请问CmEnumerateKey函数的2个问题

Windows内核调试

请问CmEnumerateKey函数的2个问题

merry 2009-05-10, 22:43 下午

看到对函数CmEnumerateKey的一段说明,如下:
对CmEnumerateKey进行反汇编,会看到CmEnumerateKey通过读取结构HHive的成员GetCellRoutine,将其作为参数调用HvpGetCellMapped函数。

Q1:CmEnumerateKey函数的参数类型没有是_CELL_DATA*(GetCellRoutine),如何能将GetCellRoutine作为参数?
 
NTSTATUS
CmEnumerateKey(
IN PCM_KEY_CONTROL_BLOCK KeyControlBlock,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
IN PVOID KeyInformation,
IN ULONG Length,
IN PULONG ResultLength
)

Q2:在CmEnumerateKey的反汇编代码(如下)中,如何看出CmEnumerateKey通过读取结构HHive的成员,再调用HvpGetCellMapped?

lkd> u nt!cmenumeratekey
nt!CmEnumerateKey:
8094f2ec 6a18            push    18h
8094f2ee 6828928080      push    offset nt!`string'+0xf8 (80809228)
8094f2f3 e80810f1ff      call    nt!_SEH_prolog (80860300)
8094f2f8 e839a8ffff      call    nt!CmpLockRegistry (80949b36)
8094f2fd 8b4508          mov     eax,dword ptr [ebp+8]
8094f300 f6400502        test    byte ptr [eax+5],2
8094f304 7407            je      nt!CmEnumerateKey+0x21 (8094f30d)
8094f306 be7c0100c0      mov     esi,0C000017Ch
8094f30b eb74            jmp     nt!CmEnumerateKey+0x95 (8094f381)
8094f30d 8b7010          mov     esi,dword ptr [eax+10h]
8094f310 8975e0          mov     dword ptr [ebp-20h],esi
8094f313 8b7814          mov     edi,dword ptr [eax+14h]
8094f316 57              push    edi
8094f317 56              push    esi
8094f318 ff5604          call    dword ptr [esi+4]
8094f31b 85c0            test    eax,eax
8094f31d 7507            jne     nt!CmEnumerateKey+0x3a (8094f326)
8094f31f be9a0000c0      mov     esi,0C000009Ah
8094f324 eb5b            jmp     nt!CmEnumerateKey+0x95 (8094f381)
8094f326 ff750c          push    dword ptr [ebp+0Ch]
8094f329 50              push    eax
8094f32a 56              push    esi
8094f32b e8a6bdffff      call    nt!CmpFindSubKeyByNumber (8094b0d6)
8094f330 8bd8            mov     ebx,eax
8094f332 895ddc          mov     dword ptr [ebp-24h],ebx
8094f335 8b4608          mov     eax,dword ptr [esi+8]
8094f338 85c0            test    eax,eax
8094f33a 7404            je      nt!CmEnumerateKey+0x54 (8094f340)
8094f33c 57              push    edi
8094f33d 56              push    esi
8094f33e ffd0            call    eax
8094f340 83fbff          cmp     ebx,0FFFFFFFFh
8094f343 7507            jne     nt!CmEnumerateKey+0x60 (8094f34c)
8094f345 be1a000080      mov     esi,8000001Ah
8094f34a eb35            jmp     nt!CmEnumerateKey+0x95 (8094f381)
8094f34c 53              push    ebx
8094f34d 56              push    esi
8094f34e ff5604          call    dword ptr [esi+4]
8094f351 85c0            test    eax,eax
8094f353 74ca            je      nt!CmEnumerateKey+0x33 (8094f31f)
8094f355 8365fc00        and     dword ptr [ebp-4],0
8094f359 ff751c          push    dword ptr [ebp+1Ch]
8094f35c ff7518          push    dword ptr [ebp+18h]
8094f35f ff7514          push    dword ptr [ebp+14h]
8094f362 ff7510          push    dword ptr [ebp+10h]
8094f365 50              push    eax
8094f366 56              push    esi
8094f367 e8d8e20000      call    nt!CmpQueryKeyData (8095d644)
8094f36c 8945e4          mov     dword ptr [ebp-1Ch],eax
8094f36f 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
8094f373 8b4608          mov     eax,dword ptr [esi+8]
8094f376 85c0            test    eax,eax
8094f378 7404            je      nt!CmEnumerateKey+0x92 (8094f37e)
8094f37a 53              push    ebx
8094f37b 56              push    esi
8094f37c ffd0            call    eax
8094f37e 8b75e4          mov     esi,dword ptr [ebp-1Ch]
8094f381 e8fca7ffff      call    nt!CmpUnlockRegistry (80949b82)
8094f386 8bc6            mov     eax,esi
8094f388 eb2d            jmp     nt!CmEnumerateKey+0xcb (8094f3b7)
8094f38a 8b45ec          mov     eax,dword ptr [ebp-14h]
8094f38d 8b00            mov     eax,dword ptr [eax]
8094f38f 8b00            mov     eax,dword ptr [eax]
8094f391 8945d8          mov     dword ptr [ebp-28h],eax
8094f394 33c0            xor     eax,eax
8094f396 40              inc     eax
8094f397 c3              ret
8094f398 8b65e8          mov     esp,dword ptr [ebp-18h]
8094f39b 8b4de0          mov     ecx,dword ptr [ebp-20h]
8094f39e 8b4108          mov     eax,dword ptr [ecx+8]
8094f3a1 85c0            test    eax,eax
8094f3a3 7406            je      nt!CmEnumerateKey+0xbf (8094f3ab)
8094f3a5 ff75dc          push    dword ptr [ebp-24h]
8094f3a8 51              push    ecx
8094f3a9 ffd0            call    eax
8094f3ab e8d2a7ffff      call    nt!CmpUnlockRegistry (80949b82)
8094f3b0 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
8094f3b4 8b45d8          mov     eax,dword ptr [ebp-28h]
8094f3b7 e87f0ff1ff      call    nt!_SEH_epilog (8086033b)
8094f3bc c21800          ret     18h

Re: 请问CmEnumerateKey函数的2个问题

benlong 2009-05-11, 09:13 上午
KeyControlBlock中+10h指向HHIVE,HHIVE中+4指向_CELL_DATA*,
即8094f318 ff5604 call dword ptr [esi+4]

Powered by Community Server Powered by CnForums.Net