RDPWD!ShareClass::UPSendOrders函数中的RDPWD!ShareClass::SC_FlushAndAllocPackage函数分析
1: kd> kc
#
00 RDPWD!ShareClass::SC_FlushAndAllocPackage
01 RDPWD!ShareClass::UPSendOrders
02 RDPWD!ShareClass::UP_SendUpdates
03 RDPWD!ShareClass::DCS_TimeToDoStuff
04 RDPWD!WD_Ioctl
05 termdd!_IcaCallSd
06 termdd!_IcaCallStack
07 termdd!IcaCallDriver
08 termdd!IcaDeviceControlVirtual
09 termdd!IcaDeviceControlChannel
0a termdd!IcaDeviceControl
0b termdd!IcaDispatch
0c nt!IofCallDriver
0d win32k!CtxDeviceIoControlFile
0e win32k!EngFileIoControl
0f RDPDD!SCH_DDOutputAvailable
10 RDPDD!DrvSetPointerShape
11 win32k!vSetPointer
12 win32k!GreSetPointer
13 win32k!zzzUpdateCursorImage
14 win32k!zzzSetCursor
15 win32k!xxxDWP_SetCursor
16 win32k!xxxRealDefWindowProc
17 win32k!xxxDefWindowProc
18 win32k!xxxDesktopWndProc
19 win32k!xxxSendMessageTimeout
1a win32k!xxxSendMessage
1b win32k!xxxMouseActivate
1c win32k!xxxScanSysQueue
1d win32k!xxxRealInternalGetMessage
1e win32k!xxxDesktopThread
1f win32k!xxxCreateSystemThreads
20 win32k!NtUserCallOneParam
21 nt!_KiSystemService
22 SharedUserData!SystemCallStub
23 winsrv!NtUserCallOneParam
1: kd> dv
this = 0xe16de018
pPkgInfo = 0xb9f43b14
trc_fn = 0xb9eac483 "???"
trc_file = 0x00000008 "--- memory read error at address 0x00000008 ---"
status = 0n774
__fnname = char [24] "SC_FlushAndAllocPackage"
1: kd> dx -r1 ((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14)
((RDPWD!_tagPDU_PACKAGE_INFO *)0xb9f43b14) : 0xb9f43b14 [Type: _tagPDU_PACKAGE_INFO *]
[+0x000] cbLen : 0x1e58 [Type: unsigned int]
[+0x004] cbInUse : 0x37d [Type: unsigned int]
[+0x008] pBuffer : 0xee027020 : 0x83 [Type: unsigned char *]
[+0x00c] pOutBuf : 0x898d31b0 [Type: void *]
NTSTATUS __fastcall ShareClass::SC_FlushAndAllocPackage(PPDU_PACKAGE_INFO pPkgInfo)
{
NTSTATUS status = STATUS_SUCCESS;
DC_BEGIN_FN("SC_FlushAndAllocPackage");
if (pPkgInfo->cbLen) {
if (pPkgInfo->cbInUse) {
// Send the package contents.
if (scUseFastPathOutput)
// Send with fast-path flag.
SM_SendData(scPSMHandle, (PVOID)pPkgInfo->pOutBuf,
pPkgInfo->cbInUse, TS_HIGHPRIORITY, 0, TRUE, RNS_SEC_ENCRYPT, FALSE);
else
1: kd> t
RDPWD!SM_SendData:
b9e78370 55 push ebp
1: kd> kc 9
#
00 RDPWD!SM_SendData
01 RDPWD!ShareClass::SC_FlushAndAllocPackage
02 RDPWD!ShareClass::UPSendOrders
03 RDPWD!ShareClass::UP_SendUpdates
04 RDPWD!ShareClass::DCS_TimeToDoStuff
05 RDPWD!WD_Ioctl
06 termdd!_IcaCallSd
07 termdd!_IcaCallStack
08 termdd!IcaCallDriver
1: kd> dv
pSMHandle = 0xffffffff
pData = 0xb9f43b14
dataLen = 0x37d
priority = 1
else {
if (pRealSMHandle->encryptDisplayData) {
// S->C is encrypted
encryptHeaderLen = pRealSMHandle->encryptHeaderLen;
}
else {
sendLen = dataLen + encryptHeaderLen; // 0x389 = 0x37d + 0xc (encryptHeaderLen)
}
1: kd> ?0x389-0x37d
Evaluate expression: 12 = 0000000c
1: kd> dv
pSMHandle = 0xe1a3f7c8
pData = 0x898d31b0
dataLen = 0x37d
priority = 1
channelID = 0
bFastPathOutput = 0n1
flags = 8
fForceEncrypt = 0x00 ''
pRealSMHandle = 0xe1a3f7c8
trc_fn = 0xb9ec137c "SM_SendData"
trc_file = 0xb9ec12e0 "asmapi"
pSecHeader2 = 0x897985d0
fUseSafeChecksum = 0n0
pSecHeader = 0x00000000
sendLen = 0x389
pSecHeader = (PRNS_SECURITY_HEADER)((PBYTE)pData - encryptHeaderLen);
1: kd> dt tagRNS_SECURITY_HEADER 0x898d31b0-c
RDPWD!tagRNS_SECURITY_HEADER
+0x000 flags : 0xc008
+0x002 flagsHi : 0xbd81
TRC_DATA_DBG("Data buffer before encryption", pData, dataLen);
if (pRealSMHandle->encryptionMethodSelected == SM_FIPS_ENCRYPTION_FLAG) {
rc = TSFIPS_EncryptData(
&(pRealSMHandle->FIPSData),
pData,
dataLen + pSecHeader2->padlen,
pSecHeader2->padlen,
pSecHeader2->dataSignature,
pRealSMHandle->totalEncryptCount);
}
else {
rc = EncryptData(
pRealSMHandle->encryptionLevel,
pRealSMHandle->currentEncryptKey,
&pRealSMHandle->rc4EncryptKey,
pRealSMHandle->keyLength,
pData,
dataLen,
pRealSMHandle->macSaltKey,
((PRNS_SECURITY_HEADER1)pSecHeader)->dataSignature,
fUseSafeChecksum,
pRealSMHandle->totalEncryptCount
1: kd> dt tagSM_HANDLE_DATA 0xe1a3f7c8
RDPWD!tagSM_HANDLE_DATA
+0x000 encryptionLevel : 2
+0x004 encryptionMethodsSupported : 0x1b
+0x008 encryptionMethodSelected : 2
+0x00c frenchClient : 0 ''
+0x00d encryptAfterLogon : 0 ''
+0x00e encrypting : 0x1 ''
+0x00f encryptDisplayData : 0x1 ''
+0x010 encryptingLicToClient : 0x1 ''
+0x011 useSafeChecksumMethod : 0x1 ''
+0x012 bDisconnectWorkerSent : 0 ''
+0x013 dead : 0 ''
+0x014 state : 6
+0x018 nDiscardVCDataWhenDead : 0
+0x01c nDiscardPDUBadState : 0
+0x020 nDiscardNonVCPDUWhenDead : 0
+0x024 pUserData : (null)
+0x028 pWDHandle : 0xe1a3f010 tagTSHARE_WD
+0x02c pLicenseHandle : 0xee320738 Void
+0x030 userID : 0x3ea
+0x034 channelID : 0x3eb
+0x038 maxPDUSize : 0xffef
+0x03c CertType : 1 ( CERT_TYPE_PROPRIETORY )
+0x040 pEncClientRandom : (null)
+0x044 encClientRandomLen : 0
+0x048 recvdClientRandom : 0x1 ''
+0x049 bForwardDataToSC : 0x1 ''
+0x04a bSessionKeysMade : 0x1 ''
+0x04c keyLength : 0x10
+0x050 encryptCount : 0xa
+0x054 totalEncryptCount : 0xa
+0x058 encryptHeaderLen : 0xc
+0x05c encryptHeaderLenIfForceEncrypt : 0
+0x060 startEncryptKey : [16] "???"
+0x070 currentEncryptKey : [16] "???"
+0x080 rc4EncryptKey : RC4_KEYSTRUCT
+0x184 decryptCount : 0xe
+0x188 totalDecryptCount : 0xe
+0x18c startDecryptKey : [16] "G???"
+0x19c currentDecryptKey : [16] "G???"
+0x1ac rc4DecryptKey : RC4_KEYSTRUCT
+0x2ae macSaltKey : [16] "???"
+0x2c0 consoleBufferList : _LIST_ENTRY [ 0xe1a3fa88 - 0xe1a3fa88 ]
+0x2c8 consoleBufferCount : 0
+0x2cc FIPSData : _SM_FIPS_Data
+0x060 startEncryptKey : [16] "???"
+0x080 rc4EncryptKey : RC4_KEYSTRUCT
1: kd> dx -id 0,0,89082020 -r1 (*((RDPWD!unsigned char (*)[16])0xe1a3f838))
(*((RDPWD!unsigned char (*)[16])0xe1a3f838)) [Type: unsigned char [16]]
[0] : 0xb9 [Type: unsigned char]
[1] : 0xa7 [Type: unsigned char]
[2] : 0x13 [Type: unsigned char]
[3] : 0xf2 [Type: unsigned char]
[4] : 0x0 [Type: unsigned char]
[5] : 0xb2 [Type: unsigned char]
[6] : 0xb0 [Type: unsigned char]
[7] : 0xeb [Type: unsigned char]
[8] : 0x64 [Type: unsigned char]
[9] : 0x88 [Type: unsigned char]
[10] : 0xdd [Type: unsigned char]
[11] : 0x5b [Type: unsigned char]
[12] : 0x89 [Type: unsigned char]
[13] : 0x34 [Type: unsigned char]
[14] : 0x51 [Type: unsigned char]
[15] : 0x19 [Type: unsigned char]
1: kd> dx -id 0,0,89082020 -r1 (*((RDPWD!RC4_KEYSTRUCT *)0xe1a3f848))
(*((RDPWD!RC4_KEYSTRUCT *)0xe1a3f848)) [Type: RC4_KEYSTRUCT]
[+0x000] S [Type: unsigned char [256]]
[+0x100] i : 0x3d [Type: unsigned char]
[+0x101] j : 0x3d [Type: unsigned char]
1: kd> dx -id 0,0,89082020 -r1 (*((RDPWD!unsigned char (*)[256])0xe1a3f848))
(*((RDPWD!unsigned char (*)[256])0xe1a3f848)) [Type: unsigned char [256]]
[0] : 0xe4 [Type: unsigned char]
[1] : 0x6a [Type: unsigned char]
[2] : 0xea [Type: unsigned char]
[3] : 0xd3 [Type: unsigned char]
[4] : 0x6e [Type: unsigned char]
[5] : 0xdb [Type: unsigned char]
[6] : 0x85 [Type: unsigned char]
[7] : 0x19 [Type: unsigned char]
[8] : 0x53 [Type: unsigned char]
/****************************************************************************/
/* Encryption levels - bit field.                                           */
/*                                                                          */
/* In the SM_HANDLE_DATA dump above, encryptionMethodsSupported = 0x1b,     */
/* which is exactly 40BIT | 128BIT | 56BIT | FIPS, while                    */
/* encryptionMethodSelected = 2 holds a single flag (128-bit).              */
/* SM_SendData compares encryptionMethodSelected against                    */
/* SM_FIPS_ENCRYPTION_FLAG to pick TSFIPS_EncryptData; every other value    */
/* goes through EncryptData with the RC4 key schedule (rc4EncryptKey).      */
/****************************************************************************/
#define SM_40BIT_ENCRYPTION_FLAG 0x01
#define SM_128BIT_ENCRYPTION_FLAG 0x02
#define SM_56BIT_ENCRYPTION_FLAG 0x08
#define SM_FIPS_ENCRYPTION_FLAG 0x10
if (rc) {
TRC_DBG((TB, "Data encrypted"));
1: kd> p
22:27:18.890 89076524.00000000 RDP E1A3F010 SM_SendData 1199 Data encrypted
// Send it!
rc = NM_SendData(pRealSMHandle->pWDHandle->pNMInfo, (BYTE *)pSecHeader,
sendLen, priority, channelID, bFastPathOutput);
}
1: kd> t
RDPWD!NM_SendData:
b9e71540 55 push ebp
1: kd> kc 9
#
00 RDPWD!NM_SendData
01 RDPWD!SM_SendData
02 RDPWD!ShareClass::SC_FlushAndAllocPackage
03 RDPWD!ShareClass::UPSendOrders
04 RDPWD!ShareClass::UP_SendUpdates
05 RDPWD!ShareClass::DCS_TimeToDoStuff
06 RDPWD!WD_Ioctl
07 termdd!_IcaCallSd
08 termdd!_IcaCallStack
1: kd> dv
pNMHandle = 0x00000023
pData = 0x00000000 ""
dataSize = 0x389
priority = 1
userID = 0 //channelID
FastPathOutputFlags = 0xc1
trc_fn = 0x8966dfa0 " p???"
trc_file = 0x897985d0 "hp???"
pRealNMHandle = 0xb9f43a2c
__fnname = char [12] "NM_SendData"
pOutBuf = 0x00000000
MCSErr = 0n-1176038080 (No matching enumerant)
rc = 0n8
else {
// 2-byte form of length, first byte has high bit 1 and 7
// most significant bits.
dataSize += 3;
pData -= 3;
*(pData + 1) = (BYTE)(0x80 | ((dataSize & 0x7F00) >> 8));
*(pData + 2) = (BYTE)(dataSize & 0xFF);
}
1: kd> dv
Status = 0n-1175175672
SdWrite = struct _SD_RAWWRITE
pNMHandle = 0xe1a3fe30
pData = 0x898d31a5 "???"
dataSize = 0x388
priority = 1
userID = 0
FastPathOutputFlags = 0xc1
trc_fn = 0xb9ec1224 "NM_SendData"
trc_file = 0xb9ec11c0 "anmapi"
pRealNMHandle = 0xe1a3fe30
__fnname = char [12] "NM_SendData"
pOutBuf = 0x898d3018
MCSErr = MCS_NO_SUCH_CONNECTION (0n8)
rc = 0n1
1: kd> db 0x898d31a5
898d31a5 08 83 88 eb e9 ea 4a a9-fb 6a 4f 17 d7 b7 eb 24 ......J..jO....$
898d31b5 96 cf 24 ab 9b 93 e0 e2-1c b7 bd 84 ae b5 4b 43 ..$...........KC
898d31c5 e2 51 37 0f 1a 5b a5 dd-fb ed 02 23 cb fe 5c bf .Q7..[.....#..\.
898d31d5 86 75 6d 71 56 71 aa 0e-c0 2e d1 03 9f 66 bf 34 .umqVq.......f.4
898d31e5 90 fb a0 46 f7 80 5c 95-bd c9 f9 0c 97 38 dd d0 ...F..\......8..
898d31f5 47 0b 12 e2 df ea 7b f6-18 80 a2 5b f8 6e 2d 81 G.....{....[.n-.
898d3205 f0 c2 c8 9a 5c fe 22 46-30 84 46 45 44 9e 43 9c ....\."F0.FED.C.
898d3215 ff b2 d1 29 09 ee 1d a2-fa 20 9a b3 fe 06 39 52 ...)..... ....9R
dataSize = 0x388
83 88 (2-byte length field: 0x80 | (0x388 >> 8) = 0x83, 0x388 & 0xFF = 0x88 — bytes 1-2 of the dump above)
pOutBuf = 0x898d3018
1: kd> dx -r1 ((RDPWD!_OUTBUF *)0x898d3018)
((RDPWD!_OUTBUF *)0x898d3018) : 0x898d3018 [Type: _OUTBUF *]
[+0x000] OutBufLength : 0x1e88 [Type: unsigned long]
[+0x004] PoolIndex : 4 [Type: int]
[+0x008] Links [Type: _LIST_ENTRY]
[+0x010] pBuffer : 0x898d31a4 : 0x8 [Type: unsigned char *]
[+0x014] ByteCount : 0x389 [Type: unsigned long]
[+0x018] MaxByteCount : 0x1e88 [Type: unsigned long]
[+0x01c] ThreadId : 0x0 [Type: _ETHREAD *]
[+0x020] pIrp : 0x898d3050 [Type: _IRP *]
[+0x024] pMdl : 0x898d3158 [Type: _MDL *]
[+0x028] pPrivate : 0x89076d20 [Type: void *]
[+0x02c] StartTime : 0x0 [Type: unsigned long]
[+0x030] Sequence : 0x0 [Type: unsigned char]
[+0x031] Fragment : 0x0 [Type: unsigned char]
[+0x034 ( 0: 0)] fWait : 0x1 [Type: unsigned long]
[+0x034 ( 1: 1)] fControl : 0x0 [Type: unsigned long]
[+0x034 ( 2: 2)] fRetransmit : 0x0 [Type: unsigned long]
[+0x034 ( 3: 3)] fCompress : 0x1 [Type: unsigned long]
[+0x034 ( 4: 4)] fIrpCompleted : 0x0 [Type: unsigned long]
// Set up the OutBuf with its final contents.
pOutBuf->pBuffer = pData;
pOutBuf->ByteCount = dataSize;
1: kd> dx -r1 ((RDPWD!_OUTBUF *)0x898d3018)
((RDPWD!_OUTBUF *)0x898d3018) : 0x898d3018 [Type: _OUTBUF *]
[+0x000] OutBufLength : 0x1e88 [Type: unsigned long]
[+0x004] PoolIndex : 4 [Type: int]
[+0x008] Links [Type: _LIST_ENTRY]
[+0x010] pBuffer : 0x898d31a5 : 0xc0 [Type: unsigned char *]
[+0x014] ByteCount : 0x388 [Type: unsigned long]
1: kd> db 0x898d31a5
898d31a5 c0 83 88 eb e9 ea 4a a9-fb 6a 4f 17 d7 b7 eb 24 ......J..jO....$
898d31b5 96 cf 24 ab 9b 93 e0 e2-1c b7 bd 84 ae b5 4b 43 ..$...........KC
898d31c5 e2 51 37 0f 1a 5b a5 dd-fb ed 02 23 cb fe 5c bf .Q7..[.....#..\.
898d31d5 86 75 6d 71 56 71 aa 0e-c0 2e d1 03 9f 66 bf 34 .umqVq.......f.4
898d31e5 90 fb a0 46 f7 80 5c 95-bd c9 f9 0c 97 38 dd d0 ...F..\......8..
898d31f5 47 0b 12 e2 df ea 7b f6-18 80 a2 5b f8 6e 2d 81 G.....{....[.n-.
898d3205 f0 c2 c8 9a 5c fe 22 46-30 84 46 45 44 9e 43 9c ....\."F0.FED.C.
898d3215 ff b2 d1 29 09 ee 1d a2-fa 20 9a b3 fe 06 39 52 ...)..... ....9R
dv
SdWrite = struct _SD_RAWWRITE
1: kd> dx -r1 (*((RDPWD!_SD_RAWWRITE *)0xb9f439c0))
(*((RDPWD!_SD_RAWWRITE *)0xb9f439c0)) [Type: _SD_RAWWRITE]
[+0x000] pOutBuf : 0x30 [Type: _OUTBUF *]
[+0x004] pBuffer : 0xb9e626b0 : 0x55 [Type: unsigned char *]
[+0x008] ByteCount : 0x8966dfa0 [Type: unsigned long]
// Send downward.
SdWrite.pBuffer = NULL;
SdWrite.ByteCount = 0;
SdWrite.pOutBuf = pOutBuf;
dv
SdWrite = struct _SD_RAWWRITE
1: kd> dx -r1 (*((RDPWD!_SD_RAWWRITE *)0xb9f439c0))
(*((RDPWD!_SD_RAWWRITE *)0xb9f439c0)) [Type: _SD_RAWWRITE]
[+0x000] pOutBuf : 0x898d3018 [Type: _OUTBUF *]
[+0x004] pBuffer : 0x0 [Type: unsigned char *]
[+0x008] ByteCount : 0x0 [Type: unsigned long]
Status = IcaCallNextDriver(pRealNMHandle->pWDHandle->pContext,
SD$RAWWRITE, &SdWrite);
NTSTATUS
IcaCallNextDriver(
IN PSDCONTEXT pContext,
IN ULONG ProcIndex,
IN PVOID pParms
)
{
1: kd> kc 9
#
00 termdd!_IcaCallSd
01 termdd!IcaCallNextDriver
02 RDPWD!NM_SendData
03 RDPWD!SM_SendData
04 RDPWD!ShareClass::SC_FlushAndAllocPackage
05 RDPWD!ShareClass::UPSendOrders
06 RDPWD!ShareClass::UP_SendUpdates
07 RDPWD!ShareClass::DCS_TimeToDoStuff
08 RDPWD!WD_Ioctl
1: kd> dv
pSdLink = 0x89080a00
ProcIndex = 2
pParms = 0xb9f439c0
1: kd> p
termdd!_IcaCallSd+0x26:
bac481ea ff7510 push dword ptr [ebp+10h]
1: kd> t
TDTCP!TdRawWrite:
ba0c9cd6 55 push ebp
1: kd> kc 9
#
00 TDTCP!TdRawWrite
01 termdd!_IcaCallSd
02 termdd!IcaCallNextDriver
03 RDPWD!NM_SendData
04 RDPWD!SM_SendData
05 RDPWD!ShareClass::SC_FlushAndAllocPackage
06 RDPWD!ShareClass::UPSendOrders
07 RDPWD!ShareClass::UP_SendUpdates
08 RDPWD!ShareClass::DCS_TimeToDoStuff
1: kd> dv
pTd = 0x894c7868
pSdRawWrite = 0xb9f439c0
Status = 0n-1175176768
oldIrql = 0xb9 ''
pWorkItem = 0x00000008
dv
pSdRawWrite = 0xb9f439c0
1: kd> dx -r1 ((TDTCP!_SD_RAWWRITE *)0xb9f439c0)
((TDTCP!_SD_RAWWRITE *)0xb9f439c0) : 0xb9f439c0 [Type: _SD_RAWWRITE *]
[+0x000] pOutBuf : 0x898d3018 [Type: _OUTBUF *]
[+0x004] pBuffer : 0x0 [Type: unsigned char *]
[+0x008] ByteCount : 0x0 [Type: unsigned long]
NTSTATUS TdRawWrite(PTD pTd, PSD_RAWWRITE pSdRawWrite)
{
// Call the device driver
// From this point on we must NOT free the outbuf.
// It will be free'd by the write complete routine.
Status = IoCallDriver(pTd->pDeviceObject, pOutBuf->pIrp);
if (NT_SUCCESS(Status)) {
// Update output counters
pTd->pStatus->Output.Bytes += pOutBuf->ByteCount;
pTd->pStatus->Output.Frames++;
// Insert outbuf on busy list
InsertTailList(&pTd->IoBusyOutBuf, &pOutBuf->Links);
1: kd> dx -r1 ((TDTCP!_TD *)0x894c7868)
((TDTCP!_TD *)0x894c7868) : 0x894c7868 [Type: _TD *]
[+0x000] pContext : 0x89080a14 [Type: _SDCONTEXT *]
[+0x004] PdFlag : 0x4e [Type: unsigned long]
[+0x008] SdClass : SdNetwork (2) [Type: _SDCLASS]
[+0x00c] Params [Type: _PDPARAMSW]
[+0x244] pClient : 0x890770c8 [Type: _CLIENTMODULES *]
[+0x248] pStatus : 0x89077228 [Type: _PROTOCOLSTATUS *]
[+0x24c] pFileObject : 0x89095ec8 [Type: _FILE_OBJECT *]
[+0x250] pDeviceObject : 0x894368b0 : Device for "\Driver\Tcpip" [Type: _DEVICE_OBJECT *]
[+0x254] LastError : 0x0 [Type: unsigned long]
[+0x258] ReadErrorCount : 0x0 [Type: unsigned long]
[+0x25c] ReadErrorThreshold : 0x0 [Type: unsigned long]
[+0x260] WriteErrorCount : 0x0 [Type: unsigned long]
[+0x264] WriteErrorThreshold : 0x0 [Type: unsigned long]
[+0x268] ZeroByteReadCount : 0x0 [Type: unsigned long]
[+0x26c] PortNumber : 0xd3d [Type: unsigned long]
[+0x270] OutBufHeader : 0x0 [Type: unsigned long]
[+0x274] OutBufTrailer : 0x0 [Type: unsigned long]
[+0x278] OutBufLength : 0x212 [Type: unsigned long]
[+0x27c] IoBusyOutBuf [Type: _LIST_ENTRY]
1: kd> dx -r1 (*((TDTCP!_LIST_ENTRY *)0x894c7ae4))
(*((TDTCP!_LIST_ENTRY *)0x894c7ae4)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x898d3020 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x898d3020 [Type: _LIST_ENTRY *]
1: kd> dx -r1 ((TDTCP!_SD_RAWWRITE *)0xb9f439c0)
((TDTCP!_SD_RAWWRITE *)0xb9f439c0) : 0xb9f439c0 [Type: _SD_RAWWRITE *]
[+0x000] pOutBuf : 0x898d3018 [Type: _OUTBUF *]
[+0x004] pBuffer : 0x0 [Type: unsigned char *]
[+0x008] ByteCount : 0x0 [Type: unsigned long]
1: kd> dx -r1 ((TDTCP!_OUTBUF *)0x898d3018)
((TDTCP!_OUTBUF *)0x898d3018) : 0x898d3018 [Type: _OUTBUF *]
[+0x000] OutBufLength : 0x1e88 [Type: unsigned long]
[+0x004] PoolIndex : 4 [Type: int]
[+0x008] Links [Type: _LIST_ENTRY]
[+0x010] pBuffer : 0x898d31a5 : 0xc0 [Type: unsigned char *]
[+0x014] ByteCount : 0x388 [Type: unsigned long]
[+0x018] MaxByteCount : 0x1e88 [Type: unsigned long]
[+0x01c] ThreadId : 0x0 [Type: _ETHREAD *]
[+0x020] pIrp : 0x898d3050 [Type: _IRP *]
[+0x024] pMdl : 0x898d3158 [Type: _MDL *]
[+0x028] pPrivate : 0x894c7868 [Type: void *]
[+0x02c] StartTime : 0x0 [Type: unsigned long]
[+0x030] Sequence : 0x0 [Type: unsigned char]
[+0x031] Fragment : 0x0 [Type: unsigned char]
[+0x034 ( 0: 0)] fWait : 0x1 [Type: unsigned long]
[+0x034 ( 1: 1)] fControl : 0x0 [Type: unsigned long]
[+0x034 ( 2: 2)] fRetransmit : 0x0 [Type: unsigned long]
[+0x034 ( 3: 3)] fCompress : 0x1 [Type: unsigned long]
[+0x034 ( 4: 4)] fIrpCompleted : 0x0 [Type: unsigned long]
1: kd> dx -r1 (*((TDTCP!_LIST_ENTRY *)0x898d3020))
(*((TDTCP!_LIST_ENTRY *)0x898d3020)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x894c7ae4 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x894c7ae4 [Type: _LIST_ENTRY *]
// Preallocate a completion workitem now and chain it to list of workitems.
Status = IcaAllocateWorkItem(&pWorkItem);
InsertTailList( &pTd->WorkItemHead, pWorkItem );
1: kd> dv
pTd = 0x894c7868
pSdRawWrite = 0x00000000
Status = 0n0
oldIrql = 0x00 ''
pWorkItem = 0x896a0e58 [ 0x894c7b38 - 0x894c7b38 ]
1: kd> dx -r1 ((TDTCP!_LIST_ENTRY *)0x896a0e58)
((TDTCP!_LIST_ENTRY *)0x896a0e58) : 0x896a0e58 [Type: _LIST_ENTRY *]
[+0x000] Flink : 0x894c7b38 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x894c7b38 [Type: _LIST_ENTRY *]
1: kd> dx -r1 ((TDTCP!_TD *)0x894c7868)
((TDTCP!_TD *)0x894c7868) : 0x894c7868 [Type: _TD *]
[+0x000] pContext : 0x89080a14 [Type: _SDCONTEXT *]
[+0x004] PdFlag : 0x4e [Type: unsigned long]
[+0x008] SdClass : SdNetwork (2) [Type: _SDCLASS]
[+0x00c] Params [Type: _PDPARAMSW]
[+0x244] pClient : 0x890770c8 [Type: _CLIENTMODULES *]
[+0x248] pStatus : 0x89077228 [Type: _PROTOCOLSTATUS *]
[+0x24c] pFileObject : 0x89095ec8 [Type: _FILE_OBJECT *]
[+0x250] pDeviceObject : 0x894368b0 : Device for "\Driver\Tcpip" [Type: _DEVICE_OBJECT *]
[+0x254] LastError : 0x0 [Type: unsigned long]
[+0x258] ReadErrorCount : 0x0 [Type: unsigned long]
[+0x25c] ReadErrorThreshold : 0x0 [Type: unsigned long]
[+0x260] WriteErrorCount : 0x0 [Type: unsigned long]
[+0x264] WriteErrorThreshold : 0x0 [Type: unsigned long]
[+0x268] ZeroByteReadCount : 0x0 [Type: unsigned long]
[+0x26c] PortNumber : 0xd3d [Type: unsigned long]
[+0x270] OutBufHeader : 0x0 [Type: unsigned long]
[+0x274] OutBufTrailer : 0x0 [Type: unsigned long]
[+0x278] OutBufLength : 0x212 [Type: unsigned long]
[+0x27c] IoBusyOutBuf [Type: _LIST_ENTRY]
[+0x284] SyncWriteEvent [Type: _KEVENT]
[+0x294] pInputThread : 0x896c6b20 [Type: _KTHREAD *]
[+0x298] InBufCount : 1 [Type: long]
[+0x29c] InBufListLock : 0x89076349 [Type: unsigned long]
[+0x2a0] InBufBusyHead [Type: _LIST_ENTRY]
[+0x2a8] InBufDoneHead [Type: _LIST_ENTRY]
[+0x2b0] InBufHeader : 0x0 [Type: unsigned long]
[+0x2b4] InputEvent [Type: _KEVENT]
[+0x2c4 ( 0: 0)] fClosing : 0x0 [Type: unsigned long]
[+0x2c4 ( 1: 1)] fCallbackInProgress : 0x0 [Type: unsigned long]
[+0x2c4 ( 2: 2)] fSyncWriteWaiter : 0x0 [Type: unsigned long]
[+0x2c8] pPrivate : 0x0 [Type: void *]
[+0x2cc] pAfd : 0x89754e28 [Type: void *]
[+0x2d0] WorkItemHead [Type: _LIST_ENTRY]
[+0x2d8] pSelfDeviceObject : 0x0 [Type: _DEVICE_OBJECT *]
[+0x2dc] UserBrokenReason : 0x0 [Type: unsigned long]
1: kd> dx -r1 (*((TDTCP!_LIST_ENTRY *)0x894c7b38))
(*((TDTCP!_LIST_ENTRY *)0x894c7b38)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x896a0e58 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0x896a0e58 [Type: _LIST_ENTRY *]
// Register I/O completion routine
if ( pTd->pSelfDeviceObject == NULL ) {
IoSetCompletionRoutine(pOutBuf->pIrp,
_TdWriteCompleteRoutine, pOutBuf, TRUE, TRUE,
TRUE);
1: kd> t
nt!IofCallDriver:
80a266fa 55 push ebp
1: kd> kc 9
#
00 nt!IofCallDriver
01 TDTCP!TdRawWrite
02 termdd!_IcaCallSd
03 termdd!IcaCallNextDriver
04 RDPWD!NM_SendData
05 RDPWD!SM_SendData
06 RDPWD!ShareClass::SC_FlushAndAllocPackage
07 RDPWD!ShareClass::UPSendOrders
08 RDPWD!ShareClass::UP_SendUpdates
//
// IofCallDriver - hand an IRP to the next driver's dispatch routine.
//
// DeviceObject: the device the IRP is being sent to (in this trace the
//               "\Driver\Tcpip" device object).
// Irp:          the request being forwarded.
//
// Returns whatever the dispatch routine (or the installed hook) returns.
//
// If a call-driver hook is installed (pIofCallDriver is non-NULL), the
// call is diverted to it - per the original comment this is either
// IovCallDriver (I/O verifier) or IoPerfCallDriver - and the caller's
// return address is passed along, presumably for attribution. Otherwise
// the plain IopfCallDriver path is taken; in the trace on this page the
// indirect call at nt!IofCallDriver+0x5e lands in
// tcpip!TCPDispatchInternalDeviceControl.
//
NTSTATUS
FASTCALL
IofCallDriver(
    IN PDEVICE_OBJECT DeviceObject,
    IN OUT PIRP Irp
    )
{
    //
    // Common case first: no hook installed, dispatch directly.
    //
    if (pIofCallDriver == NULL) {
        return IopfCallDriver(DeviceObject, Irp);
    }

    //
    // A hook is present; it receives our caller's return address so it can
    // identify who issued the call.
    //
    return pIofCallDriver(DeviceObject, Irp, _ReturnAddress());
}
1: kd> r
eax=0000000f ebx=00000000 ecx=89475e90 edx=898d3050 esi=898d3050 edi=894368b0
eip=80a26758 esp=b9f43928 ebp=b9f4393c iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000292
nt!IofCallDriver+0x5e:
80a26758 ff548138 call dword ptr [ecx+eax*4+38h] ds:0023:89475f04={tcpip!TCPDispatchInternalDeviceControl (baa030ec)}
1: kd> t
tcpip!TCPDispatchInternalDeviceControl:
baa030ec 55 push ebp
1: kd> kc 9
#
00 tcpip!TCPDispatchInternalDeviceControl
01 nt!IofCallDriver
02 TDTCP!TdRawWrite
03 termdd!_IcaCallSd
04 termdd!IcaCallNextDriver
05 RDPWD!NM_SendData
06 RDPWD!SM_SendData
07 RDPWD!ShareClass::SC_FlushAndAllocPackage
08 RDPWD!ShareClass::UPSendOrders
1: kd> dv
DeviceObject = 0x894368b0 Device for "\Driver\Tcpip"
Irp = 0x898d3050
if (PtrToUlong(irpSp->FileObject->FsContext2) == TDI_CONNECTION_FILE) {
//
// Send and receive are the performance path, so check for them
// right away.
//
if (irpSp->MinorFunction == TDI_SEND) {
return (TCPSendData(Irp, irpSp));
}
1: kd> kc 1
#
00 tcpip!TCPSendData
1: kd> kc 10
#
00 tcpip!TCPSendData
01 tcpip!TCPDispatchInternalDeviceControl
02 nt!IofCallDriver
03 TDTCP!TdRawWrite
04 termdd!_IcaCallSd
05 termdd!IcaCallNextDriver
06 RDPWD!NM_SendData
07 RDPWD!SM_SendData
08 RDPWD!ShareClass::SC_FlushAndAllocPackage
09 RDPWD!ShareClass::UPSendOrders
0a RDPWD!ShareClass::UP_SendUpdates
0b RDPWD!ShareClass::DCS_TimeToDoStuff
0c RDPWD!WD_Ioctl
0d termdd!_IcaCallSd
0e termdd!_IcaCallStack
0f termdd!IcaCallDriver
