
RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之初始化中的u.ConnSendContext----RPC源代码分析

RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION函数分析之初始化中的u.ConnSendContext


第一部分:
1: kd> kc
 #
00 RPCRT4!OSF_CCONNECTION::OSF_CCONNECTION
01 RPCRT4!OSF_CASSOCIATION::AllocateCCall
02 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
03 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
04 RPCRT4!I_RpcGetBufferWithObject
05 RPCRT4!I_RpcGetBuffer
06 RPCRT4!NdrGetBuffer
07 RPCRT4!NdrClientCall2
08 ADVAPI32!LsarGetUserName
09 ADVAPI32!LsaGetUserName
0a ntdll!RtlpWaitOrTimerCallout


第二部分:
RPC_STATUS
OSF_CASSOCIATION::AllocateCCall (
    IN OSF_BINDING_HANDLE *BindingHandle,
    IN PRPC_MESSAGE Message,
    IN CLIENT_AUTH_INFO * ClientAuthInfo,
    OUT OSF_CCALL ** pCCall,
    OUT BOOL *fBindingHandleReferenceRemoved
    )
{

    Status = LookForExistingConnection (
                                            BindingHandle,
                                            fExclusive,
                                            ClientAuthInfo,
                                            PresentationContextsToUse,
                                            NumberOfBindingsToUse,
                                            &CConnection,
                                            &PresentationContextSupported,
                                            &InitialCallState,
                                            BOOL(fUseSeparateConnection)) ;


    AssociationMutex.Clear();

    if (Status != RPC_S_OK)
        {
        ReleaseBindingList(BindingsList);
        return Status;
        }

    if (CConnection == 0)
        {
        //
        // Allocate a new connection
        //
        RPC_CONNECTION_TRANSPORT *ClientInfo
            = (RPC_CONNECTION_TRANSPORT *) TransInfo->InqTransInfo();

        Status = RPC_S_OK;

        CConnection = new(ClientInfo->ClientConnectionSize
                          + ClientInfo->SendContextSize
                          + sizeof(PVOID))
                          OSF_CCONNECTION(
                              this,
                              ClientInfo,
                              BindingHandle->InqComTimeout(),
                              ClientAuthInfo,
                              fExclusive,
                              BOOL(fUseSeparateConnection),
                              &Status);

第三部分:


1: kd> dv
               this = 00ce1958
      MyAssociation = 0x00ce1840
      RpcClientInfo = 0x77bece00
            Timeout = 5
     ClientAuthInfo = 0x00ce1768
         fExclusive = 0n1
fSeparateConnection = 0n0
            pStatus = 0x007cf938


    // Sets the connection's header-sign capability flag to cshsDontKnow, i.e.
    // "not yet determined" (presumably refined later once the peer's reply is seen).
    // The SetFlagUnsafe name suggests an unsynchronized write; that is only safe
    // while the connection is still private to the constructing thread --
    // NOTE(review): confirm every caller runs before the object is published.
    inline void InitConnectionSupportHeaderSign(void)
    {
        Flags.SetFlagUnsafe(cshsDontKnow);
    }

 Association = MyAssociation;
    // CASSOC++
    Association->AddReference();

    ObjectType = OSF_CCONNECTION_TYPE;
    ClientInfo = RpcClientInfo;

第四部分:


1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00)
((RPCRT4!RPC_CONNECTION_TRANSPORT *)0x77bece00)                 : 0x77bece00 [Type: RPC_CONNECTION_TRANSPORT *]
    [+0x000] TransInterfaceVersion : 0x2004 [Type: unsigned int]
    [+0x004] TransId          : 0xf [Type: unsigned short]
    [+0x006] TransAddrId      : 0x11 [Type: unsigned short]
    [+0x008] ProtocolSequence : 0x77bd2264 : 0x6e [Type: unsigned short *]

    [+0x030] AddressSize      : 0x70 [Type: unsigned int]
    [+0x034] ClientConnectionSize : 0x54 [Type: unsigned int]
    [+0x038] ServerConnectionSize : 0x54 [Type: unsigned int]
    [+0x03c] SendContextSize  : 0x24 [Type: unsigned int]
 

第五部分:u.ConnSendContext的地址的由来!!!


// Address of the transport-private connection block that lives immediately
// after the OSF_CCONNECTION object. Those bytes exist only because every
// OSF_CCONNECTION is created through the sized operator new in
// OSF_CASSOCIATION::AllocateCCall (ClientConnectionSize + SendContextSize +
// sizeof(PVOID) extra bytes, taken from the transport's RPC_CONNECTION_TRANSPORT
// table). An instance allocated any other way would make this pointer land
// past the end of the object, so the two sites must stay in sync.
#define TransConnection() ((RPC_TRANSPORT_CONNECTION) \
                                       ((char *) this+sizeof(OSF_CCONNECTION)))


    [+0x034] ClientConnectionSize : 0x54 [Type: unsigned int]

    [+0x03c] SendContextSize  : 0x24 [Type: unsigned int]

//关键:传输层连接块(ClientConnectionSize 字节)紧跟在 OSF_CCONNECTION 对象之后;再往后留出一个 PVOID,存放指回 this 的指针;u.ConnSendContext 指向这个指针之后的 SendContextSize 字节。这段内存全部来自 AllocateCCall 中带额外大小的 new,两处布局必须保持一致
    u.ConnSendContext = (char *) TransConnection()
                      + ClientInfo->ClientConnectionSize
                      + sizeof(PVOID);

    *((PVOID *) ((char *) u.ConnSendContext - sizeof(PVOID))) = (PVOID) this;    

*(PVOID *)00ce1b28 == 00ce1958,即 u.ConnSendContext(00ce1b2c)前一个指针大小的位置存放的正是 this。地址推算:this(00ce1958) + sizeof(OSF_CCONNECTION)(0x17c) + ClientConnectionSize(0x54) = 00ce1b28


1: kd> dd 00ce1958++0x17c+54
00ce1b28  00ce1958 baadf00d baadf00d baadf00d
00ce1b38  baadf00d baadf00d baadf00d baadf00d


1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!OSF_CCONNECTION::__unnamed *)0xce1aac))
(*((RPCRT4!OSF_CCONNECTION::__unnamed *)0xce1aac))                 [Type: OSF_CCONNECTION::__unnamed]
    [+0x000] ConnSendContext  : 0xce1b2c [Type: void *]
    [+0x000] NextConnection   : 0xce1b2c [Type: OSF_CCONNECTION *]


第六部分:u.ConnSendContext作为参数的地方和具体含义

    if (fAsync)
        {
        Status = TransAsyncSend(BindingHandle,
                                BindPacket,
                                BindPacketLength,
                                u.ConnSendContext);
        }


RPC_STATUS
OSF_CCONNECTION::TransAsyncSend (
    IN OSF_BINDING_HANDLE * BindingHandle,
    IN void  * Buffer,
    IN UINT BufferLength,
    IN void  *SendContext
    )
{

    Status = ClientInfo->Send(TransConnection(),
                              BufferLength,
                              (BUFFER) Buffer,
                              SendContext);


1: kd> u 77c6d738
RPCRT4!CO_Send [d:\srv03rtm\com\rpc\runtime\trans\common\cotrans.cxx @ 59]:
77c6d738 ??              ???


RPC_STATUS
RPC_ENTRY
CO_Send(
    RPC_TRANSPORT_CONNECTION ThisConnection,
    UINT Length,
    BUFFER Buffer,
    PVOID SendContext
    )
{
    PCONNECTION pConnection = (PCONNECTION)ThisConnection;
    CO_SEND_CONTEXT *pSend = (CO_SEND_CONTEXT *)SendContext;
    BOOL b;

1: kd> dt CO_SEND_CONTEXT            //正好 0x24(36)字节,与 RPC_CONNECTION_TRANSPORT::SendContextSize 一致
RPCRT4!CO_SEND_CONTEXT
   +0x000 Write            : BASE_OVERLAPPED
   +0x01c pWriteBuffer     : Ptr32 UChar
   +0x020 maxWriteBuffer   : Uint4B
