Analysis of RDPWD!WDWParseUserData: Loop through user data -- very important
Reference (trace log of the connect IOCtl and the parsed user data blocks):
21:19:13.859 892CDCFC.E13610C8 TermDD: IcaDefeferenceChannel: cc 5, vc 31, ref 2
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WD_Ioctl 0816 Got TSHARE_CONF_CONNECT IOCtl
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1484 GCC_H221_NONSTANDARD_KEY
44 75 63 61 Duca
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1615 Our client's User Data
01 C0 D4 00 04 00 08 00 40 06 38 04 01 CA 03 AA ........@.8.....
04 08 00 00 CE 0E 00 00 4F 00 53 00 2D 00 32 00 ........O.S.-.2.
30 00 32 00 35 00 30 00 37 00 30 00 31 00 58 00 0.2.5.0.7.0.1.X.
45 00 42 00 4C 00 00 00 04 00 00 00 00 00 00 00 E.B.L...........
0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 CA 01 00 00 00 00 00 18 00 07 00 ................
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 04 C0 0C 00 0D 00 00 00 00 00 00 00 ................
02 C0 0C 00 1B 00 00 00 00 00 00 00 03 C0 2C 00 ..............,.
03 00 00 00 72 64 70 64 72 00 00 00 00 00 80 80 ....rdpdr.......
63 6C 69 70 72 64 72 00 00 00 A0 C0 72 64 70 73 cliprdr.....rdps
6E 64 00 00 00 00 00 C0 nd......
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1631 Core data
01 C0 D4 00 04 00 08 00 40 06 38 04 01 CA 03 AA ........@.8.....
04 08 00 00 CE 0E 00 00 4F 00 53 00 2D 00 32 00 ........O.S.-.2.
30 00 32 00 35 00 30 00 37 00 30 00 31 00 58 00 0.2.5.0.7.0.1.X.
45 00 42 00 4C 00 00 00 04 00 00 00 00 00 00 00 E.B.L...........
0C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 01 CA 01 00 00 00 00 00 18 00 07 00 ................
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 ....
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1674 Cluster data
04 C0 0C 00 0D 00 00 00 00 00 00 00 ............
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1650 Security data
02 C0 0C 00 1B 00 00 00 00 00 00 00 ............
21:19:13.859 892767D4.E11B61D0 RDP E10C2010 WDWParseUser 1662 Net data
03 C0 2C 00 03 00 00 00 72 64 70 64 72 00 00 00 ..,.....rdpdr...
00 00 80 80 63 6C 69 70 72 64 72 00 00 00 A0 C0 ....cliprdr.....
72 64 70 73 6E 64 00 00 00 00 00 C0 rdpsnd......
Reference (second session: trace log, breakpoint on WDWParseUserData, call stack and arguments):
21:57:02.484 89617F7C.E31087D0 TShrSRV: TSrvInitWD entry
21:57:02.484 89410AD4.E178D118 GCC: mcsCallback exit - 0x0
21:57:02.484 89410AD4.E178D118 TermDD: IcaReferenceChannel: cc 5, vc 31, ref 1
21:57:02.484 89617F7C.E31087D0 TShrSRV: Performing WDTShare connection info exchange
21:57:02.484 89410AD4.E178D118 TermDD: IcaDefeferenceChannel: cc 5, vc 31, ref 2
21:57:02.484 89617F7C.E31087D0 TShrSRV: TSrvInitWDConnectInfo entry
21:57:02.484 89617F7C.E31087D0 TShrSRV: Allocated 0x80 bytes to recieve WDTShare return data
21:57:02.484 89617F7C.E31087D0 TShrSRV: Performing connect (size=128)
21:57:02.484 89617F7C.E31087D0 TermDD: IcaDeviceControlStack, fc 2304 (enter)
21:57:02.484 89617F7C.E31087D0 RDP E1026010 WD_Ioctl 0489 IOCTL_TSHARE_CONF_CONNECT (2304)
21:57:02.484 89617F7C.E31087D0 RDP E1026010 WD_Ioctl 0816 Got TSHARE_CONF_CONNECT IOCtl
Breakpoint 12 hit
RDPWD!WDWParseUserData:
b9d45f20 55 push ebp
0: kd> kc
#
00 RDPWD!WDWParseUserData
01 RDPWD!WDWConfConnect
02 RDPWD!WD_Ioctl
03 termdd!_IcaCallSd
04 termdd!_IcaCallStack
05 termdd!IcaDeviceControlStack
06 termdd!IcaDeviceControl
07 termdd!IcaDispatch
08 nt!IofCallDriver
09 nt!IopSynchronousServiceTail
0a nt!IopXxxControlFile
0b nt!NtDeviceIoControlFile
0c nt!_KiSystemService
0d SharedUserData!SystemCallStub
0e ntdll!NtDeviceIoControlFile
0f icaapi!IcaIoControl
10 icaapi!_IcaStackIoControlWorker
11 icaapi!IcaStackIoControl
12 rdpwsx!TSrvInitWDConnectInfo
13 rdpwsx!TSrvInitWD
14 rdpwsx!TSrvConfCreateResp
15 rdpwsx!TSrvDoConnectResponse
16 rdpwsx!TSrvDoConnect
17 rdpwsx!TSrvStackConnect
18 rdpwsx!WsxIcaStackIoControl
19 termsrv!WsxStackIoControl
1a icaapi!_IcaStackIoControl
1b icaapi!_IcaStackWaitForIca
1c icaapi!IcaStackConnectionAccept
1d termsrv!TransferConnectionToIdleWinStation
1e termsrv!WinStationTransferThread
1f kernel32!BaseThreadStart
0: kd> dv
pTSWd = 0xe1026010
pUserData = 0x00d632f0
UserDataLen = 0x154
pHeader = 0x00000000
cbParsedData = 0
ppClientCoreData = 0xb9c28484
ppClientSecurityData = 0xb9c28488
ppClientNetData = 0xb9c2848c
ppClientClusterData = 0xb9c28474
clientH221Key = char [5] "???"
trc_fn = 0xb9c28be0 "???"
trc_file = 0x00000030 "--- memory read error at address 0x00000030 ---"
dataLen = 0xb9d226b0
success = 0n-1990576696
pStr = 0x895c6ae0 "???"
pClientUserData = 0xb9c28494
__fnname = char [17] "WDWParseUserData"
pEnd = 0x00000000
pOctet = 0xb9d45f21
keyLen = 8
0: kd> dx -r1 ((RDPWD!_USERDATAINFO *)0xd632f0)
((RDPWD!_USERDATAINFO *)0xd632f0) : 0xd632f0 [Type: _USERDATAINFO *]
[+0x000] cbSize : 0x154 [Type: unsigned long]
[+0x004] version : 0x0 [Type: unsigned long]
[+0x008] hDomain : 0xd63f88 [Type: void *]
[+0x00c] ulUserDataMembers : 0x1 [Type: unsigned long]
[+0x010] rgUserData [Type: GCCUserData [1]]
0: kd> dx -r1 (*((RDPWD!GCCUserData (*)[1])0xd63300))
(*((RDPWD!GCCUserData (*)[1])0xd63300)) [Type: GCCUserData [1]]
[0] [Type: GCCUserData]
0: kd> dx -r1 (*((RDPWD!GCCUserData *)0xd63300))
(*((RDPWD!GCCUserData *)0xd63300)) [Type: GCCUserData]
[+0x000] key [Type: GCCObjectKey]
[+0x00c] octet_string : 0x34 [Type: GCCOctetString *]
0: kd> dx -r1 (*((RDPWD!GCCObjectKey *)0xd63300))
(*((RDPWD!GCCObjectKey *)0xd63300)) [Type: GCCObjectKey]
[+0x000] key_type : GCC_H221_NONSTANDARD_KEY (2) [Type: GCCObjectKeyType]
[+0x004] u [Type: __unnamed]
0: kd> dx -r1 (*((RDPWD!__unnamed *)0xd63304))
(*((RDPWD!__unnamed *)0xd63304)) [Type: __unnamed]
[+0x000] object_id [Type: GCCLongString]
[+0x000] h221_non_standard_id [Type: GCCOctetString]
0: kd> dx -r1 (*((RDPWD!GCCOctetString *)0xd63304))
(*((RDPWD!GCCOctetString *)0xd63304)) [Type: GCCOctetString]
[+0x000] octet_string_length : 0x4 [Type: unsigned short]
[+0x004] octet_string : 0x30 : Unable to read memory at Address 0x30 [Type: unsigned char *]
0: kd> dx -r1 ((RDPWD!unsigned char *)0x30)
((RDPWD!unsigned char *)0x30) : 0x30 : Unable to read memory at Address 0x30 [Type: unsigned char *]
Unable to read memory at Address 0x30
0: kd> db 0xd63304
00d63304 04 00 fc 70 30 00 00 00-34 00 00 00 00 00 00 00 ...p0...4.......
00d63314 00 00 00 00 00 00 00 00-00 00 00 00 44 75 63 61 ............Duca
00d63324 18 01 00 00 3c 00 00 00-01 c0 d4 00 04 00 08 00 ....<...........
00d63334 40 06 38 04 01 ca 03 aa-04 08 00 00 ce 0e 00 00 @.8.............
00d63344 57 00 49 00 4e 00 37 00-2d 00 32 00 30 00 32 00 W.I.N.7.-.2.0.2.
00d63354 34 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 4...............
00d63364 04 00 00 00 00 00 00 00-0c 00 00 00 00 00 00 00 ................
00d63374 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
The reads of 0x30 and 0x34 fail because these are not pointers but offsets from the base of the marshalled USERDATAINFO buffer (pUserData = 0xd632f0): 0xd632f0 + 0x30 = 0xd63320 holds the four-byte key "Duca", and 0xd632f0 + 0x34 = 0xd63324 holds the GCCOctetString of the user data itself (octet_string_length = 0x118, octet_string offset = 0x3c), so the TS_UD blocks start at 0xd6332c with the Core header 01 c0 d4 00.
/****************************************************************************/
/* H221 keys. */
/****************************************************************************/
#define H221_KEY_LEN 4
#define SERVER_H221_KEY "McDn"
#define CLIENT_H221_KEY "Duca"
char clientH221Key[] = CLIENT_H221_KEY;
// Actual GCC user data so parse it to make sure it's good.
if (pHeader == NULL) {
// We assume the data length was checked by the caller for at least
// the length of the USERDATAINFO header. We have to validate the rest.
// We are expecting exactly 1 piece of user data.
if (pUserData->ulUserDataMembers == 1) {
// Check that it has a non-standard key.
pClientUserData = &(pUserData->rgUserData[0]);
0: kd> dv pClientUserData
pClientUserData = 0x00d63300
0: kd> dx -r1 ((RDPWD!GCCUserData *)0xd63300)
((RDPWD!GCCUserData *)0xd63300) : 0xd63300 [Type: GCCUserData *]
[+0x000] key [Type: GCCObjectKey]
[+0x00c] octet_string : 0x34 [Type: GCCOctetString *]
if (pClientUserData->key.key_type == GCC_H221_NONSTANDARD_KEY) {
// Check it has our non-standard key.
keyLen = pClientUserData->key.u.h221_non_stan
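The following is an added example, not code from this page or from RDPWD: it reproduces the two things the traces above show WDWParseUserData doing, the "Duca" H.221 key test from the source excerpt and the loop that splits the client user data into Core, Cluster, Security and Net blocks. The source comment says the caller has only checked the USERDATAINFO header, so each TS_UD_HEADER length is tested against the bytes remaining before anything behind it is read. The block type values, the CS_SECURITY/CS_CLUSTER/CS_NET field layouts and the channel cap of 31 are taken from MS-RDPBCGR, not from the page; the sample buffer is built from the "Our client's User Data" dump (core block head copied, rest zero-padded, then cluster, security and net in the same wire order). Function and type names are my own.

```c
#include <stdint.h>
#include <string.h>

#define H221_KEY_LEN 4
#define CLIENT_H221_KEY "Duca"
/* TS_UD_HEADER.type values and the 31-channel cap come from MS-RDPBCGR (assumed, not from the page) */
enum { CS_CORE = 0xC001, CS_SECURITY, CS_NET, CS_CLUSTER, MAX_CHANNELS = 31 };

typedef struct {
    int have_core, have_security, have_net, have_cluster;
    uint32_t encryption_methods, cluster_flags, channel_count, blocks_seen;
    char channel_names[MAX_CHANNELS][9];
    uint32_t channel_options[MAX_CHANNELS];
} client_ud_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }

/* The check from the excerpt: the single GCCUserData entry must carry a non-standard key
 * of exactly H221_KEY_LEN bytes equal to CLIENT_H221_KEY. */
int check_client_h221_key(const uint8_t *key, size_t key_len)
{
    return key_len == H221_KEY_LEN && memcmp(key, CLIENT_H221_KEY, H221_KEY_LEN) == 0;
}

/* Walks the TS_UD blocks in whatever order the client sent them. Only the USERDATAINFO
 * header has been validated by the caller, so every block length is checked against the
 * bytes remaining before a field behind it is dereferenced. Returns 0 or a negative code. */
int parse_client_user_data(const uint8_t *buf, size_t len, client_ud_t *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 4) return -1;                       /* truncated TS_UD_HEADER */
        uint16_t type = rd16(buf + off), blen = rd16(buf + off + 2);
        if (blen < 4 || blen > len - off) return -2;        /* zero-advance or overlong block */
        const uint8_t *body = buf + off + 4;
        size_t body_len = blen - 4u;
        switch (type) {
        case CS_CORE:     out->have_core = 1; break;
        case CS_SECURITY: if (body_len < 8) return -3;
                          out->have_security = 1; out->encryption_methods = rd32(body); break;
        case CS_CLUSTER:  if (body_len < 8) return -3;
                          out->have_cluster = 1; out->cluster_flags = rd32(body); break;
        case CS_NET: {
            if (body_len < 4) return -3;
            uint32_t n = rd32(body);
            /* channelCount must fit both the spec cap and the bytes actually present */
            if (n > MAX_CHANNELS || (body_len - 4) / 12 < n) return -4;
            out->have_net = 1;
            out->channel_count = n;
            for (uint32_t i = 0; i < n; i++) {
                const uint8_t *def = body + 4 + i * 12;
                memcpy(out->channel_names[i], def, 8);
                out->channel_names[i][8] = '\0';            /* 8-byte name need not be NUL-terminated */
                out->channel_options[i] = rd32(def + 8);
            }
            break;
        }
        default: break;                                     /* unknown type: skip, length already checked */
        }
        out->blocks_seen++;
        off += blen;
    }
    return 0;
}

/* Sample constructed from the dump above: Core (0xD4 bytes: first 16 copied, rest zero-padded),
 * then Cluster, Security and Net in the order they appear on the wire. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t core_head[] = { 0x01,0xC0,0xD4,0x00, 0x04,0x00,0x08,0x00,
                                         0x40,0x06,0x38,0x04, 0x01,0xCA,0x03,0xAA };
    static const uint8_t tail[] = {
        0x04,0xC0,0x0C,0x00, 0x0D,0,0,0, 0,0,0,0,           /* CS_CLUSTER, flags 0x0D        */
        0x02,0xC0,0x0C,0x00, 0x1B,0,0,0, 0,0,0,0,           /* CS_SECURITY, methods 0x1B     */
        0x03,0xC0,0x2C,0x00, 0x03,0,0,0,                    /* CS_NET, channelCount 3        */
        'r','d','p','d','r',0,0,0,     0x00,0x00,0x80,0x80,
        'c','l','i','p','r','d','r',0, 0x00,0x00,0xA0,0xC0,
        'r','d','p','s','n','d',0,0,   0x00,0x00,0x00,0xC0 };
    if (cap < 0xD4 + sizeof tail) return 0;
    memset(buf, 0, 0xD4);
    memcpy(buf, core_head, sizeof core_head);
    memcpy(buf + 0xD4, tail, sizeof tail);
    return 0xD4 + sizeof tail;                              /* 0x118, the length seen in the USERDATAINFO dump */
}

/* Parses the sample and a copy one byte short; returns 0 when every expectation holds,
 * otherwise the number of the first step that failed. */
int self_check(void)
{
    uint8_t buf[0x200];
    client_ud_t ud;
    size_t n = build_sample(buf, sizeof buf);
    if (n != 0x118) return 1;
    if (parse_client_user_data(buf, n, &ud) != 0) return 2;
    if (ud.blocks_seen != 4 || !ud.have_core || !ud.have_cluster || !ud.have_security || !ud.have_net) return 3;
    if (ud.encryption_methods != 0x1B || ud.cluster_flags != 0x0D) return 4;
    if (ud.channel_count != 3 || strcmp(ud.channel_names[1], "cliprdr") != 0 || ud.channel_options[2] != 0xC0000000u) return 5;
    if (parse_client_user_data(buf, n - 1, &ud) != -2) return 6;  /* Net block now overruns the buffer */
    return 0;
}
```

The `blen < 4` test matters as much as the upper bound: a block claiming a length below its own header size would otherwise either never advance `off` or make `body_len` wrap, and the CS_NET count is checked against the bytes present rather than trusted, since the channel names are copied out of it.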
