
The Joy of Windows Kernel Pool Spraying

Source: compiled by this site  Author: anonymous  Date: 2017-09-21
lkd> !handle 70
PROCESS 86e80930  SessionId: 1  Cid: 0240    Peb: 7ffd4000  ParentCid: 0f80
    DirBase: bf3fd2e0  ObjectTable: a8282b30  HandleCount:  41.
    Image: python.exe
Handle table at a8282b30 with 41 entries in use
0070: Object: 86e031a8  GrantedAccess: 001f0001 Entry: 8c0d80e0
Object: 86e031a8  Type: (8521a838) Mutant
    ObjectHeader: 86e03190 (new version)
        HandleCount: 1  PointerCount: 1
This way we can find the object's location in the pool; details below:
lkd> !pool 86e031a8 
Pool page 86e031a8 region is Nonpaged pool
 86e03000 size:   98 previous size:    0  (Allocated)  IoCo (Protected)
 86e03098 size:   90 previous size:   98  (Allocated)  MmCa
 86e03128 size:   40 previous size:   90  (Allocated)  Even (Protected)
 86e03168 size:   10 previous size:   40  (Free)       Icp
*86e03178 size:   50 previous size:   10  (Allocated) *Muta (Protected)
  Pooltag Muta : Mutant objects
 86e031c8 size:   40 previous size:   50  (Allocated)  Even (Protected)
 86e03208 size:   40 previous size:   40  (Allocated)  Even (Protected)
This shows that it takes a 0x50-byte slot in the non-paged pool. No matter how many times we repeat this, it is always 0x50, so the size looks consistent. If we put the previous code in a loop, we can see that it works and gives a nice pool spray:
 851ef118 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef168 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef1b8 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef208 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef258 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef2a8 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef2f8 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef348 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef398 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef3e8 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef438 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef488 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef4d8 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef528 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef578 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef5c8 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef618 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef668 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef6b8 size:   50 previous size:   50  (Allocated)  Muta (Protected)
 851ef708 size:   50 previous size:   50  (Allocated)  Muta (Protected)
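To check a spray like the one above without eyeballing the listing, here is an added Python example (my own code, not part of the original post) that parses a `!pool` page walk such as the one quoted earlier, verifies that the chunk chain is self-consistent, measures how densely a given tag fills the page, and computes where the object body reported by `!handle` sits inside its chunk. The sample listing embedded below is the page's own `!pool` output, re-typed as a constructed string; sizes are in bytes as on 32-bit Windows.

```python
import re
# Constructed sample: the !pool listing quoted on this page (x86, sizes in bytes).
POOL_DUMP = """\
Pool page 86e031a8 region is Nonpaged pool
 86e03000 size:   98 previous size:    0  (Allocated)  IoCo (Protected)
 86e03098 size:   90 previous size:   98  (Allocated)  MmCa
 86e03128 size:   40 previous size:   90  (Allocated)  Even (Protected)
 86e03168 size:   10 previous size:   40  (Free)       Icp
*86e03178 size:   50 previous size:   10  (Allocated) *Muta (Protected)
  Pooltag Muta : Mutant objects
 86e031c8 size:   40 previous size:   50  (Allocated)  Even (Protected)
 86e03208 size:   40 previous size:   40  (Allocated)  Even (Protected)
"""
# One chunk line: optional '*' marker, address, size, previous size, state, tag.
CHUNK_RE = re.compile(
    r"^\*?\s*([0-9a-f]{8}) size:\s+([0-9a-f]+) previous size:\s+([0-9a-f]+)"
    r"\s+\((Allocated|Free)\)\s+\*?(\S+)", re.M)

def parse_pool(dump):
    """Return [(addr, size, prev_size, state, tag), ...] in page order."""
    return [(int(a, 16), int(s, 16), int(p, 16), st, tag)
            for a, s, p, st, tag in CHUNK_RE.findall(dump)]

def check_chain(chunks):
    """Each chunk must start where the previous one ends and record the previous
    chunk's size; returns [] when the page walk is consistent."""
    problems = []
    for prev, cur in zip(chunks, chunks[1:]):
        if prev[0] + prev[1] != cur[0]:
            problems.append((cur[0], "address does not follow previous chunk"))
        if cur[2] != prev[1]:
            problems.append((cur[0], "previous size field mismatch"))
    return problems

def spray_stats(chunks, tag):
    """(bytes owned by tag, longest run of adjacent tag chunks): spray density."""
    covered, best, run = 0, 0, 0
    for _, size, _, _, t in chunks:
        run = run + 1 if t == tag else 0
        covered += size if t == tag else 0
        best = max(best, run)
    return covered, best

def object_offset(chunks, obj_addr):
    """Offset of an object body (the address !handle prints) inside its chunk;
    on the page, body 86e031a8 is 0x30 into the 0x50-byte Muta chunk at 86e03178."""
    for addr, size, _, _, _ in chunks:
        if addr <= obj_addr < addr + size:
            return obj_addr - addr
    return None
```

Feeding it the 20-line `Muta` run above instead of this sample gives a longest run of 20 and 20 * 0x50 bytes covered, which is the property a spray is after; a non-empty `check_chain` result means the page walk cannot be trusted (a corrupted POOL_HEADER is one cause).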
So what changes if we give the Mutex a name? Here is another piece of Python code:
import sys
from ctypes import windll, wintypes

kernel32 = windll.kernel32
HANDLE = wintypes.HANDLE

def alloc_named_mutex(i):
    hHandle = HANDLE(0)
    # The counter makes each name unique; two mutexes cannot share a name
    hHandle = kernel32.CreateMutexA(None, False, "Pool spraying is cool " + str(i))
    if not hHandle:  # CreateMutexA returns NULL (0), not None, on failure
        print "[-] Error while creating mutex"
        sys.exit()
    print hex(hHandle)
I pass it a parameter because this matters if we want to use it for spraying: we cannot create two mutexes with the same name.
Once we have created the mutex and follow the same logic as before, we can see something slightly different:
*871d39e8 size:   60 previous size:   30  (Allocated) *Muta (Protected)
  Pooltag Muta : Mutant objects
This time it takes 0x60 bytes, which is again consistent. We can do the same spray, just with a different chunk size. There is something important here: if we look at the pool allocation, we can see a pointer at offset 0x20 from the pool chunk header that points to the Mutex name:
lkd> dd 871d39e8