
LoadableTransportInfo函数分析之RPCRT4!LOADABLE_TRANSPORT::LOADABLE_TRANSPORT初始化过程

LoadableTransportInfo函数分析

第一部分:
RPC_STATUS
LoadableTransportInfo (
    IN RPC_CHAR * DllName,
    IN RPC_CHAR PAPI * RpcProtocolSequence,
    OUT TRANS_INFO * PAPI *pTransInfo
    )
{
。。。。。。。
    pTransportInterface = (*TransportLoad)(RpcProtocolSequence);

    if ( pTransportInterface == 0 )
        {
        ClearGlobalMutex();
        delete LoadableTransportDll;

        return RPC_S_PROTSEQ_NOT_SUPPORTED;
        }

    if ( pTransportInterface->TransInterfaceVersion
        > RPC_TRANSPORT_INTERFACE_VERSION )
        {
        ClearGlobalMutex();
        delete LoadableTransportDll;

        return RPC_S_PROTSEQ_NOT_SUPPORTED;
        }

    //
    // When we reach here, we have successfully loaded and initialized
    // the loadable transport DLL.  Now we need to create the client
    // loadable transport and stick it in the dictionary.
    //
    LoadableTransport = new LOADABLE_TRANSPORT(
                                                     pTransportInterface,
                                                     DllName,
                                                     RpcProtocolSequence,
                                                     LoadableTransportDll,
                                                     GetHandleForThread,
                                                     ReleaseHandleForThread,
                                                     &Status,
                                                     pTransInfo);

第二部分:

1: kd> kc
 #
00 RPCRT4!LoadableTransportInfo
01 RPCRT4!OsfMapRpcProtocolSequence
02 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
03 RPCRT4!I_RpcServerUseProtseqEp2W
04 RPCRT4!RpcServerUseProtseqEpExW
05 RPCRT4!RpcServerUseProtseqEpW
06 LSASRV!RpcpAddInterface
07 LSASRV!LsapRPCInit
08 LSASRV!LsapInitLsa
09 lsass!main
0a lsass!mainNoCRTStartup
0b kernel32!BaseProcessStart

    //
    // When we reach here, we have successfully loaded and initialized
    // the loadable transport DLL.  Now we need to create the client
    // loadable transport and stick it in the dictionary.
    //
    LoadableTransport = new LOADABLE_TRANSPORT(
                                                     pTransportInterface,
                                                     DllName,
                                                     RpcProtocolSequence,
                                                     LoadableTransportDll,
                                                     GetHandleForThread,
                                                     ReleaseHandleForThread,
                                                     &Status,
                                                     pTransInfo);


1: kd> kc
 #
00 RPCRT4!LOADABLE_TRANSPORT::LOADABLE_TRANSPORT
01 RPCRT4!LoadableTransportInfo
02 RPCRT4!OsfMapRpcProtocolSequence
03 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
04 RPCRT4!I_RpcServerUseProtseqEp2W
05 RPCRT4!RpcServerUseProtseqEpExW
06 RPCRT4!RpcServerUseProtseqEpW
07 LSASRV!RpcpAddInterface
08 LSASRV!LsapRPCInit
09 LSASRV!LsapInitLsa
0a lsass!main
0b lsass!mainNoCRTStartup
0c kernel32!BaseProcessStart


1: kd> dv
                  this = 0x77c8376c
   pTransportInterface = 0x77bece00
               DllName = 0x009436a0
      ProtocolSequence = 0x73304bd0
  LoadableTransportDll = 0x00943700
    GetHandleForThread = 0x77c661e1
ReleaseHandleForThread = 0x77c66278
                Status = 0x0006fe10
             TransInfo = 0x0006fe4c
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!RPC_TRANSPORT_INTERFACE_HEADER *)0x77bece00)
((RPCRT4!RPC_TRANSPORT_INTERFACE_HEADER *)0x77bece00)                 : 0x77bece00 [Type: RPC_TRANSPORT_INTERFACE_HEADER *]
    [+0x000] TransInterfaceVersion : 0x2004 [Type: unsigned int]
    [+0x004] TransId          : 0xf [Type: unsigned short]
    [+0x006] TransAddrId      : 0x11 [Type: unsigned short]
    [+0x008] ProtocolSequence : 0x77bd2264 : 0x6e [Type: unsigned short *]
    [+0x00c] WellKnownEndpoint : 0x77becea8 : "\pipe\epmapper" [Type: char *]
    [+0x010] ProcessCalls     : 0x77c66ea4 [Type: long (*)(int,unsigned int *,long *,void * *,unsigned int *,void * *,void * *)]
    [+0x014] PnpNotify        : 0x77c66e6f [Type: void (*)()]
    [+0x018] PnpListen        : 0x77c66d26 [Type: void (*)()]
    [+0x01c] TowerConstruct   : 0x77c6b290 [Type: long (*)(char *,char *,char *,unsigned short *,unsigned long *,unsigned char * *)]
    [+0x020] TowerExplode     : 0x77c6b5c7 [Type: long (*)(unsigned char *,unsigned char *,unsigned long,char * *,char * *,char * *)]
    [+0x024] PostEvent        : 0x77c66be8 [Type: long (*)(unsigned long,void *)]
    [+0x028] fDatagram        : 0 [Type: int]
    [+0x02c] GetNetworkAddressVector : 0x77c71869 [Type: NETWORK_ADDRESS_VECTOR * (*)(void *)]

第三部分:


    *TransInfo = new TRANS_INFO(pTransportInterface,
                                ProtocolSequence,
                                this) ;


1: kd> dt TRANS_INFO
RPCRT4!TRANS_INFO
   +0x000 pTransportInterface : Ptr32 RPC_TRANSPORT_INTERFACE_HEADER
   +0x004 LoadableTrans    : Ptr32 LOADABLE_TRANSPORT
   +0x008 RpcProtocolSequence : [257] Uint2B

1: kd> dt  RPCRT4!LOADABLE_TRANSPORT 00943a80
   +0x000 ThreadsStarted   : 0n-1163005939
   +0x004 DllName          : [257] 0x72
   +0x208 NumThreads       : 0n-1163005939
   +0x20c LoadedDll        : 0xbaadf00d DLL
   +0x210 ProtseqDict      : TRANS_INFO_DICT
   +0x22c ThreadsDoingLongWait : INTERLOCKED_INTEGER
   +0x230 Reserved0        : [7] 0n-1163005939
   +0x24c ProcessCallsFunc : 0xbaadf00d     long  +ffffffffbaadf00d
   +0x250 nOptimalNumberOfThreads : 0n-1163005939
   +0x254 PnpListen        : 0xbaadf00d     void  +ffffffffbaadf00d
   +0x258 GetHandleForThread : 0xbaadf00d     void*  +ffffffffbaadf00d
   +0x25c ReleaseHandleForThread : 0xbaadf00d     void  +ffffffffbaadf00d
   +0x260 Reserved1        : [3] 0n-1163005939
   +0x26c Reserved2        : [7] 0n-1163005939
   +0x288 nThreadsAtCompletionPort : INTERLOCKED_INTEGER
   +0x28c Reserved3        : [7] 0n-1163005939
   +0x2a8 nActivityValue   : 0n-1163005939
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!TRANS_INFO_DICT *)0x943c90))
(*((RPCRT4!TRANS_INFO_DICT *)0x943c90))                 [Type: TRANS_INFO_DICT]
    [+0x000] DictSlots        : 0x943c9c [Type: void * *]
    [+0x004] cDictSlots       : 0x4 [Type: unsigned int]
    [+0x008] cDictSize        : 0x0 [Type: unsigned int]
    [+0x00c] InitialDictSlots [Type: void * [4]]
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!void * (*)[4])0x943c9c))
(*((RPCRT4!void * (*)[4])0x943c9c))                 [Type: void * [4]]
    [0]              : 0x0 [Type: void *]
    [1]              : 0x0 [Type: void *]
    [2]              : 0x0 [Type: void *]
    [3]              : 0x0 [Type: void *]

1: kd> p
RPCRT4!LOADABLE_TRANSPORT::LOADABLE_TRANSPORT+0x51:
001b:77c1905d e8b1f0ffff      call    RPCRT4!TRANS_INFO::TRANS_INFO (77c18113)
1: kd> t
RPCRT4!TRANS_INFO::TRANS_INFO:
001b:77c18113 55              push    ebp
1: kd> kc
 #
00 RPCRT4!TRANS_INFO::TRANS_INFO
01 RPCRT4!LOADABLE_TRANSPORT::LOADABLE_TRANSPORT
02 RPCRT4!LoadableTransportInfo
03 RPCRT4!OsfMapRpcProtocolSequence
04 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
05 RPCRT4!I_RpcServerUseProtseqEp2W
06 RPCRT4!RpcServerUseProtseqEpExW
07 RPCRT4!RpcServerUseProtseqEpW
08 LSASRV!RpcpAddInterface
09 LSASRV!LsapRPCInit
0a LSASRV!LsapInitLsa
0b lsass!main
0c lsass!mainNoCRTStartup
0d kernel32!BaseProcessStart


//
// TRANS_INFO constructor.  Records the transport interface header and the
// LOADABLE_TRANSPORT that created this object, and copies the protocol
// sequence string into the object's own RpcProtocolSequence array.
//
// pTransportInterface - interface header returned by the transport DLL
// ProtocolSeq         - protocol sequence string; copied, not referenced
// LoadableTrans       - the LOADABLE_TRANSPORT constructing this object;
//                       the pointer is stored as-is
//
// NOTE(review): RpcpStringCopy takes no length argument and the destination
// RpcProtocolSequence is a fixed-size array (257 elements per the debugger's
// dt output above), so no bound is enforced here; the caller must guarantee
// that ProtocolSeq fits.
//
inline
TRANS_INFO::TRANS_INFO (
    IN RPC_TRANSPORT_INTERFACE  pTransportInterface,
    IN RPC_CHAR *ProtocolSeq,
    IN LOADABLE_TRANSPORT *LoadableTrans
    )
{
    // The parameter shadows the member of the same name, hence this->.
    this->pTransportInterface = pTransportInterface ;
    // Unbounded copy into the fixed-size member array (see note above).
    RpcpStringCopy(RpcProtocolSequence, ProtocolSeq) ;
    this->LoadableTrans = LoadableTrans ;
}

1: kd> dv
               this = 0x77c8376c
pTransportInterface = 0x77bece00
        ProtocolSeq = 0x73304bd0
      LoadableTrans = 0x00943a80
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!LOADABLE_TRANSPORT *)0x943a80)
((RPCRT4!LOADABLE_TRANSPORT *)0x943a80)                 : 0x943a80 [Type: LOADABLE_TRANSPORT *]
    [+0x000] ThreadsStarted   : -1163005939 [Type: long]
    [+0x004] DllName          [Type: unsigned short [257]]
    [+0x208] NumThreads       : -1163005939 [Type: long]
    [+0x20c] LoadedDll        : 0x943700 [Type: DLL *]
    [+0x210] ProtseqDict      [Type: TRANS_INFO_DICT]
    [+0x22c] ThreadsDoingLongWait [Type: INTERLOCKED_INTEGER]
    [+0x230] Reserved0        [Type: long [7]]
    [+0x24c] ProcessCallsFunc : 0xbaadf00d [Type: long (*)(int,unsigned int *,long *,void * *,unsigned int *,void * *,void * *)]
    [+0x250] nOptimalNumberOfThreads : -1163005939 [Type: long]
    [+0x254] PnpListen        : 0xbaadf00d [Type: void (*)()]
    [+0x258] GetHandleForThread : 0xbaadf00d [Type: void * (*)()]
    [+0x25c] ReleaseHandleForThread : 0xbaadf00d [Type: void (*)(void *)]
    [+0x260] Reserved1        [Type: long [3]]
    [+0x26c] Reserved2        [Type: long [7]]
    [+0x288] nThreadsAtCompletionPort [Type: INTERLOCKED_INTEGER]
    [+0x28c] Reserved3        [Type: long [7]]
    [+0x2a8] nActivityValue   : -1163005939 [Type: int]

第四部分:

1: kd> dv
                  this = 0x73304be2
   pTransportInterface = 0x77bece00
               DllName = 0x009436a0
      ProtocolSequence = 0x73304bd0
  LoadableTransportDll = 0x00943700
    GetHandleForThread = 0x77c661e1
ReleaseHandleForThread = 0x77c66278
                Status = 0x0006fe10
             TransInfo = 0x0006fe4c
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!TRANS_INFO * *)0x6fe4c)
((RPCRT4!TRANS_INFO * *)0x6fe4c)                 : 0x6fe4c [Type: TRANS_INFO * *]
    0x943d70 [Type: TRANS_INFO *]
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!TRANS_INFO *)0x943d70)
((RPCRT4!TRANS_INFO *)0x943d70)                 : 0x943d70 [Type: TRANS_INFO *]
    [+0x000] pTransportInterface : 0x77bece00 [Type: RPC_TRANSPORT_INTERFACE_HEADER *]
    [+0x004] LoadableTrans    : 0x943a80 [Type: LOADABLE_TRANSPORT *]
    [+0x008] RpcProtocolSequence [Type: unsigned short [257]]
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!LOADABLE_TRANSPORT *)0x943a80)
((RPCRT4!LOADABLE_TRANSPORT *)0x943a80)                 : 0x943a80 [Type: LOADABLE_TRANSPORT *]
    [+0x000] ThreadsStarted   : -1163005939 [Type: long]
    [+0x004] DllName          [Type: unsigned short [257]]
    [+0x208] NumThreads       : -1163005939 [Type: long]
    [+0x20c] LoadedDll        : 0x943700 [Type: DLL *]
    [+0x210] ProtseqDict      [Type: TRANS_INFO_DICT]
    [+0x22c] ThreadsDoingLongWait [Type: INTERLOCKED_INTEGER]
    [+0x230] Reserved0        [Type: long [7]]
    [+0x24c] ProcessCallsFunc : 0xbaadf00d [Type: long (*)(int,unsigned int *,long *,void * *,unsigned int *,void * *,void * *)]
    [+0x250] nOptimalNumberOfThreads : -1163005939 [Type: long]
    [+0x254] PnpListen        : 0xbaadf00d [Type: void (*)()]
    [+0x258] GetHandleForThread : 0xbaadf00d [Type: void * (*)()]
    [+0x25c] ReleaseHandleForThread : 0xbaadf00d [Type: void (*)(void *)]
    [+0x260] Reserved1        [Type: long [3]]
    [+0x26c] Reserved2        [Type: long [7]]
    [+0x288] nThreadsAtCompletionPort [Type: INTERLOCKED_INTEGER]
    [+0x28c] Reserved3        [Type: long [7]]
    [+0x2a8] nActivityValue   : -1163005939 [Type: int]
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!TRANS_INFO_DICT *)0x943c90))
(*((RPCRT4!TRANS_INFO_DICT *)0x943c90))                 [Type: TRANS_INFO_DICT]
    [+0x000] DictSlots        : 0x943c9c [Type: void * *]
    [+0x004] cDictSlots       : 0x4 [Type: unsigned int]
    [+0x008] cDictSize        : 0x0 [Type: unsigned int]
    [+0x00c] InitialDictSlots [Type: void * [4]]
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!void * (*)[4])0x943c9c))
(*((RPCRT4!void * (*)[4])0x943c9c))                 [Type: void * [4]]
    [0]              : 0x0 [Type: void *]
    [1]              : 0x0 [Type: void *]
    [2]              : 0x0 [Type: void *]
    [3]              : 0x0 [Type: void *]

    if (ProtseqDict.Insert(*TransInfo) == -1)

1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!void * (*)[4])0x943c9c))
(*((RPCRT4!void * (*)[4])0x943c9c))                 [Type: void * [4]]
    [0]              : 0x943d70 [Type: void *]
    [1]              : 0x0 [Type: void *]
    [2]              : 0x0 [Type: void *]
    [3]              : 0x0 [Type: void *]


第五部分:


    ThreadsStarted = 0;
    nActivityValue = 0;
    nOptimalNumberOfThreads = gNumberOfProcessors + 1;
    ProcessCallsFunc = pTransportInterface->ProcessCalls;


1: kd> dt  RPCRT4!LOADABLE_TRANSPORT 00943a80
   +0x000 ThreadsStarted   : 0n0
   +0x004 DllName          : [257] 0x72
   +0x208 NumThreads       : 0n-1163005939
   +0x20c LoadedDll        : 0x00943700 DLL
   +0x210 ProtseqDict      : TRANS_INFO_DICT
   +0x22c ThreadsDoingLongWait : INTERLOCKED_INTEGER
   +0x230 Reserved0        : [7] 0n-1163005939
   +0x24c ProcessCallsFunc : 0x77c66ea4     long  RPCRT4!COMMON_ProcessCalls+0            RPCRT4!COMMON_ProcessCalls+0
   +0x250 nOptimalNumberOfThreads : 0n3
   +0x254 PnpListen        : 0xbaadf00d     void  +ffffffffbaadf00d
   +0x258 GetHandleForThread : 0xbaadf00d     void*  +ffffffffbaadf00d
   +0x25c ReleaseHandleForThread : 0xbaadf00d     void  +ffffffffbaadf00d
   +0x260 Reserved1        : [3] 0n-1163005939
   +0x26c Reserved2        : [7] 0n-1163005939
   +0x288 nThreadsAtCompletionPort : INTERLOCKED_INTEGER
   +0x28c Reserved3        : [7] 0n-1163005939
   +0x2a8 nActivityValue   : 0n0


1: kd> dt  RPCRT4!LOADABLE_TRANSPORT 00943a80
   +0x000 ThreadsStarted   : 0n0
   +0x004 DllName          : [257] 0x72
   +0x208 NumThreads       : 0n0
   +0x20c LoadedDll        : 0x00943700 DLL
   +0x210 ProtseqDict      : TRANS_INFO_DICT
   +0x22c ThreadsDoingLongWait : INTERLOCKED_INTEGER
   +0x230 Reserved0        : [7] 0n-1163005939
   +0x24c ProcessCallsFunc : 0x77c66ea4     long  RPCRT4!COMMON_ProcessCalls+0
   +0x250 nOptimalNumberOfThreads : 0n3
   +0x254 PnpListen        : 0x77c66d26     void  RPCRT4!COMMON_ListenForPNPNotifications+0
   +0x258 GetHandleForThread : 0x77c661e1     void*  RPCRT4!GetCompletionPortHandleForThread+0
   +0x25c ReleaseHandleForThread : 0x77c66278     void  RPCRT4!ReleaseCompletionPortHandleForThread+0
   +0x260 Reserved1        : [3] 0n-1163005939
   +0x26c Reserved2        : [7] 0n-1163005939
   +0x288 nThreadsAtCompletionPort : INTERLOCKED_INTEGER
   +0x28c Reserved3        : [7] 0n-1163005939
   +0x2a8 nActivityValue   : 0n0


1: kd> kc
 #
00 RPCRT4!LOADABLE_TRANSPORT::LOADABLE_TRANSPORT
01 RPCRT4!LoadableTransportInfo
02 RPCRT4!OsfMapRpcProtocolSequence
03 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
04 RPCRT4!I_RpcServerUseProtseqEp2W
05 RPCRT4!RpcServerUseProtseqEpExW
06 RPCRT4!RpcServerUseProtseqEpW
07 LSASRV!RpcpAddInterface
08 LSASRV!LsapRPCInit
09 LSASRV!LsapInitLsa
0a lsass!main
0b lsass!mainNoCRTStartup
0c kernel32!BaseProcessStart
