
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之创建一个RPCRT4!OSF_CCALL--RPC源代码分析

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之创建一个RPCRT4!OSF_CCALL


第一部分:
1: kd> p
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x167:
001b:77bf6957 393dec35c877    cmp     dword ptr [RPCRT4!gfRPCVerifierEnabled (77c835ec)],edi
1: kd> r
eax=0000015c ebx=007cf938 ecx=00ce1ad4 edx=00000000 esi=00ce1958 edi=00000000
eip=77bf6957 esp=007cf8c0 ebp=007cf8cc iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x167:
001b:77bf6957 393dec35c877    cmp     dword ptr [RPCRT4!gfRPCVerifierEnabled (77c835ec)],edi ds:0023:77c835ec=00000000
1: kd> x RPCRT4!gfRPCVerifierEnabled
77c835ec          RPCRT4!gfRPCVerifierEnabled = 0n0


        else
            {
            CachedCCall = new (ClientInfo->SendContextSize+sizeof(PVOID))
            OSF_CCALL(pStatus);
            }

第二部分:
1: kd> p
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x184:
001b:77bf6974 e83a150200      call    RPCRT4!operator new (77c17eb3)
1: kd> p
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION+0x189:
001b:77bf6979 3bc7            cmp     eax,edi
1: kd> r
eax=00ce1b98

第三部分:
1: kd> dt ccall 00ce1b98
RPCRT4!CCALL
   +0x000 __VFN_table : 0xbaadf00d
   +0x004 MagicLong        : 0xbaadf00d
   +0x008 ObjectType       : 0n-1163005939
   +0x00c RefCount         : INTERLOCKED_INTEGER
   +0x010 NestingCall      : 0xbaadf00d CALL
   +0x014 pAsync           : 0xbaadf00d _RPC_ASYNC_STATE
   +0x018 NotificationIssued : 0n-1163005939
   +0x01c AsyncStatus      : 0n-1163005939
   +0x020 CachedAPCInfo    : RPC_APC_INFO
   +0x030 CachedAPCInfoAvailable : 0n-1163005939
   +0x034 CallingThread    : 0xbaadf00d THREAD
   +0x038 UuidSpecified    : 0n-1163005939
   +0x03c ObjectUuid       : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}
   +0x04c EEInfo           : 0xbaadf00d tagExtendedErrorInfo

第四部分:
1: kd> t
RPCRT4!OSF_CCALL::OSF_CCALL:
001b:77bf5662 55              push    ebp
1: kd> kc
 #
00 RPCRT4!OSF_CCALL::OSF_CCALL
01 RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION
02 RPCRT4!OSF_CASSOCIATION::AllocateCCall
03 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
04 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
05 RPCRT4!I_RpcGetBufferWithObject
06 RPCRT4!I_RpcGetBuffer
07 RPCRT4!NdrGetBuffer
08 RPCRT4!NdrClientCall2
09 ADVAPI32!LsarGetUserName
0a ADVAPI32!LsaGetUserName
0b ntdll!RtlpWaitOrTimerCallout


/*++

Routine Description:

    Constructs a client-side call object.  The call mutex, the sync event
    and the call counter are set up in the initializer list; every other
    member touched here is put into its "nothing in flight" state.

    The object is expected to have been allocated with sizeof(PVOID) plus
    the caller's send-context size appended (see the placement new in
    OSF_CCONNECTION::OSF_CCONNECTION).  That trailing storage is used as

        [OSF_CCALL][back pointer to this][send context ...]

    and CallSendContext is left pointing at the send context.

Arguments:

    pStatus - receives the status of constructing CallMutex / SyncEvent.

--*/
OSF_CCALL::OSF_CCALL (
    RPC_STATUS __RPC_FAR * pStatus
    ) : CallMutex(pStatus),
      SyncEvent(pStatus, 0),
      fAdvanceCallCount(0)
{
    LogEvent(SU_CCALL, EV_CREATE, this);

    ObjectType = OSF_CCALL_TYPE;

    // No security trailer, saved header, reply or callback state yet.
    ReservedForSecurity = 0;
    SecBufferLength     = 0;
    SavedHeaderSize     = 0;
    SavedHeader         = 0;
    InReply             = 0;
    CallbackLevel       = 0;
    EEInfo              = NULL;

    // Set to 1 here; presumably marks CachedAPCInfo as free to use - confirm.
    CachedAPCInfoAvailable = 1;

    // Trailing storage: the back-pointer slot sits immediately after the
    // object, and the send context starts right after that slot.
    char  *ObjectEnd       = reinterpret_cast<char *>(this) + sizeof(OSF_CCALL);
    PVOID *BackPointerSlot = reinterpret_cast<PVOID *>(ObjectEnd);

    *BackPointerSlot = static_cast<PVOID>(this);
    CallSendContext  = ObjectEnd + sizeof(PVOID);
}


1: kd> dv
           this = 00ce1b98
        pStatus = 0x007cf938

1: kd> p
RPCRT4!OSF_CCALL::OSF_CCALL+0x6c:
001b:77bf56ce 8d8638010000    lea     eax,[esi+138h]
1: kd> r
eax=00000000 ebx=00000001 ecx=00000000 edx=00000000 esi=00ce1b98

    [+0x0c0] CallSendContext  : 0x0 [Type: void *]

第五部分:

  ObjectType = OSF_CCALL_TYPE;
    ReservedForSecurity = 0;
    SecBufferLength = 0;
    SavedHeaderSize = 0;
    SavedHeader = 0;
    InReply = 0;
    EEInfo = NULL;
    CachedAPCInfoAvailable = 1;
    CallbackLevel = 0;

1: kd> dt RPCRT4!OSF_CCALL 00ce1b98
   +0x000 __VFN_table : 0x77bd3278
   +0x004 MagicLong        : 0x89abcdef
   +0x008 ObjectType       : 0n32            ObjectType = OSF_CCALL_TYPE;
   +0x00c RefCount         : INTERLOCKED_INTEGER
   +0x010 NestingCall      : 0xbaadf00d CALL
   +0x014 pAsync           : 0xbaadf00d _RPC_ASYNC_STATE
   +0x018 NotificationIssued : 0n-1163005939
   +0x01c AsyncStatus      : 0n-1163005939
   +0x020 CachedAPCInfo    : RPC_APC_INFO
   +0x030 CachedAPCInfoAvailable : 0n1
   +0x034 CallingThread    : 0xbaadf00d THREAD
   +0x038 UuidSpecified    : 0n-1163005939
   +0x03c ObjectUuid       : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}
   +0x04c EEInfo           : (null)
   +0x050 CurrentState     : 0xbaadf00d (No matching name)
   +0x054 Connection       : 0xbaadf00d OSF_CCONNECTION
   +0x058 BindingHandle    : 0xbaadf00d OSF_BINDING_HANDLE
   +0x05c CallbackLevel    : 0n0
   +0x060 Bindings         : OSF_CCALL::__unnamed
   +0x068 CurrentBuffer    : 0xbaadf00d Void
   +0x06c fDataLengthNegotiated : 0n-1163005939
   +0x070 CurrentOffset    : 0n-1163005939
   +0x074 CurrentBufferLength : 0xbaadf00d
   +0x078 CallId           : 0xbaadf00d
   +0x07c RcvBufferLength  : 0xbaadf00d
   +0x080 FirstSend        : 0n-1163005939
   +0x084 DispatchTableCallback : 0xbaadf00d RPC_DISPATCH_TABLE
   +0x088 MaximumFragmentLength : 0xbaadf00d
   +0x08c MaxSecuritySize  : 0xbaadf00d
   +0x090 MaxDataLength    : 0xbaadf00d
   +0x094 ProcNum          : 0n-1163005939
   +0x098 ReservedForSecurity : (null)
   +0x09c SecBufferLength  : 0
   +0x0a0 HeaderSize       : 0xbaadf00d
   +0x0a4 AdditionalSpaceForSecurity : 0xbaadf00d
   +0x0a8 SavedHeaderSize  : 0
   +0x0ac SavedHeader      : (null)
   +0x0b0 LastBuffer       : 0xbaadf00d Void
   +0x0b4 SyncEvent        : EVENT
   +0x0b8 ActualBufferLength : 0xbaadf00d
   +0x0bc NeededLength     : 0xbaadf00d
   +0x0c0 CallSendContext  : 0x00ce1cd0 Void
   +0x0c4 fAdvanceCallCount : INTERLOCKED_INTEGER
   +0x0c8 fPeerChoked      : 0n-1163005939
   +0x0cc Flags            : CompositeFlags
   +0x0d0 fLastSendComplete : 0n-1163005939
   +0x0d4 CallMutex        : MUTEX
   +0x0ec RecursiveCallsKey : 0n-1163005939
   +0x0f0 AllocHint        : 0xbaadf00d
   +0x0f4 CallStack        : 0n-1163005939
   +0x0f8 fCallCancelled   : 0n-1163005939
   +0x0fc CancelState      : 0xbaadf00d (No matching name)
   +0x100 BufferQueue      : QUEUE
   +0x12c InReply          : 0n0
   +0x130 fChoked          : 0n-1163005939

   +0x0c0 CallSendContext  : 0x00ce1cd0 Void
   
1: kd> dd 00ce1b98+138
00ce1cd0  baadf00d baadf00d baadf00d baadf00d
00ce1ce0  baadf00d baadf00d baadf00d baadf00d


    *((PVOID *) ((char *) CallSendContext - sizeof(PVOID))) = (PVOID) this;

1: kd> dd 00ce1b98+134
00ce1ccc  00ce1b98


第六部分:

1: kd> dt osf_CConnection 00ce1958
RPCRT4!OSF_CCONNECTION
   +0x000 __VFN_table : 0x77bd3994
   +0x004 MagicLong        : 0x89abcdef
   +0x008 ObjectType       : 0n128
   +0x00c RefCount         : INTERLOCKED_INTEGER
   +0x010 Association      : 0x00ce1840 OSF_CASSOCIATION
   +0x014 CurrentCall      : 0xbaadf00d OSF_CCALL
   +0x018 ConnectionKey    : 0n-1
   +0x01c State            : 0 ( ConnUninitialized )
   +0x020 WireAuthId       : 0 ''
   +0x022 MaxFrag          : 0x200
   +0x024 ThreadId         : 0xffffffff
   +0x028 CachedCCallAvailable : 0n-1163005939
   +0x02c MaxSavedHeaderSize : 0
   +0x030 CachedCCall      : 0x00ce1b98 OSF_CCALL


第七部分:

    CachedCCallAvailable = 0;
    CurrentCall = CachedCCall;
    ConnectionReady = 0;

}


1: kd> dt osf_CConnection 00ce1958
RPCRT4!OSF_CCONNECTION
   +0x000 __VFN_table : 0x77bd3994
   +0x004 MagicLong        : 0x89abcdef
   +0x008 ObjectType       : 0n128
   +0x00c RefCount         : INTERLOCKED_INTEGER
   +0x010 Association      : 0x00ce1840 OSF_CASSOCIATION
   +0x014 CurrentCall      : 0x00ce1b98 OSF_CCALL
