注册表操作

来源：互联网发布：国内云计算公司排名编辑：程序博客网时间：2024/06/03 21:45
#include <ntddk.h>#define MY_REG_SOFTWARE_KEY_NAMEL"\\Registry\\Machine\\Software\\125096"#define MY_REG_SOFTWARE_KEY_NAME1L"\\Registry\\Machine\\Software\\125096\\SubItem"void Unload(IN PDRIVER_OBJECT DriverObject);void CreateRegTest(void);//创建注册表void OpenRegTest(void);//打开注册表void SetRegTest(void);//写注册表void DeleteItemRegTest(void);//删除注册表项void QueryRegTest(void);//查询注册表void EnumerateSubItemRegText(void); //枚举子项void EnumetrateSubValueRegTest(void);//枚举键值void RtlRegTest(void);//注册表测试#ifdef __cplusplusextern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);#endifNTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath){unsigned i;DbgPrint("Hello from 1!\n");DriverObject->DriverUnload =Unload;//#if DBG//_asm int 3//#endifCreateRegTest();OpenRegTest();SetRegTest();QueryRegTest();EnumerateSubItemRegText();EnumetrateSubValueRegTest();DeleteItemRegTest();RtlRegTest();return STATUS_SUCCESS;}void Unload(IN PDRIVER_OBJECT DriverObject){DbgPrint("Goodbye from 1!\n");}void CreateRegTest(void){//创建或打开某注册表项UNICODE_STRING RegUnicodeString;HANDLE hRegister;//初始化UNICODE_STRING字符串RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);//初始化objectAttributesOBJECT_ATTRIBUTES objectAttributes;InitializeObjectAttributes(&objectAttributes,&RegUnicodeString,OBJ_CASE_INSENSITIVE,NULL,NULL);//创建或打开注册表项目ULONG ulResult;NTSTATUS ntStatus=ZwCreateKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes,  NULL,  NULL,  REG_OPTION_NON_VOLATILE,  &ulResult);if (hRegister==NULL || ntStatus != STATUS_SUCCESS){DbgPrint(TEXT("创建或者打开注册表失败"));return;}if (ulResult==REG_CREATED_NEW_KEY){DbgPrint(TEXT("这是一个新的项被创建"));}else if (ulResult ==REG_OPENED_EXISTING_KEY){DbgPrint(TEXT("当前注册表项已经被创建"));}//创建或打开某注册表项目的子项UNICODE_STRING subRegUnicodeString;HANDLE hSubRegister;//初始化UNIOCDE_STRING字符串RtlInitUnicodeString(&subRegUnicodeString,L"SubItem");//初始化subobjectAttributesOBJECT_ATTRIBUTES subObjectAttributes;InitializeObjectAttributes(&subObjectAttributes,&subRegUnicodeString,OBJ_CASE_INSENSITIVE,hRegister,NULL);//创建或带打开注册表项ntStatus=ZwCreateKey(&hSubRegister,KEY_ALL_ACCESS,&subObjectAttributes,NULL,NULL,REG_OPTION_NON_VOLATILE,&ulResult);if (hSubRegister==NULL || ntStatus != STATUS_SUCCESS){DbgPrint(TEXT("创建或者打开注册表失败"));return;}if (ulResult==REG_CREATED_NEW_KEY){DbgPrint(TEXT("这是一个新的项被创建"));}else if (ulResult ==REG_OPENED_EXISTING_KEY){DbgPrint(TEXT("当前注册表项已经被创建"));}//关闭注册表句柄ZwClose(hRegister);ZwClose(hSubRegister);return;}//打开注册表void OpenRegTest(void){UNICODE_STRING RegUnicodeString;HANDLE hRegister=NULL;//初始化UNICODE_STRING字符串RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME1);//初始化objectAttributesOBJECT_ATTRIBUTES objectAttributes;InitializeObjectAttributes(&objectAttributes,   &RegUnicodeString,   OBJ_CASE_INSENSITIVE,   NULL,   NULL);//打开注册表NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes);if (hRegister==NULL || ntStatus!=STATUS_SUCCESS){DbgPrint(TEXT("打开注册表失败"));return;}//删除注册表ntStatus=ZwDeleteKey(hRegister);if (ntStatus==STATUS_SUCCESS){DbgPrint(TEXT("注册表删除成功"));}else if (ntStatus==STATUS_ACCESS_DENIED){DbgPrint(TEXT("拒绝访问"));}else if (ntStatus==STATUS_INVALID_HANDLE){DbgPrint(TEXT("无效的句柄"));}else{DbgPrint(TEXT("打我PG我不乖"));}ZwClose(hRegister);return;}//写注册表void SetRegTest(void){UNICODE_STRING RegUnicodeString;HANDLE hRegister;//初始化UNICODE_STRINGRtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);//初始化objectAttributesOBJECT_ATTRIBUTES objectAttribues;InitializeObjectAttributes(&objectAttribues,   &RegUnicodeString,   OBJ_CASE_INSENSITIVE,   NULL,   NULL);//打开注册表NTSTATUS ntstatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttribues);if (hRegister==NULL || ntstatus!= STATUS_SUCCESS){DbgPrint(TEXT("注册表打开失败"));return;}//初始化ValueNameUNICODE_STRING ValueName;RtlInitUnicodeString(&ValueName,L"REG_DWORD value");//设置REG_DWORD子健ULONG ulValue=1000;ZwSetValueKey(hRegister,&ValueName,0,REG_DWORD,&ulValue,sizeof(ulValue));//初始化ValueNameRtlInitUnicodeString(&ValueName,L"REG_SZ value");WCHAR* strValue=L"hello world";//设置REG_SZ子健ZwSetValueKey(hRegister,&ValueName,0,REG_SZ,strValue,wcslen(strValue)*2+2);//初始化ValueNameRtlInitUnicodeString(&ValueName,L"REG_BINARY value");UCHAR buffer[10]={0};RtlFillMemory(buffer,sizeof(buffer),0XFF);//设置REG_MULTI_SZ子健ZwSetValueKey(hRegister,&ValueName,0,REG_BINARY,buffer,sizeof(buffer));//关闭注册表句柄ZwClose(hRegister);return;}//删除注册表项void DeleteItemRegTest(void){UNICODE_STRING RegUnicodeString;HANDLE hRegister=NULL;//#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\125096\\SubItem"//初始化UNICODE_STRING字符串RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);//初始化objectAttributesOBJECT_ATTRIBUTES objectAttributes;InitializeObjectAttributes(&objectAttributes,   &RegUnicodeString,   OBJ_CASE_INSENSITIVE,   NULL,   NULL);//打开注册表NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes);if (ntStatus!=STATUS_SUCCESS || hRegister==NULL){DbgPrint(TEXT("打开注册表失败"));}ntStatus=ZwDeleteKey(hRegister);if (ntStatus==STATUS_SUCCESS){DbgPrint(TEXT("删除成功"));}else if (ntStatus==STATUS_ACCESS_DENIED){DbgPrint(TEXT("拒绝访问"));}else if (ntStatus==STATUS_INVALID_HANDLE){DbgPrint(TEXT("无效的句柄"));}else{DbgPrint(TEXT("这不科学"));}ZwClose(hRegister);return;}void QueryRegTest(void){UNICODE_STRING RegUnicodeString;HANDLE hRegister=NULL;//初始化UNICODE_STRING字符串RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);//初始化objectarrtibutesOBJECT_ATTRIBUTES objectAttributes;InitializeObjectAttributes(&objectAttributes,&RegUnicodeString,OBJ_CASE_INSENSITIVE,NULL,NULL);//打开注册表NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes);if (hRegister==NULL || ntStatus!=STATUS_SUCCESS){DbgPrint(TEXT("打开注册表失败"));}UNICODE_STRING ValueName;RtlInitUnicodeString(&ValueName,L"REG_DWORD value");//读取REG_DWORD子健ULONG ulSize=0;ntStatus=ZwQueryValueKey(hRegister,&ValueName,KeyValuePartialInformation,NULL,NULL,&ulSize);if (ntStatus==STATUS_OBJECT_NAME_NOT_FOUND || ulSize==0){ZwClose(hRegister);DbgPrint(TEXT("读取注册表失败"));return;}PKEY_VALUE_PARTIAL_INFORMATION pvpi=(PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize);ntStatus=ZwQueryValueKey(hRegister,&ValueName,KeyValuePartialInformation,pvpi,ulSize,&ulSize);if (ntStatus!=STATUS_SUCCESS){ZwClose(hRegister);DbgPrint(TEXT("读取注册表失败2"));return;}//判断是否为REG_DWORD类型if (pvpi->Type==REG_DWORD && pvpi->DataLength==sizeof(ULONG)){PULONG pulValue=(PULONG)pvpi->Data;DbgPrint(TEXT("%d\n"),*pulValue);}ExFreePool(pvpi);//初始化ValueNameRtlInitUnicodeString(&ValueName,L"REG_SZ value");//读取REG_SZ子健ntStatus=ZwQueryValueKey(hRegister,&ValueName,KeyValuePartialInformation,NULL,NULL,&ulSize);if (ntStatus==STATUS_OBJECT_PATH_NOT_FOUND || ulSize==0){ZwClose(hRegister);DbgPrint(TEXT("读取注册表失败3"));return;}pvpi=(PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize);ntStatus=ZwQueryValueKey(hRegister,&ValueName,KeyValuePartialInformation,pvpi,ulSize,&ulSize);if (ntStatus!=STATUS_SUCCESS){ZwClose(hRegister);DbgPrint(TEXT("读取注册表失败4"));return;}//判断是否为REG_SZ类型if (pvpi->Type==REG_SZ){DbgPrint(TEXT("%S\n"),pvpi->Data);}ZwClose(hRegister);return;}//枚举注册表子项void EnumerateSubItemRegText(void){UNICODE_STRING RegUnicodeSting;HANDLE hRegister=NULL;//初始化UNICODE_STRING字符串 RtlInitUnicodeString(&RegUnicodeSting,MY_REG_SOFTWARE_KEY_NAME); //初始化objectAttributes OBJECT_ATTRIBUTES objectttributes; InitializeObjectAttributes(&objectttributes,&RegUnicodeSting,OBJ_CASE_INSENSITIVE,NULL,NULL); //打开注册表 NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectttributes); if (hRegister==NULL || ntStatus!= STATUS_SUCCESS) { DbgPrint(TEXT("打开注册表失败\n")); return; } ULONG ulSize=0; //第一次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的长度 ZwQueryKey(hRegister,KeyFullInformation,NULL,0,&ulSize); //第二次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的数据 PKEY_FULL_INFORMATION pfi=(PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize); ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize); for (ULONG i=0;i<pfi->SubKeys;i++) { //第一次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的长度 ZwEnumerateKey(hRegister,i,KeyBasicInformation,NULL,NULL,&ulSize); PKEY_BASIC_INFORMATION pbi=(PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize); //第二次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的数据 ZwEnumerateKey(hRegister,i,KeyBasicInformation,pbi,ulSize,&ulSize); UNICODE_STRING uniKeyName; uniKeyName.Length= uniKeyName.MaximumLength=(USHORT)pbi->NameLength; uniKeyName.Buffer=pbi->Name; DbgPrint(TEXT("%wZ\n"),i,&uniKeyName); ExFreePool(pbi); } ExFreePool(pfi); ZwClose(hRegister);return;}//枚举键值void EnumetrateSubValueRegTest(void){UNICODE_STRING RegUnicodeString;HANDLE hRegister=NULL;//初始化UNICODE_STRING字符串RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME);//初始化objectAttributesOBJECT_ATTRIBUTES objectAttributes;InitializeObjectAttributes(&objectAttributes,   &RegUnicodeString,   OBJ_CASE_INSENSITIVE,   NULL,   NULL);//打开注册表NTSTATUS ntstatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes);if (hRegister==NULL || ntstatus!=STATUS_SUCCESS){DbgPrint(TEXT("打开注册表失败"));return;}ULONG ulSize=0;ZwQueryKey(hRegister,   KeyFullInformation,   NULL,   NULL,   &ulSize);PKEY_FULL_INFORMATION pfi=(PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize);ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize);for (ULONG i=0;i<pfi->Values;i++){ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,NULL,NULL,&ulSize);PKEY_VALUE_BASIC_INFORMATION pvbi=(PKEY_VALUE_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize);ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,pvbi,ulSize,&ulSize);UNICODE_STRING uniKeyName;uniKeyName.Length=uniKeyName.MaximumLength=(USHORT)pvbi->NameLength;uniKeyName.Buffer=pvbi->Name;DbgPrint(TEXT("%wZ\n"),i,&uniKeyName);if (pvbi->Type==REG_SZ){DbgPrint(TEXT("the sub value type:REG_SZ\n"));}else if (pvbi->Type==REG_MULTI_SZ){DbgPrint(TEXT("the sub value type:REG_MULTI_SZ\n"));}else if(pvbi->Type==REG_DWORD){DbgPrint(TEXT("the sub value type:REG_DWORD\n"));}else if (pvbi->Type==REG_BINARY){DbgPrint(TEXT("the sub value type:REG_BINARY\n"));}else{DbgPrint(TEXT("the sub value type:not type\n"));}ExFreePool(pvbi);}ExFreePool(pfi);ZwClose(hRegister);return;}//注册表测试void RtlRegTest(void){//创建子项目NTSTATUS ntStatus=RtlCreateRegistryKey(RTL_REGISTRY_SERVICES,L"HelloDDK");//NTSTATUS ntStatus=RtlCreateRegistryKey(RTL_REGISTRY_ABSOLUTE,L"\\Registry\\Machine\\SOFTWARE\\125096");if (ntStatus!=STATUS_SUCCESS){DbgPrint(TEXT("创建失败"));}else{DbgPrint(TEXT("创建成功"));}//检查某项是否存在ntStatus=RtlCheckRegistryKey(RTL_REGISTRY_SERVICES,L"HelloDDK");if (ntStatus!=STATUS_SUCCESS){DbgPrint(TEXT("不存在哈"));}//写入REG_DWORD的数据ULONG value1=100;ntStatus=RtlWriteRegistryValue(RTL_REGISTRY_SERVICES,   L"HelloDDK",   L"DWORD_VALUE",   REG_DWORD,   &value1,   sizeof(value1));if (ntStatus!=STATUS_SUCCESS){DbgPrint(TEXT("写入失败"));}//写入REG_SZ的数据PWCHAR szString=L"Hello DDK";ntStatus=RtlWriteRegistryValue(RTL_REGISTRY_SERVICES,   L"HelloDDK",   L"SZ_VALUE",   REG_SZ,   szString,   wcslen(szString)*2+2);if (ntStatus!=STATUS_SUCCESS){DbgPrint(TEXT("写入失败2"));}RTL_QUERY_REGISTRY_TABLE paramTable[2]={0};RtlZeroMemory(paramTable,sizeof(paramTable));ULONG defaultData=0;ULONG uQueryValue=0;paramTable[0].Flags=RTL_QUERY_REGISTRY_DIRECT;paramTable[0].Name=L"DWORD_VALUE";paramTable[0].EntryContext=&uQueryValue;paramTable[0].DefaultType=REG_DWORD;paramTable[0].DefaultData=&defaultData;paramTable[0].DefaultLength=sizeof(ULONG);//查询REG_DWORD的数据ntStatus=RtlQueryRegistryValues(RTL_REGISTRY_SERVICES,L"HelloDDK",paramTable,NULL,NULL);if (ntStatus==STATUS_SUCCESS){DbgPrint(TEXT("The item is:%d\n",uQueryValue));}//删除子健ntStatus=RtlDeleteRegistryValue(RTL_REGISTRY_SERVICES,L"HelloDDK",L"DWORD_VALUE");if (ntStatus==STATUS_SUCCESS){DbgPrint(TEXT("删除成功"));}return;}
0 0