Im trying to read a registry using the winapi and c++.
The code runs, but the result is not the contents of the registry
After a hexdump is just 0xCD repeated over and over. (So, as if the data hasnt been modified by RegQueryValueEx, and is just the result of the malloc)
I tried running as admin too, with no luck.
This is the code im using:
HKEY hKey;
if (RegOpenKeyEx(HKEY_CURRENT_USER, "Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop", 0, KEY_ALL_ACCESS, &hKey) != ERROR_SUCCESS)
return;
//Read & save
DWORD BufferSize = TOTALBYTES;
DWORD cbData;
DWORD dwRet;
LPBYTE data = (LPBYTE)malloc(BufferSize);
cbData = BufferSize;
DWORD type = REG_BINARY;
dwRet = RegQueryValueEx(hKey, "IconLayouts", NULL, &type, data, &cbData);
while (dwRet == ERROR_MORE_DATA) {
BufferSize += BYTEINCREMENT;
data = (LPBYTE)realloc(data, BufferSize);
cbData = BufferSize;
dwRet = RegQueryValueEx(hKey, "IconLayouts", NULL, &type, data, &cbData);
}
if (dwRet == ERROR_SUCCESS)
{
//Write current registry to a file
std::ofstream currentRegistryFile(DIRECTORY + currentDesktop + ".bin");
if (!currentRegistryFile) {
log(currentDesktop + " file couldn't be opened.");
return;
}
for (int i = 0; i < cbData; i++)
currentRegistryFile << (data)[cbData];
}
else
log("Couldnt read registry");
//Close registry
RegCloseKey(hKey);
Your saving code is the problem. It’s actually accessing the array out of bounds:
for (int i = 0; i < cbData; i++)
currentRegistryFile << (data)[cbData];
Note you’re indexing data with constant value of cbData and not loop variable i. Change that.
Related
I am working on a encryption algo with c++ using WINAPI. My encryption works flawless and my decryption too untill the last chunk to be decrypted with final = TRUE. I got the NTE_BAD_DATA error.
PS : I manualy check the buffer and the decryption works fine untill the last CryptDecrypt.
If someone have an idea, kindly help me :)
Here is my code :
PVOID test(PVOID buffer, DWORD* length, PCHAR key_str2,bool isdecrypt) {
CHAR default_key[] = "3igcZhRdWq96m3GUmTAiv9";
CHAR* key_str = default_key;
size_t len = lstrlenA(key_str);
DWORD dwStatus = 0;
BOOL bResult = FALSE;
wchar_t info[] = L"Microsoft Enhanced RSA and AES Cryptographic Provider";
HCRYPTPROV hProv;
if (!CryptAcquireContextW(&hProv, NULL, info, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
dwStatus = GetLastError();
CryptReleaseContext(hProv, 0);
return 0;
}
HCRYPTHASH hHash;
if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
dwStatus = GetLastError();
CryptReleaseContext(hProv, 0);
return 0;
}
if (!CryptHashData(hHash, (BYTE*)key_str, len, 0)) {
DWORD err = GetLastError();
return 0;
}
HCRYPTKEY hKey;
if (!CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey)) {
dwStatus = GetLastError();
CryptReleaseContext(hProv, 0);
return 0;
}
const size_t chunk_size = CHUNK_SIZE;
BYTE chunk[chunk_size] = { 0 };
DWORD out_len = 0;
BOOL isFinal = FALSE;
DWORD readTotalSize = 0;
DWORD inputSize = *length;
PVOID newBuff = VirtualAlloc(0, inputSize, MEM_COMMIT, PAGE_READWRITE);
while (true)
{
if (readTotalSize + chunk_size >= inputSize)
{
isFinal = TRUE;
memcpy(chunk, PVOID((DWORD)buffer + readTotalSize), inputSize - readTotalSize);
out_len = inputSize - readTotalSize;
}
else {
memcpy(chunk, PVOID((DWORD)buffer + readTotalSize), chunk_size);
out_len = chunk_size;
}
if (isdecrypt) {
if (!CryptDecrypt(hKey, NULL, isFinal, 0, chunk, &out_len)) {
int a = GetLastError();
break;
}
}
else {
if (!CryptEncrypt(hKey, NULL, isFinal, 0, chunk, &out_len, chunk_size)) {
break;
}
}
if (readTotalSize + chunk_size >= inputSize) {
memcpy(PVOID((DWORD)newBuff + readTotalSize), chunk, inputSize - readTotalSize);
readTotalSize += inputSize - readTotalSize;
}
else {
memcpy(PVOID((DWORD)newBuff + readTotalSize), chunk, chunk_size);
readTotalSize += chunk_size;
}
if (isFinal)
break;
memset(chunk, 0, chunk_size);
}
CryptReleaseContext(hProv, 0);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);
return newBuff;
}
You are not storing off the encryption the final block correctly.
The amount of data you pass into the encryption is in out_len, and the amount of data that is encrypted is put back into out_len. For a block cypher that doesn't matter for whole blocks, but your last block which is less than a whole block being passed into encryption probably creates a whole block of encrypted data.
This means that your encrypted data is probably a little larger than your plain text in the final block, but you make no effort to handle this so on when you decrypt you have an issue as you've dropped some of the encrypted data on the floor.
Use the value put into out_len by the encryption function to store off your data (as you overwrite your data stream you'll need to make sure there's space though)
I'm pretty sure my RegSetSetValueExA works fine, My data I'm writing is (CONST BYTE*)&setValue. My setvalue is a DWORD and I've already wrote to the registry with this with RegOpenKeyExA and it works fine.
I think the problem is coming from RegCreateKeyExA because I'm creating my new key from that.
Also, my REG_DWORD requires me to write in Binary for some reason
https://gyazo.com/e418587d579a3e540656f06a2524901f
I've tried looking at other threads but everyone's problem seems different to mine because they're using RegOpenKeyExA.
#include "stdafx.h"
#include <stdio.h>
#include <iostream>
#include <Windows.h>
#include <cstdio>
#include "Strsafe.h"
// Stolen microsoft error code credits:msdn
void ErrorExit(LPTSTR lpszFunction)
{
// Retrieve the system error message for the last-error code
LPVOID lpMsgBuf;
LPVOID lpDisplayBuf;
DWORD dw = GetLastError();
FormatMessage(
FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM |
FORMAT_MESSAGE_IGNORE_INSERTS,
NULL,
dw,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&lpMsgBuf,
0, NULL);
// Display the error message and exit the process
lpDisplayBuf = (LPVOID)LocalAlloc(LMEM_ZEROINIT,
(lstrlen((LPCTSTR)lpMsgBuf) + lstrlen((LPCTSTR)lpszFunction) + 40) * sizeof(TCHAR));
StringCchPrintf((LPTSTR)lpDisplayBuf,
LocalSize(lpDisplayBuf) / sizeof(TCHAR),
TEXT("%s failed with error %d: %s"),
lpszFunction, dw, lpMsgBuf);
MessageBox(NULL, (LPCTSTR)lpDisplayBuf, TEXT("Error"), MB_OK);
LocalFree(lpMsgBuf);
LocalFree(lpDisplayBuf);
ExitProcess(dw);
}
// end of stolen code
int main()
{
DWORD Disposition = REG_CREATED_NEW_KEY;
BYTE lpData[32];
DWORD setValue = 2;
PHKEY throwAwayKey = 0;
DWORD lpType = { REG_DWORD };
DWORD lpcbData = { sizeof(lpData) };
HKEY hKey = 0;
char regPath[64] = "Software\\Policies\\Microsoft\\Windows\\System";
char lpValueName[32] = "DisableCMD";
long RegCKExA = RegCreateKeyExA(HKEY_CURRENT_USER, regPath, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &Disposition);
if (RegCKExA == ERROR_SUCCESS)
{
std::cout << "Successfully executed RegCreatKeyExA\n";
}
else
{
std::cout << "An error has occurred while executing RRegCreateKeyExA. Error code: ";
ErrorExit((LPTSTR)TEXT("RegCreateKeyExA"));
getchar();
return EXIT_FAILURE;
}
long regQVExA = RegQueryValueExA(hKey, lpValueName, NULL, &lpType, (LPBYTE)lpData, &lpcbData);
if (regQVExA == ERROR_SUCCESS)
{
std::cout << "Successfully executed RegQueryValueExA and DisableCMD is already on this computer. Press ENTER to continute\n";
getchar();
return ERROR_SUCCESS; // Difference is it returns here if DisableCMD exists
}
else
std::cout << "DisableCMD not found. Starting creation of DisableCMD registry value. Press ENTER to continue";
getchar();
auto regSVExA = RegSetValueExA(hKey, lpValueName, 0, REG_DWORD, (CONST BYTE*)&setValue, lpcbData);
if (regSVExA == ERROR_SUCCESS)
{
std::cout << "Successfully executed RegSetValueExA\n";
getchar();
}
else
{
std::cout << "An error has occurred while executing RegSetValueExA. Error code: ";
getchar();
return EXIT_FAILURE;
}
RegCloseKey(hKey);
return 0;
}
I refactored your functions as WriteDWORD and ReadDWORD.
Note that the code is actually VERY SIMILAR to your code. So why did I bother? Well, there is one subtle difference in that I made DWORD the input/output type instead of the BYTE array you had.
LSTATUS WriteDWORD(LPCSTR lpPath, LPCSTR lpValueName, DWORD dwData)
{
LSTATUS status = ERROR_SUCCESS;
HKEY hKey = NULL;
DWORD dwDisposition = 0;
status = RegCreateKeyExA(HKEY_CURRENT_USER, lpPath, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
if (status != ERROR_SUCCESS)
{
return status;
}
status = RegSetValueExA(hKey, lpValueName, 0, REG_DWORD, (CONST BYTE*) &dwData, sizeof(DWORD));
RegCloseKey(hKey);
return status;
}
LSTATUS ReadDWORD(LPCSTR lpPath, LPCSTR lpValueName, DWORD* pdwData)
{
LSTATUS status = ERROR_SUCCESS;
HKEY hKey = NULL;
DWORD dwDisposition = 0;
status = RegCreateKeyExA(HKEY_CURRENT_USER, lpPath, 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &hKey, &dwDisposition);
if (status != ERROR_SUCCESS)
{
return status;
}
DWORD dwType = 0;
DWORD cbData = sizeof(DWORD);
status = RegQueryValueExA(hKey, lpValueName, NULL, &dwType, (LPBYTE)pdwData, &cbData);
RegCloseKey(hKey);
return status;
}
Here is a sample usage:
int main()
{
char szPath[64] = "Software\\Policies\\Microsoft\\Windows\\System";
char szValueName[32] = "DisableCMD";
WriteDWORD(szPath, szValueName, 1234);
DWORD dwValue = 0;
ReadDWORD(szPath, szValueName, &dwValue); // dwValue now contains 1234
return 0;
}
Note that I did a few things:
I used DWORD dwData for the writer but DWORD* pdwData for the reader.
I preinitialized DWORD cbData = sizeof(DWORD); (i.e. 4)
I hope this gives you insight to the "Binary" part of your question. A DWORD is 4 bytes. When you wrote it to the registry, you are telling it to store a DWORD which is a 32 bit number or 4 bytes. When you read it back from registry, to reconstitute in your app you should supply a pointer to a DWORD. Since you gave it a byte array, the 32 bit number populated the first 4 bytes of the array you supplied. You may not have understood it but it is the correct behavior.
If you used std::cout you will find that it reacts differently to the same 4 bytes because of the overloaded C++ type. If you had used a DWORD you would have seen your number. However, since you have it in your byte array, it will be binary gibberish.
I'm currently working on a simple encryption/decryption system in C++ using the Windows API.
I believe I've been successful at getting CryptEncrypt() to work (AES_128) for encrypting a file.
But when I Use CryptDecrypt() to decrypt the file, the first 16 bytes are corrupted and then after 4000 bytes (which is the size of the chunks I'm pulling from ReadFile() and encrypting) is another chunk of corrupted bytes and so on. If I try to decrypt a file with a total length less than 4000 bytes, the decryption works perfectly.
I'm very confused about why this is happening. There are no errors at all.
Here is a snippet of my code (I have CryptEncrypt() and CryptDecrypt() right after each other to save me exporting the key and to make the testing faster):
DWORD bytesRead;
DWORD bytesWritten;
DWORD pointer = 0;
unsigned int blockSize = 4000;
void *fileBuffer = new unsigned char[4106];
bool EOF = false;
do
{
SetFilePointer(hFileOrginal,pointer,0,0);
ReadFile(hFileOrginal,fileBuffer,blockSize,&bytesRead,NULL);
if(bytesRead<blockSize)
{
EOF=true;
}
CryptEncrypt(aesKey,NULL,EOF,0,(BYTE *)fileBuffer,&bytesRead,(blockSize+16));
CryptDecrypt(aesKey,NULL,EOF,0,(BYTE *)fileBuffer,&bytesRead);
WriteFile(hTempFile,fileBuffer,bytesRead,&bytesWritten,NULL);
pointer +=bytesRead;
}
while(!EOF);
delete[] fileBuffer;
I would really appreciate any suggestions about whats going wrong.
EDIT: On a 4704 bytes file I got the following using breakpoints.
First ReadFile bytesread 4000
First CryptEncrypt bytesRead 4000
First CryptDecrypt bytesRead 4000
Second ReadFile bytesread 704
Second CryptEncrypt bytesread 720
Second CryptDecrupt bytesread 704
Everything seems good with that yet I still get a problem.
I'm using the enhanced crypto api (With verifycontext) with a generated a single AES key with the CRYPT_EXPORTABLE property
You are not doing any error handling at all. All of the API functions you are calling have return values and error codes, none of which you are checking.
You are also not managing bytesRead correctly. CryptEncrypt() modifies the variable you pass to it, which then affects your call to CreateDecrypt(), which also modifies it, and that then affects subsequent calls to SetFilePointer(), which you should not be calling in your loop to begin with. You are not validating that you have as many bytes as you are expecting, or that bytesRead ends up back at the original value that ReadFile() returned, so you may end up skipping bytes in the source file.
Try something more like this instead:
bool ReadFromFile(HANDLE hFile, void *Buffer, DWORD BufSize, DWORD *BytesRead)
{
if (BytesRead)
*BytesRead = 0;
LPBYTE pBuffer = (LPBYTE) Buffer;
DWORD dwRead;
while (BufSize > 0)
{
if (!ReadFile(hFile, pBuffer, BufSize, &dwRead, NULL))
return false;
if (dwRead == 0)
break;
pBuffer += dwRead;
BufSize -= dwRead;
if (BytesRead)
*BytesRead += dwRead;
}
return true;
}
bool WriteToFile(HANDLE hFile, void *Buffer, DWORD BufSize)
{
LPBYTE pBuffer = (LPBYTE) Buffer;
DWORD dwWritten;
while (BufSize > 0)
{
if (!WriteFile(hFile, pBuffer, BufSize, &dwWritten, NULL))
return false;
pBuffer += dwWritten;
BufSize -= dwWritten;
}
return true;
}
DWORD bytesRead;
const UINT blockSize = 4000;
LPBYTE fileBuffer = new BYTE[blockSize+16];
bool EOF;
if (SetFilePointer(hFileOrginal, 0, NULL, FILE_BEGIN) != 0)
{
errorCode = GetLastError();
...
}
else
{
do
{
if (!ReadFromFile(hFileOrginal, fileBuffer, blockSize, &bytesRead))
{
errorCode = GetLastError();
...
break;
}
EOF = (bytesRead < blockSize);
bytesEncrypted = bytesRead;
if (!CryptEncrypt(aesKey, NULL, EOF, 0, fileBuffer, &bytesEncrypted, blockSize+16))
{
errorCode = GetLastError();
...
break;
}
bytesDecrypted = bytesEncrypted;
if (!CryptDecrypt(aesKey, NULL, EOF, 0, fileBuffer, &bytesDecrypted))
{
errorCode = GetLastError();
...
break;
}
if (!WriteToFile(hTempFile, fileBuffer, bytesDecrypted))
{
errorCode = GetLastError();
...
break;
}
if (bytesDecrypted != bytesRead)
{
...
break;
}
}
while (!EOF);
}
delete[] fileBuffer;
I am trying to print info about registry. My problem is in the first for loop.
I can't get it to print dataType and data correctly.
Also, adding them in the same print will crash the program or not print correctly.
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
void EnumerateValues(HKEY hKey, DWORD numValues)
{
DWORD dwIndex = 0;
LPSTR valueName = new CHAR[64];
DWORD valNameLen;
DWORD dataType;
DWORD data;
DWORD dataSize;
for (int i = 0; i < numValues; i++)
{
RegEnumValue(hKey,
dwIndex,
valueName,
&valNameLen,
NULL,
&dataType,
(BYTE*)&data,
&dataSize);
dwIndex++;
_tprintf(TEXT("(%d) %s %d\n"), i+1, valueName, dataType);
// printf("Code: 0x%08X\n", data);
}
}
void EnumerateSubKeys(HKEY RootKey, char* subKey, unsigned int tabs = 0)
{
HKEY hKey;
DWORD cSubKeys; //Used to store the number of Subkeys
DWORD maxSubkeyLen; //Longest Subkey name length
DWORD cValues; //Used to store the number of Subkeys
DWORD maxValueLen; //Longest Subkey name length
DWORD retCode; //Return values of calls
RegOpenKeyEx(RootKey, subKey, 0, KEY_ALL_ACCESS, &hKey);
RegQueryInfoKey(hKey, // key handle
NULL, // buffer for class name
NULL, // size of class string
NULL, // reserved
&cSubKeys, // number of subkeys
&maxSubkeyLen, // longest subkey length
NULL, // longest class string
&cValues, // number of values for this key
&maxValueLen, // longest value name
NULL, // longest value data
NULL, // security descriptor
NULL); // last write time
if(cSubKeys>0)
{
char currentSubkey[MAX_PATH];
for(int i=0;i < cSubKeys;i++){
DWORD currentSubLen=MAX_PATH;
retCode=RegEnumKeyEx(hKey, // Handle to an open/predefined key
i, // Index of the subkey to retrieve.
currentSubkey, // buffer to receives the name of the subkey
¤tSubLen, // size of that buffer
NULL, // Reserved
NULL, // buffer for class string
NULL, // size of that buffer
NULL); // last write time
if(retCode==ERROR_SUCCESS)
{
for (int i = 0; i < tabs; i++)
printf("\t");
printf("(%d) %s\n", i+1, currentSubkey);
char* subKeyPath = new char[currentSubLen + strlen(subKey)];
sprintf(subKeyPath, "%s\\%s", subKey, currentSubkey);
EnumerateSubKeys(RootKey, subKeyPath, (tabs + 1));
}
}
}
else
{
EnumerateValues(hKey, cValues);
}
RegCloseKey(hKey);
}
int main()
{
EnumerateSubKeys(HKEY_CURRENT_USER,"SOFTWARE\\Dropbox");
getchar();
return 0;
}
Your call to RegEnumValue is incorrect. It has the following problems:
You are expected to initialise valNameLen before calling the function.
You are expected to initialise dataSize before calling the function.
You fail to check the return value of RegEnumValue and thus assume that the function succeeds. And in fact it fails because you of the aforementioned errors.
Let's ignore the value for now, since that's much more complex. Let's just try and enumerate the names of the values. That code would look like this:
void EnumerateValues(HKEY hKey, DWORD numValues)
{
for (DWORD dwIndex = 0; dwIndex < numValues; dwIndex++)
{
char valueName[64];
DWORD valNameLen = sizeof(valueName);
DWORD dataType;
DWORD dataSize = 0;
DWORD retval = RegEnumValue(hKey, dwIndex, valueName, &valNameLen,
NULL, &dataType, NULL, &dataSize);
if (retval == ERROR_SUCCESS)
{
printf("(%d) %s %d\n", dwIndex+1, valueName, dataType);
}
else
{
// handle error
}
}
}
Note also that I stopped using a dynamically allocated character array as your code did. Your code leaked that array. Obviously if you need to cope with arbitrarily large value names, then you would need to use dynamically allocated arrays.
As for extracting the data, that's a bigger task that I don't believe is in the scope of
this question. You need special code for each individual data type.
For instance, to read a REG_SZ you would use code like this:
char *data = new char [dataSize+1];
data[dataSize] = '\0';
valNameLen = sizeof(valueName);
DWORD retval = RegEnumValue(hKey, dwIndex, valueName, &valNameLen,
NULL, NULL, (LPBYTE)data, &dataSize);
if (retval == ERROR_SUCCESS)
{
printf("(%d) %s %d %s\n", dwIndex+1, valueName, dataType, data);
}
else
{
// handle error
}
delete[] data;
I want to get all the registry values under specific key path, but RegEnumValue() always returns back the error code 259 as ERROR_NO_MORE_ITEMS and sectionValue has nonsense value. I check the registry manually and there are values under the specified key.
For example.
key is MyTestApp
key value is ManualTestCase = 10
key value is AutomationTestCase = 50
HKEY hKey; //registry key handle
LONG lResult; //result of registry operations
DWORD dwType, dwSize=0;
//try to open the key that we are currently pointing at with rootPath
lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, rootPath, NULL, KEY_ALL_ACCESS, &hKey);
if (lResult == ERROR_SUCCESS)
{
LPTSTR className = NULL;
DWORD classNameSize = MAX_PATH;
DWORD subKey = 0;
DWORD maxSubKey;
DWORD maxClass;
DWORD value;
DWORD maxValue;
DWORD maxValueData;
DWORD securityDescriptor;
FILETIME ftLastWriteTime;
DWORD sectionNameSize;
int j;
//to get total keys for the specified path
lResult = RegQueryInfoKey(hKey, className, &classNameSize, NULL,
&subKey, &maxSubKey, &maxClass, &value, &maxValue,
&maxValueData, &securityDescriptor, &ftLastWriteTime);
if(lResult == ERROR_SUCCESS)
{
for(int i = 0; i < subKey; i++)
{
LPTSTR sectionName = new TCHAR[1096];
sectionNameSize = 1096;
ftLastWriteTime.dwHighDateTime = 0;
ftLastWriteTime.dwLowDateTime = 0;
//enumerate all the registry key names for specified path
lResult = RegEnumKeyEx(hKey, i, sectionName,
§ionNameSize, NULL, NULL,
NULL, &ftLastWriteTime);
CString testStr = sectionName;
if(lResult == ERROR_SUCCESS)
{
j = 0;
do
{
LPTSTR sectionValue;
DWORD sectionValueSize = 4096;
DWORD dwType;
//enumerate all the values for specified key
lResult = RegEnumValue(hKey, j, sectionName,
§ionNameSize, NULL, &dwType,
(LPBYTE)sectionValue, §ionValueSize);
//
if(lResult == ERROR_SUCCESS)
{
//do something to the data
bool whatever = true;
}
else if(lResult == ERROR_MORE_DATA)
{
//
bool yeahSure = true;
}
j++;
}while(lResult != ERROR_NO_MORE_ITEMS);
}
delete[] sectionName;
}
}
}
RegCloseKey(hKey);
My guess is your problem is with how you use lResult = RegEnumKeyEx(hKey, i, sectionName,...
You are trying to enumerate values of a subkey without actually opening that subkey.