/* * TsmiReadPatchChains * * Purpose: * * Read specified chains value from registry. * */ NTSTATUS TsmiReadPatchChains( _In_ HANDLE sKey, _In_ PUNICODE_STRING ParamName, _In_ VBOX_PATCH *PatchInfo ) { KEY_VALUE_PARTIAL_INFORMATION keyinfo; ULONG ChainsLength = 0, bytesIO; NTSTATUS status; PAGED_CODE(); if (sKey == NULL) return STATUS_INVALID_PARAMETER_1; if (ParamName == NULL) return STATUS_INVALID_PARAMETER_2; if (PatchInfo == NULL) return STATUS_INVALID_PARAMETER_3; status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, &keyinfo, sizeof(KEY_VALUE_PARTIAL_INFORMATION), &ChainsLength); if (NT_SUCCESS(status)) { return STATUS_BUFFER_TOO_SMALL; // The key value is empty. It should not success with zero-length buffer if there are some data; } if ((status != STATUS_BUFFER_TOO_SMALL) && (status != STATUS_BUFFER_OVERFLOW)) { return status; } // // Allocate buffer for data with given size // PatchInfo->Chains = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTagPriority(PagedPool, (SIZE_T)ChainsLength, TSUGUMI_TAG, NormalPoolPriority); if (PatchInfo->Chains == NULL) return STATUS_INSUFFICIENT_RESOURCES; #ifdef _DEBUGMSG DbgPrint("[TSMI] ChainsLength=%lx\n", ChainsLength); #endif //_DEBUGMSG RtlSecureZeroMemory(PatchInfo->Chains, ChainsLength); status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, PatchInfo->Chains, ChainsLength, &bytesIO); if (NT_SUCCESS(status)) { PatchInfo->ChainsLength = ChainsLength; #ifdef _DEBUGMSG TsmiListPatchChains(PatchInfo->Chains); #endif //_DEBUGMSG } return status; }
NTSTATUS KphReadDynamicDataParameters( __in_opt HANDLE KeyHandle ) { NTSTATUS status; UNICODE_STRING valueName; PKEY_VALUE_PARTIAL_INFORMATION info; ULONG resultLength; PAGED_CODE(); if (!KeyHandle) return STATUS_UNSUCCESSFUL; RtlInitUnicodeString(&valueName, L"DynamicConfiguration"); status = ZwQueryValueKey( KeyHandle, &valueName, KeyValuePartialInformation, NULL, 0, &resultLength ); if (status != STATUS_BUFFER_OVERFLOW && status != STATUS_BUFFER_TOO_SMALL) { // Unexpected status; fail now. return STATUS_UNSUCCESSFUL; } info = ExAllocatePoolWithTag(PagedPool, resultLength, 'ThpK'); if (!info) return STATUS_INSUFFICIENT_RESOURCES; status = ZwQueryValueKey( KeyHandle, &valueName, KeyValuePartialInformation, info, resultLength, &resultLength ); if (NT_SUCCESS(status)) { if (info->Type == REG_BINARY) status = KphpLoadDynamicConfiguration(info->Data, info->DataLength); else status = STATUS_OBJECT_TYPE_MISMATCH; if (!NT_SUCCESS(status)) dprintf("Unable to load dynamic configuration: 0x%x\n", status); } ExFreePoolWithTag(info, 'ThpK'); return status; }
NTSTATUS Reg_GetStringValue(_In_ HANDLE hKey, _In_ LPCWSTR pszValueName, _Out_ PWSTR *ppValue) { NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING ValueName; RtlInitUnicodeString(&ValueName, pszValueName); ULONG ResultLength = 0; Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, NULL, 0, &ResultLength); if (STATUS_BUFFER_OVERFLOW == Status || STATUS_BUFFER_TOO_SMALL == Status) { KEY_VALUE_PARTIAL_INFORMATION *pBuffer = ExAllocatePool(PagedPool, ResultLength); if (pBuffer) { Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, pBuffer, ResultLength, &ResultLength); if (NT_SUCCESS(Status) && pBuffer->Type == REG_SZ) { *ppValue = ExAllocatePool(PagedPool, pBuffer->DataLength); if (*ppValue) RtlMoveMemory(*ppValue, pBuffer->Data, pBuffer->DataLength); else Status = STATUS_INSUFFICIENT_RESOURCES; } ExFreePool(pBuffer); } } else if (NT_SUCCESS(Status)) { *ppValue = NULL; } return Status; }
/* typedef struct _KEY_VALUE_PARTIAL_INFORMATION { ULONG TitleIndex; ULONG Type; ULONG DataLength; UCHAR Data[1]; } KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION; */ NTSTATUS RegQueryValueKey(LPWSTR KeyName, LPWSTR ValueName, PKEY_VALUE_PARTIAL_INFORMATION *pkvpi) { ULONG ulSize; NTSTATUS ntStatus; PKEY_VALUE_PARTIAL_INFORMATION pvpi; OBJECT_ATTRIBUTES objectAttributes; HANDLE hRegister; UNICODE_STRING usKeyName; UNICODE_STRING usValueName; RtlInitUnicodeString(&usKeyName, KeyName); RtlInitUnicodeString(&usValueName, ValueName); InitializeObjectAttributes(&objectAttributes, &usKeyName, OBJ_CASE_INSENSITIVE,//对大小写敏感 NULL, NULL ); ntStatus = ZwOpenKey( &hRegister, KEY_ALL_ACCESS, &objectAttributes); if(!NT_SUCCESS(ntStatus)) { DbgPrint("[RegQueryValueKey]ZwOpenKey failed!\n"); return ntStatus; } ntStatus = ZwQueryValueKey(hRegister, &usValueName, KeyValuePartialInformation , NULL, 0, &ulSize); if (ntStatus==STATUS_OBJECT_NAME_NOT_FOUND || ulSize==0) { DbgPrint("ZwQueryValueKey 1 failed!\n"); return STATUS_UNSUCCESSFUL; } pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize); ntStatus = ZwQueryValueKey(hRegister, &usValueName, KeyValuePartialInformation , pvpi, ulSize, &ulSize); if (!NT_SUCCESS(ntStatus)) { DbgPrint("ZwQueryValueKey 2 failed!\n"); return STATUS_UNSUCCESSFUL; } //这里的pvpi是没有释放的用完要释放。ExFreePool(pvpi); *pkvpi=pvpi; DbgPrint("ZwQueryValueKey success!\n"); return STATUS_SUCCESS; }
VBOXDRVTOOL_DECL(NTSTATUS) VBoxDrvToolRegQueryValueDword(IN HANDLE hKey, IN PWCHAR pName, OUT PULONG pDword) { struct { KEY_VALUE_PARTIAL_INFORMATION Info; UCHAR Buf[32]; /* should be enough */ } Buf; ULONG cbBuf; UNICODE_STRING RtlStr; RtlInitUnicodeString(&RtlStr, pName); NTSTATUS Status = ZwQueryValueKey(hKey, &RtlStr, KeyValuePartialInformation, &Buf.Info, sizeof(Buf), &cbBuf); if (Status == STATUS_SUCCESS) { if (Buf.Info.Type == REG_DWORD) { Assert(Buf.Info.DataLength == 4); *pDword = *((PULONG)Buf.Info.Data); return STATUS_SUCCESS; } } return STATUS_INVALID_PARAMETER; }
NTSTATUS ReadRegistryString(PUNICODE_STRING RegistryPath, PWCHAR ValueName, PWCHAR ValueBuffer, DWORD Len) { NTSTATUS St; UNICODE_STRING param; OBJECT_ATTRIBUTES ObjAtr; HANDLE hKey; PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(NonPagedPool, 260*2); ULONG size; InitializeObjectAttributes(&ObjAtr, RegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL); St = ZwOpenKey(&hKey, KEY_QUERY_VALUE, &ObjAtr); if (St == STATUS_SUCCESS) { RtlInitUnicodeString(¶m, ValueName); St = ZwQueryValueKey(hKey, ¶m, KeyValuePartialInformation, (PVOID)info, 260*2, &size); if (NT_SUCCESS(St)) { RtlZeroMemory(ValueBuffer, Len); RtlCopyMemory(ValueBuffer, info->Data, info->DataLength); } ZwClose(hKey); } return St; }
NTSTATUS GetRegistryDWORD(HANDLE hKey, LPCWSTR Value, PULONG Data, ULONG Default) { UCHAR buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG)]; NTSTATUS status; UNICODE_STRING valueName; ULONG length; RtlInitUnicodeString(&valueName, Value); status = ZwQueryValueKey(hKey, &valueName, KeyValuePartialInformation, buffer, sizeof(buffer), &length); if (NT_SUCCESS(status) && length <= sizeof(buffer)) { PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer; if (info->Type == REG_DWORD && info->DataLength == sizeof(ULONG)) *Data = *(ULONG*)(info->Data); else *Data = Default; } else { *Data = Default; } return STATUS_SUCCESS; }
PJOYSTICK_MAP PPJoy_ReadMappingFromReg (UCHAR JoyType, HANDLE RegKey) { NTSTATUS ntStatus; ULONG NumRead; UNICODE_STRING ValueName; WCHAR ValueNameBuffer[128]; ULONG MapSize; UCHAR Buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION)+1024]; PJOYSTICK_MAP Mapping; PAGED_CODE(); Mapping= NULL; swprintf (ValueNameBuffer,L"MapV1_%02X",JoyType); RtlInitUnicodeString(&ValueName,ValueNameBuffer); NumRead= 0; ntStatus= ZwQueryValueKey(RegKey,&ValueName,KeyValuePartialInformation,Buffer,sizeof(Buffer),&NumRead); if(!NT_SUCCESS(ntStatus)) { PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_WARN, ("Error 0x%X reading value %S. NumRead= %d",ntStatus,ValueName.Buffer,NumRead) ); goto Exit; } if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Type!=REG_BINARY) { PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_WARN, ("Wrong registry datatype %d reading value %S",((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Type,ValueName.Buffer) ); goto Exit; } if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength==0) { PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_BABBLE, ("Empty registry key, ignoring") ); goto Exit; } MapSize= (ULONG)-1; if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength>4) MapSize= PPJOY_ComputeMappingSize((PJOYSTICK_MAP)(((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Data)); if (((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength!=MapSize) { PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_WARN, ("Invalid registry value size. Value size= %d expected %d",((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->DataLength,MapSize) ); goto Exit; } Mapping= ExAllocatePoolWithTag (NonPagedPool,MapSize,PPJOY_POOL_TAG); if (!Mapping) { PPJOY_DBGPRINT (FILE_MAPPING|PPJOY_ERROR, ("Cannot allocate nonpaged pool to store joystick mapping. Help!") ); goto Exit; } RtlCopyMemory (Mapping,((PKEY_VALUE_PARTIAL_INFORMATION)Buffer)->Data,MapSize); Exit: return Mapping; }
/***************************************************************************** * GetRegValueDword() ***************************************************************************** * Convenience function to encapsulate registry reads. */ int GetRegValueDword(_In_ LPTSTR RegPath,_In_ LPTSTR ValueName,PULONG Value) { int ReturnValue = 0; NTSTATUS Status; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE KeyHandle; KEY_VALUE_PARTIAL_INFORMATION *Information; ULONG InformationSize; UNICODE_STRING UnicodeRegPath; UNICODE_STRING UnicodeValueName; RtlInitUnicodeString(&UnicodeRegPath, RegPath); RtlInitUnicodeString(&UnicodeValueName, ValueName); InitializeObjectAttributes(&ObjectAttributes, &UnicodeRegPath, OBJ_KERNEL_HANDLE, // Flags NULL, // Root directory NULL); // Security descriptor Status = ZwOpenKey(&KeyHandle, KEY_QUERY_VALUE, &ObjectAttributes); if (Status != STATUS_SUCCESS) { return 0; } InformationSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG); Information = (KEY_VALUE_PARTIAL_INFORMATION*)ExAllocatePoolWithTag(PagedPool, InformationSize,'ISmD'); // DmSI if (Information == NULL) { ZwClose(KeyHandle); return 0; } Status = ZwQueryValueKey(KeyHandle, &UnicodeValueName, KeyValuePartialInformation, Information, InformationSize, &InformationSize); if (Status == STATUS_SUCCESS) { if (Information->Type == REG_DWORD && Information->DataLength == sizeof(ULONG)) { RtlCopyMemory(Value, Information->Data, sizeof(ULONG)); ReturnValue = 1; } } ExFreePool(Information); ZwClose(KeyHandle); return ReturnValue; }
NTSTATUS NtfsQueryValueKey(IN PUNICODE_STRING KeyName, IN PUNICODE_STRING ValueName, IN OUT ULONG *KeyInfoSize, OUT PKEY_VALUE_FULL_INFORMATION *KeyInfo, OUT BOOLEAN* bNeedRelease) { NTSTATUS Status; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE Handle; ULONG MemSize; ULONG ResultLength; InitializeObjectAttributes(&ObjectAttributes,KeyName,OBJ_CASE_INSENSITIVE,NULL,NULL); Status = ZwOpenKey(&Handle,0x20019, &ObjectAttributes); if(NT_SUCCESS(Status)) { MemSize = *KeyInfoSize; do { Status = ZwQueryValueKey(Handle, ValueName, KeyValueFullInformation, (PVOID)*KeyInfo, MemSize, &ResultLength); if(Status != 0x80000005) break; if(bNeedRelease[0]) { ExFreePool(*KeyInfo); KeyInfoSize[0] = 0; KeyInfo[0] = 0; bNeedRelease[0] = FALSE; } MemSize += 256; KeyInfo[0] = (PKEY_VALUE_FULL_INFORMATION)ExAllocatePoolWithTag(PagedPool, MemSize, REG_TAG ); if(!KeyInfo[0]) return 0xC0000017; KeyInfoSize[0] = MemSize; bNeedRelease[0] = TRUE; } while (TRUE); ZwClose(Handle); if(NT_SUCCESS(Status)) { if(!KeyInfo[0]->NameLength) { Status = 0xC0000034; } } } return Status; }
PKEY_VALUE_PARTIAL_INFORMATION ReadKeyValue( IN HANDLE hSubKey, IN PUNICODE_STRING KeyName) { NTSTATUS Status; ULONG Length; PKEY_VALUE_PARTIAL_INFORMATION PartialInformation; /* now query MatchingDeviceId key */ Status = ZwQueryValueKey(hSubKey, KeyName, KeyValuePartialInformation, NULL, 0, &Length); /* check for success */ if (Status != STATUS_BUFFER_TOO_SMALL) return NULL; /* allocate a buffer for key data */ PartialInformation = AllocateItem(NonPagedPool, Length); if (!PartialInformation) return NULL; /* now query MatchingDeviceId key */ Status = ZwQueryValueKey(hSubKey, KeyName, KeyValuePartialInformation, PartialInformation, Length, &Length); /* check for success */ if (!NT_SUCCESS(Status)) { FreeItem(PartialInformation); return NULL; } if (PartialInformation->Type != REG_SZ) { /* invalid key type */ FreeItem(PartialInformation); return NULL; } return PartialInformation; }
static SshRegData ssh_registry_platform_get_value(SshRegKey registry_key, SshRegUnicodeString value_name, SshRegSize *size_return) { PKEY_VALUE_PARTIAL_INFORMATION info; ULONG data_size; SshRegData ret_ptr = NULL; SSH_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL); if (ZwQueryValueKey(registry_key, value_name, KeyValuePartialInformation, NULL, 0, &data_size) != STATUS_BUFFER_TOO_SMALL) goto error; info = ssh_malloc(data_size); if (info == NULL) goto error; if (NT_SUCCESS(ZwQueryValueKey(registry_key, value_name, KeyValuePartialInformation, info, data_size, &data_size))) { if (data_size > info->DataLength) { ret_ptr = ssh_malloc(info->DataLength); if (ret_ptr) { memcpy(ret_ptr, info->Data, info->DataLength); if (size_return) *size_return = info->DataLength; } } } ssh_free(info); error: return ret_ptr; }
/* * TsmiReadPatchChains * * Purpose: * * Read specified chains value from registry. * */ NTSTATUS TsmiReadPatchChains( _In_ HANDLE sKey, _In_ PUNICODE_STRING ParamName, _In_ PVOID *ParamBuffer, _In_ ULONG *ChainsLength ) { KEY_VALUE_PARTIAL_INFORMATION keyinfo; NTSTATUS status; ULONG bytesIO = 0; if (ChainsLength == NULL) return STATUS_INVALID_PARAMETER_4; status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, &keyinfo, sizeof(KEY_VALUE_PARTIAL_INFORMATION), &bytesIO); if (NT_SUCCESS(status)) return STATUS_BUFFER_TOO_SMALL; // The key value is empty. It should not success with zero-length buffer if there are some data; if ((status != STATUS_BUFFER_TOO_SMALL) && (status != STATUS_BUFFER_OVERFLOW)) return STATUS_INVALID_PARAMETER; // we got unexpected return // bytesIO contains key value data length *ChainsLength = bytesIO; *ParamBuffer = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTagPriority(PagedPool, (SIZE_T)bytesIO, TSUGUMI_TAG, NormalPoolPriority); if (*ParamBuffer == NULL) return STATUS_INSUFFICIENT_RESOURCES; #ifdef _DEBUGMSG DbgPrint("[TSMI] ChainsLength=%lx\n", *ChainsLength); #endif RtlSecureZeroMemory(*ParamBuffer, bytesIO); status = ZwQueryValueKey(sKey, ParamName, KeyValuePartialInformation, *ParamBuffer, bytesIO, &bytesIO); #ifdef _DEBUGMSG if (NT_SUCCESS(status)) { TsmiListPatchChains(*ParamBuffer); } #endif return status; }
static NTSTATUS ExpLoadUuidSequence(PULONG Sequence) { UCHAR ValueBuffer[VALUE_BUFFER_SIZE]; PKEY_VALUE_PARTIAL_INFORMATION ValueInfo; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING Name; HANDLE KeyHandle; ULONG ValueLength; NTSTATUS Status; RtlInitUnicodeString(&Name, L"\\Registry\\Machine\\Software\\Microsoft\\Rpc"); InitializeObjectAttributes(&ObjectAttributes, &Name, OBJ_CASE_INSENSITIVE, NULL, NULL); Status = ZwOpenKey(&KeyHandle, KEY_QUERY_VALUE, &ObjectAttributes); if (!NT_SUCCESS(Status)) { DPRINT("ZwOpenKey() failed (Status %lx)\n", Status); return Status; } RtlInitUnicodeString(&Name, L"UuidSequenceNumber"); ValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer; Status = ZwQueryValueKey(KeyHandle, &Name, KeyValuePartialInformation, ValueBuffer, VALUE_BUFFER_SIZE, &ValueLength); ZwClose(KeyHandle); if (!NT_SUCCESS(Status)) { DPRINT("ZwQueryValueKey() failed (Status %lx)\n", Status); return Status; } *Sequence = *((PULONG)ValueInfo->Data); DPRINT("Loaded sequence %lx\n", *Sequence); return STATUS_SUCCESS; }
BOOLEAN FsRtlpIsDfsEnabled(VOID) { HANDLE Key; ULONG Length; NTSTATUS Status; UNICODE_STRING KeyName; OBJECT_ATTRIBUTES ObjectAttributes; struct { KEY_VALUE_PARTIAL_INFORMATION KeyInfo; ULONG KeyValue; } KeyQueryOutput; /* You recognize MuppIsDfsEnabled()! Congratz :-) */ KeyName.Buffer = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup"; KeyName.Length = sizeof(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup") - sizeof(UNICODE_NULL); KeyName.MaximumLength = sizeof(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup"); /* Simply query registry to get whether DFS is disabled. * If DFS isn't disabled from registry side, assume it is enabled * and go through MUP. * MUP itself might disable it, but that's not our concern * any longer */ InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE, NULL, NULL); Status = ZwOpenKey(&Key, KEY_READ, &ObjectAttributes); if (!NT_SUCCESS(Status)) { return TRUE; } KeyName.Buffer = L"DisableDfs"; KeyName.Length = sizeof(L"DisableDfs") - sizeof(UNICODE_NULL); KeyName.MaximumLength = sizeof(L"DisableDfs"); Status = ZwQueryValueKey(Key, &KeyName, KeyValuePartialInformation, &KeyQueryOutput, sizeof(KeyQueryOutput), &Length); ZwClose(Key); if (!NT_SUCCESS(Status) || KeyQueryOutput.KeyInfo.Type != REG_DWORD) { return TRUE; } return ((ULONG)KeyQueryOutput.KeyInfo.Data != 1); }
SHORT FASTCALL UserGetLanguageID(VOID) { HANDLE KeyHandle; OBJECT_ATTRIBUTES ObAttr; // http://support.microsoft.com/kb/324097 ULONG Ret = MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT); PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo; ULONG Size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + MAX_PATH*sizeof(WCHAR); UNICODE_STRING Language; RtlInitUnicodeString( &Language, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language"); InitializeObjectAttributes( &ObAttr, &Language, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); if ( NT_SUCCESS(ZwOpenKey(&KeyHandle, KEY_READ, &ObAttr))) { pKeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING); if ( pKeyInfo ) { RtlInitUnicodeString(&Language, L"Default"); if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle, &Language, KeyValuePartialInformation, pKeyInfo, Size, &Size)) ) { RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data); if (!NT_SUCCESS(RtlUnicodeStringToInteger(&Language, 16, &Ret))) { Ret = MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT); } } ExFreePoolWithTag(pKeyInfo, TAG_STRING); } ZwClose(KeyHandle); } TRACE("Language ID = %x\n",Ret); return (SHORT) Ret; }
NTSTATUS GetKeyValue(HANDLE hKey, LPWSTR ValueName, PVOID OutputBuffer, ULONG BufferSize, OUT OPTIONAL PULONG BytesReturned) { if (BytesReturned != NULL) *BytesReturned = 0; UNICODE_STRING UnicodeValueName; RtlInitUnicodeString(&UnicodeValueName, ValueName); ULONG PartialInformationSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + BufferSize - 1; PKEY_VALUE_PARTIAL_INFORMATION PartialInformation = GetMem(PartialInformationSize); ULONG ResultLength = 0; NTSTATUS Status = ZwQueryValueKey(hKey, &UnicodeValueName, KeyValuePartialInformation, PartialInformation, PartialInformationSize, &ResultLength); if NT_SUCCESS(Status) { RtlCopyMemory(OutputBuffer, PartialInformation->Data, PartialInformation->DataLength); if (BytesReturned != NULL) *BytesReturned = PartialInformation->DataLength; } else if ((BytesReturned != NULL) && ((Status == STATUS_BUFFER_OVERFLOW) || (Status == STATUS_BUFFER_TOO_SMALL))) {
VOID NTAPI INIT_FUNCTION KeI386VdmInitialize(VOID) { NTSTATUS Status; OBJECT_ATTRIBUTES ObjectAttributes; HANDLE RegHandle; UNICODE_STRING Name; UCHAR KeyValueInfo[sizeof(KEY_VALUE_BASIC_INFORMATION) + 30]; ULONG ReturnLength; /* Make sure that there is a WOW key */ RtlInitUnicodeString(&Name, L"\\Registry\\Machine\\System\\CurrentControlSet\\" L"Control\\Wow"); InitializeObjectAttributes(&ObjectAttributes, &Name, OBJ_CASE_INSENSITIVE, NULL, NULL); Status = ZwOpenKey(&RegHandle, KEY_READ, &ObjectAttributes); if (!NT_SUCCESS(Status)) return; /* Check if VME is enabled */ RtlInitUnicodeString(&Name, L"DisableVme"); Status = ZwQueryValueKey(RegHandle, &Name, KeyValueBasicInformation, &KeyValueInfo, sizeof(KeyValueInfo), &ReturnLength); if (!NT_SUCCESS(Status)) { /* Not present, so check if the CPU supports VME */ if (KeGetPcr()->Prcb->FeatureBits & KF_V86_VIS) { /* Enable them. FIXME: Use IPI */ Ki386VdmEnablePentiumExtentions(TRUE); KeI386VirtualIntExtensions = TRUE; } } /* Close the key */ ZwClose(RegHandle); }
////////////////////////////////////////////////////////////////////////// // // Registry primitives. // NTSTATUS DrReadKeyValue( HANDLE RegKey, PWCHAR KeyName, ULONG KeyType, PVOID Buffer, ULONG BufferLength, PULONG BufferLengthNeeded ) { PKEY_VALUE_PARTIAL_INFORMATION keyValue; NTSTATUS status; ULONG outLength; UNICODE_STRING valueName; outLength = 0; keyValue = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePoolWithTag(PagedPool, 512, DEVREG_POOTAG_KEYINFO); if(keyValue == NULL) return STATUS_INSUFFICIENT_RESOURCES; RtlInitUnicodeString(&valueName, KeyName); status = ZwQueryValueKey(RegKey, &valueName, KeyValuePartialInformation, keyValue, 512, &outLength); if(BufferLengthNeeded) { *BufferLengthNeeded = keyValue->DataLength; } if(!NT_SUCCESS(status)) { KDPrint(1, ("ZwQueryValueKey() failed. ValueKeyName:%ws\n", KeyName)); ExFreePool(keyValue); return status; } if(keyValue->Type != KeyType) { KDPrint(1, ("Wrong value key type. ValueKeyName:%ws\n", KeyName)); ExFreePool(keyValue); return status; } if(BufferLength < keyValue->DataLength) { KDPrint(1, ("Buffer too small. ValueKeyName:%ws\n", KeyName)); ExFreePool(keyValue); return STATUS_BUFFER_TOO_SMALL; } RtlCopyMemory(Buffer, keyValue->Data, keyValue->DataLength); ExFreePool(keyValue); return STATUS_SUCCESS; }
static NTSTATUS EvhdQueryBoolParameter(LPCWSTR lpszParameterName, BOOLEAN bDefaultValue, BOOLEAN *pResult) { NTSTATUS status = STATUS_SUCCESS; HANDLE KeyHandle = NULL, SubKeyHandle = NULL; OBJECT_ATTRIBUTES ObjectAttributes = { 0 }; UNICODE_STRING SubKeyName, ValueName; BOOLEAN Result = bDefaultValue; KEY_VALUE_PARTIAL_INFORMATION KeyValueInformation; ULONG ResultLength; ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES); ObjectAttributes.ObjectName = g_pRegistryPath; ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE; status = ZwOpenKey(&KeyHandle, FILE_GENERIC_READ, &ObjectAttributes); if (NT_SUCCESS(status)) { RtlInitUnicodeString(&SubKeyName, L"Parameters"); ObjectAttributes.RootDirectory = KeyHandle; ObjectAttributes.ObjectName = &SubKeyName; status = ZwOpenKey(&SubKeyHandle, FILE_GENERIC_READ, &ObjectAttributes); if (NT_SUCCESS(status)) { RtlInitUnicodeString(&ValueName, lpszParameterName); if (NT_SUCCESS(ZwQueryValueKey(SubKeyHandle, &ValueName, KeyValuePartialInformation, &KeyValueInformation, sizeof(KeyValueInformation), &ResultLength))) { if (ResultLength == sizeof(KeyValueInformation) && REG_DWORD == KeyValueInformation.Type && sizeof(ULONG32) == KeyValueInformation.DataLength) { Result = 0 != *(ULONG32 *)KeyValueInformation.Data; } } ZwClose(SubKeyHandle); } ZwClose(KeyHandle); } *pResult = Result; return status; }
VOID NTAPI PopReadShutdownPolicy(VOID) { UNICODE_STRING KeyString; OBJECT_ATTRIBUTES ObjectAttributes; NTSTATUS Status; HANDLE KeyHandle; ULONG Length; UCHAR Buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG)]; PKEY_VALUE_PARTIAL_INFORMATION Info = (PVOID)Buffer; /* Setup object attributes */ RtlInitUnicodeString(&KeyString, L"\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT"); InitializeObjectAttributes(&ObjectAttributes, &KeyString, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); /* Open the key */ Status = ZwOpenKey(&KeyHandle, KEY_READ, &ObjectAttributes); if (NT_SUCCESS(Status)) { /* Open the policy value and query it */ RtlInitUnicodeString(&KeyString, L"DontPowerOffAfterShutdown"); Status = ZwQueryValueKey(KeyHandle, &KeyString, KeyValuePartialInformation, &Info, sizeof(Info), &Length); if ((NT_SUCCESS(Status)) && (Info->Type == REG_DWORD)) { /* Read the policy */ PopShutdownPowerOffPolicy = *Info->Data == 1; } /* Close the key */ ZwClose(KeyHandle); } }
PAGED NTSTATUS GetRegDWORDValue( _In_ PMS_FILTER pFilter, _In_ PCWSTR ValueName, _Out_ PULONG ValueData ) { NTSTATUS status; ULONG resultLength; UCHAR keybuf[128] = {0}; UNICODE_STRING UValueName; PAGED_CODE(); RtlInitUnicodeString(&UValueName, ValueName); status = ZwQueryValueKey( pFilter->InterfaceRegKey, &UValueName, KeyValueFullInformation, keybuf, sizeof(keybuf), &resultLength); if (NT_SUCCESS(status)) { PKEY_VALUE_FULL_INFORMATION keyInfo = (PKEY_VALUE_FULL_INFORMATION)keybuf; if (keyInfo->Type != REG_DWORD) { status = STATUS_INVALID_PARAMETER_MIX; } else { *ValueData = *((ULONG UNALIGNED *)(keybuf + keyInfo->DataOffset)); } } return status; }
NTSTATUS Reg_GetGuidValue(_In_ HANDLE hKey, _In_ LPCWSTR pszValueName, _Out_ PGUID pValue) { NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING ValueName; RtlInitUnicodeString(&ValueName, pszValueName); struct { KEY_VALUE_PARTIAL_INFORMATION Info; GUID Extra; } Buffer; ULONG ResultLength; Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, &Buffer, sizeof(Buffer), &ResultLength); if (NT_SUCCESS(Status)) { if (REG_BINARY == Buffer.Info.Type && sizeof(GUID) == Buffer.Info.DataLength) { RtlMoveMemory(pValue, Buffer.Info.Data, sizeof(GUID)); } else Status = STATUS_INVALID_BUFFER_SIZE; } return Status; }
_Use_decl_annotations_ EXTERN_C NTSTATUS UtilLoadPointerVaule(const wchar_t *Key, const wchar_t *Value, void **Data) { PAGED_CODE(); UNICODE_STRING path = {}; RtlInitUnicodeString(&path, Key); OBJECT_ATTRIBUTES oa = RTL_INIT_OBJECT_ATTRIBUTES( &path, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE); // Open the registry HANDLE keyNaked = nullptr; auto status = ZwOpenKey(&keyNaked, KEY_READ, &oa); if (!NT_SUCCESS(status)) { return status; } auto key = std::experimental::make_unique_resource(std::move(keyNaked), &::ZwClose); UNICODE_STRING valueName = {}; RtlInitUnicodeString(&valueName, Value); // Read value ULONG resultLength = 0; UCHAR buffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(void *)] = {}; status = ZwQueryValueKey(key.get(), &valueName, KeyValuePartialInformation, buffer, sizeof(buffer), &resultLength); if (!NT_SUCCESS(status)) { return status; } // Error if it is not an expected type or not a pointer size. ULONG expectedRegType = (IsX64()) ? REG_QWORD : REG_DWORD; auto data = reinterpret_cast<KEY_VALUE_PARTIAL_INFORMATION *>(buffer); if (data->Type != expectedRegType || data->DataLength != sizeof(void *)) { return STATUS_DATA_NOT_ACCEPTED; } *Data = *reinterpret_cast<void **>(data->Data); return status; }
// Query value from key, ZwQueryValueKey wrapper BOOLEAN RegQueryValue (HANDLE hKey, PWSTR ValueName, ULONG Type, PVOID Buffer, ULONG *Len) { UNICODE_STRING uValueName; NTSTATUS Status; UCHAR InfoBuffer[512] = {0}; KEY_VALUE_PARTIAL_INFORMATION *Info = (KEY_VALUE_PARTIAL_INFORMATION*) InfoBuffer; ULONG ResultLength; RtlInitUnicodeString (&uValueName, ValueName); Status = ZwQueryValueKey ( hKey, &uValueName, KeyValuePartialInformation, Info, sizeof(InfoBuffer), &ResultLength ); if (NT_SUCCESS(Status)) { if (Type != Info->Type) { KdPrint(("Type mismatch (%d, %d)\n", Type, Info->Type)); return FALSE; } ULONG Length = min (*Len, Info->DataLength); memcpy (Buffer, Info->Data, Length); *Len = Length; return TRUE; } KdPrint(("ZwQueryValueKey(%S) failed with status %X\n", ValueName, Status)); return FALSE; }
NTSTATUS Reg_GetQwordValue(_In_ HANDLE hKey, _In_ LPCWSTR pszValueName, _Out_ PULONG64 pValue) { NTSTATUS Status = STATUS_SUCCESS; UNICODE_STRING ValueName; RtlInitUnicodeString(&ValueName, pszValueName); struct { KEY_VALUE_PARTIAL_INFORMATION Info; ULONG64 Extra; } Buffer; ULONG ResultLength; Status = ZwQueryValueKey(hKey, &ValueName, KeyValuePartialInformation, &Buffer, sizeof(Buffer), &ResultLength); if (NT_SUCCESS(Status)) { if (REG_QWORD == Buffer.Info.Type) { ASSERT(Buffer.Info.DataLength == sizeof(ULONG64)); *pValue = *(PULONG64)Buffer.Info.Data; } else Status = STATUS_INVALID_BUFFER_SIZE; } return Status; }
/** * Reads an integer (REG_DWORD) parameter from the registry. * * \param KeyHandle A handle to the Parameters key. If NULL, the function * fails immediately and returns \a DefaultValue. * \param ValueName The name of the parameter. * \param DefaultValue The value that is returned if the function fails * to retrieve the parameter from the registry. * * \return The parameter value, or \a DefaultValue if the function failed. */ ULONG KphpReadIntegerParameter( __in_opt HANDLE KeyHandle, __in PUNICODE_STRING ValueName, __in ULONG DefaultValue ) { NTSTATUS status; UCHAR buffer[FIELD_OFFSET(KEY_VALUE_PARTIAL_INFORMATION, Data) + sizeof(ULONG)]; PKEY_VALUE_PARTIAL_INFORMATION info; ULONG resultLength; PAGED_CODE(); if (!KeyHandle) return DefaultValue; info = (PKEY_VALUE_PARTIAL_INFORMATION)buffer; status = ZwQueryValueKey( KeyHandle, ValueName, KeyValuePartialInformation, info, sizeof(buffer), &resultLength ); if (info->Type != REG_DWORD) status = STATUS_OBJECT_TYPE_MISMATCH; if (!NT_SUCCESS(status)) { dprintf("Unable to query parameter %.*S: 0x%x", ValueName->Length / sizeof(WCHAR), ValueName->Buffer, status); return DefaultValue; } return *(PULONG)info->Data; }
static VOID ProcessorSetFriendlyName( PDEVICE_OBJECT DeviceObject) { KEY_VALUE_PARTIAL_INFORMATION *Buffer = NULL; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING HardwareKeyName, ValueName, EnumKeyName; HANDLE KeyHandle = NULL; ULONG DataLength = 0; ULONG BufferLength = 0; NTSTATUS Status; PWSTR KeyNameBuffer = NULL; PWSTR DeviceId = NULL; PWSTR InstanceId = NULL; PWSTR pszPrefix = L"\\Registry\\Machine\\System\\CurrentcontrolSet\\Enum"; RtlInitUnicodeString(&HardwareKeyName, L"\\Registry\\Machine\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0"); InitializeObjectAttributes(&ObjectAttributes, &HardwareKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); Status = ZwOpenKey(&KeyHandle, KEY_READ, &ObjectAttributes); if (!NT_SUCCESS(Status)) { DPRINT1("ZwOpenKey() failed (Status 0x%08lx)\n", Status); return; } RtlInitUnicodeString(&ValueName, L"ProcessorNameString"); Status = ZwQueryValueKey(KeyHandle, &ValueName, KeyValuePartialInformation, NULL, 0, &DataLength); if (Status != STATUS_BUFFER_OVERFLOW && Status != STATUS_BUFFER_TOO_SMALL && Status != STATUS_SUCCESS) { DPRINT1("ZwQueryValueKey() failed (Status 0x%08lx)\n", Status); goto done; } Buffer = ExAllocatePool(PagedPool, DataLength + sizeof(KEY_VALUE_PARTIAL_INFORMATION)); if (Buffer == NULL) { DPRINT1("ExAllocatePool() failed\n"); goto done; } Status = ZwQueryValueKey(KeyHandle, &ValueName, KeyValuePartialInformation, Buffer, DataLength + sizeof(KEY_VALUE_PARTIAL_INFORMATION), &DataLength); if (!NT_SUCCESS(Status)) { DPRINT1("ZwQueryValueKey() failed (Status 0x%08lx)\n", Status); goto done; } DPRINT("ProcessorNameString: %S\n", (PWSTR)&Buffer->Data[0]); ZwClose(KeyHandle); KeyHandle = NULL; Status = GetDeviceId(DeviceObject, BusQueryDeviceID, &DeviceId); if (!NT_SUCCESS(Status)) { DPRINT1("GetDeviceId() failed (Status 0x%08lx)\n", Status); goto done; } DPRINT("DeviceId: %S\n", DeviceId); Status = GetDeviceId(DeviceObject, BusQueryInstanceID, &InstanceId); if (!NT_SUCCESS(Status)) { DPRINT1("GetDeviceId() failed (Status 0x%08lx)\n", Status); goto done; } DPRINT("InstanceId: %S\n", InstanceId); BufferLength = wcslen(pszPrefix) + 1 + wcslen(DeviceId) + 1 + wcslen(InstanceId) + 1; KeyNameBuffer = ExAllocatePool(PagedPool, BufferLength * sizeof(WCHAR)); if (KeyNameBuffer == NULL) { DPRINT1("ExAllocatePool() failed\n"); goto done; } swprintf(KeyNameBuffer, L"%s\\%s\\%s", pszPrefix, DeviceId, InstanceId); RtlInitUnicodeString(&EnumKeyName, KeyNameBuffer); InitializeObjectAttributes(&ObjectAttributes, &EnumKeyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); Status = ZwOpenKey(&KeyHandle, KEY_WRITE, &ObjectAttributes); if (!NT_SUCCESS(Status)) { DPRINT1("ZwOpenKey() failed (Status 0x%08lx)\n", Status); goto done; } RtlInitUnicodeString(&ValueName, L"FriendlyName"); Status = ZwSetValueKey(KeyHandle, &ValueName, 0, REG_SZ, (PVOID)&Buffer->Data[0], Buffer->DataLength); if (!NT_SUCCESS(Status)) { DPRINT1("ZwSetValueKey() failed (Status 0x%08lx)\n", Status); goto done; } done: if (KeyHandle != NULL) ZwClose(KeyHandle); if (KeyNameBuffer != NULL) ExFreePool(KeyNameBuffer); if (InstanceId != NULL) ExFreePool(InstanceId); if (DeviceId != NULL) ExFreePool(DeviceId); if (Buffer != NULL) ExFreePool(Buffer); }
MIXER_STATUS QueryKeyValue( IN HANDLE hKey, IN LPWSTR lpKeyName, OUT PVOID * ResultBuffer, OUT PULONG ResultLength, OUT PULONG KeyType) { NTSTATUS Status; UNICODE_STRING KeyName; ULONG Length; PKEY_VALUE_PARTIAL_INFORMATION PartialInformation; /* initialize key name */ RtlInitUnicodeString(&KeyName, lpKeyName); /* now query MatchingDeviceId key */ Status = ZwQueryValueKey(hKey, &KeyName, KeyValuePartialInformation, NULL, 0, &Length); /* check for success */ if (Status != STATUS_BUFFER_TOO_SMALL) return MM_STATUS_UNSUCCESSFUL; /* allocate a buffer for key data */ PartialInformation = AllocateItem(NonPagedPool, Length); if (!PartialInformation) return MM_STATUS_NO_MEMORY; /* now query MatchingDeviceId key */ Status = ZwQueryValueKey(hKey, &KeyName, KeyValuePartialInformation, PartialInformation, Length, &Length); /* check for success */ if (!NT_SUCCESS(Status)) { FreeItem(PartialInformation); return MM_STATUS_UNSUCCESSFUL; } if (KeyType) { /* return key type */ *KeyType = PartialInformation->Type; } if (ResultLength) { /* return data length */ *ResultLength = PartialInformation->DataLength; } *ResultBuffer = AllocateItem(NonPagedPool, PartialInformation->DataLength); if (!*ResultBuffer) { /* not enough memory */ FreeItem(PartialInformation); return MM_STATUS_NO_MEMORY; } /* copy key value */ RtlMoveMemory(*ResultBuffer, PartialInformation->Data, PartialInformation->DataLength); /* free key info */ FreeItem(PartialInformation); return MM_STATUS_SUCCESS; }
//*********************************************************************************** // Name: RegReadDword // // Description: // reads dword registry value // // Return value: // operation status // // Parameters: // // NOTE: None // ********************************************************************************** NTSTATUS RegReadDword( IN HANDLE hKey, IN PWCHAR szValueName, OUT PULONG ValueData ) { NTSTATUS ntStatus; PKEY_VALUE_PARTIAL_INFORMATION KeyValueInfo = NULL; CHAR KeyValueBuffer[sizeof(KEY_VALUE_PARTIAL_INFORMATION)+sizeof(ULONG)]; UNICODE_STRING usValueName; ULONG ReturnedLength = 0; RtlInitUnicodeString(&usValueName, szValueName); KeyValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)KeyValueBuffer; RtlZeroMemory(KeyValueBuffer, sizeof(KeyValueBuffer)); ntStatus = ZwQueryValueKey( hKey, &usValueName, KeyValuePartialInformation, KeyValueInfo, sizeof(KeyValueBuffer), &ReturnedLength ); if (NT_SUCCESS(ntStatus)) { if (KeyValueInfo->Type != REG_DWORD || KeyValueInfo->DataLength != sizeof(ULONG) ) { ntStatus = STATUS_INVALID_PARAMETER_MIX; } else { *ValueData = *((ULONG UNALIGNED *)((PCHAR)KeyValueInfo->Data)); } } return ntStatus; }