输入密码后，winlogon!WLGeneric_Request_Logon_Credz_Execute 调用了 winlogon!WluiRequestCredentials，并在此等待 logonui 返回。

       THREAD 81ec5930  Cid 0708.0de8  Teb: 7ffdd000 Win32Thread: ff2b2dd0 WAIT: (WrLpcReply) UserMode Non-Alertable
            81ec5b64  Semaphore Limit 0x1
        Waiting for reply to ALPC Message 87dff848 : queued at port 81ea96c0 : owned by process 9a752978
        Not impersonating
        DeviceMap                 8ba09a00
        Owning Process            81ea2030       Image:         winlogon.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      275120226      Ticks: 662 (0:00:00:10.327)
        Context Switch Count      115            IdealProcessor: 0             
        UserTime                  00:00:00.015
        KernelTime                00:00:00.436
        Win32 Start Address ntdll!TppWorkerThread (0x76d612fe)
        Stack Init 8255afd0 Current 8255aaa0 Base 8255b000 Limit 82558000 Call 00000000
        Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 2 PagePriority 5
        ChildEBP RetAddr  
        8255aab8 82877fae nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4])
        8255aaf0 82879583 nt!KiSwapThread+0x394
        8255ab18 8286aa1d nt!KiCommitThreadWait+0x461
        8255ab8c 8287db0c nt!KeWaitForSingleObject+0x505
        8255abbc 82dbcd1a nt!AlpcpSignalAndWait+0x142
        8255abfc 82df4fa3 nt!AlpcpReceiveSynchronousReply+0x8e
        8255aca0 82df7b81 nt!AlpcpProcessSynchronousRequest+0xaf9
        8255ad0c 829ad913 nt!NtAlpcSendWaitReceivePort+0x1a9
        8255ad0c 76cea084 nt!KiFastCallEntry+0x163 (FPO: [0,3] TrapFrame @ 8255ad34)
        00c4f164 76cc03c0 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        00c4f168 770caf06 ntdll!ZwAlpcSendWaitReceivePort+0xc (FPO: [8,0,0])
        00c4f1a0 770ddb19 RPCRT4!LRPC_CASSOCIATION::AlpcSendWaitReceivePort+0xcb
        00c4f1f0 770db93d RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0xf2
        00c4f214 770e11c5 RPCRT4!LRPC_BASE_CCALL::SendReceive+0x8f
        00c4f224 7709619e RPCRT4!LRPC_CCALL::SendReceive+0x1e
        00c4f240 77109adf RPCRT4!I_RpcSendReceive+0xad
        00c4f25c 771107e0 RPCRT4!NdrSendReceive+0x50
        00c4f26c 77135bb2 RPCRT4!NdrpSendReceive+0xc (FPO: [0,1,0])
        00c4f684 005a5ca3 RPCRT4!NdrClientCall2+0x1ce
        00c4f69c 005a5995 winlogon!ClientWluirRequestCredentials+0x19 (FPO: [Non-Fpo])
        00c4f6f0 0057c5ef winlogon!WluiRequestCredentials+0x39 (FPO: [Non-Fpo])
        00c4f714 00582e3b winlogon!RequestCredentials+0x90 (FPO: [Non-Fpo])
        00c4f780 0059e996 winlogon!WLGeneric_Request_Logon_Credz_Execute+0xa6 (FPO: [Non-Fpo])
        00c4f798 76d5dda1 winlogon!StateMachineWorkerCallback+0x67 (FPO: [Non-Fpo])
        00c4f7bc 76d618e5 ntdll!TppWorkpExecuteCallback+0x121 (FPO: [Non-Fpo])
        00c4f920 76197647 ntdll!TppWorkerThread+0x5e7 (FPO: [Non-Fpo])
        00c4f92c 76cf0683 kernel32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
        00c4f96c 76cf08df ntdll!__RtlUserThreadStart+0x23 (FPO: [Non-Fpo])
        00c4f984 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])


kd> x winlogon!*main*
005b4b38          winlogon!WPP_MAIN_CB = <no type information>
00571410          winlogon!_imp____getmainargs = <no type information>
0057e153          winlogon!WinMain (_WinMain@16)
0058c476          winlogon!CUser::GetDomainName (public: unsigned short const * __thiscall CUser::GetDomainName(void)const )
0058c3fc          winlogon!CUser::SetDomainName (public: unsigned long __thiscall CUser::SetDomainName(unsigned short const *))
0059d781          winlogon!WinMainCRTStartup (_WinMainCRTStartup)
005b4190          winlogon!__native_dllmain_reason = <no type information>
00589982          winlogon!CMachine::IsDomainMember (public: int __thiscall CMachine::IsDomainMember(void))
005b4b6c          winlogon!MainThreadId = <no type information>
kd> dd 005b4b38
005b4b38  00000000 00000000 00010001 00000002
005b4b48  0004000f ffffffff 00000401 ffffffff
005b4b58  00000000 00000000 0000001c 00000000
005b4b68  00208560 00000000 00000000 00000000
005b4b78  00000000 00000000 00000000 00000000
005b4b88  00000000 00000000 00000000 00000000
005b4b98  00000000 00000000 00000000 00000000
005b4ba8  00000000 00000000 00000000 00207c38
kd> dd 00208560
00208560  00231048 00000053 005b3ec0 00000022
00208570  005b3e38 00000004 00208088 00000000
00208580  00000000 00000001 00000000 00000000
00208590  00000002 00000000 0000001c 0000000a
002085a0  00000000 00000000 0000000b 00000000
002085b0  00000000 00000000 00000000 00000000
002085c0  00000000 00000000 00000000 00000000
002085d0  00000000 00000000 00000000 00000000

kd> u 005b3ec0
winlogon!g_rpWLGeneric_States:
005b3ec0 e021            loopne  winlogon!g_rpWLGeneric_States+0x23 (005b3ee3)
005b3ec2 5b              pop     ebx
005b3ec3 000422          add     byte ptr [edx],al
005b3ec6 5b              pop     ebx
005b3ec7 00d4            add     ah,dl
005b3ec9 225b00          and     bl,byte ptr [ebx]
005b3ecc 48              dec     eax
005b3ecd 235b00          and     ebx,dword ptr [ebx]

kd> dd 005b3ec0+b*4
005b3eec  005b2534 005b25e0 005b262c 005b2668
005b3efc  005b26c8 005b2704 005b2788 005b27ac
005b3f0c  005b2848 005b286c 005b290c 005b29e8
005b3f1c  005b2a3c 005b2acc 005b2b18 005b2b54
005b3f2c  005b2bcc 005b2cc4 005b2cf4 005b2d24
005b3f3c  005b2d54 005b2dac 005b2de8 005b2e24
005b3f4c  005b2e60 005b2e9c 005b2edc 005b2f24
005b3f5c  005b2f74 005b2fa4 005b3068 005b308c
kd> u 005b2534
winlogon!g_xWLGeneric_Request_Logon_Credz_State:

005b2534 90              nop
005b2535 2557000000      and     eax,57h
005b253a 0000            add     byte ptr [eax],al
005b253c 95              xchg    eax,ebp
005b253d 2d5800d12f      sub     eax,2FD10058h
005b2542 58              pop     eax
005b2543 0008            add     byte ptr [eax],cl
005b2545 0000            add     byte ptr [eax],al
kd> dd 005b2534
005b2534  00572590 00000000 00582d95 00582fd1
005b2544  00000008 005b2558 00000004 005b25b8
005b2554  0000000b 00000002 00000050 00000000
005b2564  00000012 00000050 00000000 00000004
005b2574  00000002 00000002 00000019 0000000d
005b2584  00000000 0000001a 0000000c 00000000
005b2594  0000001b 0000000c 00000000 00000007
005b25a4  00000002 00000002 00000009 00000008
kd> u 00582d95
winlogon!WLGeneric_Request_Logon_Credz_Execute:

00582d95 cc              int     3
00582d96 2c68            sub     al,68h
00582d98 00d8            add     al,bl
00582d9a 5a              pop     edx
00582d9b 00e8            add     al,ch
00582d9d fb              sti
00582d9e a9010068f0      test    eax,0F0680001h
00582da3 17              pop     ss
