注册表回调整体框架

时间：2017-10-20 21:35:09 阅读：425 评论：0 收藏：0 [点我收藏+]

标签：max demo fun with cut rtl ++ i++ process

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)  
{  
    NTSTATUS ntStatus;  
    ntStatus = CmRegisterCallback(MyRegistryCallback, NULL,  &pCookie);  
      
    return ntStatus;  
}  
//see demo:  
//7eightl-minifilter\Demo\REG-hips  
  
  
  
  
  
  
NTSTATUS HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION Data)  
{  
    NTSTATUS status = 0;  
    PUNICODE_STRING keyName;  
    UNICODE_STRING uTarget;  
  
  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS MyRegistryCallback(__in PVOID CallbackContext,__in_opt PVOID Argument1,            / / REG_NOTIFY_CLASS  __in_opt PVOID Argument2            //  KEY_INFORMATION ){  
            switch( (REG_NOTIFY_CLASS) Argument1)  
{  
         case RegNtPreDeleteKey :  
return HOOK_PreNtDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2);  
          case RegNtPreRenameKey:  
return HOOK_PreNtRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2);  
          case RegNtPreCreateKeyEx:  // pre 操作  
 return HOOK_PreNtCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2);  
          case RegNtPostCreateKeyEx :    // post 操作  
return HOOK_PostNtCreateKeyEx((PRGG_POST_OPERATION_INFORMATION )}  
   }        
}                                                                                                                                  }  
  
  
  
  
main.c  
#include "precomp.h"  
  
  
#define     DEVICE_NAME                 L"\\device\\HipsRegDrv"  
#define     LINK_NAME                   L"\\dosDevices\\HipsRegDrv"  
  
  
  
  
// function to dispatch the IRPs  
NTSTATUS DispatchOK(PDEVICE_OBJECT DeviceObject, PIRP Irp)  
{  
   Irp->IoStatus.Status = STATUS_SUCCESS;  
   IoCompleteRequest(Irp,IO_NO_INCREMENT);  
   return STATUS_SUCCESS;  
}  
  
  
VOID DriverUnload (  
    IN PDRIVER_OBJECT   pDriverObject)   
{  
    UNICODE_STRING strLink;  
    RtlInitUnicodeString(&strLink, LINK_NAME);  
    stopRegMon();  
  
  
    IoDeleteSymbolicLink(&strLink);  
    IoDeleteDevice(pDriverObject->DeviceObject);  
  
  
    DbgPrint(" Unloaded\n");   
}  
  
  
  
  
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)  
{  
    UNICODE_STRING  DeviceName;  
    UNICODE_STRING  LinkName;    
    NTSTATUS        status;   
    PDEVICE_OBJECT  pDriverDeviceObject;    
    ULONG i;  
      
    //DbgPrint("Driver loaded.");  
    pDriverObject->DriverUnload = DriverUnload;     
      
    // init strings  
    RtlInitUnicodeString(&DeviceName, DEVICE_NAME);  
    RtlInitUnicodeString(&LinkName, LINK_NAME);  
      
    // to communicate with usermode, we need a device  
    status = IoCreateDevice(  
           pDriverObject,        // ptr to caller object  
           0,  // extension device allocated byte number  
           &DeviceName,         // device name   
           FILE_DEVICE_UNKNOWN,   
           0,                   // no special caracteristics  
           FALSE,               // we can open many handles in same time  
           &pDriverDeviceObject); // [OUT] ptr to the created object  
             
    if ( !NT_SUCCESS(status) )   
       return STATUS_NO_SUCH_DEVICE;  
      
    pDriverDeviceObject-> Flags |= DO_BUFFERED_IO;  
  
  
    // we also need a symbolic link  
    status = IoCreateSymbolicLink(&LinkName,&DeviceName);  
    if( !NT_SUCCESS(status) )   
    {  
        IoDeleteDevice( pDriverDeviceObject );  
        return STATUS_NO_SUCH_DEVICE;  
    }    
  
  
    for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)  
        pDriverObject->MajorFunction[i] = DispatchOK;   
      
  
  
    startRegMon(pDriverObject);  
    //Do other things...     
      
    return STATUS_SUCCESS;  
}  
  
  
precomp.h  
#ifndef _PRECOMP_H_  
#define _PRECOMP_H_  
#include <ntifs.h>  
#include <ntddk.h>  
#include <windef.h>  
#include "regmon.h"  
#endif  
  
  
regmon.c  
#include "precomp.h"  
  
  
GENERIC_MAPPING g_KeyMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS};  
static WCHAR g_wszAltitude[] = L"370020";  
  
  
PGENERIC_MAPPING IoGetKeyGenericMapping( )  
{  
    return &g_KeyMapping;  
}  
  
  
BOOL MyObQueryObjectName(HANDLE hObjHandle, PUNICODE_STRING ustrObjectName, BOOL bNeedAllocateName)  
{  
    PVOID           pQueryBuffer        = NULL;  
    DWORD           dwReqSize           = 0;  
    NTSTATUS        ntStatus            = 0;  
    __try  
    {  
        dwReqSize = sizeof(OBJECT_NAME_INFORMATION) + (MAX_PATH + 32)*sizeof(WCHAR);  
          
        pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, ‘RFLM‘);  
          
        if(pQueryBuffer == NULL)  
            return FALSE;  
          
        ntStatus = ZwQueryObject(hObjHandle,   
            ObjectNameInfo,  
            pQueryBuffer,  
            dwReqSize,  
            &dwReqSize);  
          
        if((ntStatus == STATUS_INFO_LENGTH_MISMATCH) ||  
            (ntStatus == STATUS_BUFFER_OVERFLOW) ||  
            (ntStatus == STATUS_BUFFER_TOO_SMALL))  
        {  
            ExFreePool(pQueryBuffer);  
            pQueryBuffer = NULL;  
              
            pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, ‘RFLM‘);  
              
            if(pQueryBuffer == NULL)  
            {  
                return FALSE;  
            }  
              
            ntStatus = ZwQueryObject(hObjHandle,   
                ObjectNameInfo,  
                pQueryBuffer,  
                dwReqSize,  
                &dwReqSize);  
              
        }  
          
        if(NT_SUCCESS(ntStatus))  
        {   
            OBJECT_NAME_INFORMATION * pNameInfo = (OBJECT_NAME_INFORMATION *)pQueryBuffer;  
              
            if(bNeedAllocateName)  
            {  
                ustrObjectName->Buffer = ExAllocatePoolWithTag(PagedPool, pNameInfo->Name.Length + sizeof(WCHAR), ‘RFLM‘);  
                  
                if(ustrObjectName->Buffer)  
                {  
                    RtlZeroMemory(ustrObjectName->Buffer, pNameInfo->Name.Length + sizeof(WCHAR));  
                    ustrObjectName->Length = 0;  
                    ustrObjectName->MaximumLength = pNameInfo->Name.Length;  
                    RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name);  
                }  
                else  
                    ntStatus = STATUS_INSUFFICIENT_RESOURCES;  
                  
            }  
            else  
                RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name);  
        }  
    }  
    __except(EXCEPTION_EXECUTE_HANDLER)  
    {  
        ntStatus = GetExceptionCode();  
    }  
      
    if(pQueryBuffer)  
    {  
        ExFreePool(pQueryBuffer);  
        pQueryBuffer = NULL;  
    }  
      
    return NT_SUCCESS(ntStatus);  
}  
  
  
  
  
LARGE_INTEGER g_RegCookie;  
  
  
#if (NTDDI_VERSION >= NTDDI_VISTA)  
NTSTATUS TlGetObjectNameOnVistaAndLater(PVOID Object, PUNICODE_STRING Name)  
{  
    PUNICODE_STRING         pKeyName = NULL;  
    NTSTATUS                ntStatus = 0;  
  
  
    if(Object == NULL || Name == NULL)  
        return STATUS_INVALID_PARAMETER;  
  
  
    ntStatus = CmCallbackGetKeyObjectID(&g_RegCookie,  
                                      Object,  
                                      NULL,  
                                     &pKeyName);  
  
  
    if(NT_SUCCESS(ntStatus) == FALSE)  
    {  
        return ntStatus;  
    }  
  
  
    Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag(   
                            PagedPool,   
                            pKeyName->Length,  
                            ‘RFLM‘  
                            );  
  
  
    if(Name->Buffer == NULL)  
    {  
        return STATUS_INSUFFICIENT_RESOURCES;  
    }  
  
  
    RtlZeroMemory(Name->Buffer, pKeyName->Length);  
  
  
    Name->Length = 0;  
    Name->MaximumLength = pKeyName->Length;  
  
  
    RtlCopyUnicodeString(Name, pKeyName);  
    return STATUS_SUCCESS;  
}  
#endif  
  
  
NTSTATUS TlGetObjectNameOnXP(PVOID Object, PUNICODE_STRING Name)  
{  
    UNICODE_STRING              ustrKeyName             = {0};  
    HANDLE                      ObjectHandle            = NULL;  
    NTSTATUS                    ntStatus                = 0;  
  
  
    if(Object == NULL || Name == NULL)  
        return STATUS_INVALID_PARAMETER;  
  
  
    ntStatus = ObOpenObjectByPointer(Object,  
                              OBJ_KERNEL_HANDLE ,  
                              0,  
                              0,  
                              NULL,  
                              KernelMode,  
                              &ObjectHandle);  
  
  
    if(NT_SUCCESS(ntStatus) == FALSE)  
    {  
        return ntStatus;  
    }  
  
  
    if(MyObQueryObjectName(ObjectHandle, &ustrKeyName, TRUE) == FALSE)  
    {  
        ZwClose(ObjectHandle);  
        return STATUS_INSUFFICIENT_RESOURCES;  
    }  
      
    ZwClose(ObjectHandle);  
  
  
    Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag(   
                            PagedPool,   
                            ustrKeyName.Length,  
                            ‘RFLM‘  
                            );  
  
  
    if(Name->Buffer == NULL)  
    {  
        return STATUS_INSUFFICIENT_RESOURCES;  
    }  
  
  
    RtlZeroMemory(Name->Buffer, ustrKeyName.Length);  
  
  
    Name->Length = 0;  
    Name->MaximumLength = ustrKeyName.Length;  
  
  
    RtlCopyUnicodeString(Name, &ustrKeyName);  
    ExFreePool(ustrKeyName.Buffer);  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS TlGetObjectFullName(PVOID Object, PUNICODE_STRING Name)  
{  
#if (NTDDI_VERSION >= NTDDI_LONGHORN)  
    return TlGetObjectNameOnVistaAndLater(Object, Name);  
#else  
    return TlGetObjectNameOnXP(Object, Name);  
#endif  
}  
  
  
  
  
NTSTATUS MyDeleteKey(PREG_DELETE_KEY_INFORMATION Data)  
{  
    NTSTATUS            ntStatus        = 0;  
    UNICODE_STRING      ustrKeyName     = {0};  
  
  
    __try  
    {  
  
  
        if((ExGetPreviousMode() == KernelMode))  
        {  
            return STATUS_SUCCESS;  
        }  
  
  
        if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)  
        {  
            return STATUS_SUCCESS;  
        }  
        DbgPrint("DeleteKey Key:%wZ\n", &ustrKeyName);  
  
  
        ExFreePool(ustrKeyName.Buffer);  
  
  
    }  
    __except(EXCEPTION_EXECUTE_HANDLER)  
    {  
    }  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS MySetValueKey(PREG_SET_VALUE_KEY_INFORMATION Data)  
{  
    NTSTATUS                ntStatus                = 0;  
    UNICODE_STRING          ustrKeyName             = {0};  
    UNICODE_STRING          ustrTarget              = {0};  
    WCHAR                   wszKeyPath[MAX_PATH]    = {0};  
  
  
    __try  
    {  
          
        if((ExGetPreviousMode() == KernelMode))  
        {  
            return STATUS_SUCCESS;  
        }  
  
  
        if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)  
        {  
  
  
            return STATUS_SUCCESS;  
        }  
  
  
        ustrTarget.Buffer = wszKeyPath;  
        ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);  
          
        RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);  
  
  
  
  
        ExFreePool(ustrKeyName.Buffer);  
  
  
        if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1] != L‘\\‘ )  
            RtlAppendUnicodeToString(&ustrTarget, L"\\");  
  
  
        RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName);  
        DbgPrint("SetValueKey Key:%wZ\n", &ustrTarget);  
  
  
    }  
    __except(EXCEPTION_EXECUTE_HANDLER)  
    {  
  
  
    }  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS MyDeleteValueKey(PREG_DELETE_VALUE_KEY_INFORMATION Data)  
{  
    NTSTATUS                ntStatus                = 0;  
    UNICODE_STRING          ustrKeyName             = {0};  
    UNICODE_STRING          ustrTarget              = {0};  
    WCHAR                   wszKeyPath[MAX_PATH]    = {0};  
  
  
  
  
    __try  
    {  
  
  
        if((ExGetPreviousMode() == KernelMode))  
        {  
            return STATUS_SUCCESS;  
        }  
  
  
        if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)  
        {  
            return STATUS_SUCCESS;  
        }  
  
  
        ustrTarget.Buffer = wszKeyPath;  
        ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);  
          
        RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);  
  
  
        ExFreePool(ustrKeyName.Buffer);  
  
  
        if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1]!=L‘\\‘ )  
            RtlAppendUnicodeToString(&ustrTarget, L"\\");  
  
  
        RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName);  
        DbgPrint("DeleteValueKey Key:%wZ\n", &ustrTarget);  
  
  
    }  
    __except(EXCEPTION_EXECUTE_HANDLER)  
    {  
  
  
    }  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS MyRenameKey(PREG_RENAME_KEY_INFORMATION Data)  
{  
    NTSTATUS                ntStatus    = 0;  
    UNICODE_STRING          ustrKeyName = {0};  
      
    __try  
    {  
        if((ExGetPreviousMode() == KernelMode))  
        {  
            return STATUS_SUCCESS;  
        }  
  
  
        if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)  
        {  
            return STATUS_SUCCESS;  
        }  
  
  
        DbgPrint("RenameKey Key:%wZ\n", &ustrKeyName);  
  
  
        ExFreePool(ustrKeyName.Buffer);  
  
  
  
  
    }  
    __except(EXCEPTION_EXECUTE_HANDLER)  
    {  
  
  
    }  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS MyCreateKey(PREG_PRE_CREATE_KEY_INFORMATION Data)  
{  
    NTSTATUS            ntStatus                = 0;  
    UNICODE_STRING      ustrTarget              = {0};  
    WCHAR               wszKeyName[MAX_PATH]    = {0};  
  
  
    __try  
    {  
        if((ExGetPreviousMode() == KernelMode))  
        {  
            return STATUS_SUCCESS;  
        }  
          
        ustrTarget.Buffer = wszKeyName;  
        ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);  
          
        RtlCopyUnicodeString(&ustrTarget, Data->CompleteName);  
        DbgPrint("CreateKey Key:%wZ\n", &ustrTarget);  
    }  
    __except(EXCEPTION_EXECUTE_HANDLER)  
    {  
    }  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS MyCreateKeyEx(PREG_CREATE_KEY_INFORMATION Data)  
{  
    NTSTATUS            ntStatus    = 0;  
    UNICODE_STRING      ustrKeyName = {0};  
    UNICODE_STRING      ustrTarget  = {0};  
  
  
    __try  
    {  
        if((ExGetPreviousMode() == KernelMode))  
        {  
  
  
            return STATUS_SUCCESS;  
        }  
  
  
        if(NT_SUCCESS(TlGetObjectFullName(Data->RootObject, &ustrKeyName)) == FALSE)  
        {  
  
  
            return STATUS_SUCCESS;  
        }  
  
  
        ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);  
          
        RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);  
  
  
        ExFreePool(ustrKeyName.Buffer);  
          
        if(Data->CompleteName)  
        {  
            RtlAppendUnicodeToString(&ustrTarget, L"\\");  
            RtlAppendUnicodeStringToString(&ustrTarget, Data->CompleteName);  
        }  
  
  
        DbgPrint("CreateKeyEx :%wZ\n", ustrTarget);  
  
  
    }  
    __except(EXCEPTION_EXECUTE_HANDLER)  
    {  
  
  
    }  
  
  
    return STATUS_SUCCESS;  
}  
  
  
  
  
NTSTATUS MyRegCallback  
(  
    PVOID CallbackContext,   
    PVOID Argument1,   
    PVOID Argument2  
)  
{  
    switch( (REG_NOTIFY_CLASS) Argument1)  
    {  
    case RegNtPreDeleteKey :  
        return MyDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2);  
    case RegNtPreSetValueKey:  
        return MySetValueKey((PREG_SET_VALUE_KEY_INFORMATION) Argument2);  
    case RegNtPreDeleteValueKey:  
        return MyDeleteValueKey((PREG_DELETE_VALUE_KEY_INFORMATION) Argument2);  
    case RegNtPreRenameKey:  
        return MyRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2);  
    case RegNtPreCreateKey:  
        return MyCreateKey((PREG_PRE_CREATE_KEY_INFORMATION) Argument2);      
    case RegNtPreCreateKeyEx:  
        return MyCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2);  
  
  
    }  
  
  
    return STATUS_SUCCESS;  
}  
  
  
NTSTATUS startRegMon(PDRIVER_OBJECT driverObject)  
{  
#if (NTDDI_VERSION >= NTDDI_VISTA)  
    UNICODE_STRING uAltitude;  
  
  
    RtlInitUnicodeString(&uAltitude, g_wszAltitude);  
    return CmRegisterCallbackEx(MyRegCallback,  
                          &uAltitude,  
                          driverObject,  
                          NULL,  
                          &g_RegCookie,  
                          NULL);      
#else  
    return CmRegisterCallback(MyRegCallback,  
                              NULL,  
                             &g_RegCookie);  
  
  
#endif  
                            
}  
  
  
VOID stopRegMon( )  
{  
    CmUnRegisterCallback(g_RegCookie);  
}  
  
  
  
  
  
  
regmon.c  
#ifndef __REGMON_H__  
#define __REGMON_H__  
  
  
typedef enum _OBJECT_INFO_CLASS {  
    ObjectBasicInfo,  
        ObjectNameInfo,  
        ObjectTypeInfo,  
        ObjectAllTypesInfo,  
        ObjectProtectionInfo  
} OBJECT_INFO_CLASS;  
  
  
  
  
PGENERIC_MAPPING IoGetKeyGenericMapping( );  
  
  
NTSTATUS   
MyRegCallback  
(  
    PVOID CallbackContext,   
    PVOID Argument1,   
    PVOID Argument2  
);  
  
  
  
  
NTSTATUS startRegMon(PDRIVER_OBJECT driverObject);  
VOID stopRegMon( );  
  
  
  
  
#endif

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
NTSTATUS ntStatus;
ntStatus = CmRegisterCallback(MyRegistryCallback, NULL, &pCookie);
return ntStatus;
}
//see demo:
//7eightl-minifilter\Demo\REG-hips
NTSTATUS HOOK_PreNtDeleteKey(PREG_DELETE_KEY_INFORMATION Data)
{
NTSTATUS status = 0;
PUNICODE_STRING keyName;
UNICODE_STRING uTarget;
return STATUS_SUCCESS;
}
NTSTATUS MyRegistryCallback(__in PVOID CallbackContext,__in_opt PVOID Argument1, / / REG_NOTIFY_CLASS __in_opt PVOID Argument2 // KEY_INFORMATION ){
switch( (REG_NOTIFY_CLASS) Argument1)
{
case RegNtPreDeleteKey :
return HOOK_PreNtDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2);
case RegNtPreRenameKey:
return HOOK_PreNtRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2);
case RegNtPreCreateKeyEx: // pre 操作
return HOOK_PreNtCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2);
case RegNtPostCreateKeyEx : // post 操作
return HOOK_PostNtCreateKeyEx((PRGG_POST_OPERATION_INFORMATION )}
}
} }
main.c
#include "precomp.h"
#define DEVICE_NAME L"\\device\\HipsRegDrv"
#define LINK_NAME L"\\dosDevices\\HipsRegDrv"
// function to dispatch the IRPs
NTSTATUS DispatchOK(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
VOID DriverUnload (
IN PDRIVER_OBJECT pDriverObject)
{
UNICODE_STRING strLink;
RtlInitUnicodeString(&strLink, LINK_NAME);
stopRegMon();
IoDeleteSymbolicLink(&strLink);
IoDeleteDevice(pDriverObject->DeviceObject);
DbgPrint(" Unloaded\n");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
UNICODE_STRING DeviceName;
UNICODE_STRING LinkName;
NTSTATUS status;
PDEVICE_OBJECT pDriverDeviceObject;
ULONG i;
//DbgPrint("Driver loaded.");
pDriverObject->DriverUnload = DriverUnload;
// init strings
RtlInitUnicodeString(&DeviceName, DEVICE_NAME);
RtlInitUnicodeString(&LinkName, LINK_NAME);
// to communicate with usermode, we need a device
status = IoCreateDevice(
pDriverObject, // ptr to caller object
0, // extension device allocated byte number
&DeviceName, // device name
FILE_DEVICE_UNKNOWN,
0, // no special caracteristics
FALSE, // we can open many handles in same time
&pDriverDeviceObject); // [OUT] ptr to the created object
if ( !NT_SUCCESS(status) )
return STATUS_NO_SUCH_DEVICE;
pDriverDeviceObject-> Flags |= DO_BUFFERED_IO;
// we also need a symbolic link
status = IoCreateSymbolicLink(&LinkName,&DeviceName);
if( !NT_SUCCESS(status) )
{
IoDeleteDevice( pDriverDeviceObject );
return STATUS_NO_SUCH_DEVICE;
}
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = DispatchOK;
startRegMon(pDriverObject);
//Do other things...
return STATUS_SUCCESS;
}
precomp.h
#ifndef _PRECOMP_H_
#define _PRECOMP_H_
#include <ntifs.h>
#include <ntddk.h>
#include <windef.h>
#include "regmon.h"
#endif
regmon.c
#include "precomp.h"
GENERIC_MAPPING g_KeyMapping = {KEY_READ, KEY_WRITE, KEY_EXECUTE, KEY_ALL_ACCESS};
static WCHAR g_wszAltitude[] = L"370020";
PGENERIC_MAPPING IoGetKeyGenericMapping( )
{
return &g_KeyMapping;
}
BOOL MyObQueryObjectName(HANDLE hObjHandle, PUNICODE_STRING ustrObjectName, BOOL bNeedAllocateName)
{
PVOID pQueryBuffer = NULL;
DWORD dwReqSize = 0;
NTSTATUS ntStatus = 0;
__try
{
dwReqSize = sizeof(OBJECT_NAME_INFORMATION) + (MAX_PATH + 32)*sizeof(WCHAR);
pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, ‘RFLM‘);
if(pQueryBuffer == NULL)
return FALSE;
ntStatus = ZwQueryObject(hObjHandle,
ObjectNameInfo,
pQueryBuffer,
dwReqSize,
&dwReqSize);
if((ntStatus == STATUS_INFO_LENGTH_MISMATCH) ||
(ntStatus == STATUS_BUFFER_OVERFLOW) ||
(ntStatus == STATUS_BUFFER_TOO_SMALL))
{
ExFreePool(pQueryBuffer);
pQueryBuffer = NULL;
pQueryBuffer = ExAllocatePoolWithTag(PagedPool, dwReqSize, ‘RFLM‘);
if(pQueryBuffer == NULL)
{
return FALSE;
}
ntStatus = ZwQueryObject(hObjHandle,
ObjectNameInfo,
pQueryBuffer,
dwReqSize,
&dwReqSize);
}
if(NT_SUCCESS(ntStatus))
{
OBJECT_NAME_INFORMATION * pNameInfo = (OBJECT_NAME_INFORMATION *)pQueryBuffer;
if(bNeedAllocateName)
{
ustrObjectName->Buffer = ExAllocatePoolWithTag(PagedPool, pNameInfo->Name.Length + sizeof(WCHAR), ‘RFLM‘);
if(ustrObjectName->Buffer)
{
RtlZeroMemory(ustrObjectName->Buffer, pNameInfo->Name.Length + sizeof(WCHAR));
ustrObjectName->Length = 0;
ustrObjectName->MaximumLength = pNameInfo->Name.Length;
RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name);
}
else
ntStatus = STATUS_INSUFFICIENT_RESOURCES;
}
else
RtlCopyUnicodeString(ustrObjectName, &pNameInfo->Name);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ntStatus = GetExceptionCode();
}
if(pQueryBuffer)
{
ExFreePool(pQueryBuffer);
pQueryBuffer = NULL;
}
return NT_SUCCESS(ntStatus);
}
LARGE_INTEGER g_RegCookie;
#if (NTDDI_VERSION >= NTDDI_VISTA)
NTSTATUS TlGetObjectNameOnVistaAndLater(PVOID Object, PUNICODE_STRING Name)
{
PUNICODE_STRING pKeyName = NULL;
NTSTATUS ntStatus = 0;
if(Object == NULL || Name == NULL)
return STATUS_INVALID_PARAMETER;
ntStatus = CmCallbackGetKeyObjectID(&g_RegCookie,
Object,
NULL,
&pKeyName);
if(NT_SUCCESS(ntStatus) == FALSE)
{
return ntStatus;
}
Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag(
PagedPool,
pKeyName->Length,
‘RFLM‘
);
if(Name->Buffer == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlZeroMemory(Name->Buffer, pKeyName->Length);
Name->Length = 0;
Name->MaximumLength = pKeyName->Length;
RtlCopyUnicodeString(Name, pKeyName);
return STATUS_SUCCESS;
}
#endif
NTSTATUS TlGetObjectNameOnXP(PVOID Object, PUNICODE_STRING Name)
{
UNICODE_STRING ustrKeyName = {0};
HANDLE ObjectHandle = NULL;
NTSTATUS ntStatus = 0;
if(Object == NULL || Name == NULL)
return STATUS_INVALID_PARAMETER;
ntStatus = ObOpenObjectByPointer(Object,
OBJ_KERNEL_HANDLE ,
0,
0,
NULL,
KernelMode,
&ObjectHandle);
if(NT_SUCCESS(ntStatus) == FALSE)
{
return ntStatus;
}
if(MyObQueryObjectName(ObjectHandle, &ustrKeyName, TRUE) == FALSE)
{
ZwClose(ObjectHandle);
return STATUS_INSUFFICIENT_RESOURCES;
}
ZwClose(ObjectHandle);
Name->Buffer = ( PWCHAR )ExAllocatePoolWithTag(
PagedPool,
ustrKeyName.Length,
‘RFLM‘
);
if(Name->Buffer == NULL)
{
return STATUS_INSUFFICIENT_RESOURCES;
}
RtlZeroMemory(Name->Buffer, ustrKeyName.Length);
Name->Length = 0;
Name->MaximumLength = ustrKeyName.Length;
RtlCopyUnicodeString(Name, &ustrKeyName);
ExFreePool(ustrKeyName.Buffer);
return STATUS_SUCCESS;
}
NTSTATUS TlGetObjectFullName(PVOID Object, PUNICODE_STRING Name)
{
#if (NTDDI_VERSION >= NTDDI_LONGHORN)
return TlGetObjectNameOnVistaAndLater(Object, Name);
#else
return TlGetObjectNameOnXP(Object, Name);
#endif
}
NTSTATUS MyDeleteKey(PREG_DELETE_KEY_INFORMATION Data)
{
NTSTATUS ntStatus = 0;
UNICODE_STRING ustrKeyName = {0};
__try
{
if((ExGetPreviousMode() == KernelMode))
{
return STATUS_SUCCESS;
}
if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
{
return STATUS_SUCCESS;
}
DbgPrint("DeleteKey Key:%wZ\n", &ustrKeyName);
ExFreePool(ustrKeyName.Buffer);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
NTSTATUS MySetValueKey(PREG_SET_VALUE_KEY_INFORMATION Data)
{
NTSTATUS ntStatus = 0;
UNICODE_STRING ustrKeyName = {0};
UNICODE_STRING ustrTarget = {0};
WCHAR wszKeyPath[MAX_PATH] = {0};
__try
{
if((ExGetPreviousMode() == KernelMode))
{
return STATUS_SUCCESS;
}
if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
{
return STATUS_SUCCESS;
}
ustrTarget.Buffer = wszKeyPath;
ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);
ExFreePool(ustrKeyName.Buffer);
if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1] != L‘\\‘ )
RtlAppendUnicodeToString(&ustrTarget, L"\\");
RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName);
DbgPrint("SetValueKey Key:%wZ\n", &ustrTarget);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
NTSTATUS MyDeleteValueKey(PREG_DELETE_VALUE_KEY_INFORMATION Data)
{
NTSTATUS ntStatus = 0;
UNICODE_STRING ustrKeyName = {0};
UNICODE_STRING ustrTarget = {0};
WCHAR wszKeyPath[MAX_PATH] = {0};
__try
{
if((ExGetPreviousMode() == KernelMode))
{
return STATUS_SUCCESS;
}
if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
{
return STATUS_SUCCESS;
}
ustrTarget.Buffer = wszKeyPath;
ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);
ExFreePool(ustrKeyName.Buffer);
if (ustrTarget.Buffer[ustrTarget.Length/sizeof(WCHAR) - 1]!=L‘\\‘ )
RtlAppendUnicodeToString(&ustrTarget, L"\\");
RtlAppendUnicodeStringToString(&ustrTarget, Data->ValueName);
DbgPrint("DeleteValueKey Key:%wZ\n", &ustrTarget);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
NTSTATUS MyRenameKey(PREG_RENAME_KEY_INFORMATION Data)
{
NTSTATUS ntStatus = 0;
UNICODE_STRING ustrKeyName = {0};
__try
{
if((ExGetPreviousMode() == KernelMode))
{
return STATUS_SUCCESS;
}
if(NT_SUCCESS(TlGetObjectFullName(Data->Object, &ustrKeyName)) == FALSE)
{
return STATUS_SUCCESS;
}
DbgPrint("RenameKey Key:%wZ\n", &ustrKeyName);
ExFreePool(ustrKeyName.Buffer);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
NTSTATUS MyCreateKey(PREG_PRE_CREATE_KEY_INFORMATION Data)
{
NTSTATUS ntStatus = 0;
UNICODE_STRING ustrTarget = {0};
WCHAR wszKeyName[MAX_PATH] = {0};
__try
{
if((ExGetPreviousMode() == KernelMode))
{
return STATUS_SUCCESS;
}
ustrTarget.Buffer = wszKeyName;
ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
RtlCopyUnicodeString(&ustrTarget, Data->CompleteName);
DbgPrint("CreateKey Key:%wZ\n", &ustrTarget);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
NTSTATUS MyCreateKeyEx(PREG_CREATE_KEY_INFORMATION Data)
{
NTSTATUS ntStatus = 0;
UNICODE_STRING ustrKeyName = {0};
UNICODE_STRING ustrTarget = {0};
__try
{
if((ExGetPreviousMode() == KernelMode))
{
return STATUS_SUCCESS;
}
if(NT_SUCCESS(TlGetObjectFullName(Data->RootObject, &ustrKeyName)) == FALSE)
{
return STATUS_SUCCESS;
}
ustrTarget.MaximumLength = MAX_PATH * sizeof(WCHAR);
RtlCopyUnicodeString(&ustrTarget, &ustrKeyName);
ExFreePool(ustrKeyName.Buffer);
if(Data->CompleteName)
{
RtlAppendUnicodeToString(&ustrTarget, L"\\");
RtlAppendUnicodeStringToString(&ustrTarget, Data->CompleteName);
}
DbgPrint("CreateKeyEx :%wZ\n", ustrTarget);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return STATUS_SUCCESS;
}
NTSTATUS MyRegCallback
(
PVOID CallbackContext,
PVOID Argument1,
PVOID Argument2
)
{
switch( (REG_NOTIFY_CLASS) Argument1)
{
case RegNtPreDeleteKey :
return MyDeleteKey((PREG_DELETE_KEY_INFORMATION) Argument2);
case RegNtPreSetValueKey:
return MySetValueKey((PREG_SET_VALUE_KEY_INFORMATION) Argument2);
case RegNtPreDeleteValueKey:
return MyDeleteValueKey((PREG_DELETE_VALUE_KEY_INFORMATION) Argument2);
case RegNtPreRenameKey:
return MyRenameKey((PREG_RENAME_KEY_INFORMATION) Argument2);
case RegNtPreCreateKey:
return MyCreateKey((PREG_PRE_CREATE_KEY_INFORMATION) Argument2);
case RegNtPreCreateKeyEx:
return MyCreateKeyEx((PREG_CREATE_KEY_INFORMATION) Argument2);
}
return STATUS_SUCCESS;
}
NTSTATUS startRegMon(PDRIVER_OBJECT driverObject)
{
#if (NTDDI_VERSION >= NTDDI_VISTA)
UNICODE_STRING uAltitude;
RtlInitUnicodeString(&uAltitude, g_wszAltitude);
return CmRegisterCallbackEx(MyRegCallback,
&uAltitude,
driverObject,
NULL,
&g_RegCookie,
NULL);
#else
return CmRegisterCallback(MyRegCallback,
NULL,
&g_RegCookie);
#endif
}
VOID stopRegMon( )
{
CmUnRegisterCallback(g_RegCookie);
}
regmon.c
#ifndef __REGMON_H__
#define __REGMON_H__
typedef enum _OBJECT_INFO_CLASS {
ObjectBasicInfo,
ObjectNameInfo,
ObjectTypeInfo,
ObjectAllTypesInfo,
ObjectProtectionInfo
} OBJECT_INFO_CLASS;
PGENERIC_MAPPING IoGetKeyGenericMapping( );
NTSTATUS
MyRegCallback
(
PVOID CallbackContext,
PVOID Argument1,
PVOID Argument2
);
NTSTATUS startRegMon(PDRIVER_OBJECT driverObject);
VOID stopRegMon( );
#endif

注册表回调整体框架

标签：max demo fun with cut rtl ++ i++ process

原文地址：http://www.cnblogs.com/wongnel/p/7701367.html

踩

(0)

评论一句话评论（0）

分享档案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行