Help Hooking RegEnumKeyExW

c++ / delphi package - dll injection and api hooking
pablo.p
Posts: 1
Joined: Wed Aug 11, 2004 8:34 am

Post by pablo.p »

How can I hide the registry key of my app?

I tried with this code but it doesn't work.


const 

FHIDE_KEY = '*HIDE_ME*'

{-----------------Next Hook prototype---------------------}
 RegEnumKeyExWNextHook : function(hKey: HKEY;
                            dwIndex: DWORD;
                            lpName: PWideChar;
                            var lpcbName: DWORD;
                            lpReserved: Pointer;
                            lpClass: PWideChar;
                            lpcbClass: PDWORD;
                            lpftLastWriteTime: PFileTime): Longint; stdcall;
{-------------------------------------------------------------}

{----------------------Callback function -----------------------------}
function RegEnumKeyExWCallBack( hKey: HKEY; dwIndex: DWORD; lpName: PWideChar; var lpcbName: DWORD; lpReserved: Pointer; lpClass: PWideChar; lpcbClass: PDWORD; lpftLastWriteTime: PFileTime): Longint; stdcall;
  var MyKey : string;
begin
  MyKey   := '';
  MyKey   := WideCharToString(lpName);

  if TextMatch(MyKey,FHIDE_KEY) then
    begin
      hKey              := hKey;
      dwIndex         := dwIndex+1;
      lpName          := nil;
      lpcbName       := 0;
      lpReserved     := lpReserved;
      lpClass           := nil;
      lpcbClass        := nil;
      lpftLastWriteTime := 0
    end;

  Result  := RegEnumKeyExWNextHook(hKey,dwIndex,lpName,lpcbName,lpReserved,lpClass,lpcbClass,lpftLastWriteTime);

end;
{-----------------------------------------------------------------------------------}


Thanks for help.

madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

First of all you are violating hooking rule 7. Please check the documentation.

Next, when someone calls RegEnumKeyEx, the parameters point to buffers which are not filled yet. They may contain random data. RegEnumKeyEx is supposed to fill the buffers with real information. So it doesn't make sense to ask "lpName" before you called RegEnumKeyExWNextHook. After you called it you can check lpName and then eventually call it again to hide your key. However, this is known to make some problems, because you're "dropping" an index. Some programs may not care, but some programs may make problems. Correctly hiding a registry key is a bit harder than this.

(Finally, I hope your program is going to be legal? You must not use madCodeHook for anything illegal, also not for rootkits or anything else which might become a target of anti virus companies. Because otherwise me and my customers will run into serious trouble.)