How to find the COM method that calls a third-party program?

Time: 2019-04-26 18:28:07

Tags: com windbg rpc

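I have a third-party program that fails in some cases. The program is invoked through a COM interface. I have a call stack for this failure (from windbg), but I cannot understand how to analyze it.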

06 326cefd8 77cb70e0 rpcrt4!Invoke+0x34
07 326cf658 75f3e6e2 rpcrt4!NdrStubCall2+0x330
08 326cf6a4 7577a96e combase!CStdStubBuffer_Invoke(
            struct IRpcStubBuffer * This = 0x02334480, 
            struct tagRPCOLEMESSAGE * prpcmsg = 0x0bc13c04, 
            struct IRpcChannelBuffer * pRpcChannelBuffer = 0x0becde5c)+0xd6 [d:\blue\com\combase\ndr\ndrole\stub.cxx @ 1507] 
09 326cf6d4 75f3a53f oleaut32!CUnivStubWrapper::Invoke+0x122
0a 326cf760 75e1c5c6 combase!SyncStubInvoke(
            struct tagRPCOLEMESSAGE * pMsg = 0x0bc13c04, 
            struct _GUID * riid = 0x039a3eb8 {ADBE4578-60D4-4A34-AE0F-58E34CC67ECC}, 
            class CIDObject * pID = 0x0bcf0698, 
            void * pVtableAddress = 0x00ce316c, 
            struct IRpcChannelBuffer * pChnl = 0x0becde5c, 
            struct IRpcStubBuffer * pStub = 0x0bf01438, 
            void * pInterface = 0x1c3f05ec, 
            unsigned long * pdwFault = 0x326cf8b8)+0x14c [d:\blue\com\combase\dcomrem\channelb.cxx @ 1664] 
0b (Inline) -------- combase!StubInvoke+0x9e [d:\blue\com\combase\dcomrem\channelb.cxx @ 1957] 
0c 326cf88c 75f3ada8 combase!CCtxComChnl::ContextInvoke(
            struct tagRPCOLEMESSAGE * pMessage = 0x0bc13c04, 
            struct IRpcStubBuffer * pStub = 0x0bf01438, 
            struct tagIPIDEntry * pIPIDEntry = 0x039d33d0, 
            unsigned long * pdwFault = 0x326cf8b8)+0x236 [d:\blue\com\combase\dcomrem\ctxchnl.cxx @ 1377] 
0d (Inline) -------- combase!DefaultInvokeInApartment+0xffffffe8 [d:\blue\com\combase\dcomrem\callctrl.cxx @ 2716] 
0e 326cf934 75f3a7ed combase!AppInvoke(
            class CMessageCall * pCall = 0x0bc13ba0, 
            class CRpcChannelBuffer * pChannel = 0x0becde5c, 
            struct IRpcStubBuffer * pStub = 0x0bf01438, 
            void * pv = 0x1c3f05ec, 
            void * pStubBuffer = 0x0bf6d400, 
            struct tagIPIDEntry * pIPIDEntry = 0x039d33d0, 
            union WireLocalThis * pLocalb = 0x0bf6d3f0)+0x415 [d:\blue\com\combase\dcomrem\channelb.cxx @ 1481] 
0f 326cfa40 75f432fe combase!ComInvokeWithLockAndIPID(
            class CMessageCall * pCall = 0x0bc13ba0, 
            struct tagIPIDEntry * pIPIDEntry = 0x039d33d0)+0x38b [d:\blue\com\combase\dcomrem\channelb.cxx @ 2310] 
10 326cfa94 77c3662d combase!ThreadInvoke(
            struct _RPC_MESSAGE * pMessage = 0x0bc79178)+0x451 [d:\blue\com\combase\dcomrem\channelb.cxx @ 5539] 
11 326cfad8 77c3708e rpcrt4!DispatchToStubInCNoAvrf+0x4d
12 326cfb48 77c36e57 rpcrt4!RPC_INTERFACE::DispatchToStubWorker+0x13e
13 326cfbdc 77c36b9c rpcrt4!LRPC_SCALL::DispatchRequest+0x226
14 326cfc38 77c36874 rpcrt4!LRPC_SCALL::HandleRequest+0x31c
15 326cfc74 77c351ef rpcrt4!LRPC_SASSOCIATION::HandleRequest+0x1fc
16 326cfd3c 77c34f61 rpcrt4!LRPC_ADDRESS::ProcessIO+0x481
17 326cfd78 77dc09e0 rpcrt4!LrpcIoComplete+0x8d
18 326cfdb0 77dc0106 ntdll!TppAlpcpExecuteCallback+0x180
19 326cff50 75ae7c04 ntdll!TppWorkerThread+0x33c
1a 326cff64 77dfad8f kernel32!BaseThreadInitThunk+0x24
1b 326cffac 77dfad5a ntdll!__RtlUserThreadStart+0x2f
1c 326cffbc 00000000 ntdll!_RtlUserThreadStart+0x1b

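Is there any chance to find out which method is hidden behind "Invoke"? And possibly to find out the arguments of this call (I suppose there should be at least one string argument).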

I have almost no experience with native debugging (.NET developer), so any explanation would help.

0 answers:

No answers