[Original] Running LordPE on win10 (or rather, avoiding the crash on win10)
Posted: 2018-12-13 22:14  7704

I have always used LordPE as my PE file analyzer; I am used to it. Recently I upgraded my system to win10 and found that LordPE no longer works: it crashes. Debugging later showed that it is a bug in LordPeFix.dll: it patches Procs.dll, enlarging the stack-buffer length argument before one call in GetNumberOfProcesses, but the buffer itself was not enlarged to match, so the call overwrote the return address and the crash occurred. Here is a brief write-up of the debugging process.

.text:20001291 8D 8C 24 30 01 00 00                    lea     ecx, [esp+220h+var_F0]
.text:20001298 50                                      push    eax
.text:20001299 68 F0 00 00 00                          push    0F0h
.text:2000129E 51                                      push    ecx
.text:2000129F FF 15 EC 24 00 20                       call    dword_200024EC

Attach windbg to LordPE_hh.exe; after F5 it crashes, and eip is a strange pointer:
(10c04.571c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000e2 ebx=00000000 ecx=76bfb79e edx=00540000 esi=75806c40 edi=0019f798
eip=000022e0 esp=0019f754 ebp=ffffffff iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
000022e0 ??              ???

The k command can no longer show the call stack:
0:000> k
 # ChildEBP RetAddr  
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0019f750 00000000 0x22e0

So, dds esp l 100, looked over the stack and found the nearest return into the LordPE main module:
0019fa14  004058b4 LordPE_hh+0x58b4
Then ub 004058b4
LordPE_hh+0x5899:
00405899 a324e54100      mov     dword ptr [LordPE_hh+0x1e524 (0041e524)],eax
0040589e 50              push    eax
0040589f 6a01            push    1
004058a1 6803100000      push    1003h
004058a6 8b0d48e64100    mov     ecx,dword ptr [LordPE_hh+0x1e648 (0041e648)]
004058ac 51              push    ecx
004058ad ffd3            call    ebx
004058af e85c060000      call    LordPE_hh+0x5f10 (00405f10)

Reload the program and set a breakpoint on the call just before 004058b4: bu 004058af, then F5 to run:
Breakpoint 0 hit
eax=00000000 ebx=75806c40 ecx=00345000 edx=00000000 esi=002121f0 edi=6de812f0
eip=004058af esp=0019fa18 ebp=0019fa94 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
LordPE_hh+0x58af:
004058af e85c060000      call    LordPE_hh+0x5f10 (00405f10)

F10 (step over the call) and, sure enough, it crashes again:
(10c04.571c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000e2 ebx=00000000 ecx=76bfb79e edx=00540000 esi=75806c40 edi=0019f798
eip=000022e0 esp=0019f754 ebp=ffffffff iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
000022e0 ??              ???

Then reload, F11 into the call and keep debugging; the crash turns out to be inside this call:
LordPE_hh+0x5f94:
00405f94 e8fb220100      call    LordPE_hh+0x18294 (00418294)
00405f99 8bf8            mov     edi,eax

Reload the process, F11 into it, and we end up in another DLL's address space: procs!GetNumberOfProcesses
eax=00000000 ebx=00000000 ecx=00000000 edx=00000001 esi=75806c40 edi=0019f798
eip=00418294 esp=0019f750 ebp=ffffffff iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
LordPE_hh+0x18294:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for E:\Tools\LPE-DLX\procs.dll - 
00418294 ff25fc924100    jmp     dword ptr [LordPE_hh+0x192fc (004192fc)] ds:002b:004192fc={procs!GetNumberOfProcesses (20001200)}

0:000> dd esp l 1
0019f750  00405f99
Note that the return address is 00405f99; set a write breakpoint on 0019f750, F5, and see who is corrupting the stack:
eax=000022e0 ebx=0019f560 ecx=0000007c edx=0002aed0 esi=0048db28 edi=00000100
eip=76bfb764 esp=0019f3e0 ebp=0019f41c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
KERNELBASE!K32EnumProcesses+0x74:
76bfb764 8b5de0          mov     ebx,dword ptr [ebp-20h] ss:002b:0019f3fc=00450000

It breaks; the K command shows the call stack:
 # ChildEBP RetAddr  
00 0019f41c 200012a5 KERNELBASE!K32EnumProcesses+0x74
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0019f430 6de3a061 procs!GetNumberOfProcesses+0xa5

So it is K32EnumProcesses that corrupted it. Now the question: who called it? Look at the disassembly at the return address:
ub 200012a5
procs!GetNumberOfProcesses+0x86:
20001286 81c41c030000    add     esp,31Ch
2000128c c3              ret
2000128d 8d442404        lea     eax,[esp+4]
20001291 8d8c2430010000  lea     ecx,[esp+130h]
20001298 50              push    eax
20001299 6800040000      push    400h
2000129e 51              push    ecx
2000129f ff15ec240020    call    dword ptr [procs!GetModuleHandleEx+0x48c (200024ec)]


Last edited by NoneName on 2018-12-14 21:00, reason: filled in omissions
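The defect described in the post, as an added illustration in C that is not part of the original post or of LordPE, LordPeFix.dll or Procs.dll: the on-disk listing pushes 0F0h as the byte-count argument, the patched code in memory pushes 400h, and the stack buffer behind `lea ecx,[esp+130h]` stays the same size. K32EnumProcesses is replaced here by a constructed stand-in (`fake_enum_processes`, with 200 constructed processes); `overflow_bytes` computes analytically how far such a call would write past the buffer, and `enum_all_pids` shows the retry-and-grow idiom a caller should use instead. All function and constant names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/*
 * Constructed stand-in for KERNELBASE!K32EnumProcesses (not the real API):
 * it writes one 32-bit PID per process into `pids`, never more than `cb`
 * bytes, and reports the byte count actually written in `returned`.
 * Like the real API it trusts `cb`; it cannot know how large `pids` really is.
 */
#define FAKE_PROCESS_COUNT 200u   /* constructed: 200 processes = 800 bytes of PIDs */

static int fake_enum_processes(uint32_t *pids, uint32_t cb, uint32_t *returned)
{
    uint32_t slots = cb / (uint32_t)sizeof(uint32_t);
    uint32_t n = FAKE_PROCESS_COUNT < slots ? FAKE_PROCESS_COUNT : slots;
    for (uint32_t i = 0; i < n; i++)
        pids[i] = 4u * (i + 1);          /* constructed PIDs: 4, 8, 12, ... */
    *returned = n * (uint32_t)sizeof(uint32_t);
    return 1;
}

/*
 * The defect in one arithmetic check: the caller owns a stack buffer of
 * `buffer_size` bytes but tells the callee it may write `cb_arg` bytes.
 * Returns how many bytes the callee would write past the end of the buffer
 * (0 means the call is memory-safe).  Computed analytically, so this
 * demonstration never performs the out-of-bounds write itself.
 */
static uint32_t overflow_bytes(uint32_t buffer_size, uint32_t cb_arg)
{
    uint32_t slots = cb_arg / (uint32_t)sizeof(uint32_t);
    uint32_t n = FAKE_PROCESS_COUNT < slots ? FAKE_PROCESS_COUNT : slots;
    uint32_t written = n * (uint32_t)sizeof(uint32_t);
    return written > buffer_size ? written - buffer_size : 0;
}

/*
 * Hardened caller: the size argument is derived from the allocation, and
 * the buffer grows until the callee reports fewer bytes than offered (the
 * standard EnumProcesses idiom).  Returns the PID count, 0 on failure; the
 * caller frees *out.
 */
static size_t enum_all_pids(uint32_t **out)
{
    uint32_t cb = 64u * (uint32_t)sizeof(uint32_t);   /* small start, to exercise the retry */
    for (;;) {
        uint32_t *buf = malloc(cb);
        uint32_t returned = 0;
        if (buf == NULL || !fake_enum_processes(buf, cb, &returned)) {
            free(buf);
            return 0;
        }
        if (returned < cb) {              /* everything fit; `returned` is authoritative */
            *out = buf;
            return returned / sizeof(uint32_t);
        }
        free(buf);                        /* buffer may have been too small: double and retry */
        cb *= 2u;
    }
}

/* Convenience wrapper: enumerate, free, return only the count. */
static size_t count_all_pids(void)
{
    uint32_t *pids = NULL;
    size_t n = enum_all_pids(&pids);
    free(pids);
    return n;
}

int main(void)
{
    /* Frame from the post: 0xF0-byte buffer, size argument patched from 0xF0 to 0x400 */
    printf("cb=0xF0  -> %u bytes past the buffer\n", overflow_bytes(0xF0u, 0xF0u));
    printf("cb=0x400 -> %u bytes past the buffer\n", overflow_bytes(0xF0u, 0x400u));
    printf("hardened caller enumerated %zu PIDs\n", count_all_pids());
    return 0;
}
```

With the original 0xF0 the call is bounded (it merely truncates the list, which is a separate correctness issue); with 0x400 and 200 processes the callee writes 560 bytes beyond the buffer, which is how a return address further up the frame gets replaced. The grow-and-retry loop removes the mismatch entirely because the size argument and the allocation are the same value.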
Latest replies (3)
#2 (2018-12-14 07:33)
Help: with DebugView running I can't open VS2017. Can the OP solve that one too?
#3 (2018-12-14 08:20)
Why has my LordPE never crashed on win10? It's even a bit nicer to use??
#4 (2018-12-14 10:27)
It seems someone has analyzed this bug before.