标 题:
【原创】跟踪vdsldr.exe启动过程
作 者: boywhp
时 间: 2013-05-25,21:43:48
链 接: http://bbs.pediy.com/showthread.php?t=172274
调试日记比较乱,各位直接看我画的最终图吧!
vdsldr.exe 启动过程调试跟踪【懒得整理了,抱歉】:
命中堆栈如下:
00 f821ed38 808234cb 002ef1f8 001f0fff 002ef060 nt!NtCreateProcessEx
01 f821ed38 7c9585ec 002ef1f8 001f0fff 002ef060 nt!KiFastCallEntry+0xf8
02 002eee30 7c956e9b 7c82cf95 002ef1f8 001f0fff ntdll!KiFastSystemCallRet
03 002eee34 7c82cf95 002ef1f8 001f0fff 002ef060 ntdll!NtCreateProcessEx+0xc
04 002ef658 77f3c670 0000018c 00000000 000986c8 kernel32!CreateProcessInternalW+0x15e5
05 002ef6a4 4a2d5da0 0000018c 00000000 000986c8 ADVAPI32!CreateProcessAsUserW+0x108
06 002ef7f8 4a2d5aeb 000972f8 000976bc 000003aa rpcss!CClsidData::PrivilegedLaunchActivatorServer+0x393
07 002ef888 77c50193 00086110 9c38ed61 4728d565 rpcss!_LaunchActivatorServer+0xed
08 002ef8f8 77cb33e1 4a2d5a30 002efae0 00000017 RPCRT4!Invoke+0x30
09 002efcf8 77cb35c4 00000000 00000000 0008623c RPCRT4!NdrStubCall2+0x299
0a 002efd14 77c4ff7a 0008623c 00093c68 0008623c RPCRT4!NdrServerCall2+0x19
0b 002efd48 77c5042d 4a2c218d 0008623c 002efdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0c 002efd9c 77c50353 00000000 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
0d 002efdc0 77c511dc 0008623c 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
0e 002efdfc 77c512f0 00085fd0 00091848 00094138 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
0f 002efe20 77c58678 00091880 002efe38 00085fd0 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
10 002eff84 77c58792 002effac 77c5872d 00091848 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
11 002eff8c 77c5872d 00091848 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
12 002effac 77c4b110 00084428 002effec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
13 002effb8 7c824829 00086980 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
14 002effec 00000000 77c4b0f5 00086980 00000000 kernel32!BaseThreadStart+0x34
IDA 获取对应RPC接口标识如下:
guid -> AE 99 86 9B 44 0E B1 47 8E 7F 86 A4 61 D7 EC DC <----!!!!!唯一接口GUID
-> 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 --- Transfer RPC通用
http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_iactivationkernel.html
9b8699ae-0e44-47b1-8e7f-86a461d7ecdc v0.0: IActivationKernel
0x00 LaunchActivatorServer <---------------------------
0x01 LaunchRunAsServer
0x02 LaunchService
0x03 CertifyServerIdentity
0x04 PrivRunAsSetWinstaDesktop
0x05 PrivRunAsRelease
0x06 PrivRunAsInvalidateAndRelease
0x07 PrivTranslateShareName
0x08 FlushCache
0x09 IsPortOpen
0x0a SignalPnpNotification
!peb
WindowTitle: 'C:\WINDOWS\system32\svchost.exe'
ImageFile: 'C:\WINDOWS\system32\svchost.exe'
CommandLine: 'C:\WINDOWS\system32\svchost.exe -k DcomLaunch'
bp RPCRT4!NdrClientCall2 "j poi(poi(poi(esp+4))+4) = 0x9b8699ae'';'gc'"
命中如下:
00 00d4f4d0 4a2d5a16 4a2c3068 4a2d4282 00d4f4f4 RPCRT4!NdrClientCall2
01 00d4f4ec 4a2d59ca 0009b320 9c38ed61 4728d565 rpcss!LaunchActivatorServer+0x25
02 00d4f5a4 4a2d5ffb 000b0e88 000b5520 000003aa rpcss!CClsidData::LaunchActivatorServer+0xbe
03 00d4f610 4a2d52a1 00d4f7d8 000a75d8 00d4f63c rpcss!CServerTableEntry::StartServerAndWait+0x3e9
04 00d4f670 4a2cd500 00d4f7d8 00000000 000b8014 rpcss!Activation+0x686
05 00d4f6cc 4a2d1f00 000b8014 00d4f7bc 00d4f71c rpcss!ActivateFromProperties+0x213
06 00d4f6dc 4a2d1fb9 4a3118d0 00000000 000b8014 rpcss!CScmActivator::CreateInstance+0x10
07 00d4f71c 4a2cf731 000b8014 00000000 00d4f7bc rpcss!ActivationPropertiesIn::DelegateCreateInstance+0xf7
08 00d4f764 4a2cf385 000b8014 00d4f7bc 00000000 rpcss!ActivateFromPropertiesPreamble+0x557
09 00d4f7ac 4a2d20cd 00000002 000b8cc4 00000000 rpcss!PerformScmStage+0xbb
0a 00d4f8c8 77c50193 000b7850 000b8c60 000b8c80 rpcss!SCMActivatorCreateInstance+0xdd
0b 00d4f8f8 77cb33e1 4a2d202c 00d4fae0 00000007 RPCRT4!Invoke+0x30
0c 00d4fcf8 77cb35c4 00000000 00000000 000b797c RPCRT4!NdrStubCall2+0x299
0d 00d4fd14 77c4ff7a 000b797c 0009bb20 000b797c RPCRT4!NdrServerCall2+0x19
0e 00d4fd48 77c5042d 4a2c218d 000b797c 00d4fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0f 00d4fd9c 77c50353 00000004 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
10 00d4fdc0 77c511dc 000b797c 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
11 00d4fdfc 77c512f0 000b0958 00091600 00091470 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
12 00d4fe20 77c58678 00091638 00d4fe38 000b0958 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
13 00d4ff84 77c58792 00d4ffac 77c5872d 00091600 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
14 00d4ff8c 77c5872d 00091600 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
15 00d4ffac 77c4b110 00084418 00d4ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
16 00d4ffb8 7c824829 000953e8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
17 00d4ffec 00000000 77c4b0f5 000953e8 00000000 kernel32!BaseThreadStart+0x34
kd> db poi(poi(esp+4))
4a2c30b8 44 00 00 00 ae 99 86 9b-44 0e b1 47 8e 7f 86 a4 D.......D..G....
4a2c30c8 61 d7 ec dc 00 00 00 00-04 5d 88 8a eb 1c c9 11 a........]......
我们继续看rpcss!SCMActivatorCreateInstance这个函数,IDA
4A2C3480 dword_4A2C3480 dd 44h, 136h, 0 ; DATA XREF: .text:off_4A2C3430o
.text:4A2C3480 ; .data:_ISCMActivator_ServerIfHandleo
.text:4A2C348C dd 0C0h, 46000000h, 0
.text:4A2C3498 dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2
.text:4A2C34AC dd offset _ISCMActivator_DispatchTable
.text:4A2C34B0 dd 3 dup(0)
.text:4A2C34BC dd offset off_4A2C34C4
.text:4A2C34C0 dd 4000000h
.text:4A2C34C4 off_4A2C34C4 dd offset off_4A2C3430 ; DATA XREF: .text:4A2C34BCo
.text:4A2C34C8 dd offset off_4A2C34E8
.text:4A2C34CC dd offset word_4A2C3502
.text:4A2C34D0 dd offset dword_4A2C3638
.text:4A2C34D4 dd 5 dup(0)
.text:4A2C34E8 off_4A2C34E8 dd offset _DummyAddRefISCMActivator@20
.text:4A2C34E8 ; DATA XREF: .text:4A2C34C8o
.text:4A2C34E8 ; DummyAddRefISCMActivator(x,x,x,x,x)
.text:4A2C34EC dd offset _DummyAddRefISCMActivator@20 ; DummyAddRefISCMActivator(x,x,x,x,x)
.text:4A2C34F0 dd offset _DummyAddRefISCMActivator@20 ; DummyAddRefISCMActivator(x,x,x,x,x)
.text:4A2C34F4 dd offset _SCMActivatorGetClassObject@24 ; SCMActivatorGetClassObject(x,x,x,x,x,x)
.text:4A2C34F8 dd offset _SCMActivatorCreateInstance@28 <-----------------
对应GUID为:36 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46
00000136-0000-0000-c000-000000000046 v0.0: ISCMActivator
0x00 QueryInterfaceSCMActivator
0x01 AddRefISCMActivator
0x02 ReleaseISCMActivator
0x03 SCMActivatorGetClassObject
0x04 SCMActivatorCreateInstance <--------------------
GUID IID_ISCMLocalActivator
运行mmc后,下客户端RPC调用断点RPCRT4!NdrClientCall2
PROCESS ffa69348 SessionId: 0 Cid: 0a2c Peb: 7ffdc000 ParentCid: 0674
DirBase: 04f89000 ObjectTable: e10e6598 HandleCount: 251.
Image: mmc.exe
0 e 77cb2fb2 0001 (0001) RPCRT4!NdrClientCall2 "j poi(@$teb+20) = 0xa2c'';'gc'"
1 e 7c802474 0001 (0001) kernel32!CreateProcessW
依次命中如下:
00 0222f10c 774f0f0d 774b2118 774b1dac 0222f12c RPCRT4!NdrClientCall2
01 0222f124 774f0ec4 000b9470 000b95d8 0222f19c ole32!ServerAllocateOXIDAndOIDs+0x1c
02 0222f178 774f0e16 0222f1a4 0222f19c 0222f354 ole32!CRpcResolver::ServerRegisterOXID+0x7d
03 0222f1d0 774f0dd4 0222f354 0222f20c 000bb490 ole32!OXIDEntry::RegisterOXIDAndOIDs+0x38
04 0222f1e8 774f0489 0222f354 0222f20c 00000000 ole32!OXIDEntry::AllocOIDs+0x18
05 0222f358 774f0bd3 775d487c 000fd5c8 00000000 ole32!CComApartment::CallTheResolver+0x6b
06 0222f390 774f0c5b 775d68b8 00000000 775cc28e ole32!CComApartment::InitRemoting+0x1d9
07 0222f39c 775cc28e 0222f850 000fd5c8 0222f40c ole32!CComApartment::StartServer+0x13
08 0222f3ac 774f4ab5 775d68b8 0222f850 774f8743 ole32!InitChannelIfNecessary+0x1e
09 0222f3b8 774f8743 00000000 0222f850 775d487c ole32!CRpcResolver::BindToSCMProxy+0xb
0a 0222f40c 774f8709 0222f850 0222fd98 00450045 ole32!CRpcResolver::CreateInstance+0x23
0b 0222f658 774eaf7e 775d487c 00000000 00000000 ole32!CClientContextActivator::CreateInstance+0xfa
0c 0222f698 774eb10f 0222f850 00000000 0222fd98 ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0d 0222fe4c 774e679a 7299aed0 00000000 00000014 ole32!ICoCreateInstanceEx+0x3f8
0e 0222fe80 774e6762 7299aed0 00000000 00000000 ole32!CComActivator::DoCreateInstance+0x6a
0f 0222fea4 774e6963 7299aed0 00000000 00000014 ole32!CoCreateInstanceEx+0x23
10 0222fed4 7299ace7 7299aed0 00000000 00000014 ole32!CoCreateInstance+0x3c
WARNING: Frame IP not in any known module. Following frames may be wrong.
11 0222ff84 77b9b530 0007d414 00000000 00000000 0x7299ace7
12 0222ffb8 7c824829 0003c7a0 00000000 00000000 msvcrt!_endthreadex+0xa3
13 0222ffec 00000000 77b9b4bc 0003c7a0 00000000 kernel32!BaseThreadStart+0x34
kd> db poi(poi(esp+4))
774b2168 44 00 00 00 e6 73 0c e6-f9 88 cf 11 9a f1 00 20 D....s......... GUID -> e6 73 xxxx
774b2178 af 6e 72 f4 02 00 00 00-04 5d 88 8a eb 1c c9 11 .nr......]......
774b2188 9f e8 08 00 2b 10 48 60-02 00 00 00 00 00 00 00 ....+.H`........
774b2198 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
774b21a8 00 00 00 00 00 00 00 00-e9 df 4d 77 67 3c 57 77 ..........Mwg<Ww
IDA发现 ole32对应的 e60c73e6-88f9-11cf-9af1-0020af6e72f4 gg得到如下信息:
http://www.hsc.fr/ressources/articles/win_net_srv/rpcss_dcom_interfaces.html
调用参数为:
NdrClientCall2(&pStubDescriptor, &byte_774B1DAC, &a1);
byte_774B1DAC-> 00 68 00 00 00 00 04 00 34 00 32 00 00 00 34 00 执行RPC 0x4函数调用
Interface Operation number Operation name
e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0: ILocalObjectExporter
0x00 Connect
0x01 AllocateReservedIds
0x02 BulkUpdateOIDs
0x03 ClientResolveOXID
0x04 ServerAllocateOXIDandOIDs <--------------------
0x05 ServerAllocateOIDs
0x06 ServerFreeOXIDAndOIDs
0x07 Disconnect
最终调用rpcss._ServerAllocateOXIDAndOIDs函数!
00 0222f378 77cb25a6 774b62b8 774b953e 0222f3b0 RPCRT4!NdrClientCall2
01 0222f398 77c34f87 00000014 00000004 0222f40c RPCRT4!ObjectStublessClient+0x8b
02 0222f3a8 774f885b 0010769c 00000000 0222f850 RPCRT4!ObjectStubless+0xf
03 0222f40c 774f8709 0222f850 0222fd98 00450045 ole32!CRpcResolver::CreateInstance+0x14e
04 0222f658 774eaf7e 775d487c 00000000 00000000 ole32!CClientContextActivator::CreateInstance+0xfa
05 0222f698 774eb10f 0222f850 00000000 0222fd98 ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
06 0222fe4c 774e679a 7299aed0 00000000 00000014 ole32!ICoCreateInstanceEx+0x3f8
07 0222fe80 774e6762 7299aed0 00000000 00000000 ole32!CComActivator::DoCreateInstance+0x6a
08 0222fea4 774e6963 7299aed0 00000000 00000014 ole32!CoCreateInstanceEx+0x23
09 0222fed4 7299ace7 7299aed0 00000000 00000014 ole32!CoCreateInstance+0x3c
0a 0222ff18 7d263767 00000000 00f26068 0003c848 dmdskmgr!CServerRequests::InitInstance+0x5f
WARNING: Stack unwind information not available. Following frames may be wrong.
0b 0222ff84 77b9b530 0007d414 00000000 00000000 MFC42u!Ordinal1181+0x167
0c 0222ffb8 7c824829 0003c848 00000000 00000000 msvcrt!_endthreadex+0xa3
0d 0222ffec 00000000 77b9b4bc 0003c848 00000000 kernel32!BaseThreadStart+0x34
IDA dmdskmgr!CServerRequests::InitInstance
CoCreateInstance(&CLSID_VdsLoader, 0, 0x14u, &IID_IVdsServiceLoader, &pProxy) 创建com接口
typedef enum tagCLSCTX {
CLSCTX_INPROC_SERVER = 0x1,
CLSCTX_INPROC_HANDLER = 0x2,
CLSCTX_LOCAL_SERVER = 0x4,
CLSCTX_REMOTE_SERVER = 0x10
} CLSCTX;
CLSID_VdsLoader -> 61 ED 38 9C 65 D5 28 47 AE EE C8 09 52 F0 EC DE 9c38ed61-d565-4728-aeee-c80952f0ecde
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C38ED61-D565-4728-AEEE-C80952F0ECDE}
%SystemRoot%\System32\vdsldr.exe
IID_IVdsServiceLoader-> 03 33 39 E0 D4 90 97 4A AB 71 E9 B6 71 EE 27 29 e0393303-90d4-4a97-ab71-e9b671ee2729
->
对应dll为:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0393303-90D4-4A97-AB71-E9B671EE2729}
%SystemRoot%\System32\vds_ps.dll
0E0393303-90D4-4A97-
bp RPCRT4!Invoke 对应的RPC服务函数为:
00 00e6f8f8 77cb33e1 4a2d202c 00e6fae0 00000007 RPCRT4!Invoke
01 00e6fcf8 77cb35c4 00000000 00000000 000a92cc RPCRT4!NdrStubCall2+0x299
02 00e6fd14 77c4ff7a 000a92cc 0009aa00 000a92cc RPCRT4!NdrServerCall2+0x19
03 00e6fd48 77c5042d 4a2c218d 000a92cc 00e6fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
04 00e6fd9c 77c50353 00000004 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
05 00e6fdc0 77c511dc 000a92cc 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
06 00e6fdfc 77c512f0 000b4808 00091610 000b03e8 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
07 00e6fe20 77c58678 00091648 00e6fe38 000b4808 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
08 00e6ff84 77c58792 00e6ffac 77c5872d 00091610 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
09 00e6ff8c 77c5872d 00091610 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
0a 00e6ffac 77c4b110 00084418 00e6ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
0b 00e6ffb8 7c824829 000afca0 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
0c 00e6ffec 00000000 77c4b0f5 000afca0 00000000 kernel32!BaseThreadStart+0x34
!peb->'C:\WINDOWS\system32\svchost.exe -k rpcss'
F11 跟踪 发现最终调用 rpcss!SCMActivatorCreateInstance
00 00e6f8c8 77c50193 000a91a0 000b17e0 000b1800 rpcss!SCMActivatorCreateInstance+0x50
ISCMActivator is an ORPC interface implemented by the COM SCM to handle remote activation requests (CoCreateInstance(), CoGetClassObject() ...) :
00 00d4f4d0 4a2d5a16 4a2c3068 4a2d4282 00d4f4f4 RPCRT4!NdrClientCall2
01 00d4f4ec 4a2d59ca 0009b320 9c38ed61 4728d565 rpcss!LaunchActivatorServer+0x25
02 00d4f5a4 4a2d5ffb 000b8838 000c2b70 000003aa rpcss!CClsidData::LaunchActivatorServer+0xbe
03 00d4f610 4a2d52a1 00d4f7d8 000a7400 00d4f63c rpcss!CServerTableEntry::StartServerAndWait+0x3e9
04 00d4f670 4a2cd500 00d4f7d8 00000000 000c263c rpcss!Activation+0x686
05 00d4f6cc 4a2d1f00 000c263c 00d4f7bc 00d4f71c rpcss!ActivateFromProperties+0x213
06 00d4f6dc 4a2d1fb9 4a3118d0 00000000 000c263c rpcss!CScmActivator::CreateInstance+0x10
07 00d4f71c 4a2cf731 000c263c 00000000 00d4f7bc rpcss!ActivationPropertiesIn::DelegateCreateInstance+0xf7
08 00d4f764 4a2cf385 000c263c 00d4f7bc 00000000 rpcss!ActivateFromPropertiesPreamble+0x557
09 00d4f7ac 4a2d20cd 00000002 000c1a84 00000000 rpcss!PerformScmStage+0xbb
0a 00d4f8c8 77c50193 000b7850 000c1a20 000c1a40 rpcss!SCMActivatorCreateInstance+0xdd
0b 00d4f8f8 77cb33e1 4a2d202c 00d4fae0 00000007 RPCRT4!Invoke+0x30
0c 00d4fcf8 77cb35c4 00000000 00000000 000b797c RPCRT4!NdrStubCall2+0x299
0d 00d4fd14 77c4ff7a 000b797c 0009bb20 000b797c RPCRT4!NdrServerCall2+0x19
0e 00d4fd48 77c5042d 4a2c218d 000b797c 00d4fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0f 00d4fd9c 77c50353 00000004 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
10 00d4fdc0 77c511dc 000b797c 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
11 00d4fdfc 77c512f0 000b0958 00091600 00091470 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
12 00d4fe20 77c58678 00091638 00d4fe38 000b0958 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
13 00d4ff84 77c58792 00d4ffac 77c5872d 00091600 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
14 00d4ff8c 77c5872d 00091600 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
15 00d4ffac 77c4b110 00084418 00d4ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
16 00d4ffb8 7c824829 000953e8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
17 00d4ffec 00000000 77c4b0f5 000953e8 00000000 kernel32!BaseThreadStart+0x34
kd> db poi(poi(esp+4))
4a2c30b8 44 00 00 00 ae 99 86 9b-44 0e b1 47 8e 7f 86 a4 D.......D..G....
4a2c30c8 61 d7 ec dc 00 00 00 00-04 5d 88 8a eb 1c c9 11 a........]......
GUID正是欲跟踪的 9b8699ae-0e44-47b1-8e7f-86a461d7ecdc
发送RPC调用加载exe
00 f82a2d38 808234cb 00d4f1f8 001f0fff 00d4f060 nt!NtCreateProcessEx
01 f82a2d38 7c9585ec 00d4f1f8 001f0fff 00d4f060 nt!KiFastCallEntry+0xf8
02 00d4ee30 7c956e9b 7c82cf95 00d4f1f8 001f0fff ntdll!KiFastSystemCallRet
03 00d4ee34 7c82cf95 00d4f1f8 001f0fff 00d4f060 ntdll!NtCreateProcessEx+0xc
04 00d4f658 77f3c670 00000178 00000000 000986c8 kernel32!CreateProcessInternalW+0x15e5
05 00d4f6a4 4a2d5da0 00000178 00000000 000986c8 ADVAPI32!CreateProcessAsUserW+0x108
06 00d4f7f8 4a2d5aeb 000972f8 000976bc 000003aa rpcss!CClsidData::PrivilegedLaunchActivatorServer+0x393
07 00d4f888 77c50193 00086110 9c38ed61 4728d565 rpcss!_LaunchActivatorServer+0xed
08 00d4f8f8 77cb33e1 4a2d5a30 00d4fae0 00000017 RPCRT4!Invoke+0x30
09 00d4fcf8 77cb35c4 00000000 00000000 0008623c RPCRT4!NdrStubCall2+0x299
0a 00d4fd14 77c4ff7a 0008623c 00093c68 0008623c RPCRT4!NdrServerCall2+0x19
0b 00d4fd48 77c5042d 4a2c218d 0008623c 00d4fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0c 00d4fd9c 77c50353 00000000 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
0d 00d4fdc0 77c511dc 0008623c 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
0e 00d4fdfc 77c512f0 00085fd0 00091848 0008f2c0 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
0f 00d4fe20 77c58678 00091880 00d4fe38 00085fd0 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
10 00d4ff84 77c58792 00d4ffac 77c5872d 00091848 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
11 00d4ff8c 77c5872d 00091848 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
12 00d4ffac 77c4b110 00084428 00d4ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
13 00d4ffb8 7c824829 00093ba8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
14 00d4ffec 00000000 77c4b0f5 00093ba8 00000000 kernel32!BaseThreadStart+0x34
2 e 8091de5f 0001 (0001) nt!NtCreateProcessEx*转载请注明来自看雪论坛@PEdiy.com
作 者: boywhp
时 间: 2013-05-25,21:43:48
链 接: http://bbs.pediy.com/showthread.php?t=172274
调试日记比较乱,各位直接看我画的最终图吧!
vdsldr.exe 启动过程调试跟踪【懒得整理了,抱歉】:
命中堆栈如下:
00 f821ed38 808234cb 002ef1f8 001f0fff 002ef060 nt!NtCreateProcessEx
01 f821ed38 7c9585ec 002ef1f8 001f0fff 002ef060 nt!KiFastCallEntry+0xf8
02 002eee30 7c956e9b 7c82cf95 002ef1f8 001f0fff ntdll!KiFastSystemCallRet
03 002eee34 7c82cf95 002ef1f8 001f0fff 002ef060 ntdll!NtCreateProcessEx+0xc
04 002ef658 77f3c670 0000018c 00000000 000986c8 kernel32!CreateProcessInternalW+0x15e5
05 002ef6a4 4a2d5da0 0000018c 00000000 000986c8 ADVAPI32!CreateProcessAsUserW+0x108
06 002ef7f8 4a2d5aeb 000972f8 000976bc 000003aa rpcss!CClsidData::PrivilegedLaunchActivatorServer+0x393
07 002ef888 77c50193 00086110 9c38ed61 4728d565 rpcss!_LaunchActivatorServer+0xed
08 002ef8f8 77cb33e1 4a2d5a30 002efae0 00000017 RPCRT4!Invoke+0x30
09 002efcf8 77cb35c4 00000000 00000000 0008623c RPCRT4!NdrStubCall2+0x299
0a 002efd14 77c4ff7a 0008623c 00093c68 0008623c RPCRT4!NdrServerCall2+0x19
0b 002efd48 77c5042d 4a2c218d 0008623c 002efdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0c 002efd9c 77c50353 00000000 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
0d 002efdc0 77c511dc 0008623c 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
0e 002efdfc 77c512f0 00085fd0 00091848 00094138 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
0f 002efe20 77c58678 00091880 002efe38 00085fd0 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
10 002eff84 77c58792 002effac 77c5872d 00091848 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
11 002eff8c 77c5872d 00091848 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
12 002effac 77c4b110 00084428 002effec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
13 002effb8 7c824829 00086980 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
14 002effec 00000000 77c4b0f5 00086980 00000000 kernel32!BaseThreadStart+0x34
IDA 获取对应RPC接口标识如下:
guid -> AE 99 86 9B 44 0E B1 47 8E 7F 86 A4 61 D7 EC DC <----!!!!!唯一接口GUID
-> 04 5D 88 8A EB 1C C9 11 9F E8 08 00 2B 10 48 60 --- Transfer RPC通用
http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_iactivationkernel.html
9b8699ae-0e44-47b1-8e7f-86a461d7ecdc v0.0: IActivationKernel
0x00 LaunchActivatorServer <---------------------------
0x01 LaunchRunAsServer
0x02 LaunchService
0x03 CertifyServerIdentity
0x04 PrivRunAsSetWinstaDesktop
0x05 PrivRunAsRelease
0x06 PrivRunAsInvalidateAndRelease
0x07 PrivTranslateShareName
0x08 FlushCache
0x09 IsPortOpen
0x0a SignalPnpNotification
!peb
WindowTitle: 'C:\WINDOWS\system32\svchost.exe'
ImageFile: 'C:\WINDOWS\system32\svchost.exe'
CommandLine: 'C:\WINDOWS\system32\svchost.exe -k DcomLaunch'
bp RPCRT4!NdrClientCall2 "j poi(poi(poi(esp+4))+4) = 0x9b8699ae'';'gc'"
命中如下:
00 00d4f4d0 4a2d5a16 4a2c3068 4a2d4282 00d4f4f4 RPCRT4!NdrClientCall2
01 00d4f4ec 4a2d59ca 0009b320 9c38ed61 4728d565 rpcss!LaunchActivatorServer+0x25
02 00d4f5a4 4a2d5ffb 000b0e88 000b5520 000003aa rpcss!CClsidData::LaunchActivatorServer+0xbe
03 00d4f610 4a2d52a1 00d4f7d8 000a75d8 00d4f63c rpcss!CServerTableEntry::StartServerAndWait+0x3e9
04 00d4f670 4a2cd500 00d4f7d8 00000000 000b8014 rpcss!Activation+0x686
05 00d4f6cc 4a2d1f00 000b8014 00d4f7bc 00d4f71c rpcss!ActivateFromProperties+0x213
06 00d4f6dc 4a2d1fb9 4a3118d0 00000000 000b8014 rpcss!CScmActivator::CreateInstance+0x10
07 00d4f71c 4a2cf731 000b8014 00000000 00d4f7bc rpcss!ActivationPropertiesIn::DelegateCreateInstance+0xf7
08 00d4f764 4a2cf385 000b8014 00d4f7bc 00000000 rpcss!ActivateFromPropertiesPreamble+0x557
09 00d4f7ac 4a2d20cd 00000002 000b8cc4 00000000 rpcss!PerformScmStage+0xbb
0a 00d4f8c8 77c50193 000b7850 000b8c60 000b8c80 rpcss!SCMActivatorCreateInstance+0xdd
0b 00d4f8f8 77cb33e1 4a2d202c 00d4fae0 00000007 RPCRT4!Invoke+0x30
0c 00d4fcf8 77cb35c4 00000000 00000000 000b797c RPCRT4!NdrStubCall2+0x299
0d 00d4fd14 77c4ff7a 000b797c 0009bb20 000b797c RPCRT4!NdrServerCall2+0x19
0e 00d4fd48 77c5042d 4a2c218d 000b797c 00d4fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0f 00d4fd9c 77c50353 00000004 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
10 00d4fdc0 77c511dc 000b797c 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
11 00d4fdfc 77c512f0 000b0958 00091600 00091470 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
12 00d4fe20 77c58678 00091638 00d4fe38 000b0958 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
13 00d4ff84 77c58792 00d4ffac 77c5872d 00091600 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
14 00d4ff8c 77c5872d 00091600 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
15 00d4ffac 77c4b110 00084418 00d4ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
16 00d4ffb8 7c824829 000953e8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
17 00d4ffec 00000000 77c4b0f5 000953e8 00000000 kernel32!BaseThreadStart+0x34
kd> db poi(poi(esp+4))
4a2c30b8 44 00 00 00 ae 99 86 9b-44 0e b1 47 8e 7f 86 a4 D.......D..G....
4a2c30c8 61 d7 ec dc 00 00 00 00-04 5d 88 8a eb 1c c9 11 a........]......
我们继续看rpcss!SCMActivatorCreateInstance这个函数,IDA
4A2C3480 dword_4A2C3480 dd 44h, 136h, 0 ; DATA XREF: .text:off_4A2C3430o
.text:4A2C3480 ; .data:_ISCMActivator_ServerIfHandleo
.text:4A2C348C dd 0C0h, 46000000h, 0
.text:4A2C3498 dd 8A885D04h, 11C91CEBh, 8E89Fh, 6048102Bh, 2
.text:4A2C34AC dd offset _ISCMActivator_DispatchTable
.text:4A2C34B0 dd 3 dup(0)
.text:4A2C34BC dd offset off_4A2C34C4
.text:4A2C34C0 dd 4000000h
.text:4A2C34C4 off_4A2C34C4 dd offset off_4A2C3430 ; DATA XREF: .text:4A2C34BCo
.text:4A2C34C8 dd offset off_4A2C34E8
.text:4A2C34CC dd offset word_4A2C3502
.text:4A2C34D0 dd offset dword_4A2C3638
.text:4A2C34D4 dd 5 dup(0)
.text:4A2C34E8 off_4A2C34E8 dd offset _DummyAddRefISCMActivator@20
.text:4A2C34E8 ; DATA XREF: .text:4A2C34C8o
.text:4A2C34E8 ; DummyAddRefISCMActivator(x,x,x,x,x)
.text:4A2C34EC dd offset _DummyAddRefISCMActivator@20 ; DummyAddRefISCMActivator(x,x,x,x,x)
.text:4A2C34F0 dd offset _DummyAddRefISCMActivator@20 ; DummyAddRefISCMActivator(x,x,x,x,x)
.text:4A2C34F4 dd offset _SCMActivatorGetClassObject@24 ; SCMActivatorGetClassObject(x,x,x,x,x,x)
.text:4A2C34F8 dd offset _SCMActivatorCreateInstance@28 <-----------------
对应GUID为:36 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46
00000136-0000-0000-c000-000000000046 v0.0: ISCMActivator
0x00 QueryInterfaceSCMActivator
0x01 AddRefISCMActivator
0x02 ReleaseISCMActivator
0x03 SCMActivatorGetClassObject
0x04 SCMActivatorCreateInstance <--------------------
GUID IID_ISCMLocalActivator
运行mmc后,下客户端RPC调用断点RPCRT4!NdrClientCall2
PROCESS ffa69348 SessionId: 0 Cid: 0a2c Peb: 7ffdc000 ParentCid: 0674
DirBase: 04f89000 ObjectTable: e10e6598 HandleCount: 251.
Image: mmc.exe
0 e 77cb2fb2 0001 (0001) RPCRT4!NdrClientCall2 "j poi(@$teb+20) = 0xa2c'';'gc'"
1 e 7c802474 0001 (0001) kernel32!CreateProcessW
依次命中如下:
00 0222f10c 774f0f0d 774b2118 774b1dac 0222f12c RPCRT4!NdrClientCall2
01 0222f124 774f0ec4 000b9470 000b95d8 0222f19c ole32!ServerAllocateOXIDAndOIDs+0x1c
02 0222f178 774f0e16 0222f1a4 0222f19c 0222f354 ole32!CRpcResolver::ServerRegisterOXID+0x7d
03 0222f1d0 774f0dd4 0222f354 0222f20c 000bb490 ole32!OXIDEntry::RegisterOXIDAndOIDs+0x38
04 0222f1e8 774f0489 0222f354 0222f20c 00000000 ole32!OXIDEntry::AllocOIDs+0x18
05 0222f358 774f0bd3 775d487c 000fd5c8 00000000 ole32!CComApartment::CallTheResolver+0x6b
06 0222f390 774f0c5b 775d68b8 00000000 775cc28e ole32!CComApartment::InitRemoting+0x1d9
07 0222f39c 775cc28e 0222f850 000fd5c8 0222f40c ole32!CComApartment::StartServer+0x13
08 0222f3ac 774f4ab5 775d68b8 0222f850 774f8743 ole32!InitChannelIfNecessary+0x1e
09 0222f3b8 774f8743 00000000 0222f850 775d487c ole32!CRpcResolver::BindToSCMProxy+0xb
0a 0222f40c 774f8709 0222f850 0222fd98 00450045 ole32!CRpcResolver::CreateInstance+0x23
0b 0222f658 774eaf7e 775d487c 00000000 00000000 ole32!CClientContextActivator::CreateInstance+0xfa
0c 0222f698 774eb10f 0222f850 00000000 0222fd98 ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
0d 0222fe4c 774e679a 7299aed0 00000000 00000014 ole32!ICoCreateInstanceEx+0x3f8
0e 0222fe80 774e6762 7299aed0 00000000 00000000 ole32!CComActivator::DoCreateInstance+0x6a
0f 0222fea4 774e6963 7299aed0 00000000 00000014 ole32!CoCreateInstanceEx+0x23
10 0222fed4 7299ace7 7299aed0 00000000 00000014 ole32!CoCreateInstance+0x3c
WARNING: Frame IP not in any known module. Following frames may be wrong.
11 0222ff84 77b9b530 0007d414 00000000 00000000 0x7299ace7
12 0222ffb8 7c824829 0003c7a0 00000000 00000000 msvcrt!_endthreadex+0xa3
13 0222ffec 00000000 77b9b4bc 0003c7a0 00000000 kernel32!BaseThreadStart+0x34
kd> db poi(poi(esp+4))
774b2168 44 00 00 00 e6 73 0c e6-f9 88 cf 11 9a f1 00 20 D....s......... GUID -> e6 73 xxxx
774b2178 af 6e 72 f4 02 00 00 00-04 5d 88 8a eb 1c c9 11 .nr......]......
774b2188 9f e8 08 00 2b 10 48 60-02 00 00 00 00 00 00 00 ....+.H`........
774b2198 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
774b21a8 00 00 00 00 00 00 00 00-e9 df 4d 77 67 3c 57 77 ..........Mwg<Ww
IDA发现 ole32对应的 e60c73e6-88f9-11cf-9af1-0020af6e72f4 gg得到如下信息:
http://www.hsc.fr/ressources/articles/win_net_srv/rpcss_dcom_interfaces.html
调用参数为:
NdrClientCall2(&pStubDescriptor, &byte_774B1DAC, &a1);
byte_774B1DAC-> 00 68 00 00 00 00 04 00 34 00 32 00 00 00 34 00 执行RPC 0x4函数调用
Interface Operation number Operation name
e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0: ILocalObjectExporter
0x00 Connect
0x01 AllocateReservedIds
0x02 BulkUpdateOIDs
0x03 ClientResolveOXID
0x04 ServerAllocateOXIDandOIDs <--------------------
0x05 ServerAllocateOIDs
0x06 ServerFreeOXIDAndOIDs
0x07 Disconnect
最终调用rpcss._ServerAllocateOXIDAndOIDs函数!
00 0222f378 77cb25a6 774b62b8 774b953e 0222f3b0 RPCRT4!NdrClientCall2
01 0222f398 77c34f87 00000014 00000004 0222f40c RPCRT4!ObjectStublessClient+0x8b
02 0222f3a8 774f885b 0010769c 00000000 0222f850 RPCRT4!ObjectStubless+0xf
03 0222f40c 774f8709 0222f850 0222fd98 00450045 ole32!CRpcResolver::CreateInstance+0x14e
04 0222f658 774eaf7e 775d487c 00000000 00000000 ole32!CClientContextActivator::CreateInstance+0xfa
05 0222f698 774eb10f 0222f850 00000000 0222fd98 ole32!ActivationPropertiesIn::DelegateCreateInstance+0xf7
06 0222fe4c 774e679a 7299aed0 00000000 00000014 ole32!ICoCreateInstanceEx+0x3f8
07 0222fe80 774e6762 7299aed0 00000000 00000000 ole32!CComActivator::DoCreateInstance+0x6a
08 0222fea4 774e6963 7299aed0 00000000 00000014 ole32!CoCreateInstanceEx+0x23
09 0222fed4 7299ace7 7299aed0 00000000 00000014 ole32!CoCreateInstance+0x3c
0a 0222ff18 7d263767 00000000 00f26068 0003c848 dmdskmgr!CServerRequests::InitInstance+0x5f
WARNING: Stack unwind information not available. Following frames may be wrong.
0b 0222ff84 77b9b530 0007d414 00000000 00000000 MFC42u!Ordinal1181+0x167
0c 0222ffb8 7c824829 0003c848 00000000 00000000 msvcrt!_endthreadex+0xa3
0d 0222ffec 00000000 77b9b4bc 0003c848 00000000 kernel32!BaseThreadStart+0x34
IDA dmdskmgr!CServerRequests::InitInstance
CoCreateInstance(&CLSID_VdsLoader, 0, 0x14u, &IID_IVdsServiceLoader, &pProxy) 创建com接口
typedef enum tagCLSCTX {
CLSCTX_INPROC_SERVER = 0x1,
CLSCTX_INPROC_HANDLER = 0x2,
CLSCTX_LOCAL_SERVER = 0x4,
CLSCTX_REMOTE_SERVER = 0x10
} CLSCTX;
CLSID_VdsLoader -> 61 ED 38 9C 65 D5 28 47 AE EE C8 09 52 F0 EC DE 9c38ed61-d565-4728-aeee-c80952f0ecde
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9C38ED61-D565-4728-AEEE-C80952F0ECDE}
%SystemRoot%\System32\vdsldr.exe
IID_IVdsServiceLoader-> 03 33 39 E0 D4 90 97 4A AB 71 E9 B6 71 EE 27 29 e0393303-90d4-4a97-ab71-e9b671ee2729
->
对应dll为:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E0393303-90D4-4A97-AB71-E9B671EE2729}
%SystemRoot%\System32\vds_ps.dll
0E0393303-90D4-4A97-
bp RPCRT4!Invoke 对应的RPC服务函数为:
00 00e6f8f8 77cb33e1 4a2d202c 00e6fae0 00000007 RPCRT4!Invoke
01 00e6fcf8 77cb35c4 00000000 00000000 000a92cc RPCRT4!NdrStubCall2+0x299
02 00e6fd14 77c4ff7a 000a92cc 0009aa00 000a92cc RPCRT4!NdrServerCall2+0x19
03 00e6fd48 77c5042d 4a2c218d 000a92cc 00e6fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
04 00e6fd9c 77c50353 00000004 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
05 00e6fdc0 77c511dc 000a92cc 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
06 00e6fdfc 77c512f0 000b4808 00091610 000b03e8 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
07 00e6fe20 77c58678 00091648 00e6fe38 000b4808 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
08 00e6ff84 77c58792 00e6ffac 77c5872d 00091610 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
09 00e6ff8c 77c5872d 00091610 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
0a 00e6ffac 77c4b110 00084418 00e6ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
0b 00e6ffb8 7c824829 000afca0 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
0c 00e6ffec 00000000 77c4b0f5 000afca0 00000000 kernel32!BaseThreadStart+0x34
!peb->'C:\WINDOWS\system32\svchost.exe -k rpcss'
F11 跟踪 发现最终调用 rpcss!SCMActivatorCreateInstance
00 00e6f8c8 77c50193 000a91a0 000b17e0 000b1800 rpcss!SCMActivatorCreateInstance+0x50
ISCMActivator is an ORPC interface implemented by the COM SCM to handle remote activation requests (CoCreateInstance(), CoGetClassObject() ...) :
00 00d4f4d0 4a2d5a16 4a2c3068 4a2d4282 00d4f4f4 RPCRT4!NdrClientCall2
01 00d4f4ec 4a2d59ca 0009b320 9c38ed61 4728d565 rpcss!LaunchActivatorServer+0x25
02 00d4f5a4 4a2d5ffb 000b8838 000c2b70 000003aa rpcss!CClsidData::LaunchActivatorServer+0xbe
03 00d4f610 4a2d52a1 00d4f7d8 000a7400 00d4f63c rpcss!CServerTableEntry::StartServerAndWait+0x3e9
04 00d4f670 4a2cd500 00d4f7d8 00000000 000c263c rpcss!Activation+0x686
05 00d4f6cc 4a2d1f00 000c263c 00d4f7bc 00d4f71c rpcss!ActivateFromProperties+0x213
06 00d4f6dc 4a2d1fb9 4a3118d0 00000000 000c263c rpcss!CScmActivator::CreateInstance+0x10
07 00d4f71c 4a2cf731 000c263c 00000000 00d4f7bc rpcss!ActivationPropertiesIn::DelegateCreateInstance+0xf7
08 00d4f764 4a2cf385 000c263c 00d4f7bc 00000000 rpcss!ActivateFromPropertiesPreamble+0x557
09 00d4f7ac 4a2d20cd 00000002 000c1a84 00000000 rpcss!PerformScmStage+0xbb
0a 00d4f8c8 77c50193 000b7850 000c1a20 000c1a40 rpcss!SCMActivatorCreateInstance+0xdd
0b 00d4f8f8 77cb33e1 4a2d202c 00d4fae0 00000007 RPCRT4!Invoke+0x30
0c 00d4fcf8 77cb35c4 00000000 00000000 000b797c RPCRT4!NdrStubCall2+0x299
0d 00d4fd14 77c4ff7a 000b797c 0009bb20 000b797c RPCRT4!NdrServerCall2+0x19
0e 00d4fd48 77c5042d 4a2c218d 000b797c 00d4fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0f 00d4fd9c 77c50353 00000004 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
10 00d4fdc0 77c511dc 000b797c 00000000 4a3113f4 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
11 00d4fdfc 77c512f0 000b0958 00091600 00091470 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
12 00d4fe20 77c58678 00091638 00d4fe38 000b0958 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
13 00d4ff84 77c58792 00d4ffac 77c5872d 00091600 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
14 00d4ff8c 77c5872d 00091600 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
15 00d4ffac 77c4b110 00084418 00d4ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
16 00d4ffb8 7c824829 000953e8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
17 00d4ffec 00000000 77c4b0f5 000953e8 00000000 kernel32!BaseThreadStart+0x34
kd> db poi(poi(esp+4))
4a2c30b8 44 00 00 00 ae 99 86 9b-44 0e b1 47 8e 7f 86 a4 D.......D..G....
4a2c30c8 61 d7 ec dc 00 00 00 00-04 5d 88 8a eb 1c c9 11 a........]......
GUID正是欲跟踪的 9b8699ae-0e44-47b1-8e7f-86a461d7ecdc
发送RPC调用加载exe
00 f82a2d38 808234cb 00d4f1f8 001f0fff 00d4f060 nt!NtCreateProcessEx
01 f82a2d38 7c9585ec 00d4f1f8 001f0fff 00d4f060 nt!KiFastCallEntry+0xf8
02 00d4ee30 7c956e9b 7c82cf95 00d4f1f8 001f0fff ntdll!KiFastSystemCallRet
03 00d4ee34 7c82cf95 00d4f1f8 001f0fff 00d4f060 ntdll!NtCreateProcessEx+0xc
04 00d4f658 77f3c670 00000178 00000000 000986c8 kernel32!CreateProcessInternalW+0x15e5
05 00d4f6a4 4a2d5da0 00000178 00000000 000986c8 ADVAPI32!CreateProcessAsUserW+0x108
06 00d4f7f8 4a2d5aeb 000972f8 000976bc 000003aa rpcss!CClsidData::PrivilegedLaunchActivatorServer+0x393
07 00d4f888 77c50193 00086110 9c38ed61 4728d565 rpcss!_LaunchActivatorServer+0xed
08 00d4f8f8 77cb33e1 4a2d5a30 00d4fae0 00000017 RPCRT4!Invoke+0x30
09 00d4fcf8 77cb35c4 00000000 00000000 0008623c RPCRT4!NdrStubCall2+0x299
0a 00d4fd14 77c4ff7a 0008623c 00093c68 0008623c RPCRT4!NdrServerCall2+0x19
0b 00d4fd48 77c5042d 4a2c218d 0008623c 00d4fdec RPCRT4!DispatchToStubInCNoAvrf+0x38
0c 00d4fd9c 77c50353 00000000 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x11f
0d 00d4fdc0 77c511dc 0008623c 00000000 4a3115b0 RPCRT4!RPC_INTERFACE::DispatchToStub+0xa3
0e 00d4fdfc 77c512f0 00085fd0 00091848 0008f2c0 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x42c
0f 00d4fe20 77c58678 00091880 00d4fe38 00085fd0 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x127
10 00d4ff84 77c58792 00d4ffac 77c5872d 00091848 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x430
11 00d4ff8c 77c5872d 00091848 00000000 00000000 RPCRT4!RecvLotsaCallsWrapper+0xd
12 00d4ffac 77c4b110 00084428 00d4ffec 7c824829 RPCRT4!BaseCachedThreadRoutine+0x9d
13 00d4ffb8 7c824829 00093ba8 00000000 00000000 RPCRT4!ThreadStartRoutine+0x1b
14 00d4ffec 00000000 77c4b0f5 00093ba8 00000000 kernel32!BaseThreadStart+0x34
2 e 8091de5f 0001 (0001) nt!NtCreateProcessEx*转载请注明来自看雪论坛@PEdiy.com
506
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
