解读 AcquireTxnFunctions


解读 AcquireTxnFunctions


返回两个函数的地址:
g_pfnGetCurrentTransaction
g_pfnSetCurrentTransaction
和这些地址是否存在的标志:
g_fTxnFunctionsAcquired

在 TxCaptureAndRelease::Set 中调用。

这两个函数来自 ntdll.dll,是干什么的呢?
RtlGetCurrentTransaction
RtlSetCurrentTransaction

//----- (100E4267) --------------------------------------------------------
// Hex-Rays pseudocode (32-bit build). One-time lookup of RtlSetCurrentTransaction and
// RtlGetCurrentTransaction in ntdll.dll; the results are cached in the file-local globals
// g_pfnSetCurrentTransaction / g_pfnGetCurrentTransaction and copied out to the caller.
//
//   a1  receives the cached RtlSetCurrentTransaction pointer (0 when nothing is cached)
//   a2  receives the cached RtlGetCurrentTransaction pointer (0 when nothing is cached)
//   returns 0 on success, otherwise the failing NTSTATUS (typed void * by the decompiler)
//
// A return of 0 does not imply non-null outputs: a missing export is tolerated below and
// g_fTxnFunctionsAcquired is still set, so the flag means "lookup has been attempted",
// not "both functions exist". Callers have to test the returned pointers themselves.
// No lock is visible around the one-time lookup; concurrent first callers would each
// repeat it and store the same values (presumably a deliberate benign race - confirm).
void *__fastcall `anonymous namespace'::AcquireTxnFunctions(_DWORD *a1, _DWORD *a2)
{
  _DWORD *v2; // ebx@1  saved copy of a1
  const char *v3; // edi@1  failing-expression text for the error report
  bool v4; // zf@1  true when the lookup has not run yet
  void *v5; // esi@2  last NTSTATUS, also the error return value
  signed int v6; // eax@3  number stored in the error record (presumably a source line)
  NTSTATUS v7; // eax@4
  NTSTATUS v8; // eax@7
  _DWORD *v10; // ecx@15
  char v11; // [sp+Ch] [bp-28h]@14  dummy stack byte targeted by _InterlockedOr
  _DWORD *v12; // [sp+10h] [bp-24h]@1  saved copy of a2
  // v13..v16 are adjacent stack slots and are passed as one record via &v13.
  const char *v13; // [sp+14h] [bp-20h]@10  source file path
  const char *v14; // [sp+18h] [bp-1Ch]@10  function name
  int v15; // [sp+1Ch] [bp-18h]@10  value of v6
  const char *v16; // [sp+20h] [bp-14h]@10  value of v3
  PVOID ProcedureAddress; // [sp+24h] [bp-10h]@4  RtlSetCurrentTransaction result
  PVOID v18; // [sp+28h] [bp-Ch]@7  RtlGetCurrentTransaction result
  PVOID ModuleImageBase; // [sp+2Ch] [bp-8h]@2  ntdll handle; slot reused for the status at LABEL_10

  v2 = a1;
  v3 = 0;
  v12 = a2;
  v4 = `anonymous namespace'::g_fTxnFunctionsAcquired == 0;
  // Outputs are cleared up front, so every error return leaves them 0.
  *a1 = 0;
  *a2 = 0;
  if ( v4 )
  {
    // LdrGetDllHandle looks a module up by name among those already loaded in the process;
    // it does not load one, so no DLL search path is involved in this step.
    v5 = (void *)LdrGetDllHandle(0, 0, &g_UNICODE_STRING_ntdll_dot_dll, &ModuleImageBase);
    if ( (signed int)v5 < 0 )
    {
      v6 = 258;
      v3 = "LdrGetDllHandle( 0, 0, &g_UNICODE_STRING_ntdll_dot_dll, &Ntdll)";
LABEL_10:
      // Shared error exit: fill the origination record (file, function, number, expression),
      // report it together with the status, and return the status.
      ModuleImageBase = v5;
      v15 = v6;
      v13 = "base\\wcp\\sil\\merged\\ntu\\ntsystem.cpp";
      v14 = "`anonymous-namespace'::AcquireTxnFunctions";
      v16 = v3;
      Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::ReportErrorOrigination(
        (int *)&ModuleImageBase,
        (int)&v13);
      return v5;
    }
    v7 = LdrGetProcedureAddress(ModuleImageBase, &g_ANSI_STRING_RtlSetCurrentTransaction, 0, &ProcedureAddress);
    v5 = (void *)v7;
    // -1073741511 == 0xC0000139 (STATUS_ENTRYPOINT_NOT_FOUND): a missing export is not an
    // error here; any other failure is reported. v3 is still 0 on this path as decompiled.
    if ( v7 < 0 && v7 != -1073741511 )
    {
      v6 = 267;
      goto LABEL_10;
    }
    v8 = LdrGetProcedureAddress(ModuleImageBase, &g_ANSI_STRING_RtlGetCurrentTransaction, 0, &v18);
    v5 = (void *)v8;
    // Same tolerance for STATUS_ENTRYPOINT_NOT_FOUND as above.
    if ( v8 < 0 && v8 != -1073741511 )
    {
      v6 = 276;
      goto LABEL_10;
    }
    // The globals are written only when BOTH lookups produced a pointer; otherwise they
    // keep their previous value (presumably 0 - their initialisers are not shown).
    if ( ProcedureAddress )
    {
      if ( v18 )
      {
        `anonymous namespace'::g_pfnSetCurrentTransaction = (int)ProcedureAddress;
        `anonymous namespace'::g_pfnGetCurrentTransaction = (int)v18;
      }
    }
    // Interlocked OR of 0 into a dummy stack byte changes no data; NOTE(review): it looks
    // like a full memory barrier placed between the pointer stores and the flag store -
    // confirm against the disassembly.
    _InterlockedOr((volatile signed __int32 *)&v11, 0);
    `anonymous namespace'::g_fTxnFunctionsAcquired = 1;
  }
  // Same no-op interlocked operation, here between the flag read and the pointer reads.
  _InterlockedOr((volatile signed __int32 *)&v11, 0);
  v10 = v12;
  *v2 = `anonymous namespace'::g_pfnSetCurrentTransaction;
  *v10 = `anonymous namespace'::g_pfnGetCurrentTransaction;
  return 0;
}
// 1003E94C: using guessed type int g_UNICODE_STRING_ntdll_dot_dll;
// 1027D608: using guessed type int `anonymous namespace'::g_pfnGetCurrentTransaction;
// 1027D60C: using guessed type int `anonymous namespace'::g_pfnSetCurrentTransaction;
// 1027FB8C: using guessed type char `anonymous namespace'::g_fTxnFunctionsAcquired;



//----- (0000000180071EE0) ----------------------------------------------------
// Hex-Rays pseudocode (64-bit build; the AcquireTxnFunctions listing above it on this page
// is from a 32-bit build). Makes the value stored at this+0 the current transaction by
// calling the cached RtlSetCurrentTransaction pointer, after checking through the cached
// RtlGetCurrentTransaction pointer that no other transaction is current.
//
// Object layout as used here (offsets read from the casts below):
//   this+0   QWORD  value passed to the Set function (presumably the transaction handle)
//   this+8   BYTE   "already set" flag
//   this+16  QWORD  slot passed as a1 to AcquireTxnFunctions (Set pointer, going by the
//                   32-bit listing's parameter order - confirm for this build)
//   this+24  QWORD  slot passed as a2 to AcquireTxnFunctions (Get pointer, same caveat)
//
// Returns the status left in v8 by SetCanonicalSuccess, or the failing status from
// AcquireTxnFunctions.
__int64 __fastcall TxCaptureAndRelease::Set(TxCaptureAndRelease *this)
{
  bool v1; // zf@1  true when the "already set" flag is clear
  TxCaptureAndRelease *v2; // rdi@1
  char *v3; // rbx@3  address of the slot at this+24
  __int64 result; // rax@4
  int (*v5)(void); // rbx@5  pointer read from this+24
  __int64 v6; // rax@5  value returned by v5
  int (__fastcall *v7)(_QWORD); // rbx@6  pointer read from this+16
  unsigned int v8; // [sp+20h] [bp-18h]@1

  v1 = *((_BYTE *)this + 8) == 0;
  v2 = this;
  // -1073741595 == 0xC00000E5 (STATUS_INTERNAL_ERROR): initial value, replaced at LABEL_8.
  v8 = -1073741595;
  // Nothing to do when the flag is already set or this+0 is 0: go straight to success.
  if ( !v1 || !*(_QWORD *)this )
    goto LABEL_8;
  v3 = (char *)this + 24;
  // Resolve the function pointers only when the slot at this+24 is still empty.
  if ( *((_QWORD *)this + 3)
    || (result = `anonymous namespace'::AcquireTxnFunctions((_QWORD *)this + 2, v3), (signed int)result >= 0) )
  {
    v5 = *(int (**)(void))v3;
    // _guard_check_icall_fptr is the Control Flow Guard check: the target is validated
    // before the indirect call through a pointer held in writable memory.
    // NOTE(review): no null test on v5 is visible; the 32-bit AcquireTxnFunctions listing
    // can return success with both outputs 0 when an export is missing - confirm in the
    // disassembly how that case is handled.
    _guard_check_icall_fptr(v5);
    // Only the low dword is assigned because the return type was guessed as int.
    LODWORD(v6) = v5();
    // True for every v6 except 0 and -1, i.e. some transaction is already current:
    // treated as a fatal condition (BreakIn + __debugbreak).
    if ( (unsigned __int64)(v6 - 1) <= 0xFFFFFFFFFFFFFFFDui64 )
    {
      Windows::ErrorHandling::CBaseFrame::BreakIn();
      __debugbreak();
    }
    else
    {
      v7 = (int (__fastcall *)(_QWORD))*((_QWORD *)v2 + 2);
      // CFG check again before the second indirect call.
      _guard_check_icall_fptr(*((_QWORD *)v2 + 2));
      // Non-zero return is treated as success: record it in the flag at this+8.
      if ( v7(*(_QWORD *)v2) )
      {
        *((_BYTE *)v2 + 8) = 1;
LABEL_8:
        Windows::ErrorHandling::COM::CBaseFrame<Windows::ErrorHandling::COM::CSimpleHResultCarryingFrame>::SetCanonicalSuccess(&v8);
        return v8;
      }
    }
    // Reached when the Set call returned 0 (and after the break-in branch as decompiled).
    // JUMPOUT marks control flow the decompiler could not follow; presumably BreakIn does
    // not return - confirm in the disassembly.
    Windows::ErrorHandling::CBaseFrame::BreakIn();
    JUMPOUT(*(_QWORD *)&byte_180071F8C);
  }
  // AcquireTxnFunctions failed: hand its status back unchanged.
  return result;
}

