-
-
[原创]Windbg和IDA脚本辅助分析
-
发表于:
2016-4-23 23:00
7912
-
本文尝试解决另个问题:内核漏洞快速定位漏洞触发点 && Windbg执行流在IDA中高亮标示
内核漏洞快速定位漏洞触发点:
拿到一个内核漏洞的POC,首先我们需要定位触发漏洞,提权的地方。直接看反汇编代码往往不容易看出来
内核漏洞常见的目标是提权,一般会替换本进程的token为System的token,这种办法简单粗暴,成功率极高,所以往往为各黑客所爱。
既然要提权token,那么必须要对token所在的地址有写入操作,本文的思路就是对token所在地址下写入断点,一但触发,便是来到替换token,也就是提权的地方,再栈回溯,就能找到触发漏洞的函数了。下面我们来演示一下,我写了个windbg脚本:
$$注意一:凡是寄存器操作需加上r
$$注意二:打印字符串用%ma
$$此脚本用到了一个硬编码token偏移 0xf8,请根据你的实际系统修正它。
r @$t0=@$proc;
r @$t1=@$proc;
.while(1)
{
.if ((poi(@$t1+0xb8)-0xb8) != @$t0 )
{
$$比较是否为test进程
.if ( poi(@$t1+0x16c)==0x74736574 )
{
.printf "进程名:%ma\t",@$t1+0x16c;
.printf "进程EPROCESS:%x\t",@$t1;
.printf "进程TOKEN:%x\n",poi(@$t1+0xf8);
.printf "请输入:\n";
.printf "ba w1 %x+f8 \".if (wo(%x+f8+2)!=0x%x){} .else{gc;}\"",@$t1,@$t1,wo(@$t1+0xf8+2);
}
r @$t1=poi(@$t1+0xb8)-0xb8;
}
.else
{
.break;
}
}
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
99a80a24 96d094f3 fffffffb 000001ed 0192fac4 test+0x186d
99a80a64 96d095c5 fffffffb 000001ed 0192fac4 win32k!xxxSendMessageTimeout+0x1ac
99a80a8c 96d892fb fffffffb 000001ed 0192fac4 win32k!xxxSendMessage+0x28
99a80aec 96d88c1f 99a80b0c 00000000 0192fac4 win32k!xxxHandleMenuMessages+0x582
99a80b38 96d8f8f1 ffb89bb0 96e6f580 00000000 win32k!xxxMNLoop+0x2c6
99a80ba0 96d8f9dc 0000001c 00000000 ffffd8f0 win32k!xxxTrackPopupMenuEx+0x5cd
99a80c14 83e501ea 0009017d 00000000 ffffd8f0 win32k!NtUserTrackPopupMenuEx+0xc3
99a80c14 772570b4 0009017d 00000000 ffffd8f0 nt!KiFastCallEntry+0x12a
0192fad8 76b6483e 76b52243 0009017d 00000000 ntdll!KiFastSystemCallRet
0192fadc 76b52243 0009017d 00000000 ffffd8f0 USER32!NtUserTrackPopupMenuEx+0xc
0192fafc 013c1604 0009017d 00000000 ffffd8f0 USER32!TrackPopupMenu+0x1b
0192fb8c 75d93c45 00000000 0192fbd8 772737f5 test+0x1604
0192fb98 772737f5 00000000 76bae6a7 00000000 kernel32!BaseThreadInitThunk+0xe
0192fbd8 772737c8 013c1526 00000000 00000000 ntdll!__RtlUserThreadStart+0x70
0192fbf0 00000000 013c1526 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)