解读 RtlGetSystem

解读 RtlGetSystem

a2 = 0 时，调用出错：
0x5D5D573E (wcp.dll)处(位于 CallWCP.exe 中)引发的异常: 0xC0000005:
读取位置 0xCCCCCCCC 时发生访问冲突。

0x5D5D573E 的值：
Windows::Rtl::SystemImplementation::CreateFilesystemProviderStack(
unsigned long,
class Windows::Rtl::SystemImplementation::IRtlFileSystemProvider *,
struct Windows::Vector<struct Windows::Rtl::SYSTEM_LAYER> const &,
class Windows::Auto<class Windows::Rtl::SystemImplementation::IRtlFileSystemProvider *> *,bool *)

5D5D572C  jbe         Windows::Rtl::SystemImplementation::CreateFilesystemProviderStack+3F9h (5D5D5A54h)
5D5D5732  mov         eax,ebx
5D5D5734  mov         dword ptr [ebp-12Ch],ebx
5D5D573A  mov         ecx,dword ptr [ecx]
5D5D573C  add         ecx,eax
5D5D573E  mov         eax,dword ptr [ecx]

[ecx] 的值就是：0xCCCCCCCC，未定义。

把 a2 赋值 NULL，就可以了。

把 a3 设为一个地址：
UINT_PTR* pv = (UINT_PTR*)CoTaskMemAlloc(4);
pv = 0x00e25688
*pv = 0x00e340c8
*(LPVOID**)pv＝0x5c7542f4
const Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff>::`vftable'{for `Windows::Rtl::IRtlSystemIsolationLayer'}}

+0:
Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::CRtlInnerObjectTearoffImpl<class Windows::Rtl::SystemImplementation::CSystemIsolationLayer> >::Release(void)
+4:
Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::CRtlInnerObjectTearoffImpl<class Windows::Rtl::SystemImplementation::CSystemIsolationLayer> >::CreateInterface(
struct _GUID const &,
class Windows::Auto<struct Windows::Rtl::IRtlObject *> *)
+8:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenFilesystemDirectory(
unsigned long,
unsigned long,
struct _LUNICODE_STRING const &,
unsigned long,
unsigned long,
class Windows::Auto<struct Windows::Rtl::IRtlDirectory *> *,
unsigned long *)
+12 : Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenFilesystemFile(
unsigned long,
unsigned long,
struct _LUNICODE_STRING const &,
unsigned long,
unsigned long,
class Windows::Auto<struct Windows::Rtl::IRtlFile *> *,
unsigned long *)
+16:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::DeleteFilesystemFile(
unsigned long,
struct _LUNICODE_STRING const &,
unsigned long *)
+ 20:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::OpenRegistryKey(
unsigned long,
unsigned long,
struct _LUNICODE_STRING const &,
class Windows::Auto<struct Windows::Rtl::IRtlKey *> *,
unsigned long *)
+24:
Windows::Rtl::SystemImplementation::CSystemIsolationLayer_IRtlSystemIsolationLayerTearoff::TransferFile(
unsigned long,
unsigned long,
struct Windows::Rtl::IRtlDirectory *,
struct _LUNICODE_STRING const &,
struct Windows::Rtl::IRtlDirectory *,
struct _LUNICODE_STRING const &,
unsigned long *)

释放时，用了两种：
Windows::AutoPointerBase<Windows::Cdf::Rtl::IRtlCdfStringTableEnumerator *,Windows::Auto<Windows::Cdf::Rtl::IRtlCdfStringTableEnumerator *>>::Close(&v55);

Windows::Auto<Windows::Rtl::IRtlSystemIsolationLayer *>::~Auto<Windows::Rtl::IRtlSystemIsolationLayer *>(&v148);

后面的这个类型可能更靠谱，因为在函数的定义中，就是这样类型转换的：
v4 = (struct Windows::Rtl::SystemImplementation::IRtlFileSystemProvider *)a3;