Analysis of RPCRT4!OSF_CCALL::ActivateCall: the Bindings member of the RPCRT4!OSF_CCALL structure -- RPC source code analysis

Part 1:

```
1: kd> t
RPCRT4!OSF_CCALL::ActivateCall:
001b:77bf5789 55 push ebp
1: kd> kc
00 RPCRT4!OSF_CCALL::ActivateCall
01 RPCRT4!OSF_CASSOCIATION::AllocateCCall
02 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
03 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
04 RPCRT4!I_RpcGetBufferWithObject
05 RPCRT4!I_RpcGetBuffer
06 RPCRT4!NdrGetBuffer
07 RPCRT4!NdrClientCall2
08 ADVAPI32!LsarGetUserName
09 ADVAPI32!LsaGetUserName
0a ntdll!RtlpWaitOrTimerCallout
1: kd> dv
this = 00ce1b98
BindingHandle = 0x00ce1730
Binding = 0x00ce1fa8
AvailableBindingsList = 0x00000000
CallIdToUse = 1
InitialCallState = NeedOpenAndBind (0n0)
DispatchTable = 0x00000000
CConnection = 0x00ce1958
Status = 0n1
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CCALL *)0xce1b98)
((RPCRT4!OSF_CCALL *)0xce1b98) : 0xce1b98 [Type: OSF_CCALL *]
[+0x004] MagicLong : 0x89abcdef [Type: unsigned long]
[+0x008] ObjectType : 32 [Type: int]
[+0x00c] RefCount [Type: INTERLOCKED_INTEGER]
[+0x010] NestingCall : 0xbaadf00d [Type: CALL *]
[+0x014] pAsync : 0xbaadf00d [Type: _RPC_ASYNC_STATE *]
[+0x018] NotificationIssued : -1163005939 [Type: long]
[+0x01c] AsyncStatus : -1163005939 [Type: long]
[+0x020] CachedAPCInfo [Type: RPC_APC_INFO]
[+0x030] CachedAPCInfoAvailable : 1 [Type: int]
[+0x034] CallingThread : 0xbaadf00d [Type: THREAD *]
[+0x038] UuidSpecified : -1163005939 [Type: int]
[+0x03c] ObjectUuid : {BAADF00D-F00D-BAAD-0DF0-ADBA0DF0ADBA} [Type: _GUID]
[+0x04c] EEInfo : 0x0 [Type: tagExtendedErrorInfo *]
[+0x050] CurrentState : -1163005939 [Type: OSF_CCALL_STATE]
[+0x054] Connection : 0xbaadf00d [Type: OSF_CCONNECTION *]
[+0x058] BindingHandle : 0xbaadf00d [Type: OSF_BINDING_HANDLE *]
[+0x05c] CallbackLevel : 0 [Type: int]
[+0x060] Bindings [Type: OSF_CCALL::__unnamed]
[+0x068] CurrentBuffer : 0xbaadf00d [Type: void *]
[+0x06c] fDataLengthNegotiated : -1163005939 [Type: int]
[+0x070] CurrentOffset : -1163005939 [Type: int]
[+0x074] CurrentBufferLength : 0xbaadf00d [Type: unsigned long]
[+0x078] CallId : 0xbaadf00d [Type: unsigned long]
[+0x07c] RcvBufferLength : 0xbaadf00d [Type: unsigned int]
[+0x080] FirstSend : -1163005939 [Type: int]
[+0x084] DispatchTableCallback : 0xbaadf00d [Type: RPC_DISPATCH_TABLE *]
[+0x088] MaximumFragmentLength : 0xbaadf00d [Type: unsigned int]
[+0x08c] MaxSecuritySize : 0xbaadf00d [Type: unsigned int]
[+0x090] MaxDataLength : 0xbaadf00d [Type: unsigned int]
[+0x094] ProcNum : -1163005939 [Type: int]
[+0x098] ReservedForSecurity : 0x0 [Type: unsigned char *]
[+0x09c] SecBufferLength : 0x0 [Type: unsigned int]
[+0x0a0] HeaderSize : 0xbaadf00d [Type: unsigned int]
[+0x0a4] AdditionalSpaceForSecurity : 0xbaadf00d [Type: unsigned int]
[+0x0a8] SavedHeaderSize : 0x0 [Type: unsigned long]
[+0x0ac] SavedHeader : 0x0 [Type: void *]
[+0x0b0] LastBuffer : 0xbaadf00d [Type: void *]
[+0x0b4] SyncEvent [Type: EVENT]
[+0x0b8] ActualBufferLength : 0xbaadf00d [Type: unsigned int]
[+0x0bc] NeededLength : 0xbaadf00d [Type: unsigned int]
[+0x0c0] CallSendContext : 0xce1cd0 [Type: void *]
[+0x0c4] fAdvanceCallCount [Type: INTERLOCKED_INTEGER]
[+0x0c8] fPeerChoked : -1163005939 [Type: int]
[+0x0cc] Flags [Type: CompositeFlags]
[+0x0d0] fLastSendComplete : -1163005939 [Type: int]
[+0x0d4] CallMutex [Type: MUTEX]
[+0x0ec] RecursiveCallsKey : -1163005939 [Type: int]
[+0x0f0] AllocHint : 0xbaadf00d [Type: unsigned long]
[+0x0f4] CallStack : -1163005939 [Type: int]
[+0x0f8] fCallCancelled : -1163005939 [Type: int]
[+0x0fc] CancelState : -1163005939 [Type: CANCEL_STATE]
[+0x100] BufferQueue [Type: QUEUE]
[+0x12c] InReply : 0 [Type: int]
[+0x130] fChoked : -1163005939 [Type: int]
```

Part 2:

```
1: kd> dv
this = 00ce1b98
BindingHandle = 0x00ce1730
```

```cpp
Connection = CConnection;
this->BindingHandle = BindingHandle;
```

Part 3:

```
1: kd> dv
this = 0x00ce18b4
BindingHandle = 0x00ce1730
Binding = 0x00ce1fa8
AvailableBindingsList = 0x00000000
CallIdToUse = 1
```

```cpp
CallId = CallIdToUse;
```

```
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CASSOCIATION *)0xce1840)
((RPCRT4!OSF_CASSOCIATION *)0xce1840) : 0xce1840 [Type: OSF_CASSOCIATION *]
[+0x004] MagicLong : 0x89abcdef [Type: unsigned long]
[+0x008] ObjectType : 512 [Type: int]
[+0x070] CallIdCounter : 0x2 [Type: unsigned long]
```

Part 4: CallIdCounter is a member of the RPCRT4!OSF_CASSOCIATION structure

```cpp
RPC_STATUS
OSF_CASSOCIATION::AllocateCCall (
    IN OSF_BINDING_HANDLE *BindingHandle,
    IN PRPC_MESSAGE Message,
    IN CLIENT_AUTH_INFO * ClientAuthInfo,
    OUT OSF_CCALL ** pCCall,
    OUT BOOL *fBindingHandleReferenceRemoved
    )
{
    // the association hands out the next call id from its own counter
    CallIdToUse = CallIdCounter++;

    CurrentState = InitialCallState;

    // the call is then registered on the connection under that id
    Status = Connection->AddActiveCall(
                CallIdToUse,
                this);
```

Part 5: ActiveCalls in the RPCRT4!OSF_CCONNECTION structure

```
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CCONNECTION *)0xce1958)
((RPCRT4!OSF_CCONNECTION *)0xce1958) : 0xce1958 [Type: OSF_CCONNECTION *]
[+0x004] MagicLong : 0x89abcdef [Type: unsigned long]
[+0x008] ObjectType : 128 [Type: int]
[+0x0b0] ActiveCalls [Type: OSF_CCALL_DICT2]
1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!OSF_CCALL_DICT2 *)0xce1a08))
(*((RPCRT4!OSF_CCALL_DICT2 *)0xce1a08)) [Type: OSF_CCALL_DICT2]
[+0x000] DictKeys : 0xce1a14 [Type: void * *]
[+0x004] DictItems : 0xce1a24 [Type: void * *]
[+0x008] cDictSlots : 0x4 [Type: unsigned int]
[+0x00c] InitialDictKeys [Type: void * [4]]
[+0x01c] InitialDictItems [Type: void * [4]]
1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!void * (*)[4])0xce1a14))
(*((RPCRT4!void * (*)[4])0xce1a14)) [Type: void * [4]]
[0] : 0x0 [Type: void *]
[1] : 0x0 [Type: void *]
[2] : 0x0 [Type: void *]
[3] : 0x0 [Type: void *]
1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!void * (*)[4])0xce1a24))
(*((RPCRT4!void * (*)[4])0xce1a24)) [Type: void * [4]]
[0] : 0x0 [Type: void *]
[1] : 0x0 [Type: void *]
[2] : 0x0 [Type: void *]
[3] : 0x0 [Type: void *]
```
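As an added illustration (a constructed model written for this page, not the RPC runtime's code), the C below replays what Parts 3 to 5 show: the association hands out CallIdToUse = CallIdCounter++, and the call is registered in the connection's ActiveCalls dictionary, whose DictKeys/DictItems pointers initially aim at the four inline slots (which is why the dump shows them at 0xce1a08+0x0c and 0xce1a08+0x1c). The counter value before the call (1) is inferred from the CallId 1 / CallIdCounter 0x2 pair in the dumps, and growth of the dictionary beyond four entries is left out.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of the OSF_CCALL_DICT2 layout dumped in Part 5 (not the RPC
 * runtime's code). DictKeys/DictItems start out pointing at the four inline
 * slots, which is why, on this 32-bit target, they read base+0x0c and base+0x1c. */
typedef struct {
    void **DictKeys;            /* +0x000 */
    void **DictItems;           /* +0x004 */
    unsigned int cDictSlots;    /* +0x008, 4 in the dump */
    void *InitialDictKeys[4];   /* +0x00c */
    void *InitialDictItems[4];  /* +0x01c */
} CallDict;
typedef struct { unsigned long CallIdCounter; } Association; /* +0x070 in the dump */
typedef struct { unsigned long CallId; } Call;
static void dict_init(CallDict *d) {
    memset(d, 0, sizeof *d);
    d->DictKeys = d->InitialDictKeys;
    d->DictItems = d->InitialDictItems;
    d->cDictSlots = 4;
}
/* Registers a call under its id; returns the slot used, or -1 once the inline
 * slots are full (the real dictionary would grow here; the model stops instead). */
static int dict_add(CallDict *d, unsigned long id, Call *c) {
    for (unsigned int i = 0; i < d->cDictSlots; i++)
        if (d->DictItems[i] == NULL) {
            d->DictKeys[i] = (void *)(uintptr_t)id;
            d->DictItems[i] = c;
            return (int)i;
        }
    return -1;
}
/* AllocateCCall hands out CallIdToUse = CallIdCounter++ and ActivateCall then
 * registers the call through Connection->AddActiveCall(CallIdToUse, this). */
static int activate_call(Association *a, CallDict *active, Call *c) {
    c->CallId = a->CallIdCounter++;
    return dict_add(active, c->CallId, c);
}
/* Replays the dump: a counter of 1 before the call (assumed) yields CallId 1 and
 * leaves CallIdCounter at 2, as Parts 3 and 10 show. Returns 0 when all match. */
static int replay_page_scenario(void) {
    Association assoc = { 1 }; CallDict active; Call calls[5];
    dict_init(&active);
    if (active.DictKeys != active.InitialDictKeys || active.DictItems != active.InitialDictItems) return 1;
    if (activate_call(&assoc, &active, &calls[0]) != 0) return 2;
    if (calls[0].CallId != 1 || assoc.CallIdCounter != 2 || active.DictItems[0] != &calls[0]) return 3;
    for (int i = 1; i < 4; i++) activate_call(&assoc, &active, &calls[i]);
    return activate_call(&assoc, &active, &calls[4]) == -1 ? 0 : 4;
}
```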

Part 6:

```cpp
Bindings.SelectedBinding = Binding;
Bindings.AvailableBindingsList = AvailableBindingsList;
```

```
1: kd> dv
this = 0x00ce18b4
BindingHandle = 0x00ce1730
Binding = 0x00ce1fa8          <-- this is the Binding being assigned
AvailableBindingsList = 0x00000000
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_BINDING *)0xce1fa8)
((RPCRT4!OSF_BINDING *)0xce1fa8) : 0xce1fa8 [Type: OSF_BINDING *]
[+0x000] InterfaceId [Type: _RPC_SYNTAX_IDENTIFIER]
[+0x014] TransferSyntaxInfo [Type: TRANSFER_SYNTAX_INFO_ATOM]
[+0x030] NextBinding : 0x0 [Type: MTSyntaxBinding *]
[+0x034] PresentationContext : 0 [Type: int]
[+0x038] CapabilitiesBitmap : 1 [Type: int]
[+0x03c] RefCount [Type: INTERLOCKED_INTEGER]
[+0x040] Flags [Type: CompositeFlags]
```

Part 7: Reference

```cpp
inline OSF_BINDING *
GetListOfAvaialbleBindings (
    OUT BOOL *fMultipleBindingsAvailable
    )
{
    if (Bindings.AvailableBindingsList)
    {
        *fMultipleBindingsAvailable = TRUE;
        return Bindings.AvailableBindingsList;
    }
    else
    {
        *fMultipleBindingsAvailable = FALSE;
        return Bindings.SelectedBinding;
    }
}
```

Part 8:

```
1: kd> dt osf_ccall 00ce1b98
RPCRT4!OSF_CCALL
+0x000 __VFN_table : 0x77bd3278
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n32
+0x060 Bindings : OSF_CCALL::__unnamed
1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!OSF_CCALL::__unnamed *)0xce1bf8))
(*((RPCRT4!OSF_CCALL::__unnamed *)0xce1bf8)) [Type: OSF_CCALL::__unnamed]
[+0x000] SelectedBinding : 0xce1fa8 [Type: OSF_BINDING *]
[+0x004] AvailableBindingsList : 0x0 [Type: OSF_BINDING *]
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_BINDING *)0xce1fa8)
((RPCRT4!OSF_BINDING *)0xce1fa8) : 0xce1fa8 [Type: OSF_BINDING *]
[+0x000] InterfaceId [Type: _RPC_SYNTAX_IDENTIFIER]
[+0x014] TransferSyntaxInfo [Type: TRANSFER_SYNTAX_INFO_ATOM]
[+0x030] NextBinding : 0x0 [Type: MTSyntaxBinding *]
[+0x034] PresentationContext : 0 [Type: int]
[+0x038] CapabilitiesBitmap : 1 [Type: int]
[+0x03c] RefCount [Type: INTERLOCKED_INTEGER]
[+0x040] Flags [Type: CompositeFlags]
```

Part 9:

```
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CCONNECTION *)0xce1958)
((RPCRT4!OSF_CCONNECTION *)0xce1958) : 0xce1958 [Type: OSF_CCONNECTION *]
[+0x004] MagicLong : 0x89abcdef [Type: unsigned long]
[+0x008] ObjectType : 128 [Type: int]
[+0x054] fExclusive : 1 [Type: int]
```

```cpp
if (Connection->fExclusive == 0) // does not hold: fExclusive is 1 here
{
    //
```

Part 10: Final result

```
1: kd> dt osf_ccall 00ce1b98
RPCRT4!OSF_CCALL
+0x000 __VFN_table : 0x77bd3278
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n32
+0x00c RefCount : INTERLOCKED_INTEGER
+0x010 NestingCall : 0xbaadf00d CALL
+0x014 pAsync : (null)
+0x018 NotificationIssued : 0n-1163005939
+0x01c AsyncStatus : 0n-1163005939
+0x020 CachedAPCInfo : RPC_APC_INFO
+0x030 CachedAPCInfoAvailable : 0n1
+0x034 CallingThread : (null)
+0x038 UuidSpecified : 0n-1163005939
+0x03c ObjectUuid : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}
+0x04c EEInfo : (null)
+0x050 CurrentState : 0 ( NeedOpenAndBind )
+0x054 Connection : 0x00ce1958 OSF_CCONNECTION
+0x058 BindingHandle : 0x00ce1730 OSF_BINDING_HANDLE
+0x05c CallbackLevel : 0n0
+0x060 Bindings : OSF_CCALL::__unnamed
+0x068 CurrentBuffer : (null)
+0x06c fDataLengthNegotiated : 0n0
+0x070 CurrentOffset : 0n0
+0x074 CurrentBufferLength : 0xbaadf00d
+0x078 CallId : 1
+0x07c RcvBufferLength : 0
+0x080 FirstSend : 0n-1163005939
+0x084 DispatchTableCallback : (null)
+0x088 MaximumFragmentLength : 0
+0x08c MaxSecuritySize : 0
+0x090 MaxDataLength : 0
+0x094 ProcNum : 0n-1163005939
+0x098 ReservedForSecurity : (null)
+0x09c SecBufferLength : 0
+0x0a0 HeaderSize : 0
+0x0a4 AdditionalSpaceForSecurity : 0
+0x0a8 SavedHeaderSize : 0
+0x0ac SavedHeader : (null)
+0x0b0 LastBuffer : (null)
+0x0b4 SyncEvent : EVENT
+0x0b8 ActualBufferLength : 0xbaadf00d
+0x0bc NeededLength : 0
+0x0c0 CallSendContext : 0x00ce1cd0 Void
+0x0c4 fAdvanceCallCount : INTERLOCKED_INTEGER
+0x0c8 fPeerChoked : 0n0
+0x0cc Flags : CompositeFlags
+0x0d0 fLastSendComplete : 0n-1163005939
+0x0d4 CallMutex : MUTEX
+0x0ec RecursiveCallsKey : 0n-1
+0x0f0 AllocHint : 0
+0x0f4 CallStack : 0n0
+0x0f8 fCallCancelled : 0n0
+0x0fc CancelState : 0 ( CANCEL_NOTREGISTERED )
+0x100 BufferQueue : QUEUE
+0x12c InReply : 0n0
+0x130 fChoked : 0n-1163005939
```
