Prototype of the NtLoadKeyEx
by James on Apr.27, 2010, under ReverseIt, System Research
If you have looked at the WRK (Windows Research Kernel), you will find that the NtLoadKeyEx prototype is as follows:
NTSTATUS __stdcall NtLoadKeyEx
(
    __in POBJECT_ATTRIBUTES TargetKey,
    __in POBJECT_ATTRIBUTES SourceFile,
    __in ULONG Flags,
    __in_opt HANDLE TrustClassKey
);
But if you hook this function using this prototype, you will hit a critical error.
What’s wrong?
The real Windows system does not use this prototype.
The real one is:
NTSTATUS __stdcall NtLoadKeyEx
(
    __in POBJECT_ATTRIBUTES TargetKey,
    __in POBJECT_ATTRIBUTES SourceFile,
    __in ULONG Flags,
    __in_opt HANDLE TrustClassKey,
    __in PVOID Reserved,
    __in PVOID ObjectContext,
    __in PVOID CallbackReserved,
    __out PIO_STATUS_BLOCK IoStatusBlock
);
I will skip the first four parameters and describe the last four.
Reserved:
    Must be NULL.
ObjectContext:
    The “ObjectContext” member of the REG_LOAD_KEY_INFORMATION structure that is passed to the RegNtPreLoadKey callback routine registered with CmRegisterCallback.
CallbackReserved:
    The “Reserved” member of the REG_LOAD_KEY_INFORMATION structure that is passed to the RegNtPreLoadKey callback routine registered with CmRegisterCallback (must be NULL).
IoStatusBlock:
    Returns the status of opening the source file (NULL is not acceptable).
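On 32-bit x86 a __stdcall function pops its own arguments when it returns, so a hook routine has to declare all eight parameters to match what the caller pushed. The pass-through routine below is an added example, not code from this post or from the WRK: it forwards every argument unchanged and counts calls that break the constraints listed above. The stand-in types and the names OriginalNtLoadKeyEx, SuspectCalls and StubNtLoadKeyEx are assumptions made so it builds outside the WDK.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in types so this builds outside the WDK; a driver takes them from <ntddk.h>. */
typedef int32_t NTSTATUS;
typedef uint32_t ULONG;
typedef void *HANDLE, *PVOID;
typedef struct _OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
typedef struct { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
#define NTAPI /* __stdcall on 32-bit x86 */

/* All eight parameters, in the order the post gives them. */
typedef NTSTATUS (NTAPI *NT_LOAD_KEY_EX)(POBJECT_ATTRIBUTES, POBJECT_ATTRIBUTES, ULONG,
    HANDLE, PVOID, PVOID, PVOID, PIO_STATUS_BLOCK);

static NT_LOAD_KEY_EX OriginalNtLoadKeyEx; /* hypothetical: saved by the code that installs the hook */
static unsigned SuspectCalls;              /* hypothetical counter for constraint violations */

NTSTATUS NTAPI HookNtLoadKeyEx(POBJECT_ATTRIBUTES TargetKey, POBJECT_ATTRIBUTES SourceFile,
    ULONG Flags, HANDLE TrustClassKey, PVOID Reserved, PVOID ObjectContext,
    PVOID CallbackReserved, PIO_STATUS_BLOCK IoStatusBlock)
{
    /* Reserved and CallbackReserved must be NULL; IoStatusBlock must not be. */
    if (Reserved != NULL || CallbackReserved != NULL || IoStatusBlock == NULL)
        SuspectCalls++;
    /* Forward every argument untouched; the original routine decides the result. */
    return OriginalNtLoadKeyEx(TargetKey, SourceFile, Flags, TrustClassKey,
                               Reserved, ObjectContext, CallbackReserved, IoStatusBlock);
}

/* Constructed stand-in for the real routine: checks that arguments 5 to 8 arrive intact. */
static NTSTATUS NTAPI StubNtLoadKeyEx(POBJECT_ATTRIBUTES t, POBJECT_ATTRIBUTES s, ULONG Flags,
    HANDLE k, PVOID Reserved, PVOID Ctx, PVOID CbReserved, PIO_STATUS_BLOCK Iosb)
{
    (void)t; (void)s; (void)k; (void)Ctx;
    if (Reserved != NULL || CbReserved != NULL || Iosb == NULL) return -1;
    Iosb->Status = (NTSTATUS)Flags; /* echo Flags so the caller can see the block was written */
    return 0;
}

int main(void)
{
    IO_STATUS_BLOCK iosb = {0, 0};
    OriginalNtLoadKeyEx = StubNtLoadKeyEx;
    NTSTATUS st = HookNtLoadKeyEx(NULL, NULL, 4, NULL, NULL, NULL, NULL, &iosb);
    return (st == 0 && iosb.Status == 4 && SuspectCalls == 0) ? 0 : 1;
}
```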
Okay, that’s the end!
May 11th, 2010 on 15:03
If this issue is found, that’s to say you guys referred to the API mentioned by WRK directly. Try to avoid this next time, since WRK is for students to explore the OS, not the exact document, thanks.