//当有注册表行为时进行回调 进行注册表保护
#include <wdm.h>
#include <ntddk.h>
#include <ntifs.h>
// Registration cookie filled in by CmRegisterCallback in DriverEntry and
// handed back to CmUnRegisterCallback in DriverUnload.
LARGE_INTEGER cookies = {0};
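// Registry-notification callback registered by DriverEntry via CmRegisterCallback.
//
// arg1 carries the REG_NOTIFY_CLASS of the operation and arg2 the class-specific
// information block. Only RegNtPreCreateKeyEx is inspected: when the path in
// REG_CREATE_KEY_INFORMATION.CompleteName matches the expression below, the
// create is failed with STATUS_UNSUCCESSFUL. Every other class (RegNtPreOpenKey,
// RegNtPreOpenKeyEx, the legacy RegNtPreCreateKey and the default branch) returns
// STATUS_SUCCESS, so opening or modifying an already existing key is not blocked
// by this routine.
//
// context is the value handed to CmRegisterCallback (0x12345 in DriverEntry);
// it is only echoed to the debugger.
// Returns STATUS_SUCCESS to let the operation proceed, a failure status to block it.
NTSTATUS RegisterCallBack(PVOID context, PVOID arg1, PVOID arg2)
{
    NTSTATUS status = STATUS_SUCCESS;
    // arg1 is an enum value carried in a PVOID; go through ULONG_PTR so the
    // narrowing cast is explicit on 64-bit builds instead of a truncation warning.
    REG_NOTIFY_CLASS notifyClass = (REG_NOTIFY_CLASS)(ULONG_PTR)arg1;
    UNICODE_STRING targetName = { 0 };

    DbgPrint("-----%p\n", context);

    // IgnoreCase is TRUE and no upcase table is supplied to
    // FsRtlIsNameInExpression below, so the expression itself must already be
    // upper-case (it is).
    RtlInitUnicodeString(&targetName, L"AAAAAAAAAA");

    switch (notifyClass)
    {
    case RegNtPreOpenKey:
    case RegNtPreOpenKeyEx:
    case RegNtPreCreateKey:
        // Not filtered: opens and legacy creates pass through.
        break;
    case RegNtPreCreateKeyEx:
    {
        // arg2 is only meaningful as REG_CREATE_KEY_INFORMATION for this class,
        // so the cast is made here rather than before the class is known.
        PREG_CREATE_KEY_INFORMATION pkInf = (PREG_CREATE_KEY_INFORMATION)arg2;
        DbgPrint("Any key is creating!!");
        __try {
            // Check the pointers explicitly: the __except below only catches
            // raised exceptions; a bad kernel pointer would bugcheck instead.
            // NOTE(review): CompleteName may be relative to RootObject rather than
            // a full registry path — confirm the expression matches what is intended.
            if (pkInf != NULL && pkInf->CompleteName != NULL &&
                FsRtlIsNameInExpression(&targetName, pkInf->CompleteName, TRUE, NULL))
            {
                status = STATUS_UNSUCCESSFUL;
            }
        }
        __except (1) { // 1 == EXCEPTION_EXECUTE_HANDLER
            // Best effort: a failure while matching lets the operation proceed.
        }
        break;
    }
    default:
        break;
    }
    return status;
}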
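// Unload routine: removes the registry callback registered in DriverEntry.
// DriverUnload runs only for a driver whose DriverEntry succeeded, so cookies
// holds the cookie returned by a successful CmRegisterCallback.
void DriverUnload(PDRIVER_OBJECT object)
{
    UNREFERENCED_PARAMETER(object);
    CmUnRegisterCallback(cookies);
}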
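// Driver entry point: installs the unload routine and registers RegisterCallBack
// for registry notifications.
// regpath (the driver's service key path) is not used.
// Returns the status of CmRegisterCallback; on failure the driver does not load
// and DriverUnload is not invoked.
NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING regpath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(regpath);

    // Install the unload routine before registering so that a loaded driver
    // always has a way to unregister the callback.
    pdriver->DriverUnload = DriverUnload;

    // 0x12345 is an arbitrary context tag; the callback only echoes it via DbgPrint.
    status = CmRegisterCallback(RegisterCallBack, (PVOID)0x12345, &cookies);
    if (!NT_SUCCESS(status)) {
        DbgPrint("CmRegisterCallback failed: 0x%08X\n", status);
    }
    return status;
}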