From 2acec63b2ed75bf4b71ad257db573c4b8f9639e7 Mon Sep 17 00:00:00 2001
From: tumagonx
Date: Tue, 8 Aug 2017 10:54:53 +0700
Subject: initial commit
---
 registry.h | 140 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 140 insertions(+)
 create mode 100644 registry.h
(limited to 'registry.h')
diff --git a/registry.h b/registry.h
new file mode 100644
index 0000000..d4f5756
--- /dev/null
+++ b/registry.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2004 Security Architects Corporation. All rights reserved.
+ *
+ * Module Name:
+ *
+ * registry.h
+ *
+ * Abstract:
+ *
+ * This module defines various types used by registry hooking routines.
+ *
+ * Author:
+ *
+ * Eugene Tsyrklevich 20-Feb-2004
+ *
+ * Revision History:
+ *
+ * None.
+ */
+
+
+#ifndef __REGISTRY_H__
+#define __REGISTRY_H__
+
+
+/*
+ * ZwCreateKey creates or opens a registry key object. [NAR]
+ */
+
+typedef NTSTATUS (*fpZwCreateKey) (
+    OUT PHANDLE KeyHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    IN ULONG TitleIndex,
+    IN PUNICODE_STRING Class OPTIONAL,
+    IN ULONG CreateOptions,
+    OUT PULONG Disposition OPTIONAL
+    );
+
+NTSTATUS
+NTAPI
+HookedNtCreateKey(
+    OUT PHANDLE KeyHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes,
+    IN ULONG TitleIndex,
+    IN PUNICODE_STRING Class OPTIONAL,
+    IN ULONG CreateOptions,
+    OUT PULONG Disposition OPTIONAL
+    );
+
+
+/*
+ * ZwOpenKey opens a registry key object. [NAR]
+ */
+
+typedef NTSTATUS (*fpZwOpenKey) (
+    OUT PHANDLE KeyHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+NTSTATUS
+NTAPI
+HookedNtOpenKey(
+    OUT PHANDLE KeyHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN POBJECT_ATTRIBUTES ObjectAttributes
+    );
+
+
+/*
+ * ZwSetValueKey updates or adds a value to a key. [NAR]
+ */
+
+typedef NTSTATUS (*fpZwSetValueKey) (
+    IN HANDLE KeyHandle,
+    IN PUNICODE_STRING ValueName,
+    IN ULONG TitleIndex,
+    IN ULONG Type,
+    IN PVOID Data,
+    IN ULONG DataSize
+    );
+
+NTSTATUS
+NTAPI
+HookedNtSetValueKey(
+    IN HANDLE KeyHandle,
+    IN PUNICODE_STRING ValueName,
+    IN ULONG TitleIndex,
+    IN ULONG Type,
+    IN PVOID Data,
+    IN ULONG DataSize
+    );
+
+
+/*
+ * ZwQueryValueKey retrieves information about a key value. [NAR]
+ */
+
+typedef NTSTATUS (*fpZwQueryValueKey) (
+    IN HANDLE KeyHandle,
+    IN PUNICODE_STRING ValueName,
+    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+    OUT PVOID KeyValueInformation,
+    IN ULONG KeyValueInformationLength,
+    OUT PULONG ResultLength
+    );
+
+NTSTATUS
+NTAPI
+HookedNtQueryValueKey(
+    IN HANDLE KeyHandle,
+    IN PUNICODE_STRING ValueName,
+    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
+    OUT PVOID KeyValueInformation,
+    IN ULONG KeyValueInformationLength,
+    OUT PULONG ResultLength
+    );
+
+
+/*
+ * ZwDeleteKey deletes a key in the registry. [NAR]
+ */
+
+typedef NTSTATUS (*fpZwDeleteKey) (
+    IN HANDLE KeyHandle
+    );
+
+NTSTATUS
+NTAPI
+HookedNtDeleteKey(
+    IN HANDLE KeyHandle
+    );
+
+
+BOOLEAN InitRegistryHooks();
+
+
+#endif /* __REGISTRY_H__ */
-- cgit v1.3
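Review bot: `BOOLEAN InitRegistryHooks();` near the end of the hunk is an old-style unprototyped declaration in C, so a caller passing arguments is accepted silently; it should read `BOOLEAN InitRegistryHooks(void);`. The header is also not self-contained: NTSTATUS, ACCESS_MASK, POBJECT_ATTRIBUTES, PUNICODE_STRING and KEY_VALUE_INFORMATION_CLASS all come from the kernel DDK headers and nothing here includes them, so an `#include <ntddk.h>` (or whichever header the project builds against) above the guard, or a comment stating the expected include order, would make that dependency explicit. Because the Hooked* routines stand in for system-call entries, their pointer parameters (ObjectAttributes, ValueName, Data, KeyValueInformation, ResultLength, Disposition) can arrive directly from user mode; the implementations are not in this hunk, so this is a contract note rather than a claim about them, but a comment such as `/* Hooked* routines receive raw user-mode pointers: probe and capture before use. */` on the declarations would record that requirement for each implementer. The guard name `__REGISTRY_H__` falls in the identifier space reserved for the implementation; `REGISTRY_H_` avoids that.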