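// Registers a key handle for the given root/sub-key pair and records its
// resolved path in m_HKeyMap so later lookups can map the handle back.
//
// hRootKey   - either a predefined root (tested via the high bit of its
//              32-bit value) or a handle this manager handed out earlier;
//              the latter is resolved to its real root and path first.
// lpszSubKey - optional sub-key appended to the resolved path (may be NULL).
// hSubKey    - the real handle to record. When NULL, a placeholder key is
//              created under HKCU\Software\Bank\VirtualReg\<root>\<path>
//              purely to obtain a unique HKEY value for the virtual key.
// Returns the registered HKEY, or NULL if the root could not be resolved or
// the placeholder key could not be created.
HKEY CRegKeyManager::CreateNewKey(HKEY hRootKey, LPCTSTR lpszSubKey, HKEY hSubKey)
{
	std::wstring strSubKey;
	if (((UINT)hRootKey & 0x80000000) == 0)
	{
		// The root is not a predefined key, so it must be one of ours:
		// look it up again to recover the real root and its path.
		hRootKey = GetRegFullPath(hRootKey, strSubKey);
		if (hRootKey == NULL)
			return NULL;
		if (lpszSubKey)
		{
			strSubKey += _T("\\");
			strSubKey += lpszSubKey;
		}
	}
	else if (lpszSubKey)
		strSubKey = lpszSubKey;
	// presumably strips leading/trailing blanks and backslashes so the stored
	// path is canonical — TODO confirm against TrimString/BLANKS_SLASH
	TrimString(strSubKey, BLANKS_SLASH);

	// The key does not exist in the real registry, so make a virtual one.
	// A real key is created only to obtain an HKEY value; because it lives
	// under our private placeholder path rather than the requested location,
	// it stays separate from the real registry while still being "ours".
	if (hSubKey == NULL)
	{
		std::wstringstream strVirtualKey;
		strVirtualKey << _T("Software\\Bank\\VirtualReg\\") << (UINT)hRootKey << _T("\\") << strSubKey;
		// RegCreateKey returns an LSTATUS (ERROR_SUCCESS == 0). If it fails
		// hSubKey stays NULL; recording a NULL handle would hand the caller
		// an unusable key and poison later lookups, so fail explicitly.
		if (::RegCreateKey(HKEY_CURRENT_USER, strVirtualKey.str().c_str(), &hSubKey) != 0 || hSubKey == NULL)
			return NULL;
	}
	// m_HKeyMap is shared state; the critical section covers only the insert.
	// NOTE(review): insert() does not overwrite an existing entry for a
	// reused handle value — confirm that is intended.
	::EnterCriticalSection(&m_cs);
	m_HKeyMap.insert(std::make_pair(hSubKey, std::make_pair(hRootKey, strSubKey)));
	::LeaveCriticalSection(&m_cs);
	return hSubKey;
}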
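// Registry-callback handler for value enumeration on a key.
//
// hKey / pRootObject           - the key being enumerated; at least one must be set.
// KeyValueInformationClass     - requested information class; no class-specific
//                                handling exists yet.
// pKeyValueInformation, Length - the caller's output buffer (currently unused).
// pResultLength                - receives the required size (currently unused).
// Returns STATUS_SUCCESS in every case: the handler resolves the full registry
// path but performs no filtering, so enumeration is never blocked here.
NTSTATUS  
RegProc_EnumValueKey( HANDLE  hKey,
					  PVOID   pRootObject,
					  KEY_VALUE_INFORMATION_CLASS  KeyValueInformationClass,
					  PVOID   pKeyValueInformation,
					  ULONG   Length,
					  PULONG  pResultLength  )
{
	ULONG       ulLength = 0;
	NAME_BUFFER RegPath  = {0};
	NTSTATUS    Status   = STATUS_SUCCESS;
	// Aggregate-initialised from L"": every element is already zero, so the
	// former RtlZeroMemory over the same array was redundant.
	WCHAR       wzProcName[ MAX_PROCESS_LEN ] = L"";

	if(!hKey && !pRootObject) return Status;
	// Kernel-mode callers are not filtered.
	if(ExGetPreviousMode() == KernelMode) return Status;
	// The pool allocation and path lookup below presumably need an IRQL
	// below DISPATCH_LEVEL — TODO confirm against ALLOCATE_N_REG_POOL.
	if(KeGetCurrentIrql() >= DISPATCH_LEVEL) return Status;

	// Nothing is inspected while the global control switch is off.
	if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl)
	{
		return Status;
	}
	GetProcessName( PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN );

	// Processes on the global exception list bypass the handler entirely.
	if(ISExpProcList_PolicyAll( wzProcName )) 
	{
		return Status;
	}

	ALLOCATE_N_REG_POOL( RegPath );
	if(!RegPath.pBuffer) return Status;
	SET_REG_POOL_ZERO( RegPath );

	ulLength = GetRegFullPath( hKey, pRootObject, NULL, &RegPath );
	// ulLength is unsigned, so the former "<= 0" could only ever mean "== 0"
	// (no path resolved).
	if(ulLength == 0) 
	{
		FREE_N_REG_POOL( RegPath );
		return Status;
	}

	// Hook points for per-class handling; none is implemented yet, so the
	// resolved path is released without being inspected.
	switch (KeyValueInformationClass)
	{
	case KeyValueBasicInformation:
	case KeyValueFullInformation:
	case KeyValuePartialInformation:
	default:
		break;
	}

	FREE_N_REG_POOL( RegPath );
	return Status;
}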
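// Registry-callback handler for key deletion.
//
// Protects the agent's and driver's own service keys: the full path of the
// target key is resolved, lower-cased, and the deletion is denied with
// STATUS_ACCESS_DENIED when the path contains SVCNAME_AGENT or SVCNAME_DRIVER.
//
// hKey / pRootObject - the key being deleted; at least one must be set.
// pSubKey            - passed through to GetRegFullPath, which accepts NULL.
// Returns STATUS_ACCESS_DENIED for a protected key, STATUS_SUCCESS otherwise
// (every early-out also succeeds, so a failed path lookup never blocks anything).
NTSTATUS  
RegProc_DeleteKey( HANDLE hKey, PVOID pRootObject, PUNICODE_STRING pSubKey )
{
	ULONG        ulLength = 0;
	NAME_BUFFER  RegPath  = {0};
	NTSTATUS     Status   = STATUS_SUCCESS;
	// Aggregate-initialised from L"": already zero-filled, so the former
	// RtlZeroMemory over the same array was redundant.
	WCHAR        wzProcName[ MAX_PROCESS_LEN ] = L"";

	if(!hKey && !pRootObject) return Status;
	// Kernel-mode callers are not filtered.
	if(ExGetPreviousMode() == KernelMode) return Status;
	// The pool allocation and path lookup below presumably need an IRQL
	// below DISPATCH_LEVEL — TODO confirm against ALLOCATE_N_REG_POOL.
	if(KeGetCurrentIrql() >= DISPATCH_LEVEL) return Status;

	// Nothing is enforced while the global control switch is off.
	if (FALSE == g_MalwFind.DrvConfig.bGlobalCtrl)
	{
		return Status;
	}
	GetProcessName( PsGetCurrentProcess(), wzProcName, MAX_PROCESS_LEN );
	// Processes on the global exception list bypass the check entirely.
	if(ISExpProcList_PolicyAll( wzProcName )) 
	{
		return Status;
	}

	ALLOCATE_N_REG_POOL( RegPath );
	if(!RegPath.pBuffer) return Status;
	SET_REG_POOL_ZERO( RegPath );

	ulLength = GetRegFullPath( hKey, pRootObject, pSubKey, &RegPath );
	// ulLength is unsigned, so the former "<= 0" could only ever mean "== 0"
	// (no path resolved).
	if(ulLength == 0) 
	{
		FREE_N_REG_POOL( RegPath );	
		return Status;
	}

	// Case-insensitive *substring* match: any path containing either service
	// name is protected, not only the service key itself. This relies on
	// SVCNAME_AGENT / SVCNAME_DRIVER being lower-case literals and on the
	// buffer (zeroed above) still being NUL-terminated after GetRegFullPath
	// — TODO confirm both.
	_wcslwr( RegPath.pBuffer );
	if( wcsstr(RegPath.pBuffer, SVCNAME_AGENT) || wcsstr(RegPath.pBuffer, SVCNAME_DRIVER) )
	{
		KdPrint(("RegProc_DeleteKey=[%ws] \n", RegPath.pBuffer ));
		// Control flag: FALSE = do not enforce, TRUE = enforce. bGlobalCtrl
		// already gated entry above, so this re-read only matters if the flag
		// is changed concurrently. The original comment referred to a
		// "SetupDir" control — possibly a different flag was intended; left as is.
		if (g_MalwFind.DrvConfig.bGlobalCtrl)
		{
			Status = STATUS_ACCESS_DENIED;
			KdPrint(("Ret--STATUS_ACCESS_DENIED RegPath=%ws \n", RegPath.pBuffer));
		}			
	}
	FREE_N_REG_POOL( RegPath );	
	return Status;
}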