解读 GetCurrentTransaction
每一个从接口派生的类,其对象中对应偏移处保存的值即接口所定义的虚函数表的地址;
类的其他偏移处可能还保存着另外的虚函数表。
能否这样断定,还需要再看更多的构造函数。
从 IRtlSystemIsolationLayer 中找一个最简单的函数GetCurrentTransaction,解读一下:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::GetCurrentTransaction
函数定义:
int __thiscall Windows::Rtl::SystemImplementation::CSystemIsolationLayer::GetCurrentTransaction(
Windows::Rtl::SystemImplementation::CSystemIsolationLayer *this,
void **a2)
具体内容:
// NOTE(review): IDA pseudocode; the numeric literals (offsets) were lost in
// extraction, which is why the loads below read `+ )`.
// Slot +7 of the CSystemIsolationLayer object holds a pointer to the
// CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff sub-object.
// v2 is that tearoff pointer; its first dword (*(_DWORD *)v2) is the vtable,
// which is why v2 is later passed as `this` to the virtual call.
v2 = *((_DWORD *)this + );
// The vtable entry at +12 is GetCurrentTransaction, i.e.
// CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff
// ::GetCurrentThreadTransaction.  v3 receives that function pointer.
v3 = *(int (__thiscall **)(int, void **))(*(_DWORD *)v2 + );
// Control Flow Guard check: the same vtable entry just loaded into v3 is
// handed to the CFG check stub, which validates it as a legitimate
// indirect-call target before the call below is made.  The decompiler
// labelled the stub's target as
//   void Windows::WCP::Implementation::CAllocationPool::DefaultDestructor<
//       Windows::Identity::Rtl::IRtlDefinitionIdentity *>() { ; }
// which looks like a mis-resolved symbol rather than the real callee.  The
// author treats this line as a validation step and omits it in later listings.
__guard_check_icall_fptr(*(_DWORD *)(*(_DWORD *)v2 + ));
// The actual virtual call, with the tearoff object as `this`.
result = v3(v2, a2);
虚函数表 +12 处的函数:
函数定义:
signed int __thiscall Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff::GetCurrentThreadTransaction(
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator_IRtlTransactionCoordinatorTearoff *this,
void **a2)
具体内容:
// Clear the out-parameter before delegating.
// NOTE(review): the literal on the right-hand side was lost in extraction.
*a2 = ;
// The "-1" here was the part the author could not pin down.  What the code
// shows: `this` (the tearoff) is stepped back one pointer slot and the value
// stored there is dereferenced as the owning CRtlTransactionCoordinator —
// presumably a back-pointer to the owner kept just before the tearoff
// sub-object.  TODO confirm against the coordinator's constructor.
// a2 is forwarded unchanged and the callee's status is returned as-is.
result = Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator::GetCurrentThreadTransaction(
*((Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator **)
this - ),
a2);
GetCurrentThreadTransaction 函数:
这是真正核心的函数了。
函数的定义:
__int32 __thiscall
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator::GetCurrentThreadTransaction(
Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *this,
void **a2)
具体内容:
// NOTE(review): IDA pseudocode of the 32-bit build.  Numeric literals
// (offsets, constants, loop conditions) were lost in extraction, and the
// decompiler's control flow is badly mangled here (empty `while ( )` headers,
// gotos into loop bodies, v4/v7/v8/v11 read without a visible assignment).
// The 64-bit listing further down is the readable form of the same routine.
// Initialise locals; v17 keeps the out-parameter, v2 is the result slot.
v17 = a2;
v2 = ;
*a2 = ;
v3 = this;
v16 = ;
// On 32-bit Windows FS points at the current thread's TEB; this reads one
// field of it.  The author was unsure what the offset denotes; given the
// function name it is presumably a per-thread key (thread id or similar)
// used to look up this thread's entry — TODO confirm the TEB offset.
v18 = *(_DWORD *)(__readfsdword() + );
// A CriticalSectionLockGrant is built over the critical section embedded in
// the coordinator at `this + offset` and acquired: the table walk below
// happens under that lock.
v15 = (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)this + );
Windows::Rtl::CriticalSectionLockGrant::Acquire((Windows::Rtl::CriticalSectionLockGrant *)&v15);
// v4 is presumably the status returned by Acquire (the assignment is not
// shown); a non-negative status jumps straight into the lookup.
v5 = v4;
if ( v4 >= )
goto LABEL_5;
v6 = (Windows::Rtl::CriticalSectionLockGrant *)&v15;
// Failure path: release the grant, then either return the failing status or
// raise it as an exception via RtlRaiseStatus.
while ( )
{
Windows::Rtl::CriticalSectionLockGrant::Release(v6);
if ( v7 >= )
return v5;
while ( )
{
RtlRaiseStatus(v7);
// Lookup path (reached via the goto above, lock held).
LABEL_5:
v14 = (int *)v2;
v13 = (int *)((char *)v3 + );
// Iterate the bucket deque of the coordinator's hash table
// (BUCL::CConstDequeIterator over CTable<CPathLockToComponentLockTableTraits>).
BUCL::CConstDequeIterator<BUCL::HashTable::CTable<CPathLockToComponentLockTableTraits>
::CBucket,>::Reset(&v13);
if ( (unsigned __int8)BUCL::CConstDequeIterator<CompilerTransports::CHashElement,>::More(v8) )
{
v9 = v14;
v10 = v18;
// Walk the elements until one whose key field equals the TEB-derived value
// (v10 == v18) is found.  The `v9 != v13 ? v9 + … : …` form looks like the
// decompiler's rendering of a null-guarded container-of adjustment against
// the end sentinel v13.
while ( *(v9 != v13 ? v9 + : ) != v10 )
{
v14 = (int *)*v9;
if ( !(unsigned __int8)BUCL::CConstDequeIterator<CompilerTransports::CHashElement,>::More((int)&v13) )
goto LABEL_11;
}
// Match: take the element's value field (presumably this thread's
// transaction pointer) as the result.
v2 = *(v9 != v13 ? v9 + : );
}
LABEL_11:
// Release the lock; v11 is presumably Release's status (assignment not shown).
Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v15);
v5 = v11;
v6 = (Windows::Rtl::CriticalSectionLockGrant *)&v15;
if ( v11 < )
break;
// Publish the result through the out-parameter (v17 == a2), cleared above.
*v17 = (void *)v2;
// Second Release on the same grant — most likely the grant's destructor
// inlined by the compiler; presumably a no-op on an already-released grant.
// TODO confirm CriticalSectionLockGrant::Release is idempotent.
Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v15);
if ( v7 >= )
return ;
}
}
64 位版本更好理解:
// NOTE(review): IDA pseudocode of the 64-bit build of the same routine.  The
// digits of the `...i64` integer literals and of the offsets were lost in
// extraction (`i64` is IDA's suffix for a 64-bit literal).
// Clear the out-parameter and keep local copies of this/a2; v3 is the result
// slot, initialised to the (lost) literal.
*a2 = i64;
v2 = this;
v3 = i64;
v4 = a2;
// On x64 GS points at the current thread's TEB (MK_FP(__GS__, ...)); this
// reads one TEB field.  The author was unsure of the offset; from the
// function name it is presumably a per-thread key used to find this
// thread's entry — TODO confirm the TEB offset.
v5 = *(_QWORD *)(*MK_FP(__GS__, i64) + i64);
// Lock grant over the critical section embedded in the coordinator; the
// list walk runs under it.  v6 receives Acquire's status but is never
// tested before being overwritten below.
v12 = (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)this + );
v13 = ;
v6 = Windows::Rtl::CriticalSectionLockGrant::Acquire((Windows::Rtl::CriticalSectionLockGrant *)&v12, (__int64)a2);
// Walk a singly-linked list: start at the pointer stored at `v2 + offset`,
// stop on null or when the cursor reaches an address inside the coordinator
// itself (presumably the embedded list head acting as sentinel), and advance
// through each node's first qword (its next-pointer).
for ( i = *((_QWORD *)v2 + );
i
&& (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)i != (Windows::Rtl::SystemImplementation::CRtlTransactionCoordinator *)((char *)v2 + );
i = *(_QWORD *)i )
{
// Node whose key field equals the TEB-derived value v5: take its value
// field (presumably the current thread's transaction) and stop.
if ( *(_QWORD *)(i + ) == v5 )
{
v3 = *(void **)(i + );
break;
}
}
// Release the lock, then publish the result through a2.
v6 = Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v12);
*v4 = v3;
// Second Release on the same grant — most likely the grant's destructor
// inlined; presumably a no-op once already released.  TODO confirm.
v11 = Windows::Rtl::CriticalSectionLockGrant::Release((Windows::Rtl::CriticalSectionLockGrant *)&v12);
// Return a constant status (its literal was lost in extraction).
return i64;