Hook Windows Registry, generally hook windows prg calls

a little questions. How can i hook a registry call from an exe in windows? Or the hole callings from an exe in windows (Enviroment Variables, Registry ADD/DEL/* and so on ...).

I want to change this hooks from any exe in windows, to my own needs.


I know the redhook crate is designed for exactly this use case (intercepting calls to existing C functions), but I don't know if it works on Windows.

EDIT: Looks like Windows already provides a mechanism for this. See this StackOverflow question or Intercepting WinAPI calls.

1 Like

@Michael-F-Bryan thx for your answer. I think redhook can i not use he has no win32api crate dependencys. I was hopening that it gives a crate like Microsoft Research Detours Package.

I wanto to code a prgs as an example that works in the background and when a exe starts it log all registry operations.

At the moment i want to use other programs like sysinternal to fetch enviroment-var and registry calls, but i need the possibility to make an temporary registry call.

I call an exe from an rust code and the exe call to the registry will be only delivered from my rust code, so that the original windows registry don't will be touch.

Have you seen this StackOverflow answer?

While the solution from Joshua will work for this particular application, it might not work for others (f.e. where the registry path is constructed in code or when the application is signed).

Therefore, I would suggest using DLL injection and intercept calls to RegOpenKey(Ex) , RegCreateKey(Ex) , etc. That way, you can fiddle with the registry path before passing the call down to the real Windows Advapi32.dll .

Some great articles about API hooking:

API Hooking and DLL Injection on Windows

API Hooking with MS Detours

1 Like

Ah yeah i have hoped it gives good wrappers for the rust win32api library :slight_smile:.

Might be something could help you. https://github.com/AurevoirXavier/hook-in-rust

@AurevoirXavier yes thx a good explanation for hooking in rust. I have some questions.

You have written Libs and i must use your methods for an special thing when i want to hook messageboxes or are this only examples for messageboxes.

Umm the winapi the last contact i have was on win95/98 and the api is ugly today as is is:). every c/c++ has wrapper libs;).

I have a little bit debugged and it's a flashback;). At the moment i cannot find RegEx but opengl calls for the registry.

My program that i want to hook and overwrite are an Unity/3D-Game that don't use Enviroment-Vars (Unity has a special command to determine LocalLow) but it uses Registry-Entrys:

Disassembler=push opengl32.6D867C58

Search the active Profile and snag the Value for the Profile C:\Users\cyber and then he put manually Appdata/LocalLow at the string. I think so. When i change ProfileImagePath he save in the new changed location.

Why can the UnityEnginge not go the normal way about Enviroment-Variables;).

I think that i want to hook is:

77327AFE | FF15 0C213377 | call dword ptr ds:[<&RegOpenKeyExW>] |

Do you have a little code how i can hook all RegOpenKeyExW and print the values and change the values in RunTime so that the Unity-Prgs became another Value back not the real from the registry?

Sry, I’ve no experience in that. But I could show you some ways to make a hook with rust. If your target is a 32-bit process just use asm! macro to make a inline detour. For 64-bit process you have to do it manually with some ‘disasm’ code. Or you can use a detour library, detour-rs. Here’s a example for d3d hook(64-bit vmt inline hook), that I could change every frame’s rendering. https://github.com/AurevoirXavier/dauntless-helper/tree/master/rust-ver

If you have some experience in c/c++, it should not be so hard. And I recommend you to make a c version first.