Simple Registry Operations for Malware Development, Part 2 - RegSetKeyValue
Welcome back to my mini-series on simple registry operations for malware development! If this is the first you're seeing of it, you can read the first article on creating registry keys here on Medium
Alright. So, in the last article, we talked about how to create registry keys using the RegCreateKeyExA method. This article will be a fair bit shorter, as now we're just going to be writing to the registry we just created. It's a fairly simple process, so let's hop straight into it. I'll give you the code first just below and then we'll break it down.
So, in the writeKey function, we're passing in an (open) key handle as the first argument and a constant character pointer as the value we're going to write to that key. Now, that open key handle? That's what we created in the last blog by creating or opening the key using the RegCreateKey function. It all builds on itself in layers, right? Like an onion.
In my code, I have to dynamically fetch the length of the message, because in the malware I'm writing (you can find the Wulf devlogs here on my YouTube channel) I don't have access to the standard library for strings and such. After that, it's just a simple call to RegSetKeyValue!
The inputs for the RegSetKeyValue function (I'm using the ASCII version, so RegSetKeyValueA here) are as follows:
- The open key (in the code above, I de-referenced the inputted pointer).
- The name of the specific key that we're setting. In the code above, I left this null, so it's just setting the default key in the open key location we fed it.
- A weird reserved value which is supposed to be set to NULL, because Windows is a trash operating system.
- The type of data we're setting. There are tons of them you can view in this MSDN article but the one I went with is REG_SZ, which is basically just a string value.
- A pointer to the message object, which we passed into our function.
- The length of the value being written to the registry
It's fairly self explanatory. The return value is a LONG that, if the operation was successful, will be zero.
... and honestly, that's it! I could drag this one out as long as I want but writing to the registry is pretty simple. In the next article, we're going to talk about how I'm using the registry to facilitate communication between my malware and the C2, so be on the lookout for that on my blog or on Twitter.