CLruCache::BucketFromIdentifier函数分析
第一部分:
1: kd> p
CRYPT32!CLruCache::FindEntry+0x9:
001b:75c8f388 e833fdffff call CRYPT32!CLruCache::BucketFromIdentifier (75c8f0c0)
1: kd> t
CRYPT32!CLruCache::BucketFromIdentifier:
001b:75c8f0c0 55 push ebp
1: kd> kc
#
00 CRYPT32!CLruCache::BucketFromIdentifier
01 CRYPT32!CLruCache::FindEntry
02 CRYPT32!I_CryptFindLruEntryData
03 WINTRUST!CCatalogCache::FindCachedState
04 WINTRUST!_VerifyTrust
05 WINTRUST!WinVerifyTrust
06 sfc_os!SfcValidateFileSignature
07 sfc_os!SfcGetValidationData
08 sfc_os!SfcValidateDLL
09 sfc_os!SfcQueueValidationThread
0a kernel32!BaseThreadStart
1: kd> dv
this = 0x76819334
pIdentifier = 0x007ce9a4
// Selects the hash bucket for a cache identifier: the hash callback stored in
// m_Config.pfnHash is applied to pIdentifier and the result is reduced modulo
// m_Config.cBuckets to index m_aBucket. Returns a pointer to that bucket.
//
// The bucket only narrows the search. The hash is whatever the cache's
// configuration supplies, so two different identifiers can land in the same
// bucket. NOTE(review): the full-identifier comparison is presumably done by
// the caller (FindEntry) - not visible here, confirm.
inline PLRU_CACHE_BUCKET
CLruCache::BucketFromIdentifier (
IN PCRYPT_DATA_BLOB pIdentifier
)
{
// Indirect call through a function pointer taken from the cache configuration;
// pIdentifier is passed through unchanged and is not validated here.
DWORD Hash = ( *m_Config.pfnHash )( pIdentifier );
// NOTE(review): the modulo is a division by m_Config.cBuckets, and no zero check
// is visible in this function - confirm cBuckets is validated when the cache is
// created.
return( &m_aBucket[ Hash % m_Config.cBuckets ] );
}
第二部分:
1: kd> p
CRYPT32!CLruCache::BucketFromIdentifier+0x9:
001b:75c8f0c9 ff5608 call dword ptr [esi+8]
1: kd> r
eax=007ce9a4 ebx=007ceb00 ecx=00298168 edx=76819334 esi=00298168 edi=76819334
eip=75c8f0c9 esp=007ce960 ebp=007ce968 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
CRYPT32!CLruCache::BucketFromIdentifier+0x9:
001b:75c8f0c9 ff5608 call dword ptr [esi+8] ds:0023:00298170={WINTRUST!CatalogCacheHashIdentifier (767ff181)}
1: kd> t
WINTRUST!CatalogCacheHashIdentifier:
001b:767ff181 55 push ebp
1: kd> kc
#
00 WINTRUST!CatalogCacheHashIdentifier
01 CRYPT32!CLruCache::BucketFromIdentifier
02 CRYPT32!CLruCache::FindEntry
03 CRYPT32!I_CryptFindLruEntryData
04 WINTRUST!CCatalogCache::FindCachedState
05 WINTRUST!_VerifyTrust
06 WINTRUST!WinVerifyTrust
07 sfc_os!SfcValidateFileSignature
08 sfc_os!SfcGetValidationData
09 sfc_os!SfcValidateDLL
0a sfc_os!SfcQueueValidationThread
0b kernel32!BaseThreadStart
1: kd> dv
pIdentifier = 0x007ce9a4
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((WINTRUST!_CRYPTOAPI_BLOB *)0x7ce9a4)
((WINTRUST!_CRYPTOAPI_BLOB *)0x7ce9a4) : 0x7ce9a4 [Type: _CRYPTOAPI_BLOB *]
[+0x000] cbData : 0x9a [Type: unsigned long]
[+0x004] pbData : 0x7ceb50 : 0x43 [Type: unsigned char *]
1: kd> db 0x7ceb50
007ceb50 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
007ceb60 57 00 53 00 5c 00 73 00-79 00 73 00 74 00 65 00 W.S.\.s.y.s.t.e.
007ceb70 6d 00 33 00 32 00 5c 00-43 00 61 00 74 00 52 00 m.3.2.\.C.a.t.R.
007ceb80 6f 00 6f 00 74 00 5c 00-7b 00 46 00 37 00 35 00 o.o.t.\.{.F.7.5.
007ceb90 30 00 45 00 36 00 43 00-33 00 2d 00 33 00 38 00 0.E.6.C.3.-.3.8.
007ceba0 45 00 45 00 2d 00 31 00-31 00 44 00 31 00 2d 00 E.E.-.1.1.D.1.-.
007cebb0 38 00 35 00 45 00 35 00-2d 00 30 00 30 00 43 00 8.5.E.5.-.0.0.C.
007cebc0 30 00 34 00 46 00 43 00-32 00 39 00 35 00 45 00 0.4.F.C.2.9.5.E.
第三部分:
// Hash callback for the catalog cache: folds the cbData bytes at pbData into a
// 32-bit value. For each byte the accumulator is rotated left by one bit and
// the byte is then added.
//
// This is a bucket-selection hash, not a cryptographic digest: it is cheap and
// its collisions are easy to produce, so the return value must never be treated
// as proof that two identifiers are equal.
//
// pIdentifier and pIdentifier->pbData are dereferenced without a NULL check, and
// exactly cbData bytes are read; the caller has to guarantee the blob is valid
// and that cbData does not exceed the buffer.
DWORD WINAPI
CatalogCacheHashIdentifier (PCRYPT_DATA_BLOB pIdentifier)
{
DWORD dwHash = 0;
DWORD cb = pIdentifier->cbData;
LPBYTE pb = pIdentifier->pbData;
// Post-decrement test: the body runs cbData times and is skipped when cbData is 0.
while ( cb-- )
{
// Both branches together are a rotate-left by one: the bit shifted out of
// position 31 is re-inserted at bit 0.
if ( dwHash & 0x80000000 )
{
dwHash = ( dwHash << 1 ) | 1;
}
else
{
dwHash = dwHash << 1;
}
// Add the next input byte and advance the read pointer.
dwHash += *pb++;
}
return( dwHash );
}
1: kd> p
WINTRUST!CatalogCacheHashIdentifier+0x22:
001b:767ff1a3 03c6 add eax,esi
1: kd> bp 767ff1a3
1: kd> p
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> r
eax=00000043 ebx=007ceb00 ecx=007ceb50 edx=0000009a esi=00000043 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
else
{
dwHash = dwHash << 1;
}
dwHash += *pb++;
1: kd> p
WINTRUST!CatalogCacheHashIdentifier+0x1d:
001b:767ff19e d1e0 shl eax,1
1: kd> p
WINTRUST!CatalogCacheHashIdentifier+0x1f:
001b:767ff1a0 0fb631 movzx esi,byte ptr [ecx]
1: kd> r
eax=00000086 ebx=007ceb00 ecx=007ceb51
1: kd> p
Breakpoint 26 hit
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> r
eax=00000086 ebx=007ceb00 ecx=007ceb51 edx=00000099 esi=00000000 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> p
WINTRUST!CatalogCacheHashIdentifier+0x22:
001b:767ff1a3 03c6 add eax,esi
1: kd> r
eax=0000010c ebx=007ceb00 ecx=007ceb52 edx=00000098 esi=0000003a edi=76819334
eip=767ff1a3 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
WINTRUST!CatalogCacheHashIdentifier+0x22:
001b:767ff1a3 03c6 add eax,esi
1: kd> db 0x7ceb50
007ceb50 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
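第三次循环:读取第三个字节 0x3a(esi=0000003a)。此时停在 add eax,esi 上,eax=0000010c 是左移后的值,还没有加上 0x3a。标识符是 UTF-16LE 编码的路径,每隔一个字节为 0x00,因此那些轮次实际上只做了左移。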
1: kd> r
eax=0000028c ebx=007ceb00 ecx=007ceb53 edx=00000097 esi=00000000 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> pr
Breakpoint 26 hit
eax=00000574 ebx=007ceb00 ecx=007ceb54 edx=00000096 esi=0000005c edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> g
Breakpoint 26 hit
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> r
eax=00000ae8 ebx=007ceb00 ecx=007ceb55 edx=00000095 esi=00000000 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> g
Breakpoint 26 hit
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> r
eax=00001627 ebx=007ceb00 ecx=007ceb56 edx=00000094 esi=00000057 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> g
Breakpoint 26 hit
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> r
eax=00002c4e ebx=007ceb00 ecx=007ceb57 edx=00000093 esi=00000000 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> g
Breakpoint 26 hit
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> r
eax=000058e5 ebx=007ceb00 ecx=007ceb58 edx=00000092 esi=00000049 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> g
Breakpoint 26 hit
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
1: kd> r
eax=0000b1ca ebx=007ceb00 ecx=007ceb59 edx=00000091 esi=00000000 edi=76819334
eip=767ff1a5 esp=007ce954 ebp=007ce958 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
WINTRUST!CatalogCacheHashIdentifier+0x24:
001b:767ff1a5 41 inc ecx
第四部分:
1: kd> bc 25
1: kd> bc 26
1: kd> gu
CRYPT32!CLruCache::BucketFromIdentifier+0xc:
001b:75c8f0cc 33d2 xor edx,edx
1: kd> r
eax=27c4477f
{
DWORD Hash = ( *m_Config.pfnHash )( pIdentifier ); eax=27c4477f
return( &m_aBucket[ Hash % m_Config.cBuckets ] );
}
第五部分:
1: kd> p
CRYPT32!CLruCache::BucketFromIdentifier+0xe:
001b:75c8f0ce f77610 div eax,dword ptr [esi+10h]
1: kd> r
eax=27c4477f ebx=007ceb00 ecx=007cebea edx=00000000 esi=00298168 edi=76819334
eip=75c8f0ce esp=007ce964 ebp=007ce968 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
CRYPT32!CLruCache::BucketFromIdentifier+0xe:
001b:75c8f0ce f77610 div eax,dword ptr [esi+10h] ds:0023:00298178=00000003
1: kd> dd 00298168
00298168 00000001 767ff124 767ff181 00000000
00298178 00000003 00000003 00000000 00000000
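m_Config.cBuckets = 0x00000003(即 [esi+10h],地址 00298178;m_Config 从 esi=00298168 开始)。注意:下面 dv 显示的 this 以及按 0x76819334 解析出的 _LRU_CACHE_CONFIG,与指令实际读取到的值(pfnHash=767ff181、cBuckets=3)不符,应以 dd 00298168 的内容为准。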
1: kd> dv
this = 0x00000000
pIdentifier = 0x007ce9a4
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((CRYPT32!_LRU_CACHE_CONFIG *)0x76819334))
(*((CRYPT32!_LRU_CACHE_CONFIG *)0x76819334)) [Type: _LRU_CACHE_CONFIG]
[+0x000] dwFlags : 0x7d8f8 [Type: unsigned long]
[+0x004] pfnFree : 0x0 [Type: void (*)(void *)]
[+0x008] pfnHash : 0x1 [Type: unsigned long (*)(_CRYPTOAPI_BLOB *)]
[+0x00c] pfnOnRemoval : 0x3bc [Type: void (*)(void *,void *)]
[+0x010] cBuckets : 0x0 [Type: unsigned long]
[+0x014] MaxEntries : 0x0 [Type: unsigned long]
1: kd> u 767ff181
WINTRUST!CatalogCacheHashIdentifier [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\catcache.cpp @ 365]:
767ff181 55 push ebp
767ff182 8bec mov ebp,esp
767ff184 8b4d08 mov ecx,dword ptr [ebp+8]
767ff187 8b11 mov edx,dword ptr [ecx]
767ff189 8b4904 mov ecx,dword ptr [ecx+4]
767ff18c 33c0 xor eax,eax
767ff18e 85d2 test edx,edx
767ff190 7418 je WINTRUST!CatalogCacheHashIdentifier+0x29 (767ff1aa)
1: kd> u 767ff124
WINTRUST!CatalogCacheFreeEntryData [d:\srv03rtm\ds\security\cryptoapi\pkitrust\wintrust\catcache.cpp @ 339]:
767ff124 55 push ebp
767ff125 8bec mov ebp,esp
767ff127 83ec40 sub esp,40h
767ff12a a1c4918176 mov eax,dword ptr [WINTRUST!__security_cookie (768191c4)]
767ff12f 8945fc mov dword ptr [ebp-4],eax
767ff132 56 push esi
767ff133 8b7508 mov esi,dword ptr [ebp+8]
767ff136 57 push edi
1: kd> ?0x27c4477f%3
Evaluate expression: 1 = 00000001
第六部分:
1: kd> p
CRYPT32!CLruCache::BucketFromIdentifier+0x11:
001b:75c8f0d1 8b4634 mov eax,dword ptr [esi+34h]
1: kd> r
eax=0d416d2a ebx=007ceb00 ecx=007cebea edx=00000001 esi=00298168 edi=76819334
eip=75c8f0d1 esp=007ce964 ebp=007ce968 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
CRYPT32!CLruCache::BucketFromIdentifier+0x11:
001b:75c8f0d1 8b4634 mov eax,dword ptr [esi+34h] ds:0023:0029819c=002981b0
1: kd> dd 00298168
00298168 00000001 767ff124 767ff181 00000000
00298178 00000003 00000003 00000000 00000000
00298188 00000000 00000000 00000000 00000000
00298198 00000000 002981b0
1: kd> p
CRYPT32!CLruCache::BucketFromIdentifier+0x15:
001b:75c8f0d5 8d04d0 lea eax,[eax+edx*8]
1: kd> r
eax=002981b0 ebx=007ceb00 ecx=007cebea edx=00000001 esi=00298168 edi=76819334
eip=75c8f0d5 esp=007ce968 ebp=007ce968 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
CRYPT32!CLruCache::BucketFromIdentifier+0x15:
001b:75c8f0d5 8d04d0 lea eax,[eax+edx*8]
1: kd> dd 002981b0
002981b0 00000000 00000000 00000009 00000000
002981c0 00000000 00000000 00040009 000e01de
002981d0 003a0043 0057005c 004e0049 004f0044
1: kd> ?002981b0+00000001*8
Evaluate expression: 2720184 = 002981b8
1: kd> p
CRYPT32!CLruCache::BucketFromIdentifier+0x19:
001b:75c8f0d9 c20400 ret 4
1: kd> r
eax=002981b8
第七部分:
1: kd> r
eax=002981b8 ebx=007ceb00 ecx=007cebea edx=00000001 esi=00298168 edi=76819334
eip=75c8f38d esp=007ce974 ebp=007ce978 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
CRYPT32!CLruCache::FindEntry+0xe:
001b:75c8f38d ff750c push dword ptr [ebp+0Ch] ss:0023:007ce984=00000001
1: kd> dt LRU_CACHE_BUCKET 002981b8
CRYPT32!LRU_CACHE_BUCKET
+0x000 Usage : 9
+0x004 pList : (null)