
Help Hooking RegEnumKeyExW

Posted: Wed Aug 11, 2004 8:43 am
by pablo.p
How can I hide the registry key of my app?

I tried this code, but it doesn't work.

uses
  Windows, SysUtils;

const
  FHIDE_KEY = '*HIDE_ME*';

{-----------------Next Hook prototype---------------------}
var
  RegEnumKeyExWNextHook : function(hKey: HKEY;
                            dwIndex: DWORD;
                            lpName: PWideChar;
                            var lpcbName: DWORD;
                            lpReserved: Pointer;
                            lpClass: PWideChar;
                            lpcbClass: PDWORD;
                            lpftLastWriteTime: PFileTime): Longint; stdcall;
{-------------------------------------------------------------}

{----------------------Callback function -----------------------------}
{ Installed in place of RegEnumKeyExW; TextMatch is a helper from the
  poster's own project and is not shown here. }
function RegEnumKeyExWCallBack(hKey: HKEY;
                               dwIndex: DWORD;
                               lpName: PWideChar;
                               var lpcbName: DWORD;
                               lpReserved: Pointer;
                               lpClass: PWideChar;
                               lpcbClass: PDWORD;
                               lpftLastWriteTime: PFileTime): Longint; stdcall;
var
  MyKey : string;
begin
  { Reads the caller's name buffer before the original API has filled it }
  MyKey := WideCharToString(lpName);

  if TextMatch(MyKey, FHIDE_KEY) then
    begin
      { Skip one index and pass empty buffers to the original function }
      dwIndex           := dwIndex + 1;
      lpName            := nil;
      lpcbName          := 0;
      lpClass           := nil;
      lpcbClass         := nil;
      lpftLastWriteTime := nil;
    end;

  Result := RegEnumKeyExWNextHook(hKey, dwIndex, lpName, lpcbName, lpReserved,
                                  lpClass, lpcbClass, lpftLastWriteTime);
end;
{-----------------------------------------------------------------------------------}
{-----------------------------------------------------------------------------------}


Thanks for the help.

Posted: Wed Aug 11, 2004 12:28 pm
by madshi
First of all you are violating hooking rule 7. Please check the documentation.

Next, when someone calls RegEnumKeyEx, the parameters point to buffers which are not filled yet. They may contain random data. RegEnumKeyEx is supposed to fill the buffers with real information. So it doesn't make sense to check "lpName" before you have called RegEnumKeyExWNextHook. After you have called it you can check lpName and then, if necessary, call it again to hide your key. However, this is known to cause some problems, because you're "dropping" an index. Some programs may not care, but some programs may have problems. Correctly hiding a registry key is a bit harder than this.

(Finally, I hope your program is going to be legal? You must not use madCodeHook for anything illegal, nor for rootkits or anything else which might become a target of anti-virus companies, because otherwise my customers and I will run into serious trouble.)
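To make the "dropping an index" problem from the reply above concrete, here is an added simulation that is not code from the thread, from the poster, or from madCodeHook. It stands in for RegEnumKeyExW with a constructed list of subkey names and narrow C strings (the real API uses UTF-16), installs no hook, and touches no registry. The hook function implements the approach the reply describes (call the original first, inspect the filled buffer, then call again with dwIndex+1 on a match), and a typical caller loop shows what that does to the enumeration: the key after the hidden one is returned twice, while the total count stays unchanged. The naive hook, the fake subkey list and the ERROR_* values other than those copied from WinError.h are assumptions of this example.

```c
/* Constructed simulation of RegEnumKeyExW's index-based contract and of a
   "call again with dwIndex+1" hook. Not madCodeHook code; no real hooking
   and no registry access. Build with any C99 compiler:
     cc -std=c99 -o regenum_sim regenum_sim.c && ./regenum_sim */
#include <stdio.h>
#include <string.h>

#define ERROR_SUCCESS        0L
#define ERROR_MORE_DATA      234L   /* value from WinError.h */
#define ERROR_NO_MORE_ITEMS  259L   /* value from WinError.h */
#define MAX_KEYS 8
#define NAME_MAX 64

/* Constructed subkey list standing in for a real key's subkeys. */
static const char *g_subkeys[] = { "Adobe", "HIDE_ME", "Microsoft", "Mozilla" };
static const unsigned g_count = 4;

/* Stand-in for the original RegEnumKeyExW: fills the caller's buffer with
   the name at dwIndex, or reports ERROR_NO_MORE_ITEMS past the end. */
static long real_enum(unsigned dwIndex, char *lpName, unsigned *lpcbName) {
    if (dwIndex >= g_count) return ERROR_NO_MORE_ITEMS;
    size_t n = strlen(g_subkeys[dwIndex]);
    if (n + 1 > *lpcbName) return ERROR_MORE_DATA;
    memcpy(lpName, g_subkeys[dwIndex], n + 1);
    *lpcbName = (unsigned)n;           /* length without the terminator */
    return ERROR_SUCCESS;
}

/* Hook as described in the reply: call the original first so the buffer
   is actually filled, inspect it, and on a match skip to dwIndex+1.
   "HIDE_ME" is the constructed name to hide. */
static long naive_hook(unsigned dwIndex, char *lpName, unsigned *lpcbName) {
    unsigned cb = *lpcbName;
    long rc = real_enum(dwIndex, lpName, &cb);
    if (rc == ERROR_SUCCESS && strcmp(lpName, "HIDE_ME") == 0) {
        cb = *lpcbName;                /* reset buffer size for the retry */
        rc = real_enum(dwIndex + 1, lpName, &cb);
    }
    *lpcbName = cb;
    return rc;
}

typedef long (*enum_fn)(unsigned, char *, unsigned *);

/* A typical caller: index 0, 1, 2, ... until ERROR_NO_MORE_ITEMS.
   Returns how many names were collected into out[]. */
static unsigned enumerate_all(enum_fn fn, char out[][NAME_MAX], unsigned max) {
    unsigned n = 0;
    for (unsigned i = 0; n < max; i++) {
        unsigned cb = NAME_MAX;
        long rc = fn(i, out[n], &cb);
        if (rc != ERROR_SUCCESS) break;   /* NO_MORE_ITEMS or an error */
        n++;
    }
    return n;
}

/* Consistency check a careful application or a defender can run: an
   index-based enumeration must never return the same subkey name twice. */
static int has_duplicate(char names[][NAME_MAX], unsigned n) {
    for (unsigned i = 0; i < n; i++)
        for (unsigned j = i + 1; j < n; j++)
            if (strcmp(names[i], names[j]) == 0) return 1;
    return 0;
}

int main(void) {
    char names[MAX_KEYS][NAME_MAX];
    unsigned n = enumerate_all(real_enum, names, MAX_KEYS);
    printf("unhooked: %u keys\n", n);
    n = enumerate_all(naive_hook, names, MAX_KEYS);
    printf("hooked:   %u keys, duplicate=%d\n", n, has_duplicate(names, n));
    for (unsigned i = 0; i < n; i++) printf("  [%u] %s\n", i, names[i]);
    return 0;
}
```

Two things follow from the run. First, the hooked enumeration still returns four names, so a program that trusts the subkey count from RegQueryInfoKey sees no discrepancy, but it gets "Microsoft" at both index 2 and index 3, which is the kind of inconsistency the reply warns some programs will trip over. Second, a duplicate name in an index-based enumeration is never legitimate, so the check in has_duplicate is a cheap way for a scanner to notice that this style of hook is present. Had the hidden key been the last one, the retry at dwIndex+1 would instead have returned ERROR_NO_MORE_ITEMS one entry early and the count would no longer match; either way the caller's view of the key stops being consistent, which is why the reply says a correct implementation is harder than a single skip.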