// Decompiler (IDA-style) listing of CExposedStream::MarshalInterface, an
// IMarshal::MarshalInterface implementation. Reviewer notes on the listing:
//  - `that` aliases `this`. The compiled code reuses several parameter slots as
//    scratch storage, and the decompiler shows that literally: `&this` and
//    `&pvDestContext` receive the LPMARSHAL from CoGetStandardMarshal,
//    `&mshlflags`, `&riid`, `&pv` and `&CBasedGlobalContextObjIUnkownRef` are
//    handed to the "General" constructor as an IUnknown* out-slot, and
//    `&dwDestContext` receives the byte count from pstStm->Write. Read later
//    uses of those names with that in mind.
//  - Three paths after validation: a dwDestContext other than 0 / 3
//    (MSHCTX_LOCAL / MSHCTX_INPROC) delegates entirely to the standard
//    marshaler; context 0/3 with a non-null pvDestContext fails with
//    0x80030057 (STG_E_INVALIDPARAMETER); otherwise the standard marshaler's
//    output is followed by a custom 52-byte (0x34) SDfMarshalPacket.
//  - Security note: that packet carries process-internal state — pointers
//    rebased against *NtCurrentTeb()->ReservedForOle, a shared-memory handle
//    (hMem), a heap name and the calling process id. Nothing here
//    authenticates those fields, so whatever unmarshals the packet (not
//    shown) has to validate every one of them as untrusted input.
//  - Returns 0 (S_OK) or a failure HRESULT; `smh` is constructed on entry and
//    destroyed on every exit path. Validate is called on `that - 4`,
//    presumably a base-subobject adjustment — confirm against the class layout.
HRESULT __stdcall CExposedStream::MarshalInterface(CExposedStream *this, IStream *pstStm, _GUID *riid, void *pv, unsigned int dwDestContext, void *pvDestContext, unsigned int mshlflags)
{
  CExposedStream *that; // esi
  HRESULT hrFinal; // edi
  unsigned int dwDestContextRef; // ebx
  CMStream *CMStreamTemp; // eax
  CBasedPubStreamPtr CBasedPubStreamObj_Out; // eax
  CBasedPubStreamPtr CDFBasisObjTemp; // ST18_4
  unsigned int *RefCDFBasisObjTemp_Out; // eax
  CBasedDFBasisPtr CSeekPointerObjTemp; // ST18_4
  CSharedMemoryBlock *v15; // eax
  void *v16; // eax
  unsigned int Pid; // eax
  CPerContext *CPerContextObjTemp; // esi
  IUnknownVtbl *CBasedGlobalFileStreamObjRef; // eax
  CGlobalFileStream *CBasedGlobalFileStreamObjDirty; // eax
  SDfMarshalPacket SDfMarshalPacketCurrent; // [esp+8h] [ebp-40h]
  CSafeMultiHeap smh; // [esp+3Ch] [ebp-Ch]
  CBasedDeltaListPtr CBasedGlobalContextObjIUnkownRef; // [esp+44h] [ebp-4h]

  that = this;
  // Heap guard is constructed here and torn down before every return below.
  CSafeMultiHeap::CSafeMultiHeap(&smh, this->CPerContextObj);
  hrFinal = CExposedStream::Validate((CExposedStream *)((char *)that - 4));
  if ( hrFinal >= 0 )
  {
    // Bit 0x20 of the pub-stream config makes marshaling fail with
    // 0x80030102 (STG_E_REVERTED).
    hrFinal = (that->CPubStreamObj->_UnmarshalOriginalConfig & 0x20) != 0 ? 0x80030102 : 0;
    if ( hrFinal >= 0 )
    {
      dwDestContextRef = dwDestContext;
      if ( dwDestContext && dwDestContext != 3 )
      {
        // Not local/in-proc: hand the whole job to the standard marshaler.
        // NOTE: `this` is overwritten with the LPMARSHAL from here on.
        hrFinal = CoGetStandardMarshal(riid, (LPUNKNOWN)pv, dwDestContext, pvDestContext, mshlflags, (LPMARSHAL *)&this);
        if ( hrFinal >= 0 )
        {
          hrFinal = this->baseMarshalStream._SelfMarshalVtbl->MarshalInterface(
                      (IUnknown *)this,
                      pstStm,
                      riid,
                      pv,
                      dwDestContextRef,
                      pvDestContext,
                      mshlflags);
          // Released regardless of the MarshalInterface result.
          ((void (__stdcall *)(CExposedStream *))this->baseMarshalStream.vfptr->Release)(this);
        }
      }
      else if ( pvDestContext )
      {
        // 0x80030057 (STG_E_INVALIDPARAMETER): no dest context allowed here.
        hrFinal = -2147286953;
      }
      else
      {
        hrFinal = StartMarshal(pstStm, riid, &IID_IStream, mshlflags);
        if ( hrFinal >= 0 )
        {
          // NOTE: `pvDestContext` (null at this point) is reused as the
          // LPMARSHAL out-slot and is the marshaler pointer from here on.
          hrFinal = CoGetStandardMarshal(
                      riid,
                      (LPUNKNOWN)pv,
                      dwDestContextRef,
                      0,
                      mshlflags,
                      (LPMARSHAL *)&pvDestContext);
          if ( hrFinal >= 0 )
          {
            // Vtable call through offsetof(IMyMarshalVtbl, MarshalInterface).
            hrFinal = (*(int (__stdcall **)(void *, IStream *, _GUID *, void *, unsigned int, _DWORD, unsigned int))(*(_DWORD *)pvDestContext + offsetof(IMyMarshalVtbl, MarshalInterface)))(
                        pvDestContext,
                        pstStm,
                        riid,
                        pv,
                        dwDestContextRef,
                        0,
                        mshlflags);
            // Released regardless of the MarshalInterface result.
            (*(void (__stdcall **)(void *))(*(_DWORD *)pvDestContext + offsetof(IMyMarshalVtbl, Release)))(pvDestContext);
            if ( hrFinal >= 0 )
            {
              // Build the 52-byte packet that follows the standard marshal data.
              memset(&SDfMarshalPacketCurrent, 0, 0x34u);
              // This is really the marshal list; GetHead returns its head
              // (i.e. the first entry).
              CMStreamTemp = CUpdateList::GetHead((CHandle *)&that->baseCDeltaListclassObj);
              // Stored as a "based" pointer: absolute pointer minus the OLE
              // base kept in the TEB's ReservedForOle slot; 0 stays 0.
              SDfMarshalPacketCurrent.CBasedMarshalListObj._SelftobjectPtr = (unsigned int)(CMStreamTemp ? (CMStream *)((char *)CMStreamTemp - *(_DWORD *)NtCurrentTeb()->ReservedForOle) : 0);
              // Note: this call goes through the general object-construction
              // helper to build the based CBasedPubStreamObj; first use of the
              // general constructor, producing CBasedPubStreamObj_Out.
              // (`&mshlflags` is reused as the IUnknown* out-slot.)
              CBasedPubStreamObj_Out._SelftobjectPtr = CBasedPubDocFile_Stream_General::CBasedPubDocFile_Stream_General((IUnknown *)&mshlflags, that->CPubStreamObj);
              // Take CDFBasisObjTemp from this.
              CDFBasisObjTemp._SelftobjectPtr = (unsigned int)that->CDFBasisObj;
              // The BasedPubStream stored into the packet here is in fact the
              // same object.
              SDfMarshalPacketCurrent.CBasedPubStreamObj._SelftobjectPtr = *(_DWORD *)CBasedPubStreamObj_Out._SelftobjectPtr;
              // First run CDFBasisObjTemp through the general wrapper to get
              // its output, then fill the packet field from it.
              // (`&riid` is reused as the out-slot.)
              RefCDFBasisObjTemp_Out = (unsigned int *)CBasedPubDocFile_Stream_General::CBasedPubDocFile_Stream_General((IUnknown *)&riid, (void *)CDFBasisObjTemp._SelftobjectPtr);
              // CSeekPointerObjTemp is loaded from this->CSeekPointerObj and
              // then used in two places.
              CSeekPointerObjTemp._SelftobjectPtr = (unsigned int)that->CSeekPointerObj;
              // First place: the packet's CBasedDFBasisObj comes from the
              // general wrapper's result for CBasedPubStreamObj.
              SDfMarshalPacketCurrent.CBasedDFBasisObj._SelftobjectPtr = *RefCDFBasisObjTemp_Out;
              // Second place: this is really the eax returned by the general
              // wrapper (`&pv` reused as the out-slot).
              SDfMarshalPacketCurrent.CBasedSeekPointerObj._SelftobjectPtr = *(_DWORD *)CBasedPubDocFile_Stream_General::CBasedPubDocFile_Stream_General(
                                                                                (IUnknown *)&pv, // general wrapper called in between
                                                                                (void *)CSeekPointerObjTemp._SelftobjectPtr);
              // CPerContextObj is stored directly into the packet, then its
              // global context is passed through the general wrapper.
              SDfMarshalPacketCurrent.CPerContextObj = that->CPerContextObj;
              // TODO: is the wrapped result the same thing as
              // CBasedGlobalContextObjIUnkownRefOut? Need to check where
              // CBasedGlobalContextObjIUnkownRef comes from.
              SDfMarshalPacketCurrent.CBasedGlobalContextObj._SelftobjectPtr = *(_DWORD *)CBasedPubDocFile_Stream_General::CBasedPubDocFile_Stream_General((IUnknown *)&CBasedGlobalContextObjIUnkownRef, SDfMarshalPacketCurrent.CPerContextObj->CGlobalContextPtr);
              // Shared-memory allocator identity (heap name + block handle)
              // goes into the packet; hMem is 0 when there is no block.
              SDfMarshalPacketCurrent.ulHeapName = GetTlsSmAllocator()->_ulHeapName;
              v15 = GetTlsSmAllocator()->CSharedMemoryBlockObj;
              v16 = v15 ? v15->_hMem : 0;
              SDfMarshalPacketCurrent.hMem = v16;
              // The current process id is also written into the packet.
              Pid = GetCurrentProcessId();
              CPerContextObjTemp = that->CPerContextObj;
              SDfMarshalPacketCurrent.ProcessContextId = Pid;
              // Below: fill the global file-stream fields (both rebased
              // against the TEB ReservedForOle base, 0 stays 0).
              CBasedGlobalFileStreamObjRef = CPerContextObjTemp->_LockBytesBasePtr[6].vfptr;
              SDfMarshalPacketCurrent.CBasedGlobalFileStreamObj._SelftobjectPtr = (unsigned int)(CBasedGlobalFileStreamObjRef ? (IUnknownVtbl *)((char *)CBasedGlobalFileStreamObjRef - *(_DWORD *)NtCurrentTeb()->ReservedForOle) : 0);
              CBasedGlobalFileStreamObjDirty = CPerContextObjTemp->_CFileStreamDirtyPtr->_CGlobalFileStreamPtr;
              SDfMarshalPacketCurrent.CBasedGlobalFileStreamDirty._SelftobjectPtr = (unsigned int)(CBasedGlobalFileStreamObjDirty ? (CGlobalFileStream *)((char *)CBasedGlobalFileStreamObjDirty - *(_DWORD *)NtCurrentTeb()->ReservedForOle) : 0);
              // `&dwDestContext` is reused as the cbWritten out-parameter; a
              // short write is reported as 0x8003001D (STG_E_WRITEFAULT).
              hrFinal = pstStm->_SelfStreamVtbl->Write(pstStm, &SDfMarshalPacketCurrent, 52u, &dwDestContext);
              if ( hrFinal >= 0 && dwDestContext != 52 )
                hrFinal = -2147287011;
            }
          }
        }
      }
    }
  }
  CSafeMultiHeap::~CSafeMultiHeap(&smh);
  return hrFinal;
}
费了九牛二虎之力,终于解出CExposedStream::MarshalInterface正确逆向结果
转载自blog.csdn.net/oshuangyue12/article/details/80146799