joakim

Replace RtlInitUnicodeString with custom code

6 posts in this topic

#1 ·  Posted (edited)

I am working with some native registry functions, and in order to handle invalid registry keys properly, I need to specify the key name in hex. Note this is a must when invalid characters are in the middle of the key name, and not just appended to the end of the name. So first, the original code I've used lately, which uses RtlInitUnicodeString:

Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $OBJ_CASE_INSENSITIVE = 0x40 ; OBJECT_ATTRIBUTES flag, as in ntdef.h
Global $hNTDLL = DllOpen("ntdll.dll")

$objectname = "test"
$szName = DllStructCreate("wchar[260]") ; null-terminated wide-char buffer holding the name
$sUS = DllStructCreate($tagUNICODESTRING)
$sOA = DllStructCreate($tagOBJECTATTRIBUTES)
DllStructSetData($szName, 1, $objectname)
; RtlInitUnicodeString scans the buffer up to the first null and fills Length/MaximumLength/Buffer
$ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", Chr(0))
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))

Now here's the attempted custom code that currently returns 0xC0000033 (STATUS_OBJECT_NAME_INVALID):

Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $OBJ_CASE_INSENSITIVE = 0x40 ; OBJECT_ATTRIBUTES flag, as in ntdef.h
; $handle: an already-open registry key handle (e.g. from NtOpenKey) used as RootDirectory

$objectname = "7400650073007400" ; "test" as hex-encoded UTF-16LE
$szName = DllStructCreate("wchar[260]")
$sUS = DllStructCreate($tagUNICODESTRING)
$sOA = DllStructCreate($tagOBJECTATTRIBUTES)
DllStructSetData($szName, 1, $objectname)
; UNICODE_STRING.Length and MaximumLength are byte counts, filled in by hand instead of RtlInitUnicodeString
DllStructSetData($sUS,"Length",StringLen($ObjectName)/2)
DllStructSetData($sUS,"MaximumLength",StringLen($ObjectName)/2)
DllStructSetData($sUS,"Buffer",DllStructGetPtr($szName))
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", $handle)
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))

This is actually quite interesting, because if we can manage to specify the name this way, we can also handle invalid key names much better than RegDelNull (which is crappy): http://technet.microsoft.com/en-us/sysinternals/bb897448. It already looks promising, as I have a PoC identical to RegHide (http://technet.microsoft.com/en-us/sysinternals/dd581628.aspx) and I can rename and/or delete invalid key names (with nulls appended to the end) entirely using native functions.

Edited by joakim


#2 ·  Posted (edited)

It should be:

DllStructSetData($sUS, "Length", 2 * StringLen($ObjectName))
DllStructSetData($sUS, "MaximumLength", 2 * StringLen($ObjectName) + 2)

Why are you dividing? One wchar is two bytes, not the other way around.

Edited by trancexx


#3 ·  Posted

I guess I was too tired to see. Thanks, it works fine now :) I'll post in the sample scripts section when done.


#4 ·  Posted

Get rid of those Chr(0). They make you look like you don't know better.



#5 ·  Posted

Actually, it was dividing by 2 that was correct; however, the plus 2 in MaximumLength is crucial for the function to succeed. Beware that "7400" is 4 characters in non-binary form, equivalent to "t", which is 2 bytes and not 4. I'll get back to it when the sample is finished.


#6 ·  Posted

Quote: Get rid of those Chr(0). They make you look like you don't know better.

OK :)

And also, changing $szName from wchar to byte is necessary.

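The outcome of posts #2, #5 and #6 (Length is the decoded byte count of the hex name, MaximumLength is Length + 2 for the terminator, and the buffer must hold the decoded bytes rather than the hex text) carried through in C, as an added example that is not code from this thread. The struct, the hexbyte/init_unicode_string_from_hex/init_unicode_string_from_wstr names and the static-buffer helpers are mine; the layout mirrors ntdll's UNICODE_STRING with WCHAR as uint16_t so it also builds off Windows, and it only builds the descriptor, it makes no Nt* call. The second function reproduces what RtlInitUnicodeString does (count code units up to the first null), which is exactly why it cannot describe a key name with a null in the middle.

```c
/* Added example, not from the thread: hand-build a UNICODE_STRING from a
 * hex-encoded UTF-16LE name ("7400650073007400" = "test") so the name may
 * contain a null in the middle. Portable C; no <windows.h>. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {                 /* same layout as ntdll's UNICODE_STRING */
    uint16_t  Length;            /* bytes of name in Buffer, no terminator */
    uint16_t  MaximumLength;     /* bytes available in Buffer, incl. terminator */
    uint16_t *Buffer;            /* UTF-16LE code units (WCHAR) */
} HEX_UNICODE_STRING;

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static int hexbyte(const char *p)   /* two hex digits -> byte, or -1 */
{
    int hi = hexval(p[0]), lo = hexval(p[1]);
    return (hi < 0 || lo < 0) ? -1 : ((hi << 4) | lo);
}

/* Decode hex into buf and fill us. Returns Length in bytes, or -1 if the hex
 * is malformed, not a whole number of code units, or does not fit in buf. */
int init_unicode_string_from_hex(const char *hex, HEX_UNICODE_STRING *us,
                                 uint16_t *buf, size_t buf_bytes)
{
    size_t nhex = strlen(hex);
    if (nhex == 0 || nhex % 4 != 0)          /* 4 hex digits per code unit */
        return -1;
    size_t nbytes = nhex / 2;                /* the StringLen/2 of the thread */
    if (nbytes + 2 > buf_bytes || nbytes + 2 > UINT16_MAX)
        return -1;
    for (size_t i = 0; i < nbytes / 2; i++) {
        int b0 = hexbyte(hex + 4 * i), b1 = hexbyte(hex + 4 * i + 2);
        if (b0 < 0 || b1 < 0)
            return -1;
        buf[i] = (uint16_t)(b0 | (b1 << 8)); /* little-endian code unit */
    }
    buf[nbytes / 2] = 0;                     /* terminator, paid for by the +2 */
    us->Length        = (uint16_t)nbytes;
    us->MaximumLength = (uint16_t)(nbytes + 2);
    us->Buffer        = buf;
    return (int)nbytes;
}

/* What RtlInitUnicodeString does: count code units up to the first null. */
int init_unicode_string_from_wstr(const uint16_t *wstr, HEX_UNICODE_STRING *us)
{
    size_t n = 0;
    while (wstr[n] != 0)
        n++;
    us->Length        = (uint16_t)(n * 2);
    us->MaximumLength = (uint16_t)(n * 2 + 2);
    us->Buffer        = (uint16_t *)wstr;
    return (int)(n * 2);
}

/* Helpers over one static buffer so each result can be inspected by itself. */
static HEX_UNICODE_STRING g_us;
static uint16_t g_buf[260];

int length_for_hex(const char *hex)
{
    return init_unicode_string_from_hex(hex, &g_us, g_buf, sizeof g_buf);
}
int max_length_for_hex(const char *hex)
{
    return length_for_hex(hex) < 0 ? -1 : g_us.MaximumLength;
}
int code_unit_at(size_t i) { return g_buf[i]; }
int rtl_style_length(void)
{
    HEX_UNICODE_STRING t;
    return init_unicode_string_from_wstr(g_buf, &t);
}

int main(void)
{
    const char *name = "74006500000073007400";   /* constructed: "te\0st" */
    printf("custom: Length=%d MaximumLength=%d\n",
           length_for_hex(name), max_length_for_hex(name));
    printf("RtlInitUnicodeString-style Length=%d (stops at the null)\n",
           rtl_style_length());
    return 0;
}
```

Note that "7400" is four characters of hex text but one two-byte code unit, which is why the hex string's length is halved for Length and why a wchar buffer filled with the hex text (as in the second AutoIt block) describes the wrong bytes.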
