flat assembler
Message board for the users of flat assembler.

Windows > Native API, Registry, System restart

KostX (Joined: 19 Sep 2012, Posts: 38):
Hi, people. I've got some trouble: I want to create auto-deletion of my native-mode application. I need to force-save registry keys onto disk.

The program does the following (1st stage):
1. Open the registry key \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager with NtOpenKey ... success!
2. Read the autorun member in the registry with NtQueryValueKey. Here I can get the full path to my executable (saved previously by the installer) ... success, I got the wanted string!
3. Clear the autorun member in the registry with NtSetValueKey. It works, the member clears (I saw it when I commented out the NtInitiatePowerAction function). But after the system has restarted, my application starts again! It mustn't. ... But the member really clears, so success.
4. I found the NtFlushKey function; it forcibly saves registry data onto disk. Here I use it. But it doesn't work. Why? I want to know ... but the function also returns success.
5. Create the PendingFileRenameOperations member in the registry with the NtSetValueKey function. It works, this member is also created ... success!
6. Use the NtFlushKey function again. All the same as in step 4.
7. Close the registry handle with NtClose ... success!
8. Get the Se_Shutdown_Name privilege with RtlAdjustPrivilege. It's all right ... success!
9. Get the system restarted with NtInitiatePowerAction. It works too ... success!

Everything looks all right, but...
Second stage:
1. By the idea, after restarting the system must delete my application by following the PendingFileRenameOperations member. This member is written correctly; I tested it by creating it by hand. But as I see, it doesn't work, because my application starts! WTH? As I suppose, the registry doesn't save its files onto disk and all my previous changes are undone. My question is: how can I force the registry to save? As I see, NtFlushKey doesn't help... Can you help me to resolve it?
2. Windows must show the user logon screen... At this point my program must be deleted. But no.

This part of the code:
Code:
     ; Open \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager
     invoke  RtlInitUnicodeString, string, RegSessionManager
     xor     ebx, ebx
     push    ebx                          ; SecurityDescriptor = NULL
     push    ebx                          ; RootDirectory = NULL
     push    OBJ_CASE_INSENSITIVE         ; Attributes
     push    string                       ; ObjectName
     push    ObjectAttributes             ; structure to fill
     call    InitializeObjectAttributes
     invoke  NtOpenKey, tmp, KEY_ALL_ACCESS, ObjectAttributes

     invoke  RtlInitUnicodeString, string, BootExecute

     ; Get module file name: the BootExecute value is queried into the upper half of
     ; BufferA so that the KEY_VALUE_PARTIAL_INFORMATION header (3 dwords) lands just
     ; before BufferA + 512 and the string data itself starts at BufferA + 512
     mov     dword [BufferA], 512
     invoke  NtQueryValueKey, [tmp], string, KeyValuePartialInformation, BufferA + 512 - (4 * 3), 512 - (4 * 3), BufferA

     ; Delete autorun member in registry (1-byte REG_MULTI_SZ taken from dwZero)
     invoke  NtSetValueKey, [tmp], string, 0, REG_MULTI_SZ, dwZero, 1
     invoke  NtFlushKey, [tmp]            ; Write registry forcibly

     ; Delete itself (name found in the reg boot key): convert the DOS path at
     ; BufferA + 512 to an NT path; the UNICODE_STRING is written to BufferA
     invoke  RtlDosPathNameToNtPathName_U, BufferA + 512, BufferA, 0, 0

     invoke  RtlInitUnicodeString, tmpstring, PendingFileRenameOperations

     ; Scan the NT path (UNICODE_STRING.Buffer is at BufferA + 4) for its NUL word
     mov     ecx, dword [BufferA + 4]
     .GettingStrSize:
             inc     ecx
             inc     ecx
             cmp     word [ecx], 0
     jne     .GettingStrSize
     mov     edx, dword [BufferA + 4]
     sub     ecx, edx                     ; ecx = byte length of the path
     add     ecx, 6                       ; plus three NUL words
     ; Terminate as "path\0\0\0": string end, empty destination, list end
     ; (the last two words are written past the end of the returned string)
     mov     word  [edx + ecx - 6], 00h
     mov     word  [edx + ecx - 4], 00h
     mov     word  [edx + ecx - 2], 00h

     invoke  NtSetValueKey, [tmp], tmpstring, 0, REG_MULTI_SZ, edx, ecx
     invoke  NtFlushKey, [tmp]            ; Write registry forcibly
     invoke  NtClose, [tmp]

     ; Restart the computer: privilege 19 = SeShutdownPrivilege,
     ; power action 5 = PowerActionShutdownReset
     invoke  RtlAdjustPrivilege, 19, 1, 0, tmp
     invoke  NtInitiatePowerAction, 5, 1, 0, 0


Data sections:
Code:
OBJ_CASE_INSENSITIVE          =  64
KeyValuePartialInformation    =  00000002h

; UTF-16 strings for the key and value names
RegSessionManager             du '\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager',  0
BootExecute                   du 'BootExecute',            0
PendingFileRenameOperations   du 'PendingFileRenameOperations',                                         0

section '.data' data readable writeable
     struct OBJECT_ATTRIBUTES
          Length                        dd ? ;ULONG           Length;
          RootDirectory                 dd ? ;HANDLE          RootDirectory;
          ObjectName                    dd ? ;PUNICODE_STRING ObjectName;
          Attributes                    dd ? ;ULONG           Attributes;
          SecurityDescriptor            dd ? ;PVOID           SecurityDescriptor;
          SecurityQualityOfService      dd ? ;PVOID           SecurityQualityOfService;
     ends
     ObjectAttributes  OBJECT_ATTRIBUTES

     BufferA           db 1024 dup (?)   ; query buffer / UNICODE_STRING / path
     tmp               dd ?              ; key handle
     string            dd 4    dup (?)   ; UNICODE_STRING
     tmpstring         dd 4    dup (?)   ; UNICODE_STRING
     dwZero            dd 6    dup (?)   ; zeroed data for the cleared value



I tested the code shown above: I exchanged the native FASM directive for GUI and debugged it with OllyDbg. There I found that the code is working. The trouble is in the registry. As I said above, the registry doesn't save itself onto disk; I restart the system, and I get that trouble... Can you help me?
Post 23 Mar 2014, 08:42
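The two Session Manager values this post writes, BootExecute and PendingFileRenameOperations, are both REG_MULTI_SZ lists, and anyone auditing a machine for a boot-time self-deletion like the one described needs to decode both correctly: the delete-at-boot form is "source\0\0\0", so the empty destination string between the NULs carries meaning and must not be stripped. The Python below is an added example, not code from the thread or from fasm; the function names, the sample values and the file name example-native-app.exe are constructed for it. The "!" prefix on a destination is the replace-existing marker that MoveFileEx writes into this value; the stock BootExecute entry is "autocheck autochk *".

```python
"""Audit helpers for the Session Manager values BootExecute and
PendingFileRenameOperations (both REG_MULTI_SZ). Constructed sample data only;
nothing here touches a live registry."""
from typing import List, Optional, Tuple

# Stock Windows installs ship BootExecute with this single entry.
DEFAULT_BOOT_EXECUTE = frozenset({"autocheck autochk *"})


def encode_multi_sz(*strings: str) -> bytes:
    """Build a REG_MULTI_SZ blob: each string NUL-terminated, then one more NUL."""
    body = "".join(s + "\0" for s in strings) + "\0"
    return body.encode("utf-16-le")


def parse_multi_sz(raw: bytes) -> List[str]:
    """Decode a REG_MULTI_SZ blob, keeping interior empty strings.

    Only the list terminator is removed, because an empty string inside the
    list is meaningful for PendingFileRenameOperations (empty destination = delete).
    """
    if len(raw) % 2:
        # UTF-16 data is never an odd number of bytes; a value written with a
        # wrong length is malformed rather than merely empty.
        raise ValueError(f"REG_MULTI_SZ data has odd length {len(raw)}")
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-1]              # drop the list terminator
    parts = text.split("\0")
    if parts and parts[-1] == "":
        parts.pop()                   # drop the piece after the last string's NUL
    return [] if parts == [""] else parts


def pending_file_operations(raw: bytes) -> List[Tuple[str, Optional[str], bool]]:
    """Return (source, destination, replace_existing) triples.

    Entries come in pairs. An empty destination means "delete source at next
    boot" (destination reported as None); a leading "!" on the destination means
    an existing target may be overwritten.
    """
    parts = parse_multi_sz(raw)
    if len(parts) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops: List[Tuple[str, Optional[str], bool]] = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            ops.append((src, None, False))
        elif dst.startswith("!"):
            ops.append((src, dst[1:], True))
        else:
            ops.append((src, dst, False))
    return ops


def nondefault_boot_execute(raw: bytes) -> List[str]:
    """BootExecute entries other than the stock autochk line; smss runs each before logon."""
    return [e for e in parse_multi_sz(raw) if e not in DEFAULT_BOOT_EXECUTE]


def audit_session_manager(boot_execute: bytes, pending: bytes) -> List[str]:
    """Human-readable findings for both values, in the shape a boot-time audit would log."""
    findings = []
    for entry in nondefault_boot_execute(boot_execute):
        findings.append(f"BootExecute: non-default native image '{entry}' runs before logon")
    for src, dst, replace in pending_file_operations(pending):
        if dst is None:
            findings.append(f"PendingFileRenameOperations: delete '{src}' at next boot")
        else:
            suffix = " (replace existing)" if replace else ""
            findings.append(f"PendingFileRenameOperations: rename '{src}' -> '{dst}'{suffix}")
    return findings


# Constructed sample values mirroring the thread's layout: a second BootExecute entry,
# and a PendingFileRenameOperations value of the form "\??\path\0\0\0".
SAMPLE_BOOT_EXECUTE = encode_multi_sz("autocheck autochk *", "example-native-app.exe")
SAMPLE_PENDING = encode_multi_sz(r"\??\C:\Windows\System32\example-native-app.exe", "")

if __name__ == "__main__":
    for line in audit_session_manager(SAMPLE_BOOT_EXECUTE, SAMPLE_PENDING):
        print(line)
```

The parser deliberately rejects odd-length data instead of silently treating it as empty, since a REG_MULTI_SZ written with a wrong byte count is exactly the kind of value that reads back differently from what was intended.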
typedef (Joined: 25 Jul 2010, Posts: 2913, Location: 0x77760000):
At least you posted code. Read about registry virtualization.
And why are you using low level APIs? Do you require your app to delete itself only after boot? Because there are ways for an app to delete itself without shutting down the computer.
Post 24 Mar 2014, 00:23
tutenhamon (Joined: 16 Jan 2010, Posts: 27, Location: Polska (Poland)):
Maybe the Native API allows one to avoid system calls
(hide from antivirus).
Post 03 Apr 2014, 18:31
revolution, "When all else fails, read the source" (Joined: 24 Aug 2004, Posts: 17327, Location: In your JS exploiting you and your system):
Using the Native API is a good way to ensure your app will fail unexpectedly. You don't gain any significant extra functionality over the documented and stable APIs published by MS. It is not a magic doorway to secret treasures. What you do gain is a lot of headaches and problems with things not working as expected. And you get the great advantage of having no official documentation to tell you how to use it correctly.
Post 04 Apr 2014, 04:01
Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.