WinDBG 技巧:分析程序漏洞是否可以被利用 (!exploitable 命令)
微软在最近的CanSec West 发布了一个开源的WinDBG 插件 MSEC.dll , 该插件可以智能分析程序的漏洞是否可以被黑客利用。 可以去MSEC 开源项目的主页: http://msecdbg.codeplex.com/下载该插件。 解压之后,把 MSEC.dll 放到 WinDBG 安装目录的的 winext 子目录下。
启动WinDBG的之后, 使用 !load MSEC 来装载该插件。接下来就可以用 !exploitable 命令来分析漏洞了。 通常加上-v 选项来打印详细的信息(!exploitable -v)。
下面示范当程序出现空指针访问漏洞的时候如何利用!exploitable 来分析:
0:000> g
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\Apphelp.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
(a3c.10e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=785bb6f8 edx=00000000 esi=00000001 edi=0040337c
eip=00401002 esp=0012ff80 ebp=0012ffc0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
TestConsole!wmain+0x2:
00401002 8800 mov byte ptr [eax],al ds:0023:00000000=??
0:000> !load MSEC.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x34777202.0x123b6b02
Stack Trace:
TestConsole!wmain+0x2
TestConsole!__tmainCRTStartup+0x10f
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x401002
Description: User Mode Write AV near NULL
Short Description: WriteAV
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - User Mode Write AV near NULL starting at TestConsole!wmain+0x2 (Hash=0x34777202.0x123b6b02)
User mode write access violations that are near NULL are probably exploitable.