hookManager.h

The file hookManager.h was modified to define the three registry key kernel hooks:

  typedef NTSTATUS (*ZWOPENKEY)(  OUT PHANDLE KeyHandle,  IN ACCESS_MASK DesiredAccess,  IN POBJECT_ATTRIBUTES ObjectAttributes ); extern ZWOPENKEY OldZwOpenKey; NTSTATUS NewZwOpenKey(  OUT PHANDLE KeyHandle,  IN ACCESS_MASK DesiredAccess,  IN POBJECT_ATTRIBUTES ObjectAttributes ); typedef NTSTATUS (*ZWQUERYKEY)(  IN HANDLE KeyHandle,  IN KEY_INFORMATION_CLASS KeyInformationClass,  OUT PVOID KeyInformation,  IN ULONG Length,  OUT PULONG ResultLength ); extern ZWQUERYKEY OldZwQueryKey; NTSTATUS NewZwQueryKey(  IN HANDLE KeyHandle,  IN KEY_INFORMATION_CLASS KeyInformationClass,  OUT PVOID KeyInformation,  IN ULONG Length,  OUT PULONG ResultLength ); typedef NTSTATUS (*ZWENUMERATEKEY)(  IN HANDLE KeyHandle,  IN ULONG Index,  IN KEY_INFORMATION_CLASS KeyInformationClass,  OUT PVOID KeyInformation,  IN ULONG Length,  OUT PULONG ResultLength ); extern ZWENUMERATEKEY OldZwEnumerateKey; NTSTATUS NewZwEnumerateKey(  IN HANDLE KeyHandle,  IN ULONG Index,  IN KEY_INFORMATION_CLASS KeyInformationClass,  OUT PVOID KeyInformation,  IN ULONG Length,  OUT PULONG ResultLength ); 

In addition, hookManager.h was modified to define one undocumented function used to get a key name from its handle:

  NTSYSAPI NTSTATUS NTAPI ObQueryNameString(  IN PVOID  Object,  OUT POBJECT_NAME_INFORMATION  ObjectNameInfo,  IN ULONG  Length,  OUT PULONG  ReturnLength );