使用 ZwSetValueKey 來進行注冊表鍵值的寫操作,寫操作并不需要鍵已經存在,如果已存在則覆蓋值.
步驟 ZwOpenKey -> ZwSetValueKey
ZwSetValueKey(
_In_ HANDLE KeyHandle,//注冊表鍵句柄
_In_ PUNICODE_STRING ValueName,//鍵名
_In_opt_ ULONG TitleIndex,//始終為零
_In_ ULONG Type,//值的數據類型,例如 REG_SZ
_In_reads_bytes_opt_(DataSize) PVOID Data,//指向要寫入的數據的起始地址,可以是任意數據,不管類型是什么都可以
_In_ ULONG DataSize//數據的長度(字節數)
);
返回結果:
#include
/* Unload callback installed by DriverEntry. No driver-wide state is kept,
 * so there is nothing to tear down here. */
VOID DriverUnload(PDRIVER_OBJECT driver){
    (void)driver; /* unused */
}
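/*
 * Demo driver: writes the REG_SZ value "misaka" under
 * \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
 *
 * Fixes over the first version of this listing:
 *  - the key is opened with KEY_SET_VALUE, the only right this code uses;
 *    KEY_READ does not include KEY_SET_VALUE, so the open should request
 *    the access the write actually needs (least privilege).
 *  - OBJ_KERNEL_HANDLE keeps the handle out of the current process's
 *    user-mode handle table, as recommended for kernel-mode opens.
 *  - a failed ZwOpenKey no longer falls through to ZwSetValueKey with a
 *    NULL handle; the write is skipped.
 *  - the key handle is closed with ZwClose; previously it leaked.
 *
 * driver   - driver object; DriverUnload is installed on it.
 * reg_path - the driver's own service key path (unused here).
 * Returns STATUS_SUCCESS so the driver still loads; registry failures are
 * only reported with DbgPrint, as in the original listing.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path){
    HANDLE mykey = NULL;
    NTSTATUS status;
    /* Target key path, defined statically. */
    UNICODE_STRING mykeypath = RTL_CONSTANT_STRING(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion");
    /* Value name to write. */
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"misaka");
    /* An array (not a PWCHAR) so sizeof yields the byte length including
     * the terminating NUL that REG_SZ data must carry. */
    static const WCHAR value[] = L"hello , this is a misaka value";
    /* Object attributes carrying the key path. */
    OBJECT_ATTRIBUTES myobjattr = { 0 };

    (void)reg_path;

    InitializeObjectAttributes(&myobjattr, &mykeypath,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);

    /* Open the key, requesting only the right needed to set a value. */
    status = ZwOpenKey(&mykey, KEY_SET_VALUE, &myobjattr);
    if (!NT_SUCCESS(status)) {
        DbgPrint("misaka: open regeditkey failed\r\n");
        goto done; /* no handle: nothing to write or close */
    }

    /* DataSize is in bytes and includes the NUL terminator. */
    status = ZwSetValueKey(mykey, &name, 0, REG_SZ, (PVOID)value, sizeof(value));
    if (!NT_SUCCESS(status)) {
        DbgPrint("misaka: this is error !\r\n");
    }

    ZwClose(mykey);

done:
    driver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}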
結(jié)果成功寫入 鍵 misaka 值 misaka: open regeditkey failed 到對應注冊表,重啟系統(tǒng)數(shù)據(jù)還在!