
sfc_os!SfcValidateDLL函数分析之SfcGetValidationData

第一部分:

NTSTATUS
SfcQueueValidationThread(
IN PVOID lpv
)
{


//
// now validate the file
//

                SfcValidateDLL( vrd, hCatAdmin );
vrd->Flags |= VRD_FLAG_REQUEST_PROCESSED;


第二部分:

0: kd> t
Breakpoint 14 hit
sfc_os!SfcValidateDLL:
001b:768378e1 55              push    ebp
0: kd> kc
#
00 sfc_os!SfcValidateDLL
01 sfc_os!SfcQueueValidationThread
02 kernel32!BaseThreadStart
0: kd> kv
# ChildEBP RetAddr  Args to Child              
00 007cf724 76838a3d 012380d0 01c0caf8 00000000 sfc_os!SfcValidateDLL (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 2201]
01 007cffb8 77e41be7 00000000 00000000 00000000 sfc_os!SfcQueueValidationThread+0x4ce (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\subsys\sm\sfc\dll\validate.c @ 1671]
02 007cffec 00000000 7683856f 00000000 00000000 kernel32!BaseThreadStart+0x34 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srv03rtm\base\win32\client\support.c @ 533]


第三部分:

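BOOL
SfcGetValidationData(
    IN PUNICODE_STRING FileName,
    IN PUNICODE_STRING FullPathName,
    IN HANDLE DirHandle,
    IN HCATADMIN hCatAdmin,
    OUT PIMAGE_VALIDATION_DATA ImageValData
    )

/*++

Routine Description:

    Collects the validation data for one protected file: whether the file
    can be opened relative to DirHandle, its version and checksum, and
    whether its signature verifies under the catalog administrator context.

Arguments:

    FileName      - name of the file, relative to DirHandle.

    FullPathName  - full path of the file; passed through to the signature
                    check together with FileName.

    DirHandle     - open handle to the directory that contains the file.

    hCatAdmin     - catalog administrator context used for the signature
                    check. Although asserted non-NULL on entry, it is also
                    tested at run time before the signature check so that a
                    NULL context yields SignatureValid == FALSE rather than
                    a call with an invalid context.

    ImageValData  - receives the results. It is zeroed on entry, so every
                    field reads as 0/FALSE unless this routine sets it.

Return Value:

    Always TRUE. The outcome of the check is reported only through
    ImageValData->FilePresent and ImageValData->SignatureValid; a caller
    must read those fields and must not treat the return value as
    "the file is valid".

--*/

{
    NTSTATUS Status;

    //
    // Start from the failure sentinel so that the checks below never read an
    // indeterminate value if SfcOpenFile fails without writing its out
    // parameter (whether it does is not visible here).
    //
    HANDLE FileHandle = INVALID_HANDLE_VALUE;

    ASSERT((FileName != NULL) && (FileName->Buffer != NULL));
    ASSERT((FullPathName != NULL) && (FullPathName->Buffer != NULL));
    ASSERT(   (DirHandle != NULL)
           && (hCatAdmin != NULL)
           && (ImageValData != NULL) );

    //
    // Every result field defaults to 0/FALSE. A missing file therefore
    // reports FilePresent == FALSE and SignatureValid == FALSE without any
    // further assignment below.
    //
    RtlZeroMemory( ImageValData, sizeof(IMAGE_VALIDATION_DATA) );

    //
    // open the file
    //

    Status = SfcOpenFile( FileName, DirHandle, SHARE_ALL, &FileHandle );
    if (NT_SUCCESS(Status)) {

        ASSERT(FileHandle != INVALID_HANDLE_VALUE);
        ImageValData->FilePresent = TRUE;
        SfcGetFileVersion(FileHandle,
                          &ImageValData->DllVersion,
                          &ImageValData->DllCheckSum,
                          ImageValData->FileName );
    } else {
        //
        // Nothing to do on failure: this is an expected state if the file
        // was just removed. FilePresent and SignatureValid are already
        // FALSE from the RtlZeroMemory above.
        //
        NOTHING;
    }

    //
    // verify the file signature
    //
    // Both "no handle" sentinels are excluded here and again before the
    // close below. Testing only one of them (as in "!= NULL" for the
    // signature check and "!= INVALID_HANDLE_VALUE" for the close) means
    // that, depending on which sentinel SfcOpenFile leaves on failure,
    // either an invalid handle reaches SfcValidateFileSignature or NtClose
    // is called on it.
    //

    if (hCatAdmin && FileHandle != NULL && FileHandle != INVALID_HANDLE_VALUE) {
        ImageValData->SignatureValid = SfcValidateFileSignature(
                                           hCatAdmin,
                                           FileHandle,
                                           FileName->Buffer,
                                           FullPathName->Buffer);
    } else {
        //
        // Redundant with the RtlZeroMemory above, kept so the outcome of the
        // signature check is explicit on every path.
        //
        ImageValData->SignatureValid = FALSE;
    }

    //
    // close the file
    //

    if (FileHandle != NULL && FileHandle != INVALID_HANDLE_VALUE) {
        NtClose( FileHandle );
    }

    return TRUE;
}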

第四部分:

0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!_IMAGE_VALIDATION_DATA *)0x12380e0))
(*((sfc_os!_IMAGE_VALIDATION_DATA *)0x12380e0))                 [Type: _IMAGE_VALIDATION_DATA]
[+0x000] DllVersion       : 0x500020ece0000 [Type: unsigned __int64]
[+0x008] DllCheckSum      : 0xcb39 [Type: unsigned long]
[+0x00c] SignatureValid   : 0 [Type: int]
[+0x010] FilePresent      : 1 [Type: int]
[+0x014] FileName         [Type: unsigned short [32]]
0: kd> dx -id 0,0,ffffffff89ce3d88 -r1 (*((sfc_os!unsigned short (*)[32])0x12380f4))
(*((sfc_os!unsigned short (*)[32])0x12380f4))                 [Type: unsigned short [32]]
[0]              : 0x70 [Type: unsigned short]
[1]              : 0x69 [Type: unsigned short]
[2]              : 0x64 [Type: unsigned short]
[3]              : 0x67 [Type: unsigned short]
[4]              : 0x65 [Type: unsigned short]
[5]              : 0x6e [Type: unsigned short]
[6]              : 0x2e [Type: unsigned short]
[7]              : 0x64 [Type: unsigned short]
[8]              : 0x6c [Type: unsigned short]
[9]              : 0x6c [Type: unsigned short]

0: kd> db 0x12380f4
012380f4  70 00 69 00 64 00 67 00-65 00 6e 00 2e 00 64 00  p.i.d.g.e.n...d.
01238104  6c 00 6c 00 00 00 00 00-00 00 00 00 00 00 00 00  l.l.............

http://www.lryc.cn/news/626221.html
