熊猫正正的博客

熊猫正正的天空

驱动对注册表的相关操作  

2012-03-03 13:06:38|  分类: window驱动学习 |  标签: |举报 |字号 订阅

(1)RtlRegTest()
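/*
 * RtlRegTest - exercises the Rtl*Registry* helper routines.
 *
 * RTL_REGISTRY_SERVICES makes every path relative to
 * HKLM\SYSTEM\CurrentControlSet\Services, so the key touched here is
 * Services\HelloDDK\PandaZheng. Sequence: create the key, check that it
 * exists, write a REG_DWORD and a REG_SZ value, read the REG_DWORD back
 * through RtlQueryRegistryValues, then delete the REG_DWORD value (the key
 * itself is left in place). Every step reports through DbgPrint; a failure
 * prints the NTSTATUS instead of being silently skipped.
 * The Rtl*Registry* routines require PASSIVE_LEVEL.
 */
VOID RtlRegTest()
{
    NTSTATUS status;
    ULONG value = 100;
    WCHAR* szString = L"Hello DDK";
    WCHAR* szPath = L"HelloDDK\\PandaZheng";
    RTL_QUERY_REGISTRY_TABLE paramTable[2];
    ULONG defaultData = 0;
    ULONG uQueryValue = 0;   /* initialised so a failed query can never print an indeterminate value */

    /* create the sub key */
    status = RtlCreateRegistryKey(RTL_REGISTRY_SERVICES, szPath);
    if (NT_SUCCESS(status)) {
        DbgPrint("Create the item successfully...\n");
    } else {
        DbgPrint("RtlCreateRegistryKey failed: 0x%08X\n", status);
    }

    /* check whether the key exists */
    status = RtlCheckRegistryKey(RTL_REGISTRY_SERVICES, szPath);
    if (NT_SUCCESS(status)) {
        DbgPrint("The Item is Exist...\n");
    } else {
        DbgPrint("RtlCheckRegistryKey failed: 0x%08X\n", status);
    }

    /* write a REG_DWORD value */
    status = RtlWriteRegistryValue(RTL_REGISTRY_SERVICES,
                                   szPath,
                                   L"DWORD_Value",
                                   REG_DWORD,
                                   &value,
                                   sizeof(value));
    if (NT_SUCCESS(status)) {
        DbgPrint("Write the DWORD value successfully...\n");
    } else {
        DbgPrint("Write the DWORD value failed: 0x%08X\n", status);
    }

    /* write a REG_SZ value; the length is in bytes and includes the terminating NUL */
    status = RtlWriteRegistryValue(RTL_REGISTRY_SERVICES,
                                   szPath,
                                   L"SZ_Value",
                                   REG_SZ,
                                   szString,
                                   (ULONG)((wcslen(szString) + 1) * sizeof(WCHAR)));
    if (NT_SUCCESS(status)) {
        DbgPrint("Write The REG_SZ Value Successfaully...\n");
    } else {
        DbgPrint("Write the REG_SZ value failed: 0x%08X\n", status);
    }

    /*
     * Query table: one entry plus the mandatory all-zero terminator entry.
     * RTL_QUERY_REGISTRY_DIRECT stores the value straight into EntryContext,
     * which here is a single ULONG. If the value in the registry were of a
     * string type, RtlQueryRegistryValues would write a UNICODE_STRING into
     * EntryContext instead and overrun it. On Windows 8 and later the
     * RTL_QUERY_REGISTRY_TYPECHECK flag makes such a type mismatch fail the
     * query instead; it is not used here to keep the sample buildable for
     * older targets.
     */
    RtlZeroMemory(paramTable, sizeof(paramTable));
    paramTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
    paramTable[0].Name = L"DWORD_Value";
    paramTable[0].EntryContext = &uQueryValue;
    paramTable[0].DefaultType = REG_DWORD;
    paramTable[0].DefaultData = &defaultData;
    paramTable[0].DefaultLength = sizeof(ULONG);

    /* read the REG_DWORD value back */
    status = RtlQueryRegistryValues(RTL_REGISTRY_SERVICES,
                                    szPath,
                                    paramTable,
                                    NULL,
                                    NULL);
    if (NT_SUCCESS(status)) {
        DbgPrint("Query the Item successfully...\n");
        DbgPrint("The Item is : %d\n", uQueryValue);
    } else {
        DbgPrint("RtlQueryRegistryValues failed: 0x%08X\n", status);
    }

    /* delete the REG_DWORD value (not the key) */
    status = RtlDeleteRegistryValue(RTL_REGISTRY_SERVICES,
                                    szPath,
                                    L"DWORD_Value");
    if (NT_SUCCESS(status)) {
        DbgPrint("Delete The Value successfully...\n");
    } else {
        DbgPrint("RtlDeleteRegistryValue failed: 0x%08X\n", status);
    }
}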

(2)Zw系列函数
/*
 * Absolute registry paths in NT object-namespace form (\Registry\Machine is
 * HKEY_LOCAL_MACHINE). The Zw* routines below take these; the Rtl* helpers
 * above take a path relative to a RTL_REGISTRY_* base instead.
 */
#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\PandaZheng"
/* Sub key created by CreateKeyTest and removed by DeleteItemRegTest. */
#define MY_REG_SOFTWARE_KEY_NAME2 L"\\Registry\\Machine\\Software\\PandaZheng\\SubItem"


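/*
 * CreateKeyTest - creates (or opens) MY_REG_SOFTWARE_KEY_NAME, then a
 * "SubItem" key beneath it, and reports for each whether ZwCreateKey created
 * it or opened an existing one (the Disposition output parameter).
 *
 * The sub key is only attempted when the parent handle is valid: a failed
 * first ZwCreateKey previously fed an indeterminate HANDLE into
 * OBJECT_ATTRIBUTES.RootDirectory and into ZwClose. Every handle that was
 * opened is closed before returning. PASSIVE_LEVEL only.
 */
VOID CreateKeyTest()
{
    UNICODE_STRING RegUnicodeString, subRegUnicodeString;
    HANDLE hRegister = NULL, hSubRegister = NULL;
    NTSTATUS status;
    OBJECT_ATTRIBUTES ObjectAttributes, subObjectAttributes;
    ULONG ulResult = 0;

    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&ObjectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwCreateKey(&hRegister,
                         KEY_ALL_ACCESS,
                         &ObjectAttributes,
                         0,
                         NULL,
                         REG_OPTION_NON_VOLATILE,
                         &ulResult);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwCreateKey failed: 0x%08X\n", status);
        return;
    }

    /* Disposition tells whether the key was freshly created or already existed */
    if (ulResult == REG_CREATED_NEW_KEY) {
        DbgPrint("The Register item is Created New...\n");
    } else if (ulResult == REG_OPENED_EXISTING_KEY) {
        DbgPrint("The Register Item is Exiting...\n");
    }

    /* the sub key name is relative to the parent handle passed as RootDirectory */
    RtlInitUnicodeString(&subRegUnicodeString, L"SubItem");
    InitializeObjectAttributes(&subObjectAttributes, &subRegUnicodeString, OBJ_CASE_INSENSITIVE, hRegister, NULL);
    status = ZwCreateKey(&hSubRegister,
                         KEY_ALL_ACCESS,
                         &subObjectAttributes,
                         0,
                         NULL,
                         REG_OPTION_NON_VOLATILE,
                         &ulResult);
    if (NT_SUCCESS(status)) {
        if (ulResult == REG_CREATED_NEW_KEY) {
            DbgPrint("The Sub Register item is Created...\n");
        } else if (ulResult == REG_OPENED_EXISTING_KEY) {
            DbgPrint("The Sub Register Item is Exiting...\n");
        }
        ZwClose(hSubRegister);
    } else {
        DbgPrint("ZwCreateKey(SubItem) failed: 0x%08X\n", status);
    }

    ZwClose(hRegister);
}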

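/*
 * OpenRegTest - opens MY_REG_SOFTWARE_KEY_NAME and closes it again.
 *
 * Only KEY_READ is requested: nothing is written, so asking for
 * KEY_ALL_ACCESS granted far more than the routine uses. When the open fails
 * the status is printed and the routine returns instead of passing an unset
 * HANDLE to ZwClose. PASSIVE_LEVEL only.
 */
VOID OpenRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    NTSTATUS status;
    OBJECT_ATTRIBUTES ObjectAttributes;

    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&ObjectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwOpenKey(&hRegister, KEY_READ, &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwOpenKey failed: 0x%08X\n", status);
        return;
    }

    DbgPrint("Open Register Successfully\n");
    ZwClose(hRegister);
}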

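/*
 * SetRegTest - writes three values under MY_REG_SOFTWARE_KEY_NAME:
 * "REG_DWORD Value" (REG_DWORD 1000), "REG_SZ Value" (REG_SZ "Hello World")
 * and "REG_BINARY Value" (REG_BINARY, ten 0xFF bytes).
 *
 * The key is opened with KEY_SET_VALUE, the only right ZwSetValueKey needs.
 * A failed open prints the status and returns, so no write is attempted on
 * an unset HANDLE. PASSIVE_LEVEL only.
 */
VOID SetRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    NTSTATUS status;
    UNICODE_STRING ValueName;
    ULONG ulValue = 1000;
    WCHAR* strValue = L"Hello World";
    UCHAR buffer[10];

    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&ObjectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwOpenKey(&hRegister, KEY_SET_VALUE, &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwOpenKey failed: 0x%08X\n", status);
        return;
    }
    DbgPrint("Open Key Successfully...\n");

    /* REG_DWORD value */
    RtlInitUnicodeString(&ValueName, L"REG_DWORD Value");
    status = ZwSetValueKey(hRegister, &ValueName, 0, REG_DWORD, &ulValue, sizeof(ulValue));
    if (NT_SUCCESS(status)) {
        DbgPrint("Set REG_DWORD Key Successfully...\n");
    } else {
        DbgPrint("Set REG_DWORD Key failed: 0x%08X\n", status);
    }

    /* REG_SZ value: size is in bytes and includes the terminating NUL */
    RtlInitUnicodeString(&ValueName, L"REG_SZ Value");
    status = ZwSetValueKey(hRegister, &ValueName, 0, REG_SZ, strValue,
                           (ULONG)((wcslen(strValue) + 1) * sizeof(WCHAR)));
    if (NT_SUCCESS(status)) {
        DbgPrint("Set  REG_SZ Key Successfully...\n");
    } else {
        DbgPrint("Set REG_SZ Key failed: 0x%08X\n", status);
    }

    /* REG_BINARY value: ten bytes of 0xFF */
    RtlFillMemory(buffer, sizeof(buffer), 0xFF);
    RtlInitUnicodeString(&ValueName, L"REG_BINARY Value");
    status = ZwSetValueKey(hRegister, &ValueName, 0, REG_BINARY, buffer, sizeof(buffer));
    if (NT_SUCCESS(status)) {
        DbgPrint("Set REG_BINARY Key Successfully...\n");
    } else {
        DbgPrint("Set REG_BINARY Key failed: 0x%08X\n", status);
    }

    ZwClose(hRegister);
}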

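/*
 * QueryPartialValue - reads ValueName under hKey as KEY_VALUE_PARTIAL_INFORMATION.
 *
 * The first ZwQueryValueKey call with a zero-length buffer is a size probe
 * (it returns STATUS_BUFFER_TOO_SMALL and the required size); the second call
 * fills a paged-pool buffer of that size.
 *
 * Returns the filled buffer, which the caller owns and must release with
 * ExFreePool, or NULL when the value does not exist, the probe or the read
 * fails, or the allocation fails (the reason is printed).
 */
static PKEY_VALUE_PARTIAL_INFORMATION QueryPartialValue(HANDLE hKey, PUNICODE_STRING ValueName)
{
    NTSTATUS status;
    ULONG ulSize = 0;
    PKEY_VALUE_PARTIAL_INFORMATION pvpi;

    status = ZwQueryValueKey(hKey, ValueName, KeyValuePartialInformation, NULL, 0, &ulSize);
    if (status == STATUS_OBJECT_NAME_NOT_FOUND || ulSize == 0) {
        DbgPrint("The item is not exist...\n");
        return NULL;
    }
    if (status != STATUS_BUFFER_TOO_SMALL && !NT_SUCCESS(status)) {
        DbgPrint("Query value size error: 0x%08X\n", status);
        return NULL;
    }

    pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool, ulSize);
    if (pvpi == NULL) {
        DbgPrint("ExAllocatePool failed\n");
        return NULL;
    }

    status = ZwQueryValueKey(hKey, ValueName, KeyValuePartialInformation, pvpi, ulSize, &ulSize);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Read Register Error\n");
        ExFreePool(pvpi);
        return NULL;
    }
    return pvpi;
}

/*
 * QueryRegTest - reads "REG_DWORD Value" and "REG_SZ Value" back from
 * MY_REG_SOFTWARE_KEY_NAME and prints them.
 *
 * Fixes relative to the first version: the key is opened with KEY_READ
 * rather than KEY_ALL_ACCESS; every failure path returns instead of carrying
 * on with a closed handle or a NULL buffer; the second buffer is freed; and
 * the REG_SZ data is printed as a bounded UNICODE_STRING (%wZ) instead of
 * through %s, which treats the UTF-16 bytes as a narrow string. A REG_SZ
 * value read from the registry is not guaranteed to be NUL-terminated, so
 * the length from DataLength bounds the print. PASSIVE_LEVEL only.
 */
VOID QueryRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    NTSTATUS status;
    UNICODE_STRING ValueName;
    PKEY_VALUE_PARTIAL_INFORMATION pvpi;
    ULONG ulValue = 0;

    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&ObjectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwOpenKey(&hRegister, KEY_READ, &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwOpenKey failed: 0x%08X\n", status);
        return;
    }
    DbgPrint("Open Register Successfully...\n");

    /* REG_DWORD: accept only the exact type and size before interpreting Data */
    RtlInitUnicodeString(&ValueName, L"REG_DWORD Value");
    pvpi = QueryPartialValue(hRegister, &ValueName);
    if (pvpi != NULL) {
        if (pvpi->Type == REG_DWORD && pvpi->DataLength == sizeof(ULONG)) {
            RtlCopyMemory(&ulValue, pvpi->Data, sizeof(ulValue));
            DbgPrint("The Value: %d\n", ulValue);
        }
        ExFreePool(pvpi);
    }

    /* REG_SZ: bound the print by DataLength; drop a trailing NUL if present */
    RtlInitUnicodeString(&ValueName, L"REG_SZ Value");
    pvpi = QueryPartialValue(hRegister, &ValueName);
    if (pvpi != NULL) {
        if (pvpi->Type == REG_SZ && pvpi->DataLength <= MAXUSHORT) {
            UNICODE_STRING strValue;
            strValue.Buffer = (PWCHAR)pvpi->Data;
            strValue.MaximumLength = (USHORT)(pvpi->DataLength & ~1u);   /* whole WCHARs only */
            strValue.Length = strValue.MaximumLength;
            if (strValue.Length >= sizeof(WCHAR) &&
                strValue.Buffer[strValue.Length / sizeof(WCHAR) - 1] == L'\0') {
                strValue.Length -= sizeof(WCHAR);
            }
            DbgPrint("The Value: %wZ\n", &strValue);
        }
        ExFreePool(pvpi);
    }

    ZwClose(hRegister);
}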

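/*
 * EnumerateSubItemRegTest - lists the names of the sub keys of
 * MY_REG_SOFTWARE_KEY_NAME.
 *
 * ZwQueryKey(KeyFullInformation) supplies the sub key count; each sub key is
 * then read with a size probe followed by a filled ZwEnumerateKey call. The
 * count can change between the query and the loop, so STATUS_NO_MORE_ENTRIES
 * ends the loop early instead of being ignored.
 *
 * Fixes relative to the first version: the name was never attached to the
 * UNICODE_STRING (Buffer was assigned the length), the DbgPrint lacked the
 * argument for %d, and neither statuses nor allocations were checked.
 * KEY_READ is requested since nothing is written. PASSIVE_LEVEL only.
 */
VOID EnumerateSubItemRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    NTSTATUS status;
    ULONG ulSize = 0, i;
    PKEY_BASIC_INFORMATION pbi;
    UNICODE_STRING uniKeyName;
    PKEY_FULL_INFORMATION pfi;

    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&ObjectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwOpenKey(&hRegister, KEY_READ, &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwOpenKey failed: 0x%08X\n", status);
        return;
    }
    DbgPrint("Open Register Successfully\n");

    /* first call: size probe for KEY_FULL_INFORMATION */
    status = ZwQueryKey(hRegister, KeyFullInformation, NULL, 0, &ulSize);
    if ((status != STATUS_BUFFER_TOO_SMALL && !NT_SUCCESS(status)) || ulSize == 0) {
        DbgPrint("ZwQueryKey size probe failed: 0x%08X\n", status);
        ZwClose(hRegister);
        return;
    }

    pfi = (PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool, ulSize);
    if (pfi == NULL) {
        DbgPrint("ExAllocatePool failed\n");
        ZwClose(hRegister);
        return;
    }

    /* second call: fill the KEY_FULL_INFORMATION block (SubKeys is the count) */
    status = ZwQueryKey(hRegister, KeyFullInformation, pfi, ulSize, &ulSize);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwQueryKey failed: 0x%08X\n", status);
        ExFreePool(pfi);
        ZwClose(hRegister);
        return;
    }

    for (i = 0; i < pfi->SubKeys; i++) {
        /* size probe for this sub key's KEY_BASIC_INFORMATION */
        status = ZwEnumerateKey(hRegister, i, KeyBasicInformation, NULL, 0, &ulSize);
        if (status == STATUS_NO_MORE_ENTRIES) {
            break;   /* a sub key disappeared after the count was read */
        }
        if ((status != STATUS_BUFFER_TOO_SMALL && !NT_SUCCESS(status)) || ulSize == 0) {
            DbgPrint("ZwEnumerateKey(%d) size probe failed: 0x%08X\n", i, status);
            continue;
        }

        pbi = (PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool, ulSize);
        if (pbi == NULL) {
            DbgPrint("ExAllocatePool failed\n");
            break;
        }

        status = ZwEnumerateKey(hRegister, i, KeyBasicInformation, pbi, ulSize, &ulSize);
        if (!NT_SUCCESS(status)) {
            DbgPrint("ZwEnumerateKey(%d) failed: 0x%08X\n", i, status);
            ExFreePool(pbi);
            continue;
        }

        /* NameLength is in bytes and is not NUL-terminated; UNICODE_STRING lengths are USHORT */
        if (pbi->NameLength <= MAXUSHORT) {
            uniKeyName.Length = uniKeyName.MaximumLength = (USHORT)pbi->NameLength;
            uniKeyName.Buffer = pbi->Name;
            DbgPrint("The %d sub item name: %wZ\n", i, &uniKeyName);
        }

        ExFreePool(pbi);
    }

    ExFreePool(pfi);
    ZwClose(hRegister);
}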

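/*
 * EnumerateSubValueRegTest - lists the name and type of every value under
 * MY_REG_SOFTWARE_KEY_NAME.
 *
 * ZwQueryKey(KeyFullInformation) supplies the value count; each value is read
 * with a size probe followed by a filled ZwEnumerateValueKey call. The count
 * can change between the query and the loop, so STATUS_NO_MORE_ENTRIES ends
 * the loop early. Statuses and pool allocations are checked on every path and
 * the key is opened with KEY_READ, the only right the routine needs.
 * PASSIVE_LEVEL only.
 */
VOID EnumerateSubValueRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    OBJECT_ATTRIBUTES ObjectAttributes;
    NTSTATUS status;
    ULONG ulSize = 0;
    PKEY_FULL_INFORMATION pfi;
    UNICODE_STRING uniKeyName;
    PKEY_VALUE_BASIC_INFORMATION pvbi;
    ULONG i;

    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&ObjectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwOpenKey(&hRegister, KEY_READ, &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwOpenKey failed: 0x%08X\n", status);
        return;
    }
    DbgPrint("Open Register Successully!\n");

    /* size probe for KEY_FULL_INFORMATION */
    status = ZwQueryKey(hRegister, KeyFullInformation, NULL, 0, &ulSize);
    if ((status != STATUS_BUFFER_TOO_SMALL && !NT_SUCCESS(status)) || ulSize == 0) {
        DbgPrint("ZwQueryKey size probe failed: 0x%08X\n", status);
        ZwClose(hRegister);
        return;
    }

    pfi = (PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool, ulSize);
    if (pfi == NULL) {
        DbgPrint("ExAllocatePool failed\n");
        ZwClose(hRegister);
        return;
    }

    /* fill the KEY_FULL_INFORMATION block (Values is the value count) */
    status = ZwQueryKey(hRegister, KeyFullInformation, pfi, ulSize, &ulSize);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwQueryKey failed: 0x%08X\n", status);
        ExFreePool(pfi);
        ZwClose(hRegister);
        return;
    }

    for (i = 0; i < pfi->Values; i++) {
        /* size probe for this value's KEY_VALUE_BASIC_INFORMATION */
        status = ZwEnumerateValueKey(hRegister, i, KeyValueBasicInformation, NULL, 0, &ulSize);
        if (status == STATUS_NO_MORE_ENTRIES) {
            break;   /* a value disappeared after the count was read */
        }
        if ((status != STATUS_BUFFER_TOO_SMALL && !NT_SUCCESS(status)) || ulSize == 0) {
            DbgPrint("ZwEnumerateValueKey(%d) size probe failed: 0x%08X\n", i, status);
            continue;
        }

        pvbi = (PKEY_VALUE_BASIC_INFORMATION)ExAllocatePool(PagedPool, ulSize);
        if (pvbi == NULL) {
            DbgPrint("ExAllocatePool failed\n");
            break;
        }

        status = ZwEnumerateValueKey(hRegister, i, KeyValueBasicInformation, pvbi, ulSize, &ulSize);
        if (!NT_SUCCESS(status)) {
            DbgPrint("ZwEnumerateValueKey(%d) failed: 0x%08X\n", i, status);
            ExFreePool(pvbi);
            continue;
        }

        /* NameLength is in bytes and not NUL-terminated; UNICODE_STRING lengths are USHORT */
        if (pvbi->NameLength <= MAXUSHORT) {
            uniKeyName.Length = uniKeyName.MaximumLength = (USHORT)pvbi->NameLength;
            uniKeyName.Buffer = pvbi->Name;
            DbgPrint("The %d sub value name: %wZ\n", i, &uniKeyName);
        }

        switch (pvbi->Type) {
        case REG_SZ:
            DbgPrint("The Sub Value Type: REG_SZ\n");
            break;
        case REG_MULTI_SZ:
            DbgPrint("The Sub Value Type: REG_MULTI_SZ\n");
            break;
        case REG_DWORD:
            DbgPrint("The Sub Value Type: REG_DWORD\n");
            break;
        case REG_BINARY:
            DbgPrint("The Sub Value Type: REG_BINARY\n");
            break;
        default:
            /* other registry types are not reported by this sample */
            break;
        }

        ExFreePool(pvbi);
    }

    ExFreePool(pfi);
    ZwClose(hRegister);
}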

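/*
 * DeleteItemRegTest - deletes the key MY_REG_SOFTWARE_KEY_NAME2
 * (the "SubItem" key created by CreateKeyTest).
 *
 * The key is opened with DELETE, the only right ZwDeleteKey requires. A
 * failed open prints the status and returns rather than passing an unset
 * HANDLE to ZwDeleteKey and ZwClose. After a successful ZwDeleteKey the handle
 * is still open and must be closed. PASSIVE_LEVEL only.
 */
VOID DeleteItemRegTest()
{
    UNICODE_STRING RegUnicodeString;
    HANDLE hRegister = NULL;
    NTSTATUS status;
    OBJECT_ATTRIBUTES ObjectAttributes;

    RtlInitUnicodeString(&RegUnicodeString, MY_REG_SOFTWARE_KEY_NAME2);
    InitializeObjectAttributes(&ObjectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwOpenKey(&hRegister, DELETE, &ObjectAttributes);
    if (!NT_SUCCESS(status)) {
        DbgPrint("ZwOpenKey failed: 0x%08X\n", status);
        return;
    }
    DbgPrint("Open Register Successfully...\n");

    status = ZwDeleteKey(hRegister);
    if (NT_SUCCESS(status)) {
        DbgPrint("Delete the item successfully...\n");
    } else if (status == STATUS_ACCESS_DENIED) {
        DbgPrint("STATUS_ACCESS_DENIED\n");
    } else if (status == STATUS_INVALID_HANDLE) {
        DbgPrint("STATUS_INVALID_HANDLE\n");
    } else if (status == STATUS_CANNOT_DELETE) {
        /* typically the key still has sub keys; ZwDeleteKey does not recurse */
        DbgPrint("STATUS_CANNOT_DELETE\n");
    } else {
        DbgPrint("MayBe the item has sub item to delete\n");
    }

    ZwClose(hRegister);
}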
