sfc_os!SfcValidateDLL 函数分析之 cache 文件版本
第一部分：
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_COMPLETE_VALIDATION_DATA *)0x12380e0))
(*((sfc_os!_COMPLETE_VALIDATION_DATA *)0x12380e0)) [Type: _COMPLETE_VALIDATION_DATA]
[+0x000] Original [Type: _IMAGE_VALIDATION_DATA]
[+0x058] Cache [Type: _IMAGE_VALIDATION_DATA]
[+0x0b0] New [Type: _IMAGE_VALIDATION_DATA]
[+0x108] RestoreFromReal : 0 [Type: int]
[+0x10c] RestoreFromCache : 0 [Type: int]
[+0x110] RestoreFromMedia : 0 [Type: int]
[+0x114] NotifyUser : 0 [Type: int]
[+0x118] BadCacheEntry : 0 [Type: int]
[+0x11c] EventLog : 0x0 [Type: unsigned long]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_IMAGE_VALIDATION_DATA *)0x12380e0)) [+0x000] Original
(*((sfc_os!_IMAGE_VALIDATION_DATA *)0x12380e0)) [Type: _IMAGE_VALIDATION_DATA]
[+0x000] DllVersion : 0x500020ece0000 [Type: unsigned __int64]
[+0x008] DllCheckSum : 0xcb39 [Type: unsigned long]
[+0x00c] SignatureValid : 0 [Type: int]
[+0x010] FilePresent : 1 [Type: int]
[+0x014] FileName [Type: unsigned short [32]]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_IMAGE_VALIDATION_DATA *)0x1238138)) [+0x058] Cache
(*((sfc_os!_IMAGE_VALIDATION_DATA *)0x1238138)) [Type: _IMAGE_VALIDATION_DATA]
[+0x000] DllVersion : 0x0 [Type: unsigned __int64]
[+0x008] DllCheckSum : 0x0 [Type: unsigned long]
[+0x00c] SignatureValid : 0 [Type: int]
[+0x010] FilePresent : 0 [Type: int]
[+0x014] FileName [Type: unsigned short [32]]
第二部分：
//
// get the version information for both files (the cached version and the
// current version)
//
SfcGetValidationData( &RegVal->FileName,
&RegVal->FullPathName,
RegVal->DirHandle,
hCatAdmin,
&ImageValData->Original);
{
UNICODE_STRING FullPath;
WCHAR Buffer[MAX_PATH];
RtlZeroMemory( &ImageValData->Cache, sizeof(IMAGE_VALIDATION_DATA) );
FileName = FileNameOnMedia( RegVal );
RtlInitUnicodeString( &ActualFileName, FileName );
ASSERT(FileName != NULL);
wcscpy(Buffer, SfcProtectedDllPath.Buffer);
pSetupConcatenatePaths( Buffer, ActualFileName.Buffer, UnicodeChars(Buffer), NULL);
RtlInitUnicodeString( &FullPath, Buffer );
0: kd> dv
vrd = 0x0112916c
hCatAdmin = 0x01c0caf8
ActualFileName = "pidgen.dll"
ASSERT(FileName != NULL);
wcscpy(Buffer, SfcProtectedDllPath.Buffer);
pSetupConcatenatePaths( Buffer, ActualFileName.Buffer, UnicodeChars(Buffer), NULL);
RtlInitUnicodeString( &FullPath, Buffer );
0: kd> dv
vrd = 0x0112916c
hCatAdmin = 0x01c0caf8
ActualFileName = "pidgen.dll"
FullPath = "c:\windows\system32\dllcache\pidgen.dll"
Buffer = unsigned short [260]
第三部分：
0: kd> t
Breakpoint 19 hit
sfc_os!SfcGetValidationData:
001b:768377e5 55 push ebp
0: kd> kc
#
00 sfc_os!SfcGetValidationData
01 sfc_os!SfcValidateDLL
02 sfc_os!SfcQueueValidationThread
03 kernel32!BaseThreadStart
0: kd> dv
FileName = 0x007cf510 "pidgen.dll"
FullPathName = 0x007cf508 "c:\windows\system32\dllcache\pidgen.dll"
DirHandle = 0x00000010
hCatAdmin = 0x01c0caf8
ImageValData = 0x01238138
FileHandle = 0x77f7b0f8