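/// <summary>
/// Builds one <see cref="RegSetValueSemanticUnit"/> per consumer of a RegOpenKey
/// sequence: the producer is the RegOpenKey call, each consumer a RegSetValue call
/// made on the handle it returned.
/// </summary>
/// <param name="s">Sequence whose <c>API.Parameter</c> is a <see cref="RegOpenKeyParameter"/>
/// and whose consumers carry <see cref="RegSetValueParameter"/> instances.</param>
/// <returns>One semantic unit per consumer; an empty list when there are no consumers.</returns>
/// <exception cref="InvalidCastException">When the producer or a consumer parameter is not of the expected type.</exception>
static List<SemanticUnit> OnRegOpenKey(SequenceUnit s)
{
    var sem = new List<SemanticUnit>();
    var opened = (RegOpenKeyParameter)s.API.Parameter;
    // The root handle is rendered as hex (e.g. a predefined root such as 80000001) and
    // joined with the sub key; this prefix is the same for every consumer, so build it once.
    string keyPrefix = string.Format(@"{0:X2}\{1}", opened.HKey.ToInt32(), opened.SubKey);

    foreach (APIUnit api in s.Consumers)
    {
        var set = (RegSetValueParameter)api.Parameter;
        // Invariant casing: these strings are machine identifiers that are compared
        // across runs and hosts, so they must not depend on the analysis host's culture.
        // A null Data (parameter built elsewhere) is treated as empty rather than crashing.
        sem.Add(new RegSetValueSemanticUnit
        {
            Value = (keyPrefix + @"\" + set.Value).ToUpperInvariant().Trim(),
            Data = (set.Data ?? string.Empty).ToUpperInvariant().Trim(),
        });
    }
    return sem;
}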
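/// <summary>
/// Hook callback for RegSetValue / RegSetValueEx (A and W variants). Captures the key
/// handle, value name, value type and value data into a <see cref="RegSetValueParameter"/>
/// and queues the resulting report.
/// </summary>
/// <param name="hook">The hook that fired; its <c>FunctionName</c> selects the parameter
/// layout ("Ex" present or not) and the string encoding ("W" present or not).</param>
/// <param name="process">Monitored process; forwarded to <c>Base</c>.</param>
/// <param name="callInfo">Intercepted call; parameters are read by position.</param>
static void OnRegSetValue(NktHook hook, NktProcess process, NktHookCallInfo callInfo)
{
    var report = Base(APIType.HandleConsuming, APICategory.Registry, APIID.RegSetValue, hook, process, callInfo);
    if (report == null)
    {
        return;
    }

    var ps = callInfo.Params();
    var param = new RegSetValueParameter();
    param.Handle = ps.GetAt(0).SizeTVal;
    // A null value-name pointer addresses the key's default value.
    param.Value = ps.GetAt(1).IsNullPointer ? "Default" : ps.GetAt(1).ReadString();

    // RegSetValueEx(hKey, lpValueName, Reserved, dwType, lpData, cbData) versus
    // RegSetValue(hKey, lpSubKey, dwType, lpData, cbData): the Reserved slot shifts
    // the type/data/length positions by one.
    bool isEx = hook.FunctionName.Contains("Ex");
    uint type = ps.GetAt(isEx ? 3 : 2).ULongVal;
    INktParam pData = ps.GetAt(isEx ? 4 : 3);
    uint len = ps.GetAt(isEx ? 5 : 4).ULongVal;

    string data = "";
    if (!pData.IsNullPointer)
    {
        switch (type)
        {
            case 1: // REG_SZ
            case 2: // REG_EXPAND_SZ
            case 7: // REG_MULTI_SZ
                data = ReadStringData(pData, len, hook.FunctionName.Contains("W"));
                break;
            case 3: // REG_BINARY
            case 4: // REG_DWORD
                // Both types are dereferenced as one unsigned 32-bit value; for REG_BINARY
                // that captures only the leading bytes (existing behaviour, kept as is).
                data = pData.Evaluate().ULongVal.ToString();
                break;
        }
    }

    // String terminators and REG_MULTI_SZ separators are NULs; flatten them to spaces.
    param.Type = type;
    param.Data = data.Replace('\0', ' ').Trim();
    report.Parameter = param;
    Reports.Enqueue(report);
}

/// <summary>
/// Copies registry string data out of the monitored process and decodes it.
/// </summary>
/// <param name="pData">The lpData parameter (non-null pointer) of the intercepted call.</param>
/// <param name="len">cbData as supplied by the monitored process; untrusted.</param>
/// <param name="unicode">True for the W variant (UTF-16), false for the A variant (ASCII).</param>
/// <returns>The decoded data, truncated to the monitor-side byte cap.</returns>
static string ReadStringData(INktParam pData, uint len, bool unicode)
{
    // cbData is chosen by the monitored process. Without a bound it drives the size of
    // the allocation and of the cross-process read in the monitor, so a hostile caller
    // could exhaust memory here. Cap it (tunable); anything beyond is truncated.
    const uint MaxDataBytes = 1u << 20;
    int count = (int)Math.Min(len, MaxDataBytes);
    byte[] buf = new byte[count];
    GCHandle h = GCHandle.Alloc(buf, GCHandleType.Pinned);
    try
    {
        pData.Memory().ReadMem(h.AddrOfPinnedObject(), pData.PointerVal, (IntPtr)count);
    }
    finally
    {
        // Always unpin, even when the remote read throws; the original leaked the handle on failure.
        h.Free();
    }
    Encoding enc = unicode ? Encoding.Unicode : Encoding.ASCII;
    return enc.GetString(buf, 0, count);
}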