首页 > 其他分享 ><Oday安全 11.5利用未启用SafeSEH模块绕过SafeSEH>一节注记

<Oday安全 11.5利用未启用SafeSEH模块绕过SafeSEH>一节注记

时间:2022-11-07 20:34:16浏览次数:38  
标签:一节 RECORD 注记 mov PEXCEPTION 000 ebp push


    Oday安全一书的内容越往后越深奥,不得不做些注记备忘。

    1.书P297 插图11.5.6写道__except函数地址根据EBP-4的值得出。这是目前为止,书中写的最含糊的地方,需要展开讨论一下。参考<软件调试>P726提及的vc编译器扩展后的异常处理结构:

(代码段1)

struct _EXCEPTION_REGISTRATION
{
struct _EXCEPTION_REGISTRATION* prev;
void (*handler)(PEXCEPTION_RECORD,PEXCEPTION_REGISTRATION,PCONTEXT,PEXCEPTION_RECORD);
struct scopetable_entry* scopetable;
int trylevel;
int _ebp;
};
struct scopetable_entry
{
DWORD previousTryLevel;
FARPROC lpfnFilter; //过滤表达式的地址
FARPROC lpfnHandler; //异常处理块的地址
};
00401020 55 push ebp
00401021 8bec mov ebp,esp
00401023 6afe push 0FFFFFFFEh
00401025 6868224000 push offset callJump!__rtc_tzz+0x68 (00402268)
0040102a 68f5174000 push offset callJump!_except_handler4 (004017f5)
0040102f 64a100000000 mov eax,dword ptr fs:[00000000h]
00401035 50 push eax
0:000> r ebp
ebp=0012ff6c

0:000> dd [ebp] L1
0012ff6c 0012ff7c

0:000> dd ebp-0x10 L8
0012ff5c 0012ffb0 004017f5 00402268 fffffffe
0012ff6c 0012ff7c

0:000> dd 00402268 L8
00402268 ffffffe0 00000000 ffffffb8 00000000
00402278 fffffffe 004010c3 004010c9 000022c0
0:000> !exchain
0012ff5c: callJump!_except_handler4+0 (004017f5)
CRT scope 0, filter: callJump!test+a3 (004010c3)
func: callJump!test+a9 (004010c9)
0401000 55 push ebp
00401001 8bec mov ebp,esp
00401003 6afe push 0FFFFFFFEh
00401005 6828224000 push offset SafeSEHExe!__rtc_tzz+0x68 (00402228)
0040100a 68f5164000 push offset SafeSEHExe!_except_handler4 (004016f5)
0040100f 64a100000000 mov eax,dword ptr fs:[00000000h]
00401015 50 push eax
00401016 83ec14 sub esp,14h
00401019 a100304000 mov eax,dword ptr [SafeSEHExe!__security_cookie (00403000)] <-----从此开始的3条指令,是计算本函数的Security Cookie值
0040101e 3145f8 xor dword ptr [ebp-8],eax
00401021 33c5 xor eax,ebp
00401023 8945e4 mov dword ptr [ebp-1Ch],eax <-----Security Cookie保存的位置
00401026 53 push ebx
00401027 56 push esi
00401028 57 push edi
00401029 50 push eax
0040102a 8d45f0 lea eax,[ebp-10h]
0040102d 64a300000000 mov dword ptr fs:[00000000h],eax
00401033 8965e8 mov dword ptr [ebp-18h],esp
0:000> ?? @ebp
unsigned int 0x12ff74
0:000> ?? @ebp-0x1c
unsigned int 0x12ff58
0:000> dd 0x12ff58
0012ff58 7e2a44b2 0012ff40 7c9c94f8 0012ffb0
0012ff68 004016f5 7e7899ee fffffffe 0012ffc0
struct _EXCEPTION_REGISTRATION
{
struct _EXCEPTION_REGISTRATION* prev;
void (*handler)(PEXCEPTION_RECORD,PEXCEPTION_REGISTRATION,PCONTEXT,PEXCEPTION_RECORD);
struct scopetable_entry* scopetable;
int Security Cookie;
int trylevel;
int _ebp;
};
void (*handler)(PEXCEPTION_RECORD,PEXCEPTION_REGISTRATION,PCONTEXT,PEXCEPTION_RECORD);
void (*handler)(PEXCEPTION_RECORD,void*,PCONTEXT,PEXCEPTION_RECORD);

标签:一节,RECORD,注记,mov,PEXCEPTION,000,ebp,push
From: https://blog.51cto.com/u_13927568/5831329

相关文章