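ZwOpenKey = (ZWOPENKEY)GetProcAddress(LoadLibraryW(L"ntdll.dll"), "ZwOpenKey");
    /* Resolve the ZwClose function pointer. */
    ZwClose = (ZWCLOSE)GetProcAddress(LoadLibraryW(L"ntdll.dll"), "ZwClose");
    /* The module name was split by extraction ("nt dll.dll"); with that spelling
     * LoadLibraryW returns NULL, GetProcAddress fails and the pointer stays NULL. */
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(LoadLibraryW(L"ntdll.dll"), "RtlInitUnicodeString");
    printf("ZwSetValueKey: %llx\n", (LONGLONG)ZwSetValueKey);
    printf("ZwOpenKey: %llx\n", (LONGLONG)ZwOpenKey);
    printf("ZwClose: %llx\n", (LONGLONG)ZwClose);
}

/*
 * Entry point: demonstrates calling the native registry API (ZwOpenKey /
 * ZwSetValueKey / ZwClose, resolved from ntdll.dll by InitApi) from a
 * user-mode process to write one REG_SZ value under
 * \Registry\Machine\SOFTWARE\Microsoft\Internet Explorer\MAIN.
 *
 * Returns 0 when the value was written, 1 when a native API pointer could
 * not be resolved or the key could not be opened. Opening a key under
 * \Registry\Machine with KEY_WRITE needs an elevated token; without it
 * ZwOpenKey fails and nothing is written.
 */
int main()
{
    /* GetCurrentProcessId returns DWORD (unsigned long) -> %lu. */
    printf("My PID: %lu\n", GetCurrentProcessId());
    InitApi();

    /* InitApi does not report resolution failures; never call through a
     * NULL function pointer. */
    if (!ZwOpenKey || !ZwSetValueKey || !ZwClose || !RtlInitUnicodeString) {
        printf("Failed to resolve native API from ntdll.dll\n");
        return 1;
    }

    UNICODE_STRING path;   /* registry key path in object-manager form */
    UNICODE_STRING name;   /* value name */
    UNICODE_STRING data;   /* value data */
    OBJECT_ATTRIBUTES oa;  /* describes the key to open */
    HANDLE myhandle = NULL; /* key handle returned by ZwOpenKey */

    /* Initialize every string before it is referenced. InitializeObjectAttributes
     * only stores a pointer to `path`, so doing this first keeps the order
     * obviously correct. */
    RtlInitUnicodeString(&path, L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN");
    /* The real value is "Start Page"; "Start_Page" is used here so the test
     * does not change the browser's actual start page. */
    RtlInitUnicodeString(&name, L"Start_Page");
    RtlInitUnicodeString(&data, L"www.m5home.com");
    InitializeObjectAttributes(&oa, &path, OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* Open the key. NTSTATUS success/informational codes are >= 0 (the
     * NT_SUCCESS test); error codes have the sign bit set. */
    NTSTATUS st = ZwOpenKey(&myhandle, KEY_WRITE, &oa);
    printf("[ZwOpenKey] returned: 0x%lx\n", (unsigned long)st);
    if (st < 0 || myhandle == NULL) {
        /* Original code ignored this and passed a NULL handle on. */
        printf("Could not open key (elevated token required?)\n");
        printf("Press [ENTER] to continue...\n");
        getchar();
        return 1;
    }

    /* For REG_SZ the stored data must include the terminating NUL;
     * UNICODE_STRING.Length excludes it, so add sizeof(WCHAR). */
    st = ZwSetValueKey(myhandle,   /* key handle */
                       &name,      /* value name */
                       0,          /* TitleIndex, unused */
                       REG_SZ,     /* value type */
                       data.Buffer,
                       (ULONG)(data.Length + sizeof(WCHAR)));
    printf("[ZwSetValueKey] returned: 0x%lx\n", (unsigned long)st);

    ZwClose(myhandle);
    myhandle = NULL; /* handle is invalid after ZwClose */

    printf("Press [ENTER] to continue...\n");
    getchar();
    return 0;
}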
这里顺便说一句,64位系统里绝大多数函数都是__fastcall约定,但是我在定义函数 |