
内核注册表操作_zwcreatekey _zwopenkey_zwsetvaluekey_zwqueryvaluekey_zwquerykey_zwenumeratekey_zwenumera

2017-01-28 19:41 429 查看
#include"ntddk.h"
/*
 * Driver unload routine, installed by DriverEntry as DriverUnload.
 * It only emits a debug message; nothing else is released here.
 */
VOID xiezai1(PDRIVER_OBJECT qudongduixiang_wode)
{
    (void)qudongduixiang_wode; /* the driver object is not needed here */

    KdPrint(("驱动卸载历程 已经执行\n"));
}
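/*
 * Create the registry key at the given kernel-mode path with ZwCreateKey,
 * or open it if it already exists, and log which of the two happened.
 *
 * zhucebiaoxiang_lujing: NUL-terminated absolute registry path
 *                        (for example \REGISTRY\MACHINE\...).
 *
 * Returns the key handle, or NULL when ZwCreateKey fails. The caller owns
 * the returned handle and must release it with ZwClose.
 */
HANDLE chuanjianzhucebiao_xiang(wchar_t *zhucebiaoxiang_lujing) //ZwCreateKey
{
    HANDLE jubing = NULL;               // key handle; stays NULL on failure
    OBJECT_ATTRIBUTES shuxing_duixiang;
    UNICODE_STRING zhucebiaoxiangmingzi; // key name, i.e. its full path
    ULONG fanhui1 = 0;                  // disposition: created vs. opened
    NTSTATUS zhuangtai1;

    RtlInitUnicodeString(&zhucebiaoxiangmingzi, zhucebiaoxiang_lujing);

    // OBJ_KERNEL_HANDLE makes this a kernel handle, so it cannot be used or
    // closed from user mode even if the routine runs in a user process context.
    InitializeObjectAttributes(&shuxing_duixiang, &zhucebiaoxiangmingzi,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    // NOTE(review): GENERIC_ALL requests more access than the callers in this
    // file use (set value, query, enumerate); a narrower KEY_* mask would
    // follow least privilege. The Class argument receives the key path here,
    // which looks unintended; NULL is the usual value. Both left as written.
    zhuangtai1 = ZwCreateKey(&jubing, GENERIC_ALL, &shuxing_duixiang, 0,
                             &zhucebiaoxiangmingzi, REG_OPTION_NON_VOLATILE, &fanhui1);
    if (!NT_SUCCESS(zhuangtai1))
    {
        // Without this check the handle and disposition would be read
        // uninitialized and a garbage handle handed back to the caller.
        KdPrint(("ZwCreateKey failed: 0x%08X\n", zhuangtai1));
        return NULL;
    }

    if (fanhui1 == REG_CREATED_NEW_KEY)
    {
        KdPrint(("创建一个新的密钥\n"));
    }
    else if (fanhui1 == REG_OPENED_EXISTING_KEY)
    {
        KdPrint(("现有的键被打开了\n"));
    }
    return jubing;
}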
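/*
 * Open an existing registry key at the given kernel-mode path with ZwOpenKey.
 *
 * zhucebiaoxiang_lujing: NUL-terminated absolute registry path.
 *
 * Returns the key handle, or NULL when the key cannot be opened. The caller
 * owns the returned handle and must release it with ZwClose.
 */
HANDLE dakaizhucebiao_xiang(wchar_t *zhucebiaoxiang_lujing)//ZwOpenKey
{
    HANDLE jubing = NULL;               // key handle; stays NULL on failure
    UNICODE_STRING zhucebiaoxiangmingzi; // key name, i.e. its full path
    OBJECT_ATTRIBUTES shuxing_duixiang;
    NTSTATUS zhuangtai1;

    RtlInitUnicodeString(&zhucebiaoxiangmingzi, zhucebiaoxiang_lujing);

    // OBJ_KERNEL_HANDLE makes this a kernel handle, so it cannot be used or
    // closed from user mode even if the routine runs in a user process context.
    InitializeObjectAttributes(&shuxing_duixiang, &zhucebiaoxiangmingzi,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    // NOTE(review): GENERIC_ALL requests more access than the callers in this
    // file use; a narrower KEY_* mask would follow least privilege.
    zhuangtai1 = ZwOpenKey(&jubing, GENERIC_ALL, &shuxing_duixiang);
    if (!NT_SUCCESS(zhuangtai1))
    {
        // Return an explicit NULL: the handle variable is not a valid handle
        // on this path and must not reach ZwSetValueKey/ZwClose in the caller.
        KdPrint(("注册表_项 打开失败\n"));
        return NULL;
    }

    KdPrint(("注册表_项 打开成功\n"));
    return jubing;
}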
/*
 * Write the REG_DWORD value "m_1" = 100 under the key identified by jubing
 * using ZwSetValueKey, and log whether the write succeeded.
 */
VOID shezhixiangdejiandezhi(HANDLE jubing)//set a value under the key: ZwSetValueKey
{
    UNICODE_STRING value_name;
    ULONG value_data = 100;
    NTSTATUS status;

    RtlInitUnicodeString(&value_name, L"m_1");

    status = ZwSetValueKey(jubing, &value_name, 0, REG_DWORD,
                           &value_data, sizeof(value_data));
    if (NT_SUCCESS(status))
    {
        KdPrint(("设置键值成功\n"));
        return;
    }

    KdPrint(("设置键值失败\n"));
}
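/*
 * Query the key's KEY_FULL_INFORMATION with ZwQueryKey and return the number
 * of subkeys it has.
 *
 * jubing: handle to an open registry key; NULL is tolerated.
 *
 * Returns the subkey count, or 0 if the handle is NULL, the allocation fails
 * or the query fails.
 */
ULONG chaxun_xiang(HANDLE jubing)//query key information (e.g. counts): ZwQueryKey
{
    KEY_FULL_INFORMATION *xinxi;
    ULONG daxiao = 0;        // size in bytes of the key's full information
    ULONG zixiang_geshu = 0; // subkey count handed back to the caller
    NTSTATUS zhuangtai1;

    if (!jubing)
    {
        // Previously this path dereferenced and freed a NULL pointer.
        return 0;
    }

    // Size probe: with a zero-length buffer the call is expected to fail and
    // only report the required size, so its status is deliberately not used.
    ZwQueryKey(jubing, KeyFullInformation, NULL, 0, &daxiao);
    if (daxiao == 0)
    {
        return 0;
    }

    // NOTE(review): ExAllocatePool is untagged and deprecated; a tagged
    // allocator (ExAllocatePoolWithTag) makes leaks attributable.
    xinxi = ExAllocatePool(NonPagedPool, daxiao);
    if (xinxi == NULL)
    {
        return 0;
    }

    zhuangtai1 = ZwQueryKey(jubing, KeyFullInformation, xinxi, daxiao, &daxiao);
    if (NT_SUCCESS(zhuangtai1))
    {
        // Copy the count out before the buffer is released; reading
        // xinxi->SubKeys after ExFreePool is a use-after-free.
        zixiang_geshu = xinxi->SubKeys;
        KdPrint(("子项的个数%d\n", zixiang_geshu));
    }

    ExFreePool(xinxi);
    return zixiang_geshu;
}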
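/*
 * Enumerate the first j subkeys of the key with ZwEnumerateKey and print
 * each subkey's name.
 *
 * jubing: handle to an open registry key.
 * j:      number of subkey indices to visit, starting at index 0.
 */
VOID meiju_xiang(HANDLE jubing,ULONG j)//enumerate subkeys
{
    for (ULONG i = 0; i < j; i++)
    {
        ULONG daxiao = 0;             // bytes needed for this subkey's info
        KEY_BASIC_INFORMATION *xinxi;
        UNICODE_STRING mingzi;        // counted view of the subkey name
        NTSTATUS zhuangtai1;

        // Size probe for index i; expected to fail and only report the size.
        ZwEnumerateKey(jubing, i, KeyBasicInformation, NULL, 0, &daxiao);
        if (daxiao == 0)
        {
            break; // no size reported: bad handle or no entry at this index
        }

        xinxi = ExAllocatePool(NonPagedPool, daxiao);
        if (xinxi == NULL)
        {
            break;
        }

        // The key can change between the probe and this call, so the status
        // is checked before the buffer contents are trusted.
        zhuangtai1 = ZwEnumerateKey(jubing, i, KeyBasicInformation, xinxi, daxiao, &daxiao);
        if (NT_SUCCESS(zhuangtai1))
        {
            // Name is NOT NUL-terminated; NameLength is its size in bytes.
            // Printing it with %S reads past the end of the allocation, so
            // wrap it in a counted UNICODE_STRING and print with %wZ.
            mingzi.Buffer = xinxi->Name;
            mingzi.Length = (USHORT)xinxi->NameLength;
            mingzi.MaximumLength = mingzi.Length;
            KdPrint(("子项的名字%wZ", &mingzi));
        }

        // Free inside the loop: one buffer is allocated per subkey, and
        // freeing only after the loop leaked all but the last one (and
        // passed NULL to ExFreePool when j was 0).
        ExFreePool(xinxi);
    }
}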
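/*
 * Driver entry point. Prints the driver's registry path, then demonstrates
 * the registry helpers in order: create the key, open it, set a value,
 * query the subkey count and enumerate the subkeys.
 *
 * qudongduixiang_wode: driver object; receives the unload routine.
 * zhucebiao_wode:      registry path of this driver (only printed).
 *
 * Always returns STATUS_SUCCESS so the driver stays loaded; registry
 * failures only skip the remaining demonstration steps.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang_wode, PUNICODE_STRING zhucebiao_wode)
{
    // NOTE(review): the path is pinned to ControlSet001. The control set in
    // use is normally reached through CurrentControlSet, and the driver's own
    // key is already supplied in zhucebiao_wode -- confirm which is intended.
    static wchar_t xiang_lujing[] =
        L"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\lisaisaidequdong_xiang";
    HANDLE jubing = NULL;
    ULONG xiang_geshu = 0;

    KdPrint(("打印本驱动的注册表路径%wZ\n", zhucebiao_wode));

    qudongduixiang_wode->DriverUnload = xiezai1;

    // Create the key, then release that handle before opening the key again;
    // overwriting it with the second handle leaked the first one.
    jubing = chuanjianzhucebiao_xiang(xiang_lujing);
    if (jubing != NULL)
    {
        ZwClose(jubing);
    }

    // A NULL handle is treated as failure; this check is only effective if
    // the open helper hands back NULL when ZwOpenKey fails.
    jubing = dakaizhucebiao_xiang(xiang_lujing);
    if (jubing == NULL)
    {
        return STATUS_SUCCESS;
    }

    shezhixiangdejiandezhi(jubing);      // set a value under the key
    xiang_geshu = chaxun_xiang(jubing);  // number of subkeys
    meiju_xiang(jubing, xiang_geshu);    // walk the subkeys
    //ZwDeleteKey(jubing); would delete the key
    ZwClose(jubing);

    return STATUS_SUCCESS;
}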