📄 binhive.c
字号:
return TRUE;
}
static BOOLEAN
CmiExportHive (PHHIVE Hive,
PCWSTR KeyName)
{
PCM_KEY_NODE KeyCell;
FRLDRHKEY Key;
ULONG SubKeyCount;
ULONG ValueCount;
PLIST_ENTRY Entry;
FRLDRHKEY SubKey;
PVALUE Value;
DbgPrint((DPRINT_REGISTRY, "CmiExportHive(%x, '%S') called\n", Hive, KeyName));
if (RegOpenKey (NULL, KeyName, &Key) != ERROR_SUCCESS)
{
DbgPrint((DPRINT_REGISTRY, "RegOpenKey() failed\n"));
return FALSE;
}
KeyCell = HvGetCell (Hive, Hive->HiveHeader->RootCell);
if (KeyCell == NULL)
{
DbgPrint((DPRINT_REGISTRY, "HvGetCell() failed\n"));
return FALSE;
}
ValueCount = RegGetValueCount (Key);
DbgPrint((DPRINT_REGISTRY, "ValueCount: %u\n", ValueCount));
if (ValueCount > 0)
{
/* Allocate value list cell */
if (!CmiAllocateValueListCell (Hive,
&KeyCell->ValueList.List,
ValueCount))
{
DbgPrint((DPRINT_REGISTRY, "CmiAllocateValueListCell() failed\n"));
return FALSE;
}
if (Key->DataSize != 0)
{
if (!CmiExportValue (Hive, Hive->HiveHeader->RootCell, Key, NULL))
return FALSE;
}
/* Enumerate values */
Entry = Key->ValueList.Flink;
while (Entry != &Key->ValueList)
{
Value = CONTAINING_RECORD(Entry,
VALUE,
ValueList);
if (!CmiExportValue (Hive, Hive->HiveHeader->RootCell, Key, Value))
return FALSE;
Entry = Entry->Flink;
}
}
SubKeyCount = RegGetSubKeyCount (Key);
DbgPrint((DPRINT_REGISTRY, "SubKeyCount: %u\n", SubKeyCount));
if (SubKeyCount > 0)
{
/* Allocate hash table cell */
if (!CmiAllocateHashTableCell (Hive,
&KeyCell->SubKeyLists[HvStable],
SubKeyCount))
{
DbgPrint((DPRINT_REGISTRY, "CmiAllocateHashTableCell() failed\n"));
return FALSE;
}
/* Enumerate subkeys */
Entry = Key->SubKeyList.Flink;
while (Entry != &Key->SubKeyList)
{
SubKey = CONTAINING_RECORD(Entry,
KEY,
KeyList);
if (!CmiExportSubKey (Hive, Hive->HiveHeader->RootCell, Key, SubKey))
return FALSE;
Entry = Entry->Flink;
}
}
return TRUE;
}
static BOOLEAN
RegImportValue (PHHIVE Hive,
PCM_KEY_VALUE ValueCell,
FRLDRHKEY Key)
{
PVOID DataCell;
PWCHAR wName;
LONG Error;
ULONG DataSize;
ULONG i;
if (ValueCell->Id != REG_VALUE_CELL_ID)
{
DbgPrint((DPRINT_REGISTRY, "Invalid key cell!\n"));
return FALSE;
}
if (ValueCell->Flags & REG_VALUE_NAME_PACKED)
{
wName = MmAllocateMemory ((ValueCell->NameSize + 1)*sizeof(WCHAR));
for (i = 0; i < ValueCell->NameSize; i++)
{
wName[i] = ((PCHAR)ValueCell->Name)[i];
}
wName[ValueCell->NameSize] = 0;
}
else
{
wName = MmAllocateMemory (ValueCell->NameSize + sizeof(WCHAR));
memcpy (wName,
ValueCell->Name,
ValueCell->NameSize);
wName[ValueCell->NameSize / sizeof(WCHAR)] = 0;
}
DataSize = ValueCell->DataSize & REG_DATA_SIZE_MASK;
DbgPrint((DPRINT_REGISTRY, "ValueName: '%S'\n", wName));
DbgPrint((DPRINT_REGISTRY, "DataSize: %u\n", DataSize));
if (DataSize <= sizeof(HCELL_INDEX) && (ValueCell->DataSize & REG_DATA_IN_OFFSET))
{
Error = RegSetValue(Key,
wName,
ValueCell->DataType,
(PCHAR)&ValueCell->DataOffset,
DataSize);
if (Error != ERROR_SUCCESS)
{
DbgPrint((DPRINT_REGISTRY, "RegSetValue() failed!\n"));
MmFreeMemory (wName);
return FALSE;
}
}
else
{
DataCell = HvGetCell (Hive, ValueCell->DataOffset);
DbgPrint((DPRINT_REGISTRY, "DataCell: %x\n", DataCell));
Error = RegSetValue (Key,
wName,
ValueCell->DataType,
DataCell,
DataSize);
if (Error != ERROR_SUCCESS)
{
DbgPrint((DPRINT_REGISTRY, "RegSetValue() failed!\n"));
MmFreeMemory (wName);
return FALSE;
}
}
MmFreeMemory (wName);
return TRUE;
}
static BOOLEAN
RegImportSubKey(PHHIVE Hive,
PCM_KEY_NODE KeyCell,
FRLDRHKEY ParentKey)
{
PHASH_TABLE_CELL HashCell;
PCM_KEY_NODE SubKeyCell;
PVALUE_LIST_CELL ValueListCell;
PCM_KEY_VALUE ValueCell = NULL;
PWCHAR wName;
FRLDRHKEY SubKey;
LONG Error;
ULONG i;
DbgPrint((DPRINT_REGISTRY, "KeyCell: %x\n", KeyCell));
DbgPrint((DPRINT_REGISTRY, "KeyCell->Id: %x\n", KeyCell->Id));
if (KeyCell->Id != REG_KEY_CELL_ID)
{
DbgPrint((DPRINT_REGISTRY, "Invalid key cell id!\n"));
return FALSE;
}
if (KeyCell->Flags & REG_KEY_NAME_PACKED)
{
wName = MmAllocateMemory ((KeyCell->NameSize + 1) * sizeof(WCHAR));
for (i = 0; i < KeyCell->NameSize; i++)
{
wName[i] = ((PCHAR)KeyCell->Name)[i];
}
wName[KeyCell->NameSize] = 0;
}
else
{
wName = MmAllocateMemory (KeyCell->NameSize + sizeof(WCHAR));
memcpy (wName,
KeyCell->Name,
KeyCell->NameSize);
wName[KeyCell->NameSize/sizeof(WCHAR)] = 0;
}
DbgPrint((DPRINT_REGISTRY, "KeyName: '%S'\n", wName));
/* Create new sub key */
Error = RegCreateKey (ParentKey,
wName,
&SubKey);
MmFreeMemory (wName);
if (Error != ERROR_SUCCESS)
{
DbgPrint((DPRINT_REGISTRY, "RegCreateKey() failed!\n"));
return FALSE;
}
DbgPrint((DPRINT_REGISTRY, "Subkeys: %u\n", KeyCell->SubKeyCounts));
DbgPrint((DPRINT_REGISTRY, "Values: %u\n", KeyCell->ValueList.Count));
/* Enumerate and add values */
if (KeyCell->ValueList.Count > 0)
{
ValueListCell = (PVALUE_LIST_CELL) HvGetCell (Hive, KeyCell->ValueList.List);
DbgPrint((DPRINT_REGISTRY, "ValueListCell: %x\n", ValueListCell));
for (i = 0; i < KeyCell->ValueList.Count; i++)
{
DbgPrint((DPRINT_REGISTRY, "ValueOffset[%d]: %x\n", i, ValueListCell->ValueOffset[i]));
ValueCell = (PCM_KEY_VALUE) HvGetCell (Hive, ValueListCell->ValueOffset[i]);
DbgPrint((DPRINT_REGISTRY, "ValueCell[%d]: %x\n", i, ValueCell));
if (!RegImportValue(Hive, ValueCell, SubKey))
return FALSE;
}
}
/* Enumerate and add subkeys */
if (KeyCell->SubKeyCounts[HvStable] > 0)
{
HashCell = (PHASH_TABLE_CELL) HvGetCell (Hive, KeyCell->SubKeyLists[HvStable]);
DbgPrint((DPRINT_REGISTRY, "HashCell: %x\n", HashCell));
DbgPrint((DPRINT_REGISTRY, "SubKeyCounts: %x\n", KeyCell->SubKeyCounts));
for (i = 0; i < KeyCell->SubKeyCounts[HvStable]; i++)
{
DbgPrint((DPRINT_REGISTRY, "KeyOffset[%d]: %x\n", i, HashCell->Table[i].KeyOffset));
SubKeyCell = (PCM_KEY_NODE) HvGetCell (Hive, HashCell->Table[i].KeyOffset);
DbgPrint((DPRINT_REGISTRY, "SubKeyCell[%d]: %x\n", i, SubKeyCell));
if (!RegImportSubKey(Hive, SubKeyCell, SubKey))
return FALSE;
}
}
return TRUE;
}
BOOLEAN
RegImportBinaryHive(PCHAR ChunkBase,
ULONG ChunkSize)
{
PCM_KEY_NODE KeyCell;
PHASH_TABLE_CELL HashCell;
PCM_KEY_NODE SubKeyCell;
FRLDRHKEY SystemKey;
ULONG i;
LONG Error;
PEREGISTRY_HIVE CmHive;
PHHIVE Hive;
NTSTATUS Status;
DbgPrint((DPRINT_REGISTRY, "RegImportBinaryHive(%x, %u) called\n",ChunkBase,ChunkSize));
CmHive = CmpAllocate(sizeof(EREGISTRY_HIVE), TRUE);
Status = HvInitialize (&CmHive->Hive, HV_OPERATION_MEMORY_INPLACE, 0, 0,
(ULONG_PTR)ChunkBase, 0,
CmpAllocate, CmpFree,
NULL, NULL, NULL, NULL, NULL);
if (!NT_SUCCESS(Status))
{
DbgPrint((DPRINT_REGISTRY, "Invalid hive id!\n"));
return FALSE;
}
Hive = &CmHive->Hive;
KeyCell = HvGetCell (Hive, Hive->HiveHeader->RootCell);
DbgPrint((DPRINT_REGISTRY, "KeyCell: %x\n", KeyCell));
DbgPrint((DPRINT_REGISTRY, "KeyCell->Id: %x\n", KeyCell->Id));
if (KeyCell->Id != REG_KEY_CELL_ID)
{
DbgPrint((DPRINT_REGISTRY, "Invalid key cell id!\n"));
return FALSE;
}
DbgPrint((DPRINT_REGISTRY, "Subkeys: %u\n", KeyCell->SubKeyCounts));
DbgPrint((DPRINT_REGISTRY, "Values: %u\n", KeyCell->ValueList.Count));
/* Open 'System' key */
Error = RegOpenKey(NULL,
L"\\Registry\\Machine\\SYSTEM",
&SystemKey);
if (Error != ERROR_SUCCESS)
{
DbgPrint((DPRINT_REGISTRY, "Failed to open 'system' key!\n"));
return FALSE;
}
/* Enumerate and add subkeys */
if (KeyCell->SubKeyCounts[HvStable] > 0)
{
HashCell = HvGetCell (Hive, KeyCell->SubKeyLists[HvStable]);
DbgPrint((DPRINT_REGISTRY, "HashCell: %x\n", HashCell));
DbgPrint((DPRINT_REGISTRY, "SubKeyCounts: %x\n", KeyCell->SubKeyCounts[HvStable]));
for (i = 0; i < KeyCell->SubKeyCounts[HvStable]; i++)
{
DbgPrint((DPRINT_REGISTRY, "KeyOffset[%d]: %x\n", i, HashCell->Table[i].KeyOffset));
SubKeyCell = HvGetCell (Hive, HashCell->Table[i].KeyOffset);
DbgPrint((DPRINT_REGISTRY, "SubKeyCell[%d]: %x\n", i, SubKeyCell));
if (!RegImportSubKey(Hive, SubKeyCell, SystemKey))
return FALSE;
}
}
return TRUE;
}
static VOID
CmiWriteHive(PHHIVE Hive,
PCHAR ChunkBase,
ULONG* ChunkSize)
{
PHBIN Bin;
ULONG i, Size;
/* Write hive header */
memcpy (ChunkBase, Hive->HiveHeader, HV_BLOCK_SIZE);
Size = HV_BLOCK_SIZE;
Bin = NULL;
for (i = 0; i < Hive->Storage[HvStable].Length; i++)
{
if (Hive->Storage[HvStable].BlockList[i].Bin != (ULONG_PTR)Bin)
{
Bin = (PHBIN)Hive->Storage[HvStable].BlockList[i].Bin;
memcpy (ChunkBase + (i + 1) * HV_BLOCK_SIZE,
Bin, Bin->Size);
Size += Bin->Size;
}
}
DbgPrint((DPRINT_REGISTRY, "ChunkSize: %x\n", Size));
*ChunkSize = Size;
}
BOOLEAN
RegExportBinaryHive(PCWSTR KeyName,
PCHAR ChunkBase,
ULONG* ChunkSize)
{
PEREGISTRY_HIVE CmHive;
PHHIVE Hive;
NTSTATUS Status;
DbgPrint((DPRINT_REGISTRY, "Creating binary hardware hive\n"));
CmHive = CmpAllocate(sizeof(EREGISTRY_HIVE), TRUE);
Status = HvInitialize (&CmHive->Hive, HV_OPERATION_CREATE_HIVE, 0, 0, 0, 0,
CmpAllocate, CmpFree,
NULL, NULL, NULL, NULL, NULL);
Hive = &CmHive->Hive;
if (!NT_SUCCESS(Status))
{
return FALSE;
}
/* Init root key cell */
if (!CmCreateRootNode (Hive, KeyName))
{
HvFree (Hive);
return FALSE;
}
if (!CmiExportHive (Hive, KeyName))
{
HvFree (Hive);
return FALSE;
}
CmiWriteHive (Hive, ChunkBase, ChunkSize);
HvFree (Hive);
return TRUE;
}
/* EOF */
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -