I don't know whether anyone else has run into this kind of problem: the vulnerability only triggers when the sample file is opened by double-clicking it; no other way of opening it triggers anything. For example, opening the program first and then opening the document through the File menu; or opening the program first and then dragging the document into it; or opening the document from the command line; none of these work, and once the program is loaded under a debugger it is even less likely to trigger.
winxp sp3 cn
office2003 sp3 cn
mso.dll 11.0.8172.0
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
Failed to get VadRoot
PROCESS 821b9830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 00b40000 ObjectTable: e1000c90 HandleCount: 262.
Image: System
Failed to get VadRoot
PROCESS 82000da0 SessionId: none Cid: 017c Peb: 7ffd9000 ParentCid: 0004
DirBase: 06b80020 ObjectTable: e13c1308 HandleCount: 19.
Image: smss.exe
Failed to get VadRoot
PROCESS 81e90da0 SessionId: 0 Cid: 062c Peb: 7ffde000 ParentCid: 02a4
DirBase: 06b802a0 ObjectTable: e1decca8 HandleCount: 107.
Image: alg.exe
Failed to get VadRoot
PROCESS 81dcb340 SessionId: 0 Cid: 0664 Peb: 7ffdc000 ParentCid: 0408
DirBase: 06b802c0 ObjectTable: e1d268b8 HandleCount: 39.
Image: wscntfy.exe
Failed to get VadRoot
PROCESS 82072648 SessionId: 0 Cid: 06f8 Peb: 7ffde000 ParentCid: 067c
DirBase: 06b802e0 ObjectTable: e1ac6cd0 HandleCount: 270.
Image: WINWORD.EXE
kd> .process 82072648
Implicit process is now 82072648
WARNING: .cache forcedecodeuser is not enabled
You may need commands such as reload and ld; handle that as you see fit.
Microsoft (R) Windows Debugger Version 10.0.17763.1 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\pipe\kd_winxp
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Thu Sep 5 11:33:08.840 2019 (UTC + 8:00)), ptr64 FALSE
Kernel Debugger connection established.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*H:\symbols\win10*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*H:\symbols\win10*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d8000 PsLoadedModuleList = 0x80554fc0
Debug session time: Thu Sep 5 10:42:01.218 2019 (UTC + 8:00)
System Uptime: 0 days 6:41:20.062
Break instruction exception - code 80000003 (first chance)
30ed442c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
kd> !teb
TEB at 7ffdd000
ExceptionList: 0012ffb0
StackBase: 00130000
StackLimit: 00119000
SubSystemTib: 00000000
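As an added example (not part of the original post), this is the kd> command sequence that the listing above calls for, typed one command at a time: locate the WINWORD.EXE process, switch into it invasively so that user-mode breakpoints and symbols work, and then observe how the document is opened. It assumes the EPROCESS address 82072648 from the output above and uses kernel32!CreateFileW as the observation point, which is my choice and not something the original post specifies.

```windbg
$$ List only the WINWORD.EXE process instead of the whole !process 0 0 dump.
$$ The EPROCESS address (82072648 here) changes on every boot; copy the one shown.
!process 0 0 WINWORD.EXE

$$ Invasive switch (/i): the debugger arranges to break in the next time this
$$ process is scheduled; /r reloads user symbols, /p resets the page directory.
.process /i /r /p 82072648

$$ Resume. The target breaks again as soon as WINWORD.EXE is the current process.
g

$$ Load user-mode symbols for the new context (this is the "reload" the post hints at).
$$ If the "forcedecodeuser is not enabled" warning appears, .cache forcedecodeuser
$$ makes user-mode memory readable without the invasive switch.
.reload /user

$$ Sanity checks: the TEB must belong to WINWORD.EXE and mso.dll (11.0.8172.0)
$$ must resolve in this context before any breakpoint inside it is worth setting.
!teb
lm m mso

$$ Process-scoped breakpoint (/p) so other processes opening files do not stop
$$ the machine. Comparing the hits from a double-click open against a File-menu
$$ or command-line open shows where the three code paths diverge.
bp /p 82072648 kernel32!CreateFileW
g
```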