 // NtQueryKey (ntdll): copies the KEY_*_INFORMATION structure selected by KeyInformationClass for the
 // open key KeyHandle into the caller-supplied KeyInformation buffer. Length is the size of that buffer
 // in bytes and ResultLength receives the size required/written, so a buffer-too-small status should be
 // retried with a larger buffer. The return value is the raw NTSTATUS (int here, not a typed enum) —
 // check it before reading the buffer. The [DllImport] attribute is assumed to be on the preceding line,
 // outside this excerpt.
 public static extern int NtQueryKey(IntPtr KeyHandle, KEY_INFORMATION_CLASS KeyInformationClass, IntPtr KeyInformation, int Length, out int ResultLength);
 // Typed variant of the NtQueryKey P/Invoke: the handle is a RegistryKeyHandle (a project type, presumably
 // a SafeHandle wrapper — confirm) instead of a raw IntPtr, the buffer is an unmanaged pointer, sizes are
 // unsigned, and the result is the NTSTATUS enum rather than an int. Length is the size in bytes of the
 // memory KeyInformation points to; ResultLength receives the size required/written. The caller owns the
 // pointed-to memory and must keep it pinned/valid for the duration of the call. The [DllImport] attribute
 // is assumed to be on the preceding line, outside this excerpt.
 public unsafe static extern NTSTATUS NtQueryKey(
     RegistryKeyHandle KeyHandle,
     KEY_INFORMATION_CLASS KeyInformationClass,
     void *KeyInformation,
     uint Length,
     out uint ResultLength);
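        /// <summary>
        /// Renders the KEY_*_INFORMATION buffer returned for a key query/enumeration as a single
        /// human-readable line, choosing the field layout by <paramref name="keyInfoClass"/>.
        /// Only KeyBasicInformation, KeyNodeInformation, KeyFullInformation and KeyNameInformation
        /// are decoded; any other class yields just the "(class) " prefix.
        /// </summary>
        /// <param name="keyInfoClass">Information class that describes how <paramref name="keyInformation"/> is laid out.</param>
        /// <param name="keyInformation">
        /// Raw structure bytes. The offsets and lengths embedded in it are not trusted: every string range is
        /// checked against the buffer bounds before it is decoded, so a malformed buffer produces a failure
        /// message instead of reading past the array.
        /// </param>
        /// <returns>
        /// "(class) " followed by the decoded fields, or "get data failed:&lt;message&gt;" when the buffer is
        /// null, truncated, or carries an offset/length that falls outside it.
        /// </returns>
        private static string KeyInformation(KEY_INFORMATION_CLASS keyInfoClass, byte[] keyInformation)
        {
            StringBuilder keyInfoStr = new StringBuilder();
            keyInfoStr.Append('(').Append(keyInfoClass.ToString()).Append(") ");

            try
            {
                if (keyInformation == null)
                {
                    // Same exception new MemoryStream(null) would raise; surfaced through the catch below.
                    throw new ArgumentNullException("keyInformation");
                }

                using (MemoryStream ms = new MemoryStream(keyInformation))
                using (BinaryReader br = new BinaryReader(ms))
                {
                    switch (keyInfoClass)
                    {
                    case KEY_INFORMATION_CLASS.KeyBasicInformation:
                    {
                        // Fields in read order: LastWriteTime, TitleIndex, NameLength, then the name bytes inline.
                        long lastWriteTime = br.ReadInt64();
                        br.ReadUInt32();                                          // TitleIndex, not rendered
                        uint nameLength    = br.ReadUInt32();
                        string name        = ReadUnicodeString(keyInformation, ms.Position, nameLength);

                        keyInfoStr.Append("LastWriteTime:").Append(FormatLastWriteTime(lastWriteTime));
                        keyInfoStr.Append(" Name:").Append(name);
                        break;
                    }

                    case KEY_INFORMATION_CLASS.KeyNodeInformation:
                    {
                        // Fields in read order: LastWriteTime, TitleIndex, ClassOffset, ClassLength, NameLength,
                        // then the name bytes inline; the class name lives at ClassOffset from the buffer start.
                        long lastWriteTime = br.ReadInt64();
                        br.ReadUInt32();                                          // TitleIndex, not rendered
                        uint classOffset   = br.ReadUInt32();
                        uint classLength   = br.ReadUInt32();
                        uint nameLength    = br.ReadUInt32();
                        string name        = ReadUnicodeString(keyInformation, ms.Position, nameLength);
                        string className   = ReadUnicodeString(keyInformation, classOffset, classLength);

                        keyInfoStr.Append("LastWriteTime:").Append(FormatLastWriteTime(lastWriteTime));
                        keyInfoStr.Append(" Name:").Append(name).Append(" ClassName:").Append(className);
                        break;
                    }

                    case KEY_INFORMATION_CLASS.KeyFullInformation:
                    {
                        // Fields in read order: LastWriteTime, TitleIndex, ClassOffset, ClassLength, SubKeys,
                        // MaxNameLen, MaxClassLen, Values, MaxValueNameLen, MaxValueDataLen. Only the rendered
                        // ones are kept; the class name is located by absolute offset, so the trailing counters
                        // do not need to be consumed sequentially.
                        long lastWriteTime = br.ReadInt64();
                        br.ReadUInt32();                                          // TitleIndex, not rendered
                        uint classOffset   = br.ReadUInt32();
                        uint classLength   = br.ReadUInt32();
                        uint subKeys       = br.ReadUInt32();
                        br.ReadUInt32();                                          // MaxNameLen, not rendered
                        br.ReadUInt32();                                          // MaxClassLen, not rendered
                        uint values        = br.ReadUInt32();
                        string className   = ReadUnicodeString(keyInformation, classOffset, classLength);

                        keyInfoStr.Append("LastWriteTime:").Append(FormatLastWriteTime(lastWriteTime));
                        keyInfoStr.Append(" subKeys:").Append(subKeys)
                                  .Append(" valueEntries:").Append(values)
                                  .Append(" ClassName:").Append(className);
                        break;
                    }

                    case KEY_INFORMATION_CLASS.KeyNameInformation:
                    {
                        // Fields in read order: NameLength, then the name bytes inline.
                        uint nameLength = br.ReadUInt32();
                        string name     = ReadUnicodeString(keyInformation, ms.Position, nameLength);

                        keyInfoStr.Append(" Name:").Append(name);
                        break;
                    }

                    default:
                        // Unhandled classes keep just the "(class) " prefix.
                        break;
                    }
                }
            }
            catch (Exception ex)
            {
                // Best-effort formatter for display: a malformed buffer must never take the caller down.
                return "get data failed:" + ex.Message;
            }

            return keyInfoStr.ToString();
        }

        /// <summary>
        /// Decodes <paramref name="length"/> UTF-16LE bytes starting at <paramref name="offset"/> of
        /// <paramref name="buffer"/>. Both values come from the structure being parsed, so the range is
        /// verified to lie wholly inside the buffer before the decoder sees it.
        /// </summary>
        /// <exception cref="ArgumentOutOfRangeException">The range is negative or extends past the buffer.</exception>
        private static string ReadUnicodeString(byte[] buffer, long offset, uint length)
        {
            // int - uint is evaluated as long, so a length above int.MaxValue makes the right side negative
            // and is rejected here rather than being truncated by the casts below.
            if (offset < 0 || offset > buffer.Length - length)
            {
                throw new ArgumentOutOfRangeException("length",
                    "string range at offset " + offset + " of length " + length +
                    " lies outside the " + buffer.Length + "-byte buffer");
            }

            return Encoding.Unicode.GetString(buffer, (int)offset, (int)length);
        }

        /// <summary>
        /// Formats a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) as a short local date string;
        /// DateTime.FromFileTime throws for values outside its range, which the caller reports as a failure.
        /// </summary>
        private static string FormatLastWriteTime(long fileTime)
        {
            return DateTime.FromFileTime(fileTime).ToShortDateString();
        }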
 // ZwQueryKey (ntdll): user-mode alias of NtQueryKey with the same parameters — lpKeyInformation receives the
 // KEY_*_INFORMATION structure selected by KeyInformationClass for hKey, Length is the size of that buffer in
 // bytes, and ResultLength receives the size required/written. The return value is the raw NTSTATUS as an
 // unsigned int, so compare it against the status constants rather than testing for zero/non-zero only if the
 // caller needs to distinguish warnings from errors. The [DllImport] attribute is assumed to be on the
 // preceding line, outside this excerpt.
 public static extern uint ZwQueryKey(IntPtr hKey, KEY_INFORMATION_CLASS KeyInformationClass, IntPtr lpKeyInformation, int Length, out int ResultLength);
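        /// <summary>
        /// Builds a one-line human-readable description of a registry callback message for display/logging.
        /// The text is chosen by the callback class carried in <c>messageSend.Offset</c>: post-operation
        /// query/enumerate classes decode the information buffer the driver returned, pre-operation classes
        /// only name the requested information class.
        /// </summary>
        /// <param name="messageSend">
        /// Message received from the filter driver. <c>DataBuffer</c>, <c>DataBufferLength</c> and
        /// <c>InfoClass</c> are interpreted according to the callback class; their contents are treated as
        /// untrusted input and any decode failure is reported in the returned text rather than thrown.
        /// </param>
        /// <returns>
        /// The description; an empty string when <c>Status</c> is not STATUS_SUCCESS; or
        /// "Format description failed, return error:&lt;message&gt;" when the buffer cannot be decoded.
        /// </returns>
        public static string FormatDescription(FilterAPI.MessageSendData messageSend)
        {
            string description = string.Empty;

            FilterAPI.RegCallbackClass regCallbackClass = (FilterAPI.RegCallbackClass)messageSend.Offset;

            try
            {
                if (messageSend.Status != (uint)FilterAPI.NTSTATUS.STATUS_SUCCESS)
                {
                    return "";
                }

                switch (regCallbackClass)
                {
                case FilterAPI.RegCallbackClass.Reg_Pre_Delete_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_Delete_Key:
                    description = "registry key is being deleted.";
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_Set_Value_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_Set_Value_Key:
                {
                    VALUE_DATA_TYPE valueType = (VALUE_DATA_TYPE)messageSend.InfoClass;
                    description = "Type:" + valueType.ToString()
                                + " Data:" + ValueTypeData(valueType, (int)messageSend.DataBufferLength, messageSend.DataBuffer);
                    break;
                }

                case FilterAPI.RegCallbackClass.Reg_Pre_Delete_Value_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_Delete_Value_Key:
                    description = "registry key's value is being deleted.";
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_SetInformation_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_SetInformation_Key:
                    description = ((KEY_SET_INFORMATION_CLASS)messageSend.InfoClass).ToString();
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_Rename_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_Rename_Key:
                {
                    // NOTE(review): unlike the Load/Replace cases this decodes the whole DataBuffer rather than
                    // DataBufferLength bytes — confirm against the driver's message layout.
                    string newName = Encoding.Unicode.GetString(messageSend.DataBuffer);
                    description = "registry key's name is being changed to " + newName;
                    break;
                }

                // Pre-operation query/enumerate callbacks carry only the requested information class.
                case FilterAPI.RegCallbackClass.Reg_Pre_Enumerate_Key:
                case FilterAPI.RegCallbackClass.Reg_Pre_Query_Key:
                    description = ((KEY_INFORMATION_CLASS)messageSend.InfoClass).ToString();
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_Enumerate_Value_Key:
                case FilterAPI.RegCallbackClass.Reg_Pre_Query_Value_Key:
                    description = ((KEY_VALUE_INFORMATION_CLASS)messageSend.InfoClass).ToString();
                    break;

                // Post-operation callbacks carry the structure the driver returned; decode it.
                case FilterAPI.RegCallbackClass.Reg_Post_Enumerate_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_Query_Key:
                    description = KeyInformation((KEY_INFORMATION_CLASS)messageSend.InfoClass, messageSend.DataBuffer);
                    break;

                case FilterAPI.RegCallbackClass.Reg_Post_Enumerate_Value_Key:
                    description = KeyValueInformation((KEY_VALUE_INFORMATION_CLASS)messageSend.InfoClass, messageSend.DataBuffer);
                    break;

                case FilterAPI.RegCallbackClass.Reg_Post_Query_Value_Key:
                {
                    // Unit-test hook kept for RegistryUnitTest. Ordinal search so the marker is matched the same
                    // way under every thread culture; the original "> 0" (a path that *starts* with the marker
                    // does not count) is preserved. The null guard keeps a missing FileName from aborting the
                    // whole description below.
                    if (messageSend.FileName != null &&
                        messageSend.FileName.IndexOf("EaseFilter", StringComparison.Ordinal) > 0)
                    {
                        RegistryUnitTest.postQueryValueKeyPassed = true;
                    }

                    description = KeyValueInformation((KEY_VALUE_INFORMATION_CLASS)messageSend.InfoClass, messageSend.DataBuffer);
                    break;
                }

                case FilterAPI.RegCallbackClass.Reg_Pre_Query_Multiple_Value_Key:
                    // Nothing to render for the pre-operation side.
                    break;

                case FilterAPI.RegCallbackClass.Reg_Post_Query_Multiple_Value_Key:
                    description = FormatMultipleValueEntries(messageSend.InfoClass, messageSend.DataBuffer);
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_Create_KeyEx:
                case FilterAPI.RegCallbackClass.Reg_Post_Create_KeyEx:
                case FilterAPI.RegCallbackClass.Reg_Pre_Open_KeyEx:
                case FilterAPI.RegCallbackClass.Reg_Post_Open_KeyEx:
                    description = FormatCreateDescription(messageSend);
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_Load_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_Load_Key:
                    description = "SourceFile:" + Encoding.Unicode.GetString(messageSend.DataBuffer, 0, (int)messageSend.DataBufferLength);
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_Replace_Key:
                case FilterAPI.RegCallbackClass.Reg_Post_Replace_Key:
                    description = "NewFileName:" + Encoding.Unicode.GetString(messageSend.DataBuffer, 0, (int)messageSend.DataBufferLength);
                    break;

                case FilterAPI.RegCallbackClass.Reg_Pre_Query_KeyName:
                case FilterAPI.RegCallbackClass.Reg_Post_Query_KeyName:
                    // Intentionally left empty.
                    break;

                default:
                    description = "unsupported registry callback class:" + regCallbackClass.ToString();
                    break;
                }
            }
            catch (Exception ex)
            {
                // Best-effort formatter for display: a malformed message must never take the caller down.
                description = "Format description failed, return error:" + ex.Message;
            }

            return description;
        }

        /// <summary>
        /// Decodes the entry list returned by a multiple-value query. Each entry is read as four Int32s —
        /// NextEntryOffset, ValueNameLength, DataType, DataLength — followed by the UTF-16LE value name and
        /// the value data; the list is walked by NextEntryOffset from the start of each entry.
        /// </summary>
        /// <param name="entryCount">Number of entries the driver reported (<c>InfoClass</c>); an upper bound, not trusted on its own.</param>
        /// <param name="buffer">Raw entry bytes.</param>
        /// <returns>One "Name:… Type:… Data:…" line per entry, each terminated by <see cref="Environment.NewLine"/>.</returns>
        /// <exception cref="InvalidDataException">An entry declares a negative length or one that runs past the buffer.</exception>
        private static string FormatMultipleValueEntries(uint entryCount, byte[] buffer)
        {
            StringBuilder sb = new StringBuilder();

            using (MemoryStream ms = new MemoryStream(buffer))
            using (BinaryReader br = new BinaryReader(ms))
            {
                for (uint i = 0; i < entryCount && ms.Position < ms.Length; i++)
                {
                    long currentOffset   = ms.Position;
                    int  nextEntryOffset = br.ReadInt32();
                    int  valueNameLength = br.ReadInt32();
                    int  dataType        = br.ReadInt32();
                    int  dataLength      = br.ReadInt32();

                    // BinaryReader.ReadBytes allocates the requested size before reading, so lengths are
                    // validated against what is actually left in the buffer instead of being passed through.
                    long remaining = ms.Length - ms.Position;
                    if (valueNameLength < 0 || dataLength < 0 ||
                        valueNameLength > remaining || dataLength > remaining - valueNameLength)
                    {
                        throw new InvalidDataException("multiple-value entry " + i + " declares a length outside the buffer");
                    }

                    byte[] valueName = br.ReadBytes(valueNameLength);
                    byte[] data      = br.ReadBytes(dataLength);

                    VALUE_DATA_TYPE type = (VALUE_DATA_TYPE)dataType;
                    sb.Append("Name:").Append(Encoding.Unicode.GetString(valueName, 0, valueNameLength));
                    sb.Append(" Type:").Append(type.ToString());
                    sb.Append(" Data:").Append(ValueTypeData(type, dataLength, data)).Append(Environment.NewLine);

                    // A zero or backwards NextEntryOffset would re-read the same entry up to entryCount (a uint
                    // taken from the message) times; treat it as end of list instead of spinning.
                    if (nextEntryOffset <= 0)
                    {
                        break;
                    }

                    ms.Position = currentOffset + nextEntryOffset;
                }
            }

            return sb.ToString();
        }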