Life
It snowed today. I didn't go down, but I hear it was beautiful all the same.
A typical call stack
Below is a typical RPC call stack, taken on a thread in wpncore. Read from the bottom up: frames 38 to 1b are the server side, an incoming LRPC request arriving over ALPC, picked up by the thread pool, dispatched by rpcrt4 (LRPC_ADDRESS / LRPC_SCALL) through the NDR stub into wpncore!AppEndpoint::RemoveToastFeedbackCallback. Frames 1a to 00 are that handler making an outbound COM QueryInterface on a remote object, which combase turns into a new LRPC call on the same thread.
0:003> kv
# Child-SP RetAddr : Args to Child : Call Site
00 000000c8`0857c288 00007ffb`0a521344 : 000000c8`0857c390 0000020e`ead51280 00000000`00000001 000000c8`0857c579 : ntdll!NtAlpcSendWaitReceivePort+0x14
01 000000c8`0857c290 00007ffb`0a5207e6 : 00000000`ead17000 0000020e`ee129860 0000020e`ead51280 0000020e`eaefb480 : rpcrt4!LRPC_BASE_CCALL::DoSendReceive+0x154
02 000000c8`0857c3d0 00007ffb`0a534c5e : 0000020e`ee129b48 00000000`00000000 0000020e`eaefb480 000000c8`0857c8e8 : rpcrt4!LRPC_CCALL::SendReceive+0x76
03 000000c8`0857c4c0 00007ffb`093da61d : 00000000`00b031c2 346dc5d6`3886594b 0000020e`ead86d40 00000000`00000003 : rpcrt4!I_RpcSendReceive+0x4e
04 000000c8`0857c4f0 00007ffb`093e6d4a : 0000020e`ead511f0 00000000`00000720 00000000`00b031c2 346dc5d6`3886594b : combase!CMessageCall::RpcSendRequestReceiveResponse+0xfd [onecore\com\combase\dcomrem\call.cxx @ 4285]
05 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!ThreadSendReceive+0x16a (Inline Function @ 00007ffb`093e6d4a) [onecore\com\combase\dcomrem\channelb.cxx @ 7332]
06 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!CSyncClientCall::SwitchAptAndDispatchCall+0x203 (Inline Function @ 00007ffb`093e6d4a) [onecore\com\combase\dcomrem\channelb.cxx @ 5785]
07 000000c8`0857c710 00007ffb`0942e47b : 00000000`00000000 0000020e`ee126c20 0000020e`ead511f0 0000020e`ead865f0 : combase!CSyncClientCall::SendReceive2+0x3ea [onecore\com\combase\dcomrem\channelb.cxx @ 5347]
08 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!SyncClientCallRetryContext::SendReceiveWithRetry+0x2f (Inline Function @ 00007ffb`0942e47b) [onecore\com\combase\dcomrem\callctrl.cxx @ 1503]
09 000000c8`0857cb50 00007ffb`0942df63 : 0000020e`ead865f0 000000c8`0857cc80 0000020e`ee126c20 0000020e`ea1e6460 : combase!CSyncClientCall::SendReceiveInRetryContext+0x5b [onecore\com\combase\dcomrem\callctrl.cxx @ 581]
0a (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!DefaultSendReceive+0x3c (Inline Function @ 00007ffb`0942df63) [onecore\com\combase\dcomrem\callctrl.cxx @ 539]
0b 000000c8`0857cb80 00007ffb`094410c3 : 00007ffb`096383a8 00007ffb`0943fed7 00007ffb`09620940 0000020e`ead59a48 : combase!CSyncClientCall::SendReceive+0x283 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 802]
0c (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!CClientChannel::SendReceive+0x49 (Inline Function @ 00007ffb`094410c3) [onecore\com\combase\dcomrem\ctxchnl.cxx @ 674]
0d 000000c8`0857ccf0 00007ffb`0a5b7a91 : 00000000`00000000 0000020e`00000000 0000020e`ee126c20 00007ffb`09604f00 : combase!NdrExtpProxySendReceive+0xb3 [onecore\com\combase\ndr\ndrole\proxy.cxx @ 1899]
0e 000000c8`0857cd40 00007ffb`0943efb6 : 00007ffb`09620940 00000000`00000000 00000000`00000000 00000000`00000001 : rpcrt4!NdrpClientCall3+0x431
0f 000000c8`0857d0b0 00007ffb`095c5572 : 00000000`00000000 00000000`00000405 00000000`00000000 000000c8`0857d500 : combase!ObjectStublessClient+0x146 [onecore\com\combase\ndr\ndrole\amd64\stblsclt.cxx @ 366]
10 000000c8`0857d440 00007ffb`09515c2d : 0000020e`ead59a48 000000c8`0857d4e8 00000000`00000005 00000000`00000001 : combase!ObjectStubless+0x42 [onecore\com\combase\ndr\ndrole\amd64\stubless.asm @ 176]
11 000000c8`0857d490 00007ffb`094ea913 : 0000020e`ee13b628 00007ffb`093dc062 000000c8`0857d5f0 00007ffb`0950a8e0 : combase!CStdMarshal::Begin_RemQIAndUnmarshal1+0xd5 [onecore\com\combase\dcomrem\marshal.cxx @ 6036]
12 000000c8`0857d540 00007ffb`094ea889 : 000000c8`0857d5f0 000000c8`0857d6c0 0000020e`ee13b628 0000020e`ee13b628 : combase!CStdMarshal::Begin_RemQIAndUnmarshal+0x53 [onecore\com\combase\dcomrem\marshal.cxx @ 5946]
13 000000c8`0857d580 00007ffb`094e9a66 : 000000c8`0857d5f0 000000c8`0857d650 0000020e`ee13b628 00000000`00000001 : combase!CStdMarshal::Begin_QueryRemoteInterfaces+0x69 [onecore\com\combase\dcomrem\marshal.cxx @ 5824]
14 000000c8`0857d5c0 00007ffb`0942b54c : 000000c8`0857d6b0 0000020e`ee13b620 000000c8`0857d798 000000c8`0857d6d8 : combase!CStdMarshal::QueryRemoteInterfaces+0xea [onecore\com\combase\dcomrem\marshal.cxx @ 5802]
15 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!CStdIdentity::CInternalUnk::QueryMultipleInterfacesWithCallerAddress+0x1d9 (Inline Function @ 00007ffb`0942b54c) [onecore\com\combase\dcomrem\stdid.cxx @ 721]
16 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!CStdIdentity::CInternalUnk::QueryInterfaceWithCallerAddress+0x1ef (Inline Function @ 00007ffb`0942b54c) [onecore\com\combase\dcomrem\stdid.cxx @ 417]
17 000000c8`0857d680 00007ffa`dd82a698 : 000000c8`0857d798 0000020e`ead59e38 00007ffb`095e32f0 0000020e`ead1a630 : combase!CStdIdentity::CInternalUnk::QueryInterface+0x21c [onecore\com\combase\dcomrem\stdid.cxx @ 408]
18 000000c8`0857d740 00007ffa`dd881ba6 : 0000020e`ead1a630 000000c8`0857d828 0000020e`ea000340 0000020e`ea004a40 : wpncore!Microsoft::WRL::ComPtr<IWpnToastFeedback>::As<IWpnToastFeedback2>+0x38
19 000000c8`0857d770 00007ffa`dd881707 : 0000020e`ead1a660 00007ffb`08e2366b 0000020e`ead1a630 0000020e`ead1a660 : wpncore!<lambda_b2af4e63f830acbf9f6f28620f2faeaa>::operator()+0x5e
1a 000000c8`0857d7d0 00007ffa`dd80dcc1 : 0000020e`ea19cb28 0000020e`ea19cae8 0000020e`ea19cae8 000000c8`0857d890 : wpncore!std::find_if<std::_Vector_iterator<std::_Vector_val<std::_Simple_types<RunningApps::ToastFeedbackCallback> > >,<lambda_b2af4e63f830acbf9f6f28620f2faeaa> >+0x2f
1b 000000c8`0857d800 00007ffa`dd80db52 : 00000003`00000000 00000000`00000000 0000020e`ee1fb8b0 00007ffb`0a5b3616 : wpncore!RunningApps::RemoveCallbackForToast+0xf9
1c 000000c8`0857d870 00007ffb`0a5b3663 : 00000000`00000003 000000c8`0857dce8 0000020e`ea6ef06c 0000020e`ea17cc20 : wpncore!AppEndpoint::RemoveToastFeedbackCallback+0x92
1d 000000c8`0857d8b0 00007ffb`0a5b570e : 00007ffa`f85a8390 000000c8`0857dfd0 0000020e`ee130bf0 00000000`00000000 : rpcrt4!Invoke+0x73
1e 000000c8`0857d910 00007ffb`0a4f6c50 : 0000cbe0`41d931d4 0000020e`ea004740 0000020e`ea004740 0000020e`ea004740 : rpcrt4!Ndr64StubWorker+0x6ee
1f 000000c8`0857df20 00007ffb`0940ac1d : 00000000`00000000 000000c8`0857e130 00007ffa`f85a3360 00000000`00000000 : rpcrt4!NdrStubCall3+0xc0
20 000000c8`0857df90 00007ffb`0940ab5b : 00000000`00000001 0000020e`ee130bf0 0000020e`eaeb01c0 00007ffb`00000003 : combase!CStdStubBuffer_Invoke+0x7d [onecore\com\combase\ndr\ndrole\stub.cxx @ 1413]
21 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_c9f3956a20c9da92a64affc24fdd69ec>::operator()+0x26 (Inline Function @ 00007ffb`0940ab5b) [onecore\com\combase\dcomrem\channelb.cxx @ 1162]
22 000000c8`0857dfd0 00007ffb`0940a0d6 : 0000020e`00000000 000000c8`0857e0e0 000000c8`0857e078 0000020e`00000000 : combase!ObjectMethodExceptionHandlingAction<<lambda_c9f3956a20c9da92a64affc24fdd69ec> >+0x47 [onecore\com\combase\dcomrem\excepn.hxx @ 94]
23 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!InvokeStubWithExceptionPolicyAndTracing+0x182 (Inline Function @ 00007ffb`0940a0d6) [onecore\com\combase\dcomrem\channelb.cxx @ 1160]
24 000000c8`0857e030 00007ffb`09409721 : 0000020e`ee1fac80 000000c8`0857e280 0000020e`ee136530 00000000`80004021 : combase!DefaultStubInvoke+0x376 [onecore\com\combase\dcomrem\channelb.cxx @ 1229]
25 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!SyncStubCall::Invoke+0x7 (Inline Function @ 00007ffb`09409721) [onecore\com\combase\dcomrem\channelb.cxx @ 1286]
26 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!SyncServerCall::StubInvoke+0x35 (Inline Function @ 00007ffb`09409721) [onecore\com\combase\dcomrem\ServerCall.hpp @ 790]
27 000000c8`0857e1f0 00007ffb`094795d6 : 00000000`00000000 0000020e`ee1fac80 000000c8`0857e440 00007ffb`094174e4 : combase!StubInvoke+0x321 [onecore\com\combase\dcomrem\channelb.cxx @ 1495]
28 000000c8`0857e340 00007ffb`093df51a : 000000c8`00000003 0000020e`ee130b60 00000000`00000000 0000020e`ea6ef008 : combase!ServerCall::ContextInvoke+0x2c6 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1438]
29 000000c8`0857e570 00007ffb`093e4988 : 00000000`00001802 000000c8`0857e610 00000000`00000000 00007ffb`093e4585 : combase!DefaultInvokeInApartment+0x8a [onecore\com\combase\dcomrem\callctrl.cxx @ 3256]
2a 000000c8`0857e5a0 00007ffb`094140d3 : 00000000`00000000 00000000`00000000 0000020e`ead865f0 00000000`00000000 : combase!ComInvokeWithLockAndIPID+0xcf8 [onecore\com\combase\dcomrem\channelb.cxx @ 2163]
2b (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!ThreadInvokeReturnHresult+0xeb (Inline Function @ 00007ffb`094140d3) [onecore\com\combase\dcomrem\channelb.cxx @ 6994]
2c 000000c8`0857e880 00007ffb`0a5680f7 : 0000020e`ead719b0 00007ffb`0a533500 0000de88`a15f8501 00007ffb`0a534800 : combase!ThreadInvoke+0x103 [onecore\com\combase\dcomrem\channelb.cxx @ 7094]
2d 000000c8`0857e940 00007ffb`0a531ab4 : 000000c8`0857eab0 00000000`00000001 000000c8`0857eaf0 00007ffb`0b4e9be9 : rpcrt4!DispatchToStubInCNoAvrf+0x17
2e 000000c8`0857e990 00007ffb`0a53287a : 000000c8`0857eb60 00000000`00000001 000000c8`00000000 0000020e`ead71860 : rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x194
2f 000000c8`0857ea60 00007ffb`0a51fc54 : 0000020e`00000000 5ac08760`00000000 0000020e`ead71860 001f0000`00020000 : rpcrt4!LRPC_SCALL::DispatchRequest+0x85a
30 000000c8`0857eed0 00007ffb`0a53001c : 0000020e`ee1fb640 00000000`00000000 0000020e`ea6eef80 00000000`00000000 : rpcrt4!LRPC_SCALL::QueueOrDispatchCall+0xe4
31 000000c8`0857f090 00007ffb`0a53601c : 0000020e`ead71860 0000020e`ead71860 0000020e`ead71860 0000020e`eae630d0 : rpcrt4!LRPC_SCALL::HandleRequest+0x2bc
32 000000c8`0857f210 00007ffb`0a5351a3 : 0000020e`ea6eef80 0000020e`ea6eef80 00000000`00000000 0000020e`ea157250 : rpcrt4!LRPC_ADDRESS::HandleRequest+0x3ac
33 000000c8`0857f2f0 00007ffb`0a534148 : 0000020e`ea10c4c0 00000000`00000000 0000020e`ea157358 000000c8`0857fa88 : rpcrt4!LRPC_ADDRESS::ProcessIO+0x2f3
34 000000c8`0857f660 00007ffb`0b437ffe : 000000c8`0857f810 000000c8`00000000 00000098`00010010 00000000`00000000 : rpcrt4!LrpcIoComplete+0xc8
35 000000c8`0857f780 00007ffb`0b436123 : 00000000`00000016 00000000`00000000 0000020e`ea1ef420 00000000`00000000 : ntdll!TppAlpcpExecuteCallback+0x44e
36 000000c8`0857f8f0 00007ffb`09c8e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x563
37 000000c8`0857fc50 00007ffb`0b44c53c : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : kernel32!BaseThreadInitThunk+0x17
38 000000c8`0857fc80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c
The key frame is rpcrt4!LRPC_SCALL::HandleRequest+0x2bc. HandleRequest is a member function, so its first argument (the this pointer, passed in rcx) is the LRPC_SCALL object for the call being served. One caveat: on x64 the "Args to Child" columns of kv are the four register home slots on the stack, which a callee is not obliged to fill, so the values can be stale; here the same pointer, 0000020e`ead71860, appears three times in the frame, which is a good sign, but confirm with .frame /r or dv when private symbols allow it. Dump the memory at that first argument with the following command:
0:003> dq 0000020e`ead71860 L50
0000020e`ead71860 00007ffb`0a5c0850 00002000`89abcdef
0000020e`ead71870 202c5d74`00000001 00000000`00000000
0000020e`ead71880 2e5d6174`61445b20 00000000`00000000
0000020e`ead71890 565b2e5d`00000000 5246205d`65756c61
0000020e`ead718a0 43454c45`53284d4f 495b2e5d`4e5b2054
0000020e`ead718b0 2e5d485b`202c5d64 7972616d`6972505b
0000020e`ead718c0 5d4e5b20`2c5d6449 2c5d6570`79545b2e
0000020e`ead718d0 61505b2e`00000001 0000020e`ead718f0
0000020e`ead718e0 0000020e`ead71910 5b2e5d4e`00000004
0000020e`ead718f0 00000000`00000000 00000000`00000000
0000020e`ead71900 00000000`00000000 00000000`00000000
0000020e`ead71910 00000000`00000000 00000000`00000000
0000020e`ead71920 00000000`00000000 00000000`00000000
0000020e`ead71930 00000000`00000000 00000000`00000000
0000020e`ead71940 0000020e`ea6eefe8 79546461`00018000
0000020e`ead71950 00000000`00000000 0000020e`ead71968
0000020e`ead71960 00000000`00000004 00000000`00000000
0000020e`ead71970 00000000`00000000 00000000`00000000
0000020e`ead71980 00000000`00000000 00000000`00000000
0000020e`ead71990 0000020e`eae630d0 0000020e`eaeb0380
0000020e`ead719a0 00000000`00000000 646e6148`6e6f6974
0000020e`ead719b0 0000020e`ead71860 5b204e4f`00000010
0000020e`ead719c0 0000020e`ea6eefe8 0000002f`00000094
0000020e`ead719d0 00007ffa`f85a7600 0000020e`ee1e8140
0000020e`ead719e0 0000020e`ead71a00 00000000`00000000
0000020e`ead719f0 5d6c6c41`5b205341 554f2054`00001000
0000020e`ead71a00 4e494f4a`00000010 0000020e`ea6eefe8
0000020e`ead71a10 00000000`00000000 0000020e`ea6eef80
0000020e`ead71a20 0000020e`ea6fbb80 00000000`00000000
0000020e`ead71a30 00000000`00000000 00000000`00000000
0000020e`ead71a40 6e6f6974`61636966 20544645`4c5d6449
0000020e`ead71a50 00000000`00002924 00000000`0000a300
In the last row, 0000020e`ead71a50 00000000`00002924 00000000`0000a300, you can see the caller's PID and TID: PID 0x2924 (10532) at offset 0x1f0 and TID 0xa300 (41728) at offset 0x1f8 (0000020e`ead71a50 minus 0000020e`ead71860 is 0x1f0). On my Windows 11 x64 system the offset is about 0x1f0. LRPC_SCALL is an internal rpcrt4 class with no public type information, so dt will not resolve it with public symbols and the offset has to be re-derived on any other rpcrt4 build. Two cheap sanity checks on the dump itself: the first qword, 00007ffb`0a5c0850, lies in the same 00007ffb`0a5xxxxx range as the rpcrt4 return addresses in the stack, which is what you expect of a vtable pointer (ln 00007ffb`0a5c0850 will confirm it), and offset 0x150 (0000020e`ead719b0) holds the object's own address, consistent with 0000020e`ead71860 really being the start of the object. The PID/TID pair has the shape of an ALPC CLIENT_ID (UniqueProcess, UniqueThread), which the kernel fills in on every ALPC message; that kernel-supplied identity, not anything the client placed in the request payload, is what a server should use to identify its caller.
End
I'm afraid I'll forget this, so I'm writing it down here. It does come up fairly often.