
NdrpPointerUnmarshallInternal函数分析之pFormatPointee指针的确定


第一部分:

0: kd> p
RPCRT4!NdrPointerUnmarshall+0x29:
001b:77c46ce4 e8b6f6ffff      call    RPCRT4!NdrpPointerUnmarshall (77c4639f)
0: kd> t
Breakpoint 4 hit
RPCRT4!NdrpPointerUnmarshall:
001b:77c4639f 55              push    ebp
0: kd> kc
 #
00 RPCRT4!NdrpPointerUnmarshall
01 RPCRT4!NdrPointerUnmarshall
02 RPCRT4!NdrpClientUnMarshal
03 RPCRT4!NdrClientCall2
04 ADVAPI32!LsarQueryInformationPolicy
05 ADVAPI32!LsaQueryInformationPolicy
06 services!ScGetAccountDomainInfo
07 services!ScInitServiceAccount
08 services!SvcctrlMain
09 services!main
0a services!mainCRTStartup
0b kernel32!BaseProcessStart
0: kd> dv
       pStubMsg = 0x0006fae0
       ppMemory = 0x0006fe90
        pMemory = 0x0006fea8 ""
 pBufferPointer = 0x00000000
        pFormat = 0x77d7537e "???"


第二部分:

   //
    // Pointer to complex type.
    //
    if ( ! SIMPLE_POINTER(pFormat[1]) )


// Pointer-attribute test: non-zero when the pointee is a simple type
// (flag byte pFormat[1], bit 0x08).  In the trace this compiles to
// `test al,8` at NdrpPointerUnmarshall+0x16e; pFormat[1] is 0x14 here,
// so the test is false and the "pointer to complex type" path is taken.
#define SIMPLE_POINTER( FC )        ((FC) & FC_SIMPLE_POINTER)


// Flag bit in the pointer's attribute byte (pFormat[1]): pointee is a simple type.
#define FC_SIMPLE_POINTER           0x08

第三部分:


// Pointer-attribute test: non-zero when the pointer is itself a pointer to
// a pointer (flag byte pFormat[1], bit 0x10).  In the trace this is
// `test byte ptr [ebx+1],10h` at NdrpPointerUnmarshall+0x1a3 with
// [ebx+1] == 0x14, so the test is true and the buffer is re-aligned
// (ALIGN(pStubMsg->Buffer,0x3)) before the pointee is unmarshalled.
#define POINTER_DEREF( FC )         ((FC) & FC_POINTER_DEREF)

// Flag bit in the pointer's attribute byte (pFormat[1]): pointer to pointer.
#define FC_POINTER_DEREF            0x10


第四部分:

        (*pfnUnmarshallRoutines[ROUTINE_INDEX(*pFormatPointee)])
        ( pStubMsg,
          ppMemory,
          pFormatPointee,
          fPointeeAlloc );


//
// Routine index macro.
//
// Maps a format-character byte to an index into the unmarshalling
// dispatch table (pfnUnmarshallRoutines).  Only the low 6 bits are kept,
// so the index is always in 0..0x3F; the table is presumably sized to
// cover that whole range (only part of it is visible here).
// In the trace this is `and ecx,3Fh` at NdrpPointerUnmarshall+0x22a with
// ecx == 0x12 (*pFormatPointee), which selects the 0x12 entry,
// NdrPointerUnmarshall.  Note that the byte being indexed comes from the
// stub's format string (pFormat, 0x77d7537e, which appears to lie in a
// loaded module image), not from the wire buffer (pStubMsg->Buffer,
// 0x7b0a50) -- confirm against the module list if this matters.
#define ROUTINE_INDEX(FC)       ((FC) & 0x3F)

第五部分:

0: kd> dv
       pStubMsg = 0x0006fae0
       ppMemory = 0x0006fe90
        pMemory = 0x0006fea8 ""
 pBufferPointer = 0x00000000
        pFormat = 0x77d7537e "???"
0: kd> db 0x77d7537e
77d7537e  11 14 02 00 12 01 02 00-2b 0d 26 00 04 00 01 00  ........+.&.....

pFormat[2..3] = 02 00，即 NdrFcShort(0x2)：这是从 pFormat+2 到 pointee 格式串的偏移量（2）


// Dispatch table pointer consulted by NdrpPointerUnmarshall via
// (*pfnUnmarshallRoutines[ROUTINE_INDEX(*pFormatPointee)])(...).
// It is initialised to point at UnmarshallRoutinesTable (defined below);
// in the trace the 0x12 entry resolves to NdrPointerUnmarshall.
extern const
PUNMARSHALL_ROUTINE * pfnUnmarshallRoutines = UnmarshallRoutinesTable;

extern const
PUNMARSHALL_ROUTINE UnmarshallRoutinesTable[] =
                    {
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,
                    NdrUDTSimpleTypeUnmarshall1,

                    NdrPointerUnmarshall,            0x11
                    NdrPointerUnmarshall,            0x12
                    NdrPointerUnmarshall,            0x13
                    NdrPointerUnmarshall,            0x14


第六部分:

    //
    // Pointer to complex type.
    //
    if ( ! SIMPLE_POINTER(pFormat[1]) )
        {
        PFORMAT_STRING pFormatPointee;

        pFormatPointee = pFormat + 2;=02

        // Set the pointee format string.
        // Cast must be to a signed short since some offsets are negative.
        pFormatPointee += *((signed short *)pFormatPointee);

第七部分:
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x125:
001b:77c464c4 eb44            jmp     RPCRT4!NdrpPointerUnmarshall+0x16b (77c4650a)
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x16b:
001b:77c4650a 8a4301          mov     al,byte ptr [ebx+1]
0: kd> r
eax=0006fea8 ebx=77d7537e ecx=00000000 edx=00000000 esi=0006fae0 edi=0006fe90
eip=77c4650a esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
RPCRT4!NdrpPointerUnmarshall+0x16b:
001b:77c4650a 8a4301          mov     al,byte ptr [ebx+1]   ds:0023:77d7537f=14
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x16e:
001b:77c4650d a808            test    al,8
0: kd> r
eax=0006fe14 ebx=77d7537e ecx=00000000 edx=00000000 esi=0006fae0 edi=0006fe90
eip=77c4650d esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
RPCRT4!NdrpPointerUnmarshall+0x16e:
001b:77c4650d a808            test    al,8


   //
    // Pointer to complex type.
    //
    if ( ! SIMPLE_POINTER(pFormat[1]) )

0: kd> r
eax=0006fe14 ebx=77d7537e ecx=00000000 edx=00000000 esi=0006fae0 edi=0006fe90
eip=77c4650d esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
RPCRT4!NdrpPointerUnmarshall+0x16e:
001b:77c4650d a808            test    al,8

0: kd> db 77d7537e
77d7537e  11 14 02 00 12 01 02 00-2b 0d 26 00 04 00 01 00  ........+.&.....


/* 500 */    
            0x11, 0x14,    /* FC_RP [alloced_on_stack] [pointer_deref] */
/* 502 */    NdrFcShort( 0x2 ),    /* Offset= 2 (504) */
/* 504 */    
            0x12, 0x1,    /* FC_UP [all_nodes] */


第九部分:关键地方
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x179:
001b:77c46518 0fbf11          movsx   edx,word ptr [ecx]
0: kd> r
eax=0006fe14 ebx=77d7537e ecx=77d75380 edx=00000000 esi=0006fae0 edi=0006fe90
eip=77c46518 esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
RPCRT4!NdrpPointerUnmarshall+0x179:
001b:77c46518 0fbf11          movsx   edx,word ptr [ecx]  ds:0023:77d75380=0002
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x17c:
001b:77c4651b 03ca            add     ecx,edx    //ecx=77d75380  edx=00000002
0: kd> r
eax=0006fe14 ebx=77d7537e ecx=77d75380 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c4651b esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
RPCRT4!NdrpPointerUnmarshall+0x17c:
001b:77c4651b 03ca            add     ecx,edx
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x17e:
001b:77c4651d a801            test    al,1
0: kd> r
eax=0006fe14 ebx=77d7537e ecx=77d75382 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c4651d esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
RPCRT4!NdrpPointerUnmarshall+0x17e:
001b:77c4651d a801            test    al,1


0: kd> db 77d75382
77d75382  12 01 02 00 2b 0d 26 00-04 00 01 00 02 00 30 00  ....+.&.......0.

pFormatPointee=ecx=77d75382

*pFormatPointee=0x12 // 函数指针位置确定了：ROUTINE_INDEX(0x12) = 0x12 & 0x3F = 0x12，对应 UnmarshallRoutinesTable[0x12] = NdrPointerUnmarshall（FC_UP）


第十部分:

        //
        // Check if this is an allocate all nodes pointer AND that we're
        // not already in an allocate all nodes context.
        //
        if ( ALLOCATE_ALL_NODES(pFormat[1]) && ! pStubMsg->pAllocAllNodesContext )        不符合
            {
            fNewAllocAllNodes = TRUE;

            pStubMsg->pAllocAllNodesContext =
                NdrpGetAllocateAllNodesContext(
                    pStubMsg,
                    pFormatPointee );

            *ppMemory = 0;

            fPointeeAlloc = TRUE;

// Pointer-attribute test: non-zero when the pointer is an
// "allocate all nodes" pointer (flag byte pFormat[1], bit 0x01).
// In the trace this is `test al,1` at NdrpPointerUnmarshall+0x17e with
// al == 0x14, so the bit is clear; together with
// pStubMsg->pAllocAllNodesContext == 0 the surrounding `if` is not taken.
#define ALLOCATE_ALL_NODES( FC )    ((FC) & FC_ALLOCATE_ALL_NODES)


//
// Pointer attributes.
//
// Flag bit in the pointer's attribute byte (pFormat[1]): allocate all nodes.
#define FC_ALLOCATE_ALL_NODES       0x01


0: kd> r
eax=0006fe14 ebx=77d7537e ecx=77d75382 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c4651d esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
RPCRT4!NdrpPointerUnmarshall+0x17e:
001b:77c4651d a801            test    al,1

0: kd> dx -id 0,0,8951a020 -r1 ((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)
((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)                 : 0x6fae0 [Type: _MIDL_STUB_MESSAGE *]
    [+0x000] RpcMsg           : 0x6fab4 [Type: _RPC_MESSAGE *]
    [+0x004] Buffer           : 0x7b0a50 : 0x0 [Type: unsigned char *]

    [+0x028] pAllocAllNodesContext : 0x0 [Type: NDR_ALLOC_ALL_NODES_CONTEXT *]


第十一部分:

0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1a3:
001b:77c46542 f6430110        test    byte ptr [ebx+1],10h
0: kd> r
eax=0006fe14 ebx=77d7537e ecx=77d75382 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c46542 esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
RPCRT4!NdrpPointerUnmarshall+0x1a3:
001b:77c46542 f6430110        test    byte ptr [ebx+1],10h  ds:0023:77d7537f=14

        if ( POINTER_DEREF(pFormat[1]) )
            {
            //
            // Re-align the buffer.  This is to cover embedded pointer to
            // pointers.
            //
            ALIGN(pStubMsg->Buffer,0x3);

            //
            // We can't re-use the buffer for a pointer to a pointer
            // because we can't null out the pointee before we've unmarshalled
            // it.  We need the stubs to alloc pointers to pointers on the
            // stack.
            //
            if ( ! *ppMemory && ! pStubMsg->IsClient )
                fPointeeAlloc = TRUE;

0: kd> db 0x7b0a50
007b0a50  00 00 02 00 05 00 00 00-1e 00 20 00 04 00 02 00  .......... .....


第十二部分:

            ALIGN(pStubMsg->Buffer,0x3);

0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1a9:
001b:77c46548 8b4604          mov     eax,dword ptr [esi+4]
0: kd> r
eax=0006fe14 ebx=77d7537e ecx=77d75382 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c46548 esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
RPCRT4!NdrpPointerUnmarshall+0x1a9:
001b:77c46548 8b4604          mov     eax,dword ptr [esi+4] ds:0023:0006fae4=007b0a50
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1ac:
001b:77c4654b 83c003          add     eax,3
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1af:
001b:77c4654e 83e0fc          and     eax,0FFFFFFFCh
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1b2:
001b:77c46551 894604          mov     dword ptr [esi+4],eax
0: kd> r
eax=007b0a50


第十三部分:


    [+0x068] FullPtrRefId     : 0x0 [Type: unsigned long]

            if ( pStubMsg->FullPtrRefId )
                FULL_POINTER_INSERT( pStubMsg, *ppMemory );


0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1d7:
001b:77c46576 8b4668          mov     eax,dword ptr [esi+68h]
0: kd> r
eax=007b0a50 ebx=77d7537e ecx=77d75382 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c46576 esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
RPCRT4!NdrpPointerUnmarshall+0x1d7:
001b:77c46576 8b4668          mov     eax,dword ptr [esi+68h] ds:0023:0006fb48=00000000


0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1da:
001b:77c46579 85c0            test    eax,eax
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1dc:
001b:77c4657b 740f            je      RPCRT4!NdrpPointerUnmarshall+0x1ed (77c4658c)
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1ed:
001b:77c4658c 8b4514          mov     eax,dword ptr [ebp+14h]

            if ( pBufferPointer )
                *pBufferPointer = UNMARSHAL_PTR_WIRE_REP(*ppMemory);


0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x1ed:
001b:77c4658c 8b4514          mov     eax,dword ptr [ebp+14h]
0: kd> r
eax=00000000 ebx=77d7537e ecx=77d75382 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c4658c esp=0006fa30 ebp=0006fa44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
RPCRT4!NdrpPointerUnmarshall+0x1ed:
001b:77c4658c 8b4514          mov     eax,dword ptr [ebp+14h] ss:0023:0006fa58=00000000
0: kd> dd 0006fa44+14
0006fa58  00000000


第十四部分:
        (*pfnUnmarshallRoutines[ROUTINE_INDEX(*pFormatPointee)])
        ( pStubMsg,
          ppMemory,
          pFormatPointee,
          fPointeeAlloc );


*pFormatPointee=ecx=00000012

ROUTINE_INDEX(*pFormatPointee)=ecx

and     ecx,3Fh


0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x229:
001b:77c465c8 56              push    esi
0: kd> r
eax=77be2860 ebx=77d75300 ecx=00000012 edx=00000002 esi=0006fae0 edi=0006fe90
eip=77c465c8 esp=0006fa24 ebp=0006fa44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
RPCRT4!NdrpPointerUnmarshall+0x229:
001b:77c465c8 56              push    esi
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x22a:
001b:77c465c9 83e13f          and     ecx,3Fh
0: kd> r
eax=77be2860 ebx=77d75300 ecx=00000012
