printf("NtAdjustPrivilegesToken failed, rc=%x\n", rc);
return FALSE;
}
return TRUE;
}
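/* One day in the 100-nanosecond units that NtQuerySystemTime/NtSetSystemTime use. */
#define ONE_DAY_100NS ((LONGLONG)86400 * 10000000)

/*
 * Query the current system time, add Delta100ns to it and write it back.
 *
 * The shift is done on the raw 100-ns counter rather than on TIME_FIELDS:
 * bumping TimeFields.Day by one on the last day of a month produces a
 * field set that is not a valid date, so the TIME_FIELDS round trip only
 * works on some days.  The caller must hold SE_SYSTEMTIME_PRIVILEGE.
 *
 * Returns STATUS_SUCCESS, or the NTSTATUS of the call that failed (already
 * reported on stdout).
 */
static NTSTATUS ShiftSystemTime(LONGLONG Delta100ns)
{
    LARGE_INTEGER Now, Shifted;
    NTSTATUS rc = NtQuerySystemTime(&Now);
    if (rc != STATUS_SUCCESS) {
        printf("NtQuerySystemTime failed, rc=%x\n", rc);
        return rc;
    }
    Shifted.QuadPart = Now.QuadPart + Delta100ns;
    rc = NtSetSystemTime(&Shifted, NULL);
    if (rc != STATUS_SUCCESS) {
        printf("NtSetSystemTime failed, rc=%x\n", rc);
    }
    return rc;
}

/*
 * Query the system time, split it into TIME_FIELDS and print it via DumpTime.
 * Returns STATUS_SUCCESS, or the NTSTATUS of the failed query (reported on stdout).
 */
static NTSTATUS QueryAndDumpSystemTime(void)
{
    LARGE_INTEGER SystemTime;
    TIME_FIELDS TimeFields;
    NTSTATUS rc = NtQuerySystemTime(&SystemTime);
    if (rc != STATUS_SUCCESS) {
        printf("NtQuerySystemTime failed, rc=%x\n", rc);
        return rc;
    }
    RtlTimeToTimeFields(&SystemTime, &TimeFields);
    DumpTime(TimeFields);
    return rc;
}

/*
 * Exercise the native time APIs: dump the system time, move the clock one
 * day ahead, dump it, move it back, dump it again, then print the tick count.
 *
 * SE_SYSTEMTIME_PRIVILEGE is enabled for the duration of the function and
 * disabled again on every exit path.  If the clock was moved ahead but a
 * later step fails, the clock is moved back before returning, so a failure
 * half-way through does not leave the machine a day in the future.
 */
void TimeManagement()
{
    BOOLEAN DayAdded = FALSE;   /* TRUE while the clock is one day ahead */
    ULONG TickCount;

    if (!EnableOrDisablePrivilege(SE_SYSTEMTIME_PRIVILEGE, FALSE)) {
        printf("Unable to enable SE_SYSTEMTIME_PRIVILEGE\n");
        return;
    }

    printf("Dumping System time\n");
    if (QueryAndDumpSystemTime() != STATUS_SUCCESS) {
        goto ExitFunction;
    }

    if (ShiftSystemTime(ONE_DAY_100NS) != STATUS_SUCCESS) {
        goto ExitFunction;
    }
    DayAdded = TRUE;

    printf("Dumping System time after incrementing day by 1\n");
    if (QueryAndDumpSystemTime() != STATUS_SUCCESS) {
        goto ExitFunction;
    }

    if (ShiftSystemTime(-ONE_DAY_100NS) != STATUS_SUCCESS) {
        goto ExitFunction;
    }
    DayAdded = FALSE;

    printf("Dumping System time after decrementing day by 1\n");
    QueryAndDumpSystemTime();

ExitFunction:
    if (DayAdded) {
        /* A step failed while the clock was still a day ahead: undo the shift. */
        ShiftSystemTime(-ONE_DAY_100NS);
    }
    TickCount = NtGetTickCount();
    printf("NtGetTickCount() returned %x\n", TickCount);
    EnableOrDisablePrivilege(SE_SYSTEMTIME_PRIVILEGE, TRUE);
}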
/*
 * APC routine handed to NtNotifyChangeKey.  It only announces that the
 * registry change notification fired; the three parameters are not used.
 */
void _stdcall RegApcRoutine(PVOID ApcContext, PIO_STATUS_BLOCK pIoStatusBlock, ULONG Reserved)
{
    (void)ApcContext;
    (void)pIoStatusBlock;
    (void)Reserved;
    fputs("Registry change ApcRoutine called\n", stdout);
}
KeyManagement()
{
HANDLE hKeyOpened, hKeyCreated, hKey;
NTSTATUS rc;
OBJECT_ATTRIBUTES ObjectAttr, HiveObjectAttr;
UNICODE_STRING KeyName;
ULONG Disposition;
ULONG Index;
PKEY_BASIC_INFORMATION pKeyBasicInfo;
PKEY_VALUE_BASIC_INFORMATION pKeyValueBasicInfo;
PKEY_FULL_INFORMATION pKeyFullInfo;
PKEY_VALUE_FULL_INFORMATION pKeyValueFullInfo;
HANDLE hFile;
UNICODE_STRING FileName;
IO_STATUS_BLOCK IoStatusBlock;
LARGE_INTEGER DelayTime;
KEY_VALUE_ENTRY KeyValueEntries[2];
UNICODE_STRING KeyValueName[2];
ULONG i;
UNICODE_STRING ValueName;
WCHAR *regszData=L"StringData";
ULONG regdwordData=0x1020;
static char Buffer[4096];
ULONG BufferSize=sizeof(Buffer);
ULONG BytesReturned;
KEY_WRITE_TIME_INFORMATION KeyWriteTimeInfo;
rc=NtInitializeRegistry(0);
if (rc!=STATUS_SUCCESS) {
printf("NtInitializeRegistry failed, rc=%x\n", rc);
}
/* Open HKEY_LOCAL_MACHINE\Software */
RtlInitUnicodeString(&KeyName, L"\\Registry\\Machine\\Software");
InitializeObjectAttributes(&ObjectAttr,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
rc=NtOpenKey(&hKeyOpened,
MAXIMUM_ALLOWED,
&ObjectAttr);
if (rc!=STATUS_SUCCESS) {
printf("Unable to open key, rc=%x\n", rc);
return 0;
}
printf("Key opened, hKeyOpened=%x\n", hKeyOpened);
/* Create TestKey under HKEY_LOCAL_MACHINE\Software */
RtlInitUnicodeString(&KeyName, L"TestKey");
InitializeObjectAttributes(&ObjectAttr,
&KeyName,
OBJ_CASE_INSENSITIVE,
hKeyOpened,
NULL);
rc=NtCreateKey(&hKeyCreated,
KEY_ALL_ACCESS,
&ObjectAttr,
0,
NULL,
0,
&Disposition);
if (rc!=STATUS_SUCCESS) {
printf("Unable to create key, rc=%x\n", rc);
NtClose(hKeyOpened);
return 0;
}
printf("Key created, hKeyCreated=%x\n", hKeyCreated);
rc=NtNotifyChangeKey(hKeyCreated,
NULL,
(PIO_APC_ROUTINE)RegApcRoutine,
Buffer,
&IoStatusBlock,
REG_NOTIFY_CHANGE_NAME|REG_NOTIFY_CHANGE_ATTRIBUTES|REG_NOTIFY_CHANGE_LAST_SET|REG_NOTIFY_CHANGE_SECURITY,
TRUE,
Buffer,
sizeof(Buffer),
TRUE);
if ((rc!=STATUS_SUCCESS)&&(rc!=STATUS_PENDING)) {
printf("NtNotifyChangeKey failed, rc=%x\n", rc);
goto ExitFunction;
}
/* Create two subkeys under HKEY_LOCAL_MACHINE\Software\TestKey */
RtlInitUnicodeString(&KeyName, L"Key1");
InitializeObjectAttributes(&ObjectAttr,
&KeyName,
OBJ_CASE_INSENSITIVE,
hKeyCreated,
NULL);
rc=NtCreateKey(&hKey,
KEY_ALL_ACCESS,
&ObjectAttr,
0,
NULL,
0,
&Disposition);
if (rc!=STATUS_SUCCESS) {
printf("Unable to create key, rc=%x\n", rc);
goto ExitFunction;
}
NtClose(hKey);
RtlInitUnicodeString(&KeyName, L"Key2");
InitializeObjectAttributes(&ObjectAttr,
&KeyName,
OBJ_CASE_INSENSITIVE,
hKeyCreated,
NULL);
rc=NtCreateKey(&hKey,
KEY_ALL_ACCESS,
&ObjectAttr,
0,
NULL,
0,
&Disposition);
if (rc!=STATUS_SUCCESS) {
printf("Unable to create key, rc=%x\n", rc);
goto ExitFunction;
}
NtClose(hKey);
/* Create two values under HKEY_LOCAL_MACHINE\Software\TestKey */
RtlInitUnicodeString(&ValueName, L"Value1");
rc=NtSetValueKey(hKeyCreated,
&ValueName,
0,
REG_SZ,
regszData,
(wcslen(regszData)+1)*2);
if (rc!=STATUS_SUCCESS) {
printf("Unable to set value data, rc=%x\n", rc);
goto ExitFunction;
}
RtlInitUnicodeString(&ValueName, L"Value2");
rc=NtSetValueKey(hKeyCreated,
&ValueName,
0,
REG_DWORD,
®dwordData,
sizeof(regdwordData));
if (rc!=STATUS_SUCCESS) {
printf("Unable to set value data, rc=%x\n", rc);
goto ExitFunction;
}
DelayTime.QuadPart = 10*1000*1000; // 1 second
DelayTime.QuadPart = -(DelayTime.QuadPart);
rc=NtDelayExecution(TRUE, &DelayTime);
if ((rc!=STATUS_USER_APC)&&(rc!=STATUS_SUCCESS)) {
printf("NtDelayExecution failed, rc=%x\n", rc);
goto ExitFunction;
}
/* Save key in hive */
RtlInitUnicodeString(&FileName, L"\\Device\\HardDisk0\\Partition1\\hello.dat");
InitializeObjectAttributes(&ObjectAttr,
&FileName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
rc=NtCreateFile(&hFile,
GENERIC_WRITE,
&ObjectAttr,
&IoStatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
FILE_OPEN_IF,
0,
NULL,
0);
if (rc!=STATUS_SUCCESS) {
printf("NtCreateFile failed, rc=%x\n", rc);
goto ExitFunction;
}
if (!EnableOrDisablePrivilege(SE_BACKUP_PRIVILEGE, FALSE)) {
printf("EnableOrDisablePrivilege failed\n");
goto ExitFunction;
}
rc=NtSaveKey(hKeyCreated,
hFile);
EnableOrDisablePrivilege(SE_BACKUP_PRIVILEGE, TRUE);
if (rc!=STATUS_SUCCESS) {
printf("NtSaveFile failed, rc=%x\n", rc);
goto ExitFunction;
}
NtClose(hFile);
/* Load hive on key*/
RtlInitUnicodeString(&KeyName, L"\\Registry\\Machine\\Prasad");
InitializeObjectAttributes(&ObjectAttr,
&KeyName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
RtlInitUnicodeString(&FileName, L"\\Device\\HardDisk0\\Partition1\\hello.dat");
InitializeObjectAttributes(&HiveObjectAttr,
&FileName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL);
if (!EnableOrDisablePrivilege(SE_RESTORE_PRIVILEGE, FALSE)) {
printf("EnableOrDisablePrivilege failed\n");
goto ExitFunction;
}
rc=NtLoadKey2(&ObjectAttr, &HiveObjectAttr, REG_NO_LAZY_FLUSH);
EnableOrDisablePrivilege(SE_RESTORE_PRIVILEGE, TRUE);
if (rc!=STATUS_SUCCESS) {
printf("NtLoadKey failed, rc=%x\n", rc);
goto ExitFunction;
}
if (!EnableOrDisablePrivilege(SE_RESTORE_PRIVILEGE, FALSE)) {
printf("EnableOrDisablePrivilege failed\n");
goto ExitFunction;
}
rc=NtUnloadKey(&ObjectAttr);
EnableOrDisablePrivilege(SE_RESTORE_PRIVILEGE, TRUE);
if (rc!=STATUS_SUCCESS) {
printf("NtUnloadKey failed, rc=%x\n", rc);
goto ExitFunction;
}
/* Query Key */
rc=NtQueryKey(hKeyCreated,
KeyFullInformation,
Buffer,
sizeof(Buffer),
&BytesReturned);
if (rc!=STATUS_SUCCESS) {
printf("NtQueryKey failed, rc=%x\n", rc);
goto ExitFunction;
}
pKeyFullInfo=(PKEY_FULL_INFORMATION)Buffer;
printf("pKeyFullInfo->SubKeys = %d\n", pKeyFullInfo->SubKeys);
printf("pKeyFullInfo->MaxNameLen = %d\n", pKeyFullInfo->MaxNameLen);
printf("pKeyFullInfo->Values = %d\n", pKeyFullInfo->Values);
printf("pKeyFullInfo->MaxValueNameLen = %d\n", pKeyFullInfo->MaxValueNameLen);
printf("pKeyFullInfo->MaxValueDataLen = %d\n", pKeyFullInfo->MaxValueDataLen);
/* Query Value */
RtlInitUnicodeString(&ValueName, L"Value1");
rc=NtQueryValueKey(hKeyCreated,
&ValueName,
KeyValueFullInformation,
Buffer,
sizeof(Buffer),
&BytesReturned);
if (rc!=STATUS_SUCCESS) {
printf("NtQueryValueKey failed, rc=%x\n", rc);
goto ExitFunction;
}
pKeyValueFullInfo=(PKEY_VALUE_FULL_INFORMATION)Buffer;
printf("pKeyValueFullInfo->DataLength = %d\n", pKeyValueFullInfo->DataLength);
printf("pKeyValueFullInfo->NameLength = %d\n", pKeyValueFullInfo->NameLength);
printf("pKeyValueFullInfo->Type = ", pKeyValueFullInfo->DataLength);
switch (pKeyValueFullInfo->Type) {
case REG_SZ:
printf("(REG_SZ)\n");
break;
case REG_DWORD:
printf("(REG_DWORD)\n");
break;
default:
printf("(%x)\n", pKeyValueFullInfo->Type);
}
RtlInitUnicodeString(&KeyValueName[0], L"Value1");
RtlInitUnicodeString(&KeyValueName[1], L"Value2");
KeyValueEntries[0].ValueName=&KeyValueName[0];
KeyValueEntries[1].ValueName=&KeyValueName[1];
rc=NtQueryMultipleValueKey(hKeyCreated,
KeyValueEntries,
2,
Buffer,
&BufferSize,
&BytesReturned);
if (rc!=STATUS_SUCCESS) {
printf("NtQueryMultipleValueKey failed, rc=%x\n", rc);
goto ExitFunction;
}
for (i=0; i<2; i++) {
printf("%S ", KeyValueEntries[i].ValueName->Buffer);
switch(KeyValueEntries[i].Type) {
case REG_SZ:
printf("REG_SZ %S\n", Buffer+KeyValueEntries[i].DataOffset);
break;
case REG_DWORD:
printf("REG_DWORD %x\n", *((ULONG *)(Buffer+KeyValueEntries[i].DataOffset)));
break;
}
}
/* Enumerate values under HKEY_LOCAL_MACHINE\Software\TestKey */
Index=0;
rc=NtEnumerateValueKey(hKeyCreated,
Index,
KeyValueBasicInformation,
Buffer,
sizeof(Buffer),
&BytesReturned);
while (rc==STATUS_SUCCESS) {
*(PWCHAR)(&Buffer[BytesReturned])=L'\0';
pKeyValueBasicInfo=(PKEY_VALUE_BASIC_INFORMATION)Buffer;
printf("%S ", pKeyValueBasicInfo->Name);
switch (pKeyValueBasicInfo->Type) {
case REG_SZ:
printf("(REG_SZ)\n");
break;
case REG_DWORD:
printf("(REG_DWORD)\n");
break;
default:
printf("(%x)\n", pKeyValueBasicInfo->Type);
}
Index++;
RtlInitUnicodeString(&ValueName, pKeyValueBasicInfo->Name);
rc=NtEnumerateValueKey(hKeyCreated,
Index,
KeyValueBasicInformation,
Buffer,
sizeof(Buffer),
&BytesReturned);
}
/* Enumerate subkeys under HKEY_LOCAL_MACHINE\Software\TestKey */
Index=0;
rc=NtEnumerateKey(hKeyCreated,
Index,
KeyBasicInformation,
Buffer,
sizeof(Buffer),
&BytesReturned);
while (rc==STATUS_SUCCESS) {
*(PWCHAR)(&Buffer[BytesReturned])=L'\0';
pKeyBasicInfo=(PKEY_BASIC_INFORMATION)Buffer;
printf("%x %S\n", pKeyBasicInfo->NameLength, pKeyBasicInfo->Name);
Index++;
rc=NtEnumerateKey(hKeyCreated,
Index,
KeyBasicInformation,
Buffer,
sizeof(Buffer),
&BytesReturned);
}
/* Delete keys under HKEY_LOCAL_MACHINE\Software\TestKey */
RtlInitUnicodeString(&KeyName, L"Key1");
InitializeObjectAttributes(&ObjectAttr,
&KeyName,
OBJ_CASE_INSENSITIVE,
hKeyCreated,
NULL);
rc=NtOpenKey(&hKey,
MAXIMUM_ALLOWED,
&ObjectAttr);
if (rc!=STATUS_SUCCESS) {
printf("Unable to open key, rc=%x\n", rc);
goto ExitFunction;
}
rc=NtDeleteKey(hKey);
if (rc!=STATUS_SUCCESS) {
printf("Unable to delete key, rc=%x\n", rc);
NtClose(hKey);
goto ExitFunction;
}
NtClose(hKey);
RtlInitUnicodeString(&KeyName, L"Key2");
InitializeObjectAttributes(&ObjectAttr,
&KeyName,
OBJ_CASE_INSENSITIVE,