360网盾 广告拦截模块崩溃分析
声明：此Bug不是本人发现的，所做的工作是对Bug成因进行分析，分析的过程中自己学到了很多东西，
在此感谢提供此Bug的坛友：xuecniao，是你让我有了这次锻炼的机会。
分析过程是逆向分析的，希望能和大家多多交流。其中有错误之处欢迎指正。
1.分析环境:
Windwos XP SP3_CN（虚拟机）
360安全卫士8.7.2002(最新版)
备用木马库版本：2012.11.3.1

工具:
IDA 5.5
Windbg
OD

2.分析过程
样本代码如下：
xp3系统，ie8，360安全卫士-7.6.0.1130

<A href="file:///c:\windows\system32\BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB">按一下</A>　

65448f26 8b4c2404        mov     ecx,dword ptr [esp+4]
65448f2a 66833900        cmp     word ptr [ecx],0         ds:0023:00000000=????
65448f2e 8d4102          lea     eax,[ecx+2]
65448f31 740a            je      Adfilter!OnTrayMsg+0x2119b (65448f3d)

0:008> r
eax=00000000 ebx=00000000 ecx=00000000 edx=000000c0 esi=0211e354 edi=02b24c14
eip=65448f2a esp=0211e170 ebp=0211e1ac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Adfilter!OnTrayMsg+0x21188:
65448f2a 66833900        cmp     word ptr [ecx],0         ds:0023:00000000=????

		0:008> !lmi Adfilter
		Loaded Module Info: [adfilter] 
				 Module: Adfilter
		   Base Address: 65400000
			 Image Name: C:\Program Files\360\360safe\safemon\Adfilter.dll
		   Machine Type: 332 (I386)
			 Time Stamp: 4f558bc0 Tue Mar 06 12:00:00 2012
				   Size: ab000
			   CheckSum: b1275
		Characteristics: 210e  
		Debug Data Dirs: Type  Size     VA  Pointer
					 CODEVIEW    45,     0,   a8000  [Debug data not mapped] - Can't validate symbols, if present.
			 Image Type: FILE     - Image read successfully from debugger.
						 C:\Program Files\360\360safe\safemon\Adfilter.dll
			Symbol Type: EXPORT   - PDB not found
			Load Report: export symbols

	.text:65448F26 ; =============== S U B R O U T I N E =======================================
	.text:65448F26
	.text:65448F26 ; Attributes: library function
	.text:65448F26
	.text:65448F26 ; size_t __cdecl wcslen(const wchar_t *Str)
	.text:65448F26 _wcslen         proc near               ; CODE XREF: sub_654012C5+61p
	.text:65448F26                                         ; sub_65402AB1+D4p ...
	.text:65448F26
	.text:65448F26 Str             = dword ptr  4
	.text:65448F26
	.text:65448F26                 mov     ecx, [esp+Str]
	.text:65448F2A                 cmp     word ptr [ecx], 0
	.text:65448F2E                 lea     eax, [ecx+2]
	.text:65448F31                 jz      short loc_65448F3D
	.text:65448F33
	.text:65448F33 loc_65448F33:                           ; CODE XREF: _wcslen+15j
	.text:65448F33                 mov     dx, [eax]
	.text:65448F36                 inc     eax
	.text:65448F37                 inc     eax
	.text:65448F38                 test    dx, dx
	.text:65448F3B                 jnz     short loc_65448F33
	.text:65448F3D
	.text:65448F3D loc_65448F3D:                           ; CODE XREF: _wcslen+Bj
	.text:65448F3D                 sub     eax, ecx
	.text:65448F3F                 sar     eax, 1
	.text:65448F41                 dec     eax
	.text:65448F42                 retn
	.text:65448F42 _wcslen         endp

	#include <Windows.h>

	int _tmain(int argc, _TCHAR* argv[])
	{
		WCHAR* p = NULL;

		wcslen(p);

		return 0;
	}

Breakpoint 0 hit
eax=65461620 ebx=00175c90 ecx=00000001 edx=000000c0 esi=0211e260 edi=02b24bf8
eip=00d615e4 esp=0211e1b4 ebp=0211e1e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
IEFRAME!IEIsProtectedModeProcess+0x580b:
00d615e4 ff5018          call    dword ptr [eax+18h]  ds:0023:65461638=65405c64

 bp 65405cb9 "r eax;gc"

 .text:65405CA3                 mov     edi, [ebp+8]
.text:65405CA6                 mov     ecx, edi
.text:65405CA8                 call    sub_65405AA8
.text:65405CAD                 test    eax, eax
.text:65405CAF                 jz      short loc_65405C9C
.text:65405CB1                 mov     eax, [ebp+0Ch]
.text:65405CB4                 sub     eax, 0FAh
.text:65405CB9                 jz      loc_65405F75    ; eax=0x0,在这里跳转到错误处理流程
....
.text:65405F75 loc_65405F75:                           ; CODE XREF: .text:65405CB9j
.text:65405F75                 mov     eax, [ebp+8]
.text:65405F78                 push    dword ptr [eax+1Ch]
.text:65405F7B                 lea     edi, [eax+1Ch]
.text:65405F7E                 call    sub_654026F7
.text:65405F83                 push    dword ptr [edi]
.text:65405F85                 call    sub_65402612
.text:65405F8A                 mov     eax, [esi]
.text:65405F8C                 pop     ecx
.text:65405F8D                 pop     ecx
.text:65405F8E                 mov     eax, [eax+58h]
.text:65405F91                 push    ebx
.text:65405F92                 mov     [ebp+1Ch], eax
.text:65405F95                 mov     al, [ebp+0Bh]
.text:65405F98                 lea     ecx, [ebp-28h]
.text:65405F9B                 mov     [ebp-28h], al
.text:65405F9E                 call    ?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z ; std::basic_string<ushort,std::char_traits<ushort>,std::allocator<ushort>>::_Tidy(bool)
.text:65405FA3                 mov     eax, [ebp+1Ch]
.text:65405FA6                 mov     [ebp-4], ebx
.text:65405FA9                 test    byte ptr [eax+1], 40h
.text:65405FAD                 mov     eax, [eax+8]    ; 正常情况兄下[eax+8]保存有字符串的指针
.text:65405FB0                 jz      short loc_65405FC4
.text:65405FB2                 mov     eax, [eax]
.text:65405FB4                 push    eax             ; Str
.text:65405FB5                 mov     [ebp+1Ch], eax
.text:65405FB8                 call    _wcslen         ; 这里调用出错函数

breakpoint 9 redefined
eax=ffffff6f
eax=ffffff6f
eax=ffffff6f
eax=ffffff6f
eax=ffffff6f
eax=ffffff6f
eax=ffffff6f
eax=ffffff6c
eax=ffffff6f
eax=00000000
Breakpoint 8 hit
eax=00000000 ebx=00000000 ecx=0211e1a0 edx=000000c0 esi=0211e354 edi=02b24d08
eip=65405f75 esp=0211e178 ebp=0211e1ac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Adfilter!IsInWhiteList+0x7ef:
65405f75 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0211e1b4=02b24d08

bp 65405C64 "r ‘poi(ebp+0x0c)’;'gc'"
bp 65405C64 ".echo begin ######### ;dd poi(ebp+0c);.echo end ##############;gc"

bp 65405CA8 ".echo begin ######### ;dd poi(ebp+0c);.echo end ##############;gc"

bp 65405CA8 ".echo begin ######### ;dd poi(ebp+0c);.echo end ##############;gc"
begin #########
000000fa  ???????? ???????? ???????? ????????
0000010a  ???????? ???????? ???????? ????????
0000011a  ???????? ???????? ???????? ????????
0000012a  ???????? ???????? ???????? ????????
0000013a  ???????? ???????? ???????? ????????
0000014a  ???????? ???????? ???????? ????????
0000015a  ???????? ???????? ???????? ????????
0000016a  ???????? ???????? ???????? ????????

bp 65405CA6 ".echo begin ######### ;dd poi(ebp+0c);.echo end ##############;gc"
bp 65405C7B ".echo begin ######### ;dd poi(ebp+0c);.echo end ##############;gc"
bp 65405C64 ".echo begin ######### ;dd poi(ebp+0c);.echo end ##############;gc"
begin #########
0211e260  00000003 000000fa 00d61078 00000000
0211e270  e3540001 00000211 00000000 00000000
0211e280  d4af0000 021100d5 0211e430 00000000
0211e290  0211e368 00d5d454 001758d0 000000fa
0211e2a0  0211e354 0211e430 00000000 0000400c
0211e2b0  0000400b 0000400b 00000000 0211e430
0211e2c0  00000000 0000400c 00000000 0211e40c
0211e2d0  00000000 0000400c 00000000 0211e3ec
end ##############
Breakpoint 8 hit
eax=00000000 ebx=00000000 ecx=0211e1a0 edx=000000c0 esi=0211e354 edi=02b24d08
eip=65405f75 esp=0211e178 ebp=0211e1ac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
Adfilter!IsInWhiteList+0x7ef:
65405f75 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0211e1b4=02b24d08

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)