节省时间,我不把文章贴出来了,在二楼把代码贴出来,文件都在压缩包中:

运行结果:

- 标 题:Windows XP注册表文件格式简单分析
- 作 者:billh
- 时 间:2008-10-09 19:32:57
- 链 接:http://bbs.pediy.com/showthread.php?t=74337
节省时间,我不把文章贴出来了,在二楼把代码贴出来,文件都在压缩包中:

运行结果:

#include <windows.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* ASCII signatures found in a hive, as the little-endian integers they
 * become when the bytes are read as a ULONG/USHORT (hence the reversed
 * spelling in the comments). */
#define REGF 0x66676572 // "regf" base-block signature at file offset 0 (reads as "fger")
#define HBIN 0x6e696268 // "hbin" bin signature; this parser expects it at file offset 0x1000 (reads as "nibh")
#define CM_KEY_FAST_LEAF 0x666c // "lf" subkey index leaf
#define CM_KEY_HASH_LEAF 0x686c // "lh" subkey index leaf
// Data structure definitions: on-disk cell layouts as this parser reads them
/* Value-list header embedded in a key node: Count value-cell offsets are
 * stored in the cell at hbin-relative offset List. List is 0xFFFFFFFF when
 * the key has no value list (see the check in TypeSubKeyName). */
typedef struct _CHILD_LIST
{
ULONG Count; /* number of ULONG value-cell offsets in the list cell; untrusted, clamp before looping */
ULONG List;  /* hbin-relative cell offset of the offset array, or 0xFFFFFFFF */
}CHILD_LIST;
/* Key node cell as this parser reads it. All offsets are relative to the
 * hbin area (file offset 0x1000) and address a cell's 4-byte size header,
 * which the code skips with +0x4 before casting to this struct. Only the
 * fields commented as read are interpreted; the Reserve_* runs are padding
 * from the parser's point of view. The struct is 77 bytes of declared
 * fields, so Name sits at offset 0x4C. */
typedef struct _CM_KEY_NODE
{
USHORT Signature;      /* cell signature; not checked anywhere in this file */
CHAR Reserve_1[18];    /* not interpreted */
ULONG SubKeyCounts[2]; /* not read; SubKeyLists[0] is followed whatever the count says */
ULONG SubKeyLists[2];  /* [0]: cell offset of the subkey index, 0xFFFFFFFF if none; [1] unused here */
CHILD_LIST ValueList;  /* count + cell offset of this key's value-offset array */
CHAR Reserve_2[28];    /* not interpreted */
USHORT NameLength;     /* byte length of Name; comes from the file, so callers must clamp it before copying into a fixed buffer */
SHORT ClassName;       /* not read here */
CHAR Name;             /* first byte of the variable-length name that continues past the struct */
} CM_KEY_NODE,*PCM_KEY_NODE;
/* Subkey index cell: Count entries follow the 4-byte header. For "lf"/"lh"
 * leaves the walker reads List[i*2], i.e. each entry is 8 bytes (the key
 * cell offset followed by a second ULONG the walk does not need).
 * List[1] is the pre-C99 trailing-array idiom: the array really extends to
 * the end of the cell and is indexed past its declared size. */
typedef struct _CM_KEY_INDEX
{
USHORT Signature; /* CM_KEY_FAST_LEAF ("lf") or CM_KEY_HASH_LEAF ("lh") */
USHORT Count;     /* number of entries; untrusted */
ULONG List[1];    /* first entry; see note above */
} CM_KEY_INDEX, *PCM_KEY_INDEX;
/* Value cell as read by TypeValue. */
typedef struct _CM_KEY_VALUE
{
USHORT Signature; /* cell signature; not checked by this parser */
SHORT NameLength; /* byte length of Name; signed, so negatives must be rejected before use as a count */
ULONG DataLength; /* bit 31 set: data is stored inline in Data and the low 31 bits give its length;
                     bit 31 clear: Data is the hbin-relative cell offset of the data and DataLength its size */
ULONG Data;       /* inline data bytes (at most the 4 bytes of this field) or a cell offset */
ULONG Type;       /* REG_* type; REG_DWORD is always printed straight from Data */
CHAR Reserve_1[4]; /* not interpreted */
CHAR Name;        /* first byte of the variable-length name that continues past the struct */
}CM_KEY_VALUE,*PCM_KEY_VALUE;
/* Entry point of the walk: checks the REGF signature at FileMemAddr and the
 * HBIN signature at +0x1000, then descends from the root key.
 * ("Tpye" is a typo in the original name, kept because it is the interface.) */
VOID TpyeKeyAndValue(PVOID FileMemAddr);
/* Walks one subkey index cell. Bin is the hbin area (file + 0x1000) that all
 * cell offsets in the file are relative to. */
VOID TypeSubKey(PCHAR Bin,PCM_KEY_INDEX KeyIndex);
/* Prints one key's name and values, then recurses into its subkey index. */
VOID TypeSubKeyName(PCHAR Bin,PCM_KEY_NODE KeyNode);
/* Prints one value's name, type and data (inline or from a data cell). */
VOID TypeValue(PCHAR Bin,PCM_KEY_VALUE value);
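/* Program entry: maps the hive named on the command line (a fixed path in
 * _DEBUG builds) read-only and hands the view to TpyeKeyAndValue.
 * Returns 0 on success and 1 on any setup failure. The file size is checked
 * before mapping so an empty or truncated file is rejected here instead of
 * being handed to the parser, and the view is unmapped before exit. */
int main(int argc,char *argv[])
{
    HANDLE hFile;
    HANDLE hFileMap;
    DWORD FileSize;
    PVOID FileMem;
#ifndef _DEBUG
    if(argc!=2)
    {
        printf("*************************\n");
        printf("Useage:\nHivePase FileName\n");
        printf("*************************\n");
        system("pause");
        return 1;
    }
    /* FILE_SHARE_READ lets another reader keep the file open. No overlapped
     * I/O is ever issued, so FILE_FLAG_OVERLAPPED (the original flag) was
     * only misleading. */
    hFile=CreateFile(argv[1],GENERIC_READ,FILE_SHARE_READ,NULL,
        OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
#else
    hFile=CreateFile("c:\\test_root.dat",GENERIC_READ,FILE_SHARE_READ,NULL,
        OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
#endif
    if(hFile==INVALID_HANDLE_VALUE)
    {
        printf("Error:File doesn's Exist!\n");
        system("pause");
        return 1;
    }
    /* GetFileSize returns INVALID_FILE_SIZE on failure (or when the size does
     * not fit a DWORD, which no hive does). The parser reads the 0x1000-byte
     * base block and an hbin header right after it, so anything shorter is
     * rejected up front; a zero-length file could not be mapped anyway. */
    FileSize=GetFileSize(hFile,NULL);
    if(FileSize==INVALID_FILE_SIZE || FileSize<0x1000+0x20)
    {
        printf("Error:File too small to be a hive (or size unavailable)!\n");
        CloseHandle(hFile);
        system("pause");
        return 1;
    }
    hFileMap=CreateFileMapping(hFile,NULL,PAGE_READONLY | SEC_COMMIT,0,FileSize,NULL);
    if(hFileMap==NULL)
    {
        printf("CreateFileMapping Error!\n");
        CloseHandle(hFile);
        system("pause");
        return 1;
    }
    /* The section object keeps the file alive; the file handle is not needed any more. */
    CloseHandle(hFile);
    FileMem=MapViewOfFile(hFileMap,FILE_MAP_READ,0,0,0);
    if(FileMem==NULL)
    {
        printf("MapViewOfFile Error!\n");
        CloseHandle(hFileMap);
        system("pause");
        return 1;
    }
    /* Likewise the view keeps the section alive. */
    CloseHandle(hFileMap);
    TpyeKeyAndValue(FileMem);
    UnmapViewOfFile(FileMem);
    printf("\nSuccess!\n");
    system("pause");
    return 0;
}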
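/* ---------------------------------------------------------------------------
 * Bounded hive walker.
 *
 * The four VOID Type* functions keep their original signatures so main() and
 * the prototypes above still work, but every cell access now goes through
 * HiveCell(), which validates an hbin-relative offset against the readable
 * size of the mapped view before anything is dereferenced. The view length
 * is not part of the public interface, so it is recovered from the mapping
 * itself with VirtualQuery.
 *
 * A hive is untrusted input. The original code let a crafted file
 *   - point cells outside the mapping (out-of-bounds reads),
 *   - declare a NameLength larger than the 256-byte stack buffers it
 *     strncpy'd into (stack buffer overflow), and
 *   - form a cycle in its subkey lists (unbounded recursion),
 * and kept parsing after a failed signature check. All of that is closed
 * here. Output bytes taken from the file are escaped so they cannot carry
 * terminal control sequences.
 * ------------------------------------------------------------------------- */

enum {
    HIVE_SIG_INDEX_LEAF  = 0x696c, /* "li": 4-byte entries, each a key cell offset */
    HIVE_SIG_ROOT_INDEX  = 0x6972, /* "ri": 4-byte entries, each the offset of another index cell */
    HIVE_SIG_KEY_NODE    = 0x6b6e, /* "nk" */
    HIVE_SIG_KEY_VALUE   = 0x6b76, /* "vk" */
    HIVE_BASE_BLOCK_SIZE = 0x1000, /* REGF base block; the hbin area starts right after it */
    HIVE_ROOT_CELL_FIELD = 0x24,   /* base-block field holding the root key's cell offset */
    HIVE_BIN_HEADER_SIZE = 0x20,   /* hbin header; the first cell follows it */
    HIVE_CELL_HEADER     = 4,      /* every cell starts with a signed 32-bit size */
    /* Recursion cap for the key/index walk. Windows documents a 512-level
     * key depth; this is well above that even counting the index cells
     * between keys, and it turns a cyclic subkey list into a finite walk. */
    HIVE_MAX_DEPTH       = 2048
};
#define HIVE_NO_CELL 0xFFFFFFFFUL /* "no cell" sentinel used by SubKeyLists / ValueList.List */

static void HiveWalkIndex(const char *Bin, size_t Limit, ULONG IndexOffset, unsigned Depth);
static void HiveWalkKey(const char *Bin, size_t Limit, ULONG KeyOffset,
                        const char *Label, unsigned Depth);
static void HivePrintValue(const char *Bin, size_t Limit, ULONG ValueOffset);

/* Number of bytes readable from Base to the end of the committed region it
 * lies in, or 0 if Base is not inside committed memory. The mapping length
 * never reached these functions, so it is recovered from the view itself.
 * NOTE(review): RegionSize is page-rounded; the bytes past EOF inside the
 * last page of a file view read as zero, so the over-estimate is harmless. */
static size_t HiveReadableBytes(const void *Base)
{
    MEMORY_BASIC_INFORMATION mbi;
    size_t skipped;

    if (Base == NULL || VirtualQuery(Base, &mbi, sizeof mbi) != sizeof mbi)
        return 0;
    if (mbi.State != MEM_COMMIT)
        return 0;
    skipped = (size_t)((const char *)Base - (const char *)mbi.BaseAddress);
    return skipped < mbi.RegionSize ? (size_t)mbi.RegionSize - skipped : 0;
}

/* Resolves hbin-relative cell offset Offset to its payload (the bytes after
 * the 4-byte size header). Succeeds only when the header lies within the
 * Limit readable bytes at Bin, the cell is allocated (negative size field),
 * the whole cell fits inside the view, and the payload holds at least Need
 * bytes. On success stores the payload length in *PayloadLen and returns
 * the payload pointer; otherwise returns NULL and leaves *PayloadLen alone.
 * The HIVE_NO_CELL sentinel always yields NULL. */
static const char *HiveCell(const char *Bin, size_t Limit, ULONG Offset,
                            size_t Need, size_t *PayloadLen)
{
    ULONG rawSize;
    size_t cellLen;

    if (Offset == HIVE_NO_CELL || Offset > Limit ||
        Limit - Offset < HIVE_CELL_HEADER)
        return NULL;
    memcpy(&rawSize, Bin + Offset, sizeof rawSize);
    /* An allocated cell stores its length negated; a positive size marks a
     * free cell, which a consistent hive never references. */
    if (!(rawSize & 0x80000000UL))
        return NULL;
    cellLen = (size_t)((ULONG)0 - rawSize); /* magnitude of the negative size */
    if (cellLen < HIVE_CELL_HEADER || cellLen > Limit - Offset)
        return NULL;
    if (cellLen - HIVE_CELL_HEADER < Need)
        return NULL;
    *PayloadLen = cellLen - HIVE_CELL_HEADER;
    return Bin + Offset + HIVE_CELL_HEADER;
}

/* Inverse of HiveCell for the legacy entry points, which receive a payload
 * pointer the caller derived from Bin: turns it back into a cell offset so
 * it can be re-validated instead of trusted. Returns 0 if the pointer does
 * not lie past Bin's first cell header. */
static int HivePointerToOffset(const char *Bin, const void *Payload, ULONG *Offset)
{
    uintptr_t b = (uintptr_t)Bin;
    uintptr_t p = (uintptr_t)Payload;

    if (Payload == NULL || p < b + HIVE_CELL_HEADER)
        return 0;
    if (p - b - HIVE_CELL_HEADER >= HIVE_NO_CELL)
        return 0;
    *Offset = (ULONG)(p - b - HIVE_CELL_HEADER);
    return 1;
}

/* Writes Len bytes from Data to stdout: two hex digits per byte when AsHex
 * is non-zero (REG_BINARY), otherwise printable ASCII verbatim and every
 * other byte as \xNN. The original printed raw bytes with %c, which let a
 * hive inject escape sequences into the console. */
static void HiveWriteBytes(const unsigned char *Data, size_t Len, int AsHex)
{
    size_t i;

    for (i = 0; i < Len; i++) {
        if (AsHex)
            printf("%02x", Data[i]);
        else if (Data[i] >= 0x20 && Data[i] < 0x7F)
            putchar(Data[i]);
        else
            printf("\\x%02x", Data[i]);
    }
}

/* Prints the value whose cell is at ValueOffset: its name, a REG_* label for
 * the types the original knew, and the data either inline (DataLength bit 31
 * set) or from the data cell. Lengths claimed by the file are clamped to what
 * the containing cell actually holds. */
static void HivePrintValue(const char *Bin, size_t Limit, ULONG ValueOffset)
{
    size_t payloadLen, nameLen, dataLen;
    const char *payload;
    const CM_KEY_VALUE *v;
    const unsigned char *data;

    payload = HiveCell(Bin, Limit, ValueOffset, offsetof(CM_KEY_VALUE, Name), &payloadLen);
    if (payload == NULL) {
        printf("Value Name: <bad value cell offset 0x%08lx>\n", (unsigned long)ValueOffset);
        return;
    }
    /* Cells are 8-byte aligned inside the hbin, so the cast is as safe as the original's. */
    v = (const CM_KEY_VALUE *)payload;
    if (v->Signature != HIVE_SIG_KEY_VALUE) {
        printf("Value Name: <cell 0x%08lx is not a value cell>\n", (unsigned long)ValueOffset);
        return;
    }
    /* NameLength is a SHORT in the declared layout; a negative count means an empty name. */
    nameLen = v->NameLength > 0 ? (size_t)v->NameLength : 0;
    if (nameLen > payloadLen - offsetof(CM_KEY_VALUE, Name))
        nameLen = payloadLen - offsetof(CM_KEY_VALUE, Name);
    printf("Value Name: ");
    HiveWriteBytes((const unsigned char *)&v->Name, nameLen, 0);
    printf("\n");

    switch (v->Type) {
    case REG_SZ:
        printf("REG_SZ ");
        break;
    case REG_BINARY:
        printf("REG_BINARY ");
        break;
    case REG_DWORD:
        printf("REG_DWORD ");
        break;
    case REG_MULTI_SZ:
        printf("REG_MULTI_SZ "); /* the original label was misspelled "MULIT" */
        break;
    case REG_EXPAND_SZ:
        printf("REG_EXPAND_SZ ");
        break;
    default:
        break;
    }

    if (v->Type == REG_DWORD) {
        /* A DWORD is read straight from the Data field, as the original did. */
        printf("%08x", (unsigned)v->Data);
    } else if (v->DataLength & 0x80000000UL) {
        /* Inline data lives in the 4-byte Data field itself, so it can never
         * be longer than that whatever the low 31 bits claim. */
        dataLen = v->DataLength & 0x7FFFFFFFUL;
        if (dataLen > sizeof v->Data)
            dataLen = sizeof v->Data;
        data = (const unsigned char *)&v->Data;
        HiveWriteBytes(data, dataLen, v->Type == REG_BINARY);
    } else {
        size_t cellLen;
        const char *cell = HiveCell(Bin, Limit, v->Data, 0, &cellLen);

        if (cell == NULL) {
            printf("<bad data offset 0x%08lx>\n", (unsigned long)v->Data);
            return;
        }
        /* The claimed length may exceed the data cell; never read past it.
         * NOTE(review): later hive versions keep large values in "db"
         * big-data cells; XP-era hives, this parser's target, store the
         * data directly and that is all that is handled here. */
        dataLen = v->DataLength;
        if (dataLen > cellLen)
            dataLen = cellLen;
        data = (const unsigned char *)cell;
        HiveWriteBytes(data, dataLen, v->Type == REG_BINARY);
    }
    printf("\n");
}

/* Prints the key at cell offset KeyOffset under Label ("Root Key" or
 * "Sub Key"), then its values, then recurses into its subkey index. Depth
 * counts walker frames (key and index levels alike) and the walk stops at
 * HIVE_MAX_DEPTH. */
static void HiveWalkKey(const char *Bin, size_t Limit, ULONG KeyOffset,
                        const char *Label, unsigned Depth)
{
    size_t payloadLen, nameLen;
    const char *payload;
    const CM_KEY_NODE *node;

    if (Depth > HIVE_MAX_DEPTH) {
        printf("%s: <nested deeper than %u levels, stopping>\n", Label, (unsigned)HIVE_MAX_DEPTH);
        return;
    }
    payload = HiveCell(Bin, Limit, KeyOffset, offsetof(CM_KEY_NODE, Name), &payloadLen);
    if (payload == NULL) {
        printf("%s: <bad key cell offset 0x%08lx>\n", Label, (unsigned long)KeyOffset);
        return;
    }
    node = (const CM_KEY_NODE *)payload;
    if (node->Signature != HIVE_SIG_KEY_NODE) {
        printf("%s: <cell 0x%08lx is not a key node>\n", Label, (unsigned long)KeyOffset);
        return;
    }
    /* The name runs past the fixed part of the struct; read no more of it
     * than the cell holds. (The original copied NameLength bytes, up to
     * 65535, into a 256-byte stack buffer.) */
    nameLen = node->NameLength;
    if (nameLen > payloadLen - offsetof(CM_KEY_NODE, Name))
        nameLen = payloadLen - offsetof(CM_KEY_NODE, Name);
    printf("%s: ", Label);
    HiveWriteBytes((const unsigned char *)&node->Name, nameLen, 0);
    printf("\n");

    if (node->ValueList.List != HIVE_NO_CELL && node->ValueList.Count != 0) {
        size_t listLen;
        const char *list = HiveCell(Bin, Limit, node->ValueList.List, 0, &listLen);

        if (list == NULL) {
            printf("<bad value list offset 0x%08lx>\n", (unsigned long)node->ValueList.List);
        } else {
            ULONG count = node->ValueList.Count;
            ULONG i;

            /* More entries claimed than the list cell can hold: clamp rather than read past it. */
            if (count > listLen / sizeof(ULONG)) {
                printf("<value list claims %lu entries, cell holds %lu>\n",
                       (unsigned long)count, (unsigned long)(listLen / sizeof(ULONG)));
                count = (ULONG)(listLen / sizeof(ULONG));
            }
            for (i = 0; i < count; i++) {
                ULONG valueOffset;

                memcpy(&valueOffset, list + i * sizeof(ULONG), sizeof valueOffset);
                HivePrintValue(Bin, Limit, valueOffset);
            }
        }
    }

    if (node->SubKeyLists[0] != HIVE_NO_CELL)
        HiveWalkIndex(Bin, Limit, node->SubKeyLists[0], Depth + 1);
}

/* Walks the subkey index cell at IndexOffset. "lf"/"lh" leaves carry 8-byte
 * entries (key cell offset plus a second ULONG the walk does not need, which
 * is what the original's List[i*2] stepped over); "li" leaves carry bare
 * 4-byte offsets; "ri" cells carry 4-byte offsets of further index cells and
 * are walked recursively. The original treated every kind like "lf". */
static void HiveWalkIndex(const char *Bin, size_t Limit, ULONG IndexOffset, unsigned Depth)
{
    size_t payloadLen, entrySize, maxEntries;
    const char *payload;
    const CM_KEY_INDEX *idx;
    USHORT count;
    ULONG i;

    if (Depth > HIVE_MAX_DEPTH) {
        printf("<subkey index nested deeper than %u levels, stopping>\n", (unsigned)HIVE_MAX_DEPTH);
        return;
    }
    payload = HiveCell(Bin, Limit, IndexOffset, offsetof(CM_KEY_INDEX, List), &payloadLen);
    if (payload == NULL) {
        printf("<bad subkey index offset 0x%08lx>\n", (unsigned long)IndexOffset);
        return;
    }
    idx = (const CM_KEY_INDEX *)payload;
    switch (idx->Signature) {
    case CM_KEY_FAST_LEAF:
    case CM_KEY_HASH_LEAF:
        entrySize = 2 * sizeof(ULONG);
        break;
    case HIVE_SIG_INDEX_LEAF:
    case HIVE_SIG_ROOT_INDEX:
        entrySize = sizeof(ULONG);
        break;
    default:
        printf("<unknown subkey index signature 0x%04x at 0x%08lx>\n",
               (unsigned)idx->Signature, (unsigned long)IndexOffset);
        return;
    }
    count = idx->Count;
    maxEntries = (payloadLen - offsetof(CM_KEY_INDEX, List)) / entrySize;
    if (count > maxEntries) {
        /* Count is untrusted: never step past the end of the index cell. */
        printf("<subkey index claims %u entries, cell holds %lu>\n",
               (unsigned)count, (unsigned long)maxEntries);
        count = (USHORT)maxEntries;
    }
    for (i = 0; i < count; i++) {
        ULONG entry;

        memcpy(&entry, payload + offsetof(CM_KEY_INDEX, List) + i * entrySize, sizeof entry);
        if (idx->Signature == HIVE_SIG_ROOT_INDEX)
            HiveWalkIndex(Bin, Limit, entry, Depth + 1);
        else
            HiveWalkKey(Bin, Limit, entry, "Sub Key", Depth + 1);
    }
}

/* Entry point of the walk. FileMemAddr is the base of a read-only view of
 * the hive. Checks the REGF signature at offset 0 and the HBIN signature at
 * offset 0x1000, then walks from the root key whose cell offset the base
 * block records. Both signature checks abort the walk; the original printed
 * the error and then parsed the file anyway. */
VOID TpyeKeyAndValue(PVOID FileMemAddr)
{
    const char *base = (const char *)FileMemAddr;
    size_t total = HiveReadableBytes(base);
    const char *bin;
    size_t limit;
    ULONG sig, rootOffset;

    if (total < HIVE_BASE_BLOCK_SIZE + HIVE_BIN_HEADER_SIZE) {
        printf("Hive File Error!\n");
        system("pause");
        return;
    }
    memcpy(&sig, base, sizeof sig);
    if (sig != REGF) {
        printf("Not a Hive File!\n");
        system("pause");
        return;
    }
    bin = base + HIVE_BASE_BLOCK_SIZE;
    limit = total - HIVE_BASE_BLOCK_SIZE;
    memcpy(&sig, bin, sizeof sig);
    if (sig != HBIN) {
        printf("Hive File Error!\n");
        system("pause");
        return;
    }
    /* The root key's offset is taken from the base block instead of assuming
     * it is the first cell of the first bin (the original's RootBin+0x24). */
    memcpy(&rootOffset, base + HIVE_ROOT_CELL_FIELD, sizeof rootOffset);
    HiveWalkKey(bin, limit, rootOffset, "Root Key", 0);
}

/* Legacy entry point kept for the prototype above: KeyIndex is a payload
 * pointer the caller derived from Bin, so it is converted back to an offset
 * and re-validated before the bounded walker runs. */
VOID TypeSubKey(PCHAR Bin,PCM_KEY_INDEX KeyIndex)
{
    ULONG offset;

    if (!HivePointerToOffset(Bin, KeyIndex, &offset))
        return;
    HiveWalkIndex(Bin, HiveReadableBytes(Bin), offset, 0);
}

/* Legacy entry point: prints the key at KeyNode as "Sub Key" and walks its
 * values and subkeys, after re-validating the pointer against Bin. */
VOID TypeSubKeyName(PCHAR Bin,PCM_KEY_NODE KeyNode)
{
    ULONG offset;

    if (!HivePointerToOffset(Bin, KeyNode, &offset))
        return;
    HiveWalkKey(Bin, HiveReadableBytes(Bin), offset, "Sub Key", 0);
}

/* Legacy entry point: prints the value at value after re-validating the
 * pointer against Bin. */
VOID TypeValue(PCHAR Bin,PCM_KEY_VALUE value)
{
    ULONG offset;

    if (!HivePointerToOffset(Bin, value, &offset))
        return;
    HivePrintValue(Bin, HiveReadableBytes(Bin), offset);
}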