Message board for the users of flat assembler.
> Windows > Native API, Regustry, System restart
Hi, people I got some troble: I wanna create auto-deletion of my native-mode application. I need to force save registry keys onto disk.
Program does next (1st stage):
1. Open registry key with NtOpenKey \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager ... success!
2. Read autorun member in registry with NtQueryValueKey. Here I can get full path to my executable (saved previusly by installer); ... success, I got wanted string!!!.
3. Clear autorun member in registry with NtSetValueKey. It works, member clears (I saw it when decomment NtInitiatePowerAction function). But after system has restarted my application starts again!!! It mustn't to be. ... But member realy clears, then success.
4. I found the NtFlushKey function, it forcely saves registry data onto disk. Here I use it. But it doesn' work. Why??? I wanna know ... but function alsoreturns success.
5. Create PendingFileRenameOperations member in registry with NtSetValueKey function. It works, this member is also creates. ... success!
6. Using NtFlushKey function again. All the same as at 4th.
7. Close the registry handle with NtClose ... success!
8. Get Se_Shutdown_Name privilege with RtlAdjustPrivilege It's all right. ... success!
9. Get the system restarted with NtInitiatePowerAction. It works too. ... success!
All looks like all right, but...
1. By the idea, system after restarted must delete my application by following PendingFileRenameOperations member. This member writes correctly, I tested it created by hand. But as I see, it doen' work be cause my application starts!!! WTH? As I propose, registry doesn't save onto disk its files and all my previus changes are undo. My question is: how can I save registry forcely?? As I see, NtFlushKey doesn' help.... Can you help me to resolve it?
2. Windows must show user logon screen... At here, my program must be deleted But, no.
This part of code:
invoke RtlInitUnicodeString, string, RegSessionManager xor ebx, ebx push ebx push ebx push OBJ_CASE_INSENSITIVE push string push ObjectAttributes call InitializeObjectAttributes invoke NtOpenKey, tmp, KEY_ALL_ACCESS, ObjectAttributes invoke RtlInitUnicodeString, string, BootExecute ; Get module file name mov dword [BufferA], 512 invoke NtQueryValueKey, [tmp], string, KeyValuePartialInformation, BufferA + 512 - (4 * 3), 512 - (4 * 3), BufferA ; Delete autorun member in registry invoke NtSetValueKey, [tmp], string, 0, REG_MULTI_SZ, dwZero, 1 invoke NtFlushKey, [tmp] ; Write registry force ; Delete itself (name find in reg boot key) invoke RtlDosPathNameToNtPathName_U, BufferA + 512, BufferA, 0, 0 invoke RtlInitUnicodeString, tmpstring, PendingFileRenameOperations mov ecx, dword [BufferA + 4] .GettingStrSize: inc ecx inc ecx cmp word [ecx], 0 jne .GettingStrSize mov edx, dword [BufferA + 4] sub ecx, edx add ecx, 6 mov word [edx + ecx - 6], 00h mov word [edx + ecx - 4], 00h mov word [edx + ecx - 2], 00h invoke NtSetValueKey, [tmp], tmpstring, 0, REG_MULTI_SZ, edx, ecx invoke NtFlushKey, [tmp] ; Write registry force invoke NtClose, [tmp] ; Restart the computer invoke RtlAdjustPrivilege, 19, 1, 0, tmp invoke NtInitiatePowerAction, 5, 1, 0, 0
OBJ_CASE_INSENSITIVE = 64 KeyValuePartialInformation = 00000002h RegSessionManager du '\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager', 0 BootExecute du 'BootExecute', 0 PendingFileRenameOperations du 'PendingFileRenameOperations', 0 section '.data' data readable writeable struct OBJECT_ATTRIBUTES Length dd ? ;ULONG Length; RootDirectory dd ? ;HANDLE RootDirectory; ObjectName dd ? ;PUNICODE_STRING ObjectName; Attributes dd ? ;ULONG Attributes; SecurityDescriptor dd ? ;PVOID SecurityDescriptor; SecurityQualityOfService dd ? ;PVOID SecurityQualityOfService; ends ObjectAttributes OBJECT_ATTRIBUTES BufferA db 1024 dup (?) tmp dd ? string dd 4 dup (?) tmpstring dd 4 dup (?) dwZero dd 6 dup (?)
Showed the code above I tested, the native FASM directive I exchange by GUI and debugged it by OllyDbg. Here I made that the code is working. The troble in registry. As I say above, Registry doesn' save itself onto disk, I restart the System, and I got that troble... Can u me?
|23 Mar 2014, 08:42||
At least you posted code. Read about registry virtualization.
And why are you using low level APIs? Do you require your app to delete itself only after boot? Because there are ways for an app to delete itself without shutting down the computer.
|24 Mar 2014, 00:23||
maybe Native API allows to avoid system calls
(hide from antivirus)
|03 Apr 2014, 18:31||
Using the Native API is a good way to ensure your app will fail unexpectedly. You don't gain any significant extra functionality over the documented and stable APIs published by MS. It is not a magic doorway to secret treasures. What you do gain is a lot of headaches and problems with things not working as expected. And you get the great advantage of having no official documentation to tell you how to use it correctly.
|04 Apr 2014, 04:01||
< Last Thread | Next Thread >
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.
Website powered by rwasa.