解读 OpenRegistryKey
解读 OpenRegistryKey
//----- (100EAC60)--------------------------------------------------------
// Decompiler output for the IRtlSystemIsolationLayer tear-off wrapper around
// CSystemIsolationLayer::OpenRegistryKey. Local declarations and several branch
// bodies are missing from this listing, so it is a reading aid, not compilable code.
//
// As shown, the wrapper clears *a7, tests the flag bits and the output pointer,
// requires the key name to be non-empty and to begin with L'\\', and then forwards
// to CSystemIsolationLayer::OpenRegistryKey on the object pointer stored at (a1 - 4).
// Returns 0 when the inner call succeeds, otherwise the inner call's negative status.
int __fastcallCSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenRegistryKey(
int a1,
struct_RTL_TRACING_FACILITY *a2,
int a3, // Flags 0 - 4
int a4, // Access_Mask, identified from DirectRegistryProvider::SysOpenKey
int a5, // key-name string
CKey **a6, // key output
_DWORD *a7) // output (disposition)
{
v14 =a1;
v9 =a5;
v7 =a6;
v8 =a7;
// -1073741595 == 0xC00000E5 (STATUS_INTERNAL_ERROR): default status until a path sets one.
v19 =-1073741595;
// v21..v23 presumably belong to the enter/exit tracer frame at v20 -- not confirmed here.
v21 =1;
v22 =0;
v23 =0;
// Output a7 is zeroed up front when supplied.
if ( v8 )
*v8=0;
// Flags: the mask trips on any bit other than bits 0 and 1, i.e. accepted values are 0..3.
// NOTE(review): the body is empty in this listing; presumably the parameter-failure
// path was dropped when the listing was prepared -- confirm against the binary.
if ( a3 &0xFFFFFFFC) // Flags
{
}
// The a6 output pointer must not be null.
// NOTE(review): body also empty here; the rejection path is not visible.
if (!v7)
{
}
// a5: fails when the DWORD at offset 0 (Length) is zero, or when the first WCHAR
// behind the pointer at offset 8 (Buffer) is not 92, i.e. L'\\'.
if (*(_DWORD*)v9<= 0u ||**(_WORD**)(v9+8)!=92)
{
// This shows the string is in the internal representation format. I first took it
// for an NtFilePath, which was a detour; it is actually an NtRegistryPath.
// v10 / v11 look like the source line and asserted expression used for error
// reporting -- TODO confirm.
v10 =1789;
v11 ="(KeyName.Length > 0) &&(KeyName.Buffer[0] == L'\\\\')";
// NOTE(review): LABEL_15 does not appear anywhere in this function's listing.
goto LABEL_15;
}
// Forward to the implementation; the object pointer is read from (a1 - 4).
v12 = CSystemIsolationLayer::OpenRegistryKey(
*(_DWORD**)(v14-4),
a3,
a4,
v9,
v7,
v8);
if (v12 >=0)
{
v23 =1;
v19 =0;
// Destructor call for the tracer frame at v20, as rendered by the decompiler.
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::
~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v20,
v9);
return 0;
}
// Failure: propagate the inner status unchanged.
v19 =v12;
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::
~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v20,
v9);
return v19;
}
//----- (100FBD8C)--------------------------------------------------------
// Decompiler output for CSystemIsolationLayer::OpenRegistryKey; local declarations
// are not shown in this listing.
//
// As shown, it converts the internal key-name string, builds an OBJECT_ATTRIBUTES
// block, fetches a transaction through the object at this[7], calls the SysOpenKey
// slot (vtable offset 36) of the object at this[5], and on success creates a CKey
// from a CreateKeySource record.
//
// *a6 receives 0 initially, 1 when a CKey instance was created, and 2 when SysOpenKey
// reported disposition 2. In the disposition-2 case the function returns 0 without
// writing *a5, so a caller has to check *a6 before using *a5.
int __thiscall CSystemIsolationLayer::OpenRegistryKey(
_DWORD *this,
char a2, // flag
int a3, // Access_Mask
int a4, // key-name string
CKey **a5, // output
_DWORD *a6) // output (disposition)
{
v6 =this;
v7 =0;
v15 =this;
if (a6 )
*a6=0;
v26 =-1;
v33 =0;
v34 =0;
v22 =0;
v23 =0;
v24 =0;
v25 =0;
// NOTE(review): the status stored in v8 is overwritten below without a visible check;
// the failure branch was probably left out of the listing -- confirm, since this call
// is the conversion from the internal string to the UNICODE_STRING at v31.
v8 =RtlInitUnicodeStringFromLUnicodeStringSafely(a4,(int)&v31);
v9 =v6[7];
// The following assignments fill in the OBJECT_ATTRIBUTES structure.
v16 =24; // Length: size of the structure, 6 fields
v17 =0; // RootDirectory
v18 =&v31; // ObjectName
v19 =64; // Attributes: 0x40 == OBJ_CASE_INSENSITIVE, no other OBJ_* flag set
v20 =0; // SecurityDescriptor
v21 =0; // SecurityQualityOfService
// Possibly SetCurrentTransaction.
// NOTE(review): the call writes v30, which is then passed on as the transaction, so it
// reads more like a getter -- confirm. Its status in v8 is also overwritten unchecked.
v10 = *(int (__thiscall**)(int,int*))(*(_DWORD*)v9+12);
v8 =v10(v9,&v30);
// Only bit 0 of a2 is carried into the first flag argument of SysOpenKey.
if (a2 &1)
v7 =1;
v11 =v30;
v12 =v15[5];
v13 =*(_DWORD*)v12;
// SysOpenKey
v8 =(*(int(__thiscall**)(int,signed int,int *,int,int*, int,int,int*))(v13+36))(
v12,
v7, // flag
&v33, // CSilHandle
a3, // Access_Mask
&v16, // Object_Attribues
2*(a2&2), // flag-related: bit 1 of a2 (value 2) becomes 4, the bit that
          // DirectRegistryProvider::SysOpenKey tests with (a7 & 4) to select its
          // backup/restore open path; 4 equals REG_OPTION_BACKUP_RESTORE
v11, // Transaction
&v32); // returned disposition; controls whether an instance is created
if (v8 <0)
goto LABEL_12;
v26 =v34;
// CSystemIsolationLayer holds four providers (this[4]..this[7]).
// From here on, the seven fields below define the CreateKeySource record.
v22 =v15[4];
v23 =v15[5];
v24 =v15[6];
v25 =v15[7];
// Three DWORDs copied from the key-name string (offsets 0, 4 and 8).
v27 =*(_DWORD*)a4;
v28 =*(_DWORD*)(a4+4);
v29 =*(_DWORD*)(a4+8);
if (v32 !=2)
{
v8 =CRtlRefCountedObjectBase<CKey,IRtlKey,IRtlSystemObject,IRtlSystemContainer,Detail::CRtlRefCountedObjectBaseNoInterface>::CreateInstance<CreateKeySource,IRtlKey>(
(structCreateKeySource*)&v22,
a5);
if (v8 >=0)
{
if (a6 )
*a6=1;
goto LABEL_15;
}
// Failure exit: release the handle at v33 and return the failing status.
LABEL_12:
CSilHandle::Close((CSilHandle *)&v33);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v33);
return v8;
}
// Disposition 2: report it to the caller; no CKey is created and *a5 is not written.
if (a6 )
*a6=2;
// Success exit: the same two Close calls run on v33 before returning 0.
LABEL_15:
CSilHandle::Close((CSilHandle *)&v33);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v33);
return 0;
}
//----- (100EE490)--------------------------------------------------------
// Decompiler output for DirectRegistryProvider::SysOpenKey; local declarations are
// not shown in this listing.
//
// As shown, it opens a registry key through one of several function pointers stored in
// the provider (or NtOpenKey directly), retries while the open reports
// STATUS_INSUFFICIENT_RESOURCES, and maps selected failures to a disposition in *a9
// instead of an error:
//   *a9 == 1  key opened; the handle and provider interface are stored into *a4
//   *a9 == 2  name/path not found and (a3 & 1) was set
//   *a9 == 3  access denied and (a3 & 2) was set
// When (a7 & 4) is set, an ordinary open (that bit cleared, a3 | 2) is attempted first;
// the backup/restore open is reached only if that attempt fails or reports disposition 3.
//
// NTSTATUS constants appear in signed decimal:
//   -1073741595 = 0xC00000E5 STATUS_INTERNAL_ERROR
//   -1073741670 = 0xC000009A STATUS_INSUFFICIENT_RESOURCES
//   -1073741772 = 0xC0000034 STATUS_OBJECT_NAME_NOT_FOUND
//   -1073741766 = 0xC000003A STATUS_OBJECT_PATH_NOT_FOUND
//   -1073741790 = 0xC0000022 STATUS_ACCESS_DENIED
//   -1073740759 = 0xC0000429 (believed to be STATUS_NOT_CAPABLE -- verify in ntstatus.h)
int __fastcall DirectRegistryProvider::SysOpenKey(
DirectRegistryProvider *this,
struct_RTL_TRACING_FACILITY *a2,
unsigned __int32 a3,
structCSilHandle *a4,
ACCESS_MASK DesiredAccess, // this is the evidence for the earlier ACCESS_MASK identification
struct_OBJECT_ATTRIBUTES *a6,
unsigned __int32 a7,
void *a8,
unsigned __int32 *a9)
{
v44 =-1073741595;
v9 =this;
v10 =a4;
ObjectAttributes = a6;
v35 =a8;
v42 =a9;
v38 =0;
KeyHandle =0;
v48 =0;
v49 =0;
v47 =1;
// Result output a9 is zeroed up front when supplied.
if ( v42 )
*v42=0;
v43 =0;
v45 =(unsigned __int32)v9; // this, DirectRegistryProvider
// v43 receives an IRtlRegistryProvider interface created from this provider.
v11 =((int(__thiscall*)(constchar**,unsigned __int32*))AutoInterface<IRtlRegistryProvider*,Auto<IRtlRegistryProvider*>>
::CreateInterfaceFrom<CQueuedRegistryProvider*>)(
&v43,
&v45);
// Bit 4 of a7 selects the backup/restore path (4 equals REG_OPTION_BACKUP_RESTORE).
v37 = a7&4;
if (a7 &4)
{
v45 =0;
v12 =*(_DWORD*)v9;
v13 =a7 &0xFFFFFFFB; // same options with bit 4 cleared
v14 =DesiredAccess;
v15 =a3 |2; // ask the inner call to report access denied as disposition 3
// DirectRegistryProvider::SysOpenKey (vtable offset 36): ordinary open attempted first.
if ( (*(int(__thiscall**)(DirectRegistryProvider*,unsigned __int32,struct CSilHandle*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32,void *, unsigned__int32*))(v12+36))(
v9,
v15,
v10,
v14,
ObjectAttributes,
v13,
v35,
&v45)>=0
&&v45 !=3)
{
// Any outcome other than "access denied" is final; pass the disposition through.
if (v42 )
*v42= v45;
v49 =1;
v44 =0;
// NOTE(review): LABEL_12 does not appear in this function's listing.
goto LABEL_12;
}
}
// DesiredAccess is passed by address, so it may be rewritten here.
// NOTE(review): the failure branch body is empty in this listing.
v11 =`anonymous namespace'::TransformKeyPermissions(&DesiredAccess);
if (v11 <0)
{ }
v36 =0;
// 256 == 0x0100: BYTE2(v33) = 0 (no retry yet), BYTE3(v33) = 1 (retrying allowed).
HIWORD(v33)=256;
do
{
// Slot +4: four-argument open, used when no transaction (a8) was supplied.
v16 =(int(__stdcall*)(HANDLE*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32))*((_DWORD*)v9+4);
if (v16 &&!v35)
{
v32 =a7;
LABEL_36:
v25 =ObjectAttributes;
v26 =DesiredAccess;
// NtOpenKeyEx (author's identification of the pointer at slot +4)
v22 = v16(&KeyHandle, v26, v25, v32);
goto LABEL_37;
}
// Slot +5: five-argument open taking both a7 and the transaction in v35.
// Presumably the transacted NtOpenKeyEx variant -- TODO confirm.
v17 =(int(__stdcall*)(HANDLE*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32, void *))*((_DWORD*)v9+5);
if (v17 && v35)
{
v18 =v35;
v19 =a7;
v20 =ObjectAttributes;
v21 =DesiredAccess;
v22 =v17(&KeyHandle,v21, v20, v19, v18);
goto LABEL_37;
}
if (!v37)
{
if (v35 )
{
// Slot +2: four-argument open whose last argument is the transaction (v35).
// Presumably NtOpenKeyTransacted -- TODO confirm.
v16 =(int(__stdcall*)(HANDLE*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32))*((_DWORD*)v9+2);
if ( !v16)
{
// A transaction was supplied but no transacted open routine is available.
v31 =5313;
v44 =-1073740759;
goto LABEL_60;
}
v32 =(unsigned __int32)v35;
goto LABEL_36;
}
// No optional routine applies and no transaction: plain NtOpenKey.
v22 =NtOpenKey(&KeyHandle,DesiredAccess, ObjectAttributes);
LABEL_37:
v23 =(DirectRegistryProvider*)v22;
goto LABEL_38;
}
// Backup/restore path (a7 & 4); v45 receives a result code that is mapped below.
v45 =0;
v23 =DirectRegistryProvider::OpenExistingKeyWithBackupRestore(
v9,
DesiredAccess,
ObjectAttributes,
v35,
(structCSilHandle *)&v38,
&v45);
if (v45 ==4)
{
// 4 -> STATUS_INSUFFICIENT_RESOURCES, which goes to the delay-and-retry step.
v23 =(DirectRegistryProvider*)-1073741670;
goto LABEL_39;
}
if (v45 ==8)
{
// 8 -> STATUS_OBJECT_NAME_NOT_FOUND
v23 =(DirectRegistryProvider*)-1073741772;
LABEL_26:
// Pick up the "a retry happened" flag; `continue` jumps to the loop condition.
v24 =BYTE2(v33);
continue;
}
if (v45 ==16)
// 16 -> STATUS_ACCESS_DENIED
v23 =(DirectRegistryProvider*)-1073741790;
LABEL_38:
if (v23 !=(DirectRegistryProvider*)-1073741670)
goto LABEL_26;
LABEL_39:
// Receives the counter v36 and the address of BYTE3(v33), the byte the loop
// condition tests before another attempt is made.
v11 =DelayForInsufficientResources(&v36,(_BYTE*)&v33+3);
if (v11 <0)
// NOTE(review): LABEL_41 does not appear in this function's listing.
goto LABEL_41;
v24 =1;
BYTE2(v33)=1;
}
while (BYTE3(v33)&& v23==(DirectRegistryProvider*)-1073741670);
if ((signed int)v23>=0)
{
// Opened. If at least one retry was needed, trace the transient shortage.
if (v24 )
RtlTrace(
0,
(unsigned__int32)&Facility_SIL,
(struct_RTL_TRACING_FACILITY*)&"Transient insufficient resources at NtOpenKey for{oa}",
(constchar *const )1,
(unsigned__int32)"oa",
RtlTraceFormat_PCOBJECT_ATTRIBUTES,
ObjectAttributes);
// Move the provider interface from v43 into v38 (v43 is cleared).
v27 =v43;
v43 =0;
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v38);
v38 =v27;
if (v42 )
{
*v42=1;
v27 =v38;
}
// Swap into the caller's CSilHandle (a4): the DWORD at index 1 takes the key handle,
// the DWORD at index 0 takes the provider interface. The previous contents end up in
// KeyHandle / v38; v38 is closed by the cleanup below.
v28 =(void*)*((_DWORD*)v10+1);
*((_DWORD*)v10+1) = KeyHandle;
KeyHandle =v28;
v29 =*(constchar**)v10;
*(_DWORD*)v10=v27;
v38 =v29;
// Common success exit: status 0 after releasing the local interface and handle.
LABEL_57:
v49 =1;
v44 =0;
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v43);
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v46,
(int)v10);
CSilHandle::Close((CSilHandle *)&v38);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v38);
return 0;
}
// Not found (name or path) is reported as disposition 2 when the caller set a3 bit 0.
if ((v23==(DirectRegistryProvider*)-1073741772
||v23 ==(DirectRegistryProvider*)-1073741766)
&&a3 &1)
{
if (v42 )
*v42=2;
goto LABEL_57;
}
// Access denied is reported as disposition 3 when the caller set a3 bit 1.
if (v23 ==(DirectRegistryProvider*)-1073741790&& a3 &2)
{
if (v42 )
*v42=3;
goto LABEL_57;
}
// Any other failure is returned as an error; v31 looks like a source line number -- TODO confirm.
v31 =5349;
v44 =(int)v23;
LABEL_60:
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v43);
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v46,
v31);
CSilHandle::Close((CSilHandle *)&v38);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v38);
// v38, KeyHandle, v40 and v41 are reused here as the record handed to
// ReportErrorOrigination: source file, function name, v31 and 0.
v38 ="base\\wcp\\sil\\merged\\ntu\\ntsystem.cpp";
KeyHandle ="DirectRegistryProvider::SysOpenKey";
v40 =v31;
v41 =0;
CBaseFrame<CVoidRaiseFrame>::ReportErrorOrigination(
&v44,
(int)&v38);
return v44;
}