#define IOCTL_MODIFY_FILE_RIGHT CTL_CODE(FILE_DEVICE_UNKNOWN,800,METHOD_BUFFERED,FILE_ANY_ACCESS)
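BOOL GetRightToAccessFile(HANDLE hSor, HANDLE hDes)
{
    /*
    hSor  source handle
    hDes  destination handle; the helper driver is asked (IOCTL_MODIFY_FILE_RIGHT)
          to give the destination handle the same access rights as the source.
    Returns the DeviceIoControl result, or 0 when the device handle could not be
    obtained. The original fell off the end of the function on that path
    (no return value) and closed an invalid handle; both are fixed here.
    */
    ASSERT(hSor != 0);
    ASSERT(hDes != 0);

    // {0} zero-initialises every member, including CurProHandle, which this
    // function never sets. NOTE(review): presumably the driver fills or ignores
    // it — confirm against the driver's FILE_RIGHT_MODIFY handling.
    FILE_RIGHT_MODIFY Data = {0};
    Data.SourceHandle = hSor;
    Data.DesHandle = hDes;

    HANDLE h1 = gProcess::getSysHandle("5YRlp");
    glog::trace("h1:%p", h1);
    // NOTE(review): if getSysHandle can also return NULL on failure, that case
    // is not caught here — confirm its contract.
    if(h1 == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    DWORD dwret = 0;
    BOOL b2 = DeviceIoControl(h1, IOCTL_MODIFY_FILE_RIGHT, &Data, sizeof(FILE_RIGHT_MODIFY), 0, 0, &dwret, NULL);
    if(b2 == 0)
    {
        glog::traceErrorInfo("DeviceIoControl", GetLastError());
    }
    CloseHandle(h1);
    return b2;
}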
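BOOL GetHiveFileList(PHIVE_FILE_LIST pList, ULONG BufferSize)
{
    /*
    Enumerates HKLM\SYSTEM\CurrentControlSet\Control\hivelist and stores in
    pList the REG_SZ entries whose data (after gstring::toAlphabe) contains
    both "e1" (the end of "\Device\HarddiskVolume1") and "software",
    rewriting the "e1" into "c:" so the stored path starts with "c:".
    pList       caller-allocated list; Entry[] and Count are written.
    BufferSize  size of pList in bytes; bounds how many entries are stored.
    Returns TRUE on success, 0 if the arguments are unusable or the key
    cannot be opened.
    */
    // Guard the unsigned division below: with BufferSize < sizeof(...) the
    // original computed a wrapped-around Count and wrote out of bounds.
    // NOTE(review): HIVE_FILE_LSIT is spelled as in the original; confirm it
    // is the struct pList points to.
    if(pList == NULL || BufferSize < sizeof(HIVE_FILE_LSIT))
    {
        return 0;
    }
    const ULONG Count = BufferSize / sizeof(HIVE_FILE_LSIT) - 1;

    // A 32-bit process on 64-bit Windows needs KEY_WOW64_64KEY to see the
    // native registry view.
    BOOL isWOW64 = 0;
    REGSAM sam = KEY_READ;
    IsWow64Process(GetCurrentProcess(), &isWOW64);
    if(isWOW64)
        sam |= KEY_WOW64_64KEY;

    // Read-only enumeration: open the existing key instead of RegCreateKeyEx,
    // which would create it if absent.
    HKEY hKey = NULL;
    if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, TEXT("SYSTEM\\CurrentControlSet\\Control\\hivelist"), 0, sam, &hKey) != ERROR_SUCCESS)
    {
        return 0;
    }

    const char* DevicePrefix = "\\Device\\HarddiskVolume1";
    const size_t PrefixLen = strlen(DevicePrefix);   // 23; "e1" sits at offset 21
    unsigned char Buffer[2048] = {0};
    ULONG RetLen = 0;
    LONG re;
    DWORD i = 0;
    do
    {
        char Name[MAX_PATH] = {0};
        ULONG BufferLen = MAX_PATH;    // bytes of Buffer offered to RegEnumValue (as in the original)
        ULONG NameLen = MAX_PATH;
        DWORD type = 0;
        re = RegEnumValue(hKey, i, Name, &NameLen, 0, &type, Buffer, &BufferLen);
        i++;
        // Only process values that were actually read. The original also ran
        // this body on the final ERROR_NO_MORE_ITEMS iteration with the stale
        // Buffer/type of the previous entry, which could duplicate it.
        if(re != ERROR_SUCCESS || type != REG_SZ)
            continue;

        // Example data: \Device\HarddiskVolume2\Windows\System32\config\SOFTWARE
        glog::trace("Buffer:%s", Buffer);
        if(BufferLen <= PrefixLen || Count <= RetLen)
            continue;

        string str1 = gstring::toAlphabe((char*)Buffer, 2);
        char* base = &str1[0];              // writable; the original wrote through c_str()
        char* p2 = strstr(base, "e1");
        char* p3 = strstr(base, "software");
        if(p2 == NULL || p3 == NULL)
            continue;

        // Turn "...HarddiskVolume1\..." into "c:\..."; assumes volume 1 is C:,
        // exactly as the original did.
        p2[0] = 'c';
        p2[1] = ':';

        // Copy from p2 to the end of the REG_SZ data (BufferLen includes the
        // terminator), bounded by what is actually left in str1 and by the
        // destination so neither side can overflow (the original used a
        // 216-byte buffer for up to MAX_PATH - 21 bytes).
        char data[MAX_PATH + 1] = {0};
        size_t copyLen = BufferLen - PrefixLen + 2;
        const size_t avail = strlen(p2) + 1;
        if(copyLen > avail)
            copyLen = avail;
        if(copyLen > sizeof(data) - 1)
            copyLen = sizeof(data) - 1;
        RtlCopyMemory(data, p2, copyLen);
        string s22 = data;

        // NOTE(review): the sizes of Entry[].Path and Entry[].Name are not
        // visible here; these copies assume they hold MAX_PATH bytes — confirm
        // against the HIVE_FILE_LIST definition.
        RtlCopyMemory(pList->Entry[RetLen].Path, s22.c_str(), s22.size());
        RtlCopyMemory(pList->Entry[RetLen].Name, Name, NameLen);
        RetLen++;
    }
    while(re != ERROR_NO_MORE_ITEMS);

    pList->Count = RetLen;
    RegCloseKey(hKey);
    return TRUE;
}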
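// Diagnostic harness for the hive helpers: opens every hive returned by
// GetHiveFileList, links them into the global hRootNode list, writes the test
// value "hehe" under \REGISTRY\MACHINE\SOFTWARE\ODBC, flushes the last opened
// hive image back to its file, and logs the key's subkeys and values.
// All output goes through glog; there is no return value.
void test()
{
    glog::setOpenLog(TRUE);
    gProcess::EnableDebugPrivilege();

    const ULONG BufferSize = 260 * 30;
    PHIVE_FILE_LIST pList = (PHIVE_FILE_LIST)AllocateBuffer(BufferSize);
    glog::trace("pList:%p", pList);
    if(pList == 0)
        return;
    if(GetHiveFileList(pList, BufferSize) == false)
    {
        FreeBuffer(pList);   // the original leaked pList on this path
        return;
    }
    glog::trace("pList->Count:%d", pList->Count);

    // hRootNode is a global defined elsewhere; Seek tracks the tail of that
    // list. If the list is already populated from an earlier call, start from
    // its tail instead of writing through a NULL Seek as the original did.
    PHIVE_LIST Seek = hRootNode;
    while(Seek != NULL && Seek->Next != NULL)
        Seek = Seek->Next;

    PHIVE pHive = NULL;            // last successfully opened hive
    char Name[MAX_PATH] = {0};
    for(ULONG i = 0; i < pList->Count; i++)
    {
        string FilePath3 = pList->Entry[i].Path;
        glog::trace("\ni:%d hRootNode:%p name:%s path:%s ", i, hRootNode, pList->Entry[i].Name, pList->Entry[i].Path);
        if(FilePath3.size() < 10)
            continue;

        PHIVE opened = NewOpenHive((char*)FilePath3.c_str(), HMODE_RW);
        if(opened == NULL)
        {
            glog::trace("打开文件失败:");
            glog::trace("\n");
            continue;
        }
        pHive = opened;

        PHIVE_LIST p = (PHIVE_LIST)AllocateBuffer(sizeof(HIVE_LIST));
        if(p == NULL)
        {
            glog::trace("AllocateBuffer(HIVE_LIST) failed");
            continue;
        }
        // Entry[].Name is filled by GetHiveFileList without a guaranteed
        // terminator, so bound the copy; Name is zeroed, hence terminated.
        RtlZeroMemory(Name, MAX_PATH);
        strncpy(Name, pList->Entry[i].Name, MAX_PATH - 1);
        // NOTE(review): size of p->Name is not visible here — confirm it can
        // hold MAX_PATH bytes.
        RtlCopyMemory(p->Name, Name, strlen(Name));
        p->hRoot = pHive;
        p->Next = NULL;            // original left Next uninitialised
        glog::trace("Name:%s path:%s pHive:%p", Name, pList->Entry[i].Path, pHive);

        // Nodes are handed to the global list and intentionally not freed here.
        if(hRootNode == NULL)
            hRootNode = p;
        else
            Seek->Next = p;
        Seek = p;
    }

    if(hRootNode == 0)
    {
        FreeBuffer(pList);
        return;
    }

    // Add the value "hehe" and set its data to "hehe"; size*2 because the data
    // is the UTF-16 form produced by gstring::s2w.
    string val = "hehe";
    wstring wval = gstring::s2w(val);
    ULONG u1 = AddValue("\\REGISTRY\\MACHINE\\SOFTWARE\\ODBC", "hehe", (BYTE*)wval.c_str(), wval.size() * 2, REG_SZ);
    ULONG ret = SetKeyValueData("\\REGISTRY\\MACHINE\\SOFTWARE\\ODBC", "hehe", (BYTE*)wval.c_str(), wval.size() * 2);
    glog::trace("AddValue:%u SetKeyValueData:%u", u1, ret);

    // Flush the in-memory hive image to its file. The original dereferenced
    // pHive unconditionally, which crashes when the last open in the loop
    // failed. NOTE(review): this writes whichever hive was opened last, not
    // necessarily the one holding SOFTWARE\ODBC — confirm that is intended.
    if(pHive != NULL)
    {
        DWORD dwBytesWritten = 0;   // WriteFile takes an LPDWORD
        if(!WriteFile((HANDLE)pHive->filehandle, pHive->buffer, pHive->size, &dwBytesWritten, NULL)
           || dwBytesWritten != (DWORD)(pHive->size))
        {
            glog::trace("WriteHive error\n");
        }
    }

    int nn = GetSubKeyCount("\\REGISTRY\\MACHINE\\SOFTWARE\\ODBC");
    glog::trace("键值数量:%d", nn);

    PSUB_KEY_INFO pInfo = (PSUB_KEY_INFO)malloc(0x1000);
    PKEY_VALUE_INFO pvalinfo = (PKEY_VALUE_INFO)malloc(0x1000);
    if(pInfo != NULL && EnumSubKey("\\REGISTRY\\MACHINE\\SOFTWARE\\ODBC", pInfo, 0x1000) == REG_SUCCESS)
    {
        glog::trace("Count:%d", pInfo->Count);
        for(ULONG k = 0; k < pInfo->Count; k++)
        {
            glog::trace("%s", pInfo->Entrys[k].Name);
        }
    }
    if(pvalinfo != NULL && EnumKeyValue("\\REGISTRY\\MACHINE\\SOFTWARE\\ODBC", pvalinfo, 0x1000) == REG_SUCCESS)
    {
        for(ULONG k = 0; k < pvalinfo->Count; k++)
        {
            glog::trace("name:%s val:%ws", pvalinfo->Entrys[k].Name, pvalinfo->Entrys[k].DataBuffer);
        }
    }
    // The original never released these two buffers.
    free(pInfo);
    free(pvalinfo);
    FreeBuffer(pList);
}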