驱动中使用ObQueryNameString获取注册表全路径假死的问题
小弟在驱动中 HOOK 了 ZwSetValueKey 函数，用来检测对注册表关键键值的危险写入操作，并用 ObQueryNameString 函数获取注册表的全路径。不过感觉 ObQueryNameString 函数的效率非常低，获取注册表路径的速度很慢，有时候甚至导致系统假死在 ObQueryNameString 这一句上，过了几分钟至几十分钟才恢复过来。这应该不是我本机配置低的问题（i5 处理器 + 2G 内存，使用 Windbg + VBox 调试环境）。下面是我获取注册表路径的代码：
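/*
 * GetFullRegPath - resolve the full object-manager path of a registry key
 * handle (as seen by the ZwSetValueKey hook) into a caller-supplied string.
 *
 * KeyHandle : the key handle passed to the hooked ZwSetValueKey. It belongs to
 *             the caller of that service and is resolved in that caller's
 *             context.
 * pRegPath  : caller-owned UNICODE_STRING with Buffer and MaximumLength set.
 *             On STATUS_SUCCESS its Buffer/Length hold the full key path.
 *
 * Returns STATUS_SUCCESS on success; a failure status from
 * ObReferenceObjectByHandle or ObQueryNameString; STATUS_INVALID_PARAMETER
 * for a NULL/unset pRegPath; STATUS_INSUFFICIENT_RESOURCES if pool is
 * exhausted; STATUS_BUFFER_TOO_SMALL if the resolved path does not fit in
 * pRegPath. In the last case nothing is copied: the original code let
 * RtlCopyUnicodeString silently truncate, so a policy check downstream could
 * compare against a cut-off path instead of the real one.
 *
 * NOTE(review): ObQueryNameString on a key object is understood to take
 * registry synchronization internally, so calling it on every
 * ZwSetValueKey is a plausible source of the stalls described in the post
 * (confirm from the stack of a stalled thread). The supported route for a
 * registry filter is CmRegisterCallback together with
 * CmCallbackGetKeyObjectID / CmCallbackGetKeyObjectIDEx, which hands back
 * the key path without this call.
 */
#define REG_PATH_MIN_BUF  1024      /* first-try buffer; most key paths fit */
#define REG_PATH_POOL_TAG 'Reg1'

NTSTATUS GetFullRegPath(IN HANDLE KeyHandle, OUT PUNICODE_STRING pRegPath)
{
    NTSTATUS status;
    PVOID pObj = NULL;
    ULONG bufLength;
    ULONG returnedLength = 0;
    POBJECT_NAME_INFORMATION pNameInfo;

    if (pRegPath == NULL || pRegPath->Buffer == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    /*
     * Two hardening changes versus passing (NULL, KernelMode):
     *  - *CmKeyObjectType rejects handles that are not registry keys, so a
     *    file or event handle is never turned into a "registry path".
     *  - ExGetPreviousMode() resolves the handle in the requestor's own
     *    access mode; with KernelMode a user-mode caller could supply a
     *    kernel-handle-table value and have the driver act on it.
     * DesiredAccess stays 0: only the object name is needed.
     */
    status = ObReferenceObjectByHandle(KeyHandle,
                                       0,
                                       *CmKeyObjectType,
                                       ExGetPreviousMode(),
                                       &pObj,
                                       NULL);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Size the scratch buffer so that anything that fits pRegPath also fits
     * here; never go below the first-try minimum. */
    bufLength = pRegPath->MaximumLength + sizeof(OBJECT_NAME_INFORMATION);
    if (bufLength < REG_PATH_MIN_BUF) {
        bufLength = REG_PATH_MIN_BUF;
    }

    pNameInfo = ExAllocatePoolWithTag(NonPagedPool, bufLength, REG_PATH_POOL_TAG);
    if (pNameInfo == NULL) {
        ObDereferenceObject(pObj);
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    memset(pNameInfo, 0, bufLength);

    status = ObQueryNameString(pObj, pNameInfo, bufLength, &returnedLength);
    ObDereferenceObject(pObj);

    if (NT_SUCCESS(status)) {
        if (pNameInfo->Name.Length > pRegPath->MaximumLength) {
            /* Fail closed rather than hand back a truncated path. */
            status = STATUS_BUFFER_TOO_SMALL;
        } else {
            RtlCopyUnicodeString(pRegPath, &pNameInfo->Name);
        }
    }

    ExFreePoolWithTag(pNameInfo, REG_PATH_POOL_TAG);
    return status;
}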