Analysis of OpenRegistryKey
//----- (100EAC60)--------------------------------------------------------
// Tearoff entry point for IRtlSystemIsolationLayer::OpenRegistryKey (decompiled, 100EAC60).
// Validates the caller-supplied flags, the CKey output pointer and the key name, then forwards
// to CSystemIsolationLayer::OpenRegistryKey on the containing object and returns its NTSTATUS.
// Locals vNN are decompiler-generated and are not declared in this listing; v19..v23 appear to be
// the CEnterExitTracer frame whose destructor is invoked on both exits.
int __fastcallCSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenRegistryKey(
int a1,
struct_RTL_TRACING_FACILITY *a2, // tracing facility; not referenced in this listing
int a3, // flags; only bits 0x1|0x2 may be set (checked against 0xFFFFFFFC below)
int a4, // ACCESS_MASK, passed through to the direct registry provider's SysOpenKey
int a5, // key name in the internal string format (Length at +0, Buffer at +8); an NT registry path
CKey **a6, // out: opened key (must be non-null)
_DWORD *a7) // out: open-result code (optional; zeroed on entry)
{
v14 =a1;
v9 =a5;
v7 =a6;
v8 =a7;
v19 =-1073741595; // 0xC00000E5 = STATUS_INTERNAL_ERROR: default status until a real one is set
v21 =1;
v22 =0;
v23 =0;
// Zero the optional result output before any early exit.
if ( v8 )
*v8=0;
if ( a3 &0xFFFFFFFC) // flags outside bits 0x1|0x2 are rejected
{
// NOTE(review): body dropped by the decompiler; presumably an assertion/failure exit. Confirm in the disassembly.
}
// The CKey output pointer must not be null.
if (!v7)
{
// NOTE(review): body dropped by the decompiler; presumably an assertion/failure exit. Confirm in the disassembly.
}
// Key name must be non-empty and absolute (first WCHAR == L'\\', i.e. 92), per the assertion text below.
if (*(_DWORD*)v9<= 0u ||**(_WORD**)(v9+8) !=92 )
{
// The assertion string shows the buffer is an NT registry path in the internal string format.
// (During analysis it was first taken for an NtFilePath, which was a detour.)
v10 =1789; // source line recorded for the assertion
v11 ="(KeyName.Length > 0) &&(KeyName.Buffer[0] == L'\\\\')";
goto LABEL_15; // LABEL_15 is not present in this listing
}
// Forward to the containing CSystemIsolationLayer; *(a1 - 4) looks like the tearoff's
// back-pointer to its owner. Confirm against the object layout.
v12 = CSystemIsolationLayer::OpenRegistryKey(
*(_DWORD**)(v14- 4),
a3,
a4,
v9,
v7,
v8);
if (v12 >=0)
{
// Success: record STATUS_SUCCESS in the tracer frame and return 0.
v23 =1;
v19 =0;
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::
~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v20,
v9);
return 0;
}
// Failure: carry the inner NTSTATUS through the tracer frame and return it unchanged.
v19 =v12;
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::
~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v20,
v9);
return v19;
}
//----- (100FBD8C)--------------------------------------------------------
// CSystemIsolationLayer::OpenRegistryKey (decompiled, 100FBD8C).
// Builds an OBJECT_ATTRIBUTES for the caller's key name, opens the key through the provider
// stored in this[5] (vtable slot +36, SysOpenKey) and, unless the provider reports result 2,
// wraps the result in a CKey instance via CreateKeySource. Locals vNN are decompiler-generated
// and undeclared here; v22..v29 are laid out as the CreateKeySource, v33/v34 as the CSilHandle
// handed to the provider, and v16..v21 as the OBJECT_ATTRIBUTES.
int __thiscall CSystemIsolationLayer::OpenRegistryKey(
_DWORD *this,
char a2, // flags: bit 0x1 -> provider flag 1, bit 0x2 -> provider flag 4 (via 2*(a2&2))
int a3, // ACCESS_MASK
int a4, // key name in the internal string format (three DWORDs copied into the CreateKeySource)
CKey **a5, // out: created CKey
_DWORD *a6) // out: 0 on entry, 1 = CKey instance created, 2 = provider result 2 (no instance)
{
v6 =this;
v7 =0;
v15 =this;
if (a6 )
*a6=0;
v26 =-1; // sits right after the CreateKeySource providers; presumably an "invalid handle" sentinel. Confirm.
v33 =0;
v34 =0;
v22 =0;
v23 =0;
v24 =0;
v25 =0;
// NOTE(review): the status returned here is overwritten by the call below without being tested;
// the decompiler may have elided a check. Confirm in the disassembly.
v8 =RtlInitUnicodeStringFromLUnicodeStringSafely(a4,(int)&v31);
v9 =v6[7];
// Initialize the OBJECT_ATTRIBUTES block (v16..v21).
v16 =24; // Length: six DWORD fields = 24 bytes on 32-bit
v17 =0; // RootDirectory
v18 =&v31; // ObjectName (the UNICODE_STRING built above)
v19 =64; // Attributes: 0x40 = OBJ_CASE_INSENSITIVE
v20 =0; // SecurityDescriptor
v21 =0; // SecurityQualityOfService
// Virtual call on this[7] (slot +12) that yields v30, later passed as the transaction.
// The original analysis guessed SetCurrentTransaction; unconfirmed.
v10 = *(int (__thiscall**)(int,int*))(*(_DWORD*)v9+ 12);
v8 =v10(v9,&v30);
if (a2 &1)
v7 =1;
v11 =v30;
v12 =v15[5];
v13 =*(_DWORD*)v12;
// Provider SysOpenKey (vtable slot +36 on this[5]).
v8 =(*(int(__thiscall**)(int,signed int,int *,int,int *, int,int,int *))(v13+ 36))(
v12,
v7, // flag (1 when caller bit 0x1 is set)
&v33, // CSilHandle: receives provider interface and key handle
a3, // ACCESS_MASK
&v16, // OBJECT_ATTRIBUTES
2*(a2&2), // maps caller flag 0x2 to provider flag 0x4
v11, // transaction (from the slot +12 call above)
&v32); // out: provider result; 2 means "do not create a CKey instance"
if (v8 <0)
goto LABEL_12;
v26 =v34;
// CSystemIsolationLayer keeps four providers in this[4..7];
// the seven fields starting at v22 (v22..v29) form the CreateKeySource passed to CreateInstance.
v22 =v15[4];
v23 =v15[5];
v24 =v15[6];
v25 =v15[7];
v27 =*(_DWORD*)a4;
v28 =*(_DWORD*)(a4+4);
v29 =*(_DWORD*)(a4+8);
if (v32 !=2)
{
v8 =CRtlRefCountedObjectBase<CKey,IRtlKey,IRtlSystemObject,IRtlSystemContainer,Detail::CRtlRefCountedObjectBaseNoInterface>::CreateInstance<CreateKeySource,IRtlKey>(
(structCreateKeySource*)&v22,
a5);
if (v8 >=0)
{
if (a6 )
*a6=1;
goto LABEL_15;
}
LABEL_12:
// Failure (provider open or CreateInstance): release the local CSilHandle and propagate the NTSTATUS.
CSilHandle::Close((CSilHandle *)&v33);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v33);
return v8;
}
if (a6 )
*a6=2;
LABEL_15:
// Success, or provider result 2: the local CSilHandle is closed in both cases. The CKey received
// a copy of v34 through v26; whether CreateInstance duplicates it is not visible here.
CSilHandle::Close((CSilHandle *)&v33);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v33);
return 0;
}
//----- (100EE490)--------------------------------------------------------
// DirectRegistryProvider::SysOpenKey (decompiled, 100EE490).
// Opens a registry key through one of the open callbacks stored in the provider (this+8, +16,
// +20) or NtOpenKey, optionally via OpenExistingKeyWithBackupRestore (a7 bit 4), retrying while
// the status is STATUS_INSUFFICIENT_RESOURCES. On success the new key handle and provider
// interface are swapped into the caller's CSilHandle (a4) and the old contents are closed.
// a3 bits 1 and 2 turn "not found" and "access denied" into tolerated results reported via *a9.
// Locals vNN are decompiler-generated and undeclared here; v33 packs two loop flags in its
// high bytes (BYTE2: a delay happened, BYTE3: keep retrying); v38/KeyHandle appear to be laid
// out as a CSilHandle (see the &v38 casts); v44..v49 look like the tracer frame.
int __fastcall DirectRegistryProvider::SysOpenKey(
DirectRegistryProvider *this,
struct_RTL_TRACING_FACILITY *a2, // tracing facility; not referenced in this listing
unsigned __int32 a3, // flags: bit 1 -> tolerate name/path-not-found (*a9 = 2), bit 2 -> tolerate access-denied (*a9 = 3)
structCSilHandle *a4, // in/out: on success receives the provider interface (+0) and key handle (+4); old contents are closed
ACCESS_MASK DesiredAccess, // confirms where the ACCESS_MASK seen in the callers comes from; adjusted in place by TransformKeyPermissions
struct_OBJECT_ATTRIBUTES *a6,
unsigned __int32 a7, // flags for the open callbacks; bit 4 selects the backup/restore path and is cleared for the nested call
void *a8, // opaque extra argument for the 5-arg callback at this+20 (or the callback at this+8); meaning not visible here
unsigned __int32 *a9) // out: 0 on entry, 1 = opened, 2/3 = tolerated not-found/access-denied
{
v44 =-1073741595; // 0xC00000E5 = STATUS_INTERNAL_ERROR: default status until a real one is set
v9 =this;
v10 =a4;
ObjectAttributes = a6;
v35 =a8;
v42 =a9;
v38 =0;
KeyHandle =0;
v48 =0;
v49 =0;
v47 =1;
// Zero the optional result output before any early exit.
if ( v42 )
*v42=0;
v43 =0;
v45 =(unsigned __int32)v9; // this (DirectRegistryProvider)
// Obtain an IRtlRegistryProvider interface on this into v43; the decompiler's function-pointer
// cast here is garbled, and the returned status is not visibly checked. Confirm.
v11 =((int(__thiscall*)(constchar**, unsigned __int32*))AutoInterface<IRtlRegistryProvider*,Auto<IRtlRegistryProvider*>>
::CreateInterfaceFrom<CQueuedRegistryProvider*>)(
&v43,
&v45);
v37 = a7&4;
if (a7 &4)
{
// Backup/restore requested: first try a plain open through vtable slot +36 (the same slot
// CSystemIsolationLayer used for SysOpenKey, so presumably a nested SysOpenKey) with bit 4
// cleared and a3 bit 2 set; use it unless the tolerated result is "access denied" (3).
v45 =0;
v12 =*(_DWORD*)v9;
v13 =a7 &0xFFFFFFFB;
v14 =DesiredAccess;
v15 =a3 |2;
// presumed DirectRegistryProvider::SysOpenKey (virtual, slot +36)
if ( (*(int(__thiscall**)(DirectRegistryProvider*, unsigned __int32,struct CSilHandle*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32, void *, unsigned__int32 *))(v12+ 36))(
v9,
v15,
v10,
v14,
ObjectAttributes,
v13,
v35,
&v45)>= 0
&&v45 !=3)
{
if (v42 )
*v42= v45;
v49 =1;
v44 =0;
goto LABEL_12; // LABEL_12 is not present in this listing
}
}
// Rewrites DesiredAccess in place before it reaches the kernel.
v11 =`anonymous namespace'::TransformKeyPermissions(&DesiredAccess);
if (v11 <0)
{ } // NOTE(review): body dropped by the decompiler; confirm the failure exit, since continuing with an untransformed mask is the risk here.
v36 =0; // delay state for DelayForInsufficientResources
HIWORD(v33)= 256; // BYTE2(v33) = 0 (no delay yet), BYTE3(v33) = 1 (keep retrying)
do
{
// Select the open routine: callback at this+16 (4 args) when a8 is null ...
v16 =(int(__stdcall*)(HANDLE*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32))*((_DWORD*)v9+ 4);
if (v16 &&!v35 )
{
v32 =a7;
LABEL_36:
v25 =ObjectAttributes;
v26 =DesiredAccess;
// presumed NtOpenKeyEx per the original analysis; unconfirmed
v22 = v16(&KeyHandle, v26, v25, v32);
goto LABEL_37;
}
// ... callback at this+20 (5 args, takes a8) when a8 is non-null ...
v17 =(int(__stdcall*)(HANDLE*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32, void *))*((_DWORD*)v9+ 5);
if (v17 && v35)
{
v18 =v35;
v19 =a7;
v20 =ObjectAttributes;
v21 =DesiredAccess;
v22 =v17(&KeyHandle,v21, v20, v19, v18);
goto LABEL_37;
}
if (!v37)
{
// ... no backup/restore: callback at this+8 (with a8 as the 4th argument) or plain NtOpenKey.
if (v35 )
{
v16 =(int(__stdcall*)(HANDLE*, ACCESS_MASK, POBJECT_ATTRIBUTES,unsigned__int32))*((_DWORD*)v9+ 2);
if ( !v16)
{
v31 =5313; // source line recorded for error origination
v44 =-1073740759; // 0xC0000429 (likely STATUS_NOT_CAPABLE): no suitable open callback
goto LABEL_60;
}
v32 =(unsigned __int32)v35;
goto LABEL_36;
}
v22 =NtOpenKey(&KeyHandle,DesiredAccess, ObjectAttributes);
LABEL_37:
v23 =(DirectRegistryProvider*)v22;
goto LABEL_38;
}
// Backup/restore path; v45 receives a sub-result that is mapped to an NTSTATUS below.
v45 =0;
v23 =DirectRegistryProvider::OpenExistingKeyWithBackupRestore(
v9,
DesiredAccess,
ObjectAttributes,
v35,
(structCSilHandle *)&v38,
&v45);
if (v45 ==4)
{
v23 =(DirectRegistryProvider*)-1073741670; // 0xC000009A STATUS_INSUFFICIENT_RESOURCES -> retry
goto LABEL_39;
}
if (v45 ==8)
{
v23 =(DirectRegistryProvider*)-1073741772; // 0xC0000034 STATUS_OBJECT_NAME_NOT_FOUND
LABEL_26:
v24 =BYTE2(v33);
continue;
}
if (v45 ==16)
v23 =(DirectRegistryProvider*)-1073741790; // 0xC0000022 STATUS_ACCESS_DENIED
LABEL_38:
// Anything but STATUS_INSUFFICIENT_RESOURCES ends the loop (BYTE3 is left as-is, the while test fails on v23).
if (v23 !=(DirectRegistryProvider*)-1073741670)
goto LABEL_26;
LABEL_39:
// Back off; the helper updates BYTE3(v33) to decide whether another attempt is allowed.
v11 =DelayForInsufficientResources(&v36,(_BYTE*)&v33+3);
if (v11 <0)
goto LABEL_41; // LABEL_41 is not present in this listing
v24 =1;
BYTE2(v33)= 1;
}
while (BYTE3(v33)&& v23 ==(DirectRegistryProvider*)-1073741670);
if ((signed int)v23>=0)
{
// Success. Trace if at least one delay happened on the way.
if (v24 )
RtlTrace(
0,
(unsigned__int32)&Facility_SIL,
(struct_RTL_TRACING_FACILITY*)&"Transient insufficient resources at NtOpenKey for{oa}",
(constchar *const )1,
(unsigned__int32)"oa",
RtlTraceFormat_PCOBJECT_ATTRIBUTES,
ObjectAttributes);
// Move the provider interface from v43 into v38 (closing whatever v38 held).
v27 =v43;
v43 =0;
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v38);
v38 =v27;
if (v42 )
{
*v42=1;
v27 =v38;
}
// Swap the new key handle into a4+4 and the new interface into a4+0; the caller's old
// handle/interface land in KeyHandle/v38 and are closed at LABEL_57.
v28 =(void*)*((_DWORD*)v10+ 1);
*((_DWORD*)v10+ 1) = KeyHandle;
KeyHandle =v28;
v29 =*(constchar**)v10;
*(_DWORD*)v10=v27;
v38 =v29;
LABEL_57:
// Success exit (also used for tolerated failures): release locals and return STATUS_SUCCESS.
v49 =1;
v44 =0;
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v43);
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v46,
(int)v10);
CSilHandle::Close((CSilHandle *)&v38);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v38);
return 0;
}
// Tolerated failures: not-found (0xC0000034 / 0xC000003A) with a3 bit 1 -> *a9 = 2.
if ((v23==(DirectRegistryProvider*)-1073741772
||v23 ==(DirectRegistryProvider*)-1073741766)
&&a3 &1)
{
if (v42 )
*v42=2;
goto LABEL_57;
}
// Access denied (0xC0000022) with a3 bit 2 -> *a9 = 3.
if (v23 ==(DirectRegistryProvider*)-1073741790&& a3 &2)
{
if (v42 )
*v42=3;
goto LABEL_57;
}
v31 =5349; // source line recorded for error origination
v44 =(int)v23;
LABEL_60:
// Error exit: release locals, then report the origination (file, function, line) and return the NTSTATUS.
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v43);
CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>::~CEnterExitTracer<CSimpleNtStatusCarryingFrame,5>(
(int)&v46,
v31);
CSilHandle::Close((CSilHandle *)&v38);
AutoPointerBase<Cdf::IRtlCdfStringTableEnumerator*,Auto<Cdf::IRtlCdfStringTableEnumerator*>>::Close(&v38);
// The stack slots v38/KeyHandle are reused here as the error-origination record (file, function, line, 0).
v38 ="base\\wcp\\sil\\merged\\ntu\\ntsystem.cpp";
KeyHandle ="DirectRegistryProvider::SysOpenKey";
v40 =v31;
v41 =0;
CBaseFrame<CVoidRaiseFrame>::ReportErrorOrigination(
&v44,
(int)&v38);
return v44;
}