
从winlogon!StateMachineWorkerCallback看ntdll!TpPostWork原理

第一部分:


kd> p
ntdll!TpPostWork+0xce:
001b:7704dbb5 ff7508          push    dword ptr [ebp+8]
kd> p
ntdll!TpPostWork+0xd1:
001b:7704dbb8 e812fdffff      call    ntdll!TppWorkPost (7704d8cf)
kd> r
eax=00000000 ebx=76faa458 ecx=88c16ca2 edx=76fda084 esi=76faa1c8 edi=76faa294
eip=7704dbb8 esp=000ef7d4 ebp=000ef834 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
ntdll!TpPostWork+0xd1:
001b:7704dbb8 e812fdffff      call    ntdll!TppWorkPost (7704d8cf)
kd> dd 000ef834+8
000ef83c  00142b38 00000000 009c2f5c 00a0400c
000ef84c  00142a68 00000108 00a032f4 00000000
000ef85c  00141038 00a046f8 00b60de0 00000000
000ef86c  00000108 00000000 00000000 00000000
000ef87c  00000000 00000007 00000000 00142b38
000ef88c  0000010c 00a02cc4 ffffffff 00141038
000ef89c  00a046f8 00000000 00000000 0000010c
000ef8ac  00000000 00000000 00000000 00000000
kd> dd 00142b38
00142b38  00000001 76faa1ac 00000000 00000000
00142b48  00000000 00142b4c 00142b4c 00000000
00142b58  00000000 00000000 00000000 00000000
00142b68  009ee92f 000ef888 00000000 00000000

第二部分:
kd> g
Breakpoint 12 hit
winlogon!StateMachineWorkerCallback:
001b:009ee92f 8bff            mov     edi,edi
kd> p
winlogon!StateMachineWorkerCallback+0x2:
001b:009ee931 55              push    ebp
kd> p
winlogon!StateMachineWorkerCallback+0x3:
001b:009ee932 8bec            mov     ebp,esp
kd> p
winlogon!StateMachineWorkerCallback+0x5:
001b:009ee934 53              push    ebx
kd> p
winlogon!StateMachineWorkerCallback+0x6:
001b:009ee935 56              push    esi
kd> p
winlogon!StateMachineWorkerCallback+0x7:
001b:009ee936 57              push    edi
kd> p
winlogon!StateMachineWorkerCallback+0x8:
001b:009ee937 a10c40a000      mov     eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
kd> p
winlogon!StateMachineWorkerCallback+0xd:
001b:009ee93c 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
kd> p
winlogon!StateMachineWorkerCallback+0x10:
001b:009ee93f be0c40a000      mov     esi,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> r
eax=00a04b38 ebx=000ef900 ecx=000ef900 edx=60c5677d esi=00142cd8 edi=76faa1c8
eip=009ee93f esp=00d7fa04 ebp=00d7fa10 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
winlogon!StateMachineWorkerCallback+0x10:
001b:009ee93f be0c40a000      mov     esi,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> p
winlogon!StateMachineWorkerCallback+0x15:
001b:009ee944 bfbc629c00      mov     edi,offset winlogon!_sz_SspiCli_dll+0xc (009c62bc)
kd> p
winlogon!StateMachineWorkerCallback+0x1a:
001b:009ee949 3bc6            cmp     eax,esi
kd> p
winlogon!StateMachineWorkerCallback+0x1c:
001b:009ee94b 743f            je      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x1e:
001b:009ee94d f6401c01        test    byte ptr [eax+1Ch],1
kd> p
winlogon!StateMachineWorkerCallback+0x22:
001b:009ee951 741a            je      winlogon!StateMachineWorkerCallback+0x3e (009ee96d)
kd> p
winlogon!StateMachineWorkerCallback+0x24:
001b:009ee953 80781905        cmp     byte ptr [eax+19h],5
kd> p
winlogon!StateMachineWorkerCallback+0x28:
001b:009ee957 7214            jb      winlogon!StateMachineWorkerCallback+0x3e (009ee96d)
kd> p
winlogon!StateMachineWorkerCallback+0x3e:
001b:009ee96d 3bc6            cmp     eax,esi
kd> p
winlogon!StateMachineWorkerCallback+0x40:
001b:009ee96f 741b            je      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x42:
001b:009ee971 f6401c01        test    byte ptr [eax+1Ch],1
kd> p
winlogon!StateMachineWorkerCallback+0x46:
001b:009ee975 7415            je      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x48:
001b:009ee977 80781905        cmp     byte ptr [eax+19h],5
kd> p
winlogon!StateMachineWorkerCallback+0x4c:
001b:009ee97b 720f            jb      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x5d:
001b:009ee98c 8b4308          mov     eax,dword ptr [ebx+8]
kd> p
winlogon!StateMachineWorkerCallback+0x60:
001b:009ee98f 8d4b10          lea     ecx,[ebx+10h]
kd> p
winlogon!StateMachineWorkerCallback+0x63:
001b:009ee992 51              push    ecx
kd> p
winlogon!StateMachineWorkerCallback+0x64:
001b:009ee993 ff5008          call    dword ptr [eax+8]
kd> r
eax=00a03068 ebx=000ef900 ecx=000ef910 edx=60c5677d esi=00a0400c edi=009c62bc
eip=009ee993 esp=00d7fa00 ebp=00d7fa10 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
winlogon!StateMachineWorkerCallback+0x64:
001b:009ee993 ff5008          call    dword ptr [eax+8] ds:0023:00a03070={winlogon!WLGeneric_CAD_Execute (009d4e12)}
kd> dd 00a03068
00a03068  009c2080 00000000 009d4e12 009d4e7a
00a03078  0000000c 00a02fc8 00000004 00a03058
00a03088  00000029 009c2068 009d4ede 00000000
00a03098  00000000 00000006 00a030b0 00000000
00a030a8  00000000 0000002a 00000004 0000001c
00a030b8  00000002 00000002 0000004c 00000000
00a030c8  00000012 0000001c 00000002 0000001f
00a030d8  00000030 00000000 00000007 0000001c
kd> u 009d4e12
winlogon!WLGeneric_CAD_Execute:
009d4e12 8bff            mov     edi,edi
009d4e14 55              push    ebp
009d4e15 8bec            mov     ebp,esp
009d4e17 a10c40a000      mov     eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4e1c 3d0c40a000      cmp     eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4e21 7424            je      winlogon!WLGeneric_CAD_Execute+0x35 (009d4e47)
009d4e23 f7401c00010000  test    dword ptr [eax+1Ch],100h
009d4e2a 741b            je      winlogon!WLGeneric_CAD_Execute+0x35 (009d4e47)
kd> dd 000ef900
000ef900  00142cd8 00000114 00a03068 ffffffff
000ef910  00141038 00a046f8 00000000 00000000
000ef920  00000114 00000000 00000000 00000000
000ef930  00000000 00000003 00000000 00142da8
000ef940  00000118 00a02cc4 00000000 00141038
000ef950  00a046f8 00000000 00000000 00000118
000ef960  00000000 00000000 00000000 00000000
000ef970  00000000 00000003 00141038 00a046f8


第三部分:实战1

kd> g
Breakpoint 17 hit
winlogon!StateMachineRun+0x29c:
001b:009ef07c 837df8ff        cmp     dword ptr [ebp-8],0FFFFFFFFh
kd> g
Breakpoint 7 hit
winlogon!StateMachineRun+0x1a4:
001b:009eef84 397b08          cmp     dword ptr [ebx+8],edi
kd> g
Breakpoint 19 hit
ntdll!TpPostWork+0xd1:
001b:7704dbb8 e812fdffff      call    ntdll!TppWorkPost (7704d8cf)
kd> .process
Implicit process is now 9416cc88
kd> r
eax=00000000 ebx=76faa458 ecx=88c16ca2 edx=76fda084 esi=76faa1c8 edi=76faa294
eip=7704dbb8 esp=000ef7d4 ebp=000ef834 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
ntdll!TpPostWork+0xd1:
001b:7704dbb8 e812fdffff      call    ntdll!TppWorkPost (7704d8cf)
kd> dd 000ef834+8
000ef83c  00142a68 00000000 009c2f5c 00a0400c
000ef84c  00142a68 00000108 00a02cc4 ffffffff
000ef85c  00141038 00a046f8 00000000 00000000
000ef86c  00000108 00000000 00000000 00000000
000ef87c  00000000 00000000 00000000 00142b38
000ef88c  0000010c 00a02cc4 00000000 00141038
000ef89c  00a046f8 00000000 00000000 0000010c
000ef8ac  00000000 00000000 00000000 00000000
kd> dd 00142a68
00142a68  00000001 76faa1ac 00000000 00000000
00142a78  00000000 00142a7c 00142a7c 00000000
00142a88  00000000 00000000 00000000 00000000
00142a98  009ee92f 000ef84c 00000000 00000000
00142aa8  00000000 00115d98 00142b80 00118620
00142ab8  00000000 7704d107 009eeb27 009eee6b
00142ac8  009d0bb8 009cec63 009ed618 00000000
00142ad8  00000000 00000000 00000000 00000000
kd> u 009ee92f
winlogon!StateMachineWorkerCallback:
009ee92f 8bff            mov     edi,edi
009ee931 55              push    ebp
009ee932 8bec            mov     ebp,esp
009ee934 53              push    ebx
009ee935 56              push    esi
009ee936 57              push    edi
009ee937 a10c40a000      mov     eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009ee93c 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
kd> dd 000ef84c
000ef84c  00142a68 00000108 00a02cc4 ffffffff
000ef85c  00141038 00a046f8 00000000 00000000
000ef86c  00000108 00000000 00000000 00000000
000ef87c  00000000 00000000 00000000 00142b38
000ef88c  0000010c 00a02cc4 00000000 00141038
000ef89c  00a046f8 00000000 00000000 0000010c
000ef8ac  00000000 00000000 00000000 00000000
000ef8bc  00000000 00000003 00142c08 00000110
kd> dd 00a02cc4
00a02cc4  009c2290 00000000 009d4d1e 009d4dd8
00a02cd4  00000010 00a02bf0 00000005 00a02cb0
00a02ce4  0000001c 00000000 fffffffe 00000000
00a02cf4  009c2264 009d636f 00000000 00000000
00a02d04  00000001 00a02ce8 00000000 00000000
00a02d14  0000001d 00000000 fffffffe 00000000
00a02d24  009c2238 009d4f39 00000000 00000000
00a02d34  00000001 00a02d18 00000000 00000000
kd> u 009d4d1e
winlogon!WLGeneric_Logged_On_Execute:
009d4d1e 6a08            push    8
009d4d20 6860d99f00      push    offset winlogon!_snprintf_s+0x40a (009fd960)
009d4d25 e8728a0100      call    winlogon!_SEH_prolog4 (009ed79c)
009d4d2a a10c40a000      mov     eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4d2f 3d0c40a000      cmp     eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4d34 7424            je      winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
009d4d36 f7401c00010000  test    dword ptr [eax+1Ch],100h
009d4d3d 741b            je      winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)

第四部分:实战2


kd> g
Breakpoint 12 hit
winlogon!StateMachineWorkerCallback:
001b:009ee92f 8bff            mov     edi,edi
kd> p
winlogon!StateMachineWorkerCallback+0x2:
001b:009ee931 55              push    ebp
kd> p
winlogon!StateMachineWorkerCallback+0x3:
001b:009ee932 8bec            mov     ebp,esp
kd> p
winlogon!StateMachineWorkerCallback+0x5:
001b:009ee934 53              push    ebx
kd> p
winlogon!StateMachineWorkerCallback+0x6:
001b:009ee935 56              push    esi
kd> p
winlogon!StateMachineWorkerCallback+0x7:
001b:009ee936 57              push    edi
kd> p
winlogon!StateMachineWorkerCallback+0x8:
001b:009ee937 a10c40a000      mov     eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
kd> p
winlogon!StateMachineWorkerCallback+0xd:
001b:009ee93c 8b5d0c          mov     ebx,dword ptr [ebp+0Ch]
kd> p
winlogon!StateMachineWorkerCallback+0x10:
001b:009ee93f be0c40a000      mov     esi,offset winlogon!WPP_GLOBAL_Control (00a0400c)
kd> p
winlogon!StateMachineWorkerCallback+0x15:
001b:009ee944 bfbc629c00      mov     edi,offset winlogon!_sz_SspiCli_dll+0xc (009c62bc)
kd> r
eax=00a04b38 ebx=000ef84c ecx=000ef84c edx=6300b1be esi=00a0400c edi=76faa1c8
eip=009ee944 esp=00d7fa04 ebp=00d7fa10 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
winlogon!StateMachineWorkerCallback+0x15:
001b:009ee944 bfbc629c00      mov     edi,offset winlogon!_sz_SspiCli_dll+0xc (009c62bc)

kd> dd 000ef84c
000ef84c  00142a68 00000108 00a02cc4 ffffffff
000ef85c  00141038 00a046f8 00000000 00000000
000ef86c  00000108 00000000 00000000 00000000
000ef87c  00000000 00000000 00000000 00142b38
000ef88c  0000010c 00a02cc4 00000000 00141038
000ef89c  00a046f8 00000000 00000000 0000010c
000ef8ac  00000000 00000000 00000000 00000000
000ef8bc  00000000 00000003 00142c08 00000110

kd> p
winlogon!StateMachineWorkerCallback+0x1a:
001b:009ee949 3bc6            cmp     eax,esi
kd> p
winlogon!StateMachineWorkerCallback+0x1c:
001b:009ee94b 743f            je      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x1e:
001b:009ee94d f6401c01        test    byte ptr [eax+1Ch],1
kd> p
winlogon!StateMachineWorkerCallback+0x22:
001b:009ee951 741a            je      winlogon!StateMachineWorkerCallback+0x3e (009ee96d)
kd> p
winlogon!StateMachineWorkerCallback+0x24:
001b:009ee953 80781905        cmp     byte ptr [eax+19h],5
kd> p
winlogon!StateMachineWorkerCallback+0x28:
001b:009ee957 7214            jb      winlogon!StateMachineWorkerCallback+0x3e (009ee96d)
kd> p
winlogon!StateMachineWorkerCallback+0x3e:
001b:009ee96d 3bc6            cmp     eax,esi
kd> p
winlogon!StateMachineWorkerCallback+0x40:
001b:009ee96f 741b            je      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x42:
001b:009ee971 f6401c01        test    byte ptr [eax+1Ch],1
kd> p
winlogon!StateMachineWorkerCallback+0x46:
001b:009ee975 7415            je      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x48:
001b:009ee977 80781905        cmp     byte ptr [eax+19h],5
kd> p
winlogon!StateMachineWorkerCallback+0x4c:
001b:009ee97b 720f            jb      winlogon!StateMachineWorkerCallback+0x5d (009ee98c)
kd> p
winlogon!StateMachineWorkerCallback+0x5d:
001b:009ee98c 8b4308          mov     eax,dword ptr [ebx+8]
kd> p
winlogon!StateMachineWorkerCallback+0x60:
001b:009ee98f 8d4b10          lea     ecx,[ebx+10h]
kd> r
eax=00a02cc4 ebx=000ef84c ecx=000ef84c edx=6300b1be esi=00a0400c edi=009c62bc
eip=009ee98f esp=00d7fa04 ebp=00d7fa10 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
winlogon!StateMachineWorkerCallback+0x60:
001b:009ee98f 8d4b10          lea     ecx,[ebx+10h]
kd> dd 00a02cc4
00a02cc4  009c2290 00000000 009d4d1e 009d4dd8
00a02cd4  00000010 00a02bf0 00000005 00a02cb0
00a02ce4  0000001c 00000000 fffffffe 00000000
00a02cf4  009c2264 009d636f 00000000 00000000
00a02d04  00000001 00a02ce8 00000000 00000000
00a02d14  0000001d 00000000 fffffffe 00000000
00a02d24  009c2238 009d4f39 00000000 00000000
00a02d34  00000001 00a02d18 00000000 00000000
kd> u 009d4d1e
winlogon!WLGeneric_Logged_On_Execute:
009d4d1e 6a08            push    8
009d4d20 6860d99f00      push    offset winlogon!_snprintf_s+0x40a (009fd960)
009d4d25 e8728a0100      call    winlogon!_SEH_prolog4 (009ed79c)
009d4d2a a10c40a000      mov     eax,dword ptr [winlogon!WPP_GLOBAL_Control (00a0400c)]
009d4d2f 3d0c40a000      cmp     eax,offset winlogon!WPP_GLOBAL_Control (00a0400c)
009d4d34 7424            je      winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
009d4d36 f7401c00010000  test    dword ptr [eax+1Ch],100h
009d4d3d 741b            je      winlogon!WLGeneric_Logged_On_Execute+0x3c (009d4d5a)
kd> p
winlogon!StateMachineWorkerCallback+0x63:
001b:009ee992 51              push    ecx
kd> p
winlogon!StateMachineWorkerCallback+0x64:
001b:009ee993 ff5008          call    dword ptr [eax+8]
kd> r
eax=00a02cc4 ebx=000ef84c ecx=000ef85c edx=6300b1be esi=00a0400c edi=009c62bc
eip=009ee993 esp=00d7fa00 ebp=00d7fa10 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
winlogon!StateMachineWorkerCallback+0x64:
001b:009ee993 ff5008          call    dword ptr [eax+8] ds:0023:00a02ccc={winlogon!WLGeneric_Logged_On_Execute (009d4d1e)}
kd> t
Breakpoint 18 hit
winlogon!WLGeneric_Logged_On_Execute:
001b:009d4d1e 6a08            push    8
kd> kc
#
00 winlogon!WLGeneric_Logged_On_Execute
01 winlogon!StateMachineWorkerCallback
02 ntdll!TppWorkpExecuteCallback
03 ntdll!TppWorkerThread
04 kernel32!BaseThreadInitThunk
05 ntdll!__RtlUserThreadStart
06 ntdll!_RtlUserThreadStart
