0

I am trying to make my FASM application add itself to the system start up by adding an entry in "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

I am using the following API's:

RegOpenKeyExA

RegSetValueExA

RegCloseKey

In advapi32.dll

When my code is ran, the entry is never created. Here is my code:

format PE GUI 4.0
include "Win32A.Inc"
entry start

section ".idata" import data readable writable

        library  kernel32,      "kernel32.dll",\
                 advapi32,      "advapi32.dll"

        import   kernel32,\
                 lstrlen,       "lstrlenA",\
                 ExitProcess,   "ExitProcess"

        import   advapi32,\
                 RegOpenKeyExA, "RegOpenKeyExA",\
                 RegSetValueEx, "RegSetValueExA",\
                 RegCloseKey,   "RegCloseKey"

section ".data" data readable writeable

sKey            db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run",0
lpData          db "C:\File.txt",0
lpValueName     db "Text File"
phkresult       dd ?


section ".code" code readable executable

start:

        invoke  RegOpenKeyExA, HKEY_CURRENT_USER, sKey, 0, KEY_SET_VALUE, phkresult
        invoke  lstrlen, lpData
        invoke  RegSetValueEx, phkresult, lpValueName, 0, REG_SZ, lpData, eax
        invoke  RegCloseKey, phkresult

exit:

        invoke  ExitProcess, 0

I am not understanding as to why my entry is not being added in the registry. Any help on this issue would be greatly appreciated.

Tried using OllyDbg and coming up with this:

enter image description here

Have NO idea why I would get access denied error. RegOpenKeyExA returns ERROR_SUCCESS

Turns out it was adding itself to the startup, but not visable in RegEdit, only in MSConfig..weird..?

Josh Line
  • 625
  • 3
  • 13
  • 27

1 Answers1

1

When you invoke RegSetValueEx you pass phkresult's address, not its value

So, try something like this:

    invoke  RegOpenKeyExA, HKEY_CURRENT_USER, sKey, 0, KEY_SET_VALUE, phkresult
    invoke  lstrlen, lpData
    invoke  RegSetValueEx, [phkresult], lpValueName, 0, REG_SZ, lpData, eax
    invoke  RegCloseKey, [phkresult]
Serge
  • 6,088
  • 17
  • 27
  • That still did not solve the issue, I do appreciate the response though. I am checking if the api calls = ERROR_SUCCESS (or 0) and the RegOpenKeyExA call does, but the RegSetValueEx does not, using your code, and my previous code as well. I am unsure as to how to check the exact value of the result other than using: cmp eax,ERROR_CODE_NUMBER But there are many different error codes...so that would take a while. Is there a way I can directly display what the error code is? – Josh Line Oct 14 '12 at 03:48
  • 1
    The simplest way is to use debugger as otherwise you have to program the numeric to text conversion in some way and the output of this text. – Serge Oct 14 '12 at 03:56
  • Wait, you aren't using a debugger? Debugging is a lot easier with a debugger. – Raymond Chen Oct 14 '12 at 04:17
  • Wait, SO is NOT a debugger?! :-) – Gunner Oct 14 '12 at 05:51
  • @Serge I used OllyDbg and it is saying the last error is ERROR_ACCESS_DENIED which makes no sense at all to me. RegOpenKeyExA returns ERROR_SUCCESS and I am not access HKLM. There should be no reason for this error..? http://gyazo.com/9e188de57d89ed5d9d28da70fb95daa3.png?1350206338 – Josh Line Oct 14 '12 at 09:30