流程:

  1. 创建OBJECT_ATTRIBUTES对象,InitializeObjectAttributes初始化对象
  2. 通过ZwOpenKey打开注册表对象
  3. 通过ZwQueryValueKey查询指定的注册表对象的值
  1. #include <ntddk.h>
  3. VOID UnloadDriver(PDRIVER_OBJECT pDriver)
  4. {
  5.     DbgPrint("卸载成功\n");
  6. }
  8. NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath)
  9. {
  10.     NTSTATUS status = NULL;
  11.     HANDLE hKey = NULL;
  12.     OBJECT_ATTRIBUTES oKey;
  13.     UNICODE_STRING uKeyname = RTL_CONSTANT_STRING(L"\\Registry\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion");
  14.     UNICODE_STRING uKeyvalue = RTL_CONSTANT_STRING(L"DigitalProductId");
  15.     KEY_VALUE_PARTIAL_INFORMATION getkey = { 0 };
  16.     ULONG uResultLen ;
  17.     InitializeObjectAttributes(&oKey,
  18.         &uKeyname,
  19.         OBJ_OPENIF | OBJ_CASE_INSENSITIVE,
  20.         NULL,
  21.         NULL);
  23.     status = ZwOpenKey(
  24.         &hKey,
  25.         KEY_ALL_ACCESS,
  26.         &oKey);
  28.     if (!NT_SUCCESS(status))
  29.     {
  30.         DbgPrint("打开注册表失败,错误码%d",status);
  31.         return STATUS_SUCCESS;
  32.     }
  34.     status = ZwQueryValueKey(
  35.         hKey,
  36.         &uKeyvalue,
  37.         KeyValuePartialInformation,
  38.         &getkey ,
  39.         sizeof(KEY_VALUE_PARTIAL_INFORMATION),
  40.         &uResultLen
  41.         );
  43.     if (!NT_SUCCESS(status))
  44.     {
  45.         DbgPrint("查询失败,错误码是:%d", status);
  46.     }
  47.     DbgPrint("查询到的值得长度为:%d", getkey.DataLength); 
  48.     DbgPrint("驱动加载成功\n");
  49.     pDriver->DriverUnload = UnloadDriver;
  50. }