A forum for reverse engineering, OS internals and malware analysis 

How to get key name in registry call back?

Forum for discussion about kernel-mode development.

How to get key name in registry call back?

 #23935  by myid
 Fri Sep 19, 2014 9:24 am
Hi, everyone.
I have a very hard problem.
I preset there are 5 sub keys in "\REGISTRY\MACHINE\SYSTEM\xxx": sk1 sk2 sk3 sk4 sk5.
I can get "\REGISTRY\MACHINE\SYSTEM\xxx" in RegNtPostEnumerateKey/RegNtPreEnumerateKey callback.
But how to get sub keys' name(sk1~sk5) in RegNtPostEnumerateKey or RegNtPreEnumerateKey?

Re: How to get key name in registry call back?

 #23939  by Vrtule
 Fri Sep 19, 2014 4:01 pm
Hello,

if you want to get key name from its object pointer, there are two possibilities:
* ObQueryNameString
* CmCallbackGetKeyObjectID or CmCallbackGetKeyObjectIDEx

If you want to get information about a subkey enumerated by a call to Nt/ZwEnumerateKey that was caught by your registry filter, you can obtain this information from the output buffer. Howerver, you have to be careful (at least prior to Windows 8) because the output buffer may point to usermode part of the address space.

Re: How to get key name in registry call back?

 #23946  by myid
 Sat Sep 20, 2014 5:59 pm
Vrtule wrote:Hello,

if you want to get key name from its object pointer, there are two possibilities:
* ObQueryNameString
* CmCallbackGetKeyObjectID or CmCallbackGetKeyObjectIDEx

If you want to get information about a subkey enumerated by a call to Nt/ZwEnumerateKey that was caught by your registry filter, you can obtain this information from the output buffer. Howerver, you have to be careful (at least prior to Windows 8) because the output buffer may point to usermode part of the address space.
Thanks. I have solved this problem now.
 Return to “Kernel-Mode Development”