从winlogon!SignalManagerWaitForSignal来看神秘的状态机的状态数组结构
第一部分:
call winlogon!SignalManagerWaitForSignal 需要[ebx+14h]和[ebx+10h]作为参数(从下面的反汇编看,连同[edi]和[edi+10h]一共压入4个参数)!!!
kd> u 009ef07c-10
winlogon!StateMachineRun+0x28c:
009ef06c ff7710 push dword ptr [edi+10h]
009ef06f ff7314 push dword ptr [ebx+14h]
009ef072 ff7310 push dword ptr [ebx+10h]
009ef075 ff37 push dword ptr [edi]
009ef077 e83e090000 call winlogon!SignalManagerWaitForSignal (009ef9ba)
009ef07c 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh
009ef080 7517 jne winlogon!StateMachineRun+0x2b9 (009ef099)
009ef082 6a00 push 0
28 00a02cc4 winlogon!g_xWLGeneric_Logged_On_State = <no type information>
kd> dd 00a02cc4
00a02cc4 009c2290 00000000 009d4d1e 009d4dd8
00a02cd4 00000010 00a02bf0 00000005 00a02cb0
00a02ce4 0000001c 00000000 fffffffe 00000000
kd> dd 00a02bf0
00a02bf0 00000017 0000001d 00000001 00000002
24 00a02acc winlogon!g_xWLGeneric_Request_LogonChange_Credz_State = <no type information>
kd> dd 00a02acc
00a02acc 009c2330 00000000 009e2a1f 009e2b88
00a02adc 00000008 00a02a60 00000003 00a02ac0
winlogon!SignalManagerGetSignal函数也需要[ebx+14h]和[ebx+10h](此外还多压入了两个栈上缓冲区的地址[ebp-28h]和[ebp-0Ch],见第二部分的单步记录)!!!
第二部分:
kd> p
winlogon!StateMachineRun+0x40d:
001b:009ef1ed 8d45d8 lea eax,[ebp-28h]
kd> p
winlogon!StateMachineRun+0x410:
001b:009ef1f0 50 push eax
kd> p
winlogon!StateMachineRun+0x411:
001b:009ef1f1 8d45f4 lea eax,[ebp-0Ch]
kd> p
winlogon!StateMachineRun+0x414:
001b:009ef1f4 50 push eax
kd> p
winlogon!StateMachineRun+0x415:
001b:009ef1f5 ff7710 push dword ptr [edi+10h]
kd> p
winlogon!StateMachineRun+0x418:
001b:009ef1f8 ff7314 push dword ptr [ebx+14h]
kd> p
winlogon!StateMachineRun+0x41b:
001b:009ef1fb ff7310 push dword ptr [ebx+10h]
kd> p
winlogon!StateMachineRun+0x41e:
001b:009ef1fe ff37 push dword ptr [edi]
kd> p
winlogon!StateMachineRun+0x420:
001b:009ef200 e8e8110000 call winlogon!SignalManagerGetSignal (009f03ed)
第三部分:
call winlogon!SignalManagerWaitForSignal 需要[ebx+14h]和[ebx+10h]!!!
kd> u 009ef07c-10
winlogon!StateMachineRun+0x28c:
009ef06c ff7710 push dword ptr [edi+10h]
009ef06f ff7314 push dword ptr [ebx+14h]
009ef072 ff7310 push dword ptr [ebx+10h]
009ef075 ff37 push dword ptr [edi]
009ef077 e83e090000 call winlogon!SignalManagerWaitForSignal (009ef9ba)
009ef07c 837df8ff cmp dword ptr [ebp-8],0FFFFFFFFh
009ef080 7517 jne winlogon!StateMachineRun+0x2b9 (009ef099)
009ef082 6a00 push 0
第四部分(断点命中时的调用栈、寄存器、栈顶参数以及状态数组内容;注意末尾对 g_x*_Signal 符号用 u 反汇编得到的指令流看起来并不是真正的代码,这些符号更可能是数据,用 dd 查看其 dword 内容更合适):
kd> g
Breakpoint 21 hit
winlogon!StateMachineRun+0x297:
001b:009ef077 e83e090000 call winlogon!SignalManagerWaitForSignal (009ef9ba)
kd> kc
#
00 winlogon!StateMachineRun
01 winlogon!WlStateMachineRun
02 winlogon!WinMain
03 winlogon!_initterm_e
04 kernel32!BaseThreadInitThunk
05 ntdll!__RtlUserThreadStart
06 ntdll!_RtlUserThreadStart
kd> r
eax=000ef9d4 ebx=00a02cc4 ecx=88c16ca2 edx=76fda084 esi=000ef8c4 edi=00141038
eip=009ef077 esp=000ef828 ebp=000ef9dc iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000297
winlogon!StateMachineRun+0x297:
001b:009ef077 e83e090000 call winlogon!SignalManagerWaitForSignal (009ef9ba)
kd> dd 000ef828
000ef828 001182f0 00000010 00a02bf0 00a03e38
000ef838 000ef9d4 000ef9a4 00000000 009c2f5c
000ef848 00a0400c 00142a68 00000108 00a02cc4
kd> dd 00a02bf0
00a02bf0 00000017
24 00a02acc winlogon!g_xWLGeneric_Request_LogonChange_Credz_State = <no type information>
ebx=00a02cc4(即下面的 winlogon!g_xWLGeneric_Logged_On_State),因此[ebx+10h]=00000010、[ebx+14h]=00a02bf0,与上面 dd 000ef828 所示栈顶的第2、3个 dword 一致
00a02cc4 winlogon!g_xWLGeneric_Logged_On_State = <no type information>
kd> dd 00a02cc4
00a02cc4 009c2290 00000000 009d4d1e 009d4dd8
00a02cd4 00000010 00a02bf0 00000005 00a02cb0
00a02ce4 0000001c 00000000 fffffffe 00000000
00a02cf4 009c2264 009d636f 00000000 00000000
00a02d04 00000001 00a02ce8 00000000 00000000
00a02d14 0000001d 00000000 fffffffe 00000000
00a02d24 009c2238 009d4f39 00000000 00000000
00a02d34 00000001 00a02d18 00000000 00000000
kd> dd 00a03e38
00a03e38 00a02000 00a0200c 00a02018 00a02024
00a03e48 00a02030 00a0203c 00a02048 00a02054
00a03e58 00a02060 00a0206c 00a02078 00a02084
00a03e68 00a02090 00a0209c 00a020a8 00a020b4
00a03e78 00a020c0 00a020cc 00a020d8 00a020e4
00a03e88 00a020f0 00a020fc 00a02108 00a02114
00a03e98 00a02120 00a0212c 00a02138 00a02144
00a03ea8 00a02150 00a0215c 00a02168 00a02174
kd> u 00a02000
winlogon!g_xAction_Succeeded_Signal:
00a02000 dc2b fsubr qword ptr [ebx]
00a02002 9c pushfd
00a02003 0001 add byte ptr [ecx],al
00a02005 0000 add byte ptr [eax],al
00a02007 0000 add byte ptr [eax],al
00a02009 0000 add byte ptr [eax],al
00a0200b 00c0 add al,al
00a0200d 2b9c0001000000 sub ebx,dword ptr [eax+eax+1]
kd> u 00a0200c
winlogon!g_xAction_Failed_Signal:
00a0200c c02b9c shr byte ptr [ebx],9Ch
00a0200f 0001 add byte ptr [ecx],al
00a02011 0000 add byte ptr [eax],al
00a02013 0001 add byte ptr [ecx],al
00a02015 0000 add byte ptr [eax],al
00a02017 00902b9c0000 add byte ptr [eax+9C2Bh],dl
00a0201d 0000 add byte ptr [eax],al
00a0201f 0002 add byte ptr [edx],al
kd> u 00a02018
winlogon!g_xLogoff_NtUserCompleted_Signal:
00a020