HHIVE Hive (0xb2232008) ULONG Signature = 0 PGET_CELL_ROUTINE GetCellRoutine = 0x00000000 PRELEASE_CELL_ROUTINE ReleaseCellRoutine = 0x00000000 PALLOCATE_ROUTINE Allocate = 0x8082f6c6 PFREE_ROUTINE Free = 0x8082f6f3 PFILE_READ_ROUTINE FileRead = 0x80822f70b [sic: nine hex digits cannot be a 32-bit pointer; the neighbouring routine addresses (0x8082f6f3 / 0x8082f77d) suggest this was 0x8082f70b] PFILE_WRITE_ROUTINE FileWrite = 0x8082f77d PFILE_SET_SIZE_ROUTINE FileSetSize = 0x8082f7ef PFILE_FLUSH_ROUTINE FileFlush = 0x8082f888 PHBASE_BLOCK BaseBlock = 0xb2220000 RTL_BITMAP ULONG DirtyVector.SizeOfBitMap = 352 RTL_BITMAP PULONG DirtyVector.Buffer = 0xe108cfb0 ULONG DirtyCount = 220 ULONG DirtyAlloc = 0 ULONG BaseBlockAlloc = 0 ULONG Cluster = 1 BOOLEAN Flat = 0 BOOLEAN ReadOnly = 0 BOOLEAN Log = 0 BOOLEAN DirtyFlag = 0 ULONG HvBinHeadersUse = 0 ULONG HvFreeCellsUse = 0 ULONG HvUsedcellsUse = 0 ULONG CmUsedCellsUse = 0 ULONG HiveFlags = 0 ULONG LogSize = 0 ULONG RefreshCount = 0 ULONG StorageTypeCount = 2 ULONG Version = 3 DUAL ULONG Storage[0].Length = 329 DUAL PHMAP_DIRECTORY Storage[0].Map = 0x00000000 DUAL PHMAP_ENTRY Storage[0].BlockList = 0xb221e000 DUAL ULONG Storage[0].Guard = 0 DUAL HCELL_INDEX Storage[0].FreeDisplay[24] = [20] = 0x00013cc0, [22] = 0x00148c70, Rest = 0xffffffff DUAL ULONG Storage[0].FreeSummary = 0 DUAL LIST_ENTRY PLIST_ENTRY Storage[0].FreeBins.Flink = 0x00000000 DUAL LIST_ENTRY PLIST_ENTRY Storage[0].FreeBins.Blink = 0x00000000 DUAL ULONG Storage[1].Length = 27 DUAL PHMAP_DIRECTORY Storage[1].Map = 0x00000000 DUAL PHMAP_ENTRY Storage[1].BlockList = 0xe1ae9950 DUAL ULONG Storage[1].Guard = 0 DUAL HCELL_INDEX Storage[1].FreeDisplay[24] = [3] = 0x80018fe0, [5] = 0x8000dfd0, [9] = 0x80003fb0, [23] = 0x8001a820, Rest = 0xffffffff DUAL ULONG Storage[1].FreeSummary = 0 DUAL LIST_ENTRY PLIST_ENTRY Storage[1].FreeBins.Flink = 0x00000000 DUAL LIST_ENTRY PLIST_ENTRY Storage[1].FreeBins.Blink = 0x00000000 CM_KEY_INDEX Parent (0xe149c1e4) WORD Signature = "ri" WORD Count = 2 ULONG List[0] = 0x8000c020 ULONG List[1] = 0x8001a020 
---------------------------------------------------------------------------------------------------------------- -------- 0x8000c020 -------- (Parent List[0]) HMAP_ENTRY 0x8000c020 = 0xe1ae9950[0x0c] (0xe1ae9a10) ULONG BlockAddress = 0xe1ab2000 ULONG BinAddress = 0xe1ab2000 PCM_VIEW_OF_FILE CmView = 0x0020006b ULONG MemAlloc = 0x0061004c CM_KEY_INDEX 0x8000c020 = 0xe1ae9950[0x0c].BlockAddress + CellOffset(0x020) + 4 (0xe1ab2024) WORD Signature = "li" WORD Count = 506 ULONG List[0] = 0x80000180 ULONG List[1] = 0x80019860 ULONG List[2] = 0x80019800 ... ULONG List[503] = 0x8000b920 ULONG List[504] = 0x8000b8c0 ULONG List[505] = 0x8000b860 ... (ULONG List[506] = 0x8000b800 -> split off old data) (ULONG List[507] = 0x8000b7a0 -> split off old data) (ULONG List[508] = 0x8000b740 -> split off old data) ---------------------------- -------- 0x8000b860 -------- (List[505]) HMAP_ENTRY 0x8000b860 = 0xe1ae9950[0x0b] (0xe1ae9a00) ULONG BlockAddress = 0xe1ab1000 ULONG BinAddress = 0xe1ab1000 PCM_VIEW_OF_FILE CmView = 0x00000000 ULONG MemAlloc = 0x00000000 CM_KEY_NODE 0x8000b860 = 0xe1ae9950[0x0b].BlockAddress + CellOffset(0x860) + 4 (0xe1ab1864) WORD Signature = "nk" WORD Flags = 0x21 LARGE_INTEGER LastWriteTime = 0x01cfcbbad1697d80 = 130546917454740864 = unixtime 1410218145.4740864 = Sep 9 01:15:45 CEST 2014 ULONG Spare = 0 ULONG Parent = 0x80000110 ULONG SubKeyCounts[0] = 0 ULONG SubKeyCounts[1] = 0 ULONG SubKeyLists[0] = 0xffffffff ULONG SubKeyLists[1] = 0xffffffff CHILD_LIST ULONG ValueList.Count = 0 CHILD_LIST ULONG ValueList.List = 0xffffffff CM_KEY_REFERENCE ULONG ChildHiveReference.KeyCell = 0xffffffff CM_KEY_REFERENCE PHHIVE ChildHiveReference.KeyHive = 0xffffffff ULONG Security = 0xffffffff ULONG Class = 0xffffffff ULONG MaxNameLen:16 = 0 ULONG UserFlags:4 = 0 ULONG VirtControlFlags:4 = 0 ULONG Debug:8 = 0 ULONG MaxClassLen = 0 ULONG MaxValueNameLen = 0 ULONG MaxValueDataLen = 0 ULONG WorkVar = 0 WORD NameLength = 9 WORD ClassLength = 0 WCHAR Name[0-8] = "Child0508" 
---------------------------- ---------------------------------------------------------------------------------------------------------------- -------- 0x8001a020 -------- HMAP_ENTRY 0x8001a020 = 0xe1ae9950[0x1a] (0xe1ae9af0) ULONG BlockAddress = 0xe1aeb000 ULONG BinAddress = 0xe1aeb000 PCM_VIEW_OF_FILE CmView = 0x00000000 ULONG MemAlloc = 0x00000000 CM_KEY_INDEX 0x8001a020 = 0xe1ae9950[0x1a].BlockAddress + CellOffset(0x020) + 4 (0xe1aeb024) WORD Signature = "li" WORD Count = 508 ULONG List[0] = 0x8000b800 ULONG List[1] = 0x800198c0 ULONG List[2] = 0x8000b7a0 ... ULONG List[505] = 0x800002d0 ULONG List[506] = 0x80000270 ULONG List[507] = 0x800001f0 ---------------------------- -------- 0x8000b800 -------- (List[0]) HMAP_ENTRY 0x8000b800 = 0xe1ae9950[0x0b] (0xe1ae9a00) ULONG BlockAddress = 0xe1ab1000 ULONG BinAddress = 0xe1ab1000 PCM_VIEW_OF_FILE CmView = 0x00000000 ULONG MemAlloc = 0x00000000 CM_KEY_NODE 0x8000b800 = 0xe1ae9950[0x0b].BlockAddress + CellOffset(0x800) + 4 (0xe1ab1804) WORD Signature = "nk" WORD Flags = 0x21 LARGE_INTEGER LastWriteTime = 0x01cfcbbad1697d80 = 130546917454740864 = unixtime 1410218145.4740864 = Sep 9 01:15:45 CEST 2014 ULONG Spare = 0 ULONG Parent = 0x80000110 ULONG SubKeyCounts[0] = 0 ULONG SubKeyCounts[1] = 0 ULONG SubKeyLists[0] = 0xffffffff ULONG SubKeyLists[1] = 0xffffffff CHILD_LIST ULONG ValueList.Count = 0 CHILD_LIST ULONG ValueList.List = 0xffffffff CM_KEY_REFERENCE ULONG ChildHiveReference.KeyCell = 0xffffffff CM_KEY_REFERENCE PHHIVE ChildHiveReference.KeyHive = 0xffffffff ULONG Security = 0xffffffff ULONG Class = 0xffffffff ULONG MaxNameLen:16 = 0 ULONG UserFlags:4 = 0 ULONG VirtControlFlags:4 = 0 ULONG Debug:8 = 0 ULONG MaxClassLen = 0 ULONG MaxValueNameLen = 0 ULONG MaxValueDataLen = 0 ULONG WorkVar = 0 WORD NameLength = 9 WORD ClassLength = 0 WCHAR Name[0-8] = "Child0507" ---------------------------- -------- 0x800198c0 -------- (List[1]) HMAP_ENTRY 0x800198c0 = 0xe1ae9950[0x19] (0xe1ae9ae0) ULONG BlockAddress = 0xe1ae8000 
ULONG BinAddress = 0xe1ae8000 PCM_VIEW_OF_FILE CmView = 0x00000000 ULONG MemAlloc = 0x00000000 CM_KEY_NODE 0x800198c0 = 0xe1ae9950[0x19].BlockAddress + CellOffset(0x8c0) + 4 (0xe1ae88c4) WORD Signature = "nk" WORD Flags = 0x21 LARGE_INTEGER LastWriteTime = 0x01cfcbbad174ee40 = 130546917455490624 = unixtime 1410218145.5490624 = Sep 9 01:15:45 CEST 2014 ULONG Spare = 0 ULONG Parent = 0x80000110 ULONG SubKeyCounts[0] = 0 ULONG SubKeyCounts[1] = 0 ULONG SubKeyLists[0] = 0xffffffff ULONG SubKeyLists[1] = 0xffffffff CHILD_LIST ULONG ValueList.Count = 0 CHILD_LIST ULONG ValueList.List = 0xffffffff CM_KEY_REFERENCE ULONG ChildHiveReference.KeyCell = 0xffffffff CM_KEY_REFERENCE PHHIVE ChildHiveReference.KeyHive = 0xffffffff ULONG Security = 0xffffffff ULONG Class = 0xffffffff ULONG MaxNameLen:16 = 0 ULONG UserFlags:4 = 0 ULONG VirtControlFlags:4 = 0 ULONG Debug:8 = 0 ULONG MaxClassLen = 0 ULONG MaxValueNameLen = 0 ULONG MaxValueDataLen = 0 ULONG WorkVar = 0 WORD NameLength = 9 WORD ClassLength = 0 WCHAR Name[0-8] = "Child1013" ---------------------------- -------- 0x8000b7a0 -------- (List[2]) HMAP_ENTRY 0x8000b7a0 = 0xe1ae9950[0x0b] (0xe1ae9a00) ULONG BlockAddress = 0xe1ab1000 ULONG BinAddress = 0xe1ab1000 PCM_VIEW_OF_FILE CmView = 0x00000000 ULONG MemAlloc = 0x00000000 CM_KEY_NODE 0x8000b7a0 = 0xe1ae9950[0x0b].BlockAddress + CellOffset(0x7a0) + 4 (0xe1ab17a4) WORD Signature = "nk" WORD Flags = 0x21 LARGE_INTEGER LastWriteTime = 0x01cfcbbad1697d80 = 130546917454740864 = unixtime 1410218145.4740864 = Sep 9 01:15:45 CEST 2014 ULONG Spare = 0 ULONG Parent = 0x80000110 ULONG SubKeyCounts[0] = 0 ULONG SubKeyCounts[1] = 0 ULONG SubKeyLists[0] = 0xffffffff ULONG SubKeyLists[1] = 0xffffffff CHILD_LIST ULONG ValueList.Count = 0 CHILD_LIST ULONG ValueList.List = 0xffffffff CM_KEY_REFERENCE ULONG ChildHiveReference.KeyCell = 0xffffffff CM_KEY_REFERENCE PHHIVE ChildHiveReference.KeyHive = 0xffffffff ULONG Security = 0xffffffff ULONG Class = 0xffffffff ULONG MaxNameLen:16 = 0 ULONG 
UserFlags:4 = 0 ULONG VirtControlFlags:4 = 0 ULONG Debug:8 = 0 ULONG MaxClassLen = 0 ULONG MaxValueNameLen = 0 ULONG MaxValueDataLen = 0 ULONG WorkVar = 0 WORD NameLength = 9 WORD ClassLength = 0 WCHAR Name[0-8] = "Child0506" ---------------------------- -------- 0x800001f0 -------- (List[507]) HMAP_ENTRY 0x800001f0 = 0xe1ae9950[0x00] (0xe1ae9950) ULONG BlockAddress = 0xe149c000 ULONG BinAddress = 0xe149c000 PCM_VIEW_OF_FILE CmView = 0x00000400 ULONG MemAlloc = 0x000002e4 CM_KEY_NODE 0x800001f0 = 0xe1ae9950[0x00].BlockAddress + CellOffset(0x1f0) + 4 (0xe149c1f4) WORD Signature = "nk" WORD Flags = 0x21 LARGE_INTEGER LastWriteTime = 0x01cfcbbad1605680 = 130546917454141056 = unixtime 1410218145.4141056 = Sep 9 01:15:45 CEST 2014 ULONG Spare = 0 ULONG Parent = 0x80000110 ULONG SubKeyCounts[0] = 0 ULONG SubKeyCounts[1] = 0 ULONG SubKeyLists[0] = 0xffffffff ULONG SubKeyLists[1] = 0xffffffff CHILD_LIST ULONG ValueList.Count = 0 CHILD_LIST ULONG ValueList.List = 0xffffffff CM_KEY_REFERENCE ULONG ChildHiveReference.KeyCell = 0xffffffff CM_KEY_REFERENCE PHHIVE ChildHiveReference.KeyHive = 0xffffffff ULONG Security = 0xffffffff ULONG Class = 0xffffffff ULONG MaxNameLen:16 = 0 ULONG UserFlags:4 = 0 ULONG VirtControlFlags:4 = 0 ULONG Debug:8 = 0 ULONG MaxClassLen = 0 ULONG MaxValueNameLen = 0 ULONG MaxValueDataLen = 0 ULONG WorkVar = 0 WORD NameLength = 9 WORD ClassLength = 0 WCHAR Name[0-8] = "Child0001" ---------------------------- ---------------------------------------------------------------------------------------------------------------- -------- 0x80000110 -------- (Parent) HMAP_ENTRY 0x80000110 = 0xe1ae9950[0x00] (0xe1ae9950) ULONG BlockAddress = 0xe149c000 ULONG BinAddress = 0xe149c000 PCM_VIEW_OF_FILE CmView = 0x00000400 ULONG MemAlloc = 0x000002e4 CM_KEY_NODE 0x80000110 = 0xe1ae9950[0x00].BlockAddress + CellOffset(0x110) + 4 (0xe149c114) WORD Signature = "nk" WORD Flags = 0x21 LARGE_INTEGER LastWriteTime = 0x01cfcbbad1773800 = 130546917455640576 = unixtime 
1410218145.5640576 = Sep 9 01:15:45 CEST 2014 ULONG Spare = 0 ULONG Parent = 0x00000070 ULONG SubKeyCounts[0] = 0 ULONG SubKeyCounts[1] = 1014 ULONG SubKeyLists[0] = 0xffffffff ULONG SubKeyLists[1] = 0x800001e0 CHILD_LIST ULONG ValueList.Count = 0 CHILD_LIST ULONG ValueList.List = 0xffffffff CM_KEY_REFERENCE ULONG ChildHiveReference.KeyCell = 0xffffffff CM_KEY_REFERENCE PHHIVE ChildHiveReference.KeyHive = 0x800001e0 ULONG Security = 0xffffffff ULONG Class = 0xffffffff ULONG MaxNameLen:16 = 18 ULONG UserFlags:4 = 0 ULONG VirtControlFlags:4 = 0 ULONG Debug:8 = 0 ULONG MaxClassLen = 0 ULONG MaxValueNameLen = 0 ULONG MaxValueDataLen = 0 ULONG WorkVar = 0 WORD NameLength = 8 WORD ClassLength = 0 WCHAR Name[0-7] = "RosTests" ---------------------------- -------- 0x800001e0 -------- (Parent SubKeyLists[1]) HMAP_ENTRY 0x800001e0 = 0xe1ae9950[0x00] (0xe1ae9950) ULONG BlockAddress = 0xe149c000 ULONG BinAddress = 0xe149c000 PCM_VIEW_OF_FILE CmView = 0x00000400 ULONG MemAlloc = 0x000002e4 CM_KEY_INDEX 0x800001e0 = 0xe1ae9950[0x00].BlockAddress + CellOffset(0x1e0) + 4 (0xe149c1e4) (same cell as the "Parent" CM_KEY_INDEX dumped at the top) WORD Signature = "ri" WORD Count = 2 ULONG List[0] = 0x8000c020 ULONG List[1] = 0x8001a020 ---------------------------- Parent -> 2 Items --List[0] (0x8000c020) -> 506 Items ----... ----... ----List[505] (0x8000b860) = "Child0508" --List[1] (0x8001a020) -> 508 Items ----List[0] (0x8000b800) = "Child0507" ----List[1] (0x800198c0) = "Child1013" ----List[2] (0x8000b7a0) = "Child0506" ----... ----... ----List[507] (0x800001f0) = "Child0001"