注册表回调整体框架
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { NTSTATUS ntStatus; ntStatus = CmRegisterCallback(MyRegistryCallback, NULL, &pCookie); return ntStatus; } //see demo: //7eightl-minifilter\Demo\REG-hips NTSTATUS HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION Data) { NTSTATUS status = 0; PUNICODE_STRING keyName; UNICODE_STRING uTarget; return STATUS_SUCCESS; } NTSTATUS MyRegistryCallback( __in PVOID CallbackContext, __in_opt PVOID Argument1, / / REG_NOTIFY_CLASS __in_opt PVOID Argument2 // KEY_INFORMATION ) { switch( (REG_NOTIFY_CLASS) Argument1) { case RegNtPreDeleteKey : return HOOK_PreNtDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2); case RegNtPreRenameKey: return HOOK_PreNtRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2); case RegNtPreCreateKeyEx: // pre 操作 return HOOK_PreNtCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2); case RegNtPostCreateKeyEx : // post 操作 return HOOK_PostNtCreateKeyEx((PRGG_POST_OPERATION_INFORMATION )} } } } main.c #include "precomp.h" #define DEVICE_NAME L"\\device\\HipsRegDrv" #define LINK_NAME L"\\dosDevices\\HipsRegDrv" // function to dispatch the IRPs NTSTATUS DispatchOK(PDEVICE_OBJECT DeviceObject, PIRP Irp) { Irp->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest(Irp,IO_NO_INCREMENT); return STATUS_SUCCESS; } VOID DriverUnload ( IN PDRIVER_OBJECT pDriverObject) { UNICODE_STRING strLink; RtlInitUnicodeString(&strLink, LINK_NAME); stopRegMon(); IoDeleteSymbolicLink(&strLink); IoDeleteDevice(pDriverObject->DeviceObject); DbgPrint(" Unloaded\n"); } NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath) { UNICODE_STRING DeviceName; UNICODE_STRING LinkName; NTSTATUS status; PDEVICE_OBJECT pDriverDeviceObject; ULONG i; //DbgPrint("Driver loaded."); pDriverObject->DriverUnload = DriverUnload; // init strings RtlInitUnicodeString(&DeviceName, DEVICE_NAME); RtlInitUnicodeString(&LinkName, LINK_NAME); // to communicate with usermode, we need a device status = IoCreateDevice( pDriverObject, // ptr to caller object 0, // extension device allocated byte number &DeviceName, // device name FILE_DEVICE_UNKNOWN, 0, // no special caracteristics FALSE, // we can open many handles in same time &pDriverDeviceObject); // [OUT] ptr to the created object if ( !NT_SUCCESS(status) ) return STATUS_NO_SUCH_DEVICE; pDriverDeviceObject-> Flags |= DO_BUFFERED_IO; // we also need a symbolic link status = IoCreateSymbolicLink(&LinkName,&DeviceName); if( !NT_SUCCESS(status) ) { IoDeleteDevice( pDriverDeviceObject ); return STATUS_NO_SUCH_DEVICE; } for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) pDriverObject->MajorFunction[i] = DispatchOK; startRegMon(pDriverObject); //Do other things... return STATUS_SUCCESS; } precomp.h #ifndef _PRECOMP_H_ #define _PRECOMP_H_ #include <ntifs.h> #include <ntddk.h> #include <windef.h> #include "regmon.h" #endif regmon.c #include "precomp.h" GENERIC_MAPPING g_KeyMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS}; static WCHAR g_wszAltitude[] = L"370020"; PGENERIC_MAPPING IoGetKeyGenericMapping( ) { return &g_KeyMapping; } BOOL MyObQueryObjectName(HANDLE hObjHandle, PUNICODE_STRING ustrObjectName, BOOL bNeedAllocateName) { PVOID pQueryBuffer = NULL; DWORD dwReqSize = 0; NTSTATUS ntStatus = 0; __try { dwReqSize = sizeof(OBJECT_NAME_INFORMATION) + (MAX_PATH + 32)*sizeof(WCHAR); pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, 'RFLM'); if(pQueryBuffer == NULL) return FALSE; ntStatus = ZwQueryObject(hObjHandle, ObjectNameInfo, pQueryBuffer, dwReqSize, &dwReqSize); if((ntStatus == STATUS_INFO_LENGTH_MISMATCH) || (ntStatus == STATUS_BUFFER_OVERFLOW) || (ntStatus == STATUS_BUFFER_TOO_SMALL)) { ExFreePool(pQueryBuffer); pQueryBuffer = NULL; pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, 'RFLM'); if(pQueryBuffer == NULL) { return FALSE; } ntStatus = ZwQueryObject(hObjHandle, ObjectNameInfo, pQueryBuffer, dwReqSize, &dwReqSize); } if(NT_SUCCESS(ntStatus)) { OBJECT_NAME_INFORMATION * pNameInfo = (OBJECT_NAME_INFORMATION *)pQueryBuffer; if(bNeedAllocateName) { ustrObjectName->Buffer = ExAllocatePoolWithTag(PagedPool, pNameInfo->Name.Length + sizeof(WCHAR), 'RFLM'); if(ustrObjectName->Buffer) { RtlZeroMemory(ustrObjectName->Buffer, pNameInfo->Name.Length + sizeof(WCHAR)); ustrObjectName->Length = 0; ustrObjectName->MaximumLength = pNameInfo->Name.Length; RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name); } else ntStatus = STATUS_INSUFFICIENT_RESOURCES; } else RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name); } } __except(EXCEPTION_EXECUTE_HANDLER) { ntStatus = GetExceptionCode(); } if(pQueryBuffer) { ExFreePool(pQueryBuffer); pQueryBuffer = NULL; } return NT_SUCCESS(ntStatus); } LARGE_INTEGER g_RegCookie; #if (NTDDI_VERSION >= NTDDI_VISTA) NTSTATUS TlGetObjectNameOnVistaAndLater(PVOID Object, PUNICODE_STRING Name) { PUNICODE_STRING pKeyName = NULL; NTSTATUS ntStatus = 0; if(Object == NULL || Name == NULL) return STATUS_INVALID_PARAMETER; ntStatus = CmCallbackGetKeyObjectID(&g_RegCookie, Object, NULL, &pKeyName); if(NT_SUCCESS(ntStatus) == FALSE) { return ntStatus; } Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag( PagedPool, pKeyName->Length, 'RFLM' ); if(Name->Buffer == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } RtlZeroMemory(Name->Buffer, pKeyName->Length); Name->Length = 0; Name->MaximumLength = pKeyName->Length; RtlCopyUnicodeString(Name, pKeyName); return STATUS_SUCCESS; } #endif NTSTATUS TlGetObjectNameOnXP(PVOID Object, PUNICODE_STRING Name) { UNICODE_STRING ustrKeyName = {0}; HANDLE ObjectHandle = NULL; NTSTATUS ntStatus = 0; if(Object == NULL || Name == NULL) return STATUS_INVALID_PARAMETER; ntStatus = ObOpenObjectByPointer(Object, OBJ_KERNEL_HANDLE , 0, 0, NULL, KernelMode, &ObjectHandle); if(NT_SUCCESS(ntStatus) == FALSE) { return ntStatus; } if(MyObQueryObjectName(ObjectHandle, &ustrKeyName, TRUE) == FALSE) { ZwClose(ObjectHandle); return STATUS_INSUFFICIENT_RESOURCES; } ZwClose(ObjectHandle); Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag( PagedPool, ustrKeyName.Length, 'RFLM' ); if(Name->Buffer == NULL) { return STATUS_INSUFFICIENT_RESOURCES; } RtlZeroMemory(Name->Buffer, ustrKeyName.Length); Name->Length = 0; Name->MaximumLength = ustrKeyName.Length; RtlCopyUnicodeString(Name, &ustrKeyName); ExFreePool(ustrKeyName.Buffer); return STATUS_SUCCESS; } NTSTATUS TlGetObjectFullName(PVOID Object, PUNICODE_STRING Name) { #if (NTDDI_VERSION >= NTDDI_LONGHORN) return TlGetObjectNameOnVistaAndLater(Object, Name); #else return TlGetObjectNameOnXP(Object, Name); #endif } NTSTATUS MyDeleteKey(PREG_DELETE_KEY_INFORMATION Data) { NTSTATUS ntStatus = 0; UNICODE_STRING ustrKeyName = {0}; __try { if((ExGetPreviousMode() == KernelMode)) { return STATUS_SUCCESS; } if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE) { return STATUS_SUCCESS; } DbgPrint("DeleteKey Key:%wZ\n", &ustrKeyName); ExFreePool(ustrKeyName.Buffer); } __except(EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } NTSTATUS MySetValueKey(PREG_SET_VALUE_KEY_INFORMATION Data) { NTSTATUS ntStatus = 0; UNICODE_STRING ustrKeyName = {0}; UNICODE_STRING ustrTarget = {0}; WCHAR wszKeyPath[MAX_PATH] = {0}; __try { if((ExGetPreviousMode() == KernelMode)) { return STATUS_SUCCESS; } if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE) { return STATUS_SUCCESS; } ustrTarget.Buffer = wszKeyPath; ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR); RtlCopyUnicodeString(&ustrTarget, &ustrKeyName); ExFreePool(ustrKeyName.Buffer); if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1] != L'\\' ) RtlAppendUnicodeToString(&ustrTarget, L"\\"); RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName); DbgPrint("SetValueKey Key:%wZ\n", &ustrTarget); } __except(EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } NTSTATUS MyDeleteValueKey(PREG_DELETE_VALUE_KEY_INFORMATION Data) { NTSTATUS ntStatus = 0; UNICODE_STRING ustrKeyName = {0}; UNICODE_STRING ustrTarget = {0}; WCHAR wszKeyPath[MAX_PATH] = {0}; __try { if((ExGetPreviousMode() == KernelMode)) { return STATUS_SUCCESS; } if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE) { return STATUS_SUCCESS; } ustrTarget.Buffer = wszKeyPath; ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR); RtlCopyUnicodeString(&ustrTarget, &ustrKeyName); ExFreePool(ustrKeyName.Buffer); if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1]!=L'\\' ) RtlAppendUnicodeToString(&ustrTarget, L"\\"); RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName); DbgPrint("DeleteValueKey Key:%wZ\n", &ustrTarget); } __except(EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } NTSTATUS MyRenameKey(PREG_RENAME_KEY_INFORMATION Data) { NTSTATUS ntStatus = 0; UNICODE_STRING ustrKeyName = {0}; __try { if((ExGetPreviousMode() == KernelMode)) { return STATUS_SUCCESS; } if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE) { return STATUS_SUCCESS; } DbgPrint("RenameKey Key:%wZ\n", &ustrKeyName); ExFreePool(ustrKeyName.Buffer); } __except(EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } NTSTATUS MyCreateKey(PREG_PRE_CREATE_KEY_INFORMATION Data) { NTSTATUS ntStatus = 0; UNICODE_STRING ustrTarget = {0}; WCHAR wszKeyName[MAX_PATH] = {0}; __try { if((ExGetPreviousMode() == KernelMode)) { return STATUS_SUCCESS; } ustrTarget.Buffer = wszKeyName; ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR); RtlCopyUnicodeString(&ustrTarget, Data->CompleteName); DbgPrint("CreateKey Key:%wZ\n", &ustrTarget); } __except(EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } NTSTATUS MyCreateKeyEx(PREG_CREATE_KEY_INFORMATION Data) { NTSTATUS ntStatus = 0; UNICODE_STRING ustrKeyName = {0}; UNICODE_STRING ustrTarget = {0}; __try { if((ExGetPreviousMode() == KernelMode)) { return STATUS_SUCCESS; } if(NT_SUCCESS(TlGetObjectFullName(Data->RootObject, &ustrKeyName)) == FALSE) { return STATUS_SUCCESS; } ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR); RtlCopyUnicodeString(&ustrTarget, &ustrKeyName); ExFreePool(ustrKeyName.Buffer); if(Data->CompleteName) { RtlAppendUnicodeToString(&ustrTarget, L"\\"); RtlAppendUnicodeStringToString(&ustrTarget, Data->CompleteName); } DbgPrint("CreateKeyEx :%wZ\n", ustrTarget); } __except(EXCEPTION_EXECUTE_HANDLER) { } return STATUS_SUCCESS; } NTSTATUS MyRegCallback ( PVOID CallbackContext, PVOID Argument1, PVOID Argument2 ) { switch( (REG_NOTIFY_CLASS) Argument1) { case RegNtPreDeleteKey : return MyDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2); case RegNtPreSetValueKey: return MySetValueKey((PREG_SET_VALUE_KEY_INFORMATION) Argument2); case RegNtPreDeleteValueKey: return MyDeleteValueKey((PREG_DELETE_VALUE_KEY_INFORMATION) Argument2); case RegNtPreRenameKey: return MyRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2); case RegNtPreCreateKey: return MyCreateKey((PREG_PRE_CREATE_KEY_INFORMATION) Argument2); case RegNtPreCreateKeyEx: return MyCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2); } return STATUS_SUCCESS; } NTSTATUS startRegMon(PDRIVER_OBJECT driverObject) { #if (NTDDI_VERSION >= NTDDI_VISTA) UNICODE_STRING uAltitude; RtlInitUnicodeString(&uAltitude, g_wszAltitude); return CmRegisterCallbackEx(MyRegCallback, &uAltitude, driverObject, NULL, &g_RegCookie, NULL); #else return CmRegisterCallback(MyRegCallback, NULL, &g_RegCookie); #endif } VOID stopRegMon( ) { CmUnRegisterCallback(g_RegCookie); } regmon.c #ifndef __REGMON_H__ #define __REGMON_H__ typedef enum _OBJECT_INFO_CLASS { ObjectBasicInfo, ObjectNameInfo, ObjectTypeInfo, ObjectAllTypesInfo, ObjectProtectionInfo } OBJECT_INFO_CLASS; PGENERIC_MAPPING IoGetKeyGenericMapping( ); NTSTATUS MyRegCallback ( PVOID CallbackContext, PVOID Argument1, PVOID Argument2 ); NTSTATUS startRegMon(PDRIVER_OBJECT driverObject); VOID stopRegMon( ); #endif
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
- {
- NTSTATUS ntStatus;
- ntStatus = CmRegisterCallback(MyRegistryCallback, NULL, &pCookie);
- return ntStatus;
- }
- //see demo:
- //7eightl-minifilter\Demo\REG-hips
- NTSTATUS HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION Data)
- {
- NTSTATUS status = 0;
- PUNICODE_STRING keyName;
- UNICODE_STRING uTarget;
- return STATUS_SUCCESS;
- }
- NTSTATUS MyRegistryCallback( __in PVOID CallbackContext, __in_opt PVOID Argument1, / / REG_NOTIFY_CLASS __in_opt PVOID Argument2 // KEY_INFORMATION ) {
- switch( (REG_NOTIFY_CLASS) Argument1)
- {
- case RegNtPreDeleteKey :
- return HOOK_PreNtDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2);
- case RegNtPreRenameKey:
- return HOOK_PreNtRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2);
- case RegNtPreCreateKeyEx: // pre 操作
- return HOOK_PreNtCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2);
- case RegNtPostCreateKeyEx : // post 操作
- return HOOK_PostNtCreateKeyEx((PRGG_POST_OPERATION_INFORMATION )}
- }
- } }
- main.c
- #include "precomp.h"
- #define DEVICE_NAME L"\\device\\HipsRegDrv"
- #define LINK_NAME L"\\dosDevices\\HipsRegDrv"
- // function to dispatch the IRPs
- NTSTATUS DispatchOK(PDEVICE_OBJECT DeviceObject, PIRP Irp)
- {
- Irp->IoStatus.Status = STATUS_SUCCESS;
- IoCompleteRequest(Irp,IO_NO_INCREMENT);
- return STATUS_SUCCESS;
- }
- VOID DriverUnload (
- IN PDRIVER_OBJECT pDriverObject)
- {
- UNICODE_STRING strLink;
- RtlInitUnicodeString(&strLink, LINK_NAME);
- stopRegMon();
- IoDeleteSymbolicLink(&strLink);
- IoDeleteDevice(pDriverObject->DeviceObject);
- DbgPrint(" Unloaded\n");
- }
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
- {
- UNICODE_STRING DeviceName;
- UNICODE_STRING LinkName;
- NTSTATUS status;
- PDEVICE_OBJECT pDriverDeviceObject;
- ULONG i;
- //DbgPrint("Driver loaded.");
- pDriverObject->DriverUnload = DriverUnload;
- // init strings
- RtlInitUnicodeString(&DeviceName, DEVICE_NAME);
- RtlInitUnicodeString(&LinkName, LINK_NAME);
- // to communicate with usermode, we need a device
- status = IoCreateDevice(
- pDriverObject, // ptr to caller object
- 0, // extension device allocated byte number
- &DeviceName, // device name
- FILE_DEVICE_UNKNOWN,
- 0, // no special caracteristics
- FALSE, // we can open many handles in same time
- &pDriverDeviceObject); // [OUT] ptr to the created object
- if ( !NT_SUCCESS(status) )
- return STATUS_NO_SUCH_DEVICE;
- pDriverDeviceObject-> Flags |= DO_BUFFERED_IO;
- // we also need a symbolic link
- status = IoCreateSymbolicLink(&LinkName,&DeviceName);
- if( !NT_SUCCESS(status) )
- {
- IoDeleteDevice( pDriverDeviceObject );
- return STATUS_NO_SUCH_DEVICE;
- }
- for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
- pDriverObject->MajorFunction[i] = DispatchOK;
- startRegMon(pDriverObject);
- //Do other things...
- return STATUS_SUCCESS;
- }
- precomp.h
- #ifndef _PRECOMP_H_
- #define _PRECOMP_H_
- #include <ntifs.h>
- #include <ntddk.h>
- #include <windef.h>
- #include "regmon.h"
- #endif
- regmon.c
- #include "precomp.h"
- GENERIC_MAPPING g_KeyMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS};
- static WCHAR g_wszAltitude[] = L"370020";
- PGENERIC_MAPPING IoGetKeyGenericMapping( )
- {
- return &g_KeyMapping;
- }
- BOOL MyObQueryObjectName(HANDLE hObjHandle, PUNICODE_STRING ustrObjectName, BOOL bNeedAllocateName)
- {
- PVOID pQueryBuffer = NULL;
- DWORD dwReqSize = 0;
- NTSTATUS ntStatus = 0;
- __try
- {
- dwReqSize = sizeof(OBJECT_NAME_INFORMATION) + (MAX_PATH + 32)*sizeof(WCHAR);
- pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, 'RFLM');
- if(pQueryBuffer == NULL)
- return FALSE;
- ntStatus = ZwQueryObject(hObjHandle,
- ObjectNameInfo,
- pQueryBuffer,
- dwReqSize,
- &dwReqSize);
- if((ntStatus == STATUS_INFO_LENGTH_MISMATCH) ||
- (ntStatus == STATUS_BUFFER_OVERFLOW) ||
- (ntStatus == STATUS_BUFFER_TOO_SMALL))
- {
- ExFreePool(pQueryBuffer);
- pQueryBuffer = NULL;
- pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, 'RFLM');
- if(pQueryBuffer == NULL)
- {
- return FALSE;
- }
- ntStatus = ZwQueryObject(hObjHandle,
- ObjectNameInfo,
- pQueryBuffer,
- dwReqSize,
- &dwReqSize);
- }
- if(NT_SUCCESS(ntStatus))
- {
- OBJECT_NAME_INFORMATION * pNameInfo = (OBJECT_NAME_INFORMATION *)pQueryBuffer;
- if(bNeedAllocateName)
- {
- ustrObjectName->Buffer = ExAllocatePoolWithTag(PagedPool, pNameInfo->Name.Length + sizeof(WCHAR), 'RFLM');
- if(ustrObjectName->Buffer)
- {
- RtlZeroMemory(ustrObjectName->Buffer, pNameInfo->Name.Length + sizeof(WCHAR));
- ustrObjectName->Length = 0;
- ustrObjectName->MaximumLength = pNameInfo->Name.Length;
- RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name);
- }
- else
- ntStatus = STATUS_INSUFFICIENT_RESOURCES;
- }
- else
- RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name);
- }
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- ntStatus = GetExceptionCode();
- }
- if(pQueryBuffer)
- {
- ExFreePool(pQueryBuffer);
- pQueryBuffer = NULL;
- }
- return NT_SUCCESS(ntStatus);
- }
- LARGE_INTEGER g_RegCookie;
- #if (NTDDI_VERSION >= NTDDI_VISTA)
- NTSTATUS TlGetObjectNameOnVistaAndLater(PVOID Object, PUNICODE_STRING Name)
- {
- PUNICODE_STRING pKeyName = NULL;
- NTSTATUS ntStatus = 0;
- if(Object == NULL || Name == NULL)
- return STATUS_INVALID_PARAMETER;
- ntStatus = CmCallbackGetKeyObjectID(&g_RegCookie,
- Object,
- NULL,
- &pKeyName);
- if(NT_SUCCESS(ntStatus) == FALSE)
- {
- return ntStatus;
- }
- Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag(
- PagedPool,
- pKeyName->Length,
- 'RFLM'
- );
- if(Name->Buffer == NULL)
- {
- return STATUS_INSUFFICIENT_RESOURCES;
- }
- RtlZeroMemory(Name->Buffer, pKeyName->Length);
- Name->Length = 0;
- Name->MaximumLength = pKeyName->Length;
- RtlCopyUnicodeString(Name, pKeyName);
- return STATUS_SUCCESS;
- }
- #endif
- NTSTATUS TlGetObjectNameOnXP(PVOID Object, PUNICODE_STRING Name)
- {
- UNICODE_STRING ustrKeyName = {0};
- HANDLE ObjectHandle = NULL;
- NTSTATUS ntStatus = 0;
- if(Object == NULL || Name == NULL)
- return STATUS_INVALID_PARAMETER;
- ntStatus = ObOpenObjectByPointer(Object,
- OBJ_KERNEL_HANDLE ,
- 0,
- 0,
- NULL,
- KernelMode,
- &ObjectHandle);
- if(NT_SUCCESS(ntStatus) == FALSE)
- {
- return ntStatus;
- }
- if(MyObQueryObjectName(ObjectHandle, &ustrKeyName, TRUE) == FALSE)
- {
- ZwClose(ObjectHandle);
- return STATUS_INSUFFICIENT_RESOURCES;
- }
- ZwClose(ObjectHandle);
- Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag(
- PagedPool,
- ustrKeyName.Length,
- 'RFLM'
- );
- if(Name->Buffer == NULL)
- {
- return STATUS_INSUFFICIENT_RESOURCES;
- }
- RtlZeroMemory(Name->Buffer, ustrKeyName.Length);
- Name->Length = 0;
- Name->MaximumLength = ustrKeyName.Length;
- RtlCopyUnicodeString(Name, &ustrKeyName);
- ExFreePool(ustrKeyName.Buffer);
- return STATUS_SUCCESS;
- }
- NTSTATUS TlGetObjectFullName(PVOID Object, PUNICODE_STRING Name)
- {
- #if (NTDDI_VERSION >= NTDDI_LONGHORN)
- return TlGetObjectNameOnVistaAndLater(Object, Name);
- #else
- return TlGetObjectNameOnXP(Object, Name);
- #endif
- }
- NTSTATUS MyDeleteKey(PREG_DELETE_KEY_INFORMATION Data)
- {
- NTSTATUS ntStatus = 0;
- UNICODE_STRING ustrKeyName = {0};
- __try
- {
- if((ExGetPreviousMode() == KernelMode))
- {
- return STATUS_SUCCESS;
- }
- if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
- {
- return STATUS_SUCCESS;
- }
- DbgPrint("DeleteKey Key:%wZ\n", &ustrKeyName);
- ExFreePool(ustrKeyName.Buffer);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS MySetValueKey(PREG_SET_VALUE_KEY_INFORMATION Data)
- {
- NTSTATUS ntStatus = 0;
- UNICODE_STRING ustrKeyName = {0};
- UNICODE_STRING ustrTarget = {0};
- WCHAR wszKeyPath[MAX_PATH] = {0};
- __try
- {
- if((ExGetPreviousMode() == KernelMode))
- {
- return STATUS_SUCCESS;
- }
- if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
- {
- return STATUS_SUCCESS;
- }
- ustrTarget.Buffer = wszKeyPath;
- ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
- RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);
- ExFreePool(ustrKeyName.Buffer);
- if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1] != L'\\' )
- RtlAppendUnicodeToString(&ustrTarget, L"\\");
- RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName);
- DbgPrint("SetValueKey Key:%wZ\n", &ustrTarget);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS MyDeleteValueKey(PREG_DELETE_VALUE_KEY_INFORMATION Data)
- {
- NTSTATUS ntStatus = 0;
- UNICODE_STRING ustrKeyName = {0};
- UNICODE_STRING ustrTarget = {0};
- WCHAR wszKeyPath[MAX_PATH] = {0};
- __try
- {
- if((ExGetPreviousMode() == KernelMode))
- {
- return STATUS_SUCCESS;
- }
- if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
- {
- return STATUS_SUCCESS;
- }
- ustrTarget.Buffer = wszKeyPath;
- ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
- RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);
- ExFreePool(ustrKeyName.Buffer);
- if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1]!=L'\\' )
- RtlAppendUnicodeToString(&ustrTarget, L"\\");
- RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName);
- DbgPrint("DeleteValueKey Key:%wZ\n", &ustrTarget);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS MyRenameKey(PREG_RENAME_KEY_INFORMATION Data)
- {
- NTSTATUS ntStatus = 0;
- UNICODE_STRING ustrKeyName = {0};
- __try
- {
- if((ExGetPreviousMode() == KernelMode))
- {
- return STATUS_SUCCESS;
- }
- if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
- {
- return STATUS_SUCCESS;
- }
- DbgPrint("RenameKey Key:%wZ\n", &ustrKeyName);
- ExFreePool(ustrKeyName.Buffer);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS MyCreateKey(PREG_PRE_CREATE_KEY_INFORMATION Data)
- {
- NTSTATUS ntStatus = 0;
- UNICODE_STRING ustrTarget = {0};
- WCHAR wszKeyName[MAX_PATH] = {0};
- __try
- {
- if((ExGetPreviousMode() == KernelMode))
- {
- return STATUS_SUCCESS;
- }
- ustrTarget.Buffer = wszKeyName;
- ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
- RtlCopyUnicodeString(&ustrTarget, Data->CompleteName);
- DbgPrint("CreateKey Key:%wZ\n", &ustrTarget);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS MyCreateKeyEx(PREG_CREATE_KEY_INFORMATION Data)
- {
- NTSTATUS ntStatus = 0;
- UNICODE_STRING ustrKeyName = {0};
- UNICODE_STRING ustrTarget = {0};
- __try
- {
- if((ExGetPreviousMode() == KernelMode))
- {
- return STATUS_SUCCESS;
- }
- if(NT_SUCCESS(TlGetObjectFullName(Data->RootObject, &ustrKeyName)) == FALSE)
- {
- return STATUS_SUCCESS;
- }
- ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
- RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);
- ExFreePool(ustrKeyName.Buffer);
- if(Data->CompleteName)
- {
- RtlAppendUnicodeToString(&ustrTarget, L"\\");
- RtlAppendUnicodeStringToString(&ustrTarget, Data->CompleteName);
- }
- DbgPrint("CreateKeyEx :%wZ\n", ustrTarget);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS MyRegCallback
- (
- PVOID CallbackContext,
- PVOID Argument1,
- PVOID Argument2
- )
- {
- switch( (REG_NOTIFY_CLASS) Argument1)
- {
- case RegNtPreDeleteKey :
- return MyDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2);
- case RegNtPreSetValueKey:
- return MySetValueKey((PREG_SET_VALUE_KEY_INFORMATION) Argument2);
- case RegNtPreDeleteValueKey:
- return MyDeleteValueKey((PREG_DELETE_VALUE_KEY_INFORMATION) Argument2);
- case RegNtPreRenameKey:
- return MyRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2);
- case RegNtPreCreateKey:
- return MyCreateKey((PREG_PRE_CREATE_KEY_INFORMATION) Argument2);
- case RegNtPreCreateKeyEx:
- return MyCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2);
- }
- return STATUS_SUCCESS;
- }
- NTSTATUS startRegMon(PDRIVER_OBJECT driverObject)
- {
- #if (NTDDI_VERSION >= NTDDI_VISTA)
- UNICODE_STRING uAltitude;
- RtlInitUnicodeString(&uAltitude, g_wszAltitude);
- return CmRegisterCallbackEx(MyRegCallback,
- &uAltitude,
- driverObject,
- NULL,
- &g_RegCookie,
- NULL);
- #else
- return CmRegisterCallback(MyRegCallback,
- NULL,
- &g_RegCookie);
- #endif
- }
- VOID stopRegMon( )
- {
- CmUnRegisterCallback(g_RegCookie);
- }
- regmon.c
- #ifndef __REGMON_H__
- #define __REGMON_H__
- typedef enum _OBJECT_INFO_CLASS {
- ObjectBasicInfo,
- ObjectNameInfo,
- ObjectTypeInfo,
- ObjectAllTypesInfo,
- ObjectProtectionInfo
- } OBJECT_INFO_CLASS;
- PGENERIC_MAPPING IoGetKeyGenericMapping( );
- NTSTATUS
- MyRegCallback
- (
- PVOID CallbackContext,
- PVOID Argument1,
- PVOID Argument2
- );
- NTSTATUS startRegMon(PDRIVER_OBJECT driverObject);
- VOID stopRegMon( );
- #endif
浙公网安备 33010602011771号