Help Hooking RegEnumKeyExW
Postby pablo.p » Wed Aug 11, 2004 8:43 am

How can I hide the registry key of my app??

I tried this code but it doesn't work


const
  FHIDE_KEY = '*HIDE_ME*';

{-----------------Next Hook prototype---------------------}
var
  RegEnumKeyExWNextHook : function(hKey: HKEY;
                                   dwIndex: DWORD;
                                   lpName: PWideChar;
                                   var lpcbName: DWORD;
                                   lpReserved: Pointer;
                                   lpClass: PWideChar;
                                   lpcbClass: PDWORD;
                                   lpftLastWriteTime: PFileTime): Longint; stdcall;
{-------------------------------------------------------------}

{----------------------Callback function -----------------------------}
function RegEnumKeyExWCallBack(hKey: HKEY; dwIndex: DWORD; lpName: PWideChar;
  var lpcbName: DWORD; lpReserved: Pointer; lpClass: PWideChar;
  lpcbClass: PDWORD; lpftLastWriteTime: PFileTime): Longint; stdcall;
var
  MyKey : string;
begin
  // lpName is an output buffer; it has not been filled by the real API yet
  MyKey := WideCharToString(lpName);

  if TextMatch(MyKey, FHIDE_KEY) then
    begin
      hKey              := hKey;
      dwIndex           := dwIndex + 1;
      lpName            := nil;
      lpcbName          := 0;
      lpReserved        := lpReserved;
      lpClass           := nil;
      lpcbClass         := nil;
      lpftLastWriteTime := nil;   // pointer parameter, so nil rather than 0
    end;

  Result := RegEnumKeyExWNextHook(hKey, dwIndex, lpName, lpcbName, lpReserved,
                                  lpClass, lpcbClass, lpftLastWriteTime);
end;
{-----------------------------------------------------------------------------------}

Thanks for help.
pablo.p

Postby madshi » Wed Aug 11, 2004 12:28 pm

First of all you are violating hooking rule 7. Please check the documentation.

Next, when someone calls RegEnumKeyEx, the parameters point to buffers which are not filled yet. They may contain random data. RegEnumKeyEx is supposed to fill the buffers with real information. So it doesn't make sense to ask "lpName" before you called RegEnumKeyExWNextHook. After you called it you can check lpName and then eventually call it again to hide your key. However, this is known to make some problems, because you're "dropping" an index. Some programs may not care, but some programs may make problems. Correctly hiding a registry key is a bit harder than this.

(Finally, I hope your program is going to be legal? You must not use madCodeHook for anything illegal, also not for rootkits or anything else which might become a target of anti virus companies. Because otherwise me and my customers will run into serious trouble.)
madshi
Site Admin
