标题: Play with the Registry [打印本页] 作者: x86 时间: 2005-6-14 11:12 标题: Play with the Registry
____________________________________________________________________________________________
...:: Play with the Registry ::..
- by DiA /auXnet -
[GermanY]
____________________________________________________________________________________________
+++++Disclaimer+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+I am NOT responsible for any damage that you do! You can need the code however you want...+
+My motherlanguage is not English, I hope you understand what I mean. +
+Feel FREE to write any Comments to +
+ DiA_hates_machine@gmx.de +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
................................................
. .
. Index: _1_ : Intro .
. .
. _2_ : What the HELL is the Registry .
. .
. _3_ : Structure of Registry .
. .
. _4_ : The MainKey';s .
. .
. _5_ : Kewl SubKey';s .
. .
. _6_ : ??Open and Close a SubKey .
. .
. _7_ : ??Read a Value .
. .
. _8_ : ??Create a SubKey .
. .
. _9_ : ??Set a Value .
. .
. _A_ : ??Delete a Subkey .
. .
. _B_ : Outro .
. .
. #C# : Appendix = RegCounter .
. .
................................................
*** _1_ : Intro ***
Here we go again Motherfucker... ;)
Yes, here it is, another tutorial from me! In this tutorial i wanna describe the most
important things about the WindowZ "Registry". The Registry is a fine thing, in DOS age
there was .INI filez where the progs save something. Today in WIN age there are the Registry
Of course, it';s a new thing (for Newbies :), but I think it';s easy to learn and understand.
When you checked it, you can do a lot of things with the Registry. But enogh with the silly
BlaBlaBla... ...LET';S ROCK ';N ROLL!
*** _2_ : What the HELL is the Registry ***
In the Registry are saved some important things for WindowZ, Win32 Progs, Bios Stuff and
some other interesting things. You can look at the Registry with the WindowZ tool "RegEdit".
It';s in the WindowZ folder (eg C:\Windows\RegEdit.EXE)...
Offer: before you go on with reading, start RegEdit and look at the Registry by yourself,
and then go on with the reading, let';s do this.....
*** _3_ : Structure of Registry ***
HKEY_LOCAL_MACHINE, HKEY_USERS, ... WHAT DA HELL IS THIS?
Easy, this shit is called "MainKeys", but wait, I show you this all in a nice graphic';s...
Ok, first open RegEdit then click on "HKEY_LOCAL_MACHINE".
You see a tree, right? Ok, go to the following Folders (SubKey';s):
\Software
\Microsoft
\Windows
\CurrentVersion
Now you see some Value';s, look for "RegisteredOwner".
Yup, here are the graphic';s:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
^~~~~~~~~~~~~~~~~^ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
| |
MainKey SubKey
MainKey : it exist 5 MainKey';s (ever) and maybe one more (not ever) [ See _4_ ]
SubKey : can be everything, your SubKey, SubKey from WindowZ or a Win32 Prog [ See RegEdit ]
RegisteredOwner "SillyMotherFucker"
^~~~~~~~~~~~~~^ ^~~~~~~~~~~~~~~~~~^
| |
ValueName Value
ValueName : you need the name to read, write or delete a Value
Value : here saved a String or a Number (eg SetupFlags 02 05 00 00)
*** _4_ : The MainKey';s ***
Ok, now you know the structure of the Registry, but what are the MainKay';s:
HKEY_CLASSES_ROOT equ 80000000h;ever
HKEY_CURRENT_USER equ 80000001h;ever
HKEY_LOCAL_MACHINE equ 80000002h;ever
HKEY_USERS equ 80000003h;ever
HKEY_PERFORMANCE_DATA equ 80000004h;ever
HKEY_CURRENT_CONFIG equ 80000005h;ever
HKEY_DYN_DATA equ 80000006h;NOT ever (fuck off)
You will see it to use in chapter _6_ ...
*** _5_ : Kewl SubKey';s ***
Here comez kewl SubKey';s where you can watch out:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_CURRENT_USER\Control Panel\Keyboard
HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Look for some other kewl stuff, everyday you will find new things!
*** _6_ : ??Open and Close a SubKey ***
Ok, here comez the Code Examples, it';s enogh describe...
To Compile the Example Progs (? = The current Example Prog):
TASM32 /z /ml /m3 Ex?,,;
TLINK32 -Tpe -c Ex?,Ex?,, import,lib
In this Example we wanna OPEN and CLOSE a MainKey with a SubKey:
;-----cut-----Ex1.asm-----------------------------------------------------------------------
.386;386+
.model flat;no registers
jumps;TASM is kewl
;+++++
; YOU MUST KNOW IT!
;+++++
extrn RegOpenKeyExA:PROC;open a key (see chapter _4_), with a subkey
extrn RegCloseKey:PROC;close a key
;+++++
; needed API';s for the Example Prog
; for more infos look at the Win32 Programerz Referenz from WindowZ
;+++++
extrn MessageBoxA:PROC;show a message, only to see that it workz
extrn ExitProcess:PROC;to exit the Example Prog
;+++++
; only needed that you see that it workz
; i think you know this shit
;+++++
HKEY_LOCAL_MACHINEequ 80000002h;define the MainKey ( _4_ )
ReadAndWriteequ 001F0000h;flag to read and write something (Value, SubKey...)
;+++++
; the code is clearer, TASM makes it ;)
;+++++
.data
SubKeydb ';Software\Microsoft\Windows\CurrentVersion';,0
RegHandledd 0;handle for the current open SubKey
;+++++
; Ok, here is the SubKey string, it must be a NULLterminated string
; in RegHandle we are save the handle
;+++++
oTitledb ';癙lay with the Registry?- Example Prog - ??,0
oMsgdb ';Now the SubKey is open:';,10,13
db ';HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion';,10,13
db ';OK, to close the SubKey';,0
;+++++
; for the message, only to POSE ;)
;+++++
.code
start:
;+++++
; BAH!
;+++++
push offset RegHandle;here saves the Handle
push ReadAndWrite;Read and Write flag
push 0;NULLLLL
push offset SubKey;pointer to the SubKey string
push HKEY_LOCAL_MACHINE;see up, defined
call RegOpenKeyExA;call the API
;+++++
; this is the funktion to open a MainKey and a SubKey
; after the work the handle is saved in RegHandle
; for more infoz about API';s look at th Win32 Referenz
;+++++
test eax,eax;if not NULL
jnz Exit;then ERROR -> Exit
;+++++
; here we test if there is an error (eg: can';t open SubKey...)
; test eax,eax = cmp eax,00
;+++++
push 0;NO style
push offset oTitle;title of message box
push offset oMsg;msg in the message box
push 0;no window
call MessageBoxA;call the API
;+++++
; here we show that the SubKey is opened and the handle is saved
;+++++
Exit:
push dword ptr [RegHandle];push the value of RegHandle
call RegCloseKey;close the key via saved handle
;+++++
; ok, here we close the SubKey with the handle (RegHandle) that we are have save
;+++++
push 0;NULL
call ExitProcess;exit it
;+++++
; afte work exit the prog
; if there is any error, exit it too (no message)
;+++++
end start
;+++++
; ya know...
;+++++
;-----cut-----------------------------------------------------------------------------------
Run the Prog:
If you see a Message then the SubKey is opened...
If no Message, then is any Error... (SH!T)
*** _7_ : ??Read a Value ***
In this Example we wanna OPEN a MainKey with SubKey ( see _6_ ),
then READ A VALUE (RegisteredOwner), and CLOSE the Key:
;-----cut-----Ex2.asm-----------------------------------------------------------------------
.386
.model flat
jumps
;+++++
; what must I say???
;+++++
extrn RegOpenKeyExA:PROC;see _6_
extrn RegQueryValueExA:PROC; to raed a value from a SubKey
extrn RegCloseKey:PROC;see also _6_
;+++++
; only RegQueryValue is new: to read a value
; if you don';t know the other shit, look ine chapter before
;+++++
extrn MessageBoxA:PROC;to show a message
extrn ExitProcess:PROC;to exit
;+++++
; to show the read Value
; and exit
;+++++
HKEY_LOCAL_MACHINEequ 80000002h;see up
ReadAndWriteequ 001F0000h;,too!
;+++++
; I don';t describe thing';s when that are in a other chapter before!
;+++++
.data
SubKeydb ';Software\Microsoft\Windows\CurrentVersion';,0
ValueNamedb ';RegisteredOwner';,0
RegHandledd 0;here saves the handle
lpTypedd 0;the type to read
Sizedd 100d;the size for RegisteredOwner string
Ownerdb 100d dup (0);here we save the string
;+++++
; oh, some new shit...
; ValueName contains a NULLterminated string, ...ValueName ( see _3_ )
; lpType is the type to read, must be a offset
; Size is the size for buffer, must be a offset
; Owner is the buffer, where we save the Value-String from "RegisteredOwner"
;+++++
oTitledb ';癙lay with the Registry?- Example Prog - ??,0
;+++++
; here the Title of the message box
; message is the read Value from "RegisteredOwner"
;+++++
.code
start:
;+++++
; NO QUESTIONZ!
;+++++
push offset RegHandle;if you don';t know, look at chapter _6_
push ReadAndWrite
push 0
push offset SubKey
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA
;+++++
; Open the SubKey ( see _6_ )
;+++++
test eax,eax
jnz Exit;error?
;+++++
; if error jmp to Exit
;+++++
push offset Size;size of buffer
push offset Owner;here we save the Value
push offset lpType;type to read
push 0;NULL
push offset ValueName;name of Value to read
push dword ptr [RegHandle];push the handle of the open SubKey
call RegQueryValueExA;API
;+++++
; here is the new API "RegQueryValueExA"
; after work the Value is in "Owner"
; now we have the Value
;+++++
test eax,eax;error?
jnz Exit
;+++++
; here we check if there is a error to read the Value
;+++++
push 0;show a message
push offset oTitle;title
push offset Owner;show the value that we read =)
push 0;NULL
call MessageBoxA
;+++++
; what must I say???
;+++++
Exit:
push dword ptr [RegHandle];close the SubKey after work
call RegCloseKey;via handle
;+++++
; see _6_ .....
;+++++
push 0
call ExitProcess
;+++++
; exit the prog
;+++++
end start
;-----cut-----------------------------------------------------------------------------------
So, when you run the prog, you see a message box with the current Registered Owner...
If there is any error, then NO message...
*** _8_ : ??Create a SubKey ***
Now we can Open a SubKey, Read a Value and Close a SubKey...
That';s enough, good night.
WHAT? It';s NOT ENOUGH, Ok, Ok. ;)
In this Example Prog we wanna Create a SubKey! We create "TE$T" in HKEY_LOCAL_MACHINE\System
But let';s see:
;-----cut-----Ex3.asm-----------------------------------------------------------------------
.386
.model flat
jumps
;+++++
; don';t ask!
;+++++
extrn RegOpenKeyExA:PROC;see _6_
extrn RegCreateKeyA:PROC;create';s a new subkey
extrn RegCloseKey:PROC;see _6_
;+++++
; only one new API, RegCreateKeyA
; simply, creates a new subkey in the current open key
;+++++
extrn MessageBoxA:PROC;show message...
extrn ExitProcess:PROC;exit the prog
;+++++
; show & exit =)
;+++++
HKEY_LOCAL_MACHINEequ 80000002h;define
ReadAndWriteequ 001F0000h;only for TASM
;+++++
; see up...
;+++++
.data
SubKeydb ';System';,0;in this SubKey we wanna create our SubKey
OurSubKeydb ';TE$T';,0;the name of the SubKey to create
RegHandledd 0;handle of SubKey
OurRegHandledd 0;here we save our handle of the SubKey (TE$T)
;+++++
; ohh, new things...
; but simply
; OurSubKey contains a NULLterminated string (can be anything =)
; When we create this SubKey, it';s in HKEY_LOCAL_MACHINE\System\TE$T
; OurRegHandle, there we save the handle from HKEY_LOCAL_MACHINE\System\TE$T
; but in RegHandle, there is the handle from HKEY_LOCAL_MACHINE\System
; wow
;+++++
oTitledb ';癙lay with the Registry?- Example Prog - ??,0
oMsgdb ';Create a new SubKey:';,10,13
db '; HKEY_LOCAL_MACHINE\System\TE$T';,0
;+++++
; pose a little bit...
;+++++
.code
start:
;+++++
;if you don';t know, FUCK YOU :)
;+++++
test eax,eax;error?
jnz Exit
;+++++
; ya know?!?
;+++++
push offset OurRegHandle;here we save the handle of our SubKey
push offset OurSubKey;point';s to the string, contain';s our SubKey
push dword ptr [RegHandle];handle of HKEY_LOCAL_MACHINE\System
call RegCreateKeyA;API
;+++++
; here is the new thing,
; creates in "HKEY_LOCAL_MACHINE\System" the SubKey "TE$T"
;+++++
push 0;show the message
push offset oTitle;title
push offset oMsg;message
push 0;no owner window...
call MessageBoxA;!SHOW!
;+++++
; show the message that all is allright
;+++++
Exit:
push dword ptr [OurRegHandle];close our SubKey
call RegCloseKey
;+++++
; first we must close our handle, and then...
;+++++
push dword ptr [RegHandle];close handle
call RegCloseKey
;+++++
; ...we must close the handle from HKEY_LOCAL_MACHINE\System
;+++++
push 0
call ExitProcess
;+++++
; exit and good night!
;+++++
end start
;-----cut-----------------------------------------------------------------------------------
Ok, run the prog...
... when you see a message, start RegEdit (C:\WINDOWS\RegEdit.EXE):
click on HKEY_LOCAL_MACHINE
\Sytem
Yup, now you can see (if no error) "TE$T" SubKey, KEWL!
If no message, there is a error!
*** _9_ : ??Set a Value ****
MAN! Now we wanna SET A VALUE, in the SubKey that we create in the chapter before ( _8_ )
The ValueName is " Example Prog ??" and the Value is " from -Play with the Registry- tut,
written by DiA /auXnet ". Let';s do this:
;-----cut-----Ex4.asm-----------------------------------------------------------------------
.386
.model flat
jumps
;+++++
; I kill you, if you don';t know ;)
;+++++
extrn RegOpenKeyExA:PROC; _6_
extrn RegSetValueExA:PROC;to set a Value in a opened SubKey
extrn RegCloseKey:PROC; _6_
;+++++
; we set the value in the SubKey
; HKEY_LOCAL_MACHINE\System\TE$T
;+++++
extrn MessageBoxA:PROC
extrn ExitProcess:PROC
;+++++
; show and exit
;+++++
HKEY_LOCAL_MACHINEequ 80000002h;define
ReadAndWriteequ 001F0000h
SizeOfValueequ (offset ValueEnd - offset ValueStart)
;+++++
; ya must know, TASM RULEZ
; SizeOfValue is defined for the API RegSetValueA, see down...
;+++++
.data
SubKey db ';System\TE$T';,0
ValueNamedb ';Example Prog ??,0
ValueStart:
Valuedb ';from -Play with the Registry- tut, written by DiA /auXnet';,0
ValueEnd:
RegHandledd 0
;+++++
; ValueName : Value
; you will see it, and I think the rest is clear
;+++++
oTitledb ';癙lay with the Registry?- Example Prog - ??,0
oMsgdb ';Set the Value:';,10,13
db '; - Example Prog ??: from -Play with the Registry- tut, written by DiA /auXnet -';,10,13
db '; in - HKEY_LOCAL_MACHINE\System\TE$T -';,0
;+++++
; to show something
;+++++
.code
start:
;+++++
; hard to understand, not? ;)
;+++++
push offset RegHandle;see _6_
push ReadAndWrite;TASM...
push 0
push offset SubKey;create in chapter _8_
push HKEY_LOCAL_MACHINE;...RULEZ
call RegOpenKeyExA
;+++++
; open the key that we create in cahpter _8_ (TE$T)
;+++++
test eax,eax;error
jnz Exit
;+++++
; error -> exit
;+++++
push SizeOfValue;contains the size of the value
push offset Value;value to set
push 1;1 = String 0 = Number
push 0;NULLNULLNULL
push offset ValueName;the name of value
push dword ptr [RegHandle];set it in HKEY_LOCAL_MACHINE\System\TE$T
call RegSetValueExA;API
;+++++
; now we set the Value in the ValueName
; the size is defined "SizeOfValue"
; in RegHandle, ya know...
;+++++
push 0;message box
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
;+++++
; show a message box
;+++++
Exit:
push dword ptr [RegHandle];close the handle
call RegCloseKey
;+++++
; close the handle before exit
;+++++
push 0
call ExitProcess
;+++++
; exit the prog
;+++++
end start
;-----cut-----------------------------------------------------------------------------------
Whatzz UP?!?
Run the Example Prog, if you see the message, good!
Start RegEdit, click on HKEY_LOCAL_MACHINE
\System
\TE$T
Yeah, you will see the ValueName contains the Value that we set in the prog! ROCK ';N ROLL.
No message, error ...sorry.
*** _A_ : ??Delete a Subkey ***
The last Example Prog...
Ok, we create a SubKey ( _8_ ) and set a Value ( _9_ ), now we don';t wanna this shit anymore
...so we DELETE THE SUBKEY! See:
;-----cut-----Ex5.asm-----------------------------------------------------------------------
.386
.model flat
jumps
;+++++
; what can I say?
;+++++
extrn RegOpenKeyExA:PROC;man, look at _6_
extrn RegDeleteKeyA:PROC;delete';s a SubKey
extrn RegCloseKey:PROC;fuck off...
;+++++
; new API RegDeleteKeyA delete';s the subkey that we create ( _8_ )
; also the Value that we set in chapter _9_
;+++++
extrn MessageBoxA:PROC;show
extrn ExitProcess:PROC;exit
;+++++
; show & exit
;+++++
HKEY_LOCAL_MACHINEequ 80000002h;define
ReadAndWriteequ 001F0000h
;+++++
; ya know, if not shutdown your computer ;)
;+++++
.data
SubKeydb ';System';,0
OurSubKeydb ';TE$T';,0
RegHandledd 0
;+++++
; first we must open HKEY_LOCAL_MACHINE\System
; to delete \TE$T
;+++++
oTitledb ';癙lay with the Registry?- Example Prog - ??,0
oMsgdb ';Delete SubKey:';,10,13
db '; \TE$T in HKEY_LOCAL_MACHINE\System';,0
;+++++
; poser!
;+++++
.code
start:
;+++++
; ARGH!
;+++++
push offset RegHandle; _666_
push ReadAndWrite;TASM, I luv ya
push 0
push offset SubKey
push HKEY_LOCAL_MACHINE
call RegOpenKeyExA
;+++++
; all know';n from chapter _6_
;+++++
test eax,eax;not
jnz Exit;NULL
;+++++
; ERROR!
;+++++
push offset OurSubKey;what delete?
push dword ptr [RegHandle];in HKEY_LOCAL_MACHINE\System
call RegDeleteKeyA;API
;+++++
; delete this fucking shit
; all is clear
;+++++
push 0;show message
push offset oTitle
push offset oMsg
push 0
call MessageBoxA
;+++++
; show THE message
;+++++
Exit:
push dword ptr [RegHandle];close handle
call RegCloseKey
;+++++
; close the opened SubKey
;+++++
push 0
call ExitProcess
;+++++
; exit
;+++++
end start
;-----cut-----------------------------------------------------------------------------------
Run the prog, when you see the message the SubKey is deleted. Look at RegEdit:
HEKEY_LOCAL_MACHINE\System ... no TE$T SubKey!
No message -> error!
*** _B_ : Outro ***
All is done, now you have the most important knowledge to *Play with the Registry* =)
Ok, we see us in another Tutorial...
cya DiA
end start
;-----cut-----------------------------------------------------------------------------------
____________________________________________________________________________________________
DiA /auXnet (c)02
____________________________________________________________________________________________作者: 漫天樱舞 时间: 2005-6-14 11:39 标题: Play with the Registry
in his opinion,seems everything is so easy
i think in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
expect run,others aren';t important.
some subkeys must remmenber firmly,for example:main etc
