winlogon!StateMachineRun 函数用到的核心数据结构：winlogon 中的全局状态机状态数组（g_xWLGeneric_*_State）
第0部分:
kd> g
Breakpoint 0 hit
winlogon!WMsgKMessageHandler:
001b:009cf97b 8bff mov edi,edi
kd> g
Breakpoint 8 hit
winlogon!WlStateMachineSetSignal:
001b:009d0bc1 8bff mov edi,edi
kd> g
Breakpoint 2 hit
winlogon!SignalManagerSetSignal:
001b:009efe64 6a1c push 1Ch
kd> g
Breakpoint 17 hit
winlogon!StateMachineRun+0x29c:
001b:009ef07c 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh
kd> g
Breakpoint 16 hit
winlogon!StateMachineRun+0x3b4:
001b:009ef194 8b150c40a000 mov edx,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
kd> p
winlogon!StateMachineRun+0x3ba:
001b:009ef19a 837b0800 cmp dword ptr [ebx+8],0
kd> r
eax=00000000 ebx=00a02cc4 ecx=88c16ca2 edx=00a04b38 esi=000ef93c edi=00141038
eip=009ef19a esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
winlogon!StateMachineRun+0x3ba:
001b:009ef19a 837b0800 cmp dword ptr [ebx+8],0 ds:0023:00a02ccc={winlogon!WLGeneric_Logged_On_Execute (009d4d1e)}
kd> dd 00a02cc4
00a02cc4 009c2290 00000000 009d4d1e 009d4dd8
00a02cd4 00000010 00a02bf0 00000005 00a02cb0
00a02ce4 0000001c 00000000 fffffffe 00000000
00a02cf4 009c2264 009d636f 00000000 00000000
00a02d04 00000001 00a02ce8 00000000 00000000
00a02d14 0000001d 00000000 fffffffe 00000000
00a02d24 009c2238 009d4f39 00000000 00000000
00a02d34 00000001 00a02d18 00000000 00000000
kd> u 009d4d1e
winlogon!WLGeneric_Logged_On_Execute:
009d4d1e 6a08 push 8
009d4d20 6860d99f00 push offset winlogon!_snprintf_s+0x40a (009fd960)
009d4d25 e8728a0100 call winlogon!_SEH_prolog4 (009ed79c)
009d4d2a a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4d2f 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4d34 7424 je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
009d4d36 f7401c00010000 test dword ptr [eax+1Ch],100h
009d4d3d 741b je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
kd> p
winlogon!StateMachineRun+0x3be:
001b:009ef19e 744d je winlogon!StateMachineRun+0x40d (009ef1ed)
kd> p
winlogon!StateMachineRun+0x3c0:
001b:009ef1a0 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> p
winlogon!StateMachineRun+0x3c6:
001b:009ef1a6 741f je winlogon!StateMachineRun+0x3e7 (009ef1c7)
kd> p
winlogon!StateMachineRun+0x3c8:
001b:009ef1a8 f6421c01 test byte ptr [edx+1Ch],1
kd> p
winlogon!StateMachineRun+0x3cc:
001b:009ef1ac 7419 je winlogon!StateMachineRun+0x3e7 (009ef1c7)
kd> p
winlogon!StateMachineRun+0x3ce:
001b:009ef1ae 807a1905 cmp byte ptr [edx+19h],5
kd> p
winlogon!StateMachineRun+0x3d2:
001b:009ef1b2 7213 jb winlogon!StateMachineRun+0x3e7 (009ef1c7)
kd> p
winlogon!StateMachineRun+0x3e7:
001b:009ef1c7 6aff push 0FFFFFFFFh
kd> p
winlogon!StateMachineRun+0x3e9:
001b:009ef1c9 ff7604 push dword ptr [esi+4]
kd> p
winlogon!StateMachineRun+0x3ec:
001b:009ef1cc ff15fc109c00 call dword ptr [winlogon!_imp__WaitForSingleObject (009c10fc)]
kd> p
winlogon!StateMachineRun+0x3f2:
001b:009ef1d2 85c0 test eax,eax
kd> p
winlogon!StateMachineRun+0x3f4:
001b:009ef1d4 7417 je winlogon!StateMachineRun+0x40d (009ef1ed)
kd> p
winlogon!StateMachineRun+0x40d:
001b:009ef1ed 8d45d8 lea eax,[ebp-28h]
kd> p
winlogon!StateMachineRun+0x410:
001b:009ef1f0 50 push eax
kd> p
winlogon!StateMachineRun+0x411:
001b:009ef1f1 8d45f4 lea eax,[ebp-0Ch]
kd> p
winlogon!StateMachineRun+0x414:
001b:009ef1f4 50 push eax
kd> p
winlogon!StateMachineRun+0x415:
001b:009ef1f5 ff7710 push dword ptr [edi+10h]
kd> p
winlogon!StateMachineRun+0x418:
001b:009ef1f8 ff7314 push dword ptr [ebx+14h]
kd> p
winlogon!StateMachineRun+0x41b:
001b:009ef1fb ff7310 push dword ptr [ebx+10h]
kd> p
winlogon!StateMachineRun+0x41e:
001b:009ef1fe ff37 push dword ptr [edi]
kd> p
winlogon!StateMachineRun+0x420:
001b:009ef200 e8e8110000 call winlogon!SignalManagerGetSignal (009f03ed)
kd> p
winlogon!StateMachineRun+0x425:
001b:009ef205 837df4ff cmp dword ptr [ebp-0Ch],0FFFFFFFFh
kd> p
winlogon!StateMachineRun+0x429:
001b:009ef209 752a jne winlogon!StateMachineRun+0x455 (009ef235)
kd> p
winlogon!StateMachineRun+0x455:
001b:009ef235 8b45f4 mov eax,dword ptr [ebp-0Ch]
kd> p
winlogon!StateMachineRun+0x458:
001b:009ef238 8b4b14 mov ecx,dword ptr [ebx+14h]
kd> p
winlogon!StateMachineRun+0x45b:
001b:009ef23b 6bc00c imul eax,eax,0Ch
kd> p
winlogon!StateMachineRun+0x45e:
001b:009ef23e 8b0408 mov eax,dword ptr [eax+ecx]
kd> p
winlogon!StateMachineRun+0x461:
001b:009ef241 8365f000 and dword ptr [ebp-10h],0
kd> p
winlogon!StateMachineRun+0x465:
001b:009ef245 837b1800 cmp dword ptr [ebx+18h],0
kd> p
winlogon!StateMachineRun+0x469:
001b:009ef249 8945ec mov dword ptr [ebp-14h],eax
kd> g
Breakpoint 7 hit
winlogon!StateMachineRun+0x1a4:
001b:009eef84 397b08 cmp dword ptr [ebx+8],edi
kd> u 009d4d1e
winlogon!WLGeneric_Logged_On_Execute:
009d4d1e 6a08 push 8
009d4d20 6860d99f00 push offset winlogon!_snprintf_s+0x40a (009fd960)
009d4d25 e8728a0100 call winlogon!_SEH_prolog4 (009ed79c)
009d4d2a a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4d2f 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4d34 7424 je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
009d4d36 f7401c00010000 test dword ptr [eax+1Ch],100h
009d4d3d 741b je winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
kd> bp winlogon!WLGeneric_Logged_On_Execute
kd> p
winlogon!StateMachineRun+0x1a7:
001b:009eef87 0f84aa000000 je winlogon!StateMachineRun+0x257 (009ef037)
kd> g
Breakpoint 12 hit
winlogon!StateMachineWorkerCallback:
001b:009ee92f 8bff mov edi,edi
kd> g
Breakpoint 13 hit
winlogon!WLGeneric_CAD_Execute:
001b:009d4e12 8bff mov edi,edi
kd> kc
#
00 winlogon!WLGeneric_CAD_Execute
01 winlogon!StateMachineWorkerCallback
02 ntdll!TppWorkpExecuteCallback
03 ntdll!TppWorkerThread
04 kernel32!BaseThreadInitThunk
05 ntdll!__RtlUserThreadStart
06 ntdll!_RtlUserThreadStart
第一部分:
点击“返回”后：
kd> bp 009ef07c
breakpoint 17 redefined
kd> g
Breakpoint 1 hit
USER32!NtUserSwitchDesktop:
001b:752fd072 b852120000 mov eax,1252h
kd> kc
#
00 USER32!NtUserSwitchDesktop
01 USER32!SwitchDesktop
02 winlogon!ResilientSwitchDesktopWithFade
03 winlogon!CSession::SwitchDesktop
04 winlogon!WlAccessibilitySwitchDesktop
05 winlogon!HandleSecurityOptions
06 winlogon!WLGeneric_CAD_Execute
07 winlogon!StateMachineWorkerCallback
08 ntdll!TppWorkpExecuteCallback
09 ntdll!TppWorkerThread
0a kernel32!BaseThreadInitThunk
0b ntdll!__RtlUserThreadStart
0c ntdll!_RtlUserThreadStart
kd> g
Breakpoint 8 hit
winlogon!WlStateMachineSetSignal:
001b:009d0bc1 8bff mov edi,edi
kd> kc
#
00 winlogon!WlStateMachineSetSignal
01 winlogon!HandleSecurityOptions
02 winlogon!HandleSecurityOptions
03 winlogon!WLGeneric_CAD_Execute
04 winlogon!StateMachineWorkerCallback
05 ntdll!TppWorkpExecuteCallback
06 ntdll!TppWorkerThread
07 kernel32!BaseThreadInitThunk
08 ntdll!__RtlUserThreadStart
09 ntdll!_RtlUserThreadStart
kd> g
Breakpoint 2 hit
winlogon!SignalManagerSetSignal:
001b:009efe64 6a1c push 1Ch
kd> g
Breakpoint 17 hit
winlogon!StateMachineRun+0x29c:
001b:009ef07c 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh
点击“返回”后再次命中断点 17（StateMachineRun+0x29c）。
第二部分:
kd> p
winlogon!StateMachineRun+0x2a0:
001b:009ef080 7517 jne winlogon!StateMachineRun+0x2b9 (009ef099)
kd> p
winlogon!StateMachineRun+0x2b9:
001b:009ef099 8b150c40a000 mov edx,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
kd> p
winlogon!StateMachineRun+0x2bf:
001b:009ef09f 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> p
winlogon!StateMachineRun+0x2c5:
001b:009ef0a5 7424 je winlogon!StateMachineRun+0x2eb (009ef0cb)
kd> p
winlogon!StateMachineRun+0x2c7:
001b:009ef0a7 f6421c01 test byte ptr [edx+1Ch],1
kd> p
winlogon!StateMachineRun+0x2cb:
001b:009ef0ab 741e je winlogon!StateMachineRun+0x2eb (009ef0cb)
kd> p
winlogon!StateMachineRun+0x2cd:
001b:009ef0ad 807a1905 cmp byte ptr [edx+19h],5
kd> p
winlogon!StateMachineRun+0x2d1:
001b:009ef0b1 7218 jb winlogon!StateMachineRun+0x2eb (009ef0cb)
kd> p
winlogon!StateMachineRun+0x2eb:
001b:009ef0cb 8b45f8 mov eax,dword ptr [ebp-8]
kd> p
winlogon!StateMachineRun+0x2ee:
001b:009ef0ce 8b4b14 mov ecx,dword ptr [ebx+14h]
kd> p
winlogon!StateMachineRun+0x2f1:
001b:009ef0d1 6bc00c imul eax,eax,0Ch
kd> p
winlogon!StateMachineRun+0x2f4:
001b:009ef0d4 f744080801000000 test dword ptr [eax+ecx+8],1
kd> p
winlogon!StateMachineRun+0x2fc:
001b:009ef0dc 7473 je winlogon!StateMachineRun+0x371 (009ef151)
kd> p
winlogon!StateMachineRun+0x371:
001b:009ef151 837b0c00 cmp dword ptr [ebx+0Ch],0
kd> r
eax=00000000 ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038
eip=009ef151 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!StateMachineRun+0x371:
001b:009ef151 837b0c00 cmp dword ptr [ebx+0Ch],0 ds:0023:00a03074={winlogon!WLGeneric_CAD_Exit (009d4e7a)}
kd> dd 00a03068
00a03068 009c2080 00000000 009d4e12 009d4e7a
00a03078 0000000c 00a02fc8 00000004 00a03058
00a03088 00000029 009c2068 009d4ede 00000000
00a03098 00000000 00000006 00a030b0 00000000
00a030a8 00000000 0000002a 00000004 0000001c
00a030b8 00000002 00000002 0000004c 00000000
00a030c8 00000012 0000001c 00000002 0000001f
00a030d8 00000030 00000000 00000007 0000001c
00a03068 winlogon!g_xWLGeneric_CAD_State = <no type information>  ← 重要的全局状态数组；由上面的 dd 和 ds 解析可见 +8 是 Execute 函数指针（WLGeneric_CAD_Execute），+0xC 是 Exit 函数指针（WLGeneric_CAD_Exit）；后面第五部分 [ebx+4] 解析为 WLGeneric_CAD_Return_Enter，说明 +4 是 Enter 函数指针。
cmp dword ptr [ebx+0Ch],0 是关键的判断点：检查当前状态是否带有 Exit 函数指针，不为 0 时才会 call dword ptr [ebx+0Ch]。
kd> u 009d4e7a
winlogon!WLGeneric_CAD_Exit:
009d4e7a 8bff mov edi,edi
009d4e7c 55 push ebp
009d4e7d 8bec mov ebp,esp
009d4e7f a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4e84 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4e89 7424 je winlogon!WLGeneric_CAD_Exit+0x35 (009d4eaf)
009d4e8b f7401c00010000 test dword ptr [eax+1Ch],100h
009d4e92 741b je winlogon!WLGeneric_CAD_Exit+0x35 (009d4eaf)
kd> u 009d4e12
winlogon!WLGeneric_CAD_Execute:
009d4e12 8bff mov edi,edi
009d4e14 55 push ebp
009d4e15 8bec mov ebp,esp
009d4e17 a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4e1c 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4e21 7424 je winlogon!WLGeneric_CAD_Execute+0x35 (009d4e47)
009d4e23 f7401c00010000 test dword ptr [eax+1Ch],100h
009d4e2a 741b je winlogon!WLGeneric_CAD_Execute+0x35 (009d4e47)
第三部分:
kd> x winlogon!g*_State
00a03270 winlogon!g_xWLGeneric_HandleSecureLuaBeforeShell_State = <no type information>
00a0262c winlogon!g_xWLGeneric_Authenticating_State = <no type information>
00a03068 winlogon!g_xWLGeneric_CAD_State = <no type information>
00a024b4 winlogon!g_xWLGeneric_DisplayLegalNotice_State = <no type information>
00a02490 winlogon!g_xWLGeneric_AccesNotifyAsUser_State = <no type information>
00a033b0 winlogon!g_xWLGeneric_Killing_Scrnsaver_Logged_On_State = <no type information>
00a022d4 winlogon!g_xWLGeneric_Welcome_State = <no type information>
00a03510 winlogon!g_xWLGeneric_MPRChangeNotify_State = <no type information>
00a02430 winlogon!g_xWLGeneric_PowerTransition_ShowResumeMsg_State = <no type information>
00a03164 winlogon!g_xWLGeneric_SecureCredUI_Operation_State = <no type information>
00a02d54 winlogon!g_xWLGeneric_PowerTransition_Logged_On_State = <no type information>
00a02bcc winlogon!g_xWLGeneric_ChangeLogon_ReportResult_State = <no type information>
00a032a0 winlogon!g_xWLGeneric_AbortPendingLuaRequest_State = <no type information>
00a03b14 winlogon!g_xWLGeneric_Locked_Disconnected_State = <no type information>
00a026c8 winlogon!g_xWLGeneric_Logon_ReportSuccessResult_State = <no type information>
00a02b54 winlogon!g_xWLGeneric_MPRChangeLogonNotify_State = <no type information>
00a02384 winlogon!g_xWLGeneric_Killing_Scrnsaver_Welcome_State = <no type information>
00a02204 winlogon!g_xWLGeneric_NotifyCreateSession_State = <no type information>
00a03d3c winlogon!g_xWLGeneric_LogoffNotify_State = <no type information>
00a02cf4 winlogon!g_xWLGeneric_DelayedSwitchDesktop_State = <no type information>
00a02dac winlogon!g_xWLGeneric_Logged_On_Hibernating_State = <no type information>
00a03658 winlogon!g_xWLGeneric_InitiateLock_State = <no type information>
00a036f0 winlogon!g_xWLGeneric_Locked_State = <no type information>
00a02348 winlogon!g_xWLGeneric_TimeoutHandler_Welcome_State = <no type information>
00a025e0 winlogon!g_xWLGeneric_Handle_LogonUI_Failure_State = <no type information>
00a033e0 winlogon!g_xWLGeneric_TO_Disconnected_State = <no type information>
00a02534 winlogon!g_xWLGeneric_Request_Logon_Credz_State = <no type information>
00a02788 winlogon!g_xWLGeneric_Logon_ReportLastLogon_State = <no type information>
00a03a68 winlogon!g_xWLGeneric_Killing_Scrnsaver_Locked_State = <no type information>
00a02edc winlogon!g_xWLGeneric_InitiateDisconnect_State = <no type information>
00a0378c winlogon!g_xWLGeneric_Request_Unlock_Credz_State = <no type information>
00a035c4 winlogon!g_xWLGeneric_PostChangeActions_State = <no type information>
00a0399c winlogon!g_xWLGeneric_Unlock_ReportFailedResult_State = <no type information>
00a038ac winlogon!g_xWLGeneric_Unlock_ReportLastLogon_State = <no type information>
00a03888 winlogon!g_xWLGeneric_Unlock_Checking_LastLogonPolicy_State = <no type information>
00a021e0 winlogon!g_xWLGeneric_Start_State = <no type information>
00a0384c winlogon!g_xWLGeneric_Unlock_ReportSuccessResult_State = <no type information>
00a034d4 winlogon!g_xWLGeneric_ChangingPassword_State = <no type information>
00a02e9c winlogon!g_xWLGeneric_TimeoutHandler_Logged_On_Resume_State = <no type information>
00a03b64 winlogon!g_xWLGeneric_Locked_Reconnect_State = <no type information>
00a03a1c winlogon!g_xWLGeneric_TimeoutHandler_Locked_State = <no type information>
00a02acc winlogon!g_xWLGeneric_Request_LogonChange_Credz_State = <no type information>
00a023b4 winlogon!g_xWLGeneric_PowerTransition_Welcome_State = <no type information>
00a02704 winlogon!g_xWLGeneric_Logon_Checking_LastLogonPolicy_State = <no type information>
00a03d6c winlogon!g_xWLGeneric_PseudoLogging_Off1_State = <no type information>
00a03c4c winlogon!g_xWLGeneric_ReconnectionUpdate_State = <no type information>
00a032f4 winlogon!g_xWLGeneric_TimeoutHandler_Logged_On_State = <no type information>
00a02f24 winlogon!g_xWLGeneric_Logged_On_Disconnected_State = <no type information>
00a02de8 winlogon!g_xWLGeneric_InitiateLock_On_Resume_State = <no type information>
00a02cc4 winlogon!g_xWLGeneric_Logged_On_State = <no type information>
00a03da8 winlogon!g_xWLGeneric_PseudoLogging_Off2_State = <no type information>
00a02f74 winlogon!g_xWLGeneric_Logged_On_Reconnect_State = <no type information>
00a027ac winlogon!g_xWLGeneric_Logon_ReportFailedResult_State = <no type information>
00a03acc winlogon!g_xWLGeneric_CompleteLockRequest_State = <no type information>
00a02848 winlogon!g_xWLGeneric_WaitForDisconnectAfterFailedAuth_State = <no type information>
00a03dd8 winlogon!g_xWLGeneric_PseudoLogging_Off3_State = <no type information>
00a03bec winlogon!g_xWLGeneric_Locked_Hibernating_State = <no type information>
00a0286c winlogon!g_xWLGeneric_FindDestinationSession_State = <no type information>
00a02460 winlogon!g_xWLGeneric_AccesNotifyAsSystem_State = <no type information>
00a02e60 winlogon!g_xWLGeneric_Locked_Resume_State = <no type information>
00a03a9c winlogon!g_xWLGeneric_PostUnlockActions_State = <no type information>
00a0308c winlogon!g_xWLGeneric_CAD_Return_State = <no type information>
00a02d24 winlogon!g_xWLGeneric_CredsAreStaleReminder_State = <no type information>
00a03e14 winlogon!g_xWLGeneric_NotifyTerminateSession_State = <no type information>
00a02400 winlogon!g_xWLGeneric_Welcome_Hibernating_State = <no type information>
00a03240 winlogon!g_xWLGeneric_ReadyForSecureLua_State = <no type information>
00a02e24 winlogon!g_xWLGeneric_Logged_On_Resume_State = <no type information>
00a03210 winlogon!g_xWLGeneric_StartSecureLua_State = <no type information>
00a02a3c winlogon!g_xWLGeneric_ShellStartup_State = <no type information>
00a032d0 winlogon!g_xWLGeneric_TaskManager_State = <no type information>
00a02b18 winlogon!g_xWLGeneric_ChangingLogonPassword_State = <no type information>
00a03b98 winlogon!g_xWLGeneric_PowerTransition_Locked_State = <no type information>
00a03488 winlogon!g_xWLGeneric_Request_Change_Credz_State = <no type information>
00a029e8 winlogon!g_xWLGeneric_ActivationAndNotifyStartShell_State = <no type information>
00a03c7c winlogon!g_xWLGeneric_InitiateForceLogoff_State = <no type information>
00a037d4 winlogon!g_xWLGeneric_Unlocking_State = <no type information>
00a0290c winlogon!g_xWLGeneric_NotifyLogon_State = <no type information>
00a03534 winlogon!g_xWLGeneric_Change_ReportResult_State = <no type information>
00a02668 winlogon!g_xWLGeneric_MPRLogonNotify_State = <no type information>
00a03c1c winlogon!g_xWLGeneric_AbortPendingLockRequest_State = <no type information>
00a03d0c winlogon!g_xWLGeneric_Logging_Off_State = <no type information>
00a02fa4 winlogon!g_xWLGeneric_ShellRestart_State = <no type information>
00a03cb8 winlogon!g_xWLGeneric_NotifyEndShell_State = <no type information>
第四部分:
kd> x winlogon!g_xWLGeneric_CAD_State
00a03068 winlogon!g_xWLGeneric_CAD_State = <no type information>
kd> p
winlogon!StateMachineRun+0x377:
001b:009ef157 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> r
eax=00000000 ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038
eip=009ef157 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
winlogon!StateMachineRun+0x377:
001b:009ef157 81fa0c40a000 cmp edx,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> p
winlogon!StateMachineRun+0x37d:
001b:009ef15d 741f je winlogon!StateMachineRun+0x39e (009ef17e)
kd> p
winlogon!StateMachineRun+0x37f:
001b:009ef15f f6421c01 test byte ptr [edx+1Ch],1
kd> r
eax=00000000 ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038
eip=009ef15f esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
winlogon!StateMachineRun+0x37f:
001b:009ef15f f6421c01 test byte ptr [edx+1Ch],1 ds:0023:00a04b54=ff
kd> p
winlogon!StateMachineRun+0x383:
001b:009ef163 7419 je winlogon!StateMachineRun+0x39e (009ef17e)
kd> p
winlogon!StateMachineRun+0x385:
001b:009ef165 807a1905 cmp byte ptr [edx+19h],5
kd> p
winlogon!StateMachineRun+0x389:
001b:009ef169 7213 jb winlogon!StateMachineRun+0x39e (009ef17e)
kd> p
winlogon!StateMachineRun+0x39e:
001b:009ef17e 8b45f8 mov eax,dword ptr [ebp-8]
kd> p
winlogon!StateMachineRun+0x3a1:
001b:009ef181 8b4b14 mov ecx,dword ptr [ebx+14h]
kd> p
winlogon!StateMachineRun+0x3a4:
001b:009ef184 6bc00c imul eax,eax,0Ch
kd> p
winlogon!StateMachineRun+0x3a7:
001b:009ef187 8b0408 mov eax,dword ptr [eax+ecx]
kd> p
winlogon!StateMachineRun+0x3aa:
001b:009ef18a 894638 mov dword ptr [esi+38h],eax
kd> p
winlogon!StateMachineRun+0x3ad:
001b:009ef18d 8d4610 lea eax,[esi+10h]
kd> p
winlogon!StateMachineRun+0x3b0:
001b:009ef190 50 push eax
kd> p
winlogon!StateMachineRun+0x3b1:
001b:009ef191 ff530c call dword ptr [ebx+0Ch]
kd> r
eax=000ef85c ebx=00a03068 ecx=00a02fc8 edx=00a04b38 esi=000ef84c edi=00141038
eip=009ef191 esp=000ef83c ebp=000ef9dc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
winlogon!StateMachineRun+0x3b1:
001b:009ef191 ff530c call dword ptr [ebx+0Ch] ds:0023:00a03074={winlogon!WLGeneric_CAD_Exit (009d4e7a)}
kd> dd 00a03068
00a03068 009c2080 00000000 009d4e12 009d4e7a
00a03078 0000000c 00a02fc8 00000004 00a03058
00a03088 00000029 009c2068 009d4ede 00000000
00a03098 00000000 00000006 00a030b0 00000000
00a030a8 00000000 0000002a 00000004 0000001c
00a030b8 00000002 00000002 0000004c 00000000
00a030c8 00000012 0000001c 00000002 0000001f
00a030d8 00000030 00000000 00000007 0000001c
第五部分:
00a0308c 对应的状态：
00a0308c winlogon!g_xWLGeneric_CAD_Return_State = <no type information>
kd> p
winlogon!StateMachineRun+0x3ce:
001b:009ef1ae 807a1905 cmp byte ptr [edx+19h],5
kd> p
winlogon!StateMachineRun+0x3d2:
001b:009ef1b2 7213 jb winlogon!StateMachineRun+0x3e7 (009ef1c7)
kd> p
winlogon!StateMachineRun+0x3e7:
001b:009ef1c7 6aff push 0FFFFFFFFh
kd> p
winlogon!StateMachineRun+0x3e9:
001b:009ef1c9 ff7604 push dword ptr [esi+4]
kd> p
winlogon!StateMachineRun+0x3ec:
001b:009ef1cc ff15fc109c00 call dword ptr [winlogon!_imp__WaitForSingleObject (009c10fc)]
kd> p
winlogon!StateMachineRun+0x3f2:
001b:009ef1d2 85c0 test eax,eax
kd> p
winlogon!StateMachineRun+0x3f4:
001b:009ef1d4 7417 je winlogon!StateMachineRun+0x40d (009ef1ed)
kd> p
winlogon!StateMachineRun+0x40d:
001b:009ef1ed 8d45d8 lea eax,[ebp-28h]
kd> p
winlogon!StateMachineRun+0x410:
001b:009ef1f0 50 push eax
kd> p
winlogon!StateMachineRun+0x411:
001b:009ef1f1 8d45f4 lea eax,[ebp-0Ch]
kd> p
winlogon!StateMachineRun+0x414:
001b:009ef1f4 50 push eax
kd> p
winlogon!StateMachineRun+0x415:
001b:009ef1f5 ff7710 push dword ptr [edi+10h]
kd> p
winlogon!StateMachineRun+0x418:
001b:009ef1f8 ff7314 push dword ptr [ebx+14h]
kd> p
winlogon!StateMachineRun+0x41b:
001b:009ef1fb ff7310 push dword ptr [ebx+10h]
kd> p
winlogon!StateMachineRun+0x41e:
001b:009ef1fe ff37 push dword ptr [edi]
kd> p
winlogon!StateMachineRun+0x420:
001b:009ef200 e8e8110000 call winlogon!SignalManagerGetSignal (009f03ed)
kd> p
winlogon!StateMachineRun+0x425:
001b:009ef205 837df4ff cmp dword ptr [ebp-0Ch],0FFFFFFFFh
kd> g
Breakpoint 6 hit
winlogon!StateMachineRun+0x1a1:
001b:009eef81 ff5304 call dword ptr [ebx+4]
kd> r
eax=000ef898 ebx=00a0308c ecx=00000000 edx=76fda084 esi=000ef888 edi=00000000
eip=009eef81 esp=000ef83c ebp=000ef9dc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
winlogon!StateMachineRun+0x1a1:
001b:009eef81 ff5304 call dword ptr [ebx+4] ds:0023:00a03090={winlogon!WLGeneric_CAD_Return_Enter (009d4ede)}
kd> dd 00a0308c
00a0308c 009c2068 009d4ede 00000000 00000000
00a0309c 00000006 00a030b0 00000000 00000000
00a030ac 0000002a 00000004 0000001c 00000002
00a030bc 00000002 0000004c 00000000 00000012
00a030cc 0000001c 00000002 0000001f 00000030
00a030dc 00000000 00000007 0000001c 00000002
00a030ec 00000000 0000001c 00000000 00000002
00a030fc 0000001c 00000002 00000012 0000001c
kd> u 009d4ede
winlogon!WLGeneric_CAD_Return_Enter:
009d4ede 8bff mov edi,edi
009d4ee0 55 push ebp
009d4ee1 8bec mov ebp,esp
009d4ee3 a10c40a000 mov eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4ee8 3d0c40a000 cmp eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4eed 7424 je winlogon!WLGeneric_CAD_Return_Enter+0x35 (009d4f13)
009d4eef f7401c00010000 test dword ptr [eax+1Ch],100h
009d4ef6 741b je winlogon!WLGeneric_CAD_Return_Enter+0x35 (009d4f13)
kd> p
Breakpoint 3 hit
winlogon!WLGeneric_CAD_Return_Enter:
001b:009d4ede 8bff mov edi,edi
kd> kc
#
00 winlogon!WLGeneric_CAD_Return_Enter
01 winlogon!StateMachineRun
02 winlogon!WlStateMachineRun
03 winlogon!WinMain
04 winlogon!_initterm_e
05 kernel32!BaseThreadInitThunk
06 ntdll!__RtlUserThreadStart
07 ntdll!_RtlUserThreadStart
kd> p
winlogon!WLGeneric_CAD_Return_Enter+0x3c:
001b:009d4f1a ff7004 push dword ptr [eax+4]
kd> p
winlogon!WLGeneric_CAD_Return_Enter+0x3f:
001b:009d4f1d e8d51e0100 call winlogon!WlAccessibilitySwitchDesktop (009e6df7)
kd> p
Breakpoint 1 hit
USER32!NtUserSwitchDesktop:
001b:752fd072 b852120000 mov eax,1252h
kd> kc
#
00 USER32!NtUserSwitchDesktop
01 USER32!SwitchDesktop
02 winlogon!ResilientSwitchDesktopWithFade
03 winlogon!CSession::SwitchDesktop
04 winlogon!WlAccessibilitySwitchDesktop
05 winlogon!WLGeneric_CAD_Return_Enter
06 winlogon!StateMachineRun
07 winlogon!WlStateMachineRun
08 winlogon!WinMain
09 winlogon!_initterm_e
0a kernel32!BaseThreadInitThunk
0b ntdll!__RtlUserThreadStart
0c ntdll!_RtlUserThreadStart
kd> g
Breakpoint 8 hit
winlogon!WlStateMachineSetSignal:
001b:009d0bc1 8bff mov edi,edi
kd> kc
#
00 winlogon!WlStateMachineSetSignal
01 winlogon!WLGeneric_CAD_Return_Enter
02 winlogon!StateMachineRun
03 winlogon!WlStateMachineRun
04 winlogon!WinMain
05 winlogon!_initterm_e
06 kernel32!BaseThreadInitThunk
07 ntdll!__RtlUserThreadStart
08 ntdll!_RtlUserThreadStart
kd> g
Breakpoint 2 hit
winlogon!SignalManagerSetSignal:
001b:009efe64 6a1c push 1Ch
kd> g
Breakpoint 15 hit
winlogon!WLGeneric_CAD_Return_Enter+0x52:
001b:009d4f30 5d pop ebp
kd> p
winlogon!WLGeneric_CAD_Return_Enter+0x53:
001b:009d4f31 c20400 ret 4
kd> p
Breakpoint 7 hit
winlogon!StateMachineRun+0x1a4:
001b:009eef84 397b08 cmp dword ptr [ebx+8],edi
kd> pr
eax=00000000 ebx=00a0308c ecx=009f00fd edx=000001c4 esi=000ef888 edi=00000000
eip=009eef87 esp=000ef840 ebp=000ef9dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
winlogon!StateMachineRun+0x1a7:
001b:009eef87 0f84aa000000 je winlogon!StateMachineRun+0x257 (009ef037) [br=1]
00a0308c winlogon!g_xWLGeneric_CAD_Return_State = <no type information>
kd> dd 00a0308c
00a0308c 009c2068 009d4ede 00000000 00000000
00a0309c 00000006 00a030b0 00000000 00000000
00a030ac 0000002a 00000004 0000001c 00000002
00a030bc 00000002 0000004c 00000000 00000012
00a030cc 0000001c 00000002 0000001f 00000030
00a030dc 00000000 00000007 0000001c 00000002
00a030ec 00000000 0000001c 00000000 00000002
00a030fc 0000001c 00000002 00000012 0000001c
ebx+8（Execute）和 ebx+0Ch（Exit）都为 0：CAD_Return 状态没有 Execute/Exit 函数，所以这里的 je 成立（[br=1]）！！！