I searched around online and could not find any material on this, none at all. There is also the code that 大米 made public for reference. I am writing down what I have learned right away.
Structure of CM_KEY_NODE:
 +0x014 SubKeyCounts     : [2] Uint4B    // SubKeyCounts[0]: number of subkeys
 +0x01c SubKeyLists      : [2] Uint4B    // SubKeyLists[0]: offset of the subkey list relative to this BIN
SubKeyLists here is an offset that points to a CM_KEY_INDEX structure, which is also the most complicated structure.
It has several variants.
It can be:
lf structure
    + lf
    + lh
li structure
ri structure
The signature tells which kind of structure the current index is. Each kind has its own layout:
#include <stdint.h>  /* fixed-width types: the on-disk fields are 2 and 4 bytes, but "long" is 8 bytes on LP64 */

struct lf_key {
  int16_t id;         /* 0x0000  Word  ID: ASCII-"lf" = 0x666C or "lh" = 0x686c */
  int16_t no_keys;    /* 0x0002  Word  number of keys */
                      /* 0x0004        Hash-Records */

  union {
    struct lf_hash {
      int32_t ofs_nk;   /* 0x0000  D-Word  Offset of corresponding "nk"-Record */
      char name[4];     /* 0x0004  D-Word  ASCII: the first 4 characters of the key-name, */
                        /*                 padded with 0's. Case sensitive! */
    } hash[1];
    /* WinXP uses a more real hash instead (base 37 of uppercase name chars) */
    struct lh_hash {
      int32_t ofs_nk;   /* 0x0000  D-Word  Offset of corresponding "nk"-Record */
      int32_t hash;     /* 0x0004  D-Word  Hash of the key-name (see the comment above) */
    } lh_hash[1];
  };
};

/* 3.x version of the above, contains only offset table, NOT
 * any start of names "hash". Thus needs 'nk' lookups for searches.
 */
struct li_key {
  int16_t id;         /* 0x0000  Word  ID: ASCII-"li" = 0x696C */
  int16_t no_keys;    /* 0x0002  Word  number of keys */
                      /* 0x0004        Hash-Records */
  struct li_hash {
    int32_t ofs_nk;   /* 0x0000  D-Word  Offset of corresponding "nk"-Record */
  } hash[1];
};

/* This is a list of pointers to struct li_key, ie
 * an extension record if many li's.
 * This happens in NT4&5 when the lf hashlist grows larger
 * than about 400-500 entries/subkeys??, then the nk_key->ofs_lf points to this
 * instead of directly to an lf.
 * The sub-indices this points to seems to be li (yes!) in NT4 and 2k.
 * In XP and newer they point to lh which is more efficient.
 * Likely to happen in HKLM\Software\classes (file extension list) and
 * in SAM when many users.
 */
struct ri_key {
  int16_t id;         /* 0x0000  Word  ID: ASCII-"ri" = 0x6972 */
  int16_t no_lis;     /* 0x0002  Word  number of pointers to li */
                      /* 0x0004        Hash-Records */
  struct ri_hash {
    int32_t ofs_li;   /* 0x0000  D-Word  Offset of corresponding "li"-Record */
  } hash[1];
};

When the number of subkeys is around 500, an ri structure is used. The ri structure holds the indexes of li or lf structures.

Code to enumerate a key's subkeys:

Without an ri structure, the path to a subkey's CM_KEY_NODE structure is:
subKeyList --> index structure --[index.hash[i].ofs_nk]--> key_Node

With an ri structure:
subkeylist --> ri_index --[rikey->hash[r].ofs_li]--> li/lf structure --[index.hash[i].ofs_nk]--> Key_node

Damn... what a slog.
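
The two lookup paths above (directly through lf/lh/li, or through ri first), written as an added example that is not code from the original post or from 大米's code. It treats the index as untrusted input and bounds-checks every read. Assumptions: the names `walk_index`, `rd32` and `SAMPLE` are hypothetical, offsets are used as direct indexes into the buffer (base and cell-header adjustment for a real hive file is left to the caller), and rejecting an ri under another ri is this example's own choice to rule out cycles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample (not from a real hive): ri at 0x00 -> lh at 0x10 and li at 0x28. */
static const uint8_t SAMPLE[48] = {
    'r','i', 2,0, 0x10,0,0,0, 0x28,0,0,0, 0,0,0,0,
    'l','h', 2,0, 0xA0,0,0,0, 1,2,3,4, 0xB0,0,0,0, 5,6,7,8, 0,0,0,0,
    'l','i', 1,0, 0xC0,0,0,0 };

/* Little-endian 32-bit read that refuses to go past the end of the buffer. */
static int rd32(const uint8_t *b, size_t n, size_t o, uint32_t *v) {
    if (o > n || n - o < 4) return -1;
    *v = b[o] | (uint32_t)b[o + 1] << 8 | (uint32_t)b[o + 2] << 16 | (uint32_t)b[o + 3] << 24;
    return 0;
}

/* Append every ofs_nk reachable from the index at `ofs` to out[]; call with cnt = 0, depth = 0.
 * Returns the new count, or -1 if the index is malformed or out[] is too small. */
int walk_index(const uint8_t *b, size_t n, uint32_t ofs,
               uint32_t *out, int cnt, int max, int depth) {
    uint32_t hdr, v;
    if (rd32(b, n, ofs, &hdr)) return -1;
    uint16_t id = (uint16_t)(hdr & 0xFFFF), num = (uint16_t)(hdr >> 16); /* id at +0, count at +2 */
    size_t stride;
    if (id == 0x666C || id == 0x686C) stride = 8;      /* lf/lh: ofs_nk + name or hash */
    else if (id == 0x696C || id == 0x6972) stride = 4; /* li/ri: offset only */
    else return -1;                                    /* unknown signature */
    if (id == 0x6972 && depth > 0) return -1;          /* example's choice: no ri under ri */
    for (uint16_t i = 0; i < num; i++) {
        if (rd32(b, n, (size_t)ofs + 4 + i * stride, &v)) return -1;
        if (id == 0x6972) {                            /* ri entry: descend into li/lf/lh */
            cnt = walk_index(b, n, v, out, cnt, max, depth + 1);
            if (cnt < 0) return -1;
        } else {
            if (cnt >= max) return -1;                 /* caller's array is full */
            out[cnt++] = v;                            /* offset of the subkey's nk record */
        }
    }
    return cnt;
}

int main(void) {
    uint32_t nk[8];
    int c = walk_index(SAMPLE, sizeof SAMPLE, 0, nk, 0, 8, 0);
    for (int i = 0; i < c; i++) printf("nk record at 0x%X\n", (unsigned)nk[i]);
    return c == 3 ? 0 : 1;
}
```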