|
|
/*++
Copyright (c) 2001 Microsoft Corporation
Module Name:
RegistryChecks.cpp
Abstract: Warn the app when it's trying to read from or write to inappropriate places in the registry.
Notes:
This is a general purpose shim.
History:
03/09/2001 maonis Created 09/04/2001 maonis Since none of the paths we compare with exceed MAX_PATH - 1 characters, we only examine at most that many characters of the key paths to make sure there's no buffer overflow in the paths of open keys.--*/
#include "precomp.h"
IMPLEMENT_SHIM_BEGIN(RegistryChecks)#include "ShimHookMacro.h"
#include "RegistryChecks.h"
//
// verifier log entries
//
BEGIN_DEFINE_VERIFIER_LOG(RegistryChecks) VERIFIER_LOG_ENTRY(VLOG_HKCU_Console_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_ControlPanel_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_Environment_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_Identities_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_KeyboardLayout_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_Printers_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_RemoteAccess_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_SessionInformation_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_UNICODEProgramGroups_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_VolatileEnvironment_READ) VERIFIER_LOG_ENTRY(VLOG_HKCU_Windows31MigrationStatus_READ) VERIFIER_LOG_ENTRY(VLOG_HKLM_HARDWARE_READ) VERIFIER_LOG_ENTRY(VLOG_HKLM_SAM_READ) VERIFIER_LOG_ENTRY(VLOG_HKLM_SECURITY_READ) VERIFIER_LOG_ENTRY(VLOG_HKLM_SYSTEM_READ) VERIFIER_LOG_ENTRY(VLOG_HKCC_READ) VERIFIER_LOG_ENTRY(VLOG_HKUS_READ) VERIFIER_LOG_ENTRY(VLOG_NON_HKCU_WRITE)END_DEFINE_VERIFIER_LOG(RegistryChecks)
INIT_VERIFIER_LOG(RegistryChecks);
const RCWARNING g_warnNoDirectRead[] = { {HKCU_Console_STR, VLOG_HKCU_Console_READ, NUM_OF_CHAR(HKCU_Console_STR)}, {HKCU_ControlPanel_STR, VLOG_HKCU_ControlPanel_READ, NUM_OF_CHAR(HKCU_ControlPanel_STR)}, {HKCU_Environment_STR, VLOG_HKCU_Environment_READ, NUM_OF_CHAR(HKCU_Environment_STR)}, {HKCU_Identities_STR, VLOG_HKCU_Identities_READ, NUM_OF_CHAR(HKCU_Identities_STR)}, {HKCU_KeyboardLayout_STR, VLOG_HKCU_KeyboardLayout_READ, NUM_OF_CHAR(HKCU_KeyboardLayout_STR)}, {HKCU_Printers_STR, VLOG_HKCU_Printers_READ, NUM_OF_CHAR(HKCU_Printers_STR)}, {HKCU_RemoteAccess_STR, VLOG_HKCU_RemoteAccess_READ, NUM_OF_CHAR(HKCU_RemoteAccess_STR)}, {HKCU_SessionInformation_STR, VLOG_HKCU_SessionInformation_READ, NUM_OF_CHAR(HKCU_SessionInformation_STR)}, {HKCU_UNICODEProgramGroups_STR, VLOG_HKCU_UNICODEProgramGroups_READ, NUM_OF_CHAR(HKCU_UNICODEProgramGroups_STR)}, {HKCU_VolatileEnvironment_STR, VLOG_HKCU_VolatileEnvironment_READ, NUM_OF_CHAR(HKCU_VolatileEnvironment_STR)}, {HKCU_Windows31MigrationStatus_STR, VLOG_HKCU_Windows31MigrationStatus_READ,NUM_OF_CHAR(HKCU_Windows31MigrationStatus_STR)}, {HKLM_HARDWARE_STR, VLOG_HKLM_HARDWARE_READ, NUM_OF_CHAR(HKLM_HARDWARE_STR)}, {HKLM_SAM_STR, VLOG_HKLM_SAM_READ, NUM_OF_CHAR(HKLM_SAM_STR)}, {HKLM_SECURITY_STR, VLOG_HKLM_SECURITY_READ, NUM_OF_CHAR(HKLM_SECURITY_STR)}, {HKLM_SYSTEM_STR, VLOG_HKLM_SYSTEM_READ, NUM_OF_CHAR(HKLM_SYSTEM_STR)}, {HKCC_STR, VLOG_HKCC_READ, NUM_OF_CHAR(HKCC_STR)}, {HKUS_STR, VLOG_HKUS_READ, NUM_OF_CHAR(HKUS_STR)},};
const UINT g_cWarnNDirectRead = sizeof(g_warnNoDirectRead) / sizeof(RCWARNING);
VOIDMakePathW( IN RCOPENKEY* key, IN HKEY hKey, IN LPCWSTR lpSubKey, IN OUT LPWSTR lpPath ){ if (key) { if (key->wszPath[0]) { //
// We only care about at most MAX_PATH - 1 characters.
//
wcsncpy(lpPath, key->wszPath, MAX_PATH - 1); } } else { if (hKey == HKEY_CLASSES_ROOT) { wcscpy(lpPath, L"HKCR"); } else if (hKey == HKEY_CURRENT_CONFIG) { wcscpy(lpPath, L"HKCC"); } else if (hKey == HKEY_CURRENT_USER) { wcscpy(lpPath, L"HKCU"); } else if (hKey == HKEY_LOCAL_MACHINE) { wcscpy(lpPath, L"HKLM"); } else if (hKey == HKEY_USERS) { wcscpy(lpPath, L"HKUS"); } else { wcscpy(lpPath, L"Not recognized"); } }
if (lpSubKey && *lpSubKey) { DWORD cLen = wcslen(lpPath); //
// We only care about at most MAX_PATH - 1 characters.
//
if (cLen < MAX_PATH - 1) { lpPath[cLen] = L'\\'; wcsncpy(lpPath + cLen + 1, lpSubKey, MAX_PATH - cLen - 2); } }
lpPath[MAX_PATH - 1] = L'\0';}
VOID CheckReading( IN LPCWSTR pwszPath ){ RCWARNING warn;
for (UINT ui = 0; ui < g_cWarnNDirectRead; ++ui) { warn = g_warnNoDirectRead[ui]; if (!_wcsnicmp(pwszPath, warn.wszPath, warn.cLen)) { VLOG(VLOG_LEVEL_ERROR, warn.dwAVStatus, "Read from dangerous registry entry '%ls'.", pwszPath); } }}
// We warn for every tempt of writing to anything besides keys under HKCU.
// Note this applies to both Users and Admins/Power Users because when an
// app is running it shouldn't write anything to non HKCU keys, which should
// be done during the installation time.
VOID CheckWriting( IN REGSAM samDesired, IN LPCWSTR pwszPath ){ if ((samDesired &~ STANDARD_RIGHTS_WRITE) & KEY_WRITE) { if (_wcsnicmp(pwszPath, L"HKCU", 4)) { VLOG(VLOG_LEVEL_ERROR, VLOG_NON_HKCU_WRITE, "Write to non-HKCU registry entry '%ls'.", pwszPath); } }}
//
// simple locking.
//
static BOOL g_bInitialized = FALSE;
CRITICAL_SECTION g_csRegRedirect;
class CRRegLock{public: CRRegLock() { if (!g_bInitialized) { InitializeCriticalSection(&g_csRegRedirect); g_bInitialized = TRUE; }
EnterCriticalSection(&g_csRegRedirect); } ~CRRegLock() { LeaveCriticalSection(&g_csRegRedirect); }};
//
// Implementation of the CRegistryChecks class.
//
RCOPENKEY* CRegistryChecks::FindKey( HKEY hKey ){ RCOPENKEY* key = keys;
while (key) { if (key->hkBase == hKey) { return key; }
key = key->next; }
return NULL;}
// We add the key to the front of the list because the most
// recently added keys are usually used/deleted first.
BOOL CRegistryChecks::AddKey( HKEY hKey, LPCWSTR pwszPath ){ RCOPENKEY* key = new RCOPENKEY;
if (!key) { return FALSE; }
key->hkBase = hKey;
//
// None of the key paths we need to check exceed MAX_PATH - 1 characters so
// we only need to copy at most that many characters.
//
wcsncpy(key->wszPath, pwszPath, MAX_PATH - 1); key->wszPath[MAX_PATH - 1] = L'\0';
key->next = keys; keys = key;
return TRUE;}
VOID CRegistryChecks::Check( HKEY hKey, LPCSTR lpSubKey, BOOL fCheckRead, BOOL fCheckWrite, REGSAM samDesired ){ LPWSTR pwszSubKey = NULL;
if (pwszSubKey = ToUnicode(lpSubKey)) { Check(hKey, pwszSubKey, fCheckRead, fCheckWrite); free(pwszSubKey); } else { DPFN(eDbgLevelError, "Failed to convert %s to unicode", lpSubKey); }}
VOID CRegistryChecks::Check( HKEY hKey, LPCWSTR lpSubKey, BOOL fCheckRead, BOOL fCheckWrite, REGSAM samDesired ){ RCOPENKEY* key = FindKey(hKey); WCHAR wszPath[MAX_PATH] = L""; MakePathW(key, hKey, lpSubKey, wszPath);
if (fCheckRead) { CheckReading(wszPath); }
if (fCheckWrite) { CheckWriting(samDesired, wszPath); }}
LONG CRegistryChecks::OpenKeyExOriginalW( HKEY hKey, LPCWSTR lpSubKey, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition, BOOL bCreate ){ if (bCreate) { return ORIGINAL_API(RegCreateKeyExW)( hKey, lpSubKey, 0, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition); } else { return ORIGINAL_API(RegOpenKeyExW)( hKey, lpSubKey, 0, samDesired, phkResult); }}
LONG CRegistryChecks::OpenKeyExA( HKEY hKey, LPCSTR lpSubKey, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition, BOOL bCreate ){ LONG lRet; LPWSTR pwszSubKey = NULL; LPWSTR pwszClass = NULL;
if (lpSubKey) { if (!(pwszSubKey = ToUnicode(lpSubKey))) { DPFN(eDbgLevelError, "Failed to convert %s to unicode", lpSubKey); return ERROR_NOT_ENOUGH_MEMORY; } }
if (lpClass) { if (!(pwszClass = ToUnicode(lpClass))) { free(pwszSubKey); DPFN(eDbgLevelError, "Failed to convert %s to unicode", lpClass); return ERROR_NOT_ENOUGH_MEMORY; } }
lRet = OpenKeyExW( hKey, pwszSubKey, pwszClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition, bCreate);
free(pwszSubKey); free(pwszClass);
return lRet;}
LONG CRegistryChecks::OpenKeyExW( HKEY hKey, LPCWSTR lpSubKey, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition, BOOL bCreate ){ RCOPENKEY* key = FindKey(hKey); WCHAR wszPath[MAX_PATH] = L""; MakePathW(key, hKey, lpSubKey, wszPath);
CheckReading(wszPath); CheckWriting(samDesired, wszPath);
LONG lRes = OpenKeyExOriginalW( hKey, lpSubKey, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition, bCreate);
if (lRes == ERROR_SUCCESS) { if (AddKey(*phkResult, wszPath)) { DPFN(eDbgLevelInfo, "[OpenKeyExW] success - adding key 0x%08x", *phkResult); } else { lRes = ERROR_INVALID_HANDLE; } }
return lRes;}
LONG CRegistryChecks::QueryValueA( HKEY hKey, LPCSTR lpSubKey, LPSTR lpValue, PLONG lpcbValue ){ Check(hKey, lpSubKey, TRUE, FALSE);
return ORIGINAL_API(RegQueryValueA)( hKey, lpSubKey, lpValue, lpcbValue);}
LONG CRegistryChecks::QueryValueW( HKEY hKey, LPCWSTR lpSubKey, LPWSTR lpValue, PLONG lpcbValue ){ Check(hKey, lpSubKey, TRUE, FALSE);
return ORIGINAL_API(RegQueryValueW)( hKey, lpSubKey, lpValue, lpcbValue);}
LONG CRegistryChecks::QueryValueExA( HKEY hKey, LPCSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ Check(hKey, L"", TRUE, FALSE); return ORIGINAL_API(RegQueryValueExA)( hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);}
LONG CRegistryChecks::QueryValueExW( HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ Check(hKey, L"", TRUE, FALSE);
return ORIGINAL_API(RegQueryValueExW)( hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);}
LONG CRegistryChecks::QueryInfoKeyA( HKEY hKey, LPSTR lpClass, LPDWORD lpcbClass, LPDWORD lpReserved, LPDWORD lpcSubKeys, LPDWORD lpcbMaxSubKeyLen, LPDWORD lpcbMaxClassLen, LPDWORD lpcValues, LPDWORD lpcbMaxValueNameLen, LPDWORD lpcbMaxValueLen, LPDWORD lpcbSecurityDescriptor, PFILETIME lpftLastWriteTime ){ Check(hKey, L"", TRUE, FALSE);
return ORIGINAL_API(RegQueryInfoKeyA)( hKey, lpClass, lpcbClass, lpReserved, lpcSubKeys, lpcbMaxSubKeyLen, lpcbMaxClassLen, lpcValues, lpcbMaxValueNameLen, lpcbMaxValueLen, lpcbSecurityDescriptor, lpftLastWriteTime);}
LONG CRegistryChecks::QueryInfoKeyW( HKEY hKey, LPWSTR lpClass, LPDWORD lpcbClass, LPDWORD lpReserved, LPDWORD lpcSubKeys, LPDWORD lpcbMaxSubKeyLen, LPDWORD lpcbMaxClassLen, LPDWORD lpcValues, LPDWORD lpcbMaxValueNameLen, LPDWORD lpcbMaxValueLen, LPDWORD lpcbSecurityDescriptor, PFILETIME lpftLastWriteTime ){ Check(hKey, L"", TRUE, FALSE);
return ORIGINAL_API(RegQueryInfoKeyW)( hKey, lpClass, lpcbClass, lpReserved, lpcSubKeys, lpcbMaxSubKeyLen, lpcbMaxClassLen, lpcValues, lpcbMaxValueNameLen, lpcbMaxValueLen, lpcbSecurityDescriptor, lpftLastWriteTime);}
LONG CRegistryChecks::SetValueA( HKEY hKey, LPCSTR lpSubKey, DWORD dwType, LPCSTR lpData, DWORD cbData ){ Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
return ORIGINAL_API(RegSetValueA)( hKey, lpSubKey, dwType, lpData, cbData);}
LONG CRegistryChecks::SetValueW( HKEY hKey, LPCWSTR lpSubKey, DWORD dwType, LPCWSTR lpData, DWORD cbData ){ Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
return ORIGINAL_API(RegSetValueW)( hKey, lpSubKey, dwType, lpData, cbData);}
LONG CRegistryChecks::SetValueExA( HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, CONST BYTE * lpData, DWORD cbData ){ Check(hKey, L"", FALSE, TRUE, KEY_WRITE); return ORIGINAL_API(RegSetValueExA)( hKey, lpValueName, Reserved, dwType, lpData, cbData);}
LONG CRegistryChecks::SetValueExW( HKEY hKey, LPCWSTR lpValueName, DWORD Reserved, DWORD dwType, CONST BYTE * lpData, DWORD cbData ){ Check(hKey, L"", FALSE, TRUE, KEY_WRITE); return ORIGINAL_API(RegSetValueExW)( hKey, lpValueName, Reserved, dwType, lpData, cbData);}
LONG CRegistryChecks::EnumValueA( HKEY hKey, DWORD dwIndex, LPSTR lpValueName, LPDWORD lpcbValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ Check(hKey, L"", TRUE, FALSE);
return ORIGINAL_API(RegEnumValueA)( hKey, dwIndex, lpValueName, lpcbValueName, lpReserved, lpType, lpData, lpcbData);}
// If the key was not originated from HKCU,
// we enum at the original location.
LONG CRegistryChecks::EnumValueW( HKEY hKey, DWORD dwIndex, LPWSTR lpValueName, LPDWORD lpcbValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ Check(hKey, L"", TRUE, FALSE);
return ORIGINAL_API(RegEnumValueW)( hKey, dwIndex, lpValueName, lpcbValueName, lpReserved, lpType, lpData, lpcbData);}
LONG CRegistryChecks::EnumKeyExA( HKEY hKey, DWORD dwIndex, LPSTR lpName, LPDWORD lpcbName, LPDWORD lpReserved, LPSTR lpClass, LPDWORD lpcbClass, PFILETIME lpftLastWriteTime ){ Check(hKey, L"", TRUE, FALSE);
return ORIGINAL_API(RegEnumKeyExA)( hKey, dwIndex, lpName, lpcbName, lpReserved, lpClass, lpcbClass, lpftLastWriteTime);}
// If the key was not originated from HKCU,
// we enum at the original location.
LONG CRegistryChecks::EnumKeyExW( HKEY hKey, DWORD dwIndex, LPWSTR lpName, LPDWORD lpcbName, LPDWORD lpReserved, LPWSTR lpClass, LPDWORD lpcbClass, PFILETIME lpftLastWriteTime ){ Check(hKey, L"", TRUE, FALSE);
return ORIGINAL_API(RegEnumKeyExW)( hKey, dwIndex, lpName, lpcbName, lpReserved, lpClass, lpcbClass, lpftLastWriteTime);}
// Remove the key from the list.
LONG CRegistryChecks::CloseKey( HKEY hKey ){ RCOPENKEY* key = keys; RCOPENKEY* last = NULL;
while (key) { if (key->hkBase == hKey) { if (last) { last->next = key->next; } else { keys = key->next; }
delete key; break; }
last = key; key = key->next; }
DPFN(eDbgLevelInfo, "[CloseKey] closing key 0x%08x", hKey);
return ORIGINAL_API(RegCloseKey)(hKey);}
LONG CRegistryChecks::DeleteKeyA( HKEY hKey, LPCSTR lpSubKey ){ Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
return ORIGINAL_API(RegDeleteKeyA)( hKey, lpSubKey);}
LONG CRegistryChecks::DeleteKeyW( HKEY hKey, LPCWSTR lpSubKey ){ Check(hKey, lpSubKey, FALSE, TRUE, KEY_WRITE);
return ORIGINAL_API(RegDeleteKeyW)( hKey, lpSubKey);}
CRegistryChecks RRegistry;
//
// Hook APIs.
//
LONG APIHOOK(RegOpenKeyA)( HKEY hKey, LPSTR lpSubKey, PHKEY phkResult ){ CRRegLock Lock;
return RRegistry.OpenKeyExA( hKey, lpSubKey, 0, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, phkResult, NULL, FALSE);}
LONG APIHOOK(RegOpenKeyW)( HKEY hKey, LPWSTR lpSubKey, PHKEY phkResult ){ CRRegLock Lock;
return RRegistry.OpenKeyExW( hKey, lpSubKey, 0, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, phkResult, NULL, FALSE);}
LONG APIHOOK(RegOpenKeyExA)( HKEY hKey, LPCSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult ){ CRRegLock Lock;
return RRegistry.OpenKeyExA( hKey, lpSubKey, 0, REG_OPTION_NON_VOLATILE, samDesired, NULL, phkResult, NULL, FALSE);}
LONG APIHOOK(RegOpenKeyExW)( HKEY hKey, LPCWSTR lpSubKey, DWORD ulOptions, REGSAM samDesired, PHKEY phkResult ){ CRRegLock Lock;
return RRegistry.OpenKeyExW( hKey, lpSubKey, 0, REG_OPTION_NON_VOLATILE, samDesired, NULL, phkResult, NULL, FALSE);}
LONG APIHOOK(RegCreateKeyA)( HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult ){ CRRegLock Lock;
return RRegistry.OpenKeyExA( hKey, lpSubKey, 0, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, phkResult, NULL, TRUE);}
LONG APIHOOK(RegCreateKeyW)( HKEY hKey, LPCWSTR lpSubKey, PHKEY phkResult ){ CRRegLock Lock;
return RRegistry.OpenKeyExW( hKey, lpSubKey, 0, REG_OPTION_NON_VOLATILE, MAXIMUM_ALLOWED, NULL, phkResult, NULL, TRUE);}
LONG APIHOOK(RegCreateKeyExA)( HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, LPSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition ){ CRRegLock Lock;
return RRegistry.OpenKeyExA( hKey, lpSubKey, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition, TRUE);}
LONG APIHOOK(RegCreateKeyExW)( HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, LPWSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition ){ CRRegLock Lock;
return RRegistry.OpenKeyExW( hKey, lpSubKey, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition, TRUE);}
LONG APIHOOK(RegQueryValueA)( HKEY hKey, LPCSTR lpSubKey, LPSTR lpValue, PLONG lpcbValue ){ CRRegLock Lock;
return RRegistry.QueryValueA( hKey, lpSubKey, lpValue, lpcbValue);}
LONG APIHOOK(RegQueryValueW)( HKEY hKey, LPCWSTR lpSubKey, LPWSTR lpValue, PLONG lpcbValue ){ CRRegLock Lock;
return RRegistry.QueryValueW( hKey, lpSubKey, lpValue, lpcbValue);}
LONG APIHOOK(RegQueryValueExA)( HKEY hKey, LPCSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ CRRegLock Lock;
return RRegistry.QueryValueExA( hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);}
LONG APIHOOK(RegQueryValueExW)( HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ CRRegLock Lock;
return RRegistry.QueryValueExW( hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);}
LONG APIHOOK(RegQueryInfoKeyA)( HKEY hKey, LPSTR lpClass, LPDWORD lpcbClass, LPDWORD lpReserved, LPDWORD lpcSubKeys, LPDWORD lpcbMaxSubKeyLen, LPDWORD lpcbMaxClassLen, LPDWORD lpcValues, LPDWORD lpcbMaxValueNameLen, LPDWORD lpcbMaxValueLen, LPDWORD lpcbSecurityDescriptor, PFILETIME lpftLastWriteTime ){ CRRegLock Lock;
return RRegistry.QueryInfoKeyA( hKey, lpClass, lpcbClass, lpReserved, lpcSubKeys, lpcbMaxSubKeyLen, lpcbMaxClassLen, lpcValues, lpcbMaxValueNameLen, lpcbMaxValueLen, lpcbSecurityDescriptor, lpftLastWriteTime);}
LONG APIHOOK(RegQueryInfoKeyW)( HKEY hKey, LPWSTR lpClass, LPDWORD lpcbClass, LPDWORD lpReserved, LPDWORD lpcSubKeys, LPDWORD lpcbMaxSubKeyLen, LPDWORD lpcbMaxClassLen, LPDWORD lpcValues, LPDWORD lpcbMaxValueNameLen, LPDWORD lpcbMaxValueLen, LPDWORD lpcbSecurityDescriptor, PFILETIME lpftLastWriteTime ){ CRRegLock Lock;
return RRegistry.QueryInfoKeyW( hKey, lpClass, lpcbClass, lpReserved, lpcSubKeys, lpcbMaxSubKeyLen, lpcbMaxClassLen, lpcValues, lpcbMaxValueNameLen, lpcbMaxValueLen, lpcbSecurityDescriptor, lpftLastWriteTime);}
LONG APIHOOK(RegSetValueA)( HKEY hKey, LPCSTR lpSubKey, DWORD dwType, LPCSTR lpData, DWORD cbData ){ CRRegLock Lock;
return RRegistry.SetValueA( hKey, lpSubKey, dwType, lpData, cbData);}
LONG APIHOOK(RegSetValueW)( HKEY hKey, LPCWSTR lpSubKey, DWORD dwType, LPCWSTR lpData, DWORD cbData ){ CRRegLock Lock;
return RRegistry.SetValueW( hKey, lpSubKey, dwType, lpData, cbData);}
LONG APIHOOK(RegSetValueExA)( HKEY hKey, LPCSTR lpSubKey, DWORD Reserved, DWORD dwType, CONST BYTE * lpData, DWORD cbData ){ CRRegLock Lock;
return RRegistry.SetValueExA( hKey, lpSubKey, Reserved, dwType, lpData, cbData);}
LONG APIHOOK(RegSetValueExW)( HKEY hKey, LPCWSTR lpSubKey, DWORD Reserved, DWORD dwType, CONST BYTE * lpData, DWORD cbData ){ CRRegLock Lock;
return RRegistry.SetValueExW( hKey, lpSubKey, Reserved, dwType, lpData, cbData);}
LONG APIHOOK(RegEnumValueA)( HKEY hKey, DWORD dwIndex, LPSTR lpValueName, LPDWORD lpcbValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ CRRegLock Lock;
return RRegistry.EnumValueA( hKey, dwIndex, lpValueName, lpcbValueName, lpReserved, lpType, lpData, lpcbData);}
LONG APIHOOK(RegEnumValueW)( HKEY hKey, DWORD dwIndex, LPWSTR lpValueName, LPDWORD lpcbValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData ){ CRRegLock Lock;
return RRegistry.EnumValueW( hKey, dwIndex, lpValueName, lpcbValueName, lpReserved, lpType, lpData, lpcbData);}
LONG APIHOOK(RegEnumKeyA)( HKEY hKey, DWORD dwIndex, LPSTR lpName, DWORD cbName ){ CRRegLock Lock;
return RRegistry.EnumKeyExA( hKey, dwIndex, lpName, &cbName, NULL, NULL, NULL, NULL); // can this be null???
}
LONG APIHOOK(RegEnumKeyW)( HKEY hKey, DWORD dwIndex, LPWSTR lpName, DWORD cbName ){ CRRegLock Lock;
return RRegistry.EnumKeyExW( hKey, dwIndex, lpName, &cbName, NULL, NULL, NULL, NULL);}
LONG APIHOOK(RegEnumKeyExA)( HKEY hKey, DWORD dwIndex, LPSTR lpName, LPDWORD lpcbName, LPDWORD lpReserved, LPSTR lpClass, LPDWORD lpcbClass, PFILETIME lpftLastWriteTime ){ CRRegLock Lock;
return RRegistry.EnumKeyExA( hKey, dwIndex, lpName, lpcbName, lpReserved, lpClass, lpcbClass, lpftLastWriteTime);}
LONG APIHOOK(RegEnumKeyExW)( HKEY hKey, DWORD dwIndex, LPWSTR lpName, LPDWORD lpcbName, LPDWORD lpReserved, LPWSTR lpClass, LPDWORD lpcbClass, PFILETIME lpftLastWriteTime ){ CRRegLock Lock;
return RRegistry.EnumKeyExW( hKey, dwIndex, lpName, lpcbName, lpReserved, lpClass, lpcbClass, lpftLastWriteTime);}
LONG APIHOOK(RegCloseKey)(HKEY hKey){ CRRegLock Lock;
return RRegistry.CloseKey(hKey);}
LONG APIHOOK(RegDeleteKeyA)( HKEY hKey, LPCSTR lpSubKey ){ CRRegLock Lock;
return RRegistry.DeleteKeyA(hKey, lpSubKey);}
LONG APIHOOK(RegDeleteKeyW)( HKEY hKey, LPCWSTR lpSubKey ){ CRRegLock Lock;
return RRegistry.DeleteKeyW(hKey, lpSubKey);}
SHIM_INFO_BEGIN()
SHIM_INFO_DESCRIPTION(AVS_REGISTRYCHECKS_DESC) SHIM_INFO_FRIENDLY_NAME(AVS_REGISTRYCHECKS_FRIENDLY) SHIM_INFO_VERSION(1, 2) SHIM_INFO_INCLUDE_EXCLUDE("E:msi.dll sxs.dll comctl32.dll ole32.dll oleaut32.dll")
SHIM_INFO_END()
/*++
Register hooked functions
Note we purposely ignore the cleanup because some apps call registry functions during process detach.
--*/
HOOK_BEGIN
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Console_READ, AVS_HKCU_Console_READ, AVS_HKCU_Console_READ_R, AVS_HKCU_Console_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_ControlPanel_READ, AVS_HKCU_ControlPanel_READ, AVS_HKCU_ControlPanel_READ_R, AVS_HKCU_ControlPanel_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Environment_READ, AVS_HKCU_Environment_READ, AVS_HKCU_Environment_READ_R, AVS_HKCU_Environment_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Identities_READ, AVS_HKCU_Identities_READ, AVS_HKCU_Identities_READ_R, AVS_HKCU_Identities_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_KeyboardLayout_READ, AVS_HKCU_KeyboardLayout_READ, AVS_HKCU_KeyboardLayout_READ_R, AVS_HKCU_KeyboardLayout_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Printers_READ, AVS_HKCU_Printers_READ, AVS_HKCU_Printers_READ_R, AVS_HKCU_Printers_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_RemoteAccess_READ, AVS_HKCU_RemoteAccess_READ, AVS_HKCU_RemoteAccess_READ_R, AVS_HKCU_RemoteAccess_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_SessionInformation_READ, AVS_HKCU_SessionInformation_READ, AVS_HKCU_SessionInformation_READ_R, AVS_HKCU_SessionInformation_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_UNICODEProgramGroups_READ, AVS_HKCU_UNICODEProgramGroups_READ, AVS_HKCU_UNICODEProgramGroups_READ_R, AVS_HKCU_UNICODEProgramGroups_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_VolatileEnvironment_READ, AVS_HKCU_VolatileEnvironment_READ, AVS_HKCU_VolatileEnvironment_READ_R, AVS_HKCU_VolatileEnvironment_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCU_Windows31MigrationStatus_READ, AVS_HKCU_Windows31MigrationStatus_READ, AVS_HKCU_Windows31MigrationStatus_READ_R, AVS_HKCU_Windows31MigrationStatus_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_HARDWARE_READ, AVS_HKLM_HARDWARE_READ, AVS_HKLM_HARDWARE_READ_R, AVS_HKLM_HARDWARE_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_SAM_READ, AVS_HKLM_SAM_READ, AVS_HKLM_SAM_READ_R, AVS_HKLM_SAM_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_SECURITY_READ, AVS_HKLM_SECURITY_READ, AVS_HKLM_SECURITY_READ_R, AVS_HKLM_SECURITY_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKLM_SYSTEM_READ, AVS_HKLM_SYSTEM_READ, AVS_HKLM_SYSTEM_READ_R, AVS_HKLM_SYSTEM_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKCC_READ, AVS_HKCC_READ, AVS_HKCC_READ_R, AVS_HKCC_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_HKUS_READ, AVS_HKUS_READ, AVS_HKUS_READ_R, AVS_HKUS_READ_URL)
DUMP_VERIFIER_LOG_ENTRY(VLOG_NON_HKCU_WRITE, AVS_NON_HKCU_WRITE, AVS_NON_HKCU_WRITE_R, AVS_NON_HKCU_WRITE_URL)
APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyA) APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyW) APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyExA) APIHOOK_ENTRY(ADVAPI32.DLL, RegOpenKeyExW) APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyA) APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyW) APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyExA) APIHOOK_ENTRY(ADVAPI32.DLL, RegCreateKeyExW) APIHOOK_ENTRY(ADVAPI32.DLL, RegCloseKey) APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueA) APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueW) APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueExA) APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryValueExW) APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryInfoKeyA) APIHOOK_ENTRY(ADVAPI32.DLL, RegQueryInfoKeyW) APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueA) APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueW) APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueExA) APIHOOK_ENTRY(ADVAPI32.DLL, RegSetValueExW) APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumValueA) APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumValueW) APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyA) APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyW) APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyExA) APIHOOK_ENTRY(ADVAPI32.DLL, RegEnumKeyExW) APIHOOK_ENTRY(ADVAPI32.DLL, RegDeleteKeyA) APIHOOK_ENTRY(ADVAPI32.DLL, RegDeleteKeyW)
HOOK_END
IMPLEMENT_SHIM_END
|
