sfc_os!SfcQueueValidationRequest函数分析之sfc_os!IsFileInQueue

第一部分:

1: kd> kc
 #
00 sfc_os!SfcQueueValidationRequest
01 sfc_os!SfcWatchProtectedDirectoriesWorkerThread
02 kernel32!BaseThreadStart

1: kd> dv
         RegVal = 0x01129164
     ChangeType = 5
            vrd = 0x012bfef0
         Status = 0n1988337684
    vrdexisting = 0x012bffdc

    //
    // if we're in GUI-Setup, don't queue any validation requests
    //
    if (SFCDisable == SFC_DISABLE_SETUP) {
        return STATUS_SUCCESS;
    }

1: kd> x sfc_os!SFCDisable
768421b8          sfc_os!SFCDisable = 0


    vrd->NextValidTime = GetTickCount() + (1000*SFCStall);
    vrd->RegVal = RegVal;
    vrd->ChangeType = ChangeType;
    vrd->Signature = SFC_VRD_SIGNATURE;

1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048)
((sfc_os!_VALIDATION_REQUEST_DATA *)0x1fe0048)                 : 0x1fe0048 [Type: _VALIDATION_REQUEST_DATA *]
    [+0x000] Entry            [Type: _LIST_ENTRY]
    [+0x008] Signature        : 0x69696969 [Type: unsigned long]
    [+0x010] ImageValData     [Type: _COMPLETE_VALIDATION_DATA]
    [+0x130] RegVal           : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]
    [+0x134] SourceInfo       [Type: _SOURCE_INFO]
    [+0xd74] ChangeType       : 0x5 [Type: unsigned long]
    [+0xd78] CopyCompleted    : 0 [Type: int]
    [+0xd7c] Win32Error       : 0x0 [Type: unsigned long]
    [+0xd80] SyncOnly         : 0 [Type: int]
    [+0xd84] RetryCount       : 0x0 [Type: unsigned long]
    [+0xd88] Flags            : 0x0 [Type: unsigned long]
    [+0xd8c] NextValidTime    : 0xffd4b349 [Type: unsigned long]


1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 ((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164)  
((sfc_os!_SFC_REGISTRY_VALUE *)0x1129164)                 : 0x1129164 [Type: _SFC_REGISTRY_VALUE *]
    [+0x000] Entry            [Type: _LIST_ENTRY]
    [+0x008] FileName         : "pidgen.dll" [Type: _UNICODE_STRING]
    [+0x010] DirName          : "c:\windows\system32" [Type: _UNICODE_STRING]
    [+0x018] FullPathName     : "c:\windows\system32\pidgen.dll" [Type: _UNICODE_STRING]
    [+0x020] InfName          : "" [Type: _UNICODE_STRING]
    [+0x028] SourceFileName   : "" [Type: _UNICODE_STRING]
    [+0x030] OriginalFileName [Type: unsigned short [128]]
    [+0x130] DirHandle        : 0x24 [Type: void *]
    [+0x134] pvWinSxsCookie   : 0x0 [Type: void *]
    [+0x138] dwWinSxsFlags    : 0x0 [Type: unsigned long]


 


第二部分:

1: kd> p
sfc_os!SfcQueueValidationRequest+0xb9:
001b:76838ee2 e860e7ffff      call    sfc_os!IsFileInQueue (76837647)
1: kd> t
sfc_os!IsFileInQueue:
001b:76837647 55              push    ebp
1: kd> kc
 #
00 sfc_os!IsFileInQueue
01 sfc_os!SfcQueueValidationRequest
02 sfc_os!SfcWatchProtectedDirectoriesWorkerThread
03 kernel32!BaseThreadStart

1: kd> x sfc_os!SfcErrorQueue
76840e80          sfc_os!SfcErrorQueue = struct _LIST_ENTRY [ 0x12380d0 - 0x12380d0 ]
1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))
(*((sfc_os!_LIST_ENTRY *)0x76840e80))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x12380d0 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x12380d0 [Type: _LIST_ENTRY *]
1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0
sfc_os!VALIDATION_REQUEST_DATA
   +0x000 Entry            : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]
   +0x008 Signature        : 0x69696969
   +0x010 ImageValData     : _COMPLETE_VALIDATION_DATA
   +0x130 RegVal           : 0x01129164 _SFC_REGISTRY_VALUE        RegVal           : 0x01129164
   +0x134 SourceInfo       : _SOURCE_INFO
   +0xd74 ChangeType       : 3
   +0xd78 CopyCompleted    : 0n1
   +0xd7c Win32Error       : 0
   +0xd80 SyncOnly         : 0n0
   +0xd84 RetryCount       : 0
   +0xd88 Flags            : 1
   +0xd8c NextValidTime    : 0xffd2d959

        if (RegVal == vrd->RegVal) {
            return vrd;        //VALIDATION_REQUEST_DATA 0x12380d0
        }

        if (!vrdexisting || (vrdexisting->Flags & VRD_FLAG_REQUEST_PROCESSED) ) {

            DebugPrint1( LVL_VERBOSE,
                        L"Inserting [%ws] into error queue for validation",
                        RegVal->FullPathName.Buffer );

            InsertTailList( &SfcErrorQueue, &vrd->Entry );
            ErrorQueueCount += 1;

            //
            // do this to avoid free later on
            //
            vrdexisting = NULL;

        }


第三部分:


1: kd> p
sfc_os!IsFileInQueue+0x27:
001b:7683766e 5d              pop     ebp
1: kd> r
eax=012380d0


D:\srv03rtm\base\subsys\sm/sfc/dll/sfcp.h:471:#define VRD_FLAG_REQUEST_PROCESSED        0x00000001

+0xd88 Flags            : 1


1: kd> x sfc_os!ErrorQueueCount
76840e7c          sfc_os!ErrorQueueCount = 1


1: kd> x sfc_os!ErrorQueueCount
76840e7c          sfc_os!ErrorQueueCount = 2


1: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_LIST_ENTRY *)0x76840e80))
(*((sfc_os!_LIST_ENTRY *)0x76840e80))                 [Type: _LIST_ENTRY]
    [+0x000] Flink            : 0x12380d0 [Type: _LIST_ENTRY *]
    [+0x004] Blink            : 0x1fe0048 [Type: _LIST_ENTRY *]


1: kd> dt VALIDATION_REQUEST_DATA 0x1fe0048
sfc_os!VALIDATION_REQUEST_DATA
   +0x000 Entry            : _LIST_ENTRY [ 0x76840e80 - 0x12380d0 ]
   +0x008 Signature        : 0x69696969
   +0x010 ImageValData     : _COMPLETE_VALIDATION_DATA
   +0x130 RegVal           : 0x01129164 _SFC_REGISTRY_VALUE
   +0x134 SourceInfo       : _SOURCE_INFO
   +0xd74 ChangeType       : 5                //+0xd74 ChangeType       : 5
   +0xd78 CopyCompleted    : 0n0
   +0xd7c Win32Error       : 0
   +0xd80 SyncOnly         : 0n0
   +0xd84 RetryCount       : 0
   +0xd88 Flags            : 0                //+0xd88 Flags            : 0    
   +0xd8c NextValidTime    : 0xffd4b349

1: kd> dt VALIDATION_REQUEST_DATA 0x12380d0
sfc_os!VALIDATION_REQUEST_DATA
   +0x000 Entry            : _LIST_ENTRY [ 0x76840e80 - 0x76840e80 ]
   +0x008 Signature        : 0x69696969
   +0x010 ImageValData     : _COMPLETE_VALIDATION_DATA
   +0x130 RegVal           : 0x01129164 _SFC_REGISTRY_VALUE        RegVal           : 0x01129164
   +0x134 SourceInfo       : _SOURCE_INFO
   +0xd74 ChangeType       : 3                //+0xd74 ChangeType       : 3
   +0xd78 CopyCompleted    : 0n1
   +0xd7c Win32Error       : 0
   +0xd80 SyncOnly         : 0n0
   +0xd84 RetryCount       : 0
   +0xd88 Flags            : 1                //+0xd88 Flags            : 1
   +0xd8c NextValidTime    : 0xffd2d959


第四部分:


1: kd> x sfc_os!hErrorThread
76840e88          sfc_os!hErrorThread = 0x00000b4c

1: kd> !handle b4c

PROCESS 89ce3d88  SessionId: 0  Cid: 01d4    Peb: 7ffdf000  ParentCid: 018c
    DirBase: 7c1c9000  ObjectTable: e136a268  HandleCount: 564.
    Image: winlogon.exe

Handle table at e136a268 with 564 entries in use

0b4c: Object: 892d6da0  GrantedAccess: 001f03ff Entry: e1792698
Object: 892d6da0  Type: (89dd5710) Thread
    ObjectHeader: 892d6d88 (old version)
        HandleCount: 3  PointerCount: 5

       THREAD 892d6da0  Cid 01d4.03bc  Teb: 7ffdc000 Win32Thread: e10ecea8 RUNNING on processor 0
        IRP List:
            899d7838: (0006,01d8) Flags: 00000884  Mdl: 00000000
            8936dcd8: (0006,0190) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e10026b8
        Owning Process            89ce3d88       Image:         winlogon.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      274695963      Ticks: 0
        Context Switch Count      441            IdealProcessor: 0                 LargeStack
        UserTime                  00:00:00.156
        KernelTime                00:00:00.156
        Win32 Start Address sfc_os!SfcQueueValidationThread (0x7683856f)
        Stack Init b9af1000 Current b9af0924 Base b9af1000 Limit b9aec000 Call 00000000
        Priority 14 BasePriority 13 PriorityDecrement 0 IoPriority 0 PagePriority 0
        ChildEBP RetAddr  
        b9af06f4 80aed4e8 nt!ExpAssertResource+0x71 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 2913]
        b9af0718 f713659e nt!ExReleaseResourceLite+0x18 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\ex\resource.c @ 1410]
        b9af071c f7135f80 Ntfs!NtfsCommonCreate+0x1da0 (FPO: [SEH]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4202]
        b9af0908 f712f53e Ntfs!NtfsCommonCreate+0x1782 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 4210]
        b9af0a08 80a2675c Ntfs!NtfsFsdCreate+0x1f6 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\fs\ntfs\create.c @ 904]
        b9af0a24 80c75af1 nt!IofCallDriver+0x62 (FPO: [Non-Fpo]) (CONV: fastcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 2237]
        b9af0b20 80c7607c nt!IopParseDevice+0xd7d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 1317]
        b9af0b58 80d1cb2c nt!IopParseFile+0x78 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\parse.c @ 2014]
        b9af0bd4 80d16798 nt!ObpLookupObjectName+0x14a (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obdir.c @ 1834]
        b9af0c28 80c61f73 nt!ObOpenObjectByName+0x13e (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\ob\obref.c @ 767]
        b9af0ca4 80c63967 nt!IopCreateFile+0x44d (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 5494]
        b9af0cf0 80c6892f nt!IoCreateFile+0x73 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\iosubs.c @ 4788]
        b9af0d38 80afbcb2 nt!NtOpenFile+0x57 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\ntos\io\iomgr\open.c @ 95]
        b9af0d38 7ffe0304 nt!_KiSystemService+0x13f (FPO: [0,3] TrapFrame @ b9af0d64) (CONV: cdecl) [d:\srv03rtm\base\ntos\ke\i386\trap.asm @ 1328]
        007cf674 77f2f1d8 SharedUserData!SystemCallStub+0x4 (FPO: [0,0,0])
        007cf678 7682f536 ntdll!NtOpenFile+0xc (FPO: [6,0,0]) [d:\srv03rtm\base\ntdll\daytona\obj\i386\usrstubs.asm @ 1099]
        007cf6c4 76837870 sfc_os!SfcOpenFile+0x8c (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\fileio.c @ 87]
        007cf6ec 7683297d sfc_os!SfcGetValidationData+0x8b (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2126]
        007cf724 76838b81 sfc_os!SfcRestoreFromCache+0x2fa (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\restore.c @ 1483]
        007cffb8 77e41be7 sfc_os!SfcQueueValidationThread+0x612 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1702]
        007cffec 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]

第五部分:ChangeType=3

Breakpoint 4 hit
sfc_os!SfcQueueValidationRequest:
001b:76838e29 6a1c            push    1Ch
1: kd> dv
         RegVal = 0x01129164
     ChangeType = 3
            vrd = 0x012bfef0
         Status = 0n1988337684
    vrdexisting = 0x012bffdc
