第一部分 (Part 1): NpFsdCreate entry. The IRP's FILE_OBJECT names "\lsarpc" and its RelatedFileObject is NULL, so the relative-open branch shown at the end of this part is not taken in this trace.
1: kd> g
Breakpoint 5 hit
Npfs!NpFsdCreate:
baaecba6 55 push ebp
1: kd> kc
#
00 Npfs!NpFsdCreate
01 nt!IofCallDriver
02 nt!IopParseDevice
03 nt!ObpLookupObjectName
04 nt!ObOpenObjectByName
05 nt!IopCreateFile
06 nt!IoCreateFile
07 nt!NtCreateFile
08 nt!_KiSystemService
09 SharedUserData!SystemCallStub
0a ntdll!NtCreateFile
0b kernel32!CreateFileW
0c RPCRT4!NMP_Open
0d RPCRT4!OSF_CCONNECTION::TransOpen
0e RPCRT4!OSF_CCONNECTION::OpenConnectionAndBind
0f RPCRT4!OSF_CCALL::BindToServer
10 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
11 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
12 RPCRT4!I_RpcGetBufferWithObject
13 RPCRT4!I_RpcGetBuffer
14 RPCRT4!NdrGetBuffer
15 RPCRT4!NdrClientCall2
16 ADVAPI32!LsarOpenPolicy2
17 ADVAPI32!LsaOpenPolicy
1: kd> dv
NpfsDeviceObject = 0x895b5038
Irp = 0x89544d30
DeferredList = struct _LIST_ENTRY [ 0xbab18b38 - 0x30 ]
RelatedFileObject = 0x00000000
Ccb = 0xbab18a4c
RelatedType = 0x89 ''
RemainingPart = ""
FileName = ""
IrpSp = 0x00000000
Fcb = 0x00000008
DesiredAccess = 0xbaaecba7   (note: the breakpoint sits on the first instruction of NpFsdCreate, so locals such as IrpSp, Fcb and DesiredAccess are still uninitialized stack slots here; the real values show up in the NpCreateClientEnd frame below, e.g. DesiredAccess = 0x12019f)
1: kd> dt io_stack_location 0x89544d30+70
GDI32!IO_STACK_LOCATION
+0x000 MajorFunction : 0 ''
+0x001 MinorFunction : 0 ''
+0x002 Flags : 0 ''
+0x003 Control : 0 ''
+0x004 Parameters : __unnamed
+0x014 DeviceObject : 0x895b5038 _DEVICE_OBJECT
+0x018 FileObject : 0x8978b348 _FILE_OBJECT
+0x01c CompletionRoutine : (null)
+0x020 Context : (null)
1: kd> dx -id 0,0,89429250 -r1 ((GDI32!_FILE_OBJECT *)0x8978b348)
((GDI32!_FILE_OBJECT *)0x8978b348) : 0x8978b348 [Type: _FILE_OBJECT *]
[+0x000] Type : 5 [Type: short]
[+0x002] Size : 112 [Type: short]
[+0x004] DeviceObject : 0x895b5038 : Device for "\FileSystem\Npfs" [Type: _DEVICE_OBJECT *]
[+0x008] Vpb : 0x0 [Type: _VPB *]
[+0x00c] FsContext : 0x0 [Type: void *] //FsContext : 0x0
[+0x010] FsContext2 : 0x0 [Type: void *]
[+0x014] SectionObjectPointer : 0x0 [Type: _SECTION_OBJECT_POINTERS *]
[+0x018] PrivateCacheMap : 0x0 [Type: void *]
[+0x01c] FinalStatus : 0 [Type: long]
[+0x020] RelatedFileObject : 0x0 [Type: _FILE_OBJECT *] //RelatedFileObject : 0x0
[+0x024] LockOperation : 0x0 [Type: unsigned char]
[+0x025] DeletePending : 0x0 [Type: unsigned char]
[+0x026] ReadAccess : 0x0 [Type: unsigned char]
[+0x027] WriteAccess : 0x0 [Type: unsigned char]
[+0x028] DeleteAccess : 0x0 [Type: unsigned char]
[+0x029] SharedRead : 0x0 [Type: unsigned char]
[+0x02a] SharedWrite : 0x0 [Type: unsigned char]
[+0x02b] SharedDelete : 0x0 [Type: unsigned char]
[+0x02c] Flags : 0x0 [Type: unsigned long]
[+0x030] FileName : "\lsarpc" [Type: _UNICODE_STRING] //FileName : "\lsarpc"
[+0x038] CurrentByteOffset : {0} [Type: _LARGE_INTEGER]
[+0x040] Waiters : 0x0 [Type: unsigned long]
[+0x044] Busy : 0x0 [Type: unsigned long]
[+0x048] LastLock : 0x0 [Type: void *]
[+0x04c] Lock [Type: _KEVENT]
[+0x05c] Event [Type: _KEVENT]
[+0x06c] CompletionContext : 0x0 [Type: _IO_COMPLETION_CONTEXT *]
if (RelatedFileObject != NULL) {   /* not taken in this trace: the FILE_OBJECT dump above shows RelatedFileObject == 0 */
RelatedType = NpDecodeFileObject (RelatedFileObject,
&Fcb,
&Ccb,
NULL);
}
第二部分 (Part 2): alias translation. NpTranslateAlias walks Npfs!NpAliasListByLength (indexed by name length) and, as the _ALIAS dump below shows, rewrites "\LSARPC" to "\LSASS" — so a client opening \\.\pipe\lsarpc is actually connected to the "\lsass" pipe instance. Status = NpTranslateAlias (&FileName);
FileName = *(PUNICODE_STRING)&IrpSp->FileObject->FileName;
[+0x030] FileName : "\lsarpc" [Type: _UNICODE_STRING]
1: kd> x npfs!NpAliasListByLength
baaeb094 Npfs!NpAliasListByLength = struct _SINGLE_LIST_ENTRY [5]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_SINGLE_LIST_ENTRY (*)[5])0xbaaeb094))
(*((Npfs!_SINGLE_LIST_ENTRY (*)[5])0xbaaeb094)) [Type: _SINGLE_LIST_ENTRY [5]]
[0] [Type: _SINGLE_LIST_ENTRY]
[1] [Type: _SINGLE_LIST_ENTRY]
[2] [Type: _SINGLE_LIST_ENTRY]
[3] [Type: _SINGLE_LIST_ENTRY]
[4] [Type: _SINGLE_LIST_ENTRY]
1: kd> x npfs!NpAliasListByLength
baaeb094 Npfs!NpAliasListByLength = struct _SINGLE_LIST_ENTRY [5]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_SINGLE_LIST_ENTRY (*)[5])0xbaaeb094))
(*((Npfs!_SINGLE_LIST_ENTRY (*)[5])0xbaaeb094)) [Type: _SINGLE_LIST_ENTRY [5]]
[2] [Type: _SINGLE_LIST_ENTRY]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_SINGLE_LIST_ENTRY *)0xbaaeb09c))
(*((Npfs!_SINGLE_LIST_ENTRY *)0xbaaeb09c)) [Type: _SINGLE_LIST_ENTRY]
[+0x000] Next : 0x8978fba8 [Type: _SINGLE_LIST_ENTRY *]
1: kd> dx -id 0,0,89429250 -r1 ((Npfs!_SINGLE_LIST_ENTRY *)0x8978fba8)
((Npfs!_SINGLE_LIST_ENTRY *)0x8978fba8) : 0x8978fba8 [Type: _SINGLE_LIST_ENTRY *]
[+0x000] Next : 0x8978fbd8 [Type: _SINGLE_LIST_ENTRY *]
1: kd> dx -id 0,0,89429250 -r1 ((Npfs!_SINGLE_LIST_ENTRY *)0x8978fbd8)
((Npfs!_SINGLE_LIST_ENTRY *)0x8978fbd8) : 0x8978fbd8 [Type: _SINGLE_LIST_ENTRY *]
[+0x000] Next : 0x0 [Type: _SINGLE_LIST_ENTRY *]
1: kd> dt npfs!_ALIAS 0x8978fba8
+0x000 ListEntry : _SINGLE_LIST_ENTRY
+0x004 TranslationString : 0x8978fb78 _UNICODE_STRING "\LSASS"
+0x008 AliasString : _UNICODE_STRING "\LSARPC"
第三部分 (Part 3): FCB lookup. NpFindPrefix resolves the (already translated) name through the splay-tree prefix table in Npfs!NpVcb->PrefixTable, case-insensitively, and recovers the FCB with CONTAINING_RECORD from the matching _UNICODE_PREFIX_TABLE_ENTRY. Fcb = NpFindPrefix (&FileName, CaseInsensitive, &RemainingPart);
PFCB
NpFindPrefix (
IN PUNICODE_STRING String,
IN BOOLEAN CaseInsensitive,
OUT PUNICODE_STRING RemainingPart
)
{
/* ... prefix-table lookup elided ... */
Fcb = CONTAINING_RECORD( PrefixTableEntry, FCB, PrefixTableEntry );
1: kd> x npfs!NpVcb
baaeb090 Npfs!NpVcb = 0x895b50f0
1: kd> dx -id 0,0,89429250 -r1 ((Npfs!_VCB *)0x895b50f0)
((Npfs!_VCB *)0x895b50f0) : 0x895b50f0 [Type: _VCB *]
[+0x000] NodeTypeCode : 0x1 [Type: unsigned char]
[+0x004] RootDcb : 0xe14e3338 [Type: _FCB *]
[+0x008] OpenCount : 0x0 [Type: unsigned long]
[+0x00c] PrefixTable [Type: _UNICODE_PREFIX_TABLE]
[+0x018] Resource [Type: _ERESOURCE]
[+0x050] EventTable [Type: _EVENT_TABLE]
[+0x078] WaitQueue [Type: _WAIT_QUEUE]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_UNICODE_PREFIX_TABLE *)0x895b50fc))
(*((Npfs!_UNICODE_PREFIX_TABLE *)0x895b50fc)) [Type: _UNICODE_PREFIX_TABLE]
[+0x000] NodeTypeCode : 2048 [Type: short]
[+0x002] NameLength : 0 [Type: short]
[+0x004] NextPrefixTree : 0xe15ec3e8 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
[+0x008] LastNextEntry : 0x0 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
1: kd> dx -id 0,0,89429250 -r1 ((Npfs!_UNICODE_PREFIX_TABLE_ENTRY *)0xe15ec3e8)
((Npfs!_UNICODE_PREFIX_TABLE_ENTRY *)0xe15ec3e8) : 0xe15ec3e8 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
[+0x000] NodeTypeCode : 2049 [Type: short]
[+0x002] NameLength : 3 [Type: short]
[+0x004] NextPrefixTree : 0xe1636b80 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
[+0x008] CaseMatch : 0xe15ec3e8 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
[+0x00c] Links [Type: _RTL_SPLAY_LINKS]
[+0x018] Prefix : 0xe15ec3d8 : "\TerminalServer\AutoReconnect" [Type: _UNICODE_STRING *]
1: kd> dx -id 0,0,89429250 -r1 ((Npfs!_UNICODE_PREFIX_TABLE_ENTRY *)0xe1636b80)
((Npfs!_UNICODE_PREFIX_TABLE_ENTRY *)0xe1636b80) : 0xe1636b80 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
[+0x000] NodeTypeCode : 2049 [Type: short]
[+0x002] NameLength : 2 [Type: short]
[+0x004] NextPrefixTree : 0xe14e3380 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
[+0x008] CaseMatch : 0xe1636b80 [Type: _UNICODE_PREFIX_TABLE_ENTRY *]
[+0x00c] Links [Type: _RTL_SPLAY_LINKS]
[+0x018] Prefix : 0xe1636b70 : "\lsass" [Type: _UNICODE_STRING *]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_RTL_SPLAY_LINKS *)0xe1636b8c))
(*((Npfs!_RTL_SPLAY_LINKS *)0xe1636b8c)) [Type: _RTL_SPLAY_LINKS]
[+0x000] Parent : 0xe1636b8c [Type: _RTL_SPLAY_LINKS *]
[+0x004] LeftChild : 0xe16bf334 [Type: _RTL_SPLAY_LINKS *]
[+0x008] RightChild : 0xe13ee5f4 [Type: _RTL_SPLAY_LINKS *]
1: kd> dt Npfs!_FCB 0xe1636b80-48     (0x48 is the offset of FCB.PrefixTableEntry, i.e. the CONTAINING_RECORD computation done by hand)
+0x000 NodeTypeCode : 0x4 ''
+0x004 ParentDcbLinks : _LIST_ENTRY [ 0xe13ee5a4 - 0xe16bf2e4 ]
+0x00c ParentDcb : 0xe14e3338 _FCB
+0x010 Vcb : (null)
+0x014 OpenCount : 2
+0x018 ServerOpenCount : 2
+0x01c SecurityDescriptor : 0xe13e02e8 Void
+0x020 Specific : __unnamed
+0x038 FullFileName : _UNICODE_STRING "\lsass"
+0x040 LastFileName : _UNICODE_STRING "lsass"
+0x048 PrefixTableEntry : _UNICODE_PREFIX_TABLE_ENTRY
第四部分 (Part 4): NpCreateClientEnd. Two guards are visible before the client end is created: a pipe whose server has no handles open (Fcb->ServerOpenCount == 0) is reported as STATUS_OBJECT_NAME_NOT_FOUND rather than connectable, and the requestor mode handed to NpCreateClientEnd together with the AccessState/SecurityQos is forced to UserMode whenever SL_FORCE_ACCESS_CHECK is set, even for a kernel-mode IRP.
if (Fcb->NodeTypeCode == NPFS_NTC_FCB) {
DebugTrace(0, Dbg, "Create client end named pipe, Fcb = %08lx\n", Fcb );
//
// If the server has no handles open, then pretend that
// the pipe name doesn't exist.
//
if (Fcb->ServerOpenCount == 0) {
Status = STATUS_OBJECT_NAME_NOT_FOUND;
} else {
Irp->IoStatus = NpCreateClientEnd (Fcb,
FileObject,
DesiredAccess,
IrpSp->Parameters.Create.SecurityContext->SecurityQos,
IrpSp->Parameters.Create.SecurityContext->AccessState,
(KPROCESSOR_MODE)(FlagOn(IrpSp->Flags, SL_FORCE_ACCESS_CHECK) ?
UserMode : Irp->RequestorMode),
Irp->Tail.Overlay.Thread,
&DeferredList);
1: kd> t
Breakpoint 0 hit
Npfs!NpCreateClientEnd:
baaec874 55 push ebp
1: kd> kc
#
00 Npfs!NpCreateClientEnd
01 Npfs!NpFsdCreate
02 nt!IofCallDriver
03 nt!IopParseDevice
04 nt!ObpLookupObjectName
05 nt!ObOpenObjectByName
06 nt!IopCreateFile
07 nt!IoCreateFile
08 nt!NtCreateFile
09 nt!_KiSystemService
0a SharedUserData!SystemCallStub
0b ntdll!NtCreateFile
0c kernel32!CreateFileW
0d RPCRT4!NMP_Open
0e RPCRT4!OSF_CCONNECTION::TransOpen
0f RPCRT4!OSF_CCONNECTION::OpenConnectionAndBind
10 RPCRT4!OSF_CCALL::BindToServer
11 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
12 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
13 RPCRT4!I_RpcGetBufferWithObject
14 RPCRT4!I_RpcGetBuffer
15 RPCRT4!NdrGetBuffer
16 RPCRT4!NdrClientCall2
17 ADVAPI32!LsarOpenPolicy2
18 ADVAPI32!LsaOpenPolicy
19 services!ScOpenPolicy
1a services!ScGetAccountDomainInfo
1b services!ScInitServiceAccount
1c services!SvcctrlMain
1d services!main
1e services!mainCRTStartup
1f kernel32!BaseProcessStart
1: kd> dv
Fcb = 0xe1636b38
FileObject = 0x8978b348
DesiredAccess = 0x12019f
SecurityQos = 0x89878708
AccessState = 0x89878670
RequestorMode = 0n1 ''
UserThread = 0x8961a268
DeferredList = 0xbab18a0c [ 0xbab18a0c - 0xbab18a0c ]
Privileges = 0x00000008
Iosb = struct _IO_STATUS_BLOCK
Name = ""
AccessGranted = 0x70 'p'
GrantedAccess = 0xe1636b38   (Name, AccessGranted and GrantedAccess are uninitialized at this entry breakpoint; the GrantedAccess slot merely coincides with the Fcb pointer)
1: kd> dx -id 0,0,89429250 -r1 ((Npfs!_FCB *)0xe1636b38)
((Npfs!_FCB *)0xe1636b38) : 0xe1636b38 [Type: _FCB *]
[+0x000] NodeTypeCode : 0x4 [Type: unsigned char]
[+0x004] ParentDcbLinks [Type: _LIST_ENTRY]
[+0x00c] ParentDcb : 0xe14e3338 [Type: _FCB *]
[+0x010] Vcb : 0x0 [Type: _VCB *]
[+0x014] OpenCount : 0x2 [Type: unsigned long]
[+0x018] ServerOpenCount : 0x2 [Type: unsigned long]
[+0x01c] SecurityDescriptor : 0xe13e02e8 [Type: void *]
[+0x020] Specific [Type: __unnamed]
[+0x038] FullFileName : "\lsass" [Type: _UNICODE_STRING]
[+0x040] LastFileName : "lsass" [Type: _UNICODE_STRING]
[+0x048] PrefixTableEntry [Type: _UNICODE_PREFIX_TABLE_ENTRY]
+0x020 Specific : __unnamed
+0x000 Dcb : __unnamed
+0x000 NotifyFullQueue : _LIST_ENTRY
+0x008 NotifyPartialQueue : _LIST_ENTRY
+0x010 ParentDcbQueue : _LIST_ENTRY
+0x000 Fcb : __unnamed
+0x000 MaximumInstances : Uint4B
+0x004 NamedPipeConfiguration : Pos 0, 16 Bits
+0x004 NamedPipeType : Pos 16, 16 Bits
+0x008 DefaultTimeOut : _LARGE_INTEGER
+0x010 CcbQueue : _LIST_ENTRY
Links = Fcb->Specific.Fcb.CcbQueue.Flink;
while (1) {
if (Links == &Fcb->Specific.Fcb.CcbQueue) {
Iosb.Status = STATUS_PIPE_NOT_AVAILABLE;
return Iosb;
}
Ccb = CONTAINING_RECORD (Links, CCB, CcbLinks);
if (Ccb->NamedPipeState == FILE_PIPE_LISTENING_STATE) {
break;
}
1: kd> dd 0xe1636b38
e1636b38 00000004 e13ee5a4 e16bf2e4 e14e3338
e1636b48 00000000 00000002 00000002 e13e02e8
e1636b58 ffffffff 00010002 fff85ee0 ffffffff
e1636b68 e1636320 e13ed638 000e000c 89503220
e1636b78 000c000a 89503222 00020801 e14e3380
e1636b88 e1636b80 e1636b8c e16bf334 e13ee5f4
e1636b98 e1636b70 00000000 624b7cb7 898d9250
e1636ba8 0c0e060f 46506343 0044005c 00760065
1: kd> dt npfs!ccb e1636320-10     (0x10 is the offset of CCB.CcbLinks; e1636320 is the Flink read from Fcb->Specific.Fcb.CcbQueue in the dd above)
+0x000 NodeTypeCode : 0x6 ''
+0x001 NamedPipeState : 0x2 ''
+0x002 ReadCompletionMode : [2] __unnamed
+0x004 SecurityQos : _SECURITY_QUALITY_OF_SERVICE
+0x010 CcbLinks : _LIST_ENTRY [ 0xe13ed638 - 0xe1636b68 ]
+0x018 Fcb : 0xe1636b38 _FCB
+0x01c FileObject : [2] (null)
+0x024 ClientProcess : (null)
+0x028 ClientInfo : (null)
+0x02c NonpagedCcb : 0x8947c6a0 _NONPAGED_CCB
+0x030 DataQueue : [2] _DATA_QUEUE
+0x070 SecurityClientContext : (null)
+0x074 ListeningQueue : _LIST_ENTRY [ 0x898442e8 - 0x898442e8 ]
1: kd> dt _irp 0x898442e8-58     (0x58 = Tail (0x40) + Overlay.ListEntry (0x18): the ListeningQueue links point into the waiting server IRP, matching the CONTAINING_RECORD used below)
GDI32!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x94
+0x004 MdlAddress : (null)
+0x008 Flags : 0x800
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x89848480 - 0x899bf710 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 1 ''
+0x021 PendingReturned : 0 ''
+0x022 StackCount : 1 ''
+0x023 CurrentLocation : 1 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0xc ''
+0x028 UserIosb : 0x00ae02b8 _IO_STATUS_BLOCK
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : (null)
+0x040 Tail : __unnamed
+0x040 Tail : __unnamed
+0x000 Overlay : __unnamed
+0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
+0x000 DriverContext : [4] Ptr32 Void
+0x010 Thread : Ptr32 _ETHREAD
+0x014 AuxiliaryBuffer : Ptr32 Char
+0x018 ListEntry : _LIST_ENTRY
+0x020 CurrentStackLocation : Ptr32 _IO_STACK_LOCATION
+0x020 PacketType : Uint4B
+0x024 OriginalFileObject : Ptr32 _FILE_OBJECT
1: kd> dd 0x898442e8-58
89844290 00940006 00000000 00000800 00000000
898442a0 89848480 899bf710 00000000 00000000
898442b0 01010001 0c000000 00ae02b8 00000000
898442c0 00000000 00ae02b8 00000000 00000000
898442d0 00000000 00000000 00000000 00000000
898442e0 89848268 00000000 bab18a0c bab18a0c
898442f0 89844300 8946f068
if (!NT_SUCCESS(Iosb.Status = NpSetConnectedPipeState (Ccb,
FileObject,
DeferredList))) {
//
// And complete any listening waiters
//
while (!IsListEmpty (&Ccb->ListeningQueue)) {
PLIST_ENTRY Links;
Links = RemoveHeadList (&Ccb->ListeningQueue);
LocalIrp = CONTAINING_RECORD (Links, IRP, Tail.Overlay.ListEntry);
//
// Remove the cancel routine and detect if cancel is active. If it is leave the IRP to the
// cancel routine.
if (IoSetCancelRoutine (LocalIrp, NULL) != NULL) {
NpDeferredCompleteRequest (LocalIrp, STATUS_SUCCESS, DeferredList);
} else {
InitializeListHead (&LocalIrp->Tail.Overlay.ListEntry);
}
}
1: kd> gu
Breakpoint 9 hit
Npfs!NpSetConnectedPipeState:
baaf38f2 55 push ebp
1: kd> dv
Ccb = 0xe1636310
ClientFileObject = 0x8978b348
DeferredList = 0xbab18a0c [ 0xbab18a0c - 0xbab18a0c ]
1: kd> dv
Fcb = 0x0012019b   (this second dv presumably shows the caller's NpCreateClientEnd frame after the gu; the Fcb slot no longer holds the FCB pointer — compare 0xe1636b38 above — so treat these values as stale)
FileObject = 0x8978b348
DesiredAccess = 0x12019f
SecurityQos = 0x89878708
AccessState = 0x89878601
RequestorMode = 0n1 ''
UserThread = 0x8961a268
DeferredList = 0xbab18a0c [ 0x898442e8 - 0x898442e8 ]
// Index constants for the per-end arrays in the CCB (FileObject[], DataQueue[],
// ReadCompletionMode[]): slot 0 is the client end, slot 1 the server end.
#define FILE_PIPE_CLIENT_END 0x00000000
#define FILE_PIPE_SERVER_END 0x00000001
// Record the client's FILE_OBJECT in the CCB. The dump below shows
// FileObject[0] = 0x8978b348 (the "\lsarpc" handle being created) and
// FileObject[1] = 0x8946f068 (the server's "\lsass" handle).
Ccb->FileObject[FILE_PIPE_CLIENT_END] = ClientFileObject;
// Link the client FILE_OBJECT back to this CCB. NOTE(review): presumably this
// is what fills FsContext/FsContext2 — the server-side file object at
// 0x8946f068 shows FsContext = Ccb | 1 and FsContext2 = NonpagedCcb; confirm
// against NpSetFileObject.
NpSetFileObject (ClientFileObject,
Ccb,
NonpagedCcb,
FILE_PIPE_CLIENT_END);
1: kd> dx -id 0,0,89429250 -r1 ((Npfs!_CCB *)0xe1636310)
((Npfs!_CCB *)0xe1636310) : 0xe1636310 [Type: _CCB *]
[+0x000] NodeTypeCode : 0x6 [Type: unsigned char]
[+0x001] NamedPipeState : 0x3 [Type: unsigned char]
[+0x002] ReadCompletionMode [Type: __unnamed [2]]
[+0x004] SecurityQos [Type: _SECURITY_QUALITY_OF_SERVICE]
[+0x010] CcbLinks [Type: _LIST_ENTRY]
[+0x018] Fcb : 0xe1636b38 [Type: _FCB *]
[+0x01c] FileObject [Type: _FILE_OBJECT * [2]]
[+0x024] ClientProcess : 0x89429250 [Type: void *]
[+0x028] ClientInfo : 0x0 [Type: _CLIENT_INFO *]
[+0x02c] NonpagedCcb : 0x8947c6a0 [Type: _NONPAGED_CCB *]
[+0x030] DataQueue [Type: _DATA_QUEUE [2]]
[+0x070] SecurityClientContext : 0x0 [Type: _SECURITY_CLIENT_CONTEXT *]
[+0x074] ListeningQueue [Type: _LIST_ENTRY]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_FILE_OBJECT * (*)[2])0xe163632c))
(*((Npfs!_FILE_OBJECT * (*)[2])0xe163632c)) [Type: _FILE_OBJECT * [2]]
[0] : 0x8978b348 [Type: _FILE_OBJECT *]
[1] : 0x8946f068 [Type: _FILE_OBJECT *]
// Reset the client-side bookkeeping for this connection: no ClientInfo yet,
// and the owning process is derived from the requesting thread (the CCB
// dump above shows ClientProcess = 0x89429250).
Ccb->ClientInfo = NULL;
Ccb->ClientProcess = IoThreadToProcess (UserThread);
//
// And set our return status
//
Iosb.Status = STATUS_SUCCESS;
Iosb.Information = FILE_OPENED;
//
// Define the I/O status information return values for NtCreateFile/NtOpenFile
//
// (DDK header values: Information == FILE_OPENED (1) is what NtCreateFile
// reports to the caller for this open.)
#define FILE_SUPERSEDED 0x00000000
#define FILE_OPENED 0x00000001
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_IO_STATUS_BLOCK *)0xbab189c0))
(*((Npfs!_IO_STATUS_BLOCK *)0xbab189c0)) [Type: _IO_STATUS_BLOCK]
[+0x000] Status : 1 [Type: long]
[+0x000] Pointer : 0x1 [Type: void *]
[+0x004] Information : 0xe1636384 [Type: unsigned long]   (NOTE: this dump does not match the assignments just made — Status should be STATUS_SUCCESS (0) and Information FILE_OPENED (1), and 0xe1636384 is the address of Ccb->ListeningQueue; the address 0xbab189c0 is probably not Iosb, or the dump was taken before the stores landed — verify)
NpCompleteDeferredIrps (&DeferredList);
FsRtlExitFileSystem();
NpCompleteRequest (Irp, Status);
return Status;
}
VOID
FORCEINLINE
NpCompleteDeferredIrps (
    IN PLIST_ENTRY DeferredList
    )
/*++

Routine Description:

    Completes every IRP that was queued on DeferredList for completion
    outside of the file system's locks. Each IRP is completed with the
    status already stored in its own IoStatus block.

Arguments:

    DeferredList - Head of the list of IRPs linked through
                   Tail.Overlay.ListEntry.

Return Value:

    None.

--*/
{
    PLIST_ENTRY Current;
    PLIST_ENTRY Following;
    PIRP PendingIrp;

    for (Current = DeferredList->Flink;
         Current != DeferredList;
         Current = Following) {

        //
        // Fetch the successor before completing the IRP: NpCompleteRequest
        // hands the packet to IoCompleteRequest, after which the list entry
        // embedded in the IRP must not be read again.
        //
        Following = Current->Flink;

        PendingIrp = CONTAINING_RECORD (Current, IRP, Tail.Overlay.ListEntry);
        NpCompleteRequest (PendingIrp, PendingIrp->IoStatus.Status);
    }
}
//
// Completion helpers. NpCompleteRequest stores STATUS into the IRP's
// IoStatus.Status and passes the packet to IoCompleteRequest with the
// IO_DISK_INCREMENT priority boost.
//
// NOTE(review): both are brace-block macros rather than do { } while (0),
// and NpCompleteRequest's expansion already ends in a semicolon, so a call
// written as "NpCompleteRequest (Irp, Status);" expands to "{ ... };;".
// That is harmless as a plain statement but breaks if either macro is used
// as the un-braced body of an if/else.
//
#define NpCompleteRequest(IRP,STATUS) FsRtlCompleteRequest( (IRP), (STATUS) );
#define FsRtlCompleteRequest(IRP,STATUS) { \
(IRP)->IoStatus.Status = (STATUS); \
IoCompleteRequest( (IRP), IO_DISK_INCREMENT ); \
}
1: kd> p
Npfs!NpFsdCreate+0x23e:
baaecde4 8b18 mov ebx,dword ptr [eax]
1: kd> p
Npfs!NpFsdCreate+0x240:
baaecde6 8d48a8 lea ecx,[eax-58h]
1: kd> r
eax=898442e8
1: kd> p
Npfs!NpFsdCreate+0x245:
baaecdeb ff1520a0aeba call dword ptr [Npfs!_imp_IofCompleteRequest (baaea020)]
1: kd> t
nt!IofCompleteRequest:
80a241a8 ff250488b180 jmp dword ptr [nt!pIofCompleteRequest (80b18804)]
1: kd> kc
#
00 nt!IofCompleteRequest
01 Npfs!NpFsdCreate
02 nt!IofCallDriver
03 nt!IopParseDevice
04 nt!ObpLookupObjectName
05 nt!ObOpenObjectByName
06 nt!IopCreateFile
07 nt!IoCreateFile
08 nt!NtCreateFile
09 nt!_KiSystemService
0a SharedUserData!SystemCallStub
0b ntdll!NtCreateFile
0c kernel32!CreateFileW
0d RPCRT4!NMP_Open
0e RPCRT4!OSF_CCONNECTION::TransOpen
0f RPCRT4!OSF_CCONNECTION::OpenConnectionAndBind
10 RPCRT4!OSF_CCALL::BindToServer
11 RPCRT4!OSF_BINDING_HANDLE::AllocateCCall
12 RPCRT4!OSF_BINDING_HANDLE::NegotiateTransferSyntax
13 RPCRT4!I_RpcGetBufferWithObject
14 RPCRT4!I_RpcGetBuffer
15 RPCRT4!NdrGetBuffer
16 RPCRT4!NdrClientCall2
17 ADVAPI32!LsarOpenPolicy2
18 ADVAPI32!LsaOpenPolicy
19 services!ScOpenPolicy
1a services!ScGetAccountDomainInfo
1b services!ScInitServiceAccount
1c services!SvcctrlMain
1d services!main
1e services!mainCRTStartup
1f kernel32!BaseProcessStart
1: kd> dv
Irp = 0x00000001
PriorityBoost = 0n12 ''   (unreliable: IofCompleteRequest is __fastcall, so dv is reading stack slots that are not the arguments; the register dump a few steps later shows the real values — ecx = 89844290 is the server's listening IRP and edx = 1 is the IO_DISK_INCREMENT boost passed by FsRtlCompleteRequest)
1: kd> p
nt!IopfCompleteRequest+0xa:
80a26a0a 8a4622 mov al,byte ptr [esi+22h]
1: kd> p
nt!IopfCompleteRequest+0xd:
80a26a0d 33db xor ebx,ebx
1: kd> r
eax=89844201 ebx=bab18a0c ecx=89844290 edx=00000001 esi=89844290 edi=00000000
eip=80a26a0d esp=bab189d8 ebp=bab189f0 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000282
nt!IopfCompleteRequest+0xd:
80a26a0d 33db xor ebx,ebx
1: kd> dt _irp 89844290
GDI32!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x94
+0x004 MdlAddress : (null)
+0x008 Flags : 0x800
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x89848480 - 0x899bf710 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 1 ''
+0x021 PendingReturned : 0 ''
+0x022 StackCount : 1 ''
+0x023 CurrentLocation : 1 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0xc ''
+0x028 UserIosb : 0x00ae02b8 _IO_STATUS_BLOCK
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : (null)
+0x040 Tail : __unnamed
ASSERT( !Irp->CancelRoutine );
1: kd> p
nt!IopfCompleteRequest+0x2b:
80a26a2b 395e38 cmp dword ptr [esi+38h],ebx
1: kd> r
eax=89844202 ebx=00000000 ecx=89844290 edx=00000001 esi=89844290 edi=00000000
eip=80a26a2b esp=bab189d4 ebp=bab189f0 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
nt!IopfCompleteRequest+0x2b:
80a26a2b 395e38 cmp dword ptr [esi+38h],ebx ds:0023:898442c8=00000000
1: kd> dt _irp 89844290
GDI32!_IRP
+0x000 Type : 0n6
+0x002 Size : 0x94
+0x004 MdlAddress : (null)
+0x008 Flags : 0x800
+0x00c AssociatedIrp : __unnamed
+0x010 ThreadListEntry : _LIST_ENTRY [ 0x89848480 - 0x899bf710 ]
+0x018 IoStatus : _IO_STATUS_BLOCK
+0x020 RequestorMode : 1 ''
+0x021 PendingReturned : 0 ''
+0x022 StackCount : 1 ''
+0x023 CurrentLocation : 1 ''
+0x024 Cancel : 0 ''
+0x025 CancelIrql : 0 ''
+0x026 ApcEnvironment : 0 ''
+0x027 AllocationFlags : 0xc ''
+0x028 UserIosb : 0x00ae02b8 _IO_STATUS_BLOCK
+0x02c UserEvent : (null)
+0x030 Overlay : __unnamed
+0x038 CancelRoutine : (null)
+0x03c UserBuffer : (null)
+0x040 Tail : __unnamed
1: kd> dd 89844290
89844290 00940006 00000000 00000800 00000000
898442a0 89848480 899bf710 00000000 00000000
898442b0 01010001 0c000000 00ae02b8 00000000
898442c0 00000000 00ae02b8 00000000 00000000
898442d0 00000000 00000000 00000000 00000000
898442e0 89848268 00000000 bab18a0c bab18a0c
898442f0 89844300 8946f068 00000000 00000000
89844300 0105000d 00000000 00000000 00110008
1: kd> dt kapc 89844290+40
GDI32!KAPC
+0x000 Type : 0n0
+0x002 Size : 0n0
+0x004 Spare0 : 0
+0x008 Thread : (null)
+0x00c ApcListEntry : _LIST_ENTRY [ 0x0 - 0x89848268 ]
+0x014 KernelRoutine : (null)
+0x018 RundownRoutine : 0xbab18a0c void +ffffffffbab18a0c
+0x01c NormalRoutine : 0xbab18a0c void +ffffffffbab18a0c
+0x020 NormalContext : 0x89844300 Void
+0x024 SystemArgument1 : 0x8946f068 Void
+0x028 SystemArgument2 : (null)
+0x02c ApcStateIndex : 0 ''
+0x02d ApcMode : 0 ''
+0x02e Inserted : 0 ''
+0x040 Tail : __unnamed
+0x000 Overlay : __unnamed
+0x000 DeviceQueueEntry : _KDEVICE_QUEUE_ENTRY
+0x000 DriverContext : [4] Ptr32 Void
+0x010 Thread : Ptr32 _ETHREAD 89848268
+0x014 AuxiliaryBuffer : Ptr32 Char
+0x018 ListEntry : _LIST_ENTRY
+0x020 CurrentStackLocation : Ptr32 _IO_STACK_LOCATION
+0x020 PacketType : Uint4B
+0x024 OriginalFileObject : Ptr32 _FILE_OBJECT 8946f068
1: kd> dd 89844290
89844290 00940006 00000000 00000800 00000000
898442a0 89848480 899bf710 00000000 00000000
898442b0 01010001 0c000000 00ae02b8 00000000
898442c0 00000000 00ae02b8 00000000 00000000
898442d0 00000000 00000000 00000000 00000000
898442e0 89848268 00000000 bab18a0c bab18a0c
898442f0 89844300 8946f068
1: kd> dt file_object 8946f068
GDI32!FILE_OBJECT
+0x000 Type : 0n5
+0x002 Size : 0n112
+0x004 DeviceObject : 0x895b5038 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0xe1636311 Void
+0x010 FsContext2 : 0x8947c6a0 Void
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : 0x00000001 Void
+0x01c FinalStatus : 0n0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x40080
+0x030 FileName : _UNICODE_STRING "\lsass"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : 0xe13df1e8 _IO_COMPLETION_CONTEXT
1: kd> dt npfs!ccb 0xe1636310
+0x000 NodeTypeCode : 0x6 ''
+0x001 NamedPipeState : 0x3 ''
+0x002 ReadCompletionMode : [2] __unnamed
+0x004 SecurityQos : _SECURITY_QUALITY_OF_SERVICE
+0x010 CcbLinks : _LIST_ENTRY [ 0xe13ed638 - 0xe1636b68 ]
+0x018 Fcb : 0xe1636b38 _FCB
+0x01c FileObject : [2] 0x8978b348 _FILE_OBJECT
+0x024 ClientProcess : 0x89429250 Void
+0x028 ClientInfo : (null)
+0x02c NonpagedCcb : 0x8947c6a0 _NONPAGED_CCB
+0x030 DataQueue : [2] _DATA_QUEUE
+0x070 SecurityClientContext : (null)
+0x074 ListeningQueue : _LIST_ENTRY [ 0xe1636384 - 0xe1636384 ]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_FILE_OBJECT * (*)[2])0xe163632c))
(*((Npfs!_FILE_OBJECT * (*)[2])0xe163632c)) [Type: _FILE_OBJECT * [2]]
[0] : 0x8978b348 [Type: _FILE_OBJECT *]
[1] : 0x8946f068 [Type: _FILE_OBJECT *]
1: kd> dx -id 0,0,89429250 -r1 (*((Npfs!_LIST_ENTRY *)0xe1636384))
(*((Npfs!_LIST_ENTRY *)0xe1636384)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0xe1636384 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xe1636384 [Type: _LIST_ENTRY *]
1: kd> !THREAD 89848268
THREAD 89848268 Cid 0204.0254 Teb: 7ffd6000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Non-Alertable
895f3b08 QueueObject
898482e0 NotificationTimer
IRP List:
899bf700: (0006,0094) Flags: 00000800 Mdl: 00000000
89844290: (0006,0094) Flags: 00000800 Mdl: 00000000
Not impersonating
DeviceMap e10003d8
Owning Process 898d9250 Image: lsass.exe
Attached Process N/A Image: N/A
Wait Start TickCount 274648358 Ticks: 10 (0:00:00:00.156)
Context Switch Count 2 IdealProcessor: 1
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address RPCRT4!ThreadStartRoutine (0x77c04bb7)
Stack Init baac8000 Current baac7c38 Base baac8000 Limit baac5000 Call 00000000
Priority 9 BasePriority 9 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr Args to Child
baac7c50 80a440eb 89848308 89848268 895f3b08 nt!KiSwapContext+0x26 (FPO: [Uses EBP] [0,0,4]) [d:\srv03rtm\base\ntos\ke\i386\ctxswap.asm @ 139]
baac7c88 80a38894 baac7d58 00000000 80c652f4 nt!KiSwapThread+0x627 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ke\thredsup.c @ 2000]
baac7cb8 80c653d0 00000001 00000001 baac7cd8 nt!KeRemoveQueue+0x2f2 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ke\queueobj.c @ 533]
baac7d3c 80afbcb2 00000704 00c1ff04 00c1feec nt!NtRemoveIoCompletion+0xdc (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\complete.c @ 597]
baac7d3c 7ffe0304 00000704 00c1ff04 00c1feec nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ baac7d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
00c1fed4 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])