-
-
[旧帖]
[求助]ZwOpenKey一直失败
0.00雪花
-
发表于:
2012-7-10 15:43
1355
-
[旧帖] [求助]ZwOpenKey一直失败
0.00雪花
我用的是SSDT进行注册表操作的Hook,现在是对ZwOpenKey进行勾取。目的是截取原先欲访问的路径,替换成另外一个路径。代码如下:
NTSTATUS HookZwOpenKey
(
OUT PHANDLE KeyHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
)
{
char fullPath[1024] = {0};
char hookPath[1024] = {0};
UINT find = 0;
ANSI_STRING ansi_path;
int i,j,num=0;
NTSTATUS status;
char tmp[1024] = {0};
PHANDLE handle;
if(NULL != ObjectAttributes->RootDirectory)
{
GetFullName(ObjectAttributes->RootDirectory,fullPath);
strcat(fullPath,"\\");
RtlUnicodeStringToAnsiString(&ansi_path,ObjectAttributes->ObjectName,TRUE);
strcat(fullPath,ansi_path.Buffer);
}
else
{
RtlUnicodeStringToAnsiString(&ansi_path,ObjectAttributes->ObjectName,TRUE);
strcpy(fullPath,ansi_path.Buffer);
}
//如果匹配,开始重定向。TRUE表示不区分大小写
if(1 == ShouldBeReDirected(fullPath,REDIRECT_TYPE_OPEN))
{
OBJECT_ATTRIBUTES objAttr;
ANSI_STRING tmpAnsi;
UNICODE_STRING ObjectName;
#if DBG
_asm int 3
#endif
//创建文件名
RtlInitUnicodeString(&ObjectName,L"\\Registry\\Machine\\SOFTWARE\\Program Groups");
//初始化objectAttributes
InitializeObjectAttributes(&objAttr,&ObjectName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,NULL,NULL);
status = OldZwOpenKey(handle,KEY_ALL_ACCESS,&objAttr);
if(NT_SUCCESS(status))
{
DbgPrint("After redirect ZwOpenKey,status=%ld",status);
}
//status = OldZwOpenKey(KeyHandle,DesiredAccess,ObjectAttributes);
return status;
}
status = OldZwOpenKey(KeyHandle,DesiredAccess,ObjectAttributes);
return status;
}
OldZwOpenKey是我之前保存的ZwOpenKey.
status = OldZwOpenKey(handle,KEY_ALL_ACCESS,&objAttr);//这一句一直出错,status是一个很大的负数。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
