<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Registry Kernel &#8211; swigger&#039;s BLOG</title>
	<atom:link href="https://www.swigger.net/tag/%E6%B3%A8%E5%86%8C%E8%A1%A8-%E5%86%85%E6%A0%B8/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.swigger.net</link>
	<description>Laugh not if I lie drunk on the battlefield; since ancient times, how many have returned from war?</description>
	<lastBuildDate>Tue, 15 Apr 2008 15:22:07 +0000</lastBuildDate>
	<language>zh-Hans</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>
	<item>
		<title>Windows registry initialization</title>
		<link>https://www.swigger.net/2008/04/15/windows-%e6%b3%a8%e5%86%8c%e8%a1%a8%e7%9a%84%e5%88%9d%e5%a7%8b%e5%8c%96/</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 15 Apr 2008 15:19:05 +0000</pubDate>
				<category><![CDATA[Development]]></category>
		<category><![CDATA[Registry Kernel]]></category>
		<guid isPermaLink="false">http://www.swigger.net/?p=26</guid>

					<description><![CDATA[Looking through the WRK code, I found a function that calls ZwCreateFile to open the registry files, &#8230; <a href="https://www.swigger.net/2008/04/15/windows-%e6%b3%a8%e5%86%8c%e8%a1%a8%e7%9a%84%e5%88%9d%e5%a7%8b%e5%8c%96/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
										<content:encoded><![CDATA[<p>Looking through the WRK code, I found a function that calls ZwCreateFile to open the registry files: that function is CmpOpenHiveFiles.</p>
<p>This function opens two registry files: the master is the one without a file extension, the secondary is the one with an extension.</p>
<p>system32\config\system and software are loaded this way.</p>
<p>To trace the lookup process, I first searched for SAM, since that string is uncommon, and a grep turned up a configuration table:</p>
<p>[code lang="c"]</p>
<p>HIVE_LIST_ENTRY CmpMachineHiveList[] = {<br />
    { L"HARDWARE", L"MACHINE\\", NULL, HIVE_VOLATILE    , 0                         ,   NULL,   FALSE,  FALSE,  FALSE},<br />
    { L"SECURITY", L"MACHINE\\", NULL, 0                , 0                         ,   NULL,   FALSE,  FALSE,  FALSE},<br />
    { L"SOFTWARE", L"MACHINE\\", NULL, 0                , 0                         ,   NULL,   FALSE,  FALSE,  FALSE},<br />
    { L"SYSTEM",   L"MACHINE\\", NULL, 0                , 0                         ,   NULL,   FALSE,  FALSE,  FALSE},<br />
    { L"DEFAULT",  L"USER\\.DEFAULT", NULL, 0           , CM_CMHIVE_FLAG_UNTRUSTED  ,   NULL,   FALSE,  FALSE,  FALSE},<br />
    { L"SAM",      L"MACHINE\\", NULL, HIVE_NOLAZYFLUSH , 0                         ,   NULL,   FALSE,  FALSE,  FALSE},<br />
    { NULL,        NULL,         0, 0                   , 0                         ,   NULL,   FALSE,  FALSE,  FALSE}<br />
    };</p>
<p>[/code]</p>
<p>The registry should be initialized from here.</p>
<p>Next, find the references:</p>
<p>[code lang="c"]</p>
<p>    for (i = 0; i &lt; CM_NUMBER_OF_MACHINE_HIVES; i++) {<br />
        ASSERT( CmpMachineHiveList[i].Name != NULL );<br />
        //  <br />
        // just spawn the Threads to load the hives in parallel<br />
        //  <br />
        Status = PsCreateSystemThread(<br />
            &amp;Thread,<br />
            THREAD_ALL_ACCESS,<br />
            NULL,<br />
            0,  <br />
            NULL,<br />
            CmpLoadHiveThread,<br />
            (PVOID)(ULONG_PTR)(ULONG)i<br />
            );  </p>
<p>        if (NT_SUCCESS(Status)) {<br />
            ZwClose(Thread);<br />
        } else {<br />
            //  <br />
            // cannot spawn thread; Fatal error<br />
            //  <br />
            CM_BUGCHECK(BAD_SYSTEM_CONFIG_INFO,BAD_HIVE_LIST,3,i,Status);<br />
        }   <br />
    }   </p>
<p>[/code]</p>
<p>Here a thread is created for each hive; stepping into the CmpLoadHiveThread function:</p>
<p>[code lang="c"]</p>
<p>// &lt;sysroot&gt;\config\hive<br />
    if (CmpMachineHiveList[i].CmHive == NULL) {</p>
<p>        //<br />
        // Hive has not been initialized in any way.<br />
        //</p>
<p>        CmpMachineHiveList[i].Allocate = TRUE;<br />
        Status = CmpInitHiveFromFile(&amp;FileName,<br />
                                     CmpMachineHiveList[i].HHiveFlags,<br />
                                     &amp;CmHive,<br />
                                     &amp;(CmpMachineHiveList[i].Allocate),<br />
                                     CM_CHECK_REGISTRY_CHECK_CLEAN<br />
                                     );</p>
<p>        if ( (!NT_SUCCESS(Status)) ||<br />
             (!CmpShareSystemHives &amp;&amp; (CmHive-&gt;FileHandles[HFILE_TYPE_LOG] == NULL)) )<br />
        {<br />
            ErrorParameters = &amp;FileName;<br />
            ExRaiseHardError(<br />
                STATUS_CANNOT_LOAD_REGISTRY_FILE,<br />
                1,<br />
                1,<br />
                (PULONG_PTR)&amp;ErrorParameters,<br />
                OptionOk,<br />
                &amp;ErrorResponse<br />
                );</p>
<p>        }</p>
<p> [/code]</p>
<p>CmpInitHiveFromFile calls CmpOpenHiveFiles, which in turn calls ZwCreateFile to open the corresponding registry file.</p>
<p>If you want to protect the registry, handling it before the threads are created should be enough. This is still just a guess; I'll try it out some day when I have nothing better to do.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
