1. 首頁
  2. 問答
  3. 獲得手柄NtCreateKey以鍵/ NtOpenKey

獲得手柄NtCreateKey以鍵/ NtOpenKey

2017-09-14 44 views
2

目的獲得手柄NtCreateKey以鍵/ NtOpenKey

我試圖讓這將創造在HKCU註冊表配置單元給定的子鍵,或打開子鍵,如果它已經存在的功能,然後返回TRUE。

NOTES

RegSidPath表示與附加到user SID一個完全合格的HKCU註冊表路徑它如\\Registry\\User\\S-1-5-20-xxxxxx-xxxxxx-xxxxxxxx-1050

KeyToCreate表示特定註冊表路徑如\\Software\\MyCompany\\MySoftware\\MySubKey

CODE

我有以下功能:

BOOL CreateHKCUKey(PWCHAR RegSidPath, PWCHAR KeyToCreate) { 

UNICODE_STRING uString; 
RtlInitUnicodeString(&uString, RegSidPath); 

OBJECT_ATTRIBUTES ObjAttributes; 
InitializeObjectAttributes(&ObjAttributes, &uString, OBJ_CASE_INSENSITIVE, 0, 0); 

HANDLE BaseKeyHandle = NULL; 
NTSTATUS Status = NtOpenKey(&BaseKeyHandle, KEY_CREATE_SUB_KEY, &ObjAttributes); 
if (NT_SUCCESS(Status) && Status != STATUS_OBJECT_NAME_NOT_FOUND) { 

    UNICODE_STRING KeyString = { 0 }; 
    do { 
     PWCHAR NextSubKey = StrStrW((KeyString.Length == 0 ? KeyToCreate : KeyString.Buffer) + 1, L"\\"); 
     DWORD CurrentKeyLength = lstrlenW(KeyToCreate) - lstrlenW(NextSubKey); 
     PWCHAR CurrentSubKey = PWCHAR(GlobalAlloc(GPTR, CurrentKeyLength + sizeof(WCHAR))); 
     if (CurrentSubKey != ERROR) { 
      memcpy(CurrentSubKey, KeyToCreate, CurrentKeyLength * sizeof(WCHAR)); 
      CurrentSubKey[CurrentKeyLength] = UNICODE_NULL; 

      RtlInitUnicodeString(&KeyString, CurrentSubKey); 

      OBJECT_ATTRIBUTES KeyAttributes; 
      InitializeObjectAttributes(&KeyAttributes, &KeyString, OBJ_CASE_INSENSITIVE, &BaseKeyHandle, 0); 

      HANDLE CurrentHiveEntry = NULL; 
      Status = NtOpenKey(&CurrentHiveEntry, KEY_CREATE_SUB_KEY, &KeyAttributes); 
      if (RtlNtStatusToDosError(Status) == ERROR_BAD_PATHNAME) { 
       InitializeObjectAttributes(&KeyAttributes, &KeyString, OBJ_CASE_INSENSITIVE, &CurrentHiveEntry, 0); 

       DWORD DefaultDisposition; 
       Status = NtCreateKey(&CurrentHiveEntry, KEY_CREATE_SUB_KEY, &KeyAttributes, 0, NULL, REG_OPTION_NON_VOLATILE, &DefaultDisposition); 
       if (NT_SUCCESS(Status)) { 
        if (StrCmpNW(KeyString.Buffer + uString.Length, KeyString.Buffer, lstrlenW(KeyToCreate) == 0)) 
         return TRUE; 
        else continue; 
       } else break; 
      } else break; 
      BaseKeyHandle = CurrentHiveEntry; 
     } 
    } while (TRUE); 
} 
NtClose(BaseKeyHandle); 
return FALSE; 
}

問題

每當代碼獲取的這部分功能

Status = NtOpenKey(&CurrentHiveEntry, KEY_CREATE_SUB_KEY, &KeyAttributes); 
     if (RtlNtStatusToDosError(Status) == ERROR_BAD_PATHNAME) {

的返回值始終是ERROR_BAD_PATHNAME (161)即使當前子鍵已經存在。

問題

的原因是什麼,以及我究竟做錯了什麼?有沒有我做過的不正確的,我該如何解決?

來源

2017-09-14 mike chang

+0

在點失敗,'CurrentSubKey'的價值是什麼?此外,您檢查的唯一錯誤是「ERROR_BAD_PATHNAME」,如果前一個循環失敗並出現任何其他錯誤代碼,則「BaseKeyHandle」將不會指向您所期望的位置。 (哦,你正在泄漏句柄。) –

+0

@HarryJohnston'\\ Software' - 那麼我能做些什麼來調試錯誤 –

+2

爲什麼你需要這個NT API? – Anders

回答

1 
NTSTATUS CreateKey(PHANDLE KeyHandle, ACCESS_MASK DesiredAccess, PWCHAR RegSidPath, PWCHAR KeyToCreate, PULONG Disposition) 
{ 
    UNICODE_STRING ObjectName; 
    RtlInitUnicodeString(&ObjectName, RegSidPath); 

    OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, &ObjectName ,OBJ_CASE_INSENSITIVE }; 

    NTSTATUS status = ZwOpenKey(&oa.RootDirectory, KEY_CREATE_SUB_KEY, &oa); 

    if (0 <= status) 
    { 
     ObjectName.Buffer = KeyToCreate; 

     do 
     { 
      ACCESS_MASK Access; 

      if (KeyToCreate = wcschr(++ObjectName.Buffer, '\\')) 
      { 
       ObjectName.Length = (USHORT)RtlPointerToOffset(ObjectName.Buffer, KeyToCreate); 
       Access = KEY_CREATE_SUB_KEY; 
      } 
      else 
      { 
       ObjectName.Length = (USHORT)wcslen(ObjectName.Buffer) * sizeof(WCHAR); 
       Access = DesiredAccess; 
      } 

      ObjectName.MaximumLength = ObjectName.Length; 

      status = ZwCreateKey(KeyHandle, Access, &oa, 0, 0, 0, Disposition); 

      NtClose(oa.RootDirectory); 

      oa.RootDirectory = *KeyHandle; 

     } while (0 <= status && (ObjectName.Buffer = KeyToCreate)); 
    } 

    return status; 
}

和使用作爲

HANDLE hKey; 
    NTSTATUS status = CreateKey(&hKey, KEY_ALL_ACCESS, 
    L"\\REGISTRY\\USER\\S-***", 
    L"\\Software\\MyCompany\\MySoftware\\MySubKey", 0);

來源

2017-09-15 00:53:24 RbMm

1

除非你正在編寫一個驅動程序,使用RegCreateKeyEx()代替。如果它們不存在,它將處理爲您創建中間密鑰的所有邏輯。 1個函數調用,不需要循環。

HKEY hKey; 
DWORD dwDisposition; 
LONG lRet = RegCreateKeyExW(HKEY_USERS, L"S-1-5-20-xxxxxx-xxxxxx-xxxxxxxx-1050\\Software\\MyCompany\\MySoftware\\MySubKey", 0, NULL, REG_OPTION_NON_VOLATILE, samDesired, NULL, &hKey, &dwDisposition); 
if (lRet == 0) 
{ 
    ... 
    RegCloseKey(hKey); 
}

但是,要訪問一個特定用戶的HKEY_CURRENT_USER蜂巢,優選的解決方案是使用的RegOpenCurrentUser()LoadUserProfile()而不是直接訪問HKEY_USERS

// impersonate the desired user first, then... 

HKEY hRootKey; 
LONG lRet = RegOpenCurrentUser(samDesired, &hRootKey); 
if (lRet == 0) 
{ 
    HKEY hKey; 
    DWORD dwDisposition; 
    lRet = RegCreateKeyExW(hRootKey, L"Software\\MyCompany\\MySoftware\\MySubKey", 0, NULL, REG_OPTION_NON_VOLATILE, samDesired, NULL, &hKey, &dwDisposition); 
    if (lRet == 0) 
    { 
     ... 
     RegCloseKey(hKey); 
    } 
    RegCloseKey(hRootKey); 
} 

// stop impersonating... 


// obtain token to desired user first, then... 

PROFILEINFO profile = {0}; 
profile.dwSize = sizeof(profile); 
profile.dwFlags = PI_NOUI; 

if (LoadUserProfile(hToken, &profile)) 
{ 
    HKEY hKey; 
    DWORD dwDisposition; 
    LONG lRet = RegCreateKeyExW((HKEY)profile.hProfile, L"Software\\MyCompany\\MySoftware\\MySubKey", 0, NULL, REG_OPTION_NON_VOLATILE, samDesired, NULL, &hKey, &dwDisposition); 
    if (lRet == 0) 
    { 
     ... 
     RegCloseKey(hKey); 
    } 
    UnloadUserProfile(hToken, profile.hProfile); 
} 

// release token ...

來源

2017-09-15 15:19:01

+0

我知道如何使用Advapi32,謝謝,但我正在尋找NTAPI電話。後者在其他地方都有很好的記錄。 –

相關問題

 相關問題