内核修改注册表和API修改注册表非常相似,仅仅只是相似。这里贴出来我自己通过查找资料写出来的注册表操作代码!方法我就不多说了,这些是学习心得,所以会有很多注释,有基础的人都能看懂!有些地方不是很完善,希望大家指出来!
这里分为Mykey.h文件 和 Mykey.cpp文件!
代码才是最好的说明!
| | | | |
| | | | |
\/ \/ \/ \/ \/
//************************
//Mykey.h
//***********************
///
/// Copyright (c) 2012 - <fsjaky>
///
/// Original filename: MyKey.h
/// Project : MyKey
/// Date of creation : <see MyKey.cpp>
/// Author(s) :fsjaky
/// Purpose : only study only share!
/// Blog : http://blog.csdn.net/fsjaky
///
///
#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\Mzf"
#pragma INITCODE
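//***********************************
// Function: MyCreatKey()
// Parameters: none
// Purpose: create the parent key MY_REG_SOFTWARE_KEY_NAME and a "SubKey"
//          subkey beneath it, logging whether each one was newly created.
// Notes: both handles start as NULL and are closed on every path. A failed
//        parent create stops the function, so an uninitialised handle is never
//        used as the RootDirectory for the subkey or passed to ZwClose.
//***********************************
VOID MyCreatKey()
{
    HANDLE hKey = NULL;      // parent key handle
    HANDLE hSubKey = NULL;   // subkey handle
    ULONG Des = 0;           // disposition reported by ZwCreateKey (parent)
    ULONG subDes = 0;        // disposition reported by ZwCreateKey (subkey)

    // The parent key path is the macro defined at the top of this header.
    UNICODE_STRING Father_Key;
    RtlInitUnicodeString(&Father_Key, MY_REG_SOFTWARE_KEY_NAME);
    OBJECT_ATTRIBUTES objAttribute = { 0 };
    InitializeObjectAttributes(&objAttribute, &Father_Key, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // KEY_CREATE_SUB_KEY is all this handle is used for below; asking for
    // KEY_ALL_ACCESS granted far more than the function needs.
    NTSTATUS status = ZwCreateKey(&hKey,
                                  KEY_CREATE_SUB_KEY,
                                  &objAttribute,
                                  0,
                                  NULL,
                                  REG_OPTION_NON_VOLATILE,
                                  &Des);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("MyCreatKey: ZwCreateKey(parent) failed, status=0x%08X\n", status));
        return;
    }
    if (Des == REG_CREATED_NEW_KEY)
    {
        KdPrint(("新建注册表项!\n"));
    }
    else
    {
        KdPrint(("要创建的注册表项已经存在!\n"));
    }

    // The subkey name is resolved relative to the parent: RootDirectory is the
    // parent handle (easy to get wrong - it is the second-to-last argument).
    UNICODE_STRING Son_Key;
    RtlInitUnicodeString(&Son_Key, L"SubKey");
    OBJECT_ATTRIBUTES subObjAttribute = { 0 };
    InitializeObjectAttributes(&subObjAttribute, &Son_Key, OBJ_CASE_INSENSITIVE, hKey, NULL);

    // Nothing is written through the subkey handle, so KEY_READ is sufficient.
    status = ZwCreateKey(&hSubKey,
                         KEY_READ,
                         &subObjAttribute,
                         0,
                         NULL,
                         REG_OPTION_NON_VOLATILE,
                         &subDes);
    if (NT_SUCCESS(status))
    {
        if (subDes == REG_CREATED_NEW_KEY)
        {
            KdPrint(("新建注册表子项!\n"));
        }
        else
        {
            KdPrint(("要创建的注册表子项已经存在!\n"));
        }
        ZwClose(hSubKey);
        hSubKey = NULL;
    }
    else
    {
        KdPrint(("MyCreatKey: ZwCreateKey(subkey) failed, status=0x%08X\n", status));
    }

    ZwClose(hKey);
    hKey = NULL;
}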
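///
/// Open MY_REG_SOFTWARE_KEY_NAME for reading.
///
/// Returns: an open handle on success - the caller owns it and must ZwClose it -
///          or NULL on failure.
/// Notes: the original closed the handle and then returned the closed value,
///        handing the caller a stale handle. The handle is now left open on the
///        success path and NULL is returned explicitly on failure (ZwOpenKey does
///        not promise to leave the output untouched when it fails).
HANDLE MyOpenKey()
{
    HANDLE my_key = NULL;

    // Path to open, initialised from the macro at the top of this header.
    UNICODE_STRING my_key_path = RTL_CONSTANT_STRING(MY_REG_SOFTWARE_KEY_NAME);
    OBJECT_ATTRIBUTES subObjAttribute = { 0 };
    InitializeObjectAttributes(&subObjAttribute,
                               &my_key_path,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);

    NTSTATUS status = ZwOpenKey(&my_key, KEY_READ, &subObjAttribute);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("打开失败\n"));
        return NULL;
    }

    KdPrint(("打开成功\n"));
    return my_key;
}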
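///
/// Write the three sample values to an already-open key.
///   "valueName REG_DWORD"  - a 4-byte integer (100)
///   "valueName REG_SZ"     - a NUL-terminated UNICODE string
///   "valueName REG_BINARY" - 10 bytes of 0x01
///
/// Parameters: hKey - key handle opened with KEY_SET_VALUE (not closed here).
/// Returns: STATUS_SUCCESS, or the status of the first ZwSetValueKey that failed.
static NTSTATUS WriteSampleValues(HANDLE hKey)
{
    UNICODE_STRING valueTestName;
    NTSTATUS status;

    // REG_DWORD: 4-byte integer.
    ULONG uMyValue = 100;
    RtlInitUnicodeString(&valueTestName, L"valueName REG_DWORD");
    status = ZwSetValueKey(hKey, &valueTestName, 0, REG_DWORD, &uMyValue, sizeof(uMyValue));
    if (!NT_SUCCESS(status))
    {
        KdPrint(("设置REG_DWORD键值失败!\n"));
        return status;
    }
    KdPrint(("设置REG_DWORD键值成功!\n"));

    // REG_SZ: NUL-terminated UNICODE string. sizeof on the array already counts
    // the terminator, which is what the hand-written wcslen(str)*2 + 2 computed.
    WCHAR str[] = L"MyKeyWordTest";
    RtlInitUnicodeString(&valueTestName, L"valueName REG_SZ");
    status = ZwSetValueKey(hKey, &valueTestName, 0, REG_SZ, str, sizeof(str));
    if (!NT_SUCCESS(status))
    {
        KdPrint(("设置REG_SZ键值失败!\n"));
        return status;
    }
    KdPrint(("设置REG_SZ键值成功!\n"));

    // REG_BINARY: opaque bytes, here 10 bytes of 0x01.
    UCHAR buffer[10];
    RtlFillMemory(buffer, sizeof(buffer), 0x01);
    RtlInitUnicodeString(&valueTestName, L"valueName REG_BINARY");
    status = ZwSetValueKey(hKey, &valueTestName, 0, REG_BINARY, buffer, sizeof(buffer));
    if (!NT_SUCCESS(status))
    {
        KdPrint(("设置REG_BINARY键值失败!\n"));
        return status;
    }
    KdPrint(("设置REG_BINARY键值成功!\n"));

    return status;
}

///
/// Write the sample values under MY_REG_SOFTWARE_KEY_NAME.
///
/// Parameters:
///   hKey - optional handle to the key. When NULL the key is opened here with
///          KEY_SET_VALUE and closed before returning. A caller-supplied handle
///          must already carry KEY_SET_VALUE; it stays open and the caller keeps
///          ownership. (The original overwrote the parameter with NULL and
///          always opened its own handle.)
/// Returns: STATUS_SUCCESS, or the first failing NTSTATUS.
/// Notes: the handle opened here is released on every return path; the original
///        returned early on a failed ZwSetValueKey and leaked it.
NTSTATUS SetKeyWorld(HANDLE hKey)
{
    if (hKey != NULL)
    {
        return WriteSampleValues(hKey);
    }

    UNICODE_STRING MyKey;
    RtlInitUnicodeString(&MyKey, MY_REG_SOFTWARE_KEY_NAME);
    OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    InitializeObjectAttributes(&ObjectAttributes, &MyKey, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // KEY_SET_VALUE is the only right ZwSetValueKey checks; GENERIC_ALL was over-broad.
    HANDLE hOwnKey = NULL;
    NTSTATUS status = ZwOpenKey(&hOwnKey, KEY_SET_VALUE, &ObjectAttributes);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("打开注册表项失败!\n"));
        return status;
    }

    status = WriteSampleValues(hOwnKey);

    ZwClose(hOwnKey);
    hOwnKey = NULL;
    return status;
}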
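///
/// Driver unload routine installed by DriverEntry; only logs the unload.
/// Parameters: Driverobject - this driver's object (not used here).
VOID Unload(IN OUT PDRIVER_OBJECT Driverobject)
{
    UNREFERENCED_PARAMETER(Driverobject);
    KdPrint(("Driver Unload\n"));
}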
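///
/// Delete MY_REG_SOFTWARE_KEY_NAME.
///
/// ZwDeleteKey refuses a key that still has subkeys, so when the first delete
/// fails the single known subkey "SubKey" is deleted and the parent delete is
/// retried. Only that one subkey is handled; any other subkey still makes the
/// parent delete fail.
///
/// Fixes against the original: the subkey open passed the parent's
/// OBJECT_ATTRIBUTES (it reopened the parent instead of "SubKey"), the subkey
/// handle was passed to ZwClose even when it had never been opened, and a
/// failed parent open did not stop the function.
VOID MyDetKey()
{
    HANDLE hKey = NULL;      // parent key
    HANDLE hSonKey = NULL;   // subkey, only opened on the retry path

    UNICODE_STRING MyKey;
    RtlInitUnicodeString(&MyKey, MY_REG_SOFTWARE_KEY_NAME);
    OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    InitializeObjectAttributes(&ObjectAttributes, &MyKey, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // DELETE is the only right ZwDeleteKey checks; GENERIC_ALL was over-broad.
    NTSTATUS status = ZwOpenKey(&hKey, DELETE, &ObjectAttributes);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("打开注册表项失败!\n"));
        return;
    }

    status = ZwDeleteKey(hKey);
    if (NT_SUCCESS(status))
    {
        KdPrint(("删除成功\n"));
    }
    else
    {
        KdPrint(("含有子项,需先删除子项"));

        // "SubKey" is resolved relative to the parent handle (RootDirectory).
        UNICODE_STRING Son_Key;
        RtlInitUnicodeString(&Son_Key, L"SubKey");
        OBJECT_ATTRIBUTES subObjAttribute = { 0 };
        InitializeObjectAttributes(&subObjAttribute, &Son_Key, OBJ_CASE_INSENSITIVE, hKey, NULL);

        // Must use subObjAttribute here - the original reused ObjectAttributes.
        status = ZwOpenKey(&hSonKey, DELETE, &subObjAttribute);
        if (!NT_SUCCESS(status))
        {
            KdPrint(("打开子项失败\n"));
        }
        else
        {
            status = ZwDeleteKey(hSonKey);
            ZwClose(hSonKey);
            hSonKey = NULL;
            if (!NT_SUCCESS(status))
            {
                KdPrint(("删除子项失败\n"));
            }
            else
            {
                // Subkey is gone; the parent delete can now succeed.
                status = ZwDeleteKey(hKey);
                if (NT_SUCCESS(status))
                {
                    KdPrint(("删除成功\n"));
                }
                else
                {
                    KdPrint(("MyDetKey: ZwDeleteKey(parent) still failed, status=0x%08X\n", status));
                }
            }
        }
    }

    ZwClose(hKey);
    hKey = NULL;
}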
/***********************************************\/\/\/\/\/*****************************************************/
//********************
//Mykey.cpp
//********************
///
/// Original filename: MyKey.cpp
/// Project : MyKey
/// Date of creation : 2012-03-06
/// Author(s) : fsjaky
///
/// Purpose : only study only share!
/// Blog : http://blog.csdn.net/fsjaky
///
// $Id$
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef __cplusplus
}; // extern "C"
#endif
#include "MyKey.h"
#ifdef __cplusplus
extern "C" {
#endif
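///
/// Driver entry point: exercise the registry helpers from MyKey.h and install
/// the unload routine.
///
/// Parameters:
///   DriverObject - this driver's object; DriverUnload is set on it.
///   RegistryPath - the driver's service key path (not used).
/// Returns: STATUS_SUCCESS always; the helper results are only logged.
NTSTATUS DriverEntry(
    IN OUT PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // Install the unload routine before the experiments so the driver can be
    // unloaded even if one of them misbehaves.
    DriverObject->DriverUnload = Unload;

    // Demonstration steps; the create and set-value steps are switched off here.
    //MyCreatKey();

    // MyOpenKey is called only for its "open succeeded/failed" log line; the
    // returned value is not used. NOTE(review): ownership of that value has to
    // be settled in MyOpenKey before anything is closed here - closing a handle
    // that MyOpenKey has already released would be a double close.
    (void)MyOpenKey();

    //SetKeyWorld(NULL);
    MyDetKey();

    return STATUS_SUCCESS;
}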
#ifdef __cplusplus
}; // extern "C"
#endif