Windows内核--交互注册表Reg

void RegTest()//内核的操作Reg函数和User下的函数不一样
{
RawCreateOpenRegTest();
EasyOpenRegTest();
EditReg();
QueryReg();
}

void RawCreateOpenRegTest()
//内核的操作Reg函数和User下的函数不一样
{
//获取注册表句柄ZwCreateKey
//创建或打开某注册表
UNICODE_STRING RegUnicodeString;
HANDLE hRegister;

//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString, L"MY_REG_SOFTWARE_KEY_NAME");

OBJECT_ATTRIBUTES objectAttributes;
//初始化objectAttributes
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
ULONG ulResult;
//创建或打开注册表项目，有就打开没有就创建再打开
NTSTATUS ntStatus = ZwCreateKey(&hRegister, KEY_ALL_ACCESS,
&objectAttributes, 0, NULL, REG_OPTION_NON_VOLATILE,
&ulResult);

if (NT_SUCCESS(ntStatus))
{
//判断是新创建打开，还是直接打开
if (ulResult == REG_CREATED_NEW_KEY)
{
KdPrint(("The Register item is created\n"));
}
else if (ulResult == REG_OPENED_EXISTING_KEY)
{
KdPrint(("The Register item has been created,and now is opened\n"));
}
}

//创建或打开注册表项目的子项
UNICODE_STRING subRegUnicodeString;
HANDLE hSubRegister;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&subRegUnicodeString, L"SubItem");
OBJECT_ATTRIBUTES subObjectAttributes;
//初始化subObjectAttributes
InitializeObjectAttributes(&subObjectAttributes,
&subRegUnicodeString,
OBJ_CASE_INSENSITIVE,//对大小写敏感
hRegister,
NULL);

//创建或打开注册表
ntStatus = ZwCreateKey(&hSubRegister, KEY_ALL_ACCESS,
&subObjectAttributes, 0, NULL,
REG_OPTION_NON_VOLATILE, &ulResult);
if (NT_SUCCESS(ntStatus))
{
//判断是被新创建，还是被打开
if (ulResult == REG_CREATED_NEW_KEY)
{
KdPrint(("The Sub Register item is Created\n"));
}
else if (ulResult == REG_OPENED_EXISTING_KEY)
{
KdPrint(("The Sub Register item has benn create,and now is opened\n"));
}
}

//关闭注册表句柄
ZwClose(hRegister);
ZwClose(hSubRegister);
}
void EasyOpenRegTest()
{
//使用ZwOpenKey函数来简化打开注册表
UNICODE_STRING RegUnicodeString;
HANDLE hRegister;

//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString, L"MY_REG_SOFTWARE_KEY_NAME");

OBJECT_ATTRIBUTES objectAttributes;
//初始化objectAttributes
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString, OBJ_CASE_INSENSITIVE,
NULL, NULL);

//打开注册表
NTSTATUS ntStatus = ZwOpenKey(&hRegister, KEY_ALL_ACCESS,
&objectAttributes);

//判断是否打开成功
if((NT_SUCCESS(ntStatus)))
{
KdPrint(("Open Register Successfully\n"));
}
ZwClose(hRegister);
}
void EditReg()
{
//ZwSetValueKey,注册表以二元形式存储，也就是map
UNICODE_STRING RegUnicodeString;
HANDLE hRegsiter;

//初始化UNICODE_STRING字符串
RtlInitUnicodeString(&RegUnicodeString, L"MY_REG_SOFTWARE_KEY_NAME");
OBJECT_ATTRIBUTES objectAttributes;
//初始化objectAttributes
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);

//打开注册表
NTSTATUS ntStatus = ZwOpenKey(&hRegsiter,
KEY_ALL_ACCESS, &objectAttributes);

if (NT_SUCCESS(ntStatus))
{
KdPrint(("Open Register Successfully\n"));
}

UNICODE_STRING ValueName;
//初始化ValueName
RtlInitUnicodeString(&ValueName, L"REG_DWORD value");

//设置REG_DWORD子健
ULONG ulValue = 1000;
ZwSetValueKey(hRegsiter,
&ValueName,
0,
REG_DWORD,
&ulValue,
sizeof(ulValue));

//初始化ValueName
RtlInitUnicodeString(&ValueName, L"REG_SZ value");
WCHAR* strValue = L"hello world";

//设置REG_SZ子健
ZwSetValueKey(hRegsiter,
&ValueName,
0,
REG_SZ,
strValue,
wcslen(strValue) * 2 + 2);

//初始化ValueName
RtlInitUnicodeString(&ValueName, L"REG_BINARY value");

UCHAR buffer[10];
RtlFillMemory(buffer, sizeof(buffer), 0XFF);
//设置REG_MULTI_SZ子健
ZwSetValueKey(hRegsiter,
&ValueName,
0,
REG_BINARY,
buffer,
sizeof(buffer));

//关闭注册表句柄
ZwClose(hRegsiter);
}