public bool TryGetValue( string lpValue, Win32Api.RegRestrictionFlags dwFlags, /*ref UInt32*/ IntPtr pdwType, IntPtr pvData, /*ref UInt32*/ IntPtr pcbData) { if (!DoUni2AnsiConversion) { return(Win32Exception.CheckIfFoundAndNoError((int)key_.TryGetValueUnmanaged(lpValue, pdwType, pvData, pcbData))); } Data dst = new Data(pvData, pcbData, Data.CountIn.Bytes); // Sandboxie-generated reghives might contain REG_SZ values stored in ansi format // we need to detect them and avoid conversion for them return(DataTransformer.TryAlterData(pdwType, dst, (newpdwType, newDst) => (int)key_.TryGetValueUnmanaged(lpValue, newpdwType, newDst.Ptr, newDst.PCount), (result, type) => result == Win32Api.Error.ERROR_SUCCESS && DataTransformer.IsStringType(type), (type, pSrcData, cbSrcData) => dst.FillWithString(new BytesString(pSrcData, cbSrcData), StringFormat.Ansi, Data.NullCharHandling.NotAddingIfNotPresent))); }
public bool TryQueryValue( string lpValueName, IntPtr lpReserved, IntPtr lpType, IntPtr lpData, IntPtr lpcbData) { return(Win32Exception.CheckIfFoundAndNoError( Win32Api.RegQueryValueEx(handle_, lpValueName, lpReserved, lpType, lpData, lpcbData))); }
public bool TryGetValue( string lpValue, Win32Api.RegRestrictionFlags dwFlags, /*ref UInt32*/ IntPtr pdwType, IntPtr pvData, /*ref UInt32*/ IntPtr pcbData) { return(Win32Exception.CheckIfFoundAndNoError( Win32Api.RegGetValue(handle_, null, lpValue, dwFlags, pdwType, pvData, pcbData))); }
public bool Handle(WindowsKey key) { if (!KeyIdentity.IsPredefined(key.Handle)) { return Win32Exception.CheckIfFoundAndNoError( Win32Api.NtQueryKey(key.Handle, KeyInformationClass_, KeyInformation_, Length_, out ResultLength_)); } // Predefined key handle values are valid only on the advapi32.dll level // on the ntdll.dll level we have to replace them with appropriate ntdll.dll handles IntPtr hNtKey = IntPtr.Zero; string objectName = KeyIdentity.GetSystemBasePath(key.Handle); Win32Api.UNICODE_STRING usObjectName = new Win32Api.UNICODE_STRING(); usObjectName.Length = unchecked((ushort)(sizeof(char) * objectName.Length)); usObjectName.MaximumLength = usObjectName.Length; using (HGlobalPtr pObjectNameBuffer = new HGlobalPtr(Marshal.StringToHGlobalUni(objectName))) { usObjectName.Buffer = pObjectNameBuffer.Ptr; using (HGlobalPtr pObjectName = new HGlobalPtr(Marshal.SizeOf(typeof(Win32Api.UNICODE_STRING)))) { Marshal.StructureToPtr(usObjectName, pObjectName.Ptr, false); Win32Api.OBJECT_ATTRIBUTES oa = new Win32Api.OBJECT_ATTRIBUTES(); oa.Length = unchecked((uint)Marshal.SizeOf(typeof(Win32Api.OBJECT_ATTRIBUTES))); oa.RootDirectory = IntPtr.Zero; oa.ObjectName = pObjectName.Ptr; oa.Attributes = (uint)Win32Api.ObjectAttributes.OBJ_CASE_INSENSITIVE; oa.SecurityDescriptor = IntPtr.Zero; oa.SecurityQualityOfService = IntPtr.Zero; using (HGlobalPtr pOA = new HGlobalPtr(Marshal.SizeOf(typeof(Win32Api.OBJECT_ATTRIBUTES)))) { Marshal.StructureToPtr(oa, pOA.Ptr, false); if (!Win32Exception.CheckIfFoundAndNoError( Win32Api.NtOpenKey(out hNtKey, (uint)Win32Api.KeySecurity.KEY_QUERY_VALUE, pOA.Ptr))) { return false; } try { return Win32Exception.CheckIfFoundAndNoError( Win32Api.NtQueryKey(hNtKey, KeyInformationClass_, KeyInformation_, Length_, out ResultLength_)); } finally { Win32Api.NtClose(hNtKey); } } } } }
internal static bool TryAlterData(IntPtr pdwType, Data dst, Operation operation, Condition condition, Transformer transformer) { // We call operation in original way to handle all the cases other // than when the altering condition is true // But if we call original operation, then we might not know some condition // params like data type if user provided null pointers, for instance using (HGlobalPtr newpdwType = new HGlobalPtr(Marshal.SizeOf(typeof(uint))), newpcbData = new HGlobalPtr(Marshal.SizeOf(typeof(uint)))) { // Marshal.WriteInt32(newpcbData.Ptr, 0); Marshal.WriteInt32(newpcbData.Ptr, -1); int result = operation(newpdwType.Ptr, new Data(IntPtr.Zero, newpcbData.Ptr, Data.CountIn.Bytes)); int type = Marshal.ReadInt32(newpdwType.Ptr); // if pcbData == IntPtr.Zero => pData too - data is not to be read if (dst.PCount == IntPtr.Zero || !condition(unchecked ((Win32Api.Error)result), unchecked ((Win32Api.RegValueType)type))) { return(Win32Exception.CheckIfFoundAndNoError(operation(pdwType, dst))); } if (pdwType != IntPtr.Zero) { Marshal.WriteInt32(pdwType, type); } using (HGlobalPtr newpData = new HGlobalPtr(Marshal.ReadInt32(newpcbData.Ptr))) { // The full value is retrieved even if pData == IntPtr.Zero // because length of new value may depend on the contents of original // one like in path modification feature if (!Win32Exception.CheckIfFoundAndNoError( operation(IntPtr.Zero, new Data(newpData.Ptr, newpcbData.Ptr, Data.CountIn.Bytes)))) { return(false); } return(Win32Exception.CheckIfFoundAndNoError( transformer(unchecked ((Win32Api.RegValueType)type), newpData.Ptr, Marshal.ReadInt32(newpcbData.Ptr)))); } } }
public static bool TryOpen(KeyIdentity identity, KeySecurity samDesired, out WindowsKey openedImpl) { if (identity.GetRegPath() == null) { // This works fine because baseKey is always one of the predefined // registry keys, so its handle does not need to be duplicated // or closed openedImpl = new WindowsKey(identity.BaseKey, samDesired); return(true); } IntPtr handle; int result = Win32Api.RegOpenKeyEx(identity.BaseKey, identity.GetRegPath(), 0, samDesired.Value | (Win32Api.KeySecurity)identity.GetWow64Mode(), out handle); openedImpl = null; if (!Win32Exception.CheckIfFoundAndNoError(result)) { return(false); } openedImpl = new WindowsKey(handle, samDesired); return(true); }
internal bool TryAlterData(KeyIdentity key, string valueName, IKeyImpl keyImpl, IntPtr pdwType, Data dst, DataTransformer.Operation operation) { // TODO: this is a specific check that // rewrite is done only for values in sandboxie reghive which is BASE_HIVE // and if values are copied, DIFF_HIVE is also supported // It should be put outside this generalized class if (keyImpl.GetDisposition() == KeyDisposition.WINDOWS_REG) { return(Win32Exception.CheckIfFoundAndNoError(operation(pdwType, dst))); } return(DataTransformer.TryAlterData(pdwType, dst, operation, (result, type) => { DebugLogger.WriteLine(@"AlterData {0} {1}\{2} ({3}) Result: {4}", keyImpl.GetDisposition(), key.ToString(), valueName, type, (int)result); return result == Win32Api.Error.ERROR_SUCCESS && DataTransformer.IsStringType(type); }, (type, pSrcData, cbSrcData) => DataTransformer.TransformStringValue( type, pSrcData, cbSrcData, dst, str => CallStrAlterers(key, valueName, str), HookBarrier.IsLastInjectedFuncAnsi ? StringFormat.Ansi : StringFormat.Unicode))); }
public bool Handle(WindowsKey key) { return(Win32Exception.CheckIfFoundAndNoError( Win32Api.RegGetKeySecurity(key.Handle, securityInformation_, pSecurityDescriptor_, lpcbSecurityDescriptor_))); }
public bool Handle(WindowsKey key) { return(Win32Exception.CheckIfFoundAndNoError( Win32Api.RegNotifyChangeKeyValue(key.Handle, watchSubtree_, notifyFilter_, hEvent_, asynchronous_))); }