RPCRT4!NdrConformantStructUnmarshall函数分析
第一部分:
0: kd> g
Breakpoint 5 hit
RPCRT4!NdrConformantStructUnmarshall:
001b:77c44859 55 push ebp
0: kd> kc
#
00 RPCRT4!NdrConformantStructUnmarshall
01 RPCRT4!NdrpPointerUnmarshall
02 RPCRT4!NdrpEmbeddedPointerUnmarshall
03 RPCRT4!NdrSimpleStructUnmarshall
04 RPCRT4!NdrpUnionUnmarshall
05 RPCRT4!NdrNonEncapsulatedUnionUnmarshall
06 RPCRT4!NdrpPointerUnmarshall
07 RPCRT4!NdrPointerUnmarshall
08 RPCRT4!NdrpPointerUnmarshall
09 RPCRT4!NdrPointerUnmarshall
0a RPCRT4!NdrpClientUnMarshal
0b RPCRT4!NdrClientCall2
0c ADVAPI32!LsarQueryInformationPolicy
0d ADVAPI32!LsaQueryInformationPolicy
0e services!ScGetAccountDomainInfo
0f services!ScInitServiceAccount
10 services!SvcctrlMain
11 services!main
12 services!mainCRTStartup
13 kernel32!BaseProcessStart
0: kd> dv
pStubMsg = 0x0006fae0
ppMemory = 0x00096490
pFormat = 0x77d752d2 "???"
fMustAlloc = 0x01 ''
StructSize = 0x77d752d2
fIsEmbeddedStruct = 0x00 ''
pCorrMemorySave = 0x77d75440 "???"
0: kd> db 0x77d752d2
77d752d2 17 03 08 00 f0 ff 02 02-4c 00 e0 ff 5c 5b 1b 00 ........L...\[..
/* 328 */
0x17, /* FC_CSTRUCT */
0x3, /* 3 */
/* 330 */ NdrFcShort( 0x8 ), /* 8 */
/* 332 */ NdrFcShort( 0xfff0 ), /* Offset= -16 (316) */
/* 334 */ 0x2, /* FC_CHAR */ // 不是 FC_PP (0x4b)
0x2, /* FC_CHAR */
/* 336 */ 0x4c, /* FC_EMBEDDED_COMPLEX */
0x0, /* 0 */
/* 338 */ NdrFcShort( 0xffe0 ), /* Offset= -32 (306) */
/* 340 */ 0x5c, /* FC_PAD */
0x5b, /* FC_END */
0: kd> dd 0x00096490
00096490 000964d8
0: kd> dd 0x96488
00096488 00000000 000964b8 00000000 00000000
00096498 00000000 00000000 00000000 00000000
000964a8 00000000 00000000 00000000 00000000
000964b8 0054004e 00450044 002d0056 00510051
000964c8 00510054 004e0053 0044004c 00000058
000964d8 00000000 00000000 00000000 00000000
000964e8 00000000 00000000 00000000 00000000
// Pointer section delimiter.
FC_PP, // 0x4b
第二部分:
// Add the size of the conformant array to the structure size.
// Check for a possible multiplication-overflow attack here.
StructSize += MultiplyWithOverflowCheck( (ulong)pStubMsg->MaxCount, *((ushort *)(pFormatArray + 2) ) );
// Check the size and the buffer limit.
0: kd> dv
pStubMsg = 0x0006fae0
ppMemory = 0x00096490
pFormat = 0x00000018 "--- memory read error at address 0x00000018 ---"
fMustAlloc = 0x01 ''
StructSize = 0x18 // 正确: 0x18 = 8 (SID 头部) + 4 × 4 (SubAuthority), 与下面 dt _sid 的布局一致
0: kd> dt _sid
services!_SID
+0x000 Revision : UChar
+0x001 SubAuthorityCount : UChar
+0x002 IdentifierAuthority : _SID_IDENTIFIER_AUTHORITY
+0x008 SubAuthority : [1] Uint4B
第三部分:
// Initialize the memory pointer if needed.
if ( fMustAlloc )
{
*ppMemory = (uchar *) NdrAllocate( pStubMsg, StructSize );
}
0: kd> dd 00096490
00096490 000964d8
0: kd> dd 000964d8
000964d8 00000000 00000000 00000000 00000000
000964e8 00000000 00000000 00000000 00000000
000964f8 00000000 000964f0 00096488 000964fc
第四部分:
// Unmarshall embedded pointers before copying the struct.
if ( *pFormat == FC_PP ) // 没有运行: 此处 *pFormat 为 /* 334 */ 0x2 (FC_CHAR), 不是 FC_PP
{
//
// Set BufferMark to the beginning of the structure in the buffer.
//
pStubMsg->BufferMark = pBufferStart;
NdrpEmbeddedPointerUnmarshall( pStubMsg,
*ppMemory,
pFormat,
fMustAlloc );
}
0: kd> db 77d752d8
77d752d8 02 02 4c 00 e0 ff 5c 5b-1b 00 01 00 00 59 00 00 ..L...\[.....Y..
77d752e8 00 00 02 5b 17 01 04 00-f0 ff 02 02 06 5b 16 03 ...[.........[..
// Copy the struct if we're not using the rpc buffer.
if ( *ppMemory != pBufferStart )
{
RpcpMemoryCopy( *ppMemory,
pBufferStart,
StructSize );
}
0: kd> dd 000964d8
000964d8 00000401 05000000 00000015 256b2e0b
000964e8 81fdfed5 f7a65f2b
0: kd> dd 00096488
00096488 00000000 000964b8 000964d8 00000000
00096498 00000000 00000000 00000000 00000000
000964a8 00000000 00000000 00000000 00000000
000964b8 0054004e 00450044 002d0056 00510051
000964c8 00510054 004e0053 0044004c 00000058
000964d8 00000401 05000000 00000015 256b2e0b
000964e8 81fdfed5 f7a65f2b