joakim, Posted August 7, 2012 (edited)

I am trying to access registry keys by using ntdll.dll, but I'm facing a dreaded ntstatus 0xc0000005 (STATUS_ACCESS_VIOLATION). From the MSDN docs, http://msdn.microsoft.com/en-us/library/windows/hardware/ff566425(v=vs.85).aspx, it says the RootDirectory can be empty, in which case the ObjectName member of the input ObjectAttributes contains the fully qualified path and should start with \Registry. A bit stuck, so any help would be appreciated. Here is the code:

```autoit
Global Const $tagIOSTATUSBLOCK = "dword Status;ptr Information"
Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $KEY_READ = 0x20019
Global Const $KEY_WRITE = 0x20006
Global Const $KEY_CREATE_LINK = 0x0020
Global Const $KEY_ALL_ACCESS = 0xF003F
Global Const $REG_OPTION_NON_VOLATILE = 0x00000000

$RegKey = "\Registry\Machine\SOFTWARE\Classes"
_NtCreateKey($RegKey)

Func _NtCreateKey($RegKey)
    Local $Disposition, $ret, $KeyHandle
    Local $hNTDLL = DllOpen("ntdll.dll")
    Local $szName = DllStructCreate("wchar[260]")
    Local $sUS = DllStructCreate($tagUNICODESTRING)
    Local $sOA = DllStructCreate($tagOBJECTATTRIBUTES)
    Local $sISB = DllStructCreate($tagIOSTATUSBLOCK)
    DllStructSetData($szName, 1, $RegKey)
    $ret = DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($sUS), "ptr", DllStructGetPtr($szName))
    DllStructSetData($sOA, "Length", DllStructGetSize($sOA))
    DllStructSetData($sOA, "RootDirectory", Chr(0))
    DllStructSetData($sOA, "ObjectName", DllStructGetPtr($sUS))
    DllStructSetData($sOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    DllStructSetData($sOA, "SecurityDescriptor", Chr(0))
    DllStructSetData($sOA, "SecurityQualityOfService", Chr(0))
    $ret = DllCall($hNTDLL, "int", "NtCreateKey", "hwnd", $KeyHandle, "dword", $KEY_ALL_ACCESS, "ptr", DllStructGetPtr($sOA), "ulong", 0, "ulong", 0, "ulong", $REG_OPTION_NON_VOLATILE, "ptr", $Disposition)
    If NT_SUCCESS($ret[0]) Then
        Return $ret[1]
    Else
        ConsoleWrite("Ntstatus: NtCreateKey: 0x" & Hex($ret[0], 8) & @CRLF)
        ConsoleWrite("System error code: " & _LsaNtStatusToWinError($ret[0]) & @CRLF)
        Return SetError(1, 0, 0)
    EndIf
EndFunc

Func NT_SUCCESS($status)
    If 0 <= $status And $status <= 0x7FFFFFFF Then
        Return True
    Else
        Return False
    EndIf
EndFunc

Func _LsaNtStatusToWinError($iNtStatus)
    Local $iSysError
    $iSysError = DllCall("Advapi32.dll", "ulong", "LsaNtStatusToWinError", "dword", $iNtStatus)
    Return $iSysError[0]
EndFunc
```

Btw, parts of the code are taken from wraithdu's ads sample.

Edited August 7, 2012 by joakim

joakim (Author), Posted August 7, 2012

Never mind. Turned out all that was missing was a * behind "hwnd".
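
The fix from the follow-up post, as an added example that is not part of the original thread: NtCreateKey writes the new handle through its first argument, so DllCall has to pass that argument by reference ("hwnd*"), otherwise the native call receives an invalid pointer and returns STATUS_ACCESS_VIOLATION. The function name `_NtCreateKeyByRef`, the use of `KEY_READ` instead of `KEY_ALL_ACCESS`, the by-reference `Disposition`, and the `NtClose` cleanup are assumptions of this sketch.

```autoit
Global Const $tagOBJECTATTRIBUTES = "ulong Length;hwnd RootDirectory;ptr ObjectName;ulong Attributes;ptr SecurityDescriptor;ptr SecurityQualityOfService"
Global Const $tagUNICODESTRING = "ushort Length;ushort MaximumLength;ptr Buffer"
Global Const $OBJ_CASE_INSENSITIVE = 0x00000040
Global Const $KEY_READ = 0x20019 ; assumption: request only the access the caller needs
Global Const $REG_OPTION_NON_VOLATILE = 0x00000000

; Returns the key handle; on success @extended holds the disposition
; (1 = created new key, 2 = opened existing key).
Func _NtCreateKeyByRef($sRegKey)
    Local $hNTDLL = DllOpen("ntdll.dll")
    If $hNTDLL = -1 Then Return SetError(1, 0, 0)
    Local $tName = DllStructCreate("wchar[260]")
    Local $tUS = DllStructCreate($tagUNICODESTRING)
    Local $tOA = DllStructCreate($tagOBJECTATTRIBUTES)
    DllStructSetData($tName, 1, $sRegKey)
    DllCall($hNTDLL, "none", "RtlInitUnicodeString", "ptr", DllStructGetPtr($tUS), "ptr", DllStructGetPtr($tName))
    DllStructSetData($tOA, "Length", DllStructGetSize($tOA))
    DllStructSetData($tOA, "RootDirectory", 0)
    DllStructSetData($tOA, "ObjectName", DllStructGetPtr($tUS))
    DllStructSetData($tOA, "Attributes", $OBJ_CASE_INSENSITIVE)
    DllStructSetData($tOA, "SecurityDescriptor", 0)
    DllStructSetData($tOA, "SecurityQualityOfService", 0)
    ; KeyHandle (first) and Disposition (last) are OUT parameters. The "*" makes
    ; DllCall pass the address of a temporary; the values written by the call
    ; come back in $aRet[1] and $aRet[7]. Class is an optional pointer, so NULL.
    Local $aRet = DllCall($hNTDLL, "long", "NtCreateKey", _
            "hwnd*", 0, _
            "dword", $KEY_READ, _
            "ptr", DllStructGetPtr($tOA), _
            "ulong", 0, _
            "ptr", 0, _
            "ulong", $REG_OPTION_NON_VOLATILE, _
            "ulong*", 0)
    Local $iErr = @error
    DllClose($hNTDLL)
    If $iErr Then Return SetError(2, $iErr, 0)
    ; A negative NTSTATUS (high bit set) is a warning or error code.
    If $aRet[0] < 0 Then Return SetError(3, $aRet[0], 0)
    Return SetError(0, $aRet[7], $aRet[1])
EndFunc

Local $hKey = _NtCreateKeyByRef("\Registry\Machine\SOFTWARE\Classes")
If @error Then
    ConsoleWrite("Failed, @error=" & @error & " @extended=0x" & Hex(@extended, 8) & @CRLF)
Else
    ConsoleWrite("Handle: " & $hKey & ", disposition: " & @extended & @CRLF)
    DllCall("ntdll.dll", "long", "NtClose", "hwnd", $hKey) ; release the kernel handle
EndIf
```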