/**************************************
 * 作者: 半斤八兩
 * 博客:
 * 日期: 2013-08-12 22:44
 **************************************/
只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!不知道大家有没有遇到过这种情况.改了本地hosts,仍然没有效果.本来以为是病毒 lsp bho了,查看后,都没有,觉得很奇怪.在网上搜了一下,得知 hosts 由svchost.exe 进程控制.启动参数是 "-k NetworkService"用winhex搜索一下 "drivers\etc" 查看结果是 drivers\htc\xxxxxx 发现hosts 被改变了.那么只要改回来就好了.写了一个小程序,可以查看是否被修改, 和恢复 hosts 的小程序
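// CheckHosts.cpp : Defines the entry point for the console application.
//
// Scans svchost.exe instances started with "-k NetworkService" for the ANSI
// string "drivers\etc\" and either reports the path found there (menu 1) or
// overwrites it with "drivers\etc\hosts" (menu 2).

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <vector>

#define ProcessBasicInformation 0

// Partial, undocumented structure layouts used to reach another process's
// command line through its PEB.  Only the members this tool dereferences
// matter; the "Unknown*" members exist to keep the offsets of those right.
// NOTE(review): the fields are 32-bit sized (ULONG/DWORD) and the page says
// the tool was tested on 32-bit Windows only; confirm before any other use.
typedef struct
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct
{
    ULONG AllocationSize;
    ULONG ActualSize;
    ULONG Flags;
    ULONG Unknown1;
    UNICODE_STRING Unknown2;
    HANDLE InputHandle;
    HANDLE OutputHandle;
    HANDLE ErrorHandle;
    UNICODE_STRING CurrentDirectory;
    HANDLE CurrentDirectoryHandle;
    UNICODE_STRING SearchPaths;
    UNICODE_STRING ApplicationName;
    UNICODE_STRING CommandLine;
    PVOID EnvironmentBlock;
    ULONG Unknown[9];
    UNICODE_STRING Unknown3;
    UNICODE_STRING Unknown4;
    UNICODE_STRING Unknown5;
    UNICODE_STRING Unknown6;
} PROCESS_PARAMETERS, *PPROCESS_PARAMETERS;

typedef struct
{
    ULONG AllocationSize;
    ULONG Unknown1;
    HINSTANCE ProcessHinstance;
    PVOID ListDlls;
    PPROCESS_PARAMETERS ProcessParameters;
    ULONG Unknown2;
    HANDLE Heap;
} PEB, *PPEB;

typedef struct
{
    DWORD ExitStatus;
    PPEB PebBaseAddress;
    DWORD AffinityMask;
    DWORD BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;

typedef LONG (WINAPI *PROCNTQSIP)(HANDLE,UINT,PVOID,ULONG,PULONG);

// Resolved from ntdll at runtime in main(); NULL until then.
PROCNTQSIP NtQueryInformationProcess;

BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen);

// Enables SE_DEBUG_NAME on the current process token so that OpenProcess()
// can reach service processes.  Returns true only when the privilege was
// actually granted: AdjustTokenPrivileges() returns TRUE even when it set
// nothing and reports that through GetLastError() == ERROR_NOT_ALL_ASSIGNED.
// The token handle is closed on every path (the original leaked it on success).
bool AdjustProcessTokenPrivilege()
{
    HANDLE hToken = NULL;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return false;
    }

    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue))
    {
        MessageBox(NULL, "LookupPrivilegeValue fail" ,"fail", MB_OK | MB_ICONINFORMATION);
        CloseHandle(hToken);
        return false;
    }

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    // GetLastError() must be read right after the call; ERROR_SUCCESS means
    // every requested privilege was enabled.
    bool granted = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL) != FALSE
                   && GetLastError() == ERROR_SUCCESS;

    CloseHandle(hToken);
    return granted;
}

// Clears the console and prints the two-entry menu.
void IsDisplayParameter()
{
    system("cls");
    puts("---------------------------------------------");
    puts("- 1 查看当前hosts文件名 -");
    puts("- 2 恢复hosts原来文件名 -");
    puts("---------------------------------------------");
}

// Reads menu choices from stdin until the user enters 1 or 2 and returns that
// value.  Returns 0 when stdin is closed, where the original looped forever
// on EOF (getchar() never yields '\n').  Any other input redraws the menu and
// discards the rest of the line.
static DWORD ReadMenuChoice()
{
    for (;;)
    {
        int choice = 0;
        int matched = scanf("%d", &choice);
        if (matched == EOF)
        {
            return 0;
        }
        if (matched == 1 && (choice == 1 || choice == 2))
        {
            // Like the original, the rest of the line is left in stdin here.
            return (DWORD)choice;
        }

        IsDisplayParameter();

        // Flush the remainder of the line before prompting again.
        int c;
        while ((c = getchar()) != '\n' && c != EOF)
        {
        }
        if (c == EOF)
        {
            return 0;
        }
    }
}

// Walks every committed, readable region of hProcess looking for the ANSI
// marker "drivers\etc\" and handles the first hit: dwIndex == 1 prints the
// string found there, dwIndex == 2 overwrites it with "drivers\etc\hosts".
// Returns true when a hit was handled (the caller should stop), false when the
// marker occurs in no region.  The caller owns hProcess, which must carry
// PROCESS_QUERY_INFORMATION | PROCESS_VM_READ and, for dwIndex == 2, also
// PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
static bool ScanProcessForHostsPath(HANDLE hProcess, DWORD dwIndex)
{
    static const char kMarker[] = "drivers\\etc\\";
    static const char kRestore[] = "drivers\\etc\\hosts";
    const size_t markerLen = strlen(kMarker);
    // The original compared one byte less than the marker, i.e. "drivers\etc"
    // without the trailing backslash; kept so the same strings match.
    const size_t cmpLen = markerLen - 1;
    const size_t restoreLen = strlen(kRestore);

    std::vector<BYTE> buf;            // reused across regions, grows as needed
    MEMORY_BASIC_INFORMATION mbi = { 0 };
    PBYTE pAddress = NULL;

    while (VirtualQueryEx(hProcess, pAddress, &mbi, sizeof(mbi)) == sizeof(mbi))
    {
        PBYTE nextRegion = (PBYTE)mbi.BaseAddress + mbi.RegionSize;

        bool readable = mbi.State == MEM_COMMIT
                        && mbi.Protect != 0
                        && (mbi.Protect & PAGE_GUARD) == 0
                        && (mbi.Protect & PAGE_NOACCESS) == 0;
        // Regions shorter than the marker cannot hold it and would make
        // RegionSize - markerLen wrap below.
        if (!readable || mbi.RegionSize < markerLen)
        {
            pAddress = nextRegion;
            continue;
        }

        if (buf.size() < mbi.RegionSize)
        {
            buf.resize(mbi.RegionSize);
        }

        if (!ReadProcessMemory(hProcess, mbi.BaseAddress, &buf[0], mbi.RegionSize, NULL))
        {
            pAddress = nextRegion;
            continue;
        }

        const SIZE_T nMax = mbi.RegionSize - markerLen;
        for (SIZE_T off = 0; off <= nMax; off++)
        {
            if (memcmp(kMarker, &buf[off], cmpLen) != 0)
            {
                continue;
            }

            // Pointer arithmetic instead of the original (DWORD) cast, which
            // truncates addresses on 64-bit builds.
            PBYTE hitAddress = (PBYTE)mbi.BaseAddress + off;
            const char *hitText = (const char *)&buf[off];

            // Length of the string at the hit, bounded by the region: the
            // original passed it to "%s" and could read (and print) past the
            // buffer when no terminator followed.
            size_t avail = mbi.RegionSize - off;
            const void *nul = memchr(hitText, 0, avail);
            size_t hitLen = nul ? (size_t)((const char *)nul - hitText) : avail;
            int shown = hitLen > MAXBYTE ? MAXBYTE : (int)hitLen;

            if (dwIndex == 2)
            {
                if (hitLen < restoreLen)
                {
                    // Writing the full replacement here would spill past the
                    // existing string's storage, so refuse instead.
                    printf("found: [%.*s] is shorter than %s, not restored\n", shown, hitText, kRestore);
                }
                else if (WriteProcessMemory(hProcess, hitAddress, kRestore, restoreLen + 1, NULL))
                {
                    // The terminator is written too, so a longer hijacked name
                    // does not leave a tail behind "hosts".
                    puts("恭喜, 恢復成功!!!");
                }
                else
                {
                    puts("WriteProcessMemory fail");
                }
                return true;
            }
            else if (dwIndex == 1)
            {
                printf("----====found: [%.*s]===---\n", shown, hitText);
                return true;
            }

            // Unreachable with the menu in main(); kept from the original:
            // skip past this occurrence before searching on.
            off += cmpLen;
        }

        pAddress = nextRegion;
    }

    return false;
}

// PIDs are probed as multiples of 4 below this bound, as in the original.
static const DWORD kMaxPidScan = 0x270f;
static const DWORD kPidStep = 4;

// Entry point: asks for the action, enables SeDebugPrivilege, then visits
// every candidate PID, reporting its command line and scanning the first
// "-k NetworkService" svchost found.  Returns 0 on normal completion, 1 when
// stdin closes early, NtQueryInformationProcess is missing, or the target
// process cannot be opened.
int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    system("color 0a & title 半斤八兩");

    IsDisplayParameter();
    DWORD dwIndex = ReadMenuChoice();
    if (dwIndex == 0)
    {
        return 1;
    }

    NtQueryInformationProcess = (PROCNTQSIP)GetProcAddress(
        GetModuleHandle("ntdll"),
        "NtQueryInformationProcess"
        );
    if (!NtQueryInformationProcess)
    {
        return 1;
    }

    // The original ignored the result; keep going but say why later
    // OpenProcess calls may fail.
    if (!AdjustProcessTokenPrivilege())
    {
        puts("SeDebugPrivilege not enabled; some processes may not be readable");
    }

    WCHAR wstr[MAXBYTE];

    for (DWORD pid = kPidStep; pid < kMaxPidScan; pid += kPidStep)
    {
        // Start from a zeroed buffer every iteration: the original kept the
        // previous process's command line when the lookup failed, so the
        // wcsstr() below could match and open the wrong PID.
        memset(wstr, 0, sizeof(wstr));

        // One WCHAR is held back so the result is always NUL-terminated.
        // (Assumes dwBufLen is in bytes, as GetProcessCmdLine's comparison
        // against CommandLine.Length suggests — confirm.)
        if (!GetProcessCmdLine(pid, wstr, sizeof(wstr) - sizeof(WCHAR)))
        {
            continue;
        }

        wprintf(L"PID: [%lu]\r\nparameter: [%s]\r\n\r\n", pid, wstr);

        if (wcsstr(wstr, L"-k NetworkService") == NULL)
        {
            continue;
        }

        // Only the rights the scan and the in-place write need, instead of
        // PROCESS_ALL_ACCESS.
        HANDLE hProcess = OpenProcess(
            PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
            FALSE,
            pid);
        if (!hProcess)
        {
            puts("if (!hProcess)");
            return 1;
        }

        bool handled = ScanProcessForHostsPath(hProcess, dwIndex);
        CloseHandle(hProcess);   // closed on every path; the original leaked it on a hit

        if (handled)
        {
            system("pause");
            return 0;
        }

        puts("ok");
    }

    return 0;
}

// Reads the command line of process dwId into wBuf via its PEB.
// NOTE(review): the page's listing stops mid-statement below; the remainder
// of this function is not visible here and is reproduced only as far as shown.
BOOL GetProcessCmdLine(DWORD dwId,LPWSTR wBuf,DWORD dwBufLen)
{
    LONG status;
    HANDLE hProcess;
    PROCESS_BASIC_INFORMATION pbi;
    PEB Peb;
    PROCESS_PARAMETERS ProcParam;
    DWORD dwDummy;
    DWORD dwSize;
    LPVOID lpAddress;
    BOOL bRet = FALSE;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,dwId);
    if (!hProcess)
        return FALSE;

    status = NtQueryInformationProcess( hProcess,
                                        ProcessBasicInformation,
                                        (PVOID)&pbi,
                                        sizeof(PROCESS_BASIC_INFORMATION),
                                        NULL
                                        );

    if (status)
        goto cleanup;

    if (!ReadProcessMemory( hProcess,
                            pbi.PebBaseAddress,
                            &Peb,
                            sizeof(PEB),
                            &dwDummy
                            )
        )
        goto cleanup;

    if (!ReadProcessMemory( hProcess,
                            Peb.ProcessParameters,
                            &ProcParam,
                            sizeof(PROCESS_PARAMETERS),
                            &dwDummy
                            )
        )
        goto cleanup;

    lpAddress = ProcParam.CommandLine.Buffer;
    dwSize = ProcParam.CommandLine.Length;

    if (dwBufLen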
程序在 Win7 32 位和 XP 32 位下测试通过。
下载链接: