pStubMsg->MemorySize 的 0x74 字节是如何分配的 —— rpcrt4!NdrAllocate 函数分析
pStubMsg->MemorySize 的 0x74 字节是如何分配的 —— rpcrt4!NdrAllocate 函数分析
RPCRT4!NdrAllocate 函数与 pStubMsg->pAllocAllNodesContext 结构之间的关系
第一部分:
0: kd> p
RPCRT4!NdrpPointerUnmarshall+0x22d:
001b:77c465cc ff1488 call dword ptr [eax+ecx*4]
0: kd> r
eax=77be2860 ebx=77d75300 ecx=0000002b edx=0006fb90 esi=0006fae0 edi=0006fea8
eip=77c465cc esp=0006f9d4 ebp=0006f9f8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
RPCRT4!NdrpPointerUnmarshall+0x22d:
001b:77c465cc ff1488 call dword ptr [eax+ecx*4] ds:0023:77be290c={RPCRT4!NdrNonEncapsulatedUnionUnmarshall (77c4736b)}
0: kd> t
Breakpoint 5 hit
RPCRT4!NdrNonEncapsulatedUnionUnmarshall:
001b:77c4736b 55 push ebp
0: kd> kc
#
00 RPCRT4!NdrNonEncapsulatedUnionUnmarshall
01 RPCRT4!NdrpPointerUnmarshall
02 RPCRT4!NdrPointerUnmarshall
03 RPCRT4!NdrpPointerUnmarshall
04 RPCRT4!NdrPointerUnmarshall
05 RPCRT4!NdrpClientUnMarshal
06 RPCRT4!NdrClientCall2
07 ADVAPI32!LsarQueryInformationPolicy
08 ADVAPI32!LsaQueryInformationPolicy
09 services!ScGetAccountDomainInfo
0a services!ScInitServiceAccount
0b services!SvcctrlMain
0c services!main
0d services!mainCRTStartup
0e kernel32!BaseProcessStart
0: kd> dv
pStubMsg = 0x0006fae0
ppMemory = 0x0006fea8
pFormat = 0x77d75386 "+.&"
fMustAlloc = 0x01 ''
pFormatSave = 0x77d75386 "+.&"
SwitchType = 0x3c '<'
Size = 0x77d75301
0: kd> dv
pStubMsg = 0x0006fae0
ppMemory = 0x0006fea8
pFormat = 0x77d75386 "+.&"
fMustAlloc = 0x01 ''
pFormatSave = 0x77d75386 "+.&"
SwitchType = 0x3c '<'
Size = 0x77d75301
0: kd> dx -id 0,0,8951a020 -r1 ((RPCRT4!unsigned char * *)0x6fea8) ppMemory = 0x0006fea8
((RPCRT4!unsigned char * *)0x6fea8) : 0x6fea8 [Type: unsigned char * *]
0x0 [Type: unsigned char *]
0: kd> bp rpcrt4!NdrAllocate
0: kd> dx -id 0,0,8951a020 -r1 ((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)
((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0) : 0x6fae0 [Type: _MIDL_STUB_MESSAGE *]
[+0x000] RpcMsg : 0x6fab4 [Type: _RPC_MESSAGE *]
[+0x004] Buffer : 0x7b0a54 : 0x5 [Type: unsigned char *]
[+0x008] BufferStart : 0x7b0a50 : 0x0 [Type: unsigned char *]
[+0x00c] BufferEnd : 0x7b0ab0 : 0xd [Type: unsigned char *]
[+0x010] BufferMark : 0x7b0a58 : 0x1e [Type: unsigned char *]
[+0x014] BufferLength : 0x2a [Type: unsigned long]
[+0x018] MemorySize : 0x0 [Type: unsigned long]
[+0x01c] Memory : 0x77d766e8 : 0xa8 [Type: unsigned char *]
[+0x020] IsClient : 1 [Type: int]
[+0x024] ReuseBuffer : 0 [Type: int]
[+0x028] pAllocAllNodesContext : 0x964fc [Type: NDR_ALLOC_ALL_NODES_CONTEXT *]
0: kd> dx -id 0,0,8951a020 -r1 ((RPCRT4!NDR_ALLOC_ALL_NODES_CONTEXT *)0x964fc)
((RPCRT4!NDR_ALLOC_ALL_NODES_CONTEXT *)0x964fc) : 0x964fc [Type: NDR_ALLOC_ALL_NODES_CONTEXT *]
[+0x000] AllocAllNodesMemory : 0x96488 : 0x0 [Type: unsigned char *]
[+0x004] AllocAllNodesMemoryBegin : 0x96488 : 0x0 [Type: unsigned char *]
[+0x008] AllocAllNodesMemoryEnd : 0x964fc : 0x88 [Type: unsigned char *]
0: kd> db 0x77d75386
77d75386 2b 0d 26 00 04 00 01 00-02 00 30 00 0d 70 01 00 +.&.......0..p..
/* 508 */
0x2b, /* FC_NON_ENCAPSULATED_UNION */
0xd, /* FC_ENUM16 */
/* 510 */ 0x26, /* Corr desc: parameter, FC_SHORT */
0x0, /* */
/* 512 */ NdrFcShort( 0x4 ), /* x86 Stack size/offset = 4 */
/* 514 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 516 */ NdrFcShort( 0x2 ), /* Offset= 2 (518) */
/* 518 */ NdrFcShort( 0x30 ), /* 48 */
/* 520 */ NdrFcShort( 0x700d ), /* 28685 */
/* 522 */ NdrFcLong( 0x1 ), /* 1 */
/* 526 */ NdrFcShort( 0x52 ), /* Offset= 82 (608) */
/* 528 */ NdrFcLong( 0x2 ), /* 2 */
/* 532 */ NdrFcShort( 0x7a ), /* Offset= 122 (654) */
/* 534 */ NdrFcLong( 0x3 ), /* 3 */
/* 538 */ NdrFcShort( 0x9a ), /* Offset= 154 (692) */
/* 540 */ NdrFcLong( 0x5 ), /* 5 */
/* 544 */ NdrFcShort( 0xc6 ), /* Offset= 198 (742) */
PFORMAT_STRING pFormatSave = pFormat;   // 此时 pFormat 保存在 ebx，值为 77d75386
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x5:
001b:77c47370 8b5d10 mov ebx,dword ptr [ebp+10h]
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x8:
001b:77c47373 8a4301 mov al,byte ptr [ebx+1]
0: kd> r
eax=77be2860 ebx=77d75386
pFormat += 6;
CORRELATION_DESC_INCREMENT( pFormat );
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x12:
001b:77c4737d 83c306 add ebx,6
0: kd> r
eax=77be280d ebx=77d75386 ecx=0000002b edx=0006fb90 esi=0006fae0 edi=0006fea8
eip=77c4737d esp=0006f9c0 ebp=0006f9cc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x12:
001b:77c4737d 83c306 add ebx,6
0: kd> db 77d75386
77d75386 2b 0d 26 00 04 00 01 00-02 00 30 00 0d 70 01 00 +.&.......0..p..
pFormat += *((signed short *)pFormat);
/* 516 */ NdrFcShort( 0x2 ), /* Offset= 2 (518) */
/* 508 */
0x2b, /* FC_NON_ENCAPSULATED_UNION */
0xd, /* FC_ENUM16 */
/* 510 */ 0x26, /* Corr desc: parameter, FC_SHORT */
0x0, /* */
/* 512 */ NdrFcShort( 0x4 ), /* x86 Stack size/offset = 4 */
/* 514 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 516 */ NdrFcShort( 0x2 ), /* Offset= 2 (518) */
/* 518 */ NdrFcShort( 0x30 ), /* 48 */
/* 520 */ NdrFcShort( 0x700d ), /* 28685 */
/* 522 */ NdrFcLong( 0x1 ), /* 1 */
/* 526 */ NdrFcShort( 0x52 ), /* Offset= 82 (608) */
/* 528 */ NdrFcLong( 0x2 ), /* 2 */
/* 532 */ NdrFcShort( 0x7a ), /* Offset= 122 (654) */
/* 534 */ NdrFcLong( 0x3 ), /* 3 */
/* 538 */ NdrFcShort( 0x9a ), /* Offset= 154 (692) */
/* 540 */ NdrFcLong( 0x5 ), /* 5 */
/* 544 */ NdrFcShort( 0xc6 ), /* Offset= 198 (742) */
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x1f:
001b:77c4738a 43 inc ebx
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x20:
001b:77c4738b 43 inc ebx
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x21:
001b:77c4738c 0fbf03 movsx eax,word ptr [ebx]
0: kd> r
eax=77be280d ebx=77d7538e
0: kd> db 77d7538e
77d7538e 02 00 30 00 0d 70 01 00-00 00 52 00 02 00 00 00 ..0..p....R.....
/* 518 */ NdrFcShort( 0x30 ), /* 48 */
/* 520 */ NdrFcShort( 0x700d ), /* 28685 */
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x34:
001b:77c4739f 0fb703 movzx eax,word ptr [ebx]
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x37:
001b:77c473a2 50 push eax
0: kd> r
eax=00000030 ebx=77d75390
0: kd> db 77d75390
77d75390 30 00 0d 70 01 00 00 00-52 00 02 00 00 00 7a 00 0..p....R.....z.
*ppMemory = (uchar*)NdrAllocate( pStubMsg, Size );
第二部分:
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x38:
001b:77c473a3 56 push esi
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x39:
001b:77c473a4 894514 mov dword ptr [ebp+14h],eax
0: kd> p
RPCRT4!NdrNonEncapsulatedUnionUnmarshall+0x3c:
001b:77c473a7 e8d784ffff call RPCRT4!NdrAllocate (77c3f883)
0: kd> t
Breakpoint 17 hit
RPCRT4!NdrAllocate:
001b:77c3f883 55 push ebp
0: kd> kc
#
00 RPCRT4!NdrAllocate
01 RPCRT4!NdrNonEncapsulatedUnionUnmarshall
02 RPCRT4!NdrpPointerUnmarshall
03 RPCRT4!NdrPointerUnmarshall
04 RPCRT4!NdrpPointerUnmarshall
05 RPCRT4!NdrPointerUnmarshall
06 RPCRT4!NdrpClientUnMarshal
07 RPCRT4!NdrClientCall2
08 ADVAPI32!LsarQueryInformationPolicy
09 ADVAPI32!LsaQueryInformationPolicy
0a services!ScGetAccountDomainInfo
0b services!ScInitServiceAccount
0c services!SvcctrlMain
0d services!main
0e services!mainCRTStartup
0f kernel32!BaseProcessStart
第一次调用 RPCRT4!NdrAllocate 函数：Len = 0x30 即上面 movzx eax,word ptr [ebx]（ebx = 77d75390）从格式串偏移 518 处的 NdrFcShort( 0x30 ) 读出的联合体大小，也就是说分配长度来自编译期生成的格式串，而不是来自接收缓冲区。
0: kd> dv
pStubMsg = 0x0006fae0
Len = 0x30
0: kd> dd 00096488
00096488 00000000 00000000 00000000 00000000 分配开始（此地址即 pAllocAllNodesContext->AllocAllNodesMemory = 0x96488）
00096498 00000000 00000000 00000