Debugging/Windows
Registry
haewon83
2023. 5. 16. 14:23
오늘은 지난 번 Windows Security 자료에 이어서 Windows OS의 Configuration Manager와 관련이 있는 Registry에 대해서 알아보도록 하겠습니다.
Hive
Kernel에서 Registry를 관리하는 Component는 Configuration Manager
Registry는 Hive 파일에 저장되어 있다가, System이 Boot 되는 시점에 Memory에 로드되는 방식
Registry Structure는 다음과 같이 구성
대부분의 Hive는 파일에 저장되며, Hardware 같은 Hive는 System Boot 시점마다 생성 ## <-- 이런 Hive는 Volatile Hive
Hive 경로와 Hive가 저장되는 파일 경로
Hive 파일은 Primary 파일과 두 개의 Log 파일(숨김 파일)로 구성
| C:\Windows\System32\config>dir /a Volume in drive C has no label. Volume Serial Number is 78DC-9DD2 Directory of C:\Windows\System32\config 04/25/2023 06:01 PM <DIR> . 04/25/2023 06:01 PM <DIR> .. 04/21/2023 04:35 PM 32,768 BBI 09/15/2018 03:09 PM 65,536 BBI.LOG1 09/15/2018 03:09 PM 49,152 BBI.LOG2 09/15/2018 03:09 PM 65,536 BBI{1c37910b-b8ad-11e8-aa21-e41d2d101530}.TM.blf 09/15/2018 03:09 PM 524,288 BBI{1c37910b-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms 09/15/2018 03:09 PM 524,288 BBI{1c37910b-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms 04/21/2023 11:32 PM 28,672 BCD-Template 04/21/2023 11:32 PM 28,672 BCD-Template.LOG 04/26/2023 03:38 PM 49,020,928 COMPONENTS 09/15/2018 03:09 PM 8,241,152 COMPONENTS.LOG1 09/15/2018 03:09 PM 20,480 COMPONENTS.LOG2 04/25/2023 05:58 PM 65,536 COMPONENTS{1c379064-b8ad-11e8-aa21-e41d2d101530}.TM.blf 04/21/2023 04:26 PM 524,288 COMPONENTS{1c379064-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms 04/25/2023 05:58 PM 524,288 COMPONENTS{1c379064-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms 04/21/2023 04:35 PM 524,288 DEFAULT 09/15/2018 03:09 PM 73,728 DEFAULT.LOG1 09/15/2018 03:09 PM 81,920 DEFAULT.LOG2 04/21/2023 06:44 PM 3,932,160 DRIVERS 09/15/2018 03:09 PM 57,344 DRIVERS.LOG1 09/15/2018 03:09 PM 1,015,808 DRIVERS.LOG2 04/21/2023 06:44 PM 65,536 DRIVERS{1c37907b-b8ad-11e8-aa21-e41d2d101530}.TM.blf 04/21/2023 06:44 PM 524,288 DRIVERS{1c37907b-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms 04/21/2023 10:33 PM 524,288 DRIVERS{1c37907b-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms 04/21/2023 10:33 PM 32,768 ELAM 09/15/2018 03:09 PM 32,768 ELAM.LOG1 09/15/2018 03:09 PM 0 ELAM.LOG2 04/21/2023 10:33 PM 65,536 ELAM{1c379127-b8ad-11e8-aa21-e41d2d101530}.TM.blf 04/21/2023 10:33 PM 524,288 ELAM{1c379127-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000001.regtrans-ms 04/21/2023 10:33 PM 524,288 ELAM{1c379127-b8ad-11e8-aa21-e41d2d101530}.TMContainer00000000000000000002.regtrans-ms 09/15/2018 04:19 PM <DIR> Journal 04/25/2023 07:16 PM 6,952 netlogon.dnb 04/25/2023 07:16 PM 2,253 netlogon.dns 04/21/2023 10:33 PM <DIR> RegBack 04/21/2023 04:35 PM 65,536 SAM 09/15/2018 03:09 PM 65,536 SAM.LOG1 09/15/2018 03:09 PM 49,152 SAM.LOG2 04/21/2023 04:35 PM 65,536 SECURITY 09/15/2018 03:09 PM 16,384 SECURITY.LOG1 09/15/2018 03:09 PM 57,344 SECURITY.LOG2 04/21/2023 04:35 PM 110,100,480 SOFTWARE 09/15/2018 03:09 PM 13,156,352 SOFTWARE.LOG1 09/15/2018 03:09 PM 25,165,824 SOFTWARE.LOG2 04/21/2023 04:35 PM 15,990,784 SYSTEM 09/15/2018 03:09 PM 1,048,576 SYSTEM.LOG1 09/15/2018 03:09 PM 4,046,848 SYSTEM.LOG2 09/15/2018 04:19 PM <DIR> systemprofile 04/21/2023 10:33 PM <DIR> TxR 43 File(s) 237,532,149 bytes 6 Dir(s) 10,214,916,096 bytes free |
HKEY_CURRENT_USER
- A symbolic link to a key under HKEY_USERS representing a user's profile hive
- Points to the currently logged-on user’s profiles
- The following table lists user-profile subkeys and their descriptions
HKEY_USERS
- The HKEY_USERS key contains
- The user-profile hives of logged-on accounts
- The root of all user profiles on the computer
- A subkey for each loaded user profile and user class registration database on the system
- A subkey named HKU\.DEFAULT that is linked to the default workstation profile
HKEY_CLASSES_ROOT
- HKCR consists of two types of information
- File extension associations
- COM class registrations
- TrustedInstaller, SQL Server Agent
- The data under HKEY_CLASSES_ROOT comes from two sources
- The per-user class registration data in HKCU\SOFTWARE\Classes
- System wide class registration data in HKLM\SOFTWARE\Classes
Last Known Good Configuration
- Last known good is helpful when there is a change to CurrentControlSet
- Details about the Last Known Good registry configuration are as follows
Registry Hive 목록 조회
FileName Column에 이름이 없이 <NONAME>으로 되어 있는 Hive들은 Volatile Hive
아래 결과에서 중요한 두 값은 HiveAddr과 BaseBlock Addr
| 3: kd> !reg hivelist ------------------------------------------------------------------------------------------------------------------------------------------------------- | HiveAddr |Stable Length| Stable Map |Volatile Length| Volatile Map |MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName ------------------------------------------------------------------------------------------------------------------------------------------------------- | ffff900e91a0f000 | 1000 | ffff900e91a0f120 | 1000 | ffff900e91a0f398 | ffff900e91a33000 | <NONAME> | ffff900e91a47000 | ec7000 | ffff900e91a57000 | 23000 | ffff900e91a47398 | ffff900e91a56000 | SYSTEM | ffff900e91acd000 | 16000 | ffff900e91acd120 | 10000 | ffff900e91acd398 | ffff900e91aec000 | <NONAME> | ffff900e93bbf000 | 7000 | ffff900e93bbf120 | 0 | 0000000000000000 | ffff900e952fe000 | kVolume2\EFI\Microsoft\Boot\BCD | ffff900e933c5000 | 4705000 | ffff900e93502000 | 2e000 | ffff900e933c5398 | ffff900e91b26000 | emRoot\System32\Config\SOFTWARE | ffff900e95410000 | 21000 | ffff900e95410120 | 1000 | ffff900e95410398 | ffff900e95423000 | temRoot\System32\Config\DEFAULT | ffff900e95403000 | 5000 | ffff900e95403120 | 1000 | ffff900e95403398 | ffff900e95435000 | emRoot\System32\Config\SECURITY | ffff900e95406000 | a000 | ffff900e95406120 | 0 | 0000000000000000 | ffff900e95436000 | \SystemRoot\System32\Config\SAM | ffff900e95654000 | 29000 | ffff900e95654120 | 1000 | ffff900e95654398 | ffff900e9566a000 | files\NetworkService\NTUSER.DAT | ffff900e957bb000 | 6000 | ffff900e957bb120 | 0 | 0000000000000000 | ffff900e9581b000 | \SystemRoot\System32\Config\BBI | ffff900e95829000 | 2b000 | ffff900e95829120 | 0 | 0000000000000000 | ffff900e9586f000 | rofiles\LocalService\NTUSER.DAT | ffff900e96949000 | b9000 | ffff900e96949120 | 0 | 0000000000000000 | ffff900e95dff000 | \AppCompat\Programs\Amcache.hve ------------------------------------------------------------------------------------------------------------------------------------------------------- |
Base Block
Hive의 첫 번째 Block을 Base Block이라고 하며, Base Block에는 Hive의 On-Disk Structure를 설명하는 내용이 보관
Hive 주소와 Base Block 주소를 위 결과에서 획득했다면 아래 명령어로 Base Block 내용 조회 가능
| !reg baseblock <HiveAddr> <Base Block Addr> 3: kd> !reg baseblock ffff900e91a47000 ffff900e91a56000 FileName : SYSTEM Signature: HBASE_BLOCK_SIGNATURE Sequence1: 599 Sequence2: 599 TimeStamp: 0 0 Major : 1 Minor : 5 Type : HFILE_TYPE_PRIMARY Format : HBASE_FORMAT_MEMORY RootCell : 20 Length : ec7000 Cluster : 1 CheckSum : bd2c2af3 |
Bin/Block
Registry Hive 구조
Registry는 Hive 집합
Hive는 Base Block과 여러 Bin들의 집합
Block은 4K 단위로 할당
Bin에는 Bin Header(hbin)와 Cell이 위치
Cell은 Registry Key, Value 등과 같은 실제 Registry 정보를 담고 있음
Cell
Cell 유형
Cell Index 값을 이용하여, Cell 주소 확인 방법
Base Block에는 RootCell 이라는 Field가 있고, 이 Field 값은 Cell Index 값을 보관
이 Cell Index 값을 이용하여 Root Cell의 Virtual Address를 획득하는 방법
위 그림처럼 Cell의 Virtual Address를 획득하는 방법은 Paging Table에서 Virtual Address를 찾아가는 방법과 유사
| 3: kd> !reg hivelist ------------------------------------------------------------------------------------------------------------------------------------------------------- | HiveAddr |Stable Length| Stable Map |Volatile Length| Volatile Map |MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName ------------------------------------------------------------------------------------------------------------------------------------------------------- | ffffe68a9920f000 | 1000 | ffffe68a9920f120 | 1000 | ffffe68a9920f398 | ffffe68a99232000 | <NONAME> | ffffe68a99245000 | e23000 | ffffe68a99258000 | 22000 | ffffe68a99245398 | ffffe68a99257000 | SYSTEM | ffffe68a992cb000 | 16000 | ffffe68a992cb120 | 10000 | ffffe68a992cb398 | ffffe68a992e9000 | <NONAME> | ffffe68a99aa1000 | 7000 | ffffe68a99aa1120 | 0 | 0000000000000000 | ffffe68a99706000 | kVolume2\EFI\Microsoft\Boot\BCD | ffffe68a99ad5000 | 4654000 | ffffe68a99f7d000 | 8000 | ffffe68a99ad5398 | ffffe68a99cd4000 | emRoot\System32\Config\SOFTWARE | ffffe68a9cb03000 | 23000 | ffffe68a9cb03120 | 1000 | ffffe68a9cb03398 | ffffe68a9cb21000 | temRoot\System32\Config\DEFAULT | ffffe68a9cbd2000 | 5000 | ffffe68a9cbd2120 | 1000 | ffffe68a9cbd2398 | ffffe68a9cc13000 | emRoot\System32\Config\SECURITY | ffffe68a9cc59000 | b000 | ffffe68a9cc59120 | 0 | 0000000000000000 | ffffe68a9cc6e000 | \SystemRoot\System32\Config\SAM | ffffe68a9cd41000 | 28000 | ffffe68a9cd41120 | 0 | 0000000000000000 | ffffe68a9cd51000 | files\NetworkService\NTUSER.DAT | ffffe68a9ce6c000 | 5000 | ffffe68a9ce6c120 | 0 | 0000000000000000 | ffffe68a9ccdc000 | \SystemRoot\System32\Config\BBI | ffffe68a9ce77000 | 29000 | ffffe68a9ce77120 | 0 | 0000000000000000 | ffffe68a9ccde000 | rofiles\LocalService\NTUSER.DAT | ffffe68a9dcef000 | 75000 | ffffe68a9dcef120 | 0 | 0000000000000000 | ffffe68a9d083000 | \AppCompat\Programs\Amcache.hve 3: kd> dt _HBASE_BLOCK ffffe68a99257000 Rootcell nt!_HBASE_BLOCK +0x024 RootCell : 0x20 3: kd> !reg cellindex ffffe68a99245000 0x20 Map = ffffe68a99258000 Type = 0 Table = 0 Block = 0 Offset = 20 MapTable = ffffe68a9925a000 MapEntry = ffffe68a9925a000 BinAddress = ffffe68a99a08009, BlockOffset = 0000000000000000 BlockAddress = ffffe68a99a08000 pcell: ffffe68a99a08024 ### <-- Virtual Address of the cell |
Cell Signature 및 Key Node 확인
| 3: kd> db ffffe68a99a08024 l2 ffffe68a`99a08024 6e 6b nk ### <-- key node 3: kd> !reg knode ffffe68a99a08024 Signature: CM_KEY_NODE_SIGNATURE (kn) Name : ROOT ParentCell : 0x318 Security : 0x78 [cell index] Class : 0xffffffff [cell index] Flags : 0x2c MaxNameLen : 0x26 MaxClassLen : 0x0 MaxValueNameLen : 0x0 MaxValueDataLen : 0x0 LastWriteTime : 0x 1d9855c:0xb4972ad3 |
Key는 Data Block을 표현하고, Key는 두 개의 Subkey List(Stable, Volatile)를 가지고 있음
Stable key는 변경되는 내용들은 Hive에 Flush 되어 저장되는 key고 Volatile의 경우는 memory에만 유지되는 값
Subkey List의 각 Entry의 첫 번째 4Byte는 Key의 이름을 보여주고, 두 번째 4Byte는 knode 구조체를 가리키는 Cell index
| !reg subkeylist <HiveAddr> <KnodeAddr> 3: kd> !reg subkeylist ffffe68a99245000 ffffe68a99a08024 HiveAddr ffffe68a99245000, KnodeAddr ffffe68a99a08024 Dumping SubkeyList of Key <ROOT> : SubKeyCount[Stable ]: 0x11 SubKeyLists[Stable ]: 0x418 SubKeyCount[Volatile]: 0x1 SubKeyLists[Volatile]: 0x80000210 [ 17] Stable SubKeys: [Idx] [SubKeyAddr] [SubKeyName] [0] ffffe68a99a0822c ActivationBroker [1] ffffe68a99b6ea24 ControlSet001 [2] ffffe68a9c0b13fc ControlSet002 [3] ffffe68a999157a4 DriverDatabase [4] ffffe68a99b6d974 HardwareConfig [5] ffffe68a9c538f7c Input [6] ffffe68a9c539094 Keyboard Layout [7] ffffe68a9c539204 Maps [8] ffffe68a99b6dc14 MountedDevices [9] ffffe68a9c5397fc ResourceManager [10] ffffe68a9c539a54 ResourcePolicyStore [11] ffffe68a99b6dfa4 RNG [12] ffffe68a9c54eb3c Select [13] ffffe68a99b6e264 Setup [14] ffffe68a9c54ec34 Software [15] ffffe68a9c54f1dc WaaS [16] ffffe68a99b6e84c WPA [ 1] Volatile SubKeys: [Idx] [SubKeyAddr] [VolatileSubKeyName] [0] ffffe68a992e8024 CurrentControlSet Use '!reg knode <SubKeyAddr>' to dump the key |
Value List의 경우에는 각 value 값을 가리키는 Cell Index 목록
| !reg valuelist <HiveAddr> <KnodeAddr> 3: kd> !reg knode ffffe68a9c54eb3c ffffe68a9c54eb3c Signature: CM_KEY_NODE_SIGNATURE (kn) Name : Select ### <-- ParentCell : 0x20 Security : 0x23a80 [cell index] Class : 0xffffffff [cell index] Flags : 0x20 MaxNameLen : 0x0 MaxClassLen : 0x0 MaxValueNameLen : 0x1a MaxValueDataLen : 0x4 LastWriteTime : 0x 1d98595:0xa8f2732b SubKeyCount[Stable ]: 0x0 SubKeyLists[Stable ]: 0xffffffff SubKeyCount[Volatile]: 0x0 SubKeyLists[Volatile]: 0xffffffff ValueList.Count : 0x4 ValueList.List : 0x96fbb0 3: kd> !reg valuelist ffffe68a99245000 ffffe68a9c54eb3c Dumping ValueList of Key <Select> : [Idx] [ValAddr] [ValueName] [ 0] ffffe68a9c54eb94 Current [ 1] ffffe68a9c54ebcc Default [ 2] ffffe68a9c54ebec Failed [ 3] ffffe68a9c54ec0c LastKnownGood Use '!reg kvalue <ValAddr>' to dump the value |
kvalue는 registry value로 type와 data entry 포함
| !reg kvalue <Address> 3: kd> !reg kvalue ffffe68a9c54eb94 Signature: CM_KEY_VALUE_SIGNATURE (kv) Name : Current {compressed} DataLength: 80000004 Data : 1 [cell index] Type : 4 |
Registry Namespace
Application이 Registry Key를 Open 할 때, Reference 하는 Key Object에 대한 Handle을 Return
이는 Configuration Manager가 Object Namespace에 Registry Namespace를 Key Object Type으로 정의해서 가능
| 3: kd> !object \registry Object: ffffe68a992437a0 Type: (ffffaa02c5926ae0) Key ObjectHeader: ffffe68a99243770 (new version) HandleCount: 1 PointerCount: 32770 Directory Object: 00000000 Name: \REGISTRY |
Registry Namespace는 Hivelist에서 Volatile 형태로 위치
| 3: kd> !reg hivelist ------------------------------------------------------------------------------------------------------------------------------------------------------- | HiveAddr |Stable Length| Stable Map |Volatile Length| Volatile Map |MappedViews|PinnedViews|U(Cnt)| BaseBlock | FileName ------------------------------------------------------------------------------------------------------------------------------------------------------- | ffffe68a9920f000 | 1000 | ffffe68a9920f120 | 1000 | ffffe68a9920f398 | ffffe68a99232000 | <NONAME> ### <-- | ffffe68a99245000 | e23000 | ffffe68a99258000 | 22000 | ffffe68a99245398 | ffffe68a99257000 | SYSTEM | ffffe68a992cb000 | 16000 | ffffe68a992cb120 | 10000 | ffffe68a992cb398 | ffffe68a992e9000 | <NONAME> | ffffe68a99aa1000 | 7000 | ffffe68a99aa1120 | 0 | 0000000000000000 | ffffe68a99706000 | kVolume2\EFI\Microsoft\Boot\BCD | ffffe68a99ad5000 | 4654000 | ffffe68a99f7d000 | 8000 | ffffe68a99ad5398 | ffffe68a99cd4000 | emRoot\System32\Config\SOFTWARE | ffffe68a9cb03000 | 23000 | ffffe68a9cb03120 | 1000 | ffffe68a9cb03398 | ffffe68a9cb21000 | temRoot\System32\Config\DEFAULT | ffffe68a9cbd2000 | 5000 | ffffe68a9cbd2120 | 1000 | ffffe68a9cbd2398 | ffffe68a9cc13000 | emRoot\System32\Config\SECURITY | ffffe68a9cc59000 | b000 | ffffe68a9cc59120 | 0 | 0000000000000000 | ffffe68a9cc6e000 | \SystemRoot\System32\Config\SAM | ffffe68a9cd41000 | 28000 | ffffe68a9cd41120 | 0 | 0000000000000000 | ffffe68a9cd51000 | files\NetworkService\NTUSER.DAT | ffffe68a9ce6c000 | 5000 | ffffe68a9ce6c120 | 0 | 0000000000000000 | ffffe68a9ccdc000 | \SystemRoot\System32\Config\BBI | ffffe68a9ce77000 | 29000 | ffffe68a9ce77120 | 0 | 0000000000000000 | ffffe68a9ccde000 | rofiles\LocalService\NTUSER.DAT | ffffe68a9dcef000 | 75000 | ffffe68a9dcef120 | 0 | 0000000000000000 | ffffe68a9d083000 | \AppCompat\Programs\Amcache.hve ------------------------------------------------------------------------------------------------------------------------------------------------------- 3: kd> !reg cellindex ffffe68a9920f000 20 Map = ffffe68a9920f120 Type = 0 Table = 0 Block = 0 Offset = 20 MapTable = ffffe68a99240000 MapEntry = ffffe68a99240000 BinAddress = ffffe68a99254009, BlockOffset = 0000000000000000 BlockAddress = ffffe68a99254000 pcell: ffffe68a99254024 ### <-- 3: kd> !reg knode ffffe68a99254024 Signature: CM_KEY_NODE_SIGNATURE (kn) Name : REGISTRY ### <-- ParentCell : 0xffffffff Security : 0x78 [cell index] Class : 0xffffffff [cell index] Flags : 0x2c MaxNameLen : 0xe MaxClassLen : 0x0 MaxValueNameLen : 0x0 MaxValueDataLen : 0x0 LastWriteTime : 0x 1d9855c:0xb49003da |
Key Control Blocks(KCB)
Application이 Registry Key를 생성하거나 접근할 때 Return 받은 Handle은 Configuration Manager가 Object Manager와 함께 할당한 Key Object와 동일
System 프로세스는 HIVELIST라는 Key를 이용하여 현재 Load되어 있는 Hive를 관리
| 3: kd> !process 4 0 Searching for Process with Cid == 4 PROCESS ffffaa02c5878080 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 001ad000 ObjectTable: ffffe68a99203d80 HandleCount: 1520. Image: System 3: kd> !handle 0 7 ffffaa02c5878080 key Searching for handles of type key PROCESS ffffaa02c5878080 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000 DirBase: 001ad000 ObjectTable: ffffe68a99203d80 HandleCount: 1520. Image: System Kernel handle table at ffffe68a99203d80 with 1520 entries in use 0060: Object: ffffe68a992437a0 GrantedAccess: 00000000 (Protected) (Inherit) (Audit) Entry: ffffe68a99225180 Object: ffffe68a992437a0 Type: (ffffaa02c5926ae0) Key ObjectHeader: ffffe68a99243770 (new version) HandleCount: 1 PointerCount: 32770 Directory Object: 00000000 Name: \REGISTRY 0064: Object: ffffe68a992c35b0 GrantedAccess: 0002001f Entry: ffffe68a99225190 Object: ffffe68a992c35b0 Type: (ffffaa02c5926ae0) Key ObjectHeader: ffffe68a992c3580 (new version) HandleCount: 1 PointerCount: 32759 Directory Object: 00000000 Name: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\HIVELIST ### <-- |
Handle Table에 있는 Key Object의 Address는 KCB를 가리키는 것은 아니고, Key Body를 참조
| 3: kd> !reg kbody ffffe68a992c35b0 ### <-- Type : KEY_BODY_TYPE KCB : ffffe68a992f3268 ### <-- NotifyBlock : 0000000000000000 KeyBodyList : 0xffffe68a992c35d0 0xffffe68a992c35d0 3: kd> !reg kcb ffffe68a992f3268 Key : \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\HIVELIST RefCount : 0x0000000000000001 Flags : CompressedName, ExtFlags : Parent : 0xffffe68a992f3138 KeyHive : 0xffffe68a99245000 ### <-- SYSTEM HIVE KeyCell : 0x800002a8 [cell index] ### <-- TotalLevels : 6 LayerHeight : 0 MaxNameLen : 0x0 MaxValueNameLen : 0x3a MaxValueDataLen : 0x96 LastWriteTime : 0x 1d9855c:0xbb1161ac KeyBodyListHead : 0xffffe68a992f32d8 0xffffe68a992f32d8 SubKeyCount : 0 ValueCache.Count : 9 ValueCache.List : 0x0000000080020d68 Owner : 0x0000000000000000 KCBLock : 0xffffe68a992f3358 KeyLock : 0xffffe68a992f3368 3: kd> !reg cellindex 0xffffe68a99245000 0x800002a8 Map = ffffe68a99245398 Type = 1 Table = 0 Block = 0 Offset = 2a8 MapTable = ffffe68a992e3000 MapEntry = ffffe68a992e3000 BinAddress = ffffe68a992e8009, BlockOffset = 0000000000000000 BlockAddress = ffffe68a992e8000 pcell: ffffe68a992e82ac 3: kd> !reg knode ffffe68a992e82ac Signature: CM_KEY_NODE_SIGNATURE (kn) Name : hivelist ParentCell : 0x23c28 Security : 0x80000088 [cell index] Class : 0xffffffff [cell index] Flags : 0x20 MaxNameLen : 0x0 MaxClassLen : 0x0 MaxValueNameLen : 0x3a MaxValueDataLen : 0x96 LastWriteTime : 0x 1d9855c:0xbb1161ac SubKeyCount[Stable ]: 0x0 SubKeyLists[Stable ]: 0xffffffff SubKeyCount[Volatile]: 0x0 SubKeyLists[Volatile]: 0xffffffff ValueList.Count : 0x9 ValueList.List : 0x80020d68 3: kd> !reg valuelist 0xffffe68a99245000 ffffe68a992e82ac Dumping ValueList of Key <hivelist> : [Idx] [ValAddr] [ValueName] [ 0] ffffe68a992e8314 \REGISTRY\MACHINE\HARDWARE [ 1] ffffe68a999bcf8c \REGISTRY\MACHINE\BCD00000000 [ 2] ffffe68a999bcfd4 \REGISTRY\MACHINE\SYSTEM [ 3] ffffe68a999c1a04 \REGISTRY\MACHINE\SOFTWARE [ 4] ffffe68a999c1acc \REGISTRY\USER\.DEFAULT [ 5] ffffe68a999c2b2c \REGISTRY\MACHINE\SECURITY [ 6] ffffe68a999c2bfc \REGISTRY\MACHINE\SAM [ 7] ffffe68a999c2c9c \REGISTRY\USER\S-1-5-20 [ 8] ffffe68a999c2d94 \REGISTRY\USER\S-1-5-19 Use '!reg kvalue <ValAddr>' to dump the value |
Key에 대한 Open Handle을 가지고 있는 Process를 찾는 방법
| 3: kd> !reg findkcb \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\HIVELIST Found KCB = ffffe68a992f3268 :: \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\HIVELIST 3: kd> dt ffffe68a992f3268 nt!_CM_KEY_CONTROL_BLOCK +0x000 RefCount : 1 +0x004 ExtFlags : 0y0000000000000000 (0) +0x004 PrivateAlloc : 0y1 +0x004 Discarded : 0y0 +0x004 HiveUnloaded : 0y0 +0x004 Decommissioned : 0y0 +0x004 SpareExtFlag : 0y0 +0x004 TotalLevels : 0y0000000110 (0x6) +0x008 KeyHash : _CM_KEY_HASH +0x008 ConvKey : _CM_PATH_HASH +0x010 NextHash : (null) +0x018 KeyHive : 0xffffe68a`99245000 _HHIVE +0x020 KeyCell : 0x800002a8 +0x028 KcbPushlock : _EX_PUSH_LOCK +0x030 Owner : (null) +0x030 SharedCount : 0n0 +0x038 DelayedDeref : 0y0 +0x038 DelayedClose : 0y0 +0x038 Parking : 0y0 +0x039 LayerSemantics : 0 '' +0x03a LayerHeight : 0n0 +0x03c Spare1 : 0 +0x040 ParentKcb : 0xffffe68a`992f3138 _CM_KEY_CONTROL_BLOCK +0x048 NameBlock : 0xffffe68a`992278e0 _CM_NAME_CONTROL_BLOCK +0x050 CachedSecurity : 0xffffe68a`9920b2f0 _CM_KEY_SECURITY_CACHE +0x058 ValueCache : _CACHED_CHILD_LIST +0x068 IndexHint : (null) +0x068 HashKey : 0 +0x068 SubKeyCount : 0 +0x070 KeyBodyListHead : _LIST_ENTRY [ 0xffffe68a`992f32d8 - 0xffffe68a`992f32d8 ] +0x070 FreeListEntry : _LIST_ENTRY [ 0xffffe68a`992f32d8 - 0xffffe68a`992f32d8 ] +0x080 KeyBodyArray : [4] 0xffffe68a`992c35b0 _CM_KEY_BODY ### <-- +0x0a0 KcbLastWriteTime : _LARGE_INTEGER 0x01d9855c`bb1161ac +0x0a8 KcbMaxNameLen : 0 +0x0aa KcbMaxValueNameLen : 0x3a +0x0ac KcbMaxValueDataLen : 0x96 +0x0b0 KcbUserFlags : 0y0000 +0x0b0 KcbVirtControlFlags : 0y0000 +0x0b0 KcbDebug : 0y00000000 (0) +0x0b0 Flags : 0y0000000000100000 (0x20) +0x0b4 Spare3 : 0 +0x0b8 LayerInfo : (null) +0x0c0 RealKeyName : (null) +0x0c8 KCBUoWListHead : _LIST_ENTRY [ 0xffffe68a`992f3330 - 0xffffe68a`992f3330 ] +0x0d8 DelayQueueEntry : _LIST_ENTRY [ 0xffffe68a`992f3340 - 0xffffe68a`992f3340 ] +0x0d8 Stolen : 0xffffe68a`992f3340 "@3/???" +0x0e8 TransKCBOwner : (null) +0x0f0 KCBLock : _CM_INTENT_LOCK +0x100 KeyLock : _CM_INTENT_LOCK +0x110 TransValueCache : _CHILD_LIST +0x118 TransValueListOwner : (null) +0x120 FullKCBName : (null) +0x120 FullKCBNameStale : 0y0 +0x120 Reserved : 0y000000000000000000000000000000000000000000000000000000000000000 (0) +0x128 SequenceNumber : 0xa 3: kd> dt 0xffffe68a`992c35b0 _CM_KEY_BODY nt!_CM_KEY_BODY +0x000 Type : 0x6b793032 +0x008 KeyControlBlock : 0xffffe68a`992f3268 _CM_KEY_CONTROL_BLOCK +0x010 NotifyBlock : (null) +0x018 ProcessID : 0x00000000`00000004 Void ### <-- +0x020 KeyBodyList : _LIST_ENTRY [ 0xffffe68a`992c35d0 - 0xffffe68a`992c35d0 ] +0x030 Flags : 0y0000000000000000 (0) +0x030 HandleTags : 0y0000000000000000 (0) +0x038 Trans : _CM_TRANS_PTR +0x040 KtmUow : (null) +0x048 ContextListHead : _LIST_ENTRY [ 0xffffe68a`992c35f8 - 0xffffe68a`992c35f8 ] +0x058 EnumerationResumeContext : (null) |
[참고 자료]
Registry 구조 by 해커남
https://m.blog.naver.com/ifkiller/70157957567
https://bsodtutorials.wordpress.com/2014/02/14/exploring-the-windows-registry-part-1/
https://bsodtutorials.wordpress.com/2014/02/21/exploring-the-windows-registry-part-2/
https://bsodtutorials.wordpress.com/2014/02/27/exploring-the-windows-registry-part-3/
https://bsodtutorials.wordpress.com/2020/07/19/debugging-stop-0x51-finding-the-hive-address/