BREAK_ON_OPEN
or when creating a subkey as part of such a key.
BREAK_ON_OPEN
flag, and therefore this flag could be set on the key only by editing the registry BREAK_ON_OPEN
file in the HEX editor.
Flag | Value | Note |
---|---|---|
BREAK_ON_OPEN | 0x01 | Opening the key |
BREAK_ON_DELETE | 0x02 | Key removal |
BREAK_ON_SECURITY_CHANGE | 0x04 | Security descriptor change |
BREAK_ON_CREATE_SUBKEY | 0x08 | Creating a subkey |
BREAK_ON_DELETE_SUBKEY | 0x10 | Removing a subkey |
BREAK_ON_SET_VALUE | 0x20 | Setting value |
BREAK_ON_DELETE_VALUE | 0x40 | Delete value |
BREAK_ON_KEY_VIRTUALIZE | 0x80 | Key virtualization |
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
”, where the information about mounted volumes is stored, and to determine the Windows component that writes data there. To do this, mark the specified key with the BREAK_ON_SET_VALUE
debug flag, BREAK_ON_SET_VALUE
on the breakpoints, change the value of the CmpRegDebugBreakEnabled variable to one, and format the test disk, which we then mount.
# Child-SP RetAddr Call Site 00 ffffd000`79b851a0 fffff803`7ccf88fa nt!CmSetValueKey+0x158 01 ffffd000`79b852b0 fffff803`7c69eac3 nt!NtSetValueKey+0x73e 02 ffffd000`79b85470 fffff803`7c697e40 nt!KiSystemServiceCopyEnd+0x13 03 ffffd000`79b85678 fffff803`7d08f11e nt!KiServiceLinkage 04 ffffd000`79b85680 fffff801`46d6fcaa nt!RtlWriteRegistryValue+0x9e 05 ffffd000`79b856f0 fffff801`46d6b58c mountmgr+0xecaa 06 ffffd000`79b85820 fffff803`7cd9cd78 mountmgr+0xa58c 07 ffffd000`79b85850 fffff803`7cd9bdd5 nt!PnpNotifyDriverCallback+0x1b8 08 ffffd000`79b85900 fffff803`7cdd6755 nt!PnpNotifyDeviceClassChange+0x2f9 09 ffffd000`79b859d0 fffff803`7c66dcb7 nt!PnpDeviceEventWorker+0x4c1 0a ffffd000`79b85b50 fffff803`7c5e7071 nt!ExpWorkerThread+0x177 0b ffffd000`79b85be0 fffff803`7c699836 nt!PspSystemThreadStartup+0x23d 0c ffffd000`79b85c60 00000000`00000000 nt!KiStartSystemThread+0x16
fffff801`46d6fca4 ff15fe44ffff call qword ptr [mountmgr+0x31a8 (fffff801`46d641a8)] // nt!RtlWriteRegistryValue fffff801`46d6fcaa 488d55b7 lea rdx,[rbp-49h]
Source: https://habr.com/ru/post/321288/