Hi community!
I have a feeling that !reg extension works strange on my vm. So what I want is to get an immediate address of a key value. So I go through all the chores of !reg from getting KCB for the reg key, through dumping the kye hive etc, and eventually I get to the point where I have kvalue at hand:
` !reg valuelist 0xffff9782f04f6000 00000000028cf9ac
Dumping ValueList of Key <AeDebug> :
[Idx] [ValAddr] [ValueName]
[ 0] 00000000028cfa04 UserDebuggerHotKey
[ 1] 00000000028cfa44 Debugger
[ 2] 00000000028cfad4 Auto
Use '!reg kvalue <ValAddr>' to dump the value
!reg kvalue 00000000028cfa44
Signature: CM_KEY_VALUE_SIGNATURE (kv)
Name : Debugger {compressed}
DataLength: 6c
Data : 28aea60 [cell index]
Type : 1
!reg cellindex 0xffff9782f04f6000 28aea60
Map = ffff9782f0ff7000 Type = 0 Table = 14 Block = ae Offset = a60
MapTable = ffff9782f108b000
MapEntry = ffff9782f108c050
BinAddress = 00000000028cf001, BlockOffset = 0000000000000000
BlockAddress = 00000000028cf000
pcell: 00000000028cfa64
`
Now, that pcell doesn’t look like a legitimate address does it? Needless to say when I try dumping it i get question marks of uncommitted memory.
Has anybody been there too? What do I do wrong?
Thank you!