Hi all,
After being a frequent (passive) user of this list, I have the need of opening
a new thread in order to ask for some help.
During the last days I have been trying to understand some internal functions
of Windows (more concretely, Windows 10 x64). However, in some cases I am meshing
with NdrClientCall3. The problem I have is that I do not know how to determine
the process (and the corresponding target function) it is communicating with.
Next you can find an exemplary snippet of code (taken from WinDbg during one
of my debugging sessions):
…
mov rdx,qword ptr [rbx]
mov rcx,qword ptr [ncryptprov!g_RpcBindingContext+0x8]
mov eax,dword ptr [rsp+0A0h]
mov dword ptr [rsp+48h],eax
mov dword ptr [rsp+40h],r14d
mov qword ptr [rsp+38h],r15
mov qword ptr [rsp+30h],rdi
mov qword ptr [rsp+28h],rdx
mov qword ptr [rsp+20h],rcx
mov r9,qword ptr [ncryptprov!g_RpcBindingContext]
xor r8d,r8d
lea edx,[r8+9]
lea rcx,[ncryptprov!mp_scrambled_store (ncryptprov+0x42060)]
call qword ptr [ncryptprov!_imp_NdrClientCall3]
mov rbx,rax
…
At this point of the discussion my question should be clear (I guess), i.e., how can
I continue the debugging process without having to skip the function being executed
in the other side? Or, in other words, how can I determine which is the process and
target function we are communicating with?
Thanks in advance for your help.
Regards,
Santos