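/*
 * Enables SE_RESTORE_NAME on the current process token and then loads the
 * hive file `filename` under `key`\`subkey` with RegLoadKey.
 *
 * Returns TRUE only when every step succeeded: opening the token, resolving
 * the privilege LUID, the privilege actually being enabled, and RegLoadKey
 * returning ERROR_SUCCESS. Note that AdjustTokenPrivileges returns TRUE even
 * when the token does not hold the privilege at all; that case is only
 * visible through GetLastError() == ERROR_NOT_ALL_ASSIGNED, so it is checked
 * explicitly here instead of being reported as success.
 *
 * The token handle is closed on every path. Only SE_RESTORE_NAME is enabled,
 * as in the original; if RegLoadKey reports ERROR_PRIVILEGE_NOT_HELD the
 * caller may additionally need SE_BACKUP_NAME -- confirm against the target OS.
 */
BOOLEAN load_hive(HKEY key,LPCTSTR subkey,LPCTSTR filename)
{
	HANDLE hToken = NULL;
	TOKEN_PRIVILEGES tkp;
	LONG A;

	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY, &hToken))
	{
		printf(" OpenProcessToken failed, error %lu\n", GetLastError());
		return FALSE;
	}

	/* TOKEN_PRIVILEGES as declared holds exactly one entry; request just that one. */
	tkp.PrivilegeCount = 1;
	tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	if (!LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &tkp.Privileges[0].Luid))
	{
		printf(" LookupPrivilegeValue failed, error %lu\n", GetLastError());
		CloseHandle(hToken);
		return FALSE;
	}

	/* A TRUE return with ERROR_NOT_ALL_ASSIGNED means the privilege is not
	 * assigned to this token, so RegLoadKey below would fail anyway. */
	if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, NULL, 0)
	    || GetLastError() == ERROR_NOT_ALL_ASSIGNED)
	{
		CloseHandle(hToken);
		printf (" AdjustTokenPrivileges is false \n");
		return FALSE;
	}

	/* The privilege lives on the token, not the handle, so the handle can go now. */
	CloseHandle(hToken);

	A = RegLoadKey(key,subkey,filename);
	return (ERROR_SUCCESS == A);
}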
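/*
 * JNI bridge for RegistryKey.RegLoadKey: loads the hive file `file` under
 * the key `hkey`\`subkey` and returns the Win32 result of RegLoadKey
 * (ERROR_SUCCESS on success).
 *
 * Both strings are borrowed from the JVM with GetStringChars and released
 * on every path. GetStringChars returns NULL when the JVM cannot supply the
 * buffer (an OutOfMemoryError is then pending), and a Java null argument
 * must not be dereferenced at all, so each input is checked before the
 * registry call; on those failures a Win32 error code is returned without
 * touching the registry.
 */
JNIEXPORT jint SIGAR_JNI(win32_RegistryKey_RegLoadKey)
(JNIEnv *env, jclass, jlong hkey, jstring subkey, jstring file)
{
    if (subkey == NULL || file == NULL) {
        return ERROR_INVALID_PARAMETER;
    }

    const jchar *subkeyChars = env->GetStringChars(subkey, NULL);
    if (subkeyChars == NULL) {
        return ERROR_NOT_ENOUGH_MEMORY; // JVM has an exception pending
    }
    const jchar *fileChars = env->GetStringChars(file, NULL);
    if (fileChars == NULL) {
        env->ReleaseStringChars(subkey, subkeyChars);
        return ERROR_NOT_ENOUGH_MEMORY;
    }

    // jchar is UTF-16, so the LPCTSTR cast is only valid in a UNICODE build
    // (TCHAR == wchar_t); the original code relies on the same assumption.
    LONG lResult = RegLoadKey((HKEY)hkey, (LPCTSTR)subkeyChars, (LPCTSTR)fileChars);

    env->ReleaseStringChars(file, fileChars);
    env->ReleaseStringChars(subkey, subkeyChars);

    return lResult;
}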
/*
 * Menu handler: asks the user for a hive file and a key name, loads the hive
 * under the tree's currently selected root key with RegLoadKey, and refreshes
 * both views afterwards.
 *
 * Returns FALSE only when RegLoadKey itself fails (after showing the error);
 * a cancelled file dialog or key-name dialog still returns TRUE.
 */
static BOOL LoadHive(HWND hWnd)
{
    OPENFILENAME ofn;
    FILTERPAIR filter;
    TCHAR Filter[1024];
    TCHAR Caption[128];
    TCHAR xPath[128];
    LPCTSTR pszKeyPath;
    HKEY hRootKey;
    LONG regLoadResult;

    /* the selected tree item supplies the root key the hive is loaded into */
    pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hRootKey);

    /* "open file" dialog: all-files filter, localized caption, resizable */
    InitOpenFileName(hWnd, &ofn);
    filter.DisplayID = IDS_FLT_ALLFILES;
    filter.FilterID = IDS_FLT_ALLFILES_FLT;
    BuildFilterStrings(Filter, &filter, sizeof(filter));
    ofn.lpstrFilter = Filter;
    LoadString(hInst, IDS_LOAD_HIVE, Caption, COUNT_OF(Caption));
    ofn.lpstrTitle = Caption;
    ofn.Flags |= OFN_ENABLESIZING;

    if (!GetOpenFileName(&ofn))
    {
        /* let the common-dialog helper report a failure, if there was one */
        CheckCommDlgError(hWnd);
        return TRUE;
    }

    /* the key-name dialog fills xPath; a cancel leaves nothing to do */
    if (!DialogBoxParam(hInst, MAKEINTRESOURCE(IDD_LOADHIVE), hWnd, &LoadHive_KeyNameInHookProc, (LPARAM)xPath))
        return TRUE;

    regLoadResult = RegLoadKey(hRootKey, xPath, ofn.lpstrFile);
    if (regLoadResult != ERROR_SUCCESS)
    {
        ErrorMessageBox(hWnd, Caption, regLoadResult);
        return FALSE;
    }

    /* the tree gained a subkey; re-read the selection before refreshing the list */
    RefreshTreeView(g_pChildWnd->hTreeWnd);
    pszKeyPath = GetItemPath(g_pChildWnd->hTreeWnd, 0, &hRootKey);
    RefreshListView(g_pChildWnd->hListWnd, hRootKey, pszKeyPath);
    return TRUE;
}
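/*
 * Creates a subkey and loads data from the specified registry hive into that
 * subkey.
 *
 * TLVs:
 *
 * req: TLV_TYPE_ROOT_KEY   - The root key
 * req: TLV_TYPE_BASE_KEY   - The base key
 * req: TLV_TYPE_FILE_PATH  - Hive file to load
 *
 * All three TLVs are mandatory: if any of them is missing the handler does
 * not call RegLoadKey and reports ERROR_INVALID_PARAMETER instead. The Win32
 * result (of RegLoadKey, or the parameter error) is returned to the peer in
 * TLV_TYPE_RESULT; the function's own return value is ERROR_SUCCESS once the
 * response has been transmitted.
 */
DWORD request_registry_load_key(Remote *remote, Packet *packet)
{
	Packet *response = packet_create_response(packet);
	LPCTSTR baseKey = NULL;
	HKEY rootKey = NULL;
	LPCSTR hiveFile = NULL;
	DWORD result = ERROR_INVALID_PARAMETER;

	rootKey    = (HKEY)packet_get_tlv_value_qword(packet, TLV_TYPE_ROOT_KEY);
	baseKey    = packet_get_tlv_value_string(packet, TLV_TYPE_BASE_KEY);
	hiveFile   = packet_get_tlv_value_string(packet, TLV_TYPE_FILE_PATH);

	/* RegLoadKey must never see a NULL key name or file path */
	if (rootKey && baseKey && hiveFile)
	{
		result = RegLoadKey(rootKey, baseKey, hiveFile);
	}

	packet_add_tlv_uint(response, TLV_TYPE_RESULT, result);
	packet_transmit(remote, response, NULL);
	return ERROR_SUCCESS;
}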
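/**
 *
 *  Load SYSTEM hive to memory
 *  Returns TRUE or FALSE
 *
 *  Unloads any previously loaded hive first, then makes sure
 *  SeRestorePrivilege is enabled (the result is cached in bRestore) before
 *  calling RegLoadKey on HKLM\$$_SYSTEM. dwError records the Win32 status of
 *  the step that failed and the return value is derived from it. When the
 *  privilege cannot be obtained dwError is set explicitly, because otherwise
 *  a stale ERROR_SUCCESS left in dwError by an earlier call would make this
 *  method report success without having loaded anything.
 *
 */
BOOL SystemKey::Load (std::wstring fname) {
  UnLoad();
  
  if (!bRestore) {
    bRestore = SetPrivilege (L"SeRestorePrivilege", TRUE);
  }
  
  if (!bRestore) {
    // RegLoadKey cannot succeed without SeRestorePrivilege; record why we stop.
    dwError = ERROR_PRIVILEGE_NOT_HELD;
    return FALSE;
  }

  // The char-by-char narrowing is only for the trace line; non-ASCII path
  // characters print garbled, but RegLoadKey below receives the wide string.
  dprintf("\nChecking %s", std::string(fname.begin(), fname.end()).c_str());
  DWORD dwAttr = GetFileAttributes (fname.c_str());
  if (dwAttr == INVALID_FILE_ATTRIBUTES) {
    dwError = GetLastError ();
    return FALSE;
  }

  dwError = RegLoadKey (HKEY_LOCAL_MACHINE, L"$$_SYSTEM", fname.c_str());
  if (dwError == ERROR_SUCCESS) {
    regFile = L"$$_SYSTEM";
    bLoaded = TRUE;
  }
  return dwError == ERROR_SUCCESS;
}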
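/*
 * Entry point: loads an offline HKLM\SOFTWARE hive file under a temporary
 * HKLM subkey, imports a certificate (and optionally a CRL) into the
 * Microsoft\SystemCertificates\<store> key of that hive through the CryptoAPI
 * registry store provider, then unloads the hive again.
 *
 * Returns 0 on success, -1 on a usage error, otherwise the Win32 error code of
 * the first step that failed (an unload failure is reported only if everything
 * before it succeeded). The cert/CRL buffers, the three key handles, the cert
 * store and the mounted hive are all released on every path that reaches the
 * cleanup section; `crl` starts out NULL so it can be freed unconditionally
 * even when no /CRL was given.
 */
int _tmain(int argc, _TCHAR* argv[]) {
	LONG retval = ERROR_SUCCESS;
	Params p;
	LPVOID cert = NULL, crl = NULL;
	DWORD certSz = 0, crlSz = 0, index = 0, disp = 0;
	HKEY rootKey = NULL, storesKey = NULL, key = NULL;

	HCERTSTORE hCertStore = NULL;
	TCHAR root[MAX_REG_KEY_LEN];

	// Get params
	if (!GetParams(&p, argc, argv)) {
		_tprintf(TEXT("Usage:\n"));
		_tprintf(TEXT("%s hive crt.cer [/CRL crl.crl] [/Store store]\n\n"), argv[0]);
		_tprintf(TEXT("hive\ta registry hive for HKLM\\SOFTWARE (user hives not supported)\n"));
		_tprintf(TEXT("  found at Windows\\System32\\config\\SOFTWARE (cannot use be an in-use hive)\n"));
		_tprintf(TEXT("crt.cer\tthe certificate to import\n"));
		_tprintf(TEXT("crl.crl\tif provided adds a CRL as well\n"));
		_tprintf(TEXT("store\tthe store to import to, defaults to ROOT\n\n"));
		return -1;
	}

	// Enable privileges: RegLoadKey/RegUnLoadKey need backup and restore,
	// and the store key is created with REG_OPTION_BACKUP_RESTORE below
	if (!EnablePriv(SE_TAKE_OWNERSHIP_NAME) || !EnablePriv(SE_BACKUP_NAME) || !EnablePriv(SE_RESTORE_NAME)) {
		return LastError(TEXT("Failed to enable take ownership, backup, and restore privileges"), NULL);
	}

	// Read the certificate file
	if ((cert = Read(p.cert, &certSz)) == NULL) {
		return LastError(TEXT("Failed to read certificate file '%s'"), p.cert);
	}

	// Read the CRL file (optional; crl stays NULL when none was requested)
	if (p.crl && ((crl = Read(p.crl, &crlSz)) == NULL)) {
		LocalFree(cert);
		return LastError(TEXT("Failed to read the CRL file '%s'"), p.crl);
	}

	// Find a subkey name under HKLM that is not in use yet: TEMPHIVE, then
	// TEMPHIVE0, TEMPHIVE1, ... until RegOpenKeyEx reports it does not exist
	_tcsncpy(root, TEXT("TEMPHIVE"), MAX_REG_KEY_LEN);
	root[MAX_REG_KEY_LEN - 1] = TEXT('\0');
	while ((retval = RegOpenKeyEx(HKEY_LOCAL_MACHINE, root, 0, KEY_READ, &key)) != ERROR_FILE_NOT_FOUND) {
		if (retval != ERROR_SUCCESS) {
			LocalFree(crl);
			LocalFree(cert);
			return Error(TEXT("Failed to find subkey to load hive"), NULL, retval);
		}
		RegCloseKey(key);
		key = NULL;
		_sntprintf(root, MAX_REG_KEY_LEN, TEXT("TEMPHIVE%u"), index++);
		root[MAX_REG_KEY_LEN - 1] = TEXT('\0');   // _sntprintf may not terminate on truncation
	}

	// Load the hive
	if ((retval = RegLoadKey(HKEY_LOCAL_MACHINE, root, p.hive)) != ERROR_SUCCESS) {
		LocalFree(crl);
		LocalFree(cert);
		return Error(TEXT("Failed to load hive file '%s'"), p.hive, retval);
	}

	// Open the HKLM\TEMPHIVE\Microsoft\SystemCertificates
	if ((retval = RegOpenKeyEx(HKEY_LOCAL_MACHINE, root, 0, KEY_ALL_ACCESS, &rootKey)) != ERROR_SUCCESS) {
		Error(TEXT("Failed to get root key '%s'"), root, retval);
	} else if ((retval = RegOpenKeyEx(rootKey, TEXT("Microsoft\\SystemCertificates"), 0, KEY_ALL_ACCESS, &storesKey)) != ERROR_SUCCESS) {
		Error(TEXT("Failed to get stores key: %u\n"), NULL, retval);

	// Create/Open the registry certificate store
	} else if ((retval = RegCreateKeyEx(storesKey, p.store, 0, NULL, REG_OPTION_BACKUP_RESTORE, KEY_ALL_ACCESS, NULL, &key, &disp)) != ERROR_SUCCESS) {
		Error(TEXT("Failed to create store key '%s'"), p.store, retval);

	// Open the store
	} else if ((hCertStore = CertOpenStore(CERT_STORE_PROV_REG, 0, (HCRYPTPROV)NULL, CERT_STORE_BACKUP_RESTORE_FLAG | CERT_STORE_OPEN_EXISTING_FLAG, key)) == NULL) {
		retval = LastError(TEXT("Failed to create certificate store"), NULL);

	// Add the certificate to the store
	} else if (!CertAddEncodedCertificateToStore(hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, cert, certSz, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) {
		retval = LastError(TEXT("Failed add certificate to store"), NULL);

	// Add the crl to the store
	} else if (crl && !CertAddEncodedCRLToStore(hCertStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, crl, crlSz, CERT_STORE_ADD_REPLACE_EXISTING, NULL)) {
		retval = LastError(TEXT("Failed add the CRL to store"), NULL);
	}

	// Cleanup: every handle into the hive must be closed before it can be unloaded
	if (hCertStore) { CertCloseStore(hCertStore, CERT_CLOSE_STORE_FORCE_FLAG); }
	if (key)		{ RegCloseKey(key); }
	if (storesKey)	{ RegCloseKey(storesKey); }
	if (rootKey)	{ RegCloseKey(rootKey); }
	LocalFree(crl);
	LocalFree(cert);

	// Unload the hive; an unload error only replaces retval when nothing
	// earlier failed, so the first failure is what gets reported
	if ((disp = RegUnLoadKey(HKEY_LOCAL_MACHINE, root)) != ERROR_SUCCESS) {
		if (retval == ERROR_SUCCESS) { retval = disp; }
		Error(TEXT("Failed to unload the hive"), NULL, disp);
	}

	// Successful? Yeah!
	if (retval == ERROR_SUCCESS) {
		if (p.crl) {
			_tprintf(TEXT("Successfully added %s and %s to the %s store in %s\n\n"), p.cert, p.crl, p.store, p.hive);
		} else {
			_tprintf(TEXT("Successfully added %s to the %s store in %s\n\n"), p.cert, p.store, p.hive);
		}
	}

	return retval;
}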
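/*
 * Exercises hive loading through both the native API (NtLoadKey) and the
 * Win32 wrapper (RegLoadKey), printing the status of every step with dprintf.
 *
 * Step order: open the process token and try to enable one privilege in it;
 * call NtLoadKey with the HKEY_LOCAL_MACHINE pseudo-handle; call
 * RegLoadKey(HKLM, "def", "test5"); open \Registry\Machine with NtOpenKey and
 * retry NtLoadKey against that real key handle.
 *
 * NOTE(review): the LUID handed to AdjustTokenPrivileges is left at zero
 * because the LookupPrivilegeValue call is disabled in this test, so the
 * adjustment cannot actually enable SeRestorePrivilege -- presumably a
 * leftover from when that API was unavailable in this build; confirm before
 * relying on the privilege handling here. The token handle and the opened
 * key are closed once they are no longer needed.
 */
void test8(void)
{
  OBJECT_ATTRIBUTES ObjectAttributes;
  UNICODE_STRING KeyName;
  NTSTATUS Status;
  NTSTATUS OpenStatus;
  LONG dwError;
  TOKEN_PRIVILEGES NewPrivileges;
  HANDLE Token = NULL;
  HANDLE hKey = NULL;
  LUID Luid = {0};
  BOOLEAN bRes;

  OpenStatus = NtOpenProcessToken(GetCurrentProcess()
	,TOKEN_ADJUST_PRIVILEGES,&Token);
  dprintf("\t\t\t\tStatus =%x\n",OpenStatus);

  /* only adjust a token that was actually opened; on failure Token is unset */
  if (NT_SUCCESS(OpenStatus))
  {
    NewPrivileges.PrivilegeCount = 1;
    NewPrivileges.Privileges[0].Luid = Luid;
    NewPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    bRes = AdjustTokenPrivileges(
              Token,
              FALSE,
              &NewPrivileges,
              0,
              NULL,
              NULL
              );
    dprintf("\t\t\t\tbRes =%x\n",bRes);

    /* the loads below do not use the handle; release it instead of leaking it */
    NtClose(Token);
    Token = NULL;
  }

  RtlRosInitUnicodeStringFromLiteral(&KeyName,L"test5");
  InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE
				, NULL, NULL);
  /* deliberately passes the Win32 pseudo-handle to the native API to see how it reacts */
  Status = NtLoadKey((HANDLE)HKEY_LOCAL_MACHINE,&ObjectAttributes);
  dprintf("\t\t\t\tStatus =%x\n",Status);
  dwError=RegLoadKey(HKEY_LOCAL_MACHINE,"def"
		,"test5");
  dprintf("\t\t\t\tdwError =%x\n",dwError);

  dprintf("NtOpenKey \\Registry\\Machine : ");
  RtlRosInitUnicodeStringFromLiteral(&KeyName, L"\\Registry\\Machine");
  InitializeObjectAttributes(&ObjectAttributes,
                               &KeyName,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);
  Status=NtOpenKey( &hKey, MAXIMUM_ALLOWED, &ObjectAttributes);
  dprintf("\t\t\tStatus =%x\n",Status);

  /* NtLoadKey needs a real key handle; skip the retry if the open failed */
  if (NT_SUCCESS(Status))
  {
    RtlRosInitUnicodeStringFromLiteral(&KeyName,L"test5");
    InitializeObjectAttributes(&ObjectAttributes, &KeyName, OBJ_CASE_INSENSITIVE
				, NULL, NULL);
    Status = NtLoadKey(hKey,&ObjectAttributes);
    dprintf("\t\t\t\tStatus =%x\n",Status);
    NtClose(hKey);
    hKey = NULL;
  }
}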
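// 0 - SUCCEEDED, otherwise - error code
//
// Mounts the hive file asHive and returns an open key to it in *phKey.
//  * Vista+ (major version >= 6): RegLoadAppKeyW, resolved dynamically because
//    it does not exist on XP; the key is opened KEY_ALL_ACCESS first, falling
//    back to KEY_READ.
//  * XP: the hive is loaded under HKEY_USERS\asXPMountName with RegLoadKey
//    after acquiring the backup/restore privileges. If that name is already
//    mounted (e.g. by another instance) it is only opened and *pbKeyMounted
//    stays FALSE, so the caller knows not to unload it on exit.
// After a fresh mount the root keys in ppszKeys are created/opened once to
// verify the hive is usable; a failure there closes the key, unmounts the
// hive again (XP) and returns -8. An already-mounted XP hive skips that check.
// pszErrInfo (when given, with cchErrInfoMax > 0) receives a description of
// the failure. Negative return values are this function's own codes; 0 is
// success.
int WINAPI MountVirtualHive(LPCWSTR asHive, PHKEY phKey, LPCWSTR asXPMountName, wchar_t* pszErrInfo, int cchErrInfoMax, BOOL* pbKeyMounted)
{
	int lRc = -1;
	
	if (pszErrInfo && cchErrInfoMax)
		*pszErrInfo = 0; // caller supplied an error buffer - clear it up front

	if (pbKeyMounted)
		*pbKeyMounted = FALSE;

	OSVERSIONINFO osv = {sizeof(OSVERSIONINFO)};
	GetVersionEx(&osv);
	HMODULE hAdvapi32 = LoadLibrary(L"advapi32.dll");
	LPCWSTR ppszKeys[] =
	{
		L"HKCU",
		L"HKCU\\Software",
		L"HKLM",
		L"HKLM\\Software",
		L"HKLM64",
		L"HKLM64\\Software"
	};
	// the two HKLM64 entries only apply on a 64-bit OS
	size_t nRootKeys = IsWindows64() ? countof(ppszKeys) : (countof(ppszKeys) - 2);

	if (!hAdvapi32)
	{
		if (pszErrInfo && cchErrInfoMax)
			msprintf(pszErrInfo, cchErrInfoMax,
				L"LoadLibrary(advapi32.dll) failed, code=0x%08X!\n", GetLastError());
		lRc = -2;
		goto wrap;
	}
	
	if (osv.dwMajorVersion >= 6)
	{
		// Vista+
		typedef LONG (WINAPI* RegLoadAppKey_t)(LPCWSTR lpFile, PHKEY phkResult, REGSAM samDesired, DWORD dwOptions, DWORD Reserved);
		RegLoadAppKey_t RegLoadAppKey_f = (RegLoadAppKey_t)GetProcAddress(hAdvapi32, "RegLoadAppKeyW");
		if (!RegLoadAppKey_f)
		{
			if (pszErrInfo && cchErrInfoMax)
				msprintf(pszErrInfo, cchErrInfoMax,
					L"RegLoadAppKeyW not found, code=0x%08X!\n", GetLastError());
			lRc = -3;
			goto wrap;
		}
		else
		{
			// full access is preferred; read-only access is still usable
			if ((lRc = RegLoadAppKey_f(asHive, phKey, KEY_ALL_ACCESS, 0, 0)) != 0)
			{
				if ((lRc = RegLoadAppKey_f(asHive, phKey, KEY_READ, 0, 0)) != 0)
				{
					if (pszErrInfo && cchErrInfoMax)
						msprintf(pszErrInfo, cchErrInfoMax,
							L"RegLoadAppKey failed, code=0x%08X!", (DWORD)lRc);
					lRc = -4; //-V112
					goto wrap;
				}
			}
			if (pbKeyMounted)
				*pbKeyMounted = TRUE;
		}
	}
	else if (!asXPMountName || !*asXPMountName)
	{
		lRc = -7;
		if (pszErrInfo && cchErrInfoMax)
			lstrcpyn(pszErrInfo, L"XPMountName is empty!", cchErrInfoMax);
		goto wrap;
	}
	else
	{
		CBackupPrivileges se;
		if (!se.BackupPrivilegesAcuire(TRUE))
		{
			if (pszErrInfo && cchErrInfoMax)
				msprintf(pszErrInfo, cchErrInfoMax,
					L"Aquiring SE_BACKUP_NAME/SE_RESTORE_NAME failed, code=0x%08X!\nYou must be Administrator or Backup operator", GetLastError());
			lRc = -5;
			goto wrap;
		}
		
		// The hive may already have been mounted by another copy of ConEmu.
		TODO("При выходе - может возникнуть конфликт? Кто первый сделает RegUnloadKey...");
		
		if ((lRc = RegOpenKeyEx(HKEY_USERS, asXPMountName, 0, KEY_ALL_ACCESS, phKey)) == 0)
		{
			goto wrap; // success - hive is already mounted
		}
		else if ((lRc = RegOpenKeyEx(HKEY_USERS, asXPMountName, 0, KEY_READ, phKey)) == 0)
		{
			goto wrap; // success - hive is already mounted (read-only)
		}
		
		// The hive is not mounted yet
		if ((lRc = RegLoadKey(HKEY_USERS, asXPMountName, asHive)) != 0)
		{
			if (pszErrInfo && cchErrInfoMax)
				msprintf(pszErrInfo, cchErrInfoMax,
					L"RegLoadKey failed, code=0x%08X!", (DWORD)lRc);
			lRc = -6;
			goto wrap;
		}
		// The key was mounted here, so it must be unmounted on exit
		if (pbKeyMounted)
			*pbKeyMounted = TRUE;

		if ((lRc = RegOpenKeyEx(HKEY_USERS, asXPMountName, 0, KEY_ALL_ACCESS, phKey)) == 0)
		{
			goto wrap; // success - hive is now mounted
		}
		else if ((lRc = RegOpenKeyEx(HKEY_USERS, asXPMountName, 0, KEY_READ, phKey)) == 0)
		{
			goto wrap; // success - hive is now mounted (read-only)
		}
		// Both opens failed right after a successful RegLoadKey: execution
		// falls into the check loop below, which then fails on its first key
		// and unmounts the hive again (returning -8).
	}
	
	// Verify that the keys we need can be created/opened
	for (UINT i = 0; i < nRootKeys; i++)
	{
		HKEY hTest = NULL;
		LPCWSTR pszKeyName = ppszKeys[i];
		lRc = RegCreateKeyEx(*phKey, pszKeyName, 0,0,0, KEY_ALL_ACCESS, 0, &hTest, 0);
		if (lRc != 0)
			lRc = RegCreateKeyEx(*phKey, pszKeyName, 0,0,0, KEY_READ, 0, &hTest, 0);
		if (lRc != 0)
		{
			if (pszErrInfo && cchErrInfoMax)
				msprintf(pszErrInfo, cchErrInfoMax,
					L"RegCreateKeyEx(%s) failed, code=0x%08X!", pszKeyName, (DWORD)lRc);
			RegCloseKey(*phKey);
			*phKey = NULL;
			if (asXPMountName && *asXPMountName)
				UnMountVirtualHive(asXPMountName, NULL, 0);
			lRc = -8;
			goto wrap;
		}
		// the probe handle is not handed to the caller; an open handle into the
		// hive would also keep it from being unloaded later
		RegCloseKey(hTest);
	}

wrap:
	if (hAdvapi32)
		FreeLibrary(hAdvapi32); // Decrease counter
	return lRc;
}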