A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #23947  by myid
 Sat Sep 20, 2014 6:04 pm
Hi, everyone. I have a very strange question.

My definition of HvpGetCellMapped:
Code:
#ifdef AMD64
/* arguments: PHHIVE, then the HCELL_INDEX (a 32-bit cell index passed as ULONG) */
typedef PCM_KEY_NODE (__fastcall *PHVPGETCELLMAPPED)(PVOID, ULONG);
#else
typedef PCM_KEY_NODE (__stdcall *PHVPGETCELLMAPPED)(PVOID, ULONG);
#endif
I use WINDBG to confirm that I have got the real address of HvpGetCellMapped.

When I call HvpGetCellMapped on WIN2003X86, it returns a valid PCM_KEY_NODE address.
When I call HvpGetCellMapped on WIN2003X64, it returns an invalid address like 0x6d12345.

Who can tell me the reason?
 #23951  by EP_X0FF
 Sun Sep 21, 2014 4:03 am
How do you call it? And more importantly, why do you need this unexported routine?

If you plan to work with registry on low level it is much simpler to parse hive files on disk.
 #23954  by myid
 Sun Sep 21, 2014 5:37 am
EP_X0FF wrote: How do you call it? And more importantly, why do you need this unexported routine?

If you plan to work with registry on low level it is much simpler to parse hive files on disk.

1. I am learning how to hide a RegKey. In other words, I just want to practice my programming skills.
2. How do I parse hive files on disk? NTREG is not useful.
 #23957  by Vrtule
 Sun Sep 21, 2014 10:33 am
Hello,

Does the routine on x64 always return a 32-bit value for you? I mean, are the higher bits of the result (above bit 31) ever set?

Also, some hives probably don't use HvpGetCellMapped at all; purely volatile hives are an example. I have not verified this claim, but AFAIR there exist multiple HvpGetCellXXX variants.
If you plan to work with registry on low level it is much simpler to parse hive files on disk.
Or in memory. Well, it is not that easy, but also not so hard.

If you want to know more about internal registry structures, I think I posted some links to the Articles topic in this forum.
2.How to parse hive files on disk? NTREG is not useful.
I think there is no need to use NTREG when there is the Offline Registry Library. The library is part of the WDK package (it used to be, at least) and allows you to parse registry files without using any undocumented stuff. The library has only a few dependencies, so it is quite easy to reverse engineer it and learn what the registry file format really looks like.

The problems with parsing registry files on disk are:
1) the files are inaccessible by normal means while they are connected to the registry tree,
2) volatile keys are not stored in them.
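Since the post above recommends parsing hive files on disk (or in memory) and learning the file format, here is an added example that is not part of the thread and not the Offline Registry Library's code. It is a minimal reader for the "regf" format in plain C: it validates the base block, resolves cell indices the way a flat hive image allows (the counterpart of what HvpGetCellMapped does for a mapped hive in the kernel), walks a key's "lf" subkey list and reads a REG_DWORD value, including the case where the data is stored inline in the vk record. The hive image it runs on is constructed in memory by build_hive() and is not a real file; the function names and the sample key/value names are my own. It assumes 8-bit (compressed) key and value names, stable cells only, and ignores "ri" lists, "db" big-data cells, the base-block checksum and transaction logs, all of which a real hive can contain.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not code from the thread: a minimal reader for the on-disk "regf" hive format,
 * run over a tiny hive image constructed in memory below. Offsets follow CM_KEY_NODE ("nk") and CM_KEY_VALUE ("vk"). */
#define HIVE_HEADER_SIZE 0x1000u   /* base block; the first hbin starts right after it */
#define HCELL_NIL        0xFFFFFFFFu
#define KEY_COMP_NAME    0x0020    /* nk flag: 8-bit key name, not UTF-16 */
#define VALUE_COMP_NAME  0x0001    /* vk flag: 8-bit value name */
typedef struct { const uint8_t *base; size_t size; } hive_t;
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
/* Flat-image counterpart of HvpGetCellMapped: a HCELL_INDEX is the byte offset of the cell from the
 * first hbin; bit 31 set marks volatile storage, which never reaches disk. Returns the cell payload or NULL. */
static const uint8_t *hv_get_cell(const hive_t *h, uint32_t index) {
    size_t off = HIVE_HEADER_SIZE + (size_t)index;
    int32_t sz;
    if (index == HCELL_NIL || (index & 0x80000000u) || off + 4 > h->size) return NULL;
    sz = (int32_t)rd32(h->base + off);                        /* negative size = allocated cell */
    if (sz >= 0 || off + (0u - (uint32_t)sz) > h->size) return NULL;
    return h->base + off + 4;                                 /* skip the 4-byte size field */
}
/* Check the base block: signature and matching sequence numbers (mismatch = dirty hive); return root index. */
static uint32_t hive_open(const hive_t *h) {
    if (h->size < HIVE_HEADER_SIZE || memcmp(h->base, "regf", 4) != 0 || rd32(h->base + 4) != rd32(h->base + 8)) return HCELL_NIL;
    return rd32(h->base + 36);
}
/* Key name as a C string in a static buffer (8-bit names only); NULL on failure. */
static const char *nk_name(const hive_t *h, uint32_t nk_idx) {
    static char buf[256];
    const uint8_t *nk = hv_get_cell(h, nk_idx); uint16_t len;
    if (!nk || memcmp(nk, "nk", 2) != 0 || !(rd16(nk + 2) & KEY_COMP_NAME)) return NULL;
    if ((len = rd16(nk + 0x48)) >= sizeof buf) return NULL;
    memcpy(buf, nk + 0x4C, len); buf[len] = 0;
    return buf;
}
/* i-th stable subkey, through the "lf"/"lh"/"li" index list the nk points to. */
static uint32_t nk_subkey(const hive_t *h, uint32_t nk_idx, uint32_t i) {
    const uint8_t *nk = hv_get_cell(h, nk_idx), *list;
    if (!nk || i >= rd32(nk + 0x14) || !(list = hv_get_cell(h, rd32(nk + 0x1C))) || i >= rd16(list + 2)) return HCELL_NIL;
    return rd32(list + 4 + i * (memcmp(list, "li", 2) == 0 ? 4 : 8));   /* lf/lh entries carry a 4-byte hash */
}
/* REG_DWORD by value name: the data sits inline in the vk when bit 31 of DataLength is set, otherwise in
 * its own cell. Returns the value, or -1 if missing or not a REG_DWORD. */
static int64_t nk_get_dword(const hive_t *h, uint32_t nk_idx, const char *name) {
    const uint8_t *nk = hv_get_cell(h, nk_idx), *vl, *vk, *data;
    uint32_t i, dlen;
    if (!nk || !(vl = hv_get_cell(h, rd32(nk + 0x28)))) return -1;
    for (i = 0; i < rd32(nk + 0x24); i++) {
        vk = hv_get_cell(h, rd32(vl + 4 * i));
        if (!vk || memcmp(vk, "vk", 2) != 0 || !(rd16(vk + 0x10) & VALUE_COMP_NAME)) continue;
        if ((size_t)rd16(vk + 2) != strlen(name) || memcmp(vk + 0x14, name, strlen(name)) != 0) continue;
        if (rd32(vk + 0x0C) != 4 /* REG_DWORD */) return -1;
        dlen = rd32(vk + 4);
        if (dlen & 0x80000000u) return rd32(vk + 8);
        if (dlen < 4 || !(data = hv_get_cell(h, rd32(vk + 8)))) return -1;
        return rd32(data);
    }
    return -1;
}
/* Constructed sample hive (not a real file): ROOT { Flag = REG_DWORD 0x1234; subkey "Sub" }. */
static uint8_t g_img[HIVE_HEADER_SIZE + 0x1000];
static hive_t g_hive = { g_img, sizeof g_img }; static uint32_t g_root;
static uint32_t put_cell(uint32_t *cur, const uint8_t *payload, uint32_t len) {
    uint32_t idx = *cur, total = (4 + len + 7) & ~7u;         /* cells are 8-byte aligned */
    wr32(g_img + HIVE_HEADER_SIZE + idx, 0u - total);          /* negative size = in use */
    memcpy(g_img + HIVE_HEADER_SIZE + idx + 4, payload, len);
    *cur += total;
    return idx;
}
static uint32_t build_hive(void) {
    uint8_t nk[0x50] = {0}, vk[0x18] = {0}, lf[0x0C] = {0}, vl[4];
    uint32_t cur = 0x20, vl_idx, sub_idx, lf_idx, i;          /* first cell follows the 32-byte hbin header */
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img + HIVE_HEADER_SIZE, "hbin", 4); wr32(g_img + HIVE_HEADER_SIZE + 8, 0x1000);
    memcpy(vk, "vk", 2); wr16(vk + 2, 4); wr32(vk + 4, 0x80000004u); wr32(vk + 8, 0x1234); /* inline data */
    wr32(vk + 0x0C, 4); wr16(vk + 0x10, VALUE_COMP_NAME); memcpy(vk + 0x14, "Flag", 4);
    wr32(vl, put_cell(&cur, vk, sizeof vk)); vl_idx = put_cell(&cur, vl, sizeof vl);
    memcpy(nk, "nk", 2); wr16(nk + 2, KEY_COMP_NAME);
    for (i = 0x1C; i <= 0x30; i += 4) if (i != 0x24) wr32(nk + i, HCELL_NIL);   /* Sub: no lists at all */
    wr16(nk + 0x48, 3); memcpy(nk + 0x4C, "Sub", 3);
    sub_idx = put_cell(&cur, nk, 0x4C + 3);
    memcpy(lf, "lf", 2); wr16(lf + 2, 1); wr32(lf + 4, sub_idx); memcpy(lf + 8, "Sub", 3);  /* hash = name[0..3] */
    lf_idx = put_cell(&cur, lf, sizeof lf);
    wr32(nk + 0x14, 1); wr32(nk + 0x1C, lf_idx); wr32(nk + 0x24, 1); wr32(nk + 0x28, vl_idx);
    wr16(nk + 0x48, 4); memcpy(nk + 0x4C, "ROOT", 4);                   /* reuse the buffer for ROOT */
    g_root = put_cell(&cur, nk, 0x4C + 4);
    wr32(g_img + HIVE_HEADER_SIZE + sub_idx + 4 + 0x10, g_root);        /* Sub.Parent = ROOT */
    memcpy(g_img, "regf", 4); wr32(g_img + 4, 1); wr32(g_img + 8, 1);   /* clean hive: seq1 == seq2 */
    wr32(g_img + 20, 1); wr32(g_img + 24, 3); wr32(g_img + 32, 1);      /* version 1.3, format 1 */
    wr32(g_img + 36, g_root); wr32(g_img + 40, 0x1000);                 /* root cell, hbins data size */
    return g_root;
}
int main(void) {
    uint32_t root = build_hive();
    printf("root: %s\n", hive_open(&g_hive) == root ? nk_name(&g_hive, root) : "(bad base block)");
    printf("subkey[0]: %s\n", nk_name(&g_hive, nk_subkey(&g_hive, root, 0)));
    printf("Flag = 0x%llx\n", (long long)nk_get_dword(&g_hive, root, "Flag"));
    return 0;
}
```

Two points connect this back to the opening question. A cell index is a 32-bit offset, not a pointer: on a flat image it is resolved by adding it to the start of the hive bins, and in the kernel that translation is exactly what the HvpGetCellXXX routines perform against the hive's mapped views, which is why treating the routine's result or argument as anything other than that pairing goes wrong. And the subkey walk shows what on-disk parsing can and cannot see: a key that has been unlinked from its parent's "lf" list is invisible to nk_subkey even though its nk cell is still allocated, while keys in volatile storage (bit 31 set) never appear in the file at all, as the post above notes.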
 #23966  by myid
 Mon Sep 22, 2014 9:16 am
Vrtule wrote: Hello,

Does the routine on x64 always return a 32-bit value for you? I mean, are the higher bits of the result (above bit 31) ever set?

Also, some hives probably don't use HvpGetCellMapped at all; purely volatile hives are an example. I have not verified this claim, but AFAIR there exist multiple HvpGetCellXXX variants.
If you plan to work with registry on low level it is much simpler to parse hive files on disk.
Or in memory. Well, it is not that easy, but also not so hard.

If you want to know more about internal registry structures, I think I posted some links to the Articles topic in this forum.
2.How to parse hive files on disk? NTREG is not useful.
I think there is no need to use NTREG when there is the Offline Registry Library. The library is part of the WDK package (it used to be, at least) and allows you to parse registry files without using any undocumented stuff. The library has only a few dependencies, so it is quite easy to reverse engineer it and learn what the registry file format really looks like.

The problems with parsing registry files on disk are:
1) the files are inaccessible by normal means while they are connected to the registry tree,
2) volatile keys are not stored in them.
Thank you for your reply.
But I cannot find any demo code for parsing registry files in the WDK.
 #23967  by Vrtule
 Mon Sep 22, 2014 12:09 pm
Well, I also seem unable to find any Offreg-related example on MSDN. But Google found the following sample (and probably more):
https://code.google.com/p/malwarecookbo ... mple.c?r=4

AFAIK the Offreg APIs are not complicated, so it should be possible to use the library after reading this article:
http://msdn.microsoft.com/en-us/library ... s.85).aspx
 #23969  by myid
 Mon Sep 22, 2014 4:57 pm
Vrtule wrote: Well, I also seem unable to find any Offreg-related example on MSDN. But Google found the following sample (and probably more):
https://code.google.com/p/malwarecookbo ... mple.c?r=4

AFAIK the Offreg APIs are not complicated, so it should be possible to use the library after reading this article:
http://msdn.microsoft.com/en-us/library ... s.85).aspx
Thank you! You are so kind!
 #23993  by myid
 Fri Sep 26, 2014 2:12 pm
Vrtule wrote: Well, I also seem unable to find any Offreg-related example on MSDN. But Google found the following sample (and probably more):
https://code.google.com/p/malwarecookbo ... mple.c?r=4

AFAIK the Offreg APIs are not complicated, so it should be possible to use the library after reading this article:
http://msdn.microsoft.com/en-us/library ... s.85).aspx
Hi, I have studied these APIs over the last 2 days.
But I found that OFFREG.DLL only supports up to WIN7.
If I want to analyse a REG file from WIN8, how do I do that?
 #23994  by Vrtule
 Fri Sep 26, 2014 2:28 pm
Does the library detect which Windows version it is run on, or does your information come only from the documentation?

Well, I did not try to parse registry hive files on Windows 8+. I parsed only the registry in memory, and that is nearly the same as for earlier Windows versions.

Maybe, they just forgot to update the documentation.
 #23996  by myid
 Fri Sep 26, 2014 4:52 pm
Vrtule wrote: Does the library detect which Windows version it is run on, or does your information come only from the documentation?

Well, I did not try to parse registry hive files on Windows 8+. I parsed only the registry in memory, and that is nearly the same as for earlier Windows versions.

Maybe, they just forgot to update the documentation.
I copied OffReg.dll from WDK 9600 (WDK 8.1).
It cannot parse the HIVE file from WIN8.1, but it can parse the HIVE file from WIN7.
What a pity!