#ifndef _NT_REGISTRY_H_
#define _NT_REGISTRY_H_
#include "nt_abi.h"
#include "nt_object.h"
/* registry value data types; the numeric values mirror the win32 REG_*
 * constants.  NT_REG_DWORD/NT_REG_DWORD_LITTLE_ENDIAN and
 * NT_REG_QWORD/NT_REG_QWORD_LITTLE_ENDIAN are aliases of the same value,
 * so a switch over this enum must not list both spellings as cases. */
typedef enum _nt_registry_types {
NT_REG_NONE = 0x00,
NT_REG_SZ = 0x01,
NT_REG_EXPAND_SZ = 0x02,
NT_REG_BINARY = 0x03,
NT_REG_DWORD = 0x04,
NT_REG_DWORD_LITTLE_ENDIAN = 0x04, /* alias of NT_REG_DWORD */
NT_REG_DWORD_BIG_ENDIAN = 0x05,
NT_REG_LINK = 0x06,
NT_REG_MULTI_SZ = 0x07,
NT_REG_RESOURCE_LIST = 0x08,
NT_REG_FULL_RESOURCE_DESCRIPTOR = 0x09,
NT_REG_RESOURCE_REQUIREMENTS_LIST = 0x0A,
NT_REG_QWORD = 0x0B,
NT_REG_QWORD_LITTLE_ENDIAN = 0x0B, /* alias of NT_REG_QWORD */
} nt_registry_types;
/* information class selector for ntapi_zw_query_key / ntapi_zw_enumerate_key;
 * each member selects the matching nt_key_*_information layout below
 * (basic, node, full, name).  values are implicit, starting at 0. */
typedef enum _nt_key_info_class {
NT_KEY_BASIC_INFORMATION,
NT_KEY_NODE_INFORMATION,
NT_KEY_FULL_INFORMATION,
NT_KEY_NAME_INFORMATION,
} nt_key_info_class;
/* information class selector for ntapi_zw_query_value_key /
 * ntapi_zw_enumerate_value_key; the first three select the matching
 * nt_key_value_*_information layout below.  NT_KEY_VALUE_FULL_INFORMATION_ALIGN64
 * has no dedicated struct in this header -- presumably the full layout with
 * the data aligned to 8 bytes; confirm before relying on it. */
typedef enum _nt_key_value_info_class {
NT_KEY_VALUE_BASIC_INFORMATION,
NT_KEY_VALUE_FULL_INFORMATION,
NT_KEY_VALUE_PARTIAL_INFORMATION,
NT_KEY_VALUE_FULL_INFORMATION_ALIGN64,
} nt_key_value_info_class;
/* information class selector for ntapi_zw_set_information_key; the only
 * member selects nt_key_last_write_time_information as key_info. */
typedef enum _nt_key_set_info_class {
NT_KEY_LAST_WRITE_TIME_INFORMATION = 0
} nt_key_set_info_class;
/* registry key access bits (desired_access for ntapi_zw_create_key and
 * ntapi_zw_open_key).  request only the rights a caller actually needs --
 * NT_KEY_READ / NT_KEY_QUERY_VALUE for lookups -- rather than
 * NT_KEY_ALL_ACCESS, which also grants write, link and security rights.
 * NOTE(review): NT_KEY_CREATE_SUB_NT_KEY, NT_KEY_ENUMERATE_SUB_NT_KEYS and
 * NT_KEY_WOW64_*NT_KEY look like a mechanical KEY_ -> NT_KEY_ rename of the
 * win32 names (KEY_CREATE_SUB_KEY, KEY_WOW64_64KEY, ...); the values are the
 * win32 ones and the names are kept as-is since callers may use them. */
#define NT_KEY_QUERY_VALUE 0x00000001
#define NT_KEY_SET_VALUE 0x00000002
#define NT_KEY_CREATE_SUB_NT_KEY 0x00000004
#define NT_KEY_ENUMERATE_SUB_NT_KEYS 0x00000008
#define NT_KEY_NOTIFY 0x00000010
#define NT_KEY_CREATE_LINK 0x00000020
#define NT_KEY_WOW64_64NT_KEY 0x00000100
#define NT_KEY_WOW64_32NT_KEY 0x00000200
/* composite rights: standard rights (0x000F0000 mask) or'ed with key bits */
#define NT_KEY_WRITE 0x00020006 /* 0x00020000 | SET_VALUE | CREATE_SUB_KEY */
#define NT_KEY_READ 0x00020019 /* 0x00020000 | QUERY_VALUE | ENUMERATE | NOTIFY */
#define NT_KEY_EXECUTE 0x00020019 /* same value as NT_KEY_READ */
#define NT_KEY_ALL_ACCESS 0x000F003F /* 0x000F0000 | all six key bits */
/* registry option bits (create_options for ntapi_zw_create_key).
 * NT_REG_OPTION_NON_VOLATILE is 0, i.e. the default when no bit is set. */
#define NT_REG_OPTION_NON_VOLATILE 0x00000000L
#define NT_REG_OPTION_VOLATILE 0x00000001L
#define NT_REG_OPTION_CREATE_LINK 0x00000002L
#define NT_REG_OPTION_BACKUP_RESTORE 0x00000004L
#define NT_REG_OPTION_OPEN_LINK 0x00000008L
/* registry hive option bits (flags for ntapi_zw_restore_key and
 * ntapi_zw_load_key2) */
#define NT_REG_WHOLE_HIVE_VOLATILE 0x00000001L
#define NT_REG_REFRESH_HIVE 0x00000002L
#define NT_REG_NO_LAZY_FLUSH 0x00000004L
#define NT_REG_FORCE_RESTORE 0x00000008L
/* registry disposition values (written to *disposition by ntapi_zw_create_key).
 * NOTE(review): the win32 SDK defines REG_CREATED_NEW_KEY as 1 and
 * REG_OPENED_EXISTING_KEY as 2, whereas these are 0 and 1; confirm these
 * values against what the native call actually stores before comparing
 * *disposition to them. */
#define NT_REG_CREATED_NEW_KEY 0x00000000L
#define NT_REG_OPENED_EXISTING_KEY 0x00000001L
/* registry monitor bits (flags for ntapi_zw_notify_change_multiple_keys) */
#define NT_REG_MONITOR_SINGLE_KEY 0x0000
#define NT_REG_MONITOR_SECOND_KEY 0x0001
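/* registry key notification bits (notify_filter for ntapi_zw_notify_change_key
 * and ntapi_zw_notify_change_multiple_keys) */
#define NT_REG_NOTIFY_CHANGE_NAME 0x00000001L
#define NT_REG_NOTIFY_CHANGE_ATTRIBUTES 0x00000002L
#define NT_REG_NOTIFY_CHANGE_LAST_SET 0x00000004L
#define NT_REG_NOTIFY_CHANGE_SECURITY 0x00000008L
/* union of every valid filter bit.  the expansion is parenthesized so the
 * macro can be used as an operand -- e.g. `filter & ~NT_REG_LEGAL_CHANGE_FILTER`
 * to reject unknown bits -- without the `|` chain binding against the
 * surrounding expression. */
#define NT_REG_LEGAL_CHANGE_FILTER (NT_REG_NOTIFY_CHANGE_NAME \
| NT_REG_NOTIFY_CHANGE_ATTRIBUTES \
| NT_REG_NOTIFY_CHANGE_LAST_SET \
| NT_REG_NOTIFY_CHANGE_SECURITY)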
/* layout returned for NT_KEY_BASIC_INFORMATION.  name[] is a flexible array
 * whose extent is given by name_length, not by a terminator; before indexing
 * it, check name_length against the number of bytes the call actually filled
 * (result_length / the caller's buffer size).  unit of name_length is not
 * stated here -- presumably bytes, as in win32 KEY_BASIC_INFORMATION; confirm. */
typedef struct _nt_key_basic_information {
nt_large_integer last_write_time;
uint32_t title_index;
uint32_t name_length;
wchar16_t name[];
} nt_key_basic_information;
/* layout returned for NT_KEY_NODE_INFORMATION.  the class string is not a
 * field of its own: class_offset/class_length locate it relative to the
 * structure, after name[].  both name_length and class_offset+class_length
 * must be checked against the filled buffer size before dereferencing. */
typedef struct _nt_key_node_information {
nt_large_integer last_write_time;
uint32_t title_index;
uint32_t class_offset;
uint32_t class_length;
uint32_t name_length;
wchar16_t name[];
} nt_key_node_information;
/* layout returned for NT_KEY_FULL_INFORMATION: key statistics (sub-key and
 * value counts plus the maximum name/class/data lengths seen) followed by the
 * class string.  the trailing member is named kclass rather than class,
 * presumably to keep the header usable from C++.  the max_* fields are what
 * a caller would size enumeration buffers from; treat them as hints and still
 * bound every read by the length the call actually returned. */
typedef struct _nt_key_full_information {
nt_large_integer last_write_time;
uint32_t title_index;
uint32_t class_offset;
uint32_t class_length;
uint32_t sub_keys;
uint32_t max_name_len;
uint32_t max_class_len;
uint32_t values;
uint32_t max_value_name_len;
uint32_t max_value_data_len;
wchar16_t kclass[];
} nt_key_full_information;
/* layout returned for NT_KEY_NAME_INFORMATION: just the key name, with its
 * extent given by name_length (no terminator is implied by this layout). */
typedef struct _nt_key_name_information {
uint32_t name_length;
wchar16_t name[];
} nt_key_name_information;
/* layout returned for NT_KEY_VALUE_BASIC_INFORMATION: value type (one of
 * nt_registry_types) and name, without the data.  name[] is bounded by
 * name_length only; validate it against the filled buffer before use. */
typedef struct _nt_key_value_basic_information {
uint32_t title_index;
uint32_t type;
uint32_t name_length;
wchar16_t name[];
} nt_key_value_basic_information;
/* layout returned for NT_KEY_VALUE_FULL_INFORMATION: name and data in one
 * buffer.  the data is not a named member; data_offset/data_length locate it
 * relative to the structure start, after name[].  check that
 * data_offset + data_length does not exceed the filled buffer size -- both
 * come from the callee and the arithmetic can wrap in uint32_t. */
typedef struct _nt_key_value_full_information {
uint32_t title_index;
uint32_t type;
uint32_t data_offset;
uint32_t data_length;
uint32_t name_length;
wchar16_t name[];
} nt_key_value_full_information;
/* layout returned for NT_KEY_VALUE_PARTIAL_INFORMATION: type and data only,
 * no name.  data[] is raw bytes of data_length; interpret it according to
 * type (e.g. NT_REG_SZ data is not guaranteed terminated by this layout). */
typedef struct _nt_key_value_partial_information {
uint32_t title_index;
uint32_t type;
uint32_t data_length;
unsigned char data[];
} nt_key_value_partial_information;
/* one element of the value_list passed to ntapi_zw_query_multiple_value_key.
 * value_name is supplied by the caller; data_length, data_offset and type are
 * filled in by the call (the parameter is tagged __in_out), with data_offset
 * relative to the caller's buffer argument. */
typedef struct _nt_key_value_entry {
nt_unicode_string * value_name;
uint32_t data_length;
uint32_t data_offset;
uint32_t type;
} nt_key_value_entry;
/* key_info payload for ntapi_zw_set_information_key with
 * NT_KEY_LAST_WRITE_TIME_INFORMATION */
typedef struct _nt_key_last_write_time_information {
nt_large_integer last_write_time;
} nt_key_last_write_time_information;
/* function types for the key lifecycle calls.  all return an int32_t NTSTATUS;
 * the __in/__out/__optional tags come from nt_abi.h and document direction
 * only.  hkey handles received from create/open are owned by the caller and
 * must be closed through the generic object close call (not declared here).
 *
 * ntapi_zw_create_key: opens or creates the key named by obj_attr with
 * desired_access (NT_KEY_* bits) and create_options (NT_REG_OPTION_* bits);
 * reg_class and disposition may be NULL.  when disposition is supplied it is
 * set to one of the NT_REG_*_KEY disposition values above. */
typedef int32_t __stdcall ntapi_zw_create_key(
__out void ** hkey,
__in uint32_t desired_access,
__in nt_object_attributes * obj_attr,
__in uint32_t title_index,
__in nt_unicode_string * reg_class __optional,
__in uint32_t create_options,
__out uint32_t * disposition __optional);
/* ntapi_zw_open_key: opens an existing key; never creates one */
typedef int32_t __stdcall ntapi_zw_open_key(
__out void ** hkey,
__in uint32_t desired_access,
__in nt_object_attributes * obj_attr);
/* ntapi_zw_delete_key: marks the key for deletion; hkey stays valid */
typedef int32_t __stdcall ntapi_zw_delete_key(
__in void * hkey);
/* ntapi_zw_flush_key: forces pending changes for the key's hive to storage */
typedef int32_t __stdcall ntapi_zw_flush_key(
__in void * hkey);
/* hive persistence calls.  save/restore/load/replace move whole hives between
 * keys and files, which requires backup/restore privilege on the caller;
 * treat the file handles and paths as sensitive input.
 *
 * NOTE(review): ntapi_zw_load_key, ntapi_zw_load_key2, ntapi_zw_unload_key,
 * ntapi_zw_query_open_sub_keys and ntapi_zw_replace_key declare their
 * nt_object_attributes parameters by value, while the other typedefs in this
 * header (and the native calls they mirror) take them by pointer.  a
 * function pointer of one of these types would push the whole struct onto
 * the stack; confirm against the callers before using them. */
typedef int32_t __stdcall ntapi_zw_save_key(
__in void * hkey,
__in void * hfile);
typedef int32_t __stdcall ntapi_zw_save_merged_keys(
__in void * hkey_1st,
__in void * hkey_2nd,
__in void * hfile);
/* flags: NT_REG_WHOLE_HIVE_VOLATILE / NT_REG_REFRESH_HIVE /
 * NT_REG_NO_LAZY_FLUSH / NT_REG_FORCE_RESTORE */
typedef int32_t __stdcall ntapi_zw_restore_key(
__in void * hkey,
__in void * hfile,
__in uint32_t flags);
typedef int32_t __stdcall ntapi_zw_load_key(
__in nt_object_attributes key_obj_attr,
__in nt_object_attributes file_obj_attr);
typedef int32_t __stdcall ntapi_zw_load_key2(
__in nt_object_attributes key_obj_attr,
__in nt_object_attributes file_obj_attr,
__in uint32_t flags);
typedef int32_t __stdcall ntapi_zw_unload_key(
__in nt_object_attributes key_obj_attr);
/* ntapi_zw_query_open_sub_keys: number_of_keys receives the count of open
 * sub-keys under the named key */
typedef int32_t __stdcall ntapi_zw_query_open_sub_keys(
__in nt_object_attributes key_obj_attr,
__out uint32_t * number_of_keys);
typedef int32_t __stdcall ntapi_zw_replace_key(
__in nt_object_attributes new_file_obj_attr,
__in void * hkey,
__in nt_object_attributes old_file_obj_attr);
/* key metadata calls.  key_info points at the layout selected by
 * key_info_class (nt_key_*_information above) and key_info_length is the size
 * of that buffer in bytes.
 *
 * ntapi_zw_set_information_key: key_info_class is currently only
 * NT_KEY_LAST_WRITE_TIME_INFORMATION with an nt_key_last_write_time_information
 * payload. */
typedef int32_t __stdcall ntapi_zw_set_information_key(
__in void * hkey,
__in nt_key_set_info_class key_info_class,
__in void * key_info,
__in uint32_t key_info_length);
/* ntapi_zw_query_key: fills key_info for the key itself.  result_length
 * receives the length produced -- presumably also the length required when
 * key_info_length is too small, so callers can retry; confirm.  the
 * variable-length tails of the returned layouts must be bounded by
 * result_length, not by key_info_length alone. */
typedef int32_t __stdcall ntapi_zw_query_key(
__in void * hkey,
__in nt_key_info_class key_info_class,
__out void * key_info,
__in uint32_t key_info_length,
__out uint32_t * result_length);
/* ntapi_zw_enumerate_key: same as ntapi_zw_query_key but for the index-th
 * sub-key of hkey; callers iterate index from 0 until the call fails */
typedef int32_t __stdcall ntapi_zw_enumerate_key(
__in void * hkey,
__in uint32_t index,
__in nt_key_info_class key_info_class,
__out void * key_info,
__in uint32_t key_info_length,
__out uint32_t * result_length);
/* change notification calls.  notify_filter is a mask of NT_REG_NOTIFY_CHANGE_*
 * bits (NT_REG_LEGAL_CHANGE_FILTER is the full set); watch_subtree and
 * asynchronous are booleans carried as unsigned char.  completion is
 * reported through io_status_block and, optionally, hevent or apc_routine
 * with apc_context -- the standard nt asynchronous-i/o triple.  buffer and
 * buffer_length describe a caller-owned buffer the call may write into; the
 * caller must keep it (and io_status_block) alive until the request
 * completes. */
typedef int32_t __stdcall ntapi_zw_notify_change_key(
__in void * hkey,
__in void * hevent __optional,
__in nt_io_apc_routine * apc_routine __optional,
__in void * apc_context __optional,
__out nt_io_status_block * io_status_block,
__in uint32_t notify_filter,
__in unsigned char watch_subtree,
__in void * buffer,
__in uint32_t buffer_length,
__in unsigned char asynchronous);
/* ntapi_zw_notify_change_multiple_keys: as above, but flags
 * (NT_REG_MONITOR_SINGLE_KEY / NT_REG_MONITOR_SECOND_KEY) and key_obj_attr
 * name a second key to watch alongside hkey */
typedef int32_t __stdcall ntapi_zw_notify_change_multiple_keys(
__in void * hkey,
__in uint32_t flags,
__in nt_object_attributes * key_obj_attr,
__in void * hevent __optional,
__in nt_io_apc_routine * apc_routine __optional,
__in void * apc_context __optional,
__out nt_io_status_block * io_status_block,
__in uint32_t notify_filter,
__in unsigned char watch_subtree,
__in void * buffer,
__in uint32_t buffer_length,
__in unsigned char asynchronous);
/* value calls.  value_name selects a value under hkey; the default value is
 * addressed by an empty name (not shown here -- confirm with the callers).
 *
 * ntapi_zw_delete_value_key: removes the named value */
typedef int32_t __stdcall ntapi_zw_delete_value_key(
__in void * hkey,
__in nt_unicode_string * value_name);
/* ntapi_zw_set_value_key: stores data_size bytes of data under value_name
 * with the given type (nt_registry_types).  the data is copied as raw bytes:
 * for NT_REG_SZ / NT_REG_MULTI_SZ the caller is responsible for including
 * the terminating nul(s) in data_size. */
typedef int32_t __stdcall ntapi_zw_set_value_key(
__in void * hkey,
__in nt_unicode_string * value_name,
__in uint32_t title_index,
__in uint32_t type,
__in void * data,
__in uint32_t data_size);
/* ntapi_zw_query_value_key: fills key_value_info with the layout selected by
 * key_value_info_class; result_length receives the length produced
 * (presumably also the required length on a too-small buffer; confirm).
 * string-typed data read back is not guaranteed terminated -- bound it by
 * data_length / result_length before treating it as a string. */
typedef int32_t __stdcall ntapi_zw_query_value_key(
__in void * hkey,
__in nt_unicode_string * value_name,
__in nt_key_value_info_class key_value_info_class,
__out void * key_value_info,
__in uint32_t key_value_info_length,
__out uint32_t * result_length);
/* ntapi_zw_enumerate_value_key: as ntapi_zw_query_value_key, for the
 * index-th value of hkey */
typedef int32_t __stdcall ntapi_zw_enumerate_value_key(
__in void * hkey,
__in uint32_t index,
__in nt_key_value_info_class key_value_info_class,
__out void * key_value_info,
__in uint32_t key_value_info_length,
__out uint32_t * result_length);
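/* ntapi_zw_query_multiple_value_key: reads number_of_values values in one
 * call.  value_list is an array of nt_key_value_entry whose value_name
 * members the caller fills in; the call writes each entry's type,
 * data_length and data_offset (relative to buffer) back into the same
 * array.  buffer_length is in/out: the buffer size on entry, the bytes used
 * on return; buffer_needed receives the size required when the buffer is
 * too small.  every data_offset + data_length must be checked against the
 * returned buffer_length before the data is read.
 * (the last parameter was previously spelled buffer_nedded; parameter names
 * in a function-type typedef have no effect on the type, so this is a
 * documentation-only fix) */
typedef int32_t __stdcall ntapi_zw_query_multiple_value_key(
__in void * hkey,
__in_out nt_key_value_entry * value_list,
__in uint32_t number_of_values,
__out void * buffer,
__in_out uint32_t * buffer_length,
__out uint32_t * buffer_needed);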
/* ntapi_zw_initialize_registry: system-initialization entry point; setup is
 * a boolean carried as unsigned char.  not something ordinary application
 * code should call -- presumably restricted to privileged callers; confirm. */
typedef int32_t __stdcall ntapi_zw_initialize_registry(
__in unsigned char setup);
#endif