
Hide String value from Regedit by Hooking the RegEnumValueW API

By , 5 Dec 2001
 

Introduction

This article explains how to hide a registry string from regedit by hooking the RegEnumValueW API. In this article there is a function that hooks APIs, called HookAPICalls. I am not the author of that function - I got it from some website whose name I forget. Thanks to the author of that function. The function that replaces RegEnumValueW is given below.

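// Replacement for RegEnumValueW. The real API is declared WINAPI (stdcall),
// so the replacement has to use the same calling convention.
LONG WINAPI MyRegEnumValue(HKEY hKey,
                    DWORD dwIndex,
                    LPWSTR lpValueName,
                    LPDWORD lpcValueName,
                    LPDWORD lpReserved,
                    LPDWORD lpType,
                    LPBYTE lpData,
                    LPDWORD lpcbData)
{
   LONG ret;

   // Pointer to the original RegEnumValueW, saved by HookAPICalls
   RegEnumValueWtype oldfn=(RegEnumValueWtype)RegDLL_Hooks.Functions [0].OrigFn;

   char ss[10] = {0};

   // Call the original API first so that lpValueName is filled in
   ret=oldfn(hKey,dwIndex,lpValueName,lpcValueName,lpReserved,lpType,lpData,lpcbData);

   // The name buffer is only valid when the original call succeeded
   if (ret!=ERROR_SUCCESS || lpValueName==NULL)
      return ret;

   // Convert the name to ANSI. If it does not fit in ss the call returns 0
   // and ss is not guaranteed to be terminated, so treat that as "no match".
   if (WideCharToMultiByte(CP_ACP, 0,lpValueName,
                            -1,
                            ss,
                            sizeof(ss),
                            NULL, NULL)==0)
      return ret;

   if (strstr(ss,"hirosh")!=NULL)
      return 1;   // non-zero status: the caller sees a failure for this index
   else
      return ret;
}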

This function simply checks for the string "hirosh" in lpValueName and, if it is found, returns 1. That means the function has not completed successfully, so regedit will not display any string that contains the word "hirosh".
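Returning 1 for a matching index leaves a trace that can be checked for from inside the affected process. The following is an added example, not code from the article: it models the replacement function with a simplified signature and a constructed key (all names here are hypothetical), and shows both what a caller that stops at the first error lists and how an audit over every declared index flags the filtered one.

```c
#include <stdio.h>
#include <wchar.h>

#define ERROR_SUCCESS       0L
#define ERROR_NO_MORE_ITEMS 259L

/* Constructed sample key; VALUE_COUNT stands for the count RegQueryInfoKey reports. */
static const wchar_t *k_values[] = { L"Path", L"hirosh_run", L"Updater" };
enum { VALUE_COUNT = 3 };

typedef long (*enum_fn)(unsigned long index, wchar_t *name, size_t cch);

/* Stand-in for the original RegEnumValueW (simplified signature). */
static long real_enum(unsigned long index, wchar_t *name, size_t cch) {
    if (index >= VALUE_COUNT) return ERROR_NO_MORE_ITEMS;
    wcsncpy(name, k_values[index], cch - 1);
    name[cch - 1] = L'\0';
    return ERROR_SUCCESS;
}

/* Model of the article's replacement: call the original, return 1 on a match. */
static long hooked_enum(unsigned long index, wchar_t *name, size_t cch) {
    long ret = real_enum(index, name, cch);
    return (ret == ERROR_SUCCESS && wcsstr(name, L"hirosh")) ? 1 : ret;
}

/* A caller that stops at the first non-success status: how many values it lists. */
int listed_by_simple_caller(enum_fn fn) {
    wchar_t name[64];
    unsigned long i = 0;
    while (fn(i, name, 64) == ERROR_SUCCESS) i++;
    return (int)i;
}

/* Audit: probe every declared index; an index below the declared count that
   fails with anything other than ERROR_NO_MORE_ITEMS indicates filtering. */
int count_filtered(enum_fn fn, unsigned long declared) {
    wchar_t name[64];
    int bad = 0;
    for (unsigned long i = 0; i < declared; i++) {
        long st = fn(i, name, 64);
        if (st != ERROR_SUCCESS && st != ERROR_NO_MORE_ITEMS) bad++;
    }
    return bad;
}

int main(void) {
    printf("listed=%d filtered=%d\n", listed_by_simple_caller(hooked_enum),
           count_filtered(hooked_enum, VALUE_COUNT));
    return 0;
}
```

In this model the simple caller also loses "Updater", because it never asks for the indexes after the one that failed.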

API hooking is a powerful tool. Using it, we can also hide files and processes from the OS. However, I don't know which APIs must be hooked to achieve this. If anybody knows this, please help me.

I checked this program on Windows XP. regedit is OK, but when I run msconfig it displays an error. I don't know what the problem is, so if anybody knows, please help me. I am not experienced in API hooking, so I am just experimenting with this.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


About the Author

H. Joseph
United States


Comments and Discussions

 
General: I need help please (member rabih_saleh, 24 Apr '07 - 2:47)
Please can you convert this source to an exe and send it by mail to me: rabih_saleh@hotmail.co.uk. Another question: can I hide a registry entry? :( :( :( :( :( :( Please, I need help with this.
General: ihelp (member cgf99, 27 Mar '06 - 2:06)
I tested your code; it can inject the DLL into a running exe,
but when I run regedit.exe, the application regedit.exe crashes!
Why? Please give me the reason.
I tested it on winxp sp2 and winsk sp3; it also failed.
General: Re: ihelp (member cgf99, 27 Mar '06 - 2:14)
I built the code of testdll, but it failed with the messages:
 
Compiling...
apihijack.cpp
c:\hidereg\testdll\apihijack.cpp(158) : error C2440: '=' : cannot convert from 'unsigned long' to 'void *'
Conversion from integral type to pointer type requires reinterpret_cast, C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(196) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
This conversion requires a reinterpret_cast, a C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(203) : error C2446: '>' : no conversion from 'unsigned long *' to 'unsigned long'
This conversion requires a reinterpret_cast, a C-style cast or function-style cast
c:\hidereg\testdll\apihijack.cpp(203) : error C2040: '>' : 'unsigned long' differs in levels of indirection from 'unsigned long *'
c:\hidereg\testdll\apihijack.cpp(204) : error C2440: '=' : cannot convert from 'unsigned long *' to 'unsigned long'
This conversion requires a reinterpret_cast, a C-style cast or function-style cast
dllmain.cpp
Error executing cl.exe.
 
TestDLL.dll - 5 error(s), 0 warning(s)
 
How to solve it?
General: Windows 2003 Platform (member tocsjung, 13 Jul '05 - 23:08)
Is there any problem with using this program on the Windows 2003 platform?
I've met a lot of error messages.
What's the problem with this program?
I want to modify this bug.
Help me, please.
 
Thanks in advance!
 
csjung
General: calling callbacks (member K-ballo, 22 Aug '04 - 15:57)
Why can't the hooked function access a callback? It can't read the memory where the jmp instruction is. How to solve this problem?
Question: how to add new functions to be hooked (suss Anonymous, 28 Apr '04 - 12:51)
Okay, that was nice code, but can you tell me what the steps needed are to add a new thing to be hooked without getting any problems? Please reply as soon as possible. Thanks, thumbs up.
General: I have a question. (member tocsjung, 22 Dec '03 - 18:05)
I want to hook the IoCreateFile function now.
Can I apply this method to hook IoCreateFile?
Then, how?
 
Thanks in advance!
 
csjung
General: Re: I have a question. (member cgf99, 27 Mar '06 - 2:09)
Can I use it to hook the API CreateProcessW?
General: Only with dll (member xxcyberguruxx, 1 Oct '03 - 7:20)
Hi!
I've put the code into my application, but I don't want to use the DLL in the example...
But it looks like it doesn't work without the DLL?
cyberguru
General: Re: Only with dll (member Dr. Fred, 10 Nov '03 - 6:45)
The other apps can only access the
hooked function if it is inside of a DLL.

Last Updated 6 Dec 2001
Article Copyright 2001 by H. Joseph