ELAM driver and the registry

  • Question

  • Hi,

    I have the following problem:

    In an ELAM driver I want to write some data to the registry using kernel API
    ZwSetValueKey().  The call returns SUCCESS, however, when I access the value later on
    in user mode (using offline registry library) this value is not there.
    If I write a value in user mode then I am able to see it in ELAM driver, but the opposite
    is not working.
    Is this expected behavior, or am I doing something wrong?

    Thank you


    Monday, April 1, 2019 2:22 AM

Answers

  • As I recall, the ELAM registry area is read-only (with the writes silently failing), to prevent malware from attacking and disabling the ELAM driver. You should be able to write to the System hive.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Marked as answer by st1111 Monday, April 1, 2019 8:52 PM
    Monday, April 1, 2019 7:42 PM
    Moderator

All replies

  • Hello st1111,

    This forum is for "Discuss general issues about developing applications for Windows."

    Since this issue is hardware-driver related, I'll move it to the right forum for more professional support.

    Best regards,

    Rita


    MSDN Community Support

    Monday, April 1, 2019 8:16 AM
  • Show us a code snippet of the kernel write and the user mode read. There are challenges in making sure the paths in the kernel and user space align.


    Don Burn Windows Driver Consulting Website: http://www.windrvr.com

    Monday, April 1, 2019 11:49 AM
  • // kernel mode

    /*
    KeyPath is "\Registry\Machine\ELAM\Best DynoHunters Co" (in UNICODE_STRING format)
    ValueName is "NewData" (in UNICODE_STRING format)
    RegType is REG_BINARY;
    Data is binary blob
    DataSize is 0x66f0
    */

    // Forward declaration: RegistryWrite() uses this helper before it is defined below.
    static HANDLE RegistryOpenKey(PUNICODE_STRING KeyPath);

    // Writes the value (or deletes it when DataSize is 0) and returns the NTSTATUS of the registry call.
    NTSTATUS RegistryWrite(
        PUNICODE_STRING KeyPath,
        PUNICODE_STRING ValueName,
        UINT32 RegType,
        PVOID Data,
        UINT32 DataSize)
    {
        NTSTATUS status;
        HANDLE hRegKey = NULL;

        hRegKey = RegistryOpenKey(KeyPath);
        if (hRegKey == NULL)
            return STATUS_UNSUCCESSFUL;

        if (DataSize == 0)
            status = ZwDeleteValueKey(hRegKey, ValueName);
        else
            status = ZwSetValueKey(hRegKey, ValueName, 0, RegType, Data, DataSize);

        ZwClose(hRegKey);

        return status;
    }

    // Opens an existing key for writing with a kernel handle; returns NULL on failure (the status is traced).
    static HANDLE RegistryOpenKey(
        PUNICODE_STRING KeyPath)
    {
        NTSTATUS status;
        HANDLE regKey = NULL;
        OBJECT_ATTRIBUTES objectAttributes;

        InitializeObjectAttributes(&objectAttributes,
            KeyPath,
            OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
            NULL,
            NULL);

        status = ZwOpenKey(&regKey, KEY_WRITE, &objectAttributes);
        if (!NT_SUCCESS(status))
        {
            Trace(LEVEL_DEBUG, FLAG_UTIL, "ZwOpenKey() failed: 0x%x.", status);
            regKey = NULL;   // make the failure return explicit regardless of what ZwOpenKey left in regKey
        }

        return regKey;
    }



    ///////////////////////////////////////

    // User mode
    // The OR*_fn names are assumed to be function pointers resolved from offreg.dll (Offline Registry Library).

    rc = OpenRegHiveAndKey(L"c:\\Windows\\System32\\config\\ELAM", L"Best DynoHunters Co", &elamHiveKey,
            &elamRegKey);
    if (rc != ERROR_SUCCESS)
    {
        ReportError("OpenRegHiveAndKey", rc);
        goto cleanup;
    }

    ...

    rc = ReadRegBinaryValue(elamRegKey, L"NewData", &newData,
            &newDataLength);


    // Opens the hive file and the named subkey (creating the subkey if it does not exist).
    // On success both handles are transferred to the caller; on failure both are closed here.
    DWORD OpenRegHiveAndKey(
        _In_ LPCWSTR hiveFileName,
        _In_ LPCWSTR keyName,
        _Out_ ORHKEY* hiveKeyPtr,
        _Out_ ORHKEY* regKeyPtr)
    {
        DWORD rc = 0;
        ORHKEY hiveKey = NULL;
        ORHKEY regKey = NULL;

        rc = OROpenHive_fn(hiveFileName, &hiveKey);
        if (rc != ERROR_SUCCESS)
        {
            ReportError("OROpenHive", rc);
            goto cleanup;
        }

        rc = OROpenKey_fn(hiveKey, keyName, &regKey);
        if (rc != ERROR_SUCCESS)
        {
            rc = ORCreateKey_fn(hiveKey, keyName, NULL, 0, NULL, &regKey, NULL);
            if (rc != ERROR_SUCCESS)
            {
                ReportError("ORCreateKey", rc);
                goto cleanup;
            }
        }

        *hiveKeyPtr = hiveKey;
        hiveKey = NULL;
        *regKeyPtr = regKey;
        regKey = NULL;

    cleanup:
        if (regKey != NULL)
            ORCloseKey_fn(regKey);

        if (hiveKey != NULL)
            ORCloseHive_fn(hiveKey);

        return rc;
    }


    // Reads a REG_BINARY value into a heap buffer the caller frees with HeapFree().
    DWORD ReadRegBinaryValue(ORHKEY regKey, LPCWSTR valueName, PBYTE* valuePtr, DWORD* valueLengthPtr)
    {
        DWORD rc = 0;
        DWORD regType;
        DWORD valueLength;
        PBYTE valueData = NULL;

        // Size query with a NULL buffer: accept either success code that reports the required length.
        rc = ORGetValue_fn(regKey, NULL, valueName, &regType, NULL, &valueLength);
        if (rc != ERROR_SUCCESS && rc != ERROR_MORE_DATA)
        {
            ReportError("ORGetValue", rc);
            goto cleanup;
        }

        if (regType != REG_BINARY)
        {
            rc = ERROR_INVALID_DATA;
            ReportError("ORGetValue (unexpected value type)", rc);
            goto cleanup;
        }

        valueData = (PBYTE)HeapAlloc(GetProcessHeap(), 0, valueLength);
        if (valueData == NULL)
        {
            rc = ERROR_NOT_ENOUGH_MEMORY;
            ReportError("HeapAlloc", rc);
            goto cleanup;
        }

        rc = ORGetValue_fn(regKey, NULL, valueName, &regType, valueData, &valueLength);
        if (rc != ERROR_SUCCESS)
        {
            ReportError("ORGetValue", rc);
            goto cleanup;
        }

        *valuePtr = valueData;
        valueData = NULL;
        *valueLengthPtr = valueLength;

    cleanup:
        if (valueData != NULL)
            HeapFree(GetProcessHeap(), 0, valueData);

        return rc;
    }

    Monday, April 1, 2019 5:49 PM
  • That explains what I'm seeing.

    Thanks!

    Monday, April 1, 2019 8:52 PM
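Two points from the thread are worth a concrete check: Don Burn's remark that the kernel-mode and user-mode registry paths must line up, and Brian's suggestion to persist the data in the System hive instead of the ELAM hive. The helper below is an added example written for this thread (not code from any poster); it is a hypothetical host-side mapper that turns a kernel-mode path such as the one in the question into the hive file and subkey an offline-registry reader would open, and it takes the control-set number (the value of HKLM\SYSTEM\Select\Current) because an offline SYSTEM hive contains ControlSetNNN keys but no CurrentControlSet link.

```c
/* Added example: map "\Registry\Machine\<Hive>\<subkey>" to the offline hive
 * file and subkey a user-mode reader would open. Hypothetical helper, not from
 * the original thread. Control-set number comes from HKLM\SYSTEM\Select\Current. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HIVE_DIR "C:\\Windows\\System32\\config\\"

/* ASCII case-insensitive prefix test: returns the remainder or NULL. */
static const char *strip_prefix(const char *s, const char *prefix) {
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++)
        if (!s[i] || tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return NULL;
    return s + n;
}

/* Returns 0 and fills hiveFile/subKey, or -1 if the path is not under
 * \Registry\Machine or a buffer is too small. "CurrentControlSet" is rewritten
 * to the ControlSetNNN key that exists in the offline SYSTEM hive. */
int map_kernel_reg_path(const char *kernelPath, unsigned currentControlSet,
                        char *hiveFile, size_t hiveCap, char *subKey, size_t subCap) {
    const char *rest = strip_prefix(kernelPath, "\\Registry\\Machine\\");
    if (!rest || !*rest) return -1;
    const char *sep = strchr(rest, '\\');
    size_t hiveLen = sep ? (size_t)(sep - rest) : strlen(rest);
    if (hiveLen + sizeof(HIVE_DIR) > hiveCap) return -1;
    snprintf(hiveFile, hiveCap, "%s%.*s", HIVE_DIR, (int)hiveLen, rest);
    const char *sub = sep ? sep + 1 : "";
    const char *tail = strip_prefix(sub, "CurrentControlSet");
    int n;
    if (tail && (*tail == '\\' || *tail == '\0'))
        n = snprintf(subKey, subCap, "ControlSet%03u%s", currentControlSet, tail);
    else
        n = snprintf(subKey, subCap, "%s", sub);
    return (n < 0 || (size_t)n >= subCap) ? -1 : 0;
}

/* Convenience check used to verify a mapping: 1 if it matches, 0 otherwise. */
int mapping_matches(const char *kernelPath, unsigned ccs,
                    const char *expectedHive, const char *expectedSub) {
    char h[128], k[256];
    if (map_kernel_reg_path(kernelPath, ccs, h, sizeof h, k, sizeof k) != 0) return 0;
    return strcmp(h, expectedHive) == 0 && strcmp(k, expectedSub) == 0;
}
```

The first case reproduces the ELAM path from the question; the second shows what a System-hive location looks like once CurrentControlSet is resolved for an offline read.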