內核修改註冊表和API修改註冊表非常相似,但也僅僅只是相似。這裏貼出來我自己通過查找資料寫出來的註冊表操作代碼!方法我就不多說了,這些是學習心得,所以會有很多註釋,有基礎的人都能看懂!有些地方不是很完善,希望大家指出來!
這裏分爲Mykey.h文件 和 Mykey.cpp文件!
代碼纔是最好的說明!
| | | | |
| | | | |
\/ \/ \/ \/ \/
//************************
//Mykey.h
//***********************
///////////////////////////////////////////////////////////////////////////////
/// Copyright (c) 2012 - <fsjaky>
///
/// Original filename: MyKey.h
/// Project : MyKey
/// Date of creation : <see MyKey.cpp>
/// Author(s) :fsjaky
/// Purpose : only study only share!
/// Blog : http://blog.csdn.net/fsjaky
///
///////////////////////////////////////////////////////////////////////////////
// Registry path used by every routine below, written in native object-manager
// form (\Registry\Machine\... rather than HKEY_LOCAL_MACHINE\...), as the Zw*
// registry APIs require.
#define MY_REG_SOFTWARE_KEY_NAME L"\\Registry\\Machine\\Software\\Mzf"
// NOTE(review): if INITCODE expands to code_seg("INIT"), every function that
// follows in this header - including Unload - is placed in the discardable INIT
// section and is gone once DriverEntry returns; calling Unload later would fault.
// Confirm what INITCODE expands to and end the section with `#pragma code_seg()`
// before any routine that must outlive initialization.
#pragma INITCODE
//***********************************
//函數名:MyCreatKey()
//參數:無
//功能:創建一個註冊表項
//***********************************
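//***********************************
// MyCreatKey()
// Creates MY_REG_SOFTWARE_KEY_NAME (or opens it if it already exists) and then
// creates the key "SubKey" beneath it, using the parent handle as RootDirectory.
// Parameters: none.  Returns: nothing; results are only reported via KdPrint.
// Every handle that was actually opened is closed before returning.
//***********************************
VOID MyCreatKey()
{
    UNICODE_STRING parentName;
    UNICODE_STRING childName;
    OBJECT_ATTRIBUTES parentAttr = {0};
    OBJECT_ATTRIBUTES childAttr = {0};
    HANDLE hKey = NULL;     // initialized so failure paths never close garbage
    HANDLE hSubKey = NULL;
    ULONG disposition = 0;
    NTSTATUS status;

    RtlInitUnicodeString(&parentName, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&parentAttr, &parentName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // KEY_ALL_ACCESS is kept from the original; the only thing done with this
    // handle is creating a child, for which KEY_CREATE_SUB_KEY would suffice.
    status = ZwCreateKey(&hKey, KEY_ALL_ACCESS, &parentAttr, 0, NULL,
                         REG_OPTION_NON_VOLATILE, &disposition);
    if (!NT_SUCCESS(status))
    {
        // The original continued with an uninitialized hKey here and later
        // passed it to ZwClose; bail out instead.
        KdPrint(("創建註冊表項失敗! status=0x%x\n", status));
        return;
    }
    if (disposition == REG_CREATED_NEW_KEY)
    {
        KdPrint(("新建註冊表項!\n"));
    }
    else
    {
        KdPrint(("要創建的註冊表項已經存在!\n"));
    }

    // The child is relative to the parent: RootDirectory is hKey, not NULL.
    RtlInitUnicodeString(&childName, L"SubKey");
    InitializeObjectAttributes(&childAttr, &childName, OBJ_CASE_INSENSITIVE, hKey, NULL);
    status = ZwCreateKey(&hSubKey, KEY_ALL_ACCESS, &childAttr, 0, NULL,
                         REG_OPTION_NON_VOLATILE, &disposition);
    if (NT_SUCCESS(status))
    {
        if (disposition == REG_CREATED_NEW_KEY)
        {
            KdPrint(("新建註冊表子項!\n"));
        }
        else
        {
            KdPrint(("要創建的註冊表子項已經存在!\n"));
        }
        ZwClose(hSubKey);
    }
    else
    {
        KdPrint(("創建註冊表子項失敗! status=0x%x\n", status));
    }

    ZwClose(hKey);
}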
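//***********************************
// MyOpenKey()
// Opens MY_REG_SOFTWARE_KEY_NAME with KEY_READ access.
// Parameters: none.
// Returns: the open key handle on success - the CALLER owns it and must
//          ZwClose it - or NULL if the open failed.
// The original closed the handle and then returned it, handing every caller a
// dangling handle value; the close now belongs to the caller.
//***********************************
HANDLE MyOpenKey()
{
    HANDLE hKey = NULL;
    UNICODE_STRING keyPath = RTL_CONSTANT_STRING(MY_REG_SOFTWARE_KEY_NAME);
    OBJECT_ATTRIBUTES attr = {0};
    NTSTATUS status;

    InitializeObjectAttributes(&attr, &keyPath, OBJ_CASE_INSENSITIVE, NULL, NULL);

    status = ZwOpenKey(&hKey, KEY_READ, &attr);
    if (NT_SUCCESS(status))
    {
        KdPrint(("打開成功\n"));
        return hKey;
    }

    KdPrint(("打開失敗\n"));
    // Do not rely on the out-parameter after a failed open.
    return NULL;
}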
//NTSTATUS SetKeyWorld(HANDLE hKey)
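//***********************************
// SetKeyWorld()
// Opens MY_REG_SOFTWARE_KEY_NAME and writes three sample values into it:
// a REG_DWORD (100), a REG_SZ ("MyKeyWordTest") and ten bytes of 0x01 as
// REG_BINARY.
// Parameters: hKey - ignored. The original overwrote it with NULL and opened
//             its own handle; that behaviour is kept so callers are unaffected.
// Returns: the NTSTATUS of the open or of the first failing ZwSetValueKey,
//          otherwise the status of the last (REG_BINARY) write.
// The key handle is closed on every path; the original leaked it whenever a
// ZwSetValueKey call failed.
//***********************************
NTSTATUS SetKeyWorld(HANDLE hKey)
{
    HANDLE hOwnKey = NULL;
    UNICODE_STRING keyName;
    UNICODE_STRING valueName;
    OBJECT_ATTRIBUTES attr = {0};
    ULONG dwordValue = 100;
    WCHAR szValue[] = L"MyKeyWordTest";   // array so sizeof covers the NUL
    UCHAR binary[10];
    NTSTATUS status;

    (void)hKey;  // see contract above: the passed handle is deliberately unused

    RtlInitUnicodeString(&keyName, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&attr, &keyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // GENERIC_ALL kept from the original; only KEY_SET_VALUE is exercised here.
    status = ZwOpenKey(&hOwnKey, GENERIC_ALL, &attr);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("打開註冊表項失敗!\n"));
        return status;
    }

    // REG_DWORD: a 4-byte integer.
    RtlInitUnicodeString(&valueName, L"valueName REG_DWORD");
    status = ZwSetValueKey(hOwnKey, &valueName, 0, REG_DWORD, &dwordValue, sizeof(dwordValue));
    if (!NT_SUCCESS(status))
    {
        KdPrint(("設置REG_DWORD鍵值失敗!\n"));
        goto cleanup;
    }
    KdPrint(("設置REG_DWORD鍵值成功!\n"));

    // REG_SZ: NUL-terminated UNICODE string; the stored length must include
    // the terminator, which sizeof(szValue) does ((len + 1) * sizeof(WCHAR)).
    RtlInitUnicodeString(&valueName, L"valueName REG_SZ");
    status = ZwSetValueKey(hOwnKey, &valueName, 0, REG_SZ, szValue, sizeof(szValue));
    if (!NT_SUCCESS(status))
    {
        KdPrint(("設置REG_SZ鍵值失敗!\n"));
        goto cleanup;
    }
    KdPrint(("設置REG_SZ鍵值成功!\n"));

    // REG_BINARY: raw bytes, here filled with 0x01.
    RtlInitUnicodeString(&valueName, L"valueName REG_BINARY");
    RtlFillMemory(binary, sizeof(binary), 0x01);
    status = ZwSetValueKey(hOwnKey, &valueName, 0, REG_BINARY, binary, sizeof(binary));
    if (!NT_SUCCESS(status))
    {
        KdPrint(("設置REG_BINARY鍵值失敗!\n"));
        goto cleanup;
    }
    KdPrint(("設置REG_BINARY鍵值成功!\n"));

cleanup:
    ZwClose(hOwnKey);
    return status;
}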
//***********************************
// Unload()
// DriverUnload callback. This file keeps no global state, so unloading only
// logs the event.
// Parameters: Driverobject - the driver object being unloaded (unused).
//***********************************
VOID Unload(IN OUT PDRIVER_OBJECT Driverobject)
{
    (void)Driverobject;
    KdPrint(("Driver Unload\n"));
}
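//***********************************
// MyDetKey()
// Deletes MY_REG_SOFTWARE_KEY_NAME. If the first ZwDeleteKey fails (the key
// still has children), the "SubKey" child created by MyCreatKey is opened and
// deleted first, then the parent delete is retried.
// Parameters: none.  Returns: nothing; results are reported via KdPrint.
// Fixes over the original: bail out when the parent cannot be opened instead of
// deleting through a NULL handle; open the child with ITS OWN attributes (the
// original passed the parent's attributes, so it re-opened and "deleted" the
// parent); only close handles that were actually opened.
//***********************************
VOID MyDetKey()
{
    HANDLE hKey = NULL;
    HANDLE hSonKey = NULL;
    UNICODE_STRING keyName;
    UNICODE_STRING sonName;
    OBJECT_ATTRIBUTES attr = {0};
    OBJECT_ATTRIBUTES sonAttr = {0};
    NTSTATUS status;

    RtlInitUnicodeString(&keyName, MY_REG_SOFTWARE_KEY_NAME);
    InitializeObjectAttributes(&attr, &keyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // GENERIC_ALL kept from the original; DELETE (plus KEY_READ for the child
    // lookup) is all this routine actually needs.
    status = ZwOpenKey(&hKey, GENERIC_ALL, &attr);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("打開註冊表項失敗!\n"));
        return;
    }

    status = ZwDeleteKey(hKey);
    if (NT_SUCCESS(status))
    {
        KdPrint(("刪除成功\n"));
    }
    else
    {
        KdPrint(("含有子項,需先刪除子項"));

        // The child is relative to the parent handle (RootDirectory = hKey).
        RtlInitUnicodeString(&sonName, L"SubKey");
        InitializeObjectAttributes(&sonAttr, &sonName, OBJ_CASE_INSENSITIVE, hKey, NULL);

        status = ZwOpenKey(&hSonKey, GENERIC_ALL, &sonAttr);
        if (!NT_SUCCESS(status))
        {
            KdPrint(("打開子項失敗\n"));
            hSonKey = NULL;  // do not trust the out-parameter after failure
        }
        else
        {
            status = ZwDeleteKey(hSonKey);
            if (!NT_SUCCESS(status))
            {
                KdPrint(("刪除子項失敗\n"));
            }
            else
            {
                // Child is gone; retry the parent.
                status = ZwDeleteKey(hKey);
            }
        }
    }

    // Deleting a key only marks it; the handles still have to be closed.
    if (hSonKey != NULL)
    {
        ZwClose(hSonKey);
    }
    ZwClose(hKey);
}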
/***********************************************\/\/\/\/\/*****************************************************/
//********************
//Mykey.cpp
//********************
///////////////////////////////////////////////////////////////////////////////
/// Original filename: MyKey.cpp
/// Project : MyKey
/// Date of creation : 2012-03-06
/// Author(s) : fsjaky
///
/// Purpose : only study only share!
/// Blog : http://blog.csdn.net/fsjaky
///////////////////////////////////////////////////////////////////////////////
// $Id$
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>
#include <string.h>
#ifdef __cplusplus
}; // extern "C"
#endif
#include "MyKey.h"
#ifdef __cplusplus
extern "C" {
#endif
//***********************************
// DriverEntry()
// Driver entry point: opens the test key via MyOpenKey, deletes it via
// MyDetKey, registers Unload and reports success.
// Parameters: DriverObject - this driver's object; its DriverUnload is set.
//             RegistryPath - the driver's service key path (unused here).
// Returns: STATUS_SUCCESS unconditionally.
// NOTE(review): the handle returned by MyOpenKey is never closed in this
// function - confirm MyOpenKey's handle-ownership contract before relying on it.
//***********************************
NTSTATUS DriverEntry(
    IN OUT PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    HANDLE hOpenkey;

    (void)RegistryPath;

    // MyCreatKey() and SetKeyWorld(hOpenkey) are available in MyKey.h but are
    // not invoked by this build of the entry point.
    hOpenkey = MyOpenKey();
    MyDetKey();

    DriverObject->DriverUnload = Unload;
    return STATUS_SUCCESS;
}
#ifdef __cplusplus
}; // extern "C"
#endif