winlogon!StateMachineRun 依赖 winlogon 中的一组核心全局数据结构：状态机状态表（g_xWLGeneric_*_State）。从下面的跟踪可以看到，每个状态结构在 +4/+8/+0xC 偏移处分别存放 Enter/Execute/Exit 回调指针，StateMachineRun 通过 `call dword ptr [ebx+4]`、`[ebx+8]`、`[ebx+0Ch]` 间接调用它们；+0x14 指向一张按信号值索引、每项 0xC 字节的转移表（`imul eax,eax,0Ch` 后再寻址）。

第0部分:

kd> g

Breakpoint 0 hit

winlogon!WMsgKMessageHandler:

001b:009cf97b 8bff mov edi,edi

kd> g

Breakpoint 8 hit

winlogon!WlStateMachineSetSignal:

001b:009d0bc1 8bff mov edi,edi

kd> g

Breakpoint 2 hit

winlogon!SignalManagerSetSignal:

001b:009efe64 6a1c push 1Ch

kd> g

Breakpoint 17 hit

winlogon!StateMachineRun+0x29c:

001b:009ef07c 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh

kd> g

Breakpoint 16 hit

winlogon!StateMachineRun+0x3b4:

001b:009ef194 8b150c40a000 mov edx,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]

kd> p

winlogon!StateMachineRun+0x3ba:

001b:009ef19a 837b0800 cmp dword ptr [ebx+8],0

kd> r

eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef93c edi=00141038

eip=009ef19a esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz ac po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212

winlogon!StateMachineRun+0x3ba:

001b:009ef19a 837b0800 cmp dword ptr [ebx+8],0 ds:0023:00a02ccc={winlogon!WLGeneric_Logged_On_Execute (009d4d1e)}

kd> dd 00a02cc4

00a02cc4 009c2290 00000000 009d4d1e 009d4dd8

00a02cd4 00000010 00a02bf0 00000005 00a02cb0

00a02ce4 0000001c 00000000 fffffffe 00000000

00a02cf4 009c2264 009d636f 00000000 00000000

00a02d04 00000001 00a02ce8 00000000 00000000

00a02d14 0000001d 00000000 fffffffe 00000000

00a02d24 009c2238 009d4f39 00000000 00000000

00a02d34 00000001 00a02d18 00000000 00000000

kd> u 009d4d1e

winlogon!WLGeneric_Logged_On_Execute:

009d4d1e 6a08 push 8

009d4d20 6860d99f00 push offset winlogon!_snprintf_s+0x40a (009fd960)

009d4d25 e8728a0100 call winlogon!_SEH_prolog4 (009ed79c)

009d4d2a a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]

009d4d2f 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)

009d4d34 7424 je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)

009d4d36 f7401c00010000 test dword ptr [eax+1Ch],100h

009d4d3d 741b je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)

kd> p

winlogon!StateMachineRun+0x3be:

001b:009ef19e 744d je winlogon!StateMachineRun+0x40d (009ef1ed)

kd> p

winlogon!StateMachineRun+0x3c0:

001b:009ef1a0 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)

kd> p

winlogon!StateMachineRun+0x3c6:

001b:009ef1a6 741f je winlogon!StateMachineRun+0x3e7 (009ef1c7)

kd> p

winlogon!StateMachineRun+0x3c8:

001b:009ef1a8 f6421c01 test byte ptr [edx+1Ch],1

kd> p

winlogon!StateMachineRun+0x3cc:

001b:009ef1ac 7419 je winlogon!StateMachineRun+0x3e7 (009ef1c7)

kd> p

winlogon!StateMachineRun+0x3ce:

001b:009ef1ae 807a1905 cmp byte ptr [edx+19h],5

kd> p

winlogon!StateMachineRun+0x3d2:

001b:009ef1b2 7213 jb winlogon!StateMachineRun+0x3e7 (009ef1c7)

kd> p

winlogon!StateMachineRun+0x3e7:

001b:009ef1c7 6aff push 0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x3e9:

001b:009ef1c9 ff7604 push dword ptr [esi+4]

kd> p

winlogon!StateMachineRun+0x3ec:

001b:009ef1cc ff15fc109c00 call dword ptr [winlogon!_imp__WaitForSingleObject (009c10fc)]

kd> p

winlogon!StateMachineRun+0x3f2:

001b:009ef1d2 85c0 test eax,eax

kd> p

winlogon!StateMachineRun+0x3f4:

001b:009ef1d4 7417 je winlogon!StateMachineRun+0x40d (009ef1ed)

kd> p

winlogon!StateMachineRun+0x40d:

001b:009ef1ed 8d45d8 lea eax,[ebp-28h]

kd> p

winlogon!StateMachineRun+0x410:

001b:009ef1f0 50 push eax

kd> p

winlogon!StateMachineRun+0x411:

001b:009ef1f1 8d45f4 lea eax,[ebp-0Ch]

kd> p

winlogon!StateMachineRun+0x414:

001b:009ef1f4 50 push eax

kd> p

winlogon!StateMachineRun+0x415:

001b:009ef1f5 ff7710 push dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x418:

001b:009ef1f8 ff7314 push dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x41b:

001b:009ef1fb ff7310 push dword ptr [ebx+10h]

kd> p

winlogon!StateMachineRun+0x41e:

001b:009ef1fe ff37 push dword ptr [edi]

kd> p

winlogon!StateMachineRun+0x420:

001b:009ef200 e8e8110000 call winlogon!SignalManagerGetSignal (009f03ed)

kd> p

winlogon!StateMachineRun+0x425:

001b:009ef205 837df4ff cmp dword ptr [ebp-0Ch],0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x429:

001b:009ef209 752a jne winlogon!StateMachineRun+0x455 (009ef235)

kd> p

winlogon!StateMachineRun+0x455:

001b:009ef235 8b45f4 mov eax,dword ptr [ebp-0Ch]

kd> p

winlogon!StateMachineRun+0x458:

001b:009ef238 8b4b14 mov ecx,dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x45b:

001b:009ef23b 6bc00c imul eax,eax,0Ch

kd> p

winlogon!StateMachineRun+0x45e:

001b:009ef23e 8b0408 mov eax,dword ptr [eax+ecx]

kd> p

winlogon!StateMachineRun+0x461:

001b:009ef241 8365f000 and dword ptr [ebp-10h],0

kd> p

winlogon!StateMachineRun+0x465:

001b:009ef245 837b1800 cmp dword ptr [ebx+18h],0

kd> p

winlogon!StateMachineRun+0x469:

001b:009ef249 8945ec mov dword ptr [ebp-14h],eax

kd> g

Breakpoint 7 hit

winlogon!StateMachineRun+0x1a4:

001b:009eef84 397b08 cmp dword ptr [ebx+8],edi

kd> u 009d4d1e

winlogon!WLGeneric_Logged_On_Execute:

009d4d1e 6a08 push 8

009d4d20 6860d99f00 push offset winlogon!_snprintf_s+0x40a (009fd960)

009d4d25 e8728a0100 call winlogon!_SEH_prolog4 (009ed79c)

009d4d2a a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]

009d4d2f 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)

009d4d34 7424 je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)

009d4d36 f7401c00010000 test dword ptr [eax+1Ch],100h

009d4d3d 741b je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)

kd> bp winlogon!WLGeneric_Logged_On_Execute

kd> p

winlogon!StateMachineRun+0x1a7:

001b:009eef87 0f84aa000000 je winlogon!StateMachineRun+0x257 (009ef037)

kd> g

Breakpoint 12 hit

winlogon!StateMachineWorkerCallback:

001b:009ee92f 8bff mov edi,edi

kd> g

Breakpoint 13 hit

winlogon!WLGeneric_CAD_Execute:

001b:009d4e12 8bff mov edi,edi

kd> kc

00 winlogon!WLGeneric_CAD_Execute

01 winlogon!StateMachineWorkerCallback

02 ntdll!TppWorkpExecuteCallback

03 ntdll!TppWorkerThread

04 kernel32!BaseThreadInitThunk

05 ntdll!__RtlUserThreadStart

06 ntdll!_RtlUserThreadStart

第一部分:

在 Ctrl+Alt+Del 安全选项界面点击"返回"后（从下面的调用栈看，WLGeneric_CAD_Execute → HandleSecurityOptions 先经 WlAccessibilitySwitchDesktop/SwitchDesktop 切回桌面，再通过 WlStateMachineSetSignal 向状态机发出信号）:

kd> bp 009ef07c

breakpoint 17 redefined

kd> g

Breakpoint 1 hit

USER32!NtUserSwitchDesktop:

001b:752fd072 b852120000 mov eax,1252h

kd> kc

00 USER32!NtUserSwitchDesktop

01 USER32!SwitchDesktop

02 winlogon!ResilientSwitchDesktopWithFade

03 winlogon!CSession::SwitchDesktop

04 winlogon!WlAccessibilitySwitchDesktop

05 winlogon!HandleSecurityOptions

06 winlogon!WLGeneric_CAD_Execute

07 winlogon!StateMachineWorkerCallback

08 ntdll!TppWorkpExecuteCallback

09 ntdll!TppWorkerThread

0a kernel32!BaseThreadInitThunk

0b ntdll!__RtlUserThreadStart

0c ntdll!_RtlUserThreadStart

kd> g

Breakpoint 8 hit

winlogon!WlStateMachineSetSignal:

001b:009d0bc1 8bff mov edi,edi

kd> kc

00 winlogon!WlStateMachineSetSignal

01 winlogon!HandleSecurityOptions

02 winlogon!HandleSecurityOptions

03 winlogon!WLGeneric_CAD_Execute

04 winlogon!StateMachineWorkerCallback

05 ntdll!TppWorkpExecuteCallback

06 ntdll!TppWorkerThread

07 kernel32!BaseThreadInitThunk

08 ntdll!__RtlUserThreadStart

09 ntdll!_RtlUserThreadStart

kd> g

Breakpoint 2 hit

winlogon!SignalManagerSetSignal:

001b:009efe64 6a1c push 1Ch

kd> g

Breakpoint 17 hit

winlogon!StateMachineRun+0x29c:

001b:009ef07c 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh

点击返回后，执行流回到断点 17（StateMachineRun+0x29c），即状态机主循环接收到信号后的处理入口。

第二部分:

kd> p

winlogon!StateMachineRun+0x2a0:

001b:009ef080 7517 jne winlogon!StateMachineRun+0x2b9 (009ef099)

kd> p

winlogon!StateMachineRun+0x2b9:

001b:009ef099 8b150c40a000 mov edx,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]

kd> p

winlogon!StateMachineRun+0x2bf:

001b:009ef09f 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)

kd> p

winlogon!StateMachineRun+0x2c5:

001b:009ef0a5 7424 je winlogon!StateMachineRun+0x2eb (009ef0cb)

kd> p

winlogon!StateMachineRun+0x2c7:

001b:009ef0a7 f6421c01 test byte ptr [edx+1Ch],1

kd> p

winlogon!StateMachineRun+0x2cb:

001b:009ef0ab 741e je winlogon!StateMachineRun+0x2eb (009ef0cb)

kd> p

winlogon!StateMachineRun+0x2cd:

001b:009ef0ad 807a1905 cmp byte ptr [edx+19h],5

kd> p

winlogon!StateMachineRun+0x2d1:

001b:009ef0b1 7218 jb winlogon!StateMachineRun+0x2eb (009ef0cb)

kd> p

winlogon!StateMachineRun+0x2eb:

001b:009ef0cb 8b45f8 mov eax,dword ptr [ebp-8]

kd> p

winlogon!StateMachineRun+0x2ee:

001b:009ef0ce 8b4b14 mov ecx,dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x2f1:

001b:009ef0d1 6bc00c imul eax,eax,0Ch

kd> p

winlogon!StateMachineRun+0x2f4:

001b:009ef0d4 f744080801000000 test dword ptr [eax+ecx+8],1

kd> p

winlogon!StateMachineRun+0x2fc:

001b:009ef0dc 7473 je winlogon!StateMachineRun+0x371 (009ef151)

kd> p

winlogon!StateMachineRun+0x371:

001b:009ef151 837b0c00 cmp dword ptr [ebx+0Ch],0

kd> r

eax=00000000 ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038

eip=009ef151 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

winlogon!StateMachineRun+0x371:

001b:009ef151 837b0c00 cmp dword ptr [ebx+0Ch],0 ds:0023:00a03074={winlogon!WLGeneric_CAD_Exit (009d4e7a)}

kd> dd 00a03068

00a03068 009c2080 00000000 009d4e12 009d4e7a

00a03078 0000000c 00a02fc8 00000004 00a03058

00a03088 00000029 009c2068 009d4ede 00000000

00a03098 00000000 00000006 00a030b0 00000000

00a030a8 00000000 0000002a 00000004 0000001c

00a030b8 00000002 00000002 0000004c 00000000

00a030c8 00000012 0000001c 00000002 0000001f

00a030d8 00000030 00000000 00000007 0000001c

00a03068 winlogon!g_xWLGeneric_CAD_State = &lt;no type information&gt;　—— 这是重要的全局状态结构。对照上面的 dd 输出与符号解析：+8 为 Execute 回调（WLGeneric_CAD_Execute，009d4e12），+0xC 为 Exit 回调（WLGeneric_CAD_Exit，009d4e7a），+4（Enter）在该状态中为 0；+0x14（00a02fc8）指向按信号索引的转移表。

`cmp dword ptr [ebx+0Ch],0`（StateMachineRun+0x371）是关键判断：检查当前状态是否有 Exit 回调；非 0 时在 +0x3b1 处 `call dword ptr [ebx+0Ch]` 调用它。其前面对 WPP_GLOBAL_Control 的 `test byte ptr [edx+1Ch],1` / `cmp byte ptr [edx+19h],5` 看起来只是 WPP 跟踪开关的判断，与状态迁移逻辑无关。

kd> u 009d4e7a

winlogon!WLGeneric_CAD_Exit:

009d4e7a 8bff mov edi,edi

009d4e7c 55 push ebp

009d4e7d 8bec mov ebp,esp

009d4e7f a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]

009d4e84 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)

009d4e89 7424 je winlogon!WLGeneric_CAD_Exit+0x35 (009d4eaf)

009d4e8b f7401c00010000 test dword ptr [eax+1Ch],100h

009d4e92 741b je winlogon!WLGeneric_CAD_Exit+0x35 (009d4eaf)

kd> u 009d4e12

winlogon!WLGeneric_CAD_Execute:

009d4e12 8bff mov edi,edi

009d4e14 55 push ebp

009d4e15 8bec mov ebp,esp

009d4e17 a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]

009d4e1c 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)

009d4e21 7424 je winlogon!WLGeneric_CAD_Execute+0x35 (009d4e47)

009d4e23 f7401c00010000 test dword ptr [eax+1Ch],100h

009d4e2a 741b je winlogon!WLGeneric_CAD_Execute+0x35 (009d4e47)

第三部分:

kd> x winlogon!g*_State

00a03270 winlogon!g_xWLGeneric_HandleSecureLuaBeforeShell_State = <no type information>

00a0262c winlogon!g_xWLGeneric_Authenticating_State = <no type information>
00a03068 winlogon!g_xWLGeneric_CAD_State = <no type information>

00a024b4 winlogon!g_xWLGeneric_DisplayLegalNotice_State = <no type information>

00a02490 winlogon!g_xWLGeneric_AccesNotifyAsUser_State = <no type information>

00a033b0 winlogon!g_xWLGeneric_Killing_Scrnsaver_Logged_On_State = <no type information>

00a022d4 winlogon!g_xWLGeneric_Welcome_State = <no type information>

00a03510 winlogon!g_xWLGeneric_MPRChangeNotify_State = <no type information>

00a02430 winlogon!g_xWLGeneric_PowerTransition_ShowResumeMsg_State = <no type information>

00a03164 winlogon!g_xWLGeneric_SecureCredUI_Operation_State = <no type information>

00a02d54 winlogon!g_xWLGeneric_PowerTransition_Logged_On_State = <no type information>

00a02bcc winlogon!g_xWLGeneric_ChangeLogon_ReportResult_State = <no type information>

00a032a0 winlogon!g_xWLGeneric_AbortPendingLuaRequest_State = <no type information>

00a03b14 winlogon!g_xWLGeneric_Locked_Disconnected_State = <no type information>

00a026c8 winlogon!g_xWLGeneric_Logon_ReportSuccessResult_State = <no type information>

00a02b54 winlogon!g_xWLGeneric_MPRChangeLogonNotify_State = <no type information>

00a02384 winlogon!g_xWLGeneric_Killing_Scrnsaver_Welcome_State = <no type information>

00a02204 winlogon!g_xWLGeneric_NotifyCreateSession_State = <no type information>

00a03d3c winlogon!g_xWLGeneric_LogoffNotify_State = <no type information>

00a02cf4 winlogon!g_xWLGeneric_DelayedSwitchDesktop_State = <no type information>

00a02dac winlogon!g_xWLGeneric_Logged_On_Hibernating_State = <no type information>

00a03658 winlogon!g_xWLGeneric_InitiateLock_State = <no type information>

00a036f0 winlogon!g_xWLGeneric_Locked_State = <no type information>

00a02348 winlogon!g_xWLGeneric_TimeoutHandler_Welcome_State = <no type information>

00a025e0 winlogon!g_xWLGeneric_Handle_LogonUI_Failure_State = <no type information>

00a033e0 winlogon!g_xWLGeneric_TO_Disconnected_State = <no type information>

00a02534 winlogon!g_xWLGeneric_Request_Logon_Credz_State = <no type information>

00a02788 winlogon!g_xWLGeneric_Logon_ReportLastLogon_State = <no type information>

00a03a68 winlogon!g_xWLGeneric_Killing_Scrnsaver_Locked_State = <no type information>

00a02edc winlogon!g_xWLGeneric_InitiateDisconnect_State = <no type information>

00a0378c winlogon!g_xWLGeneric_Request_Unlock_Credz_State = <no type information>

00a035c4 winlogon!g_xWLGeneric_PostChangeActions_State = <no type information>

00a0399c winlogon!g_xWLGeneric_Unlock_ReportFailedResult_State = <no type information>

00a038ac winlogon!g_xWLGeneric_Unlock_ReportLastLogon_State = <no type information>

00a03888 winlogon!g_xWLGeneric_Unlock_Checking_LastLogonPolicy_State = <no type information>

00a021e0 winlogon!g_xWLGeneric_Start_State = <no type information>

00a0384c winlogon!g_xWLGeneric_Unlock_ReportSuccessResult_State = <no type information>

00a034d4 winlogon!g_xWLGeneric_ChangingPassword_State = <no type information>

00a02e9c winlogon!g_xWLGeneric_TimeoutHandler_Logged_On_Resume_State = <no type information>

00a03b64 winlogon!g_xWLGeneric_Locked_Reconnect_State = <no type information>

00a03a1c winlogon!g_xWLGeneric_TimeoutHandler_Locked_State = <no type information>

00a02acc winlogon!g_xWLGeneric_Request_LogonChange_Credz_State = <no type information>

00a023b4 winlogon!g_xWLGeneric_PowerTransition_Welcome_State = <no type information>

00a02704 winlogon!g_xWLGeneric_Logon_Checking_LastLogonPolicy_State = <no type information>

00a03d6c winlogon!g_xWLGeneric_PseudoLogging_Off1_State = <no type information>

00a03c4c winlogon!g_xWLGeneric_ReconnectionUpdate_State = <no type information>

00a032f4 winlogon!g_xWLGeneric_TimeoutHandler_Logged_On_State = <no type information>

00a02f24 winlogon!g_xWLGeneric_Logged_On_Disconnected_State = <no type information>

00a02de8 winlogon!g_xWLGeneric_InitiateLock_On_Resume_State = <no type information>

00a02cc4 winlogon!g_xWLGeneric_Logged_On_State = <no type information>

00a03da8 winlogon!g_xWLGeneric_PseudoLogging_Off2_State = <no type information>

00a02f74 winlogon!g_xWLGeneric_Logged_On_Reconnect_State = <no type information>

00a027ac winlogon!g_xWLGeneric_Logon_ReportFailedResult_State = <no type information>

00a03acc winlogon!g_xWLGeneric_CompleteLockRequest_State = <no type information>

00a02848 winlogon!g_xWLGeneric_WaitForDisconnectAfterFailedAuth_State = <no type information>

00a03dd8 winlogon!g_xWLGeneric_PseudoLogging_Off3_State = <no type information>

00a03bec winlogon!g_xWLGeneric_Locked_Hibernating_State = <no type information>

00a0286c winlogon!g_xWLGeneric_FindDestinationSession_State = <no type information>

00a02460 winlogon!g_xWLGeneric_AccesNotifyAsSystem_State = <no type information>

00a02e60 winlogon!g_xWLGeneric_Locked_Resume_State = <no type information>

00a03a9c winlogon!g_xWLGeneric_PostUnlockActions_State = <no type information>
00a0308c winlogon!g_xWLGeneric_CAD_Return_State = <no type information>

00a02d24 winlogon!g_xWLGeneric_CredsAreStaleReminder_State = <no type information>

00a03e14 winlogon!g_xWLGeneric_NotifyTerminateSession_State = <no type information>

00a02400 winlogon!g_xWLGeneric_Welcome_Hibernating_State = <no type information>

00a03240 winlogon!g_xWLGeneric_ReadyForSecureLua_State = <no type information>

00a02e24 winlogon!g_xWLGeneric_Logged_On_Resume_State = <no type information>

00a03210 winlogon!g_xWLGeneric_StartSecureLua_State = <no type information>

00a02a3c winlogon!g_xWLGeneric_ShellStartup_State = <no type information>

00a032d0 winlogon!g_xWLGeneric_TaskManager_State = <no type information>

00a02b18 winlogon!g_xWLGeneric_ChangingLogonPassword_State = <no type information>

00a03b98 winlogon!g_xWLGeneric_PowerTransition_Locked_State = <no type information>

00a03488 winlogon!g_xWLGeneric_Request_Change_Credz_State = <no type information>

00a029e8 winlogon!g_xWLGeneric_ActivationAndNotifyStartShell_State = <no type information>

00a03c7c winlogon!g_xWLGeneric_InitiateForceLogoff_State = <no type information>

00a037d4 winlogon!g_xWLGeneric_Unlocking_State = <no type information>

00a0290c winlogon!g_xWLGeneric_NotifyLogon_State = <no type information>

00a03534 winlogon!g_xWLGeneric_Change_ReportResult_State = <no type information>

00a02668 winlogon!g_xWLGeneric_MPRLogonNotify_State = <no type information>

00a03c1c winlogon!g_xWLGeneric_AbortPendingLockRequest_State = <no type information>

00a03d0c winlogon!g_xWLGeneric_Logging_Off_State = <no type information>

00a02fa4 winlogon!g_xWLGeneric_ShellRestart_State = <no type information>

00a03cb8 winlogon!g_xWLGeneric_NotifyEndShell_State = <no type information>

第四部分:

kd> x winlogon!g_xWLGeneric_CAD_State

00a03068 winlogon!g_xWLGeneric_CAD_State = <no type information>

kd> p

winlogon!StateMachineRun+0x377:

001b:009ef157 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)

kd> r

eax=00000000 ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038

eip=009ef157 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202

winlogon!StateMachineRun+0x377:

001b:009ef157 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)

kd> p

winlogon!StateMachineRun+0x37d:

001b:009ef15d 741f je winlogon!StateMachineRun+0x39e (009ef17e)

kd> p

winlogon!StateMachineRun+0x37f:

001b:009ef15f f6421c01 test byte ptr [edx+1Ch],1

kd> r

eax=00000000 ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038

eip=009ef15f esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz ac po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212

winlogon!StateMachineRun+0x37f:

001b:009ef15f f6421c01 test byte ptr [edx+1Ch],1 ds:0023:00a04b54=ff

kd> p

winlogon!StateMachineRun+0x383:

001b:009ef163 7419 je winlogon!StateMachineRun+0x39e (009ef17e)

kd> p

winlogon!StateMachineRun+0x385:

001b:009ef165 807a1905 cmp byte ptr [edx+19h],5

kd> p

winlogon!StateMachineRun+0x389:

001b:009ef169 7213 jb winlogon!StateMachineRun+0x39e (009ef17e)

kd> p

winlogon!StateMachineRun+0x39e:

001b:009ef17e 8b45f8 mov eax,dword ptr [ebp-8]

kd> p

winlogon!StateMachineRun+0x3a1:

001b:009ef181 8b4b14 mov ecx,dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x3a4:

001b:009ef184 6bc00c imul eax,eax,0Ch

kd> p

winlogon!StateMachineRun+0x3a7:

001b:009ef187 8b0408 mov eax,dword ptr [eax+ecx]

kd> p

winlogon!StateMachineRun+0x3aa:

001b:009ef18a 894638 mov dword ptr [esi+38h],eax

kd> p

winlogon!StateMachineRun+0x3ad:

001b:009ef18d 8d4610 lea eax,[esi+10h]

kd> p

winlogon!StateMachineRun+0x3b0:

001b:009ef190 50 push eax

kd> p

winlogon!StateMachineRun+0x3b1:

001b:009ef191 ff530c call dword ptr [ebx+0Ch]

kd> r

eax=000ef85c ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038

eip=009ef191 esp=000ef83c ebp=000ef9dc iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

winlogon!StateMachineRun+0x3b1:

001b:009ef191 ff530c call dword ptr [ebx+0Ch] ds:0023:00a03074={winlogon!WLGeneric_CAD_Exit (009d4e7a)}

kd> dd 00a03068

00a03068 009c2080 00000000 009d4e12 009d4e7a

00a03078 0000000c 00a02fc8 00000004 00a03058

00a03088 00000029 009c2068 009d4ede 00000000

00a03098 00000000 00000006 00a030b0 00000000

00a030a8 00000000 0000002a 00000004 0000001c

00a030b8 00000002 00000002 0000004c 00000000

00a030c8 00000012 0000001c 00000002 0000001f

00a030d8 00000030 00000000 00000007 0000001c

第五部分:

执行 CAD_Exit 后，状态机切换到 00a0308c 对应的状态（下面 r 输出中 ebx=00a0308c）：

00a0308c winlogon!g_xWLGeneric_CAD_Return_State = <no type information>

kd> p

winlogon!StateMachineRun+0x3ce:

001b:009ef1ae 807a1905 cmp byte ptr [edx+19h],5

kd> p

winlogon!StateMachineRun+0x3d2:

001b:009ef1b2 7213 jb winlogon!StateMachineRun+0x3e7 (009ef1c7)

kd> p

winlogon!StateMachineRun+0x3e7:

001b:009ef1c7 6aff push 0FFFFFFFFh

kd> p

winlogon!StateMachineRun+0x3e9:

001b:009ef1c9 ff7604 push dword ptr [esi+4]

kd> p

winlogon!StateMachineRun+0x3ec:

001b:009ef1cc ff15fc109c00 call dword ptr [winlogon!_imp__WaitForSingleObject (009c10fc)]

kd> p

winlogon!StateMachineRun+0x3f2:

001b:009ef1d2 85c0 test eax,eax

kd> p

winlogon!StateMachineRun+0x3f4:

001b:009ef1d4 7417 je winlogon!StateMachineRun+0x40d (009ef1ed)

kd> p

winlogon!StateMachineRun+0x40d:

001b:009ef1ed 8d45d8 lea eax,[ebp-28h]

kd> p

winlogon!StateMachineRun+0x410:

001b:009ef1f0 50 push eax

kd> p

winlogon!StateMachineRun+0x411:

001b:009ef1f1 8d45f4 lea eax,[ebp-0Ch]

kd> p

winlogon!StateMachineRun+0x414:

001b:009ef1f4 50 push eax

kd> p

winlogon!StateMachineRun+0x415:

001b:009ef1f5 ff7710 push dword ptr [edi+10h]

kd> p

winlogon!StateMachineRun+0x418:

001b:009ef1f8 ff7314 push dword ptr [ebx+14h]

kd> p

winlogon!StateMachineRun+0x41b:

001b:009ef1fb ff7310 push dword ptr [ebx+10h]

kd> p

winlogon!StateMachineRun+0x41e:

001b:009ef1fe ff37 push dword ptr [edi]

kd> p

winlogon!StateMachineRun+0x420:

001b:009ef200 e8e8110000 call winlogon!SignalManagerGetSignal (009f03ed)

kd> p

winlogon!StateMachineRun+0x425:

001b:009ef205 837df4ff cmp dword ptr [ebp-0Ch],0FFFFFFFFh

kd> g

Breakpoint 6 hit

winlogon!StateMachineRun+0x1a1:

001b:009eef81 ff5304 call dword ptr [ebx+4]

kd> r

eax=000ef898 ebx=00a0308c ecx=00000000 edx=76fda084 esi=000ef888 edi=00000000

eip=009eef81 esp=000ef83c ebp=000ef9dc iopl=0 nv up ei ng nz ac pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297

winlogon!StateMachineRun+0x1a1:

001b:009eef81 ff5304 call dword ptr [ebx+4] ds:0023:00a03090={winlogon!WLGeneric_CAD_Return_Enter (009d4ede)}

kd> dd 00a0308c

00a0308c 009c2068 009d4ede 00000000 00000000

00a0309c 00000006 00a030b0 00000000 00000000

00a030ac 0000002a 00000004 0000001c 00000002

00a030bc 00000002 0000004c 00000000 00000012

00a030cc 0000001c 00000002 0000001f 00000030

00a030dc 00000000 00000007 0000001c 00000002

00a030ec 00000000 0000001c 00000000 00000002

00a030fc 0000001c 00000002 00000012 0000001c

kd> u 009d4ede

winlogon!WLGeneric_CAD_Return_Enter:

009d4ede 8bff mov edi,edi

009d4ee0 55 push ebp

009d4ee1 8bec mov ebp,esp

009d4ee3 a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]

009d4ee8 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)

009d4eed 7424 je winlogon!WLGeneric_CAD_Return_Enter+0x35 (009d4f13)

009d4eef f7401c00010000 test dword ptr [eax+1Ch],100h

009d4ef6 741b je winlogon!WLGeneric_CAD_Return_Enter+0x35 (009d4f13)

kd> p

Breakpoint 3 hit

winlogon!WLGeneric_CAD_Return_Enter:

001b:009d4ede 8bff mov edi,edi

kd> kc

00 winlogon!WLGeneric_CAD_Return_Enter
01 winlogon!StateMachineRun

02 winlogon!WlStateMachineRun

03 winlogon!WinMain

04 winlogon!_initterm_e

05 kernel32!BaseThreadInitThunk

06 ntdll!__RtlUserThreadStart

07 ntdll!_RtlUserThreadStart

kd> p

winlogon!WLGeneric_CAD_Return_Enter+0x3c:

001b:009d4f1a ff7004 push dword ptr [eax+4]

kd> p

winlogon!WLGeneric_CAD_Return_Enter+0x3f:

001b:009d4f1d e8d51e0100 call winlogon!WlAccessibilitySwitchDesktop (009e6df7)

kd> p

Breakpoint 1 hit

USER32!NtUserSwitchDesktop:

001b:752fd072 b852120000 mov eax,1252h

kd> kc

00 USER32!NtUserSwitchDesktop

01 USER32!SwitchDesktop

02 winlogon!ResilientSwitchDesktopWithFade

03 winlogon!CSession::SwitchDesktop

04 winlogon!WlAccessibilitySwitchDesktop

05 winlogon!WLGeneric_CAD_Return_Enter

06 winlogon!StateMachineRun

07 winlogon!WlStateMachineRun

08 winlogon!WinMain

09 winlogon!_initterm_e

0a kernel32!BaseThreadInitThunk

0b ntdll!__RtlUserThreadStart

0c ntdll!_RtlUserThreadStart

kd> g

Breakpoint 8 hit

winlogon!WlStateMachineSetSignal:

001b:009d0bc1 8bff mov edi,edi

kd> kc

00 winlogon!WlStateMachineSetSignal

01 winlogon!WLGeneric_CAD_Return_Enter

02 winlogon!StateMachineRun

03 winlogon!WlStateMachineRun

04 winlogon!WinMain

05 winlogon!_initterm_e

06 kernel32!BaseThreadInitThunk

07 ntdll!__RtlUserThreadStart

08 ntdll!_RtlUserThreadStart

kd> g

Breakpoint 2 hit

winlogon!SignalManagerSetSignal:

001b:009efe64 6a1c push 1Ch

kd> g

Breakpoint 15 hit

winlogon!WLGeneric_CAD_Return_Enter+0x52:

001b:009d4f30 5d pop ebp

kd> p

winlogon!WLGeneric_CAD_Return_Enter+0x53:

001b:009d4f31 c20400 ret 4

kd> p

Breakpoint 7 hit

winlogon!StateMachineRun+0x1a4:

001b:009eef84 397b08 cmp dword ptr [ebx+8],edi

kd> pr

eax=00000000 ebx=00a0308c ecx=009f00fd edx=000001c4 esi=000ef888 edi=00000000

eip=009eef87 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

winlogon!StateMachineRun+0x1a7:

001b:009eef87 0f84aa000000 je winlogon!StateMachineRun+0x257 (009ef037) [br=1]

00a0308c winlogon!g_xWLGeneric_CAD_Return_State = <no type information>

kd> dd 00a0308c

00a0308c 009c2068 009d4ede 00000000 00000000

00a0309c 00000006 00a030b0 00000000 00000000

00a030ac 0000002a 00000004 0000001c 00000002

00a030bc 00000002 0000004c 00000000 00000012

00a030cc 0000001c 00000002 0000001f 00000030

00a030dc 00000000 00000007 0000001c 00000002

00a030ec 00000000 0000001c 00000000 00000002

00a030fc 0000001c 00000002 00000012 0000001c

注意：ebx+8 是 Execute 回调而不是 Exit 回调（参见前面 `[ebx+8]` 解析为 WLGeneric_Logged_On_Execute）。g_xWLGeneric_CAD_Return_State 的 +8 为 0，所以 StateMachineRun+0x1a7 处的 je 成立（br=1），跳过 Execute 阶段；其 +0xC（Exit 回调）同样为 0。该状态只有 +4 处的 WLGeneric_CAD_Return_Enter，它负责切回桌面并发信号。
