1: kd> t
RDPWD!ShareClass::SC_AddToPackage:
b9e6da20 55 push ebp
1: kd> kc
00 RDPWD!ShareClass::SC_AddToPackage
01 RDPWD!ShareClass::UPSendOrders
02 RDPWD!ShareClass::UP_SendUpdates
03 RDPWD!ShareClass::DCS_TimeToDoStuff
04 RDPWD!WD_Ioctl
05 termdd!_IcaCallSd
06 termdd!_IcaCallStack
07 termdd!IcaCallDriver
08 termdd!IcaDeviceControlVirtual
09 termdd!IcaDeviceControlChannel
0a termdd!IcaDeviceControl
0b termdd!IcaDispatch
0c nt!IofCallDriver
0d win32k!CtxDeviceIoControlFile
0e win32k!EngFileIoControl
0f RDPDD!SCH_DDOutputAvailable
10 RDPDD!DrvSetPointerShape
11 win32k!vSetPointer
12 win32k!GreSetPointer
13 win32k!zzzUpdateCursorImage
14 win32k!zzzSetCursor
15 win32k!xxxDWP_SetCursor
16 win32k!xxxRealDefWindowProc
17 win32k!xxxDefWindowProc
18 win32k!xxxDesktopWndProc
19 win32k!xxxSendMessageTimeout
1a win32k!xxxSendMessage
1b win32k!xxxMouseActivate
1c win32k!xxxScanSysQueue
1d win32k!xxxRealInternalGetMessage
1e win32k!xxxDesktopThread
1f win32k!xxxCreateSystemThreads
20 win32k!NtUserCallOneParam
21 nt!_KiSystemService
22 SharedUserData!SystemCallStub
23 winsrv!NtUserCallOneParam
1: kd> dv
this = 0xe16de018
pPkgInfo = 0xb9f43b14
cbLen = 0x9bd
bShadow = 0n1
trc_fn = 0xb9ec3e68 "SC_AddToPackage"
trc_file = 0xb9ec3c38 "ascapi"
CompressedSize = 0xb9e6da23
__fnname = char [16] "SC_AddToPackage"
pPktHdr = 0x00000008 "--- memory read error at address 0x00000008 ---"
compressResult = 0x00 ''
1: kd> dx -r1 ((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14)
((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14) : 0xb9f43b14 [Type: _tagPDU_PACKAGE_INFO *]
[+0x000] cbLen : 0x1e58 [Type: unsigned int]
[+0x004] cbInUse : 0x4 [Type: unsigned int]
[+0x008] pBuffer : 0xee027020 : 0x83 [Type: unsigned char *]
[+0x00c] pOutBuf : 0x898d31b0 [Type: void *]
1: kd> dx -r1 ((RDPWD!ShareClass *)0xe16de018)
((RDPWD!ShareClass *)0xe16de018) : 0xe16de018 [Type: ShareClass *]
[+0x000] m_pTSWd : 0xe1a3f010 [Type: tagTSHARE_WD *]
[+0x004] m_pSmInfo : 0xe1a3f7c8 [Type: void *]
[+0x008] m_desktopHeight : 0x438 [Type: unsigned int]
[+0x00c] m_desktopWidth : 0x780 [Type: unsigned int]
[+0x010] m_desktopBpp : 0x10 [Type: unsigned int]
[+0x014] m_pShm : 0xee030020 [Type: tagSHM_SHARED_MEMORY *]
[+0x018] baResetBounds : 0x0 [Type: unsigned char]
[+0x01c] caStates [Type: int [3]]
[+0x028] caPendingMessages [Type: tagCAMSGDATA [4]]
[+0x048] caWhoHasControlToken : 0x1 [Type: unsigned int]
[+0x04c] cmNewTxCacheSize : 0x15 [Type: unsigned int]
[+0x050] cmSendNativeColorDepth : 0x1 [Type: unsigned char]
[+0x051] cmNeedToSendCursorShape : 0x1 [Type: unsigned char]
[+0x052] cmCursorHidden : 0x0 [Type: unsigned char]
[+0x054] cmLastCursorStamp : 0x0 [Type: unsigned int]
[+0x058] cpcLocalCombinedCapsQueried : 0x1 [Type: unsigned char]
[+0x05c] cpcLocalCombinedCaps : 0xe16de084 [Type: tagTS_COMBINED_CAPABILITIES *]
[+0x060] cpcRemoteCombinedCaps [Type: tagTS_COMBINED_CAPABILITIES * [3]]
[+0x06c] cpcLocalCaps [Type: unsigned char [400]]
[+0x1fc] usrRemoteFontInfoSent : 0x1 [Type: unsigned char]
[+0x1fd] usrRemoteFontInfoReceived : 0x1 [Type: unsigned char]
[+0x1fe] dcsInitialized : 0x1 [Type: unsigned char]
[+0x1ff] dcsUserLoggedOn : 0x0 [Type: unsigned char]
[+0x200] dcsUpdateShmPending : 0x0 [Type: unsigned char]
[+0x201] dcsCallbackTimerPending : 0x0 [Type: unsigned char]
[+0x204] dcsLastMiscTime : 0xbda7c5aa [Type: unsigned int]
[+0x208] dcsLastArcUpdateTime : {0x0} [Type: _ULARGE_INTEGER]
[+0x210] dcsMinArcUpdateInterval : {0x861c46800} [Type: _ULARGE_INTEGER]
[+0x218] imKeyStates [Type: unsigned char [266]]
[+0x324] imLastLowLevelMouseEventTime : 0xbd8b2972 [Type: unsigned int]
[+0x328] imLastKnownMousePos [Type: _POINTL]
[+0x330] oaSyncRequired : 0x0 [Type: unsigned char]
[+0x331] oeSendSolidPatternBrushOnly : 0x0 [Type: unsigned char]
[+0x332] oeColorIndexSupported : 0x1 [Type: unsigned char]
[+0x333] oeOrderSupported [Type: unsigned char [32]]
[=0xb9ec2bc8] oeLocalOrdersSupported [Type: unsigned char [32]]
[+0x353] pmMustSendPalette : 0x1 [Type: unsigned char]
[+0x354] sbcBitmapCachingEnabled : 0x1 [Type: unsigned char]
[+0x355] sbcGlyphCachingEnabled : 0x1 [Type: unsigned char]
[+0x356] sbcGlyphSupportLevel : 0x3 [Type: unsigned short]
[+0x358] sbcNewCapsData : 0x0 [Type: unsigned char]
[+0x359] sbcCachingOn : 0x1 [Type: unsigned char]
[+0x35a] sbcSyncRequired : 0x0 [Type: unsigned char]
[+0x35b] sbcPersistentKeysReceived : 0x1 [Type: unsigned char]
[+0x35c] sbcBrushCachingEnabled : 0x1 [Type: unsigned char]
[+0x35d] sbcClearCache [Type: unsigned char [5]]
[+0x364] sbcBrushSupportLevel : 0x1 [Type: unsigned int]
[+0x368] sbcGlyphCacheSizes [Type: tagSBC_CACHE_SIZE [10]]
[+0x3b8] sbcFragCacheSizes [Type: tagSBC_CACHE_SIZE [1]]
[+0x3c0] sbcTotalKeysExpected : 0x38 [Type: unsigned int]
[+0x3c4] sbcNumKeysExpected [Type: unsigned int [5]]
[+0x3d8] sbcTotalNumErrorPDUs : 0x0 [Type: unsigned int]
[+0x3dc] sbcKeyDatabase : 0x0 [Type: SBC_BITMAP_CACHE_KEY_INFO *]
[+0x3e0] sbcKeyDatabaseSize : 0x0 [Type: unsigned int]
[+0x3e4] sbcCurrentBitmapCaps [Type: tagTS_BITMAPCACHE_CAPABILITYSET_REV2]
[+0x400] sbcOffscreenCacheInfo [Type: tagSBC_OFFSCREEN_BITMAP_CACHE_INFO]
[+0x40c] sbcOffscreenCachingEnabled : 0x1 [Type: unsigned char]
[+0x40d] sbcDisableOffscreenCaching : 0x0 [Type: unsigned char]
[+0x410] sbcDrawNineGridCacheInfo [Type: tagSBC_DRAWNINEGRID_BITMAP_CACHE_INFO]
[+0x41c] sbcDrawNineGridCachingEnabled : 0x1 [Type: unsigned char]
[+0x41d] sbcDisableDrawNineGridCaching : 0x0 [Type: unsigned char]
[+0x41e] sbcDrawGdiplusEnabled : 0x1 [Type: unsigned char]
[+0x420] sbcDrawGdiplusInfo [Type: tagSBC_DRAWGDIPLUS_INFO]
[+0x444] sbcDisableDrawGdiplus : 0x0 [Type: unsigned char]
[=0xb9ec2be8] sbcDefaultBitmapCaps [Type: tagTS_BITMAPCACHE_CAPABILITYSET_REV2]
[=0xb9ec2c08] sbcMaxGlyphCacheSizes [Type: tagSBC_CACHE_SIZE [10]]
[=0xb9ec2c58] sbcMaxFragCacheSizes [Type: tagSBC_CACHE_SIZE [1]]
[+0x448] sbcClientBitsPerPel : 0x10 [Type: unsigned int]
[+0x44c] scState : 0x3 [Type: unsigned int]
[+0x450] scPartyArray [Type: ShareClass::tagSC_PARTY_INFO [3]]
[+0x4f8] scNumberInShare : 0x2 [Type: unsigned int]
[+0x4fc] scLastNetID : 0x3f0 [Type: unsigned int]
[+0x500] scLastLocID : 0x1 [Type: unsigned int]
[+0x504] scUserID : 0x3ea [Type: unsigned int]
[+0x508] scShareID : 0x103ea [Type: unsigned int]
[+0x50c] scGeneration : 0x1 [Type: unsigned int]
[+0x510] scPSMHandle : 0xe1a3f7c8 [Type: void *]
[+0x514] scNoBitmapCompressionHdr : 0x400 [Type: unsigned short]
[+0x516] scUseFastPathOutput : 0x1 [Type: unsigned char]
[+0x517] scUseShadowCompression : 0x0 [Type: unsigned char]
[+0x518] scUseLongCredentials : 0x1 [Type: unsigned char]
[+0x519] scEnablePeriodicArcUpdate : 0x0 [Type: unsigned char]
[+0x51a] scUseAutoReconnect : 0x1 [Type: unsigned char]
[+0x51b] scCompressionUsedValue : 0x80 [Type: unsigned char]
[+0x51c] scUpdatePDUHeaderSpace : 0x4 [Type: unsigned int]
1: kd> dx -r1 ((RDPWD!ShareClass *)0xe16de018)
((RDPWD!ShareClass *)0xe16de018) : 0xe16de018 [Type: ShareClass *]
[+0x000] m_pTSWd : 0xe1a3f010 [Type: tagTSHARE_WD *]
1: kd> dx -r1 ((RDPWD!tagTSHARE_WD *)0xe1a3f010)
((RDPWD!tagTSHARE_WD *)0xe1a3f010) : 0xe1a3f010 [Type: tagTSHARE_WD *]
[+0x000] hDomainKernel : 0xe19cb008 [Type: void *]
[+0x004] pContext : 0x8966dfb4 [Type: _SDCONTEXT *]
[+0x008] dead : 0x0 [Type: unsigned char]
[+0x009] bInShadowShare : 0x0 [Type: unsigned char]
[+0x00a] HotkeyVk : 0x0 [Type: unsigned char]
[+0x00c] HotkeyModifiers : 0x0 [Type: unsigned short]
[+0x010] pShadowInfo : 0x0 [Type: tagSHADOW_INFO *]
[+0x014] pShadowCert : 0x0 [Type: _SHADOWCERT *]
[+0x018] pShadowRandom : 0x0 [Type: _CLIENTRANDOM *]
[+0x01c] pUserData : 0x0 [Type: _USERDATAINFO *]
[+0x020] shadowState : 0x0 [Type: unsigned int]
[+0x500] bCompress : 0x1 [Type: unsigned char]
if (m_pTSWd->bCompress) {
UCHAR *pSrcBuf = pPktHdr + scUpdatePDUHeaderSpace;
// Compress or copy the data into the OutBuf.
if ((cbLen > WD_MIN_COMPRESS_INPUT_BUF) &&
(cbLen < MAX_COMPRESS_INPUT_BUF) &&
((m_pTSWd->shadowState == SHADOW_NONE) || scUseShadowCompression)) {
// Copy the header over to the OutBuf
memcpy((BYTE *)pPkgInfo->pOutBuf + pPkgInfo->cbInUse, pPktHdr,
scUpdatePDUHeaderSpace);
pPktHdr = (BYTE *)pPkgInfo->pOutBuf + pPkgInfo->cbInUse;
// Attempt to compress the PDU body directly into the OutBuf
compressResult = compress(pSrcBuf,
pPktHdr + scUpdatePDUHeaderSpace,
&CompressedSize, m_pTSWd->pMPPCContext);
1: kd> db 0x898d31b4
898d31b4 80 00 00 00 43 01 03 09-00 20 0c 05 10 01 40 0a ....C.... ....@.
898d31c4 bf df c3 20 9f d6 7e 28-64 34 e0 04 40 06 99 7f ... ..~(d4..@...
898d31d4 7f 03 08 00 20 04 fb f2-01 f7 b2 11 f0 a4 04 85 .... ...........
898d31e4 1e 40 01 ce 01 1b 98 c1-80 00 12 00 0d c0 7c 96 .@............|.
898d31f4 09 00 0c f9 50 0c 02 01-00 07 24 00 02 01 00 01 ....P.....$.....
898d3204 0c f9 32 00 00 12 14 7a-1f fd 41 c0 01 08 42 21 ..2....z..A...B!
898d3214 f7 10 d0 eb 98 89 f5 ce-e4 19 7f bf 88 86 80 86 ................
898d3224 dd 04 4f c3 40 6e 61 62-10 41 10 fb 98 58 65 d4 ..O.@nab.A...Xe.
// Fill in the header based on whether we're using fast-path.
if (scUseFastPathOutput) {
if (m_pTSWd->bCompress) {
// Set up compression flags if we're compressing, whether
// or not the compression succeeded above.
pPktHdr[1] = compressResult
1: kd> dv
this = 0xe16de018
pPkgInfo = 0xb9f43b14
cbLen = 0x9bd
bShadow = 0n1
trc_fn = 0xb9ec3e68 "SC_AddToPackage"
trc_file = 0xb9ec3c38 "ascapi"
CompressedSize = 0x375
__fnname = char [16] "SC_AddToPackage"
pPktHdr = 0x898d31b4 "???"
compressResult = 0x21 '!'
1: kd> db 0x898d31b4
898d31b4 80 21 00 00 43 01 03 09-00 20 0c 05 10 01 40 0a .!..C.... ....@.
898d31c4 bf df c3 20 9f d6 7e 28-64 34 e0 04 40 06 99 7f ... ..~(d4..@...
898d31d4 7f 03 08 00 20 04 fb f2-01 f7 b2 11 f0 a4 04 85 .... ...........
898d31e4 1e 40 01 ce 01 1b 98 c1-80 00 12 00 0d c0 7c 96 .@............|.
898d31f4 09 00 0c f9 50 0c 02 01-00 07 24 00 02 01 00 01 ....P.....$.....
898d3204 0c f9 32 00 00 12 14 7a-1f fd 41 c0 01 08 42 21 ..2....z..A...B!
898d3214 f7 10 d0 eb 98 89 f5 ce-e4 19 7f bf 88 86 80 86 ................
898d3224 dd 04 4f c3 40 6e 61 62-10 41 10 fb 98 58 65 d4 ..O.@nab.A...Xe.
1: kd> dv
this = 0xe16de018
pPkgInfo = 0xb9f43b14
cbLen = 0x9bd
bShadow = 0n1
trc_fn = 0xb9ec3e68 "SC_AddToPackage"
trc_file = 0xb9ec3c38 "ascapi"
CompressedSize = 0x375
__fnname = char [16] "SC_AddToPackage"
pPktHdr = 0x898d31b4 "???"
compressResult = 0x21 '!'
1: kd> dx -r1 ((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14)
((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14) : 0xb9f43b14 [Type: _tagPDU_PACKAGE_INFO *]
[+0x000] cbLen : 0x1e58 [Type: unsigned int]
[+0x004] cbInUse : 0x4 [Type: unsigned int]
[+0x008] pBuffer : 0xee027020 : 0x83 [Type: unsigned char *]
[+0x00c] pOutBuf : 0x898d31b0 [Type: void *]
// Advance the usage size past the header and compressed or
// uncompressed data.
pPkgInfo->cbInUse += CompressedSize + scUpdatePDUHeaderSpace;
1: kd> dx -r1 ((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14)
((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14) : 0xb9f43b14 [Type: _tagPDU_PACKAGE_INFO *]
[+0x000] cbLen : 0x1e58 [Type: unsigned int]
[+0x004] cbInUse : 0x37d [Type: unsigned int]
[+0x008] pBuffer : 0xee027020 : 0x83 [Type: unsigned char *]
[+0x00c] pOutBuf : 0x898d31b0 [Type: void *]
[+0x008] pBuffer : 0xee027020 : 0x83
1: kd> db 0xee027020
ee027020 83 00 00 00 80 00 00 00-43 01 03 09 00 20 0c 05 ........C.... ..
ee027030 10 01 40 0a ff ff 0c 84-00 00 00 00 00 00 00 00 ..@.............
ee027040 19 0d 38 01 10 01 cc ff-7f 03 08 00 20 04 05 10 ..8......... ...
ee027050 01 40 0a 00 0c 84 00 00-00 00 00 00 00 00 11 00 .@..............
ee027060 01 00 00 09 0a 3c 80 07-38 04 6e 63 06 00 00 48 .....<..8.nc...H
ee027070 00 37 01 02 00 00 09 00-0c 48 00 37 01 06 01 00 .7.......H.7....
ee027080 80 07 24 00 02 01 00 01-0c 80 07 24 00 02 00 00 ..$........$....
ee027090 09 0a 3d 0f 00 01 00 0e-00 08 42 11 0f f1 0d 0e ..=.......B.....
返回到:
NTSTATUS RDPCALL SHCLASS UPSendOrders(PPDU_PACKAGE_INFO pPkgInfo)
{
// Add the data we have and allow MPPC compression to
// take place.
TRC_DBG((TB, "Send orders pkt. size(%d)", cbOrderBytes));
SC_AddToPackage(pPkgInfo, (cbOrderBytes + upUpdateHdrSize), TRUE);
#ifdef DC_HICOLOR
// Having sent some data, we can again resort to the
// Very Large Buffer later if we need to
bTriedVeryLargeBuffer = FALSE;
#endif
// No need to try a larger size.
break;
}
返回到: