Thread: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

  1. #1

    Thread Starter
    Lively Member
    Join Date
    May 2004
    Location
    Home
    Posts
    85

    Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    Ok I am trying to work with Native API functions but it seems very hard to do since they mostly require unicode input strings.

    I decided that one of the basic places to start would be using NtOpenKey to open a registry key.

    What it requires is the handle to be opened (hKey), the key access, and OBJECT_ATTRIBUTES UDT.

    Here is my code:
    Code:
     Private Type ACL
            AclRevision As Byte
            Sbz1 As Byte
            AclSize As Integer
            AceCount As Integer
            Sbz2 As Integer
    End Type
    
    Private Type SECURITY_DESCRIPTOR
            Revision As Byte
            Sbz1 As Byte
            Control As Long
            Owner As Long
            Group As Long
            Sacl As ACL
            Dacl As ACL
    End Type
    
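    Private Type UNICODE_STRING
           Length           As Integer  ' USHORT: bytes of text, terminator not counted
           MaximumLength    As Integer  ' USHORT: bytes allocated for Buffer
           Buffer           As Long     ' pointer to the UTF-16 text
    End Type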
     
    'Private Type OBJECT_ATTRIBUTES
    '    Length                      As Long
    '    RootDirectory               As Long
    '    ObjectName                  As UNICODE_STRING
    '    Attributes                  As Long
    '    SecurityDescriptor          As SECURITY_DESCRIPTOR
    '    SecurityQualityOfService    As Long
    'End Type
    
    Private Type OBJECT_ATTRIBUTES
        Length                      As Long
        RootDirectory               As Long
        ObjectName                  As Long
        Attributes                  As Long
        SecurityDescriptor          As Long
        SecurityQualityOfService    As Long
    End Type
    
    Private Const FORMAT_MESSAGE_FROM_SYSTEM = &H1000
    Private Const LANG_NEUTRAL = &H0
    Private Const SUBLANG_DEFAULT = &H1
    
    
    Public Enum rcMainKey
        HKEY_CLASSES_ROOT = &H80000000
        HKEY_CURRENT_USER = &H80000001
        HKEY_LOCAL_MACHINE = &H80000002
        HKEY_USERS = &H80000003
        HKEY_PERFORMANCE_DATA = &H80000004
        HKEY_CURRENT_CONFIG = &H80000005
        HKEY_DYN_DATA = &H80000006
    End Enum
    
    Private Const KEY_ALL_ACCESS = &HF003F
     
    Private Declare Sub RtlInitUnicodeString Lib "ntdll.dll" (DestinationString As UNICODE_STRING, ByVal SourceString As Long)
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
    Private Declare Function FormatMessage Lib "kernel32" Alias "FormatMessageA" (ByVal dwFlags As Long, lpSource As Any, ByVal dwMessageId As Long, ByVal dwLanguageId As Long, ByVal lpBuffer As String, ByVal nSize As Long, Arguments As Long) As Long
    
    Private Declare Function NtOpenKey Lib "ntdll.dll" (KeyHandle As Long, ByVal DesiredAccess As Long, ObjectAttributes As OBJECT_ATTRIBUTES) As Long
    Private Declare Function NtClose Lib "ntdll.dll" (ByVal hObj As Long) As Long
    
    Private Sub Command1_Click()
        Call OpenKey
    End Sub
    
    Public Sub OpenKey()
    
        Dim ObjAt           As OBJECT_ATTRIBUTES
        Dim hKey            As Long
        Dim hResult         As Long
        Dim UString         As UNICODE_STRING
        Dim l               As Long
        Dim hMem            As Long
        Dim KeySubPath      As String
       
        'KeySubPath = "\\Registry\\Machine\\SOFTWARE"
        KeySubPath = "\Registry\Machine\SOFTWARE"
        'Call RtlInitUnicodeString(UString, StrPtr(KeySubPath))
        
        ObjAt.Length = Len(ObjAt)
        ObjAt.RootDirectory = 0
        'ObjAt.ObjectName = UString
        'ObjAt.ObjectName = VarPtr(UString)
        ObjAt.ObjectName = StrPtr(KeySubPath)
        'ObjAt.Attributes = 0
        'ObjAt.SecurityDescriptor = 0
        'ObjAt.SecurityQualityOfService = 0
       
        hResult = NtOpenKey(hKey, KEY_ALL_ACCESS, ObjAt)
        
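            ' GetSysMsg is not defined in this listing; GetError below does the lookup
            MsgBox GetError(hResult)
            MsgBox hKey
       
        ' Close the handle only if one was actually returned
        If hKey <> 0 Then Call NtClose(hKey)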
       
    End Sub
    
    Public Function GetError(ByVal ret As Long) As String
    
        Dim sBuffer As String * 255
        
        FormatMessage FORMAT_MESSAGE_FROM_SYSTEM, ByVal 0&, ret, LANG_NEUTRAL, sBuffer, 255, ByVal 0
        GetError = Trim(sBuffer)
       
    End Function

    Problem is, NtOpenKey keeps returning a 0x80000002 (&H80000002) which means "Ran out of memory".

    I am trying to figure out how this is happening and I really need some help. The entire unicode pointer crap is killing me for the ObjAt.ObjectName because I don't know if this is the correct way to do it.

    I have googled for hours for examples of how to use this in VB but I can only find code that does not work. So can someone please help me initialize this structure properly so I can further understand how to work with Native API functions in VB.

    Thank you.
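
Added example, not part of the original post: a portable C model of what the posted call hands to NtOpenKey. OBJECT_ATTRIBUTES.ObjectName is a pointer to a UNICODE_STRING, so passing StrPtr(KeySubPath) makes the first 8 bytes of the text stand in for the header; the Buffer value that results is odd, which is consistent with NTSTATUS 0x80000002 being STATUS_DATATYPE_MISALIGNMENT. The 32-bit struct model, the helper names and the address 0x00402000 are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit layout of UNICODE_STRING: USHORT, USHORT, 32-bit pointer (8 bytes). */
typedef struct {
    uint16_t Length;        /* bytes of text, terminator not counted */
    uint16_t MaximumLength; /* bytes allocated for the text */
    uint32_t Buffer;        /* address of the UTF-16 text */
} UNICODE_STRING32;

/* Constructed sample: the UTF-16 text that StrPtr(KeySubPath) points at. */
static const uint16_t KEY_PATH[] = {
    '\\','R','e','g','i','s','t','r','y','\\','M','a','c','h','i','n','e',
    '\\','S','O','F','T','W','A','R','E', 0 };

/* ObjectName = StrPtr(...): the callee reads the first 8 bytes of the text
   as if they were a UNICODE_STRING header (little-endian host assumed). */
static UNICODE_STRING32 header_from_raw_text(const uint16_t *text)
{
    UNICODE_STRING32 us;
    memcpy(&us, text, sizeof us);
    return us;
}

/* Header that RtlInitUnicodeString fills in for text stored at `addr`
   (addr is a hypothetical address chosen for the illustration). */
static UNICODE_STRING32 header_from_init(const uint16_t *text, uint32_t addr)
{
    UNICODE_STRING32 us;
    uint16_t units = 0;
    while (text[units] != 0) units++;
    us.Length = (uint16_t)(units * 2);
    us.MaximumLength = (uint16_t)(units * 2 + 2);
    us.Buffer = addr;
    return us;
}

/* UTF-16 text must sit on an even address. */
static int buffer_is_wchar_aligned(UNICODE_STRING32 us) { return us.Buffer % 2 == 0; }

int main(void)
{
    UNICODE_STRING32 bad = header_from_raw_text(KEY_PATH);
    UNICODE_STRING32 ok = header_from_init(KEY_PATH, 0x00402000u);
    printf("raw:  Length=%u Buffer=0x%08X aligned=%d\n",
           (unsigned)bad.Length, (unsigned)bad.Buffer, buffer_is_wchar_aligned(bad));
    printf("init: Length=%u Buffer=0x%08X aligned=%d\n",
           (unsigned)ok.Length, (unsigned)ok.Buffer, buffer_is_wchar_aligned(ok));
    return 0;
}
```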

  2. #2
    Member
    Join Date
    Oct 2006
    Posts
    53

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    I wonder what you want to achieve by calling functions in ntdll.

    RegOpenKey or rather RegOpenKeyEx are the functions you should use. There is a lot of code to execute from these functions via different ways depending on your parameters before you come to NtOpenKey. To succeed with NtOpenKey you must do these preparations.

    <-------------------user mode-----------------------------------------------><-----kernel mode--->
    |----advapi32.dll----|--------ntdll.dll-------------------------------------|
    RegOpenKeyEx > lots of code > NtOpenKey > lots of code > interrupt jumptable > ntoskrnl.exe > result

    Do you really believe you can open a key with just NtOpenKey? A simple function like NtClose will work though.

  3. #3
    Hyperactive Member
    Join Date
    Aug 2006
    Posts
    367

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    Is your goal to hide a registry key from anything not calling with the native api??
    Last edited by triggernum5; Oct 2nd, 2007 at 08:49 AM.

  4. #4
    Fanatic Member schoolbusdriver's Avatar
    Join Date
    Jan 2006
    Location
    O'er yonder
    Posts
    1,020

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    I'm curious too.

    (Note that the company that used these as a method of copyright protection ended up in deep trouble. If the intention is to create hidden values, you can do it without the native APIs - although I won't post it. Also note that regedit won't export these hidden values, so they're easy to get rid of by exporting the branch to a file, deleting the branch in regedit, then importing the file.)

  5. #5

    Thread Starter
    Lively Member
    Join Date
    May 2004
    Location
    Home
    Posts
    85

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    My goal here is to be able to work with native API so I can have better access to the registry. I am curious as to how null character regkeys can be implemented as well as deleted. I have observed the reghide app C source from sysinternals and it works wonderful, but in VB this is a little harder to perform since its strings are in ANSI.

    @ minor28, Hmm I guess you could use RegCreateKeyExW and take a VB6 regkey path string (with null character included) and convert every char to a separate byte and convert the byte array to unicode. Once you get the unicode array you would pass its pointer using VarPtr to the input of RegCreateKeyExW ?
    Just a guess..

    Anyways, Well I have figured out how to make this work from some other Unicode_String examples online. I changed the buffer to String and added "& chr(0)" to the end of the buffer and it appeared to work. Problem is the /0 null unicode char is not working properly.

    I found a module on here to convert the string's byte array to unicode and pass it that way, yet it still does not seem to input the null char to the key.

    Anyways, I guess I am out of ideas here. I mean I am very glad I at least got these functions working, now I just have to find out other ways to do it so the unicode is properly input.

  6. #6
    Member
    Join Date
    Oct 2006
    Posts
    53

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    If your problem is ANSI -> Unicode you have the API MultiByteToWideChar and back API WideCharToMultiByte, or if you prefer, ntdll.dll RtlAnsiStringToUnicodeString.

  7. #7
    Hyperactive Member
    Join Date
    Aug 2006
    Posts
    367

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    I once tinkered with the same notion, but then Vista appeared and I opted to play it safe since I had no way to test it.. What does reghide.c do under Vista? Any idea?

  8. #8

    Thread Starter
    Lively Member
    Join Date
    May 2004
    Location
    Home
    Posts
    85

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    Hello everyone.

    Well I have just made a breakthrough and figured it out. Yay.

    Anyways Thanks for all your input. Btw should I post the code once I'm done modifying it?

    Also, triggernum5, yes it should work under Vista b/c I just tested this under Vista with a null char and it cannot be opened by any Win32 API function (i.e. Regedit or any other registry tool that uses Win32 API. Now if it uses Native API then it will work and be displayed.)

    Anyways, have a great night, now it looks like its time to move on to more Native Functions and some remote process thread crap. =]

    VB6 0wnz
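
Added example, not part of the original thread: a check a defender can run over names returned by the native enumeration call (NtEnumerateKey with KeyBasicInformation), which are counted rather than NUL-terminated. It flags a name whose counted length includes a NUL, the case described above that Win32-based tools cannot open. The records are constructed samples and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* KEY_BASIC_INFORMATION: LARGE_INTEGER LastWriteTime; ULONG TitleIndex;
   ULONG NameLength (bytes); WCHAR Name[] (counted, not NUL-terminated). */
#define KBI_NAME_LENGTH_OFF 12
#define KBI_NAME_OFF        16

/* UTF-16 units in the counted name, or -1 if the record is malformed. */
static long kbi_name_units(const uint8_t *rec, size_t rec_len)
{
    uint32_t name_len;
    if (rec_len < KBI_NAME_OFF) return -1;
    memcpy(&name_len, rec + KBI_NAME_LENGTH_OFF, sizeof name_len);
    if (name_len % 2 != 0 || name_len > rec_len - KBI_NAME_OFF) return -1;
    return (long)(name_len / 2);
}

/* Units a NUL-terminated reader sees: everything before the first NUL. */
static long kbi_visible_units(const uint8_t *rec, size_t rec_len)
{
    long total = kbi_name_units(rec, rec_len);
    for (long i = 0; i < total; i++) {
        uint16_t ch;
        memcpy(&ch, rec + KBI_NAME_OFF + 2 * (size_t)i, sizeof ch);
        if (ch == 0) return i;
    }
    return total;   /* -1 is passed through for malformed records */
}

/* 1: name holds a NUL inside its counted length, 0: clean, -1: malformed. */
static int kbi_has_embedded_nul(const uint8_t *rec, size_t rec_len)
{
    long total = kbi_name_units(rec, rec_len);
    if (total < 0) return -1;
    return kbi_visible_units(rec, rec_len) != total;
}

/* Builds a constructed sample record; returns its size (0 if cap is too small). */
static size_t kbi_make_sample(uint8_t *out, size_t cap,
                              const uint16_t *name, uint32_t units)
{
    uint32_t name_len = units * 2;
    if (cap < KBI_NAME_OFF + (size_t)name_len) return 0;
    memset(out, 0, KBI_NAME_OFF);
    memcpy(out + KBI_NAME_LENGTH_OFF, &name_len, sizeof name_len);
    memcpy(out + KBI_NAME_OFF, name, name_len);
    return KBI_NAME_OFF + (size_t)name_len;
}
```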

  9. #9
    Hyperactive Member
    Join Date
    Aug 2006
    Posts
    367

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    I was concerned about Vista security labeling me evil.. But thinking more, I doubt it would be possible to put malicious entries in, assuming windows uses the Win32 api to load crucial settings at boot etc.. <-- Confirmation couldn't hurt..

  10. #10

    Thread Starter
    Lively Member
    Join Date
    May 2004
    Location
    Home
    Posts
    85

    Re: Native API: NtOpenKey & OBJECT_ATTRIBUTES ---> Need Help Please

    Interesting point, well at least I think it uses Win32 API. I should try to create a startup value using a nullchar and see if it works. I'll prolly try that later on today.
