Views: 2047  Replies: 8
======= Registry redirection! With code =========
I want to implement a registry redirection: when an application reads \Registry\Machine\SOFTWARE\A, redirect it to \Registry\Machine\SOFTWARE\B.
How can this be done? Could the experts here give me some ideas? Many thanks!

Another question: following REGMON, I check in HookRegOpenKey whether the key is the one I hook, \Registry\Machine\SOFTWARE\A, and if so I handle it like this:

    OBJECT_ATTRIBUTES obj;
    UNICODE_STRING    uRegistryPath;
    WCHAR             uPath[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\B";

    RtlInitUnicodeString(&uRegistryPath, uPath);
    InitializeObjectAttributes(&obj, &uRegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    pOpenInfo = &obj;                       /* replace the caller's attributes with my own */
    ntstatus  = RealRegOpenKey(pHandle, ReqAccess, pOpenInfo);

But it never succeeds, and I don't know why.

[Edited - 12/23/04 by pursuer_zhao]
Reply #1
Posted: 2004-12-22 20:25
Following.
Reply #2
Posted: 2004-12-23 10:04

    NTSTATUS HookRegOpenKey(IN OUT PHANDLE pHandle, IN ACCESS_MASK ReqAccess,
                            IN POBJECT_ATTRIBUTES pOpenInfo)
    {
        NTSTATUS          ntstatus;
        POBJECT           regobj;
        CHAR              fullname[MAXPATHLEN];
        PREDIR_ENTRY      pEntry = NULL;
        OBJECT_ATTRIBUTES obj;
        char              szTmp[256];
        UNICODE_STRING    uRegistryPath;
        WCHAR             uPath[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\B";
        CHAR              aPath[] = "\\REGISTRY\\MACHINE\\SOFTWARE\\A";
        BOOLEAN           bIsMy = FALSE;

        /* Regmon helper: resolve RootDirectory + ObjectName into a full path string */
        GetFullName(pOpenInfo->RootDirectory, pOpenInfo->ObjectName, fullname);

        if (_stricmp(fullname + 1, aPath) == 0) {
            sprintf(szTmp, "OpenMyKey,path:%s", fullname + 1);
            WriteLog(szTmp);
            bIsMy = TRUE;

            /* Build replacement attributes on the kernel stack and open B instead of A */
            RtlInitUnicodeString(&uRegistryPath, uPath);
            InitializeObjectAttributes(&obj, &uRegistryPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
            ntstatus = RealRegOpenKey(pHandle, ReqAccess, &obj);
            // After this call ntstatus == STATUS_ACCESS_VIOLATION (illegal access). Why?
        } else {
            ntstatus = RealRegOpenKey(pHandle, ReqAccess, pOpenInfo);
        }

        if (bIsMy && NT_SUCCESS(ntstatus)) {
            sprintf(szTmp, "RegOpenKey success:%s => %x, %s", fullname, *pHandle, ErrorString(ntstatus));
            WriteLog(szTmp);
        } else if (bIsMy) {
            sprintf(szTmp, "RegOpenKey fail:%s => %x, %s", fullname, *pHandle, ErrorString(ntstatus));
            WriteLog(szTmp);
        }

        if (NT_SUCCESS(ntstatus)) {
            /* Regmon bookkeeping: associate the new handle with its full name */
            regobj = GetPointer(*pHandle);
            RegmonFreeHashEntry(regobj);
            RegmonLogHash(regobj, fullname);
            ReleasePointer(regobj);
        }
        return ntstatus;
    }
Reply #3
Posted: 2004-12-23 11:44
Please help me! Thanks!
Reply #4
Posted: 2004-12-23 15:42
Modify the path name inside pOpenInfo directly:

    if (_stricmp(fullname, "HKLM\\software\\A") == 0) {
        UNICODE_STRING uRegistryPath;
        WCHAR          uPath[] = L"SOFTWARE\\B";

        RtlInitUnicodeString(&uRegistryPath, uPath);
        /* Overwrite the caller's ObjectName where the caller supplied it, so the real
           ZwOpenKey sees the new name in the same buffer; the replacement must be no
           longer than the original string */
        pOpenInfo->ObjectName->Length = uRegistryPath.Length;
        RtlMoveMemory(pOpenInfo->ObjectName->Buffer, uRegistryPath.Buffer, uRegistryPath.Length);
    }
    ntstatus = RealRegOpenKey(pHandle, ReqAccess, pOpenInfo);
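The in-place rewrite in the reply above works where the original post's version failed, and the reason is worth spelling out: an SSDT hook runs on the calling thread with PreviousMode still UserMode, so the real ZwOpenKey probes OBJECT_ATTRIBUTES and its ObjectName as user-mode pointers. An `obj` built on the kernel stack fails that probe and the call returns STATUS_ACCESS_VIOLATION; the caller's own buffer passes it because it is the caller's memory. Two checks then matter in the hook: the rewritten name must never grow past the caller's MaximumLength, and the match must stop at a key boundary so that SOFTWARE\AB is not redirected along with SOFTWARE\A. The following is an added example, not code from this thread or from Regmon: a user-mode C program that re-declares UNICODE_STRING locally (no WDK header needed) and implements a prefix redirect from \Registry\Machine\SOFTWARE\A (and its subkeys) to \Registry\Machine\SOFTWARE\B with both checks, generalizing the single-key case in the thread. The function names `RedirectRegistryPath`, `prefix_match` and `redirect_case` are hypothetical, the input paths are constructed, and it assumes ObjectName is an absolute path (RootDirectory == NULL); in a real hook the buffer is user memory and must be probed and copied under `__try/__except`, which is omitted here.

```c
/* Added example, not code from this thread or from Regmon. Emulates the
 * in-place ObjectName rewrite of a ZwOpenKey hook in plain user-mode C so it
 * compiles and runs anywhere: UNICODE_STRING is re-declared here instead of
 * coming from the WDK. Assumes ObjectName is an absolute path
 * (RootDirectory == NULL). In a real hook Buffer is user memory: probe it and
 * do the copy under __try/__except, which is omitted here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint16_t WCHAR;                 /* UTF-16 code unit, as in the WDK */
typedef struct {
    uint16_t Length;                    /* bytes in use (no terminator) */
    uint16_t MaximumLength;             /* bytes available in Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

static WCHAR upper(WCHAR c) { return (c >= 'a' && c <= 'z') ? (WCHAR)(c - 32) : c; }

/* Case-insensitive match of ASCII `prefix` at the start of `s`, accepted only
 * at a key boundary (end of string or a following backslash), so that
 * \SOFTWARE\A matches \SOFTWARE\A\Sub but not \SOFTWARE\AB.
 * Returns the prefix length in characters, or -1 on no match. */
static int prefix_match(const UNICODE_STRING *s, const char *prefix)
{
    size_t plen = strlen(prefix), slen = s->Length / sizeof(WCHAR);
    if (slen < plen) return -1;
    for (size_t i = 0; i < plen; i++)
        if (upper(s->Buffer[i]) != upper((WCHAR)(unsigned char)prefix[i])) return -1;
    if (slen > plen && s->Buffer[plen] != (WCHAR)'\\') return -1;
    return (int)plen;
}

/* Rewrite `name` in place: replace prefix `from` with `to`, keeping the tail.
 * Returns 1 if rewritten, 0 if `from` did not match, -1 if the result would
 * exceed the caller's MaximumLength (then `name` is left untouched: a hook
 * must never write past the buffer the caller handed in). */
int RedirectRegistryPath(UNICODE_STRING *name, const char *from, const char *to)
{
    int plen = prefix_match(name, from);
    if (plen < 0) return 0;
    size_t tail     = name->Length / sizeof(WCHAR) - (size_t)plen;
    size_t tolen    = strlen(to);
    size_t newbytes = (tolen + tail) * sizeof(WCHAR);
    if (newbytes > name->MaximumLength) return -1;
    /* memmove: the tail shifts either way when `to` is shorter or longer than `from` */
    memmove(name->Buffer + tolen, name->Buffer + plen, tail * sizeof(WCHAR));
    for (size_t i = 0; i < tolen; i++) name->Buffer[i] = (WCHAR)(unsigned char)to[i];
    name->Length = (uint16_t)newbytes;
    return 1;
}

/* Test scaffold: builds a UNICODE_STRING from an ASCII path in a local buffer
 * limited to `max_bytes`, runs the redirect and checks the result against
 * `expect`. Returns the RedirectRegistryPath code, or 99 on a mismatch. */
int redirect_case(const char *input, uint16_t max_bytes,
                  const char *from, const char *to, const char *expect)
{
    WCHAR          buf[128];
    UNICODE_STRING us = { 0, max_bytes, buf };
    size_t         n  = strlen(input);
    if (n * sizeof(WCHAR) > sizeof buf || n * sizeof(WCHAR) > max_bytes) return 99;
    for (size_t i = 0; i < n; i++) buf[i] = (WCHAR)(unsigned char)input[i];
    us.Length = (uint16_t)(n * sizeof(WCHAR));

    int rc = RedirectRegistryPath(&us, from, to);

    size_t elen = strlen(expect);
    if (us.Length != elen * sizeof(WCHAR)) return 99;
    for (size_t i = 0; i < elen; i++)
        if (us.Buffer[i] != (WCHAR)(unsigned char)expect[i]) return 99;
    return rc;
}

int main(void)
{
    const char *from = "\\Registry\\Machine\\SOFTWARE\\A";   /* constructed sample paths */
    const char *to   = "\\Registry\\Machine\\SOFTWARE\\B";
    printf("subkey:  %d\n", redirect_case("\\Registry\\Machine\\SOFTWARE\\A\\Settings", 256, from, to,
                                         "\\Registry\\Machine\\SOFTWARE\\B\\Settings"));
    printf("sibling: %d\n", redirect_case("\\Registry\\Machine\\SOFTWARE\\AB", 256, from, to,
                                         "\\Registry\\Machine\\SOFTWARE\\AB"));
    printf("no room: %d\n", redirect_case("\\Registry\\Machine\\SOFTWARE\\A", 56, from,
                                         "\\Registry\\Machine\\SOFTWARE\\Redirected\\B",
                                         "\\Registry\\Machine\\SOFTWARE\\A"));
    return 0;
}
```

The three cases in main() are the ones a hook gets wrong most often: a subkey under the redirected key (rewritten, tail preserved), a sibling whose name merely starts with the same letters (left alone), and a target longer than the space the caller allocated (refused, string unchanged) rather than silently overrunning the caller's buffer.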
Reply #5
Posted: 2004-12-23 15:59
> Modify the path name inside pOpenInfo directly

Thanks, but have you actually tried this code?
Reply #6
Posted: 2004-12-23 17:53
I posted it after testing it.
You can also look at your original thread: http://www.driverdevelop.com/forum/html_83715.html?1103795564
Reply #7
Posted: 2004-12-23 18:03
> I posted it after testing it.

I tried it, and the open works now, thanks! The experts really do it differently, heh.
But there is still a problem with enumeration: when the key is opened with regedit, the values shown are wrong.
Please keep following this.....
Reply #8
Posted: 2004-12-24 09:47
Closing this thread and awarding the points!
The same problem continues to be discussed at http://www.driverdevelop.com/forum/html_83715.html?1103852805 .....