-
|
I think, there was already a discussion on this on Discord, but I was unable to make a mod that hooks registry access. Is it possible to see an example mod that hooks a registry read operation for a key in HKLM? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 9 replies
-
|
I don't think there's a mod that demonstrates that. We indeed discussed it on Discord, and I posted a simple example. Posting it here too for reference. I do have it on my list to try implementing a Registry Redirect mod, but I'm not sure when I'll get to it. // ==WindhawkMod==
// @id registry-hook-demo
// @name registry-hook-demo
// @description registry-hook-demo
// @version 0.1
// @author You
// @include target.exe
// ==/WindhawkMod==
// ==WindhawkModReadme==
/*
# registry-hook-demo
*/
// ==/WindhawkModReadme==
typedef LONG (WINAPI *REGQUERYVALUEEXA)(HKEY hKey,LPCSTR lpValueName,LPDWORD lpReserved,LPDWORD lpType,LPBYTE lpData,LPDWORD lpcbData);
REGQUERYVALUEEXA pOriginalRegQueryValueExA;
LONG WINAPI RegQueryValueExAHook(HKEY hKey,LPCSTR lpValueName,LPDWORD lpReserved,LPDWORD lpType,LPBYTE lpData,LPDWORD lpcbData)
{
if(lstrcmpiA(lpValueName, "Value") == 0)
return ERROR_FILE_NOT_FOUND;
return pOriginalRegQueryValueExA(hKey,lpValueName,lpReserved,lpType,lpData,lpcbData);
}
BOOL Wh_ModInit(void)
{
Wh_Log(L"Init");
Wh_SetFunctionHook((void*)RegQueryValueExA, (void*)RegQueryValueExAHook, (void**)&pOriginalRegQueryValueExA);
return TRUE;
} |
Beta Was this translation helpful? Give feedback.
-
|
Okay, so I need to hook RegQueryValueExW and use GetProcAddress(LoadLibrary(L"kernelbase.dll"), "RegQueryValueExW"). Then the desired key is listed in the log but when I turn this mod on, it breaks the system (enables high contrast theme) and comparing // ==WindhawkMod==
// @id registry-hook-demo
// @name registry-hook-demo
// @description registry-hook-demo
// @version 0.1
// @author You
// @include explorer.exe
// ==/WindhawkMod==
// ==WindhawkModReadme==
/*
# registry-hook-demo
*/
// ==/WindhawkModReadme==
#include <windows.h>
typedef LONG (WINAPI *REGQUERYVALUEEXW)(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData);
REGQUERYVALUEEXW pOriginalRegQueryValueExW;
LONG WINAPI RegQueryValueExWHook(HKEY hKey, LPCWSTR lpValueName, LPDWORD lpReserved, LPDWORD lpType, LPBYTE lpData, LPDWORD lpcbData)
{
CHAR keyPath[256];
DWORD keyPathSize = sizeof(keyPath);
Wh_Log("%s",lpValueName);
if (lstrcmpiW(lpValueName, L"UndockingDisabled") == 0)
Beep(50,500);
{
if (lpType)
*lpType = REG_DWORD;
if (lpData && lpcbData && *lpcbData >= sizeof(DWORD))
{
*(DWORD*)lpData = 1;
*lpcbData = sizeof(DWORD);
}
return ERROR_SUCCESS;
}
return pOriginalRegQueryValueExW(hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);
}
BOOL Wh_ModInit(void)
{
Wh_Log(L"Init");
Wh_SetFunctionHook((void*)GetProcAddress(LoadLibrary(L"kernelbase.dll"), "RegQueryValueExW"), (void*)RegQueryValueExWHook, (void**)&pOriginalRegQueryValueExW);
return TRUE;
} |
Beta Was this translation helpful? Give feedback.
-
|
By the way, how to log an ANSI string using Wh_Log? |
Beta Was this translation helpful? Give feedback.
-
Wh_Log("%S", ansi_string); |
Beta Was this translation helpful? Give feedback.
-
|
Thanks regarding logging, this works! |
Beta Was this translation helpful? Give feedback.
-
|
Okay, I found the error, everything works now! (the error was beep outside the brackets) |
Beta Was this translation helpful? Give feedback.
I don't think there's a mod that demonstrates that. We indeed discussed it on Discord, and I posted a simple example. Posting it here too for reference.
I do have it on my list to try implementing a Registry Redirect mod, but I'm not sure when I'll get to it.