Saturday, June 9, 2012

!alpc /lpc

First, this command doesn't work on Vista:

lkd> !object \Sessions\1\Windows\SbApiPort
Object: 89c40ed0  Type: (82b6fed0) ALPC Port
    ObjectHeader: 89c40eb8 (old version)
    HandleCount: 1  PointerCount: 4
    Directory Object: 8fe397e0  Name: SbApiPort
lkd> !alpc /lpc 89c40ed0
Error querying field CommunicationInfo of structure nt!_ALPC_PORT at 89c40ed0
Port @89c40ed0 is not a connection port.

Second, I think it just doesn't work

Vista SP2 32-bit:
lkd> !object \RPC Control\IMpServiceD68DDC3A-831F-4FAE-9E44-DA132C1ACF46
Object: 85592030  Type: (82fbe040) ALPC Port
    ObjectHeader: 85592018 (old version)
    HandleCount: 1  PointerCount: 4
    Directory Object: 87be5f58  Name: IMpServiceD68DDC3A-831F-4FAE-9E44-DA132C1ACF46
lkd> !alpc /lpc 85592030

Port @85592030 has 2 connections

SRV:85593c50 (m:0, p:0, l:0) <-> CLI:85344f08 (m:0, p:0, l:0), Process=854a2418 ('MSASCui.exe')
SRV:851cba40 (m:0, p:0, l:0) <-> CLI:84f543f0 (m:0, p:0, l:0), Process=852d0020 ('svchost.exe')

OK, let's check:
lkd> dt _ALPC_PORT 85592030
   +0x000 PortListEntry    : _LIST_ENTRY [ 0x85344f08 - 0x85590b30 ]
   +0x008 CommunicationInfo : 0x903ebd80 _ALPC_COMMUNICATION_INFO
   +0x00c OwnerProcess     : 0x852d0020 _EPROCESS
   +0x010 SequenceNo       : 0

lkd> dt _ALPC_COMMUNICATION_INFO 0x903ebd80
   +0x000 ConnectionPort   : 0x85592030 _ALPC_PORT
   +0x004 ServerCommunicationPort : (null)
   +0x008 ClientCommunicationPort : (null)
   +0x00c CommunicationList : _LIST_ENTRY [ 0x920c9204 - 0x94132ecc ]
   +0x014 HandleTable      : _ALPC_HANDLE_TABLE

The next _ALPC_COMMUNICATION_INFO is located at 0x920c9204 - 0xC = 0x920c91f8 (CommunicationList sits at offset 0xC, so subtract it from the Flink value to get the containing structure):

lkd> dt _ALPC_COMMUNICATION_INFO 0x920c91f8
   +0x000 ConnectionPort   : 0x85592030 _ALPC_PORT
   +0x004 ServerCommunicationPort : 0x85593c50 _ALPC_PORT
   +0x008 ClientCommunicationPort : 0x85344f08 _ALPC_PORT
   +0x00c CommunicationList : _LIST_ENTRY [ 0x903ebd8c - 0x920c9204 ]
   +0x014 HandleTable      : _ALPC_HANDLE_TABLE

The next _ALPC_COMMUNICATION_INFO would be at 0x903ebd8c - 0xC = 0x903ebd80, but that is the address of the _ALPC_COMMUNICATION_INFO of our port 85592030 (the list head), so this was the last entry.

So where did kdexts.dll get 851cba40 & 84f543f0 for the second client's connection?
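The manual walk above can be automated. This added Python example (not code from the post or from kdexts.dll) follows CommunicationInfo->CommunicationList by Flink, recovers each record with CONTAINING_RECORD (entry minus 0xC, the CommunicationList offset shown by dt), and flags any Blink that does not point back. The Memory class, walk_alpc_connections and build_page_image are hypothetical helpers, and the memory image is constructed from the dumps above.

```python
import struct

# 32-bit Vista field offsets, taken from the `dt` output above
PORT_COMMUNICATION_INFO = 0x08    # _ALPC_PORT.CommunicationInfo
CI_SERVER_PORT = 0x04             # _ALPC_COMMUNICATION_INFO.ServerCommunicationPort
CI_CLIENT_PORT = 0x08             # _ALPC_COMMUNICATION_INFO.ClientCommunicationPort
CI_COMMUNICATION_LIST = 0x0C      # _ALPC_COMMUNICATION_INFO.CommunicationList {Flink, Blink}

class Memory:
    """Hypothetical little-endian 32-bit memory image: base address -> raw bytes."""
    def __init__(self):
        self.chunks = {}
    def write_u32s(self, addr, values):
        self.chunks[addr] = struct.pack("<%dI" % len(values), *values)
    def read_u32(self, addr):
        for base, data in self.chunks.items():
            if base <= addr and addr + 4 <= base + len(data):
                return struct.unpack_from("<I", data, addr - base)[0]
        raise ValueError("unmapped address 0x%08x" % addr)

def walk_alpc_connections(mem, port, max_entries=1024):
    """Walk CommunicationInfo->CommunicationList by Flink; return (connections, warnings)."""
    head = mem.read_u32(port + PORT_COMMUNICATION_INFO) + CI_COMMUNICATION_LIST
    conns, warnings, seen = [], [], set()
    prev, entry = head, mem.read_u32(head)            # head.Flink
    while entry != head:
        if entry in seen or len(conns) >= max_entries:  # guard against a corrupt/cyclic list
            raise ValueError("CommunicationList loop or corruption at 0x%08x" % entry)
        seen.add(entry)
        if mem.read_u32(entry + 4) != prev:           # entry.Blink must point back at prev
            warnings.append("Blink of 0x%08x is not 0x%08x" % (entry, prev))
        info = entry - CI_COMMUNICATION_LIST          # CONTAINING_RECORD: entry - 0xC
        conns.append((mem.read_u32(info + CI_SERVER_PORT), mem.read_u32(info + CI_CLIENT_PORT)))
        prev, entry = entry, mem.read_u32(entry)      # advance to the next Flink
    last_blink = mem.read_u32(head + 4)               # head.Blink should be the last record
    if last_blink != prev:
        warnings.append("head Blink 0x%08x is not last entry 0x%08x" % (last_blink, prev))
    return conns, warnings

def build_page_image():
    """Constructed image reproducing the dumps above (all field values from the page)."""
    mem = Memory()
    # _ALPC_PORT 85592030: PortListEntry {Flink, Blink}, CommunicationInfo, OwnerProcess, SequenceNo
    mem.write_u32s(0x85592030, [0x85344f08, 0x85590b30, 0x903ebd80, 0x852d0020, 0])
    # head _ALPC_COMMUNICATION_INFO 903ebd80: ConnectionPort, Server, Client, Flink, Blink
    mem.write_u32s(0x903ebd80, [0x85592030, 0, 0, 0x920c9204, 0x94132ecc])
    # record 920c91f8, whose CommunicationList entry sits at 920c9204
    mem.write_u32s(0x920c91f8, [0x85592030, 0x85593c50, 0x85344f08, 0x903ebd8c, 0x920c9204])
    return mem
```

On the constructed image the forward walk reaches only the 85593c50 <-> 85344f08 pair, and the Blink check reports that the Blink values in the dumps do not agree with the Flink chain.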
