当前位置：首页 > news >正文

NdrpConformantVaryingArrayUnmarshall函数分析--重要

news 2025/4/29 0:46:23

第一部分：
void
NdrpConformantVaryingArrayUnmarshall(
    PMIDL_STUB_MESSAGE pStubMsg,
    uchar **             ppMemory,
    PFORMAT_STRING      pFormat,
    uchar               fMustCopy,
    uchar               fMustAlloc )
{
    uchar *     pBufferStart;
    ulong       CopyOffset, CopySize;
    ushort      ElemSize;

IGNORED(fMustCopy);

// Align the buffer for conformance unmarshalling.
ALIGN(pStubMsg->Buffer,3);

    // Unmarshall offset and actual count.
    pStubMsg->Offset = *((ulong * &)pStubMsg->Buffer)++;
    pStubMsg->ActualCount = *((ulong * &)pStubMsg->Buffer)++;

ElemSize = *((ushort *)(pFormat + 2));

    //
    // Return if length is 0.
    //
    if ( ! pStubMsg->ActualCount )
        {
        // needs to allocate before return.
        if ( fMustAlloc )
            {
            *ppMemory = (uchar*)NdrAllocate( pStubMsg, (uint) pStubMsg->MaxCount * ElemSize );
            // Insert full pointer to ref id translation if needed.
            if ( pStubMsg->FullPtrRefId )
                FULL_POINTER_INSERT( pStubMsg, *ppMemory );
            }
        return;
        }

    CopyOffset = MultiplyWithOverflowCheck(pStubMsg->Offset , ElemSize );
    CopySize = MultiplyWithOverflowCheck( pStubMsg->ActualCount , ElemSize );

ALIGN(pStubMsg->Buffer, pFormat[1]);

pBufferStart = pStubMsg->Buffer;

    // Increment buffer pointer past array.
    CHECK_EOB_WITH_WRAP_RAISE_IB( pStubMsg->Buffer, CopySize );
    pStubMsg->Buffer += CopySize;

    // Increment format string to possible pointer description.
    pFormat += 12;
    CORRELATION_DESC_INCREMENT( pFormat );
    CORRELATION_DESC_INCREMENT( pFormat );

    if ( fMustAlloc )
        {
        *ppMemory = (uchar*)NdrAllocate( pStubMsg, (uint) pStubMsg->MaxCount * ElemSize );
        // Insert full pointer to ref id translation if needed.
        if ( pStubMsg->FullPtrRefId )
            FULL_POINTER_INSERT( pStubMsg, *ppMemory );
        }

    // Unmarshall embedded pointers first.
    if ( *pFormat == FC_PP )
        {

}

    // Always copy. Buffer reuse is not possible.
    RpcpMemoryCopy( *ppMemory + CopyOffset,
                    pBufferStart,
                    (uint) CopySize );
}

第二部分：

0: kd> t
RPCRT4!NdrpConformantVaryingArrayUnmarshall:
001b:77c45075 55 push ebp
0: kd> kc
#
00 RPCRT4!NdrpConformantVaryingArrayUnmarshall
01 RPCRT4!NdrConformantVaryingArrayUnmarshall
02 RPCRT4!NdrpPointerUnmarshall
03 RPCRT4!NdrpEmbeddedPointerUnmarshall
04 RPCRT4!NdrSimpleStructUnmarshall
05 RPCRT4!NdrpUnionUnmarshall
06 RPCRT4!NdrNonEncapsulatedUnionUnmarshall
07 RPCRT4!NdrpPointerUnmarshall
08 RPCRT4!NdrPointerUnmarshall
09 RPCRT4!NdrpPointerUnmarshall
0a RPCRT4!NdrPointerUnmarshall
0b RPCRT4!NdrpClientUnMarshal
0c RPCRT4!NdrClientCall2
0d ADVAPI32!LsarQueryInformationPolicy
0e ADVAPI32!LsaQueryInformationPolicy
0f services!ScGetAccountDomainInfo
10 services!ScInitServiceAccount
11 services!SvcctrlMain
12 services!main
13 services!mainCRTStartup
14 kernel32!BaseProcessStart

0: kd> dv
       pStubMsg = 0x0006fae0
       ppMemory = 0x0009648c
        pFormat = 0x77d7545e "???"
      fMustCopy = 0x01 ''
     fMustAlloc = 0x01 ''
       CopySize = 0x77d7545e
     CopyOffset = 0x77d7545e

第三部分：
/* 724 */
           0x1c,       /* FC_CVARRAY */
           0x1,       /* 1 */
/* 726 */   NdrFcShort( 0x2 ),   /* 2 */                       ElemSize
/* 728 */   0x17,       /* Corr desc: field pointer, FC_USHORT */
           0x55,       /* FC_DIV_2 */
/* 730 */   NdrFcShort( 0x2 ),   /* 2 */
/* 732 */   NdrFcShort( 0x1 ),   /* Corr flags: early, */
/* 734 */   0x17,       /* Corr desc: field pointer, FC_USHORT */
           0x55,       /* FC_DIV_2 */
/* 736 */   NdrFcShort( 0x0 ),   /* 0 */
/* 738 */   NdrFcShort( 0x1 ),   /* Corr flags: early, */
/* 740 */   0x5,       /* FC_WCHAR */
           0x5b,       /* FC_END */

ElemSize = *((ushort *)(pFormat + 2));

第四部分：

0: kd> db 0x7b0a70
007b0a70 4e 00 54 00 44 00 45 00-56 00 2d 00 51 00 51 00 N.T.D.E.V.-.Q.Q.
007b0a80 54 00 51 00 53 00 4e 00-4c 00 44 00 58 00 00 00 T.Q.S.N.L.D.X...

第五部分：

#define NDR_CORR_EXTENSION_SIZE 2

#define CORRELATION_DESC_INCREMENT( pFormat ) \
if ( pStubMsg->fHasNewCorrDesc ) \
pFormat += NDR_CORR_EXTENSION_SIZE;

    // Increment format string to possible pointer description.
    pFormat += 12;
    CORRELATION_DESC_INCREMENT( pFormat );
    CORRELATION_DESC_INCREMENT( pFormat );           一共加了12+2+2=16到了ebx=77d7546e

/* 736 */   NdrFcShort( 0x0 ),   /* 0 */
/* 738 */   NdrFcShort( 0x1 ),   /* Corr flags: early, */
/* 740 */   0x5,       /* FC_WCHAR */
           0x5b,       /* FC_END */

0: kd> db 77d7546e
77d7546e 05 5b 16 03 0c 00 4b 5c-46 5c 04 00 04 00 12 00 .[....K\F\......

第六部分：NdrAllocate函数的作用

    if ( fMustAlloc )
        {
        *ppMemory = (uchar*)NdrAllocate( pStubMsg, (uint) pStubMsg->MaxCount * ElemSize );
        // Insert full pointer to ref id translation if needed.

[+0x03c] MaxCount : 0x10 [Type: unsigned long]

0: kd> p
RPCRT4!NdrpConformantVaryingArrayUnmarshall+0x105:
001b:77c4517a e804a7ffff call RPCRT4!NdrAllocate (77c3f883)
0: kd> p
RPCRT4!NdrpConformantVaryingArrayUnmarshall+0x10a:
001b:77c4517f 8b4d0c mov ecx,dword ptr [ebp+0Ch]
0: kd> r
eax=000964b8

0: kd> db 0x00096488
00096488 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
00096498 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000964a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000964b8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

0: kd> dx -id 0,0,897e1020 -r1 ((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)
((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)                 : 0x6fae0 [Type: _MIDL_STUB_MESSAGE *]
    [+0x000] RpcMsg           : 0x6fab4 [Type: _RPC_MESSAGE *]
    [+0x004] Buffer           : 0x7b0a8e : 0x0 [Type: unsigned char *]
    [+0x008] BufferStart      : 0x7b0a50 : 0x0 [Type: unsigned char *]
    [+0x00c] BufferEnd        : 0x7b0ab0 : 0xd [Type: unsigned char *]
    [+0x010] BufferMark       : 0x7b0a58 : 0x1e [Type: unsigned char *]
    [+0x014] BufferLength     : 0x2a [Type: unsigned long]
    [+0x018] MemorySize       : 0x0 [Type: unsigned long]
    [+0x01c] Memory           : 0x96488 : 0x0 [Type: unsigned char *]
    [+0x020] IsClient         : 1 [Type: int]
    [+0x024] ReuseBuffer      : 0 [Type: int]
    [+0x028] pAllocAllNodesContext : 0x964fc [Type: NDR_ALLOC_ALL_NODES_CONTEXT *]

0: kd> dx -id 0,0,897e1020 -r1 ((RPCRT4!NDR_ALLOC_ALL_NODES_CONTEXT *)0x964fc)
((RPCRT4!NDR_ALLOC_ALL_NODES_CONTEXT *)0x964fc)                 : 0x964fc [Type: NDR_ALLOC_ALL_NODES_CONTEXT *]
    [+0x000] AllocAllNodesMemory : 0x964d8 : 0x0 [Type: unsigned char *]
    [+0x004] AllocAllNodesMemoryBegin : 0x96488 : 0x0 [Type: unsigned char *]
    [+0x008] AllocAllNodesMemoryEnd : 0x964fc : 0xd8 [Type: unsigned char *]
0: kd> dd 0x00096488
00096488 00000000 000964b8 00000000 00000000
00096498 00000000 00000000 00000000 00000000
000964a8 00000000 00000000 00000000 00000000
000964b8 0054004e 00450044 002d0056 00510051
000964c8 00510054 004e0053 0044004c 00000058
000964d8 00000000 00000000 00000000 00000000
000964e8 00000000 00000000 00000000 00000000
000964f8 00000000 000964d8 00096488 000964fc

void * RPC_ENTRY
NdrAllocate(
    PMIDL_STUB_MESSAGE pStubMsg,
    size_t              Len )
{
    void * pMemory;

    if ( pStubMsg->pAllocAllNodesContext )
        {

// Get the pointer.
pMemory = pStubMsg->pAllocAllNodesContext->AllocAllNodesMemory;

// Increment the block pointer.
pStubMsg->pAllocAllNodesContext->AllocAllNodesMemory += Len;

pStubMsg->pAllocAllNodesContext->AllocAllNodesMemory =000964b8
变为：
pStubMsg->pAllocAllNodesContext->AllocAllNodesMemory =000964d8

*ppMemory=000964d8

第七部分：
0: kd> p
RPCRT4!NdrpConformantVaryingArrayUnmarshall+0x124:
001b:77c45199 803b4b cmp byte ptr [ebx],4Bh
0: kd> r
eax=000964b8 ebx=77d7546e

// Unmarshall embedded pointers first.
if ( *pFormat == FC_PP ) //*pFormat =05

    // Unmarshall embedded pointers first.
    if ( *pFormat == FC_PP )
        {
       。。。。。。
        }

    // Always copy. Buffer reuse is not possible.
    RpcpMemoryCopy( *ppMemory + CopyOffset,
                    pBufferStart,
                    (uint) CopySize );

0: kd> dv
       pStubMsg = 0x00000002
       ppMemory = 0x0009648c
        pFormat = 0x0000001e "--- memory read error at address 0x0000001e ---"
      fMustCopy = 0x01 ''
     fMustAlloc = 0x01 ''
       CopySize = 0x1e           一共拷贝了30个字节，0xf个字符，每个字符2个字节。
     CopyOffset = 0

    // Always copy. Buffer reuse is not possible.
    RpcpMemoryCopy( *ppMemory + CopyOffset,
                    pBufferStart,
                    (uint) CopySize );

0: kd> db 0x00096488
00096488 00 00 00 00 b8 64 09 00-00 00 00 00 00 00 00 00 .....d..........
00096498 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000964a8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
000964b8 4e 00 54 00 44 00 45 00-56 00 2d 00 51 00 51 00 N.T.D.E.V.-.Q.Q.
000964c8 54 00 51 00 53 00 4e 00-4c 00 44 00 58 00 00 00 T.Q.S.N.L.D.X...

0: kd> dd 0x00096488
00096488 00000000 000964b8 00000000 00000000
00096498 00000000 00000000 00000000 00000000
000964a8 00000000 00000000 00000000 00000000
000964b8 0054004e 00450044 002d0056 00510051
000964c8 00510054 004e0053 0044004c 00000058
000964d8 00000000 00000000 00000000 00000000

查看全文

http://www.xdnf.cn/news/162919.html