I'm using MS Detours to hook functions. I'm successfully injecting my DLL into a process, and I'm successfully catching CreateFile/DeleteFile calls and can even see them in DebugView.
I'm unable to catch any of the registry functions.
tried:
REGSETVALUEX OrigRegSetValueEx = NULL;
REGOPENKEYEXA OrigRegOpenKeyExA = NULL;
REGOPENKEY OrigRegOpenKey = NULL;
REGCREATEKEYEXW OrigRegCreateKeyExW = NULL;
REGCREATEKEYW OrigRegCreateKeyW = NULL;
REGSETVALUEXW OrigRegSetValueExW = NULL;
I have a self-written 32-bit C# console program that has 3 functions:
createNewFile
DeleteFile
open a registry subkey and set a value. Code snippet for number 3:
enter code here string Mash = String.Concat(Environment.MachineName, Environment.OSVersion.VersionString, Environment.UserName); RegistryKey rkApp = Registry.CurrentUser.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Run", true); rkApp.SetValue("newvalue", Mash); rkApp.Close();
createNewFile + DeleteFile — caught successfully.
Open a registry subkey and set a value — event not caught.
I'm using the following code for the functions and detours:
What I have tried:
I was debugging with:
1. Process Monitor — which does catch my events. ProcessMonitor Catching Registry Events
2. Placed a MessageBox (message 3) in the 'HookRegSetValue' function and I'm not seeing it pop up. I'm not sure, but I'm guessing it's an issue with Detours.
3. Tried other registry functions — none of them fired.
#include "stdafx.h"
#include "windows.h"
#include "tchar.h"
#include "stdio.h"
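// Pointer types for the original (un-hooked) Win32 entry points. Once
// DetourAttach succeeds, Detours rewrites the Orig* globals below to point at
// its trampolines, so each hook calls through them to reach the real API.
typedef HANDLE(WINAPI *CREATEFILEW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
// DeleteFileW takes a single path and returns BOOL. The previous typedef copied
// CreateFileW's seven-argument shape, which would corrupt the caller's stack
// as soon as DeleteFileW were actually attached through it.
typedef BOOL(WINAPI *DELETEFILEW)(LPCWSTR);
// lpData is LPCTSTR (not LPCSTR) so the typedef agrees with HookRegSetValue's
// parameter types under both UNICODE and MBCS builds.
typedef LONG(WINAPI *REGSETVALUE)(HKEY, LPCTSTR, DWORD, LPCTSTR, DWORD);

CREATEFILEW OrigCreteFileW = NULL;
DELETEFILEW OrigDeleteFileW = NULL;
REGSETVALUE OrigRegSetValue = NULL;

/// Detour for CreateFileW: writes the requested path to the debugger output,
/// then forwards every argument unchanged to the original function.
/// @return whatever the original CreateFileW returns.
HANDLE WINAPI HookCreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile)
{
    OutputDebugString(__TEXT("Inside HookCreateFileW"));
    if (lpFileName != NULL)
        OutputDebugStringW(lpFileName);
    return OrigCreteFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
}

/// Detour for DeleteFileW (real signature: BOOL DeleteFileW(LPCWSTR)).
/// Logs the path, then forwards to the original.
/// @return whatever the original DeleteFileW returns.
BOOL WINAPI HookDeleteFileW(LPCWSTR lpFileName)
{
    OutputDebugString(__TEXT("Inside HookDeleteFileW"));
    if (lpFileName != NULL)
        OutputDebugStringW(lpFileName);
    return OrigDeleteFileW(lpFileName);
}

/// Detour for the legacy RegSetValue API. Logs the subkey name and forwards
/// the call unchanged.
///
/// Two defects of the previous version are fixed here: it cast the HKEY handle
/// value to LPCWSTR and printed it (a read from an arbitrary address), and it
/// passed lpSubKey in place of lpData to the original, so the hooked call
/// stored the subkey name instead of the caller's data.
/// @return whatever the original RegSetValue returns.
LONG WINAPI HookRegSetValue(HKEY hKey, LPCTSTR lpSubKey, DWORD dwType, LPCTSTR lpData, DWORD cbData)
{
    // TEXT() keeps the debugging MessageBox compiling under UNICODE builds.
    MessageBox(0, TEXT("And text here3"), TEXT("MessageBox caption"), MB_OK);
    OutputDebugString(__TEXT("Inside HookRegSetValue"));
    if (lpSubKey != NULL)
        OutputDebugString(lpSubKey);
    return OrigRegSetValue(hKey, lpSubKey, dwType, lpData, cbData);
}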
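/// Resolves the original entry points and attaches the RegSetValue detour.
/// Called from DllMain on DLL_PROCESS_ATTACH. Every failure is written to the
/// debugger output: the previous version checked nothing, so a NULL lookup
/// made DetourAttach fail silently and the hook simply never fired.
void InstallHooks(void)
{
    HMODULE modKernel32 = GetModuleHandle(TEXT("KERNEL32.dll"));
    // GetModuleHandle does not load the module; it returns NULL unless
    // ADVAPI32 is already mapped in the host process.
    HMODULE advapi32 = GetModuleHandle(TEXT("ADVAPI32.dll"));
    if (modKernel32 == NULL || advapi32 == NULL)
    {
        OutputDebugString(__TEXT("InstallHooks: KERNEL32/ADVAPI32 not loaded"));
        return;
    }

    OrigCreteFileW = (CREATEFILEW)GetProcAddress(modKernel32, "CreateFileW");
    OrigDeleteFileW = (DELETEFILEW)GetProcAddress(modKernel32, "DeleteFileW");
    // ADVAPI32 exports RegSetValueA and RegSetValueW; "RegSetValue" is only a
    // header macro, so GetProcAddress(advapi32, "RegSetValue") returned NULL.
    // Select the export that matches HookRegSetValue's LPCTSTR parameters.
#ifdef UNICODE
    OrigRegSetValue = (REGSETVALUE)GetProcAddress(advapi32, "RegSetValueW");
#else
    OrigRegSetValue = (REGSETVALUE)GetProcAddress(advapi32, "RegSetValueA");
#endif
    if (OrigRegSetValue == NULL)
    {
        OutputDebugString(__TEXT("InstallHooks: RegSetValue export not found"));
        return;
    }
    // NOTE(review): .NET's RegistryKey.SetValue is, as far as I know, built on
    // RegSetValueEx (RegSetValueExW) rather than the legacy RegSetValue, so
    // this detour alone is not expected to observe that caller; a separate
    // RegSetValueExW detour with the matching signature would be needed —
    // confirm with a debugger. OrigCreteFileW/OrigDeleteFileW are resolved
    // here but, as in the original, only RegSetValue is attached.

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    OutputDebugString(__TEXT("4.DetourAttach"));
    LONG attachStatus = DetourAttach(&(PVOID&)OrigRegSetValue, HookRegSetValue);
    if (attachStatus != NO_ERROR)
    {
        OutputDebugString(__TEXT("InstallHooks: DetourAttach failed"));
        DetourTransactionAbort();
        return;
    }
    OutputDebugString(__TEXT("HookRegSetValue"));
    LONG commitStatus = DetourTransactionCommit();
    if (commitStatus != NO_ERROR)
        OutputDebugString(__TEXT("InstallHooks: DetourTransactionCommit failed"));
}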
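/// Detaches the RegSetValue detour installed by InstallHooks. Safe to call
/// when nothing was attached (OrigRegSetValue still NULL): it returns at once.
///
/// The previous version opened and committed an empty transaction without
/// ever calling DetourDetach, so the hook stayed in place after this DLL was
/// unloaded and the trampoline would then target an unmapped image.
void RestoreHooks(void)
{
    if (OrigRegSetValue == NULL)
        return;

    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    OutputDebugString(__TEXT("5.DetourDetach"));
    // Mirrors the DetourAttach in InstallHooks.
    LONG detachStatus = DetourDetach(&(PVOID&)OrigRegSetValue, HookRegSetValue);
    if (detachStatus != NO_ERROR)
    {
        OutputDebugString(__TEXT("RestoreHooks: DetourDetach failed"));
        DetourTransactionAbort();
        return;
    }
    LONG commitStatus = DetourTransactionCommit();
    if (commitStatus != NO_ERROR)
        OutputDebugString(__TEXT("RestoreHooks: DetourTransactionCommit failed"));
}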
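/// DLL entry point: installs the detours when the DLL is mapped and removes
/// them when it is unmapped by FreeLibrary.
///
/// @param hModule            handle of this DLL (unused).
/// @param ul_reason_for_call DLL_PROCESS_ATTACH/DETACH or DLL_THREAD_ATTACH/DETACH.
/// @param lpReserved         on DLL_PROCESS_DETACH, NULL when FreeLibrary was
///                           called and non-NULL when the process is terminating.
/// @return TRUE always; FALSE on DLL_PROCESS_ATTACH would fail the load.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        OutputDebugString(__TEXT("InstallHooks"));
        InstallHooks();
        break;  // the original fell through to the other cases; harmless, but not intended
    case DLL_PROCESS_DETACH:
        // Unhook only on an explicit FreeLibrary. At process termination the
        // address space is being torn down and the detach serves no purpose.
        if (lpReserved == NULL)
            RestoreHooks();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}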