Can't catch KEY_VALUE_BASIC_INFORMATION.Name in CmRegisterCallback
Posted
by
alex
on Stack Overflow
Published on 2012-12-01T17:02:57Z
c++
I want to hide the name of a registry value. I am writing a driver that uses CmRegisterCallback, but I can't get the name of the value that I need. When I DbgPrint PKEY_VALUE_BASIC_INFORMATION->Name I get only the symbols [ , u . Where is my mistake? Can anybody help me? My RegistryCallback source:
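/*
 * Registry callback routine (the post registers it through CmRegisterCallback).
 *
 * CallbackContext - driver-supplied context; cast to PDEVICE_CONTEXT but not
 *                   used anywhere in this routine.
 * Argument1       - the REG_NOTIFY_CLASS value, delivered as a pointer-sized
 *                   integer.
 * Argument2       - notification-specific structure; only the
 *                   RegNtEnumerateValueKey case is examined here.
 *
 * Returns STATUS_CALLBACK_BYPASS when the name read through
 * KeyValueInformation equals the fixed string below (case-insensitive
 * compare), and STATUS_SUCCESS in every other case, including after an
 * exception.
 *
 * Repairs made to the listing as posted: the address-of operators in front of
 * regKeyNameValue / regKeyNameValueToHide had been turned into a "registered
 * trademark" character by HTML-entity decoding, and the return in the default
 * case had no semicolon.
 *
 * NOTE(review): RegNtEnumerateValueKey is documented as the pre-operation
 * notification. KeyValueInformation is the caller's output buffer, and nothing
 * in this routine shows it has been filled in when the callback runs, so the
 * Name bytes read below are whatever the caller left there. That matches the
 * stray characters the post reports from DbgPrint.
 *
 * NOTE(review): the try/except block is the only protection around those
 * reads. The buffer is never probed, its size (pInfo->Length) is never
 * checked, and a fault on an invalid kernel-mode address is not something an
 * exception handler recovers from. On some Windows versions this pointer may
 * be the raw user-mode address; confirm against the WDK documentation for the
 * target OS.
 */
NTSTATUS RegistryCallback(PVOID CallbackContext, PVOID Argument1, PVOID Argument2)
{
    PDEVICE_CONTEXT pContext = (PDEVICE_CONTEXT) CallbackContext;
    /* Go through ULONG_PTR so the pointer-to-enum conversion does not truncate on 64-bit builds. */
    REG_NOTIFY_CLASS Action = (REG_NOTIFY_CLASS)(ULONG_PTR) Argument1;
    UNICODE_STRING regKeyNameValueToHide = {0};

    try
    {
        switch (Action)
        {
            case RegNtEnumerateValueKey:
            {
                PREG_ENUMERATE_VALUE_KEY_INFORMATION pInfo = (PREG_ENUMERATE_VALUE_KEY_INFORMATION) Argument2;

                /* Left disabled as in the post. It would also pass data as the DbgPrint format string. */
                //DbgPrint(pInfo->ValueName->Buffer);
                RtlInitUnicodeString(&regKeyNameValueToHide, L"alex-56328943333");

                if (pInfo->KeyValueInformationClass == KeyValueBasicInformation)
                {
                    PKEY_VALUE_BASIC_INFORMATION pKeyValueBasicInformation = (PKEY_VALUE_BASIC_INFORMATION) pInfo->KeyValueInformation;
                    UNICODE_STRING regKeyNameValue = {0};

                    /*
                     * NOTE(review): RtlInitUnicodeString scans for a terminating NUL,
                     * but Name is a counted field (NameLength bytes) with no guaranteed
                     * terminator, so this scan can run past the end of the buffer.
                     */
                    RtlInitUnicodeString(&regKeyNameValue, pKeyValueBasicInformation->Name);
                    /* Third argument 1 = case-insensitive comparison. */
                    if (RtlEqualUnicodeString(&regKeyNameValue, &regKeyNameValueToHide, 1))
                    {
                        return STATUS_CALLBACK_BYPASS;
                    }
                }
                else if (pInfo->KeyValueInformationClass == KeyValueFullInformation)
                {
                    PKEY_VALUE_FULL_INFORMATION pKeyValueFullInformation = (PKEY_VALUE_FULL_INFORMATION) pInfo->KeyValueInformation;
                    UNICODE_STRING regKeyNameValue = {0};

                    /* NOTE(review): same unbounded NUL scan on a counted Name field as in the basic-information branch. */
                    RtlInitUnicodeString(&regKeyNameValue, pKeyValueFullInformation->Name);
                    if (RtlEqualUnicodeString(&regKeyNameValue, &regKeyNameValueToHide, 1))
                    {
                        return STATUS_CALLBACK_BYPASS;
                    }
                }
                break;
            }
            default:
            {
                /* Every other notification class passes through untouched. */
                return STATUS_SUCCESS;
            }
        }
    }
    except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("Exception in RegistryCallback!!!");
    }

    return STATUS_SUCCESS;
}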
© Stack Overflow or respective owner