win7 winlogon!StateMachineHandleCallTransition 函数分析（winlogon 分析第五部分）
点击登录框中的 administrator 账户之后:
kd> bp 0059fb2b
kd> g
Breakpoint 11 hit
winlogon!StateMachineHandleCallTransition:
001b:0059ecb0 8bff mov edi,edi
kd> kc
#
00 winlogon!StateMachineHandleCallTransition   ← 关键函数，本文的分析对象
01 winlogon!StateMachineRun
02 winlogon!WlStateMachineRun
03 winlogon!WinMain
04 winlogon!_initterm_e
05 kernel32!BaseThreadInitThunk
06 ntdll!__RtlUserThreadStart
07 ntdll!_RtlUserThreadStart
kd> p
winlogon!StateMachineHandleCallTransition+0x2:
001b:0059ecb2 55 push ebp
kd> p
winlogon!StateMachineHandleCallTransition+0x3:
001b:0059ecb3 8bec mov ebp,esp
kd> p
winlogon!StateMachineHandleCallTransition+0x5:
001b:0059ecb5 53 push ebx
kd> p
winlogon!StateMachineHandleCallTransition+0x6:
001b:0059ecb6 8b5d10 mov ebx,dword ptr [ebp+10h]
kd> p
winlogon!StateMachineHandleCallTransition+0x9:
001b:0059ecb9 8b4314 mov eax,dword ptr [ebx+14h]
kd> p
winlogon!StateMachineHandleCallTransition+0xc:
001b:0059ecbc 56 push esi
kd> p
winlogon!StateMachineHandleCallTransition+0xd:
001b:0059ecbd 8b7508 mov esi,dword ptr [ebp+8]
kd> p
winlogon!StateMachineHandleCallTransition+0x10:
001b:0059ecc0 8b4e08 mov ecx,dword ptr [esi+8]
kd> p
winlogon!StateMachineHandleCallTransition+0x13:
001b:0059ecc3 57 push edi
kd> p
winlogon!StateMachineHandleCallTransition+0x14:
001b:0059ecc4 8b7d14 mov edi,dword ptr [ebp+14h]
kd> p
winlogon!StateMachineHandleCallTransition+0x17:
001b:0059ecc7 6bff0c imul edi,edi,0Ch
kd> p
winlogon!StateMachineHandleCallTransition+0x1a:
001b:0059ecca 8b440704 mov eax,dword ptr [edi+eax+4]
kd> p
winlogon!StateMachineHandleCallTransition+0x1e:
001b:0059ecce 8b0481 mov eax,dword ptr [ecx+eax*4]
kd> p
winlogon!StateMachineHandleCallTransition+0x21:
001b:0059ecd1 33c9 xor ecx,ecx
kd> p
winlogon!StateMachineHandleCallTransition+0x23:
001b:0059ecd3 894510 mov dword ptr [ebp+10h],eax
kd> p
winlogon!StateMachineHandleCallTransition+0x26:
001b:0059ecd6 394804 cmp dword ptr [eax+4],ecx
kd> p
winlogon!StateMachineHandleCallTransition+0x29:
001b:0059ecd9 740a je winlogon!StateMachineHandleCallTransition+0x35 (0059ece5)
kd> p
winlogon!StateMachineHandleCallTransition+0x2b:
001b:0059ecdb 394808 cmp dword ptr [eax+8],ecx
kd> p
winlogon!StateMachineHandleCallTransition+0x2e:
001b:0059ecde 7505 jne winlogon!StateMachineHandleCallTransition+0x35 (0059ece5)
kd> p
winlogon!StateMachineHandleCallTransition+0x30:
001b:0059ece0 39480c cmp dword ptr [eax+0Ch],ecx
kd> p
winlogon!StateMachineHandleCallTransition+0x33:
001b:0059ece3 741b je winlogon!StateMachineHandleCallTransition+0x50 (0059ed00)
kd> p
winlogon!StateMachineHandleCallTransition+0x50:
001b:0059ed00 83781001 cmp dword ptr [eax+10h],1
kd> p
winlogon!StateMachineHandleCallTransition+0x54:
001b:0059ed04 7509 jne winlogon!StateMachineHandleCallTransition+0x5f (0059ed0f)
kd> p
winlogon!StateMachineHandleCallTransition+0x56:
001b:0059ed06 8b4014 mov eax,dword ptr [eax+14h]
kd> p
winlogon!StateMachineHandleCallTransition+0x59:
001b:0059ed09 837804fe cmp dword ptr [eax+4],0FFFFFFFEh
kd> p
winlogon!StateMachineHandleCallTransition+0x5d:
001b:0059ed0d 7416 je winlogon!StateMachineHandleCallTransition+0x75 (0059ed25)
kd> p
winlogon!StateMachineHandleCallTransition+0x75:
001b:0059ed25 8b4314 mov eax,dword ptr [ebx+14h]
kd> p
winlogon!StateMachineHandleCallTransition+0x78:
001b:0059ed28 8b0407 mov eax,dword ptr [edi+eax]
kd> p
winlogon!StateMachineHandleCallTransition+0x7b:
001b:0059ed2b 8b4e10 mov ecx,dword ptr [esi+10h]
kd> p
winlogon!StateMachineHandleCallTransition+0x7e:
001b:0059ed2e ff3481 push dword ptr [ecx+eax*4]
kd> p
winlogon!StateMachineHandleCallTransition+0x81:
001b:0059ed31 50 push eax
kd> p
winlogon!StateMachineHandleCallTransition+0x82:
001b:0059ed32 ff36 push dword ptr [esi]
kd> p
winlogon!StateMachineHandleCallTransition+0x84:
001b:0059ed34 e8f3130000 call winlogon!SignalManagerResetSignal (005a012c)
kd> p
winlogon!StateMachineHandleCallTransition+0x89:
001b:0059ed39 83bea001000020 cmp dword ptr [esi+1A0h],20h
kd> p
winlogon!StateMachineHandleCallTransition+0x90:
001b:0059ed40 7217 jb winlogon!StateMachineHandleCallTransition+0xa9 (0059ed59)
kd> p
winlogon!StateMachineHandleCallTransition+0xa9:
001b:0059ed59 8b8ea0010000 mov ecx,dword ptr [esi+1A0h]
kd> p
winlogon!StateMachineHandleCallTransition+0xaf:
001b:0059ed5f 8b4314 mov eax,dword ptr [ebx+14h]
kd> p
winlogon!StateMachineHandleCallTransition+0xb2:
001b:0059ed62 8b440704 mov eax,dword ptr [edi+eax+4]
kd> p
winlogon!StateMachineHandleCallTransition+0xb6:
001b:0059ed66 83c103 add ecx,3
kd> p
winlogon!StateMachineHandleCallTransition+0xb9:
001b:0059ed69 6bc90c imul ecx,ecx,0Ch
kd> p
winlogon!StateMachineHandleCallTransition+0xbc:
001b:0059ed6c 890431 mov dword ptr [ecx+esi],eax
kd> p
winlogon!StateMachineHandleCallTransition+0xbf:
001b:0059ed6f 8b8ea0010000 mov ecx,dword ptr [esi+1A0h]
kd> p
winlogon!StateMachineHandleCallTransition+0xc5:
001b:0059ed75 8b4314 mov eax,dword ptr [ebx+14h]
kd> p
winlogon!StateMachineHandleCallTransition+0xc8:
001b:0059ed78 6bc90c imul ecx,ecx,0Ch
kd> p
winlogon!StateMachineHandleCallTransition+0xcb:
001b:0059ed7b 8b0407 mov eax,dword ptr [edi+eax]
kd> p
winlogon!StateMachineHandleCallTransition+0xce:
001b:0059ed7e 89443120 mov dword ptr [ecx+esi+20h],eax
kd> p
winlogon!StateMachineHandleCallTransition+0xd2:
001b:0059ed82 ff86a0010000 inc dword ptr [esi+1A0h]
kd> p
winlogon!StateMachineHandleCallTransition+0xd8:
001b:0059ed88 83bea001000020 cmp dword ptr [esi+1A0h],20h
kd> p
winlogon!StateMachineHandleCallTransition+0xdf:
001b:0059ed8f 7507 jne winlogon!StateMachineHandleCallTransition+0xe8 (0059ed98)
kd> p
winlogon!StateMachineHandleCallTransition+0xe8:
001b:0059ed98 8b7510 mov esi,dword ptr [ebp+10h]
kd> p
winlogon!StateMachineHandleCallTransition+0xeb:
001b:0059ed9b 837e0400 cmp dword ptr [esi+4],0
kd> p
winlogon!StateMachineHandleCallTransition+0xef:
001b:0059ed9f 7433 je winlogon!StateMachineHandleCallTransition+0x124 (0059edd4)
kd> p
winlogon!StateMachineHandleCallTransition+0xf1:
001b:0059eda1 a10c405b00 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (005b400c)]
kd> p
winlogon!StateMachineHandleCallTransition+0xf6:
001b:0059eda6 3d0c405b00 cmp eax,offset winlogon!WPP_GLOBAL_Control (005b400c)
kd> p
winlogon!StateMachineHandleCallTransition+0xfb:
001b:0059edab 7421 je winlogon!StateMachineHandleCallTransition+0x11e (0059edce)
kd> p
winlogon!StateMachineHandleCallTransition+0xfd:
001b:0059edad f6401c01 test byte ptr [eax+1Ch],1
kd> p
winlogon!StateMachineHandleCallTransition+0x101:
001b:0059edb1 741b je winlogon!StateMachineHandleCallTransition+0x11e (0059edce)
kd> p
winlogon!StateMachineHandleCallTransition+0x103:
001b:0059edb3 80781905 cmp byte ptr [eax+19h],5
kd> p
winlogon!StateMachineHandleCallTransition+0x107:
001b:0059edb7 7215 jb winlogon!StateMachineHandleCallTransition+0x11e (0059edce)
kd> p
winlogon!StateMachineHandleCallTransition+0x11e:
001b:0059edce ff750c push dword ptr [ebp+0Ch]
kd> p
winlogon!StateMachineHandleCallTransition+0x121:
001b:0059edd1 ff5604 call dword ptr [esi+4]
通过 call dword ptr [esi+4] 间接调用之后出现桌面:
kd> p
[SC-CLIENT] d1c:cf4 ScOpenServiceChannelHandle: RI_ScOpenServiceChannelHandle failed with status 5
winlogon!StateMachineHandleCallTransition+0x124:
001b:0059edd4 5f pop edi
winlogon!StateMachineHandleCallTransition+0x124:
001b:0059edd4 5f pop edi
kd> p
winlogon!StateMachineHandleCallTransition+0x125:
001b:0059edd5 5e pop esi
kd> p
winlogon!StateMachineHandleCallTransition+0x126:
001b:0059edd6 5b pop ebx
kd> p
winlogon!StateMachineHandleCallTransition+0x127:
001b:0059edd7 5d pop ebp
kd> p
winlogon!StateMachineHandleCallTransition+0x128:
001b:0059edd8 c21000 ret 10h
kd> p
winlogon!StateMachineRun+0x369:
001b:0059f149 8b75fc mov esi,dword ptr [ebp-4]