HiddenNtRegistry

Use the NT Native Registry API to create a registry key that a normal user cannot query.

Author: 3gstudent

Notes:

Based on Daniel Madden Sr.'s NtRegistry.

Link: https://www.codeproject.com/Articles/14508/Registry-Manipulation-Using-NT-Native-APIs

The CNtRegistry class has been rewritten.

The following functions have been added:

  • Create hidden key value
  • Read hidden key value
  • Delete hidden key value

Principle:

“In the Win32 API strings are interpreted as NULL-terminated ANSI (8-bit) or wide character (16-bit) strings. In the Native API names are counted Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an interesting situation: there is a class of names that can be referenced using the Native API, but that cannot be described using the Win32 API. […] When a key (or any other object with a name such as a named Event, Semaphore or Mutex) is created with such a name any applications using the Win32 API will be unable to open the name, even though they might seem to see it.”

More explanation: https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update
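A defender-side illustration of the principle quoted above, added here and not part of the repository: the Native API hands back key names as counted UTF-16 buffers, so a name with an embedded NUL can be detected by comparing the counted length with what a NUL-terminated Win32 string would hold. The `counted_name_t` type, the sample name and the ntdll-based enumerator are this example's own constructs, not the project's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A key name as the Native API counts it: Length in bytes, no terminator, so an
   embedded NUL is an ordinary character of the name. */
typedef struct { const uint16_t *buffer; uint16_t length_bytes; } counted_name_t;
/* Number of UTF-16 units a Win32 caller sees: its strings end at the first NUL. */
size_t win32_visible_units(counted_name_t n) {
    size_t units = n.length_bytes / 2, i;
    for (i = 0; i < units && n.buffer[i] != 0; i++) {}
    return i;
}

/* True when a NUL sits before the counted end: the Native API can name the key,
   but no NUL-terminated Win32 string can, so Win32 callers cannot open it. */
bool is_win32_unreachable(counted_name_t n) {
    return win32_visible_units(n) < (size_t)(n.length_bytes / 2);
}

/* Constructed sample (not from the page): a name whose first unit is NUL, which
   Win32 enumeration reports as an empty name that then fails to open. */
static const uint16_t hidden_name[] = { 0, 'R', 'u', 'n' };
static const counted_name_t hidden_sample = { hidden_name, sizeof hidden_name };

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* KEY_BASIC_INFORMATION (KeyBasicInformation == 0); winternl.h does not expose it. */
typedef struct { LARGE_INTEGER LastWriteTime; ULONG TitleIndex; ULONG NameLength; WCHAR Name[1]; } kbi_t;
typedef NTSTATUS (NTAPI *nt_enumerate_key_t)(HANDLE, ULONG, int, PVOID, ULONG, PULONG);
/* Enumerate the subkeys of an open key (an HKEY from RegOpenKeyExW is fine)
   through ntdll and count those a Win32 enumerator would misreport. */
int count_unreachable_subkeys(HANDLE key) {
    nt_enumerate_key_t nt_enumerate_key = (nt_enumerate_key_t)GetProcAddress(
        GetModuleHandleW(L"ntdll.dll"), "NtEnumerateKey");
    unsigned char buf[sizeof(kbi_t) + 256 * sizeof(WCHAR)]; /* key names are <= 255 units */
    int flagged = 0;
    if (!nt_enumerate_key) return -1;
    for (ULONG i = 0;; i++) {
        ULONG out = 0;
        if (nt_enumerate_key(key, i, 0, buf, sizeof buf, &out) < 0) break; /* STATUS_NO_MORE_ENTRIES */
        kbi_t *k = (kbi_t *)buf;
        counted_name_t n = { (const uint16_t *)k->Name, (uint16_t)k->NameLength };
        if (is_win32_unreachable(n)) flagged++;
    }
    return flagged;
}
#endif
```

The portable part runs anywhere and classifies a counted name; the Windows part under `_WIN32` applies the same check to the subkeys of a handle opened normally, so a hidden key is revealed by its parent without ever needing its unreachable name.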
