static PPH_STRING EspGetServiceSidString( _In_ PPH_STRINGREF ServiceName ) { PSID serviceSid = NULL; UNICODE_STRING serviceNameUs; ULONG serviceSidLength = 0; PPH_STRING sidString = NULL; if (!RtlCreateServiceSid_I) return NULL; PhStringRefToUnicodeString(ServiceName, &serviceNameUs); if (RtlCreateServiceSid_I(&serviceNameUs, serviceSid, &serviceSidLength) == STATUS_BUFFER_TOO_SMALL) { serviceSid = PhAllocate(serviceSidLength); if (NT_SUCCESS(RtlCreateServiceSid_I(&serviceNameUs, serviceSid, &serviceSidLength))) sidString = PhSidToStringSid(serviceSid); PhFree(serviceSid); } return sidString; }
PPH_STRING PhFormatNativeKeyName( __in PPH_STRING Name ) { static PH_STRINGREF hklmPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine"); static PH_STRINGREF hkcrPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine\\Software\\Classes"); static PH_STRINGREF hkuPrefix = PH_STRINGREF_INIT(L"\\Registry\\User"); static PPH_STRING hkcuPrefix; static PPH_STRING hkcucrPrefix; static PH_STRINGREF hklmString = PH_STRINGREF_INIT(L"HKLM"); static PH_STRINGREF hkcrString = PH_STRINGREF_INIT(L"HKCR"); static PH_STRINGREF hkuString = PH_STRINGREF_INIT(L"HKU"); static PH_STRINGREF hkcuString = PH_STRINGREF_INIT(L"HKCU"); static PH_STRINGREF hkcucrString = PH_STRINGREF_INIT(L"HKCU\\Software\\Classes"); static PH_INITONCE initOnce = PH_INITONCE_INIT; PPH_STRING newName; PH_STRINGREF name; if (PhBeginInitOnce(&initOnce)) { PTOKEN_USER tokenUser; PPH_STRING stringSid = NULL; if (PhCurrentTokenQueryHandle) { if (NT_SUCCESS(PhGetTokenUser( PhCurrentTokenQueryHandle, &tokenUser ))) { stringSid = PhSidToStringSid(tokenUser->User.Sid); PhFree(tokenUser); } } if (stringSid) { static PH_STRINGREF registryUserPrefix = PH_STRINGREF_INIT(L"\\Registry\\User\\"); static PH_STRINGREF classesString = PH_STRINGREF_INIT(L"_Classes"); hkcuPrefix = PhConcatStringRef2(®istryUserPrefix, &stringSid->sr); hkcucrPrefix = PhConcatStringRef2(&hkcuPrefix->sr, &classesString); PhDereferenceObject(stringSid); } else { hkcuPrefix = PhCreateString(L"..."); // some random string that won't ever get matched hkcucrPrefix = PhCreateString(L"..."); } PhEndInitOnce(&initOnce); } name = Name->sr; if (PhStartsWithStringRef(&name, &hkcrPrefix, TRUE)) { name.Buffer += hkcrPrefix.Length / sizeof(WCHAR); name.Length -= hkcrPrefix.Length; newName = PhConcatStringRef2(&hkcrString, &name); } else if (PhStartsWithStringRef(&name, &hklmPrefix, TRUE)) { name.Buffer += hklmPrefix.Length / sizeof(WCHAR); name.Length -= hklmPrefix.Length; newName = PhConcatStringRef2(&hklmString, &name); } else if (PhStartsWithStringRef(&name, &hkcucrPrefix->sr, TRUE)) { name.Buffer += hkcucrPrefix->Length / sizeof(WCHAR); name.Length -= hkcucrPrefix->Length; newName = PhConcatStringRef2(&hkcucrString, &name); } else if (PhStartsWithStringRef(&name, &hkcuPrefix->sr, TRUE)) { name.Buffer += hkcuPrefix->Length / sizeof(WCHAR); name.Length -= hkcuPrefix->Length; newName = PhConcatStringRef2(&hkcuString, &name); } else if (PhStartsWithStringRef(&name, &hkuPrefix, TRUE)) { name.Buffer += hkuPrefix.Length / sizeof(WCHAR); name.Length -= hkuPrefix.Length; newName = PhConcatStringRef2(&hkuString, &name); } else { newName = Name; PhReferenceObject(Name); } return newName; }