注册表项相当于文件夹,注册表子项相当于子文件夹(类似目录结构)。
1、创建关闭
ZwCreateKey
2、打开
ZwOpenKey
3、添加、修改、注册表键值
ZwSetValueKey
4、查询
ZwQueryValueKey
来查询注册表项。
1)用ZwQueryValueKey 获取数据结构的长度。
2)分配如此长度的内存。
3)再次调用ZwQueryValueKey 查询。
4)回收内存。
5、枚举子项
用ZwQueryKey与ZwEnumerateKey 来枚举子项。
ZwQueryKey获取某注册表项究竟有多少个子项,而ZwEnumerateKey 针对第几个子项获取该子项的具体信息。
我们发现,凡是调用有长度的函数,一般都是两次调用,第一次调用来获得具体查询(使用该函数)需要的内存需要多大长度,第二次调用时来查询具体信息。
6、枚举子键
通过ZwQueryKey与ZwEnumerateValueKey来枚举子键。
7、删除子项
ZwDeleteKey
只能删除没有子项的项目。
8、其它
DDK中定义了一些运行时函数来简化上面的操作。
RtlCreateRegistryKey 创建注册表
RtlCheckRegistryKey checks for the existence of a given named key in the registry
RtlWriteRegistryValue 写注册表
RtlDeleteRegistryValue 删除注册表键值
#include "ntddk.h"
/* Section-placement helpers used with #pragma before each function/data item.
 * "PAGE" marks code/data that may be paged out (only safe at IRQL < DISPATCH_LEVEL),
 * "INIT" marks code/data discarded once DriverEntry has returned, and the
 * argument-less forms keep the item in non-paged (locked) memory. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
/* Forward declaration: MyQueryKey calls this with the subkey count it obtained
 * from ZwQueryKey; the definition follows MyQueryKey below. */
NTSTATUS MyEnumerateKey(ULONG SubKeys);
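#pragma PAGEDCODE
/*
 * Create the demo key under Services (or open it if it already exists) and
 * report which of the two happened via the Disposition returned by ZwCreateKey.
 *
 * The returned handle is never used, so only KEY_READ is requested rather than
 * KEY_ALL_ACCESS (least privilege: the open cannot fail for lack of write rights
 * it does not need), and the handle is closed immediately.
 *
 * Returns: the NTSTATUS of ZwCreateKey.
 */
NTSTATUS MyCreateKey(void)
{
    NTSTATUS Status;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING usKeyName;
    ULONG Disposition = 0;

    PAGED_CODE();

    RtlInitUnicodeString(&usKeyName, L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\MyKeys");
    /* OBJ_KERNEL_HANDLE keeps the handle in the kernel handle table, so a user-mode
     * process in whose context this might run can neither use nor close it. */
    InitializeObjectAttributes(&ObjAttr, &usKeyName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    Status = ZwCreateKey(&hRegister, KEY_READ, &ObjAttr, 0, NULL,
                         REG_OPTION_NON_VOLATILE, &Disposition);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
        return Status;
    }

    if (Disposition == REG_CREATED_NEW_KEY)
    {
        KdPrint(("create key!\n"));
    }
    else
    {
        KdPrint(("open key!\n"));
    }

    ZwClose(hRegister);
    return Status;
}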
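#pragma PAGEDCODE
/*
 * Open the demo key and write the REG_DWORD value "MyValueKey" = 10 into it.
 *
 * Fixes over the earlier version: the handle was leaked when ZwSetValueKey
 * failed (early return without ZwClose), and KEY_ALL_ACCESS was requested
 * although only KEY_SET_VALUE is exercised.
 *
 * Returns: the NTSTATUS of ZwOpenKey if the open fails, otherwise that of
 *          ZwSetValueKey.
 */
NTSTATUS MyOpenKey(void)
{
    NTSTATUS Status;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING usKeyName, usValueKeyName;
    ULONG ValueKey = 10;

    PAGED_CODE();

    RtlInitUnicodeString(&usKeyName, L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\MyKeys");
    RtlInitUnicodeString(&usValueKeyName, L"MyValueKey");
    /* OBJ_KERNEL_HANDLE: handle is not reachable from the current process' handle table. */
    InitializeObjectAttributes(&ObjAttr, &usKeyName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    Status = ZwOpenKey(&hRegister, KEY_SET_VALUE, &ObjAttr);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
        return Status;
    }
    KdPrint(("open key success!\n"));

    Status = ZwSetValueKey(hRegister, &usValueKeyName, 0, REG_DWORD, &ValueKey, sizeof(ValueKey));
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
    }

    /* Close on every path, including the ZwSetValueKey failure above. */
    ZwClose(hRegister);
    return Status;
}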
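#pragma PAGEDCODE
/*
 * Query the "Type" value of the FltMgr service key using the two-call pattern:
 * the first ZwQueryValueKey with a NULL/zero buffer only reports the size that
 * is needed, the second fills a pool buffer of exactly that size.
 *
 * Fixes over the earlier version:
 *  - the handle and the pool buffer were leaked on every error path after the
 *    open (single cleanup label now releases both);
 *  - ExAllocatePool can return NULL; the result is now checked before use;
 *  - KEY_VALUE_BASIC_INFORMATION.Name is a counted buffer (NameLength bytes),
 *    not a NUL-terminated string, so printing it with %S read past the end.
 *    It is wrapped in a UNICODE_STRING and printed with %wZ instead;
 *  - only KEY_QUERY_VALUE is requested instead of KEY_ALL_ACCESS.
 *
 * Returns: the NTSTATUS of the first failing call, STATUS_INSUFFICIENT_RESOURCES
 *          if the pool allocation fails, otherwise STATUS_SUCCESS.
 */
NTSTATUS MyQueryValueKey(void)
{
    NTSTATUS Status;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING usKeyName, usValueKeyName, usName;
    ULONG ResultLength = 0;
    PKEY_VALUE_BASIC_INFORMATION pKeyValueBasicInfo = NULL;

    PAGED_CODE();

    RtlInitUnicodeString(&usKeyName, L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\FltMgr");
    RtlInitUnicodeString(&usValueKeyName, L"Type");
    InitializeObjectAttributes(&ObjAttr, &usKeyName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    Status = ZwOpenKey(&hRegister, KEY_QUERY_VALUE, &ObjAttr);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
        return Status;
    }

    /* First call: sizing only. A "too small"/"overflow" status is the expected outcome. */
    Status = ZwQueryValueKey(hRegister, &usValueKeyName, KeyValueBasicInformation,
                             NULL, 0, &ResultLength);
    if (!NT_SUCCESS(Status) && Status != STATUS_BUFFER_TOO_SMALL && Status != STATUS_BUFFER_OVERFLOW)
    {
        KdPrint(("Failed Code:%X", Status));
        goto cleanup;
    }

    /* Untagged ExAllocatePool is kept for compatibility with the rest of this
     * file; a tagged allocation (ExAllocatePoolWithTag) is preferable in real drivers. */
    pKeyValueBasicInfo = (PKEY_VALUE_BASIC_INFORMATION)ExAllocatePool(PagedPool, ResultLength);
    if (pKeyValueBasicInfo == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("Failed Code:%X", Status));
        goto cleanup;
    }

    /* Second call: fill the buffer sized by the first call. */
    Status = ZwQueryValueKey(hRegister, &usValueKeyName, KeyValueBasicInformation,
                             pKeyValueBasicInfo, ResultLength, &ResultLength);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
        goto cleanup;
    }

    /* Name is NameLength bytes of WCHAR without a terminator; value names are
     * bounded well below USHORT range, so the Length cast is safe. */
    usName.Buffer = pKeyValueBasicInfo->Name;
    usName.Length = (USHORT)pKeyValueBasicInfo->NameLength;
    usName.MaximumLength = usName.Length;
    KdPrint(("Type: %lu", pKeyValueBasicInfo->Type));
    KdPrint(("Name: %wZ", &usName));

cleanup:
    /* ExFreePool(NULL) is not a no-op in the kernel, hence the guard. */
    if (pKeyValueBasicInfo != NULL)
    {
        ExFreePool(pKeyValueBasicInfo);
    }
    ZwClose(hRegister);
    return Status;
}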
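#pragma PAGEDCODE
/*
 * Query KEY_FULL_INFORMATION for the FltMgr service key (two-call sizing
 * pattern), print its subkey count and hand that count to MyEnumerateKey.
 *
 * Fixes over the earlier version: the handle and pool buffer were leaked on
 * the error paths after the open, a NULL result from ExAllocatePool was
 * dereferenced, the status of MyEnumerateKey was silently dropped, and
 * KEY_ALL_ACCESS was requested where KEY_READ suffices.
 *
 * Returns: the NTSTATUS of the first failing registry call,
 *          STATUS_INSUFFICIENT_RESOURCES on allocation failure, otherwise the
 *          status of the second ZwQueryKey (a failure inside MyEnumerateKey is
 *          only logged, as before).
 */
NTSTATUS MyQueryKey(void)
{
    NTSTATUS Status;
    NTSTATUS EnumStatus;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING usKeyName;
    ULONG ResultLength = 0;
    PKEY_FULL_INFORMATION pKeyFullInfo = NULL;

    PAGED_CODE();

    RtlInitUnicodeString(&usKeyName, L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\FltMgr");
    InitializeObjectAttributes(&ObjAttr, &usKeyName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    Status = ZwOpenKey(&hRegister, KEY_READ, &ObjAttr);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
        return Status;
    }

    /* First call: sizing only. */
    Status = ZwQueryKey(hRegister, KeyFullInformation, NULL, 0, &ResultLength);
    if (!NT_SUCCESS(Status) && Status != STATUS_BUFFER_TOO_SMALL && Status != STATUS_BUFFER_OVERFLOW)
    {
        KdPrint(("Failed Code:%X", Status));
        goto cleanup;
    }

    pKeyFullInfo = (PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool, ResultLength);
    if (pKeyFullInfo == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        KdPrint(("Failed Code:%X", Status));
        goto cleanup;
    }

    /* Second call: fill the buffer sized by the first call. */
    Status = ZwQueryKey(hRegister, KeyFullInformation, pKeyFullInfo, ResultLength, &ResultLength);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
        goto cleanup;
    }

    KdPrint(("Subkey: %lu", pKeyFullInfo->SubKeys));
    /* MyEnumerateKey re-opens the same key by path and walks SubKeys entries. */
    EnumStatus = MyEnumerateKey(pKeyFullInfo->SubKeys);
    if (!NT_SUCCESS(EnumStatus))
    {
        KdPrint(("Failed Code:%X", EnumStatus));
    }

cleanup:
    if (pKeyFullInfo != NULL)
    {
        ExFreePool(pKeyFullInfo);
    }
    ZwClose(hRegister);
    return Status;
}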
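#pragma PAGEDCODE
/*
 * Enumerate the first SubKeys subkeys of the FltMgr service key and print each
 * name. Each index uses the two-call pattern: size with a NULL buffer, then
 * fill a pool buffer of that size.
 *
 * Fixes over the earlier version: on any failure inside the loop the handle
 * (and, after the second call, the pool buffer) were leaked; a NULL result
 * from ExAllocatePool was dereferenced; Name was printed with %S although it
 * is a counted, non-terminated buffer; STATUS_NO_MORE_ENTRIES (the key has
 * fewer subkeys than the caller counted) is now treated as the end of the
 * enumeration rather than an error; KEY_ALL_ACCESS was requested where
 * KEY_ENUMERATE_SUB_KEYS suffices.
 *
 * SubKeys: number of subkeys to visit (typically from KEY_FULL_INFORMATION).
 * Returns: STATUS_SUCCESS, or the NTSTATUS of the first failing call
 *          (STATUS_INSUFFICIENT_RESOURCES for an allocation failure).
 */
NTSTATUS MyEnumerateKey(ULONG SubKeys)
{
    NTSTATUS Status;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING usKeyName;
    ULONG Index;

    PAGED_CODE();

    RtlInitUnicodeString(&usKeyName, L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\FltMgr");
    InitializeObjectAttributes(&ObjAttr, &usKeyName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    Status = ZwOpenKey(&hRegister, KEY_ENUMERATE_SUB_KEYS, &ObjAttr);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("Failed Code:%X", Status));
        return Status;
    }

    for (Index = 0; Index < SubKeys; Index++)
    {
        PKEY_BASIC_INFORMATION pKeyBasicInfo = NULL;
        ULONG ResultLength = 0;
        UNICODE_STRING usName;

        /* First call: sizing only. */
        Status = ZwEnumerateKey(hRegister, Index, KeyBasicInformation, NULL, 0, &ResultLength);
        if (Status == STATUS_NO_MORE_ENTRIES)
        {
            /* The key lost subkeys since the caller counted them: stop cleanly. */
            Status = STATUS_SUCCESS;
            break;
        }
        if (!NT_SUCCESS(Status) && Status != STATUS_BUFFER_TOO_SMALL && Status != STATUS_BUFFER_OVERFLOW)
        {
            KdPrint(("Failed Code:%X", Status));
            break;
        }

        pKeyBasicInfo = (PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool, ResultLength);
        if (pKeyBasicInfo == NULL)
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
            KdPrint(("Failed Code:%X", Status));
            break;
        }

        /* Second call: fill the buffer sized by the first call. */
        Status = ZwEnumerateKey(hRegister, Index, KeyBasicInformation,
                                pKeyBasicInfo, ResultLength, &ResultLength);
        if (NT_SUCCESS(Status))
        {
            /* Name is NameLength bytes of WCHAR without a terminator; key names
             * are bounded well below USHORT range, so the Length cast is safe. */
            usName.Buffer = pKeyBasicInfo->Name;
            usName.Length = (USHORT)pKeyBasicInfo->NameLength;
            usName.MaximumLength = usName.Length;
            KdPrint(("Name:%wZ\n", &usName));
        }
        else
        {
            KdPrint(("Failed Code:%X", Status));
        }

        ExFreePool(pKeyBasicInfo);
        if (!NT_SUCCESS(Status))
        {
            break;
        }
    }

    /* Closed on every path, including the error breaks above. */
    ZwClose(hRegister);
    return Status;
}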
#pragma PAGEDCODE
/*
 * Driver unload callback. This driver holds no devices, pool or handles at
 * unload time, so the only work is a debug trace.
 *
 * pDriverObject: the driver being unloaded (unused here).
 */
VOID MyDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    KdPrint(("DriverEntry unLoading...\n"));
}
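#pragma INITCODE
/*
 * Driver entry point: logs the driver's own registry path, installs the
 * unload routine and runs the registry query demo.
 *
 * Fix over the earlier version: the NTSTATUS returned by MyQueryKey was
 * dropped without a trace; it is now logged. The demo's outcome still does not
 * prevent the driver from loading (STATUS_SUCCESS is returned as before), and
 * the unload routine is registered before the demo so the driver is always
 * unloadable.
 *
 * pDriverObject: the driver object created by the I/O manager.
 * RegistryPath:  the driver's service key path, used only for the trace.
 * Returns: STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    NTSTATUS queryStatus;

    KdPrint(("%wZ\n", RegistryPath));
    pDriverObject->DriverUnload = MyDriverUnload;

    queryStatus = MyQueryKey();
    if (!NT_SUCCESS(queryStatus))
    {
        KdPrint(("Failed Code:%X", queryStatus));
    }

    return status;
}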