Viruses, Spyware, Privacy 11,241 topics, 94,650 posts

hide Key?

(Anonymous) / 6 replies

Hello,

I found a trojan that apparently has the following feature: it hides its registry entry completely from all registry tools. Here is an excerpt from the help file:

quote:
----------------------------------------------------------------------
...Original coded by Solar Eclipse.
In the original source there was only the function to hide for RegEnumKeys, but that was enough to understand what happened and how.

THANKS Solar Eclipse!

Now I add a hook on RegOpenKey, which makes the registry key
full stealth to any registry tool.

Yes, any Tool !
Not only Regedit.exe.
----------------------------------------------------------------------

What this Solar Eclipse programmed was apparently something in ASM. Now my question: which trojan also offers such a stealth mode for its registry entry in the registry?

(Anonymous) Follow-up to: „winreg.h LONG RegCreateKeyEx HKEY hKey, ..., LPSECURITY_ATTRIBUTES...“

tsk tsk... what you copied there is the include file for Wine, not for the Win32 API.
The correct line for the Win32 API is:
RegCreateKeyEx
RegCreateKeyEx( $hKey, $sSubKey, $uZero, $sClass, $uOpts, $uAccess, $pSecAttr, $ohNewKey, $ouDisp )

Creates a new Registry subkey. Returns a true value if successful and a false value [and sets $^E/regLastError()] on failure.
$hKey is the handle to a Registry key [either HKEY_* or from a previous call].

$sSubKey is the name of the new subkey to be created.

$iZero is reserved for future use and should always be specified as 0.

$sClass is a string to be used as the class for the new subkey. We are not aware of any current use for Registry key class information so the empty string, "", should usually be used here.

$iOpts is a numeric value containing bits that control options used while creating the new subkey. REG_OPTION_NON_VOLATILE is the default. REG_OPTION_VOLATILE [which is ignored on Windows 95] means the data stored under this key is not kept in a file and will not be preserved when the system reboots. REG_OPTION_BACKUP_RESTORE [also ignored on Windows 95] means ignore the $iAccess parameter and try to open the new key with the access required to backup or restore the key.

$iAccess is a numeric mask of bits specifying what type of access is desired when opening the new subkey. See RegOpenKeyEx().

$pSecAttr is a SECURITY_ATTRIBUTES structure packed into a Perl string which controls whether the returned handle can be inherited by child processes. Normally you would pass [] for this parameter to have NULL passed to the underlying API indicating that the handle cannot be inherited. If not under Windows95, then $pSecAttr also allows you to specify SECURITY_DESCRIPTOR that controls which users will have what type of access to the new key -- otherwise the new key inherits its security from its parent key.

$phKey will be set to the handle to be used to access the new subkey if the call succeeds.

$piDisp will be set to either REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY to indicate for which reason the call succeeded. Can be specified as [] if you don't care.

If $phKey and $piDisp start out as integers, then they will probably remain unchanged if the call fails.

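As an added example (not code from the thread, and not the Win32API::Registry module's own documentation), here is a Perl script that calls RegCreateKeyEx through Win32API::Registry with the parameters the reply above describes. It creates a throw-away subkey under HKEY_CURRENT_USER, calls again to show the REG_OPENED_EXISTING_KEY disposition, and then deletes the key. The subkey name is a constructed placeholder chosen for this demo.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: exercise RegCreateKeyEx through the
# Perl Win32API::Registry module using the parameters described in the reply.
use strict;
use warnings;
use Win32API::Registry qw(:ALL);

# Constructed demo subkey under HKEY_CURRENT_USER (assumption; any throw-away name works).
my $SUBKEY = 'Software\\RegCreateKeyExDemo';

# Create (or open) the demo subkey and return the disposition constant, so the
# caller can tell whether the name already existed before the call.
sub create_or_open {
    my ($hKey, $disp) = (0, 0);   # start as integers, as the doc note above suggests
    RegCreateKeyEx(
        HKEY_CURRENT_USER,        # $hKey: parent key handle
        $SUBKEY,                  # $sSubKey: name of the subkey to create
        0,                        # reserved, must be 0
        '',                       # $sClass: class string, unused in practice
        REG_OPTION_NON_VOLATILE,  # $uOpts: key persists across reboots
        KEY_ALL_ACCESS,           # $uAccess: desired access to the new key
        [],                       # $pSecAttr: NULL, handle not inheritable
        $hKey,                    # out: handle to the created/opened key
        $disp,                    # out: REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY
    ) or die 'RegCreateKeyEx failed: ' . regLastError() . "\n";
    RegCloseKey($hKey) or warn 'RegCloseKey failed: ' . regLastError() . "\n";
    return $disp;
}

# Map the numeric disposition back to its symbolic name for display.
sub disp_name {
    my ($disp) = @_;
    return 'REG_CREATED_NEW_KEY'     if $disp == REG_CREATED_NEW_KEY;
    return 'REG_OPENED_EXISTING_KEY' if $disp == REG_OPENED_EXISTING_KEY;
    return "unknown disposition $disp";
}

# First call should create the key, second call should find it already there.
print "first call:  ", disp_name(create_or_open()), "\n";
print "second call: ", disp_name(create_or_open()), "\n";

# Remove the demo key again so nothing is left behind.
RegDeleteKey(HKEY_CURRENT_USER, $SUBKEY)
    or die 'RegDeleteKey failed: ' . regLastError() . "\n";
print "deleted $SUBKEY\n";
```

The disposition is reported by the create path rather than by RegOpenKey or RegEnumKeys, the two functions the quoted help text says the trojan hooks; that difference is why anti-rootkit cross-checks compare what several API paths report about the same key name instead of trusting a single enumeration.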