I have always used LordPE as my PE file analyzer and am used to it. Recently I upgraded the system to Windows 10 and found that LordPE no longer works: it crashes. Debugging later showed that it is a bug in LordPeFix.dll: it patches Procs.dll, enlarging the stack-buffer length parameter before one call in GetNumberOfProcesses, but the buffer itself is not enlarged accordingly, so the call overwrites the return address and the program crashes. Here is a brief write-up of the debugging process.
.text:20001291 8D 8C 24 30 01 00 00 lea ecx, [esp+220h+var_F0]
.text:20001298 50 push eax
.text:20001299 68 F0 00 00 00 push 0F0h
.text:2000129E 51 push ecx
.text:2000129F FF 15 EC 24 00 20 call dword_200024EC
Attach WinDbg to LordPE_hh.exe; after F5 it crashes, and eip is a strange pointer:
(10c04.571c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000e2 ebx=00000000 ecx=76bfb79e edx=00540000 esi=75806c40 edi=0019f798
eip=000022e0 esp=0019f754 ebp=ffffffff iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
000022e0 ?? ???
The k command can no longer show the call stack:
0:000> k
# ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 0019f750 00000000 0x22e0
So I ran dds esp l 100 to look at the stack and found the nearest frame belonging to the LordPE main module:
0019fa14 004058b4 LordPE_hh+0x58b4
So: ub 004058b4
LordPE_hh+0x5899:
00405899 a324e54100 mov dword ptr [LordPE_hh+0x1e524 (0041e524)],eax
0040589e 50 push eax
0040589f 6a01 push 1
004058a1 6803100000 push 1003h
004058a6 8b0d48e64100 mov ecx,dword ptr [LordPE_hh+0x1e648 (0041e648)]
004058ac 51 push ecx
004058ad ffd3 call ebx
004058af e85c060000 call LordPE_hh+0x5f10 (00405f10)
Reload the program and set a breakpoint on the call just before 004058b4: bu 004058af, then F5:
Breakpoint 0 hit
eax=00000000 ebx=75806c40 ecx=00345000 edx=00000000 esi=002121f0 edi=6de812f0
eip=004058af esp=0019fa18 ebp=0019fa94 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
LordPE_hh+0x58af:
004058af e85c060000 call LordPE_hh+0x5f10 (00405f10)
F10 (step over the call), and sure enough it crashes again:
(10c04.571c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000000e2 ebx=00000000 ecx=76bfb79e edx=00540000 esi=75806c40 edi=0019f798
eip=000022e0 esp=0019f754 ebp=ffffffff iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
000022e0 ?? ???
Then reload, F11 into the call and keep debugging; the crash turns out to be inside this call:
LordPE_hh+0x5f94:
00405f94 e8fb220100 call LordPE_hh+0x18294 (00418294)
00405f99 8bf8 mov edi,eax
Reload the process and F11 into it; we land in another DLL's address space: procs!GetNumberOfProcesses
eax=00000000 ebx=00000000 ecx=00000000 edx=00000001 esi=75806c40 edi=0019f798
eip=00418294 esp=0019f750 ebp=ffffffff iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
LordPE_hh+0x18294:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for E:\Tools\LPE-DLX\procs.dll -
00418294 ff25fc924100 jmp dword ptr [LordPE_hh+0x192fc (004192fc)] ds:002b:004192fc={procs!GetNumberOfProcesses (20001200)}
0:000> dd esp l 1
0019f750 00405f99
Note that the return address is 00405f99; set a write breakpoint at 0019f750 and F5 to see who corrupts the stack:
eax=000022e0 ebx=0019f560 ecx=0000007c edx=0002aed0 esi=0048db28 edi=00000100
eip=76bfb764 esp=0019f3e0 ebp=0019f41c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
KERNELBASE!K32EnumProcesses+0x74:
76bfb764 8b5de0 mov ebx,dword ptr [ebp-20h] ss:002b:0019f3fc=00450000
It breaks; the k command shows the call stack:
# ChildEBP RetAddr
00 0019f41c 200012a5 KERNELBASE!K32EnumProcesses+0x74
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0019f430 6de3a061 procs!GetNumberOfProcesses+0xa5
So it is K32EnumProcesses that corrupts the stack. Now the question is: who called it? Look at the assembly at the return address:
ub 200012a5
procs!GetNumberOfProcesses+0x86:
20001286 81c41c030000 add esp,31Ch
2000128c c3 ret
2000128d 8d442404 lea eax,[esp+4]
20001291 8d8c2430010000 lea ecx,[esp+130h]
20001298 50 push eax
20001299 6800040000 push 400h
2000129e 51 push ecx
2000129f ff15ec240020 call dword ptr [procs!GetModuleHandleEx+0x48c (200024ec)]
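The two listings of the same call site tell the story: the on-disk IDA listing at the top passes 0F0h as the buffer length, while the in-memory ub output passes 400h for the same stack buffer. The following C model is an added example, not code from LordPE, LordPeFix.dll or Procs.dll: it reproduces the EnumProcesses contract with a constructed PID table, shows the return-address slot being clobbered once cb exceeds the buffer, and shows the size-and-retry pattern a caller should use instead. The 0x1EC distance between the buffer and the return-address slot is an assumption for the model (the gap between [esp+130h] and the add esp,31Ch epilogue), not a fact taken from the page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint32_t DWORD;
/* Constructed stand-in for the system process table. Windows 10 runs far more
 * than 0xF0/4 = 60 processes, which is why the enlarged cb ever mattered. */
#define FAKE_PID_COUNT 200
static DWORD fake_pid(DWORD i) { return 4 + i * 8; }
/* Mimics K32EnumProcesses: copies at most cb bytes of PIDs into pids and
 * reports the bytes written. Like the real API it trusts cb blindly. */
static int fake_enum_processes(DWORD *pids, DWORD cb, DWORD *cb_needed) {
    DWORD avail = FAKE_PID_COUNT * sizeof(DWORD), n = cb < avail ? cb : avail;
    for (DWORD i = 0; i < n / sizeof(DWORD); i++) pids[i] = fake_pid(i);
    *cb_needed = n;
    return 1;
}
/* Model of the GetNumberOfProcesses stack frame. Assumption (not from the
 * page): the return-address slot lies 0x1EC bytes above the 0xF0-byte buffer
 * at [esp+130h]; spill[] keeps the model's own memory safe when cb is too big. */
#define BUF_TO_RET 0x1EC
struct frame { DWORD below_ret[BUF_TO_RET / 4]; DWORD ret; DWORD spill[0x200]; };
/* Returns what the return-address slot holds after the call with the given cb.
 * 0xF0 (original) leaves 0x00405f99 intact; 0x400 (after the patch) replaces
 * it with a PID, consistent with WinDbg landing at eip=000022e0. */
static DWORD ret_after_call(DWORD cb) {
    struct frame f; DWORD needed;
    memset(&f, 0, sizeof f);
    f.ret = 0x00405f99;
    fake_enum_processes((DWORD *)&f, cb, &needed);  /* buffer starts at frame base */
    return f.ret;
}
/* Hardened caller: cb always equals the real buffer size, and when the API
 * fills it completely (cbNeeded == cb) the list may be truncated, so grow and
 * retry instead of guessing a bigger constant. */
static DWORD get_number_of_processes(void) {
    DWORD cap = 0xF0, needed = 0, *buf = NULL;
    for (;;) {
        DWORD *tmp = realloc(buf, cap);
        if (!tmp) { free(buf); return 0; }
        buf = tmp;
        if (!fake_enum_processes(buf, cap, &needed)) { free(buf); return 0; }
        if (needed < cap) break;  /* spare room: enumeration is complete */
        cap *= 2;
    }
    free(buf);
    return needed / sizeof(DWORD);
}
```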
Last edited by NoneName on 2018-12-14 21:00, reason: filling in gaps