// 创建新的键值的函数 HKEY CRegKeyManager::CreateNewKey(HKEY hRootKey, LPCTSTR lpszSubKey, HKEY hSubKey) { std::wstring strSubKey; if (((UINT)hRootKey & 0x80000000) == 0) { // rootkey不是predefined的,需要再次获取一下 hRootKey = GetRegFullPath(hRootKey, strSubKey); if (hRootKey == NULL) return NULL; if (lpszSubKey) { strSubKey += _T("\\"); strSubKey += lpszSubKey; } } else if (lpszSubKey) strSubKey = lpszSubKey; TrimString(strSubKey, BLANKS_SLASH); // 这个注册表键值不存在,需要搞一个虚拟的 // 在实际中建一个是为了得到HKEY值,既不跟实际的注册表一样,又达到虚拟自己的目的 if (hSubKey == NULL) { std::wstringstream strVirtualKey; strVirtualKey << _T("Software\\Bank\\VirtualReg\\") << (UINT)hRootKey << _T("\\") << strSubKey; ::RegCreateKey(HKEY_CURRENT_USER, strVirtualKey.str().c_str(), &hSubKey); } ::EnterCriticalSection(&m_cs); m_HKeyMap.insert(std::make_pair(hSubKey, std::make_pair(hRootKey, strSubKey))); ::LeaveCriticalSection(&m_cs); return hSubKey; }
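/*
 * Registry callback for value enumeration: resolves the full path of the key
 * being enumerated on behalf of a user-mode process. No filtering is applied
 * yet — every exit path returns STATUS_SUCCESS, so enumeration always
 * proceeds; the per-class switch below is a placeholder for that work.
 *
 * hKey / pRootObject        handle or object of the key; at least one must
 *                           be supplied or the call is ignored.
 * KeyValueInformationClass  information class requested by the caller.
 * pKeyValueInformation,
 * Length, pResultLength     the caller's output buffer; currently unused.
 * Returns STATUS_SUCCESS on every path.
 */
NTSTATUS RegProc_EnumValueKey(HANDLE hKey, PVOID pRootObject,
    KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    PVOID pKeyValueInformation, ULONG Length, PULONG pResultLength)
{
    ULONG ulLength = 0;
    NAME_BUFFER RegPath = {0};
    NTSTATUS Status = STATUS_SUCCESS;
    /* = L"" zero-fills the whole array, so no separate RtlZeroMemory is needed. */
    WCHAR wzProcName[MAX_PROCESS_LEN] = L"";

    UNREFERENCED_PARAMETER(pKeyValueInformation);
    UNREFERENCED_PARAMETER(Length);
    UNREFERENCED_PARAMETER(pResultLength);

    /* Nothing to resolve without a key. */
    if (!hKey && !pRootObject)
        return Status;
    /* Only user-mode requests are inspected; kernel-mode callers pass through. */
    if (ExGetPreviousMode() == KernelMode)
        return Status;
    /* The allocation and path lookup below are only done below DISPATCH_LEVEL. */
    if (KeGetCurrentIrql() >= DISPATCH_LEVEL)
        return Status;
    /* Global registry control switched off: let everything through. */
    if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl)
        return Status;

    GetProcessName(PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN);
    /* Process-level exemption from the global policy. It is keyed on the
     * image name alone, so any process carrying an exempted name passes —
     * TODO(review): confirm that is acceptable for this policy. */
    if (ISExpProcList_PolicyAll(wzProcName))
        return Status;

    ALLOCATE_N_REG_POOL(RegPath);
    /* Fails open: no buffer means no inspection. */
    if (!RegPath.pBuffer)
        return Status;
    SET_REG_POOL_ZERO(RegPath);

    ulLength = GetRegFullPath(hKey, pRootObject, NULL, &RegPath);
    /* ulLength is unsigned, so "no path resolved" is exactly 0. */
    if (ulLength == 0)
    {
        FREE_N_REG_POOL(RegPath);
        return STATUS_SUCCESS;
    }

    /* Per-information-class handling is not implemented; the classes are
     * listed so the intended split stays visible. */
    switch (KeyValueInformationClass)
    {
    case KeyValueBasicInformation:
    case KeyValueFullInformation:
    case KeyValuePartialInformation:
    default:
        break;
    }

    FREE_N_REG_POOL(RegPath);
    return Status;
}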
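/*
 * Registry callback for key deletion: denies deletion of any key whose full
 * path contains the agent or driver service name, for user-mode callers that
 * are not on the process exemption list while global control is enabled.
 *
 * hKey / pRootObject  handle or object of the key being deleted; at least one
 *                     must be supplied or the call is ignored.
 * pSubKey             optional sub-key appended when resolving the full path.
 * Returns STATUS_ACCESS_DENIED to block the deletion, STATUS_SUCCESS otherwise
 * (including every early-out, i.e. the check fails open).
 */
NTSTATUS RegProc_DeleteKey(HANDLE hKey, PVOID pRootObject, PUNICODE_STRING pSubKey)
{
    ULONG ulLength = 0;
    NAME_BUFFER RegPath = {0};
    NTSTATUS Status = STATUS_SUCCESS;
    /* = L"" zero-fills the whole array, so no separate RtlZeroMemory is needed. */
    WCHAR wzProcName[MAX_PROCESS_LEN] = L"";

    /* Nothing to resolve without a key. */
    if (!hKey && !pRootObject)
        return Status;
    /* Only user-mode requests are inspected; kernel-mode callers pass through. */
    if (ExGetPreviousMode() == KernelMode)
        return Status;
    /* The allocation and path lookup below are only done below DISPATCH_LEVEL. */
    if (KeGetCurrentIrql() >= DISPATCH_LEVEL)
        return Status;
    /* Global registry control switched off: let everything through. */
    if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl)
        return Status;

    GetProcessName(PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN);
    /* Process-level exemption from the global policy. It is keyed on the
     * image name alone, so any process carrying an exempted name may delete
     * the protected keys — TODO(review): confirm that is acceptable. */
    if (ISExpProcList_PolicyAll(wzProcName))
        return Status;

    ALLOCATE_N_REG_POOL(RegPath);
    /* Fails open: no buffer means the deletion is not inspected. */
    if (!RegPath.pBuffer)
        return Status;
    SET_REG_POOL_ZERO(RegPath);

    ulLength = GetRegFullPath(hKey, pRootObject, pSubKey, &RegPath);
    /* ulLength is unsigned, so "no path resolved" is exactly 0. */
    if (ulLength == 0)
    {
        FREE_N_REG_POOL(RegPath);
        return STATUS_SUCCESS;
    }

    /* Case-insensitive match by lowering the path first. SVCNAME_AGENT and
     * SVCNAME_DRIVER must therefore be all-lowercase, otherwise wcsstr() can
     * never match and the protection silently does nothing —
     * TODO(review): verify their definitions. This is a plain substring test,
     * so any key whose path merely contains one of the names is also denied. */
    _wcslwr(RegPath.pBuffer);
    if (wcsstr(RegPath.pBuffer, SVCNAME_AGENT) || wcsstr(RegPath.pBuffer, SVCNAME_DRIVER))
    {
        KdPrint(("RegProc_DeleteKey=[%ws] \n", RegPath.pBuffer));
        /* Control flag: FALSE = do not enforce, TRUE = enforce. bGlobalCtrl
         * was already required to be TRUE above, so this re-check only
         * matters if the flag changes concurrently — TODO(review): the note
         * here spoke of "SetupDir Control"; confirm this is the intended flag. */
        if (g_MalwFind.DrvConfig.bGlobalCtrl)
        {
            Status = STATUS_ACCESS_DENIED;
            KdPrint(("Ret--STATUS_ACCESS_DENIED RegPath=%ws \n", RegPath.pBuffer));
        }
    }

    FREE_N_REG_POOL(RegPath);
    return Status;
}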