rdpwsx!TSrvInitWD函数分析到rdpwd!WDWConfConnect
rdpwsx!TSrvInitWD函数分析到rdpwd!WDWConfConnect
21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWD entry
21:19:13.843 892CDCFC.E13610C8 GCC: mcsCallback exit - 0x0
21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing WDTShare connection info exchange
21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWDConnectInfo entry
21:19:13.843 892767D4.E11B61D0 TShrSRV: Allocated 0x80 bytes to recieve WDTShare return data
21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing connect (size=128)
21:19:13.843 892CDCFC.E13610C8 TermDD: IcaReferenceChannel: cc 5, vc 31, ref 1
21:19:13.859 892767D4.E11B61D0 TermDD: IcaDeviceControlStack, fc 2304 (enter)
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0489 IOCTL_TSHARE_CONF_CONNECT (2304)
21:19:13.859 892CDCFC.E13610C8 TermDD: IcaDefeferenceChannel: cc 5, vc 31, ref 2
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0816 Got TSHARE_CONF_CONNECT IOCtl
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1484 GCC_H221_NONSTANDARD_KEY
44 75 63 61 Duca
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1615 Our client's User Data
01 C0 D4 00 04 00 08 00 40 06 38 04 01 CA 03 AA ........@.8.....
04 08 00 00 CE 0E 00 00 4F 00 53 00 2D 00 32 00 ........O.S.-.2.
30 00 32 00 35 00 30 00 37 00 30 00 31 00 58 00 0.2.5.0.7.0.1.X.
45 00 42 00 4C 00 00 00 04 00 00 00 00 00 00 00 E.B.L...........
0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 CA 01 00 00 00 00 00 18 00 07 00 ................
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 04 C0 0C 00 0D 00 00 00 00 00 00 00 ................
02 C0 0C 00 1B 00 00 00 00 00 00 00 03 C0 2C 00 ..............,.
03 00 00 00 72 64 70 64 72 00 00 00 00 00 80 80 ....rdpdr.......
63 6C 69 70 72 64 72 00 00 00 A0 C0 72 64 70 73 cliprdr.....rdps
6E 64 00 00 00 00 00 C0 nd......
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1631 Core data
01 C0 D4 00 04 00 08 00 40 06 38 04 01 CA 03 AA ........@.8.....
04 08 00 00 CE 0E 00 00 4F 00 53 00 2D 00 32 00 ........O.S.-.2.
30 00 32 00 35 00 30 00 37 00 30 00 31 00 58 00 0.2.5.0.7.0.1.X.
45 00 42 00 4C 00 00 00 04 00 00 00 00 00 00 00 E.B.L...........
0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 CA 01 00 00 00 00 00 18 00 07 00 ................
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 ....
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1674 Cluster data
04 C0 0C 00 0D 00 00 00 00 00 00 00 ............
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1650 Security data
02 C0 0C 00 1B 00 00 00 00 00 00 00 ............
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1662 Net data
03 C0 2C 00 03 00 00 00 72 64 70 64 72 00 00 00 ..,.....rdpdr...
00 00 80 80 63 6C 69 70 72 64 72 00 00 00 A0 C0 ....cliprdr.....
72 64 70 73 6E 64 00 00 00 00 00 C0 rdpsnd......
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0305 Client version is 0x80004
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0328 ErrorInfoPDU supported = 1
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0346 Client requests color depth 24, server limit 16
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0350 Limiting requested color depth...
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0374 Restricted requested color depth 24 to 16
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0431 16 BPP (565)
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWConnect 0502 Client supports load balance redirection
RDPWD: New: ShareClass at E88E0A90, size=1392
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 WDWNewShareC 2528 Created Share Class
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0234 encryption level is 2
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0265 Encrypting
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0308 Encryption methods supported 0000001b: Level 2
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Init 0365 Set state from SM_STATE_STARTED to SM_STATE_INITIALIZED
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0500 Client supports encryption: 1b
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0502 Server supports encryption: 1b
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0639 Encryption Method=2, Level=2, Display=1
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0650 Init Fips succeed
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0689 Set state from SM_STATE_INITIALIZED to SM_STATE_NM_CONNECTING
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 SM_Connect 0691 Connect to Network Manager
21:19:13.875 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0181 Net User Data
03 C0 2C 00 03 00 00 00 72 64 70 64 72 00 00 00 ..,.....rdpdr...
00 00 80 80 63 6C 69 70 72 64 72 00 00 00 A0 C0 ....cliprdr.....
72 64 70 73 6E 64 00 00 00 00 00 C0 rdpsnd......
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0185 Protocol version 0x80004 (0x8/0x4)
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0247 Channel 0 (was 0): rdpdr
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0247 Channel 1 (was 1): cliprdr
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0247 Channel 2 (was 2): rdpsnd
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0289 Attach User
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0303 AttachUser OK, hUser E88724C8
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0312 Attached as user 3ea, hUser E88724C8
21:19:13.890 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0336 Joined broadcast channel 3eb (hChannel E167E190) OK
21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0356 Joined user channel (hChannel E8872614) OK
21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0394 Joined VC 0: 1004 (hChannel E1189EA0)
21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0394 Joined VC 1: 1005 (hChannel E167E148)
21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0394 Joined VC 2: 1006 (hChannel E118F638)
21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0419 Copy 3 channels to user data out
21:19:13.906 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0428 Channel 0 (0) = 0x3ec
21:19:13.921 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0428 Channel 1 (1) = 0x3ed
21:19:13.921 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0428 Channel 2 (2) = 0x3ee
21:19:13.921 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0434 Tell SM we're connecting
21:19:13.921 892767D4.E11B61D0 RDP E10C2010 SM_OnConnect 0117 Connected OK as user 3ea
21:19:13.921 892767D4.E11B61D0 RDP E10C2010 SM_OnConnect 0132 Set state from SM_STATE_NM_CONNECTING to SM_STATE_SM_CONNECTING
21:19:13.921 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0677 pOutData at 00D76148
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0711 Key octet at 00D76168 (offs 00000020)
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0719 Data octet pointer at 00D7616C (offs 00000024)
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0733 Core data at 00D76174 (offs 0000002C)
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0738 Net data at 00D7617C (offs 00000034)
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0747 Sec data at 00D7618C (offs 00000044)
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0757 Build 80 bytes of returned user data
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 WDW_OnSMConn 0758 Returned user data
50 00 00 00 04 00 08 00 98 5C D7 00 01 00 00 00 P........\......
02 00 00 00 04 00 00 00 20 00 00 00 24 00 00 00 ........ ...$...
4D 63 44 6E 24 00 00 10 2C 00 00 00 01 0C 08 00 McDn$...,.......
04 00 08 00 03 0C 10 00 EB 03 03 00 EC 03 ED 03 ................
EE 03 00 00 02 0C 0C 00 02 00 00 00 02 00 00 00 ................
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 SM_OnConnect 0142 Free user data
21:19:13.937 892767D4.E11B61D0 RDP E10C2010 NM_Connect 0451 Free user data
21:19:13.937 892767D4.E11B61D0 TermDD: IcaDeviceControlStack, fc 2304, 0x0
21:19:13.937 892767D4.E11B61D0 TShrSRV: TSrvInitWDConnectInfo exit - 0x0
21:19:13.937 892767D4.E11B61D0 TShrSRV: TSrvInitWD exit - 0x0
21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWD entry
21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing WDTShare connection info exchange
NTSTATUS
TSrvInitWD(IN PTSRVINFO pTSrvInfo, IN OUT PUSERDATAINFO *ppUserDataInfo)
{
    // Secure-data pointer handed back by TSrvInitWDConnectInfo. This caller
    // asks for it (bGetCert == TRUE) but never reads it afterwards.
    // NOTE(review): confirm whether anything it points to needs freeing here.
    PVOID pSecData = NULL;
    NTSTATUS ntStatus;

    TRACE((DEBUG_TSHRSRV_FLOW, "TShrSRV: TSrvInitWD entry\n"));
    TRACE((DEBUG_TSHRSRV_NORMAL,
           "TShrSRV: Performing WDTShare connection info exchange\n"));

    // Forward the client's GCC user data (pTSrvInfo->pUserDataInfo) to the WD
    // with IOCTL_TSHARE_CONF_CONNECT and receive the WD's return user data in
    // *ppUserDataInfo. No shadow module data is supplied on this path
    // (NULL / 0), so the helper takes the standard-connection branch.
    ntStatus = TSrvInitWDConnectInfo(pTSrvInfo->hStack, pTSrvInfo,
                                     ppUserDataInfo, IOCTL_TSHARE_CONF_CONNECT,
                                     NULL, 0, TRUE, &pSecData);

    // Failure is only traced here; the status itself is passed straight back
    // to the caller, who decides what to do with the session.
    if (!NT_SUCCESS(ntStatus)) {
        TRACE((DEBUG_TSHRSRV_DEBUG,
               "TShrSRV: WDTShare connection info exchange unsuccessful - 0x%x\n",
               ntStatus));
    }

    TRACE((DEBUG_TSHRSRV_FLOW, "TShrSRV: TSrvInitWD exit - 0x%x\n", ntStatus));
    return ntStatus;
}
#define IOCTL_TSHARE_CONF_CONNECT _ICA_CTL_CODE(0x900, METHOD_NEITHER)
1: kd> ?0x900
Evaluate expression: 2304 = 00000900
21:19:13.843 892767D4.E11B61D0 TShrSRV: TSrvInitWDConnectInfo entry
21:19:13.843 892767D4.E11B61D0 TShrSRV: Allocated 0x80 bytes to recieve WDTShare return data
21:19:13.843 892767D4.E11B61D0 TShrSRV: Performing connect (size=128)
NTSTATUS
TSrvInitWDConnectInfo(IN HANDLE hStack,
IN PTSRVINFO pTSrvInfo,
IN OUT PUSERDATAINFO *ppUserDataInfo,
IN ULONG ioctl,
IN PBYTE pModuleData,
IN ULONG cbModuleData,
IN BOOLEAN bGetCert,
OUT PVOID *ppSecInfo)
{
int i;
ULONG ulInBufferSize;
ULONG ulBytesReturned;
PUSERDATAINFO pUserDataInfo;
PUSERDATAINFO pUserDataInfo2;
NTSTATUS ntStatus;
TRACE((DEBUG_TSHRSRV_FLOW,
"TShrSRV: TSrvInitWDConnectInfo entry\n"));
// For a standard connection we receive client user data as part of the
// GCC connection request. Shadow connections are initiated via RPC and
// the input buffer contains the format sent by the other TS.
if (ioctl == IOCTL_TSHARE_CONF_CONNECT) {
TS_ASSERT(pTSrvInfo->pUserDataInfo);
TS_ASSERT(pTSrvInfo->pUserDataInfo->cbSize);
}
// Allocate a block of memory to receive return UserData from
// WDTShare. This data will subsequently be sent to the client
// via TSrvConfCreateResp.
pUserDataInfo = TSHeapAlloc(0, 128, TS_HTAG_TSS_USERDATA_OUT);
if (pUserDataInfo != NULL) {
// Set the UserData cbSize element. This is so that WDTShare can
// determine if there is sufficient space available to place the
// return data into
pUserDataInfo->cbSize = 128 ;
TRACE((DEBUG_TSHRSRV_DETAIL,
"TShrSRV: Allocated 0x%x bytes to recieve WDTShare return data\n",
pUserDataInfo->cbSize));
// Exchange UserData with WDTShare. If the provided output buffer
// (pUserDataInfo) is large enough then the data will be exchanged
// in one call. If the buffer is not large enough, then it is up to
// WDTShare to tell TShareSRV how to react. For general errors we
// just exit. For STATUS_BUFFER_TOO_SMALL errors, TShareSrv looks at
// the returned cbSize to determine how to adjust the buffer. If
// WDTShare did not increase the cbSize then TShareSrv will increase
// it by a default amount (128 bytes). TShareSrv will use the new value
// to reallocate the output buffer and try the WDTShare call again.
// (Note that TShareSrv will only try this a max of 20 times)
for (i = 0; i < 20; i++) {
TRACE((DEBUG_TSHRSRV_NORMAL, "TShrSRV: Performing connect (size=%ld)\n",
pUserDataInfo->cbSize));
ulBytesReturned = 0;
// Pass the actual client user data to the WD
if (ioctl == IOCTL_TSHARE_CONF_CONNECT) {
ntStatus = IcaStackIoControl(hStack,
ioctl,
pTSrvInfo->pUserDataInfo,
pTSrvInfo->pUserDataInfo->cbSize,
pUserDataInfo,
pUserDataInfo->cbSize,
&ulBytesReturned);
}
// Pass the shadow module data to the WD
else {
ntStatus = IcaStackIoControl(hStack,
ioctl,
pModuleData,
cbModuleData,
pUserDataInfo,
pUserDataInfo->cbSize,
&ulBytesReturned);
#define IOCTL_TSHARE_CONF_CONNECT _ICA_CTL_CODE(0x900, METHOD_NEITHER)
1: kd> ?0x900
Evaluate expression: 2304 = 00000900
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0489 IOCTL_TSHARE_CONF_CONNECT (2304)
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0816 Got TSHARE_CONF_CONNECT IOCtl
NTSTATUS WD_Ioctl(PTSHARE_WD pTSWd, PSD_IOCTL pSdIoctl)
{
NTSTATUS status = STATUS_SUCCESS;
UINT32 bufferLen;
unsigned fn;
PVIDEO_MODE_INFORMATION pVidInfo;
DC_BEGIN_FN("WD_Ioctl");
else {
// Non-perf path IOCTLs.
fn = WDW_IOCTL_FUNCTION(pSdIoctl->IoControlCode);
TRC_NRM((TB, "%s (%d)",
fn == 0x900 ? "IOCTL_TSHARE_CONF_CONNECT" :
fn));
}
case IOCTL_TSHARE_CONF_CONNECT:
{
TRC_NRM((TB, "Got TSHARE_CONF_CONNECT IOCtl"));
status = WDWConfConnect(pTSWd, pSdIoctl);
}
break;
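/*
 * WDWConfConnect - handle IOCTL_TSHARE_CONF_CONNECT from TShareSRV.
 *
 * pSdIoctl->InputBuffer carries the client's GCC user data: a USERDATAINFO
 * header (cbSize) followed by the core / security / net / cluster blocks that
 * WDWParseUserData extracts. pSdIoctl->OutputBuffer is the buffer TShareSRV
 * allocated for the user data to be returned to the client.
 *
 * Returns STATUS_SUCCESS (or whatever WDWConnect returns) on a completed
 * connect, STATUS_BUFFER_TOO_SMALL when the output buffer is absent or too
 * small (the required size is written back into its cbSize when possible so
 * the caller can reallocate and retry), and STATUS_UNSUCCESSFUL when the
 * input is malformed, after WDW_LogAndDisconnect has been called.
 */
NTSTATUS WDWConfConnect(PTSHARE_WD pTSWd, PSD_IOCTL pSdIoctl)
{
    NTSTATUS status = STATUS_SUCCESS;
    unsigned DataLen;
    PUSERDATAINFO pInUserData;
    PUSERDATAINFO pOutUserData;
    PRNS_UD_CS_CORE pClientCoreData;
    PRNS_UD_CS_SEC pClientSecurityData;
    PRNS_UD_CS_NET pClientNetData;
    PTS_UD_CS_CLUSTER pClientClusterData;

    DC_BEGIN_FN("WDWConfConnect");

    // Input validation. DataLen is the length reported by the I/O path and is
    // the only size we trust; everything inside the buffer, including the
    // client-supplied cbSize, is attacker-controlled. Reject anything that
    // would let a later parse read beyond DataLen.
    // NOTE(review): InputBuffer itself is not NULL-checked here, unlike
    // OutputBuffer below — confirm the caller guarantees a non-NULL input
    // buffer whenever InputBufferLength is non-zero.
    DataLen = pSdIoctl->InputBufferLength;
    if (sizeof(USERDATAINFO) > DataLen) {
        TRC_ERR((TB, "Apparent attack via user data, size %u too small for UD hdr",
                 DataLen));
        WDW_LogAndDisconnect(pTSWd, TRUE, Log_RDP_BadUserData,
                             pSdIoctl->InputBuffer, DataLen);
        status = STATUS_UNSUCCESSFUL;
        DC_QUIT;
    }

    pInUserData = (PUSERDATAINFO)pSdIoctl->InputBuffer;
    if (pInUserData->cbSize > DataLen) {
        // Trace the client-supplied cbSize itself so the log shows the
        // offending value (tracing the comparison would always print 1).
        TRC_ERR((TB, "Apparent attack via user data, the cbSize is set to a length bigger then the total buffer %u",
                 pInUserData->cbSize));
        WDW_LogAndDisconnect(pTSWd, TRUE, Log_RDP_BadUserData,
                             pSdIoctl->InputBuffer, DataLen);
        status = STATUS_UNSUCCESSFUL;
        DC_QUIT;
    }
    // A cbSize smaller than the header is not rejected here; the parser below
    // is given DataLen rather than cbSize as its bound — TODO confirm
    // WDWParseUserData tolerates that case.

    // Output validation. If the buffer is missing or shorter than
    // MIN_USERDATAINFO_SIZE we cannot even write a required size back into
    // it, so fail without touching it.
    if ((pSdIoctl->OutputBuffer == NULL) ||
        (pSdIoctl->OutputBufferLength < MIN_USERDATAINFO_SIZE)) {
        TRC_ERR((TB, "No Out Buffer on TSHARE_CONF_CONNECT."));
        status = STATUS_BUFFER_TOO_SMALL;
        DC_QUIT;
    }

    pOutUserData = (PUSERDATAINFO)pSdIoctl->OutputBuffer;
    if (pOutUserData->cbSize < MIN_USERDATAINFO_SIZE) {
        // The buffer exists but the size TShareSRV advertised in cbSize is too
        // small: write back what we need so the caller can reallocate and
        // re-issue the IOCTL.
        pOutUserData->cbSize = MIN_USERDATAINFO_SIZE;
        TRC_ERR((TB, "Telling TShareSRV to have another go with %d",
                 MIN_USERDATAINFO_SIZE));
        status = STATUS_BUFFER_TOO_SMALL;
        DC_QUIT;
    }

    // Parse the (now header-validated) input into its component blocks and,
    // on success, drive the actual connect.
    if (WDWParseUserData(pTSWd, pInUserData, DataLen,
                         NULL, 0, &pClientCoreData, &pClientSecurityData,
                         &pClientNetData, &pClientClusterData)) {
        status = WDWConnect(pTSWd, pClientCoreData, pClientSecurityData,
                            pClientNetData, pClientClusterData, pSdIoctl, FALSE);
    }
    else {
        status = STATUS_UNSUCCESSFUL;
        TRC_ERR((TB, "Could not parse the user data successfully"));
    }

DC_EXIT_POINT:
    DC_END_FN();
    return status;
} /* WDWConfConnect */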
