#include "stdafx.h"
#pragma warning(disable:4005)
#pragma warning(disable:4996)
#include <stdio.h>
#include <Windows.h>
#include <ntstatus.h>
#include "ntdll.h"
#pragma comment(lib,"ntdll.lib")
NTSTATUS NTAPI CreateRegistryKey(OBJECT_ATTRIBUTES *ObjectAttributes, ULONG dwValue, PCWSTR Name){
NTSTATUS Status;
UNICODE_STRING KeyName, ValueName;
HANDLE SubKeyHandle;
Status = NtCreateKey(&SubKeyHandle, DELETE | KEY_WRITE, ObjectAttributes, 0, NULL, 0, NULL);
if (NT_SUCCESS(Status)) {
printf("Registry Key Created\n");
RtlInitUnicodeString(&ValueName, Name);
Status = NtSetValueKey(SubKeyHandle, &ValueName, 0, REG_DWORD, &dwValue, sizeof(dwValue));
if (NT_SUCCESS(Status)){
printf("Registry Key Value Set\n");
}
NtClose(SubKeyHandle);
}
return Status;
}
NTSTATUS NTAPI DeleteRegistryKey(OBJECT_ATTRIBUTES *ObjectAttributes){
NTSTATUS Status;
UNICODE_STRING SubKeyName;
HANDLE SubKeyHandle;
Status = NtOpenKey(&SubKeyHandle, DELETE | KEY_WRITE, ObjectAttributes);
if (NT_SUCCESS(Status)) {
printf("Registry Key Deleted\n");
Status = NtDeleteKey(SubKeyHandle);
NtClose(SubKeyHandle);
}
return Status;
}
VOID SampDumpBinaryData(PBYTE pData,DWORD cbData){
DWORD i;
BYTE AsciiLine[16];
BYTE BinaryLine[16];
CHAR Buffer[1024];
if (0 == cbData){
printf("Zero-Length Data\n");
return;
}
if (cbData > 1024)
{
printf("ShowBinaryData - truncating display to 256 bytes\n");
cbData = 256;
}
for (; cbData > 0;)
{
for (i = 0; i < 16 && cbData > 0; i++, cbData--)
{
BinaryLine[i] = *pData;
(isprint(*pData)) ? (AsciiLine[i] = *pData) : (AsciiLine[i] = '.');
pData++;
}
if (i < 15)
{
for (; i < 16; i++)
{
BinaryLine[i] = ' ';
AsciiLine[i] = ' ';
}
}
printf(
"%02x %02x %02x %02x %02x %02x %02x %02x - %02x %02x %02x %02x %02x %02x %02x %02x\t",
BinaryLine[0],
BinaryLine[1],
BinaryLine[2],
BinaryLine[3],
BinaryLine[4],
BinaryLine[5],
BinaryLine[6],
BinaryLine[7],
BinaryLine[8],
BinaryLine[9],
BinaryLine[10],
BinaryLine[11],
BinaryLine[12],
BinaryLine[13],
BinaryLine[14],
BinaryLine[15]);
printf(
"%c%c%c%c%c%c%c%c - %c%c%c%c%c%c%c%c\n",
AsciiLine[0],
AsciiLine[1],
AsciiLine[2],
AsciiLine[3],
AsciiLine[4],
AsciiLine[5],
AsciiLine[6],
AsciiLine[7],
AsciiLine[8],
AsciiLine[9],
AsciiLine[10],
AsciiLine[11],
AsciiLine[12],
AsciiLine[13],
AsciiLine[14],
AsciiLine[15]);
}
}
int wmain(int argc, wchar_t* argv[]){
NTSTATUS Status;
ULONG dwValue = 0x12345678;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING KeyName;
RtlInitUnicodeString(&KeyName, L"\\Registry\\Machine\\Software\\Test");
InitializeObjectAttributes(&ObjectAttributes,&KeyName,OBJ_CASE_INSENSITIVE,NULL,NULL);
// Create the Registry Key
if ((Status = CreateRegistryKey(&ObjectAttributes, dwValue, L"TestKey86"))){
printf("Registry Key not created\n");
}
UNICODE_STRING SubKeyName;
HANDLE SubKeyHandle;
Status = NtOpenKey(&SubKeyHandle, DELETE | KEY_WRITE | KEY_READ, &ObjectAttributes);
if (NT_SUCCESS(Status)) {
if (Status != STATUS_OBJECT_NAME_NOT_FOUND) {
printf("NtOpenKey failed 0x%lx\n", Status);
}
}
size_t KeyValueInfoLength = 256;
Status = STATUS_NO_MEMORY;
void *KeyValueInformation = RtlAllocateHeap(RtlProcessHeap(), 0, KeyValueInfoLength);
if (KeyValueInformation == NULL) {
printf("RtlAllocateHeap failed\n");
}
ULONG ResultLength;
UNICODE_STRING ValueName;
RtlInitUnicodeString(&ValueName, L"TestKey86");
Status = NtQueryValueKey(
SubKeyHandle,
&ValueName,
KeyValueFullInformation,
KeyValueInformation,
KeyValueInfoLength,
&ResultLength
);
RtlFreeHeap(RtlProcessHeap(), 0, KeyValueInformation);
PKEY_BASIC_INFORMATION KeyBasicInformation;
PKEY_FULL_INFORMATION KeyFullInformation;
PKEY_NODE_INFORMATION KeyNodeInformation;
// Type of information
switch (KeyValueFullInformation){
case 0: // KeyBasicInformation
KeyBasicInformation = (PKEY_BASIC_INFORMATION)KeyValueInformation;
CHAR BufferTmp[1024];
wcstombs(BufferTmp,KeyBasicInformation->Name,wcslen(KeyBasicInformation->Name));
printf(
"%s\n%-30s = 0x%lx:0xlx\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %s\n",
"KeyInformation:",
"LastWriteTime",
KeyBasicInformation->LastWriteTime.HighPart,
KeyBasicInformation->LastWriteTime.LowPart,
"TitleIndex",
KeyBasicInformation->TitleIndex,
"NameLength",
KeyBasicInformation->NameLength,
"Name",
"BINARY DATA FOLLOWS:");
SampDumpBinaryData((PBYTE)KeyBasicInformation->Name,KeyBasicInformation->NameLength);
break;
case 1: // KeyNodeInformation
KeyNodeInformation = (PKEY_NODE_INFORMATION)KeyValueInformation;
wcstombs(BufferTmp,(LPWSTR)KeyNodeInformation->Name,wcslen((LPWSTR)KeyNodeInformation->Name));
printf(
"%s\n%-30s = 0x%lx:0x%lx\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %s\n",
"KeyInformation:",
"LastWriteTime",
KeyNodeInformation->LastWriteTime.HighPart,
KeyNodeInformation->LastWriteTime.LowPart,
"TitleIndex",
KeyNodeInformation->TitleIndex,
"ClassOffset",
KeyNodeInformation->ClassOffset,
"ClassLength",
KeyNodeInformation->ClassLength,
"NameLength",
KeyNodeInformation->NameLength,
"Name",
"BINARY DATA FOLLOWS:");
SampDumpBinaryData((PBYTE)KeyNodeInformation->Name,KeyNodeInformation->NameLength);
break;
case 2: // KeyFullInformation
KeyFullInformation = (PKEY_FULL_INFORMATION)KeyValueInformation;
sprintf(
"%s\n%-30s = 0x%lx:0x%lx\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %lu\n%-30s = %s\n",
"KeyInformation:",
"LastWriteTime",
KeyFullInformation->LastWriteTime.HighPart,
KeyFullInformation->LastWriteTime.LowPart,
"TitleIndex",
KeyFullInformation->TitleIndex,
"ClassOffset",
KeyFullInformation->ClassOffset,
"ClassLength",
KeyFullInformation->ClassLength,
"SubKeys",
KeyFullInformation->SubKeys,
"MaxNameLen",
KeyFullInformation->MaxNameLen,
"MaxClassLen",
KeyFullInformation->MaxClassLen,
"Values",
KeyFullInformation->Values,
"MaxValueNameLen",
KeyFullInformation->MaxValueNameLen,
"MaxValueDataLen",
KeyFullInformation->MaxValueDataLen,
"Class",
"BINARY DATA FOLLOWS:");
SampDumpBinaryData((PBYTE)KeyFullInformation->Class,KeyFullInformation->ClassLength);
break;
default:
break;
}
// Delete the Registry Key
if ((Status = DeleteRegistryKey(&ObjectAttributes))){
printf("Registry Key not removed\n");
}
return 0;
}
