📄 registry.cod
EXTRN __imp__RtlInitUnicodeString@8:NEAR
; COMDAT _SerialGetRegistryKeyValue@20
PAGESRP0 SEGMENT
; String literals used by the PAGED_CODE() assertion and the trace message below.
$SG14878 DB 'EX: Pageable code called at IRQL %d', 0aH, 00H
ORG $+3
$SG14881 DB 'f:\w2ddk\src\kernel\serial\registry.c', 00H
ORG $+2
$SG14882 DB 'FALSE', 00H
ORG $+2
$SG14889 DB 'SERIAL: Enter SerialGetRegistryKeyValue', 0aH, 00H
; Function compile flags: /Ogs
; Frame offsets relative to ebp: positive values are the five stack arguments,
; negative values are locals inside the 16 bytes reserved by "sub esp, 16".
_Handle$ = 8
_KeyNameString$ = 12
_KeyNameStringLength$ = 16
_Data$ = 20
_DataLength$ = 24
_keyName$ = -16
_length$ = -4
_ntStatus$ = -8
;-----------------------------------------------------------------------
; NTSTATUS SerialGetRegistryKeyValue(Handle, KeyNameString,
;                                    KeyNameStringLength, Data, DataLength)
; Compiler listing (machine code + interleaved C source) of the routine that
; reads one registry value through ZwQueryValueKey into a temporary pool
; buffer and copies the value data to the caller's Data buffer.
; ABI:   32-bit x86, callee pops 20 bytes of arguments ("ret 20").
; Out:   eax = ntStatus (starts as STATUS_INSUFFICIENT_RESOURCES, replaced by
;        the ZwQueryValueKey result once the allocation has succeeded).
; Saved: ebx, esi, edi are pushed and restored; ecx is used as scratch.
; Review notes:
;  - The buffer size is 24 + KeyNameStringLength + DataLength computed in
;    32 bits with no overflow check; the same value is also the length passed
;    to ZwQueryValueKey.  Presumably callers pass small lengths -- confirm.
;  - The copy is guarded by an unsigned DataLength >= fullInfo->DataLength
;    test, but a successful query whose data does not fit still returns the
;    success status with Data left unwritten, and the number of bytes copied
;    is never reported back to the caller.
;  - fullInfo->DataOffset is used as returned by ZwQueryValueKey, with no
;    range check in this routine.
;-----------------------------------------------------------------------
_SerialGetRegistryKeyValue@20 PROC NEAR ; COMDAT
; 304 : {
00081 55 push ebp
00082 8b ec mov ebp, esp
00084 83 ec 10 sub esp, 16 ; 00000010H
00087 53 push ebx
00088 56 push esi
; 305 : UNICODE_STRING keyName;
; 306 : ULONG length;
; 307 : PKEY_VALUE_FULL_INFORMATION fullInfo;
; 308 :
; 309 : NTSTATUS ntStatus = STATUS_INSUFFICIENT_RESOURCES;
; 310 :
; 311 : PAGED_CODE();
; PAGED_CODE() expansion: esi caches the KeGetCurrentIrql import so it can be
; called twice; an IRQL above 1 prints the message and raises RtlAssert.
00089 8b 35 00 00 00
00 mov esi, DWORD PTR __imp__KeGetCurrentIrql@0
0008f c7 45 f8 9a 00
00 c0 mov DWORD PTR _ntStatus$[ebp], -1073741670 ; c000009aH
00096 ff d6 call esi
00098 3c 01 cmp al, 1
0009a 76 29 jbe SHORT $L14883
0009c ff d6 call esi
0009e 0f b6 c0 movzx eax, al
000a1 50 push eax
000a2 68 00 00 00 00 push OFFSET FLAT:$SG14878
000a7 e8 00 00 00 00 call _DbgPrint
; The two "pop ecx" discard the two DbgPrint arguments (caller cleans up here).
000ac 59 pop ecx
000ad 59 pop ecx
000ae 6a 00 push 0
000b0 68 37 01 00 00 push 311 ; 00000137H
000b5 68 00 00 00 00 push OFFSET FLAT:$SG14881
000ba 68 00 00 00 00 push OFFSET FLAT:$SG14882
000bf ff 15 00 00 00
00 call DWORD PTR __imp__RtlAssert@16
$L14883:
; 312 :
; 313 : SerialDump(SERTRACECALLS, ("SERIAL: Enter SerialGetRegistryKeyValue\n"));
; The trace message is printed only when bit 40H of _SerialDebugLevel is set.
000c5 f6 05 00 00 00
00 40 test BYTE PTR _SerialDebugLevel, 64 ; 00000040H
000cc 74 0b je SHORT $L14884
000ce 68 00 00 00 00 push OFFSET FLAT:$SG14889
000d3 e8 00 00 00 00 call _DbgPrint
000d8 59 pop ecx
$L14884:
; 314 :
; 315 :
; 316 : RtlInitUnicodeString (&keyName, KeyNameString);
000d9 ff 75 0c push DWORD PTR _KeyNameString$[ebp]
000dc 8d 45 f0 lea eax, DWORD PTR _keyName$[ebp]
000df 50 push eax
000e0 ff 15 00 00 00
00 call DWORD PTR __imp__RtlInitUnicodeString@8
; 317 :
; 318 : length = sizeof(KEY_VALUE_FULL_INFORMATION) + KeyNameStringLength
; 319 : + DataLength;
; esi keeps DataLength for the later size comparison.  The sum is formed by
; the lea below (24 is the sizeof term in this build) and wraps modulo 2^32;
; nothing checks for that wrap before the value is used as allocation size.
000e6 8b 75 18 mov esi, DWORD PTR _DataLength$[ebp]
000e9 8b 45 10 mov eax, DWORD PTR _KeyNameStringLength$[ebp]
; 320 : fullInfo = ExAllocatePool(PagedPool, length);
; The source-level ExAllocatePool call is emitted as ExAllocatePoolWithTag
; with pool type 1 and the tag constant 584d4f43H.
000ec 68 43 4f 4d 58 push 1481461571 ; 584d4f43H
000f1 8d 44 30 18 lea eax, DWORD PTR [eax+esi+24]
000f5 50 push eax
000f6 6a 01 push 1
000f8 89 45 fc mov DWORD PTR _length$[ebp], eax
000fb ff 15 00 00 00
00 call DWORD PTR __imp__ExAllocatePoolWithTag@12
00101 8b d8 mov ebx, eax
; 321 :
; 322 : if (fullInfo) {
; ebx = fullInfo.  On allocation failure control jumps straight to the return
; with ntStatus still holding its initial STATUS_INSUFFICIENT_RESOURCES.
00103 85 db test ebx, ebx
00105 74 44 je SHORT $L14897
; 323 : ntStatus = ZwQueryValueKey (Handle,
; 324 : &keyName,
; 325 : KeyValueFullInformation,
; 326 : fullInfo,
; 327 : length,
; 328 : &length);
; Arguments are pushed right to left; _length$ is passed both by value (the
; buffer size) and by address (the result-length output).
00107 8d 45 fc lea eax, DWORD PTR _length$[ebp]
0010a 50 push eax
0010b 8d 45 f0 lea eax, DWORD PTR _keyName$[ebp]
0010e ff 75 fc push DWORD PTR _length$[ebp]
00111 53 push ebx
00112 6a 01 push 1
00114 50 push eax
00115 ff 75 08 push DWORD PTR _Handle$[ebp]
00118 ff 15 00 00 00
00 call DWORD PTR __imp__ZwQueryValueKey@24
; 329 :
; 330 : if (NT_SUCCESS(ntStatus)) {
; NT_SUCCESS is a signed test: any negative status skips the copy.  The mov
; between test and jl does not alter the flags.
0011e 85 c0 test eax, eax
00120 89 45 f8 mov DWORD PTR _ntStatus$[ebp], eax
00123 7c 1f jl SHORT $L14900
; 331 : //
; 332 : // If there is enough room in the data buffer, copy the output
; 333 : //
; 334 :
; 335 : if (DataLength >= fullInfo->DataLength) {
; ecx = fullInfo->DataLength (offset 12).  jb is the unsigned form, so a very
; large DataLength field cannot pass as a negative number.  When the test
; fails the copy is skipped but the success status in ntStatus is kept.
00125 8b 4b 0c mov ecx, DWORD PTR [ebx+12]
00128 3b f1 cmp esi, ecx
0012a 72 18 jb SHORT $L14900
; 336 : RtlCopyMemory (Data,
; 337 : ((PUCHAR) fullInfo) + fullInfo->DataOffset,
; 338 : fullInfo->DataLength);
; Inlined copy: esi = fullInfo + fullInfo->DataOffset (offset 8), edi = Data.
; DataLength/4 dwords are moved, then the remaining DataLength & 3 bytes.
; edi is saved and restored around the copy.
0012c 8b 73 08 mov esi, DWORD PTR [ebx+8]
0012f 8b c1 mov eax, ecx
00131 57 push edi
00132 8b 7d 14 mov edi, DWORD PTR _Data$[ebp]
00135 03 f3 add esi, ebx
00137 c1 e9 02 shr ecx, 2
0013a f3 a5 rep movsd
0013c 8b c8 mov ecx, eax
0013e 83 e1 03 and ecx, 3
00141 f3 a4 rep movsb
00143 5f pop edi
$L14900:
; 339 : }
; 340 : }
; 341 :
; 342 : ExFreePool(fullInfo);
; Every path that allocated fullInfo reaches this free, including the failed
; query and the skipped copy.
00144 53 push ebx
00145 ff 15 00 00 00
00 call DWORD PTR __imp__ExFreePool@4
$L14897:
; 343 : }
; 344 :
; 345 : return ntStatus;
0014b 8b 45 f8 mov eax, DWORD PTR _ntStatus$[ebp]
0014e 5e pop esi
0014f 5b pop ebx
; 346 : }
00150 c9 leave
00151 c2 14 00 ret 20 ; 00000014H
_SerialGetRegistryKeyValue@20 ENDP
PAGESRP0 ENDS
PUBLIC _SerialPutRegistryKeyValue@24
EXTRN __imp__ZwSetValueKey@24:NEAR
EXTRN __imp__RtlAppendUnicodeToString@8:NEAR
; COMDAT _SerialPutRegistryKeyValue@24
PAGESRP0 SEGMENT
; String literals used by the PAGED_CODE() assertion and the trace message below.
$SG14918 DB 'EX: Pageable code called at IRQL %d', 0aH, 00H
ORG $+3
$SG14921 DB 'f:\w2ddk\src\kernel\serial\registry.c', 00H
ORG $+2
$SG14922 DB 'FALSE', 00H
ORG $+2
$SG14929 DB 'SERIAL: Enter SerialPutRegistryKeyValue', 0aH, 00H
; Function compile flags: /Ogs
; Frame offsets relative to ebp: positive values are the six stack arguments;
; _keyname$ is the 8-byte UNICODE_STRING local reserved by the two "push ecx".
_Handle$ = 8
_PKeyNameString$ = 12
_KeyNameStringLength$ = 16
_Dtype$ = 20
_PData$ = 24
_DataLength$ = 28
_keyname$ = -8
;-----------------------------------------------------------------------
; NTSTATUS SerialPutRegistryKeyValue(Handle, PKeyNameString,
;                                    KeyNameStringLength, Dtype, PData,
;                                    DataLength)
; Compiler listing (machine code + interleaved C source) of the routine that
; builds a pool-backed UNICODE_STRING copy of the value name and writes the
; value with ZwSetValueKey.
; ABI:   32-bit x86, callee pops 24 bytes of arguments ("ret 24").
; Out:   eax = STATUS_INSUFFICIENT_RESOURCES when the name buffer cannot be
;        allocated, otherwise the ZwSetValueKey result.
; Saved: esi is pushed and restored; ecx is used as scratch.
; Review notes:
;  - keyname.MaximumLength keeps only the low 16 bits of
;    KeyNameStringLength + 2, and the allocation is sized from that truncated
;    value.  Presumably callers pass short names -- confirm.
;  - The status returned by RtlAppendUnicodeToString is discarded, so a name
;    that did not fit is not detected before ZwSetValueKey is called.
;  - Dtype, PData and DataLength are forwarded to ZwSetValueKey unchanged;
;    this routine performs no validation of them.
;-----------------------------------------------------------------------
_SerialPutRegistryKeyValue@24 PROC NEAR ; COMDAT
; 380 : {
00081 55 push ebp
00082 8b ec mov ebp, esp
00084 51 push ecx
00085 51 push ecx
00086 56 push esi
; 381 : NTSTATUS status;
; 382 : UNICODE_STRING keyname;
; 383 :
; 384 : PAGED_CODE();
; PAGED_CODE() expansion: esi caches the KeGetCurrentIrql import so it can be
; called twice; an IRQL above 1 prints the message and raises RtlAssert.
00087 8b 35 00 00 00
00 mov esi, DWORD PTR __imp__KeGetCurrentIrql@0
0008d ff d6 call esi
0008f 3c 01 cmp al, 1
00091 76 29 jbe SHORT $L14923
00093 ff d6 call esi
00095 0f b6 c0 movzx eax, al
00098 50 push eax
00099 68 00 00 00 00 push OFFSET FLAT:$SG14918
0009e e8 00 00 00 00 call _DbgPrint
; The two "pop ecx" discard the two DbgPrint arguments (caller cleans up here).
000a3 59 pop ecx
000a4 59 pop ecx
000a5 6a 00 push 0
000a7 68 80 01 00 00 push 384 ; 00000180H
000ac 68 00 00 00 00 push OFFSET FLAT:$SG14921
000b1 68 00 00 00 00 push OFFSET FLAT:$SG14922
000b6 ff 15 00 00 00
00 call DWORD PTR __imp__RtlAssert@16
$L14923:
; 385 :
; 386 : SerialDump(SERTRACECALLS,("SERIAL: Enter SerialPutRegistryKeyValue\n"));
; The trace message is printed only when bit 40H of _SerialDebugLevel is set.
000bc f6 05 00 00 00
00 40 test BYTE PTR _SerialDebugLevel, 64 ; 00000040H
000c3 74 0b je SHORT $L14924
000c5 68 00 00 00 00 push OFFSET FLAT:$SG14929
000ca e8 00 00 00 00 call _DbgPrint
000cf 59 pop ecx
$L14924:
; 387 :
; 388 : RtlInitUnicodeString(&keyname, NULL);
000d0 8d 45 f8 lea eax, DWORD PTR _keyname$[ebp]
000d3 6a 00 push 0
000d5 50 push eax
000d6 ff 15 00 00 00
00 call DWORD PTR __imp__RtlInitUnicodeString@8
; 389 : keyname.MaximumLength = (USHORT)(KeyNameStringLength + sizeof(WCHAR));
; Only ax is stored into the MaximumLength field (_keyname$+2); the movzx then
; makes the allocation size the same truncated 16-bit value.
000dc 8b 45 10 mov eax, DWORD PTR _KeyNameStringLength$[ebp]
; 390 : keyname.Buffer = ExAllocatePool(PagedPool, keyname.MaximumLength);
; The source-level ExAllocatePool call is emitted as ExAllocatePoolWithTag
; with pool type 1 and the tag constant 584d4f43H.
000df 68 43 4f 4d 58 push 1481461571 ; 584d4f43H
000e4 83 c0 02 add eax, 2
000e7 66 89 45 fa mov WORD PTR _keyname$[ebp+2], ax
000eb 0f b7 c0 movzx eax, ax
000ee 50 push eax
000ef 6a 01 push 1
000f1 ff 15 00 00 00
00 call DWORD PTR __imp__ExAllocatePoolWithTag@12
; 391 :
; 392 : if (keyname.Buffer == NULL) {
; The returned pointer is stored in keyname.Buffer (_keyname$+4) whether or
; not it is NULL; the mov leaves the flags from the test intact.
000f7 85 c0 test eax, eax
000f9 89 45 fc mov DWORD PTR _keyname$[ebp+4], eax
000fc 75 07 jne SHORT $L14940
; 393 : return STATUS_INSUFFICIENT_RESOURCES;
000fe b8 9a 00 00 c0 mov eax, -1073741670 ; c000009aH
00103 eb 32 jmp SHORT $L14914
$L14940:
; 394 : }
; 395 :
; 396 : RtlAppendUnicodeToString(&keyname, PKeyNameString);
; The value this call leaves in eax is overwritten by the lea that follows,
; i.e. the append status is never examined.
00105 ff 75 0c push DWORD PTR _PKeyNameString$[ebp]
00108 8d 45 f8 lea eax, DWORD PTR _keyname$[ebp]
0010b 50 push eax
0010c ff 15 00 00 00
00 call DWORD PTR __imp__RtlAppendUnicodeToString@8
; 397 :
; 398 : status = ZwSetValueKey(Handle, &keyname, 0, Dtype, PData, DataLength);
; Arguments are pushed right to left; the caller-supplied Dtype, PData and
; DataLength go through unchanged.
00112 ff 75 1c push DWORD PTR _DataLength$[ebp]
00115 8d 45 f8 lea eax, DWORD PTR _keyname$[ebp]
00118 ff 75 18 push DWORD PTR _PData$[ebp]
0011b ff 75 14 push DWORD PTR _Dtype$[ebp]
0011e 6a 00 push 0
00120 50 push eax
00121 ff 75 08 push DWORD PTR _Handle$[ebp]
00124 ff 15 00 00 00
00 call DWORD PTR __imp__ZwSetValueKey@24
; 399 :
; 400 : ExFreePool(keyname.Buffer);
; esi holds the ZwSetValueKey status across the ExFreePool call.
0012a ff 75 fc push DWORD PTR _keyname$[ebp+4]
0012d 8b f0 mov esi, eax
0012f ff 15 00 00 00
00 call DWORD PTR __imp__ExFreePool@4
; 401 :
; 402 : return status;
00135 8b c6 mov eax, esi
; Shared epilogue: the allocation-failure path jumps here with eax already set.
$L14914:
00137 5e pop esi
; 403 : }
00138 c9 leave
00139 c2 18 00 ret 24 ; 00000018H
_SerialPutRegistryKeyValue@24 ENDP
PAGESRP0 ENDS
END