这也是通过微软提供的函数直接调用的，只需设置回调即可。
#include <ntddk.h>
#include <ntimage.h>
#include <windef.h>
#include <stdlib.h>
#include <ntimage.h>
#define REGISTRY_POOL_TAG 'pRE'
/* ObQueryNameString is declared in ntifs.h rather than ntddk.h, hence the manual prototype here. */
NTKERNELAPI NTSTATUS ObQueryNameString
(
IN PVOID Object,
OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
IN ULONG Length,
OUT PULONG ReturnLength
);
/* Not referenced anywhere in this file. NOTE(review): the WDK declares this routine in
   ntstrsafe.h with a PCUNICODE_STRING source; keep this prototype in sync if it is ever called. */
NTKERNELAPI NTSTATUS RtlUnicodeStringCopy
(
__out PUNICODE_STRING DestinationString,
__in PUNICODE_STRING SourceString
);
/* Exported but undocumented. Returns the short image name kept in the EPROCESS
   (at most 15 characters plus the terminator), so longer executable names are truncated. */
NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS Process);
/*
 * DriverUnload routine: only logs that the driver is going away.
 *
 * It does not call CmUnRegisterCallback itself. The registry callback that
 * DriverEntry registers with CmRegisterCallback must be unregistered before
 * the image is unloaded, otherwise the kernel later calls into freed memory.
 */
VOID Unload(PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);

    KdPrint(("拜拜!\n"));
}
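/*
 * Compare a process's image file name with an expected name, case-insensitively.
 *
 * @param string   NUL-terminated expected image name, e.g. "regedit.exe".
 * @param eprocess Process whose image name is inspected.
 * @return TRUE when the names match; FALSE on mismatch or when either argument is NULL.
 *
 * PsGetProcessImageFileName() yields the short image name held in the EPROCESS
 * (at most 15 characters), so only that prefix is ever compared. The value is
 * derived from the executable's file name, which makes it a weak identity for
 * access decisions; treat a match as a hint rather than as authentication.
 */
BOOLEAN IsProcessName(char *string, PEPROCESS eprocess)
{
    char name[260] = { 0 };
    const char *imageName;

    if (string == NULL || eprocess == NULL)
    {
        return FALSE;
    }

    imageName = (const char *)PsGetProcessImageFileName(eprocess);
    if (imageName == NULL)
    {
        return FALSE;
    }

    /* Bounded copy instead of strcpy; name is zero-filled, and the last byte is
       forced to NUL so the buffer is always terminated regardless of source length. */
    strncpy(name, imageName, sizeof name - 1);
    name[sizeof name - 1] = '\0';

    return (_stricmp(name, string) == 0) ? TRUE : FALSE;
}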
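/*
 * Resolve the full registry path of a key object into pRegistryPath.
 *
 * @param pRegistryPath        Caller-provided destination whose Buffer and
 *                             MaximumLength are already set up. The copy is
 *                             truncated to MaximumLength by RtlCopyUnicodeString.
 * @param pPartialRegistryPath Optional caller-supplied name. When it already looks
 *                             absolute (first character '\\' or '%', or the prefix
 *                             "TRY\\") it is copied as-is and the object is not queried.
 * @param pRegistryObject      Registry key object passed to ObQueryNameString.
 * @return TRUE when pRegistryPath was filled, FALSE otherwise (NULL arguments,
 *         allocation failure, or a failed name query).
 *
 * Must run at PASSIVE_LEVEL (ObQueryNameString, pool allocation).
 * NOTE(review): MmIsAddressValid only tells whether the page is currently
 * resident; it does not prove pRegistryObject is a live object. On targets that
 * support it, CmCallbackGetKeyObjectID is the supported way to obtain a key
 * path from inside a registry callback.
 */
BOOLEAN GetRegistryObjectCompleteName(
    PUNICODE_STRING pRegistryPath,
    PUNICODE_STRING pPartialRegistryPath,
    PVOID pRegistryObject)
{
    BOOLEAN resolved = FALSE;

    /* NULL test first so MmIsAddressValid is never asked about a NULL pointer. */
    if (pRegistryPath == NULL || pRegistryObject == NULL || !MmIsAddressValid(pRegistryObject))
    {
        return FALSE;
    }

    if (pPartialRegistryPath != NULL && pPartialRegistryPath->Buffer != NULL)
    {
        /* Length is in bytes; every Buffer[i] read below is guarded by it so a
           short or empty string cannot be read past its end. */
        USHORT chars = pPartialRegistryPath->Length / sizeof(WCHAR);
        const WCHAR *buf = pPartialRegistryPath->Buffer;
        BOOLEAN absolute = FALSE;

        if (chars >= 1 && (buf[0] == L'\\' || buf[0] == L'%'))
        {
            absolute = TRUE;
        }
        else if (chars >= 4 && buf[0] == L'T' && buf[1] == L'R' && buf[2] == L'Y' && buf[3] == L'\\')
        {
            absolute = TRUE;
        }

        if (absolute)
        {
            RtlCopyUnicodeString(pRegistryPath, pPartialRegistryPath);
            return TRUE;
        }
    }

    {
        NTSTATUS status;
        ULONG returnLen = 0;
        POBJECT_NAME_INFORMATION pObjectName;

        /* Probe call: no buffer, zero length; only the required size is reported. */
        status = ObQueryNameString(pRegistryObject, NULL, 0, &returnLen);
        if (status != STATUS_INFO_LENGTH_MISMATCH || returnLen == 0)
        {
            return FALSE;
        }

        pObjectName = ExAllocatePoolWithTag(NonPagedPool, returnLen, REGISTRY_POOL_TAG);
        if (pObjectName == NULL)
        {
            /* Bail before the second query: ExFreePoolWithTag(NULL) would bugcheck. */
            return FALSE;
        }

        status = ObQueryNameString(pRegistryObject, pObjectName, returnLen, &returnLen);
        if (NT_SUCCESS(status))
        {
            /* OBJECT_NAME_INFORMATION starts with the UNICODE_STRING Name member. */
            RtlCopyUnicodeString(pRegistryPath, &pObjectName->Name);
            resolved = TRUE;
        }

        ExFreePoolWithTag(pObjectName, REGISTRY_POOL_TAG);
    }

    return resolved;
}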
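/*
 * CmRegisterCallback routine: denies key create/delete/rename and value
 * set/delete operations issued by a process whose image name is "regedit.exe".
 * Every other caller, and every other notification class, is allowed through.
 *
 * @param CallbackContext Unused; DriverEntry registers with a NULL context.
 * @param Argument1       REG_NOTIFY_CLASS of the operation, carried in a pointer.
 * @param Argument2       Operation-specific REG_*_INFORMATION structure.
 * @return STATUS_ACCESS_DENIED to block the operation, STATUS_SUCCESS to let it proceed.
 *
 * Runs in the context of the thread performing the registry operation, so
 * PsGetCurrentProcess() identifies the requester. The path buffer is allocated
 * only after the cheap process-name test so the common case costs no pool.
 */
NTSTATUS RegistryCallBack(
    IN PVOID CallbackContext,
    IN PVOID Argument1,
    IN PVOID Argument2
    )
{
    /* Go through ULONG_PTR so the pointer-to-enum cast does not truncate on 64-bit builds. */
    REG_NOTIFY_CLASS type = (REG_NOTIFY_CLASS)(ULONG_PTR)Argument1;
    NTSTATUS CallBack = STATUS_SUCCESS;
    UNICODE_STRING registryPath;

    UNREFERENCED_PARAMETER(CallbackContext);

    /* Nothing to do for other processes, and every case below dereferences Argument2. */
    if (Argument2 == NULL || !IsProcessName("regedit.exe", PsGetCurrentProcess()))
    {
        return STATUS_SUCCESS;
    }

    registryPath.Length = 0;
    registryPath.MaximumLength = 2048 * sizeof(WCHAR); /* longest path logged; longer ones are truncated */
    registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, REGISTRY_POOL_TAG);
    if (registryPath.Buffer == NULL)
    {
        /* Out of pool: fail open (allow) rather than turn a resource shortage into a hard block. */
        return STATUS_SUCCESS;
    }

    switch (type)
    {
    case RegNtPreCreateKeyEx:
    {
        PREG_CREATE_KEY_INFORMATION info = (PREG_CREATE_KEY_INFORMATION)Argument2;
        /* RootObject may be NULL for an absolute CompleteName; the resolver then
           returns FALSE and registryPath is logged empty. */
        GetRegistryObjectCompleteName(&registryPath, NULL, info->RootObject);
        KdPrint(("[RegNtPreCreateKeyEx]KeyPath: %wZ", &registryPath)); /* path of the parent key */
        KdPrint(("[RegNtPreCreateKeyEx]KeyName: %wZ", info->CompleteName)); /* name of the new key */
        CallBack = STATUS_ACCESS_DENIED;
        break;
    }
    case RegNtPreDeleteKey:
    {
        PREG_DELETE_KEY_INFORMATION info = (PREG_DELETE_KEY_INFORMATION)Argument2;
        GetRegistryObjectCompleteName(&registryPath, NULL, info->Object);
        KdPrint(("[RegNtPreDeleteKey]%wZ", &registryPath)); /* path of the key being deleted */
        CallBack = STATUS_ACCESS_DENIED;
        break;
    }
    case RegNtPreSetValueKey:
    {
        PREG_SET_VALUE_KEY_INFORMATION info = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
        GetRegistryObjectCompleteName(&registryPath, NULL, info->Object);
        KdPrint(("[RegNtPreSetValueKey]KeyPath: %wZ", &registryPath));
        KdPrint(("[RegNtPreSetValueKey]ValName: %wZ", info->ValueName));
        CallBack = STATUS_ACCESS_DENIED;
        break;
    }
    case RegNtPreDeleteValueKey:
    {
        PREG_DELETE_VALUE_KEY_INFORMATION info = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
        GetRegistryObjectCompleteName(&registryPath, NULL, info->Object);
        KdPrint(("[RegNtPreDeleteValueKey]KeyPath: %wZ", &registryPath));
        KdPrint(("[RegNtPreDeleteValueKey]ValName: %wZ", info->ValueName));
        CallBack = STATUS_ACCESS_DENIED;
        break;
    }
    case RegNtPreRenameKey:
    {
        PREG_RENAME_KEY_INFORMATION info = (PREG_RENAME_KEY_INFORMATION)Argument2;
        GetRegistryObjectCompleteName(&registryPath, NULL, info->Object);
        KdPrint(("[RegNtPreRenameKey]KeyPath: %wZ", &registryPath));
        KdPrint(("[RegNtPreRenameKey]NewName: %wZ", info->NewName));
        CallBack = STATUS_ACCESS_DENIED;
        break;
    }
    default:
        break;
    }

    /* Release on every path; the original placed this inside the switch where it was unreachable. */
    ExFreePoolWithTag(registryPath.Buffer, REGISTRY_POOL_TAG);
    return CallBack;
}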
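/* Cookie handed back by CmRegisterCallback; required to unregister on unload. */
static LARGE_INTEGER g_RegistryCallbackCookie;
static BOOLEAN g_RegistryCallbackRegistered = FALSE;

/*
 * DriverUnload routine: removes the registry callback first, so the kernel
 * never calls into the unloaded image, then runs the original Unload logic.
 */
static VOID RegistryCallbackUnload(PDRIVER_OBJECT pDriverObj)
{
    if (g_RegistryCallbackRegistered)
    {
        CmUnRegisterCallback(g_RegistryCallbackCookie);
        g_RegistryCallbackRegistered = FALSE;
    }
    Unload(pDriverObj);
}

/*
 * Driver entry point: registers RegistryCallBack with the configuration manager.
 *
 * @param pDriverObj      Driver object; DriverUnload is installed once registration succeeds.
 * @param pRegistryString Driver service registry path (unused).
 * @return STATUS_SUCCESS, or the CmRegisterCallback failure status. Propagating the
 *         failure lets the I/O manager unload the driver instead of leaving an
 *         inert driver resident with an uninitialized callback cookie.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegistryString);

    status = CmRegisterCallback(RegistryCallBack, NULL, &g_RegistryCallbackCookie);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("失败!\n"));
        return status;
    }

    g_RegistryCallbackRegistered = TRUE;
    KdPrint(("成功!\n"));

    pDriverObj->DriverUnload = RegistryCallbackUnload;
    return STATUS_SUCCESS;
}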
上面的代码是根据作者 Tesla.Angela 的代码所写。
感谢作者 Tesla.Angela 的无私奉献。