#include <ntddk.h>
#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\125096"
#define MY_REG_SOFTWARE_KEY_NAME1 L"\\Registry\\Machine\\Software\\125096\\SubItem"
void Unload(IN PDRIVER_OBJECT DriverObject);
void CreateRegTest(void); //创建注册表
void OpenRegTest(void); //打开注册表
void SetRegTest(void); //写注册表
void DeleteItemRegTest(void); //删除注册表项
void QueryRegTest(void); //查询注册表
void EnumerateSubItemRegText(void); //枚举子项
void EnumetrateSubValueRegTest(void);//枚举键值
void RtlRegTest(void); //注册表测试
#ifdef __cplusplus
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
unsigned i;
DbgPrint("Hello from 1!\n");
DriverObject->DriverUnload =Unload;
//#if DBG
// _asm int 3
//#endif
CreateRegTest();
OpenRegTest();
SetRegTest();
QueryRegTest();
EnumerateSubItemRegText();
EnumetrateSubValueRegTest();
DeleteItemRegTest();
RtlRegTest();
return STATUS_SUCCESS;
}
void Unload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("Goodbye from 1!\n");
}
void CreateRegTest(void)
{
//创建或打开某注册表项
UNICODE_STRING RegUnicodeString;
HANDLE hRegister;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);
//初始化objectAttributes
OBJECT_ATTRIBUTES objectAttributes;
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
//创建或打开注册表项目
ULONG ulResult;
NTSTATUS ntStatus=ZwCreateKey(&hRegister,
KEY_ALL_ACCESS,
&objectAttributes,
NULL,
NULL,
REG_OPTION_NON_VOLATILE,
&ulResult);
if (hRegister==NULL || ntStatus != STATUS_SUCCESS)
{
DbgPrint(TEXT("创建或者打开注册表失败"));
return;
}
if (ulResult==REG_CREATED_NEW_KEY)
{
DbgPrint(TEXT("这是一个新的项被创建"));
}
else if (ulResult ==REG_OPENED_EXISTING_KEY)
{
DbgPrint(TEXT("当前注册表项已经被创建"));
}
//创建或打开某注册表项目的子项
UNICODE_STRING subRegUnicodeString;
HANDLE hSubRegister;
//初始化UNIOCDE_STRING字符串
RtlInitUnicodeString(&subRegUnicodeString,L"SubItem");
//初始化subobjectAttributes
OBJECT_ATTRIBUTES subObjectAttributes;
InitializeObjectAttributes(&subObjectAttributes,
&subRegUnicodeString,
OBJ_CASE_INSENSITIVE,
hRegister,
NULL);
//创建或带打开注册表项
ntStatus=ZwCreateKey(&hSubRegister,
KEY_ALL_ACCESS,
&subObjectAttributes,
NULL,
NULL,
REG_OPTION_NON_VOLATILE,
&ulResult);
if (hSubRegister==NULL || ntStatus != STATUS_SUCCESS)
{
DbgPrint(TEXT("创建或者打开注册表失败"));
return;
}
if (ulResult==REG_CREATED_NEW_KEY)
{
DbgPrint(TEXT("这是一个新的项被创建"));
}
else if (ulResult ==REG_OPENED_EXISTING_KEY)
{
DbgPrint(TEXT("当前注册表项已经被创建"));
}
//关闭注册表句柄
ZwClose(hRegister);
ZwClose(hSubRegister);
return;
}
//打开注册表
void OpenRegTest(void)
{
UNICODE_STRING RegUnicodeString;
HANDLE hRegister=NULL;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME1);
//初始化objectAttributes
OBJECT_ATTRIBUTES objectAttributes;
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
//打开注册表
NTSTATUS ntStatus=ZwOpenKey(&hRegister,
KEY_ALL_ACCESS,
&objectAttributes);
if (hRegister==NULL || ntStatus!=STATUS_SUCCESS)
{
DbgPrint(TEXT("打开注册表失败"));
return;
}
//删除注册表
ntStatus=ZwDeleteKey(hRegister);
if (ntStatus==STATUS_SUCCESS)
{
DbgPrint(TEXT("注册表删除成功"));
}
else if (ntStatus==STATUS_ACCESS_DENIED)
{
DbgPrint(TEXT("拒绝访问"));
}
else if (ntStatus==STATUS_INVALID_HANDLE)
{
DbgPrint(TEXT("无效的句柄"));
}
else
{
DbgPrint(TEXT("打我PG我不乖"));
}
ZwClose(hRegister);
return;
}
//写注册表
void SetRegTest(void)
{
UNICODE_STRING RegUnicodeString;
HANDLE hRegister;
//初始化UNICODE_STRING
RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);
//初始化objectAttributes
OBJECT_ATTRIBUTES objectAttribues;
InitializeObjectAttributes(&objectAttribues,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
//打开注册表
NTSTATUS ntstatus=ZwOpenKey(&hRegister,
KEY_ALL_ACCESS,
&objectAttribues);
if (hRegister==NULL || ntstatus!= STATUS_SUCCESS)
{
DbgPrint(TEXT("注册表打开失败"));
return;
}
//初始化ValueName
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName,L"REG_DWORD value");
//设置REG_DWORD子健
ULONG ulValue=1000;
ZwSetValueKey(hRegister,&ValueName,0,REG_DWORD,&ulValue,sizeof(ulValue));
//初始化ValueName
RtlInitUnicodeString(&ValueName,L"REG_SZ value");
WCHAR* strValue=L"hello world";
//设置REG_SZ子健
ZwSetValueKey(hRegister,&ValueName,0,REG_SZ,strValue,wcslen(strValue)*2+2);
//初始化ValueName
RtlInitUnicodeString(&ValueName,L"REG_BINARY value");
UCHAR buffer[10]={0};
RtlFillMemory(buffer,sizeof(buffer),0XFF);
//设置REG_MULTI_SZ子健
ZwSetValueKey(hRegister,&ValueName,0,REG_BINARY,buffer,sizeof(buffer));
//关闭注册表句柄
ZwClose(hRegister);
return;
}
//删除注册表项
void DeleteItemRegTest(void)
{
UNICODE_STRING RegUnicodeString;
HANDLE hRegister=NULL;
//#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\125096\\SubItem"
//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);
//初始化objectAttributes
OBJECT_ATTRIBUTES objectAttributes;
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
//打开注册表
NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes);
if (ntStatus!=STATUS_SUCCESS || hRegister==NULL)
{
DbgPrint(TEXT("打开注册表失败"));
}
ntStatus=ZwDeleteKey(hRegister);
if (ntStatus==STATUS_SUCCESS)
{
DbgPrint(TEXT("删除成功"));
}
else if (ntStatus==STATUS_ACCESS_DENIED)
{
DbgPrint(TEXT("拒绝访问"));
}
else if (ntStatus==STATUS_INVALID_HANDLE)
{
DbgPrint(TEXT("无效的句柄"));
}
else
{
DbgPrint(TEXT("这不科学"));
}
ZwClose(hRegister);
return;
}
void QueryRegTest(void)
{
UNICODE_STRING RegUnicodeString;
HANDLE hRegister=NULL;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);
//初始化objectarrtibutes
OBJECT_ATTRIBUTES objectAttributes;
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
//打开注册表
NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes);
if (hRegister==NULL || ntStatus!=STATUS_SUCCESS)
{
DbgPrint(TEXT("打开注册表失败"));
}
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName,L"REG_DWORD value");
//读取REG_DWORD子健
ULONG ulSize=0;
ntStatus=ZwQueryValueKey(hRegister,
&ValueName,
KeyValuePartialInformation,
NULL,NULL,&ulSize);
if (ntStatus==STATUS_OBJECT_NAME_NOT_FOUND || ulSize==0)
{
ZwClose(hRegister);
DbgPrint(TEXT("读取注册表失败"));
return;
}
PKEY_VALUE_PARTIAL_INFORMATION pvpi=(PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ntStatus=ZwQueryValueKey(hRegister,
&ValueName,
KeyValuePartialInformation,
pvpi,
ulSize,
&ulSize);
if (ntStatus!=STATUS_SUCCESS)
{
ZwClose(hRegister);
DbgPrint(TEXT("读取注册表失败2"));
return;
}
//判断是否为REG_DWORD类型
if (pvpi->Type==REG_DWORD && pvpi->DataLength==sizeof(ULONG))
{
PULONG pulValue=(PULONG)pvpi->Data;
DbgPrint(TEXT("%d\n"),*pulValue);
}
ExFreePool(pvpi);
//初始化ValueName
RtlInitUnicodeString(&ValueName,L"REG_SZ value");
//读取REG_SZ子健
ntStatus=ZwQueryValueKey(hRegister,
&ValueName,
KeyValuePartialInformation,
NULL,
NULL,
&ulSize);
if (ntStatus==STATUS_OBJECT_PATH_NOT_FOUND || ulSize==0)
{
ZwClose(hRegister);
DbgPrint(TEXT("读取注册表失败3"));
return;
}
pvpi=(PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ntStatus=ZwQueryValueKey(hRegister,&ValueName,KeyValuePartialInformation,pvpi,ulSize,&ulSize);
if (ntStatus!=STATUS_SUCCESS)
{
ZwClose(hRegister);
DbgPrint(TEXT("读取注册表失败4"));
return;
}
//判断是否为REG_SZ类型
if (pvpi->Type==REG_SZ)
{
DbgPrint(TEXT("%S\n"),pvpi->Data);
}
ZwClose(hRegister);
return;
}
//枚举注册表子项
void EnumerateSubItemRegText(void)
{
UNICODE_STRING RegUnicodeSting;
HANDLE hRegister=NULL;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeSting,MY_REG_SOFTWARE_KEY_NAME);
//初始化objectAttributes
OBJECT_ATTRIBUTES objectttributes;
InitializeObjectAttributes(&objectttributes,
&RegUnicodeSting,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
//打开注册表
NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectttributes);
if (hRegister==NULL || ntStatus!= STATUS_SUCCESS)
{
DbgPrint(TEXT("打开注册表失败\n"));
return;
}
ULONG ulSize=0;
//第一次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的长度
ZwQueryKey(hRegister,
KeyFullInformation,
NULL,
0,
&ulSize);
//第二次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的数据
PKEY_FULL_INFORMATION pfi=(PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ZwQueryKey(hRegister,
KeyFullInformation,
pfi,
ulSize,
&ulSize);
for (ULONG i=0;i<pfi->SubKeys;i++)
{
//第一次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的长度
ZwEnumerateKey(hRegister,
i,
KeyBasicInformation,
NULL,
NULL,
&ulSize);
PKEY_BASIC_INFORMATION pbi=(PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize);
//第二次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的数据
ZwEnumerateKey(hRegister,
i,
KeyBasicInformation,
pbi,
ulSize,
&ulSize);
UNICODE_STRING uniKeyName;
uniKeyName.Length=
uniKeyName.MaximumLength=(USHORT)pbi->NameLength;
uniKeyName.Buffer=pbi->Name;
DbgPrint(TEXT("%wZ\n"),i,&uniKeyName);
ExFreePool(pbi);
}
ExFreePool(pfi);
ZwClose(hRegister);
return;
}
//枚举键值
void EnumetrateSubValueRegTest(void)
{
UNICODE_STRING RegUnicodeString;
HANDLE hRegister=NULL;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);
//初始化objectAttributes
OBJECT_ATTRIBUTES objectAttributes;
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
//打开注册表
NTSTATUS ntstatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes);
if (hRegister==NULL || ntstatus!=STATUS_SUCCESS)
{
DbgPrint(TEXT("打开注册表失败"));
return;
}
ULONG ulSize=0;
ZwQueryKey(hRegister,
KeyFullInformation,
NULL,
NULL,
&ulSize);
PKEY_FULL_INFORMATION pfi=(PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize);
for (ULONG i=0;i<pfi->Values;i++)
{
ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,NULL,NULL,&ulSize);
PKEY_VALUE_BASIC_INFORMATION pvbi=(PKEY_VALUE_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,pvbi,ulSize,&ulSize);
UNICODE_STRING uniKeyName;
uniKeyName.Length=
uniKeyName.MaximumLength=(USHORT)pvbi->NameLength;
uniKeyName.Buffer=pvbi->Name;
DbgPrint(TEXT("%wZ\n"),i,&uniKeyName);
if (pvbi->Type==REG_SZ)
{
DbgPrint(TEXT("the sub value type:REG_SZ\n"));
}
else if (pvbi->Type==REG_MULTI_SZ)
{
DbgPrint(TEXT("the sub value type:REG_MULTI_SZ\n"));
}
else if(pvbi->Type==REG_DWORD)
{
DbgPrint(TEXT("the sub value type:REG_DWORD\n"));
}
else if (pvbi->Type==REG_BINARY)
{
DbgPrint(TEXT("the sub value type:REG_BINARY\n"));
}
else
{
DbgPrint(TEXT("the sub value type:not type\n"));
}
ExFreePool(pvbi);
}
ExFreePool(pfi);
ZwClose(hRegister);
return;
}
//注册表测试
void RtlRegTest(void)
{
//创建子项目
NTSTATUS ntStatus=RtlCreateRegistryKey(RTL_REGISTRY_SERVICES,L"HelloDDK");
//NTSTATUS ntStatus=RtlCreateRegistryKey(RTL_REGISTRY_ABSOLUTE,L"\\Registry\\Machine\\SOFTWARE\\125096");
if (ntStatus!=STATUS_SUCCESS)
{
DbgPrint(TEXT("创建失败"));
}
else
{
DbgPrint(TEXT("创建成功"));
}
//检查某项是否存在
ntStatus=RtlCheckRegistryKey(RTL_REGISTRY_SERVICES,L"HelloDDK");
if (ntStatus!=STATUS_SUCCESS)
{
DbgPrint(TEXT("不存在哈"));
}
//写入REG_DWORD的数据
ULONG value1=100;
ntStatus=RtlWriteRegistryValue(RTL_REGISTRY_SERVICES,
L"HelloDDK",
L"DWORD_VALUE",
REG_DWORD,
&value1,
sizeof(value1));
if (ntStatus!=STATUS_SUCCESS)
{
DbgPrint(TEXT("写入失败"));
}
//写入REG_SZ的数据
PWCHAR szString=L"Hello DDK";
ntStatus=RtlWriteRegistryValue(RTL_REGISTRY_SERVICES,
L"HelloDDK",
L"SZ_VALUE",
REG_SZ,
szString,
wcslen(szString)*2+2);
if (ntStatus!=STATUS_SUCCESS)
{
DbgPrint(TEXT("写入失败2"));
}
RTL_QUERY_REGISTRY_TABLE paramTable[2]={0};
RtlZeroMemory(paramTable,sizeof(paramTable));
ULONG defaultData=0;
ULONG uQueryValue=0;
paramTable[0].Flags=RTL_QUERY_REGISTRY_DIRECT;
paramTable[0].Name=L"DWORD_VALUE";
paramTable[0].EntryContext=&uQueryValue;
paramTable[0].DefaultType=REG_DWORD;
paramTable[0].DefaultData=&defaultData;
paramTable[0].DefaultLength=sizeof(ULONG);
//查询REG_DWORD的数据
ntStatus=RtlQueryRegistryValues(RTL_REGISTRY_SERVICES,
L"HelloDDK",
paramTable,
NULL,
NULL);
if (ntStatus==STATUS_SUCCESS)
{
DbgPrint(TEXT("The item is:%d\n",uQueryValue));
}
//删除子健
ntStatus=RtlDeleteRegistryValue(RTL_REGISTRY_SERVICES,
L"HelloDDK",
L"DWORD_VALUE");
if (ntStatus==STATUS_SUCCESS)
{
DbgPrint(TEXT("删除成功"));
}
return;
}
注册表操作
最新推荐文章于 2019-09-30 23:05:13 发布