好友
阅读权限10
听众
最后登录1970-1-1
|
谈笑人生
发表于 2018-4-18 18:23
本帖最后由 谈笑人生 于 2018-4-19 16:28 编辑
吾爱专用:最近太忙 网络找了 一些代码 具体来分析 大神勿喷 基础的只是 小白学习。发截图 不如直接发代码 :
#include<ntddk.h> //头文件
#include<string.h> //头文件
//1.字符串初始化
VOID StringInitTest() //自定义函数
{
//(1)用RtlInitAnsiString 初始化字符串
{
ANSI_STRING AnsiString1;
CHAR * string1 = "hello";
//初始化ANSI_STRING字符串
RtlInitAnsiString(&AnsiString1, string1);
DbgPrint("AnsiString1:%Z\n", &AnsiString1);//打印hello
string1[0] = 'H';
string1[1] = 'E';
string1[2] = 'L';
string1[3] = 'L';
string1[4] = 'O';
//改变string1,AnsiString1同样会导致变化
DbgPrint("AnsiString1:%Z\n", &AnsiString1);//打印HELLO
}
//(2)程序员自己初始化字符串
{
#define BUFFER_SIZE 1024
UNICODE_STRING UnicodeString1 = { 0 };
WCHAR* wideString = L"hello";
//设置缓冲区大小
UnicodeString1.MaximumLength = BUFFER_SIZE;
//分配内存
UnicodeString1.Buffer = (PWSTR)ExAllocatePool(PagedPool, BUFFER_SIZE);
//设置字符长度,因为是宽字符,所以是字符长度的2倍
UnicodeString1.Length = 2 * wcslen(wideString);
//保证缓冲区足够大,否则程序终止
ASSERT(UnicodeString1.MaximumLength >= UnicodeString1.Length);
//内存拷贝,
RtlCopyMemory(UnicodeString1.Buffer, wideString, UnicodeString1.Length);
//设置字符长度
UnicodeString1.Length = 2 * wcslen(wideString);
DbgPrint("UnicodeString:%wZ\n", &UnicodeString1);
//清理内存
ExFreePool(UnicodeString1.Buffer);
UnicodeString1.Buffer = NULL;
UnicodeString1.Length = UnicodeString1.MaximumLength = 0;
}
}
//2.字符串拷贝
VOID StringCopyTest() //自定义函数
{
UNICODE_STRING UnicodeString1;
UNICODE_STRING UnicodeString2 = { 0 };
//初始化UnicodeString1
RtlInitUnicodeString(&UnicodeString1, L"Hello World");
//初始化UnicodeString2
UnicodeString2.Buffer = (PWSTR)ExAllocatePool(PagedPool, BUFFER_SIZE);
UnicodeString2.MaximumLength = BUFFER_SIZE;
//将初始化UnicodeString2拷贝到UnicodeString1
RtlCopyUnicodeString(&UnicodeString2, &UnicodeString1);
//分别显示UnicodeString1和UnicodeString2
DbgPrint("UnicodeString1:%wZ\n", &UnicodeString1);
DbgPrint("UnicodeString2:%wZ\n", &UnicodeString2);
//销毁UnicodeString2(UnicodeString1不用销毁)
RtlFreeUnicodeString(&UnicodeString2);
}
//3.字符串比较
VOID StringCompareTest() //自定义函数
{
UNICODE_STRING UnicodeString1;
UNICODE_STRING UnicodeString2;
//初始化UnicodeString1
RtlInitUnicodeString(&UnicodeString1, L"Hello World");
//初始化UnicodeString2
RtlInitUnicodeString(&UnicodeString1, L"Hello");
if (RtlEqualUnicodeString(&UnicodeString1, &UnicodeString2, TRUE))
DbgPrint("UnicodeString1 and UnicodeString2 are equal\n");
else
DbgPrint("UnicodeString1 and UnicodeString2 are NOT equal\n");
}
//4.字符串变大写
VOID StringToUpperTest() //自定义函数
{
//初始化UnicodeString1
UNICODE_STRING UnicodeString1;
UNICODE_STRING UnicodeString2;
RtlInitUnicodeString(&UnicodeString1, L"Hello World");
//变化前
DbgPrint("UnicodeString1:%wZ\n", &UnicodeString1);
//变大写
RtlUpcaseUnicodeString(&UnicodeString2, &UnicodeString1, TRUE);
//变化后
DbgPrint("UnicodeString2:%wZ\n", &UnicodeString2);
//销毁UnicodeString2(UnicodeString1不用销毁)
RtlFreeUnicodeString(&UnicodeString2);
}
//5.字符串与整型相互转化
VOID StringToIntegerTest() //自定义函数
{
//(1)字符串转换成数字
{
UNICODE_STRING UnicodeString1;
ULONG lNumber;
NTSTATUS nStatus;
//初始化UnicodeString1
RtlInitUnicodeString(&UnicodeString1, L"-100");
nStatus = RtlUnicodeStringToInteger(&UnicodeString1, 10, &lNumber);
if (NT_SUCCESS(nStatus))
{
DbgPrint("Conver to integer succussfully!\n");
DbgPrint("Result:%d\n", lNumber);
}
else
{
DbgPrint("Conver to integer unsuccessfully!\n");
}
}
//(2)数字转换成字符串
{
NTSTATUS nStatus;
UNICODE_STRING UnicodeString2 = { 0 };
//初始化UnicodeString2
UnicodeString2.Buffer = (PWSTR)ExAllocatePool(PagedPool, BUFFER_SIZE);
UnicodeString2.MaximumLength = BUFFER_SIZE;
nStatus = RtlIntegerToUnicodeString(200, 10, &UnicodeString2);
if (NT_SUCCESS(nStatus))
{
DbgPrint("Conver to string succussfully!\n");
DbgPrint("Result:%wZ\n", &UnicodeString2);
}
else
{
DbgPrint("Conver to string unsuccessfully!\n");
}
//销毁UnicodeString2
//注意!!UnicodeString1不用销毁
RtlFreeUnicodeString(&UnicodeString2);
}
}
//6. ANSI_STRING字符串与UNICODE_STRING字符串相互转换
VOID StringConverTest()
{
//(1)将UNICODE_STRING字符串转换成ANSI_STRING字符串
UNICODE_STRING UnicodeString1;
ANSI_STRING AnsiString1;
NTSTATUS nStatus;
//初始化UnicodeString1
RtlInitUnicodeString(&UnicodeString1, L"Hello World");
nStatus = RtlUnicodeStringToAnsiString(&AnsiString1, &UnicodeString1, TRUE);
if (NT_SUCCESS(nStatus))
{
DbgPrint("Conver succussfully!\n");
DbgPrint("Result:%Z\n", &AnsiString1);
}
else
{
DbgPrint("Conver unsuccessfully!\n");
}
//销毁AnsiString1
RtlFreeAnsiString(&AnsiString1);
//(2)将ANSI_STRING字符串转换成UNICODE_STRING字符串
{
ANSI_STRING AnsiString2;
UNICODE_STRING UnicodeString2;
NTSTATUS nStatus;
//初始化AnsiString2
RtlInitString(&AnsiString2, "Hello World");
nStatus = RtlAnsiStringToUnicodeString(&UnicodeString2, &AnsiString2, TRUE);
if (NT_SUCCESS(nStatus))
{
DbgPrint("Conver succussfully!\n");
DbgPrint("Result:%wZ\n", &UnicodeString2);
}
else
{
DbgPrint("Conver unsuccessfully!\n");
}
//销毁UnicodeString2
RtlFreeUnicodeString(&UnicodeString2);
}
}
/*
以下代码为字符串转换代码
*/
//UNICODE_STRINGz转换为CHAR*
//输入UNICODE_STRING的指针,输出窄字符串,BUFFER需要已经分配好空间
VOID UnicodeToChar(PUNICODE_STRING dst, char *src)
{
ANSI_STRING string;
RtlUnicodeStringToAnsiString(&string, dst, TRUE);
strcpy(src, string.Buffer);
RtlFreeAnsiString(&string);
}
//WCHAR*转换为CHAR*
//输入宽字符串首地址,输出窄字符串,BUFFER需要已经分配好空间
VOID WcharToChar(PWCHAR src, PCHAR dst)
{
UNICODE_STRING uString;
ANSI_STRING aString;
RtlInitUnicodeString(&uString, src);
RtlUnicodeStringToAnsiString(&aString, &uString, TRUE);
strcpy(dst, aString.Buffer);
RtlFreeAnsiString(&aString);
}
//CHAR*转WCHAR*
//输入窄字符串首地址,输出宽字符串,BUFFER需要已经分配好空间
VOID CharToWchar(PCHAR src, PWCHAR dst)
{
UNICODE_STRING uString;
ANSI_STRING aString;
RtlInitAnsiString(&aString, src);
RtlAnsiStringToUnicodeString(&uString, &aString, TRUE);
wcscpy(dst, uString.Buffer);
RtlFreeUnicodeString(&uString);
}
VOID MyUnload(PDRIVER_OBJECT pDriverObject) //卸载驱动 格式 都是死的
{
///卸载历程
/*DbgPrint("1111111");*/
DbgPrint("[MyDriver]Unloaded...\n");
KdPrint(("驱动卸载成功"));
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING Reg_Path) //加载 驱动格式 都是死的
{
///主程序
KdPrint(("[MyDriver]Loaded...\n"));
pDriverObject->DriverUnload = MyUnload;
StringInitTest();
StringCopyTest();
StringCompareTest();
StringToUpperTest();
StringToIntegerTest();
StringConverTest();
return STATUS_SUCCESS;
}
---------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------
学习日志五注册表函数:
#include <ntddk.h>
#include <windef.h>
//PCWSTR C库文件自定义的字符串格式 解释如下:
//typedef _Null_terminated_ CONST WCHAR *LPCWSTR, *PCWSTR;
PVOID GetFunctionAddr(PCWSTR FunctionName)
{
//UNICODE_STRING 自定义数据类型 UniCodeFunctionNam
UNICODE_STRING UniCodeFunctionName;
/*RtlInitUnicodeString( 初始化ANSI_STRING字符串,参数:1.要初始化的字符2.字符串的内容
_Out_ PUNICODE_STRING DestinationString,
_In_opt_z_ __drv_aliasesMem PCWSTR SourceString
);*/
RtlInitUnicodeString(&UniCodeFunctionName, FunctionName);
/*MmGetSystemRoutineAddress 得到系统导出函数的地址*/
return MmGetSystemRoutineAddress(&UniCodeFunctionName);
}
//NTKERNELAPI NTSTATUS ZwRenameKey(HANDLE KeyHandle, PUNICODE_STRING NewName);
//typedef 标识另起名字C本身的死命令 NTSTATUS:宏
//__fastcall:调用约定:它是通过寄存器来传送参数的(实际上,它用ecx和edx传送前两个双字(dword)或更小的参数,
//剩下的参数仍旧自右向左压栈传送,被调用的函数在返回前清理传送参数的内存栈)。
//PUNICODE_STRING:自定义数据类型然后又起了个别名
typedef NTSTATUS (__fastcall *ZWRENAMEKEY)(HANDLE KeyHandle, PUNICODE_STRING NewName);
ZWRENAMEKEY MyZwRenameKey=NULL;
//RegCreateKey,用于创建或打开注册表项
void RegCreateKey(LPWSTR KeyName)
{
//typedef struct _OBJECT_ATTRIBUTES {
// ULONG Length;
// HANDLE RootDirectory;
// PUNICODE_STRING ObjectName;
// ULONG Attributes;
// PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
// PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
//} OBJECT_ATTRIBUTES; 头文件的自定义数据类型 UNICODE_STRING:头文件的自定义数据类型
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING usKeyName;
/*NTSTATUS ntStatus;库文件自定义返回类型*/
NTSTATUS ntStatus;
/*typedef void *HANDLE; 万能指针*/
HANDLE hRegister;
//上面有解释
RtlInitUnicodeString( &usKeyName, KeyName);
/*InitializeObjectAttributes(p, n, a, r, s) {
\
(p)->Length = sizeof(OBJECT_ATTRIBUTES); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}*/
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
//---------------------------------------------------------------------
/*ZwCreateKey 指定的项不存在,则会直接创建该项*/
//ZwCreateKey(
// OUT PHANDLE KeyHandle,
// IN ACCESS_MASK DesiredAccess, //访问权限,一般为KEY_ALL_ACCLESS
// IN POBJECT_ATTRIBUTES ObjectAttributes,
// IN ULONG TitleIndex, //一般为NULL
// IN PUNICODE_STRING Class OPTIONAL, //一般为NULL
// IN ULONG CreateOptions, //一般为REG_OPTION_NON_VOLATILE
// OUT PULONG Disposition OPTIONAL //返回是打开成功还是创建成功
// );
/*ZwOpenKey 例程打开一个已经存在的注册表键*/
//----------------------------------------------------------------------
/*ZwOpenKey(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);*/
ntStatus=ZwCreateKey(&hRegister, KEY_ALL_ACCESS, &objectAttributes, 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
if(NT_SUCCESS(ntStatus))
{
/*ZwClose 关闭对象句柄*/
ZwClose(hRegister);
DbgPrint("ZwCreateKey success!\n");
}
else
{
DbgPrint("ZwCreateKey failed!\n");
}
}
//RegRenameKey 新建 KEY
void RegRenameKey(LPWSTR OldKeyName, LPWSTR NewKeyName)
{
OBJECT_ATTRIBUTES objectAttributes;
HANDLE hRegister;
NTSTATUS ntStatus;
UNICODE_STRING usOldKeyName,usNewKeyName;
RtlInitUnicodeString(&usOldKeyName,OldKeyName);
RtlInitUnicodeString(&usNewKeyName,NewKeyName);
InitializeObjectAttributes(&objectAttributes,
&usOldKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey( &hRegister, KEY_ALL_ACCESS, &objectAttributes);
if(NT_SUCCESS(ntStatus))
{
ntStatus = MyZwRenameKey(hRegister,&usNewKeyName);
ZwFlushKey(hRegister);
ZwClose(hRegister);
DbgPrint("ZwRenameKey success!\n");
}
else
{
DbgPrint("ZwRenameKey failed!\n");
}
}
//RegDeleteKey 删除 KEY
void RegDeleteKey(LPWSTR KeyName)
{
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING usKeyName;
NTSTATUS ntStatus;
HANDLE hRegister;
RtlInitUnicodeString( &usKeyName, KeyName);
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey( &hRegister, KEY_ALL_ACCESS, &objectAttributes);
if (NT_SUCCESS(ntStatus))
{
ntStatus = ZwDeleteKey(hRegister);
ZwClose(hRegister);
DbgPrint("ZwDeleteKey success!\n");
}
else
{
DbgPrint("ZwDeleteKey failed!\n");
}
}
//新建/设置 VALUE
void RegSetValueKey(LPWSTR KeyName, LPWSTR ValueName, DWORD DataType, PVOID DataBuffer, DWORD DataLength)
{
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING usKeyName,usValueName;
NTSTATUS ntStatus;
HANDLE hRegister;
ULONG Type;
RtlInitUnicodeString(&usKeyName, KeyName);
RtlInitUnicodeString(&usValueName, ValueName);
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey(&hRegister, KEY_ALL_ACCESS, &objectAttributes);
if (NT_SUCCESS(ntStatus))
{
ntStatus = ZwSetValueKey(hRegister, &usValueName, 0, DataType, DataBuffer, DataLength);
ZwFlushKey(hRegister);
ZwClose(hRegister);
DbgPrint("ZwSetValueKey success!\n");
}
else
{
DbgPrint("ZwSetValueKey failed!\n");
}
}
/*
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
ULONG TitleIndex;
ULONG Type;
ULONG DataLength;
UCHAR Data[1];
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
*/
//自定义函数
NTSTATUS RegQueryValueKey(LPWSTR KeyName, LPWSTR ValueName, PKEY_VALUE_PARTIAL_INFORMATION *pkvpi)
{
ULONG ulSize;
NTSTATUS ntStatus;
PKEY_VALUE_PARTIAL_INFORMATION pvpi;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE hRegister;
UNICODE_STRING usKeyName;
UNICODE_STRING usValueName;
RtlInitUnicodeString(&usKeyName, KeyName);
RtlInitUnicodeString(&usValueName, ValueName);
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey( &hRegister, KEY_ALL_ACCESS, &objectAttributes);
if(!NT_SUCCESS(ntStatus))
{
DbgPrint("[RegQueryValueKey]ZwOpenKey failed!\n");
return ntStatus;
}
ntStatus = ZwQueryValueKey(hRegister,
&usValueName,
KeyValuePartialInformation ,
NULL,
0,
&ulSize);
if (ntStatus==STATUS_OBJECT_NAME_NOT_FOUND || ulSize==0)
{
DbgPrint("ZwQueryValueKey 1 failed!\n");
return STATUS_UNSUCCESSFUL;
}
pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ntStatus = ZwQueryValueKey(hRegister,
&usValueName,
KeyValuePartialInformation ,
pvpi,
ulSize,
&ulSize);
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("ZwQueryValueKey 2 failed!\n");
return STATUS_UNSUCCESSFUL;
}
//这里的pvpi是没有释放的用完要释放。ExFreePool(pvpi);
*pkvpi=pvpi;
DbgPrint("ZwQueryValueKey success!\n");
return STATUS_SUCCESS;
}
//自定义函数
void RegDeleteValueKey(LPWSTR KeyName, LPWSTR ValueName)
{
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING usKeyName,usValueName;
NTSTATUS ntStatus;
HANDLE hRegister;
RtlInitUnicodeString(&usKeyName, KeyName);
RtlInitUnicodeString(&usValueName, ValueName);
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey(&hRegister, KEY_ALL_ACCESS, &objectAttributes);
if (NT_SUCCESS(ntStatus))
{
ntStatus = ZwDeleteValueKey(hRegister,&usValueName);
ZwFlushKey(hRegister);
ZwClose(hRegister);
DbgPrint("ZwDeleteValueKey success!\n");
}
else
{
DbgPrint("ZwDeleteValueKey failed!\n");
}
}
//自定义
VOID EnumSubKeyTest()
{
WCHAR MY_KEY_NAME[] = L"\\Registry\\Machine\\Software";
UNICODE_STRING RegUnicodeString;
HANDLE hRegister;
OBJECT_ATTRIBUTES objectAttributes;
NTSTATUS ntStatus;
ULONG ulSize,i;
UNICODE_STRING uniKeyName;
PKEY_FULL_INFORMATION pfi;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString( &RegUnicodeString, MY_KEY_NAME);
//初始化objectAttributes
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
//打开注册表
ntStatus = ZwOpenKey( &hRegister,
KEY_ALL_ACCESS,
&objectAttributes);
if (NT_SUCCESS(ntStatus))
{
DbgPrint("Open register successfully\n");
}
//第一次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的长度
ZwQueryKey(hRegister,KeyFullInformation,NULL,0,&ulSize);
pfi = (PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
//第二次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的数据
ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize);
for (i=0;i<pfi->SubKeys;i++)
{
PKEY_BASIC_INFORMATION pbi;
//第一次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的长度
ZwEnumerateKey(hRegister,i,KeyBasicInformation,NULL,0,&ulSize);
pbi =(PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize);
//第二次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的数据
ZwEnumerateKey(hRegister,i,KeyBasicInformation,pbi,ulSize,&ulSize);
uniKeyName.Length = (USHORT)pbi->NameLength;
uniKeyName.MaximumLength = (USHORT)pbi->NameLength;
uniKeyName.Buffer = pbi->Name;
DbgPrint("The %d sub item name:%wZ\n",i,&uniKeyName);
ExFreePool(pbi);
}
ExFreePool(pfi);
ZwClose(hRegister);
}
//自定义
VOID EnumSubValueTest()
{
WCHAR MY_KEY_NAME[] = L"\\Registry\\Machine\\Software\\Microsoft\\.NETFramework";
UNICODE_STRING RegUnicodeString;
HANDLE hRegister;
OBJECT_ATTRIBUTES objectAttributes;
ULONG ulSize,i;
UNICODE_STRING uniKeyName;
PKEY_FULL_INFORMATION pfi;
NTSTATUS ntStatus;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString( &RegUnicodeString, MY_KEY_NAME);
//初始化objectAttributes
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
//打开注册表
ntStatus = ZwOpenKey( &hRegister,KEY_ALL_ACCESS,&objectAttributes);
if (NT_SUCCESS(ntStatus))
{
DbgPrint("Open register successfully\n");
}
//查询VALUE的大小
ZwQueryKey(hRegister,KeyFullInformation,NULL,0,&ulSize);
pfi = (PKEY_FULL_INFORMATION) ExAllocatePool(PagedPool,ulSize);
ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize);
for (i=0;i<pfi->Values;i++)
{
PKEY_VALUE_BASIC_INFORMATION pvbi;
//查询单个VALUE的大小
ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,NULL,0,&ulSize);
pvbi = (PKEY_VALUE_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize);
//查询单个VALUE的详情
ZwEnumerateValueKey(hRegister,i,KeyValueBasicInformation,pvbi,ulSize,&ulSize);
uniKeyName.Length = (USHORT)pvbi->NameLength;
uniKeyName.MaximumLength = (USHORT)pvbi->NameLength;
uniKeyName.Buffer = pvbi->Name;
DbgPrint("The %d sub value name:%wZ\n",i,&uniKeyName);
if (pvbi->Type==REG_SZ)
{
DbgPrint("The sub value type:REG_SZ\n");
}
else if (pvbi->Type==REG_MULTI_SZ)
{
DbgPrint("The sub value type:REG_MULTI_SZ\n");
}
else if (pvbi->Type==REG_DWORD)
{
DbgPrint("The sub value type:REG_DWORD\n");
}
else if (pvbi->Type==REG_BINARY)
{
DbgPrint("The sub value type:REG_BINARY\n");
}
ExFreePool(pvbi);
}
ExFreePool(pfi);
ZwClose(hRegister);
}
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("[MyDriver]Unloaded...\n");
return;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
DWORD dw=1234,dw0=0;
PKEY_VALUE_PARTIAL_INFORMATION pkvi;
DriverObject->DriverUnload = DriverUnload;
DbgPrint("[MyDriver]Loaded...\n");
//
MyZwRenameKey=(ZWRENAMEKEY)GetFunctionAddr(L"ZwRenameKey");//DbgPrint("ZwRenameKey: %p\n",MyZwRenameKey);
//
DbgPrint("枚举子KEY测试\n");
EnumSubKeyTest();
DbgPrint("\n");
DbgPrint("枚举子VALUE测试\n");
EnumSubValueTest();
DbgPrint("\n");
DbgPrint("创建KEY测试\n");
RegCreateKey(L"\\Registry\\Machine\\Software\\0000");
DbgPrint("\n");
DbgPrint("重命名KEY测试\n");
RegRenameKey(L"\\Registry\\Machine\\Software\\0000",L"1111");
DbgPrint("\n");
DbgPrint("新建/设置VALUE测试\n");
RegSetValueKey(L"\\Registry\\Machine\\Software\\1111",L"dw",REG_DWORD,&dw,sizeof(dw));
DbgPrint("\n");
DbgPrint("查询VALUE测试\n");
RegQueryValueKey(L"\\Registry\\Machine\\Software\\1111",L"dw",&pkvi);
memcpy(&dw0,pkvi->Data,pkvi->DataLength);
DbgPrint("dw0: %ld\n",dw0);
ExFreePool(pkvi);
DbgPrint("\n");
DbgPrint("删除VALUE测试\n");
RegDeleteValueKey(L"\\Registry\\Machine\\Software\\1111",L"dw");
DbgPrint("\n");
DbgPrint("删除KEY测试\n");
RegDeleteKey(L"\\Registry\\Machine\\Software\\1111");
DbgPrint("\n");
//
return STATUS_SUCCESS;
}
|
免费评分
-
查看全部评分
|
[复制链接]
发表于 2018-4-18 18:44
