public bool TryGetValue(
string lpValue,
Win32Api.RegRestrictionFlags dwFlags,
/*ref UInt32*/ IntPtr pdwType,
IntPtr pvData,
/*ref UInt32*/ IntPtr pcbData)
{
if (!DoUni2AnsiConversion)
{
return(Win32Exception.CheckIfFoundAndNoError((int)key_.TryGetValueUnmanaged(lpValue, pdwType, pvData, pcbData)));
}
Data dst = new Data(pvData, pcbData, Data.CountIn.Bytes);
// Sandboxie-generated reghives might contain REG_SZ values stored in ansi format
// we need to detect them and avoid conversion for them
return(DataTransformer.TryAlterData(pdwType, dst,
(newpdwType, newDst) =>
(int)key_.TryGetValueUnmanaged(lpValue, newpdwType, newDst.Ptr, newDst.PCount),
(result, type) => result == Win32Api.Error.ERROR_SUCCESS &&
DataTransformer.IsStringType(type),
(type, pSrcData, cbSrcData) =>
dst.FillWithString(new BytesString(pSrcData, cbSrcData), StringFormat.Ansi,
Data.NullCharHandling.NotAddingIfNotPresent)));
}
public bool TryQueryValue(
string lpValueName,
IntPtr lpReserved,
IntPtr lpType,
IntPtr lpData,
IntPtr lpcbData)
{
return(Win32Exception.CheckIfFoundAndNoError(
Win32Api.RegQueryValueEx(handle_, lpValueName, lpReserved,
lpType, lpData, lpcbData)));
}
public bool TryGetValue(
string lpValue,
Win32Api.RegRestrictionFlags dwFlags,
/*ref UInt32*/ IntPtr pdwType,
IntPtr pvData,
/*ref UInt32*/ IntPtr pcbData)
{
return(Win32Exception.CheckIfFoundAndNoError(
Win32Api.RegGetValue(handle_, null, lpValue, dwFlags,
pdwType, pvData, pcbData)));
}
public bool Handle(WindowsKey key)
{
if (!KeyIdentity.IsPredefined(key.Handle))
{
return Win32Exception.CheckIfFoundAndNoError(
Win32Api.NtQueryKey(key.Handle, KeyInformationClass_, KeyInformation_, Length_,
out ResultLength_));
}
// Predefined key handle values are valid only on the advapi32.dll level
// on the ntdll.dll level we have to replace them with appropriate ntdll.dll handles
IntPtr hNtKey = IntPtr.Zero;
string objectName = KeyIdentity.GetSystemBasePath(key.Handle);
Win32Api.UNICODE_STRING usObjectName = new Win32Api.UNICODE_STRING();
usObjectName.Length = unchecked((ushort)(sizeof(char) * objectName.Length));
usObjectName.MaximumLength = usObjectName.Length;
using (HGlobalPtr pObjectNameBuffer = new HGlobalPtr(Marshal.StringToHGlobalUni(objectName)))
{
usObjectName.Buffer = pObjectNameBuffer.Ptr;
using (HGlobalPtr pObjectName = new HGlobalPtr(Marshal.SizeOf(typeof(Win32Api.UNICODE_STRING))))
{
Marshal.StructureToPtr(usObjectName, pObjectName.Ptr, false);
Win32Api.OBJECT_ATTRIBUTES oa = new Win32Api.OBJECT_ATTRIBUTES();
oa.Length = unchecked((uint)Marshal.SizeOf(typeof(Win32Api.OBJECT_ATTRIBUTES)));
oa.RootDirectory = IntPtr.Zero;
oa.ObjectName = pObjectName.Ptr;
oa.Attributes = (uint)Win32Api.ObjectAttributes.OBJ_CASE_INSENSITIVE;
oa.SecurityDescriptor = IntPtr.Zero;
oa.SecurityQualityOfService = IntPtr.Zero;
using (HGlobalPtr pOA = new HGlobalPtr(Marshal.SizeOf(typeof(Win32Api.OBJECT_ATTRIBUTES))))
{
Marshal.StructureToPtr(oa, pOA.Ptr, false);
if (!Win32Exception.CheckIfFoundAndNoError(
Win32Api.NtOpenKey(out hNtKey, (uint)Win32Api.KeySecurity.KEY_QUERY_VALUE, pOA.Ptr)))
{
return false;
}
try
{
return Win32Exception.CheckIfFoundAndNoError(
Win32Api.NtQueryKey(hNtKey, KeyInformationClass_, KeyInformation_, Length_,
out ResultLength_));
}
finally
{
Win32Api.NtClose(hNtKey);
}
}
}
}
}
internal static bool TryAlterData(IntPtr pdwType, Data dst,
Operation operation, Condition condition, Transformer transformer)
{
// We call operation in original way to handle all the cases other
// than when the altering condition is true
// But if we call original operation, then we might not know some condition
// params like data type if user provided null pointers, for instance
using (HGlobalPtr newpdwType = new HGlobalPtr(Marshal.SizeOf(typeof(uint))),
newpcbData = new HGlobalPtr(Marshal.SizeOf(typeof(uint))))
{
// Marshal.WriteInt32(newpcbData.Ptr, 0);
Marshal.WriteInt32(newpcbData.Ptr, -1);
int result = operation(newpdwType.Ptr, new Data(IntPtr.Zero, newpcbData.Ptr, Data.CountIn.Bytes));
int type = Marshal.ReadInt32(newpdwType.Ptr);
// if pcbData == IntPtr.Zero => pData too - data is not to be read
if (dst.PCount == IntPtr.Zero || !condition(unchecked ((Win32Api.Error)result),
unchecked ((Win32Api.RegValueType)type)))
{
return(Win32Exception.CheckIfFoundAndNoError(operation(pdwType, dst)));
}
if (pdwType != IntPtr.Zero)
{
Marshal.WriteInt32(pdwType, type);
}
using (HGlobalPtr newpData = new HGlobalPtr(Marshal.ReadInt32(newpcbData.Ptr)))
{
// The full value is retrieved even if pData == IntPtr.Zero
// because length of new value may depend on the contents of original
// one like in path modification feature
if (!Win32Exception.CheckIfFoundAndNoError(
operation(IntPtr.Zero, new Data(newpData.Ptr, newpcbData.Ptr, Data.CountIn.Bytes))))
{
return(false);
}
return(Win32Exception.CheckIfFoundAndNoError(
transformer(unchecked ((Win32Api.RegValueType)type),
newpData.Ptr, Marshal.ReadInt32(newpcbData.Ptr))));
}
}
}
public static bool TryOpen(KeyIdentity identity, KeySecurity samDesired, out WindowsKey openedImpl)
{
if (identity.GetRegPath() == null)
{
// This works fine because baseKey is always one of the predefined
// registry keys, so its handle does not need to be duplicated
// or closed
openedImpl = new WindowsKey(identity.BaseKey, samDesired);
return(true);
}
IntPtr handle;
int result = Win32Api.RegOpenKeyEx(identity.BaseKey, identity.GetRegPath(), 0,
samDesired.Value | (Win32Api.KeySecurity)identity.GetWow64Mode(),
out handle);
openedImpl = null;
if (!Win32Exception.CheckIfFoundAndNoError(result))
{
return(false);
}
openedImpl = new WindowsKey(handle, samDesired);
return(true);
}
internal bool TryAlterData(KeyIdentity key, string valueName,
IKeyImpl keyImpl, IntPtr pdwType, Data dst, DataTransformer.Operation operation)
{
// TODO: this is a specific check that
// rewrite is done only for values in sandboxie reghive which is BASE_HIVE
// and if values are copied, DIFF_HIVE is also supported
// It should be put outside this generalized class
if (keyImpl.GetDisposition() == KeyDisposition.WINDOWS_REG)
{
return(Win32Exception.CheckIfFoundAndNoError(operation(pdwType, dst)));
}
return(DataTransformer.TryAlterData(pdwType, dst, operation,
(result, type) =>
{
DebugLogger.WriteLine(@"AlterData {0} {1}\{2} ({3}) Result: {4}",
keyImpl.GetDisposition(), key.ToString(), valueName, type, (int)result);
return result == Win32Api.Error.ERROR_SUCCESS &&
DataTransformer.IsStringType(type);
},
(type, pSrcData, cbSrcData) =>
DataTransformer.TransformStringValue(
type, pSrcData, cbSrcData, dst, str => CallStrAlterers(key, valueName, str),
HookBarrier.IsLastInjectedFuncAnsi ? StringFormat.Ansi : StringFormat.Unicode)));
}
public bool Handle(WindowsKey key)
{
return(Win32Exception.CheckIfFoundAndNoError(
Win32Api.RegGetKeySecurity(key.Handle, securityInformation_, pSecurityDescriptor_, lpcbSecurityDescriptor_)));
}
public bool Handle(WindowsKey key)
{
return(Win32Exception.CheckIfFoundAndNoError(
Win32Api.RegNotifyChangeKeyValue(key.Handle, watchSubtree_, notifyFilter_, hEvent_,
asynchronous_)));
}
