RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之创建一个RPCRT4!OSF_CCALL
第一部分:
1: kd> p
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x167:
001b:77bf6957 393dec35c877 cmp dword ptr [RPCRT4!gfRPCVerifierEnabled (77c835ec)],edi
1: kd> r
eax=0000015c ebx=007cf938 ecx=00ce1ad4 edx=00000000 esi=00ce1958 edi=00000000
eip=77bf6957 esp=007cf8c0 ebp=007cf8cc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x167:
001b:77bf6957 393dec35c877 cmp dword ptr [RPCRT4!gfRPCVerifierEnabled (77c835ec)],edi ds:0023:77c835ec=00000000
1: kd> x RPCRT4!gfRPCVerifierEnabled
77c835ec RPCRT4!gfRPCVerifierEnabled = 0n0
else
{
CachedCCall = new (ClientInfo->SendContextSize+sizeof(PVOID))
OSF_CCALL(pStatus);
}
第二部分:
1: kd> p
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x184:
001b:77bf6974 e83a150200 call RPCRT4!operator new (77c17eb3)
1: kd> p
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x189:
001b:77bf6979 3bc7 cmp eax,edi
1: kd> r
eax=00ce1b98
第三部分:
1: kd> dt ccall 00ce1b98
RPCRT4!CCALL
+0x000 __VFN_table : 0xbaadf00d
+0x004 MagicLong : 0xbaadf00d
+0x008 ObjectType : 0n-1163005939
+0x00c RefCount : INTERLOCKED_INTEGER
+0x010 NestingCall : 0xbaadf00d CALL
+0x014 pAsync : 0xbaadf00d _RPC_ASYNC_STATE
+0x018 NotificationIssued : 0n-1163005939
+0x01c AsyncStatus : 0n-1163005939
+0x020 CachedAPCInfo : RPC_APC_INFO
+0x030 CachedAPCInfoAvailable : 0n-1163005939
+0x034 CallingThread : 0xbaadf00d THREAD
+0x038 UuidSpecified : 0n-1163005939
+0x03c ObjectUuid : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}
+0x04c EEInfo : 0xbaadf00d tagExtendedErrorInfo
第四部分:
1: kd> t
RPCRT4!OSF_CCALL::OSF_CCALL:
001b:77bf5662 55 push ebp
1: kd> kc
#
00 RPCRT4!OSF_CCALL::OSF_CCALL
01 RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION
02 RPCRT4!OSF_CASSOCIATION::AllocateCCall
03 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
04 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
05 RPCRT4!I_RpcGetBufferWithObject
06 RPCRT4!I_RpcGetBuffer
07 RPCRT4!NdrGetBuffer
08 RPCRT4!NdrClientCall2
09 ADVAPI32!LsarGetUserName
0a ADVAPI32!LsaGetUserName
0b ntdll!RtlpWaitOrTimerCallout
OSF_CCALL::OSF_CCALL (
RPC_STATUS __RPC_FAR * pStatus
) : CallMutex(pStatus),
SyncEvent(pStatus, 0),
fAdvanceCallCount(0)
{
LogEvent(SU_CCALL, EV_CREATE, this);
ObjectType = OSF_CCALL_TYPE;
ReservedForSecurity = 0;
SecBufferLength = 0;
SavedHeaderSize = 0;
SavedHeader = 0;
InReply = 0;
EEInfo = NULL;
CachedAPCInfoAvailable = 1;
CallbackLevel = 0;
CallSendContext = (char *) this+sizeof(OSF_CCALL)+sizeof(PVOID);
*((PVOID *) ((char *) CallSendContext - sizeof(PVOID))) = (PVOID) this;
}
1: kd> dv
this = 00ce1b98
pStatus = 0x007cf938
1: kd> p
RPCRT4!OSF_CCALL::OSF_CCALL+0x6c:
001b:77bf56ce 8d8638010000 lea eax,[esi+138h]
1: kd> r
eax=00000000 ebx=00000001 ecx=00000000 edx=00000000 esi=00ce1b98
[+0x0c0] CallSendContext : 0x0 [Type: void *]
第五部分:
ObjectType = OSF_CCALL_TYPE;
ReservedForSecurity = 0;
SecBufferLength = 0;
SavedHeaderSize = 0;
SavedHeader = 0;
InReply = 0;
EEInfo = NULL;
CachedAPCInfoAvailable = 1;
CallbackLevel = 0;
1: kd> dt RPCRT4!OSF_CCALL 00ce1b98
+0x000 __VFN_table : 0x77bd3278
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n32 ObjectType = OSF_CCALL_TYPE;
+0x00c RefCount : INTERLOCKED_INTEGER
+0x010 NestingCall : 0xbaadf00d CALL
+0x014 pAsync : 0xbaadf00d _RPC_ASYNC_STATE
+0x018 NotificationIssued : 0n-1163005939
+0x01c AsyncStatus : 0n-1163005939
+0x020 CachedAPCInfo : RPC_APC_INFO
+0x030 CachedAPCInfoAvailable : 0n1
+0x034 CallingThread : 0xbaadf00d THREAD
+0x038 UuidSpecified : 0n-1163005939
+0x03c ObjectUuid : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}
+0x04c EEInfo : (null)
+0x050 CurrentState : 0xbaadf00d (No matching name)
+0x054 Connection : 0xbaadf00d OSF_CCONNECTION
+0x058 BindingHandle : 0xbaadf00d OSF_BINDING_HANDLE
+0x05c CallbackLevel : 0n0
+0x060 Bindings : OSF_CCALL::__unnamed
+0x068 CurrentBuffer : 0xbaadf00d Void
+0x06c fDataLengthNegotiated : 0n-1163005939
+0x070 CurrentOffset : 0n-1163005939
+0x074 CurrentBufferLength : 0xbaadf00d
+0x078 CallId : 0xbaadf00d
+0x07c RcvBufferLength : 0xbaadf00d
+0x080 FirstSend : 0n-1163005939
+0x084 DispatchTableCallback : 0xbaadf00d RPC_DISPATCH_TABLE
+0x088 MaximumFragmentLength : 0xbaadf00d
+0x08c MaxSecuritySize : 0xbaadf00d
+0x090 MaxDataLength : 0xbaadf00d
+0x094 ProcNum : 0n-1163005939
+0x098 ReservedForSecurity : (null)
+0x09c SecBufferLength : 0
+0x0a0 HeaderSize : 0xbaadf00d
+0x0a4 AdditionalSpaceForSecurity : 0xbaadf00d
+0x0a8 SavedHeaderSize : 0
+0x0ac SavedHeader : (null)
+0x0b0 LastBuffer : 0xbaadf00d Void
+0x0b4 SyncEvent : EVENT
+0x0b8 ActualBufferLength : 0xbaadf00d
+0x0bc NeededLength : 0xbaadf00d
+0x0c0 CallSendContext : 0x00ce1cd0 Void
+0x0c4 fAdvanceCallCount : INTERLOCKED_INTEGER
+0x0c8 fPeerChoked : 0n-1163005939
+0x0cc Flags : CompositeFlags
+0x0d0 fLastSendComplete : 0n-1163005939
+0x0d4 CallMutex : MUTEX
+0x0ec RecursiveCallsKey : 0n-1163005939
+0x0f0 AllocHint : 0xbaadf00d
+0x0f4 CallStack : 0n-1163005939
+0x0f8 fCallCancelled : 0n-1163005939
+0x0fc CancelState : 0xbaadf00d (No matching name)
+0x100 BufferQueue : QUEUE
+0x12c InReply : 0n0
+0x130 fChoked : 0n-1163005939
+0x0c0 CallSendContext : 0x00ce1cd0 Void
1: kd> dd 00ce1b98+138
00ce1cd0 baadf00d baadf00d baadf00d baadf00d
00ce1ce0 baadf00d baadf00d baadf00d baadf00d
*((PVOID *) ((char *) CallSendContext - sizeof(PVOID))) = (PVOID) this;
1: kd> dd 00ce1b98+134
00ce1ccc 00ce1b98
第六部分:
1: kd> dt osf_CConnection 00ce1958
RPCRT4!OSF_CCONNECTION
+0x000 __VFN_table : 0x77bd3994
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n128
+0x00c RefCount : INTERLOCKED_INTEGER
+0x010 Association : 0x00ce1840 OSF_CASSOCIATION
+0x014 CurrentCall : 0xbaadf00d OSF_CCALL
+0x018 ConnectionKey : 0n-1
+0x01c State : 0 ( ConnUninitialized )
+0x020 WireAuthId : 0 ''
+0x022 MaxFrag : 0x200
+0x024 ThreadId : 0xffffffff
+0x028 CachedCCallAvailable : 0n-1163005939
+0x02c MaxSavedHeaderSize : 0
+0x030 CachedCCall : 0x00ce1b98 OSF_CCALL
第七部分:
CachedCCallAvailable = 0;
CurrentCall = CachedCCall;
ConnectionReady = 0;
}
1: kd> dt osf_CConnection 00ce1958
RPCRT4!OSF_CCONNECTION
+0x000 __VFN_table : 0x77bd3994
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n128
+0x00c RefCount : INTERLOCKED_INTEGER
+0x010 Association : 0x00ce1840 OSF_CASSOCIATION
+0x014 CurrentCall : 0x00ce1b98 OSF_CCALL
)
)
)
