You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2871 lines
86 KiB
2871 lines
86 KiB
/*++
|
|
|
|
Copyright (c) 1992 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
regext.c
|
|
|
|
Abstract:
|
|
|
|
Kernel debugger extensions useful for the registry
|
|
|
|
Author:
|
|
|
|
John Vert (jvert) 7-Sep-1993
|
|
|
|
Environment:
|
|
|
|
Loaded as a kernel debugger extension
|
|
|
|
Revision History:
|
|
|
|
John Vert (jvert) 7-Sep-1993
|
|
created
|
|
|
|
Dragos C. Sambotin (dragoss) 05-May-2000
|
|
updated to support new registry layout
|
|
enhanced with new commands
|
|
|
|
--*/
|
|
|
|
|
|
#include "precomp.h"
|
|
#pragma hdrstop
|
|
|
|
ULONG TotalPages;
|
|
ULONG TotalPresentPages;
|
|
PCHAR pc;
|
|
|
|
BOOLEAN SavePages;
|
|
BOOLEAN RestorePages;
|
|
HANDLE TempFile;
|
|
ULONG64 gHiveListAddr;
|
|
|
|
static ULONG DirectoryOffset, TableOffset, BlockAddrOffset, PtrSize, ULongSize, HMapSize, GotOnce = FALSE;
|
|
|
|
void
|
|
poolDumpHive(
|
|
IN ULONG64 Hive
|
|
);
|
|
|
|
VOID
|
|
poolDumpMap(
|
|
IN ULONG Length,
|
|
IN ULONG64 Map
|
|
);
|
|
|
|
|
|
void
|
|
dumpHiveFromFile(
|
|
HANDLE hFile
|
|
);
|
|
|
|
void
|
|
regdumppool(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Goes through all the paged pool allocated to registry space and
|
|
determines which pages are present and which are not.
|
|
|
|
Called as:
|
|
|
|
!regpool [s|r]
|
|
|
|
s Save list of registry pages to temporary file
|
|
r Restore list of registry pages from temp. file
|
|
|
|
Arguments:
|
|
|
|
CurrentPc - Supplies the current pc at the time the extension is
|
|
called.
|
|
|
|
lpExtensionApis - Supplies the address of the functions callable
|
|
by this extension.
|
|
|
|
lpArgumentString - Supplies the pattern and expression for this
|
|
command.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 pCmpHiveListHead;
|
|
ULONG64 pNextHiveList;
|
|
ULONG64 pHiveListEntry;
|
|
ULONG BytesRead;
|
|
ULONG64 CmHive;
|
|
BYTE HiveList[1024];
|
|
CHAR Dummy1[ 256 ],Dummy2[64];
|
|
|
|
if (!sscanf(args,"%255s %255s",Dummy1,Dummy2)) {
|
|
Dummy2[0] = 0;
|
|
}
|
|
|
|
if (toupper(Dummy2[0])=='S') {
|
|
SavePages = TRUE;
|
|
} else {
|
|
SavePages = FALSE;
|
|
}
|
|
if (toupper(Dummy2[0])=='R') {
|
|
RestorePages = TRUE;
|
|
} else {
|
|
RestorePages = FALSE;
|
|
}
|
|
|
|
//
|
|
// Go get the hivelist.
|
|
//
|
|
// memset(HiveList,0,sizeof(HiveList));
|
|
pHiveListEntry = GetExpression("nt!CmpMachineHiveList");
|
|
gHiveListAddr = pHiveListEntry;
|
|
if (pHiveListEntry != 0) {
|
|
// Kd caches hive list
|
|
ReadMemory(pHiveListEntry,
|
|
HiveList,
|
|
8 * GetTypeSize("_HIVE_LIST_ENTRY"),
|
|
&BytesRead);
|
|
}
|
|
|
|
//
|
|
// First go and get the hivelisthead
|
|
//
|
|
pCmpHiveListHead = GetExpression("nt!CmpHiveListHead");
|
|
if (pCmpHiveListHead==0) {
|
|
dprintf("CmpHiveListHead couldn't be read\n");
|
|
return;
|
|
}
|
|
|
|
|
|
|
|
if (!ReadPointer(pCmpHiveListHead, &pNextHiveList)) {
|
|
dprintf("Couldn't read first Flink (%p) of CmpHiveList\n",
|
|
pCmpHiveListHead);
|
|
return;
|
|
}
|
|
|
|
TotalPages = TotalPresentPages = 0;
|
|
|
|
if (SavePages || RestorePages) {
|
|
TempFile = CreateFile( "regext.dat",
|
|
GENERIC_READ | GENERIC_WRITE,
|
|
0,
|
|
NULL,
|
|
OPEN_ALWAYS,
|
|
0,
|
|
NULL
|
|
);
|
|
if (TempFile == INVALID_HANDLE_VALUE) {
|
|
dprintf("Couldn't open regext.dat\n");
|
|
return;
|
|
}
|
|
}
|
|
|
|
if (RestorePages) {
|
|
dumpHiveFromFile(TempFile);
|
|
} else {
|
|
ULONG HiveListOffset;
|
|
FIELD_INFO offField = {"HiveList", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "_CMHIVE", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 1, &offField
|
|
};
|
|
|
|
// Get The offset
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
return;
|
|
}
|
|
HiveListOffset = (ULONG) offField.address;
|
|
|
|
|
|
|
|
while (pNextHiveList != pCmpHiveListHead) {
|
|
CmHive = pNextHiveList - HiveListOffset;
|
|
|
|
poolDumpHive(CmHive);
|
|
|
|
if (GetFieldValue(pNextHiveList, "nt!_LIST_ENTRY", "Flink", pNextHiveList)) {
|
|
dprintf("Couldn't read Flink (%p) of %p\n",
|
|
pCmpHiveListHead,pNextHiveList);
|
|
break;
|
|
}
|
|
|
|
if (CheckControlC()) {
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
dprintf("Total pages present = %d / %d\n",
|
|
TotalPresentPages,
|
|
TotalPages);
|
|
|
|
if (SavePages || RestorePages) {
|
|
CloseHandle( TempFile );
|
|
}
|
|
}
|
|
|
|
BOOLEAN
|
|
GetHiveMaps(
|
|
ULONG64 pHive,
|
|
ULONG64 *pStableMap,
|
|
ULONG *pStableLength,
|
|
ULONG64 *pVolatileMap,
|
|
ULONG *pVolatileLength
|
|
)
|
|
{
|
|
ULONG BytesRead;
|
|
ULONG Stable_Length=0, Volatile_Length=0;
|
|
ULONG64 Stable_Map=0, Volatile_Map=0;
|
|
ULONG StorageOffset, DUAL_Size;
|
|
FIELD_INFO offField = {"Hive.Storage", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "_CMHIVE", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 1, &offField
|
|
};
|
|
|
|
// Get the offset of Hive.Storage in _CMHIVE
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
dprintf("Cannot find _CMHIVE type.\n");
|
|
return FALSE;
|
|
}
|
|
|
|
StorageOffset = (ULONG) offField.address;
|
|
|
|
DUAL_Size = GetTypeSize("_DUAL");
|
|
GetFieldValue(pHive + StorageOffset + Stable*DUAL_Size, "_DUAL", "Length", Stable_Length);
|
|
GetFieldValue(pHive + StorageOffset + Volatile*DUAL_Size, "_DUAL", "Length", Volatile_Length);
|
|
GetFieldValue(pHive + StorageOffset + Stable*DUAL_Size, "_DUAL", "Map", Stable_Map);
|
|
GetFieldValue(pHive + StorageOffset + Volatile*DUAL_Size, "_DUAL", "Map", Volatile_Map);
|
|
|
|
(*pStableMap) = Stable_Map;
|
|
(*pStableLength) = Stable_Length;
|
|
(*pVolatileMap) = Volatile_Map;
|
|
(*pVolatileLength) = Volatile_Length;
|
|
return TRUE;
|
|
}
|
|
|
|
BOOLEAN
|
|
USE_OLD_CELL(
|
|
ULONG64 pHive
|
|
)
|
|
{
|
|
ULONG Version;
|
|
|
|
if(!GetFieldValue(pHive, "nt!_CMHIVE", "Hive.Version", Version)) {
|
|
return (Version==1);
|
|
}
|
|
return FALSE;
|
|
}
|
|
|
|
ULONG64
|
|
MyHvpGetCellPaged(
|
|
ULONG64 pHive,
|
|
ULONG Cell
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Returns the memory address for the specified Cell. Will never
|
|
return failure, but may assert. Use HvIsCellAllocated to check
|
|
validity of Cell.
|
|
|
|
This routine should never be called directly, always call it
|
|
via the HvGetCell() macro.
|
|
|
|
This routine provides GetCell support for hives with full maps.
|
|
It is the normal version of the routine.
|
|
|
|
Arguments:
|
|
|
|
Hive - supplies a pointer to the hive control structure for the
|
|
hive of interest
|
|
|
|
Cell - supplies HCELL_INDEX of cell to return address for
|
|
|
|
Return Value:
|
|
|
|
Address of Cell in memory. Assert or BugCheck if error.
|
|
|
|
--*/
|
|
{
|
|
ULONG Type;
|
|
ULONG Table;
|
|
ULONG Block;
|
|
ULONG Offset;
|
|
ULONG Stable_Length=0, Volatile_Length=0;
|
|
ULONG64 Stable_Map=0, Volatile_Map=0;
|
|
ULONG64 MapTable;
|
|
ULONG64 Map;
|
|
ULONG64 MapEntryAddress, BlockAddress=0;
|
|
ULONG64 lRez;
|
|
ULONG64 pcell;
|
|
|
|
if(!GetHiveMaps(pHive,&Stable_Map,&Stable_Length,&Volatile_Map,&Volatile_Length) ) {
|
|
return 0;
|
|
}
|
|
|
|
|
|
Type = ((ULONG)((Cell & HCELL_TYPE_MASK) >> HCELL_TYPE_SHIFT));
|
|
Table = (Cell & HCELL_TABLE_MASK) >> HCELL_TABLE_SHIFT;
|
|
Block = (Cell & HCELL_BLOCK_MASK) >> HCELL_BLOCK_SHIFT;
|
|
Offset = (Cell & HCELL_OFFSET_MASK);
|
|
|
|
if( Type == 0 ) {
|
|
Map = Stable_Map;
|
|
} else {
|
|
Map = Volatile_Map;
|
|
}
|
|
|
|
dprintf("Map = %p Type = %lx Table = %lx Block = %lx Offset = %lx\n",Map,Type,Table,Block,Offset);
|
|
|
|
if (!ReadPointer(Map + DirectoryOffset + Table*PtrSize,
|
|
&MapTable))
|
|
return 0;
|
|
|
|
dprintf("MapTable = %p \n",MapTable);
|
|
|
|
MapEntryAddress = MapTable + Block * HMapSize + BlockAddrOffset;
|
|
if (!ReadPointer(MapEntryAddress, &BlockAddress)) {
|
|
dprintf(" can't read HMAP_ENTRY at %p\n",
|
|
MapEntryAddress);
|
|
return 0;
|
|
}
|
|
|
|
dprintf("BlockAddress = %p \n\n",BlockAddress);
|
|
|
|
pcell = ((ULONG64)(BlockAddress) + Offset);
|
|
lRez = (ULONG64)pcell;
|
|
if (USE_OLD_CELL(pHive)) {
|
|
return lRez + ULongSize + ULongSize;
|
|
//return (struct _CELL_DATA *)&(hcell.u.OldCell.u.UserData);
|
|
} else {
|
|
return lRez + ULongSize;
|
|
//return (struct _CELL_DATA *)&(hcell.u.NewCell.u.UserData);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
ULONG64
|
|
MyHvpGetCellFlat(
|
|
ULONG64 pHive,
|
|
ULONG Cell
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Returns the memory address for the specified Cell. Will never
|
|
return failure, but may assert. Use HvIsCellAllocated to check
|
|
validity of Cell.
|
|
|
|
This routine should never be called directly, always call it
|
|
via the HvGetCell() macro.
|
|
|
|
This routine provides GetCell support for read only hives with
|
|
single allocation flat images. Such hives do not have cell
|
|
maps ("page tables"), instead, we compute addresses by
|
|
arithmetic against the base image address.
|
|
|
|
Such hives cannot have volatile cells.
|
|
|
|
Arguments:
|
|
|
|
Hive - supplies a pointer to the hive control structure for the
|
|
hive of interest
|
|
|
|
Cell - supplies HCELL_INDEX of cell to return address for
|
|
|
|
Return Value:
|
|
|
|
Address of Cell in memory. Assert or BugCheck if error.
|
|
|
|
--*/
|
|
{
|
|
ULONG64 BaseBlock;
|
|
ULONG64 lRez;
|
|
|
|
if (GetFieldValue(pHive, "nt!_CMHIVE", "Hive.BaseBlock", BaseBlock)) {
|
|
dprintf("\tCan't CMHIVE Read from %p\n",pHive);
|
|
return 0;
|
|
}
|
|
|
|
|
|
|
|
//
|
|
// Address is base of Hive image + Cell
|
|
//
|
|
lRez = (ULONG64)BaseBlock + HBLOCK_SIZE + Cell;
|
|
if (USE_OLD_CELL(pHive)) {
|
|
return lRez + ULongSize + ULongSize;
|
|
//return (struct _CELL_DATA *)&(pcell->u.OldCell.u.UserData);
|
|
} else {
|
|
return lRez + ULongSize;
|
|
//return (struct _CELL_DATA *)&(pcell->u.NewCell.u.UserData);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
void
|
|
poolDumpHive(
|
|
IN ULONG64 pHive
|
|
)
|
|
{
|
|
ULONG BytesRead;
|
|
WCHAR FileName[HBASE_NAME_ALLOC/2 + 1];
|
|
CHAR buf[512];
|
|
ULONG cb;
|
|
ULONG Stable_Length=0, Volatile_Length=0;
|
|
ULONG64 Stable_Map=0, Volatile_Map=0;
|
|
ULONG64 BaseBlock;
|
|
ULONG StorageOffset, DUAL_Size;
|
|
FIELD_INFO offField = {"Hive.Storage", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "_CMHIVE", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 1, &offField
|
|
};
|
|
|
|
// Get the offset of Hive.Storage in _CMHIVE
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
dprintf("Cannot find _CMHIVE type.\n");
|
|
return ;
|
|
}
|
|
|
|
StorageOffset = (ULONG) offField.address;
|
|
|
|
dprintf("\ndumping hive at %p ",pHive);
|
|
|
|
if (GetFieldValue(pHive, "nt!_CMHIVE", "Hive.BaseBlock", BaseBlock)) {
|
|
dprintf("\tCan't CMHIVE Read from %p\n",pHive);
|
|
return;
|
|
}
|
|
|
|
if (GetFieldValue( BaseBlock, "_HBASE_BLOCK", "FileName", FileName )) {
|
|
wcscpy(FileName, L"UNKNOWN");
|
|
} else {
|
|
if (FileName[0]==L'\0') {
|
|
wcscpy(FileName, L"NONAME");
|
|
} else {
|
|
FileName[HBASE_NAME_ALLOC/2]=L'\0';
|
|
}
|
|
}
|
|
|
|
dprintf("(%ws)\n",FileName);
|
|
|
|
DUAL_Size = GetTypeSize("_DUAL");
|
|
GetFieldValue(pHive + StorageOffset + Stable*DUAL_Size, "_DUAL", "Length", Stable_Length);
|
|
GetFieldValue(pHive + StorageOffset + Volatile*DUAL_Size, "_DUAL", "Length", Volatile_Length);
|
|
GetFieldValue(pHive + StorageOffset + Stable*DUAL_Size, "_DUAL", "Map", Stable_Map);
|
|
GetFieldValue(pHive + StorageOffset + Volatile*DUAL_Size, "_DUAL", "Map", Volatile_Map);
|
|
|
|
dprintf(" Stable Length = %lx\n",Stable_Length);
|
|
if (SavePages) {
|
|
sprintf(buf,
|
|
"%ws %d %d\n",
|
|
FileName,
|
|
Stable_Length,
|
|
Volatile_Length);
|
|
WriteFile( TempFile, buf, strlen(buf), &cb, NULL );
|
|
}
|
|
poolDumpMap(Stable_Length, Stable_Map);
|
|
|
|
dprintf(" Volatile Length = %lx\n",Volatile_Length);
|
|
poolDumpMap(Volatile_Length, Volatile_Map);
|
|
|
|
}
|
|
|
|
|
|
VOID
|
|
poolDumpMap(
|
|
IN ULONG Length,
|
|
IN ULONG64 Map
|
|
)
|
|
{
|
|
ULONG Tables;
|
|
ULONG MapSlots;
|
|
ULONG i;
|
|
ULONG BytesRead;
|
|
ULONG64 MapTable;
|
|
ULONG Garbage;
|
|
ULONG Present=0;
|
|
CHAR buf[512];
|
|
ULONG cb;
|
|
|
|
// Get the offsets
|
|
if (!GotOnce) {
|
|
if (GetFieldOffset("_HMAP_DIRECTORY", "Directory", &DirectoryOffset)){
|
|
return;
|
|
}
|
|
if (GetFieldOffset("_HMAP_ENTRY", "BlockAddress", &BlockAddrOffset)) {
|
|
return;
|
|
}
|
|
if (GetFieldOffset("_HMAP_TABLE", "Table", &TableOffset)) {
|
|
return;
|
|
}
|
|
PtrSize = DBG_PTR_SIZE;
|
|
ULongSize = sizeof(ULONG); // This doesn't change with target GetTypeSize("ULONG");
|
|
HMapSize = GetTypeSize("_HMAP_ENTRY");
|
|
GotOnce = TRUE;
|
|
}
|
|
|
|
if (Length==0) {
|
|
return;
|
|
}
|
|
|
|
MapSlots = Length / HBLOCK_SIZE;
|
|
Tables = 1+ ((MapSlots-1) / HTABLE_SLOTS);
|
|
|
|
//
|
|
// read in map directory
|
|
//
|
|
// ReadMemory((DWORD)Map,
|
|
// &MapDirectory,
|
|
// Tables * sizeof(PHMAP_TABLE),
|
|
// &BytesRead);
|
|
/* if (BytesRead < (Tables * sizeof(PHMAP_TABLE))) {
|
|
dprintf("Only read %lx/%lx bytes from %lx\n",
|
|
BytesRead,
|
|
Tables * sizeof(PHMAP_TABLE),
|
|
Map);
|
|
return;
|
|
|
|
}*/
|
|
|
|
//
|
|
// check out each map entry
|
|
//
|
|
for (i=0; i<MapSlots; i++) {
|
|
ULONG64 MapEntryAddress, BlockAddress=0;
|
|
|
|
if (!ReadPointer(Map + DirectoryOffset + (i/HTABLE_SLOTS)*PtrSize,
|
|
&MapTable))
|
|
return;
|
|
|
|
MapEntryAddress = MapTable + TableOffset + (i%HTABLE_SLOTS) * HMapSize;
|
|
if (!ReadPointer(MapEntryAddress, &BlockAddress)) {
|
|
dprintf(" can't read HMAP_ENTRY at %p\n",
|
|
MapEntryAddress);
|
|
}
|
|
|
|
if (SavePages) {
|
|
sprintf(buf, "%I64lx\n",UNEXTEND64(BlockAddress));
|
|
WriteFile( TempFile, buf, strlen(buf), &cb, NULL );
|
|
dprintf("%s",buf);
|
|
}
|
|
|
|
//
|
|
// probe the HBLOCK
|
|
//
|
|
ReadMemory( BlockAddress,
|
|
&Garbage,
|
|
sizeof(ULONG),
|
|
&BytesRead);
|
|
if (BytesRead > 0) {
|
|
++Present;
|
|
}
|
|
if (CheckControlC()) {
|
|
return;
|
|
}
|
|
}
|
|
dprintf(" %d/%d pages present\n",
|
|
Present,
|
|
MapSlots);
|
|
|
|
TotalPages += MapSlots;
|
|
TotalPresentPages += Present;
|
|
|
|
}
|
|
|
|
|
|
void
|
|
dumpHiveFromFile(
|
|
HANDLE hFile
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Takes a list of the registry hives and pages from a file and
|
|
checks to see how many of the pages are in memory.
|
|
|
|
The format of the file is as follows
|
|
hivename stablelength volatilelength
|
|
stable page address
|
|
stable page address
|
|
.
|
|
.
|
|
.
|
|
volatile page address
|
|
volatile page address
|
|
.
|
|
.
|
|
.
|
|
hivename stablelength volatilelength
|
|
.
|
|
.
|
|
.
|
|
|
|
|
|
Arguments:
|
|
|
|
File - Supplies a file.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
#if 0
|
|
CHAR Hivename[33];
|
|
ULONG StableLength;
|
|
ULONG VolatileLength;
|
|
ULONG64 Page;
|
|
ULONG NumFields;
|
|
ULONG Garbage;
|
|
ULONG Present;
|
|
ULONG Total;
|
|
ULONG BytesRead;
|
|
BYTE buf[512];
|
|
|
|
while (!feof(File)) {
|
|
NumFields = fscanf(File,"%s %d %d\n",
|
|
Hivename,
|
|
&StableLength,
|
|
&VolatileLength);
|
|
if (NumFields != 3) {
|
|
dprintf("fscanf returned %d\n",NumFields);
|
|
return;
|
|
}
|
|
|
|
dprintf("\ndumping hive %s\n",Hivename);
|
|
dprintf(" Stable Length = %lx\n",StableLength);
|
|
Present = 0;
|
|
Total = 0;
|
|
while (StableLength > 0) {
|
|
fscanf(File, "%I64lx\n",&Page);
|
|
ReadMemory((DWORD)Page,
|
|
&Garbage,
|
|
sizeof(ULONG),
|
|
&BytesRead);
|
|
if (BytesRead > 0) {
|
|
++Present;
|
|
}
|
|
++Total;
|
|
StableLength -= HBLOCK_SIZE;
|
|
}
|
|
if (Total > 0) {
|
|
dprintf(" %d/%d stable pages present\n",
|
|
Present,Total);
|
|
}
|
|
TotalPages += Total;
|
|
TotalPresentPages += Present;
|
|
|
|
dprintf(" Volatile Length = %lx\n",VolatileLength);
|
|
Present = 0;
|
|
Total = 0;
|
|
while (VolatileLength > 0) {
|
|
fscanf(File, "%lx\n",&Page);
|
|
ReadMemory(Page,
|
|
&Garbage,
|
|
sizeof(ULONG),
|
|
&BytesRead);
|
|
if (BytesRead > 0) {
|
|
++Present;
|
|
}
|
|
++Total;
|
|
VolatileLength -= HBLOCK_SIZE;
|
|
}
|
|
if (Total > 0) {
|
|
dprintf(" %d/%d volatile pages present\n",
|
|
Present,Total);
|
|
}
|
|
|
|
TotalPages += Total;
|
|
TotalPresentPages += Present;
|
|
}
|
|
#endif //0
|
|
}
|
|
|
|
USHORT
|
|
GetKcbName(
|
|
ULONG64 KcbAddr,
|
|
PWCHAR NameBuffer,
|
|
ULONG BufferSize
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Takes a kcb and dump its complete name.
|
|
|
|
Arguments:
|
|
|
|
KcbAddr - Address of key control block.
|
|
|
|
NameBuffer - The Name buffer to fill in the name.
|
|
|
|
BufferSize - Size of Buffer.
|
|
Return Value:
|
|
|
|
Size of Name String.
|
|
|
|
--*/
|
|
{
|
|
WCHAR Name[ 256 ];
|
|
ULONG64 TmpKcbAddr;
|
|
ULONG64 NameBlockAddr;
|
|
DWORD BytesRead;
|
|
ULONG Length;
|
|
ULONG TotalLength;
|
|
ULONG size;
|
|
ULONG i;
|
|
ULONG BeginPosition;
|
|
ULONG NameOffset;
|
|
WCHAR *w1, *w2;
|
|
WCHAR *BufferEnd;
|
|
UCHAR *u2;
|
|
|
|
//
|
|
// Calculate the total string length.
|
|
//
|
|
TotalLength = 0;
|
|
TmpKcbAddr = KcbAddr;
|
|
// dprintf("Kcb %p ", KcbAddr);
|
|
while (TmpKcbAddr) {
|
|
ULONG Compressed=0, NameLength=0;
|
|
|
|
if (GetFieldValue(TmpKcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "NameBlock", NameBlockAddr)) {
|
|
dprintf("Cannot find CM_KEY_CONTROL_BLOCK type.\n");
|
|
return 0;
|
|
}
|
|
|
|
if (GetFieldValue(NameBlockAddr, "nt!_CM_NAME_CONTROL_BLOCK", "Compressed", Compressed) ||
|
|
GetFieldValue(NameBlockAddr, "nt!_CM_NAME_CONTROL_BLOCK", "NameLength", NameLength)) {
|
|
dprintf("Cannot find type _CM_NAME_CONTROL_BLOCK.\n");
|
|
return 0;
|
|
}
|
|
|
|
if (Compressed) {
|
|
Length = NameLength * sizeof(WCHAR);
|
|
} else {
|
|
Length = NameLength;
|
|
}
|
|
TotalLength += Length;
|
|
|
|
//
|
|
// Add the sapce for OBJ_NAME_PATH_SEPARATOR;
|
|
//
|
|
TotalLength += sizeof(WCHAR);
|
|
|
|
GetFieldValue(TmpKcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "ParentKcb", TmpKcbAddr);
|
|
|
|
if (CheckControlC()) {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
BufferEnd = &(NameBuffer[BufferSize/sizeof(WCHAR) - 1]);
|
|
if (TotalLength < BufferSize) {
|
|
NameBuffer[TotalLength/sizeof(WCHAR)] = UNICODE_NULL;
|
|
} else {
|
|
*BufferEnd = UNICODE_NULL;
|
|
}
|
|
|
|
//
|
|
// Now fill the name into the buffer.
|
|
//
|
|
TmpKcbAddr = KcbAddr;
|
|
BeginPosition = TotalLength;
|
|
GetFieldOffset("nt!_CM_NAME_CONTROL_BLOCK", "Name", &NameOffset);
|
|
|
|
while (TmpKcbAddr) {
|
|
ULONG NameLength=0, Compressed=0;
|
|
//
|
|
// Read the information.
|
|
//
|
|
if (GetFieldValue(TmpKcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "NameBlock", NameBlockAddr)) {
|
|
dprintf("Cannot find CM_KEY_CONTROL_BLOCK type.\n");
|
|
return 0;
|
|
}
|
|
|
|
if (GetFieldValue(NameBlockAddr, "nt!_CM_NAME_CONTROL_BLOCK", "Compressed", Compressed) ||
|
|
GetFieldValue(NameBlockAddr, "nt!_CM_NAME_CONTROL_BLOCK", "NameLength", NameLength)) {
|
|
dprintf("Cannot find type _CM_NAME_CONTROL_BLOCK.\n");
|
|
return 0;
|
|
}
|
|
|
|
if (NameLength > sizeof(Name)) {
|
|
NameLength = sizeof(Name);
|
|
}
|
|
|
|
ReadMemory(NameBlockAddr + NameOffset,// FIELD_OFFSET(CM_NAME_CONTROL_BLOCK, Name),
|
|
Name,
|
|
NameLength,
|
|
&BytesRead);
|
|
|
|
if (BytesRead < NameLength) {
|
|
dprintf("Could not read Name BUFFER: 5\n");
|
|
return (0);
|
|
}
|
|
|
|
//
|
|
// Calculate the begin position of each subkey. Then fill in the char.
|
|
//
|
|
if (Compressed) {
|
|
BeginPosition -= (NameLength + 1) * sizeof(WCHAR);
|
|
w1 = &(NameBuffer[BeginPosition/sizeof(WCHAR)]);
|
|
if (w1 < BufferEnd) {
|
|
*w1 = OBJ_NAME_PATH_SEPARATOR;
|
|
}
|
|
w1++;
|
|
|
|
u2 = (UCHAR *) &(Name[0]);
|
|
|
|
for (i=0; i<NameLength; i++) {
|
|
if (w1 < BufferEnd) {
|
|
*w1 = (WCHAR)(*u2);
|
|
} else {
|
|
break;
|
|
}
|
|
w1++;
|
|
u2++;
|
|
}
|
|
} else {
|
|
BeginPosition -= (NameLength + sizeof(WCHAR));
|
|
w1 = &(NameBuffer[BeginPosition/sizeof(WCHAR)]);
|
|
if (w1 < BufferEnd) {
|
|
*w1 = OBJ_NAME_PATH_SEPARATOR;
|
|
}
|
|
w1++;
|
|
|
|
w2 = Name;
|
|
|
|
for (i=0; i<NameLength; i=i+sizeof(WCHAR)) {
|
|
if (w1 < BufferEnd) {
|
|
*w1 = *w2;
|
|
} else {
|
|
break;
|
|
}
|
|
w1++;
|
|
w2++;
|
|
}
|
|
}
|
|
GetFieldValue(TmpKcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "ParentKcb", TmpKcbAddr);
|
|
}
|
|
// dprintf("\n%5d, %ws\n", TotalLength, NameBuffer);
|
|
return ((USHORT) TotalLength);
|
|
|
|
}
|
|
|
|
#define CMP_CELL_CACHED_MASK 1
|
|
|
|
#define CMP_IS_CELL_CACHED(Cell) ((ULONG64) (Cell) & CMP_CELL_CACHED_MASK)
|
|
#define CMP_GET_CACHED_ADDRESS(Cell) (((ULONG64) (Cell)) & ~CMP_CELL_CACHED_MASK)
|
|
|
|
void
|
|
regkcb(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the name when given a KCB address
|
|
|
|
Called as:
|
|
|
|
!regkcb KCB_Address
|
|
|
|
Arguments:
|
|
|
|
args - Supplies the address of the KCB.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
WCHAR KeyName[ 256 ];
|
|
ULONG64 KcbAddr, ParentKcbAddr, KeyHiveAddr, IndexHintAddr,RealKcb;
|
|
DWORD BytesRead;
|
|
ULONG ExtFlags, Delete, Flags, KeyCell, KcbMaxNameLen, KcbMaxValueNameLen,KcbMaxValueDataLen,SubKeyCount,ValueCount;
|
|
ULONG ValueCacheOffset,i,CellIndex;
|
|
ULONG64 ValueList,ValueAddr,CellData;
|
|
USHORT RefCount, TotalLevels;
|
|
SHORT DelayedCloseIndex;
|
|
LARGE_INTEGER KcbLastWriteTime;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG KeyBodyListHeadOffset;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&KcbAddr)) {
|
|
KcbAddr = GetExpression(args + strlen(Dummy));
|
|
}
|
|
|
|
if (GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "ExtFlags", ExtFlags) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "Flags", Flags) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "Delete", Delete) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "RefCount", RefCount) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "ParentKcb", ParentKcbAddr) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "KeyHive", KeyHiveAddr) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "KeyCell", KeyCell) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "TotalLevels", TotalLevels) ||
|
|
GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "DelayedCloseIndex", DelayedCloseIndex)
|
|
) {
|
|
dprintf("Could not read Kcb\n");
|
|
return;
|
|
}
|
|
|
|
if(GetKcbName(KcbAddr, KeyName, sizeof(KeyName))) {
|
|
dprintf("Key : %ws\n", KeyName);
|
|
} else {
|
|
dprintf("Could not read key name\n");
|
|
return;
|
|
}
|
|
|
|
dprintf("RefCount : %lx\n", RefCount);
|
|
dprintf("Flags :");
|
|
if (Delete) {
|
|
dprintf(" Deleted,");
|
|
}
|
|
if (Flags & KEY_COMP_NAME) {
|
|
dprintf(" CompressedName,");
|
|
}
|
|
if (Flags & KEY_PREDEF_HANDLE) {
|
|
dprintf(" PredefinedHandle,");
|
|
}
|
|
if (Flags & KEY_SYM_LINK) {
|
|
dprintf(" SymbolicLink,");
|
|
}
|
|
if (Flags & KEY_NO_DELETE) {
|
|
dprintf(" NoDelete,");
|
|
}
|
|
if (Flags & KEY_HIVE_EXIT) {
|
|
dprintf(" HiveExit,");
|
|
}
|
|
if (Flags & KEY_HIVE_ENTRY) {
|
|
dprintf(" HiveEntry,");
|
|
}
|
|
if (Flags & KEY_VOLATILE) {
|
|
dprintf(" Volatile");
|
|
} else {
|
|
dprintf(" Stable");
|
|
}
|
|
|
|
dprintf("\n");
|
|
|
|
dprintf("ExtFlags :");
|
|
if (ExtFlags & CM_KCB_KEY_NON_EXIST) {
|
|
dprintf(" Fake,");
|
|
}
|
|
if (ExtFlags & CM_KCB_SYM_LINK_FOUND) {
|
|
dprintf(" SymbolicLinkFound,");
|
|
}
|
|
if (ExtFlags & CM_KCB_NO_DELAY_CLOSE) {
|
|
dprintf(" NoDelayClose,");
|
|
}
|
|
if (ExtFlags & CM_KCB_INVALID_CACHED_INFO) {
|
|
dprintf(" InvalidCachedInfo,");
|
|
}
|
|
if (ExtFlags & CM_KCB_NO_SUBKEY) {
|
|
dprintf(" NoSubKey,");
|
|
}
|
|
if (ExtFlags & CM_KCB_SUBKEY_ONE) {
|
|
dprintf(" SubKeyOne,");
|
|
}
|
|
if (ExtFlags & CM_KCB_SUBKEY_HINT) {
|
|
dprintf(" SubKeyHint");
|
|
}
|
|
dprintf("\n");
|
|
|
|
dprintf("Parent : 0x%p\n", ParentKcbAddr);
|
|
dprintf("KeyHive : 0x%p\n", KeyHiveAddr);
|
|
dprintf("KeyCell : 0x%lx [cell index]\n", KeyCell);
|
|
dprintf("TotalLevels : %u\n", TotalLevels);
|
|
dprintf("DelayedCloseIndex: %d\n", DelayedCloseIndex);
|
|
|
|
if(!GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "KcbMaxNameLen", KcbMaxNameLen)) {
|
|
dprintf("MaxNameLen : 0x%lx\n", KcbMaxNameLen);
|
|
}
|
|
if(!GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "KcbMaxValueNameLen", KcbMaxValueNameLen)) {
|
|
dprintf("MaxValueNameLen : 0x%lx\n", KcbMaxValueNameLen);
|
|
}
|
|
if(!GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "KcbMaxValueDataLen", KcbMaxValueDataLen)) {
|
|
dprintf("MaxValueDataLen : 0x%lx\n", KcbMaxValueDataLen);
|
|
}
|
|
if(!GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "KcbLastWriteTime", KcbLastWriteTime)) {
|
|
dprintf("LastWriteTime : 0x%8lx:0x%8lx\n", KcbLastWriteTime.HighPart,KcbLastWriteTime.LowPart);
|
|
}
|
|
|
|
if( !GetFieldOffset("nt!_CM_KEY_CONTROL_BLOCK", "KeyBodyListHead", &KeyBodyListHeadOffset) ) {
|
|
ParentKcbAddr = KcbAddr + KeyBodyListHeadOffset;
|
|
|
|
dprintf("KeyBodyListHead : ");
|
|
if (!GetFieldValue(ParentKcbAddr, "nt!_LIST_ENTRY", "Flink", KeyHiveAddr)) {
|
|
dprintf("0x%p ", KeyHiveAddr);
|
|
}
|
|
if (!GetFieldValue(ParentKcbAddr, "nt!_LIST_ENTRY", "Blink", KeyHiveAddr)) {
|
|
dprintf("0x%p", KeyHiveAddr);
|
|
}
|
|
dprintf("\n");
|
|
}
|
|
if(!(Flags&KEY_HIVE_ENTRY)) {
|
|
dprintf("SubKeyCount : ");
|
|
if( !(ExtFlags & CM_KCB_INVALID_CACHED_INFO) ) {
|
|
if (ExtFlags & CM_KCB_NO_SUBKEY ) {
|
|
dprintf("0");
|
|
} else if (ExtFlags & CM_KCB_SUBKEY_ONE ) {
|
|
dprintf("1");
|
|
} else if (ExtFlags & CM_KCB_SUBKEY_HINT ) {
|
|
if( !GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "IndexHint", IndexHintAddr) ) {
|
|
if( !GetFieldValue(IndexHintAddr, "CM_INDEX_HINT_BLOCK", "Count", SubKeyCount) ) {
|
|
dprintf("%lu",SubKeyCount);
|
|
}
|
|
}
|
|
} else {
|
|
if( !GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", "SubKeyCount", SubKeyCount) ) {
|
|
dprintf("%lu",SubKeyCount);
|
|
}
|
|
}
|
|
} else {
|
|
dprintf("hint not valid");
|
|
}
|
|
dprintf("\n");
|
|
}
|
|
|
|
GetFieldOffset("nt!_CM_KEY_CONTROL_BLOCK", "ValueCache", &ValueCacheOffset);
|
|
if( ExtFlags & CM_KCB_SYM_LINK_FOUND ) {
|
|
if(!GetFieldValue(KcbAddr + ValueCacheOffset, "nt!_CACHED_CHILD_LIST", "RealKcb", RealKcb)) {
|
|
dprintf("RealKcb : 0x%p\n", RealKcb);
|
|
}
|
|
} else {
|
|
if(!GetFieldValue(KcbAddr + ValueCacheOffset, "nt!_CACHED_CHILD_LIST", "Count", ValueCount)) {
|
|
dprintf("ValueCache.Count : %lu\n", ValueCount);
|
|
if(!GetFieldValue(KcbAddr + ValueCacheOffset, "nt!_CACHED_CHILD_LIST", "ValueList", ValueList)) {
|
|
if (CMP_IS_CELL_CACHED(ValueList)) {
|
|
ValueList = CMP_GET_CACHED_ADDRESS(ValueList);
|
|
if(!GetFieldValue(ValueList, "nt!_CM_CACHED_VALUE_INDEX", "CellIndex", CellIndex) ) {
|
|
|
|
dprintf("ValueList : 0x%lx\n", CellIndex);
|
|
|
|
GetFieldOffset("nt!_CM_CACHED_VALUE_INDEX", "Data.CellData", &ValueCacheOffset);
|
|
ValueList += ValueCacheOffset;
|
|
for (i = 0; i < ValueCount; i++) {
|
|
|
|
dprintf(" ValueList[%2lu] = ",i);
|
|
|
|
ReadMemory(ValueList + i*PtrSize, &ValueAddr, PtrSize, &BytesRead);
|
|
if (BytesRead < PtrSize) {
|
|
dprintf("Couldn't read memory\n");
|
|
} else {
|
|
dprintf(" 0x%p\n",ValueAddr);
|
|
}
|
|
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
} else {
|
|
dprintf("ValueCache.List : 0x%p\n", ValueList);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// Miscelaneous Hash routines
|
|
//
|
|
ULONG CmpHashTableSize = 0;
|
|
#define RNDM_CONSTANT 314159269 /* default value for "scrambling constant" */
|
|
#define RNDM_PRIME 1000000007 /* prime number, also used for scrambling */
|
|
|
|
#define HASH_KEY(_convkey_) ((RNDM_CONSTANT * (_convkey_)) % RNDM_PRIME)
|
|
|
|
#define GET_HASH_INDEX(Key) HASH_KEY(Key) % CmpHashTableSize
|
|
#define GET_HASH_ENTRY(Table, Key) Table[GET_HASH_INDEX(Key)]
|
|
|
|
|
|
void
|
|
regopenkeys(
|
|
LPSTR args,
|
|
LPSTR subkey
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the registry hash table
|
|
|
|
Called as:
|
|
|
|
!openkeys <HiveAddr|0>
|
|
|
|
Arguments:
|
|
|
|
CurrentPc - Supplies the current pc at the time the extension is
|
|
called.
|
|
|
|
lpExtensionApis - Supplies the address of the functions callable
|
|
by this extension.
|
|
|
|
lpArgumentString - Supplies the pattern and expression for this
|
|
command.
|
|
|
|
Return Value:
|
|
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
DWORD64 TableSizeAddr;
|
|
DWORD64 HashTableAddr;
|
|
ULONG64 HashTable;
|
|
DWORD i;
|
|
ULONG64 KcbAddr;
|
|
WCHAR KeyName[ 256 ];
|
|
ULONG64 HashEntryAddr;
|
|
DWORD BytesRead;
|
|
ULONG KeyHashOffset;
|
|
BOOLEAN First;
|
|
ULONG64 TargetHive = 0;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG ConvKey = 0;
|
|
ULONG j,Count;
|
|
ULONG SearchedIndex;
|
|
WCHAR FullKeyName[ 512 ];
|
|
|
|
TableSizeAddr = GetExpression("nt!CmpHashTableSize");
|
|
if (TableSizeAddr == 0) {
|
|
dprintf("Couldn't find address of CmpHashTableSize\n");
|
|
return;
|
|
}
|
|
|
|
HashTableAddr = GetExpression("nt!CmpCacheTable");
|
|
if (HashTableAddr == 0) {
|
|
dprintf("Couldn't find address of CmpCacheTable\n");
|
|
return;
|
|
}
|
|
ReadMemory(TableSizeAddr, &CmpHashTableSize, sizeof(CmpHashTableSize), &BytesRead);
|
|
if (BytesRead < sizeof(CmpHashTableSize)) {
|
|
dprintf("Couldn't get CmpHashTableSize from %08p\n",TableSizeAddr);
|
|
return;
|
|
}
|
|
|
|
if (!ReadPointer(HashTableAddr, &HashTable) || !HashTable) {
|
|
dprintf("Couldn't get CmpCacheTable from %08p\n",HashTableAddr);
|
|
return;
|
|
}
|
|
|
|
if( subkey == NULL ) {
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&TargetHive)) {
|
|
TargetHive = GetExpression(args + strlen(Dummy));
|
|
}
|
|
|
|
i=0;
|
|
SearchedIndex = CmpHashTableSize - 1;
|
|
} else {
|
|
for( Count=0;subkey[Count];Count++) {
|
|
FullKeyName[Count] = (WCHAR)subkey[Count];
|
|
if( FullKeyName[Count] != OBJ_NAME_PATH_SEPARATOR ) {
|
|
ConvKey = 37 * ConvKey + (ULONG) RtlUpcaseUnicodeChar(FullKeyName[Count]);
|
|
}
|
|
}
|
|
FullKeyName[Count] = UNICODE_NULL;
|
|
SearchedIndex = GET_HASH_INDEX(ConvKey);
|
|
i=SearchedIndex;
|
|
}
|
|
|
|
|
|
GetFieldOffset("nt!_CM_KEY_CONTROL_BLOCK", "KeyHash", &KeyHashOffset);
|
|
|
|
for (; i<=SearchedIndex; i++) {
|
|
if (CheckControlC()) {
|
|
return;
|
|
}
|
|
|
|
if (!ReadPointer(HashTable + i*PtrSize,&HashEntryAddr)) {
|
|
dprintf("Couldn't get HashEntryAddr from %08p\n", HashTable + i*PtrSize);
|
|
continue;
|
|
}
|
|
if (HashEntryAddr != 0) {
|
|
First = TRUE;
|
|
while (HashEntryAddr != 0) {
|
|
#define KcbFld(F) GetFieldValue(KcbAddr, "nt!_CM_KEY_CONTROL_BLOCK", #F, F)
|
|
ULONG64 KeyHive, NextHash;
|
|
ULONG KeyCell, Flags, ExtFlags;
|
|
|
|
KcbAddr = HashEntryAddr - KeyHashOffset;
|
|
if (KcbFld(ConvKey)) {
|
|
dprintf("Couldn't get HashEntry from %08lx\n", HashEntryAddr);
|
|
break;
|
|
}
|
|
|
|
KcbFld(KeyHive); KcbFld(KeyCell);
|
|
KcbFld(Flags); KcbFld(ExtFlags); KcbFld(NextHash);
|
|
|
|
if( subkey == NULL ) {
|
|
if( (TargetHive == 0) || ((ULONG64)TargetHive == (ULONG64)KeyHive) ) {
|
|
if( !First ) {
|
|
dprintf("\t");
|
|
} else {
|
|
dprintf("Index %x: ",i);
|
|
}
|
|
dprintf("\t %08lx kcb=%p cell=%08lx f=%04lx%04lx ",
|
|
ConvKey,
|
|
KcbAddr,
|
|
KeyCell,
|
|
Flags,
|
|
ExtFlags);
|
|
First = FALSE;
|
|
if (GetKcbName(KcbAddr, KeyName, sizeof(KeyName))) {
|
|
dprintf("%ws\n", KeyName);
|
|
}
|
|
}
|
|
} else {
|
|
//
|
|
// findkcb case
|
|
//
|
|
if (GetKcbName(KcbAddr, KeyName, sizeof(KeyName))) {
|
|
for(j=0;KeyName[j] != UNICODE_NULL;j++);
|
|
if( (j == Count) && (_wcsnicmp(FullKeyName,KeyName,Count) == 0) ) {
|
|
dprintf("\nFound KCB = %p :: %ws\n\n",KcbAddr,KeyName);
|
|
return;
|
|
}
|
|
}
|
|
|
|
}
|
|
HashEntryAddr = NextHash;
|
|
if (CheckControlC()) {
|
|
return;
|
|
}
|
|
#undef KcbFld
|
|
}
|
|
}
|
|
}
|
|
if( subkey != NULL ) {
|
|
dprintf("\nSorry <%ws> is not cached \n\n",FullKeyName);
|
|
}
|
|
|
|
}
|
|
|
|
void
|
|
regcellindex(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the name when given a KCB address
|
|
|
|
Called as:
|
|
|
|
!cellindex HiveAddr HCELL_INDEX
|
|
|
|
Arguments:
|
|
|
|
args - Supplies the address of the HCELL_INDEX.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 HiveAddr;
|
|
ULONG IdxAddr;
|
|
ULONG64 pcell;
|
|
BOOLEAN Flat;
|
|
CHAR Dummy[ 256 ];
|
|
|
|
if (sscanf(args,"%255s %lX %lx",Dummy,&HiveAddr,&IdxAddr)) {
|
|
if (GetExpressionEx(args + strlen(Dummy), &HiveAddr, &args)) {
|
|
IdxAddr = (ULONG) GetExpression(args);
|
|
}
|
|
}
|
|
|
|
if(!GetFieldValue(HiveAddr, "nt!_HHIVE", "Flat", Flat) ){
|
|
if(Flat) {
|
|
pcell = MyHvpGetCellFlat(HiveAddr,IdxAddr);
|
|
} else {
|
|
pcell = MyHvpGetCellPaged(HiveAddr,IdxAddr);
|
|
}
|
|
|
|
dprintf("pcell: %p\n",pcell);
|
|
} else {
|
|
dprintf("could not read hive\n");
|
|
}
|
|
}
|
|
|
|
void
|
|
reghashindex (
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
display the index for the convkey
|
|
|
|
Called as:
|
|
|
|
!hashindex conv_key
|
|
|
|
Arguments:
|
|
|
|
args - convkey.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG ConvKey;
|
|
CHAR Dummy[ 256 ];
|
|
DWORD64 TableSizeAddr;
|
|
DWORD64 HashTableAddr;
|
|
ULONG64 HashTable;
|
|
DWORD BytesRead;
|
|
ULONG Index;
|
|
|
|
if (!sscanf(args,"%255s %lx",Dummy,&ConvKey)) {
|
|
ConvKey = 0;
|
|
}
|
|
|
|
TableSizeAddr = GetExpression("nt!CmpHashTableSize");
|
|
if (TableSizeAddr == 0) {
|
|
dprintf("Couldn't find address of CmpHashTableSize\n");
|
|
return;
|
|
}
|
|
|
|
ReadMemory(TableSizeAddr, &CmpHashTableSize, sizeof(CmpHashTableSize), &BytesRead);
|
|
if (BytesRead < sizeof(CmpHashTableSize)) {
|
|
dprintf("Couldn't get CmpHashTableSize from %08p\n",TableSizeAddr);
|
|
return;
|
|
}
|
|
|
|
HashTableAddr = GetExpression("nt!CmpCacheTable");
|
|
if (HashTableAddr == 0) {
|
|
dprintf("Couldn't find address of CmpCacheTable\n");
|
|
return ;
|
|
}
|
|
if (!ReadPointer(HashTableAddr, &HashTable)) {
|
|
dprintf("Couldn't get CmpCacheTable from %08p\n",HashTableAddr);
|
|
return;
|
|
} else {
|
|
dprintf("CmpCacheTable = %p\n\n",HashTable);
|
|
}
|
|
|
|
Index = GET_HASH_INDEX(ConvKey);
|
|
HashTable += Index*PtrSize;
|
|
dprintf("Hash Index[%8lx] : %lx\n",ConvKey,Index);
|
|
dprintf("Hash Entry[%8lx] : %p\n",ConvKey,HashTable);
|
|
}
|
|
|
|
void
|
|
regknode(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the name when given a KCB address
|
|
|
|
Called as:
|
|
|
|
!knode KNode_Address
|
|
|
|
Arguments:
|
|
|
|
args - Supplies the address of the CM_KEY_NODE.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
char KeyName[ 256 ];
|
|
ULONG64 KnodeAddr;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
USHORT Signature,Flags,NameLength;
|
|
LARGE_INTEGER LastWriteTime;
|
|
ULONG Parent,MaxNameLen,MaxClassLen,MaxValueNameLen,MaxValueDataLen,Security,Class;
|
|
ULONG KeyNameOffset,Count,ValueList;
|
|
ULONG SubKeys[4];
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&KnodeAddr)) {
|
|
|
|
KnodeAddr = GetExpression(args + strlen(Dummy));
|
|
}
|
|
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "Signature", Signature) ) {
|
|
if( Signature == CM_KEY_NODE_SIGNATURE) {
|
|
dprintf("Signature: CM_KEY_NODE_SIGNATURE (kn)\n");
|
|
} else if(Signature == CM_LINK_NODE_SIGNATURE) {
|
|
dprintf("Signature: CM_LINK_NODE_SIGNATURE (kl)\n");
|
|
} else {
|
|
dprintf("Invalid Signature %u\n",Signature);
|
|
}
|
|
}
|
|
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "NameLength", NameLength) ) {
|
|
GetFieldOffset("CM_KEY_NODE", "Name", &KeyNameOffset);
|
|
if (NameLength >= sizeof(KeyName))
|
|
{
|
|
NameLength = sizeof(KeyName)-1;
|
|
}
|
|
if( !ReadMemory(KnodeAddr + KeyNameOffset,
|
|
KeyName,
|
|
NameLength,
|
|
&BytesRead) ) {
|
|
dprintf("Could not read KeyName\n");
|
|
} else {
|
|
KeyName[NameLength] = '\0';
|
|
dprintf("Name : %s\n", KeyName);
|
|
}
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "Parent", Parent) ) {
|
|
dprintf("ParentCell : 0x%lx\n", Parent);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "Security", Security) ) {
|
|
dprintf("Security : 0x%lx [cell index]\n", Security);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "Class", Class) ) {
|
|
dprintf("Class : 0x%lx [cell index]\n", Class);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "Flags", Flags) ) {
|
|
dprintf("Flags : 0x%lx\n", Flags);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "MaxNameLen", MaxNameLen) ) {
|
|
dprintf("MaxNameLen : 0x%lx\n", MaxNameLen);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "MaxClassLen", MaxClassLen) ) {
|
|
dprintf("MaxClassLen : 0x%lx\n", MaxClassLen);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "MaxValueNameLen", MaxValueNameLen) ) {
|
|
dprintf("MaxValueNameLen : 0x%lx\n", MaxValueNameLen);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "MaxValueDataLen", MaxValueDataLen) ) {
|
|
dprintf("MaxValueDataLen : 0x%lx\n", MaxValueDataLen);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "LastWriteTime", LastWriteTime) ) {
|
|
dprintf("LastWriteTime : 0x%8lx:0x%8lx\n", LastWriteTime.HighPart,LastWriteTime.LowPart);
|
|
}
|
|
|
|
if(!(Flags&KEY_HIVE_ENTRY)) {
|
|
GetFieldOffset("nt!_CM_KEY_NODE", "SubKeyCounts", &KeyNameOffset);
|
|
if( !ReadMemory(KnodeAddr + KeyNameOffset,
|
|
SubKeys,
|
|
sizeof(SubKeys),
|
|
&BytesRead) ) {
|
|
dprintf("Could not read SubKey Info\n");
|
|
} else {
|
|
dprintf("SubKeyCount[Stable ]: 0x%lx\n", SubKeys[0]);
|
|
dprintf("SubKeyLists[Stable ]: 0x%lx\n", SubKeys[2]);
|
|
dprintf("SubKeyCount[Volatile]: 0x%lx\n", SubKeys[1]);
|
|
dprintf("SubKeyLists[Volatile]: 0x%lx\n", SubKeys[3]);
|
|
}
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "ValueList.Count", Count)) {
|
|
dprintf("ValueList.Count : 0x%lx\n", Count);
|
|
if (!GetFieldValue(KnodeAddr, "nt!_CM_KEY_NODE", "ValueList.List", ValueList)) {
|
|
dprintf("ValueList.List : 0x%lx\n", ValueList);
|
|
}
|
|
}
|
|
|
|
}
|
|
}
|
|
|
|
void
|
|
regkbody(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
displays a CM_KEY_BODY
|
|
|
|
Called as:
|
|
|
|
!kbody KBody_Address
|
|
|
|
Arguments:
|
|
|
|
args - Supplies the address of the CM_KEY_BODY.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 KbodyAddr,KeyControlBlock,NotifyBlock,Process,KeyBodyList,CallerAddress;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG Type,Offset,Callers,i;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&KbodyAddr)) {
|
|
|
|
KbodyAddr = GetExpression(args+ strlen(Dummy));
|
|
}
|
|
|
|
|
|
if (!GetFieldValue(KbodyAddr, "nt!_CM_KEY_BODY", "Type", Type) ) {
|
|
if( Type == KEY_BODY_TYPE) {
|
|
dprintf("Type : KEY_BODY_TYPE\n");
|
|
} else {
|
|
dprintf("Invalid Type %lx\n",Type);
|
|
return;
|
|
}
|
|
}
|
|
if (!GetFieldValue(KbodyAddr, "nt!_CM_KEY_BODY", "KeyControlBlock", KeyControlBlock) ) {
|
|
dprintf("KCB : %p\n", KeyControlBlock);
|
|
}
|
|
if (!GetFieldValue(KbodyAddr, "nt!_CM_KEY_BODY", "NotifyBlock", NotifyBlock) ) {
|
|
dprintf("NotifyBlock : %p\n", NotifyBlock);
|
|
}
|
|
if (!GetFieldValue(KbodyAddr, "nt!_CM_KEY_BODY", "Process", Process) ) {
|
|
dprintf("Process : %p\n", Process);
|
|
}
|
|
if (!GetFieldValue(KbodyAddr, "nt!_CM_KEY_BODY", "KeyBodyList", KeyBodyList) ) {
|
|
GetFieldOffset("CM_KEY_BODY", "KeyBodyList", &Offset);
|
|
|
|
dprintf("KeyBodyList : ");
|
|
if (!GetFieldValue(KbodyAddr + Offset, "nt!_LIST_ENTRY", "Flink", KeyBodyList)) {
|
|
dprintf("0x%p ", KeyBodyList);
|
|
}
|
|
if (!GetFieldValue(KbodyAddr + Offset, "nt!_LIST_ENTRY", "Blink", KeyBodyList)) {
|
|
dprintf("0x%p", KeyBodyList);
|
|
}
|
|
dprintf("\n");
|
|
}
|
|
if (!GetFieldValue(KbodyAddr, "nt!_CM_KEY_BODY", "Callers", Callers) ) {
|
|
GetFieldOffset("nt!_CM_KEY_BODY", "CallerAddress", &Offset);
|
|
if( Callers ) {
|
|
dprintf("Callers Stack: ");
|
|
}
|
|
for(i = 0;i< Callers;i++) {
|
|
dprintf("[%lu] ",i);
|
|
if( !ReadMemory(KbodyAddr + Offset + i*PtrSize,
|
|
&CallerAddress,
|
|
sizeof(CallerAddress),
|
|
&BytesRead) ) {
|
|
dprintf("Could not memory\n");
|
|
} else {
|
|
dprintf(" %p\n", CallerAddress);
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
|
|
void
|
|
regkvalue(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dumps the name when given a KCB address
|
|
|
|
Called as:
|
|
|
|
!kvalue KValue_Address
|
|
|
|
Arguments:
|
|
|
|
args - Supplies the address of the CM_KEY_NODE.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
char ValName[ 256 ];
|
|
ULONG64 KvalAddr;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG Offset,DataLength,Data,Type;
|
|
USHORT Signature,Flags,NameLength;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&KvalAddr)) {
|
|
|
|
KvalAddr = GetExpression(args+ strlen(Dummy));
|
|
}
|
|
|
|
if (!GetFieldValue(KvalAddr, "nt!_CM_KEY_VALUE", "Signature", Signature) ) {
|
|
if( Signature == CM_KEY_VALUE_SIGNATURE) {
|
|
dprintf("Signature: CM_KEY_VALUE_SIGNATURE (kv)\n");
|
|
} else {
|
|
dprintf("Invalid Signature %lx\n",Signature);
|
|
}
|
|
}
|
|
|
|
if (!GetFieldValue(KvalAddr, "nt!_CM_KEY_VALUE", "Flags", Flags) ) {
|
|
if( (Flags & VALUE_COMP_NAME) &&
|
|
!GetFieldValue(KvalAddr, "nt!_CM_KEY_VALUE", "NameLength", NameLength)
|
|
) {
|
|
if (NameLength >= sizeof(ValName))
|
|
{
|
|
NameLength = sizeof(ValName) -1;
|
|
}
|
|
GetFieldOffset("nt!_CM_KEY_VALUE", "Name", &Offset);
|
|
ReadMemory(KvalAddr + Offset,
|
|
ValName,
|
|
NameLength,
|
|
&BytesRead);
|
|
ValName[NameLength] = '\0';
|
|
dprintf("Name : %s {compressed}\n", ValName);
|
|
}
|
|
}
|
|
|
|
if (!GetFieldValue(KvalAddr, "nt!_CM_KEY_VALUE", "DataLength", DataLength) ) {
|
|
dprintf("DataLength: %lx\n", DataLength);
|
|
}
|
|
if (!GetFieldValue(KvalAddr, "nt!_CM_KEY_VALUE", "Data", Data) ) {
|
|
dprintf("Data : %lx [cell index]\n", Data);
|
|
}
|
|
if (!GetFieldValue(KvalAddr, "nt!_CM_KEY_VALUE", "Type", Type) ) {
|
|
dprintf("Type : %lx\n", Type);
|
|
}
|
|
|
|
}
|
|
|
|
void
|
|
regbaseblock(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
displays the base block structure
|
|
|
|
Called as:
|
|
|
|
!baseblock HiveAddress
|
|
|
|
Arguments:
|
|
|
|
args - convkey.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
WCHAR FileName[HBASE_NAME_ALLOC/sizeof(WCHAR) + 1];
|
|
ULONG64 BaseBlock,HiveAddr;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG Work;
|
|
LARGE_INTEGER TimeStamp;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&HiveAddr)) {
|
|
|
|
HiveAddr = GetExpression(args+ strlen(Dummy));
|
|
}
|
|
|
|
if (GetFieldValue(HiveAddr, "nt!_CMHIVE", "Hive.BaseBlock", BaseBlock)) {
|
|
dprintf("\tCan't CMHIVE Read from %p\n",HiveAddr);
|
|
return;
|
|
}
|
|
|
|
if (GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "FileName", FileName )) {
|
|
wcscpy(FileName, L"UNKNOWN");
|
|
} else {
|
|
if (FileName[0]==L'\0') {
|
|
wcscpy(FileName, L"NONAME");
|
|
} else {
|
|
FileName[HBASE_NAME_ALLOC/sizeof(WCHAR)]=L'\0';
|
|
}
|
|
}
|
|
dprintf("FileName : %ws\n",FileName);
|
|
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Signature", Work )) {
|
|
if( Work == HBASE_BLOCK_SIGNATURE ) {
|
|
dprintf("Signature: HBASE_BLOCK_SIGNATURE\n");
|
|
} else {
|
|
dprintf("Signature: %lx\n",Work);
|
|
}
|
|
}
|
|
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Sequence1", Work )) {
|
|
dprintf("Sequence1: %lx\n",Work);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Sequence2", Work )) {
|
|
dprintf("Sequence2: %lx\n",Work);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "TimeStamp", TimeStamp )) {
|
|
dprintf("TimeStamp: %lx %lx\n",TimeStamp.HighPart,TimeStamp.LowPart);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Major", Work )) {
|
|
dprintf("Major : %lx\n",Work);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Minor", Work )) {
|
|
dprintf("Minor : %lx\n",Work);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Type", Work )) {
|
|
switch(Work) {
|
|
case HFILE_TYPE_PRIMARY:
|
|
dprintf("Type : HFILE_TYPE_PRIMARY\n");
|
|
break;
|
|
case HFILE_TYPE_LOG:
|
|
dprintf("Type : HFILE_TYPE_LOG\n");
|
|
break;
|
|
case HFILE_TYPE_EXTERNAL:
|
|
dprintf("Type : HFILE_TYPE_EXTERNAL\n");
|
|
break;
|
|
default:
|
|
dprintf("Type : %lx\n",Work);
|
|
break;
|
|
|
|
}
|
|
}
|
|
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Format", Work )) {
|
|
if( Work == HBASE_FORMAT_MEMORY ) {
|
|
dprintf("Format : HBASE_FORMAT_MEMORY\n");
|
|
} else {
|
|
dprintf("Format : %lx\n",Work);
|
|
}
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "RootCell", Work )) {
|
|
dprintf("RootCell : %lx\n",Work);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Length", Work )) {
|
|
dprintf("Length : %lx\n",Work);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "Cluster", Work )) {
|
|
dprintf("Cluster : %lx\n",Work);
|
|
}
|
|
if(!GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "CheckSum", Work )) {
|
|
dprintf("CheckSum : %lx\n",Work);
|
|
}
|
|
}
|
|
|
|
void
|
|
reghivelist(
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
dumps all the hives in the system
|
|
|
|
Called as:
|
|
|
|
!hivelist
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 pCmpHiveListHead;
|
|
ULONG64 pNextHiveList;
|
|
ULONG BytesRead, WorkVar;
|
|
ULONG64 CmHive;
|
|
USHORT Count;
|
|
ULONG HiveListOffset;
|
|
FIELD_INFO offField = {"HiveList", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "_CMHIVE", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 1, &offField
|
|
};
|
|
ULONG Stable_Length=0, Volatile_Length=0;
|
|
ULONG64 Stable_Map=0, Volatile_Map=0;
|
|
WCHAR FileName[HBASE_NAME_ALLOC/sizeof(WCHAR) + 1];
|
|
ULONG64 BaseBlock;
|
|
|
|
|
|
//
|
|
// First go and get the hivelisthead
|
|
//
|
|
pCmpHiveListHead = GetExpression("nt!CmpHiveListHead");
|
|
if (pCmpHiveListHead==0) {
|
|
dprintf("CmpHiveListHead couldn't be read\n");
|
|
return;
|
|
}
|
|
|
|
|
|
|
|
if (!ReadPointer(pCmpHiveListHead, &pNextHiveList)) {
|
|
dprintf("Couldn't read first Flink (%p) of CmpHiveList\n",
|
|
pCmpHiveListHead);
|
|
return;
|
|
}
|
|
|
|
TotalPages = TotalPresentPages = 0;
|
|
|
|
// Get The offset
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
return;
|
|
}
|
|
HiveListOffset = (ULONG) offField.address;
|
|
|
|
dprintf("-------------------------------------------------------------------------------------------------------------\n");
|
|
dprintf("| HiveAddr |Stable Length|Stable Map|Volatile Length|Volatile Map|MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName \n");
|
|
dprintf("-------------------------------------------------------------------------------------------------------------\n");
|
|
while (pNextHiveList != pCmpHiveListHead) {
|
|
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
|
|
CmHive = pNextHiveList - HiveListOffset;
|
|
|
|
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.Signature", WorkVar)) {
|
|
if( WorkVar != HHIVE_SIGNATURE ) {
|
|
dprintf("Invalid Hive signature: %lx\n",WorkVar);
|
|
break;
|
|
}
|
|
}
|
|
dprintf("| %p ",CmHive);
|
|
|
|
|
|
if(!GetHiveMaps(CmHive,&Stable_Map,&Stable_Length,&Volatile_Map,&Volatile_Length) ) {
|
|
break;
|
|
}
|
|
|
|
dprintf("| %8lx ",Stable_Length);
|
|
dprintf("| %p ",Stable_Map);
|
|
dprintf("| %8lx ",Volatile_Length);
|
|
dprintf("| %p ",Volatile_Map);
|
|
if (!GetFieldValue(CmHive, "nt!_CMHIVE", "MappedViews", Count)) {
|
|
dprintf("| %8u ",Count);
|
|
}
|
|
if (!GetFieldValue(CmHive, "nt!_CMHIVE", "PinnedViews", Count)) {
|
|
dprintf("| %8u ",Count);
|
|
}
|
|
if (!GetFieldValue(CmHive, "nt!_CMHIVE", "UseCount", WorkVar)) {
|
|
dprintf("| %5u",WorkVar);
|
|
}
|
|
if (GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.BaseBlock", BaseBlock)) {
|
|
dprintf("\tCan't CMHIVE Read from %p\n",CmHive);
|
|
continue;
|
|
}
|
|
dprintf("| %p |",BaseBlock);
|
|
|
|
if (GetFieldValue( BaseBlock, "nt!_HBASE_BLOCK", "FileName", FileName )) {
|
|
wcscpy(FileName, L"<UNKNOWN>");
|
|
} else {
|
|
if (FileName[0]==L'\0') {
|
|
wcscpy(FileName, L"<NONAME>");
|
|
} else {
|
|
FileName[HBASE_NAME_ALLOC/sizeof(WCHAR)]=L'\0';
|
|
}
|
|
}
|
|
dprintf(" %ws\n",FileName);
|
|
|
|
if (GetFieldValue(pNextHiveList, "nt!_LIST_ENTRY", "Flink", pNextHiveList)) {
|
|
dprintf("Couldn't read Flink (%p) of %p\n",
|
|
pCmpHiveListHead,pNextHiveList);
|
|
break;
|
|
}
|
|
|
|
}
|
|
dprintf("-------------------------------------------------------------------------------------------------------------\n");
|
|
|
|
dprintf("\n");
|
|
|
|
}
|
|
|
|
void
|
|
regviewlist(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
dumps all the views mapped/pinned for the specified hive
|
|
|
|
Called as:
|
|
|
|
!viewlist <HiveAddr>
|
|
|
|
Arguments:
|
|
|
|
args - hive.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 CmHive,PinViewListHead,LRUViewListHead,Flink,Blink,ViewAddr,Address;
|
|
ULONG64 List1,List2;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG WorkVar,OffsetPinned,OffsetMapped,OffsetPinnedHead,OffsetMappedHead;
|
|
USHORT MappedViews,PinnedViews;
|
|
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&CmHive)) {
|
|
|
|
CmHive = GetExpression(args+ strlen(Dummy));
|
|
}
|
|
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.Signature", WorkVar)) {
|
|
if( WorkVar != HHIVE_SIGNATURE ) {
|
|
dprintf("Invalid Hive signature: %lx\n",WorkVar);
|
|
return;
|
|
}
|
|
} else {
|
|
dprintf("Could not read hive at %p\n",CmHive);
|
|
return;
|
|
}
|
|
|
|
if (GetFieldValue(CmHive, "nt!_CMHIVE", "MappedViews", MappedViews) ||
|
|
GetFieldValue(CmHive, "nt!_CMHIVE", "PinnedViews", PinnedViews) ||
|
|
GetFieldOffset("nt!_CMHIVE", "PinViewListHead", &OffsetPinnedHead) ||
|
|
GetFieldOffset("nt!_CMHIVE", "LRUViewListHead", &OffsetMappedHead) ||
|
|
GetFieldOffset("nt!_CM_VIEW_OF_FILE", "PinViewList", &OffsetPinned) ||
|
|
GetFieldOffset("nt!_CM_VIEW_OF_FILE", "LRUViewList", &OffsetMapped)
|
|
) {
|
|
dprintf("Could not read hive at %p\n",CmHive);
|
|
return;
|
|
}
|
|
|
|
PinViewListHead = CmHive + OffsetPinnedHead;
|
|
LRUViewListHead = CmHive + OffsetMappedHead;
|
|
if ( !GetFieldValue(PinViewListHead, "nt!_LIST_ENTRY", "Flink", Flink) &&
|
|
!GetFieldValue(PinViewListHead, "nt!_LIST_ENTRY", "Blink", Blink)
|
|
) {
|
|
dprintf("%4u Pinned Views ; PinViewListHead = %p %p\n",PinnedViews,Flink,Blink);
|
|
if( PinnedViews ) {
|
|
dprintf("--------------------------------------------------------------------------------------------------------------\n");
|
|
dprintf("| ViewAddr |FileOffset| Size |ViewAddress| Bcb | LRUViewList | PinViewList | UseCount |\n");
|
|
dprintf("--------------------------------------------------------------------------------------------------------------\n");
|
|
|
|
|
|
for(;PinnedViews;PinnedViews--) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
|
|
ViewAddr = Flink;
|
|
ViewAddr -= OffsetPinned;
|
|
|
|
dprintf("| %p ",ViewAddr);
|
|
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "FileOffset", WorkVar) ) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "Size", WorkVar) ) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "ViewAddress", Address) ) {
|
|
dprintf("| %p ",Address);
|
|
}
|
|
if( Address == 0 ) {
|
|
dprintf("could not read memory - paged out\n");
|
|
break;
|
|
}
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "Bcb", Address) ) {
|
|
dprintf("| %p ",Address);
|
|
}
|
|
|
|
|
|
if( !GetFieldValue(ViewAddr + OffsetMapped, "nt!_LIST_ENTRY", "Flink", List1) ) {
|
|
dprintf("| %p",List1);
|
|
}
|
|
if( !GetFieldValue(ViewAddr + OffsetMapped, "nt!_LIST_ENTRY", "Blink", List2) ) {
|
|
dprintf(" %p ",List2);
|
|
}
|
|
|
|
if( !GetFieldValue(ViewAddr + OffsetPinned, "nt!_LIST_ENTRY", "Flink", Flink) ) {
|
|
dprintf("| %p",Flink);
|
|
}
|
|
if( !GetFieldValue(ViewAddr + OffsetPinned, "nt!_LIST_ENTRY", "Blink", Blink) ) {
|
|
dprintf(" %p |",Blink);
|
|
}
|
|
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "UseCount", WorkVar) ) {
|
|
dprintf(" %8lx |\n",WorkVar);
|
|
}
|
|
|
|
}
|
|
dprintf("--------------------------------------------------------------------------------------------------------------\n");
|
|
}
|
|
}
|
|
|
|
dprintf("\n");
|
|
if ( !GetFieldValue(LRUViewListHead, "nt!_LIST_ENTRY", "Flink", Flink) &&
|
|
!GetFieldValue(LRUViewListHead, "nt!_LIST_ENTRY", "Blink", Blink)
|
|
) {
|
|
dprintf("%4u Mapped Views ; LRUViewListHead = %p %p\n",MappedViews,Flink,Blink);
|
|
if( MappedViews ) {
|
|
dprintf("--------------------------------------------------------------------------------------------------------------\n");
|
|
dprintf("| ViewAddr |FileOffset| Size |ViewAddress| Bcb | LRUViewList | PinViewList | UseCount |\n");
|
|
dprintf("--------------------------------------------------------------------------------------------------------------\n");
|
|
|
|
|
|
for(;MappedViews;MappedViews--) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
ViewAddr = Flink;
|
|
ViewAddr -= OffsetMapped;
|
|
|
|
dprintf("| %p ",ViewAddr);
|
|
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "FileOffset", WorkVar) ) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "Size", WorkVar) ) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "ViewAddress", Address) ) {
|
|
dprintf("| %p ",Address);
|
|
}
|
|
if( Address == 0 ) {
|
|
dprintf("could not read memory - paged out\n");
|
|
break;
|
|
}
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "Bcb", Address) ) {
|
|
dprintf("| %p ",Address);
|
|
}
|
|
|
|
|
|
if( !GetFieldValue(ViewAddr + OffsetMapped, "nt!_LIST_ENTRY", "Flink", Flink) ) {
|
|
dprintf("| %p",Flink);
|
|
}
|
|
if( !GetFieldValue(ViewAddr + OffsetMapped, "nt!_LIST_ENTRY", "Blink", Blink) ) {
|
|
dprintf(" %p ",Blink);
|
|
}
|
|
|
|
if( !GetFieldValue(ViewAddr + OffsetPinned, "nt!_LIST_ENTRY", "Flink", List1) ) {
|
|
dprintf("| %p",List1);
|
|
}
|
|
if( !GetFieldValue(ViewAddr + OffsetPinned, "nt!_LIST_ENTRY", "Blink", List2) ) {
|
|
dprintf(" %p |",List2);
|
|
}
|
|
|
|
if( !GetFieldValue(ViewAddr, "nt!_CM_VIEW_OF_FILE", "UseCount", WorkVar) ) {
|
|
dprintf(" %8lx |\n",WorkVar);
|
|
}
|
|
|
|
}
|
|
dprintf("--------------------------------------------------------------------------------------------------------------\n");
|
|
}
|
|
}
|
|
dprintf("\n");
|
|
|
|
}
|
|
|
|
void
|
|
regfreebins(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
dumps all the free bins for the specified hive
|
|
|
|
Called as:
|
|
|
|
!freebins <HiveAddr>
|
|
|
|
Arguments:
|
|
|
|
args - hive.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 CmHive,AnchorAddr,BinAddr,Flink,Blink;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG WorkVar,OffsetFreeBins,Offset;
|
|
ULONG DUAL_Size,StorageOffset;
|
|
FIELD_INFO offField = {"Hive.Storage", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "_CMHIVE", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 1, &offField
|
|
};
|
|
USHORT Nr = 0;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&CmHive)) {
|
|
|
|
CmHive = GetExpression(args+ strlen(Dummy));
|
|
}
|
|
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.Signature", WorkVar)) {
|
|
if( WorkVar != HHIVE_SIGNATURE ) {
|
|
dprintf("Invalid Hive signature: %lx\n",WorkVar);
|
|
return;
|
|
}
|
|
} else {
|
|
dprintf("Could not read hive at %p\n",CmHive);
|
|
return;
|
|
}
|
|
|
|
// Get the offset of Hive.Storage in _CMHIVE
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
dprintf("Cannot find _CMHIVE type.\n");
|
|
return;
|
|
}
|
|
|
|
StorageOffset = (ULONG) offField.address;
|
|
DUAL_Size = GetTypeSize("_DUAL");
|
|
|
|
GetFieldOffset("nt!_FREE_HBIN", "ListEntry", &Offset);
|
|
GetFieldOffset("_DUAL", "FreeBins", &OffsetFreeBins);
|
|
|
|
dprintf("Stable Storage ... \n");
|
|
|
|
dprintf("-------------------------------------------------------------------\n");
|
|
dprintf("| Address |FileOffset| Size | Flags | Flink | Blink |\n");
|
|
dprintf("-------------------------------------------------------------------\n");
|
|
Nr = 0;
|
|
|
|
AnchorAddr = CmHive + StorageOffset + OffsetFreeBins;
|
|
|
|
if ( !GetFieldValue(AnchorAddr, "nt!_LIST_ENTRY", "Flink", Flink) &&
|
|
!GetFieldValue(AnchorAddr, "nt!_LIST_ENTRY", "Blink", Blink)
|
|
) {
|
|
while((ULONG64)Flink != (ULONG64)AnchorAddr ) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
BinAddr = Flink - Offset;
|
|
dprintf("| %p ",BinAddr);
|
|
|
|
if(!GetFieldValue(BinAddr, "nt!_FREE_HBIN", "FileOffset", WorkVar)) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if(!GetFieldValue(BinAddr, "nt!_FREE_HBIN", "Size", WorkVar)) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if(!GetFieldValue(BinAddr, "nt!_FREE_HBIN", "Flags", WorkVar)) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
|
|
if( !GetFieldValue(BinAddr + Offset, "nt!_LIST_ENTRY", "Flink", Flink) ) {
|
|
dprintf("| %p ",Flink);
|
|
}
|
|
if( !GetFieldValue(BinAddr + Offset, "nt!_LIST_ENTRY", "Blink", Blink) ) {
|
|
dprintf("| %p |\n",Blink);
|
|
}
|
|
|
|
Nr++;
|
|
}
|
|
|
|
}
|
|
|
|
dprintf("-------------------------------------------------------------------\n");
|
|
|
|
dprintf("%4u FreeBins\n",Nr);
|
|
|
|
dprintf("\n");
|
|
|
|
dprintf("Volatile Storage ... \n");
|
|
|
|
dprintf("-------------------------------------------------------------------\n");
|
|
dprintf("| Address |FileOffset| Size | Flags | Flink | Blink |\n");
|
|
dprintf("-------------------------------------------------------------------\n");
|
|
|
|
AnchorAddr = CmHive + StorageOffset + DUAL_Size + OffsetFreeBins;
|
|
Nr = 0;
|
|
|
|
if ( !GetFieldValue(AnchorAddr, "nt!_LIST_ENTRY", "Flink", Flink) &&
|
|
!GetFieldValue(AnchorAddr, "nt!_LIST_ENTRY", "Blink", Blink)
|
|
) {
|
|
while((ULONG64)Flink != (ULONG64)AnchorAddr ) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
BinAddr = Flink - Offset;
|
|
dprintf("| %p ",BinAddr);
|
|
|
|
if(!GetFieldValue(BinAddr, "nt!_FREE_HBIN", "FileOffset", WorkVar)) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if(!GetFieldValue(BinAddr, "nt!_FREE_HBIN", "Size", WorkVar)) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
if(!GetFieldValue(BinAddr, "nt!_FREE_HBIN", "Flags", WorkVar)) {
|
|
dprintf("| %8lx ",WorkVar);
|
|
}
|
|
|
|
if( !GetFieldValue(BinAddr + Offset, "nt!_LIST_ENTRY", "Flink", Flink) ) {
|
|
dprintf("| %p ",Flink);
|
|
}
|
|
if( !GetFieldValue(BinAddr + Offset, "nt!_LIST_ENTRY", "Blink", Blink) ) {
|
|
dprintf("| %p |\n",Blink);
|
|
}
|
|
|
|
Nr++;
|
|
}
|
|
|
|
}
|
|
|
|
dprintf("-------------------------------------------------------------------\n");
|
|
|
|
dprintf("%4u FreeBins\n",Nr);
|
|
|
|
dprintf("\n");
|
|
}
|
|
|
|
void
|
|
regdirtyvector(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
displays the dirty vector of the hive
|
|
|
|
Called as:
|
|
|
|
!dirtyvector <HiveAddr>
|
|
|
|
Arguments:
|
|
|
|
args - convkey.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 CmHive,BufferAddr;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG WorkVar,SizeOfBitMap,i;
|
|
ULONG BitsPerULONG;
|
|
ULONG BitsPerBlock;
|
|
ULONG DirtyBuffer;
|
|
ULONG Mask;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&CmHive)) {
|
|
|
|
CmHive = GetExpression(args+ strlen(Dummy));
|
|
}
|
|
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.Signature", WorkVar)) {
|
|
if( WorkVar != HHIVE_SIGNATURE ) {
|
|
dprintf("Invalid Hive signature: %lx\n",WorkVar);
|
|
return;
|
|
}
|
|
} else {
|
|
dprintf("Could not read hive at %p\n",CmHive);
|
|
return;
|
|
}
|
|
|
|
dprintf("HSECTOR_SIZE = %lx\n",HSECTOR_SIZE);
|
|
dprintf("HBLOCK_SIZE = %lx\n",HBLOCK_SIZE);
|
|
dprintf("PAGE_SIZE = %lx\n",PageSize);
|
|
dprintf("\n");
|
|
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.DirtyAlloc", WorkVar)) {
|
|
dprintf("DirtyAlloc = : 0x%lx\n",WorkVar);
|
|
}
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.DirtyCount", WorkVar)) {
|
|
dprintf("DirtyCount = : 0x%lx\n",WorkVar);
|
|
}
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.DirtyVector.Buffer", BufferAddr)) {
|
|
dprintf("Buffer = : 0x%p\n",BufferAddr);
|
|
}
|
|
dprintf("\n");
|
|
|
|
if(GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.DirtyVector.SizeOfBitMap", SizeOfBitMap)) {
|
|
return;
|
|
}
|
|
|
|
BitsPerULONG = 8*ULongSize;
|
|
BitsPerBlock = HBLOCK_SIZE / HSECTOR_SIZE;
|
|
|
|
dprintf(" Address 32k 32k");
|
|
for(i=0;i<SizeOfBitMap;i++) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
if( !(i%(2*BitsPerULONG ) ) ){
|
|
dprintf("\n 0x%8lx ",i*HSECTOR_SIZE);
|
|
}
|
|
|
|
if( !(i%BitsPerBlock) ) {
|
|
dprintf(" ");
|
|
}
|
|
if( !(i%BitsPerULONG) ) {
|
|
//
|
|
// fetch in a new DWORD
|
|
//
|
|
if( !ReadMemory(BufferAddr,
|
|
&DirtyBuffer,
|
|
sizeof(DirtyBuffer),
|
|
&BytesRead)) {
|
|
dprintf("\tRead %lx bytes from %lx\n",BytesRead,BufferAddr);
|
|
return;
|
|
}
|
|
BufferAddr += ULongSize;
|
|
dprintf("\t");
|
|
}
|
|
|
|
Mask = ((DirtyBuffer >> (i%BitsPerULONG)) & 0x1);
|
|
//Mask <<= (BitsPerULONG - (i%BitsPerULONG) - 1);
|
|
//Mask &= DirtyBuffer;
|
|
dprintf("%s",Mask?"1":"0");
|
|
}
|
|
dprintf("\n\n");
|
|
|
|
}
|
|
|
|
CCHAR CmKDFindFirstSetLeft[256] = {
|
|
0, 0, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3, 3, 3,
|
|
4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4,
|
|
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
|
|
5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5,
|
|
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
|
|
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
|
|
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
|
|
6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7,
|
|
7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7};
|
|
|
|
#define CmKDComputeIndex(Index, Size) \
|
|
{ \
|
|
Index = (Size >> HHIVE_FREE_DISPLAY_SHIFT) - 1; \
|
|
if (Index >= HHIVE_LINEAR_INDEX ) { \
|
|
\
|
|
/* \
|
|
** Too big for the linear lists, compute the exponential \
|
|
** list. \
|
|
*/ \
|
|
\
|
|
if (Index > 255) { \
|
|
/* \
|
|
** Too big for all the lists, use the last index. \
|
|
*/ \
|
|
Index = HHIVE_FREE_DISPLAY_SIZE-1; \
|
|
} else { \
|
|
Index = CmKDFindFirstSetLeft[Index] + \
|
|
HHIVE_FREE_DISPLAY_BIAS; \
|
|
} \
|
|
} \
|
|
}
|
|
|
|
void
|
|
regfreecells(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
displays the free cells map in a bin
|
|
|
|
Called as:
|
|
|
|
!freecells <BinAddr>
|
|
|
|
Arguments:
|
|
|
|
args - convkey.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 BinAddr;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG WorkVar,FileOffset,Size,BinHeaderSize;
|
|
ULONG NrOfCellsPerIndex;
|
|
ULONG NrOfCellsTotal;
|
|
ULONG TotalFreeSize;
|
|
ULONG Index;
|
|
ULONG CurrIndex,Offset;
|
|
LONG Current;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&BinAddr)) {
|
|
|
|
BinAddr = GetExpression(args+ strlen(Dummy));
|
|
}
|
|
|
|
if(!GetFieldValue(BinAddr, "nt!_HBIN", "Signature", WorkVar)) {
|
|
if( WorkVar != HBIN_SIGNATURE ) {
|
|
dprintf("\tInvalid Bin signature %lx \n",WorkVar);
|
|
return;
|
|
}
|
|
} else {
|
|
dprintf("Could not read bin at %p\n",BinAddr);
|
|
return;
|
|
}
|
|
|
|
if(GetFieldValue(BinAddr, "nt!_HBIN", "FileOffset", FileOffset) ||
|
|
GetFieldValue(BinAddr, "nt!_HBIN", "Size", Size)
|
|
) {
|
|
dprintf("Could not read bin at %p\n",BinAddr);
|
|
}
|
|
|
|
BinHeaderSize = GetTypeSize("nt!_HBIN");
|
|
dprintf("Bin Offset = 0x%lx Size = 0x%lx\n",FileOffset,Size);
|
|
|
|
NrOfCellsTotal = 0;
|
|
TotalFreeSize = 0;
|
|
|
|
for(CurrIndex = 0;CurrIndex<HHIVE_FREE_DISPLAY_SIZE;CurrIndex++) {
|
|
dprintf("\n FreeDisplay[%2lu] :: ",CurrIndex);
|
|
|
|
NrOfCellsPerIndex = 0;
|
|
Offset = BinHeaderSize;
|
|
while( Offset < Size ) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
if( !ReadMemory(BinAddr + Offset,
|
|
&Current,
|
|
sizeof(Current),
|
|
&BytesRead) ) {
|
|
dprintf("\tRead %lx bytes from %lx\n",BytesRead,BinAddr + Offset);
|
|
return;
|
|
}
|
|
|
|
if(Current>0) {
|
|
//
|
|
// free cell
|
|
//
|
|
CmKDComputeIndex(Index, Current);
|
|
if( Index == CurrIndex ) {
|
|
//
|
|
// dum it here as this is the right index
|
|
//
|
|
NrOfCellsTotal++;
|
|
NrOfCellsPerIndex++;
|
|
TotalFreeSize += Current;
|
|
dprintf(" %lx [%lx]",Offset,Current);
|
|
if( !(NrOfCellsPerIndex % 8) && ((Offset + Current) < Size) ) {
|
|
dprintf("\n");
|
|
}
|
|
}
|
|
} else {
|
|
Current *= -1;
|
|
}
|
|
Offset += Current;
|
|
}
|
|
}
|
|
|
|
dprintf("\nTotal: FreeCells = %lu, FreeSpace = 0x%lx BinUsage = %.2f%%\n",NrOfCellsTotal,TotalFreeSize,
|
|
(float)(((float)(Size-BinHeaderSize-TotalFreeSize)/(float)(Size-BinHeaderSize))*100.00)
|
|
);
|
|
|
|
}
|
|
|
|
void
|
|
regfreehints(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
displays the freehints information for the hive
|
|
|
|
Called as:
|
|
|
|
!freehints <HiveAddr> <StorageCount> <DisplayCount>
|
|
|
|
Arguments:
|
|
|
|
args - convkey.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 CmHive,BufferAddr;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG WorkVar;
|
|
ULONG Mask;
|
|
ULONG BitsPerULONG;
|
|
ULONG BitsPerBlock;
|
|
ULONG BitsPerLine;
|
|
ULONG Stable_Length=0, Volatile_Length=0;
|
|
ULONG64 Stable_Map=0, Volatile_Map=0;
|
|
ULONG DisplayCount;
|
|
ULONG StorageCount;
|
|
ULONG SizeOfBitmap;
|
|
ULONG i;
|
|
FIELD_INFO offField = {"Hive.Storage", NULL, 0, DBG_DUMP_FIELD_RETURN_ADDRESS, 0, NULL};
|
|
SYM_DUMP_PARAM TypeSym ={
|
|
sizeof (SYM_DUMP_PARAM), "_CMHIVE", DBG_DUMP_NO_PRINT, 0,
|
|
NULL, NULL, NULL, 1, &offField
|
|
};
|
|
ULONG DUAL_Size,StorageOffset,RTL_BITMAP_Size,OffsetFreeDisplay;
|
|
ULONG64 DirtyBufferAddr;
|
|
ULONG DirtyBuffer;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&CmHive)) {
|
|
if (GetExpressionEx(args+ strlen(Dummy), &CmHive, &args)) {
|
|
if (!sscanf(args,"%lu %lu",&StorageCount,&DisplayCount)) {
|
|
StorageCount = DisplayCount = 0;
|
|
}
|
|
}
|
|
}
|
|
|
|
if(!GetFieldValue(CmHive, "nt!_CMHIVE", "Hive.Signature", WorkVar)) {
|
|
if( WorkVar != HHIVE_SIGNATURE ) {
|
|
dprintf("Invalid Hive signature: %lx\n",WorkVar);
|
|
return;
|
|
}
|
|
} else {
|
|
dprintf("Could not read hive at %p\n",CmHive);
|
|
return;
|
|
}
|
|
|
|
dprintf("HSECTOR_SIZE = %lx\n",HSECTOR_SIZE);
|
|
dprintf("HBLOCK_SIZE = %lx\n",HBLOCK_SIZE);
|
|
dprintf("PAGE_SIZE = %lx\n",PageSize);
|
|
dprintf("\n");
|
|
|
|
BitsPerULONG = 8*ULongSize;
|
|
BitsPerBlock = 0x10000 / HBLOCK_SIZE; // 64k blocks
|
|
BitsPerLine = 0x40000 / HBLOCK_SIZE; // 256k lines (vicinity reasons)
|
|
|
|
if(!GetHiveMaps(CmHive,&Stable_Map,&Stable_Length,&Volatile_Map,&Volatile_Length) ) {
|
|
return;
|
|
}
|
|
|
|
if( StorageCount == 0 ) {
|
|
SizeOfBitmap = Stable_Length / HBLOCK_SIZE;
|
|
} else {
|
|
SizeOfBitmap = Volatile_Length / HBLOCK_SIZE;
|
|
}
|
|
|
|
// Get the offset of Hive.FreeDisplay in _CMHIVE
|
|
if (Ioctl(IG_DUMP_SYMBOL_INFO, &TypeSym, TypeSym.size)) {
|
|
dprintf("Cannot find _CMHIVE type.\n");
|
|
return;
|
|
}
|
|
|
|
StorageOffset = (ULONG) offField.address;
|
|
DUAL_Size = GetTypeSize("_DUAL");
|
|
RTL_BITMAP_Size = GetTypeSize("nt!_RTL_BITMAP");
|
|
dprintf("bitmap size = %lu\n",RTL_BITMAP_Size);
|
|
GetFieldOffset("_DUAL", "FreeDisplay", &OffsetFreeDisplay);
|
|
|
|
BufferAddr = CmHive + StorageOffset + DUAL_Size * StorageCount + OffsetFreeDisplay + DisplayCount * RTL_BITMAP_Size;
|
|
if(GetFieldValue(BufferAddr, "nt!_RTL_BITMAP", "Buffer", DirtyBufferAddr) ) {
|
|
dprintf("Cannot read bitmap address\n");
|
|
return;
|
|
}
|
|
|
|
dprintf("Storage = %s , FreeDisplay[%lu]: \n",StorageCount?"Volatile":"Stable",DisplayCount);
|
|
|
|
dprintf("\n%8s %16s %16s %16s %16s","Address","64K (0x10000)","64K (0x10000)","64K (0x10000)","64K (0x10000)");
|
|
|
|
for(i=0;i<SizeOfBitmap;i++) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
if( !(i%BitsPerLine) ){
|
|
dprintf("\n 0x%8lx ",i*HBLOCK_SIZE);
|
|
}
|
|
|
|
if( !(i%BitsPerBlock) ) {
|
|
dprintf(" ");
|
|
}
|
|
if( !(i%BitsPerULONG) ) {
|
|
//
|
|
// fetch in a new DWORD
|
|
//
|
|
if( !ReadMemory(DirtyBufferAddr,
|
|
&DirtyBuffer,
|
|
sizeof(DirtyBuffer),
|
|
&BytesRead) ) {
|
|
dprintf("\tRead %lx bytes from %lx\n",BytesRead,DirtyBufferAddr);
|
|
return;
|
|
}
|
|
DirtyBufferAddr += ULongSize;
|
|
}
|
|
|
|
Mask = ((DirtyBuffer >> (i%BitsPerULONG)) & 0x1);
|
|
//Mask <<= (BitsPerULONG - (i%BitsPerULONG) - 1);
|
|
//Mask &= DirtyBuffer;
|
|
dprintf("%s",Mask?"1":"0");
|
|
}
|
|
|
|
dprintf("\n\n");
|
|
|
|
}
|
|
|
|
void
|
|
regseccache(
|
|
LPSTR args
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
displays the base block structure
|
|
|
|
Called as:
|
|
|
|
!seccache <HiveAddr>
|
|
|
|
Arguments:
|
|
|
|
args - convkey.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
ULONG64 HiveAddr,SecCache;
|
|
DWORD BytesRead;
|
|
CHAR Dummy[ 256 ];
|
|
ULONG WorkVar,i,Cell;
|
|
LONG WorkHint;
|
|
ULONG CacheEntrySize = GetTypeSize("_CM_KEY_SECURITY_CACHE_ENTRY");
|
|
ULONG64 CachedSec;
|
|
|
|
if (sscanf(args,"%255s %lX",Dummy,&HiveAddr)) {
|
|
HiveAddr = GetExpression(args + strlen(Dummy));
|
|
}
|
|
|
|
if(!GetFieldValue(HiveAddr, "nt!_CMHIVE", "Hive.Signature", WorkVar)) {
|
|
if( WorkVar != HHIVE_SIGNATURE ) {
|
|
dprintf("Invalid Hive signature: %lx\n",WorkVar);
|
|
return;
|
|
}
|
|
}
|
|
if (!GetFieldValue(HiveAddr, "nt!_CMHIVE", "SecurityCacheSize", WorkVar)) {
|
|
dprintf("SecurityCacheSize = : 0x%lx\n",WorkVar);
|
|
}
|
|
if (!GetFieldValue(HiveAddr, "nt!_CMHIVE", "SecurityCount", WorkVar)) {
|
|
dprintf("SecurityCount = : 0x%lx\n",WorkVar);
|
|
}
|
|
if (!GetFieldValue(HiveAddr, "nt!_CMHIVE", "SecurityHitHint", WorkHint)) {
|
|
dprintf("SecurityHitHint = : 0x%lx\n",WorkHint);
|
|
}
|
|
|
|
if (!GetFieldValue(HiveAddr, "nt!_CMHIVE", "SecurityCache", SecCache)) {
|
|
dprintf("SecurityCache = : 0x%p\n\n",SecCache);
|
|
dprintf("[Entry No.] [Security Cell] [Security Cache]\n");
|
|
|
|
for( i=0;i<WorkVar;i++) {
|
|
if (CheckControlC()) {
|
|
break;
|
|
}
|
|
|
|
if (GetFieldValue(SecCache + i*CacheEntrySize, "nt!_CM_KEY_SECURITY_CACHE_ENTRY", "Cell", Cell)) {
|
|
continue;
|
|
}
|
|
if (GetFieldValue(SecCache + i*CacheEntrySize, "nt!_CM_KEY_SECURITY_CACHE_ENTRY", "CachedSecurity", CachedSec)) {
|
|
continue;
|
|
}
|
|
dprintf("%[%8lu] 0x%8lx ",i,Cell);
|
|
dprintf("0x%p\n",CachedSec);
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
void ParseArgs(
|
|
LPSTR args,
|
|
LPSTR Dummy,
|
|
ULONG SizeOfDummy
|
|
)
|
|
{
|
|
ULONG i =0;
|
|
while( (args[i]!= 0) && (args[i] != ' ') && (i < SizeOfDummy-1) ) {
|
|
Dummy[i] = args[i];
|
|
i++;
|
|
}
|
|
Dummy[i] = 0;
|
|
}
|
|
|
|
void ParseKcbNameInArg(
|
|
LPSTR args,
|
|
LPSTR KcbName
|
|
)
|
|
{
|
|
ULONG i =0;
|
|
ULONG j =0;
|
|
while( (args[i]!= 0) && (args[i] != ' ') ) {
|
|
i++;
|
|
}
|
|
while( args[i] == ' ' ) {
|
|
i++;
|
|
}
|
|
while( args[i]!= 0 ) {
|
|
KcbName[j] = args[i];
|
|
i++;j++;
|
|
}
|
|
KcbName[j] = 0;
|
|
}
|
|
|
|
DECLARE_API( reg )
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Dispatch point for all registry extensions
|
|
|
|
Called as:
|
|
|
|
!reg <command> <params>
|
|
|
|
Arguments:
|
|
|
|
args - Supplies the address of the HCELL_INDEX.
|
|
|
|
Return Value:
|
|
|
|
.
|
|
|
|
--*/
|
|
|
|
{
|
|
CHAR Dummy[ 512 ];
|
|
|
|
ParseArgs((LPSTR)args,(LPSTR)Dummy, sizeof(Dummy));
|
|
|
|
// Get the offsets
|
|
if (!GotOnce) {
|
|
if (GetFieldOffset("_HMAP_DIRECTORY", "Directory", &DirectoryOffset)){
|
|
return E_INVALIDARG;
|
|
}
|
|
if (GetFieldOffset("_HMAP_ENTRY", "BlockAddress", &BlockAddrOffset)) {
|
|
return E_INVALIDARG;
|
|
}
|
|
if (GetFieldOffset("_HMAP_TABLE", "Table", &TableOffset)) {
|
|
return E_INVALIDARG;
|
|
}
|
|
PtrSize = DBG_PTR_SIZE;
|
|
ULongSize = sizeof(ULONG); //
|
|
HMapSize = GetTypeSize("_HMAP_ENTRY");
|
|
|
|
GotOnce = TRUE;
|
|
}
|
|
|
|
dprintf("\n");
|
|
if (!strcmp(Dummy, "kcb")) {
|
|
regkcb((LPSTR)args);
|
|
} else if (!strcmp(Dummy, "cellindex")) {
|
|
regcellindex((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "hashindex")) {
|
|
reghashindex((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "openkeys")) {
|
|
regopenkeys((LPSTR)args,NULL);
|
|
} else if( !strcmp(Dummy, "knode")) {
|
|
regknode((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "kbody")) {
|
|
regkbody((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "kvalue")) {
|
|
regkvalue((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "baseblock")) {
|
|
regbaseblock((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "findkcb")) {
|
|
ParseKcbNameInArg((LPSTR)args,(LPSTR)Dummy);
|
|
regopenkeys((LPSTR)args,(LPSTR)Dummy);
|
|
} else if( !strcmp(Dummy, "hivelist")) {
|
|
reghivelist();
|
|
} else if( !strcmp(Dummy, "seccache")) {
|
|
regseccache((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "viewlist")) {
|
|
regviewlist((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "freebins")) {
|
|
regfreebins((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "dirtyvector")) {
|
|
regdirtyvector((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "freecells")) {
|
|
regfreecells((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "freehints")) {
|
|
regfreehints((LPSTR)args);
|
|
} else if( !strcmp(Dummy, "dumppool")) {
|
|
regdumppool((LPSTR)args);
|
|
} else {
|
|
// dump general usage
|
|
dprintf("reg <command> <params> - Registry extensions\n");
|
|
dprintf(" kcb <Address> - Dump registry key-control-blocks\n");
|
|
dprintf(" knode <Address> - Dump registry key-node struct\n");
|
|
dprintf(" kbody <Address> - Dump registry key-body struct\n");
|
|
dprintf(" kvalue <Address> - Dump registry key-value struct\n");
|
|
dprintf(" baseblock <HiveAddr> - Dump the baseblock for the specified hive\n");
|
|
dprintf(" seccache <HiveAddr> - Dump the security cache for the specified hive\n");
|
|
dprintf(" hashindex <conv_key> - Find the hash entry given a Kcb ConvKey\n");
|
|
dprintf(" openkeys <HiveAddr|0> - Dump the keys opened inside the specified hive\n");
|
|
dprintf(" findkcb <FullKeyPath> - Find the kcb for the corresponding path\n");
|
|
dprintf(" hivelist - Displays the list of the hives in the system\n");
|
|
dprintf(" viewlist <HiveAddr> - Dump the pinned/mapped view list for the specified hive\n");
|
|
dprintf(" freebins <HiveAddr> - Dump the free bins for the specified hive\n");
|
|
dprintf(" freecells <BinAddr> - Dump the free cells in the specified bin\n");
|
|
dprintf(" dirtyvector<HiveAddr> - Dump the dirty vector for the specified hive\n");
|
|
dprintf(" cellindex <HiveAddr> <cellindex> - Finds the VA for a specified cell index\n");
|
|
dprintf(" freehints <HiveAddr> <Storage> <Display> - Dumps freehint info\n");
|
|
dprintf(" dumppool [s|r] - Dump registry allocated paged pool\n");
|
|
dprintf(" s - Save list of registry pages to temporary file\n");
|
|
dprintf(" r - Restore list of registry pages from temp. file\n");
|
|
}
|
|
|
|
return S_OK;
|
|
}
|