY_LOCAL_MACHINE, szSubKey, 0, KEY_ALL_ACCESS, &hkRet))
        return; // failed to open the key
    if (!EnableTargetPriv(SE_DEBUG_NAME))
        return; // privilege adjustment failed — NOTE(review): hkRet is leaked here
    // Size passed is in bytes and includes the terminating NUL, as REG_SZ expects.
    RegSetValueEx(hkRet, L"AppInit_DLLs", 0, REG_SZ, (BYTE*)szData, (_tcslen(szData) + 1)*sizeof(TCHAR));
    DWORD dwLoadApp = 1;
    RegSetValueEx(hkRet, L"LoadAppInit_DLLs", 0, REG_DWORD, (BYTE*)&dwLoadApp, sizeof(DWORD));
    RegCloseKey(hkRet);
}
卸载时把键值里的数据清空即可
// Undo the registry-based injection.
//
// Sets AppInit_DLLs to an empty string and LoadAppInit_DLLs to 0 under
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. This does not
// restore the previous contents: any AppInit_DLLs entry that existed before
// OnBnClickedBtnReg ran is wiped as well, and LoadAppInit_DLLs is forced to 0
// regardless of its earlier value.
//
// Review notes (same as OnBnClickedBtnReg):
//  - hkRet is leaked on the EnableTargetPriv-failure return.
//  - EnableTargetPriv(SE_DEBUG_NAME) is irrelevant to a registry write; the
//    HKLM access needs an elevated process, not SeDebugPrivilege.
//  - RegSetValueEx results are ignored.
//  - Key-path backslashes appear unescaped (likely extraction artifact — confirm).
//  - The trailing `return;` is redundant in a VOID function.
VOID CInjectDemoDlg::ERegInject()
{
    WCHAR szSubKey[] = L"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows";
    TCHAR szData[] = _T(""); // empty string: one TCHAR (the NUL)
    HKEY hkRet;
    if (ERROR_SUCCESS != ::RegOpenKeyEx(HKEY_LOCAL_MACHINE, szSubKey, 0, KEY_ALL_ACCESS, &hkRet))
        return; // failed to open the key
    if (!EnableTargetPriv(SE_DEBUG_NAME))
        return; // privilege adjustment failed — NOTE(review): hkRet is leaked here
    // Writes 1 * sizeof(TCHAR) bytes: just the terminator.
    RegSetValueEx(hkRet, L"AppInit_DLLs", 0, REG_SZ, (BYTE*)szData, (_tcslen(szData) + 1)*sizeof(TCHAR));
    DWORD dwLoadApp = 0;
    RegSetValueEx(hkRet, L"LoadAppInit_DLLs", 0, REG_DWORD, (BYTE*)&dwLoadApp, sizeof(DWORD));
    RegCloseKey(hkRet);
    return;
}
里边用到的提权函数代码如下
// 提权函数 by SYC BOOL EnableTargetPriv(LPTSTR lpszPrivilege) { HANDLE hToken = NULL; TOKEN_PRIVILEGES tkp = { 0 }; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { return FALSE; } if (!LookupPrivilegeValue(NULL, lpszPrivilege, &tkp.Privileges[0].Luid)) { CloseHandle(hToken); return FALSE; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) { CloseHandle(hToken); return FALSE; } return TRUE; }