
Analysis of RPCRT4!OsfCreateRpcAddress: filling the AssociationBucketMutexMemory array

Part 1:
1: kd> p
RPCRT4!OsfCreateRpcAddress+0x28:
001b:77c0f4f5 e888e5ffff      call    RPCRT4!OSF_ADDRESS::OSF_ADDRESS (77c0da82)
1: kd> t
RPCRT4!OSF_ADDRESS::OSF_ADDRESS:
001b:77c0da82 ??              ???
1: kd> kc
 #
00 RPCRT4!OSF_ADDRESS::OSF_ADDRESS
01 RPCRT4!OsfCreateRpcAddress
02 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
03 RPCRT4!I_RpcServerUseProtseqEp2W
04 RPCRT4!RpcServerUseProtseqEpExW
05 RPCRT4!RpcServerUseProtseqEpW
06 LSASRV!RpcpAddInterface
07 LSASRV!LsapRPCInit
08 LSASRV!LsapInitLsa
09 lsass!main
0a lsass!mainNoCRTStartup
0b kernel32!BaseProcessStart

OSF_ADDRESS::OSF_ADDRESS (
    IN TRANS_INFO  * RpcTransInfo,
    IN OUT RPC_STATUS  * Status
    ) : RPC_ADDRESS(Status)
/*++

Routine Description:

--*/
{
    RPC_CONNECTION_TRANSPORT *RpcServerInfo =
        (RPC_CONNECTION_TRANSPORT *) RpcTransInfo->InqTransInfo();
    int i;

1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!RPC_TRANSPORT_INTERFACE_HEADER *)0x77bece00)
((RPCRT4!RPC_TRANSPORT_INTERFACE_HEADER *)0x77bece00)                 : 0x77bece00 [Type: RPC_TRANSPORT_INTERFACE_HEADER *]
    [+0x000] TransInterfaceVersion : 0x2004 [Type: unsigned int]
    [+0x004] TransId          : 0xf [Type: unsigned short]
    [+0x006] TransAddrId      : 0x11 [Type: unsigned short]
    [+0x008] ProtocolSequence : 0x77bd2264 : 0x6e [Type: unsigned short *]
    [+0x00c] WellKnownEndpoint : 0x77becea8 : "\pipe\epmapper" [Type: char *]
    [+0x010] ProcessCalls     : 0x77c66ea4 [Type: long (*)(int,unsigned int *,long *,void * *,unsigned int *,void * *,void * *)]
    [+0x014] PnpNotify        : 0x77c66e6f [Type: void (*)()]
    [+0x018] PnpListen        : 0x77c66d26 [Type: void (*)()]
    [+0x01c] TowerConstruct   : 0x77c6b290 [Type: long (*)(char *,char *,char *,unsigned short *,unsigned long *,unsigned char * *)]
    [+0x020] TowerExplode     : 0x77c6b5c7 [Type: long (*)(unsigned char *,unsigned char *,unsigned long,char * *,char * *,char * *)]
    [+0x024] PostEvent        : 0x77c66be8 [Type: long (*)(unsigned long,void *)]
    [+0x028] fDatagram        : 0 [Type: int]
    [+0x02c] GetNetworkAddressVector : 0x77c71869 [Type: NETWORK_ADDRESS_VECTOR * (*)(void *)]

1: kd> dt RPC_CONNECTION_TRANSPORT 0x77bece00
RPCRT4!RPC_CONNECTION_TRANSPORT
   +0x000 TransInterfaceVersion : 0x2004
   +0x004 TransId          : 0xf
   +0x006 TransAddrId      : 0x11
   +0x008 ProtocolSequence : 0x77bd2264  -> 0x6e
   +0x00c WellKnownEndpoint : 0x77becea8  "\pipe\epmapper"
   +0x010 ProcessCalls     : 0x77c66ea4     long  RPCRT4!COMMON_ProcessCalls+0
   +0x014 PnpNotify        : 0x77c66e6f     void  RPCRT4!COMMON_StartPnpNotifications+0
   +0x018 PnpListen        : 0x77c66d26     void  RPCRT4!COMMON_ListenForPNPNotifications+0
   +0x01c TowerConstruct   : 0x77c6b290     long  RPCRT4!COMMON_TowerConstruct+0
   +0x020 TowerExplode     : 0x77c6b5c7     long  RPCRT4!COMMON_TowerExplode+0
   +0x024 PostEvent        : 0x77c66be8     long  RPCRT4!COMMON_PostRuntimeEvent+0
   +0x028 fDatagram        : 0n0
   +0x02c GetNetworkAddressVector : 0x77c71869     NETWORK_ADDRESS_VECTOR*  RPCRT4!NMP_GetNetworkAddressVector+0
   +0x030 AddressSize      : 0x70
   +0x034 ClientConnectionSize : 0x54
   +0x038 ServerConnectionSize : 0x54
   +0x03c SendContextSize  : 0x24
   +0x040 ResolverHintSize : 0
   +0x044 MaximumFragmentSize : 0x10b8
   +0x048 Initialize       : 0x77c72b3f     long  RPCRT4!NMP_Initialize+0
   +0x04c InitComplete     : (null)
   +0x050 Open             : 0x77c71fa4     long  RPCRT4!NMP_Open+0
   +0x054 SyncSendRecv     : 0x77c72703     long  RPCRT4!NMP_SyncSendRecv+0
   +0x058 SyncRecv         : 0x77c6de5b     long  RPCRT4!CO_SyncRecv+0
   +0x05c Abort            : 0x77c72a5f     long  RPCRT4!NMP_Abort+0
   +0x060 Close            : 0x77c71cb0     long  RPCRT4!NMP_Close+0
   +0x064 Send             : 0x77c6d738     long  RPCRT4!CO_Send+0
   +0x068 Recv             : 0x77c6d96a     long  RPCRT4!CO_Recv+0
   +0x06c SyncSend         : 0x77c72589     long  RPCRT4!NMP_SyncSend+0
   +0x070 TurnOnOffKeepAlives : (null)
   +0x074 Listen           : 0x77c72beb     long  RPCRT4!NMP_ServerListen+0
   +0x078 AbortListen      : 0x77c7153b     void  RPCRT4!NMP_ServerAbortListen+0
   +0x07c CompleteListen   : 0x77c66e46     void  RPCRT4!COMMON_ServerCompleteListen+0
   +0x080 QueryClientAddress : 0x77c71d52     long  RPCRT4!NMP_ConnectionQueryClientAddress+0
   +0x084 QueryLocalAddress : (null)
   +0x088 QueryClientId    : 0x77c71eb3     long  RPCRT4!NMP_ConnectionQueryClientId+0
   +0x08c QueryClientIpAddress : (null)
   +0x090 ImpersonateClient : 0x77c71cf1     long  RPCRT4!NMP_ConnectionImpersonateClient+0
   +0x094 RevertToSelf     : 0x77c7181e     long  RPCRT4!NMP_ConnectionRevertToSelf+0
   +0x098 FreeResolverHint : (null)
   +0x09c CopyResolverHint : (null)
   +0x0a0 CompareResolverHint : (null)
   +0x0a4 SetLastBufferToFree : (null)

    ObjectType = OSF_ADDRESS_TYPE;
    ActiveCallCount = 0;
    ServerListeningFlag = 0;
    ServerInfo = RpcServerInfo;
    TransInfo = RpcTransInfo;
    SetupAddressOccurred = 0;

1: kd> dt rpcrt4!OSF_ADDRESS 00b00070
   +0x000 __VFN_table : 0x77bd77cc
   +0x004 MagicLong        : 0x89abcdef
   +0x008 ObjectType       : 0n2048
   +0x00c TransInfo        : 0x00943d70 TRANS_INFO
   +0x010 Endpoint         : (null)
   +0x014 RpcProtocolSequence : (null)
   +0x018 NetworkAddress   : (null)
   +0x01c StaticEndpointFlag : 0xbaadf00d
   +0x020 ActiveCallCount  : 0n0
   +0x024 PendingQueueSize : 0xbaadf00d
   +0x028 SecurityDescriptor : 0xbaadf00d Void
   +0x02c NICFlags         : 0xbaadf00d
   +0x030 EndpointFlags    : 0xbaadf00d
   +0x034 Server           : 0xbaadf00d RPC_SERVER
   +0x038 AddressMutex     : MUTEX
   +0x050 DictKey          : 0n-1163005939
   +0x054 Associations     : [8] OSF_ASSOCIATION_DICT
   +0x134 AssociationBucketMutexMemory : [192]  ".???"
   +0x1f4 ServerInfo       : 0x77bece00 RPC_CONNECTION_TRANSPORT
   +0x1f8 SetupAddressOccurred : 0
   +0x1fc ServerListeningFlag : 0n0
   +0x200 DebugCell        : 0xbaadf00d tagDebugEndpointInfo
   +0x204 DebugCellTag     : 0n-1163005939

1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0x56:
001b:77c0dad8 8d8604020000    lea     eax,[esi+204h]
1: kd> r
eax=00943d70 ebx=00000000 ecx=00b00188 edx=77fba380 esi=00b00070 edi=77bece00
eip=77c0dad8 esp=0006fe10 ebp=0006fe1c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0x56:
001b:77c0dad8 8d8604020000    lea     eax,[esi+204h]
1: kd> dt rpcrt4!OSF_ADDRESS 00b00070
   +0x000 __VFN_table : 0x77bd77cc
   +0x004 MagicLong        : 0x89abcdef
   +0x008 ObjectType       : 0n2048
   +0x00c TransInfo        : 0x00943d70 TRANS_INFO
   +0x010 Endpoint         : (null)
   +0x014 RpcProtocolSequence : (null)
   +0x018 NetworkAddress   : (null)
   +0x01c StaticEndpointFlag : 0xbaadf00d
   +0x020 ActiveCallCount  : 0n0
   +0x024 PendingQueueSize : 0xbaadf00d
   +0x028 SecurityDescriptor : 0xbaadf00d Void
   +0x02c NICFlags         : 0xbaadf00d
   +0x030 EndpointFlags    : 0xbaadf00d
   +0x034 Server           : 0xbaadf00d RPC_SERVER
   +0x038 AddressMutex     : MUTEX
   +0x050 DictKey          : 0n-1163005939
   +0x054 Associations     : [8] OSF_ASSOCIATION_DICT
   +0x134 AssociationBucketMutexMemory : [192]  ".???"
   +0x1f4 ServerInfo       : 0x77bece00 RPC_CONNECTION_TRANSPORT
   +0x1f8 SetupAddressOccurred : 0
   +0x1fc ServerListeningFlag : 0n0
   +0x200 DebugCell        : 0xbaadf00d tagDebugEndpointInfo
   +0x204 DebugCellTag     : 0n-1163005939

Part 2:

1: kd> dt rpcrt4!NumberOfAssociationsDictionaries
NumberOfAssociationsDictionaries = 0n8


    inline MUTEX *GetAssociationBucketMutex(IN int HashIndex)
    {
        MUTEX *pMutex;
        pMutex = (MUTEX *)(&AssociationBucketMutexMemory[MutexAllocationSize * HashIndex]);
        ASSERT((((ULONG_PTR)pMutex) % 4) == 0);
        return pMutex;
    }


const int NumberOfAssociationsDictionaries = 8;
const int MutexAllocationSize = ( ((unsigned long)(sizeof(MUTEX)) + ((4)-1)) & ~(4 - 1) );

        new (GetAssociationBucketMutex(i)) MUTEX (Status,
                                                  TRUE      // pre-allocate semaphores
                                                  );

        // if there is a failure, remember it, so that subsequent successes
        // don't overwrite the failure
        if ((*Status != RPC_S_OK) && (OriginalFailureStatus == RPC_S_OK))
            {
            OriginalFailureStatus = *Status;
            }

1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xce:
001b:77c0db50 e8e73b0100      call    RPCRT4!MUTEX::CommonConstructor (77c2173c)
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3:
001b:77c0db55 8b07            mov     eax,dword ptr [edi]
1: kd> r
eax=00000000 ebx=00000000 ecx=7ffde000 edx=77fba380 esi=00b00070

1: kd> dd 0xb001a4
00b001a4  000bd128 ffffffff

1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xce:
001b:77c0db50 e8e73b0100      call    RPCRT4!MUTEX::CommonConstructor (77c2173c)
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3:
001b:77c0db55 8b07            mov     eax,dword ptr [edi]
1: kd> r
eax=00000000 ebx=00000000 ecx=7ffde000 edx=77fba380 esi=00b00070 edi=0006fe30


1: kd> dd 0xb001a4
00b001a4  000bd128 ffffffff 00000000 00000000
00b001b4  00000000 00000000 000bd198 ffffffff
00b001c4  00000000 00000000 00000000 00000000

    inline MUTEX *GetAssociationBucketMutex(IN int HashIndex)
    {
        MUTEX *pMutex;
        pMutex = (MUTEX *)(&AssociationBucketMutexMemory[MutexAllocationSize * HashIndex]);
        ASSERT((((ULONG_PTR)pMutex) % 4) == 0);
        return pMutex;
    }

1: kd> dd 0xb001a4
00b001a4  000bd128 ffffffff 00000000 00000000
00b001b4  00000000 00000000 000bd198 ffffffff
00b001c4  00000000 00000000 00000000 00000000
00b001d4  baadf00d baadf00d baadf00d baadf00d
00b001e4  baadf00d baadf00d baadf00d baadf00d
00b001f4  baadf00d baadf00d baadf00d baadf00d


1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc2:
001b:77c0db44 3bc3            cmp     eax,ebx
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc4:
001b:77c0db46 740d            je      RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3 (77c0db55)
1: kd> r
eax=00b001d4 ebx=00000000 ecx=00b00070 edx=77fba380 esi=00b00070 edi=0006fe30
eip=77c0db46 esp=0006fe10 ebp=0006fe1c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc4:
001b:77c0db46 740d            je      RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3 (77c0db55) [br=0]


1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xce:
001b:77c0db50 e8e73b0100      call    RPCRT4!MUTEX::CommonConstructor (77c2173c)
1: kd> t
RPCRT4!MUTEX::CommonConstructor:
001b:77c2173c 55              push    ebp
1: kd> kc
 #
00 RPCRT4!MUTEX::CommonConstructor
01 RPCRT4!OSF_ADDRESS::OSF_ADDRESS
02 RPCRT4!OsfCreateRpcAddress
03 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
04 RPCRT4!I_RpcServerUseProtseqEp2W
05 RPCRT4!RpcServerUseProtseqEpExW
06 RPCRT4!RpcServerUseProtseqEpW
07 LSASRV!RpcpAddInterface
08 LSASRV!LsapRPCInit
09 LSASRV!LsapInitLsa
0a lsass!main
0b lsass!mainNoCRTStartup
0c kernel32!BaseProcessStart


NTSTATUS
RtlInitializeCriticalSectionAndSpinCount (
    IN PRTL_CRITICAL_SECTION CriticalSection,
    ULONG SpinCount
    )
{
    PRTL_CRITICAL_SECTION_DEBUG DebugInfo;
    CriticalSection->LockCount = -1;
    CriticalSection->RecursionCount = 0;
    CriticalSection->OwningThread = 0;
    CriticalSection->LockSemaphore = 0;
    if ( NtCurrentPeb()->NumberOfProcessors > 1 ) {
        CriticalSection->SpinCount = SpinCount & MAX_SPIN_COUNT;
    } else {
        CriticalSection->SpinCount = 0;
    }

    ASSERT (GlobalKeyedEventHandle != NULL);

    //
    // Initialize debugging information.
    //

    DebugInfo = (PRTL_CRITICAL_SECTION_DEBUG) RtlpAllocateDebugInfo ();

    if (DebugInfo == NULL) {
        return STATUS_NO_MEMORY;
    }

    DebugInfo->Type = RTL_CRITSECT_TYPE;
    DebugInfo->ContentionCount = 0;
    DebugInfo->EntryCount = 0;

    //
    // It is important to set critical section pointers and potential
    // stack trace before we insert the resource in the process'
    // resource list because the list can be randomly traversed from
    // other threads that check for orphaned resources.
    //

    DebugInfo->CriticalSection = CriticalSection;
    CriticalSection->DebugInfo = DebugInfo;
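The two source excerpts above (the GetAssociationBucketMutex accessor with the MutexAllocationSize constant, and the field stores in RtlInitializeCriticalSectionAndSpinCount) together explain every dword seen in the `dd 0xb001a4` dumps. The following C program is an added example, not code from the page or from the RPC runtime: it models the 32-bit _RTL_CRITICAL_SECTION layout, applies the same bucket arithmetic to the object base 0x00b00070 and the +0x134 offset taken from the `dt rpcrt4!OSF_ADDRESS` output, and emulates the constructor loop over the 192-byte array. The debug-info addresses it stores (first 0xbd128, then a constructed stride of 0x28) are stand-ins for the real RtlpAllocateDebugInfo allocations; everything else is derived from the values on this page.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit _RTL_CRITICAL_SECTION, field for field as the dx output shows it (0x18 bytes).
 * Pointers are modelled as uint32_t so the layout stays 32-bit on any host. */
typedef struct {
    uint32_t DebugInfo;      /* +0x000 -> _RTL_CRITICAL_SECTION_DEBUG */
    int32_t  LockCount;      /* +0x004 -1 while the section is free (0xffffffff in dd) */
    int32_t  RecursionCount; /* +0x008 */
    uint32_t OwningThread;   /* +0x00c */
    uint32_t LockSemaphore;  /* +0x010 */
    uint32_t SpinCount;      /* +0x014 0 on a single-processor machine */
} CRIT32;
_Static_assert(sizeof(CRIT32) == 0x18, "RTL_CRITICAL_SECTION is 0x18 bytes on x86");

#define NUMBER_OF_ASSOCIATIONS_DICTIONARIES 8
/* MutexAllocationSize from the RPC runtime source: sizeof(MUTEX) rounded up to a multiple of 4. */
#define MUTEX_ALLOCATION_SIZE ((sizeof(CRIT32) + 3u) & ~(size_t)3u)
#define BUCKET_MEMORY_SIZE (NUMBER_OF_ASSOCIATIONS_DICTIONARIES * MUTEX_ALLOCATION_SIZE)

/* Offsets taken from the dt rpcrt4!OSF_ADDRESS output: the object at 0x00b00070 keeps
 * AssociationBucketMutexMemory at +0x134. */
#define OSF_ADDRESS_BASE     0x00b00070u
#define BUCKET_MEMORY_OFFSET 0x134u
#define HEAP_FILL_PATTERN    0xbaadf00du  /* fresh-heap fill seen in the dd dumps */

/* Same arithmetic as OSF_ADDRESS::GetAssociationBucketMutex, but on a virtual address
 * instead of a real pointer, so the result can be compared with the debugger output. */
uint32_t bucket_mutex_va(uint32_t base, int hash_index)
{
    uint32_t va = base + BUCKET_MEMORY_OFFSET + (uint32_t)(MUTEX_ALLOCATION_SIZE * hash_index);
    assert(va % 4 == 0);  /* the ASSERT in the real accessor */
    return va;
}

/* Emulates the constructor loop: the 192 bytes start out as the heap fill pattern, then
 * bucket i receives the values RtlInitializeCriticalSectionAndSpinCount stores.
 * first_debug_info and stride are constructed stand-ins for the RtlpAllocateDebugInfo results. */
int fill_bucket_mutexes(uint8_t *mem, uint32_t first_debug_info, uint32_t stride)
{
    for (size_t off = 0; off < BUCKET_MEMORY_SIZE; off += 4)
        memcpy(mem + off, &(uint32_t){HEAP_FILL_PATTERN}, 4);

    for (int i = 0; i < NUMBER_OF_ASSOCIATIONS_DICTIONARIES; i++) {
        CRIT32 cs = {0};                       /* RecursionCount, OwningThread, LockSemaphore, SpinCount = 0 */
        cs.DebugInfo = first_debug_info + stride * (uint32_t)i;
        cs.LockCount = -1;
        memcpy(mem + MUTEX_ALLOCATION_SIZE * i, &cs, sizeof cs);  /* placement-new into the array */
    }
    return NUMBER_OF_ASSOCIATIONS_DICTIONARIES;
}

/* Dword n of the array, the way `dd` presents it. */
uint32_t bucket_dword(const uint8_t *mem, size_t n)
{
    uint32_t v;
    memcpy(&v, mem + 4 * n, sizeof v);
    return v;
}

/* Whether bucket i has been initialised and is free: LockCount == -1, no owner, debug info set. */
int bucket_is_free(const uint8_t *mem, int i)
{
    CRIT32 cs;
    memcpy(&cs, mem + MUTEX_ALLOCATION_SIZE * i, sizeof cs);
    return cs.LockCount == -1 && cs.OwningThread == 0 && cs.DebugInfo != HEAP_FILL_PATTERN;
}

static uint8_t g_bucket_memory[BUCKET_MEMORY_SIZE];

/* Fills the static buffer with constructed debug-info addresses and returns it. */
const uint8_t *demo_fill(void)
{
    fill_bucket_mutexes(g_bucket_memory, 0x000bd128u, 0x28u);  /* constructed values */
    return g_bucket_memory;
}

int main(void)
{
    const uint8_t *mem = demo_fill();
    for (int i = 0; i < NUMBER_OF_ASSOCIATIONS_DICTIONARIES; i++)
        printf("bucket %d at %08x free=%d\n", i, bucket_mutex_va(OSF_ADDRESS_BASE, i), bucket_is_free(mem, i));
    for (size_t n = 0; n < BUCKET_MEMORY_SIZE / 4; n++)
        printf("%08x%s", bucket_dword(mem, n), (n % 4 == 3) ? "\n" : " ");
    return 0;
}
```

Running it reproduces the addresses the debugger reported for the accessor (0xb001d4 for index 2, 0xb001ec for index 3, 0xb0024c for the eighth bucket) and the `DebugInfo, ffffffff, 0, 0, 0, 0` pattern every 0x18 bytes, with the untouched tail still showing the 0xbaadf00d fill until its bucket is constructed.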

1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb001d4))
(*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb001d4))                 [Type: _RTL_CRITICAL_SECTION]
    [+0x000] DebugInfo        : 0xbd1c0 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
    [+0x004] LockCount        : -1 [Type: long]
    [+0x008] RecursionCount   : 0 [Type: long]
    [+0x00c] OwningThread     : 0x0 [Type: void *]
    [+0x010] LockSemaphore    : 0x0 [Type: void *]
    [+0x014] SpinCount        : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd1c0)
((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd1c0)                 : 0xbd1c0 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
    [+0x000] Type             : 0x0 [Type: unsigned short]
    [+0x002] CreatorBackTraceIndex : 0x0 [Type: unsigned short]
    [+0x004] CriticalSection  : 0xb001d4 [Type: _RTL_CRITICAL_SECTION *]
    [+0x008] ProcessLocksList [Type: _LIST_ENTRY]
    [+0x010] EntryCount       : 0x0 [Type: unsigned long]
    [+0x014] ContentionCount  : 0x0 [Type: unsigned long]
    [+0x018] Spare            [Type: unsigned long [2]]
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_LIST_ENTRY *)0xbd1c8))
(*((RPCRT4!_LIST_ENTRY *)0xbd1c8))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x77fba3f8 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0xbd1a0 [Type: _LIST_ENTRY *]


1: kd> dd 0xb001a4
00b001a4  000bd128 ffffffff 00000000 00000000
00b001b4  00000000 00000000 000bd198 ffffffff
00b001c4  00000000 00000000 00000000 00000000
00b001d4  000bd1c0 ffffffff

Part 3: what the RPCRT4!OSF_ADDRESS::GetAssociationBucketMutex function does

1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xbd:
001b:77c0db3f e861ebffff      call    RPCRT4!OSF_ADDRESS::GetAssociationBucketMutex (77c0c6a5)
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc2:
001b:77c0db44 3bc3            cmp     eax,ebx
1: kd> r
eax=00b001ec


Part 4: ntdll!RtlInitializeCriticalSectionAndSpinCount initializes the critical section and spin lock
1: kd> t
ntdll!RtlInitializeCriticalSectionAndSpinCount:
001b:77f415d2 55              push    ebp
1: kd> kc
 #
00 ntdll!RtlInitializeCriticalSectionAndSpinCount
01 RPCRT4!MUTEX::CommonConstructor
02 RPCRT4!OSF_ADDRESS::OSF_ADDRESS
03 RPCRT4!OsfCreateRpcAddress
04 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
05 RPCRT4!I_RpcServerUseProtseqEp2W
06 RPCRT4!RpcServerUseProtseqEpExW
07 RPCRT4!RpcServerUseProtseqEpW
08 LSASRV!RpcpAddInterface
09 LSASRV!LsapRPCInit
0a LSASRV!LsapInitLsa
0b lsass!main
0c lsass!mainNoCRTStartup
0d kernel32!BaseProcessStart
1: kd> dv
 CriticalSection = 0x00b001ec
       SpinCount = 0x80000000
         ReqSize = 0x1d4
pThreadLocalData = 0x80000000
    pEventHeader = 0x00b001ec


    DebugInfo->Type = RTL_CRITSECT_TYPE;
    DebugInfo->ContentionCount = 0;
    DebugInfo->EntryCount = 0;


1: kd> p
ntdll!RtlInitializeCriticalSectionAndSpinCount+0x70:
001b:77f41642 895e10          mov     dword ptr [esi+10h],ebx
1: kd> p
ntdll!RtlInitializeCriticalSectionAndSpinCount+0x73:
001b:77f41645 897e04          mov     dword ptr [esi+4],edi
1: kd> r
eax=000bd1e8 ebx=00000000 ecx=77f2b57e edx=00080c14 esi=000bd1e8 edi=00b001ec

esi=000bd1e8


#define RTL_CRITSECT_TYPE 0
#define RTL_RESOURCE_TYPE 1

1: kd> dt RTL_CRITICAL_SECTION_DEBUG 000bd1e8
MPR!RTL_CRITICAL_SECTION_DEBUG
   +0x000 Type             : 0
   +0x002 CreatorBackTraceIndex : 8
   +0x004 CriticalSection  : 0x00080178 _RTL_CRITICAL_SECTION
   +0x008 ProcessLocksList : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x010 EntryCount       : 0
   +0x014 ContentionCount  : 0
   +0x018 Spare            : [2] 0

1: kd> dt RTL_CRITICAL_SECTION_DEBUG 000bd1e8
MPR!RTL_CRITICAL_SECTION_DEBUG
   +0x000 Type             : 0
   +0x002 CreatorBackTraceIndex : 8
   +0x004 CriticalSection  : 0x00b001ec _RTL_CRITICAL_SECTION
   +0x008 ProcessLocksList : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x010 EntryCount       : 0
   +0x014 ContentionCount  : 0
   +0x018 Spare            : [2] 0

1: kd> dt RtlCriticalSectionList
ntdll!RtlCriticalSectionList
 [ 0x77fb9a08 - 0xbd1c8 ]
   +0x000 Flink            : 0x77fb9a08 _LIST_ENTRY [ 0x77fb9a28 - 0x77fba3f8 ]
   +0x004 Blink            : 0x000bd1c8 _LIST_ENTRY [ 0x77fba3f8 - 0xbd1a0 ]

    if (CriticalSection != &RtlCriticalSectionLock) {

        RtlEnterCriticalSection(&RtlCriticalSectionLock);
        InsertTailList(&RtlCriticalSectionList, &DebugInfo->ProcessLocksList);
        RtlLeaveCriticalSection(&RtlCriticalSectionLock );

1: kd> dt RtlCriticalSectionList
ntdll!RtlCriticalSectionList
 [ 0x77fb9a08 - 0xbd1f0 ]
   +0x000 Flink            : 0x77fb9a08 _LIST_ENTRY [ 0x77fb9a28 - 0x77fba3f8 ]
   +0x004 Blink            : 0x000bd1f0 _LIST_ENTRY [ 0x77fba3f8 - 0xbd1c8 ]


1: kd> dt RTL_CRITICAL_SECTION_DEBUG 0x000bd1f0-8
MPR!RTL_CRITICAL_SECTION_DEBUG
   +0x000 Type             : 0
   +0x002 CreatorBackTraceIndex : 0
   +0x004 CriticalSection  : 0x00b001ec _RTL_CRITICAL_SECTION
   +0x008 ProcessLocksList : _LIST_ENTRY [ 0x77fba3f8 - 0xbd1c8 ]
   +0x010 EntryCount       : 0
   +0x014 ContentionCount  : 0
   +0x018 Spare            : [2] 0

1: kd> dd 0xb001a4
00b001a4  000bd128 ffffffff 00000000 00000000
00b001b4  00000000 00000000 000bd198 ffffffff
00b001c4  00000000 00000000 00000000 00000000
00b001d4  000bd1c0 ffffffff 00000000 00000000
00b001e4  00000000 00000000 000bd1e8 ffffffff
00b001f4  00000000 00000000 00000000 00000000


1: kd> dd 0xb001a4
00b001a4  000bd128 ffffffff 00000000 00000000
00b001b4  00000000 00000000 000bd198 ffffffff
00b001c4  00000000 00000000 00000000 00000000
00b001d4  000bd1c0 ffffffff 00000000 00000000
00b001e4  00000000 00000000 000bd1e8 ffffffff
00b001f4  00000000 00000000 00000000 00000000
00b00204  000bd210 ffffffff 00000000 00000000
00b00214  00000000 00000000 000bd238 ffffffff
1: kd> dd 0xb00224
00b00224  00000000 00000000 00000000 00000000
00b00234  000bd260 ffffffff 00000000 00000000
00b00244  00000000 00000000 000bd288 ffffffff
00b00254  00000000 00000000 00000000 00000000


Part 5: example 8 and the final result.

1: kd> dt MUTEX 0xb00244+8
RPCRT4!MUTEX
   +0x000 CriticalSection  : _RTL_CRITICAL_SECTION
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb0024c))
(*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb0024c))                 [Type: _RTL_CRITICAL_SECTION]
    [+0x000] DebugInfo        : 0xbd288 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
    [+0x004] LockCount        : -1 [Type: long]
    [+0x008] RecursionCount   : 0 [Type: long]
    [+0x00c] OwningThread     : 0x0 [Type: void *]
    [+0x010] LockSemaphore    : 0x0 [Type: void *]
    [+0x014] SpinCount        : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd288)
((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd288)                 : 0xbd288 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
    [+0x000] Type             : 0x0 [Type: unsigned short]
    [+0x002] CreatorBackTraceIndex : 0x0 [Type: unsigned short]
    [+0x004] CriticalSection  : 0xb0024c [Type: _RTL_CRITICAL_SECTION *]
    [+0x008] ProcessLocksList [Type: _LIST_ENTRY]
    [+0x010] EntryCount       : 0x0 [Type: unsigned long]
    [+0x014] ContentionCount  : 0x0 [Type: unsigned long]
    [+0x018] Spare            [Type: unsigned long [2]]
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_LIST_ENTRY *)0xbd290))
(*((RPCRT4!_LIST_ENTRY *)0xbd290))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x77fba3f8 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0xbd268 [Type: _LIST_ENTRY *]

1: kd> x  ntdll!RtlCriticalSectionList
77fba3f8          ntdll!RtlCriticalSectionList = struct _LIST_ENTRY [ 0x77fb9a08 - 0xbd290 ]
1: kd> dx -id 0,0,897f4020 -r1 (*((ntdll!_LIST_ENTRY *)0x77fba3f8))
(*((ntdll!_LIST_ENTRY *)0x77fba3f8))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x77fb9a08 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0xbd290 [Type: _LIST_ENTRY *]


1: kd> dt rpcrt4!OSF_ADDRESS 00b00070
   +0x000 __VFN_table : 0x77bd77cc
   +0x004 MagicLong        : 0x89abcdef
   +0x008 ObjectType       : 0n2048
   +0x00c TransInfo        : 0x00943d70 TRANS_INFO
   +0x010 Endpoint         : (null)
   +0x014 RpcProtocolSequence : (null)
   +0x018 NetworkAddress   : (null)
   +0x01c StaticEndpointFlag : 0xbaadf00d
   +0x020 ActiveCallCount  : 0n0
   +0x024 PendingQueueSize : 0xbaadf00d
   +0x028 SecurityDescriptor : 0xbaadf00d Void
   +0x02c NICFlags         : 0xbaadf00d
   +0x030 EndpointFlags    : 0xbaadf00d
   +0x034 Server           : 0xbaadf00d RPC_SERVER
   +0x038 AddressMutex     : MUTEX
   +0x050 DictKey          : 0n-1163005939
   +0x054 Associations     : [8] OSF_ASSOCIATION_DICT
   +0x134 AssociationBucketMutexMemory : [192]  "(???"
   +0x1f4 ServerInfo       : 0x77bece00 RPC_CONNECTION_TRANSPORT
   +0x1f8 SetupAddressOccurred : 0
   +0x1fc ServerListeningFlag : 0n0
   +0x200 DebugCell        : 0x00af0020 tagDebugEndpointInfo
   +0x204 DebugCellTag     : 0n0

1: kd> r
eax=00b00070 ebx=73304bd0 ecx=7ffde000 edx=77fba380 esi=00000000 edi=20000500
eip=77c0f514 esp=0006fe30 ebp=0006fe34 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
RPCRT4!OsfCreateRpcAddress+0x47:
001b:77c0f514 c9              leave
1: kd> p
RPCRT4!OsfCreateRpcAddress+0x48:
001b:77c0f515 c20400          ret     4
