mstscax!CMCS::MCSSendConnectInitial函数分析之mstsc.exe源代码分析第二次交互
// Presumably expands to the static thunk through which the CD (component
// dispatcher) reaches the member function: the stacks below show
// CCD::CDWndProc calling CMCS::MACROGENERATED_Static_MCSSendConnectInitial,
// which in turn calls CMCS::MCSSendConnectInitial (frames 00/01 of the
// kc/kv output; the kv source line places the expansion in core\mcs.h).
EXPOSE_CD_SIMPLE_NOTIFICATION_FN(CMCS, MCSSendConnectInitial);
1: kd> kc
00 WS2_32!send
01 WS2_32!DTHOOK_send
02 mstscax!CTD::TDFlushSendQueue
03 mstscax!CTD::TD_SendBuffer
04 mstscax!CXT::XTSendCR
05 mstscax!CXT::MACROGENERATED_Static_XTSendCR
06 mstscax!CCD::CDWndProc
07 mstscax!CCD::CDStaticWndProc
08 USER32!InternalCallWinProc
09 USER32!UserCallWinProcCheckWow
0a USER32!DispatchMessageWorker
0b USER32!DispatchMessageW
0c mstscax!CSND::SND_Main
0d mstscax!CSND::SND_StaticMain
0e mstscax!CUT::UTStaticThreadEntry
0f mstscax!_threadstartex
10 kernel32!BaseThreadStart
1: kd> x mstscax!CMCS::MCSSendConnectInitial
5d03a770 mstscax!CMCS::MCSSendConnectInitial (unsigned long)
1: kd> bp mstscax!CMCS::MCSSendConnectInitial
1: kd> g
Breakpoint 18 hit
mstscax!CMCS::MCSSendConnectInitial:
001b:5d03a770 55 push ebp
1: kd> kc
00 mstscax!CMCS::MCSSendConnectInitial
01 mstscax!CMCS::MACROGENERATED_Static_MCSSendConnectInitial
02 mstscax!CCD::CDWndProc
03 mstscax!CCD::CDStaticWndProc
04 USER32!InternalCallWinProc
05 USER32!UserCallWinProcCheckWow
06 USER32!DispatchMessageWorker
07 USER32!DispatchMessageW
08 mstscax!CSND::SND_Main
09 mstscax!CSND::SND_StaticMain
0a mstscax!CUT::UTStaticThreadEntry
0b mstscax!_threadstartex
0c kernel32!BaseThreadStart
1: kd> kv
ChildEBP RetAddr Args to Child
00 00d3fd60 5cfe1480 00a49e80 00000000 00d3fdd8 mstscax!CMCS::MCSSendConnectInitial (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\mcsint.cpp @ 31]
01 00d3fd70 5cfe4c64 00a49e80 00000000 77e67495 mstscax!CMCS::MACROGENERATED_Static_MCSSendConnectInitial+0x10 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\mcs.h @ 884]
02 00d3fdd8 5cfe47f6 00a474a8 000300de 0000800b mstscax!CCD::CDWndProc+0x234 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\cdint.cpp @ 267]
03 00d3fdfc 77ce7ee3 000300de 0000800b 00000000 mstscax!CCD::CDStaticWndProc+0x56 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\cdint.cpp @ 181]
04 00d3fe28 77cf2bff 5cfe47a0 000300de 0000800b USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
05 00d3fea0 77cbe3db 00000000 5cfe47a0 000300de USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 165]
06 00d3ff08 77cc4014 00d3ff40 00000000 00d3ff5c USER32!DispatchMessageWorker+0x3e3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 2497]
07 00d3ff18 5cfceda0 00d3ff40 00000000 804edc60 USER32!DispatchMessageW+0xd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 1046]
08 00d3ff5c 5cf7ad3c 00a49558 00d3ff84 5d04ca97 mstscax!CSND::SND_Main+0x1d0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\sndapi.cpp @ 83]
09 00d3ff68 5d04ca97 00a49558 5cf31068 5cf30ff0 mstscax!CSND::SND_StaticMain+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\snd.h @ 40]
0a 00d3ff84 5d0d43ea 00000000 00000000 00000000 mstscax!CUT::UTStaticThreadEntry+0x77 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\util\nutint.cpp @ 209]
0b 00d3ffb8 77e41be7 00ab1ba0 00000000 00000000 mstscax!_threadstartex+0x6f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\crts\crtw32\startup\threadex.c @ 268]
0c 00d3ffec 00000000 5d0d437b 00ab1ba0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
windbg> .open -a 5cfe1480
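/****************************************************************************/
/* Name:      MCSSendConnectInitial                                         */
/*                                                                          */
/* Purpose:   This function generates and sends a MCS connect-initial PDU.  */
/*                                                                          */
/*            The PDU is the fixed Connect-Initial header (ciPDU) followed  */
/*            by _MCS.userDataLength bytes taken from _MCS.pReceivedPacket, */
/*            which the caller is assumed to have filled with the user data */
/*            beforehand (not verified here). A private buffer is obtained  */
/*            from XT, filled, traced and handed to XT_SendBuffer; a        */
/*            Connect-Response PDU is expected back from the server.        */
/*                                                                          */
/* Params:    unused - CD notification parameter, ignored.                  */
/*                                                                          */
/* Returns:   Nothing. The PDU is silently not sent when XT refuses to hand */
/*            out a buffer, when the user data pointer is NULL, or when the */
/*            lengths would not fit the 16-bit wire fields of the header.   */
/****************************************************************************/
DCVOID DCINTERNAL CMCS::MCSSendConnectInitial(ULONG_PTR unused)
{
    XT_BUFHND              bufHandle;
    PDCUINT8               pData = NULL;
    DCUINT                 pduLength;
    DCUINT                 dataLength;
    DCBOOL                 intRC;
    MCS_PDU_CONNECTINITIAL ciPDU = MCS_DATA_CONNECTINITIAL;

    DC_BEGIN_FN("MCSSendConnectInitial");

    DC_IGNORE_PARAMETER(unused);

    /************************************************************************/
    /* Calculate the size of the data to send. The pdu length is the size   */
    /* of the Connect-Initial header plus the user data. The data length    */
    /* is the length transmitted in the length field of the PDU, which      */
    /* doesn't include the PDU type (2 bytes) or the length field (3        */
    /* bytes). Thus we need to subtract 5 bytes.                            */
    /************************************************************************/
    pduLength  = sizeof(ciPDU) + _MCS.userDataLength;
    dataLength = pduLength - 5;

    TRC_NRM((TB, _T("CI total length:%u (data:%u) (hc:%u user-data:%u)"),
             pduLength,
             dataLength,
             sizeof(ciPDU),
             _MCS.userDataLength));

    /************************************************************************/
    /* Assume that the total CI length is less than the maximum MCS send    */
    /* packet size.                                                         */
    /************************************************************************/
    TRC_ASSERT((dataLength <= MCS_MAX_SNDPKT_LENGTH),
               (TB, _T("Datalength out of range: %u"), dataLength));
    TRC_ASSERT((_MCS.pReceivedPacket != NULL), (TB, _T("Null rcv packet buffer")));

    /************************************************************************/
    /* The assertions above are tracing assertions; do not rely on them     */
    /* being active. Both wire length fields below are DCUINT16, so an      */
    /* oversized value would be truncated on the wire while the full length */
    /* is still copied and sent, and the copy below dereferences            */
    /* pReceivedPacket unconditionally. Refuse to build such a PDU.         */
    /************************************************************************/
    if ((dataLength > MCS_MAX_SNDPKT_LENGTH) ||
        (_MCS.userDataLength > 0xFFFF) ||
        (_MCS.pReceivedPacket == NULL))
    {
        TRC_NRM((TB, _T("CI length out of range or no user data (data:%u) - just quit"),
                 dataLength));
        DC_QUIT;
    }

    /************************************************************************/
    /* Update the MCS CI header with the data size.                         */
    /************************************************************************/
    ciPDU.length = MCSLocalToWire16((DCUINT16)dataLength);

    /************************************************************************/
    /* Update the MCS user-data octet string length.                        */
    /************************************************************************/
    ciPDU.udLength = MCSLocalToWire16((DCUINT16)_MCS.userDataLength);

    /************************************************************************/
    /* Get a private buffer from XT.                                        */
    /************************************************************************/
    intRC = _pXt->XT_GetPrivateBuffer(pduLength, &pData, &bufHandle);
    if (!intRC)
    {
        /********************************************************************/
        /* We've failed to get a private buffer. This ONLY happens when TD  */
        /* has disconnected while the layers above are still trying to      */
        /* connect. Since TD has now disconnected and is refusing to give   */
        /* us a buffer we might as well just give up trying to get a        */
        /* buffer.                                                          */
        /********************************************************************/
        TRC_NRM((TB, _T("Failed to get a private buffer - just quit")));
        DC_QUIT;
    }

    /************************************************************************/
    /* Now fill in the buffer that we've just got: header first, then the   */
    /* user data directly behind it. The buffer was sized to pduLength, so  */
    /* both copies together exactly fill it.                                */
    /************************************************************************/
    DC_MEMCPY(pData, &ciPDU, sizeof(ciPDU));
    DC_MEMCPY((pData + sizeof(ciPDU)),
              _MCS.pReceivedPacket,
              _MCS.userDataLength);

    /************************************************************************/
    /* Trace out the PDU. Note that this dumps the whole PDU, user data     */
    /* included, into the trace output when data tracing is enabled.        */
    /************************************************************************/
    TRC_DATA_NRM("Connect-Initial PDU", pData, pduLength);

    /************************************************************************/
    /* Send the buffer. If everything has worked OK, we should receive a    */
    /* Connect-Response PDU shortly.                                        */
    /************************************************************************/
    _pXt->XT_SendBuffer(pData, pduLength, bufHandle);

DC_EXIT_POINT:
    DC_END_FN();
} /* MCSSendConnectInitial */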
1: kd> p
mstscax!CMCS::MCSSendConnectInitial+0x1b6:
001b:5d03a926 c74580e801f35c mov dword ptr [ebp-80h],offset mstscax!__filename (5cf301e8)
1: kd> p
mstscax!CMCS::MCSSendConnectInitial+0x1bd:
001b:5d03a92d e84e5e0900 call mstscax!TRC_ProfileTraceEnabled (5d0d0780)
1: kd> t
mstscax!TRC_ProfileTraceEnabled:
001b:5d0d0780 55 push ebp
1: kd> x mstscax!trcpConfig
5d0f4070 mstscax!trcpConfig = 0x00a50000
1: kd> dx -r1 ((mstscax!tagTRC_CONFIG *)0xa50000)
((mstscax!tagTRC_CONFIG *)0xa50000) : 0xa50000 [Type: tagTRC_CONFIG *]
[+0x000] traceLevel : 0x3 [Type: unsigned long]
[+0x004] dataTruncSize : 0x40 [Type: unsigned long]
[+0x008] funcNameLength : 0xc [Type: unsigned long]
[+0x00c] components : 0xfffffc1f [Type: unsigned long]
[+0x010] maxFileSize : 0x186a0 [Type: unsigned long]
[+0x014] flags : 0x388 [Type: unsigned long]
[+0x018] prefixList [Type: unsigned short [100]]
[+0x0e0] fileNames [Type: unsigned short [2][260]]
1: kd> x mstscax!trcpConfig
5d0f4070 mstscax!trcpConfig = 0x00a50000
1: kd> dx -r1 ((mstscax!tagTRC_CONFIG *)0xa50000)
((mstscax!tagTRC_CONFIG *)0xa50000) : 0xa50000 [Type: tagTRC_CONFIG *]
[+0x000] traceLevel : 0x3 [Type: unsigned long]
[+0x004] dataTruncSize : 0x40 [Type: unsigned long]
[+0x008] funcNameLength : 0xc [Type: unsigned long]
[+0x00c] components : 0xfffffc1f [Type: unsigned long]
[+0x010] maxFileSize : 0x186a0 [Type: unsigned long]
[+0x014] flags : 0x388 [Type: unsigned long]
[+0x018] prefixList [Type: unsigned short [100]]
[+0x0e0] fileNames [Type: unsigned short [2][260]]
1: kd> ed 0xa50000 1
1: kd> ed 0xa50000+14 3a8
1: kd> dx -r1 ((mstscax!tagTRC_CONFIG *)0xa50000)
((mstscax!tagTRC_CONFIG *)0xa50000) : 0xa50000 [Type: tagTRC_CONFIG *]
[+0x000] traceLevel : 0x1 [Type: unsigned long]
[+0x004] dataTruncSize : 0x40 [Type: unsigned long]
[+0x008] funcNameLength : 0xc [Type: unsigned long]
[+0x00c] components : 0xfffffc1f [Type: unsigned long]
[+0x010] maxFileSize : 0x186a0 [Type: unsigned long]
[+0x014] flags : 0x3a8 [Type: unsigned long]
[+0x018] prefixList [Type: unsigned short [100]]
[+0x0e0] fileNames [Type: unsigned short [2][260]]
0: kd> g
18:41:29.35 079c:01e4 MCSSendConne 0039 Enter {
18:41:29.37 079c:01e4 MCSSendConne 0057 CI total length:405 (data:400) (hc:102 user-data:303)
18:41:29.37 079c:01e4 TD_GetPrivat 0454 Enter {
18:41:29.37 079c:01e4 TD_GetPrivat 0514 Exit }
18:41:29.37 079c:01e4 MCSSendConne 0106 Connect-Initial PDU
18:41:29.37 079c:01e4 XT_SendBuffe 0087 Enter {
18:41:29.37 079c:01e4 TD_SendBuffe 0537 Enter {
18:41:29.37 079c:01e4 TDFlushSendQ 1181 Enter {
Breakpoint 16 hit
WS2_32!send:
001b:7056b0f0 55 push ebp
1: kd> kc
00 WS2_32!send
01 WS2_32!DTHOOK_send
02 mstscax!CTD::TDFlushSendQueue
03 mstscax!CTD::TD_SendBuffer
04 mstscax!CXT::XT_SendBuffer
05 mstscax!CMCS::MCSSendConnectInitial
06 mstscax!CMCS::MACROGENERATED_Static_MCSSendConnectInitial
07 mstscax!CCD::CDWndProc
08 mstscax!CCD::CDStaticWndProc
09 USER32!InternalCallWinProc
0a USER32!UserCallWinProcCheckWow
0b USER32!DispatchMessageWorker
0c USER32!DispatchMessageW
0d mstscax!CSND::SND_Main
0e mstscax!CSND::SND_StaticMain
0f mstscax!CUT::UTStaticThreadEntry
10 mstscax!_threadstartex
11 kernel32!BaseThreadStart
1: kd> !handle 0000030c
PROCESS 8969a8e8 SessionId: 0 Cid: 079c Peb: 7ffdf000 ParentCid: 07e4
DirBase: 77609000 ObjectTable: e1260120 HandleCount: 115.
Image: mstsc.exe
Handle table at e1260120 with 115 entries in use
030c: Object: 89271140 GrantedAccess: 0016019f (Inherit) Entry: e1130618
Object: 89271140 Type: (89df9710) File
ObjectHeader: 89271128 (old version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: \Endpoint {Afd}
1: kd> db 000a5400
000a5400 03 00 01 9c 02 f0 80 7f-65 82 01 90 04 01 01 04 ........e.......
000a5410 01 01 01 01 ff 30 19 02-01 22 02 01 02 02 01 00 .....0..."......
000a5420 02 01 01 02 01 00 02 01-01 02 02 ff ff 02 01 02 ................
000a5430 30 19 02 01 01 02 01 01-02 01 01 02 01 01 02 01 0...............
000a5440 00 02 01 01 02 02 04 20-02 01 02 30 1c 02 02 ff ....... ...0....
000a5450 ff 02 02 fc 17 02 02 ff-ff 02 01 01 02 01 00 02 ................
000a5460 01 01 02 02 ff ff 02 01-02 04 82 01 2f 00 05 00 ............/...
000a5470 14 7c 00 01 81 26 00 08-00 10 00 01 c0 00 44 75 .|...&........Du