能力值:
( LV2,RANK:10 )
|
-
-
26 楼
你写的编码方式和企鹅的编码方式不同,同时操作注册表的时候会有问题。你全部改成unicode吧。
|
能力值:
( LV2,RANK:10 )
|
-
-
27 楼
这段代码用windbg分析错误,它指向了我红色的这一行,不明白是哪里出错了
#include "ntifs.h"
#include <ntstrsafe.h>
#include <ntddk.h>
#include <string.h>
#define REGISTRY_POOL_TAG 'pRE'
NTSTATUS st;
LARGE_INTEGER g_CallbackCookie;
ANSI_STRING astr;
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2);
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath,PVOID pRegistryObject);
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("[RegRoutine]Loading!\n");
DriverObject->DriverUnload = UnloadDriver;
st = CmRegisterCallback(RegistryCallback,NULL,&g_CallbackCookie);
if ( !NT_SUCCESS(st) )
{
DbgPrint("[RegRoutine]CmRegisterCallback Failed!\n");
return st;
}
//DbgPrint("[RegRoutine]RegistryCallback Addr:0x%08X\n",RegistryCallback);
//DbgPrint("[RegRoutine]Cookie.LowPart:0x%08X Cookie.HighPart:0x%08X\n",g_CallbackCookie.LowPart,g_CallbackCookie.HighPart);
return st;
}
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
CmUnRegisterCallback(g_CallbackCookie);
DbgPrint("[RegRoutine]UnLoading!\n");
}
NTSTATUS
RegistryCallback( IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2 )
{
int type;
BOOLEAN exception = FALSE;
BOOLEAN registryEventIsValid = FALSE;
UNICODE_STRING registryPath;
UCHAR* registryData = NULL;
ULONG registryDataLength = 0;
ULONG registryDataType = 0;
registryPath.Length = 0;
registryPath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, 'ConT');
if(registryPath.Buffer == NULL)
{
DbgPrint("[RegRoutine]Allocate registryPath failed!\n");
return STATUS_SUCCESS;
}
type = (REG_NOTIFY_CLASS)Argument1;
try{
switch(type)
{
case RegNtDeleteValueKey:
{
PREG_DELETE_VALUE_KEY_INFORMATION deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(deleteValueKey->ValueName))
{
registryEventIsValid = GetRegistryObjectCompleteName(®istryPath, NULL, deleteValueKey->Object);
if((registryEventIsValid) && (deleteValueKey->ValueName->Length > 0))
{
//RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE);
//DbgPrint("[RegDeletedKey]KeyName:%s!\n",astr.Buffer);
//RtlFreeAnsiString(&astr);
RtlUnicodeStringToAnsiString(&astr,deleteValueKey->ValueName,TRUE);
// DbgPrint("[RegDelValue]ValueName:%s!\n",astr.Buffer);
if (!strncmp(astr.Buffer,"Start Page",deleteValueKey->ValueName->MaximumLength) )
{
DbgPrint("[RegDelValue]Forbin!\n");
RtlFreeAnsiString(&astr);
return STATUS_INVALID_PARAMETER;
}
RtlFreeAnsiString(&astr);
}
}
break;
}
case RegNtPreSetValueKey:
{
PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(setValueKey->ValueName) )
{
registryEventIsValid = GetRegistryObjectCompleteName(®istryPath, NULL, setValueKey->Object);
if((registryEventIsValid) && (setValueKey->ValueName->Length > 0))
{
//RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE);
//DbgPrint("[RegSetKey]KeyName:%s!\n",astr.Buffer);
//RtlFreeAnsiString(&astr);
registryDataType = setValueKey->Type;
registryDataLength = setValueKey->DataSize;
registryData = ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG);
//RtlFreeAnsiString(&astr);
RtlUnicodeStringToAnsiString(&astr,setValueKey->ValueName,TRUE);
//DbgPrint("[RegSetValue]ValueName:%d!\n",setValueKey->ValueName->MaximumLength);
if (!strncmp(astr.Buffer,"Start Page",setValueKey->ValueName->MaximumLength) )
{
DbgPrint("[RegSetValue]Forbin!\n");
//DbgPrint("[RegSetValue]ForbinKeyName:%s!\n",astr.Buffer);
RtlFreeAnsiString(&astr);
return STATUS_INVALID_PARAMETER;
}
RtlFreeAnsiString(&astr);
}
}
break;
}
default:
break;
}
}
except( EXCEPTION_EXECUTE_HANDLER )
{
DbgPrint("[RegRoutine]Catch a Expection!\n");
exception = TRUE;
registryEventIsValid = FALSE;
}
if(registryEventIsValid)
{
if(registryData != NULL)
{
ExFreePoolWithTag(registryData, REGISTRY_POOL_TAG);
}
}
if(registryPath.Buffer != NULL)
{
ExFreePoolWithTag(registryPath.Buffer, 'ConT');
}
return STATUS_SUCCESS;
}
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath, PVOID pRegistryObject)
{
BOOLEAN foundCompleteName = FALSE;
BOOLEAN partial = FALSE;
NTSTATUS status;
ULONG returnedLength;
PUNICODE_STRING pObjectName = NULL;
//判断object的有效性
if( (!MmIsAddressValid(pRegistryObject)) || (pRegistryObject == NULL) )
{
DbgPrint("[RegRoutine]pRegistryObject Invalid!\n");
return FALSE;
}
if(pPartialRegistryPath != NULL)
{
if( (((pPartialRegistryPath->Buffer[0] == '\\') || (pPartialRegistryPath->Buffer[0] == '%')) ||
((pPartialRegistryPath->Buffer[0] == 'T') && (pPartialRegistryPath->Buffer[1] == 'R') &&
(pPartialRegistryPath->Buffer[2] == 'Y') && (pPartialRegistryPath->Buffer[3] == '\\'))) )
{
RtlUnicodeStringCopy(pRegistryPath, pPartialRegistryPath);
partial = TRUE;
foundCompleteName = TRUE;
}
}
if(!foundCompleteName)
{
//使用ObQueryNameString来得到object对应的名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, 0, &returnedLength );
//第一次传的buffer长度为0,ObQueryNameString返回的结果必定是缓冲区大小不足
if(status == STATUS_INFO_LENGTH_MISMATCH)
{
pObjectName = ExAllocatePoolWithTag(NonPagedPool, returnedLength, 'ConT'); //申请内存
if( pObjectName == NULL ) //申请内存失败则返回FALSE
{
DbgPrint("[RegRoutine]AllocatePool Failed!\n");
return FALSE;
}
//查询名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, returnedLength, &returnedLength );
if(NT_SUCCESS(status))
{
RtlUnicodeStringCopy(pRegistryPath, pObjectName); //拷贝名称
foundCompleteName = TRUE;
}
ExFreePoolWithTag(pObjectName, 'ConT'); //无论查询是否成功都应该释放内存
}
}
return foundCompleteName;
}
|
能力值:
( LV2,RANK:10 )
|
-
-
28 楼
就是指向了我这个大括号这一行
|
能力值:
( LV2,RANK:10 )
|
-
-
29 楼
windbg分析的dump文件他指向了} 这一行,不知道哪里有问题,还有这个代码if (!strncmp(astr.Buffer,"Start Page",setValueKey->ValueName->MaximumLength) ) 这样写可以吗
|
能力值:
( LV2,RANK:10 )
|
-
-
30 楼
怎么跟QQ管家有关系了?是你自己的问题吧 应该是在 释放内存的时候破坏了堆结构 要么就是重复释放了 好好检查
|
能力值:
( LV2,RANK:10 )
|
-
-
31 楼
希望能在代码里指出错误.谢谢!
|
能力值:
( LV2,RANK:10 )
|
-
-
32 楼
结贴吧 QQ管家锁定主页不是改注册表的 和360一个破样 具体自己研究 #include "ntifs.h"
#include <ntstrsafe.h>
#include <ntddk.h>
#include <string.h>
#define REGISTRY_POOL_TAG 'pRE'
NTSTATUS st;
LARGE_INTEGER g_CallbackCookie;
ANSI_STRING astr;
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2);
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath,PVOID pRegistryObject);
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("[RegRoutine]Loading!\n");
DriverObject->DriverUnload = UnloadDriver;
st = CmRegisterCallback(RegistryCallback,NULL,&g_CallbackCookie);
if ( !NT_SUCCESS(st) )
{
DbgPrint("[RegRoutine]CmRegisterCallback Failed!\n");
return st;
}
//DbgPrint("[RegRoutine]RegistryCallback Addr:0x%08X\n",RegistryCallback);
//DbgPrint("[RegRoutine]Cookie.LowPart:0x%08X Cookie.HighPart:0x%08X\n",g_CallbackCookie.LowPart,g_CallbackCookie.HighPart);
return st;
}
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
CmUnRegisterCallback(g_CallbackCookie);
DbgPrint("[RegRoutine]UnLoading!\n");
}
NTSTATUS
RegistryCallback( IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2 )
{
ULONG type;
BOOLEAN exception = FALSE;
BOOLEAN registryEventIsValid = FALSE;
UNICODE_STRING registryPath;
UCHAR* registryData = NULL;
ULONG registryDataLength = 0;
ULONG registryDataType = 0;
UNICODE_STRING ustrStratPage;
NTSTATUS status = STATUS_SUCCESS;
registryPath.Length = 0;
registryPath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
registryPath.Buffer = (PWCH)ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, 'ConT');
//////////////////////////////////////////////////////////////////////////
RtlInitUnicodeString(&ustrStratPage, L"Start Page");
//////////////////////////////////////////////////////////////////////////
if(registryPath.Buffer == NULL)
{
DbgPrint("[RegRoutine]Allocate registryPath failed!\n");
status = STATUS_SUCCESS;
goto _exit;
}
type = (ULONG)Argument1;
try
{
switch(type)
{
case RegNtDeleteValueKey:
{
PREG_DELETE_VALUE_KEY_INFORMATION deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(deleteValueKey->ValueName))
{
registryEventIsValid = GetRegistryObjectCompleteName(®istryPath, NULL, deleteValueKey->Object);
if((registryEventIsValid) && (deleteValueKey->ValueName->Length > 0))
{
//RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE);
//DbgPrint("[RegDeletedKey]KeyName:%s!\n",astr.Buffer);
//RtlFreeAnsiString(&astr);
//RtlUnicodeStringToAnsiString(&astr,deleteValueKey->ValueName,TRUE);
// DbgPrint("[RegDelValue]ValueName:%s!\n",astr.Buffer);
if (/*!strncmp(astr.Buffer,"Start Page",deleteValueKey->ValueName->MaximumLength) */
0 == RtlCompareUnicodeString(deleteValueKey->ValueName, &ustrStratPage, TRUE))
{
DbgPrint("[RegDelValue]Forbin!\n");
status = STATUS_CALLBACK_BYPASS;
break;
}
//RtlFreeAnsiString(&astr);
}
}
}
break;
case RegNtPreSetValueKey:
{
PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(setValueKey->ValueName) )
{
registryEventIsValid = GetRegistryObjectCompleteName(®istryPath, NULL, setValueKey->Object);
if((registryEventIsValid) && (setValueKey->ValueName->Length > 0))
{
//RtlUnicodeStringToAnsiString(&astr,®istryPath,TRUE);
//DbgPrint("[RegSetKey]KeyName:%s!\n",astr.Buffer);
//RtlFreeAnsiString(&astr);
registryDataType = setValueKey->Type;
registryDataLength = setValueKey->DataSize;
registryData = (UCHAR*)ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG);
//RtlFreeAnsiString(&astr);
//RtlUnicodeStringToAnsiString(&astr,setValueKey->ValueName,TRUE);
//DbgPrint("[RegSetValue]ValueName:%d!\n",setValueKey->ValueName->MaximumLength);
if (/*!strncmp(astr.Buffer,"Start Page",setValueKey->ValueName->MaximumLength)*/
0 == RtlCompareUnicodeString(&ustrStratPage, setValueKey->ValueName, TRUE))
{
DbgPrint("[RegSetValue]Forbin!\n");
//DbgPrint("[RegSetValue]ForbinKeyName:%s!\n",astr.Buffer);
//RtlFreeAnsiString(&astr);
//return STATUS_INVALID_PARAMETER;
status = STATUS_CALLBACK_BYPASS;
break;
}
//RtlFreeAnsiString(&astr);
}
}
}
break;
default:
break;
}
}
except( EXCEPTION_EXECUTE_HANDLER )
{
DbgPrint("[RegRoutine]Catch a Expection!\n");
exception = TRUE;
registryEventIsValid = FALSE;
}
_exit:
if(registryData != NULL)
{
ExFreePoolWithTag(registryData, REGISTRY_POOL_TAG);
registryData = NULL;
}
if(registryPath.Buffer != NULL)
{
ExFreePoolWithTag(registryPath.Buffer, 'ConT');
registryPath.Buffer = NULL;
}
return status;
}
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath, PVOID pRegistryObject)
{
BOOLEAN foundCompleteName = FALSE;
BOOLEAN partial = FALSE;
NTSTATUS status;
ULONG returnedLength;
PUNICODE_STRING pObjectName = NULL;
//判断object的有效性
if( (!MmIsAddressValid(pRegistryObject)) || (pRegistryObject == NULL) )
{
DbgPrint("[RegRoutine]pRegistryObject Invalid!\n");
return FALSE;
}
if(pPartialRegistryPath != NULL)
{
if( (((pPartialRegistryPath->Buffer[0] == '\\') || (pPartialRegistryPath->Buffer[0] == '%')) ||
((pPartialRegistryPath->Buffer[0] == 'T') && (pPartialRegistryPath->Buffer[1] == 'R') &&
(pPartialRegistryPath->Buffer[2] == 'Y') && (pPartialRegistryPath->Buffer[3] == '\\'))) )
{
RtlUnicodeStringCopy(pRegistryPath, pPartialRegistryPath);
partial = TRUE;
foundCompleteName = TRUE;
}
}
if(!foundCompleteName)
{
//使用ObQueryNameString来得到object对应的名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, 0, &returnedLength );
//第一次传的buffer长度为0,ObQueryNameString返回的结果必定是缓冲区大小不足
if(status == STATUS_INFO_LENGTH_MISMATCH)
{
pObjectName = (PUNICODE_STRING)ExAllocatePoolWithTag(NonPagedPool, returnedLength, 'ConT'); //申请内存
if( pObjectName == NULL ) //申请内存失败则返回FALSE
{
DbgPrint("[RegRoutine]AllocatePool Failed!\n");
return FALSE;
}
//查询名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, returnedLength, &returnedLength );
if(NT_SUCCESS(status))
{
RtlUnicodeStringCopy(pRegistryPath, pObjectName); //拷贝名称
foundCompleteName = TRUE;
}
ExFreePoolWithTag(pObjectName, 'ConT'); //无论查询是否成功都应该释放内存
}
}
return foundCompleteName;
}
|
