added full log dump + hook fixes

3 years ago · a66452c280
parent f84196d4ed
commit a66452c280
3 changed files with 591 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -282,7 +282,7 @@ lpValueName: DisableRealtimeMonitoring
 lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
 [RegQueryValueExW]
 lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
-
+<also redacted a bunch of stuff from policy manager stuff>
 ```


--- a/logs.MD
+++ b/logs.MD
@ -0,0 +1,524 @@
+Here is the complete log dump cleaned:
+```
+obtained RegDeleteKeyW from 75A60000
+obtained RegDeleteValueW from 75A60000
+obtained RegEnumValueW from 75A60000
+obtained RegSetValueExW from 75A60000
+obtained RegCreateKeyExW from 75A60000
+obtained RegConnectRegistryW from 75A60000
+obtained RegEnumKeyExW from 75A60000
+obtained RegQueryValueExW from 75A60000
+obtained RegOpenKeyExW from 75A60000
+imports resolved
+preparing to hook
+
+Check for AV:
+
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegQueryValueExW]
+lpValueName: DisableRealtimeMonitoring
+[RegQueryValueExW]
+lpValueName: DisableRealtimeMonitoring
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
+[RegQueryValueExW]
+lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
+
+Disable AV:
+
+[RegCreateKeyExW]
+lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender
+[RegSetValueExW]
+lpValueName: DisableAntiSpyware
+[RegCreateKeyExW]
+lpSubKey: SOFTWARE\Microsoft\Windows Defender
+[RegCreateKeyExW]
+lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender
+[RegQueryValueExW]
+lpValueName: DisableAntiSpyware
+[RegQueryValueExW]
+lpValueName: DisableAntiSpyware
+[RegCreateKeyExW]
+lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend
+[RegSetValueExW]
+lpValueName: Start
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegQueryValueExW]
+lpValueName: SecurityHealth
+[RegQueryValueExW]
+lpValueName: SecurityHealth
+[RegCreateKeyExW]
+lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
+[RegSetValueExW]
+lpValueName: SecurityHealth
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegEnumValueW]
+lpValueName: SecurityHealth
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegQueryValueExW]
+lpValueName: DisableRealtimeMonitoring
+[RegQueryValueExW]
+lpValueName: DisableRealtimeMonitoring
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
+[RegQueryValueExW]
+lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
+
+Enable AV:
+
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
+[RegEnumKeyExW]
+lpName: ☺
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender
+[RegQueryValueExW]
+lpValueName: DisableAntiSpyware
+[RegQueryValueExW]
+lpValueName: DisableAntiSpyware
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender
+[RegQueryValueExW]
+lpValueName: DisableAntiSpyware
+[RegQueryValueExW]
+lpValueName: DisableAntiSpyware
+[RegOpenKeyExW]
+lpValueName: SYSTEM\CurrentControlSet\Services\SecLogon
+[RegQueryValueExW]
+lpValueName: Start
+[RegQueryValueExW]
+lpValueName: Start
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
+[RegEnumKeyExW]
+lpName: ☺
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender
+[RegEnumKeyExW]
+lpName: ☺
+[RegOpenKeyExW]
+lpValueName: Policy Manager
+[RegEnumKeyExW]
+lpName: ☺
+[RegEnumKeyExW]
+lpName: Policy Manager
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender
+[RegQueryValueExW]
+lpValueName: DisableAntiSpyware
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegQueryValueExW]
+lpValueName: DisableRealtimeMonitoring
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegEnumValueW]
+lpValueName: SecurityHealth
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegQueryValueExW]
+lpValueName: SecurityHealth
+[RegQueryValueExW]
+lpValueName: SecurityHealth
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
+[RegDeleteValueW]
+lpValueNameSecurityHealth
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegEnumValueW]
+lpValueName: SecurityHealth
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegQueryValueExW]
+lpValueName: WindowsDefender
+[RegQueryValueExW]
+lpValueName: WindowsDefender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+[RegEnumValueW]
+lpValueName: WindowsDefender
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
+[RegQueryValueExW]
+lpValueName: DisableRealtimeMonitoring
+[RegOpenKeyExW]
+lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
+[RegQueryValueExW]
+lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe
+[RegOpenKeyExW]
+```
--- a/src/dumper/dumper.cpp
+++ b/src/dumper/dumper.cpp
@ -10,8 +10,8 @@
 // RegCreateKeyExW [done]
 // RegConnectRegistryW [done]
 // RegEnumKeyExW [done]
-// RegCloseKey
-// RegQueryValueExW
+// RegCloseKey [not hooked since redundant]
+// RegQueryValueExW [done]
 // RegOpenKeyExW
 // reformat printing if succesfully hooked

@ -54,6 +54,8 @@ namespace RegHooks

  // WM_COMMAND handler
  // base+05F48E
+  // can be found by tracing the main function and looking for WM_COMMAND (0x0111)
+  // however this function doesn't seem to be called on runtime
  //
  using handle_command_t = char(__stdcall*)(int, UINT, UINT);
  uintptr_t handle_command_addr;
@ -170,7 +172,6 @@ namespace RegHooks
  {
    std::cout << "[RegCreateKeyExW]" << std::endl;
    std::cout << "lpSubKey: " << wide_to_string(lpSubKey).c_str() << std::endl;
-    std::cout << "lpClass: " << wide_to_string(lpClass).c_str() << std::endl;

    return (reinterpret_cast<RegCreateKeyExW_t>(RegCreateKeyExW_addr))
      (hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition);
@ -194,7 +195,7 @@ namespace RegHooks
  }

  // RegEnumKeyExW
-  // ms docs:
+  // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regenumkeyexw
  //
  using RegEnumKeyExW_t = LSTATUS(__stdcall*)(HKEY, DWORD, LPWSTR, LPDWORD, LPDWORD, LPWSTR, LPDWORD, PFILETIME);
  uintptr_t RegEnumKeyExW_addr;
@ -212,10 +213,64 @@ namespace RegHooks
  {
    std::cout << "[RegEnumKeyExW]" << std::endl;
    std::cout << "lpName: " << wide_to_string(lpName).c_str() << std::endl;
-    std::cout << "lpClass: " << wide_to_string(lpClass).c_str() << std::endl;
+
    return (reinterpret_cast<RegEnumKeyExW_t>(RegEnumKeyExW_addr))
      (hKey, dwIndex, lpName, lpcchName, lpReserved, lpClass, lpcchClass, lpftLastWriteTime);
  }
+
+  // RegCloseKey
+  // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regclosekey
+  // seems redundant to hook
+  //
+  LSTATUS __stdcall hk_RegCloseKey(
+    HKEY hKey
+  )
+  {
+    return EXIT_SUCCESS;
+  }
+
+  // RegQueryValueExW 
+  // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexw
+  //
+  using RegQueryValueExW_t = LSTATUS(__stdcall*)(HKEY, LPCWSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD);
+  uintptr_t RegQueryValueExW_addr;
+
+  LSTATUS __stdcall hk_RegQueryValueExW(
+    HKEY    hKey,
+    LPCWSTR lpValueName,
+    LPDWORD lpReserved,
+    LPDWORD lpType,
+    LPBYTE  lpData,
+    LPDWORD lpcbData
+  )
+  {
+    std::cout << "[RegQueryValueExW]" << std::endl;
+    std::cout << "lpValueName: " << wide_to_string(lpValueName).c_str() << std::endl;
+
+    return (reinterpret_cast<RegQueryValueExW_t>(RegQueryValueExW_addr))
+      (hKey, lpValueName, lpReserved, lpType, lpData, lpcbData);
+  }
+
+  // RegOpenKeyExW
+  // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexw
+  //
+  using RegOpenKeyExW_t = LSTATUS(__stdcall*)(HKEY, LPCWSTR, DWORD, REGSAM, PHKEY);
+  uintptr_t RegOpenKeyExW_addr;
+
+  LSTATUS __stdcall hk_RegOpenKeyExW(
+    HKEY    hKey,
+    LPCWSTR lpSubKey,
+    DWORD   ulOptions,
+    REGSAM  samDesired,
+    PHKEY   phkResult
+  )
+  {
+    std::cout << "[RegOpenKeyExW]" << std::endl;
+    std::cout << "lpValueName: " << wide_to_string(lpSubKey).c_str() << std::endl;
+
+    return (reinterpret_cast<RegOpenKeyExW_t>(RegOpenKeyExW_addr))
+      (hKey, lpSubKey, ulOptions, samDesired, phkResult);
+  }
 }

 namespace DetourHelper
@ -275,6 +330,8 @@ void thread_main()
  RegHooks::RegCreateKeyExW_addr = get_func_addr(advapi32, "RegCreateKeyExW");
  RegHooks::RegConnectRegistryW_addr = get_func_addr(advapi32, "RegConnectRegistryW");
  RegHooks::RegEnumKeyExW_addr = get_func_addr(advapi32, "RegEnumKeyExW");
+  RegHooks::RegQueryValueExW_addr = get_func_addr(advapi32, "RegQueryValueExW");
+  RegHooks::RegOpenKeyExW_addr = get_func_addr(advapi32, "RegOpenKeyExW");

  std::cout << "imports resolved\npreparing to hook" << std::endl;

@ -286,8 +343,11 @@ void thread_main()
  DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW);
  DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW);
  DetourHelper::perf_hook((PVOID*)&RegHooks::RegConnectRegistryW_addr, RegHooks::hk_RegConnectRegistryW);
-  DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW);

+  DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW); // figure crash here\
+ 
+  DetourHelper::perf_hook((PVOID*)&RegHooks::RegQueryValueExW_addr, RegHooks::hk_RegQueryValueExW);
+  DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW);

  // native hooks
  // pretty redunant dont need to enable them