解读 GetCurrentTransaction
每一个实现了接口的类，其对象 +0 处保存的是该接口虚函数表（vtable）的地址；
如果类实现了多个接口（或存在多重继承），对象的其他偏移处还会有另外的虚函数表指针。
能否这样一概而论，还要看更多的构造函数才能确定。
从 IRtlSystemIsolationLayer 中找一个最简单的函数GetCurrentTransaction,解读一下:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::GetCurrentTransaction
函数定义:
int __thiscall Windows::Rtl::SystemImplementation::CSystemIsolationLayer::GetCurrentTransaction(
Windows::Rtl::SystemImplementation::CSystemIsolationLayer *this,
void **a2)
具体内容:
// Load the sub-object stored at this + 7*sizeof(DWORD) (= +0x1C, 32-bit build);
// the listing below shows it is the transaction-coordinator tearoff.
v2 = *((_DWORD *)this + 7);
// Read the 4th virtual slot (+12 bytes into v2's vtable, 4-byte pointers).
v3 = *(int (__thiscall **)(int, void **))(*(_DWORD *)v2 + 12);
// Control Flow Guard: validate the indirect-call target before jumping through it.
// If the vtable pointer (or the slot) were corrupted, this check terminates the
// process instead of transferring control to an attacker-chosen address.
__guard_check_icall_fptr(*(_DWORD *)(*(_DWORD *)v2 + 12));
// Virtual call on the tearoff; a2 is the caller's out-parameter, passed straight through.
result = v3(v2, a2);
虚函数表 +12 处（32 位下即第 4 个槽位）对应的函数:
函数定义:
signed int __thiscall Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff::GetCurrentThreadTransaction(
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff *this,
void **a2)
具体内容:
// Clear the out-parameter up front so the caller sees NULL on any failure path.
*a2 = 0;
// The tearoff keeps a back-pointer to its owning CRtlTransactionCoordinator in the
// pointer-sized slot immediately before `this` (this - 1 in pointer units);
// dereference it and forward to the real implementation.
result = Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator::GetCurrentThreadTransaction(
*((Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator **)
this - 1),
a2);
GetCurrentThreadTransaction 函数:
这才是真正做事的核心函数：在协调器维护的链表中，按当前线程 ID 查找与该线程关联的事务。
函数的定义:
__int32 __thiscall
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator::GetCurrentThreadTransaction(
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *this,
void **a2)
具体内容:
v17 = a2;
// v2 is the result transaction; it stays 0 if no list entry belongs to this thread.
v2 = 0;
*a2 = 0;
v3 = this;
v16 = 0;
// fs:[0x18] is the TEB; per the public TEB layout +0x24 is ClientId.UniqueThread,
// i.e. v18 is the current thread id used as the lookup key.
v18 = *(_DWORD *)(__readfsdword(24) + 36);
// Lock grant over the critical section embedded at this+32.
v15 = (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)this + 32);
Windows::Rtl::CriticalSectionLockGrant::Acquire((Windows::Rtl::CriticalSectionLockGrant *)&v15);
// NOTE(review): v4 (and v7, v8, v11 below) are never assigned in this pseudocode — decompiler
// artifacts, presumably the NTSTATUS returned by Acquire/Release. Negative status means failure.
v5 = v4;
if ( v4 >= 0 )
goto LABEL_5;
// Error path: the odd loop shape below is how the decompiler rendered the raise path —
// release the lock, then re-raise a failed status via RtlRaiseStatus.
v6 = (Windows::Rtl::CriticalSectionLockGrant *)&v15;
while ( 1 )
{
Windows::Rtl::CriticalSectionLockGrant::Release(v6);
if ( v7 >= 0 )
return v5;
while ( 1 )
{
RtlRaiseStatus(v7);
LABEL_5:
// Iterate the list hung off this+16. Each entry stores a thread id at +12 (3 ints)
// and the transaction pointer at +16 (4 ints) — cf. +24 / +32 in the 64-bit build.
v14 = (int *)v2;
v13 = (int *)((char *)v3 + 16);
BUCL::CConstDequeIterator<BUCL::HashTable::CTable<CPathLockToComponentLockTableTraits>
::CBucket,0>::Reset(&v13);
if ( (unsigned __int8)BUCL::CConstDequeIterator<CompilerTransports::CHashElement,0>::More(v8) )
{
v9 = v14;
v10 = v18;
// Advance until an entry's thread id equals the current thread id or the iterator runs out.
while ( *(v9 != v13 ? v9 + 3 : 12) != v10 )
{
v14 = (int *)*v9;
if ( !(unsigned __int8)BUCL::CConstDequeIterator<CompilerTransports::CHashElement,0>::More((int)&v13) )
goto LABEL_11;
}
// Match: take the entry's transaction pointer.
v2 = *(v9 != v13 ? v9 + 4 : 16);
}
LABEL_11:
// Drop the lock, then publish the result. Note the raw pointer is copied out after the
// lock is released; nothing in this listing takes a reference on it, so its lifetime
// guarantee for the caller is not visible here.
Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v15);
v5 = v11;
v6 = (Windows::Rtl::CriticalSectionLockGrant *)&v15;
if ( v11 < 0 )
break;
*v17 = (void *)v2;
// Second Release — presumably the grant's scope-exit cleanup (verify against the grant class).
Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v15);
if ( v7 >= 0 )
return 0;
}
}
64 位版本的伪代码更好理解（x64 的异常处理是基于表的，反编译器可能没有把出错抛异常的路径还原出来，所以看上去更简洁）:
// Clear the out-parameter first so the caller sees NULL on any failure path.
*a2 = 0i64;
v2 = this;
// v3 is the result; stays NULL if the current thread owns no transaction.
v3 = 0i64;
v4 = a2;
// gs:[0x30] is the TEB self pointer; per the public TEB layout +0x48 is ClientId.UniqueThread,
// i.e. v5 is the current thread id used as the lookup key.
v5 = *(_QWORD *)(*MK_FP(__GS__, 48i64) + 72i64);
// Lock grant over the critical section embedded at this+64 (this+32 in the 32-bit build).
v12 = (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)this + 64);
v13 = 0;
v6 = Windows::Rtl::CriticalSectionLockGrant::Acquire((Windows::Rtl::CriticalSectionLockGrant *)&v12, (__int64)a2);
// Walk what appears to be an intrusive circular list whose head is embedded at this+32:
// start at head->next, stop on NULL or when we wrap back to the head.
// Each entry: +0 next pointer, +24 owning thread id, +32 transaction pointer.
for ( i = *((_QWORD *)v2 + 4);
i
&& (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)i != (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)v2 + 32);
i = *(_QWORD *)i )
{
if ( *(_QWORD *)(i + 24) == v5 )
{
v3 = *(void **)(i + 32);
break;
}
}
// Drop the lock, then publish the result. The raw pointer is handed out after the lock
// is released and no reference is taken here, so its lifetime for the caller depends
// on ownership rules not visible in this listing.
v6 = Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v12);
*v4 = v3;
// Second Release — presumably the grant's scope-exit cleanup; v6/v11 are never checked.
v11 = Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v12);
// NOTE(review): this listing always returns 0 (STATUS_SUCCESS). The 32-bit build propagates
// a failed Acquire status, so the error branch was likely dropped by the decompiler
// (table-based x64 SEH) rather than being absent — do not assume this path cannot fail.
return 0i64;