How to hide a registry key with an embedded null character (the RegHide technique from Sysinternals)

I read about the ability to hide a registry key using a technique described by Sysinternals: the Native API lets you embed a null character in a key name (for example "hello\0world"), which Win32-based tools cannot then open: http://technet.microsoft.com/en-us/sysinternals/bb897446.aspx (see the "Hidden Registry Keys" section).

They also ship a tool (RegDelNull) that finds and deletes such keys: http://technet.microsoft.com/en-us/sysinternals/bb897448.aspx

Does anyone know how to create / read / delete a hidden registry value in Delphi using this technique?


The Sysinternals article explains why this works:

"The Win32 API accepts both ANSI (8-bit) and Unicode (16-bit) strings, and in both cases they are NULL-terminated. The Native API accepts only Unicode (16-bit) strings, and these are counted strings: the length is carried explicitly, so a NULL character inside the name is ordinary data. As a result, a key whose name contains an embedded NULL can be created through the Native API but cannot be opened, accessed or deleted through the Win32 API."

So if you call the Win32 function RegCreateKeyW() with the name "Foo\0Bar", the string is treated as NULL-terminated and everything after the embedded null is cut off: the key that actually gets created is "Foo" (i.e. "Foo\0").

With the Native API function NtCreateKey, on the other hand, the name is passed as a counted string (a UNICODE_STRING referenced from an OBJECT_ATTRIBUTES structure), so the full name "Foo\0Bar" — embedded null included — becomes the key name.

Regedit is built on the Win32 API, so it cannot deal with such a key. It sees the name as "Foo\0", i.e. it displays a key called "Foo", but when you select it Regedit calls RegOpenKey with "Foo" — a different key — and the open fails (or lands on the wrong key).

In short, to create, open, read or delete such a key you have to go through the Native API yourself.

In Delphi that means calling into ntdll.dll directly — for example by declaring function-pointer types like the ones below and resolving them with GetProcAddress.

For instance, the declarations you need:

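type
  // Native API status code: 0 (STATUS_SUCCESS) on success, negative on failure.
  NTSTATUS = Longint;
  PLARGE_INTEGER = ^LARGE_INTEGER;
  USHORT   = Word;

  // Counted Unicode string as used by the Native API.  Unlike the Win32
  // PWideChar parameters, the string is NOT terminated by #0: Length and
  // MaximumLength are BYTE counts (not character counts), and a #0 inside
  // Buffer is ordinary data.  This is exactly what makes a key name such as
  // 'Foo'#0'Bar' possible — set Length to the full byte length of the name
  // explicitly rather than deriving it from the first #0 (anything that
  // scans for a terminator would stop at 'Foo').
  UNICODE_STRING = record
    Length: USHORT;         // bytes in use (Length(Name) * SizeOf(WideChar))
    MaximumLength: USHORT;  // bytes available in Buffer; >= Length
    Buffer: PWideChar;      // not required to be null-terminated
  end;
  PUNICODE_STRING = ^UNICODE_STRING;

  // Describes the object (here: the registry key) to create or open.
  // ObjectName is the counted key path; if RootDirectory is non-zero the
  // path is relative to that key handle, otherwise it must be an absolute
  // native path (e.g. '\Registry\Machine\Software\...').  Length must be set
  // to SizeOf(OBJECT_ATTRIBUTES) before the structure is passed in.
  OBJECT_ATTRIBUTES = record
    Length: ULONG;
    RootDirectory: THandle;
    ObjectName: PUNICODE_STRING;
    Attributes: ULONG;                 // typically OBJ_CASE_INSENSITIVE
    SecurityDescriptor: Pointer;       // nil = default security
    SecurityQualityOfService: Pointer; // nil for registry keys
  end;
  POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;

  // function prototypes — resolve each one from ntdll.dll via GetProcAddress;
  // all are stdcall and return an NTSTATUS (0 = success).

  // Creates the key named by ObjectAttributes^ or, if it already exists,
  // opens it; Disposition (may be nil) receives which of the two happened.
  // The returned KeyHandle^ must be released with NtClose.
  TNtCreateKey = function(KeyHandle : PHANDLE;
                          DesiredAccess: ACCESS_MASK;
                          ObjectAttributes: POBJECT_ATTRIBUTES;
                          TitleIndex: ULONG;
                          ClassType: PUNICODE_STRING;
                          CreateOptions: ULONG;
                          Disposition: PULONG
                         ): NTSTATUS; stdcall;

  // Opens an existing key; this is how you get a handle to a key with an
  // embedded null in order to read values under it or delete it, since the
  // Win32 RegOpenKey* functions cannot address such a key.
  TNtOpenKey = function(KeyHandle: PHANDLE;
                        DesiredAccess: ACCESS_MASK;
                        ObjectAttributes: POBJECT_ATTRIBUTES
                       ): NTSTATUS; stdcall;

  // Deletes the key that KeyHandle was opened on (DELETE access required).
  // The handle itself still has to be closed afterwards.
  TNtDeleteKey = function(KeyHandle: THANDLE): NTSTATUS; stdcall;

  // Closes a handle returned by NtCreateKey / NtOpenKey.
  TNtClose = function(Handle: THandle): NTSTATUS; stdcall;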

From there it works exactly as it does in C/C++: fill in the UNICODE_STRING with the explicit byte length of the name (so the embedded null is not treated as a terminator), initialize OBJECT_ATTRIBUTES, and call NtCreateKey to create the key and NtDeleteKey on the resulting handle to remove it again.


Keep in mind that hiding a key from Regedit is not the same as hiding it from everyone (it is a well-known trick, and Sysinternals publishes a tool to find such keys). A key "hidden" this way is still visible to any program that uses the Native API, and a monitoring tool such as RegMon sees the registry operations themselves rather than going through the Win32 API.


Source: https://habr.com/ru/post/1722668/

