search for: zwcreatekey

On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to properly work with such names for several years. These changes make such names accessible from hivex.

...e, L"\\Registry\\Machine\\minimal"); + OBJECT_ATTRIBUTES root_key_obj; + InitializeObjectAttributes (&root_key_obj, &root_key_name, + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, + NULL, NULL); + HANDLE minimal_key_handle; + rc = ZwCreateKey (&minimal_key_handle, KEY_ALL_ACCESS, &root_key_obj, + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); + if (!NT_SUCCESS (rc)) { + printf("error: CreateKey <HKLM\\minimal>: 0x%08x\n", rc); + exit(1); + } + + UNICODE_STRING key_name = {16, 16, L"zero...

...val_len, val }; > + OBJECT_ATTRIBUTES key_obj; > + InitializeObjectAttributes (&key_obj, &key_name, > + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, > + *handle, NULL); > + HANDLE key_handle; > + NTSTATUS rc; > + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj, > + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); > + if (!NT_SUCCESS (rc)) { > + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc); > + exit(1); > + } > + DWORD value = 0; > + rc = ZwSetValueKey...

...ODE_STRING value_name = { val_len, val_len, val }; + OBJECT_ATTRIBUTES key_obj; + InitializeObjectAttributes (&key_obj, &key_name, + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, + *handle, NULL); + HANDLE key_handle; + NTSTATUS rc; + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj, + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); + if (!NT_SUCCESS (rc)) { + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc); + exit(1); + } + DWORD value = 0; + rc = ZwSetValueKey (key_handle, &value_name, 0, +...

..._ATTRIBUTES key_obj; > > + InitializeObjectAttributes (&key_obj, &key_name, > > + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, > > + *handle, NULL); > > + HANDLE key_handle; > > + NTSTATUS rc; > > + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj, > > + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); > > + if (!NT_SUCCESS (rc)) { > > + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc); > > + exit(1); > > + } > > + DWORD value =...

On Wed, Jan 08, 2014 at 01:26:23AM +0100, Hilko Bengen wrote: > On Windows, there exist at least two APIs for dealing with the > Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works > with null-terminated ASCII or UTF-16 strings. The native API > (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that > are stored as buffers+length and may contain null characters. Malware > authors have been relying on the Win32 API's inability to properly > work with such names for several years. > > These changes make such names acces...