rdpwsx!GCCConferenceCreateResponse函数里面的rdpwsx!gccEncodeUserData函数分析

sitelist2025-11-04 9:00

rdpwsx!GCCConferenceCreateResponse函数里面的rdpwsx!gccEncodeUserData函数分析

第一部分:

20:33:22.171 89C6060C.E18BA820 GCC: GCCConferenceCreateResponse entry
20:33:22.171 89C6060C.E18BA820 GCC: gccEncodeUserData entry
20:33:22.171 89C6060C.E18BA820 GCC: gccEncodeUserData exit - 0x0

20:33:22.171 89C6060C.E18BA820 GCC: Calling MCSConnectProviderResponse - hDomain 0xd737a8, result 0x0, pUserData 0xd73318, UserDataLength 0x11b

第二部分:

MCSError

gccEncodeUserData(IN USHORT usMembers,

IN GCCUserData **ppDataList,

OUT PBYTE *pUserData,

OUT UINT *pUserDataLength)

{

MCSError mcsError;

PBYTE pBerData;

UINT UserDataLength;

UINT len;

TRACE((DEBUG_GCC_DBFLOW,
"GCC: gccEncodeUserData entry\n"));

if (ppDataList)

{
len = (*ppDataList)->octet_string->octet_string_length;

pBerData = TSHeapAlloc(0,

len + 32,

TS_HTAG_GCC_USERDATA_OUT);

if (pBerData)

{

UserDataLength = 0;

pBerData[UserDataLength++] = 0x00;

pBerData[UserDataLength++] = 0x05;

pBerData[UserDataLength++] = 0x00;

pBerData[UserDataLength++] = 0x14;

pBerData[UserDataLength++] = 0x7c;

pBerData[UserDataLength++] = 0x00;

pBerData[UserDataLength++] = 0x01;

pBerData[UserDataLength++] = 0x2a;

pBerData[UserDataLength++] = 0x14;

pBerData[UserDataLength++] = 0x76;

pBerData[UserDataLength++] = 0x0a;

pBerData[UserDataLength++] = 0x01;

pBerData[UserDataLength++] = 0x01;

pBerData[UserDataLength++] = 0x00;

pBerData[UserDataLength++] = 0x01;

pBerData[UserDataLength++] = 0xc0;

pBerData[UserDataLength++] = 0x00;

pBerData[UserDataLength++] = (*ppDataList)->key.u.h221_non_standard_id.octet_string[0];

pBerData[UserDataLength++] = (*ppDataList)->key.u.h221_non_standard_id.octet_string[1];

pBerData[UserDataLength++] = (*ppDataList)->key.u.h221_non_standard_id.octet_string[2];

pBerData[UserDataLength++] = (*ppDataList)->key.u.h221_non_standard_id.octet_string[3];

1: kd> dv

usMembers = 1

ppDataList = 0x00000104

pUserData = 0x00f5e904

pUserDataLength = 0x00f5e8fc

len = 0x104

1: kd> dx -r1 ((rdpwsx!GCCUserData * *)0x104)

((rdpwsx!GCCUserData * *)0x104) : 0x104 : Unable to read memory at Address 0x104 [Type: GCCUserData * *]

Unable to read memory at Address 0x104

1: kd> dx -r1 ((rdpwsx!GCCUserData * *)0xd63de8)

((rdpwsx!GCCUserData * *)0xd63de8) : 0xd63de8 [Type: GCCUserData * *]

0xd644e0 [Type: GCCUserData *]

1: kd> dx -r1 ((rdpwsx!GCCUserData *)0xd644e0)

((rdpwsx!GCCUserData *)0xd644e0) : 0xd644e0 [Type: GCCUserData *]

+0x000\] key \[Type: GCCObjectKey

+0x00c\] octet_string : 0xd644f4 \[Type: GCCOctetString \*

1: kd> dx -r1 (*((rdpwsx!GCCObjectKey *)0xd644e0))

(*((rdpwsx!GCCObjectKey *)0xd644e0)) [Type: GCCObjectKey]

+0x000\] key_type : GCC_H221_NONSTANDARD_KEY (2) \[Type: GCCObjectKeyType

+0x004\] u \[Type: __unnamed

1: kd> dx -r1 (*((rdpwsx!__unnamed *)0xd644e4))

(*((rdpwsx!__unnamed *)0xd644e4)) [Type: __unnamed]

+0x000\] object_id \[Type: GCCLongString

+0x000\] h221_non_standard_id \[Type: GCCOctetString

1: kd> dx -r1 (*((rdpwsx!GCCOctetString *)0xd644e4))

(*((rdpwsx!GCCOctetString *)0xd644e4)) [Type: GCCOctetString]

+0x000\] octet_string_length : 0x4 \[Type: unsigned short

+0x004\] octet_string : 0xd644f0 : 0x4d \[Type: unsigned char \*

1: kd> dx -r1 ((rdpwsx!unsigned char *)0xd644f0)

((rdpwsx!unsigned char *)0xd644f0) : 0xd644f0 : 0x4d [Type: unsigned char *]

0x4d [Type: unsigned char]
1: kd> db 0xd644f0
00d644f0 4d 63 44 6e 04 01 00 00-fc 44 d6 00 01 0c 08 00 McDn.....D......

00d64500 04 00 08 00 03 0c 10 00-eb 03 03 00 ec 03 ed 03 ................

00d64510 ee 03 00 00 02 0c ec 00-02 00 00 00 02 00 00 00 ................

00d64520 20 00 00 00 b8 00 00 00-a6 59 7e 75 8e 7a f7 13 ........Y~u.z..

00d64530 c3 92 b4 96 77 6d ff 9d-80 46 40 2a f2 48 ed b3 ....wm...F@*.H..

00d64540 2e bf 58 b0 09 d0 09 a1-01 00 00 00 01 00 00 00 ..X.............

00d64550 01 00 00 00 06 00 5c 00-52 53 41 31 48 00 00 00 ......\.RSA1H...

00d64560 00 02 00 00 3f 00 00 00-01 00 01 00 17 4f a2 0c ....?........O..

if (len >= 128)
pBerData[UserDataLength++] = (0x80 | (len >> 8));

1: kd> db 00d635e0

00d635e0 00 05 00 14 7c 00 01 2a-14 76 0a 01 01 00 01 c0 ....|..*.v......

00d635f0 00 4d 63 44 6e 81 04 01-0c 08 00 04 00 08 00 03 .McDn...........

00d63600 0c 10 00 eb 03 03 00 ec-03 ed 03 ee 03 00 00 02 ................

00d63610 0c ec 00 02 00 00 00 02-00 00 00 20 00 00 00 b8 ........... ....

00d63620 00 00 00 af 55 da 3d fc-20 eb b8 cd 43 ea 77 a1 ....U.=. ...C.w.

00d63630 10 1a 81 7a 78 bf 68 6e-7e 8a a3 66 5f 98 b8 7d ...zx.hn~..f_..}

00d63640 b8 c5 45 01 00 00 00 01-00 00 00 01 00 00 00 06 ..E.............

00d63650 00 5c 00 52 53 41 31 48-00 00 00 00 02 00 00 3f .\.RSA1H.......?

pBerData[UserDataLength++] =

((*ppDataList)->octet_string->octet_string_length) & 0xff;

memcpy(&pBerData[UserDataLength],

(*ppDataList)->octet_string->octet_string, len);

1: kd> r

eax=00d635e0 ebx=00000104 ecx=00000041 edx=00000017 esi=00d644fc edi=00d635f7

eip=70fc0ba4 esp=00f5e8d0 ebp=00f5e8dc iopl=0 nv up ei pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

rdpwsx!gccEncodeUserData+0x100:

001b:70fc0ba4 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

1: kd> dx -r1 ((rdpwsx!GCCOctetString *)0xd644f4)

((rdpwsx!GCCOctetString *)0xd644f4) : 0xd644f4 [Type: GCCOctetString *]

+0x000\] octet_string_length : 0x104 \[Type: unsigned short

+0x004\] octet_string : 0xd644fc : 0x1 \[Type: unsigned char \*

1: kd> db 0xd644fc

00d644fc 01 0c 08 00 04 00 08 00-03 0c 10 00 eb 03 03 00 ................

00d6450c ec 03 ed 03 ee 03 00 00-02 0c ec 00 02 00 00 00 ................

00d6451c 02 00 00 00 20 00 00 00-b8 00 00 00 a6 59 7e 75 .... ........Y~u

00d6452c 8e 7a f7 13 c3 92 b4 96-77 6d ff 9d 80 46 40 2a .z......wm...F@*

00d6453c f2 48 ed b3 2e bf 58 b0-09 d0 09 a1 01 00 00 00 .H....X.........

00d6454c 01 00 00 00 01 00 00 00-06 00 5c 00 52 53 41 31 ..........\.RSA1

00d6455c 48 00 00 00 00 02 00 00-3f 00 00 00 01 00 01 00 H.......?.......

00d6456c 17 4f a2 0c 85 2f f9 e4-73 f4 66 1a 40 92 24 d6 .O.../..s.f.@.$.

1: kd> db 0xd644fc+80

00d6457c 13 af 58 e4 a5 be 3a 76-a7 02 81 ca a9 02 40 36 ..X...:v......@6

00d6458c 42 52 52 16 a4 0b be 11-aa 78 eb 38 9f ba e5 b8 BRR......x.8....

00d6459c ed a8 14 eb 98 ae b0 4e-d0 6a 56 08 f2 ae f0 a0 .......N.jV.....

00d645ac 00 00 00 00 00 00 00 00-08 00 48 00 f5 01 1b ff ..........H.....

00d645bc d4 4f 85 66 cb 8f ed 01-e3 46 4e 9a 1a 5b c0 41 .O.f.....FN..[.A

00d645cc 30 e8 49 08 ec 64 de 84-94 29 84 65 2f 42 1d 6e 0.I..d...).e/B.n

00d645dc cd e9 cf 37 b8 55 2a 69-ed ba c9 60 1d 30 83 7e ...7.U*i...`.0.~

00d645ec 95 37 f6 3f 98 28 ed 86-ab fd 10 84 00 00 00 00 .7.?.(..........

1: kd> db 0xd644fc+80*2

00d645fc 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00d6460c 00 00 00 00 00 00 00 01-ca 01 00 00 00 00 00 18 ................

00d6461c 00 07 00 01 00 00 00 00-00 00 00 00 00 00 00 00 ................

00d6462c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00d6463c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00d6464c 00 00 00 00 00 00 00 00-00 00 00 00 35 17 32 00 ............5.2.

00d6465c 00 10 00 00 78 01 d6 00-78 01 d6 00 00 00 00 00 ....x...x.......

00d6466c 00 00 00 02 c0 0c 00 1b-00 00 00 00 00 00 00 03 ................

memcpy(&pBerData[UserDataLength],

(*ppDataList)->octet_string->octet_string, len);//之后

1: kd> db 00d635e0

00d635e0 00 05 00 14 7c 00 01 2a-14 76 0a 01 01 00 01 c0 ....|..*.v......

00d635f0 00 4d 63 44 6e 81 04 01-0c 08 00 04 00 08 00 03 .McDn...........

00d63600 0c 10 00 eb 03 03 00 ec-03 ed 03 ee 03 00 00 02 ................

00d63610 0c ec 00 02 00 00 00 02-00 00 00 20 00 00 00 b8 ........... ....

00d63620 00 00 00 a6 59 7e 75 8e-7a f7 13 c3 92 b4 96 77 ....Y~u.z......w

00d63630 6d ff 9d 80 46 40 2a f2-48 ed b3 2e bf 58 b0 09 m...F@*.H....X..

00d63640 d0 09 a1 01 00 00 00 01-00 00 00 01 00 00 00 06 ................

00d63650 00 5c 00 52 53 41 31 48-00 00 00 00 02 00 00 3f .\.RSA1H.......?

1: kd> db 00d635e0+80

00d63660 00 00 00 01 00 01 00 17-4f a2 0c 85 2f f9 e4 73 ........O.../..s

00d63670 f4 66 1a 40 92 24 d6 13-af 58 e4 a5 be 3a 76 a7 .f.@.$...X...:v.

00d63680 02 81 ca a9 02 40 36 42-52 52 16 a4 0b be 11 aa .....@6BRR......

00d63690 78 eb 38 9f ba e5 b8 ed-a8 14 eb 98 ae b0 4e d0 x.8...........N.

00d636a0 6a 56 08 f2 ae f0 a0 00-00 00 00 00 00 00 00 08 jV..............

00d636b0 00 48 00 f5 01 1b ff d4-4f 85 66 cb 8f ed 01 e3 .H......O.f.....

00d636c0 46 4e 9a 1a 5b c0 41 30-e8 49 08 ec 64 de 84 94 FN..[.A0.I..d...

00d636d0 29 84 65 2f 42 1d 6e cd-e9 cf 37 b8 55 2a 69 ed ).e/B.n...7.U*i.

1: kd> db 00d635e0+80*2

00d636e0 ba c9 60 1d 30 83 7e 95-37 f6 3f 98 28 ed 86 ab ..`.0.~.7.?.(...

00d636f0 fd 10 84 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00d63700 00 00 00 00 00 00 00 00-13 00 26 00 69 01 0c 00 ..........&.i...

00d63710 54 53 49 4e 60 00 0d 00-ff ff ff ff 00 00 00 00 TSIN`...........

00d63720 00 00 00 00 00 00 00 00-00 00 00 00 a8 37 d6 00 .............7..

00d63730 00 00 00 00 9c 02 00 00-88 4c 0b 00 00 00 00 00 .........L......

00d63740 90 01 00 00 01 00 00 00-01 02 00 00 00 00 00 00 ................

00d63750 00 00 00 00 01 00 00 00-01 00 00 00 08 45 b7 a0 .............E..

*pUserData = (PBYTE) pBerData;

*pUserDataLength = len + UserDataLength;

1: kd> dv

usMembers = 1

ppDataList = 0x00000104

pUserData = 0x00f5e904

pUserDataLength = 0x00f5e8fc

len = 0x104

1: kd> dx -r1 ((rdpwsx!unsigned int *)0xf5e8fc)

((rdpwsx!unsigned int *)0xf5e8fc) : 0xf5e8fc : 0x11b [Type: unsigned int *]

0x11b [Type: unsigned int]

1: kd> dx -r1 ((rdpwsx!unsigned char * *)0xf5e904)

((rdpwsx!unsigned char * *)0xf5e904) : 0xf5e904 [Type: unsigned char * *]

0xd635e0 : 0x0 [Type: unsigned char *]

1: kd> dx -r1 ((rdpwsx!unsigned char *)0xd635e0)

((rdpwsx!unsigned char *)0xd635e0) : 0xd635e0 : 0x0 [Type: unsigned char *]

0x0 [Type: unsigned char]

TRACE((DEBUG_GCC_DBFLOW,

"GCC: gccEncodeUserData exit - 0x%x\n",

mcsError));

1: kd> p

21:56:52.046 89410AD4.E178D118 GCC: gccDisconnectProviderIndication exit - 0x0

21:56:52.046 8975D91C.E31087D0 GCC: gccEncodeUserData exit - 0x0

rdpwsx!gccEncodeUserData+0x15b:

001b:70fc0bff 83c414 add esp,14h

NTSTATUS

TSrvConfCreateResp(IN OUT PTSRVINFO pTSrvInfo)

{

NTSTATUS ntStatus;

GCCError GCCrc;

GCCUserData **pDataList;

PUSERDATAINFO pUserDataInfo;

TRACE((DEBUG_TSHRSRV_FLOW,

"TShrSRV: TSrvConfCreateResp entry\n"));

ntStatus = pTSrvInfo->ntStatus;

pUserDataInfo = NULL;

if (NT_SUCCESS(ntStatus))

{

TRACE((DEBUG_TSHRSRV_DEBUG, "TShrSRV: Attempting ConfCreate response\n"));

// Perform WDTShare connection initialization

ntStatus = TSrvInitWD(pTSrvInfo, &pUserDataInfo);

pTSrvInfo->ntStatus = ntStatus;

if (NT_SUCCESS(ntStatus))

{

// The exchange of info with WDTShare has proceeded successfully,

// So we can now create a digestable data transfer structure

// for GCC

pDataList = TSrvCreateGCCDataList(pTSrvInfo, pUserDataInfo);

if (pDataList)

{

// Accept the conference creation request

TRACE((DEBUG_TSHRSRV_NORMAL, "TShrSRV: Accepting conference domain %p\n",

pTSrvInfo->hDomain));

GCCrc = GCCConferenceCreateResponse(

NULL, // conference_modifier

pTSrvInfo->hDomain, // domain handle

0, // use_password_in_the_clear

NULL, // domain_parameters

0, // number_of_network_addresses

NULL, // local_network_address_list

1, // number_of_user_data_members

(GCCUserData**)pDataList, // user_data_list

GCC_RESULT_SUCCESSFUL); // reason

GCCUserData **

TSrvCreateGCCDataList(IN PTSRVINFO pTSrvInfo, PUSERDATAINFO pUserDataInfo)

{

DWORD i;

GCCUserData **ppDataList;

GCCUserData *pUserData;

TRACE((DEBUG_TSHRSRV_FLOW,

"TShrSRV: TSrvCreateGCCDataList entry\n"));

ppDataList = NULL;

TS_ASSERT(pUserDataInfo);

if (pUserDataInfo)

{

TRACE((DEBUG_TSHRSRV_DETAIL, "TShrSRV: Creating UserData list\n"));

TS_ASSERT(pUserDataInfo->ulUserDataMembers > 0);

// Allocate UserData list memory

ppDataList = TSHeapAlloc(HEAP_ZERO_MEMORY,

sizeof(GCCUserData *) * pUserDataInfo->ulUserDataMembers,

TS_HTAG_TSS_USERDATA_LIST);

if (ppDataList)

{

TRACE((DEBUG_TSHRSRV_DETAIL,

"TShrSRV: Allocated 0x%x bytes for 0x%x member UserData array\n",

sizeof(GCCUserData *) * pUserDataInfo->ulUserDataMembers,

pUserDataInfo->ulUserDataMembers));

for (i=0; i<pUserDataInfo->ulUserDataMembers; i++)

{

pUserData = &pUserDataInfo->rgUserData[i];

// Key data rebase

if (pUserData->key.key_type == GCC_OBJECT_KEY)

{

(PUCHAR) pUserData->key.u.object_id.long_string +=

(ULONG_PTR) pUserDataInfo;

}
else
{
(PUCHAR) pUserData->key.u.h221_non_standard_id.octet_string +=
(ULONG_PTR)pUserDataInfo;
}

// Client data ptr, and data rebase

if (pUserData->octet_string)

{

(PUCHAR) pUserData->octet_string +=

(ULONG_PTR)pUserDataInfo;

if (pUserData->octet_string->octet_string)
{
(PUCHAR) pUserData->octet_string->octet_string +=
(ULONG_PTR) pUserDataInfo;
}

}

// Assign the table list entry

ppDataList[i] = pUserData;

}

}

else

{

TRACE((DEBUG_TSHRSRV_WARN,

"TShrSRV: Unable to allocate 0x%x bytes for 0x%x member UserData array\n",

sizeof(GCCUserData *) * pUserDataInfo->ulUserDataMembers,

pUserDataInfo->ulUserDataMembers));

}

}

else

{

TRACE((DEBUG_TSHRSRV_WARN, "TShrSRV: Not creating UserData list - no UserData\n"));

}

TRACE((DEBUG_TSHRSRV_FLOW,

"TShrSRV: TSrvCreateGCCDataList exit = 0x%x\n", ppDataList));

return (ppDataList);

}

NTSTATUS

TSrvInitWD(IN PTSRVINFO pTSrvInfo, IN OUT PUSERDATAINFO *ppUserDataInfo)

{

NTSTATUS ntStatus;

PVOID pSecData;

TRACE((DEBUG_TSHRSRV_FLOW,

"TShrSRV: TSrvInitWD entry\n"));

// Pass on connection information

TRACE((DEBUG_TSHRSRV_NORMAL,

"TShrSRV: Performing WDTShare connection info exchange\n"));

ntStatus = TSrvInitWDConnectInfo(pTSrvInfo->hStack,
pTSrvInfo,
ppUserDataInfo,
IOCTL_TSHARE_CONF_CONNECT,
NULL, 0, TRUE, &pSecData);

if (!NT_SUCCESS(ntStatus))

{

TRACE((DEBUG_TSHRSRV_DEBUG,

"TShrSRV: WDTShare connection info exchange unsuccessful - 0x%x\n", ntStatus));

}

TRACE((DEBUG_TSHRSRV_FLOW,

"TShrSRV: TSrvInitWD exit - 0x%x\n", ntStatus));

return (ntStatus);

}

热门推荐
01GitHub 镜像站点02《大数据技术原理与应用》实验报告三 熟悉HBase常用操作03UV安装并设置国内源04综合整理:pdf预览显示:你尝试预览的文件可能对你的计算机有害。如果你信任此文件以及其来源,请打开此文件以看其内容,如何解决以正常预览文件05BongoCat - 跨平台键盘猫动画工具06Linux下V2Ray安装配置指南07npm使用国内淘宝镜像的方法08jdk21下载、安装(Windows、Linux、macOS)09NVIDIA显卡驱动、CUDA、cuDNN 和 TensorRT 版本匹配指南10GitLab 零基础入门指南:从安装到项目管理全流程