NtCreateKey and DllCall

[joakim]

I am trying to access registry keys by using ntdll.dll, but I'm facing a dreaded ntstatus 0xc0000005 (STATUS_ACCESS_VIOLATION). From the msdn docs; http://msdn.microsoft.com/en-us/library/windows/hardware/ff566425(v=vs.85).aspx it says the RootDirectory can be empty in which case the ObjectName member of the input ObjectAttributes contains the full qualified path, and should start with Registry. A bit stuck, so any help would be appreciated. Here the code;

expandcollapse popup

Global Const $tagIOSTATUSBLOCK = "dword Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $KEY_READ = 0x20019
Global Const $KEY_WRITE = 0x20006
Global Const $KEY_CREATE_LINK = 0x0020
Global Const $KEY_ALL_ACCESS = 0xF003F
Global Const $REG_OPTION_NON_VOLATILE = 0x00000000

$RegKey = "RegistryMachineSOFTWAREClasses"
_NtCreateKey($RegKey)

Func _NtCreateKey($RegKey)
Local $Disposition, $ret, $KeyHandle
Local $hNTDLL = DllOpen("ntdll.dll")
Local $szName = DllStructCreate("wchar[260]")
Local $sUS = DllStructCreate($tagUNICODESTRING)
Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
Local $sISB = DllStructCreate($tagIOSTATUSBLOCK)
DllStructSetData($szName, 1, $RegKey)
$ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
DllStructSetData($sOA, "RootDirectory", Chr(0))
DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))
$ret = DllCall($hNTDLL, "int", "NtCreateKey", "hwnd", $KeyHandle, "dword", $KEY_ALL_ACCESS, "ptr", DllStructGetPtr($sOA), "ulong", 0, "ulong", 0, "ulong", $REG_OPTION_NON_VOLATILE, "ptr", $Disposition)
If NT_SUCCESS($ret[0]) Then
Return $ret[1]
Else
ConsoleWrite("Ntstatus: NtCreateKey: 0x" & Hex($ret[0],8) & @CRLF)
ConsoleWrite("System error code: " & _LsaNtStatusToWinError($ret[0]) & @CRLF)
Return SetError(1,0,0)
EndIf
EndFunc

Func NT_SUCCESS($status)
If 0 <= $status And $status <= 0x7FFFFFFF Then
     Return True
Else
     Return False
EndIf
EndFunc

Func _LsaNtStatusToWinError($iNtStatus)
Local $iSysError
$iSysError = DllCall("Advapi32.dll", "ulong", "LsaNtStatusToWinError", "dword", $iNtStatus)
Return $iSysError[0]
EndFunc

Btw, parts of the code is taken from wraithdu's ads sample.

Edited August 7, 2012 by joakim

[joakim]

Nevermind. Turned out all that was missing was a * behind "hwnd".