Demiurg

Reputation: 1669

Simple way to hook registry access for specific process

Is there a simple way to hook registry access of a process that my code executes? I know about SetWindowsHookEx and friends, but it's just too complex... I still have hopes that there is a way as simple as LD_PRELOAD on Unix...

Upvotes: 5

Views: 6878

Answers (3)

SetWindowsHookEx won't help at all - it provides different functionality.

Check if https://web.archive.org/web/20080212040635/http://www.codeproject.com/KB/system/RegMon.aspx helps. SysInternals' RegMon uses a kernel-mode driver, which is a very complicated way.

Update: Our company offers the CallbackRegistry product, which lets you track registry operations without hassle. And BTW, we offer free non-commercial licenses upon request (subject to approval on a case-by-case basis).

Upvotes: 0

Necrolis

Reputation: 26171

Most WinAPI calls generate symbol table entries for inter-modular calls; this makes it pretty simple to hook them: all you need to do is overwrite the IAT addresses. Using something such as MSDetours, it can be done safely in a few lines of code. MSDetours also provides the tools to inject a custom DLL into the target process so you can do the hooking.

Upvotes: 0

ManAmongHippos

Reputation: 521

Read up on the theory of DLL Injection here: http://en.wikipedia.org/wiki/DLL_injection

However, I will supply you with a DLL Injection snippet here: http://www.dreamincode.net/code/snippet407.htm

It's pretty easy to do these types of things once you're in the memory of an external application; upon injection, you might as well be a part of the process.

There's something called detouring, which I believe is what you're looking for; it simply hooks a function, and when that process calls it, it executes your own function instead. (To ensure that it doesn't crash, call the function at the end of your function.)

So if you wanted to write your own function over RegCreateKeyEx (http://msdn.microsoft.com/en-us/library/ms724844%28v=vs.85%29.aspx), it might look something like this:

    // Same signature as RegCreateKeyEx, so this can be dropped into its IAT slot
    LONG WINAPI myRegCreateKeyEx(HKEY hKey, LPCTSTR lpSubKey, DWORD Reserved, LPTSTR lpClass, DWORD dwOptions, REGSAM samDesired, LPSECURITY_ATTRIBUTES lpSecurityAttributes, PHKEY phkResult, LPDWORD lpdwDisposition)
    {
            //check for suspicious keys being made via the parameters

            // Forward to the original and return its result so the caller sees the real behaviour.
            // (With an inline JMP detour, call the saved original/trampoline here instead, or this recurses.)
            return RegCreateKeyEx(hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
    }

You can get a very well written detour library called DetourXS here: http://www.gamedeception.net/threads/10649-DetourXS

Here is his example code of how to establish a detour using it:

    #include <windows.h>
    #include <stdio.h>
    #include <detourxs.h>

    typedef DWORD (WINAPI* tGetTickCount)(void);
    tGetTickCount oGetTickCount;   // trampoline to the original GetTickCount

    DWORD WINAPI hGetTickCount(void)
    {
        printf("GetTickCount hooked!\n");
        return oGetTickCount();    // always forward to the original
    }

    // The statements below are alternatives and belong inside a function (e.g. DllMain).

    // To create the detour
    oGetTickCount = (tGetTickCount) DetourCreate("kernel32.dll", "GetTickCount", hGetTickCount, DETOUR_TYPE_JMP);

    // ...Or an address (0x00000000 is a placeholder for the real function address)
    oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP);

    // ...You can also specify the detour len
    oGetTickCount = (tGetTickCount) DetourCreate(0x00000000, hGetTickCount, DETOUR_TYPE_JMP, 5);

    // To remove the detour
    DetourRemove(oGetTickCount);

And if you can't tell, that snippet is hooking GetTickCount(), and whenever the function is called, he writes "GetTickCount hooked!" -- then he executes the function GetTickCount as it was intended.

Sorry for being so scattered with info, but I hope this helps. :) -- I realize this is an old question. --

Upvotes: 5
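The wrapper pattern in the answer above (inspect the parameters, then call the original), worked through as an added example that is not code from the answer or from DetourXS. Because the real IAT and RegCreateKeyEx are Windows-only, the import slot and the original function are modelled here as a plain function pointer and a constructed stand-in with a two-parameter signature, and the watchlist of autostart keys is an assumption.

```c
#include <stdio.h>
#include <ctype.h>

/* Constructed stand-in for the part of RegCreateKeyEx's signature the hook
 * inspects; the real API takes nine parameters, all forwarded unchanged. */
typedef long (*RegCreateKeyFn)(const char *root, const char *subkey);
/* Constructed "original" (advapi32's, in reality); returns ERROR_SUCCESS (0). */
static long realRegCreateKeyEx(const char *r, const char *s) { (void)r; (void)s; return 0; }
/* The import-table slot an IAT hook overwrites, and the saved original. */
static RegCreateKeyFn iatRegCreateKeyEx = realRegCreateKeyEx;
static RegCreateKeyFn oRegCreateKeyEx = NULL;
/* Autostart locations worth flagging (assumed watchlist, lower-case). */
static const char *watchlist[] = {
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
};
static int flagged = 0;

/* Case-insensitive prefix test: registry paths are case-insensitive. */
static int ci_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}
int is_suspicious_key(const char *subkey)
{
    for (size_t i = 0; i < sizeof watchlist / sizeof watchlist[0]; i++)
        if (ci_prefix(subkey, watchlist[i]))
            return 1;
    return 0;
}

/* The hook: inspect and log, then forward so the caller gets the real result. */
static long hRegCreateKeyEx(const char *root, const char *subkey)
{
    if (is_suspicious_key(subkey)) {
        flagged++;
        printf("registry monitor: %s\\%s\n", root, subkey);
    }
    return oRegCreateKeyEx(root, subkey);
}

/* Swapping the slot is all install/remove does; the process keeps calling through it. */
void install_hook(void) { oRegCreateKeyEx = iatRegCreateKeyEx; iatRegCreateKeyEx = hRegCreateKeyEx; }
void remove_hook(void)  { iatRegCreateKeyEx = oRegCreateKeyEx; }
long call_RegCreateKeyEx(const char *root, const char *subkey) { return iatRegCreateKeyEx(root, subkey); }
int  flagged_count(void) { return flagged; }
```

Note that the hook calls the saved pointer rather than the original by name; with an inline detour that is the difference between forwarding and recursing into itself.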
