smss 源代码分析：smss!SmpLoadSubSystemsForMuSession 函数如何加载 csrss.exe
第一部分：遍历 SmpSubSystemsToLoad 链表，对每个 SMP_REGISTRY_VALUE 条目调用 SmpExecuteCommand 执行其 Value；名字为 "debug"（不区分大小写）的条目在标志中额外带上 SMP_DEBUG_FLAG。
Next = SmpSubSystemsToLoad.Flink;
while ( Next != &SmpSubSystemsToLoad ) {
p = CONTAINING_RECORD( Next,
SMP_REGISTRY_VALUE,
Entry
);
#if SMP_SHOW_REGISTRY_DATA
DbgPrint( "SMSS: Loaded SubSystem( %wZ = %wZ )\n", &p->Name, &p->Value );
#endif
if (!_wcsicmp( p->Name.Buffer, L"debug" )) {
Status = SmpExecuteCommand( &p->Value, *pMuSessionId, pWindowsSubSysProcessId, SMP_SUBSYSTEM_FLAG | SMP_DEBUG_FLAG );
}
else {
Status = SmpExecuteCommand( &p->Value, *pMuSessionId, pWindowsSubSysProcessId, SMP_SUBSYSTEM_FLAG );
}
第二部分：用 WinDbg 查看链表中的两个条目（"Debug" 与 "Windows"）。注意 Value 字段（包括 ServerDll= 等参数）来自注册表（见下文调用栈中的 SmpLoadDataFromRegistry），并被原样传给 SmpExecuteCommand，因此这些子系统注册表值是一个安全敏感的配置面：能写入这些值的主体即可决定 smss 以 csrss 身份启动什么、以及加载哪些 ServerDll 模块。
0: kd> dt _SMP_REGISTRY_VALUE 00163fd0
smss!_SMP_REGISTRY_VALUE
+0x000 Entry : _LIST_ENTRY [ 0x164168 - 0x4858f618 ]
+0x008 Name : _UNICODE_STRING "Debug"
+0x010 Value : _UNICODE_STRING ""
+0x018 AnsiValue : 0x00164018 ""
0: kd> x smss!SmpSubSystemsToLoad
4858f618 smss!SmpSubSystemsToLoad = struct _LIST_ENTRY [ 0x163fd0 - 0x164168 ]
0: kd> dx -r1 (*((smss!_LIST_ENTRY *)0x4858f618))
(*((smss!_LIST_ENTRY *)0x4858f618)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x163fd0 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x164168 [Type: _LIST_ENTRY *]
0: kd> dx -r1 ((smss!_LIST_ENTRY *)0x163fd0)
((smss!_LIST_ENTRY *)0x163fd0) : 0x163fd0 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x164168 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x4858f618 [Type: _LIST_ENTRY *]
0: kd> dt _SMP_REGISTRY_VALUE 0x164168
smss!_SMP_REGISTRY_VALUE
+0x000 Entry : _LIST_ENTRY [ 0x4858f618 - 0x163fd0 ]
+0x008 Name : _UNICODE_STRING "Windows"
+0x010 Value : _UNICODE_STRING "C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
+0x018 AnsiValue : 0x001641a0 "C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
0: kd> x smss!SmpSubSystemsToLoad
4858f618 smss!SmpSubSystemsToLoad = struct _LIST_ENTRY [ 0x163fd0 - 0x164168 ]
/* Subsystem entries whose registry value name is "Debug" (compared case-insensitively)
 * are handed to SmpExecuteCommand with SMP_DEBUG_FLAG OR-ed into the flags. In the trace
 * below this call arrives with an empty CommandLine and Flags = 9, versus Flags = 8 for
 * the "Windows" entry, so the debug bit is what distinguishes the two calls.
 * NOTE(review): _wcsicmp relies on Name.Buffer being NUL-terminated, which a
 * UNICODE_STRING does not guarantee in general; presumably the registry loader
 * ensures that here -- confirm. */
if (!_wcsicmp( p->Name.Buffer, L"debug" )) {
Status = SmpExecuteCommand( &p->Value, *pMuSessionId, pWindowsSubSysProcessId, SMP_SUBSYSTEM_FLAG | SMP_DEBUG_FLAG );
}
第三部分：第一次命中 SmpExecuteCommand 断点，对应 "Debug" 条目：CommandLine 为空串，Flags = 9（与 SMP_SUBSYSTEM_FLAG | SMP_DEBUG_FLAG 一致），函数在下面的 SMP_DEBUG_FLAG 检查处直接返回 STATUS_SUCCESS。
0: kd> t
Breakpoint 3 hit
smss!SmpExecuteCommand:
001b:4858a860 55 push ebp
0: kd> kc
#
00 smss!SmpExecuteCommand
01 smss!SmpLoadSubSystemsForMuSession
02 smss!SmpLoadDataFromRegistry
03 smss!SmpInit
04 smss!main
05 smss!NtProcessStartup
0: kd> dv
CommandLine = 0x00163fe0 ""
MuSessionId = 0
pWindowsSubSysProcessId = 0x4858f614
Flags = 9
ImageFileName = ""
CurrentDirectory = 394 ''
Arguments = 3266
/* Early exit for the "Debug" subsystem entry: when SMP_DEBUG_FLAG is set (Flags = 9 in
 * the preceding dv output) the function returns STATUS_SUCCESS here, before the visible
 * fragment does anything else with CommandLine, so an empty Debug value does not reach
 * the launch path shown for the "Windows" entry.
 * NOTE(review): only this fragment of SmpExecuteCommand is shown; confirm against the
 * full function that nothing runs before this check. */
if (Flags & SMP_DEBUG_FLAG) {
return( STATUS_SUCCESS );
}
第四部分：第二次命中断点，对应 "Windows" 条目：CommandLine 是完整的 csrss.exe 命令行，Flags = 8（仅 SMP_SUBSYSTEM_FLAG）。与第三部分不同，这次未设置 SMP_DEBUG_FLAG，不会在该检查处提前返回。
0: kd> t
Breakpoint 3 hit
smss!SmpExecuteCommand:
001b:4858a860 55 push ebp
0: kd> kc
#
00 smss!SmpExecuteCommand
01 smss!SmpLoadSubSystemsForMuSession
02 smss!SmpLoadDataFromRegistry
03 smss!SmpInit
04 smss!main
05 smss!NtProcessStartup
0: kd> dv
CommandLine = 0x00164178 "C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
MuSessionId = 0
pWindowsSubSysProcessId = 0x4858f614
Flags = 8
ImageFileName = ""
CurrentDirectory = 394 ''
Arguments = 3266