コード例 #1
/**
 * Builds the string form of the SID that corresponds to a service name.
 *
 * \param ServiceName The service name to convert.
 *
 * \return A string holding the SID in string form, or NULL if
 * RtlCreateServiceSid_I is not available or either call to it fails.
 * NOTE(review): the caller presumably owns the returned string and must
 * dereference it - confirm against PhSidToStringSid.
 */
static PPH_STRING EspGetServiceSidString(
    _In_ PPH_STRINGREF ServiceName
    )
{
    UNICODE_STRING nameUs;
    ULONG sidLength = 0;
    PSID sid;
    PPH_STRING result = NULL;

    // RtlCreateServiceSid_I is tested like a pointer that may be NULL;
    // without it there is nothing to compute.
    if (!RtlCreateServiceSid_I)
        return NULL;

    PhStringRefToUnicodeString(ServiceName, &nameUs);

    // Size probe: no buffer and a zero length. Only STATUS_BUFFER_TOO_SMALL
    // means sidLength now holds the size to allocate; any other status ends
    // the attempt.
    if (RtlCreateServiceSid_I(&nameUs, NULL, &sidLength) != STATUS_BUFFER_TOO_SMALL)
        return NULL;

    sid = PhAllocate(sidLength);

    // Second call fills the buffer. The SID is converted only on success, so
    // a partially written buffer is never turned into a string.
    if (NT_SUCCESS(RtlCreateServiceSid_I(&nameUs, sid, &sidLength)))
        result = PhSidToStringSid(sid);

    // The binary SID is only scratch data; release it on both outcomes.
    PhFree(sid);

    return result;
}
コード例 #2
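/**
 * Rewrites a native registry path (\Registry\...) using the familiar
 * root-key abbreviations (HKLM, HKCR, HKU, HKCU, HKCU\Software\Classes).
 *
 * \param Name The native key name.
 *
 * \return A string with the matching prefix replaced by its abbreviation.
 * If no prefix matches, Name itself is returned with an extra reference
 * taken, so the caller can release the result the same way on every path
 * (assuming PhConcatStringRef2 returns a newly created string).
 *
 * \remarks A prefix is only accepted when it ends on a path-component
 * boundary, i.e. the name is exactly the prefix or the next character is a
 * backslash. Without that check a key under \Registry\User\<other SID>,
 * where the other SID merely begins with the current user's SID string
 * (for example RID 10012 versus 1001), would be displayed as belonging to
 * HKCU, and "\Registry\Machine\Software\ClassesX" would be displayed as
 * "HKCRX". Such names now fall through to the next, less specific prefix.
 */
PPH_STRING PhFormatNativeKeyName(
    __in PPH_STRING Name
    )
{
    static PH_STRINGREF hklmPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine");
    static PH_STRINGREF hkcrPrefix = PH_STRINGREF_INIT(L"\\Registry\\Machine\\Software\\Classes");
    static PH_STRINGREF hkuPrefix = PH_STRINGREF_INIT(L"\\Registry\\User");
    static PPH_STRING hkcuPrefix;
    static PPH_STRING hkcucrPrefix;

    static PH_STRINGREF hklmString = PH_STRINGREF_INIT(L"HKLM");
    static PH_STRINGREF hkcrString = PH_STRINGREF_INIT(L"HKCR");
    static PH_STRINGREF hkuString = PH_STRINGREF_INIT(L"HKU");
    static PH_STRINGREF hkcuString = PH_STRINGREF_INIT(L"HKCU");
    static PH_STRINGREF hkcucrString = PH_STRINGREF_INIT(L"HKCU\\Software\\Classes");

    static PH_INITONCE initOnce = PH_INITONCE_INIT;

    PH_STRINGREF name;
    PH_STRINGREF *prefixes[5];
    PH_STRINGREF *abbreviations[5];
    unsigned int i;

    // The per-user prefixes depend on the current token's user SID, so they
    // are built at run time inside the init-once section.
    if (PhBeginInitOnce(&initOnce))
    {
        PTOKEN_USER tokenUser;
        PPH_STRING stringSid = NULL;

        if (PhCurrentTokenQueryHandle)
        {
            if (NT_SUCCESS(PhGetTokenUser(
                PhCurrentTokenQueryHandle,
                &tokenUser
                )))
            {
                stringSid = PhSidToStringSid(tokenUser->User.Sid);
                PhFree(tokenUser);
            }
        }

        if (stringSid)
        {
            static PH_STRINGREF registryUserPrefix = PH_STRINGREF_INIT(L"\\Registry\\User\\");
            static PH_STRINGREF classesString = PH_STRINGREF_INIT(L"_Classes");

            // \Registry\User\<sid> and \Registry\User\<sid>_Classes
            hkcuPrefix = PhConcatStringRef2(&registryUserPrefix, &stringSid->sr);
            hkcucrPrefix = PhConcatStringRef2(&hkcuPrefix->sr, &classesString);

            PhDereferenceObject(stringSid);
        }
        else
        {
            // The user SID is unavailable. Use a placeholder that no native
            // key name is expected to start with, so the HKCU rules never match.
            hkcuPrefix = PhCreateString(L"...");
            hkcucrPrefix = PhCreateString(L"...");
        }

        PhEndInitOnce(&initOnce);
    }

    // Order matters: a more specific prefix must be tried before the
    // shorter prefix that it extends (HKCR before HKLM, the per-user
    // prefixes before HKU).
    prefixes[0] = &hkcrPrefix;        abbreviations[0] = &hkcrString;
    prefixes[1] = &hklmPrefix;        abbreviations[1] = &hklmString;
    prefixes[2] = &hkcucrPrefix->sr;  abbreviations[2] = &hkcucrString;
    prefixes[3] = &hkcuPrefix->sr;    abbreviations[3] = &hkcuString;
    prefixes[4] = &hkuPrefix;         abbreviations[4] = &hkuString;

    name = Name->sr;

    for (i = 0; i < sizeof(prefixes) / sizeof(prefixes[0]); i++)
    {
        if (!PhStartsWithStringRef(&name, prefixes[i], TRUE))
            continue;

        // Lengths are in bytes. The prefix matched, so name.Length is at
        // least the prefix length and the index below is in bounds whenever
        // the two lengths differ. Require the prefix to end a path component.
        if (name.Length != prefixes[i]->Length &&
            name.Buffer[prefixes[i]->Length / sizeof(WCHAR)] != L'\\')
            continue;

        // Drop the native prefix and prepend the abbreviation.
        name.Buffer += prefixes[i]->Length / sizeof(WCHAR);
        name.Length -= prefixes[i]->Length;

        return PhConcatStringRef2(abbreviations[i], &name);
    }

    // No known prefix: return the input unchanged, with its own reference.
    PhReferenceObject(Name);

    return Name;
}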