WinDbg Script Practice 2: Monitoring the Creation and Deletion of Specific Registry Values

Setting breakpoints at the CmXxxKey level (the kernel's Cm* registry functions) and combining them with the bp /t (/p) command lets you monitor the creation and deletion of specific registry values by a given thread or process.

$$*****************************************************************
$$ Script by kms_hhl to monitor regvalue delete set
$$ Create Time 2014_11
$$ Execute by $$><D:BaiduYunTongBu百度云同步盘windbg_sc6sc_regvalue_monitor_x32.txt
$$*****************************************************************

$$ CmDeleteValueKey(KCB, UNICODE_STRING ValueName): the UNICODE_STRING is passed
$$ by value, so its Buffer member sits at esp+8+4 and can be read directly.
bp nt!CmDeleteValueKey "
r @$t0=0
r @$t0=poi(@esp+8+4)
as /mu $regdelvalue @$t0
.block
{
        .if ($sicmp(" ${$regdelvalue} ", " type ") == 0)
        {
        .echo found the pattern
        .echo $regdelvalue
        ad *
        }
.else
        {
        .echo not found the pattern
        .echo ' $regdelvalue
        ad *
        gc
        }
}"


$$ CmSetValueKey(KCB, PUNICODE_STRING ValueName, Type, Data, DataSize): ValueName
$$ is a pointer here, so the Buffer member is at poi(esp+8)+4.
bp nt!CmSetValueKey "
r @$t1=0
r @$t1=poi(poi(@esp+8)+4)
as /mu $regsetvalue @$t1
.block
{
    .if ($spat(" ${$regsetvalue} "," *start* "))
        {
        .echo found the pattern
        .echo $regsetvalue
        ad *
        }
.else
        {
        .echo not found the pattern
        .echo ' $regsetvalue
        ad *
        gc
        }
}"
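As an added example (not from the original post), the same two hooks scoped to one process with bp /p, as the text above suggests, and printing the owning key path, the calling image name and the value type and size; it also skips the call when the name buffer is NULL, which would make as /mu fail. It assumes the x86 stack layout of the script above, the WRK-era signatures CmSetValueKey(KCB, PUNICODE_STRING ValueName, Type, Data, DataSize) and CmDeleteValueKey(KCB, UNICODE_STRING ValueName passed by value), and that the first argument is a key control block accepted by !reg kcb.

```windbg
$$ Added example, not the original post's script. Assumed: x86 stack layout,
$$ WRK-era signatures, first argument is a PCM_KEY_CONTROL_BLOCK for !reg kcb.

$$ Only break when the process that is current right now makes the call.
bp /p @$proc nt!CmSetValueKey "
    r @$t1 = poi(poi(@esp+8)+4)
    .if (@$t1 == 0)
    {
        .printf \"CmSetValueKey: NULL value-name buffer, skipping\\n\"
        gc
    }
    .else
    {
        as /mu $regsetvalue @$t1
        .block
        {
            .if ($spat(\" ${$regsetvalue} \", \" *start* \"))
            {
                .printf \"CmSetValueKey: value=%ws type=%d size=%d bytes\\n\", @$t1, poi(@esp+0xc), poi(@esp+0x14)
                dt nt!_EPROCESS @$proc ImageFileName
                !reg kcb poi(@esp+4)
                ad $regsetvalue
            }
            .else
            {
                ad $regsetvalue
                gc
            }
        }
    }
"

$$ UNICODE_STRING by value: Length is the low 16 bits of the dword at esp+8,
$$ Buffer is the dword at esp+0xc (the same offset the original script reads).
bp /p @$proc nt!CmDeleteValueKey "
    r @$t0 = poi(@esp+0xc)
    .if (@$t0 == 0)
    {
        gc
    }
    .else
    {
        .printf \"CmDeleteValueKey: value=%ws (%d bytes)\\n\", @$t0, (poi(@esp+8) & 0xffff)
        dt nt!_EPROCESS @$proc ImageFileName
        !reg kcb poi(@esp+4)
    }
"
```

Run it the same way as the original (`$$>< file`) while the process of interest is current, so @$proc resolves to that process's EPROCESS when the breakpoints are set.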
Original article: https://www.cnblogs.com/kmshhl/p/4116348.html