Jump to content

NtCreateKey and DllCall


Recommended Posts

I am trying to access registry keys by using ntdll.dll, but I'm facing a dreaded ntstatus 0xc0000005 (STATUS_ACCESS_VIOLATION). From the msdn docs; http://msdn.microsoft.com/en-us/library/windows/hardware/ff566425(v=vs.85).aspx it says the RootDirectory can be empty in which case the ObjectName member of the input ObjectAttributes contains the full qualified path, and should start with Registry. A bit stuck, so any help would be appreciated. Here the code;

Global Const $tagIOSTATUSBLOCK = "dword Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $KEY_READ = 0x20019
Global Const $KEY_WRITE = 0x20006
Global Const $KEY_CREATE_LINK = 0x0020
Global Const $KEY_ALL_ACCESS = 0xF003F
Global Const $REG_OPTION_NON_VOLATILE = 0x00000000

$RegKey = "RegistryMachineSOFTWAREClasses"
_NtCreateKey($RegKey)

Func _NtCreateKey($RegKey)
Local $Disposition, $ret, $KeyHandle
Local $hNTDLL = DllOpen("ntdll.dll")
Local $szName = DllStructCreate("wchar[260]")
Local $sUS = DllStructCreate($tagUNICODESTRING)
Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
Local $sISB = DllStructCreate($tagIOSTATUSBLOCK)
DllStructSetData($szName, 1, $RegKey)
$ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", Chr(0))
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))
$ret = DllCall($hNTDLL, "int", "NtCreateKey", "hwnd", $KeyHandle, "dword", $KEY_ALL_ACCESS, "ptr", DllStructGetPtr($sOA), "ulong", 0, "ulong", 0, "ulong", $REG_OPTION_NON_VOLATILE, "ptr", $Disposition)
If NT_SUCCESS($ret[0]) Then
Return $ret[1]
Else
ConsoleWrite("Ntstatus: NtCreateKey: 0x" & Hex($ret[0],8) & @CRLF)
ConsoleWrite("System error code: " & _LsaNtStatusToWinError($ret[0]) & @CRLF)
Return SetError(1,0,0)
EndIf
EndFunc

Func NT_SUCCESS($status)
If 0 <= $status And $status <= 0x7FFFFFFF Then
     Return True
Else
     Return False
EndIf
EndFunc

Func _LsaNtStatusToWinError($iNtStatus)
Local $iSysError
$iSysError = DllCall("Advapi32.dll", "ulong", "LsaNtStatusToWinError", "dword", $iNtStatus)
Return $iSysError[0]
EndFunc

Btw, parts of the code is taken from wraithdu's ads sample.

Edited by joakim
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...