I have a 64-bit plug-in DLL (no source code), and an update to the host application changed its DLL characteristics to include "High Entropy 64-bit Address Space Layout Randomization (ASLR)". With this option set, the add-in crashes randomly. I have temporarily fixed the application by removing the DLL characteristic with CFF Explorer, but I would like to know whether any static analysis technique can be used in a disassembly, with a tool such as IDA Pro, to find ASLR incompatibilities, or what such code might look like if it is encountered while analysing an application crash dump.
Using WinDbg, I can see the access violation here, caused by rbp being set to an invalid value:
uccoext64!GetOutlookViewID+0x46eee:
0000016b`01f75bae 488b4500 mov rax,qword ptr [rbp] ss:00000000`05cccc50=????????????????
Stepping backwards, I find that this invalid value is set in a different DLL:
UcLogging64+0x1ec8:
0000016b`05201ec8 488b6c2438 mov rbp,qword ptr [rsp+38h] ss:00000029`834f8978=0000000005cccc50
This part of the code:
0:000> uf 0000016b`05201ec8 488b6c2438
UcLogging64+0x1e40:
0000016b`05201e40 48895c2408 mov qword ptr [rsp+8],rbx
0000016b`05201e45 48896c2410 mov qword ptr [rsp+10h],rbp
0000016b`05201e4a 48897c2418 mov qword ptr [rsp+18h],rdi
0000016b`05201e4f 4154 push r12
0000016b`05201e51 4883ec20 sub rsp,20h
0000016b`05201e55 33ff xor edi,edi
0000016b`05201e57 418bd9 mov ebx,r9d
0000016b`05201e5a 4d8be0 mov r12,r8
0000016b`05201e5d 488bea mov rbp,rdx
0000016b`05201e60 40387928 cmp byte ptr [rcx+28h],dil
0000016b`05201e64 7423 je UcLogging64+0x1e89 (0000016b`05201e89) Branch
UcLogging64+0x1e66:
0000016b`05201e66 8b542450 mov edx,dword ptr [rsp+50h]
0000016b`05201e6a 488d0d0fd60000 lea rcx,[UcLogging64!UnifiedClientTrace+0xa480 (0000016b`0520f480)]
0000016b`05201e71 e82afaffff call UcLogging64+0x18a0 (0000016b`052018a0)
0000016b`05201e76 4885c0 test rax,rax
0000016b`05201e79 7403 je UcLogging64+0x1e7e (0000016b`05201e7e) Branch
UcLogging64+0x1e7b:
0000016b`05201e7b 8b780c mov edi,dword ptr [rax+0Ch]
UcLogging64+0x1e7e:
0000016b`05201e7e f6c304 test bl,4
0000016b`05201e81 7406 je UcLogging64+0x1e89 (0000016b`05201e89) Branch
UcLogging64+0x1e83:
0000016b`05201e83 85ff test edi,edi
0000016b`05201e85 7e02 jle UcLogging64+0x1e89 (0000016b`05201e89) Branch
UcLogging64+0x1e87:
0000016b`05201e87 ffcf dec edi
UcLogging64+0x1e89:
0000016b`05201e89 448b442450 mov r8d,dword ptr [rsp+50h]
0000016b`05201e8e 448bcf mov r9d,edi
0000016b`05201e91 498bd4 mov rdx,r12
0000016b`05201e94 488bcd mov rcx,rbp
0000016b`05201e97 e834fcffff call UcLogging64+0x1ad0 (0000016b`05201ad0)
0000016b`05201e9c f6c301 test bl,1
0000016b`05201e9f 7422 je UcLogging64+0x1ec3 (0000016b`05201ec3) Branch
UcLogging64+0x1ea1:
0000016b`05201ea1 33c0 xor eax,eax
0000016b`05201ea3 488bfd mov rdi,rbp
0000016b`05201ea6 4883c9ff or rcx,0FFFFFFFFFFFFFFFFh
0000016b`05201eaa 66f2af repne scas word ptr [rdi]
0000016b`05201ead 488b053c890000 mov rax,qword ptr [UcLogging64!UnifiedClientTrace+0x57f0 (0000016b`0520a7f0)]
0000016b`05201eb4 488947fe mov qword ptr [rdi-2],rax
0000016b`05201eb8 488b0539890000 mov rax,qword ptr [UcLogging64!UnifiedClientTrace+0x57f8 (0000016b`0520a7f8)]
0000016b`05201ebf 48894706 mov qword ptr [rdi+6],rax
UcLogging64+0x1ec3:
0000016b`05201ec3 488b5c2430 mov rbx,qword ptr [rsp+30h]
0000016b`05201ec8 488b6c2438 mov rbp,qword ptr [rsp+38h]
0000016b`05201ecd 488b7c2440 mov rdi,qword ptr [rsp+40h]
0000016b`05201ed2 4883c420 add rsp,20h
0000016b`05201ed6 415c pop r12
0000016b`05201ed8 c3 ret
Using Time Travel Debugging and a memory write breakpoint at this location, and going backwards, I find that it appears to change here:
UcLogging64+0x1e45:
0000016b`05201e45 48896c2410 mov qword ptr [rsp+10h],rbp ss:00000029`834f8978=0000016b0520add8
0:000> r rbp
rbp=0000000005cccc50
Looking again for when rbp was set to this value:
UcLogging64+0x1193:
0000016b`05201193 488b6c2448 mov rbp,qword ptr [rsp+48h] ss:00000029`834f8958=0000000005cccc50
Stepping back:
UcLogging64+0x108a:
0000016b`0520108a 56 push rsi
0:000> dd 00000029`834f8958
00000029`834f8958 05cccc50 00000000 834f8a09 00000029
00000029`834f8968 052051a4 0000016b 0520a728 0000016b
00000029`834f8978 0520add8 0000016b 834f89e0 00000029
00000029`834f8988 6d5e0000 00000000 000004e0 53282064
00000029`834f8998 01f92a80 0000016b 0520a728 0000016b
00000029`834f89a8 0520f0a0 0000016b ffffff01 ffffffff
00000029`834f89b8 01f92a70 0000016b 00000027 00000000
00000029`834f89c8 834fa670 00000029 fffffffe ffffffff
0:000> t-
Time Travel Position: 6516CD:1B [Unindexed] Index
UcLogging64+0x1085:
0000016b`05201085 48896c2420 mov qword ptr [rsp+20h],rbp ss:00000029`834f8958=0000016b01fad918
0:000> dd 00000029`834f8958
00000029`834f8958 01fad918 0000016b 834f8a09 00000029
Looking backwards again, I see this change to the invalid value on the pop rbp instruction:
rbp=00000029834f8930
0:000> t-
Time Travel Position: 6516CB:134 [Unindexed] Index
MSVCR100!vswprintf_l+0xd7:
00000000`6d61400f 4883c450 add rsp,50h
0:000> r rbp
rbp=00000029834f8930
0:000> t
Time Travel Position: 6516CB:135 [Unindexed] Index
MSVCR100!vswprintf_l+0xdb:
00000000`6d614013 5d pop rbp
0:000> t
Time Travel Position: 6516CB:136 [Unindexed] Index
MSVCR100!vswprintf_l+0xdc:
00000000`6d614014 c3 ret
0:000> r rbp
rbp=0000000005cccc50
Since the value was already corrupted before the function started:
Time Travel Position: 6516CA:B51 [Unindexed] Index
MSVCR100!vswprintf_l+0x13:
00000000`6d613f4b 55 push rbp
0:000> t-
Time Travel Position: 6516CA:B50 [Unindexed] Index
MSVCR100!vswprintf_l+0xf:
00000000`6d613f47 4c896020 mov qword ptr [rax+20h],r12 ds:00000029`834f8958=0000000000000004
0:000> r rbp
rbp=0000000005cccc50
This was set in the earlier msvcr100!vswprintf_l call:
MSVCR100!vsnprintf_l+0xbb:
00000000`6d613a0b 488b6c2468 mov rbp,qword ptr [rsp+68h] ss:00000029`834f8938=0000000005cccc50
0:000> r rbp
rbp=0000000000000000
0:000> t
Time Travel Position: 6516CA:ACB [Unindexed] Index
MSVCR100!vsnprintf_l+0xc0:
00000000`6d613a10 488b742470 mov rsi,qword ptr [rsp+70h] ss:00000029`834f8940=0000016b01fad918
0:000> r rbp
rbp=0000000005cccc50
And this was set earlier still:
0:000> r rbp
rbp=0000000005cccc50
0:000> t
Time Travel Position: 6516CA:11C [Unindexed] Index
MSVCR100!vsnprintf_l+0x3:
00000000`6d613953 48895808 mov qword ptr [rax+8],rbx ds:00000029`834f8930=0000016b0520f0a0
0:000> t
Time Travel Position: 6516CA:11D [Unindexed] Index
MSVCR100!vsnprintf_l+0x7:
00000000`6d613957 48896810 mov qword ptr [rax+10h],rbp ds:00000029`834f8938=0000016b0520f000
0:000> t
This keeps going, and I have not yet traced it all the way back to the origin. I would like to know whether there is another way to find the code that could be causing this.
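Two checks a practitioner typically runs on a crash like the one traced above, as an added example that is not part of the original post: first, read the image's DllCharacteristics directly from the PE header to confirm whether HIGH_ENTROPY_VA (0x0020) and DYNAMIC_BASE (0x0040) are set, and clear the high-entropy bit in a copy the same way CFF Explorer does; second, triage the register values in the dump for the signature high-entropy ASLR exposes. The corrupted value in the question, rbp=0000000005cccc50, has its upper 32 bits clear while the modules involved are mapped above 4 GiB (UcLogging64 at 0000016b`05200000, derived from the UcLogging64+0x1ec8 address in the post), which is the pattern produced when a pointer passes through a 32-bit slot. The PE header built by build_sample_pe() is a constructed, non-loadable stub used only to exercise the parser; the function names and the flagging heuristic are this example's own assumptions, not anything from the poster's tooling.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
PE32PLUS_MAGIC = 0x020B

# DllCharacteristics sits 70 bytes into the optional header for both PE32 and PE32+.
DLLCHARS_OFFSET = 70


def _optional_header_offset(data: bytes) -> int:
    """Locate the optional header: e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20


def read_dll_characteristics(data: bytes) -> dict:
    """Return the raw DllCharacteristics word plus the ASLR-relevant bits decoded."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    chars = struct.unpack_from("<H", data, opt + DLLCHARS_OFFSET)[0]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "raw": chars,
        "high_entropy_va": bool(chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dynamic_base": bool(chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "nx_compat": bool(chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def clear_high_entropy_va(data: bytes) -> bytes:
    """Return a copy of the image with HIGH_ENTROPY_VA cleared (DYNAMIC_BASE is left alone)."""
    opt = _optional_header_offset(data)
    buf = bytearray(data)
    chars = struct.unpack_from("<H", buf, opt + DLLCHARS_OFFSET)[0]
    struct.pack_into("<H", buf, opt + DLLCHARS_OFFSET,
                     chars & ~IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA & 0xFFFF)
    return bytes(buf)


def looks_truncated_to_32_bits(value: int, module_bases) -> bool:
    """Heuristic (assumption of this example): a non-zero value that fits in 32 bits
    while every module of interest is mapped above 4 GiB is worth treating as a
    pointer that passed through a 32-bit slot (int, DWORD, 32-bit register move)."""
    return 0 < value < (1 << 32) and all(base >= (1 << 32) for base in module_bases)


def build_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ header (DOS stub + signature + COFF + optional header).
    It is only enough for the parser above; it is not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64, 0 sections, timestamp/symbols 0, SizeOfOptionalHeader=240, DLL|executable.
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, DLLCHARS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    image = build_sample_pe(IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
                            | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                            | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("before:", read_dll_characteristics(image))
    print("after: ", read_dll_characteristics(clear_high_entropy_va(image)))
    # Values from the question: corrupted rbp and the UcLogging64 load base.
    uclogging_base = 0x0000016B05200000
    for reg in (0x0000000005CCCC50, 0x0000016B0520ADD8):
        print(hex(reg), "suspicious" if looks_truncated_to_32_bits(reg, [uclogging_base]) else "ok")
```

For a real DLL, read the file bytes and pass them to read_dll_characteristics(); the "raw" value should match what CFF Explorer displays. The truncation heuristic is a triage aid, not proof: a value under 4 GiB can be legitimate (a small integer, a handle), so the result is a pointer to where in the trace a 64-bit address was last narrowed, which is what the question's TTD walk is doing by hand.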