A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #16259  by __fastcall
 Wed Oct 24, 2012 4:18 pm
OK, I'm trying to make my explanation a bit more detailed. If you look at the enum struct provided by the callback you will see that I can't get the actual full key name; if I had hooked ZwEnumerateKey then I could use the handle to get information, but I don't know how to work with objects, as I saw them for the first time just now...

Thanks,
__fastcall
 #16260  by xdeadcode
 Wed Oct 24, 2012 6:43 pm
Hi __fastcall.

Inside your callback just use the ObQueryNameString API:

    NTSTATUS ObQueryNameString(
        PVOID Object,                               // pointer to the object body
        POBJECT_NAME_INFORMATION ObjectNameInfo,    // caller-allocated output buffer
        ULONG Length,                               // size of that buffer, in bytes
        PULONG ReturnLength                         // receives the size needed / used
    );
(link: http://msdn.microsoft.com/en-us/library ... s.85).aspx)

First allocate a memory buffer, then call ObQueryNameString: the first parameter is the Object member from REG_ENUMERATE_KEY_INFORMATION, the second is your allocated buffer (POBJECT_NAME_INFORMATION); the rest is (I believe) straightforward.
It should work.

Best regards.
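The steps in the answer above, written out as an added example (not code from the thread): the kernel types and ObQueryNameString are replaced by user-mode stand-ins so the file compiles anywhere, with the test double following only the documented contract (a too-small buffer returns STATUS_INFO_LENGTH_MISMATCH and ReturnLength gives the size needed) and a constructed key path standing in for the key object. QueryKeyFullName is the part a registry callback would keep, with the real declarations from ntddk.h and ExAllocatePoolWithTag swapped in; the two-call sizing and the Length-based comparison are the points the thread leaves implicit.

```c
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
/* Stand-ins for the kernel types, constructed so this compiles in user mode (a driver
   gets the real ones from ntddk.h / wdm.h). */
typedef long NTSTATUS;
typedef unsigned long ULONG;
typedef struct { unsigned short Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
typedef struct { UNICODE_STRING Name; } OBJECT_NAME_INFORMATION; /* name chars follow */
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004L)
#define STATUS_INSUFFICIENT_RESOURCES ((NTSTATUS)0xC000009AL)
const wchar_t kSampleKey[] = L"\\REGISTRY\\MACHINE\\SOFTWARE\\ExampleVendor\\ExampleApp"; /* constructed */
/* Test double for ObQueryNameString implementing only the documented contract: a too-small
   buffer yields STATUS_INFO_LENGTH_MISMATCH with ReturnLength = bytes needed. "Object" here
   is simply the constructed key path the real call would resolve to. */
static NTSTATUS ObQueryNameString(void *Object, OBJECT_NAME_INFORMATION *Info,
                                  ULONG Length, ULONG *ReturnLength)
{
    const wchar_t *path = (const wchar_t *)Object;
    ULONG bytes = (ULONG)((wcslen(path) + 1) * sizeof(wchar_t));
    *ReturnLength = (ULONG)sizeof(OBJECT_NAME_INFORMATION) + bytes;
    if (Info == NULL || Length < *ReturnLength) return STATUS_INFO_LENGTH_MISMATCH;
    Info->Name.Buffer = (wchar_t *)(Info + 1);
    memcpy(Info->Name.Buffer, path, bytes);
    Info->Name.Length = (unsigned short)(bytes - sizeof(wchar_t)); /* bytes, no terminator */
    Info->Name.MaximumLength = (unsigned short)bytes;
    return STATUS_SUCCESS;
}
/* Callback-side logic. Object is RegEnumerateKeyInformation->Object (valid while the callback
   runs): size with a first call, allocate, query again. On success *Out owns the buffer;
   it stays NULL for an unnamed object or a failure. */
NTSTATUS QueryKeyFullName(void *Object, OBJECT_NAME_INFORMATION **Out)
{
    ULONG needed = 0;
    *Out = NULL;
    NTSTATUS st = ObQueryNameString(Object, NULL, 0, &needed);
    if (st != STATUS_INFO_LENGTH_MISMATCH || needed == 0) return st;
    OBJECT_NAME_INFORMATION *info = malloc(needed); /* ExAllocatePoolWithTag in a driver */
    if (info == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    st = ObQueryNameString(Object, info, needed, &needed);
    if (st != STATUS_SUCCESS) { free(info); return st; }
    *Out = info;
    return STATUS_SUCCESS;
}
/* Compare by Name.Length: a UNICODE_STRING is not guaranteed to be NUL-terminated. */
int NameEquals(const OBJECT_NAME_INFORMATION *info, const wchar_t *expected)
{
    size_t n = wcslen(expected);
    return info != NULL && info->Name.Length == n * sizeof(wchar_t) &&
           wcsncmp(info->Name.Buffer, expected, n) == 0;
}
```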