From a66452c280b3d086b61e1e364bdd0ed6dacf06eb Mon Sep 17 00:00:00 2001 From: zhwu2697 Date: Fri, 4 Jun 2021 23:06:12 +1000 Subject: [PATCH] added full log dump + hook fixes --- README.md | 2 +- logs.MD | 524 ++++++++++++++++++++++++++++++++++++++++++ src/dumper/dumper.cpp | 72 +++++- 3 files changed, 591 insertions(+), 7 deletions(-) create mode 100644 logs.MD diff --git a/README.md b/README.md index e6b647a..ac04766 100644 --- a/README.md +++ b/README.md @@ -282,7 +282,7 @@ lpValueName: DisableRealtimeMonitoring lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths [RegQueryValueExW] lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe - + ``` diff --git a/logs.MD b/logs.MD new file mode 100644 index 0000000..99d7758 --- /dev/null +++ b/logs.MD 
@@ -0,0 +1,524 @@ +Here is the complete log dump cleaned: +``` +obtained RegDeleteKeyW from 75A60000 +obtained RegDeleteValueW from 75A60000 +obtained RegEnumValueW from 75A60000 +obtained RegSetValueExW from 75A60000 +obtained RegCreateKeyExW from 75A60000 +obtained RegConnectRegistryW from 75A60000 +obtained RegEnumKeyExW from 75A60000 +obtained RegQueryValueExW from 75A60000 +obtained RegOpenKeyExW from 75A60000 +imports resolved +preparing to hook + +Check for AV: + +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegQueryValueExW] +lpValueName: DisableRealtimeMonitoring +[RegQueryValueExW] +lpValueName: DisableRealtimeMonitoring +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths +[RegQueryValueExW] +lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe + +Disable AV: + +[RegCreateKeyExW] +lpSubKey: SOFTWARE\Policies\Microsoft\Windows Defender +[RegSetValueExW] +lpValueName: DisableAntiSpyware +[RegCreateKeyExW] +lpSubKey: SOFTWARE\Microsoft\Windows Defender +[RegCreateKeyExW] +lpSubKey: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender +[RegQueryValueExW] +lpValueName: DisableAntiSpyware +[RegQueryValueExW] +lpValueName: DisableAntiSpyware +[RegCreateKeyExW] +lpSubKey: SYSTEM\CurrentControlSet\Services\WinDefend +[RegSetValueExW] +lpValueName: Start +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegQueryValueExW] +lpValueName: SecurityHealth +[RegQueryValueExW] +lpValueName: SecurityHealth +[RegCreateKeyExW] +lpSubKey: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run +[RegSetValueExW] +lpValueName: SecurityHealth +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegEnumValueW] +lpValueName: SecurityHealth +[RegOpenKeyExW] +lpValueName: 
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegQueryValueExW] +lpValueName: DisableRealtimeMonitoring +[RegQueryValueExW] +lpValueName: DisableRealtimeMonitoring +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths +[RegQueryValueExW] +lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe + +Enable AV: + +[RegOpenKeyExW] +lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender +[RegEnumKeyExW] +lpName: ☺ +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender +[RegQueryValueExW] +lpValueName: DisableAntiSpyware +[RegQueryValueExW] +lpValueName: DisableAntiSpyware +[RegOpenKeyExW] +lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender +[RegOpenKeyExW] +lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender +[RegQueryValueExW] +lpValueName: DisableAntiSpyware +[RegQueryValueExW] +lpValueName: DisableAntiSpyware +[RegOpenKeyExW] +lpValueName: SYSTEM\CurrentControlSet\Services\SecLogon +[RegQueryValueExW] +lpValueName: Start +[RegQueryValueExW] +lpValueName: Start +[RegOpenKeyExW] +lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender +[RegEnumKeyExW] +lpName: ☺ +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: 
Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] 
+lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager 
+[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] 
+lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: SOFTWARE\Policies\Microsoft\Windows Defender +[RegEnumKeyExW] +lpName: ☺ +[RegOpenKeyExW] +lpValueName: Policy Manager +[RegEnumKeyExW] +lpName: ☺ +[RegEnumKeyExW] +lpName: Policy Manager +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender +[RegQueryValueExW] +lpValueName: DisableAntiSpyware +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegQueryValueExW] +lpValueName: DisableRealtimeMonitoring +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegEnumValueW] +lpValueName: SecurityHealth +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegQueryValueExW] +lpValueName: SecurityHealth +[RegQueryValueExW] +lpValueName: SecurityHealth +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run +[RegDeleteValueW] +lpValueNameSecurityHealth +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegEnumValueW] +lpValueName: SecurityHealth +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegQueryValueExW] +lpValueName: WindowsDefender +[RegQueryValueExW] +lpValueName: WindowsDefender +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows\CurrentVersion\Run +[RegEnumValueW] +lpValueName: WindowsDefender +[RegOpenKeyExW] +lpValueName: 
SOFTWARE\Microsoft\Windows Defender\Real-Time Protection +[RegQueryValueExW] +lpValueName: DisableRealtimeMonitoring +[RegOpenKeyExW] +lpValueName: SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths +[RegQueryValueExW] +lpValueName: C:\Program Files (x86)\DefenderControl\dControl.exe +[RegOpenKeyExW] +``` \ No newline at end of file diff --git a/src/dumper/dumper.cpp b/src/dumper/dumper.cpp index e124086..2dedfad 100644 --- a/src/dumper/dumper.cpp +++ b/src/dumper/dumper.cpp @@ -10,8 +10,8 @@ // RegCreateKeyExW [done] // RegConnectRegistryW [done] // RegEnumKeyExW [done] -// RegCloseKey -// RegQueryValueExW +// RegCloseKey [not hooked since redundant] +// RegQueryValueExW [done] // RegOpenKeyExW // reformat printing if succesfully hooked @@ -54,6 +54,8 @@ namespace RegHooks // WM_COMMAND handler // base+05F48E + // can be found by tracing the main function and looking for WM_COMMAND (0x0111) + // however this function doesn't seem to be called on runtime // using handle_command_t = char(__stdcall*)(int, UINT, UINT); uintptr_t handle_command_addr; @@ -170,7 +172,6 @@ namespace RegHooks { std::cout << "[RegCreateKeyExW]" << std::endl; std::cout << "lpSubKey: " << wide_to_string(lpSubKey).c_str() << std::endl; - std::cout << "lpClass: " << wide_to_string(lpClass).c_str() << std::endl; return (reinterpret_cast(RegCreateKeyExW_addr)) (hKey, lpSubKey, Reserved, lpClass, dwOptions, samDesired, lpSecurityAttributes, phkResult, lpdwDisposition); @@ -194,7 +195,7 @@ namespace RegHooks } // RegEnumKeyExW - // ms docs: + // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regenumkeyexw // using RegEnumKeyExW_t = LSTATUS(__stdcall*)(HKEY, DWORD, LPWSTR, LPDWORD, LPDWORD, LPWSTR, LPDWORD, PFILETIME); uintptr_t RegEnumKeyExW_addr; 
@@ -212,10 +213,64 @@ namespace RegHooks { std::cout << "[RegEnumKeyExW]" << std::endl; std::cout << "lpName: " << wide_to_string(lpName).c_str() << std::endl; - std::cout << "lpClass: " << wide_to_string(lpClass).c_str() << std::endl; + return (reinterpret_cast(RegEnumKeyExW_addr)) (hKey, dwIndex, lpName, lpcchName, lpReserved, lpClass, lpcchClass, lpftLastWriteTime); } + + // RegCloseKey + // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regclosekey + // seems redundant to hook + // + LSTATUS __stdcall hk_RegCloseKey( + HKEY hKey + ) + { + return EXIT_SUCCESS; + } + + // RegQueryValueExW + // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryvalueexw + // + using RegQueryValueExW_t = LSTATUS(__stdcall*)(HKEY, LPCWSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD); + uintptr_t RegQueryValueExW_addr; + + LSTATUS __stdcall hk_RegQueryValueExW( + HKEY hKey, + LPCWSTR lpValueName, + LPDWORD lpReserved, + LPDWORD lpType, + LPBYTE lpData, + LPDWORD lpcbData + ) + { + std::cout << "[RegQueryValueExW]" << std::endl; + std::cout << "lpValueName: " << wide_to_string(lpValueName).c_str() << std::endl; + + return (reinterpret_cast(RegQueryValueExW_addr)) + (hKey, lpValueName, lpReserved, lpType, lpData, lpcbData); + } + + // RegOpenKeyExW + // ms docs: https://docs.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regopenkeyexw + // + using RegOpenKeyExW_t = LSTATUS(__stdcall*)(HKEY, LPCWSTR, DWORD, REGSAM, PHKEY); + uintptr_t RegOpenKeyExW_addr; + + LSTATUS __stdcall hk_RegOpenKeyExW( + HKEY hKey, + LPCWSTR lpSubKey, + DWORD ulOptions, + REGSAM samDesired, + PHKEY phkResult + ) + { + std::cout << "[RegOpenKeyExW]" << std::endl; + std::cout << "lpValueName: " << wide_to_string(lpSubKey).c_str() << std::endl; + + return (reinterpret_cast(RegOpenKeyExW_addr)) + (hKey, lpSubKey, ulOptions, samDesired, phkResult); + } } namespace DetourHelper 
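Review bot: hk_RegOpenKeyExW labels what it prints as `lpValueName:` although the value is lpSubKey, so every RegOpenKeyExW entry in the logs.MD dump is mis-named; change the line to `std::cout << "lpSubKey: " << wide_to_string(lpSubKey).c_str() << std::endl;`. Both new hooks hand lpValueName / lpSubKey straight to wide_to_string, yet the documented API accepts a NULL pointer for either (default value, or the key identified by hKey itself); whether wide_to_string tolerates NULL is not visible here, so a guard such as `lpSubKey ? wide_to_string(lpSubKey) : std::string("(null)")` ahead of the log line is advisable. hk_RegCloseKey returns EXIT_SUCCESS without calling the original, so if it were ever installed every key handle would leak while callers saw success; as long as it stays unhooked per its comment, the stub is better removed or turned into a call-through. The `lpName: ☺` entries in logs.MD presumably come from the unchanged RegEnumKeyExW hook above, which prints lpName before the original runs while the buffer is still an unwritten output parameter; logging it after the call returns would yield the real subkey name.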
@@ -275,6 +330,8 @@ void thread_main() RegHooks::RegCreateKeyExW_addr = get_func_addr(advapi32, "RegCreateKeyExW"); RegHooks::RegConnectRegistryW_addr = get_func_addr(advapi32, "RegConnectRegistryW"); RegHooks::RegEnumKeyExW_addr = get_func_addr(advapi32, "RegEnumKeyExW"); + RegHooks::RegQueryValueExW_addr = get_func_addr(advapi32, "RegQueryValueExW"); + RegHooks::RegOpenKeyExW_addr = get_func_addr(advapi32, "RegOpenKeyExW"); std::cout << "imports resolved\npreparing to hook" << std::endl; @@ -286,8 +343,11 @@ void thread_main() DetourHelper::perf_hook((PVOID*)&RegHooks::regsetvalue_addr, RegHooks::hk_RegSetValueExW); DetourHelper::perf_hook((PVOID*)&RegHooks::RegCreateKeyExW_addr, RegHooks::hk_RegCreateKeyExW); DetourHelper::perf_hook((PVOID*)&RegHooks::RegConnectRegistryW_addr, RegHooks::hk_RegConnectRegistryW); - DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW); + DetourHelper::perf_hook((PVOID*)&RegHooks::RegEnumKeyExW_addr, RegHooks::hk_RegEnumKeyExW); // figure crash here\ + + DetourHelper::perf_hook((PVOID*)&RegHooks::RegQueryValueExW_addr, RegHooks::hk_RegQueryValueExW); + DetourHelper::perf_hook((PVOID*)&RegHooks::RegOpenKeyExW_addr, RegHooks::hk_RegOpenKeyExW); // native hooks // pretty redunant dont need to enable them
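Review bot: The comment appended to the RegEnumKeyExW hook line, `// figure crash here\`, ends in a backslash, which splices the following source line into the comment before compilation; the next line is blank today, so nothing is lost, but the first statement anyone adds directly beneath it will silently vanish (MSVC reports this as C4010). Drop the trailing character: `// figure out crash here`. The block also discards the result of every DetourHelper::perf_hook call, the two new ones included, so a hook that fails to install looks identical to one that works, which is precisely what the crash note needs to distinguish; perf_hook's return type is not visible here, but if it surfaces the Detours status, logging it per hook would make the crash diagnosable. In the preceding hunk the two new get_func_addr results are likewise hooked without a null check, so a failed export lookup would presumably reach perf_hook as a null target. thread_main begins and ends outside this hunk.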