RPCRT4!NdrpEmbeddedPointerMemorySize函数分析之第二次循环
第一部分:
进入第二次循环:
0: kd> r
eax=0000005c ebx=007b0a58 ecx=0000001e edx=0000000f esi=0006fae0 edi=77d7547c
eip=77c48680 esp=0006f924 ebp=0006f940 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
RPCRT4!NdrpEmbeddedPointerMemorySize+0x7e:
001b:77c48680 83c704 add edi,4
0: kd> p
RPCRT4!NdrpEmbeddedPointerMemorySize+0x81:
001b:77c48683 897d0c mov dword ptr [ebp+0Ch],edi
0: kd> r
eax=0000005c ebx=007b0a58 ecx=0000001e edx=0000000f esi=0006fae0 edi=77d75480
0: kd> db 77d75480
77d75480 46 5c 08 00 08 00 12 00-4a fe 5b 06 06 08 08 5b F\......J.[....[
0x46, /* FC_NO_REPEAT */
0x5c, /* FC_PAD */
/* 760 */ NdrFcShort( 0x8 ), /* 8 */
/* 762 */ NdrFcShort( 0x8 ), /* 8 */ pFormat + 4
/* 764 */ 0x12, 0x0, /* FC_UP */
/* 766 */ NdrFcShort( 0xfe4a ), /* Offset= -438 (328) */
/* 328 */
0x17, /* FC_CSTRUCT */
0x3, /* 3 */
/* 330 */ NdrFcShort( 0x8 ), /* 8 */
/* 332 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (316) */
/* 334 */ 0x2, /* FC_CHAR */
0x2, /* FC_CHAR */
/* 336 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 338 */ NdrFcShort( 0xffe0 ), /* Offset= -32 (306) */
/* 340 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
第二部分:
// Compute the pointer to the pointer id in the buffer to size.
pBufPtr = (pBufferMark + *((signed short *)(pFormat + 4)));
// Increment to the pointer description.
pFormat += 6;
NdrpPointerMemorySize(
pStubMsg,
pBufPtr,
pFormat );
// Increment to next pointer description.
pFormat += 4;
} // for
}
第三部分:
0: kd> p
RPCRT4!NdrpEmbeddedPointerMemorySize+0x6d:
001b:77c4866f 0fbf4704 movsx eax,word ptr [edi+4]
0: kd> r
eax=00000046 ebx=007b0a58 ecx=0000001e edx=0000000f esi=0006fae0 edi=77d75480
0: kd> p
RPCRT4!NdrpEmbeddedPointerMemorySize+0x71:
001b:77c48673 83c706 add edi,6
0: kd> r
eax=00000008 ebx=007b0a58 ecx=0000001e edx=0000000f esi=0006fae0 edi=77d75480
0: kd> p
RPCRT4!NdrpEmbeddedPointerMemorySize+0x74:
001b:77c48676 57 push edi
0: kd> r
eax=00000008 ebx=007b0a58 ecx=0000001e edx=0000000f esi=0006fae0 edi=77d75486
第四部分:
0: kd> t
RPCRT4!NdrpPointerMemorySize:
001b:77c47c7d 55 push ebp
0: kd> kc
#
00 RPCRT4!NdrpPointerMemorySize
01 RPCRT4!NdrpEmbeddedPointerMemorySize
02 RPCRT4!NdrSimpleStructMemorySize
03 RPCRT4!NdrpUnionMemorySize
04 RPCRT4!NdrNonEncapsulatedUnionMemorySize
05 RPCRT4!NdrpGetAllocateAllNodesContext
06 RPCRT4!NdrpPointerUnmarshall
07 RPCRT4!NdrPointerUnmarshall
08 RPCRT4!NdrpPointerUnmarshall
09 RPCRT4!NdrPointerUnmarshall
0a RPCRT4!NdrpClientUnMarshal
0b RPCRT4!NdrClientCall2
0c ADVAPI32!LsarQueryInformationPolicy
0d ADVAPI32!LsaQueryInformationPolicy
0e services!ScGetAccountDomainInfo
0f services!ScInitServiceAccount
10 services!SvcctrlMain
11 services!main
12 services!mainCRTStartup
13 kernel32!BaseProcessStart
0: kd> dv
pStubMsg = 0x0006fae0
pBufferMark = 0x007b0a60 "???"
pFormat = 0x77d75486 "???"
0: kd> db 0x007b0a50
007b0a50 00 00 02 00 05 00 00 00-1e 00 20 00 04 00 02 00 .......... .....
007b0a60 08 00 02 00 10 00 00 00-00 00 00 00 0f 00 00 00 ................
0: kd> db 0x77d75486
77d75486 12 00 4a fe 5b 06 06 08-08 5b 1c 01 02 00 17 55 ..J.[....[.....U
/* 764 */ 0x12, 0x0, /* FC_UP */
/* 766 */ NdrFcShort( 0xfe4a ), /* Offset= -438 (328) */
NdrPointerMemorySize, 0x12
if ( ! SIMPLE_POINTER(pFormat[1]) )
{
// Pointer to complex type.
if ( POINTER_DEREF(pFormat[1]) )
pStubMsg->MemorySize += PTR_MEM_SIZE;
pFormat += 2;
pFormat += *((signed short *)pFormat);
/* 328 */
0x17, /* FC_CSTRUCT */
0x3, /* 3 */
/* 330 */ NdrFcShort( 0x8 ), /* 8 */
/* 332 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (316) */
/* 334 */ 0x2, /* FC_CHAR */
0x2, /* FC_CHAR */
/* 336 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 338 */ NdrFcShort( 0xffe0 ), /* Offset= -32 (306) */
/* 340 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
0: kd> r
eax=0000005c ebx=007b0a58 ecx=00000000 edx=0000000f esi=0006fae0 edi=77d75486
eip=77c47d10 esp=0006f908 ebp=0006f910 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
RPCRT4!NdrpPointerMemorySize+0x93:
001b:77c47d10 8d4f02 lea ecx,[edi+2]
0: kd> p
RPCRT4!NdrpPointerMemorySize+0x96:
001b:77c47d13 0fbf01 movsx eax,word ptr [ecx]
0: kd> r
eax=0000005c ebx=007b0a58 ecx=77d75488 edx=0000000f esi=0006fae0 edi=77d75486
0: kd> p
RPCRT4!NdrpPointerMemorySize+0x99:
001b:77c47d16 03c8 add ecx,eax
0: kd> r
eax=fffffe4a ebx=007b0a58 ecx=77d75488 edx=0000000f esi=0006fae0 edi=77d75486
0: kd> p
RPCRT4!NdrpPointerMemorySize+0x9b:
001b:77c47d18 eb43 jmp RPCRT4!NdrpPointerMemorySize+0xe0 (77c47d5d)
0: kd> r
eax=fffffe4a ebx=007b0a58 ecx=77d752d2 edx=0000000f esi=0006fae0 edi=77d75486
eip=77c47d18 esp=0006f908 ebp=0006f910 iopl=0 nv up ei pl nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000217
RPCRT4!NdrpPointerMemorySize+0x9b:
001b:77c47d18 eb43 jmp RPCRT4!NdrpPointerMemorySize+0xe0 (77c47d5d)
ecx=77d752d2
0: kd> db 77d752d2
77d752d2 17 03 08 00 f0 ff 02 02-4c 00 e0 ff 5c 5b 1b 00 ........L...\[..
/* 328 */
0x17, /* FC_CSTRUCT */
0x3, /* 3 */
/* 330 */ NdrFcShort( 0x8 ), /* 8 */
/* 332 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (316) */
/* 334 */ 0x2, /* FC_CHAR */
0x2, /* FC_CHAR */
/* 336 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 338 */ NdrFcShort( 0xffe0 ), /* Offset= -32 (306) */
/* 340 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
0: kd> p
RPCRT4!NdrpPointerMemorySize+0xf6:
001b:77c47d73 56 push esi
0: kd> p
RPCRT4!NdrpPointerMemorySize+0xf7:
001b:77c47d74 83e03f and eax,3Fh
0: kd> p
RPCRT4!NdrpPointerMemorySize+0xfa:
001b:77c47d77 ff1481 call dword ptr [ecx+eax*4]
0: kd> r
eax=00000017 ebx=007b0a00 ecx=77be2ca8 edx=0000000f esi=0006fae0 edi=77d75486
eip=77c47d77 esp=0006f8fc ebp=0006f910 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
RPCRT4!NdrpPointerMemorySize+0xfa:
001b:77c47d77 ff1481 call dword ptr [ecx+eax*4] ds:0023:77be2d04={RPCRT4!NdrConformantStructMemorySize (77c4871d)}
第五部分:
0: kd> t
Breakpoint 10 hit
RPCRT4!NdrConformantStructMemorySize:
001b:77c4871d 55 push ebp
0: kd> kc
#
00 RPCRT4!NdrConformantStructMemorySize
01 RPCRT4!NdrpPointerMemorySize
02 RPCRT4!NdrpEmbeddedPointerMemorySize
03 RPCRT4!NdrSimpleStructMemorySize
04 RPCRT4!NdrpUnionMemorySize
05 RPCRT4!NdrNonEncapsulatedUnionMemorySize
06 RPCRT4!NdrpGetAllocateAllNodesContext
07 RPCRT4!NdrpPointerUnmarshall
08 RPCRT4!NdrPointerUnmarshall
09 RPCRT4!NdrpPointerUnmarshall
0a RPCRT4!NdrPointerUnmarshall
0b RPCRT4!NdrpClientUnMarshal
0c RPCRT4!NdrClientCall2
0d ADVAPI32!LsarQueryInformationPolicy
0e ADVAPI32!LsaQueryInformationPolicy
0f services!ScGetAccountDomainInfo
10 services!ScInitServiceAccount
11 services!SvcctrlMain
12 services!main
13 services!mainCRTStartup
14 kernel32!BaseProcessStart
0: kd> dv
pStubMsg = 0x0006fae0
pFormat = 0x77d752d2 "???"
fIsEmbeddedStruct = 0x00 ''
Size = 0x77d7545e
Alignment = 0x77 'w'
0: kd> db 0x77d752d2
77d752d2 17 03 08 00 f0 ff 02 02-4c 00 e0 ff 5c 5b 1b 00 ........L...\[..
uchar fIsEmbeddedStruct = IS_EMBED_CONF_STRUCT( pStubMsg->uFlags );
#define IS_EMBED_CONF_STRUCT( f ) ( ( f ) & BOGUS_EMBED_CONF_STRUCT_FLAG )
[+0x039] uFlags : 0x0 [Type: unsigned char]
Size = *((ushort *)(pFormat + 2));
IS_EMBED_CONF_STRUCT
else
{
// Align for the conformance count.
ALIGN(pStubMsg->Buffer,0x3);
pStubMsg->MaxCount = *((long *&)pStubMsg->Buffer)++; =4
}
0: kd> db 0x7b0a8e
007b0a8e 00 00 04 00 00 00 01 04-00 00 00 00 00 05 15 00 ................
第六部分:
/* 328 */
0x17, /* FC_CSTRUCT */
0x3, /* 3 */
/* 330 */ NdrFcShort( 0x8 ), /* 8 */
/* 332 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (316) */
/* 334 */ 0x2, /* FC_CHAR */
0x2, /* FC_CHAR */
/* 336 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 338 */ NdrFcShort( 0xffe0 ), /* Offset= -32 (306) */
/* 340 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
/* 316 */
0x1b, /* FC_CARRAY */
0x3, /* 3 */
/* 318 */ NdrFcShort( 0x4 ), /* 4 */
/* 320 */ 0x4, /* Corr desc: FC_USMALL */
0x0, /* */
/* 322 */ NdrFcShort( 0xfff9 ), /* -7 */
/* 324 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 326 */ 0x8, /* FC_LONG */
0x5b, /* FC_END */
pFormatArray = pFormat + *((signed short *)pFormat); //316
第七部分:
0: kd> dx -id 0,0,8951a020 -r1 ((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)
((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0) : 0x6fae0 [Type: _MIDL_STUB_MESSAGE *]
[+0x000] RpcMsg : 0x6fab4 [Type: _RPC_MESSAGE *]
[+0x004] Buffer : 0x7b0a8e : 0x0 [Type: unsigned char *]
0: kd> db 0x7b0a8e
007b0a8e 00 00 04 00 00 00 01 04-00 00 00 00 00 05 15 00 ................
007b0a9e 00 00 0b 2e 6b 25 d5 fe-fd 81 2b 5f a6 f7
Size = 0x18 = 8 + 0x10（结构体固定部分 8 字节，加上数组 MaxCount=4 个元素 × 每元素 4 字节 = 0x10）
pStubMsg->MemorySize += Size;
[+0x018] MemorySize : 0x5c [Type: unsigned long] +0x18=0x74
第八部分:
0: kd> db 0x77d752d2
77d752d2 17 03
Alignment = pFormat[1];=3
Size = *((ushort *)(pFormat + 2));=8
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x1f:
001b:77c4873c 8945fc mov dword ptr [ebp-4],eax
0: kd> r
eax=00000008
// Align for the conformance count.
ALIGN(pStubMsg->Buffer,0x3); pStubMsg->Buffer=eax=007b0a90
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x34:
001b:77c48751 83e0fc and eax,0FFFFFFFCh
0: kd> r
eax=007b0a91
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x37:
001b:77c48754 894604 mov dword ptr [esi+4],eax
0: kd> r
eax=007b0a90
0: kd> db007b0a90
007b0a90 04 00 00 00 01 04 00 00-00 00 00 05 15 00 00 00 ................
pStubMsg->MaxCount = *((long *&)pStubMsg->Buffer)++;=0x4
pStubMsg->Buffer=007b0a94
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x3c:
001b:77c48759 83c004 add eax,4
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x3f:
001b:77c4875c 894e3c mov dword ptr [esi+3Ch],ecx
0: kd> r
eax=007b0a94 ebx=77d752d2 ecx=00000004 edx=0000000f esi=0006fae0 edi=77d75486
0: kd> dx -id 0,0,8951a020 -r1 ((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)
((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0) : 0x6fae0 [Type: _MIDL_STUB_MESSAGE *]
[+0x000] RpcMsg : 0x6fab4 [Type: _RPC_MESSAGE *]
[+0x004] Buffer : 0x7b0a90 : 0x4 [Type: unsigned char *]
[+0x03c] MaxCount : 0x4 [Type: unsigned long]
第九部分:
// Increment the format string to the offset to array description.
pFormat += 4;
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x45:
001b:77c48762 83c304 add ebx,4
0: kd> dv
pStubMsg = 0x0006fae0
pFormat = 0x03d752d2 "--- memory read error at address 0x03d752d2 ---"
fIsEmbeddedStruct = 0x00 ''
Size = 8
Alignment = 0x03 ''
0: kd> r
eax=007b0a94 ebx=77d752d2 ecx=00000004 edx=0000000f esi=0006fae0 edi=77d75486
0: kd> db 77d752d6
77d752d6 f0 ff 02 02 4c 00 e0 ff-5c 5b 1b 00 01 00 00 59 ....L...\[.....Y
// Get the array's description.
pFormatArray = pFormat + *((signed short *)pFormat); =edi=77d752c6
0: kd> r
eax=00000000 ebx=77d752d6 ecx=00000004 edx=0000000f esi=0006fae0 edi=fffffff0
eip=77c4876a esp=0006f8e4 ebp=0006f8f4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
RPCRT4!NdrConformantStructMemorySize+0x4d:
001b:77c4876a 03fb add edi,ebx
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x4f:
001b:77c4876c 8a4704 mov al,byte ptr [edi+4]
0: kd> r
eax=00000000 ebx=77d752d6 ecx=00000004 edx=0000000f esi=0006fae0 edi=77d752c6
0: kd> db 77d752c6
77d752c6 1b 03 04 00 04 00 f9 ff-01 00 08 5b 17 03 08 00 ...........[....
/* 316 */
0x1b, /* FC_CARRAY */
0x3, /* 3 */
/* 318 */ NdrFcShort( 0x4 ), /* 4 */
/* 320 */ 0x4, /* Corr desc: FC_USMALL */
0x0, /* */
/* 322 */ NdrFcShort( 0xfff9 ), /* -7 */
/* 324 */ NdrFcShort( 0x1 ), /* Corr flags: early, */
/* 326 */ 0x8, /* FC_LONG */
0x5b, /* FC_END */
// check for possible mulitplication overflow attack here.
Size += MultiplyWithOverflowCheck( (ulong)pStubMsg->MaxCount, *((ushort *)(pFormatArray + 2) ) );
pFormatArray + 2 处的 element_size 字段表示每个元素的大小为 4 字节。由于 MaxCount 是从接收缓冲区中读出的（见第八部分），这里的 MaxCount × element_size 必须经过 MultiplyWithOverflowCheck 做溢出检查。
0: kd> db 77d752c6
77d752c6 1b 03 04 00 04 00 f9 ff-01 00 08 5b 17 03 08 00 ...........[....
第十部分:
符合性数组
已知数组大小后,可以阻止复制一个符合性数组。
syntax
FC_CARRAY alignment<1>
element_size<2>
conformance_description<>
[pointer_layout<>]
element_description<>
FC_END
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x66:
001b:77c48783 e8d474ffff call RPCRT4!MultiplyWithOverflowCheck (77c3fc5c)
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x6b:
001b:77c48788 0fb6550f movzx edx,byte ptr [ebp+0Fh]
0: kd> r
eax=00000010
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0x75:
001b:77c48792 03f8 add edi,eax
0: kd> r
eax=00000010 ebx=77d752d6 ecx=0000005c edx=00000003 esi=0006fae0 edi=00000008
CHECK_EOB_WITH_WRAP_RAISE_IB( pStubMsg->Buffer, Size );
pStubMsg->Buffer += Size;
pStubMsg->MemorySize += Size; 0x5c+0x18
0: kd> dx -id 0,0,8951a020 -r1 ((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0)
((RPCRT4!_MIDL_STUB_MESSAGE *)0x6fae0) : 0x6fae0 [Type: _MIDL_STUB_MESSAGE *]
[+0x000] RpcMsg : 0x6fab4 [Type: _RPC_MESSAGE *]
[+0x004] Buffer : 0x7b0aac : 0x0 [Type: unsigned char *]
[+0x008] BufferStart : 0x7b0a50 : 0x0 [Type: unsigned char *]
[+0x00c] BufferEnd : 0x7b0ab0 : 0xd [Type: unsigned char *]
[+0x010] BufferMark : 0x7b0a58 : 0x1e [Type: unsigned char *]
[+0x014] BufferLength : 0x2a [Type: unsigned long]
[+0x018] MemorySize : 0x74 [Type: unsigned long]
0: kd> db 0x7b0a50
007b0a50 00 00 02 00 05 00 00 00-1e 00 20 00 04 00 02 00 .......... .....
007b0a60 08 00 02 00 10 00 00 00-00 00 00 00 0f 00 00 00 ................
007b0a70 4e 00 54 00 44 00 45 00-56 00 2d 00 51 00 51 00 N.T.D.E.V.-.Q.Q.
007b0a80 54 00 51 00 53 00 4e 00-4c 00 44 00 58 00 00 00 T.Q.S.N.L.D.X...
007b0a90 04 00 00 00 01 04 00 00-00 00 00 05 15 00 00 00 ................
007b0aa0 0b 2e 6b 25 d5 fe fd 81-2b 5f a6 f7
return pStubMsg->MemorySize;
}
第十一部分:
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0xc5:
001b:77c487e2 5e pop esi
0: kd> p
RPCRT4!NdrConformantStructMemorySize+0xc6:
001b:77c487e3 5b pop ebx
0: kd> r
eax=00000074
NdrpPointerMemorySize(
pStubMsg,
pBufPtr,
pFormat );
// Increment to next pointer description.
pFormat += 4;
} // for
}
0: kd> p
RPCRT4!NdrpEmbeddedPointerMemorySize+0x7e:
001b:77c48680 83c704 add edi,4
0: kd> r
eax=00000074 ebx=007b0a58 ecx=00000074 edx=007b0aac esi=0006fae0 edi=77d75486
eip=77c48680 esp=0006f924 ebp=0006f940 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
RPCRT4!NdrpEmbeddedPointerMemorySize+0x7e:
001b:77c48680 83c704 add edi,4
0: kd> p
RPCRT4!NdrpEmbeddedPointerMemorySize+0x81:
001b:77c48683 897d0c mov dword ptr [ebp+0Ch],edi
0: kd> r
eax=00000074 ebx=007b0a58 ecx=00000074 edx=007b0aac esi=0006fae0 edi=77d7548a
0: kd> db 77d75486
77d75486 12 00 4a fe 5b 06 06 08-08 5b 1c 01 02 00 17 55 ..J.[....[.....U
读到 0x5b (FC_END)，嵌入指针描述到此结束。
if ( *pFormat == FC_END )
{
return;
}