

 
 
 


 
 

初步跟了下ms12-020先找到异常的地方  

2014-07-16 16:34:01 | 分类: 一些练习


用网上的一个 PoC 数据测试的(PoC 本身这里没有贴出,下面只有内核调试器 WinDbg 的输出)。

找了好久总算是找到文章里说的地方了,原因太复杂还不会分析。从下面的记录能确定的只有这些:异常发生在 termdd!IcaBufferAlloc+0x10 的 `mov eax,dword ptr [esi+18h]`,停下时 esi=040b0404,调试器显示 ds:0023:040b041c=????????,也就是这个地址读不到;而 +0x10 只能从 +0x22 的 jne 回跳进入,esi 就是上一轮 IcaGetPreviousSdLink 的返回值。调用路径是 RDPWD!NM_Connect → NMAbortConnect → SM_OnConnected → SM_Disconnect → NM_Disconnect → NMDetachUserReq → MCSDetachUserRequest → IcaBufferAlloc,即连接被中止后走断开/分离用户路径时,从链表里取到了一个无效指针。第一次运行断点 0 在 +0x1e 最后记录到的 eax 是 040b01f9,第二次在 +0x10 停下时 esi=040b0404,都和跟踪里其他 8xxxxxxx/e1xxxxxx/f8xxxxxx 形式的内核地址明显不同,看起来像是已释放或被破坏的对象指针,但这一点还需要进一步确认。另外第一段跟踪里栈上有 _except_handler3 → termdd!IcaExceptionFilter → nt!DbgBreakPoint,说明这个访问异常先被 termdd 的 SEH 过滤器接住了,所以挂着调试器时看到的是 int 3 断点而不是直接蓝屏。

===
eax=00000000
===
eax=00000000
===
eax=040b01f9
TermDD: IcaDeviceControlStack TRAPPED!!
TermDD: ExceptionRecord=F4BA5448 ContextRecord=F4BA5144
TermDD: Exception code=c0000005, flags=00000000, addr=F859FC6E, IP=【F859FC6E】
TermDD: esp=F4BA5510 ebp=F4BA5518
Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=00000008 edx=804de451 esi=00000000 edi=00000000
eip=804e4596 esp=f4ba4f64 ebp=f4ba4f68 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
nt!DbgBreakPoint:
804e4596 cc              int     3
kd> kbn
 # ChildEBP RetAddr  Args to Child             
00 f4ba4f60 f85a2674 f4ba5c08 f85a409b 0001367c nt!DbgBreakPoint
01 f4ba4f68 f85a409b 0001367c f4ba4f94 804e3501 termdd!IcaExceptionFilter+0x7e
02 f4ba4f74 804e3501 f4ba4f9c 00000000 f4ba4f9c termdd!IcaDeviceControlStack+0x9d9
03 f4ba4f9c 804dc49a f4ba5448 f4ba5bf8 f4ba5144 nt!_except_handler3+0x61
04 f4ba4fc0 804dc46b f4ba5448 f4ba5bf8 f4ba5144 nt!ExecuteHandler2+0x26
05 f4ba5070 805089de f4ba5448 f4ba5144 040b0211 nt!ExecuteHandler+0x24
06 f4ba542c 804e0235 f4ba5448 00000000 f4ba549c nt!KiDispatchException+0x13e
07 f4ba5494 804e01e6 f4ba5518 f859fc6e badb0d00 nt!CommonDispatchException+0x4d
08 f4ba5518 f4a76538 e1e05478 00000000 00000001 nt!Kei386EoiHelper+0x18a
09 f4ba5540 f4a60696 e1753e60 00000001 e1e2e564 RDPWD!MCSDetachUserRequest+0x28
0a f4ba5554 f4a601ae e1e2e82c f4ba556c f4a60a19 RDPWD!NMDetachUserReq+0x14
0b f4ba5560 f4a60a19 e1e2e82c f4ba557c f4a645ae RDPWD!NM_Disconnect+0x16
0c f4ba556c f4a645ae e1e2e564 e1e2e82c f4ba559c RDPWD!SM_Disconnect+0x27
0d f4ba557c f4a606d7 e1e2e564 00000000 00000001 RDPWD!SM_OnConnected+0x70
0e f4ba559c f4a6041e e1e2e82c 00000002 e1e2e564 RDPWD!NMAbortConnect+0x23
0f f4ba55d4 f4a60ee6 00e2e82c e1e2e888 e1e2e3e6 RDPWD!NM_Connect+0x86
10 f4ba55f4 f4a62dc0 e1e2e564 02622e80 02622e8c RDPWD!SM_Connect+0xd8
11 f4ba561c f4a637a2 e1e2e008 02622d9c 02622e80 RDPWD!WDWConnect+0x2cc
12 f4ba5650 f4a5df9f e1e2e008 02622e74 8217e234 RDPWD!WDWConfConnect+0x94
13 f4ba5680 f85a329a e1e2e008 f4ba5744 8217e234 RDPWD!WD_Ioctl+0x1123
kd> ub F859FC6E
termdd!IcaBufferAlloc+0x2:
f859fc60 55              push    ebp
f859fc61 8bec            mov     ebp,esp
f859fc63 56              push    esi
f859fc64 57              push    edi
f859fc65 8b7d08          mov     edi,dword ptr [ebp+8]
f859fc68 8d47ec          lea     eax,[edi-14h]
f859fc6b 50              push    eax
f859fc6c eb09            jmp     termdd!IcaBufferAlloc+0x19 (f859fc77)
kd> u
termdd!IcaBufferAlloc+0x10:
【f859fc6e】 8b4618          mov     eax,dword ptr [esi+18h]
f859fc71 833800          cmp     dword ptr [eax],0
f859fc74 56              push    esi
f859fc75 7526            jne     termdd!IcaBufferAlloc+0x3f (f859fc9d)
f859fc77 e876280000      call    termdd!IcaGetPreviousSdLink (f85a24f2)
f859fc7c 8bf0            mov     esi,eax
f859fc7e 85f6            test    esi,esi
f859fc80 75ec            jne     termdd!IcaBufferAlloc+0x10 (f859fc6e)
kd> bl
 0 e f859fc7c     0001 (0001) termdd!IcaBufferAlloc+0x1e ".echo ===;r eax;g"

kd> bd 0
kd> bp f859fc6e
kd> g
Breakpoint 1 hit
eax=040b0404 ebx=e1898bb0 ecx=00000070 edx=00000003 esi=040b0404 edi=e20c8a40
eip=f859fc6e esp=f82e7510 ebp=f82e7518 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
termdd!IcaBufferAlloc+0x10:
f859fc6e 8b4618          mov     eax,dword ptr [esi+18h] ds:0023:040b041c=????????
kd> kbn 30
 # ChildEBP RetAddr  Args to Child             
00 f82e7518 f4a76538 e20c8a40 00000000 00000001 termdd!IcaBufferAlloc+0x10
01 f82e7540 f4a60696 e1e3fad8 00000001 e2185904 RDPWD!MCSDetachUserRequest+0x28
02 f82e7554 f4a601ae e2185bcc f82e756c f4a60a19 RDPWD!NMDetachUserReq+0x14
03 f82e7560 f4a60a19 e2185bcc f82e757c f4a645ae RDPWD!NM_Disconnect+0x16
04 f82e756c f4a645ae e2185904 e2185bcc f82e759c RDPWD!SM_Disconnect+0x27
05 f82e757c f4a606d7 e2185904 00000000 00000001 RDPWD!SM_OnConnected+0x70
06 f82e759c f4a6041e e2185bcc 00000002 e2185904 RDPWD!NMAbortConnect+0x23
07 f82e75d4 f4a60ee6 00185bcc e2185c28 e2185786 RDPWD!NM_Connect+0x86
08 f82e75f4 f4a62dc0 e2185904 02622e80 02622e8c RDPWD!SM_Connect+0xd8
09 f82e761c f4a637a2 e21853a8 02622d9c 02622e80 RDPWD!WDWConnect+0x2cc
0a f82e7650 f4a5df9f e21853a8 02622e74 820f69f4 RDPWD!WDWConfConnect+0x94
0b f82e7680 f85a329a e21853a8 f82e7744 820f69f4 RDPWD!WD_Ioctl+0x1123
0c f82e7698 f85a362c 82100108 00000005 f82e7730 termdd!_IcaCallSd+0x30
0d f82e76b8 f85a3f07 820f69e8 00000005 f82e7730 termdd!_IcaCallStack+0x42
0e f82e7c08 f85a1cfa 820f69e8 820ceab0 820ceb20 termdd!IcaDeviceControlStack+0x845
0f f82e7c1c f85a1f8a 820ceab0 820ceb20 8217e9a0 termdd!IcaDeviceControl+0x26
10 f82e7c34 804e4807 8224d538 820ceab0 806f0070 termdd!IcaDispatch+0x13a
11 f82e7c44 80568f71 820ceb20 8217e9a0 820ceab0 nt!IopfCallDriver+0x31
12 f82e7c58 8057bc7f 8224d538 820ceab0 8217e9a0 nt!IopSynchronousServiceTail+0x70
13 f82e7d00 805893d4 000002e8 00000000 00000000 nt!IopXxxControlFile+0x611
14 f82e7d34 804df7ec 000002e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
15 f82e7d34 7c92e514 000002e8 00000000 00000000 nt!KiFastCallEntry+0xf8
16 0285e810 7c92d28a 74ed1173 000002e8 00000000 ntdll!KiFastSystemCallRet
17 0285e814 74ed1173 000002e8 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
18 0285e850 74ed157e 000002e8 00382403 02622d60 ICAAPI!IcaIoControl+0x29
19 0285e87c 74ed15c3 000a67f8 00382403 02622d60 ICAAPI!_IcaStackIoControlWorker+0x64
1a 0285e8a4 72463784 000a67f8 00382403 02622d60 ICAAPI!IcaStackIoControl+0x29
1b 0285e8dc 724639b2 000a67f8 00000000 0285e92c rdpwsx!TSrvInitWDConnectInfo+0x6e
1c 0285e904 72463a47 026223e8 0285e92c 00000000 rdpwsx!TSrvInitWD+0x23
1d 0285e924 72463b37 00000000 00000000 026223e8 rdpwsx!TSrvConfCreateResp+0x26
1e 0285e938 72463c23 026223e8 0285e998 00000000 rdpwsx!TSrvDoConnectResponse+0x10
1f 0285e964 72463c84 026223e8 000002a8 02622120 rdpwsx!TSrvDoConnect+0xb6
20 0285e978 724656e1 000002a8 000a67f8 0285e998 rdpwsx!TSrvStackConnect+0x33
21 0285e99c 761ded48 02622120 000002a8 000a67f8 rdpwsx!WsxIcaStackIoControl+0x17d
22 0285e9c8 74ed160d 000d1160 000a67f8 0038004b termsrv!WsxStackIoControl+0x43
23 0285e9f8 74ed1806 000a67f8 0038004b 00000000 ICAAPI!_IcaStackIoControl+0x33
24 0285efe0 74ed1ec8 000a67f8 000bd8f4 0285f027 ICAAPI!_IcaStackWaitForIca+0x3e
25 0285f5e8 761cce31 000002a8 000a67f8 000bd870 ICAAPI!IcaStackConnectionAccept+0x153
26 0285ff90 761cd5c0 000bd850 000c4908 00000004 termsrv!TransferConnectionToIdleWinStation+0x416
27 0285ffb4 7c80b729 000c34b8 00000000 00000000 termsrv!WinStationTransferThread+0x69
28 0285ffec 00000000 761cd557 000c34b8 00000000 kernel32!BaseThreadStart+0x37
