windbg时间穿梭——利用Time Travel Debugging更方便地调试漏洞
windbg时间穿梭——利用Time Travel Debugging更方便地调试漏洞
下面使用windbg是新版的windbg,叫windbg preview,需要在微软商店(Microsoft Store)中下载安装新版的windbg具有更现代的视觉效果,速度更快,更完善的脚本编写体验以及Time Travel Debugging 特性需要注意的是,Time Travel Debugging特
windbg时间穿梭——利用Time Travel Debugging更方便地调试漏洞
下面使用windbg是新版的windbg,叫windbg preview,需要在微软商店(Microsoft Store)中下载安装
新版的windbg具有更现代的视觉效果,速度更快,更完善的脚本编写体验以及Time Travel Debugging 特性
需要注意的是,Time Travel Debugging特性的开启需要以管理员权限运行,之后使用advanced打开并勾选对应的选项即可,最后配置一下记录的保存路径即可
当然你也可以attach到正在运行的程序,或者打开别人的trace file
有了Time Travel Debugging,你几乎可以像本地看电影一样,不断来回脱动进度条,而且这个还是本地化,免去了查漏洞软件,搭建环境,验证漏洞的烦恼,只需要拿到别人的TTD的记录文件即可,而且调试过程地址还不会变,爽不爽。
Time Travel Debugging 初探
我们随便一个windows程序,看看这个新特性
一开始载入没什么反应,以为出什么事了,原来是这个特性载入程序,速度太慢了
对于我们常用的p,t,g,假如想反向执行,只需在指令后面加个”-“号
代码语言:javascript代码运行次数:0运行复制0:000> p
Time Travel Position: 6:F
**** WARIG loaded *kernel* extension dll for usermode
eax=559b1944 ebx=02bfe000 ecx=00000001 edx=0099b720 esi=00991100 edi=00991100
eip=00992158 esp=0098f9c0 ebp=0098f9dc iopl=0 nv up ei pl nz na po nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000202
learnCFG!main+0x8:
00992158 b8cccccccc mov eax,0CCCCCCCCh
0:000> p
Time Travel Position: 6:40
**** WARIG loaded *kernel* extension dll for usermode
eax=cccccccc ebx=02bfe000 ecx=00000001 edx=0099b720 esi=00991100 edi=00991100
eip=0099215d esp=0098f9c0 ebp=0098f9dc iopl=0 nv up ei pl nz na po nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000202
learnCFG!main+0xd:
0099215d 8945ec mov dword ptr [ebp-14h],eax ss:002b:0098f9c8=0098f9d4
0:000> p-
Time Travel Position: 6:F
**** WARIG loaded *kernel* extension dll for usermode
eax=559b1944 ebx=02bfe000 ecx=00000001 edx=0099b720 esi=00991100 edi=00991100
eip=00992158 esp=0098f9c0 ebp=0098f9dc iopl=0 nv up ei pl nz na po nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000202
learnCFG!main+0x8:
00992158 b8cccccccc mov eax,0CCCCCCCCh可以看到,假如我们一步小心,执行过了,还可以回退,可以回到当初的状态看看寄存器,内存,这是相当好的东西,有后悔药吃了。
有时候我们执行过了头,想要跟进去那个函数,也是可以回头进去的
代码语言:javascript代码运行次数:0运行复制eax=12fd94d0 ebx=02bfe000 ecx=00991a0 edx=00000000 esi=0098f9c0 edi=0098f9bc
eip=009921d1 esp=0098f9bc ebp=0098f9dc iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
learnCFG!main+0x81:
009921d1 ff1500e09900 call dword ptr [learnCFG!__guard_check_icall_fptr (0099e000)] ds:002b:0099e000={ntdll!LdrpValidateUserCallTarget (77408be0)}
0:000> p
Time Travel Position: 67:85
**** WARIG loaded *kernel* extension dll for usermode
eax=0012274 ebx=02bfe000 ecx=00991a0 edx=10100444 esi=0098f9c0 edi=0098f9bc
eip=009921d7 esp=0098f9bc ebp=0098f9dc iopl=0 nv up ei pl zr na pe cy
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000247
learnCFG!main+0x87:
009921d7 bfc cmp edi,esp
0:000> p-
Time Travel Position: 67:79
**** WARIG loaded *kernel* extension dll for usermode
eax=12fd94d0 ebx=02bfe000 ecx=00991a0 edx=00000000 esi=0098f9c0 edi=0098f9bc
eip=009921d1 esp=0098f9bc ebp=0098f9dc iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
learnCFG!main+0x81:
009921d1 ff1500e09900 call dword ptr [learnCFG!__guard_check_icall_fptr (0099e000)] ds:002b:0099e000={ntdll!LdrpValidateUserCallTarget (77408be0)}
0:000> t
Time Travel Position: 67:7D
**** WARIG loaded *kernel* extension dll for usermode
eax=0000991 ebx=02bfe000 ecx=00991a0 edx=009b0000 esi=0098f9c0 edi=0098f9bc
eip=77408beb esp=0098f9b8 ebp=0098f9dc iopl=0 nv up ei pl nz na po cy
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=0000020
ntdll!LdrpValidateUserCallTargetBitMapCheck:
77408beb 8b1482 mov edx,dword ptr [edx+eax*4] ds:002b:009d644c=10100444我们看看记录的目录,共有三个文件,.run是trace文件,idx是索引文件,索引文件可以让我们更快地访问跟踪信息。假如我们只有.run文件,也是可以的,当WinDbg Preview打开跟踪文件(.run)时,索引文件也会自动创建。
利用别人的跟踪文件调试
这是参考文章的作者给的文件,一个.run文件就592M了,但是可以免除搭建环境,1个G甚至8个G我都能接受
这个漏洞是Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream(CVE-2019-8044),POC可以在下面下载
我就不下载POC复现了,直接用作者的跟踪文件分析,载入run文件后,直接g,触发崩溃
代码语言:javascript代码运行次数:0运行复制Time Travel Position: 224FB2:1
eax=000d0004 ebx=00000000 ecx=ffffd8f0 edx=770d20 esi=0000a98 edi=00000000
eip=67ce7001 esp=010cc25c ebp=010cc2a8 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
67ce7001 0970ce or dword ptr [eax-2h],esi ds:002b:000cffd2=????????
0:001> kv
# ChildEBP RetAddr Args to Child
WARIG: Frame IP not in any known module. Following frames may be wrong.
00 010cc258 770bdc2c 770ffa22 000006d4 00000000 0x67ce7001
01 010cc25c 770ffa22 000006d4 00000000 010cc290 ntdll!tWaitForSingleObject+0xc (FPO: [,0,0])
02 010cc2a8 770ff802 010cce6c 00000568 00000000 ntdll!WaitForWerSvc+0x77 (FPO: [on-Fpo])
0 010cc8 770fed66 00000000 000002dc 00000000 ntdll!SendMessageToWERService+0x5d (FPO: [on-Fpo])
04 010cce28 770ffb1 010cd25c 00000004 00000000 ntdll!ReportExceptionInternal+0xde (FPO: [4,695,4])
05 010cd288 770fee0a 00000000 00000000 00000000 ntdll!RtlReportExceptionHelper+0x29d (FPO: [on-Fpo])
06 010cd2ac 77129865 010cd424 010cd474 00000000 ntdll!RtlReportException+0x6a (FPO: [,,4])
07 010cd2bc 770c20b0 010cd964 00000001 fffffffe ntdll!RtlReportCriticalFailure+0xad (FPO: [SEH])
08 010cd2d0 770c19c0 00000000 00000000 00000000 ntdll!_EH4_CallFilterFunc+0x12 (FPO: [Uses EBP] [0,0,4])
09 010cd2fc 770c5e00 77162d4 770bfbd0 010cd424 ntdll!_except_handler4_common+0x80 (FPO: [on-Fpo])
0a 010cd1c 770d2b2 010cd424 010cd954 010cd474 ntdll!_except_handler4+0x20 (FPO: [on-Fpo])
0b 010cd40 770d284 010cd424 010cd954 010cd474 ntdll!ExecuteHandler2+0x26
0c 010cd40c 770bff1f 010cd424 010cd474 010cd424 ntdll!ExecuteHandler+0x24
0d 010cd964 00000000 00000001 00000002 7712b76 ntdll!KiUserExceptionDispatcher+0xf (FPO: [2,0,0]) (COTEXT @ ffffffff)可以看到这里面看不到什么有用的东西,都是windows的异常处理函数相关的,而且我们通过信息已经知道这个漏洞是double free了,可能是free的时候崩溃的,我们需要向上回溯
通过不断点击step out back,或者命令g-u去不断返回,但是我们到ntdll!KiUserExceptionDispatcher+0xf的时候再返回,就变成载入时的状态,所以到这一步我们应该点击step over back,或者命令p-,多step over back几次即可
最终可以执行下面命令回到真正触发崩溃的地方
代码语言:javascript代码运行次数:0运行复制g-u;g-u;g-u;g-u;g-u;g-u;g-u;g-u;g-u;g-u;g-u;g-u;g-u;p-;p-;p-;p-;p-;p-;再看下此时的栈,是MSVCR120!free之后调用ntdll!RtlFreeHeap失败,最终进入ntdll!RtlpLogHeapFailure处理
代码语言:javascript代码运行次数:0运行复制0:001> kb
# ChildEBP RetAddr Args to Child
WARIG: Frame IP not in any known module. Following frames may be wrong.
00 010cd5e0 770bf1c 770d2595 010cd8f8 010cd5f8 0x67ce7000
01 010cd5e4 770d2595 010cd8f8 010cd5f8 00000001 ntdll!tRaiseException+0xc
02 010cd8c8 77129841 010cd8f8 a9cf7ad 1fb1c848 ntdll!RtlRaiseException+0x5
0 010cd964 7712cfe2 00000001 00000002 7712b76 ntdll!RtlReportCriticalFailure+0x89
04 010cd970 7712b76 01670000 00000002 010cd9b0 ntdll!RtlpReportHeapFailure+0x2
05 010cd980 770d16cf a9cf779 01670000 1fb1c848 ntdll!RtlpHeapHandleError+0x1c
06 010cd9b0 770e2be 1fb1c848 00000000 00000000 ntdll!RtlpLogHeapFailure+0x9f
07 010cd9e4 6b1becfa 01670000 00000000 1fb1c850 ntdll!RtlFreeHeap+0x4abce
08 010cd9f8 6a18b2a7 1fb1c850 27726dc 010cdb5c MSVCR120!free+0x1a [f:\dd\vctools\crt\crtw2\heap\ @ 51]
09 010cdb0c 6a17bc96 010cdb7c 00000001 00000b20 AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c8
0a 010cdcd4 6a179c26 00000000 00000000 00000000 AcroRd2!CTJPEGTiledContentWriter::operator=+0x672
0b 010cdd08 6a1710 1ff1e00 074eaf44 074eaf60 AcroRd2!CTJPEGTiledContentWriter::operator=+0x1602
0c 010cdd1c 6a1654a7 1ff1e00 0000f8 0767cd8 AcroRd2!AX_PDXlateToHostEx+0x271448
0d 010cddc4 69c7c595 074eaf44 00000001 07848e0 AcroRd2!AX_PDXlateToHostEx+0x2658bc
0e 010cdde0 69c7c4a9 20a54028 00000001 001d690 AcroRd2!CTJPEGWriter::CTJPEGWriter+0x22d4d
0f 010cde00 69c119d7 010cde20 20a54028 001d690 AcroRd2!CTJPEGWriter::CTJPEGWriter+0x22c61
10 010cde28 69c1198d 20a54028 00000001 001d690 AcroRd2!AcroWinBrowserMain+0x19eb
11 010cdec 69cb0c16 20a54028 00000001 001d690 AcroRd2!AcroWinBrowserMain+0x19e69
12 010cde54 69d8d21a 20a54028 00000001 001d690 AcroRd2!CTJPEGWriter::CTJPEGWriter+0x57ce
1 010cdea8 6a0ee98 00000000 00000e44 076a1e54 AcroRd2!CTJPEGDecoderHasMoreTiles+0xf4a
14 010cdf20 69ff0017 010cdf40 010cdf50 27722b4 AcroRd2!AX_PDXlateToHostEx+0x1ee7ad
15 010cdf64 6b6999 07557880 010cdf88 26c94051 AcroRd2!AX_PDXlateToHostEx+0xf042c
16 010ce010 6b5f6028 075578d8 010ce024 00000000 AGM!AGMGetVersion+0x1426
17 010ce028 6b2fb9af 010ce0cc 26c97f11 00112015 AGM!AGMGetVersion+0x2a0952
18 00000000 00000000 00000000 00000000 00000000 AGM!AGMInitialize+0x15我们看看什么导致checkfail了
代码语言:javascript代码运行次数:0运行复制Time Travel Position: 222B02:6F
eax=6aefb4c ebx=1fb1c850 ecx=00000008 edx=01670000 esi=1fb1c848 edi=01670000
eip=770e2b9 esp=010cd9b8 ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x4abc9:
770e2b9 e872f2feff call ntdll!RtlpLogHeapFailure (770d160)
0:001> t-
Time Travel Position: 222B02:6E
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=01670000 esi=1fb1c848 edi=01670000
eip=770e2b4 esp=010cd9b8 ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x4abc4:
770e2b4 b908000000 mov ecx,8
0:001> t-
Time Travel Position: 222B02:6D
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000
eip=770e2b2 esp=010cd9b8 ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x4abc2:
770e2b2 8bd7 mov edx,edi
0:001> t-
Time Travel Position: 222B02:6C
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000
eip=770e2b1 esp=010cd9bc ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x4abc1:
770e2b1 56 push esi
0:001> t-
Time Travel Position: 222B02:6B
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000
eip=770e2af esp=010cd9c0 ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x4abbf:
770e2af 6a00 push 0
0:001> t-
Time Travel Position: 222B02:6A
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000
eip=770e2ad esp=010cd9c4 ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x4abbd:
770e2ad 6a00 push 0
0:001> t-
Time Travel Position: 222B02:69
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000
eip=770e2ab esp=010cd9c8 ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x4abbb:
770e2ab 6a00 push 0
0:001> t-
Time Travel Position: 222B02:68
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000
eip=77097855 esp=010cd9c8 ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlFreeHeap+0x65:
77097855 0f8450ab0400 je ntdll!RtlFreeHeap+0x4abbb (770e2ab) [br=1]
0:001> t-
Time Travel Position: 222B02:67
**** WARIG loaded *kernel* extension dll for usermode
eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000
eip=77097851 esp=010cd9c8 ebp=010cd9e4 iopl=0 ov up ei pl nz ac pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000a16
ntdll!RtlFreeHeap+0x61:
77097851 f64607f test byte ptr [esi+7],Fh ds:002b:1fb1c84f=80原来是这个77097851 f64607f test byte ptr [esi+7],Fh ds:002b:1fb1c84f=80
这个地址肯定被改写了才导致检查是吧,所以我们可以对这个地址下一个写入断点,之后往回走,g-就行,实在太方便了
代码语言:javascript代码运行次数:0运行复制ba w1 1fb1c84f
g-由于这个断下来会停在写入的下一个指令,所以还要p-一下
代码语言:javascript代码运行次数:0运行复制0:001> p-
Time Travel Position: 222B02:B
**** WARIG loaded *kernel* extension dll for usermode
eax=017022d ebx=1fb1c848 ecx=817022d edx=017022d esi=017022d edi=078410c0
eip=7709795 esp=010cd990 ebp=010cd9bc iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
ntdll!RtlpLowFragHeapFree+0x9:
7709795 c640780 mov byte ptr [ebx+7],80h ds:002b:1fb1c84f=88这时再看一下栈,可以看到MSVCR120!free(void * pBlock = 0x1fb1c850)+0x1a,是free(0x1fb1c850)后导致的写入,而且这个栈跟上面的有所区别,所以这应该是第一次free,写入了0x80后,导致第二次free失败了。
0:001> kp
# ChildEBP RetAddr
00 010cd9bc 7709787d ntdll!RtlpLowFragHeapFree+0x9
01 010cd9e4 6b1becfa ntdll!RtlFreeHeap+0x8d
02 010cd9f8 6a18b296 MSVCR120!free(void * pBlock = 0x1fb1c850)+0x1a [f:\dd\vctools\crt\crtw2\heap\ @ 51]
WARIG: Stack unwind information not available. Following frames may be wrong.
0 010cdb0c 6a17bc96 AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c72
04 010cdcd4 6a179c26 AcroRd2!CTJPEGTiledContentWriter::operator=+0x672
05 010cdd08 6a1710 AcroRd2!CTJPEGTiledContentWriter::operator=+0x1602
06 010cdd1c 6a1654a7 AcroRd2!AX_PDXlateToHostEx+0x271448
07 010cddc4 69c7c595 AcroRd2!AX_PDXlateToHostEx+0x2658bc
08 010cdde0 69c7c4a9 AcroRd2!CTJPEGWriter::CTJPEGWriter+0x22d4d
09 010cde00 69c119d7 AcroRd2!CTJPEGWriter::CTJPEGWriter+0x22c61
0a 010cde28 69c1198d AcroRd2!AcroWinBrowserMain+0x19eb
0b 010cdec 69cb0c16 AcroRd2!AcroWinBrowserMain+0x19e69
0c 010cde54 69d8d21a AcroRd2!CTJPEGWriter::CTJPEGWriter+0x57ce
0d 010cdea8 6a0ee98 AcroRd2!CTJPEGDecoderHasMoreTiles+0xf4a
0e 010cdf20 69ff0017 AcroRd2!AX_PDXlateToHostEx+0x1ee7ad
0f 010cdf64 6b6999 AcroRd2!AX_PDXlateToHostEx+0xf042c
10 010ce010 6b5f6028 AGM!AGMGetVersion+0x1426
11 010ce028 6b2fb9af AGM!AGMGetVersion+0x2a0952
12 00000000 00000000 AGM!AGMInitialize+0x15参考文章的作者还给出了TTD的一个牛逼的命令,可以看到MSVCR120!malloc什么时候返回0x1fb1c850 注:下面中括号的四个可能会变
代码语言:javascript代码运行次数:0运行复制0:001> dx -r1 @$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)
@$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)
[0x21fe]
[0x991b]
[0xc926]
[0xe405]之后可以在后面加个中括号去访问对应的那个状态,可以看到他的时间点去判断是在free之前malloc的还是之后(下面的TimeStart)
代码语言:javascript代码运行次数:0运行复制0:001> dx -r1 @$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[0x21fe]
@$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[0x21fe]
EventType : 0x0
ThreadId : 0x146c
UniqueThreadId : 0x8
TimeStart : 20FB5D:162 [Translate Position]
SystemTimeStart : Unexpected failure to dereference object
TimeEnd : 20FB5E:90 [Translate Position]
SystemTimeEnd : Unexpected failure to dereference object
Function : MSVCR120!malloc
FunctionAddress : 0x6b1bed0
ReturnAddress : 0x69bf042
ReturnValue : 0x1fb1c850 [Type: void *]
Parameters或者直接点击那是个中括号的值(点击的话中括号的会变成十进制的)
代码语言:javascript代码运行次数:0运行复制0:001> dx -r1 @$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[14870]
@$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[14870]
EventType : 0x0
ThreadId : 0x146c
UniqueThreadId : 0x8
TimeStart : 20FB5D:162 [Translate Position]
SystemTimeStart : Unexpected failure to dereference object
TimeEnd : 20FB5E:90 [Translate Position]
SystemTimeEnd : Unexpected failure to dereference object
Function : MSVCR120!malloc
FunctionAddress : 0x6b1bed0
ReturnAddress : 0x69bf042
ReturnValue : 0x1fb1c850 [Type: void *]
Parameters
0:001> dx -r1 @$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[2580]
@$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[2580]
EventType : 0x0
ThreadId : 0x1a0
UniqueThreadId : 0x
TimeStart : 1EA482:1C1 [Translate Position]
SystemTimeStart : Unexpected failure to dereference object
TimeEnd : 1EA48:90 [Translate Position]
SystemTimeEnd : Unexpected failure to dereference object
Function : MSVCR120!malloc
FunctionAddress : 0x6b1bed0
ReturnAddress : 0x68b49911
ReturnValue : 0x1fb1c850 [Type: void *]
Parameters
0:001> dx -r1 @$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[248102]
@$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[248102]
EventType : 0x0
ThreadId : 0x1a0
UniqueThreadId : 0x
TimeStart : 1F94B:D6 [Translate Position]
SystemTimeStart : Unexpected failure to dereference object
TimeEnd : 1F94B4:90 [Translate Position]
SystemTimeEnd : Unexpected failure to dereference object
Function : MSVCR120!malloc
FunctionAddress : 0x6b1bed0
ReturnAddress : 0x68b49911
ReturnValue : 0x1fb1c850 [Type: void *]
Parameters
0:001> dx -r1 @$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[254981]
@$cursession.TTD.Calls("MSVCR120!malloc").Where(c => c.ReturnValue == (void *)0x1fb1c850)[254981]
EventType : 0x0
ThreadId : 0x1a0
UniqueThreadId : 0x
TimeStart : 2201C5:62 [Translate Position]
SystemTimeStart : Unexpected failure to dereference object
TimeEnd : 2201C6:90 [Translate Position]
SystemTimeEnd : Unexpected failure to dereference object
Function : MSVCR120!malloc
FunctionAddress : 0x6b1bed0
ReturnAddress : 0x6a17cd10
ReturnValue : 0x1fb1c850 [Type: void *]
Parameters写入0x80的时间是Time Travel Position: 222B02:B(第一次free),所以malloc应该在他前面且最近的一次
上面四个分别是下面的,所以最近的应该是最后一个
代码语言:javascript代码运行次数:0运行复制TimeStart : 20FB5D:162 [Translate Position]
TimeStart : 1EA482:1C1 [Translate Position]
TimeStart : 1F94B:D6 [Translate Position]
TimeStart : 2201C5:62 [Translate Positio跟参考文章作者得出的一样,只不过那个中括号的排序可能有所差异
感觉这样还没有条件记录断点方便,但是还是挺清晰的
跟踪free
到上面写入0x80这,我们已经在第一次free的里面了
向上回溯,到第一次调用free的地方(AcroRd2!AcroWinBrowserMain+0x259里面会调用MSVCR120!free)
代码语言:javascript代码运行次数:0运行复制0:001> p-
Time Travel Position: 222B01:4
**** WARIG loaded *kernel* extension dll for usermode
eax=1fb1c850 ebx=00000000 ecx=1fb1c7f0 edx=00000000 esi=1fb1c400 edi=00000000
eip=6a18b291 esp=010cda00 ebp=010cdb0c iopl=0 nv up ei pl nz na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000206
AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c6d:
6a18b291 e821eea6ff call AcroRd2!AcroWinBrowserMain+0x259 (69bfa0b7)而我们看看现在代码上下,发现两次调用了AcroRd2!AcroWinBrowserMain+0x259
6a18b286 8b8568ffffff mov eax, dword ptr [ebp-98h]
6a18b28c 85c0 test eax, eax
6a18b28e 7407 je AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c7 (6a18b297)
6a18b290 50 push eax
6a18b291 e821eea6ff call AcroRd2!AcroWinBrowserMain+0x259 (69bfa0b7)
6a18b296 59 pop ecx
6a18b297 8b8570ffffff mov eax, dword ptr [ebp-90h]
6a18b29d 85c0 test eax, eax
6a18b29f 7407 je AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c84 (6a18b2a8)
6a18b2a1 50 push eax
6a18b2a2 e810eea6ff call AcroRd2!AcroWinBrowserMain+0x259 (69bfa0b7)我们向下执行(记得将写入断点禁用),看看是不是
代码语言:javascript代码运行次数:0运行复制6a18b286 8b8568ffffff mov eax, dword ptr [ebp-98h]
6a18b28c 85c0 test eax, eax
6a18b28e 7407 je AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c7 (6a18b297)
6a18b290 50 push eax
6a18b291 e821eea6ff call AcroRd2!AcroWinBrowserMain+0x259 (69bfa0b7)
6a18b296 59 pop ecx
6a18b297 8b8570ffffff mov eax, dword ptr [ebp-90h] ss:002b:010cda7c=1fb1c850
6a18b29d 85c0 test eax, eax
6a18b29f 7407 je AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c84 (6a18b2a8)
6a18b2a1 50 push eax
6a18b2a2 e810eea6ff call AcroRd2!AcroWinBrowserMain+0x259 (69bfa0b7)可以看到[ebp-90h]里面存的还是1fb1c850,那就明显free了两次了
看下内存更清晰
代码语言:javascript代码运行次数:0运行复制0:001> dd ebp-98 l4
010cda74 1fb1c850 00000000 1fb1c850 00000018
0:001> dd ebp-90 l4
010cda7c 1fb1c850 00000018 00000000 00000000最终在第二个 call AcroRd2!AcroWinBrowserMain+0x259 (69bfa0b7) 里面崩溃,确实free两次了
0:001> p
Time Travel Position: 222B02:A
**** WARIG loaded *kernel* extension dll for usermode
eax=1fb1c850 ebx=00000000 ecx=1fb1c850 edx=00000000 esi=1fb1c400 edi=00000000
eip=6a18b2a2 esp=010cda00 ebp=010cdb0c iopl=0 nv up ei pl nz na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000206
AcroRd2!CTJPEGTiledContentWriter::operator=+0x12c7e:
6a18b2a2 e810eea6ff call AcroRd2!AcroWinBrowserMain+0x259 (69bfa0b7)
0:001> p
(2dc.1a0): Unknown exception - code c000074 (first/second chance not available)
**** WARIG loaded *kernel* extension dll for usermode
TTD: End of trace reached.
(2dc.1a0): Break instruction exception - code 8000000 (first/second chance not available)
**** WARIG loaded *kernel* extension dll for usermode
Time Travel Position: 224FB2:1
eax=000d0004 ebx=00000000 ecx=ffffd8f0 edx=770d20 esi=0000a98 edi=00000000
eip=67ce7001 esp=010cc25c ebp=010cc2a8 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
67ce7001 0970ce or dword ptr [eax-2h],esi ds:002b:000cffd2=????????那么这个[ebp-98h]和[ebp-90h]从哪里来的呢,由于这个是4字节的,我下一个4字节的写入断点
代码语言:javascript代码运行次数:0运行复制0:001> ba w4 010cda74
0:001> ba w4 010cda7c
0:001> g-
Breakpoint 4 hit
**** WARIG loaded *kernel* extension dll for usermode
Time Travel Position: 222B00:1AD
eax=1fb1c850 ebx=00000000 ecx=016afde0 edx=0000000 esi=1fb1c700 edi=00000000
eip=6a18ac78 esp=010cda04 ebp=010cdb0c iopl=0 nv up ei pl nz ac po nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000212
AcroRd2!CTJPEGTiledContentWriter::operator=+0x12654:
6a18ac78 8d45a8 lea eax,[ebp-58h]
0:001> p-
Time Travel Position: 222B00:1AD2
**** WARIG loaded *kernel* extension dll for usermode
eax=1fb1c850 ebx=00000000 ecx=016afde0 edx=0000000 esi=1fb1c700 edi=00000000
eip=6a18ac72 esp=010cda04 ebp=010cdb0c iopl=0 nv up ei pl nz ac po nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000212
AcroRd2!CTJPEGTiledContentWriter::operator=+0x1264e:
6a18ac72 898570ffffff mov dword ptr [ebp-90h],eax ss:002b:010cda7c=0000077f
0:001> g-
Breakpoint hit
**** WARIG loaded *kernel* extension dll for usermode
Time Travel Position: 222B00:1AA4
eax=1fb1c850 ebx=00000000 ecx=016afde0 edx=0000000 esi=1fb1c700 edi=00000000
eip=6a18ac5f esp=010cd9cc ebp=010cdb0c iopl=0 nv up ei ng nz na pe cy
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000287
AcroRd2!CTJPEGTiledContentWriter::operator=+0x126b:
6a18ac5f 6a0f push 0Fh
0:001> p-
Time Travel Position: 222B00:1AA
**** WARIG loaded *kernel* extension dll for usermode
eax=1fb1c850 ebx=00000000 ecx=016afde0 edx=0000000 esi=1fb1c700 edi=00000000
eip=6a18ac59 esp=010cd9cc ebp=010cdb0c iopl=0 nv up ei ng nz na pe cy
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000287
AcroRd2!CTJPEGTiledContentWriter::operator=+0x1265:
6a18ac59 898568ffffff mov dword ptr [ebp-98h],eax ss:002b:010cda74=1ff69498这两个代码很接近,我们看看上下文
代码语言:javascript代码运行次数:0运行复制6a18acf 56 push esi
6a18ac40 5 push ebx
6a18ac41 6a0f push 0Fh
6a18ac4 89855cffffff mov dword ptr [ebp-0A4h], eax
6a18ac49 8d45a8 lea eax, [ebp-58h]
6a18ac4c 6a0e push 0Eh
6a18ac4e 50 push eax
6a18ac4f ff75e4 push dword ptr [ebp-1Ch]
6a18ac52 e88e060000 call AcroRd2!CTJPEGTiledContentWriter::operator=+0x12cc1 (6a18b2e5)
6a18ac57 56 push esi
6a18ac58 5 push ebx
6a18ac59 898568ffffff mov dword ptr [ebp-98h], eax ss:002b:010cda74=1ff69498
6a18ac5f 6a0f push 0Fh
6a18ac61 6a0e push 0Eh
6a18ac6 8d45a8 lea eax, [ebp-58h]
6a18ac66 50 push eax
6a18ac67 ff75e5 push dword ptr [ebp-1Bh]
6a18ac6a e876060000 call AcroRd2!CTJPEGTiledContentWriter::operator=+0x12cc1 (6a18b2e5)
6a18ac6f 8c448 add esp, 48h
6a18ac72 898570ffffff mov dword ptr [ebp-90h], eax这个函数其实是GetMemoryBlock函数
代码语言:javascript代码运行次数:0运行复制undefined4
GetMemoryBlock(undefined4 memory_block_type,int *param_2,byte offsetVal1,byte offsetVal2,
undefined4 offsetVal,int param_6)
{
undefined4 retVal;
int memory_block_base;
byte offset;
code *pcVar1;
if ((char)memory_block_type == '\x0') {
if ((param_2 == (int *)0x0) || (param_6 == 0)) {
exception:
CallThrowException(0x4000000,0);
memory_block_type = 0;
_CxxThrowException(&memory_block_type,0x7472e75c);
pcVar1 = (code *)swi();
retVal = (*pcVar1)();
return retVal;
}
*param_2 = *param_2 + 1;
retVal = RetrieveMemoryBlock(param_6,*param_2 + -1);
}
else {
offset = offsetVal1;
if (((char)memory_block_type != '\0') &&
(offset = offsetVal2, (char)memory_block_type != '\x01')) {
if ((char)memory_block_type != '\x02') goto exception;
offset = (byte)offsetVal;
}
if (offset == 0) goto exception;
memory_block_base = (*_TlsGetValueStub)(_dwTlsIndexForMemoryBlockBase);
retVal = *(undefined4 *)(memory_block_base + 0x20 + (uint)offset * 4);
}
return retVal;
}我们看看两次调用的6个参数
代码语言:javascript代码运行次数:0运行复制eax=010cdab4 ebx=00000000 ecx=1fb1c700 edx=0000000 esi=1fb1c700 edi=00000000
eip=6a18ac52 esp=010cd9d4 ebp=010cdb0c iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
AcroRd2!CTJPEGTiledContentWriter::operator=+0x1262e:
6a18ac52 e88e060000 call AcroRd2!CTJPEGTiledContentWriter::operator=+0x12cc1 (6a18b2e5)
0:001> dds esp l6
010cd9d4 01000000
010cd9d8 010cdab4
010cd9dc 0000000e
010cd9e0 0000000f
010cd9e4 00000000
010cd9e8 1fb1c700
eax=010cdab4 ebx=00000000 ecx=016afde0 edx=0000000 esi=1fb1c700 edi=00000000
eip=6a18ac6a esp=010cd9bc ebp=010cdb0c iopl=0 nv up ei ng nz na pe cy
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000287
AcroRd2!CTJPEGTiledContentWriter::operator=+0x12646:
6a18ac6a e876060000 call AcroRd2!CTJPEGTiledContentWriter::operator=+0x12cc1 (6a18b2e5)
0:001> dds esp l6
010cd9bc 00010000
010cd9c0 010cdab4
010cd9c4 0000000e
010cd9c8 0000000f
010cd9cc 00000000
010cd9d0 1fb1c700可以看到两次调用,只是第一个参数不一样,第一次是0x01000000,第二次是0x00010000,但是返回结果是一样的,而函数GetMemoryBlock里面是将memory_block_type强制转为char进行处理的,所以他们都是0x00,导致返回结果一样。
执行的是else部分代码
代码语言:javascript代码运行次数:0运行复制else {
offset = offsetVal1;
if (((char)memory_block_type != '\0') &&
(offset = offsetVal2, (char)memory_block_type != '\x01')) {
if ((char)memory_block_type != '\x02') goto exception;
offset = (byte)offsetVal;
}
if (offset == 0) goto exception;
memory_block_base = (*_TlsGetValueStub)(_dwTlsIndexForMemoryBlockBase);
retVal = *(undefined4 *)(memory_block_base + 0x20 + (uint)offset * 4);
}最终offset = offsetVal1 = 0x0000000e
而retVal = *(memory_block_base + 0x20 + (uint)offset * 4 = 0x016afde0 + 0x20 + 0x0000000e * 4) = *(0x16afe8)
我们看看这个地址的值,的确是0x1fb1c850
代码语言:javascript代码运行次数:0运行复制0:001> dd 0x16afe8 l1
016afe8 1fb1c850跟踪0x00010000来源
代码语言:javascript代码运行次数:0运行复制eax=010cdab4 ebx=00000000 ecx=016afde0 edx=0000000 esi=1fb1c700 edi=00000000
eip=6a18ac67 esp=010cd9c0 ebp=010cdb0c iopl=0 nv up ei ng nz na pe cy
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000287
AcroRd2!CTJPEGTiledContentWriter::operator=+0x1264:
6a18ac67 ff75e5 push dword ptr [ebp-1Bh] ss:002b:010cdaf1=00010000对 [ebp-1Bh]下吸入断点
代码语言:javascript代码运行次数:0运行复制0:001> ba w1 010cdaf1
0:001> g-
Breakpoint 5 hit
**** WARIG loaded *kernel* extension dll for usermode
Time Travel Position: 222B00:19AE
eax=00000000 ebx=1fbad818 ecx=00000002 edx=010cdb7c esi=010cdb54 edi=010cdaf4
eip=6a18ab57 esp=010cda04 ebp=010cdb0c iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
AcroRd2!CTJPEGTiledContentWriter::operator=+0x125:
6a18ab57 fa5 rep movs dword ptr es:[edi],dword ptr [esi]这里是010cdb54指向的值吸入010cdaf4,那么010cdaf1就来源于010cdb51,看了下确实是0x00010000
代码语言:javascript代码运行次数:0运行复制0:001> dd 010cdb51 l1
010cdb51 00010000继续不断下硬件写入断点,跟踪010cdb51,来源于0x010cdbd1,
代码语言:javascript代码运行次数:0运行复制0:001> ba w1 010cdb51
0:001> g-
Breakpoint 6 hit
**** WARIG loaded *kernel* extension dll for usermode
Time Travel Position: 222B00:197C
eax=010cdb7c ebx=1fbad818 ecx=00000002 edx=0000000 esi=010cdbd4 edi=010cdb54
eip=6a17bc8e esp=010cdb18 ebp=010cdcd4 iopl=0 nv up ei pl nz na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000206
AcroRd2!CTJPEGTiledContentWriter::operator=+0x66a:
6a17bc8e fa5 rep movs dword ptr es:[edi],dword ptr [esi]
0:001> ba w1 010cdbd1
0:001> g-
Breakpoint 7 hit
**** WARIG loaded *kernel* extension dll for usermode
Time Travel Position: 222AAF:140
eax=1fb1c700 ebx=1fbad818 ecx=00000502 edx=00000666 esi=0000000f edi=00000001
eip=6a17b868 esp=010cdb6c ebp=010cdcd4 iopl=0 nv up ei pl nz na po nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000202
AcroRd2!CTJPEGTiledContentWriter::operator=+0x244:
6a17b868 8a47e mov al,byte ptr [ebx+7Eh] ds:002b:1fbad896=00这个往上看看,写入的00来源于0x1fbad895
代码语言:javascript代码运行次数:0运行复制6a17b85f 8a47d mov al, byte ptr [ebx+7Dh] ds:002b:1fbad895=00
6a17b862 8885fdfeffff mov byte ptr [ebp-10h], al
6a17b868 8a47e mov al, byte ptr [ebx+7Eh]后面有两个字节来源于别处,而且都是0
代码语言:javascript代码运行次数:0运行复制a17b86b 8885fefeffff mov byte ptr [ebp-102h], al
6a17b871 668b880000000 mov ax, word ptr [ebx+80h]
6a17b878 89958ffffff mov dword ptr [ebp-0C8h], edx
6a17b87e 8995d8feffff mov dword ptr [ebp-128h], edx
6a17b884 66898500ffffff mov word ptr [ebp-100h], ax只有ebp-101没被修改,而这里本来就是01了
代码语言:javascript代码运行次数:0运行复制0:001> db ebp-101 l1
010cdbd 01而我们关注的是最低字节,继续看看1fbad895的写入
代码语言:javascript代码运行次数:0运行复制0:001> ba w1 1fbad895
0:001> g-
Breakpoint 8 hit
**** WARIG loaded *kernel* extension dll for usermode
Time Travel Position: 222AAB:7F5
eax=00000000 ebx=0000000 ecx=000000ff edx=076beae esi=1fbad818 edi=1fb900
eip=6a17be59 esp=010cdb60 ebp=010cdcd4 iopl=0 nv up ei pl zr na pe nc
cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246
AcroRd2!CTJPEGTiledContentWriter::operator=+0x85:
6a17be59 8bc1 mov eax,ecx向上看
代码语言:javascript代码运行次数:0运行复制6a17be18 e809d5ffff call AcroRd2!CTJPEGTiledContentWriter::operator=+0xd02 (6a17926)
6a17be1d 0fb7c8 movzx ecx, ax
---------------------------------------- 下面的中间的代码可以忽略了,就是上面call返回值给到ecx
6a17be20 8ac1 mov al, cl
6a17be22 22c and al, bl
6a17be24 884678 mov byte ptr [esi+78h], al
6a17be27 8ac1 mov al, cl
6a17be29 c0e802 shr al, 2
6a17be2c 22c and al, bl
6a17be2e 884679 mov byte ptr [esi+79h], al
6a17be1 8ac1 mov al, cl
6a17be c0e804 shr al, 4
6a17be6 22c and al, bl
6a17be8 88467a mov byte ptr [esi+7Ah], al
6a17beb 8ac1 mov al, cl
6a17bed c0e806 shr al, 6
6a17be40 22c and al, bl
6a17be42 88467b mov byte ptr [esi+7Bh], al
6a17be45 8bc1 mov eax, ecx
6a17be47 c1e808 shr eax, 8
6a17be4a 22c and al, bl
6a17be4c 88467c mov byte ptr [esi+7Ch], al
----------------------------------------ecx给到eax做些运算写入1fbad895
6a17be4f 8bc1 mov eax, ecx
6a17be51 c1e80a shr eax, 0Ah
6a17be54 22c and al, bl
6a17be56 88467d mov byte ptr [esi+7Dh], al
6a17be59 8bc1 mov eax, ecx上面说明分析看出来源于call AcroRd2!CTJPEGTiledContentWriter::operator=+0xd02 (6a17926)的返回值,跟进去看看,分析可以看出实际来源于0x076beac
6a17958 0fb608 movzx ecx, byte ptr [eax] ds:002b:076beac=00
6a1795b 8d5001 lea edx, [eax+1]
6a1795e 8917 mov dword ptr [edi], edx
6a17960 8fe01 cmp esi, 1
6a1796 760f jbe AcroRd2!CTJPEGTiledContentWriter::operator=+0xd50 (6a17974)
6a17965 4e dec esi
6a17966 0fb602 movzx eax, byte ptr [edx] ;eax来源于edx,即上面6a1795b的[eax+1]
6a17969 c1e108 shl ecx, 8
6a1796c 0c8 add ecx, eax ;ecx来源于跟eax运算,ecx又来源于6a17958的[eax]
6a1796e 42 inc edx
6a1796f 8917 mov dword ptr [edi], edx
6a17971 4e dec esi
6a17972 75f2 jne AcroRd2!CTJPEGTiledContentWriter::operator=+0xd42 (6a17966)
6a17974 8bc1 mov eax, ecx ;eax来源于ecx
6a17976 eb0 jmp AcroRd2!CTJPEGTiledContentWriter::operator=+0xd57 (6a1797b) ;跳到6a1797b
----下面两行没执行
6a17978 6a0a push 0Ah
6a1797a 58 pop eax
6a1797b 5f pop edi
6a1797c 5e pop esi
6a1797d 5d pop ebp
6a1797e c20400 ret 4看看里面
代码语言:javascript代码运行次数:0运行复制0:001> db 076beac
076beac 00 ff 00 00 05 6 20 00-77 65 55 2 00 00 00 00 .....c .weU#....
076bebc 00 00 00 00 00 00 4 4e-70 9 0f 76 71 19 85 50 ......Cp9.vq..P
076becc 21 02 54 9e a2 4 da 0e-04 08 12 96 10 95 4a 64 !.T..C........Jd
076bedc a2 04 d0 4 4a e4 d0-be 9d 96 4d 66 b6 78 21 ...CJ.....Mf.x!
076beec f1 f5 90 24 d e 81 2c-e5 0 92 a9 44 ad ee 8a ...$=..,.0..D...
076befc 97 ff 07 48 4b 79 a1 7d-d 44 16 76 9e 4e 84 68 ...HKy.}=D.v..h
076bf0c 9a 06 5a cc 4 14 a6 68-69 c7 fd 1f fe ae 6 64 ..Z.4..hi.....cd
076bf1c 9 ef ff c2 02 45 e 20-db 4 0f f0 98 55 e8 12 .....E> .4...U..通过ba w1 076beac,发现0x076beac来源于0x0746ba24,之后就不知道0x0746ba24来源于什么的
而076beac我们也在poc中到了这段内容,那这就是从文件读取进来的了
最终再看这张图就很清晰了
总结
漏洞就是经过读取文件,计算,调用GetMemoryBlock,由于最低位都是00,导致获取的指针都指向同一个内存(文中的0x1fb1c850),而free的时候就free两次了。
TTD虽然优点很明显 1、可以无poc,无环境调试漏洞,可以团队协作共享 2、地址都是不变的 、能够”时间穿梭”
缺点 1、假如程序过大,跟踪文件可能很大,而且调试也是比较占用内存的 2、原始调试者的本地目录可能随着分享的跟踪文件而泄露
参考
.html .zip
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。 原始发表:2019-11-04,如有侵权请联系 cloudcommunity@tencent 删除timewindbg漏洞调试debugging#感谢您对电脑配置推荐网 - 最新i3 i5 i7组装电脑配置单推荐报价格的认可,转载请说明来源于"电脑配置推荐网 - 最新i3 i5 i7组装电脑配置单推荐报价格
上传时间: 2025-07-24 13:16:56
推荐阅读
| 留言与评论(共有 18 条评论) |
| 本站网友 如何减去腹部赘肉 | 30分钟前 发表 |
| 本站网友 东方威尼斯 | 16分钟前 发表 |
| 本站网友 俄塞俄比亚 | 16分钟前 发表 |
| 1fbad896=00这个往上看看 | |
| 本站网友 白骨精见了孙悟空 | 9分钟前 发表 |
| 6C **** WARIG loaded *kernel* extension dll for usermode eax=6aefb4c ebx=1fb1c850 ecx=1fb1c850 edx=00000000 esi=1fb1c848 edi=01670000 eip=770e2b1 esp=010cd9bc ebp=010cd9e4 iopl=0 nv up ei pl zr na pe nc cs=002 ss=002b ds=002b es=002b fs=005 gs=002b efl=00000246 ntdll!RtlFreeHeap+0x4abc1 | |
| 本站网友 天津117大厦 | 5分钟前 发表 |
| 那这就是从文件读取进来的了最终再看这张图就很清晰了总结漏洞就是经过读取文件 | |
| 本站网友 邮政储蓄业务 | 7分钟前 发表 |
| dword ptr [ebp-90h] ss | |
| 本站网友 云中人 | 22分钟前 发表 |
| 所以还要p-一下代码语言:javascript代码运行次数:0运行复制0 | |
| 本站网友 钓鱼执法 | 5分钟前 发表 |
| 还可以回退 | |
| 本站网友 瞌睡姐 | 27分钟前 发表 |
| 这是相当好的东西 | |
| 本站网友 三几片 | 16分钟前 发表 |
| \dd\vctools\crt\crtw2\heap\ @ 51] 09 010cdb0c 6a17bc96 010cdb7c 00000001 00000b20 AcroRd2!CTJPEGTiledContentWriter | |
| 本站网友 武汉设计 | 9分钟前 发表 |
| CTJPEGWriter+0x22d4d 0f 010cde00 69c119d7 010cde20 20a54028 001d690 AcroRd2!CTJPEGWriter | |
| 本站网友 豆捞坊官网 | 30分钟前 发表 |
| 1EA48 | |
| 本站网友 绿地泾南公寓 | 20分钟前 发表 |
| 001> ba w4 010cda74 0 | |
| 本站网友 日式家居装修 | 16分钟前 发表 |
| 222B02 | |
| 本站网友 中科电气 | 1分钟前 发表 |
| 都是windows的异常处理函数相关的 | |
| 本站网友 福清二手房出售 | 24分钟前 发表 |
| operator=+0x244 | |
| 本站网友 北京晚报微博 | 2分钟前 发表 |
| 222B02 | |