RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之创建一个RPCRT4!OSF_CCALL--RPC源代码分析

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之创建一个RPCRT4!OSF_CCALL

第一部分:

1: kd> p

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x167:

001b:77bf6957 393dec35c877 cmp dword ptr [RPCRT4!gfRPCVerifierEnabled (77c835ec)],edi

1: kd> r

eax=0000015c ebx=007cf938 ecx=00ce1ad4 edx=00000000 esi=00ce1958 edi=00000000

eip=77bf6957 esp=007cf8c0 ebp=007cf8cc iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x167:

001b:77bf6957 393dec35c877 cmp dword ptr [RPCRT4!gfRPCVerifierEnabled (77c835ec)],edi ds:0023:77c835ec=00000000

1: kd> x RPCRT4!gfRPCVerifierEnabled

77c835ec RPCRT4!gfRPCVerifierEnabled = 0n0

else

{

CachedCCall = new (ClientInfo->SendContextSize+sizeof(PVOID))

OSF_CCALL(pStatus);

}

第二部分:

1: kd> p

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x184:

001b:77bf6974 e83a150200 call RPCRT4!operator new (77c17eb3)

1: kd> p

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x189:

001b:77bf6979 3bc7 cmp eax,edi

1: kd> r

eax=00ce1b98

第三部分:

1: kd> dt ccall 00ce1b98

RPCRT4!CCALL

+0x000 __VFN_table : 0xbaadf00d

+0x004 MagicLong : 0xbaadf00d

+0x008 ObjectType : 0n-1163005939

+0x00c RefCount : INTERLOCKED_INTEGER

+0x010 NestingCall : 0xbaadf00d CALL

+0x014 pAsync : 0xbaadf00d _RPC_ASYNC_STATE

+0x018 NotificationIssued : 0n-1163005939

+0x01c AsyncStatus : 0n-1163005939

+0x020 CachedAPCInfo : RPC_APC_INFO

+0x030 CachedAPCInfoAvailable : 0n-1163005939

+0x034 CallingThread : 0xbaadf00d THREAD

+0x038 UuidSpecified : 0n-1163005939

+0x03c ObjectUuid : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}

+0x04c EEInfo : 0xbaadf00d tagExtendedErrorInfo

第四部分:

1: kd> t

RPCRT4!OSF_CCALL::OSF_CCALL:

001b:77bf5662 55 push ebp

1: kd> kc

00 RPCRT4!OSF_CCALL::OSF_CCALL

01 RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION

02 RPCRT4!OSF_CASSOCIATION::AllocateCCall

03 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall

04 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax

05 RPCRT4!I_RpcGetBufferWithObject

06 RPCRT4!I_RpcGetBuffer

07 RPCRT4!NdrGetBuffer

08 RPCRT4!NdrClientCall2

09 ADVAPI32!LsarGetUserName

0a ADVAPI32!LsaGetUserName

0b ntdll!RtlpWaitOrTimerCallout

// Constructs a client-side call object.
//
// pStatus - receives the status of the CallMutex / SyncEvent construction;
//           it is forwarded to those members' constructors and not read here.
//
// The object is expected to be created with a placement-style `new` that
// reserves extra bytes after sizeof(OSF_CCALL) (the enclosing connection
// constructor on this page passes `SendContextSize + sizeof(PVOID)`). The
// constructor does not verify that the extra space exists; it simply writes
// into it, so the allocation size and this layout must stay in agreement.
OSF_CCALL::OSF_CCALL (
    RPC_STATUS __RPC_FAR * pStatus
    ) : CallMutex(pStatus),
        SyncEvent(pStatus, 0),
        fAdvanceCallCount(0)
{
    LogEvent(SU_CCALL, EV_CREATE, this);

    ObjectType = OSF_CCALL_TYPE;

    // Security and saved-header bookkeeping starts out empty.
    ReservedForSecurity = 0;
    SecBufferLength = 0;
    SavedHeaderSize = 0;
    SavedHeader = 0;

    InReply = 0;
    EEInfo = NULL;
    CachedAPCInfoAvailable = 1;
    CallbackLevel = 0;

    // Trailer layout past the end of the object:
    //   this + sizeof(OSF_CCALL)                  : PVOID back-pointer to this call
    //   this + sizeof(OSF_CCALL) + sizeof(PVOID)  : start of the send context
    char *trailer = (char *) this;
    trailer += sizeof(OSF_CCALL);
    ((PVOID *) trailer)[0] = (PVOID) this;
    trailer += sizeof(PVOID);
    CallSendContext = trailer;
}

1: kd> dv

this = 00ce1b98

pStatus = 0x007cf938

1: kd> p

RPCRT4!OSF_CCALL::OSF_CCALL+0x6c:

001b:77bf56ce 8d8638010000 lea eax,[esi+138h]

1: kd> r

eax=00000000 ebx=00000001 ecx=00000000 edx=00000000 esi=00ce1b98

+0x0c0] CallSendContext : 0x0 [Type: void *

第五部分:

ObjectType = OSF_CCALL_TYPE;

ReservedForSecurity = 0;

SecBufferLength = 0;

SavedHeaderSize = 0;

SavedHeader = 0;

InReply = 0;

EEInfo = NULL;

CachedAPCInfoAvailable = 1;

CallbackLevel = 0;

1: kd> dt RPCRT4!OSF_CCALL 00ce1b98

+0x000 __VFN_table : 0x77bd3278

+0x004 MagicLong : 0x89abcdef

+0x008 ObjectType : 0n32 ObjectType = OSF_CCALL_TYPE;

+0x00c RefCount : INTERLOCKED_INTEGER

+0x010 NestingCall : 0xbaadf00d CALL

+0x014 pAsync : 0xbaadf00d _RPC_ASYNC_STATE

+0x018 NotificationIssued : 0n-1163005939

+0x01c AsyncStatus : 0n-1163005939

+0x020 CachedAPCInfo : RPC_APC_INFO

+0x030 CachedAPCInfoAvailable : 0n1

+0x034 CallingThread : 0xbaadf00d THREAD

+0x038 UuidSpecified : 0n-1163005939

+0x03c ObjectUuid : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}

+0x04c EEInfo : (null)

+0x050 CurrentState : 0xbaadf00d (No matching name)

+0x054 Connection : 0xbaadf00d OSF_CCONNECTION

+0x058 BindingHandle : 0xbaadf00d OSF_BINDING_HANDLE

+0x05c CallbackLevel : 0n0

+0x060 Bindings : OSF_CCALL::__unnamed

+0x068 CurrentBuffer : 0xbaadf00d Void

+0x06c fDataLengthNegotiated : 0n-1163005939

+0x070 CurrentOffset : 0n-1163005939

+0x074 CurrentBufferLength : 0xbaadf00d

+0x078 CallId : 0xbaadf00d

+0x07c RcvBufferLength : 0xbaadf00d

+0x080 FirstSend : 0n-1163005939

+0x084 DispatchTableCallback : 0xbaadf00d RPC_DISPATCH_TABLE

+0x088 MaximumFragmentLength : 0xbaadf00d

+0x08c MaxSecuritySize : 0xbaadf00d

+0x090 MaxDataLength : 0xbaadf00d

+0x094 ProcNum : 0n-1163005939

+0x098 ReservedForSecurity : (null)

+0x09c SecBufferLength : 0

+0x0a0 HeaderSize : 0xbaadf00d

+0x0a4 AdditionalSpaceForSecurity : 0xbaadf00d

+0x0a8 SavedHeaderSize : 0

+0x0ac SavedHeader : (null)

+0x0b0 LastBuffer : 0xbaadf00d Void

+0x0b4 SyncEvent : EVENT

+0x0b8 ActualBufferLength : 0xbaadf00d

+0x0bc NeededLength : 0xbaadf00d

+0x0c0 CallSendContext : 0x00ce1cd0 Void

+0x0c4 fAdvanceCallCount : INTERLOCKED_INTEGER

+0x0c8 fPeerChoked : 0n-1163005939

+0x0cc Flags : CompositeFlags

+0x0d0 fLastSendComplete : 0n-1163005939

+0x0d4 CallMutex : MUTEX

+0x0ec RecursiveCallsKey : 0n-1163005939

+0x0f0 AllocHint : 0xbaadf00d

+0x0f4 CallStack : 0n-1163005939

+0x0f8 fCallCancelled : 0n-1163005939

+0x0fc CancelState : 0xbaadf00d (No matching name)

+0x100 BufferQueue : QUEUE

+0x12c InReply : 0n0

+0x130 fChoked : 0n-1163005939

+0x0c0 CallSendContext : 0x00ce1cd0 Void

1: kd> dd 00ce1b98+138

00ce1cd0 baadf00d baadf00d baadf00d baadf00d

00ce1ce0 baadf00d baadf00d baadf00d baadf00d

*((PVOID *) ((char *) CallSendContext - sizeof(PVOID))) = (PVOID) this;

1: kd> dd 00ce1b98+134

00ce1ccc 00ce1b98

第六部分:

1: kd> dt osf_CConnection 00ce1958

RPCRT4!OSF_CCONNECTION

+0x000 __VFN_table : 0x77bd3994

+0x004 MagicLong : 0x89abcdef

+0x008 ObjectType : 0n128

+0x00c RefCount : INTERLOCKED_INTEGER

+0x010 Association : 0x00ce1840 OSF_CASSOCIATION

+0x014 CurrentCall : 0xbaadf00d OSF_CCALL

+0x018 ConnectionKey : 0n-1

+0x01c State : 0 ( ConnUninitialized )

+0x020 WireAuthId : 0 ''

+0x022 MaxFrag : 0x200

+0x024 ThreadId : 0xffffffff

+0x028 CachedCCallAvailable : 0n-1163005939

+0x02c MaxSavedHeaderSize : 0

+0x030 CachedCCall : 0x00ce1b98 OSF_CCALL

第七部分:

CachedCCallAvailable = 0;

CurrentCall = CachedCCall;

ConnectionReady = 0;

}

1: kd> dt osf_CConnection 00ce1958

RPCRT4!OSF_CCONNECTION

+0x000 __VFN_table : 0x77bd3994

+0x004 MagicLong : 0x89abcdef

+0x008 ObjectType : 0n128

+0x00c RefCount : INTERLOCKED_INTEGER

+0x010 Association : 0x00ce1840 OSF_CASSOCIATION

+0x014 CurrentCall : 0x00ce1b98 OSF_CCALL
