sfc_os!SfcQueueValidationRequest函数分析之sfc_os!IsFileInQueue

第一部分: SfcQueueValidationRequest 入口(ChangeType = 5,RegVal 指向 c:\windows\system32\pidgen.dll):

1: kd> kc

00 sfc_os!SfcQueueValidationRequest

01 sfc_os!SfcWatchProtectedDirectoriesWorkerThread

02 kernel32!BaseThreadStart

1: kd> dv

RegVal = 0x01129164

ChangeType = 5

vrd = 0x012bfef0

Status = 0n1988337684

vrdexisting = 0x012bffdc

//

// if we're in GUI-Setup, don't queue any validation requests

//

if (SFCDisable == SFC_DISABLE_SETUP) {

return STATUS_SUCCESS;

}

1: kd> x sfc_os!SFCDisable

768421b8 sfc_os!SFCDisable = 0

vrd->NextValidTime = GetTickCount() + (1000*SFCStall);

vrd->RegVal = RegVal;

vrd->ChangeType = ChangeType;

vrd->Signature = SFC_VRD_SIGNATURE;

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048)

((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048) : 0x1fe0048 [Type: _VALIDATION_REQUEST_DATA *]

[+0x000] Entry [Type: _LIST_ENTRY]

[+0x008] Signature : 0x69696969 [Type: unsigned long]

[+0x010] ImageValData [Type: _COMPLETE_VALIDATION_DATA]

[+0x130] RegVal : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]

[+0x134] SourceInfo [Type: _SOURCE_INFO]

[+0xd74] ChangeType : 0x5 [Type: unsigned long]

[+0xd78] CopyCompleted : 0 [Type: int]

[+0xd7c] Win32Error : 0x0 [Type: unsigned long]

[+0xd80] SyncOnly : 0 [Type: int]

[+0xd84] RetryCount : 0x0 [Type: unsigned long]

[+0xd88] Flags : 0x0 [Type: unsigned long]

[+0xd8c] NextValidTime : 0xffd4b349 [Type: unsigned long]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164)

((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164) : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]

[+0x000] Entry [Type: _LIST_ENTRY]

[+0x008] FileName : "pidgen.dll" [Type: _UNICODE_STRING]

[+0x010] DirName : "c:\windows\system32" [Type: _UNICODE_STRING]

[+0x018] FullPathName : "c:\windows\system32\pidgen.dll" [Type: _UNICODE_STRING]

[+0x020] InfName : "" [Type: _UNICODE_STRING]

[+0x028] SourceFileName : "" [Type: _UNICODE_STRING]

[+0x030] OriginalFileName [Type: unsigned short [128]]

[+0x130] DirHandle : 0x24 [Type: void *]

[+0x134] pvWinSxsCookie : 0x0 [Type: void *]

[+0x138] dwWinSxsFlags : 0x0 [Type: unsigned long]

第二部分: IsFileInQueue 在 SfcErrorQueue 中查找 RegVal 相同的已有请求(此时队列里只有 0x12380d0 一项,Flink 与 Blink 均指向它):

1: kd> p

sfc_os!SfcQueueValidationRequest+0xb9:

001b:76838ee2 e860e7ffff call sfc_os!IsFileInQueue (76837647)

1: kd> t

sfc_os!IsFileInQueue:

001b:76837647 55 push ebp

1: kd> kc

00 sfc_os!IsFileInQueue

01 sfc_os!SfcQueueValidationRequest

02 sfc_os!SfcWatchProtectedDirectoriesWorkerThread

03 kernel32!BaseThreadStart

1: kd> x sfc_os!SfcErrorQueue

76840e80 sfc_os!SfcErrorQueue = struct _LIST_ENTRY [ 0x12380d0 - 0x12380d0 ]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))

(*((sfc_os!_LIST_ENTRY *)0x76840e80)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x12380d0 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x12380d0 [Type: _LIST_ENTRY *]

1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0

sfc_os!VALIDATION_REQUEST_DATA

+0x000 Entry : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]

+0x008 Signature : 0x69696969

+0x010 ImageValData : _COMPLETE_VALIDATION_DATA

+0x130 RegVal : 0x01129164 _SFC_REGISTRY_VALUE

+0x134 SourceInfo : _SOURCE_INFO

+0xd74 ChangeType : 3

+0xd78 CopyCompleted : 0n1

+0xd7c Win32Error : 0

+0xd80 SyncOnly : 0n0

+0xd84 RetryCount : 0

+0xd88 Flags : 1

+0xd8c NextValidTime : 0xffd2d959

if (RegVal == vrd->RegVal) {

return vrd; //VALIDATION_REQUEST_DATA 0x12380d0

}

if (!vrdexisting || (vrdexisting->Flags & VRD_FLAG_REQUEST_PROCESSED) ) {

DebugPrint1( LVL_VERBOSE,

L"Inserting [%ws] into error queue for validation",

RegVal->FullPathName.Buffer );

InsertTailList( &SfcErrorQueue, &vrd->Entry );

ErrorQueueCount += 1;

//

// do this to avoid free later on

//

vrdexisting = NULL;

}

第三部分: IsFileInQueue 返回已有项 0x12380d0(eax)。该项 Flags = 1,即 VRD_FLAG_REQUEST_PROCESSED 已置位,因此新的 vrd 0x1fe0048 被 InsertTailList 插到队尾,ErrorQueueCount 由 1 变为 2:

1: kd> p

sfc_os!IsFileInQueue+0x27:

001b:7683766e 5d pop ebp

1: kd> r

eax=012380d0

D:\srv03rtm\base\subsys\sm/sfc/dll/sfcp.h:471:#define VRD_FLAG_REQUEST_PROCESSED 0x00000001

+0xd88 Flags : 1

1: kd> x sfc_os!ErrorQueueCount

76840e7c sfc_os!ErrorQueueCount = 1

1: kd> x sfc_os!ErrorQueueCount

76840e7c sfc_os!ErrorQueueCount = 2

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))

(*((sfc_os!_LIST_ENTRY *)0x76840e80)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x12380d0 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x1fe0048 [Type: _LIST_ENTRY *]

1: kd> dt VALIDATION_REQUEST_DATA 0x1fe0048

sfc_os!VALIDATION_REQUEST_DATA

+0x000 Entry : _LIST_ENTRY [ 0x76840e80 - 0x12380d0 ]

+0x008 Signature : 0x69696969

+0x010 ImageValData : _COMPLETE_VALIDATION_DATA

+0x130 RegVal : 0x01129164 _SFC_REGISTRY_VALUE

+0x134 SourceInfo : _SOURCE_INFO

+0xd74 ChangeType : 5 //+0xd74 ChangeType : 5

+0xd78 CopyCompleted : 0n0

+0xd7c Win32Error : 0

+0xd80 SyncOnly : 0n0

+0xd84 RetryCount : 0

+0xd88 Flags : 0 //+0xd88 Flags : 0

+0xd8c NextValidTime : 0xffd4b349

1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0

sfc_os!VALIDATION_REQUEST_DATA

+0x000 Entry : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]

+0x008 Signature : 0x69696969

+0x010 ImageValData : _COMPLETE_VALIDATION_DATA

+0x130 RegVal : 0x01129164 _SFC_REGISTRY_VALUE

+0x134 SourceInfo : _SOURCE_INFO

+0xd74 ChangeType : 3 //+0xd74 ChangeType : 3

+0xd78 CopyCompleted : 0n1

+0xd7c Win32Error : 0

+0xd80 SyncOnly : 0n0

+0xd84 RetryCount : 0

+0xd88 Flags : 1 //+0xd88 Flags : 1

+0xd8c NextValidTime : 0xffd2d959

第四部分: hErrorThread 对应的线程(winlogon.exe 进程内,起始地址 SfcQueueValidationThread)此刻正处于 SfcRestoreFromCache → SfcGetValidationData → SfcOpenFile → NtOpenFile 的调用链中:

1: kd> x sfc_os!hErrorThread

76840e88 sfc_os!hErrorThread = 0x00000b4c

1: kd> !handle b4c

PROCESS 89ce3d88 SessionId: 0 Cid: 01d4 Peb: 7ffdf000 ParentCid: 018c

DirBase: 7c1c9000 ObjectTable: e136a268 HandleCount: 564.

Image: winlogon.exe

Handle table at e136a268 with 564 entries in use

0b4c: Object: 892d6da0 GrantedAccess: 001f03ff Entry: e1792698

Object: 892d6da0 Type: (89dd5710) Thread

ObjectHeader: 892d6d88 (old version)

HandleCount: 3 PointerCount: 5

THREAD 892d6da0 Cid 01d4.03bc Teb: 7ffdc000 Win32Thread: e10ecea8 RUNNING on processor 0

IRP List:

899d7838: (0006,01d8) Flags: 00000884 Mdl: 00000000

8936dcd8: (0006,0190) Flags: 00000000 Mdl: 00000000

Not impersonating

DeviceMap e10026b8

Owning Process 89ce3d88 Image: winlogon.exe

Attached Process N/A Image: N/A

Wait Start TickCount 274695963 Ticks: 0

Context Switch Count 441 IdealProcessor: 0 LargeStack

UserTime 00:00:00.156

KernelTime 00:00:00.156

Win32 Start Address sfc_os!SfcQueueValidationThread (0x7683856f)

Stack Init b9af1000 Current b9af0924 Base b9af1000 Limit b9aec000 Call 00000000

Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0

ChildEBP RetAddr

b9af06f4 80aed4e8 nt!ExpAssertResource+0x71 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 2913]

b9af0718 f713659e nt!ExReleaseResourceLite+0x18 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 1410]

b9af071c f7135f80 Ntfs!NtfsCommonCreate+0x1da0 (FPO: [SEH]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4202]

b9af0908 f712f53e Ntfs!NtfsCommonCreate+0x1782 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4210]

b9af0a08 80a2675c Ntfs!NtfsFsdCreate+0x1f6 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 904]

b9af0a24 80c75af1 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]

b9af0b20 80c7607c nt!IopParseDevice+0xd7d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 1317]

b9af0b58 80d1cb2c nt!IopParseFile+0x78 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 2014]

b9af0bd4 80d16798 nt!ObpLookupObjectName+0x14a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obdir.c @ 1834]

b9af0c28 80c61f73 nt!ObOpenObjectByName+0x13e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obref.c @ 767]

b9af0ca4 80c63967 nt!IopCreateFile+0x44d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 5494]

b9af0cf0 80c6892f nt!IoCreateFile+0x73 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 4788]

b9af0d38 80afbcb2 nt!NtOpenFile+0x57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\open.c @ 95]

b9af0d38 7ffe0304 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b9af0d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]

007cf674 77f2f1d8 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])

007cf678 7682f536 ntdll!NtOpenFile+0xc (FPO: [6,0,0]) [d:\srv03rtm\base\ntdll\daytona\obj\i386\usrstubs.asm @ 1099]

007cf6c4 76837870 sfc_os!SfcOpenFile+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\fileio.c @ 87]

007cf6ec 7683297d sfc_os!SfcGetValidationData+0x8b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2126]

007cf724 76838b81 sfc_os!SfcRestoreFromCache+0x2fa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\restore.c @ 1483]

007cffb8 77e41be7 sfc_os!SfcQueueValidationThread+0x612 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1702]

007cffec 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]

第五部分: 同一 RegVal(pidgen.dll)再次进入 SfcQueueValidationRequest,此次 ChangeType = 3:

Breakpoint 4 hit

sfc_os!SfcQueueValidationRequest:

001b:76838e29 6a1c push 1Ch

1: kd> dv

RegVal = 0x01129164

ChangeType = 3

vrd = 0x012bfef0

Status = 0n1988337684

vrdexisting = 0x012bffdc