RDPWD!ShareClass::UPSendOrders函数中的RDPWD!ShareClass::SC_FlushAndAllocPackage函数分析

RDPWD!ShareClass::UPSendOrders函数中的RDPWD!ShareClass::SC_FlushAndAllocPackage函数分析

1: kd> kc

00 RDPWD!ShareClass::SC_FlushAndAllocPackage

01 RDPWD!ShareClass::UPSendOrders

02 RDPWD!ShareClass::UP_SendUpdates

03 RDPWD!ShareClass::DCS_TimeToDoStuff

04 RDPWD!WD_Ioctl

05 termdd!_IcaCallSd

06 termdd!_IcaCallStack

07 termdd!IcaCallDriver

08 termdd!IcaDeviceControlVirtual

09 termdd!IcaDeviceControlChannel

0a termdd!IcaDeviceControl

0b termdd!IcaDispatch

0c nt!IofCallDriver

0d win32k!CtxDeviceIoControlFile

0e win32k!EngFileIoControl

0f RDPDD!SCH_DDOutputAvailable

10 RDPDD!DrvSetPointerShape

11 win32k!vSetPointer

12 win32k!GreSetPointer

13 win32k!zzzUpdateCursorImage

14 win32k!zzzSetCursor

15 win32k!xxxDWP_SetCursor

16 win32k!xxxRealDefWindowProc

17 win32k!xxxDefWindowProc

18 win32k!xxxDesktopWndProc

19 win32k!xxxSendMessageTimeout

1a win32k!xxxSendMessage

1b win32k!xxxMouseActivate

1c win32k!xxxScanSysQueue

1d win32k!xxxRealInternalGetMessage

1e win32k!xxxDesktopThread

1f win32k!xxxCreateSystemThreads

20 win32k!NtUserCallOneParam

21 nt!_KiSystemService

22 SharedUserData!SystemCallStub

23 winsrv!NtUserCallOneParam

1: kd> dv

this = 0xe16de018

pPkgInfo = 0xb9f43b14

trc_fn = 0xb9eac483 "???"

trc_file = 0x00000008 "--- memory read error at address 0x00000008 ---"

status = 0n774

__fnname = char [24] "SC_FlushAndAllocPackage"

1: kd> dx -r1 ((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14)

((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14) : 0xb9f43b14 [Type: _tagPDU_PACKAGE_INFO *]

[+0x000] cbLen : 0x1e58 [Type: unsigned int]

[+0x004] cbInUse : 0x37d [Type: unsigned int]

[+0x008] pBuffer : 0xee027020 : 0x83 [Type: unsigned char *]

[+0x00c] pOutBuf : 0x898d31b0 [Type: void *]

NTSTATUS __fastcall ShareClass::SC_FlushAndAllocPackage(PPDU_PACKAGE_INFO pPkgInfo)

{

NTSTATUS status = STATUS_SUCCESS;

DC_BEGIN_FN("SC_FlushAndAllocPackage");

if (pPkgInfo->cbLen) {

if (pPkgInfo->cbInUse) {

// Send the package contents.

if (scUseFastPathOutput)

// Send with fast-path flag.

SM_SendData(scPSMHandle, (PVOID)pPkgInfo->pOutBuf,

pPkgInfo->cbInUse, TS_HIGHPRIORITY, 0, TRUE, RNS_SEC_ENCRYPT, FALSE);

else

1: kd> t

RDPWD!SM_SendData:

b9e78370 55 push ebp

1: kd> kc 9

00 RDPWD!SM_SendData

01 RDPWD!ShareClass::SC_FlushAndAllocPackage

02 RDPWD!ShareClass::UPSendOrders

03 RDPWD!ShareClass::UP_SendUpdates

04 RDPWD!ShareClass::DCS_TimeToDoStuff

05 RDPWD!WD_Ioctl

06 termdd!_IcaCallSd

07 termdd!_IcaCallStack

08 termdd!IcaCallDriver

1: kd> dv

pSMHandle = 0xffffffff

pData = 0xb9f43b14

dataLen = 0x37d

priority = 1

else {

if (pRealSMHandle->encryptDisplayData) {

// S->C is encrypted

encryptHeaderLen = pRealSMHandle->encryptHeaderLen;

}

else {

sendLen = dataLen + encryptHeaderLen; // 0x389 = 0x37d + 0xc

}

1: kd> ?0x389-0x37d

Evaluate expression: 12 = 0000000c

1: kd> dv

pSMHandle = 0xe1a3f7c8

pData = 0x898d31b0

dataLen = 0x37d

priority = 1

channelID = 0

bFastPathOutput = 0n1

flags = 8

fForceEncrypt = 0x00 ''

pRealSMHandle = 0xe1a3f7c8

trc_fn = 0xb9ec137c "SM_SendData"

trc_file = 0xb9ec12e0 "asmapi"

pSecHeader2 = 0x897985d0

fUseSafeChecksum = 0n0

pSecHeader = 0x00000000

sendLen = 0x389

pSecHeader = (PRNS_SECURITY_HEADER)((PBYTE)pData - encryptHeaderLen);

1: kd> dt tagRNS_SECURITY_HEADER 0x898d31b0-c

RDPWD!tagRNS_SECURITY_HEADER

+0x000 flags : 0xc008

+0x002 flagsHi : 0xbd81

TRC_DATA_DBG("Data buffer before encryption", pData, dataLen);

if (pRealSMHandle->encryptionMethodSelected == SM_FIPS_ENCRYPTION_FLAG) {

rc = TSFIPS_EncryptData(

&(pRealSMHandle->FIPSData),

pData,

dataLen + pSecHeader2->padlen,

pSecHeader2->padlen,

pSecHeader2->dataSignature,

pRealSMHandle->totalEncryptCount);

}

else {

rc = EncryptData(

pRealSMHandle->encryptionLevel,

pRealSMHandle->currentEncryptKey,

&pRealSMHandle->rc4EncryptKey,

pRealSMHandle->keyLength,

pData,

dataLen,

pRealSMHandle->macSaltKey,

((PRNS_SECURITY_HEADER1)pSecHeader)->dataSignature,

fUseSafeChecksum,

pRealSMHandle->totalEncryptCount

1: kd> dt tagSM_HANDLE_DATA 0xe1a3f7c8

RDPWD!tagSM_HANDLE_DATA

+0x000 encryptionLevel : 2

+0x004 encryptionMethodsSupported : 0x1b

+0x008 encryptionMethodSelected : 2

+0x00c frenchClient : 0 ''

+0x00d encryptAfterLogon : 0 ''

+0x00e encrypting : 0x1 ''

+0x00f encryptDisplayData : 0x1 ''

+0x010 encryptingLicToClient : 0x1 ''

+0x011 useSafeChecksumMethod : 0x1 ''

+0x012 bDisconnectWorkerSent : 0 ''

+0x013 dead : 0 ''

+0x014 state : 6

+0x018 nDiscardVCDataWhenDead : 0

+0x01c nDiscardPDUBadState : 0

+0x020 nDiscardNonVCPDUWhenDead : 0

+0x024 pUserData : (null)

+0x028 pWDHandle : 0xe1a3f010 tagTSHARE_WD

+0x02c pLicenseHandle : 0xee320738 Void

+0x030 userID : 0x3ea

+0x034 channelID : 0x3eb

+0x038 maxPDUSize : 0xffef

+0x03c CertType : 1 ( CERT_TYPE_PROPRIETORY )

+0x040 pEncClientRandom : (null)

+0x044 encClientRandomLen : 0

+0x048 recvdClientRandom : 0x1 ''

+0x049 bForwardDataToSC : 0x1 ''

+0x04a bSessionKeysMade : 0x1 ''

+0x04c keyLength : 0x10

+0x050 encryptCount : 0xa

+0x054 totalEncryptCount : 0xa

+0x058 encryptHeaderLen : 0xc

+0x05c encryptHeaderLenIfForceEncrypt : 0

+0x060 startEncryptKey : [16] "???"

+0x070 currentEncryptKey : [16] "???"

+0x080 rc4EncryptKey : RC4_KEYSTRUCT

+0x184 decryptCount : 0xe

+0x188 totalDecryptCount : 0xe

+0x18c startDecryptKey : [16] "G???"

+0x19c currentDecryptKey : [16] "G???"

+0x1ac rc4DecryptKey : RC4_KEYSTRUCT

+0x2ae macSaltKey : [16] "???"

+0x2c0 consoleBufferList : _LIST_ENTRY [ 0xe1a3fa88 - 0xe1a3fa88 ]

+0x2c8 consoleBufferCount : 0

+0x2cc FIPSData : _SM_FIPS_Data

+0x060 startEncryptKey : [16] "???"

+0x080 rc4EncryptKey : RC4_KEYSTRUCT

1: kd> dx -id 0,0,89082020 -r1 (*((RDPWD!unsigned char (*)[16])0xe1a3f838))

(*((RDPWD!unsigned char (*)[16])0xe1a3f838)) [Type: unsigned char [16]]

[0] : 0xb9 [Type: unsigned char]

[1] : 0xa7 [Type: unsigned char]

[2] : 0x13 [Type: unsigned char]

[3] : 0xf2 [Type: unsigned char]

[4] : 0x0 [Type: unsigned char]

[5] : 0xb2 [Type: unsigned char]

[6] : 0xb0 [Type: unsigned char]

[7] : 0xeb [Type: unsigned char]

[8] : 0x64 [Type: unsigned char]

[9] : 0x88 [Type: unsigned char]

[10] : 0xdd [Type: unsigned char]

[11] : 0x5b [Type: unsigned char]

[12] : 0x89 [Type: unsigned char]

[13] : 0x34 [Type: unsigned char]

[14] : 0x51 [Type: unsigned char]

[15] : 0x19 [Type: unsigned char]

1: kd> dx -id 0,0,89082020 -r1 (*((RDPWD!RC4_KEYSTRUCT *)0xe1a3f848))

(*((RDPWD!RC4_KEYSTRUCT *)0xe1a3f848)) [Type: RC4_KEYSTRUCT]

[+0x000] S [Type: unsigned char [256]]

[+0x100] i : 0x3d [Type: unsigned char]

[+0x101] j : 0x3d [Type: unsigned char]

1: kd> dx -id 0,0,89082020 -r1 (*((RDPWD!unsigned char (*)[256])0xe1a3f848))

(*((RDPWD!unsigned char (*)[256])0xe1a3f848)) [Type: unsigned char [256]]

[0] : 0xe4 [Type: unsigned char]

[1] : 0x6a [Type: unsigned char]

[2] : 0xea [Type: unsigned char]

[3] : 0xd3 [Type: unsigned char]

[4] : 0x6e [Type: unsigned char]

[5] : 0xdb [Type: unsigned char]

[6] : 0x85 [Type: unsigned char]

[7] : 0x19 [Type: unsigned char]

[8] : 0x53 [Type: unsigned char]

/****************************************************************************/

/* Encryption levels - bit field. */

/****************************************************************************/

#define SM_40BIT_ENCRYPTION_FLAG 0x01

#define SM_128BIT_ENCRYPTION_FLAG 0x02

#define SM_56BIT_ENCRYPTION_FLAG 0x08

#define SM_FIPS_ENCRYPTION_FLAG 0x10

if (rc) {

TRC_DBG((TB, "Data encrypted"));

1: kd> p

22:27:18.890 89076524.00000000 RDP E1A3F010 SM_SendData 1199 Data encrypted

// Send it!

rc = NM_SendData(pRealSMHandle->pWDHandle->pNMInfo, (BYTE *)pSecHeader,

sendLen, priority, channelID, bFastPathOutput);

}

1: kd> t

RDPWD!NM_SendData:

b9e71540 55 push ebp

1: kd> kc 9

00 RDPWD!NM_SendData

01 RDPWD!SM_SendData

02 RDPWD!ShareClass::SC_FlushAndAllocPackage

03 RDPWD!ShareClass::UPSendOrders

04 RDPWD!ShareClass::UP_SendUpdates

05 RDPWD!ShareClass::DCS_TimeToDoStuff

06 RDPWD!WD_Ioctl

07 termdd!_IcaCallSd

08 termdd!_IcaCallStack

1: kd> dv

pNMHandle = 0x00000023

pData = 0x00000000 ""

dataSize = 0x389

priority = 1

userID = 0 //channelID

FastPathOutputFlags = 0xc1

trc_fn = 0x8966dfa0 " p???"

trc_file = 0x897985d0 "hp???"

pRealNMHandle = 0xb9f43a2c

__fnname = char [12] "NM_SendData"

pOutBuf = 0x00000000

MCSErr = 0n-1176038080 (No matching enumerant)

rc = 0n8

else {

// 2-byte form of length, first byte has high bit 1 and 7

// most significant bits.

dataSize += 3;

pData -= 3;

*(pData + 1) = (BYTE)(0x80 | ((dataSize & 0x7F00) >> 8));

*(pData + 2) = (BYTE)(dataSize & 0xFF);

}

1: kd> dv

Status = 0n-1175175672

SdWrite = struct _SD_RAWWRITE

pNMHandle = 0xe1a3fe30

pData = 0x898d31a5 "???"

dataSize = 0x388

priority = 1

userID = 0

FastPathOutputFlags = 0xc1

trc_fn = 0xb9ec1224 "NM_SendData"

trc_file = 0xb9ec11c0 "anmapi"

pRealNMHandle = 0xe1a3fe30

__fnname = char [12] "NM_SendData"

pOutBuf = 0x898d3018

MCSErr = MCS_NO_SUCH_CONNECTION (0n8)

rc = 0n1

1: kd> db 0x898d31a5

898d31a5 08 83 88 eb e9 ea 4a a9-fb 6a 4f 17 d7 b7 eb 24 ......J..jO....$

898d31b5 96 cf 24 ab 9b 93 e0 e2-1c b7 bd 84 ae b5 4b 43 ..$...........KC

898d31c5 e2 51 37 0f 1a 5b a5 dd-fb ed 02 23 cb fe 5c bf .Q7..[.....#..\.

898d31d5 86 75 6d 71 56 71 aa 0e-c0 2e d1 03 9f 66 bf 34 .umqVq.......f.4

898d31e5 90 fb a0 46 f7 80 5c 95-bd c9 f9 0c 97 38 dd d0 ...F..\......8..

898d31f5 47 0b 12 e2 df ea 7b f6-18 80 a2 5b f8 6e 2d 81 G.....{....[.n-.

898d3205 f0 c2 c8 9a 5c fe 22 46-30 84 46 45 44 9e 43 9c ....\."F0.FED.C.

898d3215 ff b2 d1 29 09 ee 1d a2-fa 20 9a b3 fe 06 39 52 ...)..... ....9R

dataSize = 0x388

83 88

pOutBuf = 0x898d3018

1: kd> dx -r1 ((RDPWD!_OUTBUF *)0x898d3018)

((RDPWD!_OUTBUF *)0x898d3018) : 0x898d3018 [Type: _OUTBUF *]

[+0x000] OutBufLength : 0x1e88 [Type: unsigned long]

[+0x004] PoolIndex : 4 [Type: int]

[+0x008] Links [Type: _LIST_ENTRY]

[+0x010] pBuffer : 0x898d31a4 : 0x8 [Type: unsigned char *]

[+0x014] ByteCount : 0x389 [Type: unsigned long]

[+0x018] MaxByteCount : 0x1e88 [Type: unsigned long]

[+0x01c] ThreadId : 0x0 [Type: _ETHREAD *]

[+0x020] pIrp : 0x898d3050 [Type: _IRP *]

[+0x024] pMdl : 0x898d3158 [Type: _MDL *]

[+0x028] pPrivate : 0x89076d20 [Type: void *]

[+0x02c] StartTime : 0x0 [Type: unsigned long]

[+0x030] Sequence : 0x0 [Type: unsigned char]

[+0x031] Fragment : 0x0 [Type: unsigned char]

[+0x034 ( 0: 0)] fWait : 0x1 [Type: unsigned long]

[+0x034 ( 1: 1)] fControl : 0x0 [Type: unsigned long]

[+0x034 ( 2: 2)] fRetransmit : 0x0 [Type: unsigned long]

[+0x034 ( 3: 3)] fCompress : 0x1 [Type: unsigned long]

[+0x034 ( 4: 4)] fIrpCompleted : 0x0 [Type: unsigned long]

// Set up the OutBuf with its final contents.

pOutBuf->pBuffer = pData;

pOutBuf->ByteCount = dataSize;

1: kd> dx -r1 ((RDPWD!_OUTBUF *)0x898d3018)

((RDPWD!_OUTBUF *)0x898d3018) : 0x898d3018 [Type: _OUTBUF *]

[+0x000] OutBufLength : 0x1e88 [Type: unsigned long]

[+0x004] PoolIndex : 4 [Type: int]

[+0x008] Links [Type: _LIST_ENTRY]

[+0x010] pBuffer : 0x898d31a5 : 0xc0 [Type: unsigned char *]

[+0x014] ByteCount : 0x388 [Type: unsigned long]

1: kd> db 0x898d31a5

898d31a5 c0 83 88 eb e9 ea 4a a9-fb 6a 4f 17 d7 b7 eb 24 ......J..jO....$

898d31b5 96 cf 24 ab 9b 93 e0 e2-1c b7 bd 84 ae b5 4b 43 ..$...........KC

898d31c5 e2 51 37 0f 1a 5b a5 dd-fb ed 02 23 cb fe 5c bf .Q7..[.....#..\.

898d31d5 86 75 6d 71 56 71 aa 0e-c0 2e d1 03 9f 66 bf 34 .umqVq.......f.4

898d31e5 90 fb a0 46 f7 80 5c 95-bd c9 f9 0c 97 38 dd d0 ...F..\......8..

898d31f5 47 0b 12 e2 df ea 7b f6-18 80 a2 5b f8 6e 2d 81 G.....{....[.n-.

898d3205 f0 c2 c8 9a 5c fe 22 46-30 84 46 45 44 9e 43 9c ....\."F0.FED.C.

898d3215 ff b2 d1 29 09 ee 1d a2-fa 20 9a b3 fe 06 39 52 ...)..... ....9R

dv

SdWrite = struct _SD_RAWWRITE

1: kd> dx -r1 (*((RDPWD!_SD_RAWWRITE *)0xb9f439c0))

(*((RDPWD!_SD_RAWWRITE *)0xb9f439c0)) [Type: _SD_RAWWRITE]

[+0x000] pOutBuf : 0x30 [Type: _OUTBUF *]

[+0x004] pBuffer : 0xb9e626b0 : 0x55 [Type: unsigned char *]

[+0x008] ByteCount : 0x8966dfa0 [Type: unsigned long]

// Send downward.

SdWrite.pBuffer = NULL;

SdWrite.ByteCount = 0;

SdWrite.pOutBuf = pOutBuf;

dv

SdWrite = struct _SD_RAWWRITE

1: kd> dx -r1 (*((RDPWD!_SD_RAWWRITE *)0xb9f439c0))

(*((RDPWD!_SD_RAWWRITE *)0xb9f439c0)) [Type: _SD_RAWWRITE]

[+0x000] pOutBuf : 0x898d3018 [Type: _OUTBUF *]

[+0x004] pBuffer : 0x0 [Type: unsigned char *]

[+0x008] ByteCount : 0x0 [Type: unsigned long]

Status = IcaCallNextDriver(pRealNMHandle->pWDHandle->pContext,

SD$RAWWRITE, &SdWrite);

NTSTATUS

IcaCallNextDriver(

IN PSDCONTEXT pContext,

IN ULONG ProcIndex,

IN PVOID pParms

)

{

1: kd> kc 9

00 termdd!_IcaCallSd

01 termdd!IcaCallNextDriver

02 RDPWD!NM_SendData

03 RDPWD!SM_SendData

04 RDPWD!ShareClass::SC_FlushAndAllocPackage

05 RDPWD!ShareClass::UPSendOrders

06 RDPWD!ShareClass::UP_SendUpdates

07 RDPWD!ShareClass::DCS_TimeToDoStuff

08 RDPWD!WD_Ioctl

1: kd> dv

pSdLink = 0x89080a00

ProcIndex = 2

pParms = 0xb9f439c0

1: kd> p

termdd!_IcaCallSd+0x26:

bac481ea ff7510 push dword ptr [ebp+10h]

1: kd> t

TDTCP!TdRawWrite:

ba0c9cd6 55 push ebp

1: kd> kc 9

00 TDTCP!TdRawWrite

01 termdd!_IcaCallSd

02 termdd!IcaCallNextDriver

03 RDPWD!NM_SendData

04 RDPWD!SM_SendData

05 RDPWD!ShareClass::SC_FlushAndAllocPackage

06 RDPWD!ShareClass::UPSendOrders

07 RDPWD!ShareClass::UP_SendUpdates

08 RDPWD!ShareClass::DCS_TimeToDoStuff

1: kd> dv

pTd = 0x894c7868

pSdRawWrite = 0xb9f439c0

Status = 0n-1175176768

oldIrql = 0xb9 ''

pWorkItem = 0x00000008

dv

pSdRawWrite = 0xb9f439c0

1: kd> dx -r1 ((TDTCP!_SD_RAWWRITE *)0xb9f439c0)

((TDTCP!_SD_RAWWRITE *)0xb9f439c0) : 0xb9f439c0 [Type: _SD_RAWWRITE *]

[+0x000] pOutBuf : 0x898d3018 [Type: _OUTBUF *]

[+0x004] pBuffer : 0x0 [Type: unsigned char *]

[+0x008] ByteCount : 0x0 [Type: unsigned long]

NTSTATUS TdRawWrite(PTD pTd, PSD_RAWWRITE pSdRawWrite)

{

// Call the device driver

// From this point on we must NOT free the outbuf.

// It will be free'd by the write complete routine.

Status = IoCallDriver(pTd->pDeviceObject, pOutBuf->pIrp);

if (NT_SUCCESS(Status)) {

// Update output counters

pTd->pStatus->Output.Bytes += pOutBuf->ByteCount;

pTd->pStatus->Output.Frames++;

// Insert outbuf on busy list

InsertTailList(&pTd->IoBusyOutBuf, &pOutBuf->Links);

1: kd> dx -r1 ((TDTCP!_TD *)0x894c7868)

((TDTCP!_TD *)0x894c7868) : 0x894c7868 [Type: _TD *]

[+0x000] pContext : 0x89080a14 [Type: _SDCONTEXT *]

[+0x004] PdFlag : 0x4e [Type: unsigned long]

[+0x008] SdClass : SdNetwork (2) [Type: _SDCLASS]

[+0x00c] Params [Type: _PDPARAMSW]

[+0x244] pClient : 0x890770c8 [Type: _CLIENTMODULES *]

[+0x248] pStatus : 0x89077228 [Type: _PROTOCOLSTATUS *]

[+0x24c] pFileObject : 0x89095ec8 [Type: _FILE_OBJECT *]

[+0x250] pDeviceObject : 0x894368b0 : Device for "\Driver\Tcpip" [Type: _DEVICE_OBJECT *]

[+0x254] LastError : 0x0 [Type: unsigned long]

[+0x258] ReadErrorCount : 0x0 [Type: unsigned long]

[+0x25c] ReadErrorThreshold : 0x0 [Type: unsigned long]

[+0x260] WriteErrorCount : 0x0 [Type: unsigned long]

[+0x264] WriteErrorThreshold : 0x0 [Type: unsigned long]

[+0x268] ZeroByteReadCount : 0x0 [Type: unsigned long]

[+0x26c] PortNumber : 0xd3d [Type: unsigned long]

[+0x270] OutBufHeader : 0x0 [Type: unsigned long]

[+0x274] OutBufTrailer : 0x0 [Type: unsigned long]

[+0x278] OutBufLength : 0x212 [Type: unsigned long]

[+0x27c] IoBusyOutBuf [Type: _LIST_ENTRY]

1: kd> dx -r1 (*((TDTCP!_LIST_ENTRY *)0x894c7ae4))

(*((TDTCP!_LIST_ENTRY *)0x894c7ae4)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x898d3020 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x898d3020 [Type: _LIST_ENTRY *]

1: kd> dx -r1 ((TDTCP!_SD_RAWWRITE *)0xb9f439c0)

((TDTCP!_SD_RAWWRITE *)0xb9f439c0) : 0xb9f439c0 [Type: _SD_RAWWRITE *]

[+0x000] pOutBuf : 0x898d3018 [Type: _OUTBUF *]

[+0x004] pBuffer : 0x0 [Type: unsigned char *]

[+0x008] ByteCount : 0x0 [Type: unsigned long]

1: kd> dx -r1 ((TDTCP!_OUTBUF *)0x898d3018)

((TDTCP!_OUTBUF *)0x898d3018) : 0x898d3018 [Type: _OUTBUF *]

[+0x000] OutBufLength : 0x1e88 [Type: unsigned long]

[+0x004] PoolIndex : 4 [Type: int]

[+0x008] Links [Type: _LIST_ENTRY]

[+0x010] pBuffer : 0x898d31a5 : 0xc0 [Type: unsigned char *]

[+0x014] ByteCount : 0x388 [Type: unsigned long]

[+0x018] MaxByteCount : 0x1e88 [Type: unsigned long]

[+0x01c] ThreadId : 0x0 [Type: _ETHREAD *]

[+0x020] pIrp : 0x898d3050 [Type: _IRP *]

[+0x024] pMdl : 0x898d3158 [Type: _MDL *]

[+0x028] pPrivate : 0x894c7868 [Type: void *]

[+0x02c] StartTime : 0x0 [Type: unsigned long]

[+0x030] Sequence : 0x0 [Type: unsigned char]

[+0x031] Fragment : 0x0 [Type: unsigned char]

[+0x034 ( 0: 0)] fWait : 0x1 [Type: unsigned long]

[+0x034 ( 1: 1)] fControl : 0x0 [Type: unsigned long]

[+0x034 ( 2: 2)] fRetransmit : 0x0 [Type: unsigned long]

[+0x034 ( 3: 3)] fCompress : 0x1 [Type: unsigned long]

[+0x034 ( 4: 4)] fIrpCompleted : 0x0 [Type: unsigned long]

1: kd> dx -r1 (*((TDTCP!_LIST_ENTRY *)0x898d3020))

(*((TDTCP!_LIST_ENTRY *)0x898d3020)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x894c7ae4 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x894c7ae4 [Type: _LIST_ENTRY *]

// Preallocate a completion workitem now and chain it to list of workitems.

Status = IcaAllocateWorkItem(&pWorkItem);

InsertTailList( &pTd->WorkItemHead, pWorkItem );

1: kd> dv

pTd = 0x894c7868

pSdRawWrite = 0x00000000

Status = 0n0

oldIrql = 0x00 ''

pWorkItem = 0x896a0e58 [ 0x894c7b38 - 0x894c7b38 ]

1: kd> dx -r1 ((TDTCP!_LIST_ENTRY *)0x896a0e58)

((TDTCP!_LIST_ENTRY *)0x896a0e58) : 0x896a0e58 [Type: _LIST_ENTRY *]

[+0x000] Flink : 0x894c7b38 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x894c7b38 [Type: _LIST_ENTRY *]

1: kd> dx -r1 ((TDTCP!_TD *)0x894c7868)

((TDTCP!_TD *)0x894c7868) : 0x894c7868 [Type: _TD *]

[+0x000] pContext : 0x89080a14 [Type: _SDCONTEXT *]

[+0x004] PdFlag : 0x4e [Type: unsigned long]

[+0x008] SdClass : SdNetwork (2) [Type: _SDCLASS]

[+0x00c] Params [Type: _PDPARAMSW]

[+0x244] pClient : 0x890770c8 [Type: _CLIENTMODULES *]

[+0x248] pStatus : 0x89077228 [Type: _PROTOCOLSTATUS *]

[+0x24c] pFileObject : 0x89095ec8 [Type: _FILE_OBJECT *]

[+0x250] pDeviceObject : 0x894368b0 : Device for "\Driver\Tcpip" [Type: _DEVICE_OBJECT *]

[+0x254] LastError : 0x0 [Type: unsigned long]

[+0x258] ReadErrorCount : 0x0 [Type: unsigned long]

[+0x25c] ReadErrorThreshold : 0x0 [Type: unsigned long]

[+0x260] WriteErrorCount : 0x0 [Type: unsigned long]

[+0x264] WriteErrorThreshold : 0x0 [Type: unsigned long]

[+0x268] ZeroByteReadCount : 0x0 [Type: unsigned long]

[+0x26c] PortNumber : 0xd3d [Type: unsigned long]

[+0x270] OutBufHeader : 0x0 [Type: unsigned long]

[+0x274] OutBufTrailer : 0x0 [Type: unsigned long]

[+0x278] OutBufLength : 0x212 [Type: unsigned long]

[+0x27c] IoBusyOutBuf [Type: _LIST_ENTRY]

[+0x284] SyncWriteEvent [Type: _KEVENT]

[+0x294] pInputThread : 0x896c6b20 [Type: _KTHREAD *]

[+0x298] InBufCount : 1 [Type: long]

[+0x29c] InBufListLock : 0x89076349 [Type: unsigned long]

[+0x2a0] InBufBusyHead [Type: _LIST_ENTRY]

[+0x2a8] InBufDoneHead [Type: _LIST_ENTRY]

[+0x2b0] InBufHeader : 0x0 [Type: unsigned long]

[+0x2b4] InputEvent [Type: _KEVENT]

[+0x2c4 ( 0: 0)] fClosing : 0x0 [Type: unsigned long]

[+0x2c4 ( 1: 1)] fCallbackInProgress : 0x0 [Type: unsigned long]

[+0x2c4 ( 2: 2)] fSyncWriteWaiter : 0x0 [Type: unsigned long]

[+0x2c8] pPrivate : 0x0 [Type: void *]

[+0x2cc] pAfd : 0x89754e28 [Type: void *]

[+0x2d0] WorkItemHead [Type: _LIST_ENTRY]

[+0x2d8] pSelfDeviceObject : 0x0 [Type: _DEVICE_OBJECT *]

[+0x2dc] UserBrokenReason : 0x0 [Type: unsigned long]

1: kd> dx -r1 (*((TDTCP!_LIST_ENTRY *)0x894c7b38))

(*((TDTCP!_LIST_ENTRY *)0x894c7b38)) [Type: _LIST_ENTRY]

[+0x000] Flink : 0x896a0e58 [Type: _LIST_ENTRY *]

[+0x004] Blink : 0x896a0e58 [Type: _LIST_ENTRY *]

// Register I/O completion routine

if ( pTd->pSelfDeviceObject == NULL ) {

IoSetCompletionRoutine(pOutBuf->pIrp,

_TdWriteCompleteRoutine, pOutBuf, TRUE, TRUE,

TRUE);

1: kd> t

nt!IofCallDriver:

80a266fa 55 push ebp

1: kd> kc 9

00 nt!IofCallDriver

01 TDTCP!TdRawWrite

02 termdd!_IcaCallSd

03 termdd!IcaCallNextDriver

04 RDPWD!NM_SendData

05 RDPWD!SM_SendData

06 RDPWD!ShareClass::SC_FlushAndAllocPackage

07 RDPWD!ShareClass::UPSendOrders

08 RDPWD!ShareClass::UP_SendUpdates

//
// IofCallDriver - pass an IRP to the dispatch routine of the driver that
// owns DeviceObject.
//
// DeviceObject - the device receiving the request (in this trace, the
//                Tcpip device object held by the TDTCP transport driver).
// Irp          - the I/O request packet, already prepared by the caller.
//
// Returns whatever NTSTATUS the dispatch routine (or the installed hook)
// produces.
//
// If a hook pointer (pIofCallDriver) has been installed, the request is
// handed to it together with this function's own return address, so the
// hook can attribute the call to the real caller; the original source
// comment says such a hook is either IovCallDriver or IoPerfCallDriver.
// Otherwise the call goes straight to the core IopfCallDriver path, which
// is the path the register dump and the tcpip dispatch below follow.
//
NTSTATUS
FASTCALL
IofCallDriver(
    IN PDEVICE_OBJECT DeviceObject,
    IN OUT PIRP Irp
    )
{
    // Common case: no verifier/profiler hook present.
    if (pIofCallDriver == NULL) {
        return IopfCallDriver(DeviceObject, Irp);
    }

    // Hooked case: the hook needs the caller's address for attribution.
    return pIofCallDriver(DeviceObject, Irp, _ReturnAddress());
}

1: kd> r

eax=0000000f ebx=00000000 ecx=89475e90 edx=898d3050 esi=898d3050 edi=894368b0

eip=80a26758 esp=b9f43928 ebp=b9f4393c iopl=0 nv up ei ng nz ac po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292

nt!IofCallDriver+0x5e:

80a26758 ff548138 call dword ptr [ecx+eax*4+38h] ds:0023:89475f04={tcpip!TCPDispatchInternalDeviceControl (baa030ec)}

1: kd> t

tcpip!TCPDispatchInternalDeviceControl:

baa030ec 55 push ebp

1: kd> kc 9

00 tcpip!TCPDispatchInternalDeviceControl

01 nt!IofCallDriver

02 TDTCP!TdRawWrite

03 termdd!_IcaCallSd

04 termdd!IcaCallNextDriver

05 RDPWD!NM_SendData

06 RDPWD!SM_SendData

07 RDPWD!ShareClass::SC_FlushAndAllocPackage

08 RDPWD!ShareClass::UPSendOrders

1: kd> dv

DeviceObject = 0x894368b0 Device for "\Driver\Tcpip"

Irp = 0x898d3050

if (PtrToUlong(irpSp->FileObject->FsContext2) == TDI_CONNECTION_FILE) {

//

// Send and receive are the performance path, so check for them

// right away.

//

if (irpSp->MinorFunction == TDI_SEND) {

return (TCPSendData(Irp, irpSp));

}

1: kd> kc 1

00 tcpip!TCPSendData

1: kd> kc 10

00 tcpip!TCPSendData
01 tcpip!TCPDispatchInternalDeviceControl
02 nt!IofCallDriver
03 TDTCP!TdRawWrite
04 termdd!_IcaCallSd
05 termdd!IcaCallNextDriver
06 RDPWD!NM_SendData
07 RDPWD!SM_SendData
08 RDPWD!ShareClass::SC_FlushAndAllocPackage

09 RDPWD!ShareClass::UPSendOrders

0a RDPWD!ShareClass::UP_SendUpdates

0b RDPWD!ShareClass::DCS_TimeToDoStuff

0c RDPWD!WD_Ioctl

0d termdd!_IcaCallSd

0e termdd!_IcaCallStack

0f termdd!IcaCallDriver