Malware Development – Registry Key Manipulation

Manipulate Windows Registry Keys

Create a Registry Key – Code

#define UNICODE
#define _UNICODE
#include <windows.h>
#include <string>

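// Render a Win32 error code as human-readable text.
//
// err: the error code to describe. The Reg* APIs return their Win32 error
//      code directly (not via GetLastError), so the caller passes that value.
// Returns the system message for `err` with the "\r\n" that FormatMessage
// appends stripped, or L"Unknown error" when the system has no text for it.
static std::wstring LastErrorMessage(DWORD err) {
    LPWSTR buf = nullptr;
    const DWORD flags = FORMAT_MESSAGE_ALLOCATE_BUFFER |
                        FORMAT_MESSAGE_FROM_SYSTEM |
                        FORMAT_MESSAGE_IGNORE_INSERTS;
    // With FORMAT_MESSAGE_ALLOCATE_BUFFER the API stores the pointer to the
    // buffer it allocates *through* lpBuffer, hence the cast of &buf.
    const DWORD len = FormatMessageW(flags, nullptr, err, 0,
                                     reinterpret_cast<LPWSTR>(&buf), 0, nullptr);
    if (len == 0 || buf == nullptr) {
        if (buf) LocalFree(buf);
        return L"Unknown error";
    }
    std::wstring msg(buf, len);
    LocalFree(buf);  // the buffer is LocalAlloc'ed by FormatMessage; we own it
    // System messages end in a line break; drop it so the text embeds cleanly
    // in a larger message (the original returned it verbatim).
    while (!msg.empty() && (msg.back() == L'\r' || msg.back() == L'\n')) {
        msg.pop_back();
    }
    return msg;
}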

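// Entry point: create the per-user key HKCU\Software\MyCompany\MyApp, or open
// it if it already exists, and report which of the two happened.
//
// Returns 0 on success, 1 when the key could not be created or opened.
// Defender note: a write under HKCU\Software needs no elevation and leaves a
// persistent, non-volatile artifact; it is visible to registry auditing and
// to Sysmon RegistryEvent logging (event IDs 12-14).
int APIENTRY wWinMain(HINSTANCE, HINSTANCE, LPWSTR, int) {
    const std::wstring subkey = L"Software\\MyCompany\\MyApp";
    HKEY hKey = nullptr;
    DWORD disposition = 0;

    const LONG rc = RegCreateKeyExW(
        HKEY_CURRENT_USER,         // root hive (user scope, no admin required)
        subkey.c_str(),            // subkey path
        0,                         // reserved
        nullptr,                   // class (optional)
        REG_OPTION_NON_VOLATILE,   // persistent: survives reboots
        KEY_READ | KEY_WRITE,      // desired access
        nullptr,                   // default security: inherits the parent's DACL
        &hKey,                     // [out] key handle
        &disposition               // [out] REG_CREATED_NEW_KEY or REG_OPENED_EXISTING_KEY
    );

    if (rc != ERROR_SUCCESS) {
        // rc already *is* the Win32 error code; no GetLastError() needed.
        const std::wstring msg =
            L"RegCreateKeyExW failed: " + LastErrorMessage(static_cast<DWORD>(rc));
        MessageBoxW(nullptr, msg.c_str(), L"Error", MB_OK | MB_ICONERROR);
        return 1;
    }

    // The handle is only needed to learn the disposition; release it before
    // blocking on the message box rather than holding it across the UI wait.
    RegCloseKey(hKey);

    // Build the report from `subkey` so the displayed path can never drift
    // from the path that was actually created (the original hard-coded both).
    const wchar_t* verb = (disposition == REG_CREATED_NEW_KEY)
        ? L"Key CREATED at HKCU\\"
        : L"Key OPENED at HKCU\\";
    const std::wstring ok = verb + subkey;
    MessageBoxW(nullptr, ok.c_str(), L"Success", MB_OK | MB_ICONINFORMATION);
    return 0;
}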

Output

Set Value – Code

#define UNICODE
#include <windows.h>

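// Entry point: open the existing key HKCU\Software\MyCompany\MyApp and store
// the REG_SZ value "AppName" = "Mosaic Fusion". The key is not created here;
// it must already exist (see the create listing).
//
// Returns 0 on success, 1 if the key could not be opened or the value not set.
int APIENTRY wWinMain(HINSTANCE, HINSTANCE, LPWSTR, int) {
    HKEY hKey = nullptr;
    const wchar_t* subkey = L"Software\\MyCompany\\MyApp";

    // Open the existing key
    LONG rc = RegOpenKeyExW(
        HKEY_CURRENT_USER,       // Root hive
        subkey,                  // Path to the key you already created
        0,                       // Reserved, must be 0
        KEY_SET_VALUE,           // Least privilege: only value writes are needed
        &hKey                    // Output handle
    );

    if (rc != ERROR_SUCCESS) {
        MessageBoxW(nullptr, L"Failed to open registry key.", L"Error", MB_OK | MB_ICONERROR);
        return 1;
    }

    // Write a string value (REG_SZ). cbData is in *bytes* and must include the
    // terminating null. Declaring the data as an array lets sizeof() supply
    // that byte count at compile time, so the length cannot drift from the
    // string the way a separate wcslen()-based computation could.
    const wchar_t valueNameText[] = L"AppName";
    const wchar_t valueDataText[] = L"Mosaic Fusion";

    rc = RegSetValueExW(
        hKey,
        valueNameText,
        0,                                            // Reserved
        REG_SZ,
        reinterpret_cast<const BYTE*>(valueDataText),
        static_cast<DWORD>(sizeof(valueDataText))     // bytes, terminator included
    );

    // The handle is not needed after the write whichever way it went, so one
    // close here replaces the duplicated RegCloseKey on every exit path.
    RegCloseKey(hKey);

    if (rc != ERROR_SUCCESS) {
        MessageBoxW(nullptr, L"Failed to set string value.", L"Error", MB_OK | MB_ICONERROR);
        return 1;
    }

    MessageBoxW(nullptr, L"Values successfully written to registry!", L"Success", MB_OK | MB_ICONINFORMATION);
    return 0;
}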

Output

Get Value – Code

#define UNICODE
#include <windows.h>

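// Entry point: open HKCU\Software\MyCompany\MyApp read-only, fetch the REG_SZ
// value "AppName" into a fixed buffer and display it.
//
// Returns 0 on success, 1 if the key cannot be opened, the value is missing or
// of the wrong type, or the value does not fit the 256-character buffer.
int APIENTRY wWinMain(HINSTANCE, HINSTANCE, LPWSTR, int) {
    HKEY hKey = nullptr;
    const wchar_t* subkey = L"Software\\MyCompany\\MyApp";

    // Open the existing key (read-only)
    LONG rc = RegOpenKeyExW(
        HKEY_CURRENT_USER,   // Root hive
        subkey,              // Path to the existing key
        0,                   // Reserved
        KEY_READ,            // Read-only access
        &hKey                // Output handle
    );

    if (rc != ERROR_SUCCESS) {
        MessageBoxW(nullptr, L"Failed to open registry key.", L"Error", MB_OK | MB_ICONERROR);
        return 1;
    }

    // Read the REG_SZ value (AppName). Zero-initialise the buffer so it is a
    // valid (empty) string even if the API writes nothing.
    wchar_t appName[256] = {};
    DWORD sizeAppName = sizeof(appName);   // in: bytes available; out: bytes stored

    rc = RegGetValueW(
        hKey,
        nullptr,            // No subkey, the value lives directly under hKey
        L"AppName",         // Value name
        RRF_RT_REG_SZ,      // Reject any type other than REG_SZ (note: a
                            // REG_EXPAND_SZ value may be expanded and returned
                            // as REG_SZ unless RRF_NOEXPAND is also passed)
        nullptr,            // Actual type not needed; we restricted it above
        appName,
        &sizeAppName
    );

    // The handle is not needed past this point on any path.
    RegCloseKey(hKey);

    // A value longer than the buffer is a distinct condition from "not there";
    // the original reported both as a generic read failure.
    if (rc == ERROR_MORE_DATA) {
        MessageBoxW(nullptr, L"AppName value is too long for the buffer.", L"Error", MB_OK | MB_ICONERROR);
        return 1;
    }
    if (rc != ERROR_SUCCESS) {
        MessageBoxW(nullptr, L"Failed to read AppName value.", L"Error", MB_OK | MB_ICONERROR);
        return 1;
    }

    // RegGetValueW is documented to null-terminate REG_SZ data it returns; the
    // zero-init above is belt-and-braces for the display below.
    MessageBoxW(nullptr, appName, L"AppName Value", MB_OK | MB_ICONINFORMATION);
    return 0;
}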

Output

Delete and Close Registry Key – Code

#define UNICODE
#include <windows.h>

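// Entry point: delete HKCU\Software\MyCompany\MyApp together with every
// subkey and value beneath it, and report the outcome.
//
// RegDeleteTreeW addresses the target by (root, path) and opens it itself, so
// no handle has to be opened beforehand. The original open-then-delete
// sequence held an extra handle on the very key being removed and made its
// ERROR_FILE_NOT_FOUND branch unreachable (a missing key already failed at
// RegOpenKeyExW with a different message).
//
// Returns 0 when the key was deleted or was already absent, 1 on any other
// failure (consistent with the other listings on this page).
int APIENTRY wWinMain(HINSTANCE, HINSTANCE, LPWSTR, int) {
    const wchar_t* subkey = L"Software\\MyCompany\\MyApp";

    // Delete the key and its entire subtree. DELETE access is needed on the
    // keys; under HKCU the owning user normally has it.
    const LONG rc = RegDeleteTreeW(HKEY_CURRENT_USER, subkey);

    switch (rc) {
    case ERROR_SUCCESS:
        MessageBoxW(nullptr, L"Registry key deleted successfully!", L"Success", MB_OK | MB_ICONINFORMATION);
        return 0;
    case ERROR_FILE_NOT_FOUND:
        // Nothing to remove: treat "already gone" as a non-error outcome.
        MessageBoxW(nullptr, L"Registry key not found.", L"Info", MB_OK | MB_ICONWARNING);
        return 0;
    default:
        MessageBoxW(nullptr, L"Failed to delete registry key.", L"Error", MB_OK | MB_ICONERROR);
        return 1;
    }
}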

Output