mstscax!CMCS::MCSSendConnectInitial函数分析之mstsc.exe源代码分析第二次交互
mstscax!CMCS::MCSSendConnectInitial函数分析之mstsc.exe源代码分析第二次交互
/* Declares the static CD-notification thunk through which CDWndProc       */
/* reaches CMCS::MCSSendConnectInitial - presumably the                     */
/* MACROGENERATED_Static_MCSSendConnectInitial frame (mcs.h) visible in the */
/* debugger stacks on this page; confirm against the macro's definition.    */
EXPOSE_CD_SIMPLE_NOTIFICATION_FN(CMCS, MCSSendConnectInitial);
1: kd> kc
#
00 WS2_32!send
01 WS2_32!DTHOOK_send
02 mstscax!CTD::TDFlushSendQueue
03 mstscax!CTD::TD_SendBuffer
04 mstscax!CXT::XTSendCR
05 mstscax!CXT::MACROGENERATED_Static_XTSendCR
06 mstscax!CCD::CDWndProc
07 mstscax!CCD::CDStaticWndProc
08 USER32!InternalCallWinProc
09 USER32!UserCallWinProcCheckWow
0a USER32!DispatchMessageWorker
0b USER32!DispatchMessageW
0c mstscax!CSND::SND_Main
0d mstscax!CSND::SND_StaticMain
0e mstscax!CUT::UTStaticThreadEntry
0f mstscax!_threadstartex
10 kernel32!BaseThreadStart
1: kd> x mstscax!CMCS::MCSSendConnectInitial
5d03a770          mstscax!CMCS::MCSSendConnectInitial (unsigned long)
1: kd> bp mstscax!CMCS::MCSSendConnectInitial
1: kd> g
Breakpoint 18 hit
mstscax!CMCS::MCSSendConnectInitial:
001b:5d03a770 55              push    ebp
1: kd> kc
#
00 mstscax!CMCS::MCSSendConnectInitial
01 mstscax!CMCS::MACROGENERATED_Static_MCSSendConnectInitial
02 mstscax!CCD::CDWndProc
03 mstscax!CCD::CDStaticWndProc
04 USER32!InternalCallWinProc
05 USER32!UserCallWinProcCheckWow
06 USER32!DispatchMessageWorker
07 USER32!DispatchMessageW
08 mstscax!CSND::SND_Main
09 mstscax!CSND::SND_StaticMain
0a mstscax!CUT::UTStaticThreadEntry
0b mstscax!_threadstartex
0c kernel32!BaseThreadStart
1: kd> kv
# ChildEBP RetAddr  Args to Child              
00 00d3fd60 5cfe1480 00a49e80 00000000 00d3fdd8 mstscax!CMCS::MCSSendConnectInitial (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\mcsint.cpp @ 31]
01 00d3fd70 5cfe4c64 00a49e80 00000000 77e67495 mstscax!CMCS::MACROGENERATED_Static_MCSSendConnectInitial+0x10 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\mcs.h @ 884]
02 00d3fdd8 5cfe47f6 00a474a8 000300de 0000800b mstscax!CCD::CDWndProc+0x234 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\cdint.cpp @ 267]
03 00d3fdfc 77ce7ee3 000300de 0000800b 00000000 mstscax!CCD::CDStaticWndProc+0x56 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\cdint.cpp @ 181]
04 00d3fe28 77cf2bff 5cfe47a0 000300de 0000800b USER32!InternalCallWinProc+0x1b [d:\srv03rtm\windows\core\ntuser\client\i386\callproc.asm @ 102]
05 00d3fea0 77cbe3db 00000000 5cfe47a0 000300de USER32!UserCallWinProcCheckWow+0x151 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 165]
06 00d3ff08 77cc4014 00d3ff40 00000000 00d3ff5c USER32!DispatchMessageWorker+0x3e3 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\clmsg.c @ 2497]
07 00d3ff18 5cfceda0 00d3ff40 00000000 804edc60 USER32!DispatchMessageW+0xd (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\windows\core\ntuser\client\cltxt.h @ 1046]
08 00d3ff5c 5cf7ad3c 00a49558 00d3ff84 5d04ca97 mstscax!CSND::SND_Main+0x1d0 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\sndapi.cpp @ 83]
09 00d3ff68 5d04ca97 00a49558 5cf31068 5cf30ff0 mstscax!CSND::SND_StaticMain+0xc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\core\snd.h @ 40]
0a 00d3ff84 5d0d43ea 00000000 00000000 00000000 mstscax!CUT::UTStaticThreadEntry+0x77 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\termsrv\newclient\util\nutint.cpp @ 209]
0b 00d3ffb8 77e41be7 00ab1ba0 00000000 00000000 mstscax!_threadstartex+0x6f (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\crts\crtw32\startup\threadex.c @ 268]
0c 00d3ffec 00000000 5d0d437b 00ab1ba0 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]
windbg> .open -a 5cfe1480
/****************************************************************************/
/* Name:      MCSSendConnectInitial                                         */
/*                                                                          */
/* Purpose:   Build an MCS Connect-Initial PDU (fixed header followed by    */
/*            the user data held in _MCS.pReceivedPacket) in an XT private  */
/*            buffer and hand it to XT for transmission.                    */
/*                                                                          */
/* Params:    unused - CD notification parameter, ignored.                  */
/*                                                                          */
/* Returns:   Nothing.  If XT will not supply a send buffer the PDU is      */
/*            dropped after a trace line; no Connect-Response will follow.  */
/*                                                                          */
/* Reads:     _MCS.userDataLength, _MCS.pReceivedPacket, _pXt.              */
/****************************************************************************/
DCVOID DCINTERNAL CMCS::MCSSendConnectInitial(ULONG_PTR unused)
{
    MCS_PDU_CONNECTINITIAL ciHeader = MCS_DATA_CONNECTINITIAL;
    PDCUINT8               pBuf     = NULL;
    XT_BUFHND              xtHandle;
    DCUINT                 totalLen;
    DCUINT                 wireLen;
    DCBOOL                 gotBuffer;

    DC_BEGIN_FN("MCSSendConnectInitial");
    DC_IGNORE_PARAMETER(unused);

    /* Bytes placed in the send buffer: fixed Connect-Initial header plus   */
    /* the user data.                                                       */
    totalLen = sizeof(ciHeader) + _MCS.userDataLength;

    /* Value carried in the PDU's own length field.  It excludes the two    */
    /* PDU-type bytes and the three-byte length field that precede it,      */
    /* hence the 5 byte adjustment (a 405-byte CI carries 400 in the field).*/
    wireLen = totalLen - 5;

    TRC_NRM((TB, _T("CI total length:%u (data:%u) (hc:%u user-data:%u)"),
             totalLen,
             wireLen,
             sizeof(ciHeader),
             _MCS.userDataLength));

    /* Both conditions are checked only through TRC_ASSERT.                 */
    /* NOTE(review): if TRC_ASSERT compiles out in retail builds, a wireLen */
    /* above 0xFFFF is silently truncated by the DCUINT16 cast below and a  */
    /* malformed PDU goes on the wire - confirm against TRC_ASSERT's        */
    /* definition.                                                          */
    TRC_ASSERT((wireLen <= MCS_MAX_SNDPKT_LENGTH),
               (TB, _T("Datalength out of range: %u"), wireLen));
    TRC_ASSERT((_MCS.pReceivedPacket != NULL), (TB, _T("Null rcv packet buffer")));

    /* Patch the two length fields into the header.  MCSLocalToWire16       */
    /* presumably converts to network byte order - the captured PDU shows   */
    /* the 400-byte length as the bytes 01 90.                              */
    ciHeader.length   = MCSLocalToWire16((DCUINT16)wireLen);
    ciHeader.udLength = MCSLocalToWire16((DCUINT16)_MCS.userDataLength);

    /* Ask XT for a private buffer of exactly totalLen bytes.  The copies   */
    /* below are sized from the same fields, so they stay inside it as      */
    /* long as _MCS.userDataLength is not changed in between.               */
    gotBuffer = _pXt->XT_GetPrivateBuffer(totalLen, &pBuf, &xtHandle);
    if (!gotBuffer)
    {
        /* XT refuses a buffer only once TD has already disconnected while  */
        /* the layers above were still connecting; nothing more to do.      */
        TRC_NRM((TB, _T("Failed to get a private buffer - just quit")));
        DC_QUIT;
    }

    /* Header first, then the user data immediately after it.               */
    DC_MEMCPY(pBuf, &ciHeader, sizeof(ciHeader));
    DC_MEMCPY((pBuf + sizeof(ciHeader)),
              _MCS.pReceivedPacket,
              _MCS.userDataLength);

    TRC_DATA_NRM("Connect-Initial PDU", pBuf, totalLen);

    /* Hand the buffer to XT for sending; if all goes well a                */
    /* Connect-Response PDU arrives shortly.                                */
    _pXt->XT_SendBuffer(pBuf, totalLen, xtHandle);

DC_EXIT_POINT:
    DC_END_FN();
} /* MCSSendConnectInitial */
1: kd> p
mstscax!CMCS::MCSSendConnectInitial+0x1b6:
001b:5d03a926 c74580e801f35c  mov     dword ptr [ebp-80h],offset mstscax!__filename (5cf301e8)
1: kd> p
mstscax!CMCS::MCSSendConnectInitial+0x1bd:
001b:5d03a92d e84e5e0900      call    mstscax!TRC_ProfileTraceEnabled (5d0d0780)
1: kd> t
mstscax!TRC_ProfileTraceEnabled:
001b:5d0d0780 55              push    ebp
1: kd> x mstscax!trcpConfig
5d0f4070          mstscax!trcpConfig = 0x00a50000
1: kd> dx -r1 ((mstscax!tagTRC_CONFIG *)0xa50000)
((mstscax!tagTRC_CONFIG *)0xa50000)                 : 0xa50000 [Type: tagTRC_CONFIG *]
[+0x000] traceLevel       : 0x3 [Type: unsigned long]
[+0x004] dataTruncSize    : 0x40 [Type: unsigned long]
[+0x008] funcNameLength   : 0xc [Type: unsigned long]
[+0x00c] components       : 0xfffffc1f [Type: unsigned long]
[+0x010] maxFileSize      : 0x186a0 [Type: unsigned long]
[+0x014] flags            : 0x388 [Type: unsigned long]
[+0x018] prefixList       [Type: unsigned short [100]]
[+0x0e0] fileNames        [Type: unsigned short [2][260]]
1: kd> x mstscax!trcpConfig
5d0f4070          mstscax!trcpConfig = 0x00a50000
1: kd> dx -r1 ((mstscax!tagTRC_CONFIG *)0xa50000)
((mstscax!tagTRC_CONFIG *)0xa50000)                 : 0xa50000 [Type: tagTRC_CONFIG *]
[+0x000] traceLevel       : 0x3 [Type: unsigned long]
[+0x004] dataTruncSize    : 0x40 [Type: unsigned long]
[+0x008] funcNameLength   : 0xc [Type: unsigned long]
[+0x00c] components       : 0xfffffc1f [Type: unsigned long]
[+0x010] maxFileSize      : 0x186a0 [Type: unsigned long]
[+0x014] flags            : 0x388 [Type: unsigned long]
[+0x018] prefixList       [Type: unsigned short [100]]
[+0x0e0] fileNames        [Type: unsigned short [2][260]]
1: kd> ed 0xa50000 1
1: kd> ed 0xa50000+14 3a8
1: kd> dx -r1 ((mstscax!tagTRC_CONFIG *)0xa50000)
((mstscax!tagTRC_CONFIG *)0xa50000)                 : 0xa50000 [Type: tagTRC_CONFIG *]
[+0x000] traceLevel       : 0x1 [Type: unsigned long]
[+0x004] dataTruncSize    : 0x40 [Type: unsigned long]
[+0x008] funcNameLength   : 0xc [Type: unsigned long]
[+0x00c] components       : 0xfffffc1f [Type: unsigned long]
[+0x010] maxFileSize      : 0x186a0 [Type: unsigned long]
[+0x014] flags            : 0x3a8 [Type: unsigned long]
[+0x018] prefixList       [Type: unsigned short [100]]
[+0x0e0] fileNames        [Type: unsigned short [2][260]]
0: kd> g
18:41:29.35 079c:01e4 MCSSendConne 0039 Enter {
18:41:29.37 079c:01e4 MCSSendConne 0057 CI total length:405 (data:400) (hc:102 user-data:303)
18:41:29.37 079c:01e4 TD_GetPrivat 0454 Enter {
18:41:29.37 079c:01e4 TD_GetPrivat 0514 Exit  }
18:41:29.37 079c:01e4 MCSSendConne 0106 Connect-Initial PDU
18:41:29.37 079c:01e4 XT_SendBuffe 0087 Enter {
18:41:29.37 079c:01e4 TD_SendBuffe 0537 Enter {
18:41:29.37 079c:01e4 TDFlushSendQ 1181 Enter {
Breakpoint 16 hit
WS2_32!send:
001b:7056b0f0 55              push    ebp
1: kd> kc
#
00 WS2_32!send
01 WS2_32!DTHOOK_send
02 mstscax!CTD::TDFlushSendQueue
03 mstscax!CTD::TD_SendBuffer
04 mstscax!CXT::XT_SendBuffer
05 mstscax!CMCS::MCSSendConnectInitial
06 mstscax!CMCS::MACROGENERATED_Static_MCSSendConnectInitial
07 mstscax!CCD::CDWndProc
08 mstscax!CCD::CDStaticWndProc
09 USER32!InternalCallWinProc
0a USER32!UserCallWinProcCheckWow
0b USER32!DispatchMessageWorker
0c USER32!DispatchMessageW
0d mstscax!CSND::SND_Main
0e mstscax!CSND::SND_StaticMain
0f mstscax!CUT::UTStaticThreadEntry
10 mstscax!_threadstartex
11 kernel32!BaseThreadStart
1: kd> !handle 0000030c
PROCESS 8969a8e8  SessionId: 0  Cid: 079c    Peb: 7ffdf000  ParentCid: 07e4
DirBase: 77609000  ObjectTable: e1260120  HandleCount: 115.
Image: mstsc.exe
Handle table at e1260120 with 115 entries in use
030c: Object: 89271140  GrantedAccess: 0016019f (Inherit) Entry: e1130618
Object: 89271140  Type: (89df9710) File
ObjectHeader: 89271128 (old version)
HandleCount: 1  PointerCount: 2
Directory Object: 00000000  Name: \Endpoint {Afd}
1: kd> db 000a5400
000a5400  03 00 01 9c 02 f0 80 7f-65 82 01 90 04 01 01 04  ........e.......
000a5410  01 01 01 01 ff 30 19 02-01 22 02 01 02 02 01 00  .....0..."......
000a5420  02 01 01 02 01 00 02 01-01 02 02 ff ff 02 01 02  ................
000a5430  30 19 02 01 01 02 01 01-02 01 01 02 01 01 02 01  0...............
000a5440  00 02 01 01 02 02 04 20-02 01 02 30 1c 02 02 ff  ....... ...0....
000a5450  ff 02 02 fc 17 02 02 ff-ff 02 01 01 02 01 00 02  ................
000a5460  01 01 02 02 ff ff 02 01-02 04 82 01 2f 00 05 00  ............/...
000a5470  14 7c 00 01 81 26 00 08-00 10 00 01 c0 00 44 75  .|...&........Du
