写常用的注册表读取程序,查看几个我非常关心的注册表项。
病毒通常访问的注册表项如下
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
在VC++ SP6 和WINDOWS XP SP1下编译通过。
QueryKey函数用来枚举子键,QueryValue用来枚举每个子键的键值,
m_listValue是一个ListBox控件。
代码如下:
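// Enumerates the immediate subkeys of hKey and appends each subkey name to
// m_listValue (used to walk the autorun locations listed above).
// hKey: an open registry key owned by the caller; it is not closed here.
// The walk stops at ERROR_NO_MORE_ITEMS. Any other failure is reported in the
// list instead of being skipped silently; a persistent error (bad handle,
// access denied, ...) ends the walk rather than spinning on dwIndex.
// Assumes an ANSI (non-UNICODE) build: CHAR buffers are passed to the
// TCHAR-generic API, as in the original code.
void CAutoRunReaderDlg::QueryKey(HKEY hKey)
{
	CHAR achKey[MAX_PATH] = "";
	CHAR achClass[MAX_PATH] = "";
	FILETIME ftLastWriteTime;
	DWORD dwIndex = 0;
	LONG retCode;

	SetCursor(LoadCursor(NULL, IDC_WAIT));
	for (;;)
	{
		// In/out sizes must be reset before every call: RegEnumKeyEx
		// overwrites them with the lengths it actually returned.
		DWORD cchName = MAX_PATH;
		DWORD cchClass = MAX_PATH;
		retCode = RegEnumKeyEx(hKey, dwIndex, achKey, &cchName, NULL,
		                       achClass, &cchClass, &ftLastWriteTime);
		if (retCode == ERROR_NO_MORE_ITEMS)
			break;

		if (retCode == ERROR_SUCCESS)
		{
			m_listValue.AddString(achKey);
		}
		else if (retCode == ERROR_MORE_DATA)
		{
			// Name or class longer than the buffer: say so rather than
			// dropping the entry without a trace.
			m_listValue.AddString("<subkey skipped: name too long for buffer>");
		}
		else
		{
			// Invalid handle, access denied, etc.: nothing more can be read.
			CString strErr;
			strErr.Format("enumeration failed, error %ld", retCode);
			m_listValue.AddString(strErr);
			break;
		}
		dwIndex++;
	}
	SetCursor(LoadCursor(NULL, IDC_ARROW));
}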
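// Maps a registry value type to its symbolic name for display.
// REG_DWORD_LITTLE_ENDIAN is the same constant as REG_DWORD (a duplicate case
// label would not compile), and the REG_QWORD* constants are not present in
// every SDK this file targets, so they are intentionally not listed and fall
// into "Unknown type".
static CString RegTypeName(DWORD dwType)
{
	switch (dwType)
	{
	case REG_BINARY:           return "REG_BINARY";
	case REG_DWORD:            return "REG_DWORD";
	case REG_DWORD_BIG_ENDIAN: return "REG_DWORD_BIG_ENDIAN";
	case REG_EXPAND_SZ:        return "REG_EXPAND_SZ";
	case REG_LINK:             return "REG_LINK";
	case REG_MULTI_SZ:         return "REG_MULTI_SZ";
	case REG_NONE:             return "REG_NONE";
	case REG_SZ:               return "REG_SZ";
	default:                   return "Unknown type";
	}
}

// Copies at most cbMax bytes from pData as text, stopping at the first NUL.
// The registry does not guarantee that string data is NUL-terminated, so the
// length is bounded by the data size rather than by strlen().
static CString BoundedString(const BYTE* pData, DWORD cbMax)
{
	int nLen = 0;
	while ((DWORD)nLen < cbMax && pData[nLen] != '\0')
		nLen++;
	return CString((LPCSTR)pData, nLen);
}

// Renders value data for display according to its type: text for string
// types, a number for DWORD types, hex bytes for everything else.
// Never reads beyond cbData, whatever the stored bytes look like.
static CString FormatRegData(DWORD dwType, const BYTE* pData, DWORD cbData)
{
	CString strOut;
	switch (dwType)
	{
	case REG_SZ:
	case REG_EXPAND_SZ:
	case REG_LINK:
		strOut = BoundedString(pData, cbData);
		break;

	case REG_MULTI_SZ:
	{
		// Sequence of NUL-terminated strings, ended by an empty string.
		DWORD i = 0;
		while (i < cbData && pData[i] != '\0')
		{
			CString strOne = BoundedString(pData + i, cbData - i);
			if (!strOut.IsEmpty())
				strOut += "|";
			strOut += strOne;
			i += (DWORD)strOne.GetLength() + 1;
		}
		break;
	}

	case REG_DWORD:
	case REG_DWORD_BIG_ENDIAN:
		if (cbData >= 4)
		{
			// REG_DWORD is stored little-endian, REG_DWORD_BIG_ENDIAN big-endian.
			DWORD dw = (dwType == REG_DWORD)
				? ((DWORD)pData[0] | ((DWORD)pData[1] << 8) |
				   ((DWORD)pData[2] << 16) | ((DWORD)pData[3] << 24))
				: (((DWORD)pData[0] << 24) | ((DWORD)pData[1] << 16) |
				   ((DWORD)pData[2] << 8) | (DWORD)pData[3]);
			strOut.Format("0x%08lX (%lu)", dw, dw);
			break;
		}
		// Too short to be a DWORD: fall through and show the raw bytes.

	default:
	{
		CString strByte;
		for (DWORD i = 0; i < cbData; i++)
		{
			strByte.Format("%02X", (unsigned)pData[i]);
			strOut += strByte;
		}
		break;
	}
	}
	return strOut;
}

// Enumerates every value under hKey and appends "name=data,TYPENAME=type" to
// m_listValue. Data is rendered by type, so binary and DWORD values are
// readable and string data that lacks a terminator cannot be over-read by a
// "%s" conversion. Values whose data exceeds the current buffer are re-read
// with a larger buffer instead of being skipped.
// hKey: an open registry key owned by the caller; it is not closed here.
// Assumes an ANSI (non-UNICODE) build: CHAR buffers are passed to the
// TCHAR-generic API, as in the original code.
void CAutoRunReaderDlg::QueryValue(HKEY hKey)
{
	CHAR szValueName[MAX_PATH] = "";
	CByteArray abData;
	abData.SetSize(MAX_PATH);
	DWORD dwIndex = 0;
	LONG retCode;

	SetCursor(LoadCursor(NULL, IDC_WAIT));
	for (;;)
	{
		// In/out sizes must be reset before every call: RegEnumValue
		// overwrites them with the lengths it actually returned.
		DWORD cchValueName = MAX_PATH;
		DWORD cbData = (DWORD)abData.GetSize();
		DWORD dwType = REG_NONE;
		retCode = RegEnumValue(hKey, dwIndex, szValueName, &cchValueName, NULL,
		                       &dwType, abData.GetData(), &cbData);
		if (retCode == ERROR_NO_MORE_ITEMS)
			break;

		if (retCode == ERROR_SUCCESS)
		{
			CString strLine;
			strLine.Format("%s=%s,%s=%lu", szValueName,
			               (LPCTSTR)FormatRegData(dwType, abData.GetData(), cbData),
			               (LPCTSTR)RegTypeName(dwType), dwType);
			m_listValue.AddString(strLine);
		}
		else if (retCode == ERROR_MORE_DATA && cbData > (DWORD)abData.GetSize())
		{
			// Data buffer too small: cbData now holds the required size.
			// Grow and retry the same index.
			abData.SetSize((int)cbData);
			continue;
		}
		else if (retCode == ERROR_MORE_DATA)
		{
			// The data buffer was not the problem (e.g. value name longer than
			// MAX_PATH): report and move on rather than spin on this index.
			m_listValue.AddString("<value skipped: name too long for buffer>");
		}
		else
		{
			// Invalid handle, access denied, etc.: nothing more can be read.
			CString strErr;
			strErr.Format("enumeration failed, error %ld", retCode);
			m_listValue.AddString(strErr);
			break;
		}
		dwIndex++;
	}
	SetCursor(LoadCursor(NULL, IDC_ARROW));
}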