
How do you get the value? #2

@testpushhydra

Description

@testpushhydra

I have tried the valueNameTrick with and without the leading null (`\0`) characters. It consistently returns:
ERROR_FILE_NOT_FOUND
2 (0x2)
The system cannot find the file specified.

```csharp

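    /// <summary>
    /// Reads a registry value under HKEY_CURRENT_USER whose name is prefixed with two
    /// NUL characters and returns it as <typeparamref name="T"/>.
    /// </summary>
    /// <typeparam name="T">
    /// <see cref="string"/> or <c>byte[]</c>; any other type triggers <c>DebugUtils.Break()</c>
    /// and yields <c>default(T)</c>.
    /// </typeparam>
    /// <param name="registryPath">Key path relative to HKCU; a leading <c>HKEY_CURRENT_USER\</c> is stripped.</param>
    /// <param name="valueName">Value name without the NUL prefix; the prefix is added here.</param>
    /// <returns>
    /// The value, or <c>default(T)</c> when the key cannot be opened, the value cannot be read,
    /// or <typeparamref name="T"/> is not a supported type.
    /// </returns>
    public static T GetHiddenKeyValue<T>(string registryPath, string valueName)
    {
        const uint STATUS_SUCCESS = 0x00000000;  // same numeric value as Win32 ERROR_SUCCESS
        const uint ERROR_MORE_DATA = 0xEA;       // Win32 error 234: buffer too small, required size in lpcbData

        string valueNameTrick = "\0\0" + valueName;
        registryPath = registryPath.RemoveStartIfMatches(@"HKEY_CURRENT_USER\");

        Debug.WriteLine("\n[+] SharpHide running as normal user:\r\n    Using HKCU\\{0}", registryPath);
        uint status = RegOpenKeyEx(HKEY_CURRENT_USER, registryPath, 0, KEY_QUERY_VALUE, out UIntPtr regKeyHandle);
        if (status != STATUS_SUCCESS)
        {
            // The original queried (and closed) an unopened handle; fail early instead.
            Debug.WriteLine("[!] Failed to open registry key (error 0x{0:X8}).", status);
            return default(T);
        }

        UNICODE_STRING valueNameStruct = new UNICODE_STRING(valueNameTrick)
        {
            Length = (ushort)(2 * valueNameTrick.Length),
            MaximumLength = 0
        };
        IntPtr valueNamePtr = StructureToPtr(valueNameStruct);
        IntPtr dataBuffer = IntPtr.Zero;   // the buffer we allocate ourselves; the only pointer we free

        try
        {
            // NOTE(review): RegQueryValueEx is the Win32 (advapi32) API. Its value-name
            // parameter is a NUL-terminated LPCWSTR, not a PUNICODE_STRING, so a pointer to a
            // UNICODE_STRING struct is not read as a name with an explicit Length; the embedded
            // NULs cannot be honoured, which is consistent with the ERROR_FILE_NOT_FOUND seen by
            // callers. Reading a NUL-prefixed name needs the ntdll counterpart that takes a
            // PUNICODE_STRING (NtQueryValueKey). Confirm against the P/Invoke declaration, which
            // is outside this block.
            int lpcbData = 0;
            status = RegQueryValueEx(regKeyHandle, valueNamePtr, 0, out uint lpType, out IntPtr lpData, ref lpcbData);
            if (status != ERROR_MORE_DATA)
            {
                Debug.WriteLine("[!] Failed to query registry value (error 0x{0:X8}).", status);
                return default(T);
            }

            // NOTE(review): lpData is declared `out`, so the marshaller discards whatever is
            // assigned before the call and the callee writes into the IntPtr slot itself rather
            // than into the allocated buffer. The declaration most likely wants lpData passed by
            // value; left as-is pending that check, but only the pointer we allocated is freed.
            dataBuffer = Marshal.AllocCoTaskMem(lpcbData);
            lpData = dataBuffer;
            status = RegQueryValueEx(regKeyHandle, valueNamePtr, 0, out lpType, out lpData, ref lpcbData);
            if (status != STATUS_SUCCESS)
            {
                Debug.WriteLine("[!] Failed to read registry value (error 0x{0:X8}).", status);
                return default(T);
            }

            UNICODE_STRING valueData = PtrToStructure<UNICODE_STRING>(lpData);
            Debug.WriteLine("[+] Key value retrieved.");

            // Convert before the native buffer is released in finally, in case the struct
            // still refers into it (cannot tell from here whether `buffer` is a managed copy).
            if (typeof(T) == typeof(string))
            {
                return (T)(object)valueData.ToString();
            }
            if (typeof(T) == typeof(byte[]))
            {
                return (T)(object)valueData.buffer;
            }

            DebugUtils.Break();
            return default(T);
        }
        finally
        {
            if (dataBuffer != IntPtr.Zero)
            {
                Marshal.FreeCoTaskMem(dataBuffer);
            }
            // The original leaked the key handle on every successful return; always close it.
            RegCloseKey(regKeyHandle);
        }
    }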

```
