第一部分: 跟踪 OSF_ADDRESS 构造函数（lsass 初始化 RPC 时经 RpcServerUseProtseqEpW → OsfCreateRpcAddress 进入）。注意下面 dt 输出里值为 0xbaadf00d 的字段（StaticEndpointFlag、SecurityDescriptor、Server、DebugCell 等）是对象刚分配、尚未被构造函数写入时的调试堆填充模式，不是有效指针或标志；对比第五部分可以看到构造函数结束时其中一部分仍保持该值。
1: kd> p
RPCRT4!OsfCreateRpcAddress+0x28:
001b:77c0f4f5 e888e5ffff call RPCRT4!OSF_ADDRESS::OSF_ADDRESS (77c0da82)
1: kd> t
RPCRT4!OSF_ADDRESS::OSF_ADDRESS:
001b:77c0da82 ?? ???
1: kd> kc
#
00 RPCRT4!OSF_ADDRESS::OSF_ADDRESS
01 RPCRT4!OsfCreateRpcAddress
02 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
03 RPCRT4!I_RpcServerUseProtseqEp2W
04 RPCRT4!RpcServerUseProtseqEpExW
05 RPCRT4!RpcServerUseProtseqEpW
06 LSASRV!RpcpAddInterface
07 LSASRV!LsapRPCInit
08 LSASRV!LsapInitLsa
09 lsass!main
0a lsass!mainNoCRTStartup
0b kernel32!BaseProcessStart
OSF_ADDRESS::OSF_ADDRESS (
IN TRANS_INFO * RpcTransInfo,
IN OUT RPC_STATUS * Status
) : RPC_ADDRESS(Status)
/*++
Routine Description:
--*/
{
RPC_CONNECTION_TRANSPORT *RpcServerInfo =
(RPC_CONNECTION_TRANSPORT *) RpcTransInfo->InqTransInfo();
int i;
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!RPC_TRANSPORT_INTERFACE_HEADER *)0x77bece00)
((RPCRT4!RPC_TRANSPORT_INTERFACE_HEADER *)0x77bece00) : 0x77bece00 [Type: RPC_TRANSPORT_INTERFACE_HEADER *]
[+0x000] TransInterfaceVersion : 0x2004 [Type: unsigned int]
[+0x004] TransId : 0xf [Type: unsigned short]
[+0x006] TransAddrId : 0x11 [Type: unsigned short]
[+0x008] ProtocolSequence : 0x77bd2264 : 0x6e [Type: unsigned short *]
[+0x00c] WellKnownEndpoint : 0x77becea8 : "\pipe\epmapper" [Type: char *]
[+0x010] ProcessCalls : 0x77c66ea4 [Type: long (*)(int,unsigned int *,long *,void * *,unsigned int *,void * *,void * *)]
[+0x014] PnpNotify : 0x77c66e6f [Type: void (*)()]
[+0x018] PnpListen : 0x77c66d26 [Type: void (*)()]
[+0x01c] TowerConstruct : 0x77c6b290 [Type: long (*)(char *,char *,char *,unsigned short *,unsigned long *,unsigned char * *)]
[+0x020] TowerExplode : 0x77c6b5c7 [Type: long (*)(unsigned char *,unsigned char *,unsigned long,char * *,char * *,char * *)]
[+0x024] PostEvent : 0x77c66be8 [Type: long (*)(unsigned long,void *)]
[+0x028] fDatagram : 0 [Type: int]
[+0x02c] GetNetworkAddressVector : 0x77c71869 [Type: NETWORK_ADDRESS_VECTOR * (*)(void *)]
1: kd> dt RPC_CONNECTION_TRANSPORT 0x77bece00
RPCRT4!RPC_CONNECTION_TRANSPORT
+0x000 TransInterfaceVersion : 0x2004
+0x004 TransId : 0xf
+0x006 TransAddrId : 0x11
+0x008 ProtocolSequence : 0x77bd2264 -> 0x6e
+0x00c WellKnownEndpoint : 0x77becea8 "\pipe\epmapper"
+0x010 ProcessCalls : 0x77c66ea4 long RPCRT4!COMMON_ProcessCalls+0
+0x014 PnpNotify : 0x77c66e6f void RPCRT4!COMMON_StartPnpNotifications+0
+0x018 PnpListen : 0x77c66d26 void RPCRT4!COMMON_ListenForPNPNotifications+0
+0x01c TowerConstruct : 0x77c6b290 long RPCRT4!COMMON_TowerConstruct+0
+0x020 TowerExplode : 0x77c6b5c7 long RPCRT4!COMMON_TowerExplode+0
+0x024 PostEvent : 0x77c66be8 long RPCRT4!COMMON_PostRuntimeEvent+0
+0x028 fDatagram : 0n0
+0x02c GetNetworkAddressVector : 0x77c71869 NETWORK_ADDRESS_VECTOR* RPCRT4!NMP_GetNetworkAddressVector+0
+0x030 AddressSize : 0x70
+0x034 ClientConnectionSize : 0x54
+0x038 ServerConnectionSize : 0x54
+0x03c SendContextSize : 0x24
+0x040 ResolverHintSize : 0
+0x044 MaximumFragmentSize : 0x10b8
+0x048 Initialize : 0x77c72b3f long RPCRT4!NMP_Initialize+0
+0x04c InitComplete : (null)
+0x050 Open : 0x77c71fa4 long RPCRT4!NMP_Open+0
+0x054 SyncSendRecv : 0x77c72703 long RPCRT4!NMP_SyncSendRecv+0
+0x058 SyncRecv : 0x77c6de5b long RPCRT4!CO_SyncRecv+0
+0x05c Abort : 0x77c72a5f long RPCRT4!NMP_Abort+0
+0x060 Close : 0x77c71cb0 long RPCRT4!NMP_Close+0
+0x064 Send : 0x77c6d738 long RPCRT4!CO_Send+0
+0x068 Recv : 0x77c6d96a long RPCRT4!CO_Recv+0
+0x06c SyncSend : 0x77c72589 long RPCRT4!NMP_SyncSend+0
+0x070 TurnOnOffKeepAlives : (null)
+0x074 Listen : 0x77c72beb long RPCRT4!NMP_ServerListen+0
+0x078 AbortListen : 0x77c7153b void RPCRT4!NMP_ServerAbortListen+0
+0x07c CompleteListen : 0x77c66e46 void RPCRT4!COMMON_ServerCompleteListen+0
+0x080 QueryClientAddress : 0x77c71d52 long RPCRT4!NMP_ConnectionQueryClientAddress+0
+0x084 QueryLocalAddress : (null)
+0x088 QueryClientId : 0x77c71eb3 long RPCRT4!NMP_ConnectionQueryClientId+0
+0x08c QueryClientIpAddress : (null)
+0x090 ImpersonateClient : 0x77c71cf1 long RPCRT4!NMP_ConnectionImpersonateClient+0
+0x094 RevertToSelf : 0x77c7181e long RPCRT4!NMP_ConnectionRevertToSelf+0
+0x098 FreeResolverHint : (null)
+0x09c CopyResolverHint : (null)
+0x0a0 CompareResolverHint : (null)
+0x0a4 SetLastBufferToFree : (null)
ObjectType = OSF_ADDRESS_TYPE;
ActiveCallCount = 0;
ServerListeningFlag = 0;
ServerInfo = RpcServerInfo;
TransInfo = RpcTransInfo;
SetupAddressOccurred = 0;
1: kd> dt rpcrt4!OSF_ADDRESS 00b00070
+0x000 __VFN_table : 0x77bd77cc
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n2048
+0x00c TransInfo : 0x00943d70 TRANS_INFO
+0x010 Endpoint : (null)
+0x014 RpcProtocolSequence : (null)
+0x018 NetworkAddress : (null)
+0x01c StaticEndpointFlag : 0xbaadf00d
+0x020 ActiveCallCount : 0n0
+0x024 PendingQueueSize : 0xbaadf00d
+0x028 SecurityDescriptor : 0xbaadf00d Void
+0x02c NICFlags : 0xbaadf00d
+0x030 EndpointFlags : 0xbaadf00d
+0x034 Server : 0xbaadf00d RPC_SERVER
+0x038 AddressMutex : MUTEX
+0x050 DictKey : 0n-1163005939
+0x054 Associations : [8] OSF_ASSOCIATION_DICT
+0x134 AssociationBucketMutexMemory : [192] ".???"
+0x1f4 ServerInfo : 0x77bece00 RPC_CONNECTION_TRANSPORT
+0x1f8 SetupAddressOccurred : 0
+0x1fc ServerListeningFlag : 0n0
+0x200 DebugCell : 0xbaadf00d tagDebugEndpointInfo
+0x204 DebugCellTag : 0n-1163005939
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0x56:
001b:77c0dad8 8d8604020000 lea eax,[esi+204h]
1: kd> r
eax=00943d70 ebx=00000000 ecx=00b00188 edx=77fba380 esi=00b00070 edi=77bece00
eip=77c0dad8 esp=0006fe10 ebp=0006fe1c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0x56:
001b:77c0dad8 8d8604020000 lea eax,[esi+204h]
1: kd> dt rpcrt4!OSF_ADDRESS 00b00070
+0x000 __VFN_table : 0x77bd77cc
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n2048
+0x00c TransInfo : 0x00943d70 TRANS_INFO
+0x010 Endpoint : (null)
+0x014 RpcProtocolSequence : (null)
+0x018 NetworkAddress : (null)
+0x01c StaticEndpointFlag : 0xbaadf00d
+0x020 ActiveCallCount : 0n0
+0x024 PendingQueueSize : 0xbaadf00d
+0x028 SecurityDescriptor : 0xbaadf00d Void
+0x02c NICFlags : 0xbaadf00d
+0x030 EndpointFlags : 0xbaadf00d
+0x034 Server : 0xbaadf00d RPC_SERVER
+0x038 AddressMutex : MUTEX
+0x050 DictKey : 0n-1163005939
+0x054 Associations : [8] OSF_ASSOCIATION_DICT
+0x134 AssociationBucketMutexMemory : [192] ".???"
+0x1f4 ServerInfo : 0x77bece00 RPC_CONNECTION_TRANSPORT
+0x1f8 SetupAddressOccurred : 0
+0x1fc ServerListeningFlag : 0n0
+0x200 DebugCell : 0xbaadf00d tagDebugEndpointInfo
+0x204 DebugCellTag : 0n-1163005939
第二部分: 构造函数在内嵌的 AssociationBucketMutexMemory[192] 字节数组中用 placement new 逐个构造 8 个桶锁。dd 0xb001a4（= 0xb00070 + 0x134）显示每个 MUTEX 占 0x18 字节：开头是 DebugInfo 指针，随后 LockCount = -1 (ffffffff)，其余字段为 0；尚未构造的槽仍是 0xbaadf00d。
1: kd> dt rpcrt4!NumberOfAssociationsDictionaries
NumberOfAssociationsDictionaries = 0n8
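// Returns the MUTEX that guards association-dictionary bucket HashIndex.
//
// The bucket mutexes are not separate heap objects: the constructor
// placement-constructs them inside the inline byte array
// AssociationBucketMutexMemory, one MutexAllocationSize-byte slot per bucket,
// so this is pure address arithmetic on the embedded array.
//
// HashIndex must be in [0, NumberOfAssociationsDictionaries). Any other value
// would produce a pointer outside the array (and the object), so the range is
// now checked in debug builds alongside the existing alignment check.
inline MUTEX *GetAssociationBucketMutex(IN int HashIndex)
{
    MUTEX *pMutex;

    ASSERT((HashIndex >= 0) && (HashIndex < NumberOfAssociationsDictionaries));

    pMutex = (MUTEX *)(&AssociationBucketMutexMemory[MutexAllocationSize * HashIndex]);

    // MutexAllocationSize is rounded up to a multiple of 4, so every slot
    // (and the critical section inside it) must start 4-byte aligned.
    ASSERT((((ULONG_PTR)pMutex) % 4) == 0);
    return pMutex;
}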
// Number of hash buckets an OSF_ADDRESS splits its associations into.
// The debugger dumps above show Associations[8] and a 192-byte
// AssociationBucketMutexMemory (8 * 0x18), i.e. one dictionary and one
// bucket mutex per entry.
const int NumberOfAssociationsDictionaries = 8;

// Bytes reserved for each bucket mutex inside AssociationBucketMutexMemory:
// sizeof(MUTEX) rounded up to the next multiple of 4 so that every slot, and
// therefore every embedded critical section, starts 4-byte aligned
// (GetAssociationBucketMutex asserts exactly that).
const int MutexAllocationSize = (int)(((unsigned long)sizeof(MUTEX) + 3UL) & ~3UL);
new (GetAssociationBucketMutex(i)) MUTEX (Status,
TRUE // pre-allocate semaphores
);
// if there is a failure, remember it, so that subsequent successes
// don't overwrite the failure
if ((*Status != RPC_S_OK) && (OriginalFailureStatus == RPC_S_OK))
{
OriginalFailureStatus = *Status;
}
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xce:
001b:77c0db50 e8e73b0100 call RPCRT4!MUTEX::CommonConstructor (77c2173c)
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3:
001b:77c0db55 8b07 mov eax,dword ptr [edi]
1: kd> r
eax=00000000 ebx=00000000 ecx=7ffde000 edx=77fba380 esi=00b00070
1: kd> dd 0xb001a4
00b001a4 000bd128 ffffffff
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xce:
001b:77c0db50 e8e73b0100 call RPCRT4!MUTEX::CommonConstructor (77c2173c)
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3:
001b:77c0db55 8b07 mov eax,dword ptr [edi]
1: kd> r
eax=00000000 ebx=00000000 ecx=7ffde000 edx=77fba380 esi=00b00070 edi=0006fe30
1: kd> dd 0xb001a4
00b001a4 000bd128 ffffffff 00000000 00000000
00b001b4 00000000 00000000 000bd198 ffffffff
00b001c4 00000000 00000000 00000000 00000000
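// Returns the MUTEX that guards association-dictionary bucket HashIndex.
//
// The bucket mutexes are not separate heap objects: the constructor
// placement-constructs them inside the inline byte array
// AssociationBucketMutexMemory, one MutexAllocationSize-byte slot per bucket,
// so this is pure address arithmetic on the embedded array.
//
// HashIndex must be in [0, NumberOfAssociationsDictionaries). Any other value
// would produce a pointer outside the array (and the object), so the range is
// now checked in debug builds alongside the existing alignment check.
inline MUTEX *GetAssociationBucketMutex(IN int HashIndex)
{
    MUTEX *pMutex;

    ASSERT((HashIndex >= 0) && (HashIndex < NumberOfAssociationsDictionaries));

    pMutex = (MUTEX *)(&AssociationBucketMutexMemory[MutexAllocationSize * HashIndex]);

    // MutexAllocationSize is rounded up to a multiple of 4, so every slot
    // (and the critical section inside it) must start 4-byte aligned.
    ASSERT((((ULONG_PTR)pMutex) % 4) == 0);
    return pMutex;
}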
1: kd> dd 0xb001a4
00b001a4 000bd128 ffffffff 00000000 00000000
00b001b4 00000000 00000000 000bd198 ffffffff
00b001c4 00000000 00000000 00000000 00000000
00b001d4 baadf00d baadf00d baadf00d baadf00d
00b001e4 baadf00d baadf00d baadf00d baadf00d
00b001f4 baadf00d baadf00d baadf00d baadf00d
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc2:
001b:77c0db44 3bc3 cmp eax,ebx
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc4:
001b:77c0db46 740d je RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3 (77c0db55)
1: kd> r
eax=00b001d4 ebx=00000000 ecx=00b00070 edx=77fba380 esi=00b00070 edi=0006fe30
eip=77c0db46 esp=0006fe10 ebp=0006fe1c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc4:
001b:77c0db46 740d je RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xd3 (77c0db55) [br=0]
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xce:
001b:77c0db50 e8e73b0100 call RPCRT4!MUTEX::CommonConstructor (77c2173c)
1: kd> t
RPCRT4!MUTEX::CommonConstructor:
001b:77c2173c 55 push ebp
1: kd> kc
#
00 RPCRT4!MUTEX::CommonConstructor
01 RPCRT4!OSF_ADDRESS::OSF_ADDRESS
02 RPCRT4!OsfCreateRpcAddress
03 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
04 RPCRT4!I_RpcServerUseProtseqEp2W
05 RPCRT4!RpcServerUseProtseqEpExW
06 RPCRT4!RpcServerUseProtseqEpW
07 LSASRV!RpcpAddInterface
08 LSASRV!LsapRPCInit
09 LSASRV!LsapInitLsa
0a lsass!main
0b lsass!mainNoCRTStartup
0c kernel32!BaseProcessStart
NTSTATUS
RtlInitializeCriticalSectionAndSpinCount (
IN PRTL_CRITICAL_SECTION CriticalSection,
ULONG SpinCount
)
{
PRTL_CRITICAL_SECTION_DEBUG DebugInfo;
CriticalSection->LockCount = -1;
CriticalSection->RecursionCount = 0;
CriticalSection->OwningThread = 0;
CriticalSection->LockSemaphore = 0;
if ( NtCurrentPeb()->NumberOfProcessors > 1 ) {
CriticalSection->SpinCount = SpinCount & MAX_SPIN_COUNT;
} else {
CriticalSection->SpinCount = 0;
}
ASSERT (GlobalKeyedEventHandle != NULL);
//
// Initialize debugging information.
//
DebugInfo = (PRTL_CRITICAL_SECTION_DEBUG) RtlpAllocateDebugInfo ();
if (DebugInfo == NULL) {
return STATUS_NO_MEMORY;
}
DebugInfo->Type = RTL_CRITSECT_TYPE;
DebugInfo->ContentionCount = 0;
DebugInfo->EntryCount = 0;
//
// It is important to set critical section pointers and potential
// stack trace before we insert the resource in the process'
// resource list because the list can be randomly traversed from
// other threads that check for orphaned resources.
//
DebugInfo->CriticalSection = CriticalSection;
CriticalSection->DebugInfo = DebugInfo;
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb001d4))
(*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb001d4)) [Type: _RTL_CRITICAL_SECTION]
[+0x000] DebugInfo : 0xbd1c0 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
[+0x004] LockCount : -1 [Type: long]
[+0x008] RecursionCount : 0 [Type: long]
[+0x00c] OwningThread : 0x0 [Type: void *]
[+0x010] LockSemaphore : 0x0 [Type: void *]
[+0x014] SpinCount : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd1c0)
((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd1c0) : 0xbd1c0 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
[+0x000] Type : 0x0 [Type: unsigned short]
[+0x002] CreatorBackTraceIndex : 0x0 [Type: unsigned short]
[+0x004] CriticalSection : 0xb001d4 [Type: _RTL_CRITICAL_SECTION *]
[+0x008] ProcessLocksList [Type: _LIST_ENTRY]
[+0x010] EntryCount : 0x0 [Type: unsigned long]
[+0x014] ContentionCount : 0x0 [Type: unsigned long]
[+0x018] Spare [Type: unsigned long [2]]
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_LIST_ENTRY *)0xbd1c8))
(*((RPCRT4!_LIST_ENTRY *)0xbd1c8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x77fba3f8 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xbd1a0 [Type: _LIST_ENTRY *]
1: kd> dd 0xb001a4
00b001a4 000bd128 ffffffff 00000000 00000000
00b001b4 00000000 00000000 000bd198 ffffffff
00b001c4 00000000 00000000 00000000 00000000
00b001d4 000bd1c0 ffffffff
第三部分: RPCRT4!OSF_ADDRESS::GetAssociationBucketMutex 函数的作用。它只做地址计算，返回 &AssociationBucketMutexMemory[MutexAllocationSize * HashIndex]，本例中 MutexAllocationSize = 0x18、数组起始于 0xb001a4。用返回值 eax 可以逐个验证：索引 2 → 0xb001d4（第二部分），索引 3 → 0xb001ec（本部分），索引 7 → 0xb0024c（第五部分）。
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xbd:
001b:77c0db3f e861ebffff call RPCRT4!OSF_ADDRESS::GetAssociationBucketMutex (77c0c6a5)
1: kd> p
RPCRT4!OSF_ADDRESS::OSF_ADDRESS+0xc2:
001b:77c0db44 3bc3 cmp eax,ebx
1: kd> r
eax=00b001ec
第四部分: ntdll!RtlInitializeCriticalSectionAndSpinCount 初始化临界区并设置自旋计数（SpinCount），同时分配 RTL_CRITICAL_SECTION_DEBUG 并将其挂到进程级 RtlCriticalSectionList 链表尾部（对比调用前后 Blink 的变化）。注意传入的 SpinCount = 0x80000000 只有最高位置位，最终写入临界区的 SpinCount 字段为 0（见第二/第五部分的 dx 输出）。
1: kd> t
ntdll!RtlInitializeCriticalSectionAndSpinCount:
001b:77f415d2 55 push ebp
1: kd> kc
#
00 ntdll!RtlInitializeCriticalSectionAndSpinCount
01 RPCRT4!MUTEX::CommonConstructor
02 RPCRT4!OSF_ADDRESS::OSF_ADDRESS
03 RPCRT4!OsfCreateRpcAddress
04 RPCRT4!RPC_SERVER::UseRpcProtocolSequence
05 RPCRT4!I_RpcServerUseProtseqEp2W
06 RPCRT4!RpcServerUseProtseqEpExW
07 RPCRT4!RpcServerUseProtseqEpW
08 LSASRV!RpcpAddInterface
09 LSASRV!LsapRPCInit
0a LSASRV!LsapInitLsa
0b lsass!main
0c lsass!mainNoCRTStartup
0d kernel32!BaseProcessStart
1: kd> dv
CriticalSection = 0x00b001ec
SpinCount = 0x80000000
ReqSize = 0x1d4
pThreadLocalData = 0x80000000
pEventHeader = 0x00b001ec
DebugInfo->Type = RTL_CRITSECT_TYPE;
DebugInfo->ContentionCount = 0;
DebugInfo->EntryCount = 0;
1: kd> p
ntdll!RtlInitializeCriticalSectionAndSpinCount+0x70:
001b:77f41642 895e10 mov dword ptr [esi+10h],ebx
1: kd> p
ntdll!RtlInitializeCriticalSectionAndSpinCount+0x73:
001b:77f41645 897e04 mov dword ptr [esi+4],edi
1: kd> r
eax=000bd1e8 ebx=00000000 ecx=77f2b57e edx=00080c14 esi=000bd1e8 edi=00b001ec
esi=000bd1e8
// Values stored in RTL_CRITICAL_SECTION_DEBUG.Type.
// RtlInitializeCriticalSectionAndSpinCount writes RTL_CRITSECT_TYPE into the
// debug block it allocates, which is the "Type : 0" seen in the
// RTL_CRITICAL_SECTION_DEBUG dumps above.
#define RTL_CRITSECT_TYPE 0
// Debug blocks belonging to RTL_RESOURCE objects; not exercised in this trace.
#define RTL_RESOURCE_TYPE 1
1: kd> dt RTL_CRITICAL_SECTION_DEBUG 000bd1e8
MPR!RTL_CRITICAL_SECTION_DEBUG
+0x000 Type : 0
+0x002 CreatorBackTraceIndex : 8
+0x004 CriticalSection : 0x00080178 _RTL_CRITICAL_SECTION
+0x008 ProcessLocksList : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x010 EntryCount : 0
+0x014 ContentionCount : 0
+0x018 Spare : [2] 0
1: kd> dt RTL_CRITICAL_SECTION_DEBUG 000bd1e8
MPR!RTL_CRITICAL_SECTION_DEBUG
+0x000 Type : 0
+0x002 CreatorBackTraceIndex : 8
+0x004 CriticalSection : 0x00b001ec _RTL_CRITICAL_SECTION
+0x008 ProcessLocksList : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x010 EntryCount : 0
+0x014 ContentionCount : 0
+0x018 Spare : [2] 0
1: kd> dt RtlCriticalSectionList
ntdll!RtlCriticalSectionList
[ 0x77fb9a08 - 0xbd1c8 ]
+0x000 Flink : 0x77fb9a08 _LIST_ENTRY [ 0x77fb9a28 - 0x77fba3f8 ]
+0x004 Blink : 0x000bd1c8 _LIST_ENTRY [ 0x77fba3f8 - 0xbd1a0 ]
if (CriticalSection != &RtlCriticalSectionLock) {
RtlEnterCriticalSection(&RtlCriticalSectionLock);
InsertTailList(&RtlCriticalSectionList, &DebugInfo->ProcessLocksList);
RtlLeaveCriticalSection(&RtlCriticalSectionLock );
1: kd> dt RtlCriticalSectionList
ntdll!RtlCriticalSectionList
[ 0x77fb9a08 - 0xbd1f0 ]
+0x000 Flink : 0x77fb9a08 _LIST_ENTRY [ 0x77fb9a28 - 0x77fba3f8 ]
+0x004 Blink : 0x000bd1f0 _LIST_ENTRY [ 0x77fba3f8 - 0xbd1c8 ]
1: kd> dt RTL_CRITICAL_SECTION_DEBUG 0x000bd1f0-8
MPR!RTL_CRITICAL_SECTION_DEBUG
+0x000 Type : 0
+0x002 CreatorBackTraceIndex : 0
+0x004 CriticalSection : 0x00b001ec _RTL_CRITICAL_SECTION
+0x008 ProcessLocksList : _LIST_ENTRY [ 0x77fba3f8 - 0xbd1c8 ]
+0x010 EntryCount : 0
+0x014 ContentionCount : 0
+0x018 Spare : [2] 0
1: kd> dd 0xb001a4
00b001a4 000bd128 ffffffff 00000000 00000000
00b001b4 00000000 00000000 000bd198 ffffffff
00b001c4 00000000 00000000 00000000 00000000
00b001d4 000bd1c0 ffffffff 00000000 00000000
00b001e4 00000000 00000000 000bd1e8 ffffffff
00b001f4 00000000 00000000 00000000 00000000
1: kd> dd 0xb001a4
00b001a4 000bd128 ffffffff 00000000 00000000
00b001b4 00000000 00000000 000bd198 ffffffff
00b001c4 00000000 00000000 00000000 00000000
00b001d4 000bd1c0 ffffffff 00000000 00000000
00b001e4 00000000 00000000 000bd1e8 ffffffff
00b001f4 00000000 00000000 00000000 00000000
00b00204 000bd210 ffffffff 00000000 00000000
00b00214 00000000 00000000 000bd238 ffffffff
1: kd> dd 0xb00224
00b00224 00000000 00000000 00000000 00000000
00b00234 000bd260 ffffffff 00000000 00000000
00b00244 00000000 00000000 000bd288 ffffffff
00b00254 00000000 00000000 00000000 00000000
第五部分: 第 8 个（索引 7，位于 0xb0024c）桶锁的构造，以及构造函数返回时的最终结果。对比第一部分的 dt 输出，DebugCell/DebugCellTag 已被写入，而 StaticEndpointFlag、SecurityDescriptor、Server 等仍为 0xbaadf00d，说明这些字段应由后续代码而非本构造函数设置。
1: kd> dt MUTEX 0xb00244+8
RPCRT4!MUTEX
+0x000 CriticalSection : _RTL_CRITICAL_SECTION
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb0024c))
(*((RPCRT4!_RTL_CRITICAL_SECTION *)0xb0024c)) [Type: _RTL_CRITICAL_SECTION]
[+0x000] DebugInfo : 0xbd288 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
[+0x004] LockCount : -1 [Type: long]
[+0x008] RecursionCount : 0 [Type: long]
[+0x00c] OwningThread : 0x0 [Type: void *]
[+0x010] LockSemaphore : 0x0 [Type: void *]
[+0x014] SpinCount : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,897f4020 -r1 ((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd288)
((RPCRT4!_RTL_CRITICAL_SECTION_DEBUG *)0xbd288) : 0xbd288 [Type: _RTL_CRITICAL_SECTION_DEBUG *]
[+0x000] Type : 0x0 [Type: unsigned short]
[+0x002] CreatorBackTraceIndex : 0x0 [Type: unsigned short]
[+0x004] CriticalSection : 0xb0024c [Type: _RTL_CRITICAL_SECTION *]
[+0x008] ProcessLocksList [Type: _LIST_ENTRY]
[+0x010] EntryCount : 0x0 [Type: unsigned long]
[+0x014] ContentionCount : 0x0 [Type: unsigned long]
[+0x018] Spare [Type: unsigned long [2]]
1: kd> dx -id 0,0,897f4020 -r1 (*((RPCRT4!_LIST_ENTRY *)0xbd290))
(*((RPCRT4!_LIST_ENTRY *)0xbd290)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x77fba3f8 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xbd268 [Type: _LIST_ENTRY *]
1: kd> x ntdll!RtlCriticalSectionList
77fba3f8 ntdll!RtlCriticalSectionList = struct _LIST_ENTRY [ 0x77fb9a08 - 0xbd290 ]
1: kd> dx -id 0,0,897f4020 -r1 (*((ntdll!_LIST_ENTRY *)0x77fba3f8))
(*((ntdll!_LIST_ENTRY *)0x77fba3f8)) [Type: _LIST_ENTRY]
[+0x000] Flink : 0x77fb9a08 [Type: _LIST_ENTRY *]
[+0x004] Blink : 0xbd290 [Type: _LIST_ENTRY *]
1: kd> dt rpcrt4!OSF_ADDRESS 00b00070
+0x000 __VFN_table : 0x77bd77cc
+0x004 MagicLong : 0x89abcdef
+0x008 ObjectType : 0n2048
+0x00c TransInfo : 0x00943d70 TRANS_INFO
+0x010 Endpoint : (null)
+0x014 RpcProtocolSequence : (null)
+0x018 NetworkAddress : (null)
+0x01c StaticEndpointFlag : 0xbaadf00d
+0x020 ActiveCallCount : 0n0
+0x024 PendingQueueSize : 0xbaadf00d
+0x028 SecurityDescriptor : 0xbaadf00d Void
+0x02c NICFlags : 0xbaadf00d
+0x030 EndpointFlags : 0xbaadf00d
+0x034 Server : 0xbaadf00d RPC_SERVER
+0x038 AddressMutex : MUTEX
+0x050 DictKey : 0n-1163005939
+0x054 Associations : [8] OSF_ASSOCIATION_DICT
+0x134 AssociationBucketMutexMemory : [192] "(???"
+0x1f4 ServerInfo : 0x77bece00 RPC_CONNECTION_TRANSPORT
+0x1f8 SetupAddressOccurred : 0
+0x1fc ServerListeningFlag : 0n0
+0x200 DebugCell : 0x00af0020 tagDebugEndpointInfo
+0x204 DebugCellTag : 0n0
1: kd> r
eax=00b00070 ebx=73304bd0 ecx=7ffde000 edx=77fba380 esi=00000000 edi=20000500
eip=77c0f514 esp=0006fe30 ebp=0006fe34 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
RPCRT4!OsfCreateRpcAddress+0x47:
001b:77c0f514 c9 leave
1: kd> p
RPCRT4!OsfCreateRpcAddress+0x48:
001b:77c0f515 c20400 ret 4