📄 762.html
字号:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Windows Xp Sp2溢出保护 </title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography," />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="top">
<div class="searchBox">
<form name="searchform" action="http://www.google.com/search" method="get">
<input type="hidden" name="domains" value="www.xfocus.net">
<input type="hidden" name="sitesearch" value="www.xfocus.net">
<input type="text" name="q" size="20">
<input type="submit" name="btnG" value="Google Search">
</form>
</div>
<img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo">
<img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title">
</div>
<div class="tabs">
<a href="../../index.html" class="plain">首页</a>
<a href="../../releases/index.html" class="plain">焦点原创</a>
<a href="../../articles/index.html" class="selected">安全文摘</a>
<a href="../../tools/index.html" class="plain">安全工具</a>
<a href="../../vuls/index.html" class="plain">安全漏洞</a>
<a href="../../projects/index.html" class="plain">焦点项目</a>
<a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">焦点论坛</a>
<a href="../../about/index.html" class="plain">关于我们</a>
</div>
<div class="personalBar">
<a href='https://www.xfocus.net/php/add_article.php'>添加文章</a> <a href='http://www.xfocus.org/'>English Version</a>
</div>
<table class="columns">
<tr>
<td class="left">
<div class="box">
<h5> 文章分类 </h5>
<div class="body">
<div class="content odd">
<div style="white-space: nowrap;">
<img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/4.html'><b>专题文章 <<</b></a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/2.html'>漏洞分析</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/3.html'>安全配置</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/1.html'>黑客教学</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/5.html'>编程技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/7.html'>工具介绍</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/6.html'>火墙技术</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/8.html'>入侵检测</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/9.html'>破解专题</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/11.html'>焦点公告</a><br><img src='../../images/folder_icon.gif' border='0'> <a href='../../articles/12.html'>焦点峰会</a><br>
</div>
</div>
</div>
</div>
<div class="box">
<h5> 文章推荐 </h5>
<div class="body">
<div class="content odd">
<img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200408/733.html'>补丁管理最佳安全实践之资产评估</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200404/689.html'>国内网络安全风险评估市场与技术操作</a><br><img src='../../images/document_icon.gif' border='0'> <a href='../../articles/200410/743.html'>协作的信息系统风险评估</a><br>
</div>
</div>
</div>
</td>
<td class="main">
<h1>Windows Xp Sp2溢出保护</h1><br>创建时间:2004-12-17 更新时间:2004-12-20<br>文章属性:原创<br>文章来源:<a href='http://www.xfocus.net' target='_blank'>http://www.xfocus.net</a><br>文章提交:<a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=54615'>funnywei</a> (funnywei_at_163.com)<br><br>Windows Xp Sp2对于溢出保护<br />
funnywei & jerry<br />
<br />
我们知道在我们对溢出漏洞进行exp的时候,经常要利用全局性的指针,利用异常处理。那么XP的sp2对此作了处理。使得我们无法运用以前的技巧来完成我们的工作。例如,对全局性的指针都作了编码处理。<br />
<br />
那么具体来讲,本文主要谈到以下<br />
1、映射给PEB管理结构的起始地址做了随机处理。后面我们会看到这种随机是很弱的,但已经足够让exp无法完成或者说是稳定的工作。<br />
2、对TOP SEH的保护<br />
3、VEH链表指针_RtlpCalloutEntryList的保护<br />
4、堆块结构的cookie保护<br />
<br />
不涉及内容:<br />
1、如何绕过保护机制<br />
2、堆管理的细节,其实没有太大的变化<br />
<br />
主题开始:<br />
<br />
1、PEB的地址的随机<br />
<br />
xp系统下,创建进程使用的是_NtCreateProcessEx函数,而不是_NtCreateProcess函数。_NtCreateProcessEx主要调用_PspCreateProcess@36函数来完成进程的创建工作<br />
<br />
PAGE:004B4649 call _PspCreateProcess@36 ; PspCreateProcess(x,x,x,x,x,x,x,x,x)<br />
<br />
进程的创建主要包括设置EPROCESS,创建初始进程地址空间等。这里就不罗嗦了。PEB的设置通过调用_MmCreatePeb.<br />
<br />
<br />
PAGE:004B428E push eax<br />
PAGE:004B428F push ebx<br />
PAGE:004B4290 push dword ptr [ebp-60h]<br />
PAGE:004B4293 call _MmCreateProcessAddressSpace@12 ; MmCreateProcessAddressSpace(x,x,x)<br />
<br />
<br />
PAGE:004B43E5 lea eax, [ebx+1B0h]<br />
PAGE:004B43EB push eax<br />
PAGE:004B43EC lea eax, [ebp-40h]<br />
PAGE:004B43EF push eax<br />
PAGE:004B43F0 push ebx<br />
PAGE:004B43F1 call _MmCreatePeb@12 ; MmCreatePeb(x,x,x)<br />
<br />
而MmCreatePeb又主要通过调用_MiCreatePebOrTeb<br />
<br />
PAGE:004B4A61 ; __stdcall MmCreatePeb(x,x,x)<br />
PAGE:004B4A61 _MmCreatePeb@12 proc near ; CODE XREF: PspCreateProcess(x,x,x,x,x,x,x,x,x)+303p<br />
PAGE:004B4A61<br />
PAGE:004B4A61 ; FUNCTION CHUNK AT PAGE:005267FF SIZE 000000DC BYTES<br />
PAGE:004B4A61<br />
PAGE:004B4A61 push 3Ch<br />
PAGE:004B4A63 push offset dword_42DAA8<br />
PAGE:004B4A68 call __SEH_prolog<br />
PAGE:004B4A6D xor ebx, ebx<br />
PAGE:004B4A6F mov [ebp-20h], ebx<br />
PAGE:004B4A72 mov [ebp-4Ch], ebx<br />
PAGE:004B4A75 mov [ebp-48h], ebx<br />
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -