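Today I wanted to write a registry monitor for fun, but unexpectedly... I hit a pitfall. I wanted to dt the REG_PRE_CREATE_KEY_INFORMATION structure, but it simply will not display; it keeps saying the symbol cannot be found!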
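Let me describe my environment first: two-machine debugging, WinDbg + VirtualBox. The system in the virtual machine is XP SP3, which is also the system being debugged. WinDbg runs on the physical machine.

1. WinDbg symbol settings:
SRV*D:\Sym\winxpsp3*http://msdl.microsoft.com/download/symbols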
2. kd> lml
start    end        module name
7c920000 7c9b3000   ntdll      (pdb symbols)          d:\symbols\winxpsp3\ntdll.pdb\1751003260CA42598C0FB326585000ED2\ntdll.pdb
804d8000 806ef380   nt         (pdb symbols)          d:\symbols\winxpsp3\ntoskrnl.pdb\C51C20EDB8624D43A7985BE44182DE442\ntoskrnl.pdb
806f0000 80703d00   hal        (pdb symbols)          d:\symbols\winxpsp3\halacpi.pdb\52475CC399844839AD8ADF647D0AF71A1\halacpi.pdb
bf000000 bf011600   dxg        (pdb symbols)          d:\symbols\winxpsp3\dxg.pdb\1BF735C70BDA42F7A25DCAEAA44B79001\dxg.pdb
bf012000 bf029000   VBoxDisp   (export symbols)       VBoxDisp.dll
bf800000 bf9caa80   win32k     (pdb symbols)          d:\symbols\winxpsp3\win32k.pdb\4366589EA5CD465FBA0BC25440B93A0C2\win32k.pdb
f4751000 f477b180   kmixer     (pdb symbols)          d:\symbols\winxpsp3\kmixer.pdb\974481661DB04BA896523C719B37A8BF1\kmixer.pdb
f47cc000 f480ca80   HTTP       (pdb symbols)          d:\symbols\winxpsp3\http.pdb\B5A46191250E412D80E9D9E9DDA2F4DA1\http.pdb
f4add000 f4b34600   srv        (pdb symbols)          d:\symbols\winxpsp3\srv.pdb\B71D43221C284A288535837C8BDEA3302\srv.pdb
f4b5d000 f4b89180   mrxdav     (pdb symbols)          d:\symbols\winxpsp3\mrxdav.pdb\EDD7D9E6E63B43DBA5059A72CE89286E1\mrxdav.pdb
......
Basically, symbols were loaded for most of the modules!
3. I ran the following commands:
kd> dt _REG_PRE_CREATE_KEY_INFORMATION
Symbol _REG_PRE_CREATE_KEY_INFORMATION not found.
kd> dt REG_PRE_CREATE_KEY_INFORMATION
Symbol REG_PRE_CREATE_KEY_INFORMATION not found.
Yet when I look it up in the MSDN documentation, it shows the following:

REG_PRE_CREATE_KEY_INFORMATION
The REG_PRE_CREATE_KEY_INFORMATION structure contains the name of a registry key that is about to be created.

typedef struct _REG_PRE_CREATE_KEY_INFORMATION {
    PUNICODE_STRING CompleteName;
} REG_PRE_CREATE_KEY_INFORMATION, *PREG_PRE_CREATE_KEY_INFORMATION;

Members
CompleteName
A pointer to a UNICODE_STRING structure that contains the complete path of the registry key.

Requirements
Versions: Available only on Microsoft Windows XP.
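That shows this structure is supported on XP!
I am very confused about why this happens. I also searched Baidu myself and found no relevant information. What on earth causes this, and how can it be solved? I would be grateful if any of you could give me some pointers. Many thanks!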