sfc_os!SfcQueueValidationRequest函數分析之sfc

第一部分：

1: kd> kc
#
00 sfc_os!SfcQueueValidationRequest
01 sfc_os!SfcWatchProtectedDirectoriesWorkerThread
02 kernel32!BaseThreadStart

1: kd> dv
RegVal = 0x01129164
ChangeType = 5
vrd = 0x012bfef0
Status = 0n1988337684
vrdexisting = 0x012bffdc

??? //
// if we're in GUI-Setup, don't queue any validation requests
//
if (SFCDisable == SFC_DISABLE_SETUP) {
return STATUS_SUCCESS;
}

1: kd> x sfc_os!SFCDisable
768421b8????????? sfc_os!SFCDisable = 0

vrd->NextValidTime = GetTickCount() + (1000*SFCStall);
vrd->RegVal = RegVal;
vrd->ChangeType = ChangeType;
vrd->Signature = SFC_VRD_SIGNATURE;

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048)
((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048)???????????????? : 0x1fe0048 [Type: _VALIDATION_REQUEST_DATA *]
[+0x000] Entry??????????? [Type: _LIST_ENTRY]
[+0x008] Signature??????? : 0x69696969 [Type: unsigned long]
[+0x010] ImageValData???? [Type: _COMPLETE_VALIDATION_DATA]
[+0x130] RegVal?????????? : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]
[+0x134] SourceInfo?????? [Type: _SOURCE_INFO]
[+0xd74] ChangeType?????? : 0x5 [Type: unsigned long]
[+0xd78] CopyCompleted??? : 0 [Type: int]
[+0xd7c] Win32Error?????? : 0x0 [Type: unsigned long]
[+0xd80] SyncOnly???????? : 0 [Type: int]
[+0xd84] RetryCount?????? : 0x0 [Type: unsigned long]
[+0xd88] Flags??????????? : 0x0 [Type: unsigned long]
[+0xd8c] NextValidTime??? : 0xffd4b349 [Type: unsigned long]

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164)??
((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164)???????????????? : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]
[+0x000] Entry??????????? [Type: _LIST_ENTRY]
[+0x008] FileName???????? : "pidgen.dll" [Type: _UNICODE_STRING]
[+0x010] DirName????????? : "c:\windows\system32" [Type: _UNICODE_STRING]
[+0x018] FullPathName???? : "c:\windows\system32\pidgen.dll" [Type: _UNICODE_STRING]
[+0x020] InfName????????? : "" [Type: _UNICODE_STRING]
[+0x028] SourceFileName?? : "" [Type: _UNICODE_STRING]
[+0x030] OriginalFileName [Type: unsigned short [128]]
[+0x130] DirHandle??????? : 0x24 [Type: void *]
[+0x134] pvWinSxsCookie?? : 0x0 [Type: void *]
[+0x138] dwWinSxsFlags??? : 0x0 [Type: unsigned long]

第二部分：

1: kd> p
sfc_os!SfcQueueValidationRequest+0xb9:
001b:76838ee2 e860e7ffff????? call??? sfc_os!IsFileInQueue (76837647)
1: kd> t
sfc_os!IsFileInQueue:
001b:76837647 55????????????? push??? ebp
1: kd> kc
#
00 sfc_os!IsFileInQueue
01 sfc_os!SfcQueueValidationRequest
02 sfc_os!SfcWatchProtectedDirectoriesWorkerThread
03 kernel32!BaseThreadStart

1: kd> x sfc_os!SfcErrorQueue
76840e80????????? sfc_os!SfcErrorQueue = struct _LIST_ENTRY [ 0x12380d0 - 0x12380d0 ]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))
(*((sfc_os!_LIST_ENTRY *)0x76840e80))???????????????? [Type: _LIST_ENTRY]
[+0x000] Flink??????????? : 0x12380d0 [Type: _LIST_ENTRY *]
[+0x004] Blink??????????? : 0x12380d0 [Type: _LIST_ENTRY *]
1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0
sfc_os!VALIDATION_REQUEST_DATA
+0x000 Entry??????????? : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]
+0x008 Signature??????? : 0x69696969
+0x010 ImageValData???? : _COMPLETE_VALIDATION_DATA
+0x130 RegVal?????????? : 0x01129164 _SFC_REGISTRY_VALUE?? ??? ?RegVal?????????? : 0x01129164
+0x134 SourceInfo?????? : _SOURCE_INFO
+0xd74 ChangeType?????? : 3
+0xd78 CopyCompleted??? : 0n1
+0xd7c Win32Error?????? : 0
+0xd80 SyncOnly???????? : 0n0
+0xd84 RetryCount?????? : 0
+0xd88 Flags??????????? : 1
+0xd8c NextValidTime??? : 0xffd2d959

??????? if (RegVal == vrd->RegVal) {
return vrd;?? ??? ?//VALIDATION_REQUEST_DATA 0x12380d0
}

??????? if (!vrdexisting || (vrdexisting->Flags & VRD_FLAG_REQUEST_PROCESSED) ) {

??????????? DebugPrint1( LVL_VERBOSE,
L"Inserting [%ws] into error queue for validation",
RegVal->FullPathName.Buffer );

??????????? InsertTailList( &SfcErrorQueue, &vrd->Entry );
ErrorQueueCount += 1;

??????????? //
// do this to avoid free later on
//
vrdexisting = NULL;

??????? }

第三部分：

1: kd> p
sfc_os!IsFileInQueue+0x27:
001b:7683766e 5d????????????? pop???? ebp
1: kd> r
eax=012380d0

D:\srv03rtm\base\subsys\sm/sfc/dll/sfcp.h:471:#define VRD_FLAG_REQUEST_PROCESSED??????? 0x00000001

+0xd88 Flags??????????? : 1

1: kd> x sfc_os!ErrorQueueCount
76840e7c????????? sfc_os!ErrorQueueCount = 1

1: kd> x sfc_os!ErrorQueueCount
76840e7c????????? sfc_os!ErrorQueueCount = 2

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))
(*((sfc_os!_LIST_ENTRY *)0x76840e80))???????????????? [Type: _LIST_ENTRY]
[+0x000] Flink??????????? : 0x12380d0 [Type: _LIST_ENTRY *]
[+0x004] Blink??????????? : 0x1fe0048 [Type: _LIST_ENTRY *]

1: kd> dt VALIDATION_REQUEST_DATA 0x1fe0048
sfc_os!VALIDATION_REQUEST_DATA
+0x000 Entry??????????? : _LIST_ENTRY [ 0x76840e80 - 0x12380d0 ]
+0x008 Signature??????? : 0x69696969
+0x010 ImageValData???? : _COMPLETE_VALIDATION_DATA
+0x130 RegVal?????????? : 0x01129164 _SFC_REGISTRY_VALUE
+0x134 SourceInfo?????? : _SOURCE_INFO
+0xd74 ChangeType?????? : 5?? ??? ??? ??? ?//+0xd74 ChangeType?????? : 5
+0xd78 CopyCompleted??? : 0n0
+0xd7c Win32Error?????? : 0
+0xd80 SyncOnly???????? : 0n0
+0xd84 RetryCount?????? : 0
+0xd88 Flags??????????? : 0?? ??? ??? ??? ?//+0xd88 Flags??????????? : 0?? ?
+0xd8c NextValidTime??? : 0xffd4b349

1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0
sfc_os!VALIDATION_REQUEST_DATA
+0x000 Entry??????????? : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]
+0x008 Signature??????? : 0x69696969
+0x010 ImageValData???? : _COMPLETE_VALIDATION_DATA
+0x130 RegVal?????????? : 0x01129164 _SFC_REGISTRY_VALUE?? ??? ?RegVal?????????? : 0x01129164
+0x134 SourceInfo?????? : _SOURCE_INFO
+0xd74 ChangeType?????? : 3?? ??? ??? ??? ?//+0xd74 ChangeType?????? : 3
+0xd78 CopyCompleted??? : 0n1
+0xd7c Win32Error?????? : 0
+0xd80 SyncOnly???????? : 0n0
+0xd84 RetryCount?????? : 0
+0xd88 Flags??????????? : 1?? ??? ??? ??? ?//+0xd88 Flags??????????? : 1
+0xd8c NextValidTime??? : 0xffd2d959

第四部分：

1: kd> x sfc_os!hErrorThread
76840e88????????? sfc_os!hErrorThread = 0x00000b4c

1: kd> !handle b4c

PROCESS 89ce3d88? SessionId: 0? Cid: 01d4??? Peb: 7ffdf000? ParentCid: 018c
DirBase: 7c1c9000? ObjectTable: e136a268? HandleCount: 564.
Image: winlogon.exe

Handle table at e136a268 with 564 entries in use

0b4c: Object: 892d6da0? GrantedAccess: 001f03ff Entry: e1792698
Object: 892d6da0? Type: (89dd5710) Thread
ObjectHeader: 892d6d88 (old version)
HandleCount: 3? PointerCount: 5

?????? THREAD 892d6da0? Cid 01d4.03bc? Teb: 7ffdc000 Win32Thread: e10ecea8 RUNNING on processor 0
IRP List:
899d7838: (0006,01d8) Flags: 00000884? Mdl: 00000000
8936dcd8: (0006,0190) Flags: 00000000? Mdl: 00000000
Not impersonating
DeviceMap???????????????? e10026b8
Owning Process??????????? 89ce3d88?????? Image:???????? winlogon.exe
Attached Process????????? N/A??????????? Image:???????? N/A
Wait Start TickCount????? 274695963????? Ticks: 0
Context Switch Count????? 441??????????? IdealProcessor: 0???????????????? LargeStack
UserTime????????????????? 00:00:00.156
KernelTime??????????????? 00:00:00.156
Win32 Start Address sfc_os!SfcQueueValidationThread (0x7683856f)
Stack Init b9af1000 Current b9af0924 Base b9af1000 Limit b9aec000 Call 00000000
Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
ChildEBP RetAddr ?
b9af06f4 80aed4e8 nt!ExpAssertResource+0x71 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 2913]
b9af0718 f713659e nt!ExReleaseResourceLite+0x18 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 1410]
b9af071c f7135f80 Ntfs!NtfsCommonCreate+0x1da0 (FPO: [SEH]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4202]
b9af0908 f712f53e Ntfs!NtfsCommonCreate+0x1782 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4210]
b9af0a08 80a2675c Ntfs!NtfsFsdCreate+0x1f6 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 904]
b9af0a24 80c75af1 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]
b9af0b20 80c7607c nt!IopParseDevice+0xd7d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 1317]
b9af0b58 80d1cb2c nt!IopParseFile+0x78 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 2014]
b9af0bd4 80d16798 nt!ObpLookupObjectName+0x14a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obdir.c @ 1834]
b9af0c28 80c61f73 nt!ObOpenObjectByName+0x13e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obref.c @ 767]
b9af0ca4 80c63967 nt!IopCreateFile+0x44d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 5494]
b9af0cf0 80c6892f nt!IoCreateFile+0x73 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 4788]
b9af0d38 80afbcb2 nt!NtOpenFile+0x57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\open.c @ 95]
b9af0d38 7ffe0304 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b9af0d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
007cf674 77f2f1d8 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
007cf678 7682f536 ntdll!NtOpenFile+0xc (FPO: [6,0,0]) [d:\srv03rtm\base\ntdll\daytona\obj\i386\usrstubs.asm @ 1099]
007cf6c4 76837870 sfc_os!SfcOpenFile+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\fileio.c @ 87]
007cf6ec 7683297d sfc_os!SfcGetValidationData+0x8b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2126]
007cf724 76838b81 sfc_os!SfcRestoreFromCache+0x2fa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\restore.c @ 1483]
007cffb8 77e41be7 sfc_os!SfcQueueValidationThread+0x612 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1702]
007cffec 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]

第五部分：changtype=3

Breakpoint 4 hit
sfc_os!SfcQueueValidationRequest:
001b:76838e29 6a1c??????????? push??? 1Ch
1: kd> dv
RegVal = 0x01129164
ChangeType = 3
vrd = 0x012bfef0
Status = 0n1988337684
vrdexisting = 0x012bffdc