/*
* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
*
* Module Name:
*
* registry.h
*
* Abstract:
*
* This module defines various types used by registry hooking routines.
*
* Author:
*
* Eugene Tsyrklevich 20-Feb-2004
*
* Revision History:
*
* None.
*/
/*
 * Include guard. NOTE(review): identifiers that begin with a double
 * underscore are reserved for the implementation in C; a guard such as
 * REGISTRY_H_ would stay out of the reserved namespace (renaming it means
 * updating the matching #endif at the bottom of this header as well).
 */
#ifndef __REGISTRY_H__
#define __REGISTRY_H__
/*
 * ZwCreateKey creates or opens a registry key object. [NAR]
 *
 * fpZwCreateKey: pointer-to-function type with the ZwCreateKey parameter
 * list (identical to the HookedNtCreateKey prototype in this header).
 *
 * NOTE(review): this pointer type carries no calling-convention keyword,
 * whereas the Hooked* prototypes are declared NTAPI. The two agree only if
 * the build defaults to that convention; otherwise declare the type as
 * `NTSTATUS (NTAPI *fpZwCreateKey)(...)` so calls through it match the
 * routine being invoked — confirm against the build settings.
 */
typedef NTSTATUS (*fpZwCreateKey) (
    OUT PHANDLE KeyHandle,              /* output: handle to the key */
    IN ACCESS_MASK DesiredAccess,       /* access requested on the key */
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG TitleIndex,
    IN PUNICODE_STRING Class OPTIONAL,  /* may be NULL */
    IN ULONG CreateOptions,
    OUT PULONG Disposition OPTIONAL     /* output, may be NULL */
);
/**
 * Hook routine for ZwCreateKey. Its parameter list is identical to the
 * fpZwCreateKey type above, so it is intended to stand in for the original.
 *
 * NOTE(review): ObjectAttributes (and the name it points to) is supplied by
 * the caller of the hooked service; if the hook inspects it, it must do so
 * with the same validation the original routine applies — the body is not in
 * this header, confirm in the implementation.
 *
 * @param KeyHandle        output: receives the key handle
 * @param DesiredAccess    access requested on the key
 * @param ObjectAttributes caller-supplied object attributes (name, root, ...)
 * @param TitleIndex       passed through as for ZwCreateKey
 * @param Class            optional class string, may be NULL
 * @param CreateOptions    create option flags
 * @param Disposition      optional output, may be NULL
 * @return NTSTATUS — presumably the status of the underlying operation;
 *         confirm in the implementation.
 */
NTSTATUS
NTAPI
HookedNtCreateKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG TitleIndex,
    IN PUNICODE_STRING Class OPTIONAL,
    IN ULONG CreateOptions,
    OUT PULONG Disposition OPTIONAL
);
/*
 * ZwOpenKey opens a registry key object. [NAR]
 *
 * fpZwOpenKey: pointer-to-function type with the ZwOpenKey parameter list
 * (identical to the HookedNtOpenKey prototype in this header).
 *
 * NOTE(review): no calling-convention keyword on this pointer type; it
 * matches the NTAPI Hooked* prototype only if the build defaults to that
 * convention — confirm.
 */
typedef NTSTATUS (*fpZwOpenKey) (
    OUT PHANDLE KeyHandle,              /* output: handle to the key */
    IN ACCESS_MASK DesiredAccess,       /* access requested on the key */
    IN POBJECT_ATTRIBUTES ObjectAttributes
);
/**
 * Hook routine for ZwOpenKey. Its parameter list is identical to the
 * fpZwOpenKey type above, so it is intended to stand in for the original.
 *
 * @param KeyHandle        output: receives the key handle
 * @param DesiredAccess    access requested on the key
 * @param ObjectAttributes caller-supplied object attributes; treat as
 *                         untrusted input if the hook reads it — confirm in
 *                         the implementation
 * @return NTSTATUS — presumably the status of the underlying open; the body
 *         is not in this header.
 */
NTSTATUS
NTAPI
HookedNtOpenKey(
    OUT PHANDLE KeyHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
);
/*
 * ZwSetValueKey updates or adds a value to a key. [NAR]
 *
 * fpZwSetValueKey: pointer-to-function type with the ZwSetValueKey parameter
 * list (identical to the HookedNtSetValueKey prototype in this header).
 *
 * NOTE(review): no calling-convention keyword on this pointer type; it
 * matches the NTAPI Hooked* prototype only if the build defaults to that
 * convention — confirm.
 */
typedef NTSTATUS (*fpZwSetValueKey) (
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex,
    IN ULONG Type,                      /* value type (REG_* style) */
    IN PVOID Data,                      /* DataSize bytes of value data */
    IN ULONG DataSize
);
/**
 * Hook routine for ZwSetValueKey. Its parameter list is identical to the
 * fpZwSetValueKey type above, so it is intended to stand in for the original.
 *
 * NOTE(review): Data/DataSize and ValueName are caller-supplied. If the hook
 * examines the value before forwarding it, the pointer must be validated and
 * the length bounded exactly as the original routine does — the body is not
 * in this header, confirm in the implementation.
 *
 * @param KeyHandle  handle to the key being written
 * @param ValueName  name of the value
 * @param TitleIndex passed through as for ZwSetValueKey
 * @param Type       value type
 * @param Data       value data, DataSize bytes
 * @param DataSize   length of Data in bytes
 * @return NTSTATUS — presumably the status of the underlying write.
 */
NTSTATUS
NTAPI
HookedNtSetValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN ULONG TitleIndex,
    IN ULONG Type,
    IN PVOID Data,
    IN ULONG DataSize
);
/*
 * ZwQueryValueKey retrieves information about a key value. [NAR]
 *
 * fpZwQueryValueKey: pointer-to-function type with the ZwQueryValueKey
 * parameter list (identical to the HookedNtQueryValueKey prototype below).
 *
 * NOTE(review): no calling-convention keyword on this pointer type; it
 * matches the NTAPI Hooked* prototype only if the build defaults to that
 * convention — confirm.
 */
typedef NTSTATUS (*fpZwQueryValueKey) (
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,      /* output buffer, caller-owned */
    IN ULONG KeyValueInformationLength, /* size of that buffer in bytes */
    OUT PULONG ResultLength             /* output: bytes needed/written */
);
/**
 * Hook routine for ZwQueryValueKey. Its parameter list is identical to the
 * fpZwQueryValueKey type above, so it is intended to stand in for the
 * original.
 *
 * NOTE(review): KeyValueInformation is a caller-owned output buffer of
 * KeyValueInformationLength bytes. If the hook touches that buffer (for
 * example to alter what the caller sees), every write must stay within
 * KeyValueInformationLength and the pointer must be validated like the
 * original does — the body is not in this header, confirm in the
 * implementation.
 *
 * @param KeyHandle                 handle to the key being read
 * @param ValueName                 name of the value
 * @param KeyValueInformationClass  which information layout is requested
 * @param KeyValueInformation       output buffer
 * @param KeyValueInformationLength size of the output buffer in bytes
 * @param ResultLength              output: length required/returned
 * @return NTSTATUS — presumably the status of the underlying query.
 */
NTSTATUS
NTAPI
HookedNtQueryValueKey(
    IN HANDLE KeyHandle,
    IN PUNICODE_STRING ValueName,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG KeyValueInformationLength,
    OUT PULONG ResultLength
);
/*
 * ZwDeleteKey deletes a key in the registry. [NAR]
 *
 * fpZwDeleteKey: pointer-to-function type with the ZwDeleteKey parameter
 * list (identical to the HookedNtDeleteKey prototype below).
 *
 * NOTE(review): no calling-convention keyword on this pointer type; it
 * matches the NTAPI Hooked* prototype only if the build defaults to that
 * convention — confirm.
 */
typedef NTSTATUS (*fpZwDeleteKey) (
    IN HANDLE KeyHandle                 /* handle to the key to delete */
);
/**
 * Hook routine for ZwDeleteKey. Its parameter list is identical to the
 * fpZwDeleteKey type above, so it is intended to stand in for the original.
 *
 * @param KeyHandle handle to the key to delete
 * @return NTSTATUS — presumably the status of the underlying delete; the
 *         body is not in this header, confirm in the implementation.
 */
NTSTATUS
NTAPI
HookedNtDeleteKey(
    IN HANDLE KeyHandle
);
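/**
 * Intended to install the registry hooks declared in this header (the body
 * is not in this header; confirm in the implementation).
 *
 * Declared with an explicit (void) parameter list: in C an empty `()` is an
 * old-style declaration that leaves call sites unchecked, so a caller passing
 * arguments by mistake would compile silently.
 *
 * @return BOOLEAN — presumably TRUE when the hooks were installed and FALSE
 *         otherwise; confirm in the implementation.
 */
BOOLEAN InitRegistryHooks(void);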
#endif /* __REGISTRY_H__ */