API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jan 22nd, 2018
101
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.35 KB | None | 0 0
raw download clone embed print report
  1. Source.c:
  2. UNREFERENCED_PARAMETER(RegistryPath);
  3. INT err = KLoggerInit(RegistryPath);
  4.  
  5. Klogger.h/KLogger.c:
  6. INT KLoggerInit(PUNICODE_STRING RegistryPath)
  7.  
  8.  
  9. KLogger.c:
  10. size_t ring_buf_size = get_ring_buf_size(RegistryPath);
  11.  
  12. size_t get_ring_buf_size(PUNICODE_STRING RegistryPath)
  13. {  
  14.     HANDLE reg_key_handle;
  15.     NTSTATUS status;
  16.     OBJECT_ATTRIBUTES obj_attr;
  17.     UNICODE_STRING reg_key_path;
  18.     ULONG key_value = DEFAULT_RING_BUF_SIZE;
  19.  
  20.     PKEY_VALUE_PARTIAL_INFORMATION part_info;
  21.     ULONG part_info_size;
  22.  
  23.     InitializeObjectAttributes(&obj_attr, RegistryPath, 0, NULL, NULL);
  24.  
  25.     // status = ZwOpenKey(&reg_key_handle, KEY_QUERY_VALUE, &obj_attr);
  26.     status = ZwCreateKey(&reg_key_handle, KEY_QUERY_VALUE | KEY_SET_VALUE, &obj_attr, 0,  NULL, REG_OPTION_NON_VOLATILE, NULL);
  27.     if (!NT_SUCCESS(status))
  28.     {
  29.         DbgPrint("[library_driver]: 'ZwCreateKey()' failed");
  30.         return DEFAULT_RING_BUF_SIZE;
  31.     }
  32.  
  33.     RtlInitUnicodeString(&reg_key_path, REGISTRY_BUF_SIZE_KEY);
  34.    
  35.     part_info_size = sizeof(KEY_VALUE_PARTIAL_INFORMATION) + sizeof(part_info_size);
  36.     part_info = ExAllocatePool(PagedPool, part_info_size);
  37.     if (part_info == NULL)
  38.     {
  39.         DbgPrint("[library_driver]: 'ExAllocatePool()' failed");
  40.         ZwClose(reg_key_handle);
  41.         return DEFAULT_RING_BUF_SIZE;
  42.     }
  43.  
  44.     status = ZwQueryValueKey(reg_key_handle, &reg_key_path, KeyValuePartialInformation,
  45.         part_info, part_info_size, &part_info_size);
  46.  
  47.     switch (status) {
  48.         case STATUS_SUCCESS:
  49.             DbgPrint("[library_driver]: switch: STATUS_SUCCESS");
  50.             if (part_info->Type == REG_DWORD && part_info->DataLength == sizeof(ULONG))
  51.             {
  52.                 RtlCopyMemory(&key_value, part_info->Data, sizeof(key_value));
  53.                 ZwClose(reg_key_handle);
  54.                 ExFreePool(part_info);
  55.                 return key_value;
  56.             }
  57.             // break; - not break
  58.  
  59.         case STATUS_OBJECT_NAME_NOT_FOUND:
  60.             DbgPrint("[library_driver]: switch: STATUS_OBJECT_NAME_NOT_FOUND");
  61.             status = ZwSetValueKey(reg_key_handle, &reg_key_path, 0, REG_DWORD, &key_value, sizeof(key_value));
  62.             if (!NT_SUCCESS(status))
  63.             {
  64.                 ZwClose(reg_key_handle);
  65.                 ExFreePool(part_info);
  66.                 return DEFAULT_RING_BUF_SIZE;
  67.             }
  68.  
  69.             break;
  70.  
  71.         default:
  72.             DbgPrint("[library_driver]: switch: default");
  73.             ZwClose(reg_key_handle);
  74.             ExFreePool(part_info);
  75.             return DEFAULT_RING_BUF_SIZE;
  76.  
  77.             break;
  78.            
  79.     }
  80.  
  81.     ZwClose(reg_key_handle);
  82.     ExFreePool(part_info);
  83.  
  84.     return DEFAULT_RING_BUF_SIZE;
  85. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!