-
-
[求助]Windbg中查看注册表的问题
-
发表于: 2007-11-18 22:01
-
请问大虾能不能获得\REGISTRY的knode地址?我看了!reg命令,好像没有这样的功能
!dreg又不能在kmode下使用
kd> !reg
reg <command> <params> - Registry extensions
kcb <Address> - Dump registry key-control-blocks
knode <Address> - Dump registry key-node struct
kbody <Address> - Dump registry key-body struct
kvalue <Address> - Dump registry key-value struct
valuelist <HiveAddr> <KnodeAddr> - Dumps list of values for a particular knode
subkeylist <HiveAddr> <KnodeAddr> - Dumps list of subkeys for a particular knode
baseblock <HiveAddr> - Dump the baseblock for the specified hive
seccache <HiveAddr> - Dump the security cache for the specified hive
hashindex <conv_key> - Find the hash entry given a Kcb ConvKey
openkeys <HiveAddr|0> - Dump the keys opened inside the specified hive
openhandles <HiveAddr|0> - Dump the handles opened inside the specified hive
findkcb <FullKeyPath> - Find the kcb for the corresponding path
hivelist - Displays the list of the hives in the system
viewlist <HiveAddr> - Dump the pinned/mapped view list for the specified hive
freebins <HiveAddr> - Dump the free bins for the specified hive
freecells <BinAddr> - Dump the free cells in the specified bin
dirtyvector<HiveAddr> - Dump the dirty vector for the specified hive
cellindex <HiveAddr> <cellindex> - Finds the VA for a specified cell index
freehints <HiveAddr> <Storage> <Display> - Dumps freehint info
translist <RmAddr|0> - Displays the list of active transactions in this RM
uowlist <TransAddr> - Displays the list of UoW attached to this transaction
postblocklist - Displays the list of threads which have 1 or more postblocks posted
notifylist - Displays the list of notify blocks in the system
ixlock <LockAddr> - Dumps ownership of an intent lock
dumppool [s|r] - Dump registry allocated paged pool
s - Save list of registry pages to temporary file
r - Restore list of registry pages from temp. file
!dreg又不能在kmode下使用
kd> !reg
reg <command> <params> - Registry extensions
kcb <Address> - Dump registry key-control-blocks
knode <Address> - Dump registry key-node struct
kbody <Address> - Dump registry key-body struct
kvalue <Address> - Dump registry key-value struct
valuelist <HiveAddr> <KnodeAddr> - Dumps list of values for a particular knode
subkeylist <HiveAddr> <KnodeAddr> - Dumps list of subkeys for a particular knode
baseblock <HiveAddr> - Dump the baseblock for the specified hive
seccache <HiveAddr> - Dump the security cache for the specified hive
hashindex <conv_key> - Find the hash entry given a Kcb ConvKey
openkeys <HiveAddr|0> - Dump the keys opened inside the specified hive
openhandles <HiveAddr|0> - Dump the handles opened inside the specified hive
findkcb <FullKeyPath> - Find the kcb for the corresponding path
hivelist - Displays the list of the hives in the system
viewlist <HiveAddr> - Dump the pinned/mapped view list for the specified hive
freebins <HiveAddr> - Dump the free bins for the specified hive
freecells <BinAddr> - Dump the free cells in the specified bin
dirtyvector<HiveAddr> - Dump the dirty vector for the specified hive
cellindex <HiveAddr> <cellindex> - Finds the VA for a specified cell index
freehints <HiveAddr> <Storage> <Display> - Dumps freehint info
translist <RmAddr|0> - Displays the list of active transactions in this RM
uowlist <TransAddr> - Displays the list of UoW attached to this transaction
postblocklist - Displays the list of threads which have 1 or more postblocks posted
notifylist - Displays the list of notify blocks in the system
ixlock <LockAddr> - Dumps ownership of an intent lock
dumppool [s|r] - Dump registry allocated paged pool
s - Save list of registry pages to temporary file
r - Restore list of registry pages from temp. file
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
!reg的几个子命令我都试过了,翻文档也一无所获
|
|
|
|
