Question about registry

Hi!

An article says if you know the keynode's address, you can get cell data.

The procedure is as follows,

keynode->GetCellRoutine->cell data list->KeyList->GetCellRoutine->cell data

The theory is beyond my ability.

Could someone give me some explanations using windbg?

kd> dt _cm_key_node e1012134
nt!_CM_KEY_NODE
+0x000 Signature : 0x6b6e
+0x002 Flags : 0x20
+0x004 LastWriteTime : _LARGE_INTEGER 0x1c8a59a`913acf5a
+0x00c Spare : 0
+0x010 Parent : 0x20
+0x014 SubKeyCounts : [2] 5
+0x01c SubKeyLists : [2] 0x448
+0x024 ValueList : _CHILD_LIST
+0x01c ChildHiveReference : _CM_KEY_REFERENCE
+0x02c Security : 0x78
+0x030 Class : 0xffffffff
+0x034 MaxNameLen : 0x10
+0x038 MaxClassLen : 0
+0x03c MaxValueNameLen : 0
+0x040 MaxValueDataLen : 0
+0x044 WorkVar : 0
+0x048 NameLength : 7
+0x04a ClassLength : 0
+0x04c Name : [1] 0x414d


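As an added illustration of the chain the question lists (key node -> GetCellRoutine -> subkey list -> key list -> GetCellRoutine -> child key node), here is a small Python walk over a constructed, file-backed hive image. This is not code from the thread or from any Microsoft source. The _CM_KEY_NODE field offsets are the ones the windbg dump above shows; everything else (the 0x1000-byte base block, cell indexes measured from the first hbin, the signed cell-size prefix, the lf/lh/li/ri subkey-list cells, the 0x20 "compressed name" flag) is taken from the publicly described regf on-disk format and is an assumption as far as this thread is concerned. The sample hive bytes are synthetic, which is the same offline parsing a forensic hive viewer does, with no live kernel involved.

```python
import struct

# Assumed regf on-disk layout (the thread does not state it): a 0x1000-byte base block is
# followed by hbins, and a cell index is an offset from the start of the first hbin.
HBIN_BASE = 0x1000
HCELL_NIL = 0xFFFFFFFF
KEY_COMP_NAME = 0x20   # Flags bit: Name is 8-bit chars (the dump above shows Flags 0x20)


def get_cell(hive: bytes, index: int) -> bytes:
    """File-backed stand-in for GetCellRoutine: cell index -> cell payload.
    A cell begins with a signed 32-bit size; negative means allocated."""
    off = HBIN_BASE + index
    (size,) = struct.unpack_from("<i", hive, off)
    if size >= 0:
        raise ValueError(f"cell 0x{index:x} is free")
    return hive[off + 4:off - size]


def parse_key_node(cell: bytes) -> dict:
    """Decode a _CM_KEY_NODE with the field offsets shown in the windbg dump."""
    sig, flags = struct.unpack_from("<2sH", cell, 0x00)
    if sig != b"nk":  # Signature 0x6b6e, read as little-endian bytes
        raise ValueError("not an 'nk' key node cell")
    u32 = lambda off: struct.unpack_from("<I", cell, off)[0]
    (name_len,) = struct.unpack_from("<H", cell, 0x48)   # NameLength
    raw = cell[0x4C:0x4C + name_len]                      # Name
    return {
        "parent": u32(0x10),
        "subkey_count": u32(0x14),   # SubKeyCounts[0], stable subkeys
        "subkey_list": u32(0x1C),    # SubKeyLists[0], cell index of the list cell
        "value_count": u32(0x24),    # ValueList.Count
        "value_list": u32(0x28),     # ValueList.List
        "name": raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le"),
    }


def read_subkey_list(hive: bytes, index: int) -> list:
    """Return the key-node cell indexes held by an lf/lh/li list, following ri indirection."""
    cell = get_cell(hive, index)
    sig, count = struct.unpack_from("<2sH", cell, 0)
    if sig in (b"lf", b"lh"):      # entries: cell index + 4-byte hash
        return [struct.unpack_from("<I", cell, 4 + 8 * i)[0] for i in range(count)]
    if sig == b"li":               # entries: cell index only
        return [struct.unpack_from("<I", cell, 4 + 4 * i)[0] for i in range(count)]
    if sig == b"ri":               # entries: cell indexes of further list cells
        out = []
        for i in range(count):
            out += read_subkey_list(hive, struct.unpack_from("<I", cell, 4 + 4 * i)[0])
        return out
    raise ValueError(f"unknown subkey list signature {sig!r}")


def list_subkeys(hive: bytes, key_index: int) -> list:
    """The chain from the question: key node -> subkey list cell -> each child key node."""
    node = parse_key_node(get_cell(hive, key_index))
    if node["subkey_count"] == 0 or node["subkey_list"] == HCELL_NIL:
        return []
    return [parse_key_node(get_cell(hive, i))["name"]
            for i in read_subkey_list(hive, node["subkey_list"])]


def root_key_index(hive: bytes) -> int:
    return struct.unpack_from("<I", hive, 0x24)[0]   # base block: root key cell index


# --- constructed sample hive (synthetic bytes, not from any real system) --------------

def _cell(payload: bytes) -> bytes:
    size = 4 + len(payload)
    size += -size % 8                                 # cells are 8-byte aligned
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")


def _key_node(name: bytes, subkey_count: int, subkey_list: int) -> bytes:
    # 0x4C-byte header laid out exactly as the dump, followed by a compressed (8-bit) name
    return struct.pack("<2sHQ" + "I" * 15 + "HH", b"nk", KEY_COMP_NAME, 0, 0, 0,
                       subkey_count, 0, subkey_list, HCELL_NIL, 0, HCELL_NIL,
                       HCELL_NIL, HCELL_NIL, 0, 0, 0, 0, 0, len(name), 0) + name


def build_sample_hive() -> bytes:
    """Root key SAMPLE with subkeys Alpha and Beta, listed through one 'lf' cell."""
    cells = bytearray()

    def add(payload: bytes) -> int:
        index = 0x20 + len(cells)                     # 0x20 = size of the hbin header
        cells.extend(_cell(payload))
        return index

    alpha = add(_key_node(b"Alpha", 0, HCELL_NIL))
    beta = add(_key_node(b"Beta", 0, HCELL_NIL))
    lf = add(struct.pack("<2sH", b"lf", 2)
             + struct.pack("<I4s", alpha, b"Alph") + struct.pack("<I4s", beta, b"Beta"))
    root = add(_key_node(b"SAMPLE", 2, lf))
    base_block = (b"regf".ljust(0x24, b"\0") + struct.pack("<I", root)).ljust(HBIN_BASE, b"\0")
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000)).ljust(0x20, b"\0") + bytes(cells)
    return base_block + hbin.ljust(0x1000, b"\0")


if __name__ == "__main__":
    hive = build_sample_hive()
    root = root_key_index(hive)
    print(parse_key_node(get_cell(hive, root))["name"], "->", list_subkeys(hive, root))
```

In a live system the same SubKeyLists and ValueList fields hold cell indexes too, but GetCellRoutine there has to pick the stable or volatile storage map and translate through the hive's mapped bins, which is exactly the part that is undocumented and differs between versions; the file-backed translation above is the simple case.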

zmerry wrote:

An article says if you know the keynode's address, you can get cell data.

What article?

The procedure is as follows,
keynode->GetCellRoutine->cell data list->KeyList->GetCellRoutine->cell data

The theory is beyond my ability.
Could someone give me some explanations using windbg?

The internal format of the registry is completely undocumented. You will
need to do some reverse engineering, and that’s going to require you to
dig in yourself. Even a brief look at this structure on Google would
show you where the list of subkeys and values are stored.

Why do you need this? What are you hoping to accomplish?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.