Use Visual studio11 to develop the kernel enumeration Registry on Windows 8

In Windows NT, The 80386 protection mode is more robust than Windows 95, and this "gold-plated cage" is more robust and hard to break. In Windows 95, at least application I/O operations are unrestricted, while in Windows NT, our applications are deprived of this permission. In NT, it is almost impossible to enter the real ring0 layer.
In Windows NT, there are three device drivers:

1. "virtual device driver" (VDD ). Through VDD, 16-bit applications, such as DOS and Win16 applications, can access specific I/O Ports (note that access is not implemented directly, but through VDD ).

2. "GDI driver", which provides the required GDI functions for display and printing.

3. "kernel mode driver" is used to perform operations on specific hardware, such as createfile, closehandle (for file objects), readfile, writefile, and deviceiocontrol. "Kernel mode driver" is the only driver in Windows NT that can operate on hardware interruptions and DMA. Both the SCSI small port driver and the nic ndis driver are special forms of Kernel Mode driver.

 

 

Visual studio11 and Windows 8 Bring exceptionally different new experiences

 

1. Start vs11

2. See the full-purpose driver development Template

3. Select a driver mode. There are two drivers: Kernel Mode and user mode.

 

4. Create a driver, kmdf drivermvp

 

5. We chose the kernel-mode driver. The following is the created interface, namely the driver itself and the driver installation package.

6. Press F5 and select driver compilation,

 

Insert the following code to implement the ring0-layer enumeration registry. For more information, see code analysis.

# Include <ntddk. h> void driverunload (in pdriver_object driverobject) {dbuplint ("Driver unload");} // you can customize the registry key value function ntstatusmyregenumsubvalue () {unicode_string regunicodestring; handle hregister; ulong ulsize; ntstatus; unicode_string unikeyname; pkey_value_full_information pvbi; pkey_full_information PFI; ulong I; object_attributes objectattributes; // initialize the unicode_string string rtlinitunicodestring (& regunicodestring, L "\ REGISTRY \ MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Run"); // initialize objectattributesinitializeobjectattributes (& objectattributes, & regunicodestring, obj_case_insensitive, // case sensitive null, null); // enable the Registry ntstatus = zwopenkey (& hregister, key_all_access, & objectattributes); If (nt_success (ntstatus )) {kdprint ("open register successfully \ n");} zwquerykey (hregister, keyfullinformation, null, 0, & ulsize); PFI = (pkey_full_information) exallocatepool (pagedpool, ulsize); // query the Registry zwquerykey (hregister, keyfullinformation, PFI, ulsize, & ulsize); // start to cyclically enumerate the registry for (I = 0; I <PFI-> values; I ++) {register (hregister, I, keyvaluefullinformation, null, 0, & ulsize); pvbi = (pkey_value_full_information) exallocatepool (pagedpool, ulsize); Register (hregister, I, keyvaluefullinformation, pvbi, ulsize, & ulsize); unikeyname. length = unikeyname. maximumlength = (ushort) pvbi-> namelength; unikeyname. buffer = pvbi-> name; // output the key value to dbuplint ("The Name Of The % d key value is: % WZ \ n", I, & unikeyname ); // determine the key value type if (pvbi-> type = reg_sz) {dbuplint ("key value type: REG_SZ \ n ");} else if (pvbi-> type = reg_multi_sz) {dbuplint ("key value type: reg_multi_sz \ n");} else if (pvbi-> type = REG_DWORD) {kdprint ("key value type: REG_DWORD \ n");} else if (pvbi-> type = reg_binary) {kdprint ("key value type: REG_BINARY \ n");} exfreepool (pvbi);} exfreepool (PFI); zwclose (hregister); return STATUS_SUCCESS ;} ntstatus DriverEntry (in pdriver_object driverobject, in punicode_string registrypath) {myregenumsubvalue (); driverobject-> driverunload = driverunload; return STATUS_SUCCESS ;}