1 files changed, 140 insertions, 0 deletions
diff --git a/registry.h b/registry.h
new file mode 100644
index 0000000..d4f5756
--- /dev/null
+++ b/registry.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ *              registry.h
+ *
+ * Abstract:
+ *
+ *              This module defines various types used by registry hooking routines.
+ *
+ * Author:
+ *
+ *              Eugene Tsyrklevich 20-Feb-2004
+ *
+ * Revision History:
+ *
+ *              None.
+ */
+#ifndef __REGISTRY_H__
+#define __REGISTRY_H__
+/*
+ * ZwCreateKey creates or opens a registry key object. [NAR]
+ */
+typedef NTSTATUS (*fpZwCreateKey) (
+    OUT PHANDLE  KeyHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    IN ULONG  TitleIndex,
+    IN PUNICODE_STRING  Class  OPTIONAL,
+    IN ULONG  CreateOptions,
+    OUT PULONG  Disposition  OPTIONAL
+    );
+NTSTATUS
+NTAPI
+HookedNtCreateKey(
+    OUT PHANDLE  KeyHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes,
+    IN ULONG  TitleIndex,
+    IN PUNICODE_STRING  Class  OPTIONAL,
+    IN ULONG  CreateOptions,
+    OUT PULONG  Disposition  OPTIONAL
+        );
+/*
+ * ZwOpenKey opens a registry key object. [NAR]
+ */
+typedef NTSTATUS (*fpZwOpenKey) (
+    OUT PHANDLE  KeyHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+    );
+NTSTATUS
+NTAPI
+HookedNtOpenKey(
+    OUT PHANDLE  KeyHandle,
+    IN ACCESS_MASK  DesiredAccess,
+    IN POBJECT_ATTRIBUTES  ObjectAttributes
+        );
+/*
+ * ZwSetValueKey updates or adds a value to a key. [NAR]
+ */
+typedef NTSTATUS (*fpZwSetValueKey) (
+        IN HANDLE KeyHandle,
+        IN PUNICODE_STRING ValueName,
+        IN ULONG TitleIndex,
+        IN ULONG Type,
+        IN PVOID Data,
+        IN ULONG DataSize
+        );
+NTSTATUS
+NTAPI
+HookedNtSetValueKey(
+        IN HANDLE KeyHandle,
+        IN PUNICODE_STRING ValueName,
+        IN ULONG TitleIndex,
+        IN ULONG Type,
+        IN PVOID Data,
+        IN ULONG DataSize
+        );
+/*
+ * ZwQueryValueKey retrieves information about a key value. [NAR]
+ */
+typedef NTSTATUS (*fpZwQueryValueKey) (
+        IN HANDLE KeyHandle,
+        IN PUNICODE_STRING ValueName,
+        IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+        OUT PVOID KeyValueInformation,
+        IN ULONG KeyValueInformationLength,
+        OUT PULONG ResultLength
+        );
+NTSTATUS
+NTAPI
+HookedNtQueryValueKey(
+        IN HANDLE KeyHandle,
+        IN PUNICODE_STRING ValueName,
+        IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+        OUT PVOID KeyValueInformation,
+        IN ULONG KeyValueInformationLength,
+        OUT PULONG ResultLength
+        );
+/*
+ * ZwDeleteKey deletes a key in the registry. [NAR]
+ */
+typedef NTSTATUS (*fpZwDeleteKey) (
+        IN HANDLE KeyHandle
+        );
+NTSTATUS
+NTAPI
+HookedNtDeleteKey(
+        IN HANDLE KeyHandle
+        );
+BOOLEAN InitRegistryHooks();
+#endif  /* __REGISTRY_H__ */

diff --git a/registry.h b/registry.h new file mode 100644 index 0000000..d4f5756 --- /dev/null +++ b/registry.h
@@ -0,0 +1,140 @@
	1	/*
	2	* Copyright (c) 2004 Security Architects Corporation. All rights reserved.
	3	*
	4	* Module Name:
	5	*
	6	* registry.h
	7	*
	8	* Abstract:
	9	*
	10	* This module defines various types used by registry hooking routines.
	11	*
	12	* Author:
	13	*
	14	* Eugene Tsyrklevich 20-Feb-2004
	15	*
	16	* Revision History:
	17	*
	18	* None.
	19	*/
	20
	21
	22	#ifndef __REGISTRY_H__
	23	#define __REGISTRY_H__
	24
	25
	26	/*
	27	* ZwCreateKey creates or opens a registry key object. [NAR]
	28	*/
	29
	30	typedef NTSTATUS (*fpZwCreateKey) (
	31	OUT PHANDLE KeyHandle,
	32	IN ACCESS_MASK DesiredAccess,
	33	IN POBJECT_ATTRIBUTES ObjectAttributes,
	34	IN ULONG TitleIndex,
	35	IN PUNICODE_STRING Class OPTIONAL,
	36	IN ULONG CreateOptions,
	37	OUT PULONG Disposition OPTIONAL
	38	);
	39
	40	NTSTATUS
	41	NTAPI
	42	HookedNtCreateKey(
	43	OUT PHANDLE KeyHandle,
	44	IN ACCESS_MASK DesiredAccess,
	45	IN POBJECT_ATTRIBUTES ObjectAttributes,
	46	IN ULONG TitleIndex,
	47	IN PUNICODE_STRING Class OPTIONAL,
	48	IN ULONG CreateOptions,
	49	OUT PULONG Disposition OPTIONAL
	50	);
	51
	52
	53	/*
	54	* ZwOpenKey opens a registry key object. [NAR]
	55	*/
	56
	57	typedef NTSTATUS (*fpZwOpenKey) (
	58	OUT PHANDLE KeyHandle,
	59	IN ACCESS_MASK DesiredAccess,
	60	IN POBJECT_ATTRIBUTES ObjectAttributes
	61	);
	62
	63	NTSTATUS
	64	NTAPI
	65	HookedNtOpenKey(
	66	OUT PHANDLE KeyHandle,
	67	IN ACCESS_MASK DesiredAccess,
	68	IN POBJECT_ATTRIBUTES ObjectAttributes
	69	);
	70
	71
	72	/*
	73	* ZwSetValueKey updates or adds a value to a key. [NAR]
	74	*/
	75
	76	typedef NTSTATUS (*fpZwSetValueKey) (
	77	IN HANDLE KeyHandle,
	78	IN PUNICODE_STRING ValueName,
	79	IN ULONG TitleIndex,
	80	IN ULONG Type,
	81	IN PVOID Data,
	82	IN ULONG DataSize
	83	);
	84
	85	NTSTATUS
	86	NTAPI
	87	HookedNtSetValueKey(
	88	IN HANDLE KeyHandle,
	89	IN PUNICODE_STRING ValueName,
	90	IN ULONG TitleIndex,
	91	IN ULONG Type,
	92	IN PVOID Data,
	93	IN ULONG DataSize
	94	);
	95
	96
	97	/*
	98	* ZwQueryValueKey retrieves information about a key value. [NAR]
	99	*/
	100
	101	typedef NTSTATUS (*fpZwQueryValueKey) (
	102	IN HANDLE KeyHandle,
	103	IN PUNICODE_STRING ValueName,
	104	IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
	105	OUT PVOID KeyValueInformation,
	106	IN ULONG KeyValueInformationLength,
	107	OUT PULONG ResultLength
	108	);
	109
	110	NTSTATUS
	111	NTAPI
	112	HookedNtQueryValueKey(
	113	IN HANDLE KeyHandle,
	114	IN PUNICODE_STRING ValueName,
	115	IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
	116	OUT PVOID KeyValueInformation,
	117	IN ULONG KeyValueInformationLength,
	118	OUT PULONG ResultLength
	119	);
	120
	121
	122	/*
	123	* ZwDeleteKey deletes a key in the registry. [NAR]
	124	*/
	125
	126	typedef NTSTATUS (*fpZwDeleteKey) (
	127	IN HANDLE KeyHandle
	128	);
	129
	130	NTSTATUS
	131	NTAPI
	132	HookedNtDeleteKey(
	133	IN HANDLE KeyHandle
	134	);
	135
	136
	137	BOOLEAN InitRegistryHooks();
	138
	139
	140	#endif /* __REGISTRY_H__ */