An example of the RPCRT4!NdrPointerUnmarshall function as called from the ADVAPI32!LsarQueryInformationPolicy function
Part 1:
1: kd> db 0x7b0a50
007b0a50 00 00 02 00 05 00 00 00-1e 00 20 00 04 00 02 00 .......... .....
007b0a60 08 00 02 00 10 00 00 00-00 00 00 00 0f 00 00 00 ................
007b0a70 4e 00 54 00 44 00 45 00-56 00 2d 00 51 00 51 00 N.T.D.E.V.-.Q.Q.
007b0a80 54 00 51 00 53 00 4e 00-4c 00 44 00 58 00 00 00 T.Q.S.N.L.D.X...
007b0a90 04 00 00 00 01 04 00 00-00 00 00 05 15 00 00 00 ................
007b0aa0 0b 2e 6b 25 d5 fe fd 81-2b 5f a6 f7 00 00 00 00 ..k%....+_......
007b0ab0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
007b0ac0 0d f0 ad ba 0d f0 ad ba-0d f0 ad ba 0d f0 ad ba ................
1: kd> dt rpc_message 0x6fab4
services!RPC_MESSAGE
+0x000 Handle : 0x007b0740 Void
+0x004 DataRepresentation : 0x10
+0x008 Buffer : 0x007b0a50 Void
+0x00c BufferLength : 0x60
+0x010 ProcNum : 7
+0x014 TransferSyntax : (null)
+0x018 RpcInterfaceInformation : 0x77d73ea8 Void
+0x01c ReservedForRuntime : (null)
+0x020 ManagerEpv : (null)
+0x024 ImportContext : 0x77f7b3e2 Void
+0x028 RpcFlags : 0x1000
Part 2:
0: kd> g
KD: write to 0x77C4639F ok
Breakpoint 15 hit
RPCRT4!NdrpPointerUnmarshall:
001b:77c4639f 55 push ebp
0: kd> kc
#
00 RPCRT4!NdrpPointerUnmarshall
01 RPCRT4!NdrPointerUnmarshall
02 RPCRT4!NdrpClientUnMarshal
03 RPCRT4!NdrClientCall2
04 ADVAPI32!LsarQueryInformationPolicy
05 ADVAPI32!LsaQueryInformationPolicy
06 services!ScGetAccountDomainInfo
07 services!ScInitServiceAccount
08 services!SvcctrlMain
09 services!main
0a services!mainCRTStartup
0b kernel32!BaseProcessStart
Part 3:
1: kd> dd 00096488
00096488 0020001e 000964b8 000964d8 00000000
00096498 00000000 00000000 00000000 00000000
000964a8 00000000 00000000 00000000 00000000
000964b8 0054004e 00450044 002d0056 00510051
000964c8 00510054 004e0053 0044004c 00000058
000964d8 00000401 05000000 00000015 256b2e0b
000964e8 81fdfed5 f7a65f2b 00000000 00000000
000964f8 00000000 000964f0 00096488 000964fc
1: kd> dt _POLICY_ACCOUNT_DOMAIN_INFO 00096488
services!_POLICY_ACCOUNT_DOMAIN_INFO
+0x000 DomainName : _UNICODE_STRING "NTDEV-QQTQSNLDX"
+0x008 DomainSid : 0x000964d8 Void
1: kd> dx -id 0,0,893eb020 -r1 (*((services!_UNICODE_STRING *)0x96488))
(*((services!_UNICODE_STRING *)0x96488)) : "NTDEV-QQTQSNLDX" [Type: _UNICODE_STRING]
[<Raw View>] [Type: _UNICODE_STRING]
1: kd> dx -id 0,0,893eb020 -r1 -nv (*((services!_UNICODE_STRING *)0x96488))
(*((services!_UNICODE_STRING *)0x96488)) : "NTDEV-QQTQSNLDX" [Type: _UNICODE_STRING]
[+0x000] Length : 0x1e [Type: unsigned short]
[+0x002] MaximumLength : 0x20 [Type: unsigned short]
[+0x004] Buffer : 0x964b8 : 0x4e [Type: unsigned short *]
1: kd> db 0x964b8
000964b8 4e 00 54 00 44 00 45 00-56 00 2d 00 51 00 51 00 N.T.D.E.V.-.Q.Q.
000964c8 54 00 51 00 53 00 4e 00-4c 00 44 00 58 00 00 00 T.Q.S.N.L.D.X...
000964d8 01 04 00 00 00 00 00 05-15 00 00 00 0b 2e 6b 25 ..............k%
000964e8 d5 fe fd 81 2b 5f a6 f7-00 00 00 00 00 00 00 00 ....+_..........
1: kd> db 0x000964d8
000964d8 01 04 00 00 00 00 00 05-15 00 00 00 0b 2e 6b 25 ..............k%
000964e8 d5 fe fd 81 2b 5f a6 f7-00 00 00 00 00 00 00 00 ....+_..........
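To show what NdrPointerUnmarshall does with the 0x60-byte buffer of Part 1 to produce the _POLICY_ACCOUNT_DOMAIN_INFO of Part 3, here is an added example decoder (not code from the page, nor from RPCRT4); it walks the bytes by hand, with bounds and consistency checks the stub relies on. It assumes the standard MS-RPC NDR encoding of the MS-LSAD PolicyInformation union, arm 5 (PolicyAccountDomainInformation): referent IDs, a conformant varying WCHAR array for DomainName.Buffer, and a conformant size in front of the SID, which is the layout the Part 1 dump matches.

```python
import struct

# Constructed from the `db 0x7b0a50` dump above: the 0x60-byte NDR response
# buffer (RPC_MESSAGE.BufferLength == 0x60) that NdrPointerUnmarshall walks.
RESPONSE_BUFFER = bytes.fromhex(
    "00000200 05000000 1e002000 04000200 08000200 10000000 00000000 0f000000"
    "4e005400 44004500 56002d00 51005100 54005100 53004e00 4c004400 58000000"
    "04000000 01040000 00000005 15000000 0b2e6b25 d5fefd81 2b5fa6f7 00000000"
)
POLICY_ACCOUNT_DOMAIN_INFORMATION = 5  # POLICY_INFORMATION_CLASS union arm

def _take(buf, off, fmt):
    """Unpack little-endian fields at off, refusing to read past the buffer."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise ValueError(f"NDR buffer truncated at offset {off:#x}")
    return struct.unpack_from(fmt, buf, off), off + size

def decode_account_domain_info(buf):
    """Decode *PolicyInformation (arm 5) into the fields WinDbg showed in
    _POLICY_ACCOUNT_DOMAIN_INFO; returns None for a NULL top-level pointer."""
    (referent, info_class), off = _take(buf, 0, "<II")
    if referent == 0:
        return None
    if info_class != POLICY_ACCOUNT_DOMAIN_INFORMATION:
        raise ValueError(f"unexpected POLICY_INFORMATION_CLASS {info_class}")
    # Flat part: RPC_UNICODE_STRING {Length, MaximumLength, Buffer*}, DomainSid*.
    (length, max_length, name_ref, sid_ref), off = _take(buf, off, "<HHII")
    if name_ref == 0 or sid_ref == 0:
        raise ValueError("NULL DomainName.Buffer / DomainSid not handled here")
    # Pointees follow in order: Buffer is a conformant varying WCHAR array
    # (max_count, offset, actual_count, chars); size/length must match the header.
    (max_count, offset, actual_count), off = _take(buf, off, "<III")
    if (offset or actual_count > max_count or actual_count * 2 != length
            or max_count * 2 != max_length):
        raise ValueError("RPC_UNICODE_STRING header and array header disagree")
    (raw_name,), off = _take(buf, off, f"<{actual_count * 2}s")
    off = (off + 3) & ~3  # NDR aligns the next pointee to 4 bytes
    # DomainSid: a conformant size (sub-authority count) precedes the SID itself.
    (sid_count,), off = _take(buf, off, "<I")
    (revision, sub_count, authority), off = _take(buf, off, "<BB6s")
    if revision != 1 or sub_count != sid_count or sub_count > 15:
        raise ValueError("SID header inconsistent with its conformant size")
    subs, off = _take(buf, off, f"<{sub_count}I")
    sid = "S-%d-%d-%s" % (revision, int.from_bytes(authority, "big"),
                          "-".join(str(s) for s in subs))
    return {"DomainName": raw_name.decode("utf-16-le"), "DomainSid": sid,
            "consumed": off}
```

The decoder stops at offset 0x5c; the remaining 4 bytes are trailing padding, and everything past 0x60 in the Part 1 dump (the 0xbaadf00d fill) is unused allocation, not message data.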