IoControlCode=20 (IOCTL_ICA_STACK_CONNECTION_SEND) 分析
第-2部分 (用户态 ICAAPI!IcaStackConnectionAccept，由 termsrv 的 WinStationTransferThread 调用):
NTSTATUS
IcaStackConnectionAccept( IN HANDLE hIca,
IN HANDLE pContext,
IN PWINSTATIONNAME pWinStationName,
IN PWINSTATIONCONFIG2 pWinStationConfig,
IN PVOID pEndpoint,
IN ULONG EndpointLength,
IN PICA_STACK_STATE_HEADER pStackState,
IN ULONG BufferLength,
IN PICA_TRACE pTrace )
{
/*
* Send host module data to client
*/
Status = _IcaStackIoControl( pStack,
IOCTL_ICA_STACK_CONNECTION_SEND,
NULL,
0,
NULL,
0,
NULL );
if ( !NT_SUCCESS(Status) )
goto badaccept;
TRACESTACK(( pContext, TC_ICAAPI, TT_API1, "TSAPI: IcaStackConnectionAccept, success\n" ));
第-1部分 (内核态 RDPWD!WD_Ioctl，经 termdd!IcaCallNextDriver 向下传递):
NTSTATUS WD_Ioctl(PTSHARE_WD pTSWd, PSD_IOCTL pSdIoctl)
{
case IOCTL_ICA_STACK_CONNECTION_SEND :
{
// Wait for the connected indication from SM.
TRC_DBG((TB, "About to wait for connected indication"));
status = WDW_WaitForConnectionEvent(pTSWd,
pTSWd->pConnEvent, 60000);
TRC_DBG((TB, "Back from wait for connected indication"));
if (status != STATUS_SUCCESS) {
TRC_ERR((TB, "Connected indication timed out (%x)",
status));
status = STATUS_IO_TIMEOUT;
DC_QUIT;
}
// Pass the IOCtl on to the next driver.
status = IcaCallNextDriver(pTSWd->pContext, SD$IOCTL, pSdIoctl);
}
break;
第0部分 (内核态 TDTCP!TdIoctl，传输驱动):
NTSTATUS TdIoctl(PTD pTd, PSD_IOCTL pSdIoctl)
{
case IOCTL_ICA_STACK_CONNECTION_SEND :
Status = StackConnectionSend(pTd, pSdIoctl);
break;
21:19:14.000 892767D4.E11B61D0 TERMSRV: Enter WsxIcaIoControl, IoControlCode=20
Breakpoint 19 hit
rdpwsx!WsxIcaStackIoControl:
001b:70fbf35c 55 push ebp
0: kd> g
21:19:14.000 892767D4.E11B61D0 TShrSRV: WsxIcaStackIoControl entry
21:19:14.000 892767D4.E11B61D0 TShrSRV: 00D75938:00D75C00 IoctlDetail: Ioctl 0x380053 (IOCTL_ICA_STACK_CONNECTION_SEND)
21:19:14.000 892767D4.E11B61D0 TShrSRV: pvContext=00D75938, hIca=0000041C, hStack=000E27A8
21:19:14.000 892767D4.E11B61D0 TShrSRV: pInBuffer=00000000, InBufferSize=0x0, pOutBuffer=00000000, OutBufferSize=0x0
21:19:14.000 892767D4.E11B61D0 TermDD: IcaDeviceControlStack, fc 20 (enter)
21:19:14.000 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0489 IOCTL_ICA_STACK_CONNECTION_SEND (20)
21:19:14.000 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 1014 About to wait for connected indication
21:19:14.000 892767D4.E11B61D0 TermDD: IcaWaitForMultipleObjects, 60000 (enter)
21:19:14.000 892767D4.E11B61D0 RDP E10C2010 WDW_WaitForC 0920 Primary event hit
21:19:14.000 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 1017 Back from wait for connected indication
21:19:14.000 892767D4.E11B61D0 TermDD: IcaCallNextDriver, ProcIndex=5 (enter)
Breakpoint 21 hit
TDTCP!TdIoctl:
b9894ec2 55 push ebp
1: kd> kc
#
00 TDTCP!TdIoctl
01 termdd!_IcaCallSd
02 termdd!IcaCallNextDriver
03 RDPWD!WD_Ioctl
04 termdd!_IcaCallSd
05 termdd!_IcaCallStack
06 termdd!IcaDeviceControlStack
07 termdd!IcaDeviceControl
08 termdd!IcaDispatch
09 nt!IofCallDriver
0a nt!IopSynchronousServiceTail
0b nt!IopXxxControlFile
0c nt!NtDeviceIoControlFile
0d nt!_KiSystemService
0e SharedUserData!SystemCallStub
0f ntdll!NtDeviceIoControlFile
10 ICAAPI!IcaIoControl
11 ICAAPI!_IcaStackIoControlWorker
12 ICAAPI!IcaStackIoControl
13 rdpwsx!WsxIcaStackIoControl
14 termsrv!WsxStackIoControl
15 ICAAPI!_IcaStackIoControl
16 ICAAPI!IcaStackConnectionAccept
17 termsrv!TransferConnectionToIdleWinStation
18 termsrv!WinStationTransferThread
19 kernel32!BaseThreadStart
case IOCTL_ICA_STACK_CONNECTION_SEND :
Status = StackConnectionSend(pTd, pSdIoctl);
break;
Breakpoint 22 hit
TDTCP!StackConnectionSend:
b9896504 55 push ebp
/*******************************************************************************
 * DeviceConnectionSend
 *
 * Fill in the host-module data structure that is later sent to the client.
 * The TCP transport has nothing of its own to add and delegates entirely to
 * its TDI layer.
 *
 * pTd - transport driver instance whose client structure is initialised.
 *
 * Returns whatever status TdiDeviceConnectionSend reports.
 ******************************************************************************/
NTSTATUS DeviceConnectionSend(PTD pTd)
{
    NTSTATUS Status;

    /* The TDI layer owns the host version fields; just forward the call. */
    Status = TdiDeviceConnectionSend(pTd);

    return Status;
}
/*******************************************************************************
 * TdiDeviceConnectionSend
 *
 * Record the host-side TD version numbers in the per-connection client
 * module structure. Per DeviceConnectionSend's header comment this structure
 * is sent to the remote client, so anything written here is disclosed to the
 * peer.
 *
 * pTd - transport driver instance; pTd->pClient must already be allocated,
 *       it is dereferenced here without a NULL check.
 *
 * Returns STATUS_SUCCESS unconditionally.
 ******************************************************************************/
NTSTATUS
TdiDeviceConnectionSend( PTD pTd )
{
    PCLIENTMODULES pModules = pTd->pClient;

    /*
     * Advertise the TDTCP host version. Both TdVersionH and TdVersion receive
     * the "high" constant; NOTE(review): confirm TdVersion is meant to carry
     * VERSION_HOSTH_TDTCP rather than some combined low/high value.
     */
    pModules->TdVersionL = VERSION_HOSTL_TDTCP;
    pModules->TdVersionH = VERSION_HOSTH_TDTCP;
    pModules->TdVersion  = VERSION_HOSTH_TDTCP;

    return STATUS_SUCCESS;
}
1: kd> dv
pTd = 0x892d16d8
1: kd> dx -id 0,0,ffffffff89656928 -r1 ((TDTCP!_TD *)0x892d16d8)
((TDTCP!_TD *)0x892d16d8) : 0x892d16d8 [Type: _TD *]
[+0x000] pContext : 0x8960d4b4 [Type: _SDCONTEXT *]
[+0x004] PdFlag : 0x4e [Type: unsigned long]
[+0x008] SdClass : SdNetwork (2) [Type: _SDCLASS]
[+0x00c] Params [Type: _PDPARAMSW]
[+0x244] pClient : 0x892a6a88 [Type: _CLIENTMODULES *]
[+0x248] pStatus : 0x892a6be8 [Type: _PROTOCOLSTATUS *]
[+0x24c] pFileObject : 0x89312db8 [Type: _FILE_OBJECT *]
[+0x250] pDeviceObject : 0x89ad7038 : Device for "\Driver\Tcpip" [Type: _DEVICE_OBJECT *]
[+0x254] LastError : 0x0 [Type: unsigned long]
[+0x258] ReadErrorCount : 0x0 [Type: unsigned long]
[+0x25c] ReadErrorThreshold : 0x0 [Type: unsigned long]
[+0x260] WriteErrorCount : 0x0 [Type: unsigned long]
[+0x264] WriteErrorThreshold : 0x0 [Type: unsigned long]
[+0x268] ZeroByteReadCount : 0x0 [Type: unsigned long]
[+0x26c] PortNumber : 0xd3d [Type: unsigned long]
[+0x270] OutBufHeader : 0x0 [Type: unsigned long]
[+0x274] OutBufTrailer : 0x0 [Type: unsigned long]
[+0x278] OutBufLength : 0x212 [Type: unsigned long]
[+0x27c] IoBusyOutBuf [Type: _LIST_ENTRY]
[+0x284] SyncWriteEvent [Type: _KEVENT]
[+0x294] pInputThread : 0x895f6798 [Type: _KTHREAD *]
[+0x298] InBufCount : 1 [Type: long]
[+0x29c] InBufListLock : 0x0 [Type: unsigned long]
[+0x2a0] InBufBusyHead [Type: _LIST_ENTRY]
[+0x2a8] InBufDoneHead [Type: _LIST_ENTRY]
[+0x2b0] InBufHeader : 0x0 [Type: unsigned long]
[+0x2b4] InputEvent [Type: _KEVENT]
[+0x2c4 ( 0: 0)] fClosing : 0x0 [Type: unsigned long]
[+0x2c4 ( 1: 1)] fCallbackInProgress : 0x0 [Type: unsigned long]
[+0x2c4 ( 2: 2)] fSyncWriteWaiter : 0x0 [Type: unsigned long]
[+0x2c8] pPrivate : 0x0 [Type: void *]
[+0x2cc] pAfd : 0x8936ac78 [Type: void *]
[+0x2d0] WorkItemHead [Type: _LIST_ENTRY]
[+0x2d8] pSelfDeviceObject : 0x0 [Type: _DEVICE_OBJECT *]
[+0x2dc] UserBrokenReason : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,ffffffff89656928 -r1 ((TDTCP!_CLIENTMODULES *)0x892a6a88)
((TDTCP!_CLIENTMODULES *)0x892a6a88) : 0x892a6a88 [Type: _CLIENTMODULES *]
[+0x000] pUiModule : 0x0 [Type: unsigned char *]
[+0x004] pUiExtModule [Type: unsigned char * [5]]
[+0x018] pWdModule : 0x0 [Type: unsigned char *]
[+0x01c] pVdModule [Type: unsigned char * [32]]
[+0x09c] pPdModule [Type: unsigned char * [20]]
[+0x0ec] pTdModule : 0x0 [Type: unsigned char *]
[+0x0f0] pPrModule : 0x0 [Type: unsigned char *]
[+0x0f4] pScriptModule : 0x0 [Type: unsigned char *]
[+0x0f8] TextModeCount : 0x0 [Type: unsigned long]
[+0x0fc] pTextModes : 0x0 [Type: _FSTEXTMODE *]
[+0x100 ( 0: 0)] fTextOnly : 0x0 [Type: unsigned long]
[+0x100 ( 1: 1)] fIcaDetected : 0x0 [Type: unsigned long]
[+0x104] pHostWdModule : 0x0 [Type: unsigned char *]
[+0x108] pHostPdModule [Type: unsigned char * [20]]
[+0x158] pHostTdModule : 0x0 [Type: unsigned char *]
[+0x15c] TdVersionL : 0x1 [Type: unsigned char]
[+0x15d] TdVersionH : 0x1 [Type: unsigned char]
[+0x15e] TdVersion : 0x1 [Type: unsigned char]
/*
 * TdIoctl (excerpt): only the trailing trace and return are reproduced here.
 * Status is assigned by the IoControlCode switch that this listing omits; for
 * IOCTL_ICA_STACK_CONNECTION_SEND it is the result of StackConnectionSend.
 */
NTSTATUS TdIoctl(PTD pTd, PSD_IOCTL pSdIoctl)
{
/* Log the control code together with the final status before returning it. */
TRACE((pTd->pContext, TC_TD, TT_API1, "TdIoctl(0x%08x): Status=0x%08x\n",
pSdIoctl->IoControlCode, Status));
return Status;
}
0: kd> g
21:19:14.000 892767D4.E11B61D0 TdIoctl(0x00380053): Status=0x00000000
21:19:14.000 892767D4.E11B61D0 TermDD: IcaDeviceControlStack, fc 20, 0x0
21:19:14.000 892767D4.E11B61D0 TShrSRV: Return from IcaStackIoControl - 0x0
21:19:14.000 892767D4.E11B61D0 TShrSRV: WsxIcaStackIoControl exit - 0x0
21:19:14.000 892767D4.E11B61D0 TSAPI: IcaStackConnectionAccept, success
21:19:14.000 892767D4.E11B61D0 TERMSRV: IcaStackConnectionAccept, Status=0x0
