
<Oday安全 11.5利用未启用SafeSEH模块绕过SafeSEH>一节注记



    《0day安全》一书的内容越往后越深奥,不得不做些注记备忘。

    1.书P297 插图11.5.6写道__except函数地址根据EBP-4的值得出。这是目前为止,书中写的最含糊的地方,需要展开讨论一下。参考<软件调试>P726提及的vc编译器扩展后的异常处理结构:

(代码段1)

/*
 * VC-extended SEH registration record as quoted from 《软件调试》P726.
 * In the listing below (callJump, 00401020-00401035) the fields are built
 * by consecutive pushes after "push ebp / mov ebp,esp", so the record sits
 * at ebp-10h with the saved frame pointer directly after it at [ebp];
 * the "dd ebp-0x10 L8" dump (0012ff5c ...) confirms that layout.
 */
struct _EXCEPTION_REGISTRATION
{
struct _EXCEPTION_REGISTRATION* prev; /* previous record: loaded from fs:[0] (mov eax,fs:[0]; push eax) */
void (*handler)(PEXCEPTION_RECORD,PEXCEPTION_REGISTRATION,PCONTEXT,PEXCEPTION_RECORD); /* _except_handler4 (004017f5) is pushed here */
struct scopetable_entry* scopetable; /* pointer pushed as __rtc_tzz+0x68 (00402268); entries describe the try/except blocks */
int trylevel; /* initial value 0FFFFFFFEh (-2), i.e. no try block active yet */
int _ebp; /* the saved ebp from "push ebp"; [ebp] = 0012ff7c in the dump, used to locate the frame when a handler runs */
};
/*
 * One try/except scope as described by the book. The "dd 00402268 L8" dump
 * shows filter 004010c3 and handler 004010c9 adjacent at 00402278+4, which
 * matches the !exchain output ("filter: callJump!test+a3 ... func:
 * callJump!test+a9"). The four dwords before that (ffffffe0 00000000
 * ffffffb8 00000000) are not covered by this two-field description;
 * presumably a header that _except_handler4 consumes — confirm before relying on it.
 */
struct scopetable_entry
{
DWORD previousTryLevel; /* enclosing try level (fffffffe in the dump, same sentinel as the initial trylevel) */
FARPROC lpfnFilter; /* address of the filter expression */
FARPROC lpfnHandler; /* address of the exception-handling block (__except body) */
};
00401020 55 push ebp
00401021 8bec mov ebp,esp
00401023 6afe push 0FFFFFFFEh
00401025 6868224000 push offset callJump!__rtc_tzz+0x68 (00402268)
0040102a 68f5174000 push offset callJump!_except_handler4 (004017f5)
0040102f 64a100000000 mov eax,dword ptr fs:[00000000h]
00401035 50 push eax
0:000> r ebp
ebp=0012ff6c

0:000> dd [ebp] L1
0012ff6c 0012ff7c

0:000> dd ebp-0x10 L8
0012ff5c 0012ffb0 004017f5 00402268 fffffffe
0012ff6c 0012ff7c

0:000> dd 00402268 L8
00402268 ffffffe0 00000000 ffffffb8 00000000
00402278 fffffffe 004010c3 004010c9 000022c0
0:000> !exchain
0012ff5c: callJump!_except_handler4+0 (004017f5)
CRT scope 0, filter: callJump!test+a3 (004010c3)
func: callJump!test+a9 (004010c9)
00401000 55 push ebp
00401001 8bec mov ebp,esp
00401003 6afe push 0FFFFFFFEh
00401005 6828224000 push offset SafeSEHExe!__rtc_tzz+0x68 (00402228)
0040100a 68f5164000 push offset SafeSEHExe!_except_handler4 (004016f5)
0040100f 64a100000000 mov eax,dword ptr fs:[00000000h]
00401015 50 push eax
00401016 83ec14 sub esp,14h
00401019 a100304000 mov eax,dword ptr [SafeSEHExe!__security_cookie (00403000)] <-----从此开始的3条指令,是计算本函数的Security Cookie值
0040101e 3145f8 xor dword ptr [ebp-8],eax
00401021 33c5 xor eax,ebp
00401023 8945e4 mov dword ptr [ebp-1Ch],eax <-----Security Cookie保存的位置
00401026 53 push ebx
00401027 56 push esi
00401028 57 push edi
00401029 50 push eax
0040102a 8d45f0 lea eax,[ebp-10h]
0040102d 64a300000000 mov dword ptr fs:[00000000h],eax
00401033 8965e8 mov dword ptr [ebp-18h],esp
0:000> ?? @ebp
unsigned int 0x12ff74
0:000> ?? @ebp-0x1c
unsigned int 0x12ff58
0:000> dd 0x12ff58
0012ff58 7e2a44b2 0012ff40 7c9c94f8 0012ffb0
0012ff68 004016f5 7e7899ee fffffffe 0012ffc0
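/*
 * The author's annotated variant of the registration record, adding a
 * security-cookie slot to the book's definition. The original spelling
 * "int Security Cookie;" is not a legal C identifier; it is written as
 * security_cookie here so the declaration compiles.
 *
 * NOTE(review): the SafeSEHExe listing above does not place the cookie
 * between scopetable and trylevel. The record is installed from ebp-10h
 * (lea eax,[ebp-10h]; mov fs:[0],eax) while the cookie is stored at
 * ebp-1Ch (mov [ebp-1Ch],eax), i.e. below the record, and the "dd 0x12ff58"
 * dump shows [ebp-8] (the scopetable slot) holding 7e7899ee instead of the
 * pushed 00402228 — consistent with "xor dword ptr [ebp-8],eax" having
 * encoded the scopetable pointer with the cookie. Treat the field position
 * below as the author's illustration rather than the exact in-memory layout.
 */
struct _EXCEPTION_REGISTRATION
{
struct _EXCEPTION_REGISTRATION* prev; /* previous record from fs:[0] */
void (*handler)(PEXCEPTION_RECORD,PEXCEPTION_REGISTRATION,PCONTEXT,PEXCEPTION_RECORD); /* _except_handler4 (004016f5) */
struct scopetable_entry* scopetable; /* scope table pointer; XORed with the cookie in the listing, so not usable as a raw pointer */
int security_cookie; /* author's placeholder for the frame's security cookie (see note above) */
int trylevel; /* initial value 0FFFFFFFEh */
int _ebp; /* saved frame pointer; 0012ffc0 at [ebp] in the dump */
};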
/*
 * Two forms of the handler prototype placed side by side for comparison;
 * they differ only in the second parameter (PEXCEPTION_REGISTRATION vs.
 * void*). As written they redeclare the same file-scope name with
 * different types, so they are meant to be read, not compiled together.
 * NOTE(review): the real _except_handler* routines return an
 * EXCEPTION_DISPOSITION rather than void — confirm against the SDK headers.
 */
void (*handler)(PEXCEPTION_RECORD,PEXCEPTION_REGISTRATION,PCONTEXT,PEXCEPTION_RECORD);
void (*handler)(PEXCEPTION_RECORD,void*,PCONTEXT,PEXCEPTION_RECORD);

From: https://blog.51cto.com/u_13927568/5831329
