解读RtlGetIdentityAuthority
RtlGetIdentityAuthority(位于 WCP 组件,源文件 base\wcp\identity\id_authority.cpp)这个函数被广泛调用;它通过输出参数返回一个接口指针,该接口的虚函数表就是下面列出的那组函数。
它有一个输入参数;从下面的反编译代码看,这个参数被原样转发给 InitializeIdentityAuthority,其具体含义未能确定,但在作者的调用中直接传 0 即可正常工作。
输出参数为 IRtlIdentityAuthority接口。
从下面的反编译代码看,调用这个函数会惰性初始化模块内部的全局单例 `anonymous namespace'::g_RtlIdentityAuthority(用 InterlockedCompareExchange 一次性发布);作者在调试时观察到它似乎还会影响下面两个全局变量(它们没有出现在本文的反编译片段中,有待确认):
g_pIIdentityAuthority
g_pIAppIdAuthority
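// Calling wcp!RtlGetIdentityAuthority from outside the module.  The routine is
// not exported; CalcFunctionAddress() derives its address from a per-build
// offset (pfb_RtlGetIdentityAuthority) inside the loaded image (phWCP), so the
// resulting pointer is only as trustworthy as that offset table.
//
// NOTE(review): the out-parameter is declared here as IIdentityAuthority**,
// but the routine actually hands back a wcp-internal IRtlIdentityAuthority
// whose vtable (Release, CreateInterface, Parse, ...) differs from the COM
// IIdentityAuthority declared further down.  Invoking IIdentityAuthority
// methods through this pointer would dispatch to the wrong slot; treat the
// pointer as opaque or use the IRtl layout.  The typedef is kept unchanged so
// existing callers still compile.
typedef HRESULT (__fastcall *PRTL_GET_IDENTITY_AUTHORITY_FUNCTION)(INT, IIdentityAuthority **);
static PRTL_GET_IDENTITY_AUTHORITY_FUNCTION pRtlGetIdentityAuthority;

pRtlGetIdentityAuthority = (PRTL_GET_IDENTITY_AUTHORITY_FUNCTION)CalcFunctionAddress(phWCP, pfb_RtlGetIdentityAuthority);

// Must start out NULL: per the decompiled listing below, the callee reads the
// old value stored in *Authority and, if it is non-zero, calls through its
// vtable slot 0 (Release of the previous reference).  An uninitialised slot
// would therefore become an indirect call through garbage.
IIdentityAuthority *Authority = NULL;

// Never call through an unresolved address, and never use Authority unless the
// routine reported success (a status with bit 31 set is a failure).
if (pRtlGetIdentityAuthority != NULL)
{
    // First argument is forwarded to the initializer; 0 is what works in practice.
    HRESULT hr = pRtlGetIdentityAuthority(0, &Authority);
    if (hr < 0 /* FAILED(hr) */ || Authority == NULL)
    {
        Authority = NULL;   // leave a well-defined "no authority" state for later code
    }
}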
Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::CRtlInnerObjectTearoffImpl<class Windows::Identity::Rtl::Implementation::CRtlIdentityAuthority> >::Release(void) |
Windows::Rtl::CRtlTearoffObject<class Windows::Rtl::CRtlInnerObjectTearoffImpl<class Windows::Identity::Rtl::Implementation::CRtlIdentityAuthority> >::CreateInterface(struct _GUID const &,class Windows::Auto<struct Windows::Rtl::IRtlObject *> *) |
Parse(unsigned long,struct _LUNICODE_STRING const *,class Windows::Auto<struct Windows::Identity::Rtl::IRtlReferenceIdentity *> *) |
Parse(unsigned long,struct _LUNICODE_STRING const *,class Windows::Auto<struct Windows::Identity::Rtl::IRtlDefinitionIdentity *> *) |
Format(unsigned long,struct Windows::Identity::Rtl::IRtlBaseIdentity *,class Windows::Auto<struct _LUNICODE_STRING> *) |
FormatIntoBuffer(unsigned long,struct Windows::Identity::Rtl::IRtlBaseIdentity *,struct _LUNICODE_STRING *,unsigned long *) |
AreEqual(unsigned long,struct Windows::Identity::Rtl::IRtlDefinitionIdentity *,struct Windows::Identity::Rtl::IRtlDefinitionIdentity *,bool *) |
AreEqual(unsigned long,struct Windows::Identity::Rtl::IRtlDefinitionIdentity *,struct Windows::Identity::Rtl::IRtlDefinitionIdentity *,bool *) |
Matches(unsigned long,struct Windows::Identity::Rtl::IRtlDefinitionIdentity *,struct Windows::Identity::Rtl::IRtlReferenceIdentity *,bool *) |
DetermineRelationship(unsigned long,struct Windows::Identity::Rtl::IRtlReferenceIdentity *,struct Windows::Identity::Rtl::IRtlReferenceIdentity *,unsigned long *) |
Hash(unsigned long,unsigned long,struct Windows::Identity::Rtl::IRtlBaseIdentity *,unsigned __int64 *) |
GenerateKeyFormIntoBuffer(unsigned long,struct Windows::Identity::Rtl::IRtlBaseIdentity *,struct _LUNICODE_STRING *) |
CompareNames(unsigned long,struct _LUNICODE_STRING const *,struct _LUNICODE_STRING const *,int *) |
CompareNames(unsigned long,struct _LUNICODE_STRING const *,struct _LUNICODE_STRING const *,int *) |
CompareValues(unsigned long,struct _LUNICODE_STRING const *,struct _LUNICODE_STRING const *,int *) |
HashNamespace(unsigned long,struct _LUNICODE_STRING const *,unsigned __int64 *) |
HashName(unsigned long,struct _LUNICODE_STRING const *,unsigned __int64 *) |
HashValue(unsigned long,struct _LBLOB const *,unsigned __int64 *) |
HashName(unsigned long,struct _LUNICODE_STRING const *,unsigned __int64 *) |
Create(unsigned long,struct Windows::Identity::Rtl::IRtlReferenceIdentity *,struct Windows::Identity::Rtl::BUILTIN_ATTRIBUTES const &,struct Windows::Vector<struct Windows::Identity::Rtl::_ATTRIBUTE const > const *,class Windows::Auto<struct Windows::Identity::Rtl::IRtlReferenceIdentity *> *) |
Create(unsigned long,struct Windows::Identity::Rtl::IRtlDefinitionIdentity *,struct Windows::Identity::Rtl::BUILTIN_ATTRIBUTES const &,struct Windows::Vector<struct Windows::Identity::Rtl::_ATTRIBUTE const > const *,class Windows::Auto<struct Windows::Identity::Rtl::IRtlDefinitionIdentity *> *) |
LookupBuiltinAttribute(unsigned long,struct _LUNICODE_STRING const *,unsigned long *) |
与 IIdentityAuthority接口有显著差别:
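// Public COM identity authority from the Windows SDK (isolation.h), reproduced
// here for comparison with the wcp-internal IRtlIdentityAuthority listed above.
// Spacing lost in the page's transcription has been restored, and the one
// method name the page cut down to "extualDefinitionMatchTextualReference" is
// restored to the SDK's DoesTextualDefinitionMatchTextualReference.
//
// The method order is the vtable order and therefore ABI: do not reorder.
// _In_/_Out_ are the SDK's SAL annotations; ppI*/ppsz* out-parameters receive
// callee-allocated results (presumably COM-allocated strings for LPWSTR* —
// confirm against the SDK documentation before choosing a deallocator).
EXTERN_C const IID IID_IIdentityAuthority;

#if defined(__cplusplus) && !defined(CINTERFACE)

MIDL_INTERFACE("261a6983-c35d-4d0d-aa5b-7867259e77bc")
IIdentityAuthority : public IUnknown
{
public:
    // ---- text -> identity object ------------------------------------------
    virtual HRESULT STDMETHODCALLTYPE TextToDefinition(
        _In_ DWORD dwFlags,
        _In_ LPCWSTR pszIdentity,
        _Out_ IDefinitionIdentity **ppIDefinitionIdentity) = 0;

    virtual HRESULT STDMETHODCALLTYPE TextToReference(
        _In_ DWORD dwFlags,
        _In_ LPCWSTR pszIdentity,
        _Out_ IReferenceIdentity **ppIReferenceIdentity) = 0;

    // ---- identity object -> text ------------------------------------------
    // The *Buffer variants write into a caller-supplied buffer of cchBufferSize
    // WCHARs and report the count written in *pcchWritten; size the buffer
    // with the *TextBufferLength methods at the end of the interface.
    virtual HRESULT STDMETHODCALLTYPE DefinitionToText(
        _In_ DWORD dwFlags,
        _In_ IDefinitionIdentity *pIDefinitionIdentity,
        _Out_ LPWSTR *ppszFormattedIdentity) = 0;

    virtual HRESULT STDMETHODCALLTYPE DefinitionToTextBuffer(
        _In_ DWORD dwFlags,
        _In_ IDefinitionIdentity *pIDefinitionIdentity,
        _In_ SIZE_T cchBufferSize,
        _Out_writes_to_(cchBufferSize, *pcchWritten) WCHAR wchBuffer[],
        _Out_ SIZE_T *pcchWritten) = 0;

    virtual HRESULT STDMETHODCALLTYPE ReferenceToText(
        _In_ DWORD dwFlags,
        _In_ IReferenceIdentity *pIReferenceIdentity,
        _Out_ LPWSTR *ppszFormattedIdentity) = 0;

    virtual HRESULT STDMETHODCALLTYPE ReferenceToTextBuffer(
        _In_ DWORD dwFlags,
        _In_ IReferenceIdentity *pIReferenceIdentity,
        _In_ SIZE_T cchBufferSize,
        _Out_writes_to_(cchBufferSize, *pcchWritten) WCHAR wchBuffer[],
        _Out_ SIZE_T *pcchWritten) = 0;

    // ---- equality / matching ---------------------------------------------
    // Use these — not the Hash* pseudo-keys below — when the answer has any
    // security significance.
    virtual HRESULT STDMETHODCALLTYPE AreDefinitionsEqual(
        _In_ DWORD dwFlags,
        _In_ IDefinitionIdentity *pDefinition1,
        _In_ IDefinitionIdentity *pDefinition2,
        _Out_ BOOL *pfEqual) = 0;

    virtual HRESULT STDMETHODCALLTYPE AreReferencesEqual(
        _In_ DWORD dwFlags,
        _In_ IReferenceIdentity *pReference1,
        _In_ IReferenceIdentity *pReference2,
        _Out_ BOOL *pfEqual) = 0;

    virtual HRESULT STDMETHODCALLTYPE AreTextualDefinitionsEqual(
        _In_ DWORD dwFlags,
        _In_ LPCWSTR pszIdentityLeft,
        _In_ LPCWSTR pszIdentityRight,
        _Out_ BOOL *pfEqual) = 0;

    virtual HRESULT STDMETHODCALLTYPE AreTextualReferencesEqual(
        _In_ DWORD dwFlags,
        _In_ LPCWSTR pszIdentityLeft,
        _In_ LPCWSTR pszIdentityRight,
        _Out_ BOOL *pfEqual) = 0;

    virtual HRESULT STDMETHODCALLTYPE DoesDefinitionMatchReference(
        _In_ DWORD dwFlags,
        _In_ IDefinitionIdentity *pIDefinitionIdentity,
        _In_ IReferenceIdentity *pIReferenceIdentity,
        _Out_ BOOL *pfMatches) = 0;

    // Name truncated on the original page; restored to the SDK spelling.
    virtual HRESULT STDMETHODCALLTYPE DoesTextualDefinitionMatchTextualReference(
        _In_ DWORD dwFlags,
        _In_ LPCWSTR pszDefinition,
        _In_ LPCWSTR pszReference,
        _Out_ BOOL *pfMatches) = 0;

    // ---- hashing ----------------------------------------------------------
    // The parameter is named "PseudoKey": a 64-bit hash, not a unique
    // identifier.  Equal hashes do not prove equal identities.
    virtual HRESULT STDMETHODCALLTYPE HashReference(
        _In_ DWORD dwFlags,
        _In_ IReferenceIdentity *pIReferenceIdentity,
        _Out_ ULONGLONG *pullPseudoKey) = 0;

    virtual HRESULT STDMETHODCALLTYPE HashDefinition(
        _In_ DWORD dwFlags,
        _In_ IDefinitionIdentity *pIDefinitionIdentity,
        _Out_ ULONGLONG *pullPseudoKey) = 0;

    // ---- key-form strings -------------------------------------------------
    virtual HRESULT STDMETHODCALLTYPE GenerateDefinitionKey(
        _In_ DWORD dwFlags,
        _In_ IDefinitionIdentity *pIDefinitionIdentity,
        _Out_ LPWSTR *ppszKeyForm) = 0;

    virtual HRESULT STDMETHODCALLTYPE GenerateReferenceKey(
        _In_ DWORD dwFlags,
        _In_ IReferenceIdentity *pIReferenceIdentity,
        _Out_ LPWSTR *ppszKeyForm) = 0;

    // ---- construction -----------------------------------------------------
    virtual HRESULT STDMETHODCALLTYPE CreateDefinition(
        _Out_ IDefinitionIdentity **ppNewIdentity) = 0;

    virtual HRESULT STDMETHODCALLTYPE CreateReference(
        _Out_ IReferenceIdentity **ppNewIdentity) = 0;

    // ---- buffer sizing for the *ToTextBuffer methods ----------------------
    virtual HRESULT STDMETHODCALLTYPE DefinitionToTextBufferLength(
        _In_ DWORD dwFlags,
        _In_ IDefinitionIdentity *pIDefinitionIdentity,
        _Out_ SIZE_T *pcchBufferRequired) = 0;

    virtual HRESULT STDMETHODCALLTYPE ReferenceToTextBufferLength(
        _In_ DWORD dwFlags,
        _In_ IReferenceIdentity *pIReferenceIdentity,
        _Out_ SIZE_T *pcchBufferRequired) = 0;
};

// The SDK header continues with the C (CINTERFACE) vtable form here; the page
// reproduced only the C++ branch, so the conditional is closed directly.
#endif /* defined(__cplusplus) && !defined(CINTERFACE) */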
但是,再仔细分析一下,两者在语义上是对应的。比如,IRtlIdentityAuthority 中的第一个 Parse(上面的列表里它前面还有 Release 和 CreateInterface 两个槽)与 IIdentityAuthority 中的第二个函数 TextToReference 就是对应的:参数一一对应(见下表),只是字符串用 _LUNICODE_STRING 而非 LPCWSTR,输出用 Windows::Auto&lt;&gt; 智能指针而非裸的二级指针。注意这只是语义上的对应,两者的虚函数表槽位并不相同,不能把 IRtlIdentityAuthority 指针当作 IIdentityAuthority 去调用。
IRtlIdentityAuthority |
IIdentityAuthority |
parse |
TextToReference |
unsigned long |
DWORD dwFlags |
struct _LUNICODE_STRING const * |
LPCWSTR pszIdentity |
class Windows::Auto<struct Windows::Identity::Rtl::IRtlReferenceIdentity *> * |
IReferenceIdentity **ppIReferenceIdentity |
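//----- (000000018010C0FC)----------------------------------------------------
// Hex-Rays output from the 64-bit wcp.dll, re-flowed from the page's mangled
// paste (tokens unchanged except for the "0x" prefix the page dropped).
//
// Returns a 32-bit status in the low half of RAX: 0 on success, a value with
// bit 31 set on failure.  On success *a2 receives a reference to the
// process-wide IRtlIdentityAuthority singleton.
//
// a1 : forwarded unchanged to InitializeIdentityAuthority; its meaning is not
//      recoverable from this listing (the page's author passes 0).
// a2 : out-pointer.  Hex-Rays typed it as OneShotTypeDescriptionRecord*, but
//      the body only ever loads and stores one pointer through it, so it
//      behaves as "IRtlIdentityAuthority **".
//
// Note the x86 InitializeIdentityAuthority listing that follows takes a single
// argument — it comes from a different build and is not the callee of the
// two-argument call made here.
__int64 __fastcall RtlGetIdentityAuthority(__int64 a1,
        struct Windows::Rtl::OneShotTypeDescriptionRecord *a2)
{
  struct Windows::Rtl::OneShotTypeDescriptionRecord *v2; // rdi@1
  unsigned int v3;                                        // ebx@2
  void (__fastcall ***v4)(_QWORD);                        // rdi@5
  void (__fastcall *v5)(_QWORD);                          // rsi@6
  void (__fastcall ***v7)(_QWORD);                        // rsi@8
  void (__fastcall *v8)(_QWORD);                          // rbx@9
  int v9;                                                 // [sp+0h] [bp-60h]@4
  void (__fastcall ***v10)(_QWORD);                       // [sp+20h] [bp-40h]@4
  const char *v11;                                        // [sp+28h] [bp-38h]@2
  const char *v12;                                        // [sp+30h] [bp-30h]@2
  int v13;                                                // [sp+38h] [bp-28h]@2
  const char *v14;                                        // [sp+40h] [bp-20h]@2
  unsigned int v15;                                       // [sp+48h] [bp-18h]@1

  // Error-frame status, seeded with 0xC00000E5 (STATUS_INTERNAL_ERROR); the
  // page lost the "0x" prefix.  The only path that returns v15 first passes it
  // to SetInvalidParameter, which presumably overwrites the seed with an
  // invalid-parameter status — confirm in a debugger.
  v15 = 0xC00000E5;
  v2 = a2;

  // Parameter validation: a NULL out-pointer is rejected before any work is
  // done.  The failure is recorded with source file, function name, an
  // apparent source line (94) and the assertion text — WCP's error-origination
  // telemetry.
  if ( !a2 )
  {
    Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::SetInvalidParameter(&v15);
    v13 = 94;
    v11 = "base\\wcp\\identity\\id_authority.cpp";
    v12 = "Windows::Identity::Rtl::RtlGetIdentityAuthority";
    v14 = "Not-null check failed: Authority";
    Windows::ErrorHandling::Rtl::CBaseFrame<Windows::ErrorHandling::Rtl::CVoidRaiseFrame>::ReportErrorOrigination(
      &v15,
      (__int64)&v11);
    return v15;
  }

  // Lazily create the module-global singleton (one-shot init; see
  // InitializeIdentityAuthority).  Bit 31 set means failure.
  v3 = `anonymous namespace'::InitializeIdentityAuthority(a1, a2);
  if ( (v3 & 0x80000000) != 0 )
    return v3;

  // _InterlockedOr(&v9, 0) on an otherwise unused stack slot is a full memory
  // barrier — most likely the acquire side of the InterlockedCompareExchange
  // publish performed by the initializer.
  _InterlockedOr((volatile signed __int32 *)&v9, 0);
  v10 = 0i64;

  // Obtain the IRtlIdentityAuthority interface of the singleton; on success
  // v10 holds a new reference.
  v3 = Windows::Rtl::IRtlObject::CreateRequiredInterface<Windows::Identity::Rtl::IRtlIdentityAuthority>(
         (_QWORD *)`anonymous namespace'::g_RtlIdentityAuthority,
         &v10);
  if ( (v3 & 0x80000000) != 0 )
  {
    // Failure with a non-NULL v10: drop it through vtable slot 0 (Release in
    // the vtable listing above).  Every indirect call in this function is
    // preceded by _guard_check_icall_fptr, i.e. the image is built with
    // Control Flow Guard.
    v4 = v10;
    if ( v10 )
    {
      v5 = **v10;
      _guard_check_icall_fptr(**v10);
      v5(v4);
    }
    return v3;
  }

  // Success: store the new reference into *a2 and release whatever pointer
  // the caller had there (smart-pointer assignment semantics).  Because the
  // old value is called through if non-zero, callers must pass an initialised
  // slot — normally NULL — never an uninitialised one.
  v7 = *(void (__fastcall ****)(_QWORD))v2;
  *(_QWORD *)v2 = v10;
  if ( v7 )
  {
    v8 = **v7;
    _guard_check_icall_fptr(**v7);
    v8(v7);
  }
  return 0i64;
}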
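//----- (1016BC61)--------------------------------------------------------
// Hex-Rays output from the 32-bit wcp.dll (a different image from the x64
// RtlGetIdentityAuthority listing above), re-flowed from the page's mangled
// paste with tokens unchanged.  __usercall: a1 arrives in EDI, the status is
// returned in EAX.
//
// Creates the process-wide CRtlIdentityAuthority singleton at most once:
//   1. fast path — g_RtlIdentityAuthority already non-zero → return 0;
//   2. initialise the one-shot type description and create an instance
//      exposing IRtlIdentityAuthority into v10;
//   3. publish it with InterlockedCompareExchange(&g_RtlIdentityAuthority,
//      v10, 0).  If another thread published first, the object built here is
//      released and the winner's object stays.
// Returns 0 on success, otherwise the negative status of the failing step.
int __usercall `anonymous namespace'::InitializeIdentityAuthority@<eax>(volatile signed __int32 *a1@<edi>)
{
  void (__thiscall ***v1)(_DWORD); // esi@2
  int v2;                          // ecx@2
  int v3;                          // ebx@2
  int v4;                          // ST00_4@3
  volatile signed __int32 *v5;     // eax@3
  void (__thiscall *v6)(_DWORD);   // edi@7
  void (__thiscall ***v8)(_DWORD); // edi@9
  void (__thiscall *v9)(_DWORD);   // esi@10
  signed __int32 v10;              // [sp+Ch] [bp-8h]@1

  // Full memory barrier before the unsynchronised read of the global on the
  // fast path (v10 is reused as the output slot below).
  _InterlockedOr(&v10, 0);
  if ( `anonymous namespace'::g_RtlIdentityAuthority )
    return 0;

  v1 = 0;
  v10 = 0;
  v3 = Windows::Rtl::CRtlOneShotTypeDescriptionInit<Windows::Identity::Rtl::Implementation::CRtlIdentityAuthority>::Initialize(a1);
  if ( v3 >= 0 )
  {
    // v2 (ECX) is never assigned in this listing: Hex-Rays did not model the
    // value Initialize() leaves in ECX, which is what CreateInstance receives
    // as its second argument.  Read v4 as "whatever Initialize left in ECX".
    v4 = v2;
    v5 = (volatile signed __int32 *)Windows::Rtl::CRtlOneShotTypeDescriptionInit<Windows::Identity::Rtl::Implementation::CRtlIdentityAuthority>::TypeDescription();
    v3 = Windows::Rtl::CRtlObjectTypeDescription<Windows::Identity::Rtl::Implementation::CRtlIdentityAuthority>::CreateInstance<Windows::Identity::Rtl::Implementation::CRtlIdentityAuthorityTearoff,int,Windows::Identity::Rtl::IRtlIdentityAuthority>(
           v5,
           v4,
           &v10);
    if ( v3 >= 0 )
      v3 = 0;
    v1 = (void (__thiscall ***)(_DWORD))v10;
    if ( v3 >= 0 )
    {
      // Publish.  The CAS returns the previous value of the global: 0 means
      // our v10 was installed and v8 stays NULL; non-zero means another thread
      // already published, so v8 becomes our now-redundant object, which is
      // released below through vtable slot 0 (Release in the listing above)
      // after the Control Flow Guard check.
      v8 = (void (__thiscall ***)(_DWORD))(_InterlockedCompareExchange(
                                             (volatile signed __int32 *)&`anonymous namespace'::g_RtlIdentityAuthority,
                                             v10,
                                             0) != 0 ? (unsigned int)v1 : 0);
      if ( v8 )
      {
        v9 = **v8;
        __guard_check_icall_fptr(**v8);
        v9(v8);
      }
      return 0;
    }
  }

  // Failure after an object was created: release it (CFG-checked indirect
  // call through vtable slot 0) and propagate the status.  If Initialize()
  // itself failed, v1 is still 0 and nothing is released.
  if ( v1 )
  {
    v6 = **v1;
    __guard_check_icall_fptr(**v1);
    v6(v1);
  }
  return v3;
}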