求助:IoRegisterShutdownNotification关机回调里HKCU写进去

lanjingling888 · 发表于 2015-5-19 18:55:41

求助:IoRegisterShutdownNotification关机回调里HKCU写进去
ShutDownDispatch里面写HKLM没问题，但是写HKCU就写不进去了，这个时刻各种关掉了，请问能有什么办法在ShutDownDispatch里写HKCU吗？

Tesla.Angela · 发表于 2015-5-20 08:23:01

TALK IS CHEAP, SHOW YOUR CODE.

upring · 发表于 2015-5-20 12:57:17

thanks

lanjingling888 · 发表于 2015-5-20 16:52:32

NTSTATUS HKEY_CURRENT_USER_TEST(PWCHAR pTest)
{
UNICODE_STRING uPath;
OBJECT_ATTRIBUTES oa;
HANDLE hKey = NULL, hUserKey = NULL, hSubKey = NULL;
PKEY_VALUE_PARTIAL_INFORMATION pInfo;
ULONG len = 8192;
NTSTATUS ret = STATUS_UNSUCCESSFUL;
ULONG i = 0;
if (*pTest)
{
RtlInitUnicodeString(&uPath, L"\\Registry\\User");
InitializeObjectAttributes(&oa, &uPath, OBJ_CASE_INSENSITIVE, (HANDLE)NULL, NULL);
if (NT_SUCCESS(ret = ZwOpenKey(&hUserKey, KEY_ALL_ACCESS, &oa)))
{
for (i = 0; ; ++ i)
{
PKEY_BASIC_INFORMATION pInfo = NULL;
if (STATUS_BUFFER_TOO_SMALL == (ret = ZwEnumerateKey(hUserKey, i, KeyBasicInformation, NULL, 0, &len)))
{
len += 2;
if (pInfo = (PKEY_BASIC_INFORMATION)ExAllocatePoolWithTag(NonPagedPool, len, '_EL_'))
{
if (NT_SUCCESS(ret = ZwEnumerateKey(hUserKey, i, KeyBasicInformation, pInfo, len, &len)))
{
*(PWCHAR)((PCHAR)pInfo->Name + pInfo->NameLength) = 0;
DbgPrint(("TestHKCU:%-4d [INFO] find user %ws.\n", __LINE__, pInfo->Name));
RtlInitUnicodeString(&uPath, pInfo->Name);
InitializeObjectAttributes(&oa, &uPath, OBJ_CASE_INSENSITIVE, hUserKey, NULL);
if (NT_SUCCESS(ret = ZwOpenKey(&hKey, KEY_ALL_ACCESS, &oa)))
{
RtlInitUnicodeString(&uPath, L"SOFTWARE");
InitializeObjectAttributes(&oa, &uPath, OBJ_CASE_INSENSITIVE, hKey, NULL);
if (NT_SUCCESS(ret = ZwOpenKey(&hSubKey, KEY_ALL_ACCESS, &oa)))
{
RtlInitUnicodeString(&uPath, L"TEST");
if (NT_SUCCESS(ret = ZwSetValueKey(hSubKey, &uPath, 0, REG_SZ, pTest, wcslen(pTest) * 2 + 2)))
{
DbgPrint(("TestHKCU:%-4d [INFO] reg %ws modifyed.\n", __LINE__, uPath.Buffer));
}
else
{
DbgPrint(("TestHKCU:%-4d [ERRO] ZwSetValueKey failed with 0x%p.\n", __LINE__, ret));
}
ZwClose(hSubKey);
}
else
{
DbgPrint(("TestHKCU:%-4d [ERRO] ZwOpenKey failed with 0x%p.\n", __LINE__, ret));
}
ZwClose(hKey);
}
else
{
DbgPrint(("TestHKCU:%-4d [ERRO] ZwOpenKey failed with 0x%p.\n", __LINE__, ret));
}
}
else
{
DbgPrint(("TestHKCU:%-4d [ERRO] 2nd ZwEnumerateKey failed with 0x%p.\n", __LINE__, ret));
}
ExFreePoolWithTag(pInfo, '_EL_');
}
else
{
DbgPrint(("TestHKCU:%-4d [ERRO] ExAllocatePoolWithTag failed with size %d.\n", __LINE__, len));
}
}
else
{
if (ret != STATUS_NO_MORE_ENTRIES)
{
DbgPrint(("TestHKCU:%-4d [ERRO] ZwEnumerateKey failed with 0x%p.\n", __LINE__, ret));
}
break;
}
}
ZwClose(hUserKey);
}
else
{
DbgPrint(("TestHKCU:%-4d [ERRO] ZwOpenKey failed with 0x%p.\n", __LINE__, ret));
}
}
return STATUS_SUCCESS;
}
DRIVER_DISPATCH ShutDownDispatch;
NTSTATUS ShutDownDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
HKEY_CURRENT_USER_TEST(L"ofcourseteststring"); //在这个时刻总是失败的
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
..................
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = ShutDownDispatch;
..................
if(!NT_SUCCESS(IoRegisterShutdownNotification(pDeviceObject)))
{
DbgPrint(("[INFO] IoRegisterShutdownNotification faild."));
}
//HKEY_CURRENT_USER_TEST(L"ofcourseteststring"); //这里是成功的
return ret;
}

复制代码

lanjingling888 · 发表于 2015-5-20 16:54:51

请TA大神指点谜经

Tesla.Angela · 发表于 2015-5-20 18:35:26

lanjingling888 发表于 2015-5-20 16:54
请TA大神指点谜经

1.不要说什么“TA大神”，也不要点名指定谁来解答问题。这么说等于拒绝了其他人回答。
2.程序出问题，拿出WINDBG进行调试。我没有研究过类似的问题。只不过我怎么记得内核里不存在什么HKCU，HKCU是USERS下一个分支的“马甲”，内核里写HKCU应该是\\registry\\user\\xxx这样子的路径。

账号		自动登录	找回密码
密码			加入我们