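def RegGetValue(self, emu, argv, ctx={}):
    '''
    LSTATUS RegGetValueW(
        HKEY    hkey,
        LPCWSTR lpSubKey,
        LPCWSTR lpValue,
        DWORD   dwFlags,
        LPDWORD pdwType,
        PVOID   pvData,
        LPDWORD pcbData
    );

    Emulation handler for RegGetValue: decodes the string arguments for
    the API log, looks the value up on ``hKey`` and hands the sample a
    zero-length (value found) or zero-filled (value unknown) buffer.

    Args:
        emu: emulator instance; part of the hook signature, unused here.
        argv: the seven raw arguments. String, type and size entries are
            rewritten in place with their decoded form so the API log
            shows names and sizes instead of raw pointers.
        ctx: hook context used to determine the guest character width.
            ``ctx={}`` is the hook-signature convention in this file and
            the dict is never mutated here.

    Returns:
        ERROR_SUCCESS, ERROR_INSUFFICIENT_BUFFER when the caller's buffer
        is smaller than the data, or ERROR_INVALID_PARAMETER when the
        caller's output buffer cannot be written.
    '''
    hKey, lpSubKey, lpValue, dwFlags, lpType, lpData, lpcbData = argv
    rv = windefs.ERROR_SUCCESS

    cw = self.get_char_width(ctx)

    # Decode the guest strings once and rewrite argv so the API log
    # shows the decoded names.
    if lpSubKey:
        lpSubKey = self.read_mem_string(lpSubKey, cw)
        argv[1] = lpSubKey

    if lpValue:
        lpValue = self.read_mem_string(lpValue, cw)
        argv[2] = lpValue

    type_name = regdefs.get_value_type(lpType)
    if type_name:
        argv[4] = type_name

    # *pcbData is the caller's buffer size.  It is read straight from
    # sample memory, so it is attacker-controlled and may be absurdly large.
    length = 0
    if lpcbData:
        length = int.from_bytes(self.mem_read(lpcbData, 4), 'little')
        argv[6] = length

    key = self.reg_get_key(hKey)
    if key:
        # NOTE: lpSubKey is only decoded for the log; the lookup is done
        # directly on hKey.  dwFlags (RRF_*) is not interpreted either.
        val = key.get_value(lpValue)
        if val:
            # For now, a found value yields an empty buffer: the required
            # size is reported as 0 and nothing is copied to pvData.
            output = b''
            if lpcbData:
                self.mem_write(lpcbData, len(output).to_bytes(4, 'little'))
            if len(output) > length:
                rv = windefs.ERROR_INSUFFICIENT_BUFFER
            elif lpData:
                # Guard the guest write: a NULL or unmapped pvData must
                # not abort the emulation run.
                try:
                    self.mem_write(lpData, output)
                except Exception:
                    rv = windefs.ERROR_INVALID_PARAMETER
        else:
            # Unknown value: hand back a zero-filled buffer of the requested
            # size instead of ERROR_FILE_NOT_FOUND so the sample keeps
            # running.  The buffer is only allocated when there is a
            # destination, so a huge *pcbData with a NULL pvData (the usual
            # size-query pattern) costs nothing on the host.
            if lpData:
                try:
                    self.mem_write(lpData, b'\x00' * length)
                except Exception:
                    rv = windefs.ERROR_INVALID_PARAMETER

        # The access is logged even when the copy failed: the attempt
        # itself is the behaviour an analyst wants to see.
        kp = key.get_path()
        self.log_registry_access(kp, REG_READ, value_name=lpValue,
                                 size=length, buffer=lpData)

    return rv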
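def RegQueryValueEx(self, emu, argv, ctx={}):
    '''
    LSTATUS RegQueryValueEx(
        HKEY    hKey,
        LPTSTR  lpValueName,
        LPDWORD lpReserved,
        LPDWORD lpType,
        LPBYTE  lpData,
        LPDWORD lpcbData
    );

    Emulation handler for RegQueryValueEx: decodes the value name for the
    API log, looks the value up on ``hKey`` and copies its data (REG_SZ
    only, for now) into the caller's buffer.  Unknown values yield a
    zero-filled buffer of the requested size.

    Args:
        emu: emulator instance; part of the hook signature, unused here.
        argv: the six raw arguments. The value name, type and size entries
            are rewritten in place with their decoded form for the API log.
        ctx: hook context used to determine the guest character width.
            ``ctx={}`` is the hook-signature convention in this file and
            the dict is never mutated here.

    Returns:
        ERROR_SUCCESS, ERROR_INSUFFICIENT_BUFFER when the caller's buffer
        is smaller than the data, or ERROR_INVALID_PARAMETER when the
        caller's output buffer cannot be written.
    '''
    hKey, lpValueName, lpReserved, lpType, lpData, lpcbData = argv
    rv = windefs.ERROR_SUCCESS

    # Guest character width: 2 for the wide (W) variant, 1 for ANSI.
    cw = self.get_char_width(ctx)

    if lpValueName:
        lpValueName = self.read_mem_string(lpValueName, cw)
        argv[1] = lpValueName

    # NOTE(review): lpType is an out-parameter in the real API but is
    # never written back here; a sample that branches on the returned
    # type sees whatever its memory already held.  Confirm before relying
    # on the logged type_name.
    type_name = regdefs.get_value_type(lpType)
    if type_name:
        argv[3] = type_name

    # *lpcbData is the caller's buffer size.  It is read straight from
    # sample memory, so it is attacker-controlled and may be absurdly large.
    length = 0
    if lpcbData:
        length = int.from_bytes(self.mem_read(lpcbData, 4), 'little')
        argv[5] = length

    key = self.reg_get_key(hKey)
    if key:
        val = key.get_value(lpValueName)
        if val:
            output = b''
            typ = val.get_type()
            data = val.get_data()
            if typ == 'REG_SZ':
                # A wide caller expects UTF-16LE in the buffer; the narrow
                # variant keeps the existing UTF-8 encoding.
                # NOTE(review): no terminating NUL is appended; confirm
                # whether stored values already carry one.
                output = data.encode('utf-16le' if cw == 2 else 'utf-8')
            # Other value types (REG_DWORD, REG_BINARY, ...) currently
            # produce an empty buffer.

            # Report the required size first, as the real API does, so an
            # ERROR_INSUFFICIENT_BUFFER caller can retry with the right size.
            if lpcbData:
                self.mem_write(lpcbData, len(output).to_bytes(4, 'little'))
            if len(output) > length:
                rv = windefs.ERROR_INSUFFICIENT_BUFFER
            elif lpData:
                # Guard the guest write: an unmapped lpData must not abort
                # the emulation run.
                try:
                    self.mem_write(lpData, output)
                except Exception:
                    rv = windefs.ERROR_INVALID_PARAMETER
        else:
            # Unknown value: hand back a zero-filled buffer of the requested
            # size instead of ERROR_FILE_NOT_FOUND so the sample keeps
            # running.  The buffer is only allocated when there is a
            # destination, so a huge *lpcbData with a NULL lpData (the usual
            # size-query pattern) costs nothing on the host.
            try:
                if lpData:
                    self.mem_write(lpData, b'\x00' * length)
                if lpcbData:
                    self.mem_write(lpcbData, length.to_bytes(4, 'little'))
            except Exception:
                rv = windefs.ERROR_INVALID_PARAMETER

        # The access is logged even when the copy failed: the attempt
        # itself is the behaviour an analyst wants to see.
        # NOTE(review): the sibling RegGetValue passes REG_READ here;
        # confirm 'read_value' is the same tag.
        kp = key.get_path()
        self.log_registry_access(kp, 'read_value', value_name=lpValueName,
                                 size=length, buffer=lpData)

    return rv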