源mac为空导致问题

00007ff7`72d7fc20  40 01 00 00 00 00 00 00-50 01 00 00 00 00 00 00  @.......P.......
00007ff7`72d7fc30  01 00 00 00 00 00 00 00-00 00 ff ff ff ff ff ff  ................
00007ff7`72d7fc40  ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00  ................
00007ff7`72d7fc50  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00007ff7`72d7fc60  d0 07 00 02 00 00 00 00-07 00 00 00 7b 32 36 33  ............{263
00007ff7`72d7fc70  31 37 46 38 34 2d 43 37-45 41 2d 34 43 41 31 2d  17F84-C7EA-4CA1-
00007ff7`72d7fc80  38 39 42 36 2d 32 46 33-45 41 44 35 33 44 33 30  89B6-2F3EAD53D30
00007ff7`72d7fc90  37 7d 00 00 00 00 00 00-00 00 00 00 00 00 00 00  7}..............


{26317F84-C7EA-4CA1-89B6-2F3EAD53D307}

struct vport_data{                            /*通道对象*/
    HANDLE              adp_fd;                /*通道句柄*/0
    HANDLE              adp_event;            /*读事件*/  8
    BOOL                lock_init;            /*初始化锁*/16
    unsigned char       vm_mac[6];            /*管理网卡mac地址*/20  00 00 00 00-00 00,缺陷问题,源mac为0
    unsigned char       gw_mac[6];            /*互联网关mac地址*/26
    CRITICAL_SECTION    wt_lock;            /*写保护锁*/32
    DWORD                ndis_ver;            /*NDIS驱动版本*/
    char                 port_name[64];        /*NDIS设备名*/ //{660734D0-0B29-4286-A300-E45DD367F57E}
};
//offset:20 vm_mac
//offset:26 gw_mac
//offset:76 port_name
//offset:76 port_name
//offset:72 ndis_ver

Integer arguments are passed in registers RCX, RDX, R8, and R9. 
Floating point arguments are passed in XMM0L, XMM1L, XMM2L, and XMM3L. 16-byte arguments are passed by reference. Parameter

npcap_write()


0:003> u cloud_update_phy+0x8aa0
cloud_update_phy+0x8aa0:
00007ff7`72d78aa0 4489442418      mov     dword ptr [rsp+18h],r8d
00007ff7`72d78aa5 4889542410      mov     qword ptr [rsp+10h],rdx
00007ff7`72d78aaa 48894c2408      mov     qword ptr [rsp+8],rcx
00007ff7`72d78aaf 4881ec38060000  sub     rsp,638h
00007ff7`72d78ab6 488b05db740000  mov     rax,qword ptr [cloud_update_phy+0xff98 (00007ff7`72d7ff98)]
00007ff7`72d78abd 4833c4          xor     rax,rsp
00007ff7`72d78ac0 4889842428060000 mov     qword ptr [rsp+628h],rax
00007ff7`72d78ac8 488d442470      lea     rax,[rsp+70h]
0:003> g
Breakpoint 0 hit
cloud_update_phy+0x8aa0:
00007ff7`72d78aa0 4489442418      mov     dword ptr [rsp+18h],r8d ss:00000000`00536450=00536508
0:000> k
 # Child-SP          RetAddr           Call Site
00 00000000`00536438 00007ff7`72d78a64 cloud_update_phy+0x8aa0
01 00000000`00536440 00007ff7`72d78a0a cloud_update_phy+0x8a64
02 00000000`00536480 00007ff7`72d76269 cloud_update_phy+0x8a0a
03 00000000`005364c0 00007ff7`72d7184b cloud_update_phy+0x6269
04 00000000`005364f0 00007ff7`72d7a0f2 cloud_update_phy+0x184b
05 00000000`0054f990 00007ffc`99337974 cloud_update_phy+0xa0f2
06 00000000`0054f9c0 00007ffc`9a4da271 KERNEL32!BaseThreadInitThunk+0x14
07 00000000`0054f9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:000> r
rax=0000000000000001 rbx=0000000000000001 rcx=00007ff772d7fc20
rdx=00007ff772d7fd0c rsi=0000000000000000 rdi=000000000054f568
rip=00007ff772d78aa0 rsp=0000000000536438 rbp=0000000000000000
 r8=0000000000000001  r9=0000000000000000 r10=0000000000000000
r11=fe624e212ac18000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
cloud_update_phy+0x8aa0:
00007ff7`72d78aa0 4489442418      mov     dword ptr [rsp+18h],r8d ss:00000000`00536450=00536508
0:000> db 00007ff772d7fc20
00007ff7`72d7fc20  40 01 00 00 00 00 00 00-50 01 00 00 00 00 00 00  @.......P.......
00007ff7`72d7fc30  01 00 00 00 00 00 00 00-00 00 ff ff ff ff ff ff  ................
00007ff7`72d7fc40  ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00  ................
00007ff7`72d7fc50  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00007ff7`72d7fc60  d0 07 00 02 00 00 00 00-07 00 00 00 7b 32 36 33  ............{263
00007ff7`72d7fc70  31 37 46 38 34 2d 43 37-45 41 2d 34 43 41 31 2d  17F84-C7EA-4CA1-
00007ff7`72d7fc80  38 39 42 36 2d 32 46 33-45 41 44 35 33 44 33 30  89B6-2F3EAD53D30
00007ff7`72d7fc90  37 7d 00 00 00 00 00 00-00 00 00 00 00 00 00 00  7}..............
0:000> dq 00007ff772d7fc20
00007ff7`72d7fc20  00000000`00000140 00000000`00000150
00007ff7`72d7fc30  00000000`00000001 ffffffff`ffff0000
00007ff7`72d7fc40  ffffffff`ffffffff 00000000`ffffffff
00007ff7`72d7fc50  00000000`00000000 00000000`00000000
00007ff7`72d7fc60  00000000`020007d0 3336327b`00000007
00007ff7`72d7fc70  37432d34`38463731 2d314143`342d4145
00007ff7`72d7fc80  3346322d`36423938 30334433`35444145
00007ff7`72d7fc90  00000000`00007d37 00000000`00000000
0:000> db 00007ff772d7fc20
00007ff7`72d7fc20  40 01 00 00 00 00 00 00-50 01 00 00 00 00 00 00  @.......P.......
00007ff7`72d7fc30  01 00 00 00 00 00 00 00-00 00 ff ff ff ff ff ff  ................
00007ff7`72d7fc40  ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00  ................
00007ff7`72d7fc50  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
00007ff7`72d7fc60  d0 07 00 02 00 00 00 00-07 00 00 00 7b 32 36 33  ............{263
00007ff7`72d7fc70  31 37 46 38 34 2d 43 37-45 41 2d 34 43 41 31 2d  17F84-C7EA-4CA1-
00007ff7`72d7fc80  38 39 42 36 2d 32 46 33-45 41 44 35 33 44 33 30  89B6-2F3EAD53D30
00007ff7`72d7fc90  37 7d 00 00 00 00 00 00-00 00 00 00 00 00 00 00  7}..............

//RCX(handle), RDX(lpBuffer), R8(nNumberOfBytesToWrite), and R9(lpNumberOfBytesWritten)
UPF_Write()
bp cloud_update_phy+ 0x0007810
0:003> bp cloud_update_phy+ 0x0007810
0:003> u cloud_update_phy+ 0x0007810
cloud_update_phy+0x7810:
00007ff7`72d77810 4c894c2420      mov     qword ptr [rsp+20h],r9
00007ff7`72d77815 4489442418      mov     dword ptr [rsp+18h],r8d
00007ff7`72d7781a 4889542410      mov     qword ptr [rsp+10h],rdx
00007ff7`72d7781f 48894c2408      mov     qword ptr [rsp+8],rcx
00007ff7`72d77824 4883ec48        sub     rsp,48h
00007ff7`72d77828 488b442458      mov     rax,qword ptr [rsp+58h]
00007ff7`72d7782d 4889442438      mov     qword ptr [rsp+38h],rax
00007ff7`72d77832 488b442438      mov     rax,qword ptr [rsp+38h]
0:003> g
Breakpoint 1 hit
cloud_update_phy+0x7810:
00007ff7`72d77810 4c894c2420      mov     qword ptr [rsp+20h],r9 ss:00000000`00535e18=0000000000535e44
0:000> r
rax=00007ff772d7fc20 rbx=0000000000000001 rcx=0000000000000140
rdx=0000000000535e70 rsi=0000000000000000 rdi=000000000054f568
rip=00007ff772d77810 rsp=0000000000535df8 rbp=0000000000000000
 r8=0000000000000021  r9=0000000000535e44 r10=0000000000000000
r11=0000000000535e90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
0:000> db 0000000000535e70 
00000000`00535e70  b0 64 53 00 00 00 00 00-11 00 00 00 11 00 00 00  .dS.............
00000000`00535e80  ff ff ff ff ff ff 00 00-00 00 00 00 99 99 00 01  ................
00000000`00535e90  23 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  #...............
00000000`00535ea0  04 00 00 00 00 00 00 00-01 1d d7 72 f7 7f 00 00  ...........r....
00000000`00535eb0  00 00 00 00 00 00 00 00-ff ff ff ff ff ff ff ff  ................
00000000`00535ec0  00 65 53 00 00 00 00 00-00 00 00 00 00 00 00 00  .eS.............
00000000`00535ed0  50 06 f7 00 00 00 00 00-ab 95 23 97 fc 7f 00 00  P.........#.....
00000000`00535ee0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

char local[sizeof(struct pcap_pkthdr_w)+sizeof(struct phy_ethhdr)+PHY_Line_MTU];
0000000000000021 = 2x16+1 -16 = 17字节

struct pcap_pkthdr_w 16字节,剩下全是裸二层报文,从00535e80开始

最终结论,源mac地址为全零,导致心跳发不上去,导致cloud agent心跳发不上去