We know that when writing exploits for overflow vulnerabilities we routinely rely on global pointers and on exception handling. XP SP2 has changed both: global pointers, for example, are now encoded, so the techniques we used before no longer get the job done.

Specifically, this article covers the following:

1. The start address at which the PEB management structure is mapped is now randomised. We will see later that this randomisation is quite weak, but it is already enough to keep an exploit from working, or at least from working reliably.

2. Protection of the top-level SEH handler

3. Protection of the VEH list pointer _RtlpCalloutEntryList

4. Cookie protection of heap block structures

Not covered:

1. How to bypass these protections

2. The details of heap management; there have actually been no big changes there

Let's begin:

1. Randomisation of the PEB address

On XP, process creation goes through _NtCreateProcessEx rather than _NtCreateProcess (the latter is now only a wrapper around it), and it is _PspCreateProcess@36 that does the actual work of creating the process:

PAGE:004B4649 call _PspCreateProcess@36 ; PspCreateProcess(x,x,x,x,x,x,x,x,x)

Process creation mainly consists of setting up the EPROCESS, creating the initial process address space, and so on; I won't go into that here. The PEB is set up through a call to _MmCreatePeb:

PAGE:004B428E push eax
PAGE:004B428F push ebx
PAGE:004B4290 push dword ptr [ebp-60h]
PAGE:004B4293 call MmCreateProcessAddressSpace@12 ; MmCreateProcessAddressSpace(x,x,x)

PAGE:004B43E5 lea eax, [ebx+1B0h]
PAGE:004B43EB push eax
PAGE:004B43EC lea eax, [ebp-40h]
PAGE:004B43EF push eax
PAGE:004B43F0 push ebx
PAGE:004B43F1 call MmCreatePeb@12 ; MmCreatePeb(x,x,x)

MmCreatePeb in turn does its work mainly by calling _MiCreatePebOrTeb:

PAGE:004B4A61 ; __stdcall MmCreatePeb(x,x,x)
PAGE:004B4A61 _MmCreatePeb@12 proc near ; CODE XREF: PspCreateProcess(x,x,x,x,x,x,x,x,x)+303p
PAGE:004B4A61
PAGE:004B4A61 ; FUNCTION CHUNK AT PAGE:005267FF SIZE 000000DC BYTES
PAGE:004B4A61
PAGE:004B4A61 push 3Ch
PAGE:004B4A63 push offset dword_42DAA8
PAGE:004B4A68 call __SEH_prolog
PAGE:004B4A6D xor ebx, ebx
PAGE:004B4A6F mov [ebp-20h], ebx
PAGE:004B4A72 mov [ebp-4Ch], ebx
PAGE:004B4A75 mov [ebp-48h], ebx
PAGE:004B4A78 mov [ebp-2Ch], ebx
PAGE:004B4A7B mov esi, [ebp+8]
PAGE:004B4A7E push esi
PAGE:004B4A7F call _KeAttachProcess@4 ; KeAttachProcess(x)
PAGE:004B4A84 push 2
PAGE:004B4A86 pop edi
PAGE:004B4A87 push edi
PAGE:004B4A88 push (offset loc_4FFFFE+2)
PAGE:004B4A8D push 1
PAGE:004B4A8F lea eax, [ebp-2Ch]
PAGE:004B4A92 push eax
PAGE:004B4A93 lea eax, [ebp-4Ch]
PAGE:004B4A96 push eax
PAGE:004B4A97 push ebx
PAGE:004B4A98 push ebx
PAGE:004B4A99 lea eax, [ebp-20h]
PAGE:004B4A9C push eax
PAGE:004B4A9D push esi
PAGE:004B4A9E push ds:_InitNlsSectionPointer
PAGE:004B4AA4 call _MmMapViewOfSection@40 ; MmMapViewOfSection(x,x,x,x,x,x,x,x,x,x)
PAGE:004B4AA9 mov [ebp-24h], eax
PAGE:004B4AAC cmp eax, ebx
PAGE:004B4AAE jl loc_5267FF
PAGE:004B4AB4 lea eax, [ebp-1Ch]

Note the 210h argument pushed below; it behaves like a flag. (210h is sizeof(PEB) on XP, so this is how MiCreatePebOrTeb tells a PEB allocation apart from a TEB allocation.) As we will see, if this argument is not 210h the mapped PEB address is not randomised at all and ends up where it always used to be, at 7FFDF000.

PAGE:004B4AB7 push eax
PAGE:004B4AB8 push 210h
; note this argument!
PAGE:004B4ABD push esi
PAGE:004B4ABE call _MiCreatePebOrTeb@12 ; MiCreatePebOrTeb(x,x,x)

The real work is done in _MiCreatePebOrTeb@12:

PAGE:004B01AE call ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
PAGE:004B01B3 mov esi, eax
PAGE:004B01B5 test esi, esi
PAGE:004B01B7 jz loc_52678E
PAGE:004B01BD mov eax, [ebp+arg_8]
PAGE:004B01C0 mov ecx, [ebp+arg_8]
PAGE:004B01C3 and eax, 0FFFh
PAGE:004B01C8 neg eax
PAGE:004B01CA sbb eax, eax
PAGE:004B01CC neg eax
PAGE:004B01CE shr ecx, 0Ch
PAGE:004B01FB cmp [ebp+arg_8], 210h
PAGE:004B0202 jz loc_4B4A0A
; here the pushed size argument is compared with 210h; what happens if it is not 210h?
PAGE:004B0208 loc_4B0208: ; CODE XREF: MiCreatePebOrTeb(x,x,x)+48ADj
PAGE:004B0208 mov edi, [ebp+arg_C]
PAGE:004B020B mov eax, _MmHighestUserAddress
PAGE:004B0210 push edi
PAGE:004B0211 push dword ptr [ebx+11Ch]
PAGE:004B0217 add eax, 0FFFF0001h
PAGE:004B021C push 1000h
PAGE:004B0221 push eax
PAGE:004B0222 mov eax, [ebp+arg_8]
PAGE:004B0225 add eax, 0FFFh
PAGE:004B022A and eax, 0FFFFF000h
PAGE:004B022F push eax
PAGE:004B0230 call _MiFindEmptyAddressRangeDownTree@20 ; MiFindEmptyAddressRangeDownTree(x,x,x,x,x)
PAGE:004B0235 test eax, eax
PAGE:004B0237 mov [ebp+arg_C], eax
PAGE:004B023A jl loc_5267A5

The key part is here:

PAGE:004B4A0A loc_4B4A0A: ; CODE XREF: MiCreatePebOrTeb(x,x,x)+66j
PAGE:004B4A0A mov edi, _MmHighestUserAddress
; always 7FFEFFFF
PAGE:004B4A10 lea eax, [ebp+var_C]
PAGE:004B4A13 push eax
PAGE:004B4A14 add edi, 0FFFF0001h
; edi is now 7FFE0000
PAGE:004B4A1A call _KeQueryTickCount@4 ; KeQueryTickCount(x)
PAGE:004B4A1F mov eax, [ebp+var_C]
PAGE:004B4A22 and eax, 0Fh
; only the low 4 bits of the tick count are kept, e.g. 0C in this run
PAGE:004B4A25 cmp eax, 1
; is eax at most 1 (i.e. 0 or 1)?
PAGE:004B4A28 mov [ebp+var_C], eax
PAGE:004B4A2B jbe loc_4B4928
; if so, jump off to fix it up
PAGE:004B4A31 loc_4B4A31: ; CODE XREF: MiCreatePebOrTeb(x,x,x)+4792j
PAGE:004B4A31 shl eax, 0Ch
PAGE:004B4A34 sub edi, eax
PAGE:004B4A36 lea eax, [edi+0FFFh]
PAGE:004B4A3C push eax
PAGE:004B4A3D push edi
PAGE:004B4A3E push ebx
PAGE:004B4A3F mov [ebp+var_4], edi

At loc_4B4928, if eax came out as 0 or 1 it is replaced by 2. This keeps the computed address from ever being the old 7FFDF000 (or 7FFE0000, the page just above it): the result becomes 7FFDE000 instead.

PAGE:004B4928 loc_4B4928: ; CODE XREF: MiCreatePebOrTeb(x,x,x)+488Fj
PAGE:004B4928 push 2
PAGE:004B492A pop eax
PAGE:004B492B mov [ebp+var_C], eax
PAGE:004B492E jmp loc_4B4A31

Because KeTickCount is the system tick counter, the value read here cannot be predicted in advance. KeQueryTickCount simply copies both halves of it out:

.text:0041CAA8 mov edi, edi
.text:0041CAAA push ebp
.text:0041CAAB mov ebp, esp
.text:0041CAAD mov ecx, _KeTickCount.High1Time
.text:0041CAB3 mov eax, [ebp+arg_4]
.text:0041CAB6 mov [eax+4], ecx
.text:0041CAB9 mov edx, _KeTickCount.LowPart
.text:0041CABF mov [eax], edx

From the analysis above: if the random value in eax comes out as 0, 1 or 2, the PEB is allocated at 7FFDE000 in every case. The point is to avoid the old 7FFDF000 address, which breaks all the existing heap exploit code that depended on it.

low nibble of tick count -> PEB address

0, 1, 2   7FFDE000
3         7FFDD000
4         7FFDC000
5         7FFDB000
6         7FFDA000
7         7FFD9000
8         7FFD8000
9         7FFD7000
A         7FFD6000
B         7FFD5000
C         7FFD4000
D         7FFD3000
E         7FFD2000
F         7FFD1000

The table above lists every possible PEB address. 7FFDE000 is the most likely, at 3/16 (nibbles 0, 1 and 2 all map to it); each of the other thirteen addresses has probability 1/16. Only fourteen candidate pages in all, which is why the randomisation is weak, but even so the old exploits can no longer work reliably. :)
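As an added example (not code from the original article, and not the kernel's own code), the following C model reproduces the PEB placement logic recovered from MiCreatePebOrTeb above and enumerates all sixteen nibble values, so the address table and the 3/16 figure can be checked rather than worked out by hand. The constants are the ones visible in the disassembly; the tick value is a constructed stand-in for KeQueryTickCount, and the hit counts assume the low nibble of the tick count is uniform, which is also what the table implicitly assumes.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from the original article: a C model of the
 * PEB placement logic recovered from MiCreatePebOrTeb on XP SP2.
 * Constants come from the listing; the tick value passed in is a
 * constructed stand-in for KeQueryTickCount.
 */

#define MM_HIGHEST_USER_ADDRESS 0x7FFEFFFFu /* _MmHighestUserAddress           */
#define PEB_SIZE                0x210u      /* the 210h argument: sizeof(PEB)   */
#define PRE_SP2_PEB_BASE        0x7FFDF000u /* fixed PEB address before SP2     */
#define PAGE_SHIFT              12          /* shl eax, 0Ch                     */
#define NIBBLE_VALUES           16          /* and eax, 0Fh leaves 16 outcomes  */

/* Mirrors the size test at 004B01FB: only an allocation of exactly
 * sizeof(PEB) takes the randomised path. A TEB (or any other size) goes
 * through MiFindEmptyAddressRangeDownTree instead, which is not modelled. */
int takes_randomised_path(uint32_t size)
{
    return size == PEB_SIZE;
}

/* Mirrors loc_4B4A0A .. loc_4B4A31 (with the loc_4B4928 fix-up):
 * the page base chosen for the PEB from the low 32 bits of KeTickCount. */
uint32_t peb_base_from_tick(uint32_t tick_low)
{
    uint32_t top = MM_HIGHEST_USER_ADDRESS + 0xFFFF0001u; /* = 0x7FFE0000    */
    uint32_t n = tick_low & 0xF;                          /* and eax, 0Fh    */
    if (n <= 1)                                           /* cmp eax,1 ; jbe */
        n = 2;                                            /* push 2 ; pop eax */
    return top - (n << PAGE_SHIFT);                       /* shl ; sub edi   */
}

/* How many of the 16 possible nibble values place the PEB at `base`.
 * Divided by 16 this is the probability for a uniformly random nibble. */
int nibble_hits_for_base(uint32_t base)
{
    int hits = 0;
    for (uint32_t n = 0; n < NIBBLE_VALUES; n++)
        if (peb_base_from_tick(n) == base)
            hits++;
    return hits;
}

/* Number of distinct PEB addresses the scheme can produce at all. */
int distinct_peb_bases(void)
{
    uint32_t seen[NIBBLE_VALUES];
    int count = 0;
    for (uint32_t n = 0; n < NIBBLE_VALUES; n++) {
        uint32_t b = peb_base_from_tick(n);
        int dup = 0;
        for (int i = 0; i < count; i++)
            if (seen[i] == b) { dup = 1; break; }
        if (!dup)
            seen[count++] = b;
    }
    return count;
}

int main(void)
{
    printf("nibble  PEB base\n");
    for (uint32_t n = 0; n < NIBBLE_VALUES; n++)
        printf("  %X     %08X\n", n, peb_base_from_tick(n));
    printf("distinct bases: %d\n", distinct_peb_bases());
    printf("P(7FFDE000) = %d/16, P(old 7FFDF000) = %d/16\n",
           nibble_hits_for_base(0x7FFDE000u),
           nibble_hits_for_base(PRE_SP2_PEB_BASE));
    return 0;
}
```

Running it prints the same fourteen addresses as the table, confirms that the old 7FFDF000 is never produced, and shows why 7FFDE000 comes up three times as often as any other page: the fix-up folds nibbles 0 and 1 onto 2.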
