解读 RtlGetSystem

最新推荐文章于 2022-08-14 12:51:19 发布

心想才事成

最新推荐文章于 2022-08-14 12:51:19 发布

阅读量562

点赞数

分类专栏： WCP 编程语言操作系统相关 COM 系统维护文章标签： windows 接口 WCP

本文链接：https://blog.csdn.net/hadstj/article/details/52833560

版权

系统维护同时被 3 个专栏收录

248 篇文章 0 订阅

订阅专栏

操作系统相关

179 篇文章 0 订阅

订阅专栏

WCP

86 篇文章 0 订阅

订阅专栏

解读 RtlGetSystem

a2 = 0 时，调用出错：
0x5D5D573E (wcp.dll)处(位于 CallWCP.exe 中)引发的异常: 0xC0000005: 
读取位置 0xCCCCCCCC 时发生访问冲突。

0x5D5D573E 的值：
Windows::Rtl::SystemImplementation::CreateFilesystemProviderStack(
unsigned long,
class Windows::Rtl::SystemImplementation::IRtlFileSystemProvider *,
struct Windows::Vector<struct Windows::Rtl::SYSTEM_LAYER> const &,
class Windows::Auto<class Windows::Rtl::SystemImplementation::IRtlFileSystemProvider *> *,bool *)

5D5D572C  jbe         Windows::Rtl::SystemImplementation::CreateFilesystemProviderStack+3F9h (5D5D5A54h)  
5D5D5732  mov         eax,ebx  
5D5D5734  mov         dword ptr [ebp-12Ch],ebx  
5D5D573A  mov         ecx,dword ptr [ecx]  
5D5D573C  add         ecx,eax  
5D5D573E  mov         eax,dword ptr [ecx]  

[ecx] 的值就是：0xCCCCCCCC，未定义。

把 a2 赋值 NULL，就可以了。

把 a3 设为一个地址：
UINT_PTR* pv = (UINT_PTR*)CoTaskMemAlloc(4);
pv = 0x00e25688
*pv = 0x00e340c8
*(LPVOID**)pv＝0x5c7542f4
const Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff>::`vftable'{for `Windows::Rtl::IRtlSystemIsolationLayer'}}

+0:
Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::CRtlInnerObjectTearoffImpl<class Windows::Rtl::SystemImplementation::CSystemIsolationLayer> >::Release(void)
+4:
Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::CRtlInnerObjectTearoffImpl<class Windows::Rtl::SystemImplementation::CSystemIsolationLayer> >::CreateInterface(
struct _GUID const &,
class Windows::Auto<struct Windows::Rtl::IRtlObject *> *)
+8:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenFilesystemDirectory(
unsigned long,
unsigned long,
struct _LUNICODE_STRING const &,
unsigned long,
unsigned long,
class Windows::Auto<struct Windows::Rtl::IRtlDirectory *> *,
unsigned long *)
+12 : Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenFilesystemFile(
unsigned long,
unsigned long,
struct _LUNICODE_STRING const &,
unsigned long,
unsigned long,
class Windows::Auto<struct Windows::Rtl::IRtlFile *> *,
unsigned long *)
+16:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::DeleteFilesystemFile(
unsigned long,
struct _LUNICODE_STRING const &,
unsigned long *)
+ 20:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenRegistryKey(
unsigned long,
unsigned long,
struct _LUNICODE_STRING const &,
class Windows::Auto<struct Windows::Rtl::IRtlKey *> *,
unsigned long *)
+24:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::TransferFile(
unsigned long,
unsigned long,
struct Windows::Rtl::IRtlDirectory *,
struct _LUNICODE_STRING const &,
struct Windows::Rtl::IRtlDirectory *,
struct _LUNICODE_STRING const &,
unsigned long *)

释放时，用了两种：
                  Windows::AutoPointerBase<Windows::Cdf::Rtl::IRtlCdfStringTableEnumerator *,Windows::Auto<Windows::Cdf::Rtl::IRtlCdfStringTableEnumerator *>>::Close(&v55);

    Windows::Auto<Windows::Rtl::IRtlSystemIsolationLayer *>::~Auto<Windows::Rtl::IRtlSystemIsolationLayer *>(&v148);

后面的这个类型可能更靠谱，因为在函数的定义中，就是这样类型转换的：
  v4 = (struct Windows::Rtl::SystemImplementation::IRtlFileSystemProvider *)a3;