Technique 1:
Set breakpoints:
bu 3440D279 ".if(1){.echo EnterVulnFunc;gc}"
bu 6e264b6c ".if(1){.echo Free heap block; dd esp l4;gc}"
Output:
EnterVulnFunc
Free heap block
0011bc5c 3441e2a2 138f0020 3b906313 10027b64
Free heap block
0011bc5c 3441dc6c 138f0020 3b906313 10027b64
(1508.e84): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=138f0018 ebx=138f0020 ecx=6e287a7e edx=10028a70 esi=008a0000 edi=00000000
eip=77691f88 esp=0011bbe8 ebp=0011bbf8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlFreeHeap+0x3a:
77691f88 80780705 cmp byte ptr [eax+7],5 ds:0023:138f001f=??
0:000> kb
ChildEBP RetAddr Args to Child
0011bbf8 75aaf14c 008a0000 00000000 138f0020 ntdll!RtlFreeHeap+0x3a
0011bc0c 6e264c39 008a0000 00000000 138f0020 kernel32!HeapFree+0x14
0011bc58 3441dc6c 138f0020 3b906313 10027b64 MSVCR80!free+0xcd
Technique 2:
0:000> kb
ChildEBP RetAddr Args to Child
0012fbe4 7c85079b 015b1000 0012fc94 0012fc70 ntdll!DbgBreakPoint
0012fbf4 7c87204b 00000007 7c8722f8 015b1000 ntdll!RtlpPageHeapStop+0x72
0012fc70 7c873305 015b1000 00000004 003f5858 ntdll!RtlpDphReportCorruptedBlock+0x11e
0012fca0 7c8734c3 015b1000 003f0000 01001002 ntdll!RtlpDphNormalHeapFree+0x32
0012fcf8 7c8766b9 015b0000 01001002 003f5858 ntdll!RtlpDebugPageHeapFree+0x146
0012fd60 7c860386 015b0000 01001002 003f5858 ntdll!RtlDebugFreeHeap+0x1ed
0012fe38 7c81d77d 015b0000 01001002 003f5858 ntdll!RtlFreeHeapSlowly+0x37
0012ff1c 78134c3b 015b0000 01001002 003f5858 ntdll!RtlFreeHeap+0x11a
0012ff68 00401016 003f5858 003f5858 00000064 MSVCR80!free+0xcd
0:000> !heap -p -a 0x3f5858
address 003f5858 found in
_HEAP @ 3f0000
in HEAP_ENTRY: Size : Prev Flags - UserPtr UserSize - state
3f5830: 0014 : N/A [N/A] - 3f5858 (70) - (free DelayedFree)
Trace: 004f
7c860386 ntdll!RtlFreeHeapSlowly+0x00000037
7c81d77d ntdll!RtlFreeHeap+0x0000011a
78134c3b MSVCR80!free+0x000000cd // the call stack already shows this block was freed once before
401010 win32!main+0x00000010
77e523cd kernel32!BaseProcessStart+0x00000023
0:000> uf 00401010
74 00401000 56 push esi
75 00401001 6a64 push 0x64
75 00401003 e824000000 call win32!operator new[] (0040102c)
75 00401008 8bf0 mov esi,eax
76 0040100a 56 push esi
76 0040100b e828000000 call win32!operator delete (00401038)
77 00401010 56 push esi
77 00401011 e81c000000 call win32!operator delete (00401032)
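As an added example (not code from the original post; all function and type names are hypothetical), the C++ below reconstructs the allocation pattern in the `uf` listing above, one `new[]` of 0x64 bytes followed by two deletes, places two hardened forms next to it, and adds a small user-mode "free ledger" that performs the check the technique 1 breakpoints let you do by eye: the same block address, 138f0020, appears in both "Free heap block" records. The buggy function is defined only to show the shape of the defect and is never called.

```cpp
// Added example, not the original post's code. Names are hypothetical;
// the 0x64-byte allocation mirrors the `uf` listing.
#include <cstddef>
#include <memory>
#include <set>

// 1. The buggy shape from the disassembly: one new[], two deletes.
//    Never executed here; the listing pairs new[] with scalar delete,
//    written as delete[] to match the allocation. The second delete is
//    what RtlFreeHeap / RtlpDphReportCorruptedBlock trips on.
void double_free_buggy() {
    char *buf = new char[0x64];
    delete[] buf;
    delete[] buf;   // double free
}

// 2. Hardened form: free through a reference and clear the pointer,
//    so a repeated call is a harmless no-op instead of a double free.
bool release_once(char *&p) {
    if (p == nullptr) return false;
    delete[] p;
    p = nullptr;
    return true;
}

int run_release_once() {
    char *buf = new char[0x64];
    int freed = 0;
    freed += release_once(buf) ? 1 : 0;
    freed += release_once(buf) ? 1 : 0;   // second call does nothing
    return freed;                         // 1
}

// 3. Same protection via std::unique_ptr: reset() on an empty owner is a no-op.
bool run_unique_ptr() {
    std::unique_ptr<char[]> buf(new char[0x64]);
    buf.reset();
    buf.reset();
    return buf == nullptr;
}

// 4. A user-mode ledger that does what the "Free heap block; dd esp l4"
//    breakpoint does by hand: record every freed address and flag a
//    second free of an address that has not been reallocated since.
class FreeLedger {
public:
    void note_alloc(const void *p) { freed_.erase(p); }
    // Returns false when p is already in the freed set (a double free).
    bool note_free(const void *p) {
        if (freed_.count(p)) return false;
        freed_.insert(p);
        return true;
    }
private:
    std::set<const void *> freed_;
};

// Replays the sequence seen in technique 1: the same block address
// shows up in two consecutive "Free heap block" records. The address is
// taken from the log above and used only as a label, never dereferenced.
bool ledger_detects_double_free() {
    FreeLedger ledger;
    const void *block = reinterpret_cast<const void *>(0x138f0020);
    ledger.note_alloc(block);
    bool first = ledger.note_free(block);    // true
    bool second = ledger.note_free(block);   // false: double free
    return first && !second;
}
```

The page-heap frames in technique 2 (`RtlpDebugPageHeapFree`, `RtlpDphReportCorruptedBlock`) come from full page heap, which is enabled per image with `gflags /p /enable <image.exe> /full`; with it on, `!heap -p -a <addr>` shows the stack of the first free, as the listing above does.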
Technique 3:
Because heap blocks are allocated dynamically, the addresses of the blocks a process allocates differ every time it is loaded under the debugger. To make analysis more efficient, take a virtual machine snapshot once debugging has reached a useful point; when the target needs to be reloaded and debugged again, simply restore the snapshot, so the heap block addresses are the same in every debugging session.