RPCRT4!NDRSContextUnmarshall2函数分析
第一部分:
1: kd> g
Breakpoint 4 hit
RPCRT4!NDRSContextUnmarshall2:
001b:77c36c8b 55 push ebp
1: kd> dv
BindingHandle = 0x00b03030
pBuff = 0x00b03998
1: kd> dd 0x00b03998
00b03998 00000000 fddf284c 46533da3 3ebdd483
00b039a8 b3e554f1 baad0005 baadf00d baadf00d
1: kd> dt WIRE_CONTEXT 0x00b03998
RPCRT4!WIRE_CONTEXT
+0x000 ContextType : 0
+0x004 ContextUuid : _GUID {fddf284c-3da3-4653-83d4-bd3ef154e5b3}
if (!WireContext || WireContext->IsNullContext())
{ // 不符合: the condition does not hold here — WireContext is non-null (0x00b03998) and the dt output above shows ContextType 0 with a non-zero ContextUuid, so IsNullContext() presumably returns false and this branch is skipped
1: kd> dt osf_scall 0x00b03030
RPCRT4!OSF_SCALL
+0x000 __VFN_table : 0x77bd7808
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n64
+0x00c RefCount : INTERLOCKED_INTEGER
+0x010 NestingCall : (null)
+0x014 pAsync : (null)
+0x018 NotificationIssued : 0n-1163005939
+0x01c AsyncStatus : 0n0
+0x020 CachedAPCInfo : RPC_APC_INFO
+0x030 CachedAPCInfoAvailable : 0n1
+0x034 CallingThread : (null)
+0x038 DispatchBuffer : 0x00b03998 Void
+0x03c IsMultiContextHandleCall : 0n0
+0x040 ActiveContextHandles : ServerContextHandle_DICT
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!ServerContextHandle_DICT *)0xb03070))
(*((RPCRT4!ServerContextHandle_DICT *)0xb03070)) [Type: ServerContextHandle_DICT]
[+0x000] DictSlots : 0xb0307c [Type: void * *]
[+0x004] cDictSlots : 0x4 [Type: unsigned int]
[+0x008] cDictSize : 0x0 [Type: unsigned int]
[+0x00c] InitialDictSlots [Type: void * [4]]
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!void * (*)[4])0xb0307c))
(*((RPCRT4!void * (*)[4])0xb0307c)) [Type: void * [4]]
[0] : 0x0 [Type: void *]
[1] : 0x0 [Type: void *]
[2] : 0x0 [Type: void *]
[3] : 0x0 [Type: void *]
第二部分:
1: kd> p
RPCRT4!NDRSContextUnmarshall2+0x17:
001b:77c36ca2 e8f9f6ffff call RPCRT4!GetContextCollection (77c363a0)
1: kd> p
RPCRT4!NDRSContextUnmarshall2+0x1c:
001b:77c36ca7 85db test ebx,ebx
1: kd> r
eax=00b03dc8 ebx=00b03998 ecx=00c3f8dc edx=00c3f8dc esi=732e4dc4 edi=732e253a
eip=77c36ca7 esp=00c3f8e0 ebp=00c3f8f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
RPCRT4!NDRSContextUnmarshall2+0x1c:
001b:77c36ca7 85db test ebx,ebx
1: kd> dt ContextCollection 00b03dc8
RPCRT4!ContextCollection
+0x000 ListHead : _LIST_ENTRY [ 0xb03e30 - 0xb03e30 ]
+0x008 CollectionMutex : MUTEX
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!_LIST_ENTRY *)0xb03dc8))
(*((RPCRT4!_LIST_ENTRY *)0xb03dc8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xb03e30 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xb03e30 [Type: _LIST_ENTRY *]
1: kd> dt servercontexthandle 0xb03e30
RPCRT4!ServerContextHandle
+0x000 ContextChain : _LIST_ENTRY [ 0xb03dc8 - 0xb03dc8 ]
+0x008 UserContext : 0x000bcf28 Void
+0x00c UserRunDown : 0x73343138 void +73343138
+0x010 CtxGuard : 0x732e4dc4 Void
+0x014 WireContext : WIRE_CONTEXT
+0x028 Lock : SWMRLock
+0x048 OwnerSID : (null)
+0x04c ReferenceCount : 0n1
+0x050 Flags : 9
+0x054 DeadlockTag : 0n0
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!WIRE_CONTEXT *)0xb03e44))
(*((RPCRT4!WIRE_CONTEXT *)0xb03e44)) [Type: WIRE_CONTEXT]
[+0x000] ContextType : 0x0 [Type: unsigned long]
[+0x004] ContextUuid : {FDDF284C-3DA3-4653-83D4-BD3EF154E5B3} [Type: _GUID]
CtxCollection = GetContextCollection(BindingHandle); // returns 0x00b03dc8 (eax right after the call above); the dumps below show the same pointer reachable as OSF_SCALL->Connection->Association->CtxCollection
1: kd> dt osf_scall 0x00b03030
RPCRT4!OSF_SCALL
+0x000 __VFN_table : 0x77bd7808
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n64
+0x05c Connection : 0x00b02770 OSF_SCONNECTION
1: kd> dx -id 0,0,897e1020 -r1 ((RPCRT4!OSF_SCONNECTION *)0xb02770)
((RPCRT4!OSF_SCONNECTION *)0xb02770) : 0xb02770 [Type: OSF_SCONNECTION *]
[+0x004] MagicLong : 0x89abcdef [Type: unsigned long]
[+0x008] ObjectType : 256 [Type: int]
[+0x068] Association : 0xb03880 [Type: OSF_ASSOCIATION *]
1: kd> dx -id 0,0,897e1020 -r1 ((RPCRT4!OSF_ASSOCIATION *)0xb03880)
((RPCRT4!OSF_ASSOCIATION *)0xb03880) : 0xb03880 [Type: OSF_ASSOCIATION *]
[+0x004] MagicLong : 0x89abcdef [Type: unsigned long]
[+0x008] ObjectType : 1024 [Type: int]
[+0x00c] RefCount [Type: INTERLOCKED_INTEGER]
[+0x010] AssociationID : 0x1 [Type: unsigned long]
[+0x014] CtxCollection : 0xb03dc8 [Type: ContextCollection *]
[+0x018] ConnectionCount : 1 [Type: int]
[+0x01c] AssociationGroupId : 0xffc9435e [Type: unsigned long]
[+0x020] AssociationDictKey : 0 [Type: int]
[+0x024] Address : 0xb00070 [Type: OSF_ADDRESS *]
[+0x028] ClientProcess [Type: RPC_CLIENT_PROCESS_IDENTIFIER]
1: kd> dx -id 0,0,897e1020 -r1 ((RPCRT4!ContextCollection *)0xb03dc8)
((RPCRT4!ContextCollection *)0xb03dc8) : 0xb03dc8 [Type: ContextCollection *]
[+0x000] ListHead [Type: _LIST_ENTRY]
[+0x008] CollectionMutex [Type: MUTEX]
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!_LIST_ENTRY *)0xb03dc8))
(*((RPCRT4!_LIST_ENTRY *)0xb03dc8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xb03e30 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xb03e30 [Type: _LIST_ENTRY *]
第三部分:
ContextHandle = FindAndAddRefContextHandle(CtxCollection,
WireContext,
CtxGuard,
&Ignore // ContextHandleNewlyCreated
);
1: kd> t
Breakpoint 20 hit
RPCRT4!FindAndAddRefContextHandle:
001b:77c3673a 55 push ebp
1: kd> p
RPCRT4!FindAndAddRefContextHandle+0x1f:
001b:77c36759 e8491e0000 call RPCRT4!ContextCollection::Find (77c385a7)
1: kd> t
RPCRT4!ContextCollection::Find:
001b:77c385a7 55 push ebp
1: kd> dv
this = 0xb03e30
WireContext = 0x00b03998
1: kd> dx -r1 ((RPCRT4!WIRE_CONTEXT *)0xb03998)
((RPCRT4!WIRE_CONTEXT *)0xb03998) : 0xb03998 [Type: WIRE_CONTEXT *]
[+0x000] ContextType : 0x0 [Type: unsigned long]
[+0x004] ContextUuid : {FDDF284C-3DA3-4653-83D4-BD3EF154E5B3} [Type: _GUID]
1: kd> dt ServerContextHandle 0xb03e30
RPCRT4!ServerContextHandle
+0x000 ContextChain : _LIST_ENTRY [ 0xb03dc8 - 0xb03dc8 ]
+0x008 UserContext : 0x000bcf28 Void
+0x00c UserRunDown : 0x73343138 void +73343138
+0x010 CtxGuard : 0x732e4dc4 Void
+0x014 WireContext : WIRE_CONTEXT
+0x028 Lock : SWMRLock
+0x048 OwnerSID : (null)
+0x04c ReferenceCount : 0n1
+0x050 Flags : 9
+0x054 DeadlockTag : 0n0
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!WIRE_CONTEXT *)0xb03e44))
(*((RPCRT4!WIRE_CONTEXT *)0xb03e44)) [Type: WIRE_CONTEXT]
[+0x000] ContextType : 0x0 [Type: unsigned long]
[+0x004] ContextUuid : {FDDF284C-3DA3-4653-83D4-BD3EF154E5B3} [Type: _GUID]
1: kd> gu
RPCRT4!FindAndAddRefContextHandle+0x24:
001b:77c3675e 3bc7 cmp eax,edi
1: kd> r
eax=00b03e30
1: kd> p
RPCRT4!FindAndAddRefContextHandle+0xda:
001b:77c36814 5e pop esi
1: kd> p
RPCRT4!FindAndAddRefContextHandle+0xdb:
001b:77c36815 c9 leave
1: kd> r
eax=00b03e30
第四部分:
RpcStatus = SCall->AddToActiveContextHandles(ContextHandle); // compare with 第一部分: cDictSize goes from 0x0 to 0x1 and DictSlots[0] now holds the ServerContextHandle 0xb03e30
1: kd> dt osf_scall 0x00b03030
RPCRT4!OSF_SCALL
+0x000 __VFN_table : 0x77bd7808
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n64
+0x040 ActiveContextHandles : ServerContextHandle_DICT
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!ServerContextHandle_DICT *)0xb03070))
(*((RPCRT4!ServerContextHandle_DICT *)0xb03070)) [Type: ServerContextHandle_DICT]
[+0x000] DictSlots : 0xb0307c [Type: void * *]
[+0x004] cDictSlots : 0x4 [Type: unsigned int]
[+0x008] cDictSize : 0x1 [Type: unsigned int]
[+0x00c] InitialDictSlots [Type: void * [4]]
1: kd> dx -id 0,0,897e1020 -r1 (*((RPCRT4!void * (*)[4])0xb0307c))
(*((RPCRT4!void * (*)[4])0xb0307c)) [Type: void * [4]]
[0] : 0xb03e30 [Type: void *]
[1] : 0x0 [Type: void *]
[2] : 0x0 [Type: void *]
[3] : 0x0 [Type: void *]
1: kd> p
RPCRT4!NDRSContextUnmarshall2+0x235:
001b:77c36ec0 c21400 ret 14h
1: kd> p
RPCRT4!NdrServerContextNewUnmarshall+0x9f:
001b:77c45c28 85c0 test eax,eax
1: kd> r
eax=00b03e30
pStubMsg->Buffer += CONTEXT_HANDLE_WIRE_SIZE;
return SContext;
}
第五部分:
NdrSaveContextHandle( pStubMsg,
SContext,
ppArg,
pFormat );
1: kd> p
RPCRT4!NdrUnmarshallHandle+0x77:
001b:77c51318 e83cffffff call RPCRT4!NdrSaveContextHandle (77c51259)
1: kd> t
RPCRT4!NdrSaveContextHandle:
001b:77c51259 55 push ebp
1: kd> dt ServerContextHandle 0xb03e30
RPCRT4!ServerContextHandle
+0x000 ContextChain : _LIST_ENTRY [ 0xb03dc8 - 0xb03dc8 ]
+0x008 UserContext : 0x000bcf28 Void
+0x00c UserRunDown : 0x73343138 void +73343138
+0x010 CtxGuard : 0x732e4dc4 Void
+0x014 WireContext : WIRE_CONTEXT
+0x028 Lock : SWMRLock
+0x048 OwnerSID : (null)
+0x04c ReferenceCount : 0n1
+0x050 Flags : 9
+0x054 DeadlockTag : 0n0
1: kd> dv
pStubMsg = 0x00c3f99c
CtxtHandle = 0x00b03e30
ppArg = 0x00c3fb1c
pFormat = 0x732e253a "0I"
1: kd> dx -r1 ((RPCRT4!unsigned char * *)0xc3fb1c)
((RPCRT4!unsigned char * *)0xc3fb1c) : 0xc3fb1c [Type: unsigned char * *]
0x0 [Type: unsigned char *]
1: kd> pt
RPCRT4!NdrSaveContextHandle+0x45:
001b:77c5129e c21000 ret 10h
1: kd> dd 0x00c3fb1c
00c3fb1c 000bcf28