当前位置：首页 > article >正文

新建菜单项的创建之CmpGetValueListFromCache函数分析

article 2025/2/28 19:06:41

第一部分：
PCELL_DATA
CmpGetValueListFromCache(
    IN PHHIVE               Hive,
    IN PCACHED_CHILD_LIST   ChildList,
    OUT BOOLEAN             *IndexCached,
    OUT PHCELL_INDEX        ValueListToRelease
)

0: kd> dv

         KeyControlBlock = 0xe115f5b0
                   Index = 2
KeyValueInformationClass = KeyValueFullInformation (0n1)
     KeyValueInformation = 0x00fad9bc

ChildList = 0xe119a7c4

0: kd> dv
KeyControlBlock = 0xe115f5b0
Index = 2
KeyValueInformationClass = KeyValueFullInformation (0n1)

0: kd> dx -r1 ((ntkrnlmp!_CM_KEY_CONTROL_BLOCK *)0xe115f5b0)
((ntkrnlmp!_CM_KEY_CONTROL_BLOCK *)0xe115f5b0) : 0xe115f5b0 [Type: _CM_KEY_CONTROL_BLOCK *]

[+0x024] ValueCache [Type: _CACHED_CHILD_LIST]

0: kd> dx -r1 (*((ntkrnlmp!_CACHED_CHILD_LIST *)0xe115f5d4))
(*((ntkrnlmp!_CACHED_CHILD_LIST *)0xe115f5d4))                 [Type: _CACHED_CHILD_LIST]
    [+0x000] Count            : 0x8 [Type: unsigned long]
    [+0x004] ValueList        : 0xe119a7c1 [Type: unsigned long]
    [+0x004] RealKcb          : 0xe119a7c1 [Type: _CM_KEY_CONTROL_BLOCK *]

参考头文件：CMP_GET_CACHED_CELLDATA cmdata.h (base\ntos\inc)

#define CMP_GET_CACHED_CELLDATA(Cell) (&(((PCM_CACHED_VALUE_INDEX)(((ULONG_PTR) (Cell)) & ~CMP_CELL_CACHED_MASK))->Data.CellData))

0: kd> dt CM_CACHED_VALUE_INDEX 0xe119a7c0
nt!CM_CACHED_VALUE_INDEX
   +0x000 CellIndex        : 0x78420
   +0x004 Data             : __unnamed
0: kd> dx -id 0,0,89589d88 -r1 (*((ntkrnlmp!__unnamed *)0xe119a7c4))
(*((ntkrnlmp!__unnamed *)0xe119a7c4))                 [Type: __unnamed]
    [+0x000] CellData         [Type: _CELL_DATA]
    [+0x000] List             [Type: unsigned long [1]]
0: kd> dx -id 0,0,89589d88 -r1 (*((ntkrnlmp!_CELL_DATA *)0xe119a7c4))
(*((ntkrnlmp!_CELL_DATA *)0xe119a7c4))                 [Type: _CELL_DATA]
    [+0x000] u                [Type: _u]
0: kd> dx -id 0,0,89589d88 -r1 (*((ntkrnlmp!_u *)0xe119a7c4))
(*((ntkrnlmp!_u *)0xe119a7c4))                 [Type: _u]
    [+0x000] KeyNode          [Type: _CM_KEY_NODE]
    [+0x000] KeyValue         [Type: _CM_KEY_VALUE]
    [+0x000] KeySecurity      [Type: _CM_KEY_SECURITY]
    [+0x000] KeyIndex         [Type: _CM_KEY_INDEX]
    [+0x000] ValueData        [Type: _CM_BIG_DATA]
    [+0x000] KeyList          [Type: unsigned long [1]]
    [+0x000] KeyString        [Type: unsigned short [1]]

第二部分：
0: kd> dt CELL_DATA 0xe119a7c4
nt!CELL_DATA
   +0x000 u                : _u
0: kd> dx -id 0,0,89589d88 -r1 (*((ntkrnlmp!_u *)0xe119a7c4))
(*((ntkrnlmp!_u *)0xe119a7c4))                 [Type: _u]
    [+0x000] KeyNode          [Type: _CM_KEY_NODE]
    [+0x000] KeyValue         [Type: _CM_KEY_VALUE]
    [+0x000] KeySecurity      [Type: _CM_KEY_SECURITY]
    [+0x000] KeyIndex         [Type: _CM_KEY_INDEX]
    [+0x000] ValueData        [Type: _CM_BIG_DATA]
    [+0x000] KeyList          [Type: unsigned long [1]]
    [+0x000] KeyString        [Type: unsigned short [1]]
0: kd> dd 0xe119a7c4                   8个键值
e119a7c4 e19d0809 e19efc39 e11657a1 e116ace9
e119a7d4 e16c5b21 e19a8e81 e17a4711 e10ae231

0: kd> db e10ae259
e10ae259 00 24 00 76 6b 10 00 a0-03 00 00 20 a0 05 00 03 .$.vk...... ....
e10ae269 00 00 00 01 00 b2 b2 57-6f 72 64 70 61 64 20 44 .......Wordpad D
e10ae279 6f 63 75 6d 65 6e 74 06-04 02 00 4f 62 53 71 a9 ocument....ObSq.
e10ae289 e5 87 e1 79 68 98 e1 02-04 0f 0c 43 4d 56 49 70 ...yh......CMVIp
e10ae299 9b 06 00 91 22 88 e1 79-82 73 e1 51 ee 7b e1 a1 ...."..y.s.Q.{..
e10ae2a9 5e 9a e1 a9 c0 06 e1 b9-e5 87 e1 f9 7a 41 e1 81 ^...........zA..
e10ae2b9 67 83 e1 a1 13 79 e1 b9-bb 96 e1 79 c1 06 e1 a9 g....y.....y....
e10ae2c9 c8 77 e1 11 c5 2b e1 69-13 79 e1 b1 2e 88 e1 a1 .w...+.i.y......
0: kd> db e19efc39
e19efc39 00 24 00 76 6b 0c 00 a0-03 00 00 98 a7 05 00 03 .$.vk...........
e19efc49 00 00 00 01 00 b2 b2 42-69 74 6d 61 70 20 49 6d .......Bitmap Im
e19efc59 61 67 65 b2 b2 b2 b2 00-00 00 00 00 00 00 00 00 age.............
e19efc69 00 00 00 00 00 42 00 69-00 74 00 6d 00 61 00 70 .....B.i.t.m.a.p
e19efc79 00 20 00 49 00 6d 00 61-00 67 00 65 00 00 00 00 . .I.m.a.g.e....
e19efc89 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e19efc99 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e19efca9 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> db e19d0809
e19d0809 00 24 00 76 6b 09 00 a0-03 00 00 88 9b 05 00 03 .$.vk...........
e19d0819 00 00 00 01 00 b2 b2 42-72 69 65 66 63 61 73 65 .......Briefcase
e19d0829 b2 b2 b2 b2 b2 b2 b2 00-00 00 00 00 00 00 00 00 ................
e19d0839 00 00 00 00 00 42 00 72-00 69 00 65 00 66 00 63 .....B.r.i.e.f.c
e19d0849 00 61 00 73 00 65 00 00-00 00 00 00 00 00 00 00 .a.s.e..........
e19d0859 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e19d0869 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
e19d0879 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0: kd> db e116ace9
e116ace9 00 2c 00 76 6b 12 00 a0-03 00 00 c8 a3 05 00 03 .,.vk...........
e116acf9 00 00 00 01 00 b2 b2 52-69 63 68 20 54 65 78 74 .......Rich Text
e116ad09 20 44 6f 63 75 6d 65 6e-74 b2 b2 b2 b2 b2 b2 07 Document.......
e116ad19 06 12 0c 47 6c 61 40 78-00 00 00 a8 f2 82 e1 10 ...Gla@x........
e116ad29 bc 96 e1 70 7c 09 e1 8e-02 10 71 00 00 00 00 00 ...p|.....q.....
e116ad39 00 00 80 00 00 00 00 07-00 00 00 00 00 00 00 00 ................
e116ad49 00 00 00 14 00 00 80 25-03 00 00 58 0e 90 00 00 .......%...X....
e116ad59 00 00 00 ff ff ff 00 00-00 00 00 00 00 00 00 01 ................
0: kd> db e16c5b21
e16c5b21 00 24 00 76 6b 0d 00 a0-03 00 00 20 b0 05 00 03 .$.vk...... ....
e16c5b31 00 00 00 01 00 b2 b2 54-65 78 74 20 44 6f 63 75 .......Text Docu
e16c5b41 6d 65 6e 74 b2 b2 b2 06-08 02 00 43 4d 4e e2 a1 ment.......CMN..
e16c5b51 64 18 e1 71 4d 16 e1 02-08 06 0c 43 4d 56 61 00 d..qM......CMVa.
e16c5b61 00 24 00 76 6b 0c 00 1e-00 00 00 58 33 00 00 01 .$.vk......X3...
e16c5b71 00 00 00 01 00 b2 b2 43-6f 6e 74 65 6e 74 20 54 .......Content T
e16c5b81 79 70 65 b2 b2 b2 b2 06-08 07 1c 43 4d 70 62 01 ype........CMpb.
e16c5b91 00 00 00 34 8f 49 e1 54-4e 9c e1 74 43 86 e1 7c ...4.I.TN..tC..|
0: kd> db e19a8e81
e19a8e81 00 34 00 76 6b 1a 00 a0-03 00 00 50 a9 06 00 03 .4.vk......P....
e19a8e91 00 00 00 01 00 b2 b2 43-6f 6d 70 72 65 73 73 65 .......Compresse
e19a8ea1 64 20 28 7a 69 70 70 65-64 29 20 46 6f 6c 64 65 d (zipped) Folde
e19a8eb1 72 b2 b2 b2 b2 b2 b2 08-04 08 04 43 4d 4e e2 20 r..........CMN.
e19a8ec1 62 7b e1 3f 9a ce 0f 84-41 61 e1 26 00 7b 36 35 b{.?....Aa.&.{65
e19a8ed1 34 33 39 43 32 30 2d 36-30 34 46 2d 34 39 43 41 439C20-604F-49CA
e19a8ee1 2d 41 41 38 32 2d 44 43-30 31 41 31 30 41 46 31 -AA82-DC01A10AF1
e19a8ef1 37 31 7d 15 00 00 00 08-04 01 00 4f 62 4e 6d 01 71}........ObNm.
0: kd> db e17a4711
e17a4711 00 24 00 76 6b 0a 00 18-00 00 00 f8 ac 05 00 03 .$.vk...........
e17a4721 00 00 00 01 00 b2 b2 7e-72 65 73 65 72 76 65 64 .......~reserved
e17a4731 7e b2 b2 b2 b2 b2 b2 18-00 00 00 01 00 01 00 e9 ~...............
e17a4741 07 01 00 03 00 0f 00 0d-00 28 00 0a 00 0d 03 09 .........(......
e17a4751 06 01 00 4e 74 66 63 01-06 05 0c 43 4d 56 61 00 ...Ntfc....CMVa.
e17a4761 00 1c 00 76 6b 07 00 18-00 00 00 80 68 01 00 01 ...vk.......h...
e17a4771 00 00 00 01 00 b2 b2 49-6e 66 50 61 74 68 b2 05 .......InfPath..
e17a4781 06 06 0c 43 4d 56 61 00-00 24 00 76 6b 0e 00 08 ...CMVa..$.vk...
0: kd> db e10ae231
e10ae231 00 1c 00 76 6b 08 00 04-00 00 80 09 04 00 00 04 ...vk...........
e10ae241 00 00 00 01 00 b2 b2 4c-61 6e 67 75 61 67 65 05 .......Language.
e10ae251 04 06 0c 43 4d 56 61 00-00 24 00 76 6b 10 00 a0 ...CMVa..$.vk...
e10ae261 03 00 00 20 a0 05 00 03-00 00 00 01 00 b2 b2 57 ... ...........W
e10ae271 6f 72 64 70 61 64 20 44-6f 63 75 6d 65 6e 74 06 ordpad Document.
e10ae281 04 02 00 4f 62 53 71 a9-e5 87 e1 79 68 98 e1 02 ...ObSq....yh...
e10ae291 04 0f 0c 43 4d 56 49 70-9b 06 00 91 22 88 e1 79 ...CMVIp...."..y
e10ae2a1 82 73 e1 51 ee 7b e1 a1-5e 9a e1 a9 c0 06 e1 b9 .s.Q.{..^.......