第一部分:
1: kd> x rpcrt4!addresslist
77c839dc RPCRT4!AddressList = 0x00000000
1: kd> g
Breakpoint 2 hit
RPCRT4!OSF_ADDRESS::CompleteListen:
001b:77c0c973 55 push ebp
1: kd> g
Breakpoint 11 hit
RPCRT4!COMMON_AddressManager:
001b:77c66bfc 55 push ebp
1: kd> kc
00 RPCRT4!COMMON_AddressManager
01 RPCRT4!COMMON_ServerCompleteListen
02 RPCRT4!OSF_ADDRESS::CompleteListen
03 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
04 RPCRT4!I_RpcServerUseProtseqEp2W
05 RPCRT4!RpcServerUseProtseqEpExW
06 RPCRT4!RpcServerUseProtseqEpW
07 LSASRV!DPAPIInitialize
08 LSASRV!LsapInitLsa
09 lsass!main
0a lsass!mainNoCRTStartup
0b kernel32!BaseProcessStart
1: kd> dv
pAddress = 0x00b01b18
1: kd> dt nmp_address 00b01b18
RPCRT4!NMP_ADDRESS
+0x000 __VFN_table : 0xbaadf00d
+0x004 type : 2
+0x008 id : 0n3
+0x00c fAborted : 0n-1163005939
+0x010 ObjectList : _LIST_ENTRY [ 0xbaadf00d - 0xbaadf00d ]
+0x018 Endpoint : 0x00b01c4e -> 0x5c
+0x01c pAddressVector : 0x00b01df0 NETWORK_ADDRESS_VECTOR
+0x020 SubmitListen : 0x77c7176c void RPCRT4!NMP_SubmitConnect+0
+0x024 InAddressList : 0 ( NotInList )
+0x028 EndpointFlags : 0xbaadf00d
+0x02c pNext : (null)
+0x030 pFirstAddress : 0x00b01b18 BASE_ADDRESS
+0x034 pNextAddress : (null)
+0x038 fDynamicEndpoint : 0n-1163005939
+0x03c Listen : BASE_OVERLAPPED
+0x058 NewConnection : 0x77c72b6d long RPCRT4!NMP_NewConnection+0
+0x05c hConnectPipe : (null)
+0x060 sparePipes : HandleCache
+0x068 SecurityDescriptor : 0x00b01cc8 Void
+0x06c LocalEndpoint : 0x00b01c48 -> 0x5c
第三部分:
RPC_STATUS
OSF_ADDRESS::CompleteListen (
)
{
if (ServerInfo->CompleteListen != 0)
{
ServerInfo->CompleteListen(InqRpcTransportAddress());
}
// Returns the transport-specific address block that is laid out directly
// after this OSF_ADDRESS object in memory. The transport layer casts the
// result to BASE_ADDRESS* (COMMON_ServerCompleteListen) or PNMP_ADDRESS
// (NMP_ServerListen) and writes into it.
//
// NOTE(review): this relies on the allocation having been sized for
// OSF_ADDRESS plus the transport's own address structure; the allocation
// site is not visible here, so confirm the sizing there. The debugger dumps
// of the trailing NMP_ADDRESS still show 0xbaadf00d in several fields
// (vtable, fAborted, ObjectList, EndpointFlags, fDynamicEndpoint) after
// NMP_ServerListen has run, which looks like untouched debug-heap fill --
// verify those fields are initialized before anything reads them.
inline RPC_TRANSPORT_ADDRESS
OSF_ADDRESS::InqRpcTransportAddress (
    )
{
    char *objectStart = (char *) this;
    char *transportPart = objectStart + sizeof(OSF_ADDRESS);
    return (RPC_TRANSPORT_ADDRESS) transportPart;
}
0: kd> dx -id 0,0,898bcd88 -r1 ((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00)
((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00) : 0x77bece00 [Type: RPC_CONNECTION_TRANSPORT *]
[+0x000] TransInterfaceVersion : 0x2004 [Type: unsigned int]
[+0x004] TransId : 0xf [Type: unsigned short]
[+0x006] TransAddrId : 0x11 [Type: unsigned short]
[+0x008] ProtocolSequence : 0x77bd2264 : 0x6e [Type: unsigned short *]
[+0x07c] CompleteListen : 0x77c66e46 [Type: void (*)(void *)]
0: kd> u 77c66e46
RPCRT4!COMMON_ServerCompleteListen [d:\srv03rtm\com\rpc\runtime\trans\common\complete.cxx @ 199]:
77c66e46 ?? ???
^ Memory access error in 'u 77c66e46'
void RPC_ENTRY
COMMON_ServerCompleteListen(
IN RPC_TRANSPORT_ADDRESS ThisAddress
)
{
BASE_ADDRESS *pList = (BASE_ADDRESS *) ThisAddress;
while(pList)
{
COMMON_AddressManager(pList);
pList = pList->pNextAddress;
}
第四部分:
RPC_STATUS
OSF_ADDRESS::ServerSetupAddress (
IN RPC_CHAR * NetworkAddress,
IN RPC_CHAR * *Endpoint,
IN unsigned int PendingQueueSize,
IN void * SecurityDescriptor, OPTIONAL
IN unsigned long EndpointFlags,
IN unsigned long NICFlags
)
{
RPC_STATUS Status;
Status = ServerInfo->Listen(InqRpcTransportAddress(),
NetworkAddress,
Endpoint,
PendingQueueSize,
SecurityDescriptor,
EndpointFlags,
NICFlags);
1: kd> dx -id 0,0,898bcd88 -r1 ((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00)
((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00) : 0x77bece00 [Type: RPC_CONNECTION_TRANSPORT *]
[+0x000] TransInterfaceVersion : 0x2004 [Type: unsigned int]
[+0x004] TransId : 0xf [Type: unsigned short]
[+0x006] TransAddrId : 0x11 [Type: unsigned short]
[+0x008] ProtocolSequence : 0x77bd2264 : 0x6e [Type: unsigned short *]
[+0x074] Listen : 0x77c72beb [Type: long (*)(void *,unsigned short *,unsigned short * *,unsigned int,void *,unsigned long,unsigned long)]
1: kd> u 77c72beb
RPCRT4!NMP_ServerListen [d:\srv03rtm\com\rpc\runtime\trans\common\nptrans.cxx @ 823]:
77c72beb 55 push ebp
77c72bec 8bec mov ebp,esp
RPC_STATUS
NMP_ServerListen(
IN RPC_TRANSPORT_ADDRESS ThisAddress,
IN PWSTR NetworkAddress,
IN OUT PWSTR *pEndpoint,
IN UINT PendingQueueSize,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ULONG EndpointFlags,
IN ULONG NICFlags
)
{
BOOL b;
INT i;
RPC_STATUS status;
PWSTR LocalPipeEndpoint;
PNMP_ADDRESS pAddress = (PNMP_ADDRESS)ThisAddress;
BOOL fEndpointCreated = FALSE;
pAddress->type = ADDRESS;
pAddress->id = NMP;
pAddress->NewConnection = NMP_NewConnection;
pAddress->SubmitListen = NMP_SubmitConnect;
pAddress->InAddressList = NotInList;
pAddress->pNext = 0;
pAddress->hConnectPipe = 0;
1: kd> x rpcrt4!addresslist
77c839dc RPCRT4!AddressList = 0x00000000
// The address should not be in the list.
BASE_ADDRESS *pT = AddressList;
while(pT) //不符合条件
{
ASSERT(pT != pAddress);
pT = pT->pNext;
}
#endif
pAddress->pNext = AddressList;
AddressList = pAddress;
pAddress->InAddressList = InTheList;
1: kd> dt rpcrt4!addresslist
0x00b01b18
+0x000 __VFN_table : 0xbaadf00d
+0x004 type : 2
+0x008 id : 0n3
+0x00c fAborted : 0n-1163005939
+0x010 ObjectList : _LIST_ENTRY [ 0xbaadf00d - 0xbaadf00d ]
+0x018 Endpoint : 0x00b01c4e -> 0x5c
+0x01c pAddressVector : 0x00b01df0 NETWORK_ADDRESS_VECTOR
+0x020 SubmitListen : 0x77c7176c void RPCRT4!NMP_SubmitConnect+0
+0x024 InAddressList : 1 ( InTheList )
+0x028 EndpointFlags : 0xbaadf00d
+0x02c pNext : (null)
+0x030 pFirstAddress : 0x00b01b18 BASE_ADDRESS
+0x034 pNextAddress : (null)
+0x038 fDynamicEndpoint : 0n-1163005939
1: kd> dt nmp_address 00b01b18
RPCRT4!NMP_ADDRESS
+0x000 __VFN_table : 0xbaadf00d
+0x004 type : 2
+0x008 id : 0n3
+0x00c fAborted : 0n-1163005939
+0x010 ObjectList : _LIST_ENTRY [ 0xbaadf00d - 0xbaadf00d ]
+0x018 Endpoint : 0x00b01c4e -> 0x5c
+0x01c pAddressVector : 0x00b01df0 NETWORK_ADDRESS_VECTOR
+0x020 SubmitListen : 0x77c7176c void RPCRT4!NMP_SubmitConnect+0
+0x024 InAddressList : 1 ( InTheList )
+0x028 EndpointFlags : 0xbaadf00d
+0x02c pNext : (null)
+0x030 pFirstAddress : 0x00b01b18 BASE_ADDRESS
+0x034 pNextAddress : (null)
+0x038 fDynamicEndpoint : 0n-1163005939
+0x03c Listen : BASE_OVERLAPPED
+0x058 NewConnection : 0x77c72b6d long RPCRT4!NMP_NewConnection+0
+0x05c hConnectPipe : (null)
+0x060 sparePipes : HandleCache
+0x068 SecurityDescriptor : 0x00b01cc8 Void
+0x06c LocalEndpoint : 0x00b01c48 -> 0x5c