WinDBG 技巧：分析程序漏洞是否可以被利用 (!exploitable 命令)

微软在最近的CanSec West 发布了一个开源的WinDBG 插件 MSEC.dll ， 该插件可以智能分析程序的漏洞是否可以被黑客利用。 可以去MSEC 开源项目的主页： http://msecdbg.codeplex.com/ 下载该插件。 解压之后，把  MSEC.dll 放到 WinDBG 安装目录的的 winext 子目录下。

 

启动WinDBG的之后， 使用 !load MSEC 来装载该插件。接下来就可以用 !exploitable 命令来分析漏洞了。 通常加上-v 选项来打印详细的信息(!exploitable -v)。

 

下面示范当程序出现空指针访问漏洞的时候如何利用!exploitable 来分析：

 

0:000> g
ModLoad: 7e410000 7e4a1000   C:/WINDOWS/system32/USER32.dll
ModLoad: 77f10000 77f59000   C:/WINDOWS/system32/GDI32.dll
ModLoad: 76390000 763ad000   C:/WINDOWS/system32/IMM32.DLL
ModLoad: 77dd0000 77e6b000   C:/WINDOWS/system32/ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:/WINDOWS/system32/RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:/WINDOWS/system32/Secur32.dll
ModLoad: 629c0000 629c9000   C:/WINDOWS/system32/LPK.DLL
ModLoad: 74d90000 74dfb000   C:/WINDOWS/system32/USP10.dll
ModLoad: 77b40000 77b62000   C:/WINDOWS/system32/Apphelp.dll
ModLoad: 77c00000 77c08000   C:/WINDOWS/system32/VERSION.dll
(a3c.10e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=785bb6f8 edx=00000000 esi=00000001 edi=0040337c
eip=00401002 esp=0012ff80 ebp=0012ffc0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
TestConsole!wmain+0x2:
00401002 8800            mov     byte ptr [eax],al          ds:0023:00000000=??

0:000> !load MSEC.dll
0:000> !exploitable -v
HostMachine/HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:/WINDOWS/system32/kernel32.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Exception Hash (Major/Minor): 0x34777202.0x123b6b02

Stack Trace:
TestConsole!wmain+0x2
TestConsole!__tmainCRTStartup+0x10f
kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x401002

Description: User Mode Write AV near NULL
Short Description: WriteAV
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - User Mode Write AV near NULL starting at TestConsole!wmain+0x2 (Hash=0x34777202.0x123b6b02)

User mode write access violations that are near NULL are probably exploitable.