SharpHide
How do you get the value?
I have tried the valueNameTrick both with and without the leading null characters. The query consistently returns ERROR_FILE_NOT_FOUND, 2 (0x2): "The system cannot find the file specified."
`
/// <summary>
/// Attempts to read a registry value under HKEY_CURRENT_USER whose name is
/// <paramref name="valueName"/> prefixed with two NUL characters, and to return
/// its data as a <c>string</c> or a <c>byte[]</c>.
/// </summary>
/// <typeparam name="T">Requested result type; only <c>string</c> and <c>byte[]</c> are handled.</typeparam>
/// <param name="registryPath">Key path; a leading <c>HKEY_CURRENT_USER\</c> is passed through RemoveStartIfMatches (helper not shown here).</param>
/// <param name="valueName">Value name without the NUL prefix.</param>
/// <returns>The value data, or <c>default(T)</c> when the query does not succeed or T is unsupported.</returns>
public static T GetHiddenKeyValue<T>(string registryPath, string valueName)
{
    UIntPtr regKeyHandle = UIntPtr.Zero;
    // The stored name starts with two U+0000 characters, so it can only be
    // expressed as a counted string, never as a NUL-terminated one.
    string valueNameTrick = "\0\0" + valueName;
    // IsSystem is computed but never read in this method.
    bool IsSystem;
    using (var identity = System.Security.Principal.WindowsIdentity.GetCurrent())
    {
        IsSystem = identity.IsSystem;
    }
    registryPath = registryPath.RemoveStartIfMatches(@"HKEY_CURRENT_USER\");
    uint Status = 0xc0000000;
    uint STATUS_SUCCESS = 0x00000000;
    uint ERROR_MORE_DATA = 0xEA;
    // NOTE(review): with a string second argument this call may bind to the
    // Debug.WriteLine(message, category) overload rather than the format
    // overload, leaving "{0}" unexpanded - confirm the output.
    Debug.WriteLine("\n[+] SharpHide running as normal user:\r\n Using HKCU\\{0}", registryPath);
    // The open result is stored in Status but not checked; it is overwritten
    // by the first query below, so a failed open goes unnoticed here.
    Status = RegOpenKeyEx(HKEY_CURRENT_USER, registryPath, 0, KEY_QUERY_VALUE, out regKeyHandle);
    // Length is the name size in bytes (two bytes per UTF-16 code unit),
    // which keeps the leading NULs inside the counted range.
    // NOTE(review): MaximumLength is forced to 0 although Length is non-zero - confirm this is intended.
    UNICODE_STRING ValueName = new UNICODE_STRING(valueNameTrick)
    {
        Length = (ushort)(2 * valueNameTrick.Length),
        MaximumLength = 0
    };
    // ValueNamePtr is not released anywhere in this method.
    IntPtr ValueNamePtr = StructureToPtr(ValueName);
    UNICODE_STRING ValueData;
    uint lpType = 0;
    IntPtr lpData = IntPtr.Zero;
    int lpcbData = 0;
    ValueData = new UNICODE_STRING();
    // NOTE(review): if RegQueryValueEx is the advapi32 import, its value-name
    // argument is a NUL-terminated string, not a pointer to a UNICODE_STRING.
    // A name that begins with U+0000 cannot be addressed that way, which is
    // consistent with the ERROR_FILE_NOT_FOUND reported above. The value is
    // written with NtSetValueKey, so reading it back presumably needs the
    // native counterpart that accepts a counted name (NtQueryValueKey); its
    // declaration is not shown on this page.
    Status = RegQueryValueEx(regKeyHandle, ValueNamePtr, 0, out lpType, out lpData, ref lpcbData);
    // Only ERROR_MORE_DATA enters the read path; any other status, including
    // success on the first call, falls through to the failure message.
    if (Status.Equals(ERROR_MORE_DATA))
    {
        lpData = Marshal.AllocCoTaskMem(lpcbData);
        // NOTE(review): lpData is passed as `out`, so the buffer allocated on
        // the previous line may not be what the callee receives and may be
        // overwritten and leaked - confirm against the P/Invoke signature.
        Status = RegQueryValueEx(regKeyHandle, ValueNamePtr, 0, out lpType, out lpData, ref lpcbData);
        if (Status.Equals(STATUS_SUCCESS))
        {
            ValueData = PtrToStructure<UNICODE_STRING>(lpData);
            Debug.WriteLine("[+] Key value retrieved created.");
            // NOTE(review): lpData is freed before ValueData is read; if
            // ValueData.buffer points into that block it dangles - verify.
            Marshal.FreeCoTaskMem(lpData);
            // Every return in this branch exits without reaching RegCloseKey
            // below, so the key handle stays open on the success path.
            if (typeof(T) == typeof(string))
            {
                return (T)(object)ValueData.ToString();
            }
            else if (typeof(T) == typeof(byte[]))
            {
                return (T)(object)ValueData.buffer;
            }
            else
            {
                // Unsupported T: break into the debugger, then return the default.
                DebugUtils.Break();
                return default(T);
            }
        }
    }
    else
    {
        // The message text says "create" although this method only reads.
        Debug.WriteLine("[!] Failed to create registry key.");
    }
    RegCloseKey(regKeyHandle);
    return default(T);
}
`
Code for saving value:
`
/// <summary>
/// Writes <paramref name="keyValue"/> under HKEY_CURRENT_USER as a value whose
/// name is <paramref name="valueName"/> prefixed with two NUL characters,
/// using NtSetValueKey with a counted name.
/// </summary>
/// <param name="registryPath">Key path; a leading <c>HKEY_CURRENT_USER\</c> is passed through RemoveStartIfMatches (helper not shown here).</param>
/// <param name="valueName">Value name without the NUL prefix.</param>
/// <param name="keyValue">Raw bytes to store as the value data.</param>
/// <remarks>
/// For defenders: a value name that begins with U+0000 cannot be addressed
/// through NUL-terminated registry APIs, so tools built on them may not
/// display or read it. Enumerating values through the native API
/// (for example NtEnumerateValueKey) exposes such names, and a value name
/// that starts with a NUL character is an anomaly worth alerting on.
/// </remarks>
public static void MakeHiddenKey(string registryPath, string valueName, byte[] keyValue)
{
    UIntPtr regKeyHandle = UIntPtr.Zero;
    string valueNameTrick = "\0\0" + valueName;
    // IsSystem is computed but never read in this method; the log line below
    // always reports "normal user" and always targets HKCU.
    bool IsSystem;
    using (var identity = System.Security.Principal.WindowsIdentity.GetCurrent())
    {
        IsSystem = identity.IsSystem;
    }
    registryPath = registryPath.RemoveStartIfMatches(@"HKEY_CURRENT_USER\");
    uint Status = 0xc0000000;
    uint STATUS_SUCCESS = 0x00000000;
    Debug.WriteLine("\n[+] SharpHide running as normal user:\r\n Using HKCU\\{0}", registryPath);
    // The open result is not checked; if the open fails, the write below is
    // attempted with whatever handle value was returned.
    Status = RegOpenKeyEx(HKEY_CURRENT_USER, registryPath, 0, KEY_SET_VALUE, out regKeyHandle);
    // Length is the name size in bytes (two bytes per UTF-16 code unit),
    // so the leading NULs are part of the counted name.
    // NOTE(review): MaximumLength is forced to 0 although Length is non-zero - confirm this is intended.
    UNICODE_STRING ValueName = new UNICODE_STRING(valueNameTrick)
    {
        Length = (ushort)(2 * valueNameTrick.Length),
        MaximumLength = 0
    };
    // ValueNamePtr is not released anywhere in this method.
    IntPtr ValueNamePtr = StructureToPtr(ValueName);
    UNICODE_STRING ValueData;
    ValueData = new UNICODE_STRING(keyValue);
    // The data is written with type REG_SZ even though the payload is a byte
    // array, and ValueData.MaximumLength is used as the data size.
    // NOTE(review): confirm REG_SZ is intended for binary payloads.
    Status = NtSetValueKey(regKeyHandle, ValueNamePtr, 0, RegistryKeyType.REG_SZ, ValueData.buffer, ValueData.MaximumLength);
    if (Status.Equals(STATUS_SUCCESS))
    {
        Debug.WriteLine("[+] Key successfully created.");
    }
    else
    {
        Debug.WriteLine("[!] Failed to create registry key.");
    }
    RegCloseKey(regKeyHandle);
}
/// <summary>
/// Writes <paramref name="keyValue"/>, wrapped in double quotes, under
/// HKEY_CURRENT_USER as a REG_SZ value whose name is
/// <paramref name="valueName"/> prefixed with two NUL characters.
/// </summary>
/// <param name="registryPath">Key path, passed to RegOpenKeyEx unchanged.</param>
/// <param name="valueName">Value name without the NUL prefix.</param>
/// <param name="keyValue">Text to store; double quotes are added around it.</param>
public static void MakeHiddenKey(string registryPath, string valueName, string keyValue)
{
    UIntPtr regKeyHandle = UIntPtr.Zero;
    string valueNameTrick = "\0\0" + valueName;
    // IsSystem is computed but never read in this method.
    bool IsSystem;
    using (var identity = System.Security.Principal.WindowsIdentity.GetCurrent())
    {
        IsSystem = identity.IsSystem;
    }
    // Unlike the byte[] overload, this overload does not strip a leading
    // "HKEY_CURRENT_USER\" from registryPath before opening the key.
    uint Status = 0xc0000000;
    uint STATUS_SUCCESS = 0x00000000;
    Debug.WriteLine("\n[+] SharpHide running as normal user:\r\n Using HKCU\\{0}", registryPath);
    // The open result is not checked before the handle is used.
    Status = RegOpenKeyEx(HKEY_CURRENT_USER, registryPath, 0, KEY_SET_VALUE, out regKeyHandle);
    // NOTE(review): Length is hard-coded to 22 bytes (11 UTF-16 code units),
    // which matches only a 9-character valueName plus the two leading NULs.
    // The byte[] overload derives it from valueNameTrick.Length; for any other
    // name length the counted name here is truncated or extends past the
    // string, so the stored name will not match what a reader computes.
    UNICODE_STRING ValueName = new UNICODE_STRING(valueNameTrick)
    {
        Length = 2 * 11,
        MaximumLength = 0
    };
    // ValueNamePtr is not released anywhere in this method.
    IntPtr ValueNamePtr = StructureToPtr(ValueName);
    UNICODE_STRING ValueData;
    // The stored text is the caller's value surrounded by literal double quotes.
    ValueData = new UNICODE_STRING("\"" + keyValue + "\"");
    // ValueData.MaximumLength is used as the data size for the write.
    Status = NtSetValueKey(regKeyHandle, ValueNamePtr, 0, RegistryKeyType.REG_SZ, ValueData.buffer, ValueData.MaximumLength);
    if (Status.Equals(STATUS_SUCCESS))
    {
        Debug.WriteLine("[+] Key successfully created.");
    }
    else
    {
        Debug.WriteLine("[!] Failed to create registry key.");
    }
    RegCloseKey(regKeyHandle);
}
`