Why is my ZwOpenKey function not returning a HANDLE?


I could be missing something obvious here but I've tried everything I could think of and still no luck.

I'm trying to use ZwOpenKey and ZwCreateKey to add a value to the Run key in the registry.

However, the ZwOpenKey never fills my RegKey HANDLE value and it instead returns STATUS_OBJECT_NAME_NOT_FOUND.

Also, the ZwCreateKey doesn't return STATUS_SUCCESS either.

My Code:

Where function is called:

WCHAR RegistryString[MAX_PATH], Path[MAX_PATH];
            // NOTE(review): "\Registry\User" is the HKEY_USERS root, not the current
            // user's hive, so "\Registry\User\Software\..." does not exist and
            // ZwOpenKey reports STATUS_OBJECT_NAME_NOT_FOUND. The per-user Run key is
            // "\Registry\User\<SID>\Software\Microsoft\Windows\CurrentVersion\Run"
            // (RtlFormatCurrentUserKeyPath / RtlOpenCurrentUser give the prefix);
            // the machine-wide one is "\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Run".
            // TEXT() only yields a wide literal when UNICODE is defined; wsprintfW
            // needs L"...". wsprintfW also returns an int character count, not a pointer.
            if (wsprintfW(RegistryString, TEXT("\\Registry\\User\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")) != NULL) {
                HANDLE RegKey = 0;
                // &RegKey is a HANDLE* (PHANDLE), but the wrappers declare the
                // parameter as a plain HANDLE; this only compiles because HANDLE is
                // void*. The wrapper must write through this pointer, otherwise
                // RegKey stays 0 even when the open succeeds.
                if (Registry::OpenKeyW(&RegKey, RegistryString, KEY_WRITE, &Api) != STATUS_SUCCESS) {
                    // ZwCreateKey creates only the last path component; while the
                    // parent path is wrong it fails the same way as the open.
                    if (Registry::CreateKeyW(&RegKey, RegistryString, KEY_WRITE, &Api) != STATUS_SUCCESS) {

                    }
                }

ZwOpenKey Code itself:

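// Open an existing registry key by its absolute native object-manager path
// (e.g. "\Registry\Machine\Software\..."). "\Registry\User" is the HKEY_USERS
// root, so a per-user key lives under "\Registry\User\<SID>\...".
//
// hKey     receives the opened handle. The visible caller passes &RegKey, i.e.
//          a PHANDLE carried through this HANDLE (void*) parameter. The original
//          body handed ZwOpenKey the address of its own by-value copy, so the
//          caller's HANDLE was never written; the caller's pointer is recovered
//          and written through below. Declaring the parameter as PHANDLE in both
//          the header and this definition would let the compiler enforce this.
// KeyName  NUL-terminated wide absolute path; the key must already exist.
// MaskType KEY_* access mask requested for the handle.
// p        table of resolved native entry points (_RtlInitUnicodeString, _ZwOpenKey).
// Returns the NTSTATUS from ZwOpenKey (STATUS_SUCCESS on success).
NTSTATUS Registry::OpenKeyW(HANDLE hKey, PWCHAR KeyName, ACCESS_MASK MaskType, API * p)
{
    // Caller's HANDLE* arrives as void*; write the result through it.
    PHANDLE ResultHandle = static_cast<PHANDLE>(hKey);

    UNICODE_STRING uKeyName;
    p->_RtlInitUnicodeString(&uKeyName, KeyName);

    OBJECT_ATTRIBUTES KeyAttributes;
    // No RootDirectory, so KeyName is resolved as an absolute \Registry\... path.
    InitializeObjectAttributes(&KeyAttributes, &uKeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    return p->_ZwOpenKey(ResultHandle, MaskType, &KeyAttributes);
}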

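// Create a registry key (or open it if it already exists) at an absolute native
// path. ZwCreateKey creates only the final path component, so every parent key
// must already exist; with a wrong parent path it fails exactly like ZwOpenKey
// (STATUS_OBJECT_NAME_NOT_FOUND).
//
// hKey     receives the handle. As at the visible call site, the caller passes
//          &RegKey (a PHANDLE) through this HANDLE parameter; the original body
//          passed the address of its own by-value copy to ZwCreateKey, so the
//          caller never saw the handle. The header declaration and this
//          definition should both become PHANDLE so the compiler checks this;
//          until then the caller's pointer is recovered explicitly.
// KeyName  NUL-terminated wide absolute path of the key to create.
// MaskType KEY_* access mask requested for the returned handle.
// p        table of resolved native entry points.
// Returns the NTSTATUS from ZwCreateKey.
//
// Security note: the caller targets an autostart (Run) key. Entries there run at
// every logon, so treat writes to them as a privileged, auditable action.
NTSTATUS Registry::CreateKeyW(HANDLE hKey, PWCHAR KeyName, ACCESS_MASK MaskType, API * p)
{
    // Caller's HANDLE* arrives as void*; write the result through it.
    PHANDLE ResultHandle = static_cast<PHANDLE>(hKey);
    ULONG Disposition = 0;   // ULONG, not a pointer: initialise with 0, not NULL

    UNICODE_STRING uKeyName;
    p->_RtlInitUnicodeString(&uKeyName, KeyName);

    OBJECT_ATTRIBUTES KeyAttributes;
    // No RootDirectory, so KeyName is resolved as an absolute \Registry\... path.
    InitializeObjectAttributes(&KeyAttributes, &uKeyName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // TitleIndex 0, no Class, CreateOptions 0. Disposition (created vs. opened)
    // is received but not surfaced, to keep the existing interface.
    return p->_ZwCreateKey(ResultHandle, MaskType, &KeyAttributes, 0, NULL, 0, &Disposition);
}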

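// Set (create or overwrite) a value on an already-opened key.
//
// hKey      the open key handle itself, as returned by OpenKeyW/CreateKeyW.
//           The original passed &hKey - the address of this parameter - which
//           only compiled because HANDLE is void*. ntdll's ZwSetValueKey takes
//           the HANDLE by value, so that call would be rejected as an invalid
//           handle. (fnZwSetValueKey's typedef is not shown here; confirm its
//           first parameter is HANDLE, matching ntdll.)
// ValueName NUL-terminated wide value name.
// Type      REG_* value type.
// Data      value bytes. DataSize is in bytes; per the ZwSetValueKey contract a
//           REG_SZ/REG_EXPAND_SZ buffer should include the terminating NUL.
// p         table of resolved native entry points.
// Returns the NTSTATUS from ZwSetValueKey.
NTSTATUS Registry::WriteValueKeyW(HANDLE hKey, PWCHAR ValueName, ULONG Type, PBYTE Data, ULONG DataSize, API * p)
{
    UNICODE_STRING uValueName;
    p->_RtlInitUnicodeString(&uValueName, ValueName);

    // TitleIndex is reserved; pass 0. The handle is passed by value, not its address.
    return p->_ZwSetValueKey(hKey, &uValueName, 0, Type, Data, DataSize);
}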

Header file:

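// Minimal subset of the native (ntdef.h / ntstatus.h) definitions used by the
// Registry wrappers; values match the SDK headers.
#define OBJ_CASE_INSENSITIVE 0x00000040

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)

// Fill an OBJECT_ATTRIBUTES the way the SDK macro does.
//   p - OBJECT_ATTRIBUTES* to initialise
//   n - PUNICODE_STRING object name (absolute when r is NULL)
//   a - OBJ_* attribute flags
//   r - optional root handle the name is resolved against (per the SDK)
//   s - optional PSECURITY_DESCRIPTOR
// Fix: the previous version ignored r and always stored NULL, so a caller that
// supplied a root key handle would silently have its name treated as absolute.
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES );        \
    (p)->RootDirectory = r;                           \
    (p)->Attributes = a;                              \
    (p)->ObjectName = n;                              \
    (p)->SecurityDescriptor = s;                      \
    (p)->SecurityQualityOfService = NULL;             \
    }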

namespace Registry {
    // Thin wrappers over the dynamically resolved Zw*/Rtl* entry points in API.
    // NOTE(review): hKey on OpenKeyW/CreateKeyW is an *output* - the caller passes
    // &RegKey, i.e. a PHANDLE that only converts to HANDLE because HANDLE is void*.
    // Declaring these two as PHANDLE (together with their definitions) would let
    // the compiler check the call instead of relying on that conversion.
    NTSTATUS OpenKeyW(HANDLE hKey, PWCHAR KeyName, ACCESS_MASK MaskType, API *p);
    NTSTATUS CreateKeyW(HANDLE hKey, PWCHAR KeyName, ACCESS_MASK MaskType, API *p);
    // Here hKey is the opened key itself (an input), which is what ZwSetValueKey expects.
    NTSTATUS WriteValueKeyW(HANDLE hKey, PWCHAR ValueName, ULONG Type, PBYTE Data, ULONG DataSize, API *p);
}

Function Struct:

// Signatures of the native entry points resolved at runtime (ntdll's
// ZwCreateKey / ZwOpenKey). The first parameter is PHANDLE: the callee writes
// the resulting handle through it, so the wrappers must pass the caller's
// HANDLE address, not the address of a local copy.
typedef NTSTATUS(NTAPI *fnZwCreateKey)(
    PHANDLE            KeyHandle,        // out: receives the key handle
    ACCESS_MASK        DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes, // name, optional root, OBJ_* flags
    ULONG              TitleIndex,       // reserved; the wrappers pass 0
    PUNICODE_STRING    Class,            // optional; the wrappers pass NULL
    ULONG              CreateOptions,    // the wrappers pass 0
    PULONG             Disposition       // out: the wrappers pass a local ULONG
);

typedef NTSTATUS (NTAPI *fnZwOpenKey)(
    PHANDLE            KeyHandle,        // out: receives the key handle
    ACCESS_MASK        DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes  // name, optional root, OBJ_* flags
);
asked on Stack Overflow Jul 23, 2019 by Cosmos • edited Jul 23, 2019 by Nerdy Bunz



User contributions licensed under CC BY-SA 3.0