求助:IoRegisterShutdownNotification关机回调里HKCU写进去
求助:IoRegisterShutdownNotification关机回调里HKCU写进去ShutDownDispatch里面写HKLM没问题,但是写HKCU就写不进去了,这个时刻各种关掉了,请问能有什么办法在ShutDownDispatch里写HKCU吗? TALK IS CHEAP, SHOW YOUR CODE. thanks NTSTATUS HKEY_CURRENT_USER_TEST(PWCHAR pTest)
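{
    /*
     * Writes pTest as a REG_SZ value named "TEST" under the SOFTWARE subkey of
     * every key that currently exists directly below \Registry\User.
     *
     * pTest: NUL-terminated wide string. NULL yields STATUS_INVALID_PARAMETER;
     *        an empty string is a no-op.
     * Returns STATUS_SUCCESS in every other case. Per-key failures are only
     * logged and never propagated to the caller.
     *
     * Every Zw* registry routine used here must be called at PASSIVE_LEVEL.
     *
     * NOTE(review): DbgPrint is called with doubled parentheses throughout.
     * That form is only correct if DbgPrint is a project macro in the style of
     * KdPrint((...)). With the real DbgPrint function the inner parentheses form
     * a comma expression, so only the LAST argument would be passed as the
     * format string. Confirm which one this file uses.
     */
    UNICODE_STRING uPath;
    OBJECT_ATTRIBUTES oa;
    HANDLE hUserKey = NULL;
    NTSTATUS ret = STATUS_UNSUCCESSFUL;
    ULONG i;

    if (pTest == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }
    if (*pTest == L'\0')
    {
        return STATUS_SUCCESS;
    }

    /*
     * OBJ_KERNEL_HANDLE keeps the handle out of the handle table of whatever
     * process context this runs in, so user mode cannot reach it. Only the
     * access that is actually needed is requested instead of KEY_ALL_ACCESS.
     */
    RtlInitUnicodeString(&uPath, L"\\Registry\\User");
    InitializeObjectAttributes(&oa, &uPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, (HANDLE)NULL, NULL);
    ret = ZwOpenKey(&hUserKey, KEY_READ, &oa);
    if (!NT_SUCCESS(ret))
    {
        /* NTSTATUS is a 32-bit value, so it is printed with %08X rather than %p. */
        DbgPrint(("TestHKCU:%-4d ZwOpenKey failed with 0x%08X.\n", __LINE__, ret));
        return STATUS_SUCCESS;
    }

    for (i = 0; ; ++i)
    {
        PKEY_BASIC_INFORMATION pInfo = NULL;
        HANDLE hKey = NULL;
        HANDLE hSubKey = NULL;
        ULONG needed = 0;
        ULONG resultLen = 0;
        ULONG allocLen;

        /* First pass with a zero-length buffer only asks for the required size. */
        ret = ZwEnumerateKey(hUserKey, i, KeyBasicInformation, NULL, 0, &needed);
        if (ret != STATUS_BUFFER_TOO_SMALL)
        {
            if (ret != STATUS_NO_MORE_ENTRIES)
            {
                DbgPrint(("TestHKCU:%-4d ZwEnumerateKey failed with 0x%08X.\n", __LINE__, ret));
            }
            break;
        }

        /* One extra WCHAR is reserved for the terminator appended below. */
        allocLen = needed + sizeof(WCHAR);
        pInfo = (PKEY_BASIC_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, allocLen, '_EL_');
        if (pInfo == NULL)
        {
            DbgPrint(("TestHKCU:%-4d ExAllocatePoolWithTag failed with size %u.\n", __LINE__, allocLen));
            continue;
        }

        /*
         * Pass only `needed` as the buffer length. If the subkey at index i
         * changed between the two calls and now has a longer name, the call
         * fails instead of consuming the WCHAR reserved for the terminator,
         * which would otherwise make the terminator write run past the
         * allocation.
         */
        ret = ZwEnumerateKey(hUserKey, i, KeyBasicInformation, pInfo, needed, &resultLen);
        if (!NT_SUCCESS(ret))
        {
            DbgPrint(("TestHKCU:%-4d 2nd ZwEnumerateKey failed with 0x%08X.\n", __LINE__, ret));
            ExFreePoolWithTag(pInfo, '_EL_');
            continue;
        }

        /* A UNICODE_STRING length is a USHORT; skip anything that cannot fit. */
        if (pInfo->NameLength > MAXUSHORT - sizeof(WCHAR))
        {
            ExFreePoolWithTag(pInfo, '_EL_');
            continue;
        }

        /* Name is not NUL-terminated by the kernel; terminate it for %ws. */
        pInfo->Name[pInfo->NameLength / sizeof(WCHAR)] = L'\0';
        DbgPrint(("TestHKCU:%-4d find user %ws.\n", __LINE__, pInfo->Name));

        /*
         * Build the counted string from NameLength instead of scanning for a
         * NUL, so a key name containing an embedded NUL is opened under its
         * full name rather than a truncated one.
         */
        uPath.Buffer = pInfo->Name;
        uPath.Length = (USHORT)pInfo->NameLength;
        uPath.MaximumLength = (USHORT)(pInfo->NameLength + sizeof(WCHAR));
        InitializeObjectAttributes(&oa, &uPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, hUserKey, NULL);
        ret = ZwOpenKey(&hKey, KEY_READ, &oa);
        if (NT_SUCCESS(ret))
        {
            RtlInitUnicodeString(&uPath, L"SOFTWARE");
            InitializeObjectAttributes(&oa, &uPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, hKey, NULL);
            ret = ZwOpenKey(&hSubKey, KEY_SET_VALUE, &oa);
            if (NT_SUCCESS(ret))
            {
                RtlInitUnicodeString(&uPath, L"TEST");
                /* REG_SZ data size is in bytes and includes the terminator. */
                ret = ZwSetValueKey(hSubKey, &uPath, 0, REG_SZ, pTest,
                                    (ULONG)((wcslen(pTest) + 1) * sizeof(WCHAR)));
                if (NT_SUCCESS(ret))
                {
                    DbgPrint(("TestHKCU:%-4d reg %ws modifyed.\n", __LINE__, uPath.Buffer));
                }
                else
                {
                    DbgPrint(("TestHKCU:%-4d ZwSetValueKey failed with 0x%08X.\n", __LINE__, ret));
                }
                ZwClose(hSubKey);
            }
            else
            {
                DbgPrint(("TestHKCU:%-4d ZwOpenKey failed with 0x%08X.\n", __LINE__, ret));
            }
            ZwClose(hKey);
        }
        else
        {
            DbgPrint(("TestHKCU:%-4d ZwOpenKey failed with 0x%08X.\n", __LINE__, ret));
        }

        ExFreePoolWithTag(pInfo, '_EL_');
    }

    ZwClose(hUserKey);
    return STATUS_SUCCESS;
}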
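DRIVER_DISPATCH ShutDownDispatch;

/*
 * Shutdown handler for the device registered with
 * IoRegisterShutdownNotification in DriverEntry.
 *
 * Attempts the per-user registry write, then completes the IRP. A dispatch
 * routine must either complete the IRP or mark it pending; returning a status
 * without calling IoCompleteRequest leaves the request outstanding.
 */
NTSTATUS ShutDownDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    /*
     * The poster reports that this call always fails at this point, although
     * the same call succeeds from DriverEntry.
     * NOTE(review): presumably the per-user hives below \Registry\User have
     * already been unloaded when shutdown notifications are delivered, so the
     * per-user keys can no longer be opened. Confirm with a kernel debugger.
     */
    HKEY_CURRENT_USER_TEST(L"ofcourseteststring");

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}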
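/*
 * Driver entry point (excerpt). Installs the shutdown dispatch routine and
 * registers the device object for shutdown notification. The poster elided
 * the rest of the routine, so the declarations and setup of pDeviceObject and
 * ret are not visible here.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    /* ... code elided by the original poster ... */

    /*
     * MajorFunction is an array indexed by IRP major function code. The posted
     * line assigned to the array itself, which does not compile; the index was
     * presumably lost when the code was pasted. Shutdown notifications arrive
     * as IRP_MJ_SHUTDOWN.
     */
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = ShutDownDispatch;

    /* ... code elided by the original poster ... */

    /*
     * A registration failure is only logged; the driver keeps loading.
     * NOTE(review): a matching IoUnregisterShutdownNotification call is
     * expected before the device object is deleted. The unload path is not
     * shown, so confirm it exists.
     */
    if (!NT_SUCCESS(IoRegisterShutdownNotification(pDeviceObject)))
    {
        DbgPrint((" IoRegisterShutdownNotification faild."));
    }

    //HKEY_CURRENT_USER_TEST(L"ofcourseteststring"); // the same call succeeds when made here
    return ret;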
} 请TA大神指点谜经 lanjingling888 发表于 2015-5-20 16:54
请TA大神指点谜经
1.不要说什么“TA大神”,也不要点名指定谁来解答问题。这么说等于拒绝了其他人回答。
2.程序出问题,拿出WINDBG进行调试。我没有研究过类似的问题。只不过我记得内核里并不存在HKCU这个键:HKCU只是HKEY_USERS下当前用户那个分支的“马甲”(别名),内核里写HKCU应该用\\registry\\user\\xxx这样的路径(xxx为该用户的SID)。