I am analyzing an executable based on its execution trace. I have obtained the execution trace using the NtTrace tool. The output is a sequence of native API calls with arguments. I have managed to interpret most of the API calls except the following ones:
NtQueryKey( KeyHandle=0x46a, KeyInformationClass=7 [KeyHandleTagsInformation], KeyInformation=0x312c4e0, Length=4, ResultLength=0x312c4dc [4] ) => 0
NtDeviceIoControlFile( FileHandle=0xbe4, Event=0xce8, ApcRoutine=null, ApcContext=null, IoStatusBlock=0x124cf2b0 [0/0xffc], IoControlCode=0x00012017, InputBuffer=0x124cf298, InputBufferLength=0x10, OutputBuffer=null, OutputBufferLength=0 ) => 0
In NtQueryKey, how can I map the KeyHandle=0x46a to an actual registry key? Further, in NtDeviceIoControlFile, based on IoControlCode=0x00012017, is it possible to find whether it is a TCP_RECV, TCP_SEND, etc.?
Thank you.
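Added example (not part of the question above): a small decoder that splits an IoControlCode from an NtTrace line into its CTL_CODE fields and, for codes in the AFD (Winsock kernel interface) layout, names the socket operation. The AFD operation numbers are assumed from the public afd.h definitions shipped with ReactOS and the table is deliberately short; the device-type and method names are the standard Windows CTL_CODE ones.

```python
import re

# Standard CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# AFD does not use CTL_CODE: code = (FILE_DEVICE_NETWORK 0x12 << 12) | (op << 2) | method,
# so a plain CTL_CODE decode shows DeviceType 1 and Function 0x800+op.
# Operation numbers assumed from ReactOS' public afd.h (partial table).
AFD_OPS = {0: "AFD_BIND", 1: "AFD_CONNECT", 2: "AFD_START_LISTEN",
           3: "AFD_WAIT_FOR_LISTEN", 4: "AFD_ACCEPT", 5: "AFD_RECV",
           6: "AFD_RECV_DATAGRAM", 7: "AFD_SEND", 8: "AFD_SEND_DATAGRAM",
           9: "AFD_SELECT", 10: "AFD_DISCONNECT"}

# Sample input: the NtDeviceIoControlFile line from the trace in the question.
SAMPLE = ("NtDeviceIoControlFile( FileHandle=0xbe4, Event=0xce8, ApcRoutine=null, "
          "ApcContext=null, IoStatusBlock=0x124cf2b0 [0/0xffc], IoControlCode=0x00012017, "
          "InputBuffer=0x124cf298, InputBufferLength=0x10, OutputBuffer=null, "
          "OutputBufferLength=0 ) => 0")


def decode_ctl_code(code):
    """Split a CTL_CODE value into its DeviceType, Access, Function and Method fields."""
    return {"device_type": (code >> 16) & 0xFFFF,
            "access": ACCESS[(code >> 14) & 3],
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 3]}


def decode_afd(code):
    """Return the AFD operation name if the code uses AFD's layout, else None."""
    if (code >> 12) != 0x12:      # FILE_DEVICE_NETWORK sits at bit 12 in AFD codes
        return None
    return AFD_OPS.get((code >> 2) & 0x3FF)


def decode_trace_line(line):
    """Extract IoControlCode= from an NtTrace line and decode it both ways."""
    m = re.search(r"IoControlCode=0x([0-9a-fA-F]+)", line)
    if not m:
        return None
    code = int(m.group(1), 16)
    result = decode_ctl_code(code)
    result["afd_operation"] = decode_afd(code)   # None for non-AFD devices
    return result


if __name__ == "__main__":
    print(decode_trace_line(SAMPLE))
```

For the sample line the method decodes as METHOD_NEITHER, which matches the null OutputBuffer in the trace, and the AFD table names the operation AFD_RECV.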