I am trying to analyze the Windows 7 x64 registry and can't understand some things. I've read that I should find the _CMHIVE structure using the signature "0xBEE0BEE0". I did that and found these structures, but there isn't any file name or something like that in them. However, I have found this name after the signature "regf", but this signature is located far away from _CMHIVE. For example, the physical address of the _CMHIVE structure is 13cd9010 and the physical address of the "regf" signature is 1389a00. Why is that, and which structure should I find in the memory dump to analyze the registry? P.S. Also, I can't find out how to translate the virtual address of a hive to a physical one on x64 (for example, the virtual address of a hive is fffff8a00005e010).
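The two signatures the question mentions can be carved from a raw image and told apart from false hits; the following is an added example (not part of the original post), in Python, that scans for the little-endian 0xBEE0BEE0 marker of an in-memory _CMHIVE and for on-disk-format "regf" base blocks, validating the base block's XOR-32 checksum before trusting the embedded hive path. The image, offsets and hive name are constructed for the demo; the field offsets are those of the standard regf base block (version at 0x14, root cell at 0x24, UTF-16LE file name at 0x30, checksum at 0x1FC).

```python
import struct
from typing import Optional

CMHIVE_SIG = struct.pack("<I", 0xBEE0BEE0)  # appears as bytes e0 be e0 be in the dump
REGF_SIG = b"regf"
REGF_HEADER_LEN = 0x200                     # size of a hive base block


def regf_checksum(header: bytes) -> int:
    """XOR-32 over the first 508 bytes; this is what the base block stores at 0x1FC."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", header[:0x1FC]):
        csum ^= dword
    if csum == 0:            # edge cases defined by the format
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_regf(header: bytes) -> Optional[dict]:
    """Return base-block fields if the checksum validates, else None (random 'regf' bytes)."""
    if len(header) < REGF_HEADER_LEN or header[:4] != REGF_SIG:
        return None
    if struct.unpack_from("<I", header, 0x1FC)[0] != regf_checksum(header):
        return None
    major, minor = struct.unpack_from("<II", header, 0x14)
    root_cell = struct.unpack_from("<I", header, 0x24)[0]
    # file name: up to 32 UTF-16LE code units, zero padded
    name = header[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"major": major, "minor": minor, "root_cell": root_cell, "name": name}


def scan_dump(image: bytes) -> dict:
    """Offsets of every _CMHIVE signature and every checksum-valid regf base block."""
    results = {"cmhive": [], "regf": []}
    pos = image.find(CMHIVE_SIG)
    while pos != -1:
        results["cmhive"].append(pos)
        pos = image.find(CMHIVE_SIG, pos + 1)
    pos = image.find(REGF_SIG)
    while pos != -1:
        parsed = parse_regf(image[pos:pos + REGF_HEADER_LEN])
        if parsed is not None:
            results["regf"].append((pos, parsed))
        pos = image.find(REGF_SIG, pos + 1)
    return results


def build_sample_image() -> bytes:
    """Constructed image: _CMHIVE marker at 0x1000, valid regf at 0x3000, decoy 'regf' at 0x5000."""
    header = bytearray(REGF_HEADER_LEN)
    header[:4] = REGF_SIG
    struct.pack_into("<II", header, 0x04, 1, 1)       # primary/secondary sequence numbers
    struct.pack_into("<II", header, 0x14, 1, 3)       # format version 1.3
    struct.pack_into("<I", header, 0x24, 0x20)        # root cell offset
    name = "\\SystemRoot\\System32\\Config\\SAM".encode("utf-16-le")
    header[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", header, 0x1FC, regf_checksum(bytes(header)))
    image = bytearray(0x6000)
    image[0x1000:0x1004] = CMHIVE_SIG
    image[0x3000:0x3200] = header
    image[0x5000:0x5004] = REGF_SIG                   # no valid checksum: must be rejected
    return bytes(image)
```

Running `scan_dump(build_sample_image())` reports the _CMHIVE marker at 0x1000 and only the checksum-valid base block at 0x3000 with its hive path; translating a hive's kernel virtual address to physical is a separate page-table walk that needs the directory table base and is not covered here.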