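I would like to know how the KeyInformation parameter should be passed to NtEnumerateKey(). When I run the following code, NtEnumerateKey() returns NTSTATUS = 0xC000000D with the error message "An invalid parameter was passed to a service or function".

I am using Windows 7. Although the code below is in Delphi, you can also answer my question in C. My question is not specific to a programming language.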

type
  KEY_NAME_INFORMATION = record
    NameLength: ULONG;
    Name: array[0..254] of WCHAR;
  end;
  PKEY_NAME_INFORMATION = ^KEY_NAME_INFORMATION;

var
  iNtStatus: LONG;
  hKeyResult: THandle;
  KeyNameInfo: KEY_NAME_INFORMATION;
  iResultLen: ULONG;

iNtStatus := NtOpenKey(@hKeyResult, (KEY_ENUMERATE_SUB_KEYS) and not
    SYNCHRONIZE, @rObjAttrs);
if hKeyResult = 0 then Exit;

iNtStatus := NtEnumerateKey(hKeyResult,
    0,
    KeyNameInformation,
    @KeyNameInfo,                 // I'm asking about this parameter,
    SizeOf(KEY_NAME_INFORMATION), // and also this parameter
    @iResultLen);

Update: something strange

If I pass KeyBasicInformation instead of KeyNameInformation, NtEnumerateKey() returns STATUS_SUCCESS. Doesn't NtEnumerateKey() support KeyNameInformation?

type
  KEY_BASIC_INFORMATION = record
    LastWriteTime: LARGE_INTEGER;
    TitleIndex: ULONG;
    NameLength: ULONG;
    Name: array[0..254] of WCHAR;
  end;
  PKEY_BASIC_INFORMATION = ^KEY_BASIC_INFORMATION;

var
  KeyBasicInfo: KEY_BASIC_INFORMATION;

iNtStatus := NtEnumerateKey(hKeyResult,
    0,
    KeyBasicInformation,           // Note this!
    @KeyBasicInfo,                 // Note this!
    SizeOf(KEY_BASIC_INFORMATION), // Note this!
    @iResultLen);
1 Answer

If you look at the documentation for Zw (Nt for usermode) EnumerateKey, you will see

NTSTATUS ZwEnumerateKey(
  _In_       HANDLE KeyHandle,
  _In_       ULONG Index,
  _In_       KEY_INFORMATION_CLASS KeyInformationClass,
  _Out_opt_  PVOID KeyInformation,
  _In_       ULONG Length,
  _Out_      PULONG ResultLength
);

Then if you look down at KeyInformationClass you will see

KeyInformationClass [in]
Specifies a KEY_INFORMATION_CLASS enumeration value that determines the type of information to be received by the KeyInformation buffer. Set KeyInformationClass to one of the following values:
KeyBasicInformation
KeyFullInformation
KeyNodeInformation
If any value not in this list is specified, the routine returns error code STATUS_INVALID_PARAMETER.

You need to use one of those 3

answered 2012-10-06T07:01:56.100
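
An added example, not part of the question or the answer above: portable C (no Windows headers) that applies the documented class restriction and then reads the subkey name out of a KEY_BASIC_INFORMATION buffer with bounds checks, since NameLength is a byte count and Name is not NUL-terminated. `KBI_HEADER`, `enum_class_supported`, `kbi_copy_name` and `SAMPLE` are hypothetical names, the sample buffer is constructed, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* KEY_INFORMATION_CLASS values relevant to this page. */
enum { KeyBasicInformation = 0, KeyNodeInformation = 1,
       KeyFullInformation = 2, KeyNameInformation = 3 };

/* Fixed part of KEY_BASIC_INFORMATION; Name[] follows it in the buffer. */
typedef struct {
    int64_t  LastWriteTime;
    uint32_t TitleIndex;
    uint32_t NameLength;   /* length of Name in BYTES, no terminating NUL */
} KBI_HEADER;

/* Constructed sample: a returned buffer for a subkey named "Test". */
static const uint8_t SAMPLE[24] = {
    0,0,0,0,0,0,0,0,  0,0,0,0,  8,0,0,0,   /* time, TitleIndex, NameLength=8 */
    'T',0,'e',0,'s',0,'t',0 };             /* UTF-16LE name, unterminated */

/* The rule quoted in the answer: only these three classes are accepted. */
int enum_class_supported(int cls) {
    return cls == KeyBasicInformation || cls == KeyNodeInformation ||
           cls == KeyFullInformation;
}

/* Copy the name out of a returned buffer as NUL-terminated UTF-16.
   result_len is the byte count reported through ResultLength.
   Returns the character count, or -1 if the buffer is inconsistent
   or dst (dst_chars elements) is too small. */
int kbi_copy_name(const uint8_t *buf, size_t result_len,
                  uint16_t *dst, size_t dst_chars) {
    KBI_HEADER h;
    if (result_len < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);                 /* avoids unaligned reads */
    if (h.NameLength % 2 != 0) return -1;      /* must be whole WCHARs */
    if (h.NameLength > result_len - sizeof h) return -1;
    size_t n = h.NameLength / 2;
    if (n + 1 > dst_chars) return -1;          /* room for the NUL we add */
    memcpy(dst, buf + sizeof h, h.NameLength);
    dst[n] = 0;
    return (int)n;
}
```
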