【微软漏洞分析】MS10-015 Windows 内核异常处理程序漏洞(CVE-2010-0232)
目录
- MS10-015
- 摘要
- 补丁分析
- apphelp.dll
- ApphelpCheckModule
- InternalCheckRunApp
- SdbIsValidQueryResultLight
- kernel32.dll
- BaseCheckRunApp
- BaseQueryModuleData
- 重点分析
MS10-015
摘要
我们这里分析的是 Windows 内核异常处理程序漏洞 - CVE-2010-0232
网上常说的MS10-015是Windows 内核双重释放漏洞 - CVE-2010-0233,很少有人分析这个0232,实际上微软是把这两个漏洞共同定义为MS10-015。
官方说明里面写着:
- 只有 Windows 7 32 位存在 CVE-2010-0232 漏洞,而且 Windows 7 32 位不存在 CVE-2010-0233 漏洞
- windows7 64位不受这两个漏洞影响
补丁分析
我们这里以windows 7的x86的补丁分析,补丁解开之后的目录列表如下:
重点查看补丁文件为:
- \x86\a…ence-infrastructure_6.1.7600.16481
- apphelp.dll
- \x86\kernel32_6.1.7600.16481
- kernel32.dll
apphelp.dll
主要包括三个更新函数:
- ApphelpCheckModule
- InternalCheckRunApp
- SdbIsValidQueryResultLight
ApphelpCheckModule
更新前
// Pre-patch decompilation (IDA pseudocode) of apphelp!ApphelpCheckModule.
// Flow: consult the appcompat cache for DosName, then open the shim database and
// run ApphelpQueryExe over v17 (the 456-byte result buffer) and v16 (set when the
// cache reported flag 0x100). Returns v14, initialised to 1 and overwritten only
// when the database could be opened.
int __stdcall ApphelpCheckModule(const WCHAR *a1, int a2, int a3, int a4, int a5, char a6)
{
    int v6; // eax
    char v8; // [esp+0h] [ebp-1F8h]
    char v9; // [esp+4h] [ebp-1F4h]
    int v10; // [esp+Ch] [ebp-1ECh] BYREF
    _UNICODE_STRING NtName; // [esp+10h] [ebp-1E8h] BYREF
    PCWSTR DosName; // [esp+18h] [ebp-1E0h]
    int v13; // [esp+1Ch] [ebp-1DCh] BYREF
    int v14; // [esp+20h] [ebp-1D8h]
    PVOID P; // [esp+24h] [ebp-1D4h]
    int v16; // [esp+28h] [ebp-1D0h]
    int v17[114]; // [esp+2Ch] [ebp-1CCh] BYREF

    DosName = a1;
    NtName.Length = 0;
    *(_DWORD *)&NtName.MaximumLength = 0;
    HIWORD(NtName.Buffer) = 0;
    v14 = 1;
    v13 = 0;
    // 456 == sizeof(v17) (114 * 4); passed by address next to v17 to
    // BaseCheckAppcompatCacheEx -- presumably the buffer size (not verifiable here).
    v10 = 456;
    v16 = 0;
    if ( gdwInfrastructureFlags >= 0 )
        v6 = CheckAppcompatInfrastructureFlags() & 1;
    else
        v6 = gdwInfrastructureFlags & 1;
    if ( !v6 )
    {
        if ( RtlDosPathNameToRelativeNtPathName_U(DosName, &NtName, 0, 0)
          && BaseCheckAppcompatCacheEx(NtName.Buffer, -1, 0, &v13, &v10, v17) )
        {
            // v13 receives flags from the cache lookup. 0x100 -> v16 = 1 (forwarded to
            // ApphelpQueryExe together with the cache-filled v17); 0x200 -> v17 is
            // discarded; neither -> skip the database entirely.
            if ( (v13 & 0x100) != 0 )
            {
                v16 = 1;
            }
            else
            {
                if ( (v13 & 0x200) == 0 )
                    goto LABEL_8;
                memset(v17, 0, sizeof(v17));
            }
        }
        P = (PVOID)SdbInitDatabaseEx(0, 0, 332);
        if ( P )
        {
            // The only validation of the cache-supplied v17 before it reaches
            // ApphelpQueryExe is the "light" check (two bounded fields, see
            // SdbIsValidQueryResultLight). The patched build drops this block.
            if ( v16 && !SdbIsValidQueryResultLight(v17) )
            {
                v16 = 0;
                memset(v17, 0, sizeof(v17));
            }
            v14 = ApphelpQueryExe(P, DosName, a2, a6, v17, v16);
            // a5 == 0: clear dwords 32..39 and 43 of the result before the fix step.
            if ( !a5 )
            {
                v17[43] = 0;
                memset(&v17[32], 0, 0x20u);
            }
            if ( v14 && a3 )
                ApphelpFixExe((int)P, (wchar_t *)DosName, (int)v17, a4, a6);
            SdbReleaseDatabase(P);
        }
        else if ( g_iShimDebugLevel )
        {
            ShimDbgPrint(1, (int)"ApphelpCheckExe", "Failed to initialize database.\n", v8, v9);
        }
    }
LABEL_8:
    RtlFreeUnicodeString(&NtName);
    return v14;
}
更新后
// Post-patch decompilation (IDA pseudocode) of apphelp!ApphelpCheckModule.
// Same flow as the pre-patch listing above, but the SdbIsValidQueryResultLight
// gate (and the memset that accompanied it) is gone: v13 (set from cache flag
// 0x100) and the cache-filled v17 go to ApphelpQueryExe unconditionally. Where
// the result buffer is validated now is not visible in this listing.
// Returns v15, initialised to 1 and overwritten only when the database opens.
int __stdcall ApphelpCheckModule(const WCHAR *a1, int a2, int a3, int a4, int a5, char a6)
{
    int v6; // eax
    void *v8; // ebx
    char v9; // [esp+0h] [ebp-1F4h]
    char v10; // [esp+4h] [ebp-1F0h]
    int v11; // [esp+Ch] [ebp-1E8h] BYREF
    _UNICODE_STRING NtName; // [esp+10h] [ebp-1E4h] BYREF
    int v13; // [esp+18h] [ebp-1DCh]
    int v14; // [esp+1Ch] [ebp-1D8h] BYREF
    int v15; // [esp+20h] [ebp-1D4h]
    PCWSTR DosName; // [esp+24h] [ebp-1D0h]
    int v17[114]; // [esp+28h] [ebp-1CCh] BYREF

    DosName = a1;
    NtName.Length = 0;
    *(_DWORD *)&NtName.MaximumLength = 0;
    HIWORD(NtName.Buffer) = 0;
    v15 = 1;
    v14 = 0;
    // 456 == sizeof(v17) (114 * 4); presumably the buffer size for the cache lookup.
    v11 = 456;
    v13 = 0;
    if ( gdwInfrastructureFlags >= 0 )
        v6 = CheckAppcompatInfrastructureFlags() & 1;
    else
        v6 = gdwInfrastructureFlags & 1;
    if ( !v6 )
    {
        if ( RtlDosPathNameToRelativeNtPathName_U(DosName, &NtName, 0, 0)
          && BaseCheckAppcompatCacheEx(NtName.Buffer, -1, 0, &v14, &v11, v17) )
        {
            // v14 receives flags from the cache lookup: 0x100 -> v13 = 1 (cache-filled
            // v17 is used); 0x200 -> v17 is discarded; neither -> skip the database.
            if ( (v14 & 0x100) != 0 )
            {
                v13 = 1;
            }
            else
            {
                if ( (v14 & 0x200) == 0 )
                    goto LABEL_8;
                memset(v17, 0, sizeof(v17));
            }
        }
        v8 = (void *)SdbInitDatabaseEx(0, 0, 332);
        if ( v8 )
        {
            // No light validation of v17 here any more (compare the pre-patch listing).
            v15 = ApphelpQueryExe(v8, DosName, a2, a6, v17, v13);
            // a5 == 0: clear dwords 32..39 and 43 of the result before the fix step.
            if ( !a5 )
            {
                v17[43] = 0;
                memset(&v17[32], 0, 0x20u);
            }
            if ( v15 && a3 )
                ApphelpFixExe((int)v8, (wchar_t *)DosName, (int)v17, a4, a6);
            SdbReleaseDatabase(v8);
        }
        else if ( g_iShimDebugLevel )
        {
            ShimDbgPrint(1, (int)"ApphelpCheckExe", "Failed to initialize database.\n", v9, v10);
        }
    }
LABEL_8:
    RtlFreeUnicodeString(&NtName);
    return v15;
}
InternalCheckRunApp
更新前
// Pre-patch decompilation (IDA pseudocode) of apphelp!InternalCheckRunApp.
// a7 (v66): caller's flag word, read and updated in place. a19 (v68): caller's
// query-result buffer -- 0x1C8 bytes are written through it (the decompiler shows
// the fallback local v71 as a single char, but the memset below covers 0x1C8).
// a18: receives the database handle. Returns v63, initialised to 1.
// JUMPOUT(...) marks a branch target the decompiler could not fold into this function.
BOOL __stdcall InternalCheckRunApp(void *a1, int a2, int a3, const WCHAR *a4, WCHAR *a5, int a6, unsigned int *a7, int a8, int a9, _DWORD *a10, _DWORD *a11, _DWORD *a12, int a13, int a14, _WORD *a15, int a16, void *a17, _DWORD *a18, void *a19)
{
    _DWORD *v19; // esi
    _DWORD *v20; // esi
    int *v21; // esi
    int v22; // ecx
    int v23; // eax
    int v24; // eax
    char *v26; // eax
    char v27; // di
    PVOID v28; // eax
    unsigned int *v29; // edi
    void *v30; // eax
    unsigned int v31; // edi
    _DWORD *v32; // edi
    int v33; // eax
    _DWORD *v34; // esi
    int v35; // eax
    int v36; // eax
    unsigned int *v37; // esi
    char v38; // [esp+0h] [ebp-27Ch]
    char v39; // [esp+4h] [ebp-278h]
    char v40[4]; // [esp+Ch] [ebp-270h] BYREF
    char argList[4]; // [esp+10h] [ebp-26Ch]
    int v42; // [esp+3Ch] [ebp-240h]
    _DWORD *v43; // [esp+40h] [ebp-23Ch]
    int v44; // [esp+44h] [ebp-238h]
    _DWORD *v45; // [esp+48h] [ebp-234h]
    int v46; // [esp+4Ch] [ebp-230h]
    _WORD *v47; // [esp+50h] [ebp-22Ch]
    int v48; // [esp+54h] [ebp-228h] BYREF
    int v49; // [esp+58h] [ebp-224h]
    int v50; // [esp+5Ch] [ebp-220h]
    int v51; // [esp+60h] [ebp-21Ch] BYREF
    unsigned int v52; // [esp+64h] [ebp-218h] BYREF
    char v53[4]; // [esp+68h] [ebp-214h]
    HANDLE hObject; // [esp+6Ch] [ebp-210h]
    int v55; // [esp+70h] [ebp-20Ch]
    BOOL v56; // [esp+74h] [ebp-208h]
    void *v57; // [esp+78h] [ebp-204h]
    void *Src; // [esp+7Ch] [ebp-200h] BYREF
    _DWORD *v59; // [esp+80h] [ebp-1FCh]
    int v60; // [esp+84h] [ebp-1F8h] BYREF
    int v61; // [esp+88h] [ebp-1F4h] BYREF
    int v62; // [esp+8Ch] [ebp-1F0h]
    BOOL v63; // [esp+90h] [ebp-1ECh]
    PWSTR Environment; // [esp+94h] [ebp-1E8h]
    PCWSTR SourceString; // [esp+98h] [ebp-1E4h]
    unsigned int *v66; // [esp+9Ch] [ebp-1E0h]
    PVOID P; // [esp+A0h] [ebp-1DCh]
    void *v68; // [esp+A4h] [ebp-1D8h]
    int v69; // [esp+A8h] [ebp-1D4h] BYREF
    PVOID v70; // [esp+ACh] [ebp-1D0h]
    char v71; // [esp+B0h] [ebp-1CCh] BYREF

    // Copy the arguments into locals and zero every out-parameter / state slot.
    hObject = a1;
    v44 = a2;
    SourceString = a4;
    Environment = a5;
    v66 = a7;
    v46 = a8;
    v50 = a9;
    v45 = a10;
    v43 = a11;
    v59 = a12;
    v42 = a14;
    v49 = a16;
    v57 = a17;
    v68 = a19;
    v61 = 0;
    v47 = a15;
    v63 = 1;
    P = 0;
    v69 = 0;
    v56 = 0;
    v70 = 0;
    v60 = 0;
    Src = 0;
    v62 = 0;
    v52 = 0;
    *(_DWORD *)v53 = 0;
    v55 = 1;
    if ( a18 )
        *a18 = 0;
    if ( a15 )
        *a15 = 0;
    if ( v57 )
        memset(v57, 0, 0x48u);
    // Use the caller's result buffer, or the local one when none was given.
    v26 = (char *)v68;
    if ( !v68 )
        v26 = &v71;
    v68 = v26;
    // -1073741789 == 0xC0000023 (STATUS_BUFFER_TOO_SMALL): the probe call with a NULL
    // buffer is expected to fail and leave the required length in v69.
    if ( ConvertNtPathToDosPath(SourceString, 0, (int)&v69) == -1073741789 )
    {
        v27 = 2 * v69;
        // 8 == HEAP_ZERO_MEMORY; size is 2 * v69 (wide characters).
        v28 = RtlAllocateHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 8u, 2 * v69);
        P = v28;
        if ( !v28 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1,(int)"InternalCheckRunApp","Failed to allocate '%ld' bytes for path '%S'\n",v27,(char)SourceString);
            goto LABEL_55;
        }
        if ( ConvertNtPathToDosPath(SourceString, v28, (int)&v69) < 0 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to convert path '%S' to DOS.\n", (char)SourceString, v38);
            goto LABEL_55;
        }
        // v69 is reused: bit 1 of the caller's flags (1 when no flag word was given).
        v29 = v66;
        if ( v66 )
            v69 = (*v66 >> 1) & 1;
        else
            v69 = 1;
        v30 = (void *)SdbInitDatabaseEx(0, 0, a6);
        v70 = v30;
        if ( a18 )
            *a18 = v30;
        if ( !v30 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to initialize the database.\n", v38, v39);
            goto LABEL_55;
        }
        if ( !v29 )
            goto LABEL_25;
        v31 = *v29;
        // Flag 0x400: control flow the decompiler could not recover.
        if ( (v31 & 0x400) != 0 )
            JUMPOUT(0x6F008A34);
        // Caller flag 0x100 (cache hit, presumably) with no compat-layer environment
        // variable: the caller-supplied result buffer is accepted after only the
        // "light" check (two bounded fields), and on success the SdbGetMatchingExeEx
        // lookup below is skipped entirely (goto LABEL_77). The patched build removes
        // this check.
        if ( (v31 & 0x100) != 0 )
        {
            v32 = v68;
            if ( !DetectCompatLayerEnvironmentVariable(Environment) )
            {
                v36 = SdbIsValidQueryResultLight(v68);
                v55 = v36;
                if ( v36 )
                {
                    *((_DWORD *)v68 + 48) |= 4u;
                    v37 = v66;
                    goto LABEL_77;
                }
            }
        }
        else
        {
LABEL_25:
            v32 = v68;
        }
        // Full lookup path: zero the 0x1C8-byte result buffer and query the database.
        memset(v32, 0, 0x1C8u);
        v37 = v66;
        // Light check failed: clear 0x100 and set 0x80000 in the caller's flags.
        // kernel32!BaseCheckRunApp (pre-patch) tests 0x80000 when deciding whether to
        // re-cache; the patched build drops both sides of this handshake.
        if ( !v55 )
            *v66 = *v66 & 0xFFFFFEFF | 0x80000;
        if ( SdbGetMatchingExeEx(v70, (int)P, v44, a3, v42, (int)Environment, v53[0], v32) && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"InternalCheckRunApp", "Found %ws in the app compat database\n", (char)P, v38);
LABEL_77:
        // The patched build calls IdentifyCandidates with five arguments instead of seven.
        if ( v37 && !IdentifyCandidates(0, (char)v37, (int)v70, hObject, SourceString, *v37, (int)v32) && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"IdentifyCandidates", "Failed to identify candidates.\n", v38, v39);
        // Optional out-parameters: flag masks 20494 / 20496 / 20497 from the result.
        if ( v45 )
        {
            SdbQueryFlagMask((char)v32, (int)v70, v32, 20494, &v61, 0);
            *v45 = v61;
        }
        v19 = v43;
        if ( v43 )
        {
            SdbQueryFlagMask((char)v32, (int)v70, v32, 20496, &v61, 0);
            *v43 = v61;
            v19[1] = v62;
        }
        if ( v59 )
        {
            SdbQueryFlagMask((char)v32, (int)v70, v32, 20497, &v61, 0);
            *v59 = v61;
        }
        ParseSdbQueryResult((int)v70, v32, &v60, &v52, v40, &Src);
        // Environment and v59 are reused by the decompiler as plain booleans from here:
        // Environment = "an apphelp entry (v60) was found", v59 = NoUI bit of v52.
        Environment = (PWSTR)(v60 != 0);
        if ( !v60 )
            goto LABEL_36;
        v59 = (_DWORD *)((v52 >> 2) & 1);
        if ( v59 && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"InternalCheckRunApp", "NoUI flag is set, apphelp UI disabled for this app.\n", v38, v39);
        // argList holds the severity reported by ParseSdbQueryResult (per the debug
        // message below); only values 1..4 are handled.
        v33 = *(_DWORD *)argList;
        if ( *(_DWORD *)argList && *(_DWORD *)argList <= 4u )
        {
            v34 = v57;
            if ( v57 )
                *((_DWORD *)v57 + 1) = *(_DWORD *)argList;
            if ( v59 )
            {
                // NoUI: severity 2 makes the function return FALSE.
                v63 = v33 != 2;
            }
            else
            {
                v35 = v60;
                v32[41] = v60;
                if ( v34 && SdbTagRefToTagID(v70, v35, &v48, &v51) && SdbGetDatabaseGUID(v70, v48, v34 + 8) )
                    v34[7] = v51;
                v63 = 1;
            }
        }
        else
        {
            if ( !g_iShimDebugLevel )
                goto LABEL_36;
            ShimDbgPrint(2, (int)"InternalCheckRunApp", "Unhandled severity flag 0x%x.\n", argList[0], v38);
        }
        if ( !v63 )
        {
LABEL_41:
            // Update the caller's flag word only when the result did not come from the
            // cache (0x100 clear), bit 1 is clear, and the tagref (if any) is from the
            // main database: set 0x10000 plus 0x20000 ("nothing found") or 0x40000.
            v21 = (int *)v66;
            if ( (!v66 || (*v66 & 0x100) == 0) && !v69 && (!*v32 || SdbIsTagrefFromMainDB(*v32)) )
            {
                v22 = 1;
                if ( ((v32[48] >> 5) & 1) == 0 && ((v32[48] >> 4) & 1) == 0 )
                {
                    if ( *v32 || v32[32] || Environment || v56 )
                        v22 = 0;
                    if ( hObject != (HANDLE)-1 )
                    {
                        *v21 |= 0x10000u;
                        v23 = *v21;
                        if ( v22 )
                            v24 = v23 | 0x20000;
                        else
                            v24 = v23 | 0x40000;
                        *v21 = v24;
                    }
                }
            }
            goto LABEL_55;
        }
LABEL_36:
        v20 = (_DWORD *)v46;
        if ( v46 && Src )
        {
            GetExeSxsData((int)v70, Src, v46, v50);
            v56 = *v20 != 0;
        }
        if ( a13 )
            GetExeNTVDMData(v70, v32, v47, v49);
        goto LABEL_41;
    }
    if ( !g_iShimDebugLevel )
        goto LABEL_57;
    ShimDbgPrint(1, (int)"InternalCheckRunApp", "Unexpected return result for call to ConvertNtPathToDosPath\n", v38, v39);
LABEL_55:
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
LABEL_57:
    // The database handle is kept open when a13 is set (it was also handed out via a18).
    if ( !a13 && v70 )
        SdbReleaseDatabase(v70);
    return v63;
}
更新后
// Post-patch decompilation (IDA pseudocode) of apphelp!InternalCheckRunApp.
// Differences from the pre-patch listing above: the SdbIsValidQueryResultLight
// gate and the "clear 0x100 / set 0x80000" flag rewrite are gone, the cache-hit
// branch now just marks the caller's buffer and skips the lookup, and
// IdentifyCandidates takes five arguments. The parameter types are untyped ints
// here because the decompiler had no prototype for this build.
// a7 (v58): caller's flag word; a19 (v65): 0x1C8-byte result buffer (local
// fallback v68); a18: receives the database handle. Returns v61, initialised to 1.
BOOL __stdcall InternalCheckRunApp(int a1, int a2, int a3, int a4, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, int a13, int a14, int a15, int a16, void *a17, int a18, int a19)
{
    char *v19; // eax
    char v20; // di
    PVOID v21; // eax
    int *v22; // edi
    void *v23; // eax
    int v24; // edi
    _DWORD *v25; // edi
    _DWORD *v26; // ebx
    _DWORD *v27; // ebx
    int *v28; // ebx
    int v29; // ecx
    int v30; // eax
    int v31; // eax
    int v33; // eax
    _DWORD *v34; // ebx
    int v35; // eax
    char v36; // [esp+0h] [ebp-278h]
    char v37; // [esp+4h] [ebp-274h]
    char v38[4]; // [esp+Ch] [ebp-26Ch] BYREF
    char argList[4]; // [esp+10h] [ebp-268h]
    _DWORD *v40; // [esp+3Ch] [ebp-23Ch]
    _DWORD *v41; // [esp+40h] [ebp-238h]
    int v42; // [esp+44h] [ebp-234h] BYREF
    _DWORD *v43; // [esp+48h] [ebp-230h]
    int v44; // [esp+4Ch] [ebp-22Ch]
    int v45; // [esp+50h] [ebp-228h]
    int v46; // [esp+54h] [ebp-224h] BYREF
    int v47; // [esp+58h] [ebp-220h]
    int v48; // [esp+5Ch] [ebp-21Ch]
    int v49; // [esp+60h] [ebp-218h]
    int v50; // [esp+64h] [ebp-214h]
    char v51[4]; // [esp+68h] [ebp-210h]
    BOOL v52; // [esp+6Ch] [ebp-20Ch]
    unsigned int v53; // [esp+70h] [ebp-208h] BYREF
    HANDLE hObject; // [esp+74h] [ebp-204h]
    int v55; // [esp+78h] [ebp-200h] BYREF
    _DWORD *v56; // [esp+7Ch] [ebp-1FCh]
    void *Src; // [esp+80h] [ebp-1F8h] BYREF
    int *v58; // [esp+84h] [ebp-1F4h]
    int v59; // [esp+88h] [ebp-1F0h] BYREF
    int v60; // [esp+8Ch] [ebp-1ECh]
    BOOL v61; // [esp+90h] [ebp-1E8h]
    PWSTR Environment; // [esp+94h] [ebp-1E4h]
    PCWSTR SourceString; // [esp+98h] [ebp-1E0h]
    PVOID P; // [esp+9Ch] [ebp-1DCh]
    void *v65; // [esp+A0h] [ebp-1D8h]
    int v66; // [esp+A4h] [ebp-1D4h] BYREF
    PVOID v67; // [esp+A8h] [ebp-1D0h]
    char v68; // [esp+ACh] [ebp-1CCh] BYREF

    // Copy the arguments into locals and zero every out-parameter / state slot.
    hObject = (HANDLE)a1;
    v48 = a2;
    SourceString = (PCWSTR)a4;
    Environment = (PWSTR)a5;
    v58 = (int *)a7;
    v44 = a8;
    v49 = a9;
    v43 = (_DWORD *)a10;
    v41 = (_DWORD *)a11;
    v56 = (_DWORD *)a12;
    v50 = a14;
    v47 = a16;
    v65 = (void *)a19;
    v59 = 0;
    v45 = a15;
    v40 = a17;
    v61 = 1;
    P = 0;
    v66 = 0;
    v52 = 0;
    v67 = 0;
    v55 = 0;
    Src = 0;
    v60 = 0;
    v53 = 0;
    *(_DWORD *)v51 = 0;
    if ( a18 )
        *(_DWORD *)a18 = 0;
    if ( a15 )
        *(_WORD *)a15 = 0;
    if ( a17 )
        memset(a17, 0, 0x48u);
    // Use the caller's result buffer, or the local one when none was given.
    v19 = (char *)v65;
    if ( !v65 )
        v19 = &v68;
    v65 = v19;
    // -1073741789 == 0xC0000023 (STATUS_BUFFER_TOO_SMALL): the probe call with a NULL
    // buffer is expected to fail and leave the required length in v66.
    if ( ConvertNtPathToDosPath(SourceString, 0, (int)&v66) == -1073741789 )
    {
        v20 = 2 * v66;
        // 8 == HEAP_ZERO_MEMORY; size is 2 * v66 (wide characters).
        v21 = RtlAllocateHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 8u, 2 * v66);
        P = v21;
        if ( !v21 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1,(int)"InternalCheckRunApp","Failed to allocate '%ld' bytes for path '%S'\n",v20,(char)SourceString);
            goto LABEL_50;
        }
        if ( ConvertNtPathToDosPath(SourceString, v21, (int)&v66) < 0 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to convert path '%S' to DOS.\n", (char)SourceString, v36);
            goto LABEL_50;
        }
        // v66 is reused: bit 1 of the caller's flags (1 when no flag word was given).
        v22 = v58;
        if ( v58 )
            v66 = ((unsigned int)*v58 >> 1) & 1;
        else
            v66 = 1;
        v23 = (void *)SdbInitDatabaseEx(0, 0, a6);
        v67 = v23;
        if ( a18 )
            *(_DWORD *)a18 = v23;
        if ( !v23 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to initialize the database.\n", v36, v37);
            goto LABEL_50;
        }
        if ( !v22 )
            goto LABEL_20;
        v24 = *v22;
        // Flag 0x400: control flow the decompiler could not recover.
        if ( (v24 & 0x400) != 0 )
            JUMPOUT(0x6F0089F4);
        // Caller flag 0x100 (cache hit, presumably) with no compat-layer environment
        // variable: bit 4 of dword 48 in the caller's buffer is set and the lookup
        // is skipped. No SdbIsValidQueryResultLight call here any more; the buffer
        // is presumably validated before this function is reached (not visible here).
        if ( (v24 & 0x100) != 0 && !DetectCompatLayerEnvironmentVariable(Environment) )
        {
            v25 = v65;
            *((_DWORD *)v65 + 48) |= 4u;
        }
        else
        {
LABEL_20:
            // Full lookup path: zero the 0x1C8-byte result buffer and query the database.
            memset(v65, 0, 0x1C8u);
            if ( SdbGetMatchingExeEx(v67, (int)P, v48, a3, v50, (int)Environment, v51[0], v65) && g_iShimDebugLevel )
                ShimDbgPrint(3, (int)"InternalCheckRunApp", "Found %ws in the app compat database\n", (char)P, v36);
            v25 = v65;
        }
        if ( v58 && !IdentifyCandidates((int)v67, hObject, SourceString, *v58, (int)v25) && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"IdentifyCandidates", "Failed to identify candidates.\n", v36, v37);
        // Optional out-parameters: flag masks 20494 / 20496 / 20497 from the result.
        if ( v43 )
        {
            SdbQueryFlagMask((char)v25, (int)v67, v25, 20494, &v59, 0);
            *v43 = v59;
        }
        v26 = v41;
        if ( v41 )
        {
            SdbQueryFlagMask((char)v25, (int)v67, v25, 20496, &v59, 0);
            *v41 = v59;
            v26[1] = v60;
        }
        if ( v56 )
        {
            SdbQueryFlagMask((char)v25, (int)v67, v25, 20497, &v59, 0);
            *v56 = v59;
        }
        ParseSdbQueryResult(v67, v25, &v55, &v53, v38, &Src);
        // Environment and v56 are reused by the decompiler as plain booleans from here:
        // Environment = "an apphelp entry (v55) was found", v56 = NoUI bit of v53.
        Environment = (PWSTR)(v55 != 0);
        if ( !v55 )
            goto LABEL_31;
        v56 = (_DWORD *)((v53 >> 2) & 1);
        if ( v56 && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"InternalCheckRunApp", "NoUI flag is set, apphelp UI disabled for this app.\n", v36, v37);
        // argList holds the severity reported by ParseSdbQueryResult (per the debug
        // message below); only values 1..4 are handled.
        v33 = *(_DWORD *)argList;
        if ( *(_DWORD *)argList && *(_DWORD *)argList <= 4u )
        {
            v34 = v40;
            if ( v40 )
                v40[1] = *(_DWORD *)argList;
            if ( v56 )
            {
                // NoUI: severity 2 makes the function return FALSE.
                v61 = v33 != 2;
            }
            else
            {
                v35 = v55;
                v25[41] = v55;
                if ( v34 && SdbTagRefToTagID(v67, v35, &v46, &v42) && SdbGetDatabaseGUID(v67, v46, v34 + 8) )
                    v34[7] = v42;
                v61 = 1;
            }
        }
        else
        {
            if ( !g_iShimDebugLevel )
                goto LABEL_31;
            ShimDbgPrint(2, (int)"InternalCheckRunApp", "Unhandled severity flag 0x%x.\n", argList[0], v36);
        }
        if ( !v61 )
        {
LABEL_36:
            // Update the caller's flag word only when the result did not come from the
            // cache (0x100 clear), bit 1 is clear, and the tagref (if any) is from the
            // main database: set 0x10000 plus 0x20000 ("nothing found") or 0x40000.
            v28 = v58;
            if ( (!v58 || (*v58 & 0x100) == 0) && !v66 && (!*v25 || SdbIsTagrefFromMainDB(*v25)) )
            {
                v29 = 1;
                if ( ((v25[48] >> 5) & 1) == 0 && ((v25[48] >> 4) & 1) == 0 )
                {
                    if ( *v25 || v25[32] || Environment || v52 )
                        v29 = 0;
                    if ( hObject != (HANDLE)-1 )
                    {
                        *v28 |= 0x10000u;
                        v30 = *v28;
                        if ( v29 )
                            v31 = v30 | 0x20000;
                        else
                            v31 = v30 | 0x40000;
                        *v28 = v31;
                    }
                }
            }
            goto LABEL_50;
        }
LABEL_31:
        v27 = (_DWORD *)v44;
        if ( v44 && Src )
        {
            GetExeSxsData((int)v67, Src, v44, v49);
            v52 = *v27 != 0;
        }
        if ( a13 )
            GetExeNTVDMData(v67, v25, v45, v47);
        goto LABEL_36;
    }
    if ( !g_iShimDebugLevel )
        goto LABEL_52;
    ShimDbgPrint(1, (int)"InternalCheckRunApp", "Unexpected return result for call to ConvertNtPathToDosPath\n", v36, v37);
LABEL_50:
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
LABEL_52:
    // The database handle is kept open when a13 is set (it was also handed out via a18).
    if ( !a13 && v67 )
        SdbReleaseDatabase(v67);
    return v61;
}
SdbIsValidQueryResultLight
更新前
; BOOL __stdcall SdbIsValidQueryResultLight(int a1)
; Pre-patch apphelp!SdbIsValidQueryResultLight (x86 disassembly). Returns 1 only
; when the pointer is non-NULL, dword [a1+0A8h] <= 10h and dword [a1+0ACh] <= 8;
; no other field of the result buffer is examined. Removed by the patch.
SdbIsValidQueryResultLight(x) proc near
    mov     edi, edi                ; hot-patch prologue (2-byte nop)
    push    ebp
    mov     ebp, esp
    mov     eax, [ebp+arg_0]        ; eax = a1 (result buffer)
    test    eax, eax
    jz      short loc_6F0214F7      ; NULL -> return 0
loc_6f0214e0:
    cmp     dword ptr [eax+0A8h], 10h
    ja      short loc_6F0214F7      ; unsigned compare: > 0x10 -> return 0
loc_6f0214e9:
    cmp     dword ptr [eax+0ACh], 8
    ja      short loc_6F0214F7      ; unsigned compare: > 8 -> return 0
loc_6f0214f2:
    xor     eax, eax
    inc     eax                     ; return 1
    jmp     short loc_6F0214F9
loc_6f0214f7:
    xor     eax, eax                ; return 0
loc_6f0214f9:
    pop     ebp
    retn    4                       ; __stdcall: callee pops the one argument
SdbIsValidQueryResultLight(x) endp
// Pre-patch decompilation of apphelp!SdbIsValidQueryResultLight.
// "Light" validation of a query-result buffer: non-NULL, dword at +168 (0xA8)
// <= 0x10 and dword at +172 (0xAC) <= 8, both compared unsigned. Nothing else in
// the buffer (0x1C8 bytes, per the memset in InternalCheckRunApp) is checked,
// which is why the callers on this page treated it as insufficient. Removed by
// the patch.
BOOL __stdcall SdbIsValidQueryResultLight(int a1)
{
    return a1 && *(_DWORD *)(a1 + 168) <= 0x10u && *(_DWORD *)(a1 + 172) <= 8u;
}
更新后:无此函数
kernel32.dll
主要包括以下更新函数:
- BaseCheckRunApp
- BaseQueryModuleData
BaseCheckRunApp
更新前
// Pre-patch decompilation (IDA pseudocode) of kernel32!BaseCheckRunApp.
// v13 keeps the caller's flags (a6) as passed in; a6 itself is handed to the
// lookup by address and can come back modified. P (the allocated DOS path, also
// passed by address) is freed here. Returns BaseAddress, initialised to 1 and
// updated through the out-pointer by the lookup.
int __stdcall BaseCheckRunApp(HANDLE SectionHandle, int a2, int a3, PWSTR Environment, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, PVOID P)
{
    int v13; // esi
    int BaseAddress; // [esp+4h] [ebp-4h] BYREF

    v13 = a6;
    BaseAddress = 1;
    // sub_77E21BE9 is named BasepLookupApp in the patched listing.
    if ( sub_77E21BE9(SectionHandle,a2,a3,Environment,a5,(int)&a6,a7,a8,a9,a10,a11,a12,(int)P,(int)&P,&BaseAddress) < 0 )
        return BaseAddress;
    // Cache the app (sub_77E21F10 == BasepCacheApp in the patched listing) when the
    // lookup left 0x20000/0x40000 in the updated flags and either the input was
    // not a cache hit (0x100 clear) or the lookup set 0x80000 -- the bit
    // apphelp!InternalCheckRunApp (pre-patch) sets when its light validation of a
    // cached result fails. The patch drops the 0x80000 clause.
    if ( ((v13 & 0x100) == 0 || (a6 & 0x80000) != 0) && (a6 & 0x60000) != 0 )
        sub_77E21F10(a3, a2, P, a5, v13);
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
    return BaseAddress;
}
更新后
// Post-patch decompilation (IDA pseudocode) of kernel32!BaseCheckRunApp.
// Identical to the pre-patch listing except that the re-cache condition no
// longer has the "(a6 & 0x80000)" escape hatch: once the input flags carry 0x100
// (cache hit) the entry is never re-cached from here. Returns BaseAddress,
// initialised to 1 and updated through the out-pointer by BasepLookupApp.
int __stdcall BaseCheckRunApp(HANDLE SectionHandle, int a2, int a3, PWSTR Environment, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, PVOID P)
{
    int v13; // esi
    int BaseAddress; // [esp+4h] [ebp-4h] BYREF

    // v13 = flags as passed in; a6 is updated by the lookup through &a6.
    v13 = a6;
    BaseAddress = 1;
    if ( BasepLookupApp(SectionHandle,a2,a3,Environment,a5,(int)&a6,a7,a8,a9,a10,a11,a12,(int)P,(int)&P,&BaseAddress) < 0 )
        return BaseAddress;
    // Cache only non-cache-hit lookups that reported 0x20000/0x40000.
    if ( (v13 & 0x100) == 0 && (a6 & 0x60000) != 0 )
        BasepCacheApp(a3, a2, P, a5, v13);
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
    return BaseAddress;
}
BaseQueryModuleData
更新前
// Pre-patch decompilation (IDA pseudocode) of kernel32!BaseQueryModuleData.
// Consults the appcompat cache for SourceString; on a cache hit (flag 0x100 in
// v9) the cached 456-byte result v13 is handed to BasepQueryModuleDataEx, but
// only after SdbIsValidQueryResultLight accepts it -- otherwise a fresh
// BasepQueryModuleData lookup is made. Returns 0 when the shim infrastructure is
// disabled or the cache says neither 0x100 nor 0x200.
char __stdcall BaseQueryModuleData(PCWSTR SourceString, int a2, int a3, int a4, int a5, int a6, int a7)
{
    int v8; // [esp+Ch] [ebp-1E0h] BYREF
    int v9; // [esp+10h] [ebp-1DCh] BYREF
    int v10; // [esp+14h] [ebp-1D8h]
    int v11; // [esp+18h] [ebp-1D4h]
    int v12; // [esp+1Ch] [ebp-1D0h]
    int v13[114]; // [esp+20h] [ebp-1CCh] BYREF

    v11 = a5;
    v12 = a6;
    v10 = a7;
    // 456 == sizeof(v13) (114 * 4); presumably the buffer size for the cache lookup.
    v8 = 456;
    if ( IsShimInfrastructureDisabled() )
        return 0;
    // (HANDLE)0xFFFFFFFF: presumably the current-process pseudo handle (not verifiable here).
    if ( !BaseCheckAppcompatCacheEx(SourceString, (HANDLE)0xFFFFFFFF, 0, (int)&v9, (int)&v8, (int)v13) )
        return BasepQueryModuleData(SourceString, a2, a3, a4, v11, v12, v10);
    if ( (v9 & 0x100) == 0 )
    {
        if ( (v9 & 0x200) != 0 )
            return BasepQueryModuleData(SourceString, a2, a3, a4, v11, v12, v10);
        return 0;
    }
    // Light check of the cached result (two bounded fields only); the patched
    // build removes this gate and trusts v13 on 0x100 directly.
    if ( !SdbIsValidQueryResultLight(v13) )
        return BasepQueryModuleData(SourceString, a2, a3, a4, v11, v12, v10);
    return BasepQueryModuleDataEx(SourceString, a2, a3, a4, v11, v12, v10, v13);
}
更新后
// Post-patch decompilation (IDA pseudocode) of kernel32!BaseQueryModuleData.
// Same flow as the pre-patch listing, minus the SdbIsValidQueryResultLight gate:
// a cache hit (flag 0x100 in v9) now goes straight to BasepQueryModuleDataEx with
// the cached v13. Where that buffer is validated now is not visible here.
// Returns 0 when the shim infrastructure is disabled or the cache reports neither
// 0x100 nor 0x200.
char __stdcall BaseQueryModuleData(PCWSTR SourceString, int a2, int a3, int a4, int a5, int a6, int a7)
{
    int v8; // [esp+Ch] [ebp-1E0h] BYREF
    int v9; // [esp+10h] [ebp-1DCh] BYREF
    int v10; // [esp+14h] [ebp-1D8h]
    int v11; // [esp+18h] [ebp-1D4h]
    int v12; // [esp+1Ch] [ebp-1D0h]
    int v13[114]; // [esp+20h] [ebp-1CCh] BYREF

    v11 = a5;
    v12 = a6;
    v10 = a7;
    // 456 == sizeof(v13) (114 * 4); presumably the buffer size for the cache lookup.
    v8 = 456;
    if ( IsShimInfrastructureDisabled() )
        return 0;
    if ( !BaseCheckAppcompatCacheEx(SourceString, (HANDLE)0xFFFFFFFF, 0, (int)&v9, (int)&v8, (int)v13) )
        return BasepQueryModuleData(SourceString, a2, a3, a4, v11, v12, v10);
    // Cache hit: use the cached result directly (no light check any more).
    if ( (v9 & 0x100) != 0 )
        return BasepQueryModuleDataEx(SourceString, a2, a3, a4, v11, v12, v10, v13);
    if ( (v9 & 0x200) != 0 )
        return BasepQueryModuleData(SourceString, a2, a3, a4, v11, v12, v10);
    return 0;
}
重点分析
SdbIsValidQueryResultLight 的调用在两个 dll 中都被去除了(apphelp.dll 中该函数本身也已不存在),说明此函数对应的检查不够充分,不足以作为判断依据。