Copying Bytes from Memory to char array then writing the bytes to a registry key via Driver C
NickName:Ballers Ask DateTime:2020-09-11T03:10:53

Copying Bytes from Memory to char array then writing the bytes to a registry key via Driver C

I am having an issue with my project where I am attempting to copy a structure from memory.

Copying the structure into a char array and writing the bytes in the char array to a registry key of type REG_BINARY

Here is the code so far, I am using RtlCopyMemory to achieve copying the bytes from memory:

   VOID ReadVirtualMem(ULONG32 address, PVOID buffer, SIZE_T size)
{
    PEPROCESS Process;
    if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)ProcessID, &Process)))
    {
        KAPC_STATE  apc_state;
        KeStackAttachProcess(Process, &apc_state);

        if (MmIsAddressValid((PVOID)address) && MmIsAddressValid((PVOID)(address + size)))
        {
            RtlCopyMemory(buffer, (PVOID)address, size);
        }

        KeUnstackDetachProcess(&apc_state);
    }

   
}

The above code will take in a vew parameters, address of the location I need reading from, buffer aka output the bytes need to be stored in, and the amount of bytes I want copied.

So here is how I am obtaining the bytes from memory:

struct PlayerInformation {
    float Position;
    int Points;
    float Speed;
};

 struct PlayerInformation PlayerInfo;
 ReadVirtualMem(ReadAddress, &PlayerInfo, size);

I then cast this information to a PVOID data type so I can write this to the registry key like so:

PVOID Buffer;

memcpy(&Buffer, &PlayerInfo, sizeof(struct PlayerInfo));

status = WriteToKey(L"\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", L"Bytes", REG_BINARY, Buffer, size);


    if (!NT_SUCCESS(status))
        return STATUS_UNSUCCESSFUL;

The following above code works just fine for 8 bytes only. I believe this is due to PVOID only having a size of 8 bytes.

Here is my code for writing to the registry key:

NTSTATUS WriteToKey(PWSTR registry_path, PWSTR value_name, ULONG type, PVOID data, ULONG length)
{

    UNICODE_STRING valname;
    UNICODE_STRING keyname;
    OBJECT_ATTRIBUTES attribs;
    HANDLE handle;
    NTSTATUS rc;
    ULONG result;

    RtlInitUnicodeString(&valname, registry_path);
    RtlInitUnicodeString(&keyname, value_name);

    InitializeObjectAttributes(&attribs, &valname, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    rc = ZwCreateKey(&handle, KEY_ALL_ACCESS, &attribs, 0, NULL, REG_OPTION_VOLATILE, &result);

    if (!NT_SUCCESS(rc))
        return STATUS_UNSUCCESSFUL;

    rc = ZwSetValueKey(handle, &keyname, 0, type, &data, length);

    if (!NT_SUCCESS(rc))
        STATUS_UNSUCCESSFUL;

    return STATUS_SUCCESS;
}

My question is how would I be able to take the data copied from RtlCopyMemory into a structure, turn that structure into a char array and write this data to the registry key path.

In c++ its as easy as this:

unsigned char b[sizeof(PlayerInfo)];
    std::cout << "Size of structure: " << sizeof(PlayerInfo) << "\n\n";
    memcpy(b, &PlayerInfo, sizeof(PlayerInfo));

    HKEY handle;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", 0, KEY_WRITE, &handle) == ERROR_SUCCESS)
    {
        RegSetValueEx(handle, L"Bytes", 0, REG_BINARY, (BYTE*)&b, sizeof(b));

But C has no data type for BYTE* so I am just a bit confused on how I could go on about taking this C++ function, which works perfectly, and implementing it into C code to work the exact same way as the C++ function.

If you need any other details I will be more than gladly to give you the information.

Thanks in advance!

EDIT: So I edited my function to accept the PlayerInfo struct as an argument and now all the data is read correctly.

Here is the updated code:

NTSTATUS WriteToBytes(PWSTR registry_path, PWSTR value_name, ULONG type, struct PlayerInfo data, ULONG length)
{

    UNICODE_STRING valname;
    UNICODE_STRING keyname;
    OBJECT_ATTRIBUTES attribs;
    HANDLE handle;
    NTSTATUS rc;
    ULONG result;

    RtlInitUnicodeString(&valname, registry_path);
    RtlInitUnicodeString(&keyname, value_name);

    InitializeObjectAttributes(&attribs, &valname, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    rc = ZwCreateKey(&handle, KEY_ALL_ACCESS, &attribs, 0, NULL, REG_OPTION_VOLATILE, &result);

    if (!NT_SUCCESS(rc))
        return STATUS_UNSUCCESSFUL;

    rc = ZwSetValueKey(handle, &keyname, 0, type, &data, length);

    if (!NT_SUCCESS(rc))
        STATUS_UNSUCCESSFUL;

    return STATUS_SUCCESS;
}

This works well, no errors from what I can see. does anyone know why this works? And not passing a void* to the original write key function?

Copyright Notice:Content Author:「Ballers」,Reproduced under the CC 4.0 BY-SA copyright license with a link to the original source and this disclaimer.
Link to original article:https://stackoverflow.com/questions/63836256/copying-bytes-from-memory-to-char-array-then-writing-the-bytes-to-a-registry-key

Products recommended by Amazon
More >>>
SanDisk 128GB microSDXC-Card, Licensed for Nintendo-Switch - SDSQXAO-128G-GNCZN
SanDisk 128GB microSDXC-Card, Licensed for Nintendo-Switch - SDSQXAO-128G-GNCZN
 HUANUO Dual Monitor Stand - Adjustable Spring Monitor Desk Mount Swivel Vesa Bracket with C Clamp, Grommet Mounting Base for 13 to 27 Inch Computer Screens - Each Arm Holds 4.4 to 14.3lbs
HUANUO Dual Monitor Stand - Adjustable Spring Monitor Desk Mount Swivel Vesa Bracket with C Clamp, Grommet Mounting Base for 13 to 27 Inch Computer Screens - Each Arm Holds 4.4 to 14.3lbs
 AMD Ryzen 5 5600X 6-core, 12-Thread Unlocked Desktop Processor with Wraith Stealth Cooler
AMD Ryzen 5 5600X 6-core, 12-Thread Unlocked Desktop Processor with Wraith Stealth Cooler
 Timberland Men's 6-Inch Premium Waterproof Boot
Timberland Men's 6-Inch Premium Waterproof Boot
More about “Copying Bytes from Memory to char array then writing the bytes to a registry key via Driver C” related questions
Copying Bytes from Memory to char array then writing the bytes to a registry key via Driver C

I am having an issue with my project where I am attempting to copy a structure from memory. Copying the structure into a char array and writing the bytes in the char array to a registry key of type

Show Detail
C: unsigned char * bytes array copying elements to other unsigned char * array

I think that copying elements of array like this: unsigned char *new_bytes_array = malloc(sizeof(unsigned char)*length/2); for(int i=0, j=0; i&lt;length; i++) { if(i % 2 == 0) continue;

Show Detail
difference between copying 16-bytes and 256-bytes to shared memory

I'm writing a CUDA program. The code copies pinned memory to shared memory, by pinned memory I mean memory allocated with cudaHostAlloc(., ., cudaHostAllocMapped). It takes 600us to copy 16 bytes a...

Show Detail
copying integers from char array depending on number of bytes in C

I have one character array of 8 bytes containing integer values. I need to copy the 1 byte to one integer variable, next 4 bytes to different integer variable, next 3 bytes to another integer varia...

Show Detail
Input Python 3 bytes to C char* via SWIG

Im trying to create a wrapper around SWT algorythm written on C. I found this post and code from there is perfectly working in python 2.7, but when I am trying to run it from python 3, error emerge...

Show Detail
Can't write char array to Windows Registry key

I am trying to write to the Windows Registry using the Win32 API, but for some reason when I try writing bytes to a Registry key with the REG_BINARY data type, the key value does not change. Here i...

Show Detail
C Question: why char actually occupies 4 bytes in memory?

I wrote a small program to check how many bytes char occupies in my memory and it shows char actually occupies 4 bytes in memory. I understand it's mostly because of word alignment and don't see

Show Detail
How to allocate specific number of bytes in a char array - memory management

I have a char array that I'm using as a memory pool. I already have all the bytes flagged to signify that they are free/not free. My question is how do I go about allocating 4 bytes of the array ...

Show Detail
malloc using 4 bytes for char

I am writing a code to examine how memory is managed between stack and heap. for a course work. #include&lt;stdio.h&gt; #include&lt;stdlib.h&gt; #define NUM_OF_CHARS 100 // function prototype v...

Show Detail
C: Why is this address of the char array 6 bytes?

I thought addresses are 4 bytes big, why is this address 6 bytes? Im compiling with gcc on a virtual machine with Ubuntu 20.04 and I got an x64 processor if this matters. #include &lt;stdio.h&gt;...

Show Detail