/*
 * Mount the on-disk SAM hive into the registry namespace as Machine\SAM.
 *
 * io, args: not used by this command.
 *
 * Acquires SE_RESTORE_PRIVILEGE first because NtLoadKey requires the restore
 * privilege. Whatever get_privilege() reports is not examined here, so a
 * failure to obtain the privilege only shows up as the NtLoadKey status that
 * CHECKER inspects.
 *
 * NOTE(review): the hive path is hard-coded to C:\WINDOWS rather than derived
 * from the running system's root — confirm this matches the target box.
 */
void loadSam(IO &io, char *args)
{
    get_privilege(SE_RESTORE_PRIVILEGE);

    /* Parent key, the mount-point name under it, and the hive file. */
    RegKey hklm(L"Machine\\");
    UnicodeString mountName(L"SAM");
    UnicodeString hivePath(L"\\??\\C:\\WINDOWS\\system32\\config\\SAM");

    /* Target key "SAM", resolved relative to the Machine key handle. */
    OBJECT_ATTRIBUTES keyAttrs;
    InitializeObjectAttributes(&keyAttrs,
                               &mountName.unicode_string(),
                               OBJ_CASE_INSENSITIVE,
                               hklm.get_handle(),
                               NULL);

    /* Source file given as an absolute NT path, so no root directory. */
    OBJECT_ATTRIBUTES fileAttrs;
    InitializeObjectAttributes(&fileAttrs,
                               &hivePath.unicode_string(),
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);

    ULONG status = NtLoadKey(&keyAttrs, &fileAttrs);
    CHECKER(status)
}
/*
 * ConnectRegistry
 *
 * Mount a registry hive file as a key in the registry namespace.
 *
 * RootKey        Optional key handle RegMountPoint is relative to; NULL means
 *                RegMountPoint is an absolute object-manager path.
 * RegMountPoint  Name of the key the hive is mounted at.
 * RootDirectory  Optional directory handle; handed to
 *                OpenDirectoryByHandleOrPath together with RootPath to obtain
 *                the directory the hive file name is resolved against
 *                (presumably one of the two is required — check that helper).
 * RootPath       Optional directory path, see RootDirectory.
 * RegistryKey    Hive file name, resolved relative to that directory.
 *
 * Returns the NTSTATUS of OpenDirectoryByHandleOrPath or of NtLoadKey.
 *
 * Must be called with the restore privilege already enabled: NtLoadKey
 * requires it and nothing in this function acquires it.
 *
 * OpenDirectoryByHandleOrPath sets the low bit of the handle it returns when
 * it opened the directory itself. That bit is stripped before the handle is
 * used and decides whether the handle is closed on the way out.
 */
static NTSTATUS
ConnectRegistry(
    IN HANDLE RootKey OPTIONAL,
    IN PCWSTR RegMountPoint,
    IN HANDLE RootDirectory OPTIONAL,
    IN PUNICODE_STRING RootPath OPTIONAL,
    IN PCWSTR RegistryKey)
{
    NTSTATUS Status;
    HANDLE TaggedHandle;
    HANDLE DirectoryHandle;
    ULONG_PTR OpenedLocally;
    UNICODE_STRING MountName, HiveName;
    OBJECT_ATTRIBUTES MountAttributes, HiveAttributes;

    /* Resolve the directory the hive file lives in. */
    Status = OpenDirectoryByHandleOrPath(&TaggedHandle, RootDirectory, RootPath);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("OpenDirectoryByHandleOrPath failed, Status 0x%08lx\n", Status);
        return Status;
    }

    /* Low bit set means the directory was opened here and must be closed here. */
    OpenedLocally = (ULONG_PTR)TaggedHandle & 1;
    DirectoryHandle = (HANDLE)((ULONG_PTR)TaggedHandle & ~1);

    /* Key to mount at, relative to RootKey (or absolute when RootKey is NULL). */
    RtlInitUnicodeString(&MountName, RegMountPoint);
    InitializeObjectAttributes(&MountAttributes,
                               &MountName,
                               OBJ_CASE_INSENSITIVE,
                               RootKey,
                               NULL);

    /* Hive file, relative to the resolved directory. */
    RtlInitUnicodeString(&HiveName, RegistryKey);
    InitializeObjectAttributes(&HiveAttributes,
                               &HiveName,
                               OBJ_CASE_INSENSITIVE,
                               DirectoryHandle,
                               NULL);

    Status = NtLoadKey(&MountAttributes, &HiveAttributes);

    if (OpenedLocally)
        NtClose(DirectoryHandle);

    return Status;
}
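/*
 * test8: load the hive file "test5" into the registry through the native
 * NtLoadKey call and through the Win32 RegLoadKey wrapper, printing each
 * status as it goes.
 *
 * Loading a hive requires the restore privilege, so the process token is
 * opened and SE_RESTORE_NAME is enabled on it before any load is attempted.
 * The LUID is looked up with LookupPrivilegeValueA; enabling an all-zero LUID
 * (as the earlier version did) never grants the privilege and makes every
 * load fail with a privilege error. The token and the opened key handle are
 * closed before returning, and hKey is only passed to NtLoadKey when
 * NtOpenKey actually produced it.
 *
 * NtLoadKey is called here in the two-argument (HANDLE, POBJECT_ATTRIBUTES)
 * form this file's prototype declares; that differs from the
 * (key attributes, file attributes) pair form used elsewhere, so check the
 * prototype in use before changing these calls.
 */
void test8(void)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    UNICODE_STRING KeyName;
    NTSTATUS Status;
    LONG dwError;
    TOKEN_PRIVILEGES NewPrivileges;
    HANDLE Token = NULL;
    HANDLE hKey = NULL;
    LUID Luid = {0};
    BOOLEAN bRes;

    /* Our own token, opened only for privilege adjustment. */
    Status = NtOpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &Token);
    dprintf("\t\t\t\tStatus =%x\n", Status);
    if (!NT_SUCCESS(Status))
    {
        dprintf("\t\t\t\tNtOpenProcessToken failed, cannot enable SeRestorePrivilege\n");
        return;
    }

    /* Resolve the real LUID of the restore privilege; a zero LUID would make
     * the AdjustTokenPrivileges call below a no-op. */
    bRes = LookupPrivilegeValueA(NULL, SE_RESTORE_NAME, &Luid);
    dprintf("\t\t\t\tbRes =%x\n", bRes);
    if (!bRes)
    {
        NtClose(Token);
        return;
    }

    NewPrivileges.PrivilegeCount = 1;
    NewPrivileges.Privileges[0].Luid = Luid;
    NewPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    bRes = AdjustTokenPrivileges(Token, FALSE, &NewPrivileges, 0, NULL, NULL);
    dprintf("\t\t\t\tbRes =%x\n", bRes);
    /* AdjustTokenPrivileges returns TRUE even when the token does not hold the
     * privilege; ERROR_NOT_ALL_ASSIGNED is the only indication. The loads are
     * still attempted so their failure status is visible in the output. */
    if (bRes && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
        dprintf("\t\t\t\tSeRestorePrivilege is not held by this token\n");

    /* The token is not needed once the privilege state has been adjusted. */
    NtClose(Token);

    /* Native load under HKLM, legacy (handle, attributes) call form. */
    RtlRosInitUnicodeStringFromLiteral(&KeyName, L"test5");
    InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    Status = NtLoadKey((HANDLE)HKEY_LOCAL_MACHINE, &ObjectAttributes);
    dprintf("\t\t\t\tStatus =%x\n", Status);

    /* Same hive through the Win32 wrapper, mounted as HKLM\def. */
    dwError = RegLoadKey(HKEY_LOCAL_MACHINE, "def", "test5");
    dprintf("\t\t\t\tdwError =%x\n", dwError);

    /* Open \Registry\Machine explicitly and load relative to that handle. */
    dprintf("NtOpenKey \\Registry\\Machine : ");
    RtlRosInitUnicodeStringFromLiteral(&KeyName, L"\\Registry\\Machine");
    InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    Status = NtOpenKey(&hKey, MAXIMUM_ALLOWED, &ObjectAttributes);
    dprintf("\t\t\tStatus =%x\n", Status);
    if (!NT_SUCCESS(Status))
        return;   /* hKey was never assigned; do not hand it to NtLoadKey */

    RtlRosInitUnicodeStringFromLiteral(&KeyName, L"test5");
    InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    Status = NtLoadKey(hKey, &ObjectAttributes);
    dprintf("\t\t\t\tStatus =%x\n", Status);

    NtClose(hKey);
}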