Creates a registry key whose name contains embedded null characters.
The created registry key becomes inaccessible to standard registry editing tools.
Code snippet:
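#include <windows.h>
#include <ntdll.h>

/*
 * Demonstration: a registry key whose name carries an embedded NUL.
 *
 * The Win32 registry API (RegOpenKeyEx and friends) treats key names as
 * NUL-terminated C strings, so a name with an embedded NUL is cut short
 * before it reaches the kernel; regedit/reg.exe therefore cannot open,
 * rename or delete the key. The native API (NtCreateKey and co.) uses
 * counted UNICODE_STRINGs and sees the full name.
 *
 * Defender notes:
 *  - Detection: enumerate subkeys through the native API (NtEnumerateKey)
 *    and compare the reported name length with wcslen() of the name; a
 *    mismatch indicates an embedded NUL.
 *  - Removal: tools built on the native API (e.g. Sysinternals RegDelNull)
 *    can locate and delete such keys.
 *
 * Define HIDE_IT to include the embedded NUL in the child key's name; leave
 * it undefined to create an ordinary, fully accessible key for comparison.
 * The program deletes both keys again before it exits.
 */
#define HIDE_IT

int WINAPI iWinMain(void)
{
#ifdef _WIN64
    LPWSTR captionMsg = L"64-bit Application";
#else
    LPWSTR captionMsg = L"32-bit Application";
#endif
    /* Replaced by "Finished!" once the value has been written successfully. */
    LPWSTR finishedMsg = L"Failed!\nRun me with Admin privileges.";

    /* The explicit "\0" plus the literal's own terminator: the buffer holds
     * "Try2OpenOrRenameOrDeleteMe!" followed by two NULs. wcslen() stops at
     * the first one, so Length below is computed by hand. */
    WCHAR HiddenKeyNameBuffer[] = L"Try2OpenOrRenameOrDeleteMe!\0";
    WCHAR valueBuffer[] = L"Value";
    WCHAR dataBuffer[] = L"Data";
    UNICODE_STRING ObjectName;
    HANDLE ObjectNameHandle = NULL;   /* parent key; stays NULL if creation fails */
    HANDLE HiddenKeyHandle = NULL;    /* child key; stays NULL if creation fails */
    OBJECT_ATTRIBUTES ObjectAttributes;
    ULONG Disposition;

    /* 1. Create (or open) the parent key under HKU\.DEFAULT. */
    RtlInitUnicodeString(&ObjectName, L"\\REGISTRY\\USER\\.DEFAULT\\Targeted Key");
    InitializeObjectAttributes(&ObjectAttributes, &ObjectName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    if (NtCreateKey(&ObjectNameHandle, KEY_ALL_ACCESS, &ObjectAttributes, 0, NULL,
                    REG_OPTION_NON_VOLATILE, &Disposition) == STATUS_SUCCESS) {
        /* 2. Create the child key with a counted name relative to the parent.
         * Length is in bytes; with HIDE_IT it covers the visible characters
         * plus one embedded NUL. MaximumLength is updated as well so the
         * UNICODE_STRING stays self-consistent after the buffer swap (the
         * original left it at the value RtlInitUnicodeString set for the
         * parent path). */
        ObjectName.Buffer = HiddenKeyNameBuffer;
#ifdef HIDE_IT
        ObjectName.Length = (USHORT)((wcslen(HiddenKeyNameBuffer) + 1) * sizeof(WCHAR));
#else
        ObjectName.Length = (USHORT)(wcslen(HiddenKeyNameBuffer) * sizeof(WCHAR));
#endif
        ObjectName.MaximumLength = (USHORT)sizeof(HiddenKeyNameBuffer);
        InitializeObjectAttributes(&ObjectAttributes, &ObjectName, OBJ_CASE_INSENSITIVE,
                                   ObjectNameHandle, NULL);
        if (NtCreateKey(&HiddenKeyHandle, KEY_ALL_ACCESS, &ObjectAttributes, 0, NULL,
                        REG_OPTION_NON_VOLATILE, &Disposition) == STATUS_SUCCESS) {
            /* 3. Write one REG_SZ value so the key is not empty. The data size
             * is sizeof(dataBuffer) so the stored string carries its NUL
             * terminator, as REG_SZ consumers expect. */
            ObjectName.Buffer = valueBuffer;
            ObjectName.Length = (USHORT)(wcslen(valueBuffer) * sizeof(WCHAR));
            ObjectName.MaximumLength = (USHORT)sizeof(valueBuffer);
            if (NtSetValueKey(HiddenKeyHandle, &ObjectName, 0, REG_SZ, dataBuffer,
                              (ULONG)sizeof(dataBuffer)) == STATUS_SUCCESS) {
                MessageBoxW(NULL, L"Done...\nTry this key: [HKEY_USERS\\.DEFAULT\\Targeted Key]",
                            captionMsg, MB_ICONINFORMATION);
                finishedMsg = L"Finished!";
            }
        }
    }

    /* 4. Clean up. Only keys that were actually created are deleted — the
     * original passed an uninitialized HiddenKeyHandle to NtDeleteKey whenever
     * the first NtCreateKey failed — and every open handle is closed, since
     * NtDeleteKey removes the key but does not release the handle. */
    if (HiddenKeyHandle != NULL) {
        NtDeleteKey(HiddenKeyHandle);
        NtClose(HiddenKeyHandle);
    }
    if (ObjectNameHandle != NULL) {
        NtDeleteKey(ObjectNameHandle);
        NtClose(ObjectNameHandle);
    }

    MessageBoxW(NULL, finishedMsg, captionMsg, MB_ICONINFORMATION);
    return 0;
}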
Source:
http://www.mediafire.com/download/lfmr79316lbvdg2/ProtectedRegKey.rar