brad-sp
commented
8 years ago Should be fixed now by https://github.com/brad-accuvant/cuckoomon-modified/commit/2c7f89529f0b35d766e9e219e3c678bb0749bebb
Thanks for the report!
-Brad
Closed MerX1030 closed 8 years ago
brad-sp
commented
8 years ago Should be fixed now by https://github.com/brad-accuvant/cuckoomon-modified/commit/2c7f89529f0b35d766e9e219e3c678bb0749bebb
Thanks for the report!
-Brad
MerX1030
commented
8 years ago Thanks for the fast fix!
Hi,
I tried working on a sample calling SHCopyKeyA which subsequently calls the following APIs in a Windows XP system:
RegOpenKeyExA RegEnumKeyExA RegCreateKeyExA and so on
It logged the APIs just fine. However, when in a Windows 7 system SHCopyKeyA calls SHCopyKeyW which subsequently calls the following APIs:
RegOpenKeyExW - logged properly RegEnumKeyExW - not logged - replaced by NtEnumerateKey RegCreateKeyExW - not logged - replaced by NtCreateKey and so on
The logged NtCreateKey is actually fine since it contains almost the same information as RegCreateKeyExW. However, the logged NtEnumerateKey doesn't have the same information as RegEnumKeyExW.
Is there a way to log RegEnumKeyExW in Windows 7. If there's none, can we expand the logged information for NtEnumerateKey to resemble that of RegEnumKeyExW?