突然翻到这个东西,似乎之前没发过,就发来了。
Attribute VB_Name = "mHiveControl"
'By 炉子[0GiNr]
'http://hi.baidu.com/breakinglove_
'http://0ginr.com
'
'Reads a Windows registry hive image (regf header, hbin blocks, nk/vk/lf/sk
'cells) that is already mapped in this process's memory. The record layouts
'below are the author's reverse-engineered descriptions. Lengths, counts and
'offsets taken from the hive are used as-is by the helpers further down; none
'of them is checked against the size of the image.
Option Explicit
'advapi32: load a saved hive file under hKey (flags from RegRestoreFlags)
Public Declare Function RegRestoreKey Lib "advapi32.dll" Alias "RegRestoreKeyA" ( _
    ByVal hKey As Long, _
    ByVal lpFile As String, _
    ByVal dwFlags As RegRestoreFlags) As Long
'advapi32: save the subtree under hKey to a hive file (flags from RegSaveExFlags)
Public Declare Function RegSaveKeyEx Lib "advapi32.dll" Alias "RegSaveKeyExA" ( _
    ByVal hKey As Long, _
    ByVal lpFile As String, _
    ByVal lpSecurityAttributes As Long, _
    ByVal dwFlags As RegSaveExFlags) As Long
'Predefined root-key handles accepted as hKey by the advapi32 declarations above.
Public Enum RegKeys
    HKEY_CLASSES_ROOT = &H80000000
    HKEY_CURRENT_USER = &H80000001
    HKEY_LOCAL_MACHINE = &H80000002
    HKEY_USERS = &H80000003
    HKEY_CURRENT_CONFIG = &H80000005
End Enum
'dwFlags values for RegRestoreKey.
Public Enum RegRestoreFlags
    REG_FORCE_RESTORE = &H8          'restore even if open handles exist under the key
    REG_WHOLE_HIVE_VOLATILE = &H1    'restored hive is volatile (discarded at restart)
End Enum
'dwFlags values for RegSaveKeyEx (on-disk format of the saved hive).
Public Enum RegSaveExFlags
    REG_STANDARD_FORMAT = &H1
    REG_LATEST_FORMAT = &H2
    REG_NO_COMPRESSION = &H4
End Enum
'64-bit value split into two Longs; used below for NT (FILETIME-style) timestamps.
Public Type LARGE_INTEGER
    LowPart As Long
    HighPart As Long
End Type
'Hive file header ("regf" block). Fixed fields add up to 0x30 bytes, the
'unknown area brings the total to 0x1FC, and dwSum sits at 0x1FC (0x200 total).
Public Type RegfBlock
    dwSignature As Long                 'string "regf" = 0x66676572
    dwUnknown1 As Long                  'unknown
    dwUnknown2 As Long                  'always 0x00000004
    liLastEdit As LARGE_INTEGER         'NT time format
    dwNumber1 As Long                   'always 1
    dwNumber2 As Long                   'always 3
    dwNumber3 As Long                   'always 0
    dwNumber4 As Long                   'always 1 - perhaps this "1301" is a version 1.3.0.1?
    dwOffsetOfFirstKeyRecord As Long    'offset of the first key record
    dwBlockSize As Long                 'size of the data area (file size - 4 KB)
    dwNumber5 As Long                   'always 1
    bytUnknownData(1 To &H1CC) As Byte  'not analysed
    dwSum As Long                       'checksum over every DWORD from 0x00000000 to 0x000001FB
                                        'NOTE(review): the author describes a sum; the documented hive
                                        'format computes this as an XOR of those DWORDs — confirm before
                                        'using it to validate a hive. Nothing in this module checks it.
End Type
'Padding that immediately follows RegfBlock; together they fill the first 0x1000 bytes.
Public Type UnkownDataAfterRegfBlock
    bytReserved(1 To &HE00) As Byte     'unknown
End Type
'Header of an hbin block (0x20 bytes); cells follow it directly.
Public Type HBinHeader
    dwSignature As Long                     'string "hbin" = 0x6E696268
    dwOffsetFromFirstHBinRecord As Long     'offset of this block relative to the first hbin
    dwOffsetFromNextHBinRecord As Long      'offset of the next hbin block
    dwUnknownData(1 To &H10) As Byte
    dwBlockSize As Long                     'length of this hbin block
End Type
'A cell inside an hbin: 4-byte size followed by the cell data.
'Author's note: if the size is negative (bit 31 set) the cell is empty and the
'length stored is the negated cell size.
'NOTE(review): in the commonly documented format a negative size marks an
'allocated (in-use) cell and a positive size a free one — confirm. GetHBinSize
'below treats the negative case as "size field only", which is what lands on
'the root nk record in PreProcessHive.
Public Type HBinData
    dwDataBlockSize As Long
    szData() As Byte                    'length given by dwDataBlockSize
                                        'this is a dynamic array: LenB(HBinData) covers its 4-byte
                                        'descriptor pointer, not the data, so copying LenB bytes of
                                        'hive over a variable of this type overwrites that pointer
End Type
'Key cell ("nk", NameKey). The fixed part is 0x4C bytes; the name follows at 0x4C.
Public Type NkRecord
    wSignature As Integer                   'string "nk" = 0x6B6E
    wKeyType As Integer                     '0x2C for the root key, otherwise 0x20
    liLastEdit As LARGE_INTEGER             'NT time format
    bytUnknowData(1 To &H4) As Byte
    dwOffsetOfParentKey As Long             'offset of the parent key
    dwSubKeyNumber As Long                  'number of subkeys
    bytUnknowData2(1 To &H4) As Byte
    dwOffsetOfSubKeyLfRecords As Long       'offset of the subkeys' lf record
    bytUnknowData3(1 To &H4) As Byte
    dwValuesNumber As Long                  'number of values
    dwOffsetOfValueList As Long             'offset of the NkRecordValueList
    dwOffsetOfSkRecord As Long              'offset of the sk record
    dwOffsetOfClassName As Long             'offset of the class name (???)
    bytUnused(1 To &H10) As Byte
    dwUnused As Long                        'unused data
    wNameLength As Integer                  'length of the key name
    wClassNameLength As Integer             'length of the class name (???)
    szKeyName(1 To 1) As Byte               'placeholder; the real length is wNameLength
End Type
'Value list of a key: hive-relative offsets of its vk records.
Public Type NkRecordValueList
    dwValueOffset(1) As Long            'placeholder; the real element count is NkRecord.dwValuesNumber
End Type
'Value cell ("vk", ValueKey). The name follows the fixed part.
Public Type VkRecord
    wSignature As Integer       'string "vk" = 0x6B76
    wNameLength As Integer      'length of the value name
    dwDataLength As Long        'data length - author's note: if dwDataLength <= 4 the data itself
                                'is stored in dwDataOffset (a DWORD); 0 means the value has no data.
                                'NOTE(review): the documented format flags inline data with bit 31
                                'of this field rather than by size — confirm before relying on "<= 4".
    dwDataOffset As Long        'offset of the data (or the data itself, see above)
    dwValueType As Long         'data type - see DataTypes
    wFlags As Integer           'author's note: bit 0 set means the value has a name, otherwise it is
                                'the unnamed "(Default)" value. The code below keys on wNameLength instead.
    wUnused As Integer          'unused data
    szName(1 To 1) As Byte      'placeholder; the real length is wNameLength
End Type
'Value data types as stored in VkRecord.dwValueType.
Public Enum DataTypes
    REG_SZ = &H1                'UNICODE string
    REG_EXPEND_SZ = &H2         'expandable string (uses environment variables, e.g. "%SystemRoot%\system32"), UNICODE
                                '(Windows calls this REG_EXPAND_SZ; the member keeps its original spelling)
    REG_BINARY = &H3            'binary data
    REG_DWORD = &H4             'DWORD
    REG_MULTI_SZ = &H7          'several strings separated by vbNullChar, UNICODE
    REG_UNKNOWN = &HFFFFFFFF    '-1: not one of the types handled here
End Enum
'One entry of an lf record's hash list.
Public Type HashRecord
    dwRecordOffset As Long          'author's note: offset of the owning lf record. The code in
                                    'GetSubKeyListNkPointers / GetKeyNkRecordPointer uses it as the
                                    'hive-relative offset of the subkey's nk record.
    szKeyName(1 To 4) As Byte       'first 4 bytes of the key name; must be updated if the key is renamed
End Type
'Subkey list cell ("lf"): a count followed by one HashRecord per subkey.
Public Type LfRecord
    wSignature As Integer                   'string "lf" = 0x666C
    wKeyNumber As Integer                   'number of keys in the list
    dwHashRecord(1 To 1) As HashRecord      'placeholder; the real element count is wKeyNumber
End Type
'Security cell ("sk", SecurityKey). Not used by the functions in this module.
Public Type SkRecord
    wSignature As Integer                   'string "sk" = 0x6B73
    wUnused As Integer
    dwPreviousSkRecordOffset As Long        'offset of the previous sk record
    dwNextSkRecordOffset As Long            'offset of the next sk record
    dwUsageCounter As Long                  'reference count (???)
    dwRecordSize As Long                    'size of the sk record in bytes
    'the remainder of the cell is the permission (security descriptor) data
End Type
'ZwWriteVirtualMemory used as a memory copy that reports a status instead of
'faulting when a range is not accessible (presumably what the CopyMemory wrapper
'used below is built on; that wrapper is not in this part of the file).
'ProcessHandle is normally ZwGetCurrentProcess; NumberOfBytesCopied receives the
'number of bytes actually written.
Public Declare Function SafeCopyMemory _
    Lib "NTDLL.DLL" Alias "ZwWriteVirtualMemory" _
    (ByVal ProcessHandle As Long, _
    ByVal pDest As Long, _
    ByVal pSrc As Long, _
    ByVal NumberOfBytesToCopy As Long, _
    ByRef NumberOfBytesCopied As Long) As Long
'pseudo-handle for the current process
Public Const ZwGetCurrentProcess As Long = -1 '//0xFFFFFFFF
'module state, filled in by PreProcessHive
Dim m_pHive As Long                 'base address of the hive image in memory
Dim m_RegfBlock As RegfBlock, m_HBinHeader As HBinHeader, m_RootNkRecord As NkRecord
Dim m_RaisedErr As Boolean          'set True by the Get*ByPointer helpers when a read fails;
                                    'presumably reset by ClearError (called in NOP1, not shown here)
Dim m_pRootNk As Long               'address of the root nk record
'hive-relative offsets count from the first hbin (0x1000 = RegfBlock + padding)
'and the stored offsets land on the cell data just past its 4-byte size field
Private Const GlobalOffset As Long = &H1004
'name reported for a key's unnamed (default) value
Private Const RegDefault As String = "(Default)"
'Debug helper: print the in-memory byte size of an NkRecord as hex.
Public Sub dbg()
    Dim sample As NkRecord
    Debug.Print Hex$(LenB(sample))
End Sub
[/color][color=#008000]'hHive should be the base of the hive file in memory
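'Locate the root NK record of a hive image that is already in memory.
'hHive: base address of the hive file in memory (start of the "regf" block).
'Returns True on success, after filling m_pHive, m_RegfBlock, m_HBinHeader,
'm_RootNkRecord and m_pRootNk; returns False when a read fails or one of the
'regf / hbin / nk signatures does not match. Must run before the other helpers.
Public Function PreProcessHive(ByVal hHive As Long) As Boolean
    Dim st As Boolean                       'Boolean like the other helpers: CopyMemory is tested with Not
    Dim hBase As Long
    Dim unKnownData As UnkownDataAfterRegfBlock
    Dim HbData As HBinData
    'save hive pointer
    m_pHive = hHive
    hBase = hHive
    'read regf block and check its signature ("regf" = 0x66676572)
    st = CopyMemory(VarPtr(m_RegfBlock), hBase, LenB(m_RegfBlock))
    If (Not st) Then GoTo InitFaild_
    If (m_RegfBlock.dwSignature <> &H66676572) Then GoTo InitFaild_
    'read hbin header: it follows the 0x1000-byte header area ("hbin" = 0x6E696268)
    hBase = hBase + LenB(m_RegfBlock) + LenB(unKnownData)
    st = CopyMemory(VarPtr(m_HBinHeader), hBase, LenB(m_HBinHeader))
    If (Not st) Then GoTo InitFaild_
    If (m_HBinHeader.dwSignature <> &H6E696268) Then GoTo InitFaild_
    'read only the size field of the first cell: HBinData.szData is a dynamic
    'array, so copying LenB(HbData) bytes would overwrite its descriptor pointer
    st = CopyMemory(VarPtr(HbData.dwDataBlockSize), hBase + LenB(m_HBinHeader), LenB(HbData.dwDataBlockSize))
    If (Not st) Then GoTo InitFaild_
    'read root nk record and check its signature ("nk" = 0x6B6E)
    hBase = hBase + GetHBinSize(HbData)
    st = CopyMemory(VarPtr(m_RootNkRecord), hBase, LenB(m_RootNkRecord))
    If (Not st) Then GoTo InitFaild_
    If (m_RootNkRecord.wSignature <> &H6B6E) Then GoTo InitFaild_
    m_pRootNk = hBase
    'return
    PreProcessHive = True
    Exit Function
InitFaild_:
    PreProcessHive = False
End Function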
'the next two routines are for testing only.
'Test driver: dump the root key's direct subkeys and their values (see NOP1).
Public Sub NOP()
    Call NOP1(m_pRootNk)
    DoEvents
End Sub
'Test driver: walk the direct subkeys of the NK record at lpNk, list each
'one's values and write the report to Output.txt in the application folder.
'Only REG_DWORD and REG_SZ data are rendered; other types are reported by number.
'lpNk: address of the NK record to walk (normally m_pRootNk).
Public Sub NOP1(ByVal lpNk As Long)
    'MsgBox GetKeyNameByPointer(m_pRootNk)
    Dim report As String
    Dim subKeys() As Long
    Dim valueRecs() As Long
    Dim rawData() As Byte
    Dim keyIdx As Long, valIdx As Long
    Dim valType As DataTypes
    Dim dwordValue As Long
    Dim textValue As String
    subKeys = GetSubKeyListNkPointers(lpNk)
    For keyIdx = LBound(subKeys) To UBound(subKeys)
        valueRecs = GetValueListVkPointers(subKeys(keyIdx))
        report = report & "KeyName:" & GetKeyNameByPointer(subKeys(keyIdx)) & vbCrLf
        'either lookup above may have flagged an error; skip this key's values then
        If m_RaisedErr Then
            ClearError
        Else
            For valIdx = LBound(valueRecs) To UBound(valueRecs)
                'a zero pointer marks the end of the list
                If valueRecs(valIdx) = 0 Then Exit For
                valType = GetValueTypeByPointer(valueRecs(valIdx))
                rawData = GetValueDataByPointer(valueRecs(valIdx), valType)
                Select Case valType
                    Case REG_DWORD
                        Call CopyMemory(VarPtr(dwordValue), VarPtr(rawData(1)), 4)
                        report = report & vbTab & GetValueNameByPointer(valueRecs(valIdx)) & vbTab & dwordValue & vbCrLf
                    Case REG_SZ
                        'byte array to String: REG_SZ data is already UNICODE (see DataTypes)
                        textValue = rawData
                        report = report & vbTab & GetValueNameByPointer(valueRecs(valIdx)) & vbTab & textValue & vbCrLf
                    Case Else
                        report = report & vbTab & GetValueNameByPointer(valueRecs(valIdx)) & vbTab & "(Unsupportted value type = " & valType & ")" & vbCrLf
                End Select
                DoEvents
            Next
        End If
    Next
    DoEvents
    WriteFile App.Path & "\Output.txt", StrConv(report, vbFromUnicode)
End Sub
[/color][color=#008000]'get the size of the HBIN block
'Distance from an hbin header to the data of the cell after its first cell header.
'pHBinInfo: the first cell of the hbin (only dwDataBlockSize is read).
'Returns hbin header size + the 4-byte size field, plus the cell body when the
'size is positive. A negative size (bit 31 set) contributes no body; the author
'documents a negative size as an empty cell (NOTE(review): the commonly
'documented format marks allocated cells negative — confirm). The value is
'taken from the hive and is not checked against the image size.
Private Function GetHBinSize(ByRef pHBinInfo As HBinData) As Long
    Dim hdrTemplate As HBinHeader
    Dim cellSize As Long
    cellSize = pHBinInfo.dwDataBlockSize
    'a Long with bit 31 set is negative
    If cellSize < 0 Then
        GetHBinSize = LenB(hdrTemplate) + LenB(cellSize)
    Else
        GetHBinSize = LenB(hdrTemplate) + LenB(cellSize) + cellSize
    End If
End Function
[/color][color=#008000]'get key name from NK record
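'Read the key name stored in an NK record.
'pNkRecord: address of the NK record in the loaded hive image.
'Returns the name, or "" on failure (bad read, wrong signature, non-positive
'length) with m_RaisedErr set. The length comes from the record and is not
'checked against the image size.
Public Function GetKeyNameByPointer(ByVal pNkRecord As Long) As String
    Dim retByt() As Byte
    Dim szRetKeyName As String
    Dim pName As Long
    Dim NkRec As NkRecord
    Dim st As Boolean
    st = CopyMemory(VarPtr(NkRec), pNkRecord, LenB(NkRec))
    If (Not st) Then GoTo ExitFunc_
    With NkRec
        'anything that is not an "nk" cell (0x6B6E) is rejected instead of read as a name
        If (.wSignature <> &H6B6E) Then GoTo ExitFunc_
        'zero was already an error; a negative length would make ReDim raise
        If (.wNameLength <= 0) Then GoTo ExitFunc_
        ReDim retByt(1 To .wNameLength)
        'the name follows the fixed part: use the field's position in the local copy
        pName = pNkRecord + (VarPtr(.szKeyName(1)) - VarPtr(NkRec))
        st = CopyMemory(VarPtr(retByt(1)), pName, .wNameLength)
        If (Not st) Then GoTo ExitFunc_
        'NOTE(review): the name is treated as single-byte text; wKeyType is not consulted — confirm
        szRetKeyName = StrConv(retByt, vbUnicode)
        If (InStr(szRetKeyName, vbNullChar)) Then szRetKeyName = Left$(szRetKeyName, InStr(szRetKeyName, vbNullChar) - 1)
    End With
    Erase retByt
    GetKeyNameByPointer = szRetKeyName
    Exit Function
ExitFunc_:
    m_RaisedErr = True
End Function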
'get value name from VK record
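'Read the name stored in a VK record.
'pVkRecord: address of the VK record in the loaded hive image.
'Returns the value name, RegDefault ("(Default)") for an unnamed value, or ""
'on failure (bad read, wrong signature, negative length) with m_RaisedErr set.
'The length comes from the record and is not checked against the image size.
Public Function GetValueNameByPointer(ByVal pVkRecord As Long) As String
    Dim retByt() As Byte
    Dim szRetName As String
    Dim pName As Long
    Dim VkRec As VkRecord
    Dim st As Boolean
    st = CopyMemory(VarPtr(VkRec), pVkRecord, LenB(VkRec))
    If (Not st) Then GoTo ExitFunc_
    With VkRec
        'anything that is not a "vk" cell (0x6B76) is rejected
        If (.wSignature <> &H6B76) Then GoTo ExitFunc_
        'no name means the key's default value
        If (.wNameLength = 0) Then szRetName = RegDefault: GoTo FinishFunc_
        'a negative length would make ReDim raise a runtime error
        If (.wNameLength < 0) Then GoTo ExitFunc_
        ReDim retByt(1 To .wNameLength)
        'the name follows the fixed part: use the field's position in the local copy
        pName = pVkRecord + (VarPtr(.szName(1)) - VarPtr(VkRec))
        st = CopyMemory(VarPtr(retByt(1)), pName, .wNameLength)
        If (Not st) Then GoTo ExitFunc_
        'NOTE(review): the name is treated as single-byte text; wFlags is not consulted — confirm
        szRetName = StrConv(retByt, vbUnicode)
        If (InStr(szRetName, vbNullChar)) Then szRetName = Left$(szRetName, InStr(szRetName, vbNullChar) - 1)
    End With
FinishFunc_:
    Erase retByt
    GetValueNameByPointer = szRetName
    Exit Function
ExitFunc_:
    m_RaisedErr = True
End Function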
'get value list; pNkRecord is the NK record to list, the return value is an array of pointers to VK records
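'List the VK records of a key.
'pNkRecord: address of the NK record whose values are wanted.
'Returns a 1-based array of VK record addresses in the hive image. When the key
'has no values, or on failure (bad read, wrong signature, negative count),
'm_RaisedErr is set and the array is (1 To 1) holding 0 — the zero-count case
'is kept as an "error" because NOP1 relies on that flag. The count comes from
'the record and is not checked against the image size.
Public Function GetValueListVkPointers(ByVal pNkRecord As Long) As Long()
    Dim pVkRec() As Long
    Dim NkRec As NkRecord
    Dim dwNumber As Long
    Dim lOffset As Long
    Dim st As Boolean
    Dim I As Long
    ReDim pVkRec(1 To 1)
    st = CopyMemory(VarPtr(NkRec), pNkRecord, LenB(NkRec))
    If (Not st) Then GoTo ExitFunc_
    With NkRec
        'anything that is not an "nk" cell (0x6B6E) is rejected
        If (.wSignature <> &H6B6E) Then GoTo ExitFunc_
        dwNumber = .dwValuesNumber
        'a negative count can only come from a corrupt image and would make ReDim raise
        If (dwNumber <= 0) Then GoTo ExitFunc_
        ReDim pVkRec(1 To dwNumber)
        'the list offset is already in the local copy; no second read of the record needed
        lOffset = .dwOffsetOfValueList + m_pHive + GlobalOffset
    End With
    st = CopyMemory(VarPtr(pVkRec(1)), lOffset, dwNumber * LenB(pVkRec(1)))
    If (Not st) Then GoTo ExitFunc_
    'the list holds hive-relative offsets; turn them into addresses
    For I = 1 To dwNumber
        pVkRec(I) = pVkRec(I) + GlobalOffset + m_pHive
    Next
    GetValueListVkPointers = pVkRec
    Exit Function
ExitFunc_:
    m_RaisedErr = True
    'return the (1 To 1) zero array rather than an unallocated one so callers can index it
    GetValueListVkPointers = pVkRec
End Function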
'get sub-key list; pNkRecord is the NK record to list, the return value is an array of NK record pointers resolved from the HASH records
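'List the subkeys of a key by resolving its lf list.
'pNkRecord: address of the NK record whose subkeys are wanted.
'Returns a 1-based array of NK record addresses in the hive image. When the key
'has no subkeys, or on failure (bad read, wrong signature, negative count, list
'shorter than the key's count), m_RaisedErr is set and the array is (1 To 1)
'holding 0. Only an lf-shaped list is understood; its signature is not checked.
Public Function GetSubKeyListNkPointers(ByVal pNkRecord As Long) As Long()
    Dim pNkRec() As Long
    Dim NkRec As NkRecord
    Dim LfRec As LfRecord
    Dim HashRec() As HashRecord
    Dim dwNumber As Long
    Dim dwPosi As Long
    Dim st As Boolean
    Dim I As Long
    ReDim pNkRec(1 To 1)
    st = CopyMemory(VarPtr(NkRec), pNkRecord, LenB(NkRec))
    If (Not st) Then GoTo ExitFunc_
    With NkRec
        'anything that is not an "nk" cell (0x6B6E) is rejected
        If (.wSignature <> &H6B6E) Then GoTo ExitFunc_
        dwNumber = .dwSubKeyNumber
        'a negative count can only come from a corrupt image and would make ReDim raise
        If (dwNumber <= 0) Then GoTo ExitFunc_
        'the list offset is already in the local copy; no second read of the record needed
        dwPosi = .dwOffsetOfSubKeyLfRecords + GlobalOffset + m_pHive
    End With
    'read the lf header, then the hash entries that follow it
    st = CopyMemory(VarPtr(LfRec), dwPosi, LenB(LfRec))
    If (Not st) Then GoTo ExitFunc_
    'reading dwNumber entries from a list that declares fewer would run past the list cell
    If (LfRec.wKeyNumber < dwNumber) Then GoTo ExitFunc_
    ReDim HashRec(1 To dwNumber)
    dwPosi = dwPosi + (VarPtr(LfRec.dwHashRecord(1)) - VarPtr(LfRec))
    st = CopyMemory(VarPtr(HashRec(1)), dwPosi, dwNumber * LenB(HashRec(1)))
    If (Not st) Then GoTo ExitFunc_
    'calc NK record addresses from the hive-relative offsets in the hash entries
    ReDim pNkRec(1 To dwNumber)
    For I = 1 To dwNumber
        pNkRec(I) = HashRec(I).dwRecordOffset + GlobalOffset + m_pHive
    Next
    GetSubKeyListNkPointers = pNkRec
    Exit Function
ExitFunc_:
    m_RaisedErr = True
    'return the (1 To 1) zero array rather than an unallocated one so callers can index it
    GetSubKeyListNkPointers = pNkRec
End Function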
[/color][color=#008000]'get NK record pointer by HASH record
'Resolve the NK record that a hash entry points to.
'pHashRecord: address of a HashRecord inside an lf list.
'Returns the address of the subkey's NK record, or 0 when the entry cannot be
'read (m_RaisedErr is set in that case).
Public Function GetKeyNkRecordPointer(ByVal pHashRecord As Long) As Long
    Dim entry As HashRecord
    Dim st As Boolean
    st = CopyMemory(VarPtr(entry), pHashRecord, LenB(entry))
    If (Not st) Then
        m_RaisedErr = True
        Exit Function
    End If
    'hash entries hold hive-relative offsets; rebase onto the loaded image
    GetKeyNkRecordPointer = m_pHive + GlobalOffset + entry.dwRecordOffset
End Function
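'get key value by VK record
'Return the raw data bytes of the value whose VK record is at pVkRecord.
'  pVkRecord   : address of a VkRecord already mapped in this process
'  dwValueType : how to locate the data (normally GetValueTypeByPointer's
'                result for the same record)
'    REG_DWORD       - the 4 bytes are read out of the record's own
'                      dwDataOffset field, i.e. the value is stored inline
'    everything else - dwDataLength bytes are read from
'                      dwDataOffset + GlobalOffset + m_pHive
'Returns a 1-based Byte array. On any failure m_RaisedErr is set and the
'return value is left unallocated (UBound on it raises), so callers must
'check m_RaisedErr before indexing the result.
'NOTE(review): dwDataOffset and dwDataLength come straight from the hive
'image and are never checked against the mapped hive size; a corrupt or
'hostile hive can point this copy at any address in the process, and only
'CopyMemory's failure reporting stands between that and a crash.
Public Function GetValueDataByPointer(ByVal pVkRecord As Long, ByVal dwValueType As DataTypes) As Byte()
    Dim ret() As Byte
    Dim VkRec As VkRecord
    Dim lOffset As Long
    Dim st As Boolean
    'read the VK record header itself
    st = CopyMemory(VarPtr(VkRec), pVkRecord, LenB(VkRec))
    If (Not st) Then GoTo ExitFunc_
    With VkRec
        lOffset = .dwDataOffset + GlobalOffset + m_pHive
        Select Case dwValueType
            Case REG_DWORD
                'DWORD data lives in the offset field itself
                ReDim ret(1 To LenB(.dwDataOffset))
                st = CopyMemory(VarPtr(ret(LBound(ret))), VarPtr(.dwDataOffset), UBound(ret) - LBound(ret) + 1)
            Case Else
                'REG_SZ and every other (otherwise unsupported) type: copy the
                'external data cell verbatim
                If (.dwDataOffset = 0) Then GoTo ExitFunc_
                'dwDataLength is hive-controlled. ReDim ret(1 To n) raises
                'run-time error 9 for n <= 0 - a length field with its high
                'bit set reads as a negative Long here (presumably the hive's
                'inline-data marker; TODO confirm against VkRecord) - so fail
                'through the module flag instead of crashing. A very large n
                'is still allocated unchecked: no hive size is known here.
                If (.dwDataLength <= 0) Then GoTo ExitFunc_
                ReDim ret(1 To .dwDataLength)
                st = CopyMemory(VarPtr(ret(LBound(ret))), lOffset, UBound(ret) - LBound(ret) + 1)
        End Select
    End With
    'a failed data copy must not be handed back as a zero-filled buffer
    'with no error flagged
    If (Not st) Then GoTo ExitFunc_
FinishFunc_:
    GetValueDataByPointer = ret
    Exit Function
ExitFunc_:
    m_RaisedErr = True
End Function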
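'get key value type by VK record
'Read the dwValueType field of the VK (value) record at pVkRecord.
'  pVkRecord : address of a VkRecord already mapped in this process
'Returns the type exactly as stored in the hive (it is not validated
'against the DataTypes enumeration). When the record cannot be read,
'm_RaisedErr is set and REG_UNKNOWN is returned - the function now
'actually delivers that sentinel on the error path instead of leaving
'the return value at the enumeration default.
Public Function GetValueTypeByPointer(ByVal pVkRecord As Long) As DataTypes
    Dim VkRec As VkRecord
    If Not CopyMemory(VarPtr(VkRec), pVkRecord, LenB(VkRec)) Then
        m_RaisedErr = True
        GetValueTypeByPointer = REG_UNKNOWN
        Exit Function
    End If
    GetValueTypeByPointer = VkRec.dwValueType
End Function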
'Reset the module-wide error flag that the Get*ByPointer functions raise
'when a CopyMemory read fails. None of the visible readers clears it, so
'call ClearError before a sequence of reads and test m_RaisedErr after.
Public Sub ClearError()
    m_RaisedErr = False
End Sub
'return TRUE if the operation is successful
'VB port of the NT_SUCCESS macro: an NTSTATUS is success or informational
'when its sign bit is clear. Warning (&H8xxxxxxx) and error (&HCxxxxxxx)
'statuses are negative as a VB Long and are reported as failure.
Public Function NT_SUCCESS(ByVal Status As Long) As Boolean
    If Status < 0 Then
        NT_SUCCESS = False
    Else
        NT_SUCCESS = True
    End If
End Function
'copy data
'Copy nLength bytes from pSrc to pDst inside the current process via
'SafeCopyMemory and report the NTSTATUS it returns as a Boolean: True when
'the status is non-negative (success/informational), False otherwise.
'NOTE(review): SafeCopyMemory and ZwGetCurrentProcess are declared outside
'this excerpt. The fifth argument (ByVal 0) looks like an optional
'bytes-transferred out-parameter. Since every address fed in here is
'derived from hive-image offsets, confirm the underlying call probes
'both ranges and fails cleanly rather than faulting the process.
Public Function CopyMemory(ByVal pDst As Long, ByVal pSrc As Long, ByVal nLength As Long) As Boolean
    Dim status As Long
    status = SafeCopyMemory(ZwGetCurrentProcess, pDst, pSrc, nLength, ByVal 0)
    'same test as NT_SUCCESS: sign bit clear means the copy succeeded
    CopyMemory = (status >= 0)
End Function