我们这里分析的是 Windows 内核异常处理程序漏洞 - CVE-2010-0232
网上常说的 MS10-015 指的是 Windows 内核双重释放漏洞 - CVE-2010-0233,很少有人分析 CVE-2010-0232,实际上微软把这两个漏洞一并归入了 MS10-015 公告。
官方说明里面写着:
我们这里以 Windows 7 x86 的补丁为例进行分析,补丁解开之后的目录列表如下:

重点查看的补丁文件为:
主要包括三个更新函数:
更新前
// Hex-Rays decompilation of apphelp!ApphelpCheckModule, PRE-patch build.
// Looks the module's DOS path (a1) up in the appcompat cache and, unless the
// cache says to skip, in the shim database; returns the ApphelpQueryExe result
// (1 when no database query is made).
// a1: DOS path of the module; a2, a6: forwarded to ApphelpQueryExe/ApphelpFixExe;
// a3: when non-zero, fixes are applied via ApphelpFixExe; a4: forwarded to
// ApphelpFixExe; a5: when zero, v17[32..39] and v17[43] are cleared before that.
int __stdcall ApphelpCheckModule(const WCHAR *a1, int a2, int a3, int a4, int a5, char a6)
{
    int v6; // eax
    char v8; // [esp+0h] [ebp-1F8h]       -- uninitialized stack slots that appear as extra
    char v9; // [esp+4h] [ebp-1F4h]       -- arguments of the variadic ShimDbgPrint; decompiler artifact
    int v10; // [esp+Ch] [ebp-1ECh] BYREF    -- in/out size of v17 for BaseCheckAppcompatCacheEx
    _UNICODE_STRING NtName; // [esp+10h] [ebp-1E8h] BYREF
    PCWSTR DosName; // [esp+18h] [ebp-1E0h]
    int v13; // [esp+1Ch] [ebp-1DCh] BYREF   -- cache flags written by BaseCheckAppcompatCacheEx
    int v14; // [esp+20h] [ebp-1D8h]         -- return value
    PVOID P; // [esp+24h] [ebp-1D4h]         -- shim database handle
    int v16; // [esp+28h] [ebp-1D0h]         -- 1 = v17 holds a cached query result
    int v17[114]; // [esp+2Ch] [ebp-1CCh] BYREF  -- query result buffer, 114*4 = 456 = 0x1C8 bytes
    DosName = a1;
    // The next three stores zero the whole UNICODE_STRING (Length, MaximumLength
    // and Buffer); this is just how the decompiler rendered them.
    NtName.Length = 0;
    *(_DWORD *)&NtName.MaximumLength = 0;
    HIWORD(NtName.Buffer) = 0;
    v14 = 1;
    v13 = 0;
    v10 = 456;
    v16 = 0;
    // Bit 0 of the infrastructure flags short-circuits everything (return 1);
    // when the sign bit of gdwInfrastructureFlags is clear the flags are
    // (re)computed by CheckAppcompatInfrastructureFlags first.
    if ( gdwInfrastructureFlags >= 0 )
        v6 = CheckAppcompatInfrastructureFlags() & 1;
    else
        v6 = gdwInfrastructureFlags & 1;
    if ( !v6 )
    {
        if ( RtlDosPathNameToRelativeNtPathName_U(DosName, &NtName, 0, 0)
          && BaseCheckAppcompatCacheEx(NtName.Buffer, -1, 0, &v13, &v10, v17) )
        {
            if ( (v13 & 0x100) != 0 )
            {
                v16 = 1;   // cache hit: v17 was filled from the cache
            }
            else
            {
                if ( (v13 & 0x200) == 0 )
                    goto LABEL_8;   // cache says skip: no database query, v14 stays 1
                memset(v17, 0, sizeof(v17));   // 0x200: discard the buffer, still query the database
            }
        }
        P = (PVOID)SdbInitDatabaseEx(0, 0, 332);
        if ( P )
        {
            // PRE-patch only: a cached result is used only if it passes the "light"
            // validation (two range checks at offsets 0xA8/0xAC, see the
            // SdbIsValidQueryResultLight listing further down); otherwise it is
            // dropped and ApphelpQueryExe runs a fresh query. The post-patch
            // listing below no longer contains this block.
            if ( v16 && !SdbIsValidQueryResultLight(v17) )
            {
                v16 = 0;
                memset(v17, 0, sizeof(v17));
            }
            v14 = ApphelpQueryExe(P, DosName, a2, a6, v17, v16);
            if ( !a5 )
            {
                v17[43] = 0;
                memset(&v17[32], 0, 0x20u);   // clears v17[32..39]
            }
            if ( v14 && a3 )
                ApphelpFixExe((int)P, (wchar_t *)DosName, (int)v17, a4, a6);
            SdbReleaseDatabase(P);
        }
        else if ( g_iShimDebugLevel )
        {
            // The tag string reads "ApphelpCheckExe" although this is ApphelpCheckModule.
            ShimDbgPrint(1, (int)"ApphelpCheckExe", "Failed to initialize database.\n", v8, v9);
        }
    }
LABEL_8:
    RtlFreeUnicodeString(&NtName);   // reached on every path, including the early "skip"
    return v14;
}
更新后
// Hex-Rays decompilation of apphelp!ApphelpCheckModule, POST-patch build.
// Same flow as the pre-patch listing above: appcompat cache lookup for the
// DOS path a1, then a shim-database query; returns the ApphelpQueryExe result
// (1 when no query is made). The difference from the pre-patch build is that
// the SdbIsValidQueryResultLight validation of a cached result is gone: a
// cache hit (v13 = 1) is handed to ApphelpQueryExe as-is.
// a1: DOS path; a2, a6: forwarded to ApphelpQueryExe/ApphelpFixExe; a3: when
// non-zero, fixes are applied; a4: forwarded to ApphelpFixExe; a5: when zero,
// v17[32..39] and v17[43] are cleared before the fix step.
int __stdcall ApphelpCheckModule(const WCHAR *a1, int a2, int a3, int a4, int a5, char a6)
{
    int v6; // eax
    void *v8; // ebx                      -- shim database handle (the stack variable P pre-patch)
    char v9; // [esp+0h] [ebp-1F4h]       -- uninitialized stack slots that appear as extra
    char v10; // [esp+4h] [ebp-1F0h]      -- arguments of the variadic ShimDbgPrint; decompiler artifact
    int v11; // [esp+Ch] [ebp-1E8h] BYREF    -- in/out size of v17 for BaseCheckAppcompatCacheEx
    _UNICODE_STRING NtName; // [esp+10h] [ebp-1E4h] BYREF
    int v13; // [esp+18h] [ebp-1DCh]         -- 1 = v17 holds a cached query result
    int v14; // [esp+1Ch] [ebp-1D8h] BYREF   -- cache flags written by BaseCheckAppcompatCacheEx
    int v15; // [esp+20h] [ebp-1D4h]         -- return value
    PCWSTR DosName; // [esp+24h] [ebp-1D0h]
    int v17[114]; // [esp+28h] [ebp-1CCh] BYREF  -- query result buffer, 114*4 = 456 = 0x1C8 bytes
    DosName = a1;
    // The next three stores zero the whole UNICODE_STRING.
    NtName.Length = 0;
    *(_DWORD *)&NtName.MaximumLength = 0;
    HIWORD(NtName.Buffer) = 0;
    v15 = 1;
    v14 = 0;
    v11 = 456;
    v13 = 0;
    // Bit 0 of the infrastructure flags short-circuits everything (return 1).
    if ( gdwInfrastructureFlags >= 0 )
        v6 = CheckAppcompatInfrastructureFlags() & 1;
    else
        v6 = gdwInfrastructureFlags & 1;
    if ( !v6 )
    {
        if ( RtlDosPathNameToRelativeNtPathName_U(DosName, &NtName, 0, 0)
          && BaseCheckAppcompatCacheEx(NtName.Buffer, -1, 0, &v14, &v11, v17) )
        {
            if ( (v14 & 0x100) != 0 )
            {
                v13 = 1;   // cache hit: v17 was filled from the cache
            }
            else
            {
                if ( (v14 & 0x200) == 0 )
                    goto LABEL_8;   // cache says skip: no database query, v15 stays 1
                memset(v17, 0, sizeof(v17));   // 0x200: discard the buffer, still query the database
            }
        }
        v8 = (void *)SdbInitDatabaseEx(0, 0, 332);
        if ( v8 )
        {
            // POST-patch: no validation of the cached buffer here; whether the
            // cached data is checked elsewhere is not visible in this listing.
            v15 = ApphelpQueryExe(v8, DosName, a2, a6, v17, v13);
            if ( !a5 )
            {
                v17[43] = 0;
                memset(&v17[32], 0, 0x20u);   // clears v17[32..39]
            }
            if ( v15 && a3 )
                ApphelpFixExe((int)v8, (wchar_t *)DosName, (int)v17, a4, a6);
            SdbReleaseDatabase(v8);
        }
        else if ( g_iShimDebugLevel )
        {
            // The tag string reads "ApphelpCheckExe" although this is ApphelpCheckModule.
            ShimDbgPrint(1, (int)"ApphelpCheckExe", "Failed to initialize database.\n", v9, v10);
        }
    }
LABEL_8:
    RtlFreeUnicodeString(&NtName);   // reached on every path
    return v15;
}
更新前
// Hex-Rays decompilation of apphelp!InternalCheckRunApp, PRE-patch build.
// Core of the "may this executable run / which shims apply" decision behind
// kernel32!BaseCheckRunApp (listed further down): converts the NT path a4 to a
// DOS path, opens the shim database, either reuses a cached query result
// (caller flag 0x100) or runs SdbGetMatchingExeEx, and reports the outcome
// through the caller's flags word (*a7), the optional out parameters and the
// BOOL return value (v63, default TRUE).
// Parameters, as far as the body shows:
//   a1  file/section handle; -1 means "no file" and suppresses the *a7 update
//   a4  NT path of the executable; a5 environment block
//   a6  forwarded to SdbInitDatabaseEx
//   a7  in/out flags: in, 0x100 = a19 holds a cached result, bit 1 and 0x400
//       are also consulted; out, 0x10000 plus 0x20000 or 0x40000, and (pre-patch)
//       0x80000 when the cached result failed validation
//   a10/a11/a12  optional DWORD outs filled via SdbQueryFlagMask
//   a13 non-zero: also collect NTVDM data and leave the database open for the caller
//   a15 optional WORD out; a17 optional 0x48-byte out record; a18 receives the DB handle
//   a19 optional 0x1C8-byte query-result buffer; a stack buffer is used when NULL
BOOL __stdcall InternalCheckRunApp(void *a1, int a2, int a3, const WCHAR *a4, WCHAR *a5, int a6, unsigned int *a7, int a8, int a9, _DWORD *a10, _DWORD *a11, _DWORD *a12, int a13, int a14, _WORD *a15, int a16, void *a17, _DWORD *a18, void *a19)
{
    _DWORD *v19; // esi
    _DWORD *v20; // esi
    int *v21; // esi
    int v22; // ecx
    int v23; // eax
    int v24; // eax
    char *v26; // eax
    char v27; // di
    PVOID v28; // eax
    unsigned int *v29; // edi
    void *v30; // eax
    unsigned int v31; // edi
    _DWORD *v32; // edi        -- the query result buffer in use (a19 or the local v71)
    int v33; // eax
    _DWORD *v34; // esi
    int v35; // eax
    int v36; // eax
    unsigned int *v37; // esi
    char v38; // [esp+0h] [ebp-27Ch]    -- uninitialized stack slots that appear as extra
    char v39; // [esp+4h] [ebp-278h]    -- arguments of the variadic ShimDbgPrint; decompiler artifact
    char v40[4]; // [esp+Ch] [ebp-270h] BYREF   -- out-parameter of ParseSdbQueryResult
    char argList[4]; // [esp+10h] [ebp-26Ch]   -- adjacent to v40; read as the severity afterwards
    int v42; // [esp+3Ch] [ebp-240h]
    _DWORD *v43; // [esp+40h] [ebp-23Ch]
    int v44; // [esp+44h] [ebp-238h]
    _DWORD *v45; // [esp+48h] [ebp-234h]
    int v46; // [esp+4Ch] [ebp-230h]
    _WORD *v47; // [esp+50h] [ebp-22Ch]
    int v48; // [esp+54h] [ebp-228h] BYREF
    int v49; // [esp+58h] [ebp-224h]
    int v50; // [esp+5Ch] [ebp-220h]
    int v51; // [esp+60h] [ebp-21Ch] BYREF
    unsigned int v52; // [esp+64h] [ebp-218h] BYREF   -- flags from ParseSdbQueryResult; bit 2 = NoUI (per the debug text)
    char v53[4]; // [esp+68h] [ebp-214h]
    HANDLE hObject; // [esp+6Ch] [ebp-210h]
    int v55; // [esp+70h] [ebp-20Ch]          -- 1 = cached result accepted; only SdbIsValidQueryResultLight clears it
    BOOL v56; // [esp+74h] [ebp-208h]         -- SxS data present
    void *v57; // [esp+78h] [ebp-204h]
    void *Src; // [esp+7Ch] [ebp-200h] BYREF
    _DWORD *v59; // [esp+80h] [ebp-1FCh]
    int v60; // [esp+84h] [ebp-1F8h] BYREF    -- non-zero when ParseSdbQueryResult found an apphelp entry
    int v61; // [esp+88h] [ebp-1F4h] BYREF
    int v62; // [esp+8Ch] [ebp-1F0h]
    BOOL v63; // [esp+90h] [ebp-1ECh]         -- return value, default TRUE
    PWSTR Environment; // [esp+94h] [ebp-1E8h]
    PCWSTR SourceString; // [esp+98h] [ebp-1E4h]
    unsigned int *v66; // [esp+9Ch] [ebp-1E0h]   -- caller's flags word (a7), may be NULL
    PVOID P; // [esp+A0h] [ebp-1DCh]          -- heap copy of the DOS path
    void *v68; // [esp+A4h] [ebp-1D8h]
    int v69; // [esp+A8h] [ebp-1D4h] BYREF    -- first the path length, later bit 1 of the caller's flags
    PVOID v70; // [esp+ACh] [ebp-1D0h]        -- shim database handle
    char v71; // [esp+B0h] [ebp-1CCh] BYREF   -- start of the local result buffer (0x1C8 bytes, see the memset)
    hObject = a1;
    v44 = a2;
    SourceString = a4;
    Environment = a5;
    v66 = a7;
    v46 = a8;
    v50 = a9;
    v45 = a10;
    v43 = a11;
    v59 = a12;
    v42 = a14;
    v49 = a16;
    v57 = a17;
    v68 = a19;
    v61 = 0;
    v47 = a15;
    v63 = 1;
    P = 0;
    v69 = 0;
    v56 = 0;
    v70 = 0;
    v60 = 0;
    Src = 0;
    v62 = 0;
    v52 = 0;
    *(_DWORD *)v53 = 0;
    v55 = 1;
    if ( a18 )
        *a18 = 0;
    if ( a15 )
        *a15 = 0;
    if ( v57 )
        memset(v57, 0, 0x48u);
    // Pick the query-result buffer: the caller's a19, else the local one.
    v26 = (char *)v68;
    if ( !v68 )
        v26 = &v71;
    v68 = v26;
    // Probe with a NULL buffer: -1073741789 is 0xC0000023 (STATUS_BUFFER_TOO_SMALL);
    // v69 then holds the required length in characters.
    if ( ConvertNtPathToDosPath(SourceString, 0, (int)&v69) == -1073741789 )
    {
        v27 = 2 * v69;   // decompiler artifact: the byte count, truncated to char, used only for the '%ld' debug print
        v28 = RtlAllocateHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 8u, 2 * v69);   // 8 = HEAP_ZERO_MEMORY
        P = v28;
        if ( !v28 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(
                    1,
                    (int)"InternalCheckRunApp",
                    "Failed to allocate '%ld' bytes for path '%S'\n",
                    v27,
                    (char)SourceString);
            goto LABEL_55;
        }
        if ( ConvertNtPathToDosPath(SourceString, v28, (int)&v69) < 0 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to convert path '%S' to DOS.\n", (char)SourceString, v38);
            goto LABEL_55;
        }
        v29 = v66;
        // v69 is reused: bit 1 of the caller's flags, or 1 when no flags word was
        // given. It later gates the *a7 update at LABEL_41 -- so with v66 == NULL
        // that update is never attempted.
        if ( v66 )
            v69 = (*v66 >> 1) & 1;
        else
            v69 = 1;
        v30 = (void *)SdbInitDatabaseEx(0, 0, a6);
        v70 = v30;
        if ( a18 )
            *a18 = v30;
        if ( !v30 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to initialize the database.\n", v38, v39);
            goto LABEL_55;
        }
        if ( !v29 )
            goto LABEL_25;   // no flags word: always run a fresh query
        v31 = *v29;
        if ( (v31 & 0x400) != 0 )
            JUMPOUT(0x6F008A34);   // the decompiler could not follow this path; its code is not in this listing
        if ( (v31 & 0x100) != 0 )
        {
            // Caller says a19 already holds a cached query result.
            v32 = v68;
            if ( !DetectCompatLayerEnvironmentVariable(Environment) )
            {
                // PRE-patch: the cached result is trusted only if it passes the
                // light range check (offsets 0xA8/0xAC). On success bit 2 of dword
                // 48 is set and the SdbGetMatchingExeEx query below is skipped;
                // on failure v55 = 0 and the buffer is re-queried from scratch.
                v36 = SdbIsValidQueryResultLight(v68);
                v55 = v36;
                if ( v36 )
                {
                    *((_DWORD *)v68 + 48) |= 4u;
                    v37 = v66;
                    goto LABEL_77;
                }
            }
        }
        else
        {
LABEL_25:
            v32 = v68;
        }
        memset(v32, 0, 0x1C8u);
        v37 = v66;
        // PRE-patch: a cached result that failed validation is reported to the
        // caller by clearing 0x100 and setting 0x80000 in the flags word
        // (kernel32!BaseCheckRunApp pre-patch tests 0x80000 before caching).
        if ( !v55 )
            *v66 = *v66 & 0xFFFFFEFF | 0x80000;
        if ( SdbGetMatchingExeEx(v70, (int)P, v44, a3, v42, (int)Environment, v53[0], v32) && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"InternalCheckRunApp", "Found %ws in the app compat database\n", (char)P, v38);
LABEL_77:
        // PRE-patch IdentifyCandidates takes seven arguments; the post-patch listing passes five.
        if ( v37 && !IdentifyCandidates(0, (char)v37, (int)v70, hObject, SourceString, *v37, (int)v32) && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"IdentifyCandidates", "Failed to identify candidates.\n", v38, v39);
        // Optional DWORD outs, each the result of a flag-mask query on the result buffer.
        if ( v45 )
        {
            SdbQueryFlagMask((char)v32, (int)v70, v32, 20494, &v61, 0);
            *v45 = v61;
        }
        v19 = v43;
        if ( v43 )
        {
            SdbQueryFlagMask((char)v32, (int)v70, v32, 20496, &v61, 0);
            *v43 = v61;
            v19[1] = v62;
        }
        if ( v59 )
        {
            SdbQueryFlagMask((char)v32, (int)v70, v32, 20497, &v61, 0);
            *v59 = v61;
        }
        ParseSdbQueryResult((int)v70, v32, &v60, &v52, v40, &Src);
        Environment = (PWSTR)(v60 != 0);   // slot reuse: from here 'Environment' means "has apphelp entry"
        if ( !v60 )
            goto LABEL_36;
        v59 = (_DWORD *)((v52 >> 2) & 1);   // slot reuse: from here 'v59' is the NoUI flag
        if ( v59 && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"InternalCheckRunApp", "NoUI flag is set, apphelp UI disabled for this app.\n", v38, v39);
        v33 = *(_DWORD *)argList;
        if ( *(_DWORD *)argList && *(_DWORD *)argList <= 4u )   // severities 1..4 are handled
        {
            v34 = v57;
            if ( v57 )
                *((_DWORD *)v57 + 1) = *(_DWORD *)argList;   // out record [1] = severity
            if ( v59 )
            {
                v63 = v33 != 2;   // NoUI: severity 2 is the only value that yields FALSE
            }
            else
            {
                v35 = v60;
                v32[41] = v60;
                // out record [7] = tag id, [8..] = database GUID
                if ( v34 && SdbTagRefToTagID(v70, v35, &v48, &v51) && SdbGetDatabaseGUID(v70, v48, v34 + 8) )
                    v34[7] = v51;
                v63 = 1;
            }
        }
        else
        {
            if ( !g_iShimDebugLevel )
                goto LABEL_36;
            ShimDbgPrint(2, (int)"InternalCheckRunApp", "Unhandled severity flag 0x%x.\n", argList[0], v38);
        }
        if ( !v63 )
        {
LABEL_41:
            // Report the outcome in the caller's flags word. Reached directly when the
            // app is blocked (v63 == 0) and via LABEL_36 otherwise. The !v69 term keeps
            // this block out when no flags word was given (v69 == 1 then).
            v21 = (int *)v66;
            if ( (!v66 || (*v66 & 0x100) == 0) && !v69 && (!*v32 || SdbIsTagrefFromMainDB(*v32)) )
            {
                v22 = 1;   // 1 = nothing found: no tagref, v32[32] clear, no apphelp entry, no SxS data
                if ( ((v32[48] >> 5) & 1) == 0 && ((v32[48] >> 4) & 1) == 0 )
                {
                    if ( *v32 || v32[32] || Environment || v56 )
                        v22 = 0;
                    if ( hObject != (HANDLE)-1 )
                    {
                        *v21 |= 0x10000u;
                        v23 = *v21;
                        if ( v22 )
                            v24 = v23 | 0x20000;
                        else
                            v24 = v23 | 0x40000;
                        *v21 = v24;   // BaseCheckRunApp tests these bits as (a6 & 0x60000)
                    }
                }
            }
            goto LABEL_55;
        }
LABEL_36:
        // App allowed (or no apphelp entry): collect SxS and, with a13, NTVDM data.
        v20 = (_DWORD *)v46;
        if ( v46 && Src )
        {
            GetExeSxsData((int)v70, Src, v46, v50);
            v56 = *v20 != 0;
        }
        if ( a13 )
            GetExeNTVDMData(v70, v32, v47, v49);
        goto LABEL_41;
    }
    if ( !g_iShimDebugLevel )
        goto LABEL_57;
    ShimDbgPrint(1, (int)"InternalCheckRunApp", "Unexpected return result for call to ConvertNtPathToDosPath\n", v38, v39);
LABEL_55:
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
LABEL_57:
    // With a13 set the database handle (also returned via *a18) is left open for the caller.
    if ( !a13 && v70 )
        SdbReleaseDatabase(v70);
    return v63;
}
更新后
// Hex-Rays decompilation of apphelp!InternalCheckRunApp, POST-patch build.
// Same control flow as the pre-patch listing above (the decompiler just typed
// every parameter as int this time). Differences visible here:
//   * the SdbIsValidQueryResultLight call on a cached result is gone -- with
//     caller flag 0x100 and no compat-layer environment variable, bit 2 of
//     dword 48 is set unconditionally and SdbGetMatchingExeEx is skipped;
//   * the "clear 0x100, set 0x80000" rewrite of the caller's flags is gone;
//   * IdentifyCandidates is called with five arguments instead of seven.
// Parameter meaning as in the pre-patch listing: a1 handle (-1 = none), a4 NT
// path, a5 environment, a7 in/out flags word, a10/a11/a12 optional DWORD outs,
// a13 keep-database flag, a15/a17/a18 optional outs, a19 optional result buffer.
BOOL __stdcall InternalCheckRunApp(int a1, int a2, int a3, int a4, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, int a13, int a14, int a15, int a16, void *a17, int a18, int a19)
{
    char *v19; // eax
    char v20; // di
    PVOID v21; // eax
    int *v22; // edi
    void *v23; // eax
    int v24; // edi
    _DWORD *v25; // edi        -- the query result buffer in use (a19 or the local v68)
    _DWORD *v26; // ebx
    _DWORD *v27; // ebx
    int *v28; // ebx
    int v29; // ecx
    int v30; // eax
    int v31; // eax
    int v33; // eax
    _DWORD *v34; // ebx
    int v35; // eax
    char v36; // [esp+0h] [ebp-278h]    -- uninitialized stack slots that appear as extra
    char v37; // [esp+4h] [ebp-274h]    -- arguments of the variadic ShimDbgPrint; decompiler artifact
    char v38[4]; // [esp+Ch] [ebp-26Ch] BYREF   -- out-parameter of ParseSdbQueryResult
    char argList[4]; // [esp+10h] [ebp-268h]   -- adjacent to v38; read as the severity afterwards
    _DWORD *v40; // [esp+3Ch] [ebp-23Ch]      -- a17, optional 0x48-byte out record
    _DWORD *v41; // [esp+40h] [ebp-238h]
    int v42; // [esp+44h] [ebp-234h] BYREF
    _DWORD *v43; // [esp+48h] [ebp-230h]
    int v44; // [esp+4Ch] [ebp-22Ch]
    int v45; // [esp+50h] [ebp-228h]
    int v46; // [esp+54h] [ebp-224h] BYREF
    int v47; // [esp+58h] [ebp-220h]
    int v48; // [esp+5Ch] [ebp-21Ch]
    int v49; // [esp+60h] [ebp-218h]
    int v50; // [esp+64h] [ebp-214h]
    char v51[4]; // [esp+68h] [ebp-210h]
    BOOL v52; // [esp+6Ch] [ebp-20Ch]         -- SxS data present
    unsigned int v53; // [esp+70h] [ebp-208h] BYREF   -- flags from ParseSdbQueryResult; bit 2 = NoUI (per the debug text)
    HANDLE hObject; // [esp+74h] [ebp-204h]
    int v55; // [esp+78h] [ebp-200h] BYREF    -- non-zero when ParseSdbQueryResult found an apphelp entry
    _DWORD *v56; // [esp+7Ch] [ebp-1FCh]
    void *Src; // [esp+80h] [ebp-1F8h] BYREF
    int *v58; // [esp+84h] [ebp-1F4h]         -- caller's flags word (a7), may be NULL
    int v59; // [esp+88h] [ebp-1F0h] BYREF
    int v60; // [esp+8Ch] [ebp-1ECh]
    BOOL v61; // [esp+90h] [ebp-1E8h]         -- return value, default TRUE
    PWSTR Environment; // [esp+94h] [ebp-1E4h]
    PCWSTR SourceString; // [esp+98h] [ebp-1E0h]
    PVOID P; // [esp+9Ch] [ebp-1DCh]          -- heap copy of the DOS path
    void *v65; // [esp+A0h] [ebp-1D8h]
    int v66; // [esp+A4h] [ebp-1D4h] BYREF    -- first the path length, later bit 1 of the caller's flags
    PVOID v67; // [esp+A8h] [ebp-1D0h]        -- shim database handle
    char v68; // [esp+ACh] [ebp-1CCh] BYREF   -- start of the local result buffer (0x1C8 bytes, see the memset)
    hObject = (HANDLE)a1;
    v48 = a2;
    SourceString = (PCWSTR)a4;
    Environment = (PWSTR)a5;
    v58 = (int *)a7;
    v44 = a8;
    v49 = a9;
    v43 = (_DWORD *)a10;
    v41 = (_DWORD *)a11;
    v56 = (_DWORD *)a12;
    v50 = a14;
    v47 = a16;
    v65 = (void *)a19;
    v59 = 0;
    v45 = a15;
    v40 = a17;
    v61 = 1;
    P = 0;
    v66 = 0;
    v52 = 0;
    v67 = 0;
    v55 = 0;
    Src = 0;
    v60 = 0;
    v53 = 0;
    *(_DWORD *)v51 = 0;
    if ( a18 )
        *(_DWORD *)a18 = 0;
    if ( a15 )
        *(_WORD *)a15 = 0;
    if ( a17 )
        memset(a17, 0, 0x48u);
    // Pick the query-result buffer: the caller's a19, else the local one.
    v19 = (char *)v65;
    if ( !v65 )
        v19 = &v68;
    v65 = v19;
    // Probe with a NULL buffer: -1073741789 is 0xC0000023 (STATUS_BUFFER_TOO_SMALL);
    // v66 then holds the required length in characters.
    if ( ConvertNtPathToDosPath(SourceString, 0, (int)&v66) == -1073741789 )
    {
        v20 = 2 * v66;   // decompiler artifact: the byte count, truncated to char, used only for the '%ld' debug print
        v21 = RtlAllocateHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 8u, 2 * v66);   // 8 = HEAP_ZERO_MEMORY
        P = v21;
        if ( !v21 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(
                    1,
                    (int)"InternalCheckRunApp",
                    "Failed to allocate '%ld' bytes for path '%S'\n",
                    v20,
                    (char)SourceString);
            goto LABEL_50;
        }
        if ( ConvertNtPathToDosPath(SourceString, v21, (int)&v66) < 0 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to convert path '%S' to DOS.\n", (char)SourceString, v36);
            goto LABEL_50;
        }
        v22 = v58;
        // v66 is reused: bit 1 of the caller's flags, or 1 when no flags word was
        // given; it gates the *a7 update at LABEL_36.
        if ( v58 )
            v66 = ((unsigned int)*v58 >> 1) & 1;
        else
            v66 = 1;
        v23 = (void *)SdbInitDatabaseEx(0, 0, a6);
        v67 = v23;
        if ( a18 )
            *(_DWORD *)a18 = v23;
        if ( !v23 )
        {
            if ( g_iShimDebugLevel )
                ShimDbgPrint(1, (int)"InternalCheckRunApp", "Failed to initialize the database.\n", v36, v37);
            goto LABEL_50;
        }
        if ( !v22 )
            goto LABEL_20;   // no flags word: always run a fresh query
        v24 = *v22;
        if ( (v24 & 0x400) != 0 )
            JUMPOUT(0x6F0089F4);   // the decompiler could not follow this path; its code is not in this listing
        // POST-patch: a cached result (0x100) with no compat-layer variable is
        // accepted without any validation of the buffer contents.
        if ( (v24 & 0x100) != 0 && !DetectCompatLayerEnvironmentVariable(Environment) )
        {
            v25 = v65;
            *((_DWORD *)v65 + 48) |= 4u;
        }
        else
        {
LABEL_20:
            memset(v65, 0, 0x1C8u);
            if ( SdbGetMatchingExeEx(v67, (int)P, v48, a3, v50, (int)Environment, v51[0], v65) && g_iShimDebugLevel )
                ShimDbgPrint(3, (int)"InternalCheckRunApp", "Found %ws in the app compat database\n", (char)P, v36);
            v25 = v65;
        }
        // POST-patch IdentifyCandidates signature: five arguments.
        if ( v58 && !IdentifyCandidates((int)v67, hObject, SourceString, *v58, (int)v25) && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"IdentifyCandidates", "Failed to identify candidates.\n", v36, v37);
        // Optional DWORD outs, each the result of a flag-mask query on the result buffer.
        if ( v43 )
        {
            SdbQueryFlagMask((char)v25, (int)v67, v25, 20494, &v59, 0);
            *v43 = v59;
        }
        v26 = v41;
        if ( v41 )
        {
            SdbQueryFlagMask((char)v25, (int)v67, v25, 20496, &v59, 0);
            *v41 = v59;
            v26[1] = v60;
        }
        if ( v56 )
        {
            SdbQueryFlagMask((char)v25, (int)v67, v25, 20497, &v59, 0);
            *v56 = v59;
        }
        ParseSdbQueryResult(v67, v25, &v55, &v53, v38, &Src);
        Environment = (PWSTR)(v55 != 0);   // slot reuse: from here 'Environment' means "has apphelp entry"
        if ( !v55 )
            goto LABEL_31;
        v56 = (_DWORD *)((v53 >> 2) & 1);   // slot reuse: from here 'v56' is the NoUI flag
        if ( v56 && g_iShimDebugLevel )
            ShimDbgPrint(3, (int)"InternalCheckRunApp", "NoUI flag is set, apphelp UI disabled for this app.\n", v36, v37);
        v33 = *(_DWORD *)argList;
        if ( *(_DWORD *)argList && *(_DWORD *)argList <= 4u )   // severities 1..4 are handled
        {
            v34 = v40;
            if ( v40 )
                v40[1] = *(_DWORD *)argList;   // out record [1] = severity
            if ( v56 )
            {
                v61 = v33 != 2;   // NoUI: severity 2 is the only value that yields FALSE
            }
            else
            {
                v35 = v55;
                v25[41] = v55;
                // out record [7] = tag id, [8..] = database GUID
                if ( v34 && SdbTagRefToTagID(v67, v35, &v46, &v42) && SdbGetDatabaseGUID(v67, v46, v34 + 8) )
                    v34[7] = v42;
                v61 = 1;
            }
        }
        else
        {
            if ( !g_iShimDebugLevel )
                goto LABEL_31;
            ShimDbgPrint(2, (int)"InternalCheckRunApp", "Unhandled severity flag 0x%x.\n", argList[0], v36);
        }
        if ( !v61 )
        {
LABEL_36:
            // Report the outcome in the caller's flags word. Reached directly when the
            // app is blocked (v61 == 0) and via LABEL_31 otherwise. The !v66 term keeps
            // this block out when no flags word was given (v66 == 1 then).
            v28 = v58;
            if ( (!v58 || (*v58 & 0x100) == 0) && !v66 && (!*v25 || SdbIsTagrefFromMainDB(*v25)) )
            {
                v29 = 1;   // 1 = nothing found: no tagref, v25[32] clear, no apphelp entry, no SxS data
                if ( ((v25[48] >> 5) & 1) == 0 && ((v25[48] >> 4) & 1) == 0 )
                {
                    if ( *v25 || v25[32] || Environment || v52 )
                        v29 = 0;
                    if ( hObject != (HANDLE)-1 )
                    {
                        *v28 |= 0x10000u;
                        v30 = *v28;
                        if ( v29 )
                            v31 = v30 | 0x20000;
                        else
                            v31 = v30 | 0x40000;
                        *v28 = v31;   // BaseCheckRunApp tests these bits as (a6 & 0x60000)
                    }
                }
            }
            goto LABEL_50;
        }
LABEL_31:
        // App allowed (or no apphelp entry): collect SxS and, with a13, NTVDM data.
        v27 = (_DWORD *)v44;
        if ( v44 && Src )
        {
            GetExeSxsData((int)v67, Src, v44, v49);
            v52 = *v27 != 0;
        }
        if ( a13 )
            GetExeNTVDMData(v67, v25, v45, v47);
        goto LABEL_36;
    }
    if ( !g_iShimDebugLevel )
        goto LABEL_52;
    ShimDbgPrint(1, (int)"InternalCheckRunApp", "Unexpected return result for call to ConvertNtPathToDosPath\n", v36, v37);
LABEL_50:
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
LABEL_52:
    // With a13 set the database handle (also returned via *a18) is left open for the caller.
    if ( !a13 && v67 )
        SdbReleaseDatabase(v67);
    return v61;
}
更新前
; BOOL __stdcall SdbIsValidQueryResultLight(int a1)
; PRE-patch apphelp routine: the "light" validation of a cached SDB query result.
; Returns 1 only when the pointer is non-NULL and the two DWORDs at offsets
; 0xA8 (<= 0x10) and 0xAC (<= 8) are in range; nothing else in the buffer
; (0x1C8 bytes according to its callers) is examined.
SdbIsValidQueryResultLight(x) proc near
    mov edi, edi                  ; 2-byte hot-patch padding
    push ebp
    mov ebp, esp
    mov eax, [ebp+arg_0]          ; eax = a1, the query result pointer
    test eax, eax
    jz short loc_6F0214F7         ; NULL -> return 0
loc_6f0214e0:
    cmp dword ptr [eax+0A8h], 10h
    ja short loc_6F0214F7         ; unsigned [a1+0xA8] > 0x10 -> return 0
loc_6f0214e9:
    cmp dword ptr [eax+0ACh], 8
    ja short loc_6F0214F7         ; unsigned [a1+0xAC] > 8 -> return 0
loc_6f0214f2:
    xor eax, eax
    inc eax                       ; eax = 1 (TRUE)
    jmp short loc_6F0214F9
loc_6f0214f7:
    xor eax, eax                  ; eax = 0 (FALSE)
loc_6f0214f9:
    pop ebp
    retn 4                        ; __stdcall: callee removes the single 4-byte argument
SdbIsValidQueryResultLight(x) endp
// PRE-patch apphelp!SdbIsValidQueryResultLight (decompiled): the "light"
// validation of a cached query result. Only the two DWORD counters at byte
// offsets 168 (0xA8) and 172 (0xAC) are range-checked; the rest of the buffer
// is not inspected.
// a1: address of the query result; 0 is rejected.
// Returns 1 when both counters are within range, otherwise 0.
BOOL __stdcall SdbIsValidQueryResultLight(int a1)
{
    if ( !a1 )
        return 0;
    if ( *(_DWORD *)(a1 + 168) > 0x10u )   // first counter must not exceed 16
        return 0;
    return *(_DWORD *)(a1 + 172) <= 8u;    // second counter must not exceed 8
}
更新后:无此函数
主要包括三个更新函数:
更新前
// kernel32!BaseCheckRunApp, PRE-patch build (decompiled). Thin wrapper around
// the lookup helper sub_77E21BE9 (named BasepLookupApp in the patched build):
// runs the lookup, then records the outcome via sub_77E21F10 when the flags
// the helper wrote back into a6 ask for it.
// a6 and P are passed by address, so the helper may update both in place; the
// caller's original a6 is kept in origFlags. P is freed here when non-NULL
// after a successful lookup; on the failure path it is left to the helper.
// Returns whatever the helper stored in BaseAddress (default 1).
int __stdcall BaseCheckRunApp(HANDLE SectionHandle, int a2, int a3, PWSTR Environment, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, PVOID P)
{
    int BaseAddress = 1; // [esp+4h] [ebp-4h] BYREF
    const int origFlags = a6;   // esi: a6 before the helper rewrites it
    const int status = sub_77E21BE9(SectionHandle, a2, a3, Environment, a5, (int)&a6,
                                    a7, a8, a9, a10, a11, a12, (int)P, (int)&P, &BaseAddress);
    if ( status < 0 )
        return BaseAddress;
    // PRE-patch rule: record the outcome unless the caller already supplied a
    // cached result (0x100) -- except when the helper set 0x80000, which the
    // pre-patch apphelp!InternalCheckRunApp sets when a cached result failed
    // SdbIsValidQueryResultLight -- and only if an outcome was reported at all
    // (0x20000 or 0x40000).
    const int hadCachedResult = (origFlags & 0x100) != 0;
    const int cacheInvalidated = (a6 & 0x80000) != 0;
    const int outcomeReported = (a6 & 0x60000) != 0;
    if ( (!hadCachedResult || cacheInvalidated) && outcomeReported )
        sub_77E21F10(a3, a2, P, a5, origFlags);
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
    return BaseAddress;
}
更新后
// kernel32!BaseCheckRunApp, POST-patch build (decompiled). Thin wrapper around
// BasepLookupApp: runs the lookup, then records the outcome via BasepCacheApp
// when the flags the helper wrote back into a6 ask for it.
// a6 and P are passed by address, so the helper may update both in place; the
// caller's original a6 is kept in origFlags. P is freed here when non-NULL
// after a successful lookup; on the failure path it is left to the helper.
// Compared with the pre-patch build the 0x80000 escape hatch is gone: a caller
// that supplied a cached result (0x100) never triggers BasepCacheApp.
// Returns whatever the helper stored in BaseAddress (default 1).
int __stdcall BaseCheckRunApp(HANDLE SectionHandle, int a2, int a3, PWSTR Environment, int a5, int a6, int a7, int a8, int a9, int a10, int a11, int a12, PVOID P)
{
    int BaseAddress = 1; // [esp+4h] [ebp-4h] BYREF
    const int origFlags = a6;   // esi: a6 before the helper rewrites it
    const int status = BasepLookupApp(SectionHandle, a2, a3, Environment, a5, (int)&a6,
                                      a7, a8, a9, a10, a11, a12, (int)P, (int)&P, &BaseAddress);
    if ( status < 0 )
        return BaseAddress;
    const int hadCachedResult = (origFlags & 0x100) != 0;
    const int outcomeReported = (a6 & 0x60000) != 0;   // 0x20000 or 0x40000 set by the helper
    if ( !hadCachedResult && outcomeReported )
        BasepCacheApp(a3, a2, P, a5, origFlags);
    if ( P )
        RtlFreeHeap(NtCurrentTeb()->ProcessEnvironmentBlock->ProcessHeap, 0, P);
    return BaseAddress;
}
更新前
// kernel32!BaseQueryModuleData, PRE-patch build (decompiled). Consults the
// appcompat cache for SourceString; depending on the cache flags it answers
// from the cached query result (BasepQueryModuleDataEx), runs a fresh query
// (BasepQueryModuleData) or returns 0.
// a2..a7 are forwarded unchanged to the Basep* routine.
// Returns 0 when the shim infrastructure is disabled or the cache entry says
// to skip; otherwise the Basep* result.
char __stdcall BaseQueryModuleData(PCWSTR SourceString, int a2, int a3, int a4, int a5, int a6, int a7)
{
    int cacheFlags = 0;        // out: flags from BaseCheckAppcompatCacheEx
    int resultSize = 456;      // in/out: sizeof queryResult
    int queryResult[114];      // 114*4 = 456 = 0x1C8 bytes, filled from the cache
    if ( IsShimInfrastructureDisabled() )
        return 0;
    const int cacheHit = BaseCheckAppcompatCacheEx(SourceString, (HANDLE)0xFFFFFFFF, 0,
                                                   (int)&cacheFlags, (int)&resultSize, (int)queryResult);
    // The cached result is used only for a 0x100 entry that passes the light
    // validation (PRE-patch only); a 0x200 entry or a failed validation falls
    // back to a fresh query, and any other entry means "skip".
    int useCachedResult = 0;
    if ( cacheHit )
    {
        if ( (cacheFlags & 0x100) != 0 )
            useCachedResult = SdbIsValidQueryResultLight(queryResult);
        else if ( (cacheFlags & 0x200) == 0 )
            return 0;
    }
    if ( useCachedResult )
        return BasepQueryModuleDataEx(SourceString, a2, a3, a4, a5, a6, a7, queryResult);
    return BasepQueryModuleData(SourceString, a2, a3, a4, a5, a6, a7);
}
更新后
// kernel32!BaseQueryModuleData, POST-patch build (decompiled). Consults the
// appcompat cache for SourceString; a 0x100 entry is answered from the cached
// query result (BasepQueryModuleDataEx), a 0x200 entry or a cache miss runs a
// fresh query (BasepQueryModuleData), anything else returns 0.
// Compared with the pre-patch build the SdbIsValidQueryResultLight check on a
// 0x100 entry is gone; the cached buffer goes straight to the Ex routine.
// a2..a7 are forwarded unchanged to the Basep* routine.
char __stdcall BaseQueryModuleData(PCWSTR SourceString, int a2, int a3, int a4, int a5, int a6, int a7)
{
    int cacheFlags = 0;        // out: flags from BaseCheckAppcompatCacheEx
    int resultSize = 456;      // in/out: sizeof queryResult
    int queryResult[114];      // 114*4 = 456 = 0x1C8 bytes, filled from the cache
    if ( IsShimInfrastructureDisabled() )
        return 0;
    if ( !BaseCheckAppcompatCacheEx(SourceString, (HANDLE)0xFFFFFFFF, 0,
                                    (int)&cacheFlags, (int)&resultSize, (int)queryResult) )
        return BasepQueryModuleData(SourceString, a2, a3, a4, a5, a6, a7);
    switch ( cacheFlags & 0x300 )
    {
    case 0x100:
    case 0x300:   // 0x100 wins over 0x200
        return BasepQueryModuleDataEx(SourceString, a2, a3, a4, a5, a6, a7, queryResult);
    case 0x200:
        return BasepQueryModuleData(SourceString, a2, a3, a4, a5, a6, a7);
    default:
        return 0;
    }
}
SdbIsValidQueryResultLight 函数在两个 dll 中都被去除了,说明该函数所做的检查存在问题,不足以作为判断依据。从上面的反编译代码可以看到,它只检查了缓存查询结果中偏移 0xA8、0xAC 两个 DWORD 的取值范围(分别不大于 0x10 和 8);补丁后,缓存命中(标志 0x100)的路径不再依赖这个检查,而是直接调用 BasepQueryModuleDataEx / ApphelpQueryExe,同时 InternalCheckRunApp 在校验失败时设置、BaseCheckRunApp 据以判断的 0x80000 标志也被一并删除。