枚举应用程序中有缓冲区溢出危险的函数
bruclan2012/08/01软件综合 IP:北京
本脚本使用Python编写,用于枚举应用程序中有缓冲区溢出危险的函数,这些函数大多位于老版本的C运行库中。注意该脚本使用了pydbg库,该库可以从一款名为“白眉”(PaiMei)的工具中得到,我会在附件中附上。同时附上微软公布的危险函数列表。如果软件中使用了这些函数,还愁找不到攻击目标吗,哈哈哈。
注意:pydbg只能用于python 2.4版,切记!!!

下面是源代码:


#!/usr/bin/env python


from pydbg import *
from pydbg.defines import *

import utils


# Upper bound on the number of single-stepped instructions traced after a
# snapshot has been restored.
MAX_INSTRUCTIONS = 10


# Export name -> DLL that exports it. Every entry gets a breakpoint, so a
# call is only seen when it goes through that DLL's export.
# NOTE(review): a target that links the C runtime statically, or imports it
# from a differently named CRT DLL, would presumably never hit these
# breakpoints - confirm against the target's import table.
dangerous_functions = {
    # Unbounded string copies: the destination size is never checked.
    "strcpy": "msvcrt.dll",
    "wcscpy": "msvcrt.dll",
    "_mbscpy": "msvcrt.dll",
    "_mbccpy": "msvcrt.dll",
    "lstrcpyA": "kernel32.dll",
    "lstrcpyW": "kernel32.dll",
    # Unbounded string concatenation.
    "strcat": "msvcrt.dll",
    "wcscat": "msvcrt.dll",
    "_mbscat": "msvcrt.dll",
    "lstrcatA": "kernel32.dll",
    "lstrcatW": "kernel32.dll",
    # sprintf family.
    "sprintf": "msvcrt.dll",
    "swprintf": "msvcrt.dll",
    "wsprintfA": "user32.dll",
    "wsprintfW": "user32.dll",
    "wnsprintfA": "shlwapi.dll",
    "wnsprintfW": "shlwapi.dll",
    # Counted sprintf: _snprintf/_snwprintf leave the output unterminated
    # when it is truncated.
    "_snprintf": "msvcrt.dll",
    "_snwprintf": "msvcrt.dll",
    # Variable-argument sprintf.
    "wvsprintfA": "user32.dll",
    "wvsprintfW": "user32.dll",
    "vsprintf": "msvcrt.dll",
    "vswprintf": "msvcrt.dll",
    # Counted variable-argument sprintf.
    "_vsnprintf": "msvcrt.dll",
    "_vsnwprintf": "msvcrt.dll",
    "wvnsprintfA": "shlwapi.dll",
    "wvnsprintfW": "shlwapi.dll",
    # Counted string copies: the count comes from the caller, and the CRT
    # forms (strncpy and its wide/multibyte variants) do not NUL-terminate
    # when the source is at least as long as the count.
    "strncpy": "msvcrt.dll",
    "wcsncpy": "msvcrt.dll",
    "_mbsncpy": "msvcrt.dll",
    "_mbsnbcpy": "msvcrt.dll",
    "lstrcpynA": "kernel32.dll",
    "lstrcpynW": "kernel32.dll",
    # Counted concatenation: the count limits what is appended, not the
    # total size of the destination buffer.
    "strncat": "msvcrt.dll",
    "wcsncat": "msvcrt.dll",
    "_mbsnbcat": "msvcrt.dll",
    # Further entries can be appended here.
}


# Resolved address -> export name; populated while breakpoints are being set.
dangerous_functions_resolved = {}


# Becomes True once the first access violation has been handled.
crash_encountered = False


# Number of instructions the single-step handler has traced so far.
instruction_count = 0


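def DangeroursFuncHandler(dbg):
    """Breakpoint handler for a monitored function: log it and snapshot.

    Prints the name of the function that was hit and six dwords from the
    top of the stack, then takes a process snapshot so that a later crash
    can be rewound to this call.

    dbg -- the pydbg instance that delivered the breakpoint.
    Returns DBG_CONTINUE so the debuggee keeps running.
    """
    # The breakpoint sits on the function's first instruction, so EIP is the
    # resolved address used as the key of dangerous_functions_resolved.
    print("[*] Hit %s" % dangerous_functions_resolved[dbg.context.Eip])
    print("=" * 88)
    # Offsets 0x00 through 0x14. At function entry [ESP + 0x00] holds the
    # return address; the arguments start at [ESP + 0x04].
    for esp_offset in range(0, 24, 4):
        parameter = dbg.smart_dereference(dbg.context.Esp + esp_offset)
        print("[ESP + 0x%02x] => %s" % (esp_offset, parameter))
    print("=" * 88)
    # Freeze every thread while the snapshot is taken so the saved state is
    # consistent.
    dbg.suspend_all_threads()
    dbg.process_snapshot()
    dbg.resume_all_threads()
    return DBG_CONTINUE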


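def AccessViolationHandler(dbg):
    """Access-violation callback: record the crash, then rewind once.

    On the first second-chance access violation the crash is recorded, the
    process is restored to the last snapshot and every thread is put into
    single-step mode so SingleStepHandler can trace what follows. On any
    later access violation the debuggee is terminated.

    dbg -- the pydbg instance that delivered the exception.
    Returns DBG_EXCEPTION_NOT_HANDLED for first-chance exceptions and after
    terminating the process, DBG_CONTINUE after a restore.
    """
    # crash_encountered is assigned below; without this declaration Python
    # treats it as a local and the read further down raises
    # UnboundLocalError.
    global crash_encountered

    # The debugger receives an exception before the debuggee does. Pass the
    # first-chance notification on so the debuggee gets to see it.
    if dbg.dbg.u.Exception.dwFirstChance:
        return DBG_EXCEPTION_NOT_HANDLED

    crash = utils.crash_binning.crash_binning()
    crash.record_crash(dbg)
    print(crash.crash_synopsis())

    if crash_encountered:
        # The process was already rewound once; stop here.
        dbg.terminate_process()
        return DBG_EXCEPTION_NOT_HANDLED

    # NOTE(review): if no monitored function was hit before this crash there
    # is no snapshot yet - confirm how process_restore() behaves then.
    dbg.suspend_all_threads()
    dbg.process_restore()
    crash_encountered = True
    # Put every thread into single-step mode.
    for threadId in dbg.enumerate_threads():
        print("[*] Setting single step for thread: 0x%08x" % threadId)
        hThread = dbg.open_thread(threadId)
        dbg.single_step(True, hThread)
        dbg.close_handle(hThread)
    # Resuming hands control to SingleStepHandler on the next instruction.
    dbg.resume_all_threads()
    return DBG_CONTINUE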


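def SingleStepHandler(dbg):
    """Single-step callback: trace instructions after a restored crash.

    Does nothing until a crash has been handled. After that it prints one
    disassembled instruction per step, with its index and address, until
    MAX_INSTRUCTIONS have been traced, then turns single-stepping off.

    dbg -- the pydbg instance that delivered the exception.
    Always returns DBG_CONTINUE.
    """
    global instruction_count
    global crash_encountered

    if not crash_encountered:
        return DBG_CONTINUE

    if instruction_count == MAX_INSTRUCTIONS:
        # Trace budget used up: stop stepping and let the debuggee run.
        dbg.single_step(False)
        return DBG_CONTINUE

    # Disassemble the instruction about to execute.
    instruction = dbg.disasm(dbg.context.Eip)
    print("#%d\t0x%08x : %s" % (instruction_count, dbg.context.Eip, instruction))
    instruction_count += 1
    # Re-arm single-stepping so the next instruction is reported as well.
    dbg.single_step(True)
    return DBG_CONTINUE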


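dbg = pydbg()
pid = int(raw_input("Enter the PID you wish to monitor: "))
dbg.attach(pid)


# Resolve every monitored function, set a breakpoint on it and remember
# which name belongs to which address.
for func, dll in dangerous_functions.items():
    funcAddr = dbg.func_resolve(dll, func)
    # NOTE(review): a failed lookup presumably yields a null address, and
    # setting a breakpoint on it would abort the whole setup, so such an
    # entry is reported and skipped - confirm against func_resolve().
    if not funcAddr:
        print("[!] Could not resolve %s in %s, skipping" % (func, dll))
        continue
    print("[*] Resolved breakpoint: %s -> 0x%08x" % (func, funcAddr))
    dbg.bp_set(funcAddr, handler=DangeroursFuncHandler)
    dangerous_functions_resolved[funcAddr] = func


# Register the exception callbacks, then enter the debug event loop.
dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, AccessViolationHandler)
dbg.set_callback(EXCEPTION_SINGLE_STEP, SingleStepHandler)
dbg.run()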


危险函数的列表可以自己扩展的呦。

attachment icon PaiMei-1.1-REV122.zip 1.74MB ZIP 19次下载

attachment icon Dangerous CRT Functions.rar 79.99KB RAR 20次下载