rdpwsx!TSrvInitWD函数分析到rdpwd!WDWConfConnect

rdpwsx!TSrvInitWD函数分析到rdpwd!WDWConfConnect

21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWD entry

21:19:13.843 892CDCFC.E13610C8 GCC: mcsCallback exit - 0x0

21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing WDTShare connection info exchange

21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWDConnectInfo entry
21:19:13.843 892767D4.E11B61D0 TShrSRV: Allocated 0x80 bytes to recieve WDTShare return data
21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing connect (size=128)

21:19:13.843 892CDCFC.E13610C8 TermDD: IcaReferenceChannel: cc 5, vc 31, ref 1
21:19:13.859 892767D4.E11B61D0 TermDD: IcaDeviceControlStack, fc 2304 (enter)

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0489 IOCTL_TSHARE_CONF_CONNECT (2304)

21:19:13.859 892CDCFC.E13610C8 TermDD: IcaDefeferenceChannel: cc 5, vc 31, ref 2

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0816 Got TSHARE_CONF_CONNECT IOCtl

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1484 GCC_H221_NONSTANDARD_KEY

44 75 63 61 Duca

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1615 Our client's User Data

01 C0 D4 00 04 00 08 00 40 06 38 04 01 CA 03 AA ........@.8.....

04 08 00 00 CE 0E 00 00 4F 00 53 00 2D 00 32 00 ........O.S.-.2.

30 00 32 00 35 00 30 00 37 00 30 00 31 00 58 00 0.2.5.0.7.0.1.X.

45 00 42 00 4C 00 00 00 04 00 00 00 00 00 00 00 E.B.L...........

0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 01 CA 01 00 00 00 00 00 18 00 07 00 ................

01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 04 C0 0C 00 0D 00 00 00 00 00 00 00 ................

02 C0 0C 00 1B 00 00 00 00 00 00 00 03 C0 2C 00 ..............,.

03 00 00 00 72 64 70 64 72 00 00 00 00 00 80 80 ....rdpdr.......

63 6C 69 70 72 64 72 00 00 00 A0 C0 72 64 70 73 cliprdr.....rdps

6E 64 00 00 00 00 00 C0 nd......

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1631 Core data

01 C0 D4 00 04 00 08 00 40 06 38 04 01 CA 03 AA ........@.8.....

04 08 00 00 CE 0E 00 00 4F 00 53 00 2D 00 32 00 ........O.S.-.2.

30 00 32 00 35 00 30 00 37 00 30 00 31 00 58 00 0.2.5.0.7.0.1.X.

45 00 42 00 4C 00 00 00 04 00 00 00 00 00 00 00 E.B.L...........

0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 01 CA 01 00 00 00 00 00 18 00 07 00 ................

01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00 00 00 00 ....

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1674 Cluster data

04 C0 0C 00 0D 00 00 00 00 00 00 00 ............

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1650 Security data

02 C0 0C 00 1B 00 00 00 00 00 00 00 ............

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1662 Net data

03 C0 2C 00 03 00 00 00 72 64 70 64 72 00 00 00 ..,.....rdpdr...

00 00 80 80 63 6C 69 70 72 64 72 00 00 00 A0 C0 ....cliprdr.....

72 64 70 73 6E 64 00 00 00 00 00 C0 rdpsnd......

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0305 Client version is 0x80004

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0328 ErrorInfoPDU supported = 1

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0346 Client requests color depth 24, server limit 16

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0350 Limiting requested color depth...

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0374 Restricted requested color depth 24 to 16

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0431 16 BPP (565)

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0502 Client supports load balance redirection

RDPWD: New: ShareClass at E88E0A90, size=1392

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWNewShareC 2528 Created Share Class

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0234 encryption level is 2

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0265 Encrypting

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0308 Encryption methods supported 0000001b: Level 2

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0365 Set state from SM_STATE_STARTED to SM_STATE_INITIALIZED

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0500 Client supports encryption: 1b

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0502 Server supports encryption: 1b

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0639 Encryption Method=2, Level=2, Display=1

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0650 Init Fips succeed

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0689 Set state from SM_STATE_INITIALIZED to SM_STATE_NM_CONNECTING

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0691 Connect to Network Manager

21:19:13.875 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0181 Net User Data

03 C0 2C 00 03 00 00 00 72 64 70 64 72 00 00 00 ..,.....rdpdr...

00 00 80 80 63 6C 69 70 72 64 72 00 00 00 A0 C0 ....cliprdr.....

72 64 70 73 6E 64 00 00 00 00 00 C0 rdpsnd......

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0185 Protocol version 0x80004 (0x8/0x4)

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0247 Channel 0 (was 0): rdpdr

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0247 Channel 1 (was 1): cliprdr

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0247 Channel 2 (was 2): rdpsnd

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0289 Attach User

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0303 AttachUser OK, hUser E88724C8

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0312 Attached as user 3ea, hUser E88724C8

21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0336 Joined broadcast channel 3eb (hChannel E167E190) OK

21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0356 Joined user channel (hChannel E8872614) OK

21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0394 Joined VC 0: 1004 (hChannel E1189EA0)

21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0394 Joined VC 1: 1005 (hChannel E167E148)

21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0394 Joined VC 2: 1006 (hChannel E118F638)

21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0419 Copy 3 channels to user data out

21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0428 Channel 0 (0) = 0x3ec

21:19:13.921 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0428 Channel 1 (1) = 0x3ed

21:19:13.921 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0428 Channel 2 (2) = 0x3ee

21:19:13.921 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0434 Tell SM we're connecting

21:19:13.921 892767D4.E11B61D0 RDP E10C2010 SM_OnConnect 0117 Connected OK as user 3ea

21:19:13.921 892767D4.E11B61D0 RDP E10C2010 SM_OnConnect 0132 Set state from SM_STATE_NM_CONNECTING to SM_STATE_SM_CONNECTING

21:19:13.921 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0677 pOutData at 00D76148

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0711 Key octet at 00D76168 (offs 00000020)

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0719 Data octet pointer at 00D7616C (offs 00000024)

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0733 Core data at 00D76174 (offs 0000002C)

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0738 Net data at 00D7617C (offs 00000034)

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0747 Sec data at 00D7618C (offs 00000044)

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0757 Build 80 bytes of returned user data

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0758 Returned user data

50 00 00 00 04 00 08 00 98 5C D7 00 01 00 00 00 P........\......

02 00 00 00 04 00 00 00 20 00 00 00 24 00 00 00 ........ ...$...

4D 63 44 6E 24 00 00 10 2C 00 00 00 01 0C 08 00 McDn$...,.......

04 00 08 00 03 0C 10 00 EB 03 03 00 EC 03 ED 03 ................

EE 03 00 00 02 0C 0C 00 02 00 00 00 02 00 00 00 ................

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 SM_OnConnect 0142 Free user data

21:19:13.937 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0451 Free user data

21:19:13.937 892767D4.E11B61D0 TermDD: IcaDeviceControlStack, fc 2304, 0x0

21:19:13.937 892767D4.E11B61D0 TShrSRV: TSrvInitWDConnectInfo exit - 0x0

21:19:13.937 892767D4.E11B61D0 TShrSRV: TSrvInitWD exit - 0x0

21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWD entry

21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing WDTShare connection info exchange

//
// TSrvInitWD
//
// Runs the WDTShare connection-info exchange for a standard (non-shadow)
// connection by issuing IOCTL_TSHARE_CONF_CONNECT through
// TSrvInitWDConnectInfo. The security-info pointer that call returns is
// received here but not consumed.
//
// pTSrvInfo      - per-connection server info; supplies the stack handle.
// ppUserDataInfo - in/out user data block exchanged with the WD.
//
// Returns the NTSTATUS of the exchange.
//
NTSTATUS
TSrvInitWD(IN PTSRVINFO pTSrvInfo, IN OUT PUSERDATAINFO *ppUserDataInfo)
{
    PVOID pSecInfo = NULL;
    NTSTATUS status;

    TRACE((DEBUG_TSHRSRV_FLOW,
           "TShrSRV: TSrvInitWD entry\n"));

    TRACE((DEBUG_TSHRSRV_NORMAL,
           "TShrSRV: Performing WDTShare connection info exchange\n"));

    // No shadow module data on this path (NULL, 0); bGetCert is TRUE.
    status = TSrvInitWDConnectInfo(pTSrvInfo->hStack,
                                   pTSrvInfo,
                                   ppUserDataInfo,
                                   IOCTL_TSHARE_CONF_CONNECT,
                                   NULL,
                                   0,
                                   TRUE,
                                   &pSecInfo);

    if (!NT_SUCCESS(status)) {
        TRACE((DEBUG_TSHRSRV_DEBUG,
               "TShrSRV: WDTShare connection info exchange unsuccessful - 0x%x\n", status));
    }

    TRACE((DEBUG_TSHRSRV_FLOW,
           "TShrSRV: TSrvInitWD exit - 0x%x\n", status));

    return status;
}

// Function code 0x900 == 2304, the "fc 2304" seen in the TermDD and WD_Ioctl
// trace lines above. METHOD_NEITHER is the standard Windows transfer type in
// which the driver gets the caller's own buffer pointers and lengths, which is
// why WDWConfConnect validates InputBufferLength/cbSize itself.
#define IOCTL_TSHARE_CONF_CONNECT _ICA_CTL_CODE(0x900, METHOD_NEITHER)

1: kd> ?0x900

Evaluate expression: 2304 = 00000900

21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWDConnectInfo entry

21:19:13.843 892767D4.E11B61D0 TShrSRV: Allocated 0x80 bytes to recieve WDTShare return data

21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing connect (size=128)

NTSTATUS

TSrvInitWDConnectInfo(IN HANDLE hStack,

IN PTSRVINFO pTSrvInfo,

IN OUT PUSERDATAINFO *ppUserDataInfo,

IN ULONG ioctl,

IN PBYTE pModuleData,

IN ULONG cbModuleData,

IN BOOLEAN bGetCert,

OUT PVOID *ppSecInfo)

{

int i;

ULONG ulInBufferSize;

ULONG ulBytesReturned;

PUSERDATAINFO pUserDataInfo;

PUSERDATAINFO pUserDataInfo2;

NTSTATUS ntStatus;

TRACE((DEBUG_TSHRSRV_FLOW,
"TShrSRV: TSrvInitWDConnectInfo entry\n"));

// For a standard connection we receive client user data as part of the

// GCC connection request. Shadow connections are initiated via RPC and

// the input buffer contains the format sent by the other TS.

if (ioctl == IOCTL_TSHARE_CONF_CONNECT) {

TS_ASSERT(pTSrvInfo->pUserDataInfo);

TS_ASSERT(pTSrvInfo->pUserDataInfo->cbSize);

}

// Allocate a block of memory to receive return UserData from

// WDTShare. This data will subsequently be sent to the client

// via TSrvConfCreateResp.

pUserDataInfo = TSHeapAlloc(0, 128, TS_HTAG_TSS_USERDATA_OUT);

if (pUserDataInfo != NULL) {

// Set the UserData cbSize element. This is so that WDTShare can

// determine if there is sufficient space available to place the

// return data into

pUserDataInfo->cbSize = 128 ;

TRACE((DEBUG_TSHRSRV_DETAIL,
"TShrSRV: Allocated 0x%x bytes to recieve WDTShare return data\n",
pUserDataInfo->cbSize));

// Exchange UserData with WDTShare. If the provided output buffer

// (pUserDataInfo) is large enough then the data will be exchanged

// in one call. If the buffer is not large enough, then it is up to

// WDTShare to tell TShareSRV how to react. For general errors we

// just exit. For STATUS_BUFFER_TOO_SMALL errors, TShareSrv looks at

// the returned cbSize to determine how to adjust the buffer. If

// WDTShare did not increase the cbSize then TShareSrv will increase

// it by a default amount (128 bytes). TShareSrv will use the new value

// to reallocate the output buffer and try the WDTShare call again.

// (Note that TShareSrv will only try this a max of 20 times)

for (i = 0; i < 20; i++) {
TRACE((DEBUG_TSHRSRV_NORMAL, "TShrSRV: Performing connect (size=%ld)\n",
pUserDataInfo->cbSize));

ulBytesReturned = 0;

// Pass the actual client user data to the WD
if (ioctl == IOCTL_TSHARE_CONF_CONNECT) {

ntStatus = IcaStackIoControl(hStack,

ioctl,

pTSrvInfo->pUserDataInfo,

pTSrvInfo->pUserDataInfo->cbSize,

pUserDataInfo,

pUserDataInfo->cbSize,

&ulBytesReturned);

}

// Pass the shadow module data to the WD

else {

ntStatus = IcaStackIoControl(hStack,

ioctl,

pModuleData,

cbModuleData,

pUserDataInfo,

pUserDataInfo->cbSize,

&ulBytesReturned);

// Same definition as quoted earlier: 0x900 == 2304 matches the "fc 2304" in
// the trace; METHOD_NEITHER means the WD sees raw caller buffers, so the
// length checks live in WDWConfConnect rather than in the I/O manager.
#define IOCTL_TSHARE_CONF_CONNECT _ICA_CTL_CODE(0x900, METHOD_NEITHER)

1: kd> ?0x900

Evaluate expression: 2304 = 00000900

21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0489 IOCTL_TSHARE_CONF_CONNECT (2304)
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0816 Got TSHARE_CONF_CONNECT IOCtl

NTSTATUS WD_Ioctl(PTSHARE_WD pTSWd, PSD_IOCTL pSdIoctl)

{

NTSTATUS status = STATUS_SUCCESS;

UINT32 bufferLen;

unsigned fn;

PVIDEO_MODE_INFORMATION pVidInfo;

DC_BEGIN_FN("WD_Ioctl");

else {

// Non-perf path IOCTLs.

fn = WDW_IOCTL_FUNCTION(pSdIoctl->IoControlCode);

TRC_NRM((TB, "%s (%d)",

fn == 0x900 ? "IOCTL_TSHARE_CONF_CONNECT" :

fn));

}

case IOCTL_TSHARE_CONF_CONNECT:

{
TRC_NRM((TB, "Got TSHARE_CONF_CONNECT IOCtl"));

status = WDWConfConnect(pTSWd, pSdIoctl);

}

break;

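//
// WDWConfConnect
//
// Handles IOCTL_TSHARE_CONF_CONNECT: validates the client user data that
// TShareSRV forwarded from the GCC conference-create request, splits it into
// the core/security/net/cluster blocks and hands those to WDWConnect.
//
// pTSWd    - per-connection WD state; malformed input is logged and the
//            connection dropped through it.
// pSdIoctl - the IOCTL descriptor. InputBuffer/InputBufferLength carry the
//            (untrusted) client user data; OutputBuffer/OutputBufferLength
//            receive the user data to be returned to the client.
//
// Returns STATUS_SUCCESS, STATUS_BUFFER_TOO_SMALL when the caller must retry
// with a larger output buffer (its cbSize is rewritten to the size needed),
// or STATUS_UNSUCCESSFUL when the input is malformed or fails to parse.
//
NTSTATUS WDWConfConnect(PTSHARE_WD pTSWd, PSD_IOCTL pSdIoctl)
{
    NTSTATUS status = STATUS_SUCCESS;
    unsigned DataLen;
    unsigned cbClaimed;
    PUSERDATAINFO pInUserData;
    PUSERDATAINFO pOutUserData;
    PRNS_UD_CS_CORE pClientCoreData;
    PRNS_UD_CS_SEC pClientSecurityData;
    PRNS_UD_CS_NET pClientNetData;
    PTS_UD_CS_CLUSTER pClientClusterData;

    DC_BEGIN_FN("WDWConfConnect");

    // The input buffer is attacker-controlled (the client's GCC user data,
    // passed through by TShareSRV), so the length it declares is checked
    // against the length the IOCTL actually delivered before any field
    // beyond the header is touched.
    DataLen = pSdIoctl->InputBufferLength;
    pInUserData = (PUSERDATAINFO)pSdIoctl->InputBuffer;

    // The whole USERDATAINFO header must be present before cbSize is read.
    if (sizeof(USERDATAINFO) > DataLen) {
        TRC_ERR((TB,"Apparent attack via user data, size %u too small for UD hdr",
                DataLen));
        WDW_LogAndDisconnect(pTSWd, TRUE, Log_RDP_BadUserData, pSdIoctl->InputBuffer,
                DataLen);
        status = STATUS_UNSUCCESSFUL;
        DC_QUIT;
    }

    // The self-declared size must not claim more bytes than were supplied.
    // Both sizes are logged so the event is actionable (previously the
    // comparison result, 0 or 1, was what reached the %u).
    cbClaimed = pInUserData->cbSize;
    if (cbClaimed > DataLen) {
        TRC_ERR((TB,"Apparent attack via user data, the cbSize %u is bigger than the total buffer %u",
                cbClaimed, DataLen));
        WDW_LogAndDisconnect(pTSWd, TRUE, Log_RDP_BadUserData, pSdIoctl->InputBuffer,
                DataLen);
        status = STATUS_UNSUCCESSFUL;
        DC_QUIT;
    }
    // NOTE(review): a cbSize smaller than the header is not rejected here.
    // The parser below is bounded by DataLen rather than cbSize, so whether
    // that matters depends on WDWParseUserData - confirm.

    // The output buffer is supplied by TShareSRV, not the client. It must be
    // present and at least MIN_USERDATAINFO_SIZE bytes long.
    pOutUserData = (PUSERDATAINFO)pSdIoctl->OutputBuffer;
    if ((pOutUserData == NULL) ||
            (pSdIoctl->OutputBufferLength < MIN_USERDATAINFO_SIZE)) {
        TRC_ERR((TB, "No Out Buffer on TSHARE_CONF_CONNECT."));
        status = STATUS_BUFFER_TOO_SMALL;
        DC_QUIT;
    }

    // cbSize is the caller's own statement of how much of the buffer may be
    // written. If it is too small, write back the size needed and let the
    // caller retry (TSrvInitWDConnectInfo reallocates and re-issues the
    // IOCTL on STATUS_BUFFER_TOO_SMALL).
    // NOTE(review): cbSize is trusted to be <= OutputBufferLength; the
    // visible caller passes the same value for both, but a mismatch is not
    // rejected here.
    if (pOutUserData->cbSize < MIN_USERDATAINFO_SIZE) {
        pOutUserData->cbSize = MIN_USERDATAINFO_SIZE;
        TRC_ERR((TB, "Telling TShareSRV to have another go with %d",
                MIN_USERDATAINFO_SIZE));
        status = STATUS_BUFFER_TOO_SMALL;
        DC_QUIT;
    }

    // Split the user data into its typed sub-blocks, bounded by DataLen (the
    // delivered length, not the client's cbSize), then perform the connect.
    if (WDWParseUserData(pTSWd, pInUserData, DataLen,
            NULL, 0, &pClientCoreData, &pClientSecurityData,
            &pClientNetData, &pClientClusterData)) {
        status = WDWConnect(pTSWd, pClientCoreData, pClientSecurityData,
                pClientNetData, pClientClusterData, pSdIoctl, FALSE);
    }
    else {
        status = STATUS_UNSUCCESSFUL;
        TRC_ERR((TB, "Could not parse the user data successfully"));
    }

DC_EXIT_POINT:
    DC_END_FN();
    return status;
} /* WDWConfConnect */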