NTSTATUS
NTAPI
IntSetupDeviceSettingsKey(
PVIDEO_PORT_DEVICE_EXTENSION DeviceExtension)
{
static UNICODE_STRING SettingsKeyName = RTL_CONSTANT_STRING(L"Settings");
HANDLE DevInstRegKey, SourceKeyHandle, DestKeyHandle;
OBJECT_ATTRIBUTES ObjectAttributes;
NTSTATUS Status;
/* Open the software key: HKLM\System\CurrentControlSet\Control\Class\<ClassGUID>\<n> */
Status = IoOpenDeviceRegistryKey(DeviceExtension->PhysicalDeviceObject,
PLUGPLAY_REGKEY_DRIVER,
KEY_ALL_ACCESS,
&DevInstRegKey);
if (Status != STATUS_SUCCESS)
{
ERR_(VIDEOPRT, "Failed to open device software key. Status 0x%lx", Status);
return Status;
}
/* Open the 'Settings' sub-key */
InitializeObjectAttributes(&ObjectAttributes,
&SettingsKeyName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
DevInstRegKey,
NULL);
Status = ZwOpenKey(&DestKeyHandle, KEY_WRITE, &ObjectAttributes);
/* Close the device software key */
ObCloseHandle(DevInstRegKey, KernelMode);
if (Status != STATUS_SUCCESS)
{
ERR_(VIDEOPRT, "Failed to open settings key. Status 0x%lx", Status);
return Status;
}
/* Open the device profile key */
InitializeObjectAttributes(&ObjectAttributes,
&DeviceExtension->RegistryPath,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenKey(&SourceKeyHandle, KEY_WRITE, &ObjectAttributes);
if (Status != STATUS_SUCCESS)
{
ERR_(VIDEOPRT, "ZwOpenKey failed for settings key: status 0x%lx", Status);
ObCloseHandle(DestKeyHandle, KernelMode);
return Status;
}
IntCopyRegistryValue(SourceKeyHandle, DestKeyHandle, L"InstalledDisplayDrivers");
IntCopyRegistryValue(SourceKeyHandle, DestKeyHandle, L"Attach.ToDesktop");
ObCloseHandle(SourceKeyHandle, KernelMode);
ObCloseHandle(DestKeyHandle, KernelMode);
return STATUS_SUCCESS;
}
NTSTATUS
RegistryOpenKey(
IN HANDLE Parent,
IN PUNICODE_STRING Path,
IN ACCESS_MASK DesiredAccess,
OUT PHANDLE Key
)
{
OBJECT_ATTRIBUTES Attributes;
NTSTATUS status;
InitializeObjectAttributes(&Attributes,
Path,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
Parent,
NULL);
status = ZwOpenKey(Key,
DesiredAccess,
&Attributes);
if (!NT_SUCCESS(status))
goto fail1;
return STATUS_SUCCESS;
fail1:
return status;
}
void RegRenameKey(LPWSTR OldKeyName, LPWSTR NewKeyName)
{
OBJECT_ATTRIBUTES objectAttributes;
HANDLE hRegister;
NTSTATUS ntStatus;
UNICODE_STRING usOldKeyName,usNewKeyName;
RtlInitUnicodeString(&usOldKeyName,OldKeyName);
RtlInitUnicodeString(&usNewKeyName,NewKeyName);
InitializeObjectAttributes(&objectAttributes,
&usOldKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey( &hRegister, KEY_ALL_ACCESS, &objectAttributes);
if(NT_SUCCESS(ntStatus))
{
ntStatus = MyZwRenameKey(hRegister,&usNewKeyName);
ZwFlushKey(hRegister);
ZwClose(hRegister);
DbgPrint("ZwRenameKey success!\n");
}
else
{
DbgPrint("ZwRenameKey failed!\n");
}
}
MIXER_STATUS
OpenKey(
IN HANDLE hKey,
IN LPWSTR lpSubKeyName,
IN ULONG DesiredAccess,
OUT PHANDLE OutKey)
{
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING SubKeyName;
NTSTATUS Status;
/* initialize sub key name */
RtlInitUnicodeString(&SubKeyName, lpSubKeyName);
/* initialize key attributes */
InitializeObjectAttributes(&ObjectAttributes, &SubKeyName, OBJ_CASE_INSENSITIVE | OBJ_OPENIF, hKey, NULL);
/* open the key */
Status = ZwOpenKey(OutKey, DesiredAccess, &ObjectAttributes);
if (NT_SUCCESS(Status))
return MM_STATUS_SUCCESS;
else
return MM_STATUS_UNSUCCESSFUL;
}
void RegSetValueKey(LPWSTR KeyName, LPWSTR ValueName, DWORD DataType, PVOID DataBuffer, DWORD DataLength)
{
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING usKeyName,usValueName;
NTSTATUS ntStatus;
HANDLE hRegister;
ULONG Type;
RtlInitUnicodeString(&usKeyName, KeyName);
RtlInitUnicodeString(&usValueName, ValueName);
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey(&hRegister, KEY_ALL_ACCESS, &objectAttributes);
if (NT_SUCCESS(ntStatus))
{
ntStatus = ZwSetValueKey(hRegister, &usValueName, 0, DataType, DataBuffer, DataLength);
ZwFlushKey(hRegister);
ZwClose(hRegister);
DbgPrint("ZwSetValueKey success!\n");
}
else
{
DbgPrint("ZwSetValueKey failed!\n");
}
}
// Open registry key, ZwOpenKey wrapper
HANDLE RegOpenKey (PWSTR KeyName, ACCESS_MASK DesiredAccess)
{
OBJECT_ATTRIBUTES Oa;
UNICODE_STRING uKeyName;
NTSTATUS Status;
HANDLE hKey;
RtlInitUnicodeString (&uKeyName, KeyName);
InitializeObjectAttributes (
&Oa,
&uKeyName,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
0,
0
);
Status = ZwOpenKey (&hKey, DesiredAccess, &Oa);
if (!NT_SUCCESS(Status))
{
KdPrint (("ZwOpenKey(%S) failed with status %X\n", KeyName));
return NULL;
}
return hKey;
}
NTSTATUS MrSetRegValue(PWCHAR n, PVOID d, ULONG l)
{
OBJECT_ATTRIBUTES oa = {0};
HANDLE hk = NULL;
NTSTATUS status;
UNICODE_STRING name;
InitializeObjectAttributes(
&oa, &g_core.mc_reg,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL, NULL);
status = ZwOpenKey(&hk, KEY_ALL_ACCESS, &oa);
if (!NT_SUCCESS(status))
goto errorout;
RtlInitUnicodeString(&name, n);
status = ZwSetValueKey(hk,
&name,
0,
REG_MULTI_SZ,
d,
l);
errorout:
if (hk != 0)
ZwClose(hk);
return status;
}
NTSTATUS ReadRegistryString(PUNICODE_STRING RegistryPath, PWCHAR ValueName, PWCHAR ValueBuffer, DWORD Len)
{
NTSTATUS St;
UNICODE_STRING param;
OBJECT_ATTRIBUTES ObjAtr;
HANDLE hKey;
PKEY_VALUE_PARTIAL_INFORMATION info = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(NonPagedPool, 260*2);
ULONG size;
InitializeObjectAttributes(&ObjAtr, RegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
St = ZwOpenKey(&hKey, KEY_QUERY_VALUE, &ObjAtr);
if (St == STATUS_SUCCESS)
{
RtlInitUnicodeString(¶m, ValueName);
St = ZwQueryValueKey(hKey, ¶m, KeyValuePartialInformation, (PVOID)info, 260*2, &size);
if (NT_SUCCESS(St))
{
RtlZeroMemory(ValueBuffer, Len);
RtlCopyMemory(ValueBuffer, info->Data, info->DataLength);
}
ZwClose(hKey);
}
return St;
}
/*
* TsmiLoadParameters
*
* Purpose:
*
* Read parameters from registry.
*
*/
NTSTATUS TsmiLoadParameters(
VOID
)
{
UCHAR cond = 0;
PKEY_VALUE_PARTIAL_INFORMATION tmpChains;
HANDLE hKey = NULL;
NTSTATUS status = STATUS_UNSUCCESSFUL;
UNICODE_STRING uStr;
OBJECT_ATTRIBUTES ObjectAttributes;
ULONG ChainsLength;
RtlInitUnicodeString(&uStr, TSUGUMI_PARAMS);
InitializeObjectAttributes(&ObjectAttributes, &uStr, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenKey(&hKey, KEY_READ, &ObjectAttributes);
if (!NT_SUCCESS(status))
return status;
do {
#ifdef _DEBUGMSG
DbgPrint("[TSMI] TsmiLoadParameters(%ws)\n", DDname);
#endif
ChainsLength = 0;
tmpChains = NULL;
RtlInitUnicodeString(&uStr, DDname);
status = TsmiReadPatchChains(hKey, &uStr, &tmpChains, &ChainsLength);
if (NT_SUCCESS(status)) {
if (tmpChains != NULL) {
TsmiCopyPatchChainsData(&PatchChains_VBoxDD, tmpChains, ChainsLength);
ExFreePoolWithTag(tmpChains, TSUGUMI_TAG);
}
}
#ifdef _DEBUGMSG
DbgPrint("[TSMI] TsmiLoadParameters(%ws)\n", VMMname);
#endif
ChainsLength = 0;
tmpChains = NULL;
RtlInitUnicodeString(&uStr, VMMname);
status = TsmiReadPatchChains(hKey, &uStr, &tmpChains, &ChainsLength);
if (NT_SUCCESS(status)) {
if (tmpChains != NULL) {
TsmiCopyPatchChainsData(&PatchChains_VBoxVMM, tmpChains, ChainsLength);
ExFreePoolWithTag(tmpChains, TSUGUMI_TAG);
}
}
} while (cond);
ZwClose(hKey);
hKey = NULL;
#ifdef _DEBUGMSG
DbgPrint("[TSMI] TsmiLoadParameters=%lx\n", status);
#endif
return status;
}
VOID
HalpLogErrorInfo(
IN PCWSTR RegistryKey,
IN PCWSTR ValueName,
IN ULONG Type,
IN PVOID Data,
IN ULONG Size
)
/*++
Routine Description:
This function ?
Arguments:
None.
Return Value:
None.
--*/
{
UNICODE_STRING unicodeString;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE hMFunc;
NTSTATUS status;
RtlInitUnicodeString(&unicodeString, RegistryKey);
InitializeObjectAttributes (
&objectAttributes,
&unicodeString,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
status = ZwOpenKey (&hMFunc,
KEY_WRITE,
&objectAttributes);
if (!NT_SUCCESS(status)) {
return ;
}
RtlInitUnicodeString(&unicodeString, ValueName);
ZwSetValueKey(hMFunc,
&unicodeString,
0,
Type,
Data,
Size);
ZwClose(hMFunc);
}
VBOXDRVTOOL_DECL(NTSTATUS) VBoxDrvToolRegOpenKeyU(OUT PHANDLE phKey, IN PUNICODE_STRING pName, IN ACCESS_MASK fAccess)
{
OBJECT_ATTRIBUTES ObjAttr;
InitializeObjectAttributes(&ObjAttr, pName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
return ZwOpenKey(phKey, fAccess, &ObjAttr);
}
static SshRegKey
ssh_registry_platform_open_key(SshRegKey parent_key,
SshRegPathUnicode parent_path,
SshRegPathUnicode path)
{
OBJECT_ATTRIBUTES attrs;
SshRegKey key = NULL;
SSH_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
if (parent_key == HKEY_LOCAL_MACHINE)
{
parent_key = ssh_registry_platform_open_hklm();
if (parent_key)
{
key = ssh_registry_key_open_unicode(parent_key, parent_path, path);
ssh_registry_key_close(parent_key);
return key;
}
}
else if (parent_path)
{
InitializeObjectAttributes(&attrs, parent_path,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
parent_key, NULL);
if (NT_SUCCESS(ZwOpenKey(&parent_key, KEY_ALL_ACCESS, &attrs)))
{
key = ssh_registry_key_open_unicode(parent_key, NULL, path);
ssh_registry_key_close(parent_key);
return key;
}
}
else
{
InitializeObjectAttributes(&attrs, path,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
parent_key, NULL);
if (NT_SUCCESS(ZwOpenKey(&parent_key, KEY_ALL_ACCESS, &attrs)))
return parent_key;
}
return NULL;
}
/*****************************************************************************
* GetRegValueDword()
*****************************************************************************
* Convenience function to encapsulate registry reads.
*/
int GetRegValueDword(_In_ LPTSTR RegPath,_In_ LPTSTR ValueName,PULONG Value)
{
int ReturnValue = 0;
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE KeyHandle;
KEY_VALUE_PARTIAL_INFORMATION *Information;
ULONG InformationSize;
UNICODE_STRING UnicodeRegPath;
UNICODE_STRING UnicodeValueName;
RtlInitUnicodeString(&UnicodeRegPath, RegPath);
RtlInitUnicodeString(&UnicodeValueName, ValueName);
InitializeObjectAttributes(&ObjectAttributes,
&UnicodeRegPath,
OBJ_KERNEL_HANDLE, // Flags
NULL, // Root directory
NULL); // Security descriptor
Status = ZwOpenKey(&KeyHandle,
KEY_QUERY_VALUE,
&ObjectAttributes);
if (Status != STATUS_SUCCESS)
{
return 0;
}
InformationSize = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(ULONG);
Information = (KEY_VALUE_PARTIAL_INFORMATION*)ExAllocatePoolWithTag(PagedPool, InformationSize,'ISmD'); // DmSI
if (Information == NULL)
{
ZwClose(KeyHandle);
return 0;
}
Status = ZwQueryValueKey(KeyHandle,
&UnicodeValueName,
KeyValuePartialInformation,
Information,
InformationSize,
&InformationSize);
if (Status == STATUS_SUCCESS)
{
if (Information->Type == REG_DWORD && Information->DataLength == sizeof(ULONG))
{
RtlCopyMemory(Value, Information->Data, sizeof(ULONG));
ReturnValue = 1;
}
}
ExFreePool(Information);
ZwClose(KeyHandle);
return ReturnValue;
}
NTSTATUS NtfsQueryValueKey(IN PUNICODE_STRING KeyName,
IN PUNICODE_STRING ValueName,
IN OUT ULONG *KeyInfoSize,
OUT PKEY_VALUE_FULL_INFORMATION *KeyInfo,
OUT BOOLEAN* bNeedRelease)
{
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE Handle;
ULONG MemSize;
ULONG ResultLength;
InitializeObjectAttributes(&ObjectAttributes,KeyName,OBJ_CASE_INSENSITIVE,NULL,NULL);
Status = ZwOpenKey(&Handle,0x20019, &ObjectAttributes);
if(NT_SUCCESS(Status))
{
MemSize = *KeyInfoSize;
do
{
Status = ZwQueryValueKey(Handle, ValueName, KeyValueFullInformation, (PVOID)*KeyInfo, MemSize, &ResultLength);
if(Status != 0x80000005)
break;
if(bNeedRelease[0])
{
ExFreePool(*KeyInfo);
KeyInfoSize[0] = 0;
KeyInfo[0] = 0;
bNeedRelease[0] = FALSE;
}
MemSize += 256;
KeyInfo[0] = (PKEY_VALUE_FULL_INFORMATION)ExAllocatePoolWithTag(PagedPool, MemSize, REG_TAG );
if(!KeyInfo[0])
return 0xC0000017;
KeyInfoSize[0] = MemSize;
bNeedRelease[0] = TRUE;
} while (TRUE);
ZwClose(Handle);
if(NT_SUCCESS(Status))
{
if(!KeyInfo[0]->NameLength)
{
Status = 0xC0000034;
}
}
}
return Status;
}
static NTSTATUS EvhdQueryBoolParameter(LPCWSTR lpszParameterName, BOOLEAN bDefaultValue, BOOLEAN *pResult)
{
NTSTATUS status = STATUS_SUCCESS;
HANDLE KeyHandle = NULL, SubKeyHandle = NULL;
OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
UNICODE_STRING SubKeyName, ValueName;
BOOLEAN Result = bDefaultValue;
KEY_VALUE_PARTIAL_INFORMATION KeyValueInformation;
ULONG ResultLength;
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
ObjectAttributes.ObjectName = g_pRegistryPath;
ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
status = ZwOpenKey(&KeyHandle, FILE_GENERIC_READ, &ObjectAttributes);
if (NT_SUCCESS(status))
{
RtlInitUnicodeString(&SubKeyName, L"Parameters");
ObjectAttributes.RootDirectory = KeyHandle;
ObjectAttributes.ObjectName = &SubKeyName;
status = ZwOpenKey(&SubKeyHandle, FILE_GENERIC_READ, &ObjectAttributes);
if (NT_SUCCESS(status))
{
RtlInitUnicodeString(&ValueName, lpszParameterName);
if (NT_SUCCESS(ZwQueryValueKey(SubKeyHandle, &ValueName, KeyValuePartialInformation, &KeyValueInformation,
sizeof(KeyValueInformation), &ResultLength)))
{
if (ResultLength == sizeof(KeyValueInformation) &&
REG_DWORD == KeyValueInformation.Type &&
sizeof(ULONG32) == KeyValueInformation.DataLength)
{
Result = 0 != *(ULONG32 *)KeyValueInformation.Data;
}
}
ZwClose(SubKeyHandle);
}
ZwClose(KeyHandle);
}
*pResult = Result;
return status;
}
NTSTATUS vboxWddmRegOpenKey(OUT PHANDLE phKey, IN PWCHAR pName, IN ACCESS_MASK fAccess)
{
OBJECT_ATTRIBUTES ObjAttr;
UNICODE_STRING RtlStr;
RtlInitUnicodeString(&RtlStr, pName);
InitializeObjectAttributes(&ObjAttr, &RtlStr, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
return ZwOpenKey(phKey, fAccess, &ObjAttr);
}
NTSTATUS NTAPI
IoQueryDeviceDescription(PINTERFACE_TYPE BusType OPTIONAL,
PULONG BusNumber OPTIONAL,
PCONFIGURATION_TYPE ControllerType OPTIONAL,
PULONG ControllerNumber OPTIONAL,
PCONFIGURATION_TYPE PeripheralType OPTIONAL,
PULONG PeripheralNumber OPTIONAL,
PIO_QUERY_DEVICE_ROUTINE CalloutRoutine,
PVOID Context)
{
NTSTATUS Status;
ULONG BusLoopNumber = -1; /* Root Bus */
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING RootRegKey;
HANDLE RootRegHandle;
IO_QUERY Query;
/* Set up the String */
RootRegKey.Length = 0;
RootRegKey.MaximumLength = 2048;
RootRegKey.Buffer = ExAllocatePoolWithTag(PagedPool, RootRegKey.MaximumLength, TAG_IO_RESOURCE);
RtlAppendUnicodeToString(&RootRegKey, L"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM");
/* Open a handle to the Root Registry Key */
InitializeObjectAttributes(
&ObjectAttributes,
&RootRegKey,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenKey(&RootRegHandle, KEY_READ, &ObjectAttributes);
if (NT_SUCCESS(Status))
{
/* Use a helper function to loop though this key and get the info */
Query.BusType = BusType;
Query.BusNumber = BusNumber;
Query.ControllerType = ControllerType;
Query.ControllerNumber = ControllerNumber;
Query.PeripheralType = PeripheralType;
Query.PeripheralNumber = PeripheralNumber;
Query.CalloutRoutine = CalloutRoutine;
Query.Context = Context;
Status = IopQueryBusDescription(&Query, RootRegKey, RootRegHandle, &BusLoopNumber, TRUE);
/* Close registry */
ZwClose(RootRegHandle);
}
/* Free Memory */
ExFreePoolWithTag(RootRegKey.Buffer, TAG_IO_RESOURCE);
return Status;
}
NTSTATUS
NTAPI
ExpSetCurrentUserUILanguage(IN PWSTR MuiName,
IN LANGID LanguageId)
{
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING KeyName = RTL_CONSTANT_STRING(L"Control Panel\\Desktop");
UNICODE_STRING ValueName;
WCHAR ValueBuffer[8];
ULONG ValueLength;
HANDLE UserHandle;
HANDLE KeyHandle;
NTSTATUS Status;
PAGED_CODE();
/* Setup the key name */
RtlInitUnicodeString(&ValueName, MuiName);
/* Open the use key */
Status = RtlOpenCurrentUser(KEY_WRITE, &UserHandle);
if (!NT_SUCCESS(Status)) return Status;
/* Initialize the attributes */
InitializeObjectAttributes(&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
UserHandle,
NULL);
/* Open the key */
Status = ZwOpenKey(&KeyHandle, KEY_SET_VALUE, &ObjectAttributes);
if (NT_SUCCESS(Status))
{
/* Setup the value name */
ValueLength = swprintf(ValueBuffer,
L"%04lX",
(ULONG)LanguageId);
/* Set the length for the call and set the value */
ValueLength = (ValueLength + 1) * sizeof(WCHAR);
Status = ZwSetValueKey(KeyHandle,
&ValueName,
0,
REG_SZ,
ValueBuffer,
ValueLength);
/* Close the handle for this key */
ZwClose(KeyHandle);
}
/* Close the user key and return status */
ZwClose(UserHandle);
return Status;
}
HANDLE openKey(WCHAR *key, ACCESS_MASK access) {
OBJECT_ATTRIBUTES OA;
UNICODE_STRING str;
NTSTATUS status;
HANDLE hreg;
RtlInitUnicodeString(&str, key);
InitializeObjectAttributes(&OA, &str, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenKey(&hreg, access, &OA);
if (status != STATUS_SUCCESS) return NULL;
return hreg;
}
uint16_t FilterCountSettings(_In_ PMS_FILTER pFilter, uint16_t aKey)
{
HANDLE regKey = NULL;
OBJECT_ATTRIBUTES attributes;
DECLARE_UNICODE_STRING_SIZE(Name, 8);
UCHAR InfoBuffer[128] = {0};
PKEY_FULL_INFORMATION pInfo = (PKEY_FULL_INFORMATION)InfoBuffer;
ULONG InfoLength = sizeof(InfoBuffer);
// Convert 'aKey' to a string
RtlIntegerToUnicodeString((ULONG)aKey, 16, &Name);
InitializeObjectAttributes(
&attributes,
&Name,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
pFilter->otSettingsRegKey,
NULL);
// Open the registry key
NTSTATUS status =
ZwOpenKey(
®Key,
KEY_ALL_ACCESS,
&attributes);
if (!NT_SUCCESS(status))
{
// Key doesn't exist, return a count of 0
goto error;
}
// Query the key info from the registry
status =
ZwQueryKey(
regKey,
KeyValueFullInformation,
pInfo,
InfoLength,
&InfoLength);
if (!NT_SUCCESS(status))
{
LogError(DRIVER_DEFAULT, "ZwQueryKey for %S value failed, %!STATUS!", Name.Buffer, status);
goto error;
}
error:
if (regKey) ZwClose(regKey);
return (uint16_t)pInfo->Values;
}
/*
typedef struct _KEY_VALUE_PARTIAL_INFORMATION {
ULONG TitleIndex;
ULONG Type;
ULONG DataLength;
UCHAR Data[1];
} KEY_VALUE_PARTIAL_INFORMATION, *PKEY_VALUE_PARTIAL_INFORMATION;
*/
NTSTATUS RegQueryValueKey(LPWSTR KeyName, LPWSTR ValueName, PKEY_VALUE_PARTIAL_INFORMATION *pkvpi)
{
ULONG ulSize;
NTSTATUS ntStatus;
PKEY_VALUE_PARTIAL_INFORMATION pvpi;
OBJECT_ATTRIBUTES objectAttributes;
HANDLE hRegister;
UNICODE_STRING usKeyName;
UNICODE_STRING usValueName;
RtlInitUnicodeString(&usKeyName, KeyName);
RtlInitUnicodeString(&usValueName, ValueName);
InitializeObjectAttributes(&objectAttributes,
&usKeyName,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
ntStatus = ZwOpenKey( &hRegister, KEY_ALL_ACCESS, &objectAttributes);
if(!NT_SUCCESS(ntStatus))
{
DbgPrint("[RegQueryValueKey]ZwOpenKey failed!\n");
return ntStatus;
}
ntStatus = ZwQueryValueKey(hRegister,
&usValueName,
KeyValuePartialInformation ,
NULL,
0,
&ulSize);
if (ntStatus==STATUS_OBJECT_NAME_NOT_FOUND || ulSize==0)
{
DbgPrint("ZwQueryValueKey 1 failed!\n");
return STATUS_UNSUCCESSFUL;
}
pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
ntStatus = ZwQueryValueKey(hRegister,
&usValueName,
KeyValuePartialInformation ,
pvpi,
ulSize,
&ulSize);
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("ZwQueryValueKey 2 failed!\n");
return STATUS_UNSUCCESSFUL;
}
//这里的pvpi是没有释放的用完要释放。ExFreePool(pvpi);
*pkvpi=pvpi;
DbgPrint("ZwQueryValueKey success!\n");
return STATUS_SUCCESS;
}
NTSTATUS InitializeConfigs(PUNICODE_STRING RegistryPath)
{
HidConfigContext config;
OBJECT_ATTRIBUTES attribs;
NTSTATUS status;
HANDLE hkey;
ULONG value;
if (g_configContext)
return STATUS_ALREADY_REGISTERED;
RtlZeroMemory(&config, sizeof(config));
InitializeObjectAttributes(&attribs, RegistryPath, 0, NULL, NULL);
status = ZwOpenKey(&hkey, KEY_ALL_ACCESS, &attribs);
if (!NT_SUCCESS(status))
{
DbgPrint("FsFilter1!" __FUNCTION__ ": can't open config registry key, code:%08x\n", status);
return status;
}
GetRegistryDWORD(hkey, L"Hid_State", &value, 1);
config.state = (value ? TRUE : FALSE);
GetRegistryDWORD(hkey, L"Hid_StealthMode", &value, 0);
config.stealth = (value ? TRUE : FALSE);
QueryAndAllocRegistryData(hkey, L"Hid_HideFsDirs", REG_MULTI_SZ, &config.hideFSDirs, NULL);
QueryAndAllocRegistryData(hkey, L"Hid_HideFsFiles", REG_MULTI_SZ, &config.hideFSFiles, NULL);
QueryAndAllocRegistryData(hkey, L"Hid_HideRegKeys", REG_MULTI_SZ, &config.hideRegKeys, NULL);
QueryAndAllocRegistryData(hkey, L"Hid_HideRegValues", REG_MULTI_SZ, &config.hideRegValues, NULL);
QueryAndAllocRegistryData(hkey, L"Hid_IgnoredImages", REG_MULTI_SZ, &config.ignoreImages, NULL);
QueryAndAllocRegistryData(hkey, L"Hid_ProtectedImages", REG_MULTI_SZ, &config.protectImages, NULL);
ZwClose(hkey);
g_configContext = (PHidConfigContext)ExAllocatePoolWithTag(NonPagedPool, sizeof(config), CONFIG_ALLOC_TAG);
if (!g_configContext)
{
DbgPrint("FsFilter1!" __FUNCTION__ ": can't allocate memory for the config context\n");
ReleaseConfigContext(&config);
return STATUS_NO_MEMORY;
}
RtlCopyMemory(g_configContext, &config, sizeof(config));
return STATUS_SUCCESS;
}
BOOLEAN
FsRtlpIsDfsEnabled(VOID)
{
HANDLE Key;
ULONG Length;
NTSTATUS Status;
UNICODE_STRING KeyName;
OBJECT_ATTRIBUTES ObjectAttributes;
struct
{
KEY_VALUE_PARTIAL_INFORMATION KeyInfo;
ULONG KeyValue;
} KeyQueryOutput;
/* You recognize MuppIsDfsEnabled()! Congratz :-) */
KeyName.Buffer = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup";
KeyName.Length = sizeof(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup") - sizeof(UNICODE_NULL);
KeyName.MaximumLength = sizeof(L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Mup");
/* Simply query registry to get whether DFS is disabled.
* If DFS isn't disabled from registry side, assume it is enabled
* and go through MUP.
* MUP itself might disable it, but that's not our concern
* any longer
*/
InitializeObjectAttributes(&ObjectAttributes,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenKey(&Key, KEY_READ, &ObjectAttributes);
if (!NT_SUCCESS(Status))
{
return TRUE;
}
KeyName.Buffer = L"DisableDfs";
KeyName.Length = sizeof(L"DisableDfs") - sizeof(UNICODE_NULL);
KeyName.MaximumLength = sizeof(L"DisableDfs");
Status = ZwQueryValueKey(Key, &KeyName, KeyValuePartialInformation, &KeyQueryOutput, sizeof(KeyQueryOutput), &Length);
ZwClose(Key);
if (!NT_SUCCESS(Status) || KeyQueryOutput.KeyInfo.Type != REG_DWORD)
{
return TRUE;
}
return ((ULONG)KeyQueryOutput.KeyInfo.Data != 1);
}
static NTSTATUS
ExpLoadUuidSequence(PULONG Sequence)
{
UCHAR ValueBuffer[VALUE_BUFFER_SIZE];
PKEY_VALUE_PARTIAL_INFORMATION ValueInfo;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING Name;
HANDLE KeyHandle;
ULONG ValueLength;
NTSTATUS Status;
RtlInitUnicodeString(&Name,
L"\\Registry\\Machine\\Software\\Microsoft\\Rpc");
InitializeObjectAttributes(&ObjectAttributes,
&Name,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
Status = ZwOpenKey(&KeyHandle,
KEY_QUERY_VALUE,
&ObjectAttributes);
if (!NT_SUCCESS(Status))
{
DPRINT("ZwOpenKey() failed (Status %lx)\n", Status);
return Status;
}
RtlInitUnicodeString(&Name, L"UuidSequenceNumber");
ValueInfo = (PKEY_VALUE_PARTIAL_INFORMATION)ValueBuffer;
Status = ZwQueryValueKey(KeyHandle,
&Name,
KeyValuePartialInformation,
ValueBuffer,
VALUE_BUFFER_SIZE,
&ValueLength);
ZwClose(KeyHandle);
if (!NT_SUCCESS(Status))
{
DPRINT("ZwQueryValueKey() failed (Status %lx)\n", Status);
return Status;
}
*Sequence = *((PULONG)ValueInfo->Data);
DPRINT("Loaded sequence %lx\n", *Sequence);
return STATUS_SUCCESS;
}
NTSTATUS
OpenDevicesKey(
IN PWSTR RegistryPath,
OUT PHANDLE Key)
/*
Description:
Create a volatile key under this driver's Services node to contain
the device name list.
Parameters:
RegistryPath The location of the registry entry
Key The key in the registry
Return Value:
NT status STATUS_SUCCESS if successful (duh...)
*/
{
NTSTATUS s;
HANDLE hKey;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uStr;
// Attempt to open the key
RtlInitUnicodeString(&uStr, RegistryPath);
InitializeObjectAttributes(&oa, &uStr, OBJ_CASE_INSENSITIVE, NULL,
(PSECURITY_DESCRIPTOR)NULL);
s = ZwOpenKey(&hKey, KEY_CREATE_SUB_KEY, &oa);
if (! NT_SUCCESS(s))
return s; // Problem
// Now create sub key
RtlInitUnicodeString(&uStr, (PWSTR) DEVICE_SUBKEY);
InitializeObjectAttributes(&oa, &uStr, OBJ_CASE_INSENSITIVE, hKey,
(PSECURITY_DESCRIPTOR)NULL);
s = ZwCreateKey(Key, KEY_ALL_ACCESS, &oa, 0, NULL, REG_OPTION_VOLATILE,
NULL);
ZwClose(hKey);
return s;
}
SHORT
FASTCALL
UserGetLanguageID(VOID)
{
HANDLE KeyHandle;
OBJECT_ATTRIBUTES ObAttr;
// http://support.microsoft.com/kb/324097
ULONG Ret = MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT);
PKEY_VALUE_PARTIAL_INFORMATION pKeyInfo;
ULONG Size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + MAX_PATH*sizeof(WCHAR);
UNICODE_STRING Language;
RtlInitUnicodeString( &Language,
L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Nls\\Language");
InitializeObjectAttributes( &ObAttr,
&Language,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
if ( NT_SUCCESS(ZwOpenKey(&KeyHandle, KEY_READ, &ObAttr)))
{
pKeyInfo = ExAllocatePoolWithTag(PagedPool, Size, TAG_STRING);
if ( pKeyInfo )
{
RtlInitUnicodeString(&Language, L"Default");
if ( NT_SUCCESS(ZwQueryValueKey( KeyHandle,
&Language,
KeyValuePartialInformation,
pKeyInfo,
Size,
&Size)) )
{
RtlInitUnicodeString(&Language, (PWSTR)pKeyInfo->Data);
if (!NT_SUCCESS(RtlUnicodeStringToInteger(&Language, 16, &Ret)))
{
Ret = MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT);
}
}
ExFreePoolWithTag(pKeyInfo, TAG_STRING);
}
ZwClose(KeyHandle);
}
TRACE("Language ID = %x\n",Ret);
return (SHORT) Ret;
}
VOID
SoundFlushRegistryKey(
IN PWSTR RegistryPathName
)
/*++
Routine Description:
Flush a key - usually the driver's parameters key -
used mainly to save volume settings.
Arguments:
RegistryPathName - Our driver's parameters registry entry
Return Value:
None
--*/
{
HANDLE KeyHandle;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING RegistryPathString;
RtlInitUnicodeString(&RegistryPathString, RegistryPathName);
InitializeObjectAttributes(&ObjectAttributes,
&RegistryPathString,
OBJ_CASE_INSENSITIVE,
NULL,
(PSECURITY_DESCRIPTOR)NULL);
//
// Just open the key and flush it. Not much we can do if this
// fails.
//
if (NT_SUCCESS(ZwOpenKey(&KeyHandle,
KEY_WRITE,
&ObjectAttributes))) {
ZwFlushKey(KeyHandle);
ZwClose(KeyHandle);
} else {
dprintf1(("Could not open device's key for flushing"));
}
}
VOID EnumSubKeyTest()
{
WCHAR MY_KEY_NAME[] = L"\\Registry\\Machine\\Software";
UNICODE_STRING RegUnicodeString;
HANDLE hRegister;
OBJECT_ATTRIBUTES objectAttributes;
NTSTATUS ntStatus;
ULONG ulSize,i;
UNICODE_STRING uniKeyName;
PKEY_FULL_INFORMATION pfi;
//初始化UNICODE_STRING字符串
RtlInitUnicodeString( &RegUnicodeString, MY_KEY_NAME);
//初始化objectAttributes
InitializeObjectAttributes(&objectAttributes,
&RegUnicodeString,
OBJ_CASE_INSENSITIVE,//对大小写敏感
NULL,
NULL );
//打开注册表
ntStatus = ZwOpenKey( &hRegister,
KEY_ALL_ACCESS,
&objectAttributes);
if (NT_SUCCESS(ntStatus))
{
DbgPrint("Open register successfully\n");
}
//第一次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的长度
ZwQueryKey(hRegister,KeyFullInformation,NULL,0,&ulSize);
pfi = (PKEY_FULL_INFORMATION)ExAllocatePool(PagedPool,ulSize);
//第二次调用ZwQueryKey为了获取KEY_FULL_INFORMATION数据的数据
ZwQueryKey(hRegister,KeyFullInformation,pfi,ulSize,&ulSize);
for (i=0;i<pfi->SubKeys;i++)
{
PKEY_BASIC_INFORMATION pbi;
//第一次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的长度
ZwEnumerateKey(hRegister,i,KeyBasicInformation,NULL,0,&ulSize);
pbi =(PKEY_BASIC_INFORMATION)ExAllocatePool(PagedPool,ulSize);
//第二次调用ZwEnumerateKey为了获取KEY_BASIC_INFORMATION数据的数据
ZwEnumerateKey(hRegister,i,KeyBasicInformation,pbi,ulSize,&ulSize);
uniKeyName.Length = (USHORT)pbi->NameLength;
uniKeyName.MaximumLength = (USHORT)pbi->NameLength;
uniKeyName.Buffer = pbi->Name;
DbgPrint("The %d sub item name:%wZ\n",i,&uniKeyName);
ExFreePool(pbi);
}
ExFreePool(pfi);
ZwClose(hRegister);
}
NTSTATUS OpenKey(LPWSTR Root, LPWSTR KeyPath, OUT PHANDLE hKey) {
LPWSTR FullKeyPath = GetFullKeyPath(Root, KeyPath);
UNICODE_STRING UnicodePath;
RtlInitUnicodeString(&UnicodePath, FullKeyPath);
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes(&ObjectAttributes, &UnicodePath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
NTSTATUS Status = ZwOpenKey(hKey, KEY_ALL_ACCESS, &ObjectAttributes);
FreeString(FullKeyPath);
return Status;
}
static
NTSTATUS
NTAPI
RXactpOpenTargetKey(
HANDLE RootDirectory,
ULONG ActionType,
PUNICODE_STRING KeyName,
PHANDLE KeyHandle)
{
NTSTATUS Status;
ULONG Disposition;
OBJECT_ATTRIBUTES ObjectAttributes;
/* Check what kind of action this is */
if (ActionType == RXactDeleteKey)
{
/* This is a delete, so open the key for delete */
InitializeObjectAttributes(&ObjectAttributes,
KeyName,
OBJ_CASE_INSENSITIVE,
RootDirectory,
NULL);
Status = ZwOpenKey(KeyHandle, DELETE, &ObjectAttributes);
}
else if (ActionType == RXactSetValueKey)
{
/* This is a create, so open or create with write access */
InitializeObjectAttributes(&ObjectAttributes,
KeyName,
OBJ_CASE_INSENSITIVE | OBJ_OPENIF,
RootDirectory,
NULL);
Status = ZwCreateKey(KeyHandle,
KEY_WRITE,
&ObjectAttributes,
0,
NULL,
0,
&Disposition);
}
else
{
return STATUS_INVALID_PARAMETER;
}
return Status;
}