Windows内核注册表管理与HIVE文件解析<\/h1>

1. 注册表基础概念<\/h2>
注册表是Windows操作系统中的核心数据库，用于存储系统和应用程序的配置信息。它具有层次结构，包含键(Key)和值(Value)。<\/p>

1.1 主要根键<\/h3>

HKEY_LOCAL_MACHINE (HKLM)<\/li>
HKEY_CURRENT_USER (HKCU)<\/li>
HKEY_CLASSES_ROOT (HKCR)<\/li>
HKEY_USERS (HKU)<\/li>

HKEY_CURRENT_CONFIG (HKCC)<\/li> <\/ul>

1.2 恶意软件常见注册表操作<\/h3>

持久化<\/strong>：通过Run键实现自启动

HKLM\Software\Microsoft\Windows\CurrentVersion\Run<\/li>
HKCU\Software\Microsoft\Windows\CurrentVersion\Run<\/li> <\/ul> <\/li>
隐藏自身<\/strong>：修改Explorer设置隐藏文件\/进程<\/li>
修改系统配置<\/strong>：禁用任务管理器、安全中心等<\/li>
应用程序劫持<\/strong>：修改文件关联<\/li>
信息收集<\/strong>：窃取用户凭据和系统配置<\/li> <\/ol>
2. 内核API注册表操作<\/h2>
2.1 常用内核API函数<\/h3>
2.1.1 创建\/打开注册表项<\/h4>
NTSTATUS ZwCreateKey<\/span>( <\/span><\/span> PHANDLE KeyHandle, <\/span><\/span> ACCESS_MASK DesiredAccess, <\/span><\/span> POBJECT_ATTRIBUTES ObjectAttributes, <\/span><\/span> ULONG TitleIndex, <\/span><\/span> PUNICODE_STRING Class, <\/span><\/span> ULONG CreateOptions, <\/span><\/span> PULONG Disposition <\/span><\/span>); <\/span><\/span> <\/span><\/span>NTSTATUS ZwOpenKey<\/span>( <\/span><\/span> PHANDLE KeyHandle, <\/span><\/span> ACCESS_MASK DesiredAccess, <\/span><\/span> POBJECT_ATTRIBUTES ObjectAttributes <\/span><\/span>); <\/span><\/span><\/code><\/pre>示例代码：<\/p> HANDLE hKey; <\/span><\/span>UNICODE_STRING regPath; <\/span><\/span>RtlInitUnicodeString(&<\/span>regPath, L<\/span>"<\/span>\\<\/span>Registry<\/span>\\<\/span>Machine<\/span>\\<\/span>Software<\/span>\\<\/span>MyKey"<\/span>); <\/span><\/span>OBJECT_ATTRIBUTES objAttr; <\/span><\/span>InitializeObjectAttributes(&<\/span>objAttr, &<\/span>regPath, OBJ_CASE_INSENSITIVE, NULL, NULL); <\/span><\/span>NTSTATUS status =<\/span> ZwCreateKey(&<\/span>hKey, KEY_ALL_ACCESS, &<\/span>objAttr, 0<\/span>, NULL, 0<\/span>, NULL); <\/span><\/span><\/code><\/pre>2.1.2 删除注册表项\/值<\/h4> NTSTATUS ZwDeleteKey<\/span>(HANDLE KeyHandle); <\/span><\/span>NTSTATUS ZwDeleteValueKey<\/span>(HANDLE KeyHandle, PUNICODE_STRING ValueName); <\/span><\/span><\/code><\/pre>2.1.3 设置注册表值<\/h4> NTSTATUS ZwSetValueKey<\/span>( <\/span><\/span> HANDLE KeyHandle, <\/span><\/span> PUNICODE_STRING ValueName, <\/span><\/span> ULONG TitleIndex, <\/span><\/span> ULONG Type, <\/span><\/span> PVOID Data, <\/span><\/span> ULONG DataSize <\/span><\/span>); <\/span><\/span><\/code><\/pre>示例代码：<\/p> UNICODE_STRING valueName; <\/span><\/span>RtlInitUnicodeString(&<\/span>valueName, L<\/span>"MyValue"<\/span>); <\/span><\/span>DWORD data =<\/span> 1<\/span>; <\/span><\/span>NTSTATUS status =<\/span> ZwSetValueKey(hKey, &<\/span>valueName, 0<\/span>, REG_DWORD, &<\/span>data, sizeof<\/span>(data)); <\/span><\/span><\/code><\/pre>2.1.4 查询注册表值<\/h4> NTSTATUS ZwQueryValueKey<\/span>( <\/span><\/span> HANDLE KeyHandle, <\/span><\/span> PUNICODE_STRING ValueName, <\/span><\/span> KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, <\/span><\/span> PVOID KeyValueInformation, <\/span><\/span> ULONG Length, <\/span><\/span> PULONG ResultLength <\/span><\/span>); <\/span><\/span><\/code><\/pre>2.2 实现注册表持久化<\/h3> 完整示例代码：<\/p> #include<\/span> <ntddk.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>VOID ShowError<\/span>(PUCHAR pszText, NTSTATUS ntStatus) { <\/span><\/span> DbgPrint("%s Error[0x%X]<\/span>\n<\/span>"<\/span>, pszText, ntStatus); <\/span><\/span>} <\/span><\/span> <\/span><\/span>BOOLEAN SetRegistryAutoRun<\/span>(PUNICODE_STRING ustrExecutablePath) { <\/span><\/span> HANDLE hKey =<\/span> NULL; <\/span><\/span> OBJECT_ATTRIBUTES objectAttributes; <\/span><\/span> UNICODE_STRING ustrKeyPath, ustrValueName; <\/span><\/span> NTSTATUS status; <\/span><\/span> <\/span><\/span> RtlInitUnicodeString(&<\/span>ustrKeyPath, L<\/span>"<\/span>\\<\/span>Registry<\/span>\\<\/span>Machine<\/span>\\<\/span>Software<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>CurrentVersion<\/span>\\<\/span>Run"<\/span>); <\/span><\/span> InitializeObjectAttributes(&<\/span>objectAttributes, &<\/span>ustrKeyPath, OBJ_CASE_INSENSITIVE, NULL, NULL); <\/span><\/span> <\/span><\/span> status =<\/span> ZwOpenKey(&<\/span>hKey, KEY_ALL_ACCESS, &<\/span>objectAttributes); <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> ShowError("ZwOpenKey"<\/span>, status); <\/span><\/span> return<\/span> FALSE; <\/span><\/span> } <\/span><\/span> <\/span><\/span> RtlInitUnicodeString(&<\/span>ustrValueName, L<\/span>"MyPersistentApp"<\/span>); <\/span><\/span> status =<\/span> ZwSetValueKey(hKey, &<\/span>ustrValueName, 0<\/span>, REG_SZ, ustrExecutablePath-><\/span>Buffer, ustrExecutablePath-><\/span>Length); <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> ZwClose(hKey); <\/span><\/span> ShowError("ZwSetValueKey"<\/span>, status); <\/span><\/span> return<\/span> FALSE; <\/span><\/span> } <\/span><\/span> <\/span><\/span> ZwClose(hKey); <\/span><\/span> DbgPrint("Successfully set auto-run entry.<\/span>\n<\/span>"<\/span>); <\/span><\/span> return<\/span> TRUE; <\/span><\/span>} <\/span><\/span> <\/span><\/span>NTSTATUS DriverEntry<\/span>(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) { <\/span><\/span> UNICODE_STRING ustrExecutablePath; <\/span><\/span> RtlInitUnicodeString(&<\/span>ustrExecutablePath, L<\/span>"C:<\/span>\\<\/span>Path<\/span>\\<\/span>To<\/span>\\<\/span>YourApp.exe"<\/span>); <\/span><\/span> SetRegistryAutoRun(&<\/span>ustrExecutablePath); <\/span><\/span> return<\/span> STATUS_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3. HIVE文件格式解析<\/h2> 3.1 HIVE文件基础<\/h3> HIVE文件是注册表在磁盘上的存储形式，位于%SystemRoot%\System32\Config<\/code>目录下。每个HIVE文件代表一棵注册表树。<\/p> 3.2 HIVE文件结构<\/h3> 3.2.1 Header结构<\/h4> Signature<\/strong>(0x0): "regf"标识<\/li> 主\/次序列号<\/strong>(0x4,0x8): 校验完整性<\/li> 最后写入时间<\/strong>(0xC): 8字节Windows文件时间<\/li> 主\/次版本号<\/strong>(0x14,0x18)<\/li> 文件类型<\/strong>(0x1C): 0x0标准类型，0x1事务日志<\/li> 根键偏移量<\/strong>(0x24): RootCell的相对偏移<\/li> 文件长度<\/strong>(0x28): 不包括Header的大小<\/li> 文件名<\/strong>(0x30): Unicode字符串<\/li> <\/ul> 3.2.2 HBIN块<\/h4> Signature<\/strong>(0x0): "hbin"标识<\/li> 文件偏移<\/strong>(0x4): 相对于第一个HBIN块的偏移<\/li> 数据大小<\/strong>(0x8): HBIN块大小(通常4096字节)<\/li> <\/ul> 3.2.3 Cell单元<\/h4> 包含在HBIN块内，由以下记录组成：<\/p> nk记录<\/strong>: 描述注册表项<\/li> vk记录<\/strong>: 描述注册表值<\/li> sk记录<\/strong>: 描述安全权限数据<\/li> <\/ol> 3.3 记录类型详解<\/h3> 3.3.1 nk记录(注册表项)<\/h4> 签名<\/strong>(0x4): "nk"(0x6B6E)<\/li> 最后修改时间<\/strong>(0x8): 8字节<\/li> 父项偏移量<\/strong>(0x14): 0xFFFFFFFF表示无父项<\/li> 子项数量<\/strong>(0x18)<\/li> 子项列表偏移量<\/strong>(0x20)<\/li> vk数量<\/strong>(0x28)<\/li> vk列表偏移量<\/strong>(0x2C)<\/li> sk索引<\/strong>(0x30)<\/li> 名称长度<\/strong>(0x4C)<\/li> 键名称<\/strong>(0x50): ASCII字符串<\/li> <\/ul> 3.3.2 vk记录(注册表值)<\/h4> 签名<\/strong>(0x4): "vk"(0x6B76)<\/li> 名称长度<\/strong>(0x6)<\/li> 数据长度<\/strong>(0x8)<\/li> 数据<\/strong>(0xC)<\/li> 数据类型<\/strong>(0x10): REG_SZ(0x1)<\/li> REG_EXPAND_SZ(0x2)<\/li> REG_BINARY(0x3)<\/li> REG_DWORD(0x4)<\/li> REG_MULTI_SZ(0x7)<\/li> <\/ul> <\/li> 名称<\/strong>(0x18): ASCII字符串<\/li> <\/ul> 3.3.3 sk记录(安全信息)<\/h4> Flink<\/strong>(0x8): 下一条sk记录偏移<\/li> Blink<\/strong>(0xC): 上一条sk记录偏移<\/li> <\/ul> 3.3.4 List记录<\/h4> lf\/lh<\/strong>: 子项集合(lf按字母序，lh哈希表)<\/li> li\/ri<\/strong>: 子项存储(li简单，ri分块)<\/li> db<\/strong>: 已删除项记录<\/li> <\/ol> 3.4 HIVE文件解析实践<\/h3> 3.4.1 驱动框架<\/h4> #include<\/span> <ntddk.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>VOID DriverUnload<\/span>(_In_ PDRIVER_OBJECT DriverObject) { <\/span><\/span> UNREFERENCED_PARAMETER(DriverObject); <\/span><\/span> DbgPrint("HIVE解析驱动卸载!<\/span>\n<\/span>"<\/span>); <\/span><\/span>} <\/span><\/span> <\/span><\/span>NTSTATUS DriverEntry<\/span>(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) { <\/span><\/span> UNREFERENCED_PARAMETER(RegistryPath); <\/span><\/span> DriverObject-><\/span>DriverUnload =<\/span> DriverUnload; <\/span><\/span> DbgPrint("HIVE解析驱动加载成功!<\/span>\n<\/span>"<\/span>); <\/span><\/span> return<\/span> STATUS_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.4.2 文件读取功能<\/h4> NTSTATUS ReadFile<\/span>(_In_ PUNICODE_STRING FileName, _Out_ PVOID*<\/span> Buffer, _Out_ ULONG*<\/span> FileSize) { <\/span><\/span> HANDLE fileHandle; <\/span><\/span> IO_STATUS_BLOCK ioStatusBlock; <\/span><\/span> OBJECT_ATTRIBUTES objectAttributes; <\/span><\/span> NTSTATUS status; <\/span><\/span> FILE_STANDARD_INFORMATION fileInfo; <\/span><\/span> <\/span><\/span> InitializeObjectAttributes(&<\/span>objectAttributes, FileName, OBJ_KERNEL_HANDLE, NULL, NULL); <\/span><\/span> status =<\/span> ZwCreateFile(&<\/span>fileHandle, GENERIC_READ, &<\/span>objectAttributes, &<\/span>ioStatusBlock, NULL, <\/span><\/span> FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, <\/span><\/span> FILE_NON_DIRECTORY_FILE |<\/span> FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0<\/span>); <\/span><\/span> <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> DbgPrint("打开文件失败,状态码: 0x%08x<\/span>\n<\/span>"<\/span>, status); <\/span><\/span> return<\/span> status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> status =<\/span> ZwQueryInformationFile(fileHandle, &<\/span>ioStatusBlock, &<\/span>fileInfo, sizeof<\/span>(fileInfo), FileStandardInformation); <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> ZwClose(fileHandle); <\/span><\/span> return<\/span> status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> *<\/span>FileSize =<\/span> fileInfo.EndOfFile.LowPart; <\/span><\/span> *<\/span>Buffer =<\/span> ExAllocatePoolWithTag(NonPagedPool, *<\/span>FileSize, '<\/span>Hive'<\/span>); <\/span><\/span> <\/span><\/span> if<\/span> (*<\/span>Buffer ==<\/span> NULL) { <\/span><\/span> ZwClose(fileHandle); <\/span><\/span> return<\/span> STATUS_INSUFFICIENT_RESOURCES; <\/span><\/span> } <\/span><\/span> <\/span><\/span> status =<\/span> ZwReadFile(fileHandle, NULL, NULL, NULL, &<\/span>ioStatusBlock, *<\/span>Buffer, *<\/span>FileSize, NULL, NULL); <\/span><\/span> if<\/span> (!<\/span>NT_SUCCESS(status)) { <\/span><\/span> ExFreePoolWithTag(*<\/span>Buffer, '<\/span>Hive'<\/span>); <\/span><\/span> ZwClose(fileHandle); <\/span><\/span> return<\/span> status; <\/span><\/span> } <\/span><\/span> <\/span><\/span> ZwClose(fileHandle); <\/span><\/span> return<\/span> status; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.4.3 HIVE头部解析<\/h4> typedef<\/span> struct<\/span> _HIVE_HEADER { <\/span><\/span> CHAR Signature[4<\/span>]; \/\/ "regf" <\/span><\/span><\/span><\/span> ULONG Sequence1; \/\/ 序列号 <\/span><\/span><\/span><\/span> ULONG Sequence2; \/\/ 序列号 <\/span><\/span><\/span><\/span> ULONG RootCellOffset; \/\/ RootCell的偏移 <\/span><\/span><\/span><\/span> ULONG HiveBinsDataSize; \/\/ hbin数据的大小 <\/span><\/span><\/span><\/span> ULONG ClusteringFactor; <\/span><\/span> \/\/ 其他字段... <\/span><\/span><\/span><\/span>} HIVE_HEADER, *<\/span>PHIVE_HEADER; <\/span><\/span> <\/span><\/span>NTSTATUS ParseHiveHeader<\/span>(_In_ PVOID Buffer, _Out_ ULONG*<\/span> RootCellOffset) { <\/span><\/span> PHIVE_HEADER hiveHeader =<\/span> (PHIVE_HEADER)Buffer; <\/span><\/span> <\/span><\/span> if<\/span> (RtlCompareMemory(hiveHeader-><\/span>Signature, "regf"<\/span>, 4<\/span>) !=<\/span> 4<\/span>) { <\/span><\/span> DbgPrint("HIVE文件签名错误!<\/span>\n<\/span>"<\/span>); <\/span><\/span> return<\/span> STATUS_INVALID_PARAMETER; <\/span><\/span> } <\/span><\/span> <\/span><\/span> *<\/span>RootCellOffset =<\/span> hiveHeader-><\/span>RootCellOffset; <\/span><\/span> DbgPrint("RootCell Offset: 0x%08x<\/span>\n<\/span>"<\/span>, *<\/span>RootCellOffset); <\/span><\/span> return<\/span> STATUS_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.4.4 nk记录解析<\/h4> NTSTATUS ParseNkRecord<\/span>(_In_ PVOID Buffer, _In_ ULONG Offset) { <\/span><\/span> PNK_RECORD nkRecord =<\/span> (PNK_RECORD)((PUCHAR)Buffer +<\/span> Offset); <\/span><\/span> <\/span><\/span> if<\/span> (nkRecord-><\/span>Signature !=<\/span> 0x6B6E<\/span>) { \/\/ "nk" <\/span><\/span><\/span><\/span> DbgPrint("NK记录签名错误!<\/span>\n<\/span>"<\/span>); <\/span><\/span> return<\/span> STATUS_INVALID_PARAMETER; <\/span><\/span> } <\/span><\/span> <\/span><\/span> DbgPrint("NK记录解析成功!子键数量: %u, 键值数量: %u<\/span>\n<\/span>"<\/span>, <\/span><\/span> nkRecord-><\/span>SubkeyCount, nkRecord-><\/span>ValueCount); <\/span><\/span> return<\/span> STATUS_SUCCESS; <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 总结<\/h2> 本文详细介绍了Windows内核中注册表操作的两种方式：<\/p> 通过内核API函数直接操作注册表<\/li> 通过解析底层的HIVE文件格式间接操作注册表<\/li> <\/ol> 对于安全研究而言，理解HIVE文件格式尤为重要，因为它比API操作更难被检测和监控。通过分析HIVE文件结构，可以深入理解注册表的存储机制，为注册表取证和安全分析提供基础。<\/p>

Windows内核注册表管理与HIVE文件解析<\/h1>

1. 注册表基础概念<\/h2> 注册表是Windows操作系统中的核心数据库，用于存储系统和应用程序的配置信息。它具有层次结构，包含键(Key)和值(Value)。<\/p>

2. 内核API注册表操作<\/h2>

2.1 常用内核API函数<\/h3>

3. HIVE文件格式解析<\/h2>

3.1 HIVE文件基础<\/h3> HIVE文件是注册表在磁盘上的存储形式，位于%SystemRoot%\System32\Config<\/code>目录下。每个HIVE文件代表一棵注册表树。<\/p>

3.3 记录类型详解<\/h3>

3.4 HIVE文件解析实践<\/h3>

1. 注册表基础概念<\/h2>
注册表是Windows操作系统中的核心数据库，用于存储系统和应用程序的配置信息。它具有层次结构，包含键(Key)和值(Value)。<\/p>

3.1 HIVE文件基础<\/h3>
HIVE文件是注册表在磁盘上的存储形式，位于`%SystemRoot%\System32\Config<\/code>目录下。每个HIVE文件代表一棵注册表树。<\/p>`