kd> g
Breakpoint 16 hit
winlogon!StateMachineRun+0x3b4:
001b:009ef194 8b150c40a000 mov edx,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
kd> p
winlogon!StateMachineRun+0x3ba:
001b:009ef19a 837b0800 cmp dword ptr [ebx+8],0
kd> p
winlogon!StateMachineRun+0x3be:
001b:009ef19e 744d je winlogon!StateMachineRun+0x40d (009ef1ed)
kd> r
eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef8c4 edi=00141038
eip=009ef19e esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
winlogon!StateMachineRun+0x3be:
001b:009ef19e 744d je winlogon!StateMachineRun+0x40d (009ef1ed) [br=0]
kd> dd 00a02cc4
00a02cc4 009c2290 00000000 009d4d1e 009d4dd8
00a02cd4 00000010 00a02bf0 00000005 00a02cb0
00a02ce4 0000001c 00000000 fffffffe 00000000
00a02cf4 009c2264 009d636f 00000000 00000000
00a02d04 00000001 00a02ce8 00000000 00000000
00a02d14 0000001d 00000000 fffffffe 00000000
00a02d24 009c2238 009d4f39 00000000 00000000
00a02d34 00000001 00a02d18 00000000 00000000
kd> u 009d4d1e
winlogon!WLGeneric_Logged_On_Execute:
009d4d1e 6a08 push 8
009d4d20 6860d99f00 push offset winlogon!_snprintf_s+0x40a (009fd960)
009d4d25 e8728a0100 call winlogon!_SEH_prolog4 (009ed79c)
009d4d2a a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4d2f 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4d34 7424 je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
009d4d36 f7401c00010000 test dword ptr [eax+1Ch],100h
009d4d3d 741b je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
kd> p
winlogon!StateMachineRun+0x3c0:
001b:009ef1a0 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> r
eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef8c4 edi=00141038
eip=009ef1a0 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
winlogon!StateMachineRun+0x3c0:
001b:009ef1a0 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> p
winlogon!StateMachineRun+0x3c6:
001b:009ef1a6 741f je winlogon!StateMachineRun+0x3e7 (009ef1c7)
kd> p
winlogon!StateMachineRun+0x3c8:
001b:009ef1a8 f6421c01 test byte ptr [edx+1Ch],1
kd> r
eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef8c4 edi=00141038
eip=009ef1a8 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
winlogon!StateMachineRun+0x3c8:
001b:009ef1a8 f6421c01 test byte ptr [edx+1Ch],1 ds:0023:00a04b54=ff
kd> dd 00a04b38
00a04b38 00000000 00000000 00010001 00000002
00a04b48 0004000f ffffffff 00000401 ffffffff
00a04b58 00000000 00000000 0000001c 00000007
00a04b68 00141038 00000000 00000000 00000000
00a04b78 00000000 00000000 00000000 00000000
00a04b88 00000001 00000000 00000000 00000000
00a04b98 00000000 00000000 00000000 00000000
00a04ba8 00000000 00000000 00000000 00117c30
kd> p
winlogon!StateMachineRun+0x3cc:
001b:009ef1ac 7419 je winlogon!StateMachineRun+0x3e7 (009ef1c7)
kd> p
winlogon!StateMachineRun+0x3ce:
001b:009ef1ae 807a1905 cmp byte ptr [edx+19h],5
kd> p
winlogon!StateMachineRun+0x3d2:
001b:009ef1b2 7213 jb winlogon!StateMachineRun+0x3e7 (009ef1c7)
kd> p
winlogon!StateMachineRun+0x3e7:
001b:009ef1c7 6aff push 0FFFFFFFFh
kd> p
winlogon!StateMachineRun+0x3e9:
001b:009ef1c9 ff7604 push dword ptr [esi+4]
kd> r
eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef8c4 edi=00141038
eip=009ef1c9 esp=000ef83c ebp=000ef9dc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
winlogon!StateMachineRun+0x3e9:
001b:009ef1c9 ff7604 push dword ptr [esi+4] ds:0023:000ef8c8=00000110
kd> dd 000ef8c4
000ef8c4 00142c08 00000110 00a02cc4 00000000
000ef8d4 00141038 00a046f8 00000000 00000000
000ef8e4 00000110 00000000 00000000 00000000
000ef8f4 00000000 00000000 00000007 00142cd8
000ef904 00000114 00a03068 00000000 00141038
000ef914 00a046f8 00000000 00000000 00000114
000ef924 00000000 00000000 00000000 00000000
000ef934 00000003 00000000 00142da8 00000118
kd> p
winlogon!StateMachineRun+0x3ec:
001b:009ef1cc ff15fc109c00 call dword ptr [winlogon!_imp__WaitForSingleObject (009c10fc)]
kd> !handle 110
PROCESS 9416cc88 SessionId: 1 Cid: 01c0 Peb: 7ffdc000 ParentCid: 0190
DirBase: 7c4e00c0 ObjectTable: 92128c60 HandleCount: 122.
Image: winlogon.exe
Handle table at 92128c60 with 122 entries in use
0110: Object: 8e6cd608 GrantedAccess: 001f0003 Entry: 92122220
Object: 8e6cd608 Type: (87bdb378) Event
ObjectHeader: 8e6cd5f0 (new version)
HandleCount: 1 PointerCount: 1
kd> !Object 8e6cd608
Object: 8e6cd608 Type: (87bdb378) Event
ObjectHeader: 8e6cd5f0 (new version)
HandleCount: 1 PointerCount: 1
kd> dt _kevent 8e6cd5f0
ntdll!_KEVENT
+0x000 Header : _DISPATCHER_HEADER
kd> dx -id 0,0,ffffffff9416cc88 -r1 (*((ntdll!_DISPATCHER_HEADER *)0xffffffff8e6cd5f0))
(*((ntdll!_DISPATCHER_HEADER *)0xffffffff8e6cd5f0)) [Type: _DISPATCHER_HEADER]
[+0x000] Type : 0x1 [Type: unsigned char]
[+0x001] TimerControlFlags : 0x0 [Type: unsigned char]
[+0x001 ( 0: 0)] Absolute : 0x0 [Type: unsigned char]
[+0x001 ( 1: 1)] Coalescable : 0x0 [Type: unsigned char]
[+0x001 ( 2: 2)] KeepShifting : 0x0 [Type: unsigned char]
[+0x001 ( 7: 3)] EncodedTolerableDelay : 0x0 [Type: unsigned char]
[+0x001] Abandoned : 0x0 [Type: unsigned char]
[+0x001] Signalling : 0x0 [Type: unsigned char]
[+0x002] ThreadControlFlags : 0x0 [Type: unsigned char]
[+0x002 ( 0: 0)] CpuThrottled : 0x0 [Type: unsigned char]
[+0x002 ( 1: 1)] CycleProfiling : 0x0 [Type: unsigned char]
[+0x002 ( 2: 2)] CounterProfiling : 0x0 [Type: unsigned char]
[+0x002 ( 7: 3)] Reserved : 0x0 [Type: unsigned char]
[+0x002] Hand : 0x0 [Type: unsigned char]
[+0x002] Size : 0x0 [Type: unsigned char]
[+0x003] TimerMiscFlags : 0x0 [Type: unsigned char]
[+0x003 ( 0: 0)] Index : 0x0 [Type: unsigned char]
[+0x003 ( 5: 1)] Processor : 0x0 [Type: unsigned char]
[+0x003 ( 6: 6)] Inserted : 0x0 [Type: unsigned char]
[+0x003 ( 7: 7)] Expired : 0x0 [Type: unsigned char]
[+0x003] DebugActive : 0x0 [Type: unsigned char]
[+0x003 ( 0: 0)] ActiveDR7 : 0x0 [Type: unsigned char]
[+0x003 ( 1: 1)] Instrumented : 0x0 [Type: unsigned char]
[+0x003 ( 5: 2)] Reserved2 : 0x0 [Type: unsigned char]
[+0x003 ( 6: 6)] UmsScheduled : 0x0 [Type: unsigned char]
[+0x003 ( 7: 7)] UmsPrimary : 0x0 [Type: unsigned char]
[+0x003] DpcActive : 0x0 [Type: unsigned char]
[+0x000] Lock : 1 [Type: long]
[+0x004] SignalState : 1 [Type: long]
[+0x008] WaitListHead [Type: _LIST_ENTRY]
kd> t
kernel32!WaitForSingleObject:
001b:76ed3c85 8bff mov edi,edi
kd> kc
00 kernel32!WaitForSingleObject
01 winlogon!StateMachineRun
02 winlogon!WlStateMachineRun
03 winlogon!WinMain
04 winlogon!_initterm_e
05 kernel32!BaseThreadInitThunk
06 ntdll!__RtlUserThreadStart
07 ntdll!_RtlUserThreadStart
kd> p
kernel32!WaitForSingleObject+0x2:
001b:76ed3c87 55 push ebp
kd> r
eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef8c4 edi=00141038
eip=76ed3c87 esp=000ef834 ebp=000ef9dc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
kernel32!WaitForSingleObject+0x2:
001b:76ed3c87 55 push ebp
kd> dd 000ef834
000ef834 009ef1d2 00000110 ffffffff 00000000
000ef844 009c2f5c 00a0400c 00142a68 00000108
000ef854 00a02cc4 00000000 00141038 00a046f8
000ef864 00000000 00000000 00000108 00000000
000ef874 00000000 00000000 00000000 00000000
000ef884 00000007 00142b38 0000010c 00a032f4
000ef894 00000000 00141038 00a046f8 00b60de0
000ef8a4 00000000 0000010c 00000000 00000000
参考前面的:
kd> p
winlogon!StateMachineRun+0x3ad:
001b:009ef18d 8d4610 lea eax,[esi+10h]
kd> r
eax=00000007 ebx=00a02cc4 ecx=00a02bf0 edx=00a04b38 esi=000ef8c4 edi=00141038
eip=009ef18d esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
winlogon!StateMachineRun+0x3ad:
001b:009ef18d 8d4610 lea eax,[esi+10h]
kd> dd 000ef8c4
000ef8c4 00142c08 00000110 00a02cc4 00000000
000ef8d4 00141038 00a046f8 00000000 00000000
000ef8e4 00000110 00000000 00000000 00000000
000ef8f4 00000000 00000000 00000007 00142cd8
000ef904 00000114 00a03068 00000000 00141038
000ef914 00a046f8 00000000 00000000 00000114
000ef924 00000000 00000000 00000000 00000000
000ef934 00000003 00000000 00142da8 00000118
kd> dd 00141038
00141038 001182f0 00000053 00a03ec0 00000022
00141048 00a03e38 00000004 00118238 00000000
00141058 00000000 00000001 00000000 00000000
00141068 00000002 00000000 0000001c 0000000a
00141078 00000000 00000000 0000000b 00000000
00141088 00000019 0000000d 00000000 00000018
00141098 0000000e 00000000 00000000 0000000f
001410a8 00000000 00000000 00000010 00000000
kd> !handle 53
PROCESS 9416cc88 SessionId: 1 Cid: 01c0 Peb: 7ffdc000 ParentCid: 0190
DirBase: 7c4e00c0 ObjectTable: 92128c60 HandleCount: 122.
Image: winlogon.exe
Handle table at 92128c60 with 122 entries in use
0053: Object: 94178b80 GrantedAccess: 001f0003 Entry: 921220a0
Object: 94178b80 Type: (87bd6d20) IoCompletion
ObjectHeader: 94178b68 (new version)
HandleCount: 1 PointerCount: 3
kd> dt _kqueue 94178b68
ntdll!_KQUEUE
+0x000 Header : _DISPATCHER_HEADER
+0x010 EntryListHead : _LIST_ENTRY [ 0x82a0bf80 - 0x0 ]
+0x018 CurrentCount : 0xa0004
+0x01c MaximumCount : 0
+0x020 ThreadListHead : _LIST_ENTRY [ 0x8e6d3760 - 0x8e6dbaf8 ]
kd> dx -id 0,0,ffffffff9416cc88 -r1 (*((ntdll!_LIST_ENTRY *)0xffffffff94178b88))
(*((ntdll!_LIST_ENTRY *)0xffffffff94178b88)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x8e6d3760 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x8e6dbaf8 [Type: _LIST_ENTRY *]
kd> dx -id 0,0,ffffffff9416cc88 -r1 ((ntdll!_LIST_ENTRY *)0x8e6d3760)
((ntdll!_LIST_ENTRY *)0x8e6d3760) : 0x8e6d3760 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x8221be08 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x94178b88 [Type: _LIST_ENTRY *]
kd> !process
PROCESS 9416cc88 SessionId: 1 Cid: 01c0 Peb: 7ffdc000 ParentCid: 0190
DirBase: 7c4e00c0 ObjectTable: 92128c60 HandleCount: 122.
Image: winlogon.exe
VadRoot 8fe72b18 Vads 84 Clone 0 Private 435. Modified 243. Locked 0.
DeviceMap 8ba09a00
Token 9207fb48
ElapsedTime 21:23:13.984
UserTime 00:00:00.078
KernelTime 00:00:00.124
QuotaPoolUsage[PagedPool] 103996
QuotaPoolUsage[NonPagedPool] 5152
Working Set Sizes (now,min,max) (2012, 50, 345) (8048KB, 200KB, 1380KB)
PeakWorkingSetSize 2291
VirtualSize 46 Mb
PeakVirtualSize 65 Mb
PageFaultCount 6596
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 1047
THREAD 94165d48 Cid 01c0.01c4 Teb: 7ffdf000 Win32Thread: ffb55dd0 RUNNING on processor 0
THREAD 94177a38 Cid 01c0.01e4 Teb: 7ffdd000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
94177d20 SynchronizationTimer
94177de8 SynchronizationTimer
8e779c18 NotificationEvent
82210b30 SynchronizationEvent
82210ae0 SynchronizationEvent
82210b80 SynchronizationEvent
941778f8 SynchronizationTimer
THREAD 8e6d36a0 Cid 01c0.037c Teb: 7ffde000 Win32Thread: fe4e39b8 WAIT: (WrQueue) UserMode Alertable
94178b80 QueueObject
THREAD 8e6dba38 Cid 01c0.0ad0 Teb: 7ffdb000 Win32Thread: ffa35dd0 WAIT: (WrQueue) UserMode Alertable
94178b80 QueueObject
THREAD 8221bd48 Cid 01c0.0af8 Teb: 7ffda000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
94178b80 QueueObject
kd> p
kernel32!WaitForSingleObject+0x3:
001b:76ed3c88 8bec mov ebp,esp
kd> p
kernel32!WaitForSingleObject+0x5:
001b:76ed3c8a 6a00 push 0
kd> p
kernel32!WaitForSingleObject+0x7:
001b:76ed3c8c ff750c push dword ptr [ebp+0Ch]
kd> p
kernel32!WaitForSingleObject+0xa:
001b:76ed3c8f ff7508 push dword ptr [ebp+8]
kd> p
kernel32!WaitForSingleObject+0xd:
001b:76ed3c92 e8632b0200 call kernel32!WaitForSingleObjectExImplementation (76ef67fa)
kd> r
eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef8c4 edi=00141038
eip=76ed3c92 esp=000ef824 ebp=000ef830 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
kernel32!WaitForSingleObject+0xd:
001b:76ed3c92 e8632b0200 call kernel32!WaitForSingleObjectExImplementation (76ef67fa)
下面看看[edi]+3是状态机数组的地址!!!
[edi+10h]是信号数组地址!!!
kd> p
kernel32!WaitForSingleObject+0x12:
001b:76ed3c97 5d pop ebp
kd> p
kernel32!WaitForSingleObject+0x13:
001b:76ed3c98 c20800 ret 8
kd> p
winlogon!StateMachineRun+0x3f2:
001b:009ef1d2 85c0 test eax,eax
kd> r
eax=00000000 ebx=00a02cc4 ecx=74ee25eb edx=76fda084 esi=000ef8c4 edi=00141038
eip=009ef1d2 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!StateMachineRun+0x3f2:
001b:009ef1d2 85c0 test eax,eax
kd> p
winlogon!StateMachineRun+0x3f4:
001b:009ef1d4 7417 je winlogon!StateMachineRun+0x40d (009ef1ed)
kd> p
winlogon!StateMachineRun+0x40d:
001b:009ef1ed 8d45d8 lea eax,[ebp-28h]
kd> p
winlogon!StateMachineRun+0x410:
001b:009ef1f0 50 push eax
kd> p
winlogon!StateMachineRun+0x411:
001b:009ef1f1 8d45f4 lea eax,[ebp-0Ch]
kd> r
eax=000ef9b4 ebx=00a02cc4 ecx=74ee25eb edx=76fda084 esi=000ef8c4 edi=00141038
eip=009ef1f1 esp=000ef83c ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!StateMachineRun+0x411:
001b:009ef1f1 8d45f4 lea eax,[ebp-0Ch]
kd> dd ef9b4
000ef9b4 00000000 00000000 00000000 00000000
000ef9c4 00000002 00000000 00000004 00000007
000ef9d4 0000000f 000ef8c4 000ef9f0 009d0bb8
000ef9e4 00141038 00a046f8 000efa4c 000efa70
000ef9f4 009cec63 00a046f8 000efa4c 6faa78ad
000efa04 00a05244 00111cd4 00000000 70de9c9c
000efa14 01dc3773 717e18cf 01dc3773 00000000
000efa24 000efa54 00400000 000efa48 00000003
kd> p
winlogon!StateMachineRun+0x414:
001b:009ef1f4 50 push eax
kd> r
eax=000ef9d0 ebx=00a02cc4 ecx=74ee25eb edx=76fda084 esi=000ef8c4 edi=00141038
eip=009ef1f4 esp=000ef83c ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!StateMachineRun+0x414:
001b:009ef1f4 50 push eax
kd> p
winlogon!StateMachineRun+0x415:
001b:009ef1f5 ff7710 push dword ptr [edi+10h]
kd> p
winlogon!StateMachineRun+0x418:
001b:009ef1f8 ff7314 push dword ptr [ebx+14h]
kd> p
winlogon!StateMachineRun+0x41b:
001b:009ef1fb ff7310 push dword ptr [ebx+10h]
kd> p
winlogon!StateMachineRun+0x41e:
001b:009ef1fe ff37 push dword ptr [edi] //[edi]+3是状态机状态数组的地址!!!00a03ec0
kd> dd 00141038
00141038 001182f0 00000053 00a03ec0 00000022 //0x22=34个信号第一个是winlogon!g_xAction_Succeeded_Signal
00141048 00a03e38 00000004 00118238 00000000
00141058 00000000 00000001 00000000 00000000
00141068 00000002 00000000 0000001c 0000000a
00141078 00000000 00000000 0000000b 00000000
00141088 00000019 0000000d 00000000 00000018
00141098 0000000e 00000000 00000000 0000000f
001410a8 00000000 00000000 00000010 00000000
kd> dd 00a03e38
00a03e38 00a02000 00a0200c 00a02018 00a02024
00a03e48 00a02030 00a0203c 00a02048 00a02054
00a03e58 00a02060 00a0206c 00a02078 00a02084
00a03e68 00a02090 00a0209c 00a020a8 00a020b4
00a03e78 00a020c0 00a020cc 00a020d8 00a020e4
00a03e88 00a020f0 00a020fc 00a02108 00a02114
00a03e98 00a02120 00a0212c 00a02138 00a02144
00a03ea8 00a02150 00a0215c 00a02168 00a02174
kd> u 00a02000
winlogon!g_xAction_Succeeded_Signal:
00a02000 dc2b fsubr qword ptr [ebx]
00a02002 9c pushfd
00a02003 0001 add byte ptr [ecx],al
00a02005 0000 add byte ptr [eax],al
00a02007 0000 add byte ptr [eax],al
00a02009 0000 add byte ptr [eax],al
00a0200b 00c0 add al,al
00a0200d 2b9c0001000000 sub ebx,dword ptr [eax+eax+1]
kd> dd 00a02000
00a02000 009c2bdc 00000001 00000000 009c2bc0
00a02010 00000001 00000001 009c2b90 00000000
00a02020 00000002 009c2b78 00000000 00000003
00a02030 009c2b50 00000000 00000004 009c2b28
00a02040 00000000 00000005 009c2af8 00000000
00a02050 00000006 009c2ad8 00000000 00000007
00a02060 009c2ab0 00000000 00000008 009c2a88
00a02070 00000000 00000009 009c2a60 00000000
kd> u 009c2bdc
winlogon!`string':
009c2bdc 41 inc ecx
009c2bdd 006300 add byte ptr [ebx],ah
009c2be0 7400 je winlogon!`string'+0x6 (009c2be2)
009c2be2 69006f006e00 imul eax,dword ptr [eax],6E006Fh
009c2be8 5f pop edi
009c2be9 005300 add byte ptr [ebx],dl
009c2bec 7500 jne winlogon!`string'+0x12 (009c2bee)
009c2bee 6300 arpl word ptr [eax],ax
kd> db 009c2bdc
009c2bdc 41 00 63 00 74 00 69 00-6f 00 6e 00 5f 00 53 00 A.c.t.i.o.n._.S.
009c2bec 75 00 63 00 63 00 65 00-65 00 64 00 65 00 64 00 u.c.c.e.e.d.e.d.
009c2bfc 00 00 00 00 22 00 00 00-53 00 00 00 2c 64 51 d4 ...."...S...,dQ.
009c2c0c a6 63 d7 11 97 20 00 b0-d0 3e 03 47 22 c0 7c 4c .c... ...>.G".|L
009c2c1c 47 fe c0 8f bb 3d 1d 9d-e9 89 50 59 4e 00 55 00 G....=....PYN.U.
009c2c2c 4c 00 4c 00 00 00 00 00-3c 00 4e 00 55 00 4c 00 L.L.....<.N.U.L.
009c2c3c 4c 00 3e 00 00 00 00 00-45 52 52 4f 52 5f 53 55 L.>.....ERROR_SU
009c2c4c 43 43 45 53 53 20 21 3d-20 64 77 52 65 74 00 00 CCESS != dwRet..
kd> db 009c2bc0
009c2bc0 41 00 63 00 74 00 69 00-6f 00 6e 00 5f 00 46 00 A.c.t.i.o.n._.F.
009c2bd0 61 00 69 00 6c 00 65 00-64 00 00 00 41 00 63 00 a.i.l.e.d...A.c.
009c2be0 74 00 69 00 6f 00 6e 00-5f 00 53 00 75 00 63 00 t.i.o.n._.S.u.c.
009c2bf0 63 00 65 00 65 00 64 00-65 00 64 00 00 00 00 00 c.e.e.d.e.d.....
009c2c00 22 00 00 00 53 00 00 00-2c 64 51 d4 a6 63 d7 11 "...S...,dQ..c..
009c2c10 97 20 00 b0 d0 3e 03 47-22 c0 7c 4c 47 fe c0 8f . ...>.G".|LG...
009c2c20 bb 3d 1d 9d e9 89 50 59-4e 00 55 00 4c 00 4c 00 .=....PYN.U.L.L.
009c2c30 00 00 00 00 3c 00 4e 00-55 00 4c 00 4c 00 3e 00 ....<.N.U.L.L.>.
kd> dd 00a03e38+80
00a03eb8 00a02180 00a0218c 00a021e0 00a02204 //开始00a021e0
00a03ec8 00a022d4 00a02348 00a02384 00a023b4
00a03ed8 00a02400 00a02430 00a02460 00a02490
00a03ee8 00a024b4 00a02534 00a025e0 00a0262c
00a03ef8 00a02668 00a026c8 00a02704 00a02788
00a03f08 00a027ac 00a02848 00a0286c 00a0290c
00a03f18 00a029e8 00a02a3c 00a02acc 00a02b18
00a03f28 00a02b54 00a02bcc 00a02cc4 00a02cf4
kd> u 00a02180
winlogon!g_xWLGeneric_ChangePassword_Signal:
00a02180 90 nop
00a02181 27 daa
00a02182 9c pushfd
00a02183 0001 add byte ptr [ecx],al
00a02185 0000 add byte ptr [eax],al
00a02187 0020 add byte ptr [eax],ah
00a02189 0000 add byte ptr [eax],al
00a0218b 006827 add byte ptr [eax+27h],ch
kd> dd 00a02180
00a02180 009c2790 00000001 00000020 009c2768
00a02190 00000001 00000021 00000000 00000001
00a021a0 00000000 00000002 0000004f 00000000
00a021b0 00000001 ffffffff 00000000 00000012
00a021c0 ffffffff 00000000 0000001b ffffffff
00a021d0 00000000 00000009 00000008 00000001
00a021e0 009c275c 00000000 009d2154 009d22ed
00a021f0 00000006 00a02198 00000000 00000000
kd> u 00a0218c
winlogon!g_xWLGeneric_ChangeIsAlreadyDone_Signal:
00a0218c 68279c0001 push 1009C27h
00a02191 0000 add byte ptr [eax],al
00a02193 0021 add byte ptr [ecx],ah
00a02195 0000 add byte ptr [eax],al
00a02197 0000 add byte ptr [eax],al
00a02199 0000 add byte ptr [eax],al
00a0219b 0001 add byte ptr [ecx],al
00a0219d 0000 add byte ptr [eax],al
kd> dd 00a0218c
00a0218c 009c2768 00000001 00000021 00000000
00a0219c 00000001 00000000 00000002 0000004f
00a021ac 00000000 00000001 ffffffff 00000000
00a021bc 00000012 ffffffff 00000000 0000001b
00a021cc ffffffff 00000000 00000009 00000008
00a021dc 00000001 009c275c 00000000 009d2154
00a021ec 009d22ed 00000006 00a02198 00000000
00a021fc 00000000 00000000 009c2734 00000000
kd> u 00a021e0
winlogon!g_xWLGeneric_Start_State:
00a021e0 5c pop esp
00a021e1 27 daa
00a021e2 9c pushfd
00a021e3 0000 add byte ptr [eax],al
00a021e5 0000 add byte ptr [eax],al
00a021e7 0054219d add byte ptr [ecx-63h],dl
00a021eb 00ed add ch,ch
00a021ed 229d00060000 and bl,byte ptr [ebp+600h]
kd> dd 00a021e0
00a021e0 009c275c 00000000 009d2154 009d22ed
00a021f0 00000006 00a02198 00000000 00000000
00a02200 00000000 009c2734 00000000 009d274c
00a02210 009d23ae 00000006 00a02228 00000000
00a02220 00000000 00000001 00000000 00000002
00a02230 00000000 00000002 0000004f 00000000
00a02240 00000001 ffffffff 00000000 00000012
00a02250 ffffffff 00000000 0000001b ffffffff
kd> dd 00a03e38+80*2
00a03f38 00a02d24 00a02d54 00a02dac 00a02de8
00a03f48 00a02e24 00a02e60 00a02e9c 00a02edc
00a03f58 00a02f24 00a02f74 00a02fa4 00a03068
00a03f68 00a0308c 00a03164 00a03210 00a03240
00a03f78 00a03270 00a032a0 00a032d0 00a032f4
00a03f88 00a033b0 00a033e0 00a03488 00a034d4
00a03f98 00a03510 00a03534 00a035c4 00a03658
00a03fa8 00a036f0 00a0378c 00a037d4 00a0384c
kd> dd 00a03e38+80*3
00a03fb8 00a03888 00a038ac 00a0399c 00a03a1c
00a03fc8 00a03a68 00a03a9c 00a03acc 00a03b14
00a03fd8 00a03b64 00a03b98 00a03bec 00a03c1c
00a03fe8 00a03c4c 00a03c7c 00a03cb8 00a03d0c
00a03ff8 00a03d3c 00a03d6c 00a03da8 00a03dd8
00a04008 00a03e14 00a04b38 00000001 46822167 //结束00a03e14
00a04018 a34c298e ec2bb34d ffffffff 006d0075
00a04028 00740073 00720061 00750074 00000070
00a03ec0 状态机状态数组是存在的，地址是00a03ec0!!!
kd> p
winlogon!StateMachineRun+0x420:
001b:009ef200 e8e8110000 call winlogon!SignalManagerGetSignal (009f03ed)
kd> t
winlogon!SignalManagerGetSignal:
001b:009f03ed 8bff mov edi,edi
kd> r
eax=000ef9d0 ebx=00a02cc4 ecx=74ee25eb edx=76fda084 esi=000ef8c4 edi=00141038
eip=009f03ed esp=000ef824 ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!SignalManagerGetSignal:
001b:009f03ed 8bff mov edi,edi
kd> dd 000ef824 看看返回地址和参数情况（栈顶依次为返回地址 009ef205，然后是按 push 顺序反向排列的参数 [edi]、[ebx+10h]、[ebx+14h]、[edi+10h] 以及两个栈上输出指针 000ef9d0、000ef9b4）
000ef824 009ef205 001182f0 00000010 00a02bf0
000ef834 00a03e38 000ef9d0 000ef9b4 00000000
000ef844 009c2f5c 00a0400c 00142a68 00000108
000ef854 00a02cc4 00000000 00141038 00a046f8
000ef864 00000000 00000000 00000108 00000000
000ef874 00000000 00000000 00000000 00000000
000ef884 00000007 00142b38 0000010c 00a032f4
000ef894 00000000 00141038 00a046f8 00b60de0
kd> u 00a02bf0
winlogon!g_xWLGeneric_Logged_On_Transition:
00a02bf0 17 pop ss
00a02bf1 0000 add byte ptr [eax],al
00a02bf3 001d00000001 add byte ptr ds:[1000000h],bl
00a02bf9 0000 add byte ptr [eax],al
00a02bfb 0002 add byte ptr [edx],al
00a02bfd 0000 add byte ptr [eax],al
00a02bff 004c0000 add byte ptr [eax+eax],cl
00a02c03 0000 add byte ptr [eax],al
kd> dd 001182f0
001182f0 001182c8 ffffffff 00000000 00000000
00118300 00000120 00000000 000000ec 00000022
00118310 001413b8 00141448 00141670 00141700
00118320 00141790 00141820 001418b0 00141940
00118330 001419d0 00141a60 00141af0 00141b80
00118340 00141c10 00141ca0 00141d30 00141dc0
00118350 00141e50 00141ee0 00141f70 00142000
00118360 00142090 00142120 001421b0 00142240
kd> dd 00a02000
00a02000 009c2bdc 00000001 00000000 009c2bc0
00a02010 00000001 00000001 009c2b90 00000000
00a02020 00000002 009c2b78 00000000 00000003
00a02030 009c2b50 00000000 00000004 009c2b28
00a02040 00000000 00000005 009c2af8 00000000
00a02050 00000006 009c2ad8 00000000 00000007
00a02060 009c2ab0 00000000 00000008 009c2a88
00a02070 00000000 00000009 009c2a60 00000000
kd> dd 00a02000+80
00a02080 0000000a 009c2a48 00000000 0000000b
00a02090 009c2a30 00000000 0000000c 009c2a04
00a020a0 00000000 0000000d 009c29e4 00000000
00a020b0 0000000e 009c29c4 00000000 0000000f
00a020c0 009c29a4 00000002 00000010 009c2988
00a020d0 00000000 00000011 009c2968 00000000
00a020e0 00000012 009c2948 00000000 00000013
00a020f0 009c2918 00000001 00000014 009c28ec
kd> dd 00a02000+80*2
00a02100 00000000 00000015 009c28c8 00000000
00a02110 00000016 009c2898 00000000 00000017
00a02120 009c2880 00000001 00000018 009c2868
00a02130 00000001 00000019 009c2848 00000001
00a02140 0000001a 009c282c 00000001 0000001b
00a02150 009c2814 00000001 0000001c 009c27f4
00a02160 00000001 0000001d 009c27c8 00000001
00a02170 0000001e 009c27b0 00000000 0000001f
kd> dd 00a02000+80*3
00a02180 009c2790 00000001 00000020 009c2768
00a02190 00000001 00000021