
未解决 [讨论]腾讯iOA的注入崩溃讨论


最近我的电脑启动不了,在卸载完腾讯iOA后问题得到解决。
于是大致分析了一下该问题:腾讯电脑管家已经无了,然后换皮搞了个腾讯iOA。但看起来现在iOA的开发,跟之前的电脑管家的开发,已经完全不在一个水平了。一个很小的注入模块,就能看到一些常识性的错误。
发帖的目的一是吐槽,另外也希望能被iOA的开发团队看到,对其产品进行改进。

我这边安装的是 107 版本的 iOA(调试输出中的安装路径为 iOAEnt\107.5.18939.62005)。它会注入 services.exe、svchost.exe、explorer.exe 进程。
其对 explorer.exe 的注入,会使用 APC 的方式注入 QMIpcMT64.dll、QMInjAttmonx64.dll,使用线程注入的方式注入 InjUmon64.dll。
其 APC 注入,采用的是直接把用户态 APC 投递到 KERNEL32!LoadLibraryW(实际落到的是 kernel32 导出的 LoadLibraryWStub,再转发到 KERNELBASE!LoadLibraryW),APC 的参数就是要加载的 DLL 完整路径。

一般情况下这样也没有问题:进程初始化完成后 LdrpInitialize 会调用 ZwTestAlert,排队的用户态 APC 在这时才被派发,此时 kernel32 早已映射并初始化完成。下面是正常情况的调试输出(在 ntdll!KiUserApcDispatch 下断后单步跟进,经 KiUserCallForwarder 的 CFG 检查后跳到 KERNEL32!LoadLibraryWStub,再进入 KERNELBASE!LoadLibraryW,此时 rcx 就是要加载的 DLL 路径):

Breakpoint 0 hit
ntdll!KiUserApcDispatch:
00007ffe`96610a40 488b4c2418      mov     rcx,qword ptr [rsp+18h] ss:00000000`010bf438={KERNEL32!LoadLibraryWStub (00007ffe`9623fee0)}
0:000> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`010bf420 00007ffe`96610534 : 00007ffe`965e4f9d 00000000`00000000 00000000`011d5d20 00000000`00000000 : ntdll!KiUserApcDispatch (TrapFrame @ 00000000`010bf7c8)
00000000`010bf958 00007ffe`965e4f9d : 00000000`00000000 00000000`011d5d20 00000000`00000000 00000000`00000001 : ntdll!ZwTestAlert+0x14
00000000`010bf960 00007ffe`965e4b63 : 00000000`00000000 00007ffe`96570000 00000000`00000000 00000000`00e4d000 : ntdll!LdrpInitialize+0x421
00000000`010bfa00 00007ffe`965e4b0e : 00000000`010bfa80 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitialize+0x3b
00000000`010bfa30 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=00007ffe96610a40
rdx=0000000000000000 rsi=0000000000000001 rdi=0000000000000000
rip=00007ffe96610a40 rsp=00000000010bf420 rbp=0000000000000000
 r8=00000000010bf420  r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000e4c050 r13=00000000010bfa80
r14=0000000000002000 r15=0000000000e4d000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!KiUserApcDispatch:
00007ffe`96610a40 488b4c2418      mov     rcx,qword ptr [rsp+18h] ss:00000000`010bf438={KERNEL32!LoadLibraryWStub (00007ffe`9623fee0)}
0:000> t
Breakpoint 0 hit
ntdll!KiUserApcDispatch:
00007ffe`96610a40 488b4c2418      mov     rcx,qword ptr [rsp+18h] ss:00000000`010bf438={KERNEL32!LoadLibraryWStub (00007ffe`9623fee0)}
0:000> t
ntdll!KiUserApcDispatcher+0x5:
00007ffe`96610a45 488bc1          mov     rax,rcx
0:000> t
ntdll!KiUserApcDispatcher+0x8:
00007ffe`96610a48 4c8bcc          mov     r9,rsp
0:000> t
ntdll!KiUserApcDispatcher+0xb:
00007ffe`96610a4b 48c1f902        sar     rcx,2
0:000> t
ntdll!KiUserApcDispatcher+0xf:
00007ffe`96610a4f 488b542408      mov     rdx,qword ptr [rsp+8] ss:00000000`010bf428=0000000000000001
0:000> t
ntdll!KiUserApcDispatcher+0x14:
00007ffe`96610a54 48f7d9          neg     rcx
0:000> t
ntdll!KiUserApcDispatcher+0x17:
00007ffe`96610a57 4c8b442410      mov     r8,qword ptr [rsp+10h] ss:00000000`010bf430=0000000000000000
0:000> t
ntdll!KiUserApcDispatcher+0x1c:
00007ffe`96610a5c 480fa4c920      shld    rcx,rcx,20h
0:000> t
ntdll!KiUserApcDispatcher+0x21:
00007ffe`96610a61 85c9            test    ecx,ecx
0:000> t
ntdll!KiUserApcDispatcher+0x23:
00007ffe`96610a63 7438            je      ntdll!KiUserApcDispatcher+0x5d (00007ffe`96610a9d) [br=0]
0:000> t
ntdll!KiUserApcDispatcher+0x25:
00007ffe`96610a65 488b0c24        mov     rcx,qword ptr [rsp] ss:00000000`010bf420=00000000010c0044
0:000> t
ntdll!KiUserApcDispatcher+0x29:
00007ffe`96610a69 e882ffffff      call    ntdll!KiUserCallForwarder (00007ffe`966109f0)
0:000> t
ntdll!KiUserCallForwarder:
00007ffe`966109f0 4883ec48        sub     rsp,48h
0:000> p
ntdll!KiUserCallForwarder+0x4:
00007ffe`966109f4 48894c2420      mov     qword ptr [rsp+20h],rcx ss:00000000`010bf3f0=0000000000000000
0:000> p
ntdll!KiUserCallForwarder+0x9:
00007ffe`966109f9 4889542428      mov     qword ptr [rsp+28h],rdx ss:00000000`010bf3f8=00000000010bf404
0:000> p
ntdll!KiUserCallForwarder+0xe:
00007ffe`966109fe 4c89442430      mov     qword ptr [rsp+30h],r8 ss:00000000`010bf400=00000004010f0000
0:000> p
ntdll!KiUserCallForwarder+0x13:
00007ffe`96610a03 4c894c2438      mov     qword ptr [rsp+38h],r9 ss:00000000`010bf408={ntdll!`string' (00007ffe`966948f0)}
0:000> p
ntdll!KiUserCallForwarder+0x18:
00007ffe`96610a08 488bc8          mov     rcx,rax
0:000> p
ntdll!KiUserCallForwarder+0x1b:
00007ffe`96610a0b 488b05cee70d00  mov     rax,qword ptr [ntdll!_guard_check_icall_fptr (00007ffe`966ef1e0)] ds:00007ffe`966ef1e0={ntdll!LdrpValidateUserCallTarget (00007ffe`965fc580)}
0:000> p
ntdll!KiUserCallForwarder+0x22:
00007ffe`96610a12 ffd0            call    rax {ntdll!LdrpValidateUserCallTarget (00007ffe`965fc580)}
0:000> p
ntdll!KiUserCallForwarder+0x24:
00007ffe`96610a14 488bc1          mov     rax,rcx
0:000> p
ntdll!KiUserCallForwarder+0x27:
00007ffe`96610a17 488b4c2420      mov     rcx,qword ptr [rsp+20h] ss:00000000`010bf3f0=00000000010c0044
0:000> p
ntdll!KiUserCallForwarder+0x2c:
00007ffe`96610a1c 488b542428      mov     rdx,qword ptr [rsp+28h] ss:00000000`010bf3f8=0000000000000001
0:000> p
ntdll!KiUserCallForwarder+0x31:
00007ffe`96610a21 4c8b442430      mov     r8,qword ptr [rsp+30h] ss:00000000`010bf400=0000000000000000
0:000> p
ntdll!KiUserCallForwarder+0x36:
00007ffe`96610a26 4c8b4c2438      mov     r9,qword ptr [rsp+38h] ss:00000000`010bf408=00000000010bf420
0:000> p
ntdll!KiUserCallForwarder+0x3b:
00007ffe`96610a2b 4883c448        add     rsp,48h
0:000> p
ntdll!KiUserCallForwarder+0x3f:
00007ffe`96610a2f 48ffe0          jmp     rax {KERNEL32!LoadLibraryWStub (00007ffe`9623fee0)}
0:000> t
KERNEL32!LoadLibraryWStub:
00007ffe`9623fee0 48ff2589160600  jmp     qword ptr [KERNEL32!_imp_LoadLibraryW (00007ffe`962a1570)] ds:00007ffe`962a1570={KERNELBASE!LoadLibraryW (00007ffe`93e99bc0)}
0:000> t
KERNELBASE!LoadLibraryW:
00007ffe`93e99bc0 4533c0          xor     r8d,r8d
0:000> r rcx
rcx=00000000010c0044
0:000> dU 00000000010c0044
00000000`010c0044  "C:\Program Files (x86)\iOAEnt\10"
00000000`010c0084  "7.5.18939.62005\qmipcmt64.dll"
0:000> !address 00000000010c0044

但是这个 APC 的执行依赖 kernel32 已经映射完成,而投递的时机又非常早。从下面的栈回溯可以看到,目标线程还在 LdrpInitializeProcess 里通过 LdrLoadDll 映射依赖 DLL(ZwMapViewOfSection)时,APC 就被提前派发了,此时 kernel32 还没有初始化完,控制流直接跳到了一个未映射的地址,进程当场崩溃,见下面的调试输出:

0:000> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000000`00d2de78 00007ffc`982b0a6e : 00000000`00d40044 00000000`00000001 00000000`00000000 00007ffc`96fefee0 : 0xad9e8
00000000`00d2de80 00007ffc`982ad244 : 00007ffc`98224d42 00000000`011c35d0 00000000`011c34c0 00000000`011c34c0 : ntdll!KiUserApcDispatcher+0x2e (TrapFrame @ 00000000`00d2e228)
00000000`00d2e3b8 00007ffc`98224d42 : 00000000`011c35d0 00000000`011c34c0 00000000`011c34c0 00000000`00d2e3e4 : ntdll!ZwMapViewOfSection+0x14
00000000`00d2e3c0 00007ffc`98224aaa : 00000000`00000000 00000000`0000004c 00000000`00000000 00000000`011c34c0 : ntdll!LdrpMinimalMapModule+0x10a
00000000`00d2e480 00007ffc`98224479 : 00000000`011c34c0 00000000`011c3618 00000000`011c35d0 00000000`c0000135 : ntdll!LdrpMapDllWithSectionHandle+0x1a
00000000`00d2e4d0 00007ffc`982288a8 : 00000000`00000000 00000000`0000004c 00000000`00000020 00000000`00000060 : ntdll!LdrpLoadKnownDll+0xe1
00000000`00d2e530 00007ffc`98227b29 : 00000000`00000000 00000000`011c2de0 00000000`011c2de0 00000000`00000000 : ntdll!LdrpLoadDependentModule+0xcc8
00000000`00d2ea90 00007ffc`98224c14 : 00000000`011c2de0 00000000`011c3470 00000000`00000000 00000000`011c2ef0 : ntdll!LdrpMapAndSnapDependency+0x199
00000000`00d2eb10 00007ffc`98224479 : 00000000`011c2de0 00000000`011c2f38 00000000`00000000 000bd000`4e5c27cf : ntdll!LdrpMapDllWithSectionHandle+0x184
00000000`00d2eb60 00007ffc`9827b1dd : 00000000`00000000 00000000`00000048 00000000`00d2ec78 00000000`00d2ed00 : ntdll!LdrpLoadKnownDll+0xe1
00000000`00d2ebc0 00007ffc`9822fb31 : 00000000`00d2ecf8 00000000`00d2edb0 00000000`00000000 00000000`00d2ed00 : ntdll!LdrpFindOrPrepareLoadingModule+0xbd
00000000`00d2ec30 00007ffc`982273e4 : 00000000`00d2ed00 00000000`00d2eea0 00007ffc`9832c208 00000000`00d2ee90 : ntdll!LdrpLoadDllInternal+0x11d
00000000`00d2ecb0 00007ffc`98226af4 : 00000000`00000000 00000000`00004001 00007ffc`98374520 00000000`011c2c80 : ntdll!LdrpLoadDll+0xa8
00000000`00d2ee60 00007ffc`982e372f : 00000000`00000010 00000000`00000010 00000000`00f42000 00007ffc`982100e8 : ntdll!LdrLoadDll+0xe4
00000000`00d2ef50 00007ffc`98284cdb : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000001 : ntdll!LdrpInitializeProcess+0x1acf
00000000`00d2f380 00007ffc`98284b63 : 00000000`00000000 00007ffc`98210000 00000000`00000000 00000000`00f43000 : ntdll!LdrpInitialize+0x15f
00000000`00d2f420 00007ffc`98284b0e : 00000000`00d2f4a0 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpInitialize+0x3b
00000000`00d2f450 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
0:000> !address 0xad9e8
Usage:                  Free
Base Address:           00000000`00000000
End Address:            00000000`00c70000
Region Size:            00000000`00c70000
Type:                   00000000   
State:                  00010000    MEM_FREE
Protect:                00000001    PAGE_NOACCESS
 
0:000> dU 00d40044
00000000`00d40044  "C:\Program Files (x86)\iOAEnt\10"
00000000`00d40084  "7.5.18939.62005\qmipcmt64.dll"

笔者并没有去分析 0xad9e8 这个地址是怎么算出来的。从 kv 输出看,APC 栈帧里的第四个槽位 00007ffc`96fefee0 的低 16 位与正常情况下 KERNEL32!LoadLibraryWStub 的低 16 位(…fee0)一致,很可能就是注入方按 kernel32 在该进程中的基址算出来的 LoadLibraryWStub 地址,只是此时进程初始化尚未完成、该模块还没映射好,所以调试器无法符号化;而最终跳转到的 0xad9e8 落在 MEM_FREE / PAGE_NOACCESS 区域(见 !address 输出),必然触发访问违例。本来应该是要填充成 KERNEL32!LoadLibraryW?可能此时还没初始化完?没兴趣去分析。但不管具体原因是什么,安全产品的注入模块在投递 APC 之前都应当确认目标进程的 kernel32 已经加载完成(常见做法是在内核映像加载回调里等到 kernel32.dll 映射之后再投递),否则就会像这样把 explorer.exe 这类系统进程直接搞崩。只是这种看起来也太业余了,完全没有腾讯该有的水准,想当年电脑管家团队可是高手云集,现在居然连个注入都做成这样。

上面是APC注入的问题。

下面来看看注入的dll,
用 depends 打开 qmipcmt64.dll 一看,好家伙,静态依赖那么多的系统 DLL,甚至还依赖上了 msvcp80 和 msvcr80(VS2005 的 CRT,并不随系统自带,要靠 WinSxS 里安装的对应 redist 才有)。一个要被注入到 explorer.exe 等系统进程里的 DLL,导入表理应尽量精简(最好只静态依赖 ntdll/kernel32,其余按需延迟加载),这些导入表的污染好像就不用处理一样,目标机器缺少哪个依赖、或者出现版本冲突,那就是随缘崩溃。有点理解它只注入那么几个进程的原因了。



最新回复 (2)
skypismire 1 4天前
从最基础的技术来看公司的底蕴,研究下360的注入,看看强多少
saloyun 4天前
这其实就是我要吐槽的地方,为什么要重新搞,为什么不抄以前的代码,重新搞一个注入又搞得这么戳。