注册表操作
2015-07-18 00:45
561 查看
#include <ntddk.h> #define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\125096" #define MY_REG_SOFTWARE_KEY_NAME1 L"\\Registry\\Machine\\Software\\125096\\SubItem" void Unload(IN PDRIVER_OBJECT DriverObject); void CreateRegTest(void); //创建注册表 void OpenRegTest(void); //打开注册表 void SetRegTest(void); //写注册表 void DeleteItemRegTest(void); //删除注册表项 void QueryRegTest(void); //查询注册表 void EnumerateSubItemRegText(void); //枚举子项 void EnumetrateSubValueRegTest(void);//枚举键值 void RtlRegTest(void); //注册表测试 #ifdef __cplusplus extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath); #endif NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { unsigned i; DbgPrint("Hello from 1!\n"); DriverObject->DriverUnload =Unload; //#if DBG // _asm int 3 //#endif CreateRegTest(); OpenRegTest(); SetRegTest(); QueryRegTest(); EnumerateSubItemRegText(); EnumetrateSubValueRegTest(); DeleteItemRegTest(); RtlRegTest(); return STATUS_SUCCESS; } void Unload(IN PDRIVER_OBJECT DriverObject) { DbgPrint("Goodbye from 1!\n"); } void CreateRegTest(void) { //创建或打开某注册表项 UNICODE_STRING RegUnicodeString; HANDLE hRegister; //初始化UNICODE_STRING字符串 RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME); //初始化objectAttributes OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes(&objectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); //创建或打开注册表项目 ULONG ulResult; NTSTATUS ntStatus=ZwCreateKey(&hRegister, KEY_ALL_ACCESS, &objectAttributes, NULL, NULL, REG_OPTION_NON_VOLATILE, &ulResult); if (hRegister==NULL || ntStatus != STATUS_SUCCESS) { DbgPrint(TEXT("创建或者打开注册表失败")); return; } if (ulResult==REG_CREATED_NEW_KEY) { DbgPrint(TEXT("这是一个新的项被创建")); } else if (ulResult ==REG_OPENED_EXISTING_KEY) { DbgPrint(TEXT("当前注册表项已经被创建")); } //创建或打开某注册表项目的子项 UNICODE_STRING subRegUnicodeString; HANDLE hSubRegister; //初始化UNIOCDE_STRING字符串 RtlInitUnicodeString(&subRegUnicodeString,L"SubItem"); //初始化subobjectAttributes OBJECT_ATTRIBUTES subObjectAttributes; InitializeObjectAttributes(&subObjectAttributes, &subRegUnicodeString, OBJ_CASE_INSENSITIVE, hRegister, NULL); //创建或带打开注册表项 ntStatus=ZwCreateKey(&hSubRegister, KEY_ALL_ACCESS, &subObjectAttributes, NULL, NULL, REG_OPTION_NON_VOLATILE, &ulResult); if (hSubRegister==NULL || ntStatus != STATUS_SUCCESS) { DbgPrint(TEXT("创建或者打开注册表失败")); return; } if (ulResult==REG_CREATED_NEW_KEY) { DbgPrint(TEXT("这是一个新的项被创建")); } else if (ulResult ==REG_OPENED_EXISTING_KEY) { DbgPrint(TEXT("当前注册表项已经被创建")); } //关闭注册表句柄 ZwClose(hRegister); ZwClose(hSubRegister); return; } //打开注册表 void OpenRegTest(void) { UNICODE_STRING RegUnicodeString; HANDLE hRegister=NULL; //初始化UNICODE_STRING字符串 RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME1); //初始化objectAttributes OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes(&objectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); //打开注册表 NTSTATUS ntStatus=ZwOpenKey(&hRegister, KEY_ALL_ACCESS, &objectAttributes); if (hRegister==NULL || ntStatus!=STATUS_SUCCESS) { DbgPrint(TEXT("打开注册表失败")); return; } //删除注册表 ntStatus=ZwDeleteKey(hRegister); if (ntStatus==STATUS_SUCCESS) { DbgPrint(TEXT("注册表删除成功")); } else if (ntStatus==STATUS_ACCESS_DENIED) { DbgPrint(TEXT("拒绝访问")); } else if (ntStatus==STATUS_INVALID_HANDLE) { DbgPrint(TEXT("无效的句柄")); } else { DbgPrint(TEXT("打我PG我不乖")); } ZwClose(hRegister); return; } //写注册表 void SetRegTest(void) { UNICODE_STRING RegUnicodeString; HANDLE hRegister; //初始化UNICODE_STRING RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME); //初始化objectAttributes OBJECT_ATTRIBUTES objectAttribues; InitializeObjectAttributes(&objectAttribues, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); //打开注册表 NTSTATUS ntstatus=ZwOpenKey(&hRegister, KEY_ALL_ACCESS, &objectAttribues); if (hRegister==NULL || ntstatus!= STATUS_SUCCESS) { DbgPrint(TEXT("注册表打开失败")); return; } //初始化ValueName UNICODE_STRING ValueName; RtlInitUnicodeString(&ValueName,L"REG_DWORD value"); //设置REG_DWORD子健 ULONG ulValue=1000; ZwSetValueKey(hRegister,&ValueName,0,REG_DWORD,&ulValue,sizeof(ulValue)); //初始化ValueName RtlInitUnicodeString(&ValueName,L"REG_SZ value"); WCHAR* strValue=L"hello world"; //设置REG_SZ子健 ZwSetValueKey(hRegister,&ValueName,0,REG_SZ,strValue,wcslen(strValue)*2+2); //初始化ValueName RtlInitUnicodeString(&ValueName,L"REG_BINARY value"); UCHAR buffer[10]={0}; RtlFillMemory(buffer,sizeof(buffer),0XFF); //设置REG_MULTI_SZ子健 ZwSetValueKey(hRegister,&ValueName,0,REG_BINARY,buffer,sizeof(buffer)); //关闭注册表句柄 ZwClose(hRegister); return; } //删除注册表项 void DeleteItemRegTest(void) { UNICODE_STRING RegUnicodeString; HANDLE hRegister=NULL; //#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\125096\\SubItem" //初始化UNICODE_STRING字符串 RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME); //初始化objectAttributes OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes(&objectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); //打开注册表 NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes); if (ntStatus!=STATUS_SUCCESS || hRegister==NULL) { DbgPrint(TEXT("打开注册表失败")); } ntStatus=ZwDeleteKey(hRegister); if (ntStatus==STATUS_SUCCESS) { DbgPrint(TEXT("删除成功")); } else if (ntStatus==STATUS_ACCESS_DENIED) { DbgPrint(TEXT("拒绝访问")); } else if (ntStatus==STATUS_INVALID_HANDLE) { DbgPrint(TEXT("无效的句柄")); } else { DbgPrint(TEXT("这不科学")); } ZwClose(hRegister); return; } void QueryRegTest(void) { UNICODE_STRING RegUnicodeString; HANDLE hRegister=NULL; //初始化UNICODE_STRING字符串 RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME); //初始化objectarrtibutes OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes(&objectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); //打开注册表 NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes); if (hRegister==NULL || ntStatus!=STATUS_SUCCESS) { DbgPrint(TEXT("打开注册表失败")); } UNICODE_STRING ValueName; RtlInitUnicodeString(&ValueName,L"REG_DWORD value"); //读取REG_DWORD子健 ULONG ulSize=0; ntStatus=ZwQueryValueKey(hRegister, &ValueName, KeyValuePartialInformation, NULL,NULL,&ulSize); if (ntStatus==STATUS_OBJECT_NAME_NOT_FOUND || ulSize==0) { ZwClose(hRegister); DbgPrint(TEXT("读取注册表失败")); return; } PKEY_VALUE_PARTIAL_INFORMATION pvpi=(PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize); ntStatus=ZwQueryValueKey(hRegister, &ValueName, KeyValuePartialInformation, pvpi, ulSize, &ulSize); if (ntStatus!=STATUS_SUCCESS) { ZwClose(hRegister); DbgPrint(TEXT("读取注册表失败2")); return; } //判断是否为REG_DWORD类型 if (pvpi->Type==REG_DWORD && pvpi->DataLength==sizeof(ULONG)) { PULONG pulValue=(PULONG)pvpi->Data; DbgPrint(TEXT("%d\n"),*pulValue); } ExFreePool(pvpi); //初始化ValueName RtlInitUnicodeString(&ValueName,L"REG_SZ value"); //读取REG_SZ子健 ntStatus=ZwQueryValueKey(hRegister, &ValueName, KeyValuePartialInformation, NULL, NULL, &ulSize); if (ntStatus==STATUS_OBJECT_PATH_NOT_FOUND || ulSize==0) { ZwClose(hRegister); DbgPrint(TEXT("读取注册表失败3")); return; } pvpi=(PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize); ntStatus=ZwQueryValueKey(hRegister,&ValueName,KeyValuePartialInformation,pvpi,ulSize,&ulSize); if (ntStatus!=STATUS_SUCCESS) { ZwClose(hRegister); DbgPrint(TEXT("读取注册表失败4")); return; } //判断是否为REG_SZ类型 if (pvpi->Type==REG_SZ) { DbgPrint(TEXT("%S\n"),pvpi->Data); } ZwClose(hRegister); return; } //枚举注册表子项 void EnumerateSubItemRegText(void) { UNICODE_STRING RegUnicodeSting; HANDLE hRegister=NULL; //初始化UNICODE_STRING字符串 RtlInitUnicodeString(&RegUnicodeSting,MY_REG_SOFTWARE_KEY_NAME); //初始化objectAttributes OBJECT_ATTRIBUTES objectttributes; InitializeObjectAttributes(&objectttributes, &RegUnicodeSting, OBJ_CASE_INSENSITIVE, NULL, NULL); //打开注册表 NTSTATUS ntStatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectttributes); if (hRegister==NULL || ntStatus!= STATUS_SUCCESS) { DbgPrint(TEXT("打开注册表失败\n")); return; } ULONG ulSize=0; //第一次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的长度 ZwQueryKey(hRegister, KeyFullInformation, NULL, 0, &ulSize); //第二次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的数据 PKEY_FULL_INFORMATION pfi=(PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize); ZwQueryKey(hRegister, KeyFullInformation, pfi, ulSize, &ulSize); for (ULONG i=0;i<pfi->SubKeys;i++) { //第一次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的长度 ZwEnumerateKey(hRegister, i, KeyBasicInformation, NULL, NULL, &ulSize); PKEY_BASIC_INFORMATION pbi=(PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize); //第二次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的数据 ZwEnumerateKey(hRegister, i, KeyBasicInformation, pbi, ulSize, &ulSize); UNICODE_STRING uniKeyName; uniKeyName.Length= uniKeyName.MaximumLength=(USHORT)pbi->NameLength; uniKeyName.Buffer=pbi->Name; DbgPrint(TEXT("%wZ\n"),i,&uniKeyName); ExFreePool(pbi); } ExFreePool(pfi); ZwClose(hRegister); return; } //枚举键值 void EnumetrateSubValueRegTest(void) { UNICODE_STRING RegUnicodeString; HANDLE hRegister=NULL; //初始化UNICODE_STRING字符串 RtlInitUnicodeString(&RegUnicodeString,MY_REG_SOFTWARE_KEY_NAME); //初始化objectAttributes OBJECT_ATTRIBUTES objectAttributes; InitializeObjectAttributes(&objectAttributes, &RegUnicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL); //打开注册表 NTSTATUS ntstatus=ZwOpenKey(&hRegister,KEY_ALL_ACCESS,&objectAttributes); if (hRegister==NULL || ntstatus!=STATUS_SUCCESS) { DbgPrint(TEXT("打开注册表失败")); return; } ULONG ulSize=0; ZwQueryKey(hRegister, KeyFullInformation, NULL, NULL, &ulSize); PKEY_FULL_INFORMATION pfi=(PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize); ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize); for (ULONG i=0;i<pfi->Values;i++) { ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,NULL,NULL,&ulSize); PKEY_VALUE_BASIC_INFORMATION pvbi=(PKEY_VALUE_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize); ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,pvbi,ulSize,&ulSize); UNICODE_STRING uniKeyName; uniKeyName.Length= uniKeyName.MaximumLength=(USHORT)pvbi->NameLength; uniKeyName.Buffer=pvbi->Name; DbgPrint(TEXT("%wZ\n"),i,&uniKeyName); if (pvbi->Type==REG_SZ) { DbgPrint(TEXT("the sub value type:REG_SZ\n")); } else if (pvbi->Type==REG_MULTI_SZ) { DbgPrint(TEXT("the sub value type:REG_MULTI_SZ\n")); } else if(pvbi->Type==REG_DWORD) { DbgPrint(TEXT("the sub value type:REG_DWORD\n")); } else if (pvbi->Type==REG_BINARY) { DbgPrint(TEXT("the sub value type:REG_BINARY\n")); } else { DbgPrint(TEXT("the sub value type:not type\n")); } ExFreePool(pvbi); } ExFreePool(pfi); ZwClose(hRegister); return; } //注册表测试 void RtlRegTest(void) { //创建子项目 NTSTATUS ntStatus=RtlCreateRegistryKey(RTL_REGISTRY_SERVICES,L"HelloDDK"); //NTSTATUS ntStatus=RtlCreateRegistryKey(RTL_REGISTRY_ABSOLUTE,L"\\Registry\\Machine\\SOFTWARE\\125096"); if (ntStatus!=STATUS_SUCCESS) { DbgPrint(TEXT("创建失败")); } else { DbgPrint(TEXT("创建成功")); } //检查某项是否存在 ntStatus=RtlCheckRegistryKey(RTL_REGISTRY_SERVICES,L"HelloDDK"); if (ntStatus!=STATUS_SUCCESS) { DbgPrint(TEXT("不存在哈")); } //写入REG_DWORD的数据 ULONG value1=100; ntStatus=RtlWriteRegistryValue(RTL_REGISTRY_SERVICES, L"HelloDDK", L"DWORD_VALUE", REG_DWORD, &value1, sizeof(value1)); if (ntStatus!=STATUS_SUCCESS) { DbgPrint(TEXT("写入失败")); } //写入REG_SZ的数据 PWCHAR szString=L"Hello DDK"; ntStatus=RtlWriteRegistryValue(RTL_REGISTRY_SERVICES, L"HelloDDK", L"SZ_VALUE", REG_SZ, szString, wcslen(szString)*2+2); if (ntStatus!=STATUS_SUCCESS) { DbgPrint(TEXT("写入失败2")); } RTL_QUERY_REGISTRY_TABLE paramTable[2]={0}; RtlZeroMemory(paramTable,sizeof(paramTable)); ULONG defaultData=0; ULONG uQueryValue=0; paramTable[0].Flags=RTL_QUERY_REGISTRY_DIRECT; paramTable[0].Name=L"DWORD_VALUE"; paramTable[0].EntryContext=&uQueryValue; paramTable[0].DefaultType=REG_DWORD; paramTable[0].DefaultData=&defaultData; paramTable[0].DefaultLength=sizeof(ULONG); //查询REG_DWORD的数据 ntStatus=RtlQueryRegistryValues(RTL_REGISTRY_SERVICES, L"HelloDDK", paramTable, NULL, NULL); if (ntStatus==STATUS_SUCCESS) { DbgPrint(TEXT("The item is:%d\n",uQueryValue)); } //删除子健 ntStatus=RtlDeleteRegistryValue(RTL_REGISTRY_SERVICES, L"HelloDDK", L"DWORD_VALUE"); if (ntStatus==STATUS_SUCCESS) { DbgPrint(TEXT("删除成功")); } return; }
相关文章推荐
- 301
- iOS中-Qutarz2D详解及使用
- openerp学习笔记 按客户电话、名称模糊查找选择客户(name_search)及客户名称自定义显示(name_get) #同时按手机、电话、名称模糊查找选择客户 def nam
- 从fork面试题开始的思考
- java使用json将HashMap转化成javabean小例子
- Xcode 插件推荐
- UVA 12901 Refraction 数学
- 如何 clone git 项目到一个非空目录
- Gradle Tips#2-语法
- CSS专家的网站
- HDU 1018 斯特林公式应用
- maven最佳实践:划分模块
- 使用GetHashes获取Windows的用户密码Hash值
- HDU 1281 棋盘游戏
- Android中自定义样式与View的构造函数中的第三个参数defStyle的意义
- AndroidStudio中的包管理
- ubifs文件系统的移植
- java:快速文件分割及合并
- 资源管理器总是生成 avi,mpeg的预览图
- jffs2,yaffs2,logfs,ubifs文件系统性能分析