I am analyzing an executable based on its execution trace. I have obtained the execution trace using NtTrace tool. The output is a sequence of native api calls with arguments. I have managed to interpret most of the API calls except the following ones:
NtQueryKey( KeyHandle=0x46a, KeyInformationClass=7 [KeyHandleTagsInformation], KeyInformation=0x312c4e0, Length=4, ResultLength=0x312c4dc [4] ) => 0
NtDeviceIoControlFile( FileHandle=0xbe4, Event=0xce8, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x124cf2b0 [0/0xffc], IoControlCode=0x00012017, InputBuffer=0x124cf298, InputBufferLength=0x10, OutputBuffer=null, OutputBufferLength=0 ) => 0
In NtQueryKey, how can I map the KeyHandle=0x46a to an actual registry key? Further, in NtDeviceIoControlFile, based on IoControlCode=0x00012017, is it possible to find whether it is a TCP_RECV, TCP_SEND, etc.?
Thank you.
Just look back in the trace to find the point at which that key handle was opened. You may have to repeat this process recursively if the key was opened relative to another key. In the future, I recommend using procmon from sysinternals. The output is much better.
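The look-back the answer describes can be scripted: walk the trace in order, record the full path every time NtOpenKey/NtCreateKey succeeds (joining a relative open onto the already-resolved path of its RootDirectory handle, which does the recursion incrementally), forget the handle on NtClose (handle values get reused, so order matters), and annotate every later call that uses the handle. The script below is an added example, not the answerer's code or NtTrace's own output; the sample trace is constructed, and the way it renders ObjectAttributes as "[<root handle>: \"<name>\"]" is an assumption to check against a real capture. It also splits an IoControlCode into its CTL_CODE() bit fields, which is all the number alone can tell you; which operation a function number denotes is defined by the driver behind the file handle, so the fields still have to be matched against that driver's IOCTL definitions.

```python
import re

# Constructed sample trace in NtTrace's one-call-per-line style (NOT a real capture).
# Assumed rendering of ObjectAttributes: [<RootDirectory handle or null>: "<ObjectName>"].
# Note that 0x46a is closed and then reused by a later NtCreateKey.
SAMPLE_TRACE = """\
NtOpenKey( KeyHandle=0x12f4b8 [0x3a8], DesiredAccess=0x20019, ObjectAttributes=0x12f4c0 [null: "\\Registry\\Machine\\Software"] ) => 0
NtOpenKey( KeyHandle=0x12f4d8 [0x46a], DesiredAccess=0x20019, ObjectAttributes=0x12f4e0 [0x3a8: "Microsoft\\Windows NT\\CurrentVersion"] ) => 0
NtQueryKey( KeyHandle=0x46a, KeyInformationClass=7 [KeyHandleTagsInformation], KeyInformation=0x312c4e0, Length=4, ResultLength=0x312c4dc [4] ) => 0
NtClose( Handle=0x46a ) => 0
NtCreateKey( KeyHandle=0x12f4d8 [0x46a], DesiredAccess=0xf003f, ObjectAttributes=0x12f500 [0x3a8: "Classes"], TitleIndex=0, Class=null, CreateOptions=0, Disposition=0x12f4f8 [1] ) => 0
NtQueryKey( KeyHandle=0x46a, KeyInformationClass=7 [KeyHandleTagsInformation], KeyInformation=0x312c4e0, Length=4, ResultLength=0x312c4dc [4] ) => 0
NtOpenKey( KeyHandle=0x12f4d8 [0x0], DesiredAccess=0x20019, ObjectAttributes=0x12f4e0 [0x3a8: "DoesNotExist"] ) => 0xc0000034
"""

OPEN_RE = re.compile(
    r'^(?:NtOpenKey|NtOpenKeyEx|NtCreateKey)\( KeyHandle=0x[0-9a-fA-F]+ \[(?P<handle>0x[0-9a-fA-F]+)\]'
    r'.*?ObjectAttributes=0x[0-9a-fA-F]+ \[(?P<root>null|0x[0-9a-fA-F]+): "(?P<name>[^"]*)"\]'
    r'.*\) => (?P<status>\S+)$'
)
CLOSE_RE = re.compile(r'^NtClose\( Handle=(?P<handle>0x[0-9a-fA-F]+) \)')
USE_RE = re.compile(
    r'^(?P<api>NtQueryKey|NtQueryValueKey|NtSetValueKey|NtEnumerateKey|NtEnumerateValueKey)'
    r'\( KeyHandle=(?P<handle>0x[0-9a-fA-F]+)'
)


def resolve_key_handles(trace):
    """Return (line_number, api, handle, full_path) for every call that uses a
    key handle. The trace is processed in order so that a handle value reused
    after NtClose resolves to the key it refers to at that point."""
    live = {}   # handle value -> full registry path while the handle is open
    uses = []
    for lineno, line in enumerate(trace.splitlines(), start=1):
        m = OPEN_RE.match(line)
        if m:
            if m.group('status') != '0':
                continue                      # failed open: no handle produced
            root, name = m.group('root'), m.group('name')
            if root == 'null':
                path = name                   # absolute object name
            else:
                # Relative open: the parent's path was resolved when it was opened,
                # so the "recursive" look-back is just one dictionary lookup.
                parent = live.get(root, f'<unresolved {root}>')
                path = parent + '\\' + name
            live[m.group('handle')] = path
            continue
        m = CLOSE_RE.match(line)
        if m:
            live.pop(m.group('handle'), None)
            continue
        m = USE_RE.match(line)
        if m:
            h = m.group('handle')
            uses.append((lineno, m.group('api'), h, live.get(h, f'<unresolved {h}>')))
    return uses


METHODS = {0: 'METHOD_BUFFERED', 1: 'METHOD_IN_DIRECT',
           2: 'METHOD_OUT_DIRECT', 3: 'METHOD_NEITHER'}
ACCESS = {0: 'FILE_ANY_ACCESS', 1: 'FILE_READ_ACCESS',
          2: 'FILE_WRITE_ACCESS', 3: 'FILE_READ_ACCESS|FILE_WRITE_ACCESS'}


def decode_ioctl(code):
    """Split an IoControlCode into the CTL_CODE() fields: device type (bits 16-31),
    required access (bits 14-15), function number (bits 2-13) and transfer
    method (bits 0-1). The meaning of the function number is private to the
    driver that owns the device, so match it against that driver's definitions."""
    return {
        'device_type': (code >> 16) & 0xFFFF,
        'access': ACCESS[(code >> 14) & 0x3],
        'function': (code >> 2) & 0xFFF,
        'method': METHODS[code & 0x3],
    }


if __name__ == '__main__':
    for lineno, api, handle, path in resolve_key_handles(SAMPLE_TRACE):
        print(f'line {lineno}: {api}({handle}) -> {path}')
    print(decode_ioctl(0x00012017))
```

Run against a real NtTrace log by replacing SAMPLE_TRACE with the file contents; if NtTrace prints ObjectAttributes differently from the assumed layout, only OPEN_RE needs adjusting. For the IOCTL, the decoder reports the fields with the method and access names spelled out; the device-specific operation name still comes from the owning driver's header.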