Reading GetCurrentTransaction
For every class derived from an interface, the value at + is the address of the table of virtual function addresses (the vtable) defined by the interface;
there may be another virtual function address table elsewhere in the class.
Whether that can be stated with certainty also depends on looking at more constructors.
Pick the simplest function in IRtlSystemIsolationLayer, GetCurrentTransaction, and read through it:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::GetCurrentTransaction
Function definition:
int __thiscall Windows::Rtl::SystemImplementation::CSystemIsolationLayer::GetCurrentTransaction(
Windows::Rtl::SystemImplementation::CSystemIsolationLayer *this,
void **a2)
Body:
// Offset +7 of the CSystemIsolationLayer object stores an object:
// CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff
// v2 is that object's virtual function address table
v2 = *((_DWORD *)this + );
// The function at +12 in the address table is GetCurrentTransaction,
// i.e. CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff
// ::GetCurrentThreadTransaction
v3 = *(int (__thiscall **)(int, void **))(*(_DWORD *)v2 + );
// The next statement is a check function (__guard_check_icall_fptr, the Control Flow Guard indirect-call check); it is omitted from here on.
// void
// Windows::WCP::Implementation::CAllocationPool::DefaultDestructor<
// Windows::Identity::Rtl::IRtlDefinitionIdentity *>()
// {
// ;
// }
__guard_check_icall_fptr(*(_DWORD *)(*(_DWORD *)v2 + ));
// The call
result = v3(v2, a2);
The function at + :
Function definition:
signed int __thiscall Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff::GetCurrentThreadTransaction(
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff *this,
void **a2)
Body:
// Zero the output value
*a2 = ;
// The -1 is a tricky point; I can't quite work it out for now.
result = Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator::GetCurrentThreadTransaction(
*((Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator **)
this - ),
a2);
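The dispatch chain read above (interface pointer loaded from the layer, vtable slot taken, guard check, call, then the tearoff recovering its owner through "this - 1") as an added C model; this is not code from the post or from wcp.dll, and the struct layouts, the guard's allow-list and the `demo` helper are assumptions chosen only to reproduce the same access pattern:

```c
#include <stddef.h>
typedef struct Coordinator Coordinator;
typedef struct Vtbl Vtbl;
typedef const Vtbl *const *Iface;   /* an interface pointer points at the object's vtable slot */
struct Vtbl { int (*GetCurrentThreadTransaction)(Iface self, void **out); };
/* Hypothetical layout (not wcp.dll's real one) reproducing the accesses in the post: the tearoff
   keeps its owner pointer just before its vtable slot, so from the interface pointer the owner is
   *((Coordinator **)this - 1); the layer keeps the interface pointer at pointer index 7 ("+7"). */
typedef struct { Coordinator *owner; const Vtbl *vtbl; } Tearoff;
struct Coordinator { void *current_transaction; Tearoff tearoff; };
typedef struct { void *reserved[7]; Iface coordinator; } IsolationLayer;
static int Coordinator_GetCurrentThreadTransaction(Coordinator *c, void **out) {
    *out = c->current_transaction;
    return 0;
}
static int Tearoff_GetCurrentThreadTransaction(Iface self, void **out) {
    *out = NULL;                                       /* "*a2 = 0" in the decompiled tearoff */
    Coordinator *owner = *((Coordinator **)self - 1);  /* the "this - 1" owner recovery */
    return Coordinator_GetCurrentThreadTransaction(owner, out);
}
static const Vtbl g_tearoff_vtbl = { Tearoff_GetCurrentThreadTransaction };
/* Stand-in for __guard_check_icall_fptr: only registered indirect-call targets pass. */
typedef int (*Method)(Iface, void **);
static int guard_check_icall(Method target) {
    static const Method valid[] = { Tearoff_GetCurrentThreadTransaction };
    for (size_t i = 0; i < sizeof valid / sizeof valid[0]; i++)
        if (valid[i] == target) return 1;
    return 0;
}
/* The sequence the post decompiles: load the interface pointer from the layer, take the
   slot from its vtable, run it through the guard, then make the call. */
int IsolationLayer_GetCurrentTransaction(IsolationLayer *layer, void **out) {
    Iface v2 = layer->coordinator;
    Method v3 = (*v2)->GetCurrentThreadTransaction;
    if (!guard_check_icall(v3)) return -1;   /* real CFG fast-fails here instead of returning */
    return v3(v2, out);
}
/* A vtable entry that was never registered as a call target, so the guard rejects it. */
static int rogue(Iface self, void **out) { (void)self; (void)out; return 0; }
static const Vtbl g_rogue_vtbl = { rogue };
/* Build one coordinator/tearoff/layer chain with the given vtable and run the dispatch. */
int demo(const Vtbl *vtbl, void **out) {
    static int txn;                       /* constructed stand-in for a transaction object */
    static Coordinator coord;
    coord.current_transaction = &txn;
    coord.tearoff.owner = &coord;
    coord.tearoff.vtbl = vtbl;
    IsolationLayer layer = { {0}, &coord.tearoff.vtbl };
    return IsolationLayer_GetCurrentTransaction(&layer, out);
}
```

With the genuine vtable the lookup succeeds and returns the coordinator's transaction; with a vtable pointing at an unregistered target the guard stops the indirect call before it happens.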
The GetCurrentThreadTransaction function:
This is the real core function.
Function definition:
__int32 __thiscall
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator::GetCurrentThreadTransaction(
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *this,
void **a2)
Body:
// Initialize variables
v17 = a2;
v2 = ;
*a2 = ;
v3 = this;
v16 = ;
// __readfsdword: offset 6 units further along, then build a variable 9 units in size. Unsure.
v18 = *(_DWORD *)(__readfsdword() + );
v15 = (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)this + );
Windows::Rtl::CriticalSectionLockGrant::Acquire((Windows::Rtl::CriticalSectionLockGrant *)&v15);
v5 = v4;
if ( v4 >= )
goto LABEL_5;
v6 = (Windows::Rtl::CriticalSectionLockGrant *)&v15;
while ( )
{
Windows::Rtl::CriticalSectionLockGrant::Release(v6);
if ( v7 >= )
return v5;
while ( )
{
RtlRaiseStatus(v7);
LABEL_5:
v14 = (int *)v2;
v13 = (int *)((char *)v3 + );
BUCL::CConstDequeIterator<BUCL::HashTable::CTable<CPathLockToComponentLockTableTraits>
::CBucket,>::Reset(&v13);
if ( (unsigned __int8)BUCL::CConstDequeIterator<CompilerTransports::CHashElement,>::More(v8) )
{
v9 = v14;
v10 = v18;
while ( *(v9 != v13 ? v9 + : ) != v10 )
{
v14 = (int *)*v9;
if ( !(unsigned __int8)BUCL::CConstDequeIterator<CompilerTransports::CHashElement,>::More((int)&v13) )
goto LABEL_11;
}
v2 = *(v9 != v13 ? v9 + : );
}
LABEL_11:
Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v15);
v5 = v11;
v6 = (Windows::Rtl::CriticalSectionLockGrant *)&v15;
if ( v11 < )
break;
*v17 = (void *)v2;
Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v15);
if ( v7 >= )
return ;
}
}
The -bit version is easier to understand:
*a2 = i64;
v2 = this;
v3 = i64;
v4 = a2;
// Offset 6 units further along, then build a variable 9 units in size. Unsure.
v5 = *(_QWORD *)(*MK_FP(__GS__, i64) + i64);
v12 = (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)this + );
v13 = ;
v6 = Windows::Rtl::CriticalSectionLockGrant::Acquire((Windows::Rtl::CriticalSectionLockGrant *)&v12, (__int64)a2);
for ( i = *((_QWORD *)v2 + );
i
&& (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)i != (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)v2 + );
i = *(_QWORD *)i )
{
if ( *(_QWORD *)(i + ) == v5 )
{
v3 = *(void **)(i + );
break;
}
}
v6 = Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v12);
*v4 = v3;
v11 = Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v12);
return i64;