Reference path :
\\Registry\\Machine\\Software\\Test
<> Create registry directory
/*
 * Create the registry key named by registryPath, or open it if it already
 * exists, and hand back an open handle to it.
 *
 * registryPath: full object-manager path of the key (the
 *               \Registry\Machine\... form shown above this listing).
 * Returns the key handle on success, 0 on failure. The caller owns the
 * returned handle and must release it with ZwClose.
 *
 * NOTE(review): the key is requested with KEY_ALL_ACCESS; a caller that
 * only needs to read values could ask for a narrower mask such as KEY_READ.
 */
HANDLE create_regedit_dir(UNICODE_STRING registryPath) {
    HANDLE keyHandle = NULL;
    ULONG disposition = 0;   /* REG_CREATED_NEW_KEY / REG_OPENED_EXISTING_KEY; not inspected here */
    OBJECT_ATTRIBUTES attrs = { 0 };

    /* Absolute path, case-insensitive lookup, no root directory, default security. */
    InitializeObjectAttributes(&attrs, &registryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

    if (ZwCreateKey(&keyHandle,
                    KEY_ALL_ACCESS,
                    &attrs,
                    0,                        /* TitleIndex: drivers pass 0 */
                    NULL,                     /* no object class name */
                    REG_OPTION_NON_VOLATILE,  /* key is kept across reboots */
                    &disposition) != STATUS_SUCCESS) {
        DbgPrint("[LYSM] ZwCreateKey failed. \n");
        /* Mirror the original's defensive close; the handle is normally still NULL here. */
        if (keyHandle) {
            ZwClose(keyHandle);
        }
        return 0;
    }

    return keyHandle;
}
<> Open existing registry directory
/*
 * Open an existing registry key named by registryPath and return a handle
 * to it. Unlike create_regedit_dir, this does not create a missing key.
 *
 * registryPath: full object-manager path of the key.
 * Returns the key handle on success, 0 on failure. The caller owns the
 * returned handle and must release it with ZwClose.
 *
 * NOTE(review): KEY_ALL_ACCESS is requested; if the key is only read, a
 * narrower mask (KEY_READ) would follow least privilege.
 */
HANDLE open_regedit_dir(UNICODE_STRING registryPath) {
    HANDLE keyHandle = NULL;
    OBJECT_ATTRIBUTES attrs = { 0 };

    /* Absolute path, case-insensitive lookup, no root directory, default security. */
    InitializeObjectAttributes(&attrs, &registryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

    if (ZwOpenKey(&keyHandle, KEY_ALL_ACCESS, &attrs) != STATUS_SUCCESS) {
        DbgPrint("[LYSM] ZwOpenKey failed. \n");
        /* Defensive close kept from the original; the handle is normally still NULL here. */
        if (keyHandle) {
            ZwClose(keyHandle);
        }
        return 0;
    }

    return keyHandle;
}
<> Read the registry
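/*
 * TRUE when the stored data holds at least one whole WCHAR and its last
 * WCHAR is 0, i.e. it is safe to pass to a %S format. Registry string data
 * is not guaranteed to carry a terminator, so this must be checked before
 * printing.
 */
static BOOLEAN reg_data_is_wide_terminated(const KEY_VALUE_PARTIAL_INFORMATION *info) {
    ULONG n = info->DataLength;
    WCHAR last = 0;

    if (n < sizeof(WCHAR) || (n % sizeof(WCHAR)) != 0) {
        return FALSE;
    }
    /* Copy instead of casting Data so no alignment assumption is made. */
    memcpy(&last, info->Data + (n - sizeof(WCHAR)), sizeof(WCHAR));
    return last == L'\0';
}

/*
 * Read the value named keyName under the open key hReg and print it with
 * DbgPrint, dispatching on the stored type.
 *
 * hReg:    handle to an open registry key (needs KEY_QUERY_VALUE).
 * keyName: name of the value to read (despite the parameter name this is
 *          a value name, not a subkey).
 * Returns TRUE when the value was read and printed, FALSE otherwise.
 *
 * Fixes vs. the original:
 *  - the information buffer is released on the success path too (it
 *    previously leaked on every successful call);
 *  - string types are printed only when the data ends in a NUL, so %S
 *    cannot run past the buffer on unterminated registry data;
 *  - REG_DWORD/REG_QWORD check DataLength before being dereferenced;
 *  - the size/type format specifiers match their argument types.
 */
BOOLEAN get_regedit_value(HANDLE hReg, UNICODE_STRING keyName) {
    ULONG size = 0;
    PKEY_VALUE_PARTIAL_INFORMATION pvpi = NULL;
    BOOLEAN ok = FALSE;

    /* Probe call with no buffer: expected to fail with a "too small" status
     * and report the required byte count in size. */
    ZwQueryValueKey(hReg, &keyName, KeyValuePartialInformation, NULL, 0, &size);
    if (size == 0) {
        DbgPrint("[LYSM] ZwQueryValueKey [1] failed. \n");
        goto badEnd;
    }
    DbgPrint("[LYSM] size:%lu. \n", size);

    pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool, size);
    if (pvpi == NULL) {
        DbgPrint("[LYSM] ExAllocatePool failed. \n");
        goto badEnd;
    }

    if (ZwQueryValueKey(hReg, &keyName, KeyValuePartialInformation,
                        pvpi, size, &size) != STATUS_SUCCESS) {
        DbgPrint("[LYSM] ZwQueryValueKey [2] failed. \n");
        goto badEnd;
    }
    DbgPrint("[LYSM] size:%lu. \n", size);

    switch (pvpi->Type) {
    case REG_SZ:
        if (reg_data_is_wide_terminated(pvpi)) {
            DbgPrint("[LYSM] REG_SZ:%S \n", (const WCHAR *)pvpi->Data);
        }
        break;
    case REG_BINARY:
        /* One line per byte, as in the original; DataLength is a ULONG so
         * the index is unsigned too. */
        for (ULONG i = 0; i < pvpi->DataLength; i++) {
            DbgPrint("[LYSM] REG_BINARY:%x \n", pvpi->Data[i]);
        }
        break;
    case REG_DWORD:
        if (pvpi->DataLength >= sizeof(DWORD32)) {
            DWORD32 v = 0;
            memcpy(&v, pvpi->Data, sizeof v);
            DbgPrint("[LYSM] REG_DWORD:%x \n", v);
        }
        break;
    case REG_QWORD:
        if (pvpi->DataLength >= sizeof(DWORD64)) {
            DWORD64 v = 0;
            memcpy(&v, pvpi->Data, sizeof v);
            DbgPrint("[LYSM] REG_QWORD:%I64x \n", v);
        }
        break;
    case REG_MULTI_SZ:
        /* %S stops at the first NUL, so only the first string is shown. */
        if (reg_data_is_wide_terminated(pvpi)) {
            DbgPrint("[LYSM] REG_MULTI_SZ:%S \n", (const WCHAR *)pvpi->Data);
        }
        break;
    case REG_EXPAND_SZ:
        if (reg_data_is_wide_terminated(pvpi)) {
            DbgPrint("[LYSM] REG_EXPAND_SZ:%S \n", (const WCHAR *)pvpi->Data);
        }
        break;
    default:
        break;
    }
    ok = TRUE;

badEnd:
    /* Single exit so the buffer is freed on success as well as on failure. */
    if (pvpi) {
        ExFreePool(pvpi);
    }
    return ok;
}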
<> Write a registry value (REG_SZ taken as an example)
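/*
 * Store a REG_SZ value named keyName under the open key hReg.
 *
 * hReg:    handle to an open registry key (needs KEY_SET_VALUE).
 * keyName: name of the value to write (a value name, not a subkey).
 * value:   NUL-terminated wide string; the terminator is stored with it.
 * Returns TRUE on success; FALSE if value is NULL, if its byte length does
 * not fit ZwSetValueKey's ULONG size parameter, or if ZwSetValueKey does
 * not return STATUS_SUCCESS.
 *
 * Fix vs. the original: the byte count was computed in size_t and narrowed
 * implicitly to ULONG; it is now range-checked and cast explicitly, and a
 * NULL value no longer reaches wcslen.
 */
BOOLEAN set_regedit_value(HANDLE hReg, UNICODE_STRING keyName, WCHAR value[]) {
    if (value == NULL) {
        DbgPrint("[LYSM] set_regedit_value: NULL value. \n");
        return FALSE;
    }

    /* Length in bytes including the terminating NUL. */
    size_t bytes = (wcslen(value) + 1) * sizeof(WCHAR);
    if (bytes > MAXULONG) {
        DbgPrint("[LYSM] set_regedit_value: value too long. \n");
        return FALSE;
    }

    if (ZwSetValueKey(hReg,
                      &keyName,
                      0,              /* TitleIndex: drivers pass 0 */
                      REG_SZ,
                      value,
                      (ULONG)bytes) != STATUS_SUCCESS) {
        DbgPrint("[LYSM] ZwSetValueKey failed. \n");
        return FALSE;
    }
    return TRUE;
}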
