第一部分:
1: kd> kc
#
00 ntdll!CsrClientConnectToServer
01 kernel32!BaseDllInitialize
02 ntdll!LdrpCallInitRoutine
03 ntdll!LdrpRunInitializeRoutines
04 ntdll!LdrpLoadDll
05 ntdll!LdrLoadDll
06 csrsrv!CsrLoadServerDll
07 csrsrv!CsrParseServerCommandLine
08 csrsrv!CsrServerInitialization
09 csrss!main
0a csrss!NtProcessStartup
1: kd> x ntdll!CsrServerProcess
77fbabd4 ntdll!CsrServerProcess = 0x01 ''
NTSTATUS
CsrClientConnectToServer (
IN PWSTR ObjectDirectory,
IN ULONG ServerDllIndex,
IN PVOID ConnectionInformation,
IN OUT PULONG ConnectionInformationLength OPTIONAL,
OUT PBOOLEAN CalledFromServer OPTIONAL
)
{
CsrServerProcess =
(NtHeaders->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_NATIVE) ? TRUE : FALSE;
if (CsrServerProcess) {
extern PVOID NtDllBase;
DllName_U.Buffer = L"csrsrv";
DllName_U.Length = sizeof (L"csrsrv") - sizeof (WCHAR);
DllName_U.MaximumLength = sizeof(L"csrsrv");
Status = LdrDisableThreadCalloutsForDll (NtDllBase);
if (!NT_SUCCESS (Status)) {
return Status;
}
Status = LdrGetDllHandle (NULL,
NULL,
&DllName_U,
(PVOID *)&CsrServerModuleHandle);
if (!NT_SUCCESS (Status)) {
return Status;
}
RtlInitString (&ProcedureName,"CsrCallServerFromServer");
Status = LdrGetProcedureAddress (CsrServerModuleHandle,
&ProcedureName,
0L,
(PVOID *)&CsrServerApiRoutine);
if (!NT_SUCCESS (Status)) {
return Status;
}
1: kd> x ntdll!CsrServerApiRoutine
77fbabdc ntdll!CsrServerApiRoutine = 0x752a5714
1: kd> u 752a5714
csrsrv!CsrCallServerFromServer [d:\srv03rtm\base\subsys\csr\server\apireqst.c @ 871]:
第二部分:
NTSTATUS
CsrClientCallServer (
IN OUT PCSR_API_MSG m,
IN OUT PCSR_CAPTURE_HEADER CaptureBuffer OPTIONAL,
IN CSR_API_NUMBER ApiNumber,
IN ULONG ArgLength
)
{
if (CsrServerProcess == FALSE) {
......
} else {
m->h.ClientId = NtCurrentTeb()->ClientId;
Status = (CsrServerApiRoutine) ((PCSR_API_MSG)m,
(PCSR_API_MSG)m);
第三部分:
1: kd> g
KD: write to 0x752A5714 ok
Breakpoint 16 hit
csrsrv!CsrCallServerFromServer:
001b:752a5714 6a10 push 10h
1: kd> kc
#
00 csrsrv!CsrCallServerFromServer
01 ntdll!CsrClientCallServer
02 kernel32!CsrBasepNlsCreateSection
03 kernel32!NlsServerInitialize
04 kernel32!NlsDllInitialize
05 kernel32!BaseDllInitialize
06 ntdll!LdrpCallInitRoutine
07 ntdll!LdrpRunInitializeRoutines
08 ntdll!LdrpLoadDll
09 ntdll!LdrLoadDll
0a csrsrv!CsrLoadServerDll
0b csrsrv!CsrParseServerCommandLine
0c csrsrv!CsrServerInitialization
0d csrss!main
0e csrss!NtProcessStartup
1: kd> x ntdll!CsrServerProcess
77fbabd4 ntdll!CsrServerProcess = 0x01 ''
1: kd> dv
ReceiveMsg = 0x0015f28c
ReplyMsg = 0x0015f28c
LoadedServerDll = 0x0015f2e4
ReplyStatus = 0n1454816 (No matching enumerant)
1: kd> dx -r1 ((csrsrv!_CSR_API_MSG *)0x15f28c)
((csrsrv!_CSR_API_MSG *)0x15f28c) : 0x15f28c [Type: _CSR_API_MSG *]
[+0x000] h [Type: _PORT_MESSAGE]
[+0x018] ConnectionRequest [Type: _CSR_API_CONNECTINFO]
[+0x018] CaptureBuffer : 0x0 [Type: _CSR_CAPTURE_HEADER *]
[+0x01c] ApiNumber : 0x10010 [Type: unsigned long]
[+0x020] ReturnValue : 0x40001 [Type: unsigned long]
[+0x024] Reserved : 0x0 [Type: unsigned long]
[+0x028] u [Type: __unnamed]
// Selects the server DLL from a CSR API number: the high 16 bits of
// ApiNumber are the index into CsrLoadedServerDll[]. The dump above agrees:
// ApiNumber 0x10010 -> index 1 -> CsrLoadedServerDll[1] (ModuleName "basesrv"),
// and its ApiDispatchTable entry at 0x752e1220 + 0x10*4 = 0x752e1260 is
// basesrv!BaseSrvNlsCreateSection, matching CsrBasepNlsCreateSection on the stack.
// NOTE(review): the index comes from the message; the bounds check against the
// 4-entry array (two of which are NULL here) is not in this excerpt -- confirm
// it in CsrCallServerFromServer before relying on it.
#define CSR_APINUMBER_TO_SERVERDLLINDEX( ApiNumber ) \
((ULONG)((ULONG)(ApiNumber) >> 16))
1: kd> x csrsrv!CsrLoadedServerDll
752aa8c0 csrsrv!CsrLoadedServerDll = struct _CSR_SERVER_DLL *[4]
1: kd> dx -r1 (*((csrsrv!_CSR_SERVER_DLL * (*)[4])0x752aa8c0))
(*((csrsrv!_CSR_SERVER_DLL * (*)[4])0x752aa8c0)) [Type: _CSR_SERVER_DLL * [4]]
[0] : 0x162e78 [Type: _CSR_SERVER_DLL *]
[1] : 0x163388 [Type: _CSR_SERVER_DLL *]
[2] : 0x0 [Type: _CSR_SERVER_DLL *]
[3] : 0x0 [Type: _CSR_SERVER_DLL *]
1: kd> dx -r1 ((csrsrv!_CSR_SERVER_DLL *)0x163388)
((csrsrv!_CSR_SERVER_DLL *)0x163388) : 0x163388 [Type: _CSR_SERVER_DLL *]
[+0x000] Length : 0x50 [Type: unsigned long]
[+0x004] ModuleName [Type: _STRING]
[+0x00c] ModuleHandle : 0x752e0000 [Type: void *]
[+0x010] ServerDllIndex : 0x1 [Type: unsigned long]
[+0x014] ServerDllConnectInfoLength : 0x0 [Type: unsigned long]
[+0x018] ApiNumberBase : 0x0 [Type: unsigned long]
[+0x01c] MaxApiNumber : 0x20 [Type: unsigned long]
[+0x020] ApiDispatchTable : 0x752e1220 [Type: unsigned long (**)(_CSR_API_MSG *,_CSR_REPLY_STATUS *)]
[+0x024] ApiServerValidTable : 0x752f0080 : 0x1 [Type: unsigned char *]
[+0x028] ApiNameTable : 0x752e12a8 [Type: char * *]
[+0x02c] PerProcessDataLength : 0x0 [Type: unsigned long]
[+0x030] ConnectRoutine : 0x752e4748 [Type: long (*)(_CSR_PROCESS *,void *,unsigned long *)]
[+0x034] DisconnectRoutine : 0x752e476a [Type: void (*)(_CSR_PROCESS *)]
[+0x038] HardErrorRoutine : 0x0 [Type: void (*)(_CSR_THREAD *,_HARDERROR_MSG *)]
[+0x03c] SharedStaticServerData : 0x7f6f0cb0 [Type: void *]
[+0x040] AddProcessRoutine : 0x0 [Type: long (*)(_CSR_PROCESS *,_CSR_PROCESS *)]
[+0x044] ShutdownProcessRoutine : 0x0 [Type: unsigned long (*)(_CSR_PROCESS *,unsigned long,unsigned char)]
1: kd> dx -r1 (*((csrsrv!_STRING *)0x16338c))
(*((csrsrv!_STRING *)0x16338c)) [Type: _STRING]
[+0x000] Length : 0x7 [Type: unsigned short]
[+0x002] MaximumLength : 0x8 [Type: unsigned short]
[+0x004] Buffer : 0x1633d0 : "basesrv" [Type: char *]
1: kd> dd 0x752e1220
752e1220 752e6a64 752e684e 752e69e2 752e6984
752e1230 752e6a02 752ea586 752ea685 752e8f7f
752e1240 752ea6c1 752e816e 752e8d8a 752e76c6
752e1250 752e6a0a 752e6a3d 752ea886 752ea953
752e1260 752ead8e 752e81a7 752e8323 752e82be
752e1270 752e9670 752ec59f 752ec003 752e5dbb
752e1280 752ebb8a 752eac41 752e4a4b 752edb64
752e1290 752e6a02 752e68e6 752ee734 752ea81c
1: kd> u 752ead8e
basesrv!BaseSrvNlsCreateSection [d:\srv03rtm\base\win32\server\srvnls.c @ 1031]:
752ead8e 55 push ebp
752ead8f 8bec mov ebp,esp
752ead91 81ecf8000000 sub esp,0F8h
752ead97 a1f4012f75 mov eax,dword ptr [basesrv!__security_cookie (752f01f4)]
752ead9c 8945fc mov dword ptr [ebp-4],eax
752ead9f 8b4508 mov eax,dword ptr [ebp+8]
752eada2 53 push ebx
752eada3 56 push esi