RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之初始化中的u.ConnSendContext----RPC源代码分析

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之初始化中的u.ConnSendContext

第一部分:

1: kd> kc

00 RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION

01 RPCRT4!OSF_CASSOCIATION::AllocateCCall

02 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall

03 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax

04 RPCRT4!I_RpcGetBufferWithObject

05 RPCRT4!I_RpcGetBuffer

06 RPCRT4!NdrGetBuffer

07 RPCRT4!NdrClientCall2

08 ADVAPI32!LsarGetUserName

09 ADVAPI32!LsaGetUserName

0a ntdll!RtlpWaitOrTimerCallout

第二部分:

RPC_STATUS

OSF_CASSOCIATION::AllocateCCall (

IN OSF_BINDING_HANDLE *BindingHandle,

IN PRPC_MESSAGE Message,

IN CLIENT_AUTH_INFO * ClientAuthInfo,

OUT OSF_CCALL ** pCCall,

OUT BOOL *fBindingHandleReferenceRemoved

)

{

Status = LookForExistingConnection (

BindingHandle,

fExclusive,

ClientAuthInfo,

PresentationContextsToUse,

NumberOfBindingsToUse,

&CConnection,

&PresentationContextSupported,

&InitialCallState,

BOOL(fUseSeparateConnection)) ;

AssociationMutex.Clear();

if (Status != RPC_S_OK)

{

ReleaseBindingList(BindingsList);

return Status;

}

if (CConnection == 0)

{

//

// Allocate a new connection

//

RPC_CONNECTION_TRANSPORT *ClientInfo

= (RPC_CONNECTION_TRANSPORT *) TransInfo->InqTransInfo();

Status = RPC_S_OK;

CConnection = new(ClientInfo->ClientConnectionSize

                  + ClientInfo->SendContextSize

                  + sizeof(PVOID))

OSF_CCONNECTION(

this,

ClientInfo,

BindingHandle->InqComTimeout(),

ClientAuthInfo,

fExclusive,

BOOL(fUseSeparateConnection),

&Status);

第三部分:

1: kd> dv

this = 00ce1958

MyAssociation = 0x00ce1840

RpcClientInfo = 0x77bece00

Timeout = 5

ClientAuthInfo = 0x00ce1768

fExclusive = 0n1

fSeparateConnection = 0n0

pStatus = 0x007cf938

// Reset the "does this connection support header signing" state to
// "not yet known" (cshsDontKnow). The only visible effect is the single
// Flags.SetFlagUnsafe(...) call; the "Unsafe" suffix presumably means the
// flag is written without synchronisation (object not yet shared, or the
// caller already holds the association lock) — confirm against the Flags
// type before relying on that.
inline void

InitConnectionSupportHeaderSign (

void

)

{

Flags.SetFlagUnsafe(cshsDontKnow);

}

Association = MyAssociation;

// CASSOC++

Association->AddReference();

ObjectType = OSF_CCONNECTION_TYPE;

ClientInfo = RpcClientInfo;

第四部分:

1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00)

((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00) : 0x77bece00 [Type: RPC_CONNECTION_TRANSPORT *]

[+0x000] TransInterfaceVersion : 0x2004 [Type: unsigned int]

[+0x004] TransId : 0xf [Type: unsigned short]

[+0x006] TransAddrId : 0x11 [Type: unsigned short]

[+0x008] ProtocolSequence : 0x77bd2264 : 0x6e [Type: unsigned short *]

[+0x030] AddressSize : 0x70 [Type: unsigned int]

[+0x034] ClientConnectionSize : 0x54 [Type: unsigned int]

[+0x038] ServerConnectionSize : 0x54 [Type: unsigned int]

[+0x03c] SendContextSize : 0x24 [Type: unsigned int]

第五部分:u.ConnSendContext的地址的由来!!!（对象布局：this=0x00ce1958，后接 sizeof(OSF_CCONNECTION)=0x17c；再接传输层连接区 ClientConnectionSize=0x54 字节；再接 4 字节的 PVOID，存放指回 this 的指针；最后才是 SendContextSize=0x24 字节的发送上下文。所以 0x00ce1958+0x17c+0x54=0x00ce1b28 处存的是 this，u.ConnSendContext=0x00ce1b28+4=0x00ce1b2c）

#define TransConnection() ((RPC_TRANSPORT_CONNECTION) \

((char *) this+sizeof(OSF_CCONNECTION)))

[+0x034] ClientConnectionSize : 0x54 [Type: unsigned int]

[+0x03c] SendContextSize : 0x24 [Type: unsigned int]

//关键地方
**u.ConnSendContext = (char *) TransConnection()

                    + ClientInfo->ClientConnectionSize
                    + sizeof(PVOID);**

*((PVOID *) ((char *) u.ConnSendContext - sizeof(PVOID))) = (PVOID) this;

00ce1b28 = 00ce1958

1: kd> dd 00ce1958++0x17c+54

00ce1b28 00ce1958 baadf00d baadf00d baadf00d

00ce1b38 baadf00d baadf00d baadf00d baadf00d

1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!OSF_CCONNECTION::__unnamed *)0xce1aac))

(*((RPCRT4!OSF_CCONNECTION::__unnamed *)0xce1aac)) [Type: OSF_CCONNECTION::__unnamed]

[+0x000] ConnSendContext : 0xce1b2c [Type: void *]

[+0x000] NextConnection : 0xce1b2c [Type: OSF_CCONNECTION *]

第六部分:u.ConnSendContext作为参数的地方和具体含义

if (fAsync)

{

Status = TransAsyncSend(BindingHandle,

BindPacket,

BindPacketLength,

u.ConnSendContext);

}

RPC_STATUS

OSF_CCONNECTION::TransAsyncSend (

IN OSF_BINDING_HANDLE * BindingHandle,

IN void * Buffer,

IN UINT BufferLength,

IN void *SendContext

)

{

Status = ClientInfo->Send(TransConnection(),

BufferLength,

(BUFFER) Buffer,

SendContext);

1: kd> u 77c6d738

RPCRT4!CO_Send [d:\srv03rtm\com\rpc\runtime\trans\common\cotrans.cxx @ 59]:

77c6d738 ?? ???

RPC_STATUS

RPC_ENTRY

CO_Send(

RPC_TRANSPORT_CONNECTION ThisConnection,

UINT Length,

BUFFER Buffer,

PVOID SendContext

)

{

PCONNECTION pConnection = (PCONNECTION)ThisConnection;

CO_SEND_CONTEXT *pSend = (CO_SEND_CONTEXT *)SendContext;

BOOL b;

1: kd> dt CO_SEND_CONTEXT //正好0x24(36)个字节：0x1c+4+4，与RPC_CONNECTION_TRANSPORT::SendContextSize(0x24)一致；发送上下文的空间是按SendContextSize分配的，若该值小于sizeof(CO_SEND_CONTEXT)，CO_Send中的强制转换就会越界使用后面的内存

RPCRT4!CO_SEND_CONTEXT

+0x000 Write : BASE_OVERLAPPED

+0x01c pWriteBuffer : Ptr32 UChar

+0x020 maxWriteBuffer : Uint4B
