这是一个用Python编写的脚本,用于枚举应用程序中调用的有缓冲区溢出危险的函数,这些函数大多位于老版本的C运行库中。注意该脚本使用了pydbg库,该库可以从一款名为“白眉”(PaiMei)的工具中得到,我会在附件中附上。同时附上微软公布的危险函数列表。如果软件中使用了这些函数,还愁找不到攻击目标吗,哈哈哈。
注意:pydbg只能用于python 2.4版,切记!!!
下面是源代码:
#!/usr/bin/env python
from pydbg import *
from pydbg.defines import *
import utils
# The max number of single-step instructions traced after a snapshot restore.
MAX_INSTRUCTIONS = 10

# Dangerous functions grouped by the module that exports them; the groups are
# flattened below into the name -> DLL mapping the rest of the script uses.
_DANGEROUS_BY_MODULE = (
    # Dangerous string copy functions
    ("msvcrt.dll", ("strcpy", "wcscpy", "_mbscpy", "_mbccpy")),
    ("kernel32.dll", ("lstrcpyA", "lstrcpyW")),
    # Dangerous string concatenation functions
    ("msvcrt.dll", ("strcat", "wcscat", "_mbscat")),
    ("kernel32.dll", ("lstrcatA", "lstrcatW")),
    # Dangerous sprintf functions
    ("msvcrt.dll", ("sprintf", "swprintf")),
    ("user32.dll", ("wsprintfA", "wsprintfW")),
    ("shlwapi.dll", ("wnsprintfA", "wnsprintfW")),
    # Dangerous "n" sprintf functions
    ("msvcrt.dll", ("_snprintf", "_snwprintf")),
    # Dangerous variable argument sprintf functions
    ("user32.dll", ("wvsprintfA", "wvsprintfW")),
    ("msvcrt.dll", ("vsprintf", "vswprintf")),
    # Dangerous variable argument "n" sprintf functions
    ("msvcrt.dll", ("_vsnprintf", "_vsnwprintf")),
    ("shlwapi.dll", ("wvnsprintfA", "wvnsprintfW")),
    # Dangerous "n" string copy functions
    ("msvcrt.dll", ("strncpy", "wcsncpy", "_mbsncpy", "_mbsnbcpy")),
    ("kernel32.dll", ("lstrcpynA", "lstrcpynW")),
    # Dangerous "n" string concatenation functions
    ("msvcrt.dll", ("strncat", "wcsncat", "_mbsnbcat")),
    # Other dangerous functions will be added
)

# Function name -> exporting DLL. Built with dict() over a generator
# expression rather than a dict comprehension to stay Python 2.4 compatible.
dangerous_functions = dict(
    (name, dll)
    for dll, names in _DANGEROUS_BY_MODULE
    for name in names
)

# Resolved breakpoint address -> function name, filled in at start-up.
dangerous_functions_resolved = {}

# Set once the first access violation has rewound the process.
crash_encountered = False

# Number of instructions single-stepped so far after the rewind.
instruction_count = 0
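def DangeroursFuncHandler(dbg):
    """Breakpoint callback for every resolved dangerous function.

    Prints which function was hit (looked up by EIP in
    dangerous_functions_resolved) and the first six dwords on the stack
    (ESP+0x00 .. ESP+0x14), then takes a process snapshot so that
    AccessViolationHandler can rewind to this call if it later faults.

    Args:
        dbg: the pydbg instance that hit the breakpoint.

    Returns:
        DBG_CONTINUE so the debuggee resumes.
    """
    # A KeyError inside a pydbg callback would abort the whole debugging
    # session, so fall back to a placeholder for an unexpected EIP.
    func_name = dangerous_functions_resolved.get(dbg.context.Eip, "<unresolved>")
    print("[*] Hit %s" % func_name)
    print("=" * 88)
    # Walk the top of the stack one dword at a time; on x86 this usually
    # covers the return address and the first few call arguments.
    for esp_offset in range(0, 24, 4):
        parameter = dbg.smart_dereference(dbg.context.Esp + esp_offset)
        print("[ESP + 0x%02x] => %s" % (esp_offset, parameter))
    print("=" * 88)
    # Snapshot with all threads suspended so memory and thread contexts
    # are captured consistently.
    dbg.suspend_all_threads()
    dbg.process_snapshot()
    dbg.resume_all_threads()
    return DBG_CONTINUE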
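def AccessViolationHandler(dbg):
    """Access-violation callback.

    The debugger sees an exception before the debuggee does, so the
    first-chance notification is passed through (DBG_EXCEPTION_NOT_HANDLED)
    to give the debuggee's own handlers a chance. On the second chance the
    crash is recorded and, the first time only, the process is rewound to
    the snapshot taken in DangeroursFuncHandler and every thread is put into
    single-step mode so SingleStepHandler can trace the instructions that
    follow. A second crash terminates the process.

    Args:
        dbg: the pydbg instance that received the exception.

    Returns:
        DBG_EXCEPTION_NOT_HANDLED on first chance and on the second crash;
        DBG_CONTINUE after rewinding the process.
    """
    # Without this declaration the assignment below would make
    # crash_encountered a local, and the read before it would raise
    # UnboundLocalError.
    global crash_encountered

    if dbg.dbg.u.Exception.dwFirstChance:
        return DBG_EXCEPTION_NOT_HANDLED

    crash = utils.crash_binning.crash_binning()
    crash.record_crash(dbg)
    print(crash.crash_synopsis())

    if crash_encountered:
        # Already rewound and replayed once; a second fault means the crash
        # reproduces, so stop here.
        dbg.terminate_process()
        return DBG_EXCEPTION_NOT_HANDLED

    dbg.suspend_all_threads()
    dbg.process_restore()
    crash_encountered = True

    # Put every thread into single-step mode so that SingleStepHandler takes
    # over as soon as the threads are resumed.
    for thread_id in dbg.enumerate_threads():
        print("[*] Setting single step for thread: 0x%08x" % thread_id)
        h_thread = dbg.open_thread(thread_id)
        dbg.single_step(True, h_thread)
        dbg.close_handle(h_thread)

    dbg.resume_all_threads()
    return DBG_CONTINUE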
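def SingleStepHandler(dbg):
    """Single-step callback used after the process has been rewound.

    Disassembles and prints up to MAX_INSTRUCTIONS instructions starting
    from the restored snapshot, then switches single-stepping off and lets
    the debuggee run freely (until it faults again, at which point
    AccessViolationHandler terminates it).

    Args:
        dbg: the pydbg instance that raised the single-step exception.

    Returns:
        DBG_CONTINUE in every case.
    """
    global instruction_count

    # Only trace after a rewind. The original fell off the end here and
    # returned None; an explicit continue status avoids relying on how pydbg
    # treats a missing return value.
    if not crash_encountered:
        return DBG_CONTINUE

    # `>=` rather than `==` so the budget cannot be overshot if the counter
    # is ever bumped elsewhere.
    if instruction_count >= MAX_INSTRUCTIONS:
        dbg.single_step(False)
        return DBG_CONTINUE

    eip = dbg.context.Eip
    print("#%d\t0x%08x : %s" % (instruction_count, eip, dbg.disasm(eip)))
    instruction_count += 1
    dbg.single_step(True)
    return DBG_CONTINUE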
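def main():
    """Attach to a PID, hook every dangerous function and run the debugger."""
    dbg = pydbg()
    pid = int(raw_input("Enter the PID you wish to monitor: "))
    dbg.attach(pid)

    # Resolve each dangerous function, set a breakpoint on it and remember
    # the address so DangeroursFuncHandler can name it by EIP later.
    for func, dll in dangerous_functions.items():
        func_addr = dbg.func_resolve(dll, func)
        if not func_addr:
            # func_resolve is assumed to return a false value when the export
            # (or its DLL) cannot be found; skip it instead of setting a
            # breakpoint at address 0.
            print("[!] Could not resolve %s in %s, skipping" % (func, dll))
            continue
        print("[*] Resolved breakpoint: %s -> 0x%08x" % (func, func_addr))
        dbg.bp_set(func_addr, handler=DangeroursFuncHandler)
        dangerous_functions_resolved[func_addr] = func

    dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, AccessViolationHandler)
    dbg.set_callback(EXCEPTION_SINGLE_STEP, SingleStepHandler)
    dbg.run()


if __name__ == "__main__":
    main()

# (Author's note: the list of dangerous functions can be extended as you like.)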
PaiMei-1.1-REV122.zip
Dangerous CRT Functions.rar