x64dbg自带的注册外壳的程序是咋写的？

冥界3大法王 · 发表于 2022-7-4 08:13

我说的是： x96dbg.exe

用RegShot分析了下，注册表键值内容如下：

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dd32\DefaultIcon]
@="C:\\x64dbg_Compile_1\\bin\\x32\\x32dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dd64\DefaultIcon]
@="C:\\x64dbg_Compile_1\\bin\\x64\\x64dbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg]
"Icon"="\"C:\\x64dbg_Compile_1\\bin\\x96dbg.exe\",0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg\Command]
@=hex(2):22,00,43,00,3a,00,5c,00,78,00,36,00,34,00,64,00,62,00,67,00,5f,00,43,\
00,6f,00,6d,00,70,00,69,00,6c,00,65,00,5f,00,31,00,5c,00,62,00,69,00,6e,00,\
5c,00,78,00,39,00,36,00,64,00,62,00,67,00,2e,00,65,00,78,00,65,00,22,00,20,\
00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg]
"Icon"="\"C:\\x64dbg_Compile_1\\bin\\x96dbg.exe\",0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command]
@=hex(2):22,00,43,00,3a,00,5c,00,78,00,36,00,34,00,64,00,62,00,67,00,5f,00,43,\
00,6f,00,6d,00,70,00,69,00,6c,00,65,00,5f,00,31,00,5c,00,62,00,69,00,6e,00,\
5c,00,78,00,39,00,36,00,64,00,62,00,67,00,2e,00,65,00,78,00,65,00,22,00,20,\
00,22,00,25,00,31,00,22,00,00,00
@=hex(2):22,00,43,00,3a,00,5c,00,47,00,6f,00,75,00,43,00,68,00,75,00,53,00,68,\
00,65,00,6e,00,67,00,31,00,5c,00,62,00,69,00,6e,00,5c,00,78,00,39,00,36,00,\
64,00,62,00,67,00,2e,00,65,00,78,00,65,00,22,00,20,00,22,00,25,00,31,00,22,\
00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter"=dword:0000008b
"GlobalAssocChangedCounter"=dword:0000008c

本身还会创建一个INI

[Launcher]
x32dbg=C:\GouChuSheng1\bin\x32\x32dbg.exe
x64dbg=C:\GouChuSheng1\bin\x64\x64dbg.exe

因为虚拟机里有几份，所以路径有点乱。
凑合看吧。
就差资源管理器右击扩展的那个不太会写到自家的程序里了！

求实现思路。

hackerbob · 发表于 2022-7-4 08:36

你说的是右键菜单吗

冥界3大法王 · 发表于 2022-7-4 08:41

hackerbob 发表于 2022-7-4 08:36
你说的是右键菜单吗

@hackerbob
没错，比如在某个 EXE上面右击，
选择用x96dbg打开，
就会自动选择是x32dbg or x64dbg打开调试了。

塞北的雪 · 发表于 2022-7-4 09:03

一般这种都是用regsvr32 注册一个dll就自动导入相关注册表吧，比如emeditor就是这样的逻辑

或者简单的，往注册表写下面这个就可以了

[JavaScript] 纯文本查看 复制代码

[HKEY_CLASSES_ROOT\exefile\shell\测试\command]
@="calc.exe"

冥界3大法王 · 发表于 2022-7-4 09:29

塞北的雪发表于 2022-7-4 09:03
一般这种都是用regsvr32 注册一个dll就自动导入相关注册表吧，比如emeditor就是这样的逻辑

或者简单的， ...

@塞北的雪
我明白的你的意思，类似注册表键值如下这种：
"C:\x64dbg_Compile_1\bin\x96dbg.exe" "%1"
路径改成自己的程序果然能调用出来。

[Asm] 纯文本查看 复制代码

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg] 
"Icon"="\"X:\\0.自创工具for delphi10.4.1\\34.x96dbg外壳工具\\Win32\\Release\\Project5.exe\",0" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg] 
"Icon"="\"X:\\0.自创工具for delphi10.4.1\\34.x96dbg外壳工具\\Win32\\Release\\Project5.exe\",0" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Debug with x64dbg\Command] 
@=hex(2):22,00,58,00,3a,00,5c,00,30,00,2e,00,ea,81,1b,52,e5,5d,77,51,66,00,6f,\
  00,72,00,20,00,64,00,65,00,6c,00,70,00,68,00,69,00,31,00,30,00,2e,00,34,00,\
  2e,00,31,00,5c,00,33,00,34,00,2e,00,78,00,39,00,36,00,64,00,62,00,67,00,16,\
  59,f3,58,e5,5d,77,51,5c,00,57,00,69,00,6e,00,33,00,32,00,5c,00,52,00,65,00,\
  6c,00,65,00,61,00,73,00,65,00,5c,00,50,00,72,00,6f,00,6a,00,65,00,63,00,74,\
  00,35,00,2e,00,65,00,78,00,65,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\dllfile\shell\Debug with x64dbg\Command] 
@=hex(2):22,00,58,00,3a,00,5c,00,30,00,2e,00,ea,81,1b,52,e5,5d,77,51,66,00,6f,\
  00,72,00,20,00,64,00,65,00,6c,00,70,00,68,00,69,00,31,00,30,00,2e,00,34,00,\
  2e,00,31,00,5c,00,33,00,34,00,2e,00,78,00,39,00,36,00,64,00,62,00,67,00,16,\
  59,f3,58,e5,5d,77,51,5c,00,57,00,69,00,6e,00,33,00,32,00,5c,00,52,00,65,00,\
  6c,00,65,00,61,00,73,00,65,00,5c,00,50,00,72,00,6f,00,6a,00,65,00,63,00,74,\
  00,35,00,2e,00,65,00,78,00,65,00,22,00,20,00,22,00,25,00,31,00,22,00,00,00

冥界3大法王 · 发表于 2022-7-4 09:36

资源管理器右击调试exe ,dll的调出来了，但是没把x32dbg or x64dbg 给调出来。

塞北的雪 · 发表于 2022-7-4 09:57

先调用一个启动器Loader，然后启动器再根据环境或配置启动不同的程序

冥界3大法王 · 发表于 2022-7-4 10:00

塞北的雪发表于 2022-7-4 09:57
先调用一个启动器Loader，然后启动器再根据环境或配置启动不同的程序

问得不就是启动器的实现代码啊。

塞北的雪 · 发表于 2022-7-4 15:11

if %PROCESSOR_ARCHITECTURE%==AMD64 (start C:\Windows\System32\calc.exe) else (start C:\Windows\System32\notepad.exe)

爱飞的猫 · 发表于 2022-7-9 06:30

冥界3大法王发表于 2022-7-4 10:00
问得不就是启动器的实现代码啊。

https://github.com/x64dbg/x64dbg ... g_launcher.cpp#L550
有没有一种可能这玩意是开源的

帐号		自动登录	找回密码
密码			注册[Register]

[求助] x64dbg自带的注册外壳的程序是咋写的？

点评