regenum

The regenum program, as mentioned below, aims to enumerate all values and data in a given registry key. The parameters each API requires depend on the results returned by the APIs called before it. Just as we needed a handle to write data to a file in the keylogger program, the registry enumeration APIs also require a handle. In this case, a handle to the registry key is used by the RegEnumValueA and RegQueryValueExA APIs.

#include <windows.h>
#include <stdio.h>
#include <string.h>

int main()
{
    LPCSTR lpSubKey = "Software\\Microsoft\\Windows\\CurrentVersion\\Run";
    HKEY hkResult;
    DWORD dwIndex;
    char ValueName[1024];
    char ValueData[1024];
    DWORD cchValueName;
    DWORD result;
    DWORD dType;
    DWORD dataSize;
    HKEY hKey = HKEY_LOCAL_MACHINE;

    /* Open the Run key read-only; on success hkResult receives the key handle. */
    if (RegOpenKeyExA(hKey, lpSubKey, 0, KEY_READ, &hkResult) == ERROR_SUCCESS)
    {
        printf("HKEY_LOCAL_MACHINE\\%s\n", lpSubKey);
        dwIndex = 0;
        result = ERROR_SUCCESS;
        while (result == ERROR_SUCCESS)
        {
            /* Both size arguments are in/out: the APIs overwrite them with the actual
               lengths, so they must be reset to the buffer sizes before every call.
               One byte is held back in ValueData so the string stays NUL-terminated. */
            cchValueName = sizeof(ValueName);
            dataSize = sizeof(ValueData) - 1;
            result = RegEnumValueA(hkResult, dwIndex, ValueName, &cchValueName, NULL, NULL, NULL, NULL);
            if (result == ERROR_SUCCESS)
            {
                memset(ValueData, 0, sizeof(ValueData));  /* REG_SZ data may lack a terminating NUL */
                RegQueryValueExA(hkResult, ValueName, NULL, &dType, (LPBYTE)ValueData, &dataSize);
                if (strlen(ValueName) == 0)
                    sprintf(ValueName, "%s", "(Default)");  /* the key's default value has an empty name */
                printf("%s: %s\n", ValueName, ValueData);
            }
            dwIndex++;
        }
        RegCloseKey(hkResult);
    }
    return 0;
}

The enumeration begins by retrieving a handle for the registry key via RegOpenKeyExA. A successful return value should be non-zero, while its output should show a handle stored in hkResult. The registry key that is being targeted here is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

The handle in hkResult is used by RegEnumValueA to begin enumerating each registry value under the registry key. Subsequent calls to RegEnumValueA give the next registry value entry. This block of code is therefore placed in a loop that runs until the call stops returning an ERROR_SUCCESS result. An ERROR_SUCCESS result means that a registry value was successfully retrieved.

For every registry value, RegQueryValueExA is called. Remember that so far we have only got the registry value, not its respective data. Using RegQueryValueExA, we should be able to acquire the registry data.

Finally, we have to close the handle by using RegCloseKey.

Other APIs that are used here are printf, strlen, and sprintf. printf was used in the program to print the target registry key, value, and data to the command-line console. strlen was used to get the text string length. Every registry key has a default value, and RegEnumValueA returns it with an empty value name; when strlen reports a zero-length name, we use sprintf to replace the ValueName variable with the string (Default).
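The loop above prints whatever RegQueryValueExA stores in ValueData through %s no matter what dType says, which is only correct for string data; a REG_DWORD or REG_BINARY value comes out as garbage, and a REG_SZ value is not guaranteed to carry a terminating NUL. The formatter below is an added example, not code from the book: the FormatRegData name is mine, and the #else block defining DWORD, BYTE and the REG_* constants is an assumption made only so the function also compiles and can be tested on non-Windows hosts (on Windows, windows.h supplies them).

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins for the Win32 names used below, so the formatter also builds and runs
 * on non-Windows hosts (added for portability; windows.h provides them on Windows). */
typedef unsigned int  DWORD;
typedef unsigned char BYTE;
#define REG_SZ        1
#define REG_EXPAND_SZ 2
#define REG_BINARY    3
#define REG_DWORD     4
#endif

/* Render (type, data, size) as text into out[outLen]. Returns the length written,
 * or -1 if out is too small or size does not match the declared type. */
int FormatRegData(DWORD type, const BYTE *data, DWORD size, char *out, size_t outLen)
{
    switch (type) {
    case REG_SZ:
    case REG_EXPAND_SZ: {
        /* REG_SZ data is not guaranteed to end in NUL: bound the scan by size
         * instead of trusting strlen/printf("%s") the way the enumeration loop does. */
        size_t len = 0;
        while (len < size && data[len] != '\0') len++;
        if (len + 1 > outLen) return -1;
        memcpy(out, data, len);
        out[len] = '\0';
        return (int)len;
    }
    case REG_DWORD: {
        if (size != 4) return -1;
        /* Registry DWORDs are stored little-endian; assemble the bytes explicitly. */
        unsigned v = data[0] | (data[1] << 8) | (data[2] << 16) | ((unsigned)data[3] << 24);
        int n = snprintf(out, outLen, "0x%08x (%u)", v, v);
        return (n < 0 || (size_t)n >= outLen) ? -1 : n;
    }
    default: {
        /* REG_BINARY and any other type: space-separated hex bytes. */
        size_t pos = 0;
        if ((size_t)size * 3 + 1 > outLen) return -1;   /* "XX " per byte plus NUL */
        for (DWORD i = 0; i < size; i++)
            pos += (size_t)sprintf(out + pos, i ? " %02X" : "%02X", data[i]);
        out[pos] = '\0';
        return (int)pos;
    }
    }
}
```

In the enumeration loop this replaces the bare printf of ValueData: call it with dType, ValueData and the dataSize that RegQueryValueExA filled in, and print the formatted result instead.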
