[Repost] Browsing the registry in kernel-mode
Posted on: 2021-1-24 06:50 2009

Browsing the registry in kernel-mode

One of the Windows kernel subsystems I recently dug into is the Configuration Manager (CM), mostly because I found very scarce public resources about it despite its criticality: this subsystem is responsible for managing the configuration of all Windows resources, and in user-land it is exposed via a very familiar mechanism, the Windows Registry. It is a pretty well documented user-land mechanism, and so is its kernel driver API. My curiosity was around its inner workings, and the few (but brilliant) resources can be found in the link section below.

What I wondered was: how is the registry handled in the kernel (i.e. by the CM)? So, in the same way that I explored other Windows subsystems, I tried to keep a practical approach, and the result was this WinDbg JS script, RegistryExplorer.js, that I'll be referring to throughout this post. This script allows browsing and querying the registry via LINQ in a kernel debugging session.

Notes: this is a collection of notes; do not blindly trust it, and assume mistakes. Also, you'll find the KD commands are given so you can reproduce easily, but your offsets/indices may vary. Last, everything was done/tested against Windows 10 x64 1909: I assume those findings to be applicable to other versions, but that may not be the case.

https://blahcat.github.io/2021/01/11/browsing_registry_kernel_mode/