且行且记录

Yesterday a first graphical comparison successfully located the differences

2014-07-17 10:44:51 | Category: Some exercises


Some time ago I had already plotted every call in the rdpwd.sys taken from the vxp virtual machine,

but the result was a mass of colours and lines that could not be told apart, so I had given up hope.

Yesterday I figured the differences should still be findable: there were simply too many lines, and they were hiding the small differences.

Eliminating lines one by one should locate the patched spot. A patch should also add a condition or add a call,

so comparing all the jump sites makes the differences easier to find.

Since most of the lines look parallel, only a small shift is needed to make them overlap.

After many rounds of shifting, comparing and marking, last night I finally located the patched spot by graphical comparison.

I first used W32ASM to disassemble the rdpwd.sys taken from the patch (extracted directly from the patch package, not after installing it) and the rdpwd.sys from the vxp system,

then wrote a simple AutoCAD macro in VBA to draw the graphs. The comparison was done by hand, by eye, and that is how the patched function was finally found!

Then I overlaid the same function from the old and new files and found the patched spot, as shown below:

[Figure: overlaid graphs of the old and new versions of the function]

Zoomed-in view of the overlap:

[Figure: zoomed-in view of the overlaid graphs]

Disassembly of the relevant vulnerable function is attached:

[rdpwd_old.sys] the vulnerable file
:0002CAE8 8BFF                    mov edi, edi
:0002CAEA 55                      push ebp
:0002CAEB 8BEC                    mov ebp, esp
:0002CAED 83EC0C                  sub esp, 0000000C
:0002CAF0 8B450C                  mov eax, dword ptr [ebp+0C]
:0002CAF3 56                      push esi
:0002CAF4 8BF1                    mov esi, ecx
:0002CAF6 C70001000000            mov dword ptr [eax], 00000001
:0002CAFC F6461020                test [esi+10], 20
:0002CB00 0F8488000000            je 0002CB8E
:0002CB06 53                      push ebx
:0002CB07 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB1C(C)
|
:0002CB09 8D45FC                  lea eax, dword ptr [ebp-04]
:0002CB0C 50                      push eax
:0002CB0D 53                      push ebx
:0002CB0E 6A0B                    push 0000000B
:0002CB10 6A01                    push 00000001
:0002CB12 53                      push ebx
:0002CB13 FF36                    push dword ptr [esi]

* Reference To: TERMDD.IcaBufferAlloc, Ord:0002h
                                  |
:0002CB15 E8A879FFFF              Call 000244C2
:0002CB1A 85C0                    test eax, eax
:0002CB1C 75EB                    jne 0002CB09
:0002CB1E 8D450F                  lea eax, dword ptr [ebp+0F]
:0002CB21 50                      push eax
:0002CB22 8D45F4                  lea eax, dword ptr [ebp-0C]
:0002CB25 50                      push eax
:0002CB26 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CB29 50                      push eax
:0002CB2A 53                      push ebx
:0002CB2B 53                      push ebx
:0002CB2C 53                      push ebx
:0002CB2D 56                      push esi
:0002CB2E E83BE8FFFF              call 0002B36E
:0002CB33 85C0                    test eax, eax
:0002CB35 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB38 FF7010                  push [eax+10]
:0002CB3B 7520                    jne 0002CB5D
:0002CB3D 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CB40 FF700C                  push [eax+0C]
:0002CB43 6A01                    push 00000001
:0002CB45 53                      push ebx
:0002CB46 E87FFBFFFF              call 0002C6CA
:0002CB4B 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB4E C740140B000000          mov [eax+14], 0000000B
:0002CB55 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CB58 885804                  mov byte ptr [eax+04], bl
:0002CB5B EB13                    jmp 0002CB70

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB3B(C)
|
:0002CB5D 53                      push ebx
:0002CB5E 53                      push ebx
:0002CB5F 6A0E                    push 0000000E
:0002CB61 E864FBFFFF              call 0002C6CA
:0002CB66 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB69 C7401409000000          mov [eax+14], 00000009

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB5B(U)
|
:0002CB70 FF75FC                  push [ebp-04]
:0002CB73 56                      push esi
:0002CB74 E807F7FFFF              call 0002C280
:0002CB79 85C0                    test eax, eax
:0002CB7B 5B                      pop ebx
:0002CB7C 7D10                    jge 0002CB8E
:0002CB7E 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CB81 50                      push eax
:0002CB82 FF75F8                  push [ebp-08]
:0002CB85 83C670                  add esi, 00000070
:0002CB88 56                      push esi
:0002CB89 E81CF5FFFF              call 0002C0AA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0002CB00(C), :0002CB7C(C)
|
:0002CB8E B001                    mov al, 01
:0002CB90 5E                      pop esi
:0002CB91 C9                      leave
:0002CB92 C20800                  ret 0008

==================

[rdpwd_gdr_new.sys] the file extracted from the patch
:0002CB44 8BFF                    mov edi, edi
:0002CB46 55                      push ebp
:0002CB47 8BEC                    mov ebp, esp
:0002CB49 83EC0C                  sub esp, 0000000C
:0002CB4C 8B450C                  mov eax, dword ptr [ebp+0C]
:0002CB4F 53                      push ebx
:0002CB50 56                      push esi
:0002CB51 8BF1                    mov esi, ecx
:0002CB53 C70001000000            mov dword ptr [eax], 00000001
:0002CB59 F6461020                test [esi+10], 20
:0002CB5D 0F849A000000            je 0002CBFD
:0002CB63 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB78(C)
|
:0002CB65 8D45FC                  lea eax, dword ptr [ebp-04]
:0002CB68 50                      push eax
:0002CB69 53                      push ebx
:0002CB6A 6A0B                    push 0000000B
:0002CB6C 6A01                    push 00000001
:0002CB6E 53                      push ebx
:0002CB6F FF36                    push dword ptr [esi]

* Reference To: TERMDD.IcaBufferAlloc, Ord:0002h
                                  |
:0002CB71 E88079FFFF              Call 000244F6
:0002CB76 85C0                    test eax, eax
:0002CB78 75EB                    jne 0002CB65
:0002CB7A 8D450F                  lea eax, dword ptr [ebp+0F]
:0002CB7D 50                      push eax
:0002CB7E 8D45F4                  lea eax, dword ptr [ebp-0C]
:0002CB81 50                      push eax
:0002CB82 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CB85 50                      push eax
:0002CB86 53                      push ebx
:0002CB87 53                      push ebx
:0002CB88 53                      push ebx
:0002CB89 56                      push esi
:0002CB8A E81FE8FFFF              call 0002B3AE
:0002CB8F 85C0                    test eax, eax
:0002CB91 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CB94 FF7010                  push [eax+10]
:0002CB97 7520                    jne 0002CBB9
:0002CB99 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CB9C FF700C                  push [eax+0C]
:0002CB9F 6A01                    push 00000001
:0002CBA1 53                      push ebx
:0002CBA2 E87FFBFFFF              call 0002C726
:0002CBA7 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CBAA C740140B000000          mov [eax+14], 0000000B
:0002CBB1 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CBB4 885804                  mov byte ptr [eax+04], bl
:0002CBB7 EB13                    jmp 0002CBCC

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CB97(C)
|
:0002CBB9 53                      push ebx
:0002CBBA 53                      push ebx
:0002CBBB 6A0E                    push 0000000E
:0002CBBD E864FBFFFF              call 0002C726
:0002CBC2 8B45FC                  mov eax, dword ptr [ebp-04]
:0002CBC5 C7401409000000          mov [eax+14], 00000009

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0002CBB7(U)
|
:0002CBCC FF75FC                  push [ebp-04]
:0002CBCF 56                      push esi
:0002CBD0 E803F7FFFF              call 0002C2D8
:0002CBD5 85C0                    test eax, eax
:0002CBD7 7D24                    jge 0002CBFD
:0002CBD9 8D45F8                  lea eax, dword ptr [ebp-08]
:0002CBDC 50                      push eax
:0002CBDD FF75F8                  push [ebp-08]
:0002CBE0 83C670                  add esi, 00000070
:0002CBE3 56                      push esi
:0002CBE4 E819F5FFFF              call 0002C102

[Added code starts]
:0002CBE9 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CBEC 3BC3                    cmp eax, ebx
:0002CBEE 740D                    je 0002CBFD
:0002CBF0 385805                  cmp byte ptr [eax+05], bl
:0002CBF3 7508                    jne 0002CBFD
:0002CBF5 53                      push ebx
:0002CBF6 50                      push eax

* Reference To: ntoskrnl.ExFreePoolWithTag, Ord:004Eh
                                  |
:0002CBF7 FF15B8E00200            Call dword ptr [0002E0B8]
[Added code ends]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0002CB5D(C), :0002CBD7(C), :0002CBEE(C), :0002CBF3(C)
|
:0002CBFD 5E                      pop esi
:0002CBFE B001                    mov al, 01
:0002CC00 5B                      pop ebx
:0002CC01 C9                      leave
:0002CC02 C20800                  ret 0008
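Added example, not code from the post: a small Python script that does in text what the overlaid drawings above do by eye. It parses W32Dasm-style listing lines, masks absolute addresses (which shift throughout a rebuilt driver and would otherwise make nearly every line differ), and diffs the normalized instruction streams so that only the instructions the patch introduced remain. The two embedded excerpts are the tails of the old and new functions listed above.

```python
import re
import difflib
# W32Dasm-style listing line: ":ADDRESS OPCODEBYTES  mnemonic operands"
INSN_RE = re.compile(r"^\s*:([0-9A-Fa-f]{8})\s+[0-9A-Fa-f]+\s+(\S+)\s*(.*)$")
ADDR_RE = re.compile(r"\b[0-9A-Fa-f]{8}\b")  # absolute addresses in operands

def parse_listing(text):
    """Keep instruction lines only; W32Dasm cross-reference comments are dropped."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).strip()))
    return insns

def normalize(insns):
    """Mask absolute addresses so only real instruction changes survive a rebuild."""
    return [f"{mn} {ADDR_RE.sub('<addr>', ops)}".strip() for _, mn, ops in insns]

def added_instructions(old_text, new_text):
    """Normalized instructions present in the patched listing but not the old one."""
    old, new = normalize(parse_listing(old_text)), normalize(parse_listing(new_text))
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [ins for tag, _, _, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace") for ins in new[j1:j2]]

# Tail of each function, copied from the two listings (constructed test input)
OLD_TAIL = """
:0002CB89 E81CF5FFFF              call 0002C0AA
:0002CB8E B001                    mov al, 01
:0002CB90 5E                      pop esi
:0002CB91 C9                      leave
:0002CB92 C20800                  ret 0008
"""
NEW_TAIL = """
:0002CBE4 E819F5FFFF              call 0002C102
:0002CBE9 8B45F8                  mov eax, dword ptr [ebp-08]
:0002CBEC 3BC3                    cmp eax, ebx
:0002CBEE 740D                    je 0002CBFD
:0002CBF0 385805                  cmp byte ptr [eax+05], bl
:0002CBF3 7508                    jne 0002CBFD
:0002CBF5 53                      push ebx
:0002CBF6 50                      push eax
:0002CBF7 FF15B8E00200            Call dword ptr [0002E0B8]
:0002CBFD 5E                      pop esi
:0002CBFE B001                    mov al, 01
:0002CC00 5B                      pop ebx
:0002CC01 C9                      leave
:0002CC02 C20800                  ret 0008
"""
ADDED = added_instructions(OLD_TAIL, NEW_TAIL)  # the null check, flag test and free
```

Running the full listings through the same functions also surfaces the moved `push ebx`/`pop ebx` pair at the top and bottom of the patched function.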
