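[Original] Solving the problem of debugging document-vulnerability samples that can only be triggered by a mouse double-click
Posted on: 2019-9-5 13:06 5322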


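I wonder whether anyone else has run into this problem: the vulnerability can only be triggered by double-clicking the sample file to open it, and no other method triggers it. For example, starting the program first and then opening the file from the File menu; or starting the program first and then dragging the document into it; or opening the document from the command line: none of these work, and it is even less likely to work once the program has been loaded in a debugger.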

winxp sp3 cn

office2003 sp3 cn

mso.dll 11.0.8172.0


kd> !process 0 0

**** NT ACTIVE PROCESS DUMP ****

Failed to get VadRoot

PROCESS 821b9830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000

    DirBase: 00b40000  ObjectTable: e1000c90  HandleCount: 262.

    Image: System

Failed to get VadRoot

PROCESS 82000da0  SessionId: none  Cid: 017c    Peb: 7ffd9000  ParentCid: 0004

    DirBase: 06b80020  ObjectTable: e13c1308  HandleCount:  19.

Image: smss.exe

Failed to get VadRoot

PROCESS 81e90da0  SessionId: 0  Cid: 062c    Peb: 7ffde000  ParentCid: 02a4

    DirBase: 06b802a0  ObjectTable: e1decca8  HandleCount: 107.

    Image: alg.exe

Failed to get VadRoot

PROCESS 81dcb340  SessionId: 0  Cid: 0664    Peb: 7ffdc000  ParentCid: 0408

    DirBase: 06b802c0  ObjectTable: e1d268b8  HandleCount:  39.

    Image: wscntfy.exe

Failed to get VadRoot

PROCESS 82072648  SessionId: 0  Cid: 06f8    Peb: 7ffde000  ParentCid: 067c

    DirBase: 06b802e0  ObjectTable: e1ac6cd0  HandleCount: 270.

    Image: WINWORD.EXE

kd> .process 82072648 

Implicit process is now 82072648

WARNING: .cache forcedecodeuser is not enabled

You may need commands such as reload or ld; use your own judgment.

Microsoft (R) Windows Debugger Version 10.0.17763.1 X86

Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\kd_winxp

Waiting to reconnect...

Connected to Windows XP 2600 x86 compatible target at (Thu Sep  5 11:33:08.840 2019 (UTC + 8:00)), ptr64 FALSE

Kernel Debugger connection established.

************* Path validation summary **************

Response                         Time (ms)     Location

Deferred                                       srv*H:\symbols\win10*http://msdl.microsoft.com/download/symbols

Symbol search path is: srv*H:\symbols\win10*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 2600.xpsp.080413-2111

Machine Name:

Kernel base = 0x804d8000 PsLoadedModuleList = 0x80554fc0

Debug session time: Thu Sep  5 10:42:01.218 2019 (UTC + 8:00)

System Uptime: 0 days 6:41:20.062

Break instruction exception - code 80000003 (first chance)

30ed442c f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

kd> !teb

TEB at 7ffdd000

    ExceptionList:        0012ffb0

    StackBase:            00130000

    StackLimit:           00119000

    SubSystemTib:         00000000
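
The lookup the post does by eye (find WINWORD.EXE in the `!process 0 0` listing, pass its address to `.process`) can be scripted; this is an added example, not part of the original post. The sample listing is constructed, the function names are hypothetical, and the script emits `.process /r /p` (documented WinDbg options that translate the process's page tables and reload user symbols) where the post used plain `.process`. It also reports each instance's parent image, so the instance started from Explorer by a double-click can be told apart from one started another way.

```python
import re

# Constructed sample in the layout of the `!process 0 0` listing above;
# every address and ID here is made up for the example.
SAMPLE = """\
**** NT ACTIVE PROCESS DUMP ****
Failed to get VadRoot
PROCESS 81f00000  SessionId: 0  Cid: 0500    Peb: 7ffdf000  ParentCid: 04e0

    DirBase: 06b80100  ObjectTable: e1a00000  HandleCount: 400.
    Image: explorer.exe
Failed to get VadRoot
PROCESS 81e80000  SessionId: 0  Cid: 0600    Peb: 7ffdd000  ParentCid: 0500
    DirBase: 06b80180  ObjectTable: e1a80000  HandleCount:  30.
    Image: cmd.exe
PROCESS 81e00000  SessionId: 0  Cid: 0700    Peb: 7ffde000  ParentCid: 0500
    DirBase: 06b80200  ObjectTable: e1b00000  HandleCount: 270.
    Image: WINWORD.EXE
PROCESS 81d00000  SessionId: 0  Cid: 0740    Peb: 7ffdc000  ParentCid: 0600
    DirBase: 06b80280  ObjectTable: e1c00000  HandleCount: 250.
Image: WINWORD.EXE
"""

# One record; blank lines and "Failed to get VadRoot" noise are tolerated, and
# the lookahead stops a damaged record from swallowing the next PROCESS line.
RECORD = re.compile(
    r"PROCESS\s+(?P<eprocess>[0-9a-fA-F]+)\s+SessionId:\s*\S+\s+"
    r"Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*[0-9a-fA-F]+\s+"
    r"ParentCid:\s*(?P<parent_cid>[0-9a-fA-F]+)"
    r"(?:(?!PROCESS\s)[\s\S])*?Image:\s*(?P<image>[^\r\n]+)")

def parse_process_list(text):
    """Return one dict (eprocess, cid, parent_cid, image) per PROCESS record."""
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in RECORD.finditer(text)]

def parent_image(procs, proc):
    """Image whose Cid equals proc's ParentCid, or None if it is not listed."""
    want = int(proc["parent_cid"], 16)
    return next((p["image"] for p in procs if int(p["cid"], 16) == want), None)

def context_commands(procs, image="WINWORD.EXE"):
    """(kd command, parent image) for every running instance of `image`."""
    return [(".process /r /p " + p["eprocess"], parent_image(procs, p))
            for p in procs if p["image"].lower() == image.lower()]

if __name__ == "__main__":
    for cmd, parent in context_commands(parse_process_list(SAMPLE)):
        print(cmd, "  (started by", parent, ")")
```

ParentCid is only a recorded process ID: if the parent has exited and its ID has been reused, the reported parent image can be wrong, so confirm it against the process creation time when it matters.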


Latest replies (1)
Thanks for sharing!
2019-9-5 13:37