CComObjectBase 和IUnknown 接口
`vftable'{for`Windows::COM::CComObjectBase'} 比 `vftable'{for`IUnknown'} 多一个函数:`vector deleting destructor'(unsignedint),且排在最前面。
那么,是否可以推定:Windows::COM::CComObjectBase 是继承了 IUnknown 接口,亦或 CComObjectBase 接口只有一个函数,即后面的三个实际上是下一组的虚函数。
当我们把能找到的虚函数组的地址排列在一起时,就会发现:虚函数组的地址从10003878 处开始向后连续存储,那么,判断一组虚函数到底有多少个虚函数,就可以用下一组虚函数的地址减去当前组虚函数的地址。
CComObjectBase 的 10006FC4,IUnknown 的地址是 10006FC8,两者的差为 4,即为一个字段的大小,因此,可以推断,CComObjectBase 接口只有一个函数。
同时,我们知道 IUnknown 接口有三个函数,那么,下一组虚函数的起始地址就应该是10006FC8 + 12,即 10006FD4。是这样吗?
是的,后面的两组虚函数就是这样。
但是,到 10006FE4 这里,出现的一些问题, 不再是 1、3、1、3…了。
10006FE4 的下一组是 1000700C,两者相差10 个字段的大小,那就说明有 10 个函数。是这样吗?
10006FE4 处是 Windows::ServicingAPI::CCSITransaction_ICSITransaction2,果然是有10 个函数。
因此,CComObjectBase 接口只有一个函数,即后面的三个实际上是下一组的虚函数。
//----- (10257DA4) --------------------------------------------------------
_DWORD *__thiscall Windows::Auto<Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2> *>::Allocate(_DWORD *this)
{
v1 =this;
result =RtlAllocateHeap(*(HANDLE *)(__readfsdword(48) + 24), 0, 0x10u);
if (result )
{
result[1] = 0;
result[3] = 0;
*result= &Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::`vftable'{for`Windows::COM::CComObjectBase'};
result[2] = &Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::`vftable'{for`IUnknown'};
}
else
{
result =0;
}
*v1= result;
return result;
}
// 10006FC4: using guessed type int (__thiscall*Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::`vftable'{for`Windows::COM::CComObjectBase'})(Windows::COM::CComObjectBase *this, char);
// 10006FC8: using guessed type int (__stdcall*Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::`vftable'{for`IUnknown'})(int, struct _GUID *, void **);
| 0x10006FC4 | {wcp.dll!const Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::`vftable'{for `Windows::COM::CComObjectBase'}} {...} |
| 0x5be47cb0 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::`vector deleting destructor'(unsigned int)} |
| 0x5be48520 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::QueryInterface(struct _GUID const &,void * *)} |
| 0x5bca5f10 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8> >::AddRef(void)} |
| 0x5bc886e0 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8> >::Release(void)} |
| 0x10006FC8 | {wcp.dll!const Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::`vftable'{for `IUnknown'}} {...} |
| 0x5be48520 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION2>::QueryInterface(struct _GUID const &,void * *)} |
| 0x5bca5f10 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8> >::AddRef(void)} |
| 0x5bc886e0 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8> >::Release(void)} |
//----- (10257DE0)--------------------------------------------------------
_DWORD *__thiscall Windows::Auto<Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION> *>::Allocate(_DWORD *this)
{
v1 =this;
result =RtlAllocateHeap(*(HANDLE *)(__readfsdword(48) + 24), 0, 0x10u);
if (result )
{
result[1] = 0;
result[3] = 0;
*result= &Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::`vftable'{for`Windows::COM::CComObjectBase'};
result[2] = &Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::`vftable'{for`IUnknown'};
}
else
{
result =0;
}
*v1= result;
return result;
}
// 10006FD4: using guessed type int (__thiscall*Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::`vftable'{for`Windows::COM::CComObjectBase'})(Windows::COM::CComObjectBase *this, char);
// 10006FD8: using guessed type int (__stdcall*Windows::COM::CComObject<Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::`vftable'{for`IUnknown'})(int, struct _GUID *, void **);
| 0x10006FD4 | {wcp.dll!const Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::`vftable'{for `Windows::COM::CComObjectBase'}} {...} |
| 0x5be47d30 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::`vector deleting destructor'(unsigned int)} |
| 0x10006FD8 | {wcp.dll!const Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::`vftable'{for `IUnknown'}} {...} |
| 0x5be48550 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CEnumCSI_PENDING_TRANSACTION>::QueryInterface(struct _GUID const &,void * *)} |
| 0x5bca5f10 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8> >::AddRef(void)} |
| 0x5bc886e0 | {wcp.dll!Windows::COM::CComObject<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8> >::Release(void)} |
| 0x10006fe4 | {const Windows::COM::CComObjectInterfaceTearOff<class Windows::ServicingAPI::CCSITransaction,class Windows::ServicingAPI::CCSITransaction_ICSITransaction2>::`vftable'} |
| 0x5be50960 | {Windows::COM::CComObjectInterfaceTearOff<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8>,class Windows::ServicingAPI::CCDFEnumeratorTearOffHelper<class Windows::ServicingAPI::CCDFEnumeratorHelper<struct IEnumCDF_APPID_TABLE_ITEM,class Windows::Cdf::Rtl::IRtlCdfAppIdTableEnumerator,class Windows::Cdf::Rtl::IRtlCdfAppIdTable,struct _CDF_APPID_TABLE_ITEM,8>,struct IEnumCDF_APPID_TABLE_ITEM,struct _CDF_APPID_TABLE_ITEM> >::QueryInterface(struct _GUID const &,void * *)} |
| 0x5bdd4b20 | {Windows::COM::CComObject<class HKCUSmartInstaller>::AddRef(void)} |
| 0x5bca4790 | {Windows::COM::CComObjectInterfaceTearOff<class Windows::ServicingAPI::CCSITransaction,class Windows::ServicingAPI::CCSITransaction_ICSITransaction2>::Release(void)} |
| 0x5be499f0 | {Windows::ServicingAPI::CCSITransaction_ICSITransaction2::AddFiles(unsigned long,unsigned long,struct IDefinitionIdentity * * const,unsigned short const * * const,unsigned short const * * const,unsigned long *,unsigned long *)} |
| 0x5be49410 | {Windows::ServicingAPI::CCSITransaction_ICSITransaction2::AddComponents(unsigned long,unsigned long,struct IDefinitionIdentity * * const,unsigned short const * * const,unsigned long *,unsigned long *)} |
| 0x5be4fc90 | {Windows::ServicingAPI::CCSITransaction_ICSITransaction2::Scavenge(unsigned long,void *,struct IDefinitionIdentity *,unsigned short const *,unsigned short const *,unsigned long *)} |
| 0x5be49f90 | {Windows::ServicingAPI::CCSITransaction_ICSITransaction2::Analyze(unsigned long,struct _GUID const &,struct IUnknown * *,unsigned long *)} |
| 0x5be4fd20 | {Windows::ServicingAPI::CCSITransaction_ICSITransaction2::UnstageDeploymentPayload(unsigned long,struct IDefinitionIdentity *,unsigned short const *,unsigned short const *,unsigned short const *,unsigned long *)} |
| 0x5be4efd0 | {Windows::ServicingAPI::CCSITransaction_ICSITransaction2::MarkDeploymentStaged(unsigned long,struct IDefinitionIdentity *,unsigned short const *,unsigned short const *,unsigned short const *,unsigned long *)} |
| 0x5be4f000 | {Windows::ServicingAPI::CCSITransaction_ICSITransaction2::MarkDeploymentUnstaged(unsigned long,struct IDefinitionIdentity *,unsigned short const *,unsigned short const *,unsigned short const *,unsigned long *)} |
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
