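第一部分: (Part 1) Entry into RPCRT4!OSF_CCALL::ActivateCall, before the call object has been initialized. In the dump below, 0xbaadf00d and -1163005939 are the same 32-bit pattern (unsigned and signed). It is the fill value the Windows debug heap writes into freshly allocated memory, so every field showing it has not been written yet.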
1: kd> t
 RPCRT4!OSF_CCALL::ActivateCall:
 001b:77bf5789 55              push    ebp
 1: kd> kc
  #
 00 RPCRT4!OSF_CCALL::ActivateCall
 01 RPCRT4!OSF_CASSOCIATION::AllocateCCall
 02 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
 03 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
 04 RPCRT4!I_RpcGetBufferWithObject
 05 RPCRT4!I_RpcGetBuffer
 06 RPCRT4!NdrGetBuffer
 07 RPCRT4!NdrClientCall2
 08 ADVAPI32!LsarGetUserName
 09 ADVAPI32!LsaGetUserName
 0a ntdll!RtlpWaitOrTimerCallout
 1: kd> dv
                  this = 00ce1b98
         BindingHandle = 0x00ce1730
               Binding = 0x00ce1fa8
 AvailableBindingsList = 0x00000000
           CallIdToUse = 1
      InitialCallState = NeedOpenAndBind (0n0)
         DispatchTable = 0x00000000
           CConnection = 0x00ce1958
                Status = 0n1
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CCALL *)0xce1b98)
 ((RPCRT4!OSF_CCALL *)0xce1b98)                 : 0xce1b98 [Type: OSF_CCALL *]
     [+0x004] MagicLong        : 0x89abcdef [Type: unsigned long]
     [+0x008] ObjectType       : 32 [Type: int]
     [+0x00c] RefCount         [Type: INTERLOCKED_INTEGER]
     [+0x010] NestingCall      : 0xbaadf00d [Type: CALL *]
     [+0x014] pAsync           : 0xbaadf00d [Type: _RPC_ASYNC_STATE *]
     [+0x018] NotificationIssued : -1163005939 [Type: long]
     [+0x01c] AsyncStatus      : -1163005939 [Type: long]
     [+0x020] CachedAPCInfo    [Type: RPC_APC_INFO]
     [+0x030] CachedAPCInfoAvailable : 1 [Type: int]
     [+0x034] CallingThread    : 0xbaadf00d [Type: THREAD *]
     [+0x038] UuidSpecified    : -1163005939 [Type: int]
     [+0x03c] ObjectUuid       : {BAADF00D-F00D-BAAD-0DF0-ADBA0DF0ADBA} [Type: _GUID]
     [+0x04c] EEInfo           : 0x0 [Type: tagExtendedErrorInfo *]
     [+0x050] CurrentState     : -1163005939 [Type: OSF_CCALL_STATE]
     [+0x054] Connection       : 0xbaadf00d [Type: OSF_CCONNECTION *]
     [+0x058] BindingHandle    : 0xbaadf00d [Type: OSF_BINDING_HANDLE *]
     [+0x05c] CallbackLevel    : 0 [Type: int]
     [+0x060] Bindings         [Type: OSF_CCALL::__unnamed]
     [+0x068] CurrentBuffer    : 0xbaadf00d [Type: void *]
     [+0x06c] fDataLengthNegotiated : -1163005939 [Type: int]
     [+0x070] CurrentOffset    : -1163005939 [Type: int]
     [+0x074] CurrentBufferLength : 0xbaadf00d [Type: unsigned long]
     [+0x078] CallId           : 0xbaadf00d [Type: unsigned long]
     [+0x07c] RcvBufferLength  : 0xbaadf00d [Type: unsigned int]
     [+0x080] FirstSend        : -1163005939 [Type: int]
     [+0x084] DispatchTableCallback : 0xbaadf00d [Type: RPC_DISPATCH_TABLE *]
     [+0x088] MaximumFragmentLength : 0xbaadf00d [Type: unsigned int]
     [+0x08c] MaxSecuritySize  : 0xbaadf00d [Type: unsigned int]
     [+0x090] MaxDataLength    : 0xbaadf00d [Type: unsigned int]
     [+0x094] ProcNum          : -1163005939 [Type: int]
     [+0x098] ReservedForSecurity : 0x0 [Type: unsigned char *]
     [+0x09c] SecBufferLength  : 0x0 [Type: unsigned int]
     [+0x0a0] HeaderSize       : 0xbaadf00d [Type: unsigned int]
     [+0x0a4] AdditionalSpaceForSecurity : 0xbaadf00d [Type: unsigned int]
     [+0x0a8] SavedHeaderSize  : 0x0 [Type: unsigned long]
     [+0x0ac] SavedHeader      : 0x0 [Type: void *]
     [+0x0b0] LastBuffer       : 0xbaadf00d [Type: void *]
     [+0x0b4] SyncEvent        [Type: EVENT]
     [+0x0b8] ActualBufferLength : 0xbaadf00d [Type: unsigned int]
     [+0x0bc] NeededLength     : 0xbaadf00d [Type: unsigned int]
     [+0x0c0] CallSendContext  : 0xce1cd0 [Type: void *]
     [+0x0c4] fAdvanceCallCount [Type: INTERLOCKED_INTEGER]
     [+0x0c8] fPeerChoked      : -1163005939 [Type: int]
     [+0x0cc] Flags            [Type: CompositeFlags]
     [+0x0d0] fLastSendComplete : -1163005939 [Type: int]
     [+0x0d4] CallMutex        [Type: MUTEX]
     [+0x0ec] RecursiveCallsKey : -1163005939 [Type: int]
     [+0x0f0] AllocHint        : 0xbaadf00d [Type: unsigned long]
     [+0x0f4] CallStack        : -1163005939 [Type: int]
     [+0x0f8] fCallCancelled   : -1163005939 [Type: int]
     [+0x0fc] CancelState      : -1163005939 [Type: CANCEL_STATE]
     [+0x100] BufferQueue      [Type: QUEUE]
     [+0x12c] InReply          : 0 [Type: int]
     [+0x130] fChoked          : -1163005939 [Type: int]
 第二部分:
1: kd> dv
                  this = 00ce1b98
         BindingHandle = 0x00ce1730
     Connection = CConnection;
     this->BindingHandle = BindingHandle;
 第三部分:
 1: kd> dv
                  this = 0x00ce18b4
         BindingHandle = 0x00ce1730
               Binding = 0x00ce1fa8
 AvailableBindingsList = 0x00000000
           CallIdToUse = 1
     CallId = CallIdToUse;
 1: kd>  dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CASSOCIATION *)0xce1840)
 ((RPCRT4!OSF_CASSOCIATION *)0xce1840)                 : 0xce1840 [Type: OSF_CASSOCIATION *]
     [+0x004] MagicLong        : 0x89abcdef [Type: unsigned long]
     [+0x008] ObjectType       : 512 [Type: int]
[+0x070] CallIdCounter : 0x2 [Type: unsigned long]
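第四部分:CallIdCounter是RPCRT4!OSF_CASSOCIATION结构成员 (Part 4: CallIdCounter is a member of RPCRT4!OSF_CASSOCIATION. The post-increment below explains the values seen in Part 3: CallIdToUse received 1, and the counter in the association now reads 0x2.)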
 RPC_STATUS
 OSF_CASSOCIATION::AllocateCCall (
     IN OSF_BINDING_HANDLE *BindingHandle,
     IN PRPC_MESSAGE Message,
     IN CLIENT_AUTH_INFO * ClientAuthInfo,
     OUT OSF_CCALL ** pCCall,
     OUT BOOL *fBindingHandleReferenceRemoved
     )
 {
     CallIdToUse = CallIdCounter++;
CurrentState = InitialCallState;
        Status = Connection->AddActiveCall(
                                        CallIdToUse,
                                        this);
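第五部分:RPCRT4!OSF_CCONNECTION结构中的ActiveCalls (Part 5: the ActiveCalls dictionary inside RPCRT4!OSF_CCONNECTION. It sits at 0xce1958 + 0xb0 = 0xce1a08, and DictKeys/DictItems point at the inline InitialDictKeys/InitialDictItems arrays. All four slots are still 0x0 in this dump, so no call is registered on the connection yet.)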
 1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CCONNECTION *)0xce1958)
 ((RPCRT4!OSF_CCONNECTION *)0xce1958)                 : 0xce1958 [Type: OSF_CCONNECTION *]
     [+0x004] MagicLong        : 0x89abcdef [Type: unsigned long]
     [+0x008] ObjectType       : 128 [Type: int]
[+0x0b0] ActiveCalls [Type: OSF_CCALL_DICT2]
1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!OSF_CCALL_DICT2 *)0xce1a08))
 (*((RPCRT4!OSF_CCALL_DICT2 *)0xce1a08))                 [Type: OSF_CCALL_DICT2]
     [+0x000] DictKeys         : 0xce1a14 [Type: void * *]
     [+0x004] DictItems        : 0xce1a24 [Type: void * *]
     [+0x008] cDictSlots       : 0x4 [Type: unsigned int]
     [+0x00c] InitialDictKeys  [Type: void * [4]]
     [+0x01c] InitialDictItems [Type: void * [4]]
 1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!void * (*)[4])0xce1a14))
 (*((RPCRT4!void * (*)[4])0xce1a14))                 [Type: void * [4]]
     [0]              : 0x0 [Type: void *]
     [1]              : 0x0 [Type: void *]
     [2]              : 0x0 [Type: void *]
     [3]              : 0x0 [Type: void *]
 1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!void * (*)[4])0xce1a24))
 (*((RPCRT4!void * (*)[4])0xce1a24))                 [Type: void * [4]]
     [0]              : 0x0 [Type: void *]
     [1]              : 0x0 [Type: void *]
     [2]              : 0x0 [Type: void *]
     [3]              : 0x0 [Type: void *]
第六部分:
     Bindings.SelectedBinding = Binding;
     Bindings.AvailableBindingsList = AvailableBindingsList;
1: kd> dv
                  this = 0x00ce18b4
         BindingHandle = 0x00ce1730
                Binding = 0x00ce1fa8            这里有Binding (this is the Binding argument stored into Bindings.SelectedBinding; dumped below)
 AvailableBindingsList = 0x00000000
1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_BINDING *)0xce1fa8)
 ((RPCRT4!OSF_BINDING *)0xce1fa8)                 : 0xce1fa8 [Type: OSF_BINDING *]
     [+0x000] InterfaceId      [Type: _RPC_SYNTAX_IDENTIFIER]
     [+0x014] TransferSyntaxInfo [Type: TRANSFER_SYNTAX_INFO_ATOM]
     [+0x030] NextBinding      : 0x0 [Type: MTSyntaxBinding *]
     [+0x034] PresentationContext : 0 [Type: int]
     [+0x038] CapabilitiesBitmap : 1 [Type: int]
     [+0x03c] RefCount         [Type: INTERLOCKED_INTEGER]
     [+0x040] Flags            [Type: CompositeFlags]
 第七部分:参考
     // Returns the binding(s) recorded on this call object.
     //
     // If Bindings.AvailableBindingsList is non-null, that list is returned and
     // *fMultipleBindingsAvailable is set to TRUE. Otherwise the single
     // Bindings.SelectedBinding is returned and the flag is set to FALSE.
     //
     // fMultipleBindingsAvailable is written on every path without a null
     // check, so the caller must pass a valid pointer.
     inline OSF_BINDING *
     GetListOfAvaialbleBindings (
         OUT BOOL *fMultipleBindingsAvailable
         )
     {
         // No list of alternatives: fall back to the one selected binding.
         if (!Bindings.AvailableBindingsList)
             {
             *fMultipleBindingsAvailable = FALSE;
             return Bindings.SelectedBinding;
             }

         // A list exists: tell the caller more than one binding may follow.
         *fMultipleBindingsAvailable = TRUE;
         return Bindings.AvailableBindingsList;
     }
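 第八部分: (Part 8) The Bindings member of the OSF_CCALL after the assignments in Part 6. It sits at 0xce1b98 + 0x60 = 0xce1bf8. SelectedBinding now holds 0xce1fa8 and AvailableBindingsList is 0x0.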
 1: kd> dt osf_ccall 00ce1b98
 RPCRT4!OSF_CCALL
    +0x000 __VFN_table : 0x77bd3278
    +0x004 MagicLong        : 0x89abcdef
    +0x008 ObjectType       : 0n32
  
    +0x060 Bindings         : OSF_CCALL::__unnamed
 1: kd> dx -id 0,0,898d2250 -r1 (*((RPCRT4!OSF_CCALL::__unnamed *)0xce1bf8))
 (*((RPCRT4!OSF_CCALL::__unnamed *)0xce1bf8))                 [Type: OSF_CCALL::__unnamed]
     [+0x000] SelectedBinding  : 0xce1fa8 [Type: OSF_BINDING *]
     [+0x004] AvailableBindingsList : 0x0 [Type: OSF_BINDING *]
 1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_BINDING *)0xce1fa8)
 ((RPCRT4!OSF_BINDING *)0xce1fa8)                 : 0xce1fa8 [Type: OSF_BINDING *]
     [+0x000] InterfaceId      [Type: _RPC_SYNTAX_IDENTIFIER]
     [+0x014] TransferSyntaxInfo [Type: TRANSFER_SYNTAX_INFO_ATOM]
     [+0x030] NextBinding      : 0x0 [Type: MTSyntaxBinding *]
     [+0x034] PresentationContext : 0 [Type: int]
     [+0x038] CapabilitiesBitmap : 1 [Type: int]
     [+0x03c] RefCount         [Type: INTERLOCKED_INTEGER]
     [+0x040] Flags            [Type: CompositeFlags]
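第九部分: (Part 9) fExclusive on the connection is 1, so the `Connection->fExclusive == 0` test quoted below is false and that branch is not taken (不成立 = "does not hold").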
 1: kd> dx -id 0,0,898d2250 -r1 ((RPCRT4!OSF_CCONNECTION *)0xce1958)
 ((RPCRT4!OSF_CCONNECTION *)0xce1958)                 : 0xce1958 [Type: OSF_CCONNECTION *]
     [+0x004] MagicLong        : 0x89abcdef [Type: unsigned long]
     [+0x008] ObjectType       : 128 [Type: int]
[+0x054] fExclusive : 1 [Type: int]
     if (Connection->fExclusive == 0)        //不成立
         {
         //
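 第十部分:最终结果 (Part 10: final result. This is the same OSF_CCALL at 0x00ce1b98 after the initialization traced above. Connection, BindingHandle, CurrentState and CallId now hold the values passed in. Fields that still show 0xbaadf00d / -1163005939, such as NestingCall, NotificationIssued, AsyncStatus, UuidSpecified, FirstSend, ProcNum and fChoked, have not been written at this point and still contain the heap fill pattern.)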
 1: kd> dt osf_ccall 00ce1b98
 RPCRT4!OSF_CCALL
    +0x000 __VFN_table : 0x77bd3278
    +0x004 MagicLong        : 0x89abcdef
    +0x008 ObjectType       : 0n32
    +0x00c RefCount         : INTERLOCKED_INTEGER
    +0x010 NestingCall      : 0xbaadf00d CALL
    +0x014 pAsync           : (null)
    +0x018 NotificationIssued : 0n-1163005939
    +0x01c AsyncStatus      : 0n-1163005939
    +0x020 CachedAPCInfo    : RPC_APC_INFO
    +0x030 CachedAPCInfoAvailable : 0n1
    +0x034 CallingThread    : (null)
    +0x038 UuidSpecified    : 0n-1163005939
    +0x03c ObjectUuid       : _GUID {baadf00d-f00d-baad-0df0-adba0df0adba}
    +0x04c EEInfo           : (null)
    +0x050 CurrentState     : 0 ( NeedOpenAndBind )
    +0x054 Connection       : 0x00ce1958 OSF_CCONNECTION
    +0x058 BindingHandle    : 0x00ce1730 OSF_BINDING_HANDLE
    +0x05c CallbackLevel    : 0n0
    +0x060 Bindings         : OSF_CCALL::__unnamed
    +0x068 CurrentBuffer    : (null)
    +0x06c fDataLengthNegotiated : 0n0
    +0x070 CurrentOffset    : 0n0
    +0x074 CurrentBufferLength : 0xbaadf00d
    +0x078 CallId           : 1
    +0x07c RcvBufferLength  : 0
    +0x080 FirstSend        : 0n-1163005939
    +0x084 DispatchTableCallback : (null)
    +0x088 MaximumFragmentLength : 0
    +0x08c MaxSecuritySize  : 0
    +0x090 MaxDataLength    : 0
    +0x094 ProcNum          : 0n-1163005939
    +0x098 ReservedForSecurity : (null)
    +0x09c SecBufferLength  : 0
    +0x0a0 HeaderSize       : 0
    +0x0a4 AdditionalSpaceForSecurity : 0
    +0x0a8 SavedHeaderSize  : 0
    +0x0ac SavedHeader      : (null)
    +0x0b0 LastBuffer       : (null)
    +0x0b4 SyncEvent        : EVENT
    +0x0b8 ActualBufferLength : 0xbaadf00d
    +0x0bc NeededLength     : 0
    +0x0c0 CallSendContext  : 0x00ce1cd0 Void
    +0x0c4 fAdvanceCallCount : INTERLOCKED_INTEGER
    +0x0c8 fPeerChoked      : 0n0
    +0x0cc Flags            : CompositeFlags
    +0x0d0 fLastSendComplete : 0n-1163005939
    +0x0d4 CallMutex        : MUTEX
    +0x0ec RecursiveCallsKey : 0n-1
    +0x0f0 AllocHint        : 0
    +0x0f4 CallStack        : 0n0
    +0x0f8 fCallCancelled   : 0n0
    +0x0fc CancelState      : 0 ( CANCEL_NOTREGISTERED )
    +0x100 BufferQueue      : QUEUE
    +0x12c InReply          : 0n0
    +0x130 fChoked          : 0n-1163005939
