To implement this attack:
- Create a REG_SZ entry named AppInit_DLLs and set it to the full path of the malicious DLL.
- Create a REG_DWORD entry named LoadAppInit_DLLs and set it to 1.
My browser was previously hijacked by searchqu, which uses AppInit_DLLs to carry out a DLL injection attack, so I wrote a small program to remove searchqu (of course you can also open regedit and delete the registry keys directly).
Header file:
#pragma once
#include <string>

// Reads and removes the AppInit_DLLs injection entries under
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.
class DllInjectionReg {
 public:
  // Returns the current AppInit_DLLs value, or an empty string if it is not set.
  static std::wstring Read();
  // Deletes AppInit_DLLs and LoadAppInit_DLLs; requires administrator rights.
  static void Delete();
};
Source file:
#include "module/dll_injection_reg.h"
#include "base/win/reg.h"

using base::win::RegKey;

namespace {
// Key that holds the AppInit_DLLs and LoadAppInit_DLLs values.
const wchar_t kSubKey[] =
    L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows";
}  // namespace

// static
std::wstring DllInjectionReg::Read() {
  RegKey key(HKEY_LOCAL_MACHINE, kSubKey, KEY_READ);
  std::wstring result;
  // Return an empty string if the key or value does not exist.
  if (key.ReadValue(L"AppInit_DLLs", &result) != ERROR_SUCCESS)
    result.clear();
  return result;
}

// static
void DllInjectionReg::Delete() {
  // KEY_ALL_ACCESS on an HKLM key needs an elevated (administrator) process.
  RegKey key(HKEY_LOCAL_MACHINE, kSubKey, KEY_ALL_ACCESS);
  if (!key.Valid())
    return;
  key.DeleteValue(L"AppInit_DLLs");
  key.DeleteValue(L"LoadAppInit_DLLs");
}
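Before deleting the values, it is worth seeing what is actually configured. The following PowerShell audit is an added example, not code from the original post: it reads the same AppInit_DLLs values the tool above removes, on both the native key and the Wow6432Node copy that 32-bit processes use on 64-bit Windows, and reports each listed DLL's existence, signature status and hash. It assumes an elevated PowerShell session on the host being checked.

```powershell
# Added example (not from the original post): audit AppInit_DLLs persistence.
# Assumes an elevated PowerShell session on the host being checked.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    # 32-bit processes on 64-bit Windows read the Wow6432Node copy of the key.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    $load    = $props.LoadAppInit_DLLs
    $signed  = $props.RequireSignedAppInit_DLLs
    $dllList = [string]$props.AppInit_DLLs

    Write-Host "Key: $key"
    Write-Host "  LoadAppInit_DLLs          = $load"
    Write-Host "  RequireSignedAppInit_DLLs = $signed"

    if ([string]::IsNullOrWhiteSpace($dllList)) {
        Write-Host '  AppInit_DLLs is empty (no injection configured here)'
        continue
    }

    # The value is a space- or comma-delimited list of DLL paths.
    foreach ($dll in ($dllList -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (Test-Path -LiteralPath $path) {
            $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Write-Host "  DLL: $path  signature=$sig  sha256=$hash"
        } else {
            # A missing file still means the value was tampered with; keep it in the report.
            Write-Host "  DLL: $path  (file not found)"
        }
    }

    if ($load -eq 1) {
        Write-Warning "Loading is enabled under $key; review the DLLs above before removing the values."
    }
}
```

Record the hashes reported before removal so the DLL can be submitted for analysis or matched against other hosts.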