WinDbg script practice 2: monitoring the creation and deletion of specific registry values
Setting breakpoints at the level of the kernel's Cm*Key functions (here CmSetValueKey and CmDeleteValueKey), combined with the bp /t (/p) options, lets you monitor a specified thread or process for the creation and deletion of specified registry values.
$$*****************************************************************
$$ Script by kms_hhl to monitor regvalue delete set
$$ Create Time 2014_11
$$ Execute by
$$><D:\BaiduYunTongBu\百度云同步盘\windbg_sc\6sc_regvalue_monitor_x32.txt
$$*****************************************************************

$$ x86 stdcall: on entry @esp holds the return address and @esp+4 the first argument.
$$ CmDeleteValueKey takes the value name as a UNICODE_STRING passed by value, so its
$$ Buffer field (offset 4) sits at @esp+8+4.
bp nt!CmDeleteValueKey "
r @$t0=0
r @$t0=poi(@esp+8+4)
as /mu $regdelvalue @$t0
.block
{
    .if ($sicmp(\"${$regdelvalue}\", \"type\") == 0)
    {
        .echo found the pattern
        .echo $regdelvalue
        ad *
    }
    .else
    {
        .echo not found the pattern
        .echo $regdelvalue
        ad *
        gc
    }
}"

$$ CmSetValueKey takes a pointer to the UNICODE_STRING, so dereference @esp+8 first
$$ and then read Buffer at offset 4. $spat does a wildcard match instead of an exact compare.
bp nt!CmSetValueKey "
r @$t1=0
r @$t1=poi(poi(@esp+8)+4)
as /mu $regsetvalue @$t1
.block
{
    .if ($spat(\"${$regsetvalue}\", \"*start*\"))
    {
        .echo found the pattern
        .echo $regsetvalue
        ad *
    }
    .else
    {
        .echo not found the pattern
        .echo $regsetvalue
        ad *
        gc
    }
}"
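As an added example that is not part of the original script, the same two breakpoints scoped to a single process with bp /p, as the sentence above describes. <EPROCESS> is a placeholder for the process object address that "!process 0 0 <image name>" prints, and the stack offsets are the x86 ones used above.

```windbg
$$ Added example, not from the original script: process-scoped variant.
$$ <EPROCESS> is a placeholder; take the real address from "!process 0 0 <image name>".
$$ Load with $$>< so that line breaks become semicolons, as for the original file.

$$ Report only value deletions performed by the watched process
bp /p <EPROCESS> nt!CmDeleteValueKey "
r @$t0=poi(@esp+8+4)
as /mu $regdelvalue @$t0
.block
{
    .echo [watched process] delete value:
    .echo $regdelvalue
    ad *
    gc
}"

$$ Report only value creations/updates performed by the watched process
bp /p <EPROCESS> nt!CmSetValueKey "
r @$t1=poi(poi(@esp+8)+4)
as /mu $regsetvalue @$t1
.block
{
    .echo [watched process] set value:
    .echo $regsetvalue
    ad *
    gc
}"
```

bp /t <ETHREAD> restricts the breakpoint to one thread in the same way, with the thread object address taken from !thread or !process output.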