
[漏洞分析] Microsoft Windows XP Win32k.sys Local BSoD Vulnerability

Ruin 发表于 2012-6-7 17:30
Microsoft Windows XP Win32k.sys Local BSoD Vulnerability
在函数NtUserMessageCall的处理流程中存在一个可导致BSoD（本地蓝屏）的漏洞。

  1. 出问题的代码:
  2. .text:BF80EE53 ; int __stdcall NtUserMessageCall(int, int, int UnicodeString, PVOID Address, int, int, int)
  3. .text:BF80EE53 _NtUserMessageCall@28 proc near ; DATA XREF: .data:BF99D730o
  4. .text:BF80EE53
  5. .text:BF80EE53 var_C = dword ptr -0Ch
  6. .text:BF80EE53 var_8 = dword ptr -8
  7. .text:BF80EE53 arg_0 = dword ptr 8
  8. .text:BF80EE53 arg_4 = dword ptr 0Ch
  9. .text:BF80EE53 UnicodeString = dword ptr 10h
  10. .text:BF80EE53 Address = dword ptr 14h
  11. .text:BF80EE53 arg_10 = dword ptr 18h
  12. .text:BF80EE53 arg_14 = dword ptr 1Ch
  13. .text:BF80EE53 arg_18 = dword ptr 20h
  14. .text:BF80EE53
  15. .text:BF80EE53 ; FUNCTION CHUNK AT .text:BF80EE21 SIZE 0000002D BYTES
  16. .text:BF80EE53
  17. .text:BF80EE53 mov edi, edi
  18. .text:BF80EE55 push ebp
  19. .text:BF80EE56 mov ebp, esp
  20. .text:BF80EE58 sub esp, 0Ch
  21. .text:BF80EE5B push esi
  22. .text:BF80EE5C push edi
  23. .text:BF80EE5D call _EnterCrit@0 ; EnterCrit()
  24. .text:BF80EE62 mov ecx, [ebp+arg_0]
  25. .text:BF80EE65 call @ValIDAteHwnd@4 ; ValidateHwnd(x) //句柄在后边作为指针访问。
  26. .text:BF80EE6A mov ecx, [ebp+arg_14]
  27. .text:BF80EE6D mov esi, eax
  28. .text:BF80EE6F test esi, esi
  29. .text:BF80EE71 jz short loc_BF80EE38
  30. .text:BF80EE73 mov eax, _gptiCurrent
  31. .text:BF80EE78 mov edx, [eax+28h]
  32. .text:BF80EE7B mov [ebp+var_C], edx
  33. .text:BF80EE7E lea edx, [ebp+var_C]
  34. .text:BF80EE81 mov [eax+28h], edx
  35. .text:BF80EE84 mov [ebp+var_8], esi
  36. .text:BF80EE87 inc dword ptr [esi+4]
  37. .text:BF80EE8A
  38. .text:BF80EE8A loc_BF80EE8A: ; CODE XREF: NtUserMessageCall(x,x,x,x,x,x,x)-7j
  39. .text:BF80EE8A mov eax, [ebp+arg_4]
  40. .text:BF80EE8D and eax, 1FFFFh
  41. .text:BF80EE92 cmp eax, 400h
  42. .text:BF80EE97 jnb short loc_BF80EED4
  43. .text:BF80EE99 push [ebp+arg_18] ; int
  44. .text:BF80EE9C movzx eax, ds:_MessageTable[eax]
  45. .text:BF80EEA3 push ecx ; int
  46. .text:BF80EEA4 push [ebp+arg_10] ; int
  47. .text:BF80EEA7 and eax, 3Fh
  48. .text:BF80EEAA push [ebp+Address] ; Address
  49. .text:BF80EEAD push [ebp+UnicodeString] ; int
  50. .text:BF80EEB0 push [ebp+arg_4] ; int
  51. .text:BF80EEB3 push esi ; int
  52. .text:BF80EEB4 call ds:_gapfnMessageCall[eax*4] ; NtUserfnINSTRINGNULL(x,x,x,x,x,x,x)// 进入


  53. .text:BF9147C9 ; __stdcall NtUserfnINOUTLPPOINT5(x, x, x, x, x, x, x)
  54. .text:BF9147C9 _NtUserfnINOUTLPPOINT5@28 proc near ; CODE XREF: xxxDefWindowProc(x,x,x,x)+96p
  55. .text:BF9147C9 ; NtUserMessageCall(x,x,x,x,x,x,x)+61p ...
  56. .text:BF9147C9
  57. .text:BF9147C9 var_44 = byte ptr -44h
  58. .text:BF9147C9 var_1C = dword ptr -1Ch
  59. .text:BF9147C9 ms_exc = CPPEH_RECORD ptr -18h
  60. .text:BF9147C9 VUL = dword ptr 8
  61. .text:BF9147C9 arg_4 = dword ptr 0Ch
  62. .text:BF9147C9 arg_8 = dword ptr 10h
  63. .text:BF9147C9 arg_C = dword ptr 14h
  64. .text:BF9147C9 arg_10 = dword ptr 18h
  65. .text:BF9147C9 arg_14 = dword ptr 1Ch
  66. .text:BF9147C9
  67. .text:BF9147C9 push 34h
  68. .text:BF9147CB push offset stru_BF990E40
  69. .text:BF9147D0 call __SEH_prolog
  70. .text:BF9147D5 and [ebp+ms_exc.disabled], 0
  71. .text:BF9147D9 mov ebx, [ebp+arg_C]
  72. .text:BF9147DC mov eax, _Win32UserProbeAddress
  73. .text:BF9147E1 cmp ebx, eax
  74. .text:BF9147E3 jb short loc_BF9147EB
  75. .text:BF9147E5 mov dword ptr [eax], 0
  76. .text:BF9147EB
  77. .text:BF9147EB loc_BF9147EB: ; CODE XREF: NtUserfnINOUTLPPOINT5(x,x,x,x,x,x,x)+1Aj
  78. .text:BF9147EB push 0Ah
  79. .text:BF9147ED pop ecx
  80. .text:BF9147EE mov esi, ebx
  81. .text:BF9147F0 mov edi, ebx
  82. .text:BF9147F2 rep movsd
  83. .text:BF9147F4 push 0Ah
  84. .text:BF9147F6 pop ecx
  85. .text:BF9147F7 mov esi, ebx
  86. .text:BF9147F9 lea edi, [ebp+var_44]
  87. .text:BF9147FC rep movsd
  88. .text:BF9147FE or [ebp+ms_exc.disabled], 0FFFFFFFFh
  89. .text:BF914802 mov eax, [ebp+arg_14]
  90. .text:BF914805 add eax, 6
  91. .text:BF914808 and eax, 1Fh
  92. .text:BF91480B push [ebp+arg_10]
  93. .text:BF91480E lea ecx, [ebp+var_44]
  94. .text:BF914811 push ecx
  95. .text:BF914812 push [ebp+arg_8]
  96. .text:BF914815 push [ebp+arg_4]
  97. .text:BF914818 push [ebp+VUL]
  98. .text:BF91481B mov ecx, _gpsi
  99. .text:BF914821 call dword ptr [ecx+eax*4+0Ch] // 进入

  100. .text:BF932C40 ; __stdcall fnHkINLPCWPRETEXSTRUCT(x, x, x, x, x)
  101. .text:BF932C40 _fnHkINLPCWPRETEXSTRUCT@20 proc near ; DATA XREF: InitFunctionTables()+100o
  102. .text:BF932C40
  103. .text:BF932C40 var_18 = dword ptr -18h
  104. .text:BF932C40 var_14 = dword ptr -14h
  105. .text:BF932C40 var_10 = dword ptr -10h
  106. .text:BF932C40 var_C = dword ptr -0Ch
  107. .text:BF932C40 var_8 = dword ptr -8
  108. .text:BF932C40 var_4 = dword ptr -4
  109. .text:BF932C40 vul = dword ptr 8
  110. .text:BF932C40 arg_4 = dword ptr 0Ch
  111. .text:BF932C40 arg_8 = dword ptr 10h
  112. .text:BF932C40 arg_C = dword ptr 14h
  113. .text:BF932C40
  114. .text:BF932C40 mov edi, edi
  115. .text:BF932C42 push ebp
  116. .text:BF932C43 mov ebp, esp
  117. .text:BF932C45 sub esp, 18h
  118. .text:BF932C48 call ds:__imp__PsGetCurrentThread@0 ; PsGetCurrentThread()
  119. .text:BF932C4E push eax
  120. .text:BF932C4F call ds:__imp__PsGetThreadWin32Thread@4 ; PsGetThreadWin32Thread(x)
  121. .text:BF932C55 mov ecx, [ebp+vul]
  122. .text:BF932C58 mov eax, [eax+44h]
  123. .text:BF932C5B xor edx, edx
  124. .text:BF932C5D cmp ecx, edx
  125. .text:BF932C5F jnz short loc_BF932C66
  126. .text:BF932C61 mov [ebp+var_8], edx
  127. .text:BF932C64 jmp short loc_BF932C6B
  128. .text:BF932C66 ; ---------------------------------------------------------------------------
  129. .text:BF932C66
  130. .text:BF932C66 loc_BF932C66: ; CODE XREF: fnHkINLPCWPRETEXSTRUCT(x,x,x,x,x)+1Fj
  131. .text:BF932C66 mov ecx, [ecx]
  132. .text:BF932C68 mov [ebp+var_8], ecx
  133. .text:BF932C6B
  134. .text:BF932C6B loc_BF932C6B: ; CODE XREF: fnHkINLPCWPRETEXSTRUCT(x,x,x,x,x)+24j
  135. .text:BF932C6B mov ecx, [ebp+arg_4]
  136. .text:BF932C6E mov [ebp+var_C], ecx
  137. .text:BF932C71 mov ecx, [ebp+arg_8]
  138. .text:BF932C74 mov [ebp+var_10], ecx
  139. .text:BF932C77 mov ecx, [ebp+arg_C]
  140. .text:BF932C7A mov [ebp+var_14], ecx
  141. .text:BF932C7D mov ecx, [eax+40h]
  142. .text:BF932C80 mov [ebp+var_18], ecx
  143. .text:BF932C83 mov [ebp+var_4], edx
  144. .text:BF932C86 mov eax, [eax]
  145. .text:BF932C88 lea ecx, [ebp+var_18]
  146. .text:BF932C8B shr eax, 4
  147. .text:BF932C8E push ecx
  148. .text:BF932C8F and eax, 1
  149. .text:BF932C92 push eax
  150. .text:BF932C93 push edx
  151. .text:BF932C94 call sub_BF8F5DC2 // 进入


  152. .text:BF8F5DC2 sub_BF8F5DC2 proc near ; CODE XREF: NtUserCallNextHookEx(x,x,x,x)-F5726p
  153. .text:BF8F5DC2 ; NtUserfnHkINLPMSG(x,x,x,x)+35p ...
  154. .text:BF8F5DC2
  155. .text:BF8F5DC2 arg_0 = dword ptr 8
  156. .text:BF8F5DC2 arg_4 = dword ptr 0Ch
  157. .text:BF8F5DC2 vul_handle = dword ptr 10h
  158. .text:BF8F5DC2
  159. .text:BF8F5DC2 mov edi, edi
  160. .text:BF8F5DC4 push ebp
  161. .text:BF8F5DC5 mov ebp, esp
  162. .text:BF8F5DC7 mov eax, _gptiCurrent
  163. .text:BF8F5DCC mov eax, [eax+9Ch]
  164. .text:BF8F5DD2 test eax, eax
  165. .text:BF8F5DD4 jz short loc_BF8F5DEF
  166. .text:BF8F5DD6 lea ecx, [ebp+vul_handle]
  167. .text:BF8F5DD9 push ecx
  168. .text:BF8F5DDA push [ebp+vul_handle]
  169. .text:BF8F5DDD push [ebp+arg_4]
  170. .text:BF8F5DE0 push [ebp+arg_0]
  171. .text:BF8F5DE3 push eax
  172. .text:BF8F5DE4 call _PhkNextValid@4 ; PhkNextValid(x)
  173. .text:BF8F5DE9 push eax
  174. .text:BF8F5DEA call _xxxCallHook2@20 ; xxxCallHook2(x,x,x,x,x)//step into

  175. ...

  176. .text:BF8326A2 loc_BF8326A2: ; CODE XREF: xxxCallHook2(x,x,x,x,x)+125j
  177. .text:BF8326A2 push [ebp+vul_handle]
  178. .text:BF8326A5 push [ebp+arg_8]
  179. .text:BF8326A8 push [ebp+arg_4]
  180. .text:BF8326AB push edi
  181. .text:BF8326AC call _xxxHkCallHook@16 ; xxxHkCallHook(x,x,x,x)// 进入

  182. ...

  183. .text:BF800556 loc_BF800556: ; CODE XREF: ttfdQueryFontData(x,x,x,x,x,x)+71j
  184. .text:BF800556 cmp ebx, 6
  185. .text:BF800559 ja loc_BF83D539
  186. .text:BF80055F jmp loc_BF83D54B
  187. .text:BF80055F ; END OF FUNCTION CHUNK FOR _ttfdQueryFontData@24
  188. .text:BF800564 ; ---------------------------------------------------------------------------
  189. .text:BF800564 ; START OF FUNCTION CHUNK FOR _xxxHkCallHook@16
  190. .text:BF800564
  191. .text:BF800564 loc_BF800564: ; CODE XREF: xxxHkCallHook(x,x,x,x)+131j
  192. .text:BF800564 test byte ptr [eax+24h], 5 //eax中就是传入的句柄,访问违例导致崩溃。

  193. just for fun

炽焰天使 发表于 2012-6-7 17:47
大牛v5,感觉有点难度,努力学习