
Hide String value from Regedit by Hooking the RegEnumValueW API

5 Dec 2001
This article shows how to hide a string value from Regedit.

Introduction

This article explains how to hide a registry string value from regedit by hooking the RegEnumValueW API. The hooks are installed by a function called HookAPICalls. I am not the author of that function - I got it from some website whose name I forget. Thanks to the author of that function. The function that replaces RegEnumValueW is given below.

#include <windows.h>
#include <string.h>

/* RegEnumValueWtype and RegDLL_Hooks come from the HookAPICalls helper the
   article borrows; they are not shown on this page.
   RegEnumValueW is a stdcall API, so the replacement must be WINAPI as well. */
LONG WINAPI MyRegEnumValue(HKEY hKey,
                           DWORD dwIndex,
                           LPWSTR lpValueName,
                           LPDWORD lpcValueName,
                           LPDWORD lpReserved,
                           LPDWORD lpType,
                           LPBYTE lpData,
                           LPDWORD lpcbData)
{
   LONG ret;

   /* Pointer to the original RegEnumValueW saved by the hooking code */
   RegEnumValueWtype oldfn = (RegEnumValueWtype)RegDLL_Hooks.Functions[0].OrigFn;

   ret = oldfn(hKey, dwIndex, lpValueName, lpcValueName, lpReserved, lpType, lpData, lpcbData);

   /* Only inspect the name when the real call succeeded, otherwise lpValueName
      may hold nothing useful. Search the wide string directly: the original
      copied it into a fixed 10-byte ANSI buffer, which truncated (and could
      leave unterminated) any value name longer than that. */
   if (ret == ERROR_SUCCESS && lpValueName != NULL &&
       wcsstr(lpValueName, L"hirosh") != NULL)
      return 1;   /* ERROR_INVALID_FUNCTION: the caller sees a failure for this index.
                     A caller that loops until a non-success code stops here. */

   return ret;
}

This function simply checks whether lpValueName contains the string "hirosh"; if it does, it returns 1. A non-zero return means the call did not complete successfully, so regedit will not display any value whose name contains the word "hirosh".
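Two defender-side checks for a hook of this kind, added here as an example (this is not code from the article or its download). The key path 'HKCU:\Software\Example' and the process name 'regedit' are placeholders; the cross-view check only notices a hook that is loaded into the PowerShell process doing the enumeration, which is why the second function looks at what regedit itself has loaded.

```powershell
# 1) Cross-view check of one key. RegistryKey.ValueCount is read through
#    RegQueryInfoKey, while RegistryKey.GetValueNames() walks RegEnumValueW.
#    A hook that returns an error for a chosen index makes the walk stop
#    (or .NET throw), so the two views disagree for that key.
function Test-RegistryValueEnumeration {
    param([Parameter(Mandatory)][string]$KeyPath)   # placeholder path below

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    $reported   = $key.ValueCount        # RegQueryInfoKey view
    $enumerated = @()
    $enumError  = $null
    try   { $enumerated = @($key.GetValueNames()) }   # RegEnumValueW view
    catch { $enumError = $_.Exception.Message }

    [pscustomobject]@{
        KeyPath         = $KeyPath
        ReportedCount   = $reported
        EnumeratedCount = $enumerated.Count
        EnumError       = $enumError
        Consistent      = ($null -eq $enumError -and $reported -eq $enumerated.Count)
    }
}

# 2) The article's hook is a DLL injected into regedit.exe, so list any module
#    regedit has loaded from outside the Windows directory.
function Get-UnexpectedProcessModules {
    param([string]$ProcessName = 'regedit')   # assumed target process name

    Get-Process -Name $ProcessName -ErrorAction Stop |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
        Select-Object ModuleName, FileName
}

# Example run (the key path is a constructed placeholder):
Test-RegistryValueEnumeration -KeyPath 'HKCU:\Software\Example' | Format-List
Get-UnexpectedProcessModules
```

A key whose Consistent field is $false, or an unexpected non-system module in regedit, is worth a closer look; both checks must run with enough rights to read the key and the target process.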

API hooking is a powerful tool. With it we can also hide files and processes from the OS. However, I don't know which APIs must be hooked to achieve this. If anybody knows, please help me.

I checked this program on Windows XP. regedit is OK, but when I run msconfig it displays an error. I don't know what the problem is, so if anybody knows, please help me. I am not experienced in API hooking, so I am just experimenting with this.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.


Comments and Discussions

 
Question: regedit not work (software.m13-Aug-13 21:05)
General: I need help please (rabih_saleh24-Apr-07 2:47)
General: ihelp (cgf9927-Mar-06 2:06)
General: Re: ihelp (cgf9927-Mar-06 2:14)
General: Windows 2003 Platform (tocsjung13-Jul-05 23:08)
General: calling callbacks (K-ballo22-Aug-04 15:57)
Question: how to add new functions to be hooked (Anonymous28-Apr-04 12:51)
General: I have a question. (tocsjung22-Dec-03 18:05)
General: Re: I have a question. (cgf9927-Mar-06 2:09)
General: Only with dll (xxcyberguruxx1-Oct-03 7:20)
General: Re: Only with dll (Member 69079210-Nov-03 6:45)
General: Freeing this dll (rohit.dhamija22-Sep-03 23:53)
General: Solution to the msconfig problem (Tim Kosse8-Dec-01 9:30)
General: Re: Solution to the msconfig problem (suss9-Dec-01 4:25)
General: Re: Solution to the msconfig problem (suss24-Dec-01 15:04)
General: Re: Solution to the msconfig problem (Anonymous28-May-03 23:03)
General: Re: Security issue (suss10-Dec-01 21:07)
...yeah, like hooking (psapi.dll) EnumProcessModules (to hide a dll) and EnumProcesses to hide a trojan. Nice idea for a Back Orifice 2000 add-in ;)
An even better idea would be to hook some more APIs (CreateFile, FindFirst, FindNext, CreateProcess (to spawn the dll as soon as a program starts), ...) so the trojan would be hidden even on disk. Maybe even stick it into NTFS streams (try to create a program with the name "bla.txt:stream1"). With some dll injection and process rights elevation, you can actually insert a remote thread into services, system processes (winlogon.exe; hmm, what would I do there... what are those 2 *cool* edit boxes ;) ) etc., so quite reasonable stealth could be achieved. Actually the program wouldn't be *that* huge at all and there ain't that many APIs to hook.

Let's see when I can finish that (ADO with bugs, databases with "too many" tables, annoying customers waiting for a new update, working till night, ...)
hehe, guess that program won't see the light *ever*, so don't bother (I hardly believe that some teenager is able to code that).
General: Re: Security issue (Tim Kosse10-Dec-01 21:26)
General: Re: Security issue (suss11-Dec-01 21:27)
General: Re: Security issue (suss24-Dec-01 3:50)
General: Re: Security issue (suss24-Dec-01 14:58)
