NdrpGetAllocateAllNodesContext函数分析之三个内存区域的联系

第一部分：
NDR_ALLOC_ALL_NODES_CONTEXT *
NdrpGetAllocateAllNodesContext(
    PMIDL_STUB_MESSAGE pStubMsg,
    PFORMAT_STRING     pFormat )
{

    uchar *pAllocMemory =
        (uchar*)NdrAllocate( pStubMsg, AllocSize + sizeof(NDR_ALLOC_ALL_NODES_CONTEXT) );    //返回到这里

    NDR_ALLOC_ALL_NODES_CONTEXT *pAllocContext =
        (NDR_ALLOC_ALL_NODES_CONTEXT*)(pAllocMemory + AllocSize);
    pAllocContext->AllocAllNodesMemory      = pAllocMemory;
    pAllocContext->AllocAllNodesMemoryBegin = pAllocMemory;
    pAllocContext->AllocAllNodesMemoryEnd   = (uchar*)pAllocContext;
    
    return pAllocContext;
}

第二部分：

0: kd> p
RPCRT4!NdrAllocate+0x97:
001b:77c3f91a c20800          ret     8
0: kd> r
eax=00096488

    ulong AllocSize = pStubMsg->MemorySize;        =0x74
    pStubMsg->MemorySize = 0;
    LENGTH_ALIGN( AllocSize, __alignof(NDR_ALLOC_ALL_NODES_CONTEXT) - 1);

    uchar *pAllocMemory =
        (uchar*)NdrAllocate( pStubMsg, AllocSize + sizeof(NDR_ALLOC_ALL_NODES_CONTEXT) );

    NDR_ALLOC_ALL_NODES_CONTEXT *pAllocContext =
        (NDR_ALLOC_ALL_NODES_CONTEXT*)(pAllocMemory + AllocSize);
    pAllocContext->AllocAllNodesMemory      = pAllocMemory;
    pAllocContext->AllocAllNodesMemoryBegin = pAllocMemory;
    pAllocContext->AllocAllNodesMemoryEnd   = (uchar*)pAllocContext;
    
    return pAllocContext;
}

0: kd> p
RPCRT4!NdrpGetAllocateAllNodesContext+0x67:
001b:77c44682 8bc8            mov     ecx,eax
0: kd> r
eax=00096488 ebx=77d75382 ecx=00096508 edx=0006fb90 esi=0006fae0 edi=00000074
eip=77c44682 esp=0006f9a8 ebp=0006f9d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
RPCRT4!NdrpGetAllocateAllNodesContext+0x67:
001b:77c44682 8bc8            mov     ecx,eax

0: kd> p
RPCRT4!NdrpGetAllocateAllNodesContext+0x6c:
001b:77c44687 8908            mov     dword ptr [eax],ecx
0: kd> r
eax=000964fc ebx=77d75382 ecx=00096488

pAllocContext= eax=000964fc

0: kd> r
eax=00096488 ebx=77d75382 ecx=00096508 edx=0006fb90 esi=0006fae0 edi=00000074
eip=77c44682 esp=0006f9a8 ebp=0006f9d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
RPCRT4!NdrpGetAllocateAllNodesContext+0x67:
001b:77c44682 8bc8            mov     ecx,eax
0: kd> dv
       pStubMsg = 0x0006fae0
        pFormat = 0x77d75386 "+.&"
        pBuffer = 0x007b0a54 "???"
      pOldQueue = 0x0006fab4
0: kd> p
RPCRT4!NdrpGetAllocateAllNodesContext+0x69:
001b:77c44684 8d0439          lea     eax,[ecx+edi]

第四部分：

0: kd> p
RPCRT4!NdrpGetAllocateAllNodesContext+0x6c:
001b:77c44687 8908            mov     dword ptr [eax],ecx
0: kd> r
eax=000964fc ebx=77d75382 ecx=00096488 edx=0006fb90 esi=0006fae0 edi=00000074
eip=77c44687 esp=0006f9a8 ebp=0006f9d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
RPCRT4!NdrpGetAllocateAllNodesContext+0x6c:
001b:77c44687 8908            mov     dword ptr [eax],ecx ds:0023:000964fc=00000000
0: kd> p
RPCRT4!NdrpGetAllocateAllNodesContext+0x6e:
001b:77c44689 894804          mov     dword ptr [eax+4],ecx
0: kd> p
RPCRT4!NdrpGetAllocateAllNodesContext+0x71:
001b:77c4468c 894008          mov     dword ptr [eax+8],eax

0: kd> dt NDR_ALLOC_ALL_NODES_CONTEXT 000964fc
RPCRT4!NDR_ALLOC_ALL_NODES_CONTEXT
   +0x000 AllocAllNodesMemory : 0x00096488  ""
   +0x004 AllocAllNodesMemoryBegin : 0x00096488  ""
   +0x008 AllocAllNodesMemoryEnd : 0x000964fc  "???"

第五部分：

0: kd> dd 0x00096488
00096488  00000000 00000000 00000000 00000000    待分配内存区域1
00096498  00000000 00000000 00000000 00000000
000964a8  00000000 00000000 00000000 00000000
000964b8  00000000 00000000 00000000 00000000
000964c8  00000000 00000000 00000000 00000000
000964d8  00000000 00000000 00000000 00000000
000964e8  00000000 00000000 00000000 00000000
000964f8  00000000 00096488 00096488 000964fc    NDR_ALLOC_ALL_NODES_CONTEXT结构信息-区域2
0: kd> dd 0x00096508
00096508  4d454d4c 00096488 00000000 00000000    _NDR_MEMORY_LIST_TAIL_NODE结构信息-区域3