[SOLVED] Problem with RegQueryValueEx

Index > Windows > [SOLVED] Problem with RegQueryValueEx

Author

Thread

upsurt

Joined: 14 Jan 2014
Posts: 51

upsurt 03 Dec 2014, 23:25

I try to read an installation directory as REG_SZ from the registry with RegQueryValueEx.

Code:

include "win32ax.inc"

.data
  lpSubKey             db 'SOFTWARE\VMware, Inc.\Installer\VMware Workstation',0
  lpValueName          db 'uninstaller',0
  phkResult            dd ?
  lpType               dd REG_SZ
  lpData               db ?
  lpcbData             dd $ - lpData

  lpFmt                db '[%hs]',0
  lpOut                db ?

  NULL                 equ 0
  KEY_WOW64_64KEY      equ 0x0100
  KEY_WOW64_32KEY      equ 0x0200

  ;winerror.h
  ERROR_SUCCESS        equ 0
  ERROR_FILE_NOT_FOUND equ 2
  ERROR_ACCESS_DENIED  equ 5
  ERROR_INVALID_HANDLE equ 6
  ERROR_MORE_DATA      equ 234

.code 
start:

  invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_QUERY_VALUE+KEY_WOW64_32KEY,phkResult
  cmp eax,ERROR_SUCCESS
  jne finish

  invoke RegQueryValueEx,[phkResult],lpValueName,0,NULL,lpType,lpData,lpcbData
  cmp eax,ERROR_SUCCESS
  jne close_key

  ;Wrong result
  invoke wsprintf,lpOut,lpFmt,lpData
  invoke MessageBox,0,lpOut,lpSubKey,MB_OK

  ;Even worse
  invoke MessageBox,0,lpData,lpSubKey,MB_OK

close_key:
  invoke RegCloseKey,[phkResult]

finish:
  invoke ExitProcess,0
.end start

When I run my code, I get some weird result.
Correct would be: C:\ProgramData\VMware\VMware Workstation\Uninstaller\\uninstall.exe

Can anyone point me the direction?

Description:
Filesize:	10.03 KB
Viewed:	8348 Time(s)

Last edited by upsurt on 07 Dec 2014, 10:29; edited 3 times in total

03 Dec 2014, 23:25

upsurt

Joined: 14 Jan 2014
Posts: 51

upsurt 03 Dec 2014, 23:42

Another test gives a better result, but still wrong. And I think it is NOT to way to do it.

>> lpFmt db lpcbData dup ('[%hs]',0,0)

Code:

include "win32ax.inc"

.data
  lpSubKey             db 'SOFTWARE\VMware, Inc.\Installer\VMware Workstation',0
  lpValueName          db 'uninstaller',0
  phkResult            dd ?
  lpType               dd REG_SZ
  lpData               db ?
  lpcbData             dd $ - lpData

  lpFmt                db lpcbData dup ('[%hs]',0,0)
  lpOut                db ? ;MAX_PATH dup(0)

  NULL                 equ 0
  KEY_WOW64_64KEY      equ 0x0100
  KEY_WOW64_32KEY      equ 0x0200

  ;winerror.h
  ERROR_SUCCESS        equ 0
  ERROR_FILE_NOT_FOUND equ 2
  ERROR_ACCESS_DENIED  equ 5
  ERROR_INVALID_HANDLE equ 6
  ERROR_MORE_DATA      equ 234

.code 
start:

  invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_QUERY_VALUE+KEY_WOW64_32KEY,phkResult
  cmp eax,ERROR_SUCCESS
  jne finish

  invoke RegQueryValueEx,[phkResult],lpValueName,0,NULL,lpType,lpData,lpcbData
  cmp eax,ERROR_SUCCESS
  jne close_key

  invoke wsprintf,lpOut,lpFmt,lpData
  invoke MessageBox,0,lpOut,lpSubKey,MB_OK

close_key:
  invoke RegCloseKey,[phkResult]

finish:
  invoke ExitProcess,0
.end start

Description:
Filesize:	4.79 KB
Viewed:	8343 Time(s)

03 Dec 2014, 23:42

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 04 Dec 2014, 00:42

Your buffers are only one byte in length. You will need to make them longer.

Code:

lpData               rb 1024 ;make enough space to store the result
;...
lpOut                rb 1024 ;reserve space for the formatted output

04 Dec 2014, 00:42

upsurt

Joined: 14 Jan 2014
Posts: 51

upsurt 04 Dec 2014, 08:36

Thank you.

But now I get only an '-' back. (And with a different lpValueName I may get different char)

In OllyDbg it shows me 'C:\P- am Files (x86)\VMware\VMware Player\'

Description:
Filesize:	41.23 KB
Viewed:	8326 Time(s)

Last edited by upsurt on 04 Dec 2014, 08:41; edited 1 time in total

04 Dec 2014, 08:36

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 04 Dec 2014, 08:41

Yup, looks like you are overwriting the output buffer with the DWORD 0x0000002d (45 decimal). So I expect your pointer to the result_length is within the result_string buffer.

04 Dec 2014, 08:41

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 04 Dec 2014, 08:44

My guess is that your buffer is only 4 bytes in length and your length pointer comes immediately after that. But you have placed a larger value in the length than 4 so you tried to cheat the system by faking the buffer length. Amirite?

04 Dec 2014, 08:44

upsurt

Joined: 14 Jan 2014
Posts: 51

upsurt 04 Dec 2014, 09:44

It looks like you're right, 0040103D points to '-'. But I don't get why?

04 Dec 2014, 09:44

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 04 Dec 2014, 12:27

Show your code.

04 Dec 2014, 12:27

upsurt

Joined: 14 Jan 2014
Posts: 51

upsurt 04 Dec 2014, 12:44

Thank you very much, revolution!

Code:

LONG WINAPI RegQueryValueEx(
  _In_         HKEY hKey,
  _In_opt_     LPCTSTR lpValueName,
  _Reserved_   LPDWORD lpReserved,
  _Out_opt_    LPDWORD lpType,
  _Out_opt_    LPBYTE lpData,
  _Inout_opt_  LPDWORD lpcbData
);

WRONG
invoke RegQueryValueEx,[phkResult],lpValueName,0,NULL,lpType,lpData,lpcbData

CORRECT
invoke RegQueryValueEx,[phkResult],lpValueName,0,lpType,lpData,lpcbData

Somehow I added 'lpReserved' twice (once as 0 and second time as NULL) and didn't notice. Mad

04 Dec 2014, 12:44

upsurt

Joined: 14 Jan 2014
Posts: 51

upsurt 04 Dec 2014, 12:56

Here the working sample Idea

Code:

include "win32ax.inc"

.data
  lpSubKey             db 'SOFTWARE\VMware, Inc.\VMware Workstation',0
  lpValueName          db 'InstallPath',0
  phkResult            dd ?
  lpType               dd REG_SZ
  lpData               rb 1024
  lpcbData             dd $ - lpData

  KEY_WOW64_64KEY      equ 0x0100
  KEY_WOW64_32KEY      equ 0x0200

  ;winerror.h
  ERROR_SUCCESS        equ 0
  ERROR_FILE_NOT_FOUND equ 2
  ERROR_ACCESS_DENIED  equ 5
  ERROR_INVALID_HANDLE equ 6
  ERROR_MORE_DATA      equ 234

.code 
start:

  invoke RegOpenKeyEx,HKEY_LOCAL_MACHINE,lpSubKey,0,KEY_QUERY_VALUE+KEY_WOW64_32KEY,phkResult
  cmp eax,ERROR_SUCCESS
  jne finish

  invoke RegQueryValueEx,[phkResult],lpValueName,0,lpType,lpData,lpcbData
  cmp eax,ERROR_SUCCESS
  jne close_key

  invoke MessageBox,0,lpData,lpSubKey,MB_OK

close_key:
  invoke RegCloseKey,[phkResult]

finish:
  invoke ExitProcess,0
.end start

revolution, I really appreciate your patience and your support Cool

04 Dec 2014, 12:56

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20761
Location: In your JS exploiting you and your system

revolution 04 Dec 2014, 14:33

upsurt wrote:

Somehow I added 'lpReserved' twice (once as 0 and second time as NULL) and didn't notice.

If you had used the parameter count checked include (win32axp) you would have caught a typo like that early on.

04 Dec 2014, 14:33

upsurt

Joined: 14 Jan 2014
Posts: 51

upsurt 04 Dec 2014, 15:15

haha nice

I was wondering what win32axp is good for ... now I know Very Happy

I expected it has something to do with the args passed to a console application. Rolling Eyes

thanks again Cool

04 Dec 2014, 15:15

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum