Hide String value from Regedit by Hooking the RegEnumValueW API

• Download source files - 25 Kb

Introduction

This Article Explains how to hide a registry string from regedit by hooking the RegEnumValueW API, In this article there is a Function that hooks APIs called

HookAPICalls

. I am not the author of that function - I got it from some website whose name I forget. Thanks to the author of that function. The function that replaces the

RegEnumValueW

is given below

.

LONG MyRegEnumValue(HKEY hKey,           
                    DWORD dwIndex,       
                    LPWSTR lpValueName,  
                    LPDWORD lpcValueName,
                    LPDWORD lpReserved,  
                    LPDWORD lpType,      
                    LPBYTE lpData,       
                    LPDWORD lpcbData)
{
   LONG ret;

   RegEnumValueWtype oldfn=(RegEnumValueWtype)RegDLL_Hooks.Functions [0].OrigFn;

   char ss[10];
   ret=oldfn(hKey,dwIndex,lpValueName,lpcValueName,lpReserved,lpType,lpData,lpcbData);
   WideCharToMultiByte(CP_ACP, 0,lpValueName,
                            -1,
                            ss,
                            10,
                            NULL, NULL);
   if (strstr(ss,"hirosh")!=NULL)
      return 1;
   else
      return ret;
}

This function simply checks the string "hirosh" from the lpValueName and if found it will return a 1. That means the the function has not completed successfully, so regedit will not display any string that contains the word "hirosh". 

API hooking is a powerful tool. To use this we can also hide files, processed from OS. However, I don't know which APIs must be hooked to achieve this. If anybody knows this please help me. 

I check this program on Windows XP. regedit is OK but when I take msconfig it displays an error. I don't know what is the problem so if anybody knows this please help me. I am not experienced in API hooking so I am just experiment with this.