Merge pull request #54 from mrexodia/registry

Initial registry support (`ZwOpenKey` and `ZwQueryValueKey`)

Author: mrexodia

src/dumpulator/dumpulator.py

@@ -292,7 +292,9 @@ def __init__(self, minidump_file, *, trace=False, quiet=False, thread_id=None, d
         self.syscalls = []
         self._setup_syscalls()
         self._setup_emulator(thread)
+        self.handles = HandleManager()
         self._setup_handles()
+        self._setup_registry()
         self.kill_me = None
         self.exit_code = None
         self.exports = self._all_exports()
@@ -519,9 +521,19 @@ def _setup_pebteb(self, thread):
         self.memory.set_region_info(default_activation_context_data, "Default activation context data")
         self.memory.set_region_info(leap_second_data, "Leap second data")
 
-    def _setup_handles(self):
-        self.handles = HandleManager()
+    def _setup_registry(self):
+        self.handles.create_key(r"\Registry\Machine\System\CurrentControlSet\Control\Nls\Sorting\Versions", {
+            "": "00060305",
+            "000601xx": "SortWindows61.dll",
+            "000602xx": "SortWindows62.dll",
+            "000603xx": "kernel32.dll",
+            "FF0000xx": "SortServer2003Compat.dll",
+            "FF0406xx": "SortWindows6Compat.dll",
+            "FF0502xx": "SortWindows6Compat.dll",
+            "000604xx": "SortWindows64.dll",
+        })
 
+    def _setup_handles(self):
         import dumpulator.ntdevices as ntdevices
         self.console = ntdevices.ConsoleDeviceObject(R"\Device\ConDrv")
         self.stdin = ConsoleFileObject(ConsoleType.In)

src/dumpulator/native.py

@@ -81,6 +81,22 @@
 IMAGE_SCN_MEM_READ = 0x40000000
 IMAGE_SCN_MEM_WRITE = 0x80000000
 
+# Registry value types
+REG_NONE = 0  # No value type
+REG_SZ = 1  # Unicode nul terminated string
+REG_EXPAND_SZ = 2  # Unicode nul terminated string (with environment variable references)
+REG_BINARY = 3  # Free form binary
+REG_DWORD = 4  # 32-bit number
+REG_DWORD_LITTLE_ENDIAN = 4  # 32-bit number (same as REG_DWORD)
+REG_DWORD_BIG_ENDIAN = 5  # 32-bit number
+REG_LINK = 6  # Symbolic Link (unicode)
+REG_MULTI_SZ = 7  # Multiple Unicode strings
+REG_RESOURCE_LIST = 8  # Resource list in the resource map
+REG_FULL_RESOURCE_DESCRIPTOR = 9  # Resource list in the hardware description
+REG_RESOURCE_REQUIREMENTS_LIST = 10  # Resource requirements list
+REG_QWORD = 11  # 64-bit number
+REG_QWORD_LITTLE_ENDIAN = 11  # 64-bit number (same as REG_QWORD)
+
 def round_to_pages(size):
     return (size + 0xFFF) & 0xFFFFFFFFFFFFF000
 
@@ -561,3 +577,12 @@ def __init__(self, ptr, mem_read):
             super().__init__(ptr, mem_read)
             self.type = t
     return P
+
+class KEY_VALUE_FULL_INFORMATION(ctypes.Structure):
+    _fields_ = [
+        ("TitleIndex", ctypes.c_uint32),
+        ("Type", ctypes.c_uint32),
+        ("DataOffset", ctypes.c_uint32),
+        ("DataLength", ctypes.c_uint32),
+        ("NameLength", ctypes.c_uint32),
+    ]

src/dumpulator/ntsyscalls.py

@@ -3280,6 +3280,49 @@ def ZwQueryValueKey(dp: Dumpulator,
                     Length: Annotated[ULONG, SAL("_In_")],
                     ResultLength: Annotated[P(ULONG), SAL("_Out_")]
                     ):
+    key = dp.handles.get(KeyHandle, RegistryKeyObject)
+    name = ValueName[0].read_str()
+    if KeyValueInformationClass == KEY_VALUE_INFORMATION_CLASS.KeyValueFullInformation:
+        value = key.values.get(name.lower(), None)
+        assert value is not None, "value not found"
+        info = KEY_VALUE_FULL_INFORMATION()
+        info.TitleIndex = 0
+
+        if len(name) == 0:
+            info.NameLength = 0
+            appended_data = b""
+        else:
+            name_data = name.encode("utf-16-le")
+            info.NameLength = len(name_data)
+            appended_data = name_data
+
+        # Align to 4 bytes
+        remain = 4 - len(appended_data) % 4
+        if remain > 0:
+            appended_data += b"\0" * remain
+            assert (len(appended_data) % 4) == 0
+
+        if isinstance(value, str):
+            info.Type = REG_SZ
+            value_data = value.encode("utf-16-le") + b"\0\0"
+        elif isinstance(value, int):
+            info.Type = REG_DWORD
+            value_data = struct.pack("<I", value)
+        else:
+            raise NotImplementedError()
+
+        info.DataLength = len(value_data)
+        info.DataOffset = ctypes.sizeof(info) + len(appended_data)
+        appended_data += value_data
+
+        final_data = bytes(info) + appended_data
+        assert len(final_data) <= Length
+        if ResultLength != 0:
+            dp.write_ulong(ResultLength, len(final_data))
+        KeyValueInformation.write(final_data)
+
+        return STATUS_SUCCESS
+
     raise NotImplementedError()
 
 @syscall