注册表打开

  2. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegisteryPath) {
  5.     DriverObject->DriverUnload = Unload;
  7.     OBJECT_ATTRIBUTES Attr = { 0 };
  8.     HANDLE hKey = NULL;
  9.     ULONG ulDisposition = 0;
  10.     NTSTATUS nStatus = STATUS_SUCCESS;
  11.     UNREFERENCED_PARAMETER(DriverObject);
  13.     //使用宏初始化objectattr 结构体
  14.     InitializeObjectAttributes(
  15.         &Attr,
  16.         RegisteryPath,
  17.         OBJ_KERNEL_HANDLE|OBJ_CASE_INSENSITIVE,
  18.         NULL,
  19.         NULL);
  23.     nStatus = ZwCreateKey(
  24.         &hKey,//注册表handle
  25.         KEY_WRITE,//访问权限KEY_ALL_ACCESS,KEY_SET_VALUE
  26.         &Attr,//对象属性
  27.         0,//可以设置为null
  28.         NULL,
  29.         REG_OPTION_NON_VOLATILE,//重启后不保留
  30.         &ulDisposition);//返回结果 REG_CREATED_NEW_KEY(创建了新的)或REG_OPENED_EXISTING_KEY
  31.     if (hKey!=NULL)
  32.     {
  33.         ZwClose(hKey);//关闭handle
  34.         hKey = NULL;
  37.     }
  40.     return STATUS_SUCCESS;
  41. }

注册表修改

ZwSetValueKey 设置驱动为自启动

  1. if (hKey!=NULL)
  2.     {
  3.         UNICODE_STRING usValueName = { 0 };
  4.         ULONG ulNewStartValue = 2;
  5.         RtlInitUnicodeString(&usValueName, L"Start");
  6.         nStatus = ZwSetValueKey(
  7.                 hKey,
  8.                 &usValueName,
  9.                 0,
  10.                 REG_DWORD,
  11.                 (PVOID)&ulNewStartValue,
  12.                 sizeof(ulNewStartValue));
  14.         ZwClose(hKey);
  15.         hKey = NULL;
  18.     }

注册表读取

ZwQueryValueKey