Found that it keeps hanging at this spot:
ntdll!memcpy+0x33
ntdll!RtlpReAllocateHeap+0x9d9 (FPO: [Non-Fpo])
ntdll!RtlReAllocateHeap+0x2c5 (FPO: [Non-Fpo])
kernel32!GlobalReAlloc+0x17f (FPO: [Non-Fpo])
ole32!CMemBytes::SetSize+0x2a (FPO: [Non-Fpo]) (CONV: stdca
ole32!CMStream::SetSize+0x72 (FPO: [Non-Fpo]) (CONV: thisca
ole32!CDirectStream::SetSize+0x285 (FPO: [Non-Fpo]) (CONV:
ole32!CMStream::SetMiniSize+0x49 (FPO: [Non-Fpo]) (CONV: th
ole32!CDirectStream::SetSize+0x274 (FPO: [Non-Fpo]) (CONV:
ole32!PSStream::SetSize+0x19 (FPO: [Non-Fpo]) (CONV: thisca
ole32!CPubStream::SetSize+0x52 (FPO: [Non-Fpo]) (CONV: this
ole32!CExposeadStream::SetSize+0x62 (FPO: [Non-Fpo]) (CONV:
MSHTML!CStorageHelper::_WriteKeyValuesToStream+0x115 (FPO:
MSHTML!CStorageHelper::Save+0x24 (FPO: [Non-Fpo])
MSHTML!CStorageListHelper::Save+0xb8 (FPO: [Non-Fpo])
MSHTML!CDoc::SetupDwnBindInfoAndBindCtx+0x677 (FPO: [Non-Fp
MSHTML!CDoc::FollowHyperlink2+0x3b9 (FPO: [30,27,4])
MSHTML!CWindow::SuperNavigateInternal+0x20c (FPO: [12,11,4]
MSHTML!CWindow::SuperNavigate3+0x27 (FPO: [Non-Fpo])
le. Following frames may be wrong.
ieframe!Ordinal231+0xae8a
ieframe!Ordinal231+0xabd0
ieframe!Ordinal231+0xa6e6
ieframe!Ordinal137+0x60bf
MSHTML!CTExec+0x38 (FPO: [Non-Fpo])
MSHTML!CMarkup::DoAutoSearch+0x2fb (FPO: [Non-Fpo])
MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::
MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::
MSHTML!CBindingFilter::OnStopBinding+0x3d (FPO: [Non-Fpo])
urlmon!CBSCHolder::OnStopBinding+0x3c (FPO: [Non-Fpo])
urlmon!CBinding::CallOnStopBinding+0x3d (FPO: [Non-Fpo])
urlmon!AppDataFolderList::GetPackageDependencyStateForIUri+
urlmon!CBinding::ReportData+0xa2 (FPO: [Non-Fpo])
urlmon!COInetProt::ReportData+0x81 (FPO: [Non-Fpo])
urlmon!CTransaction::DispatchReport+0x171 (FPO: [6,3,4])
urlmon!CTransaction::OnINetCallback+0x140 (FPO: [Non-Fpo])
urlmon!TransactionWndProc+0x28 (FPO: [Non-Fpo])
USER32!gapfnScSendMessage+0x270
USER32!gapfnScSendMessage+0x922
USER32!LoadStringW+0x11f
USER32!DispatchMessageW+0xf
chrome_child!base::MessagePumpForUI::ProcessMessageHelper+0
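Triaging a hang from a stack like the one above means splitting the run-together WinDbg output back into frames, finding the first frame that is not OS runtime (here ole32!CMemBytes::SetSize, the caller of the slow GlobalReAlloc/memcpy) and remembering that every frame after the "Following frames may be wrong" warning was unwound without symbols. The parser below is an added example, not code from the original post; it assumes the frame grammar module!symbol[+0xoffset] and uses an excerpt of the trace above as its constructed input.

```python
"""Parse WinDbg 'k'-style stack output and locate the frame that owns a hang.

Added example, not part of the original post. Assumed frame grammar:
module!symbol optionally followed by +0xoffset, then free-form annotations
such as (FPO: [Non-Fpo]) that carry no '!' and are skipped.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One frame token: module!symbol[+0xoffset], delimited by whitespace.
# The symbol may contain ::, <>, backticks and quotes (see the MSHTML lambdas above).
_FRAME_RE = re.compile(r"(?<!\S)([A-Za-z0-9_]+)!(\S+?)(?:\+0x([0-9a-fA-F]+))?(?=\s|$)")
_UNWIND_WARNING = "Following frames may be wrong"

# Modules that only execute on behalf of someone else; the hang's owner is above them.
RUNTIME_MODULES = {"ntdll", "kernel32", "kernelbase", "user32"}


@dataclass
class Frame:
    module: str
    symbol: str
    offset: int      # byte offset into the symbol, 0 when the dump had none
    trusted: bool    # False once WinDbg warned that the unwind may be wrong


def parse_frames(text: str) -> List[Frame]:
    """Split raw k output (even when run together on one line) into frames.

    Frames after the unwind warning are marked untrusted: the debugger had no
    unwind info there, which is why ieframe shows only Ordinal231/Ordinal137.
    """
    frames: List[Frame] = []
    warn_at = text.find(_UNWIND_WARNING)
    for m in _FRAME_RE.finditer(text):
        trusted = warn_at == -1 or m.start() < warn_at
        frames.append(Frame(m.group(1), m.group(2), int(m.group(3) or "0", 16), trusted))
    return frames


def hang_owner(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside the OS runtime: the code that asked for the expensive realloc."""
    for f in frames:
        if f.module.lower() not in RUNTIME_MODULES:
            return f
    return None


def frames_in_module(frames: List[Frame], module: str) -> List[Frame]:
    """All frames belonging to one module, innermost first (case-insensitive)."""
    return [f for f in frames if f.module.lower() == module.lower()]


# Constructed input: an excerpt of the trace quoted above, with the same
# truncated annotations the extraction left behind.
SAMPLE = (
    "ntdll!memcpy+0x33 ntdll!RtlpReAllocateHeap+0x9d9 (FPO: [Non-Fpo]) "
    "ntdll!RtlReAllocateHeap+0x2c5 (FPO: [Non-Fpo]) kernel32!GlobalReAlloc+0x17f (FPO: [Non-Fpo]) "
    "ole32!CMemBytes::SetSize+0x2a (FPO: [Non-Fpo]) (CONV: stdca ole32!CMStream::SetSize+0x72 (FPO: [Non-Fpo]) "
    "MSHTML!CStorageHelper::_WriteKeyValuesToStream+0x115 (FPO: MSHTML!CStorageHelper::Save+0x24 (FPO: [Non-Fpo]) "
    "MSHTML!CStorageListHelper::Save+0xb8 (FPO: [Non-Fpo]) "
    "MSHTML!CDoc::SetupDwnBindInfoAndBindCtx+0x677 (FPO: [Non-Fp MSHTML!CDoc::FollowHyperlink2+0x3b9 (FPO: [30,27,4]) "
    "Following frames may be wrong. ieframe!Ordinal231+0xae8a ieframe!Ordinal137+0x60bf"
)

if __name__ == "__main__":
    fs = parse_frames(SAMPLE)
    owner = hang_owner(fs)
    print(f"{len(fs)} frames; hang owner: {owner.module}!{owner.symbol}+0x{owner.offset:x}")
    for f in frames_in_module(fs, "mshtml"):
        print("  MSHTML:", f.symbol)
    print("untrusted frames:", [f.symbol for f in fs if not f.trusted])
```

Running it on the excerpt reports ole32!CMemBytes::SetSize as the owner, lists the MSHTML frames down to CDoc::SetupDwnBindInfoAndBindCtx, and flags the two ieframe ordinals as untrusted, which is exactly the split the rest of this post works from.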
Looked into it a bit: CDoc::SetupDwnBindInfoAndBindCtx does have source, in E:\mycode\win2k\private\inet\mshtml\src\site\base\hlink.cxx.
But that source has no call to CStorageListHelper::Save at all. So I took a look in IDA:
It seems to read a structure out of TLS and then use CStorageListHelper::Save to save it somewhere. After thinking about it, I realized CStorageListHelper::Save must call CreateILockBytesOnHGlobal and StgCreateDocfileOnILockBytes to create the stream-related handles. I checked again, and these two APIs, CreateILockBytesOnHGlobal and StgCreateDocfileOnILockBytes, don't seem to be used anywhere else either. Heaven helps me: I hooked those two APIs and simply have them return E_FAIL, and that does it.