Windows 2000に MS10-099 を適用すると スタンバイできなくなる問題
Windows 2000で、 MS10-099 を適用すると、スタンバイが効かなかったり、特定の処理の応答が無くなり、CPU使用率が高くなる問題があることが分かりました。
別のプログラムが原因みたいなので、解析中です。すみません。
MS10-099のセキュリティパッチについて解析して作り直すことにしました。
パラメータのチェック追加1
;-----------------------------------------------------------------------
; L00015240 - stdcall, one DWORD argument at [ebp+08h], status returned in
; eax (retn 0004h).  Disassembly as given on the page; the stretch between
; the indirect call at L00015426 and L0001555D is omitted by the author,
; and the common exit L00015537 lies inside that omitted stretch.
; The two compares right after the prologue are the added parameter check
; ("parameter check addition 1"): the field at arg+34h (used as a size)
; must be >= 0D0h and < arg+1Ch, otherwise C0012019h is returned before
; any of the request data is touched.
; Register roles: esi = arg+20h (also kept in [Data3]); ebx = object
; obtained via [TMP]; edi = &ebx->+48h spin lock, later reused to hold the
; KfReleaseSpinLock entry point.  Spin-lock calls are fastcall:
; ecx = lock, KfAcquireSpinLock returns the old IRQL in al, and
; KfReleaseSpinLock takes the IRQL to restore in dl.
;-----------------------------------------------------------------------
L00015240:
        push    ebp
        mov     ebp,esp
        sub     esp,0000002ch+8         ; locals; written by the author as the original 2Ch plus 8
        and     dword ptr [DATA1],00000000h ; DATA1 = 0; its address is passed at L00015426
        push    esi
        mov     ecx,[ebp+08h]           ; ecx = arg
        lea     esi,[ecx+20h]           ; esi = arg+20h
        mov     eax,[esi+14h]           ; eax = arg+34h (the size being validated)
        cmp     eax,000000D0h
        mov     [Data3],esi             ; mov does not disturb the flags from cmp
        jc      L00015563               ; added check: size < 0D0h -> C0012019h (unsigned)
        cmp     eax,[ecx+1Ch]
        jnc     L00015563               ; added check: size >= arg+1Ch -> C0012019h (unsigned)
        lea     eax,[TMP]
        push    eax                     ; &TMP receives the object
        push    [esi+04h]
        call    SUB_L00013EEC
        test    al,al
        jnz     L00015287
        mov     eax,00001002h           ; al == 0: nothing obtained, return 1002h
        jmp     L00015568
L00015287:
        push    ebx
        mov     ebx,[TMP]               ; ebx = object from SUB_L00013EEC
        push    edi
        lea     edi,[ebx+48h]           ; edi = &ebx->+48h (spin lock)
        mov     ecx,edi
        call    [HAL.dll!KfAcquireSpinLock]
        mov     [ebx+4Ch],al            ; old IRQL stored beside the lock
        mov     ecx,[ebx+30h]
        test    byte ptr [ecx+38h],04h  ; flag bit 2 of [ebx+30h]->+38h
        mov     [DATA0],al              ; keep the old IRQL for the release at L000152DE
        jnz     L000152BC
        mov     ecx,edi                 ; flag clear: release the lock and fail with 1003h
        mov     edi,[HAL.dll!KfReleaseSpinLock]
        mov     dl,al
        call    edi
        mov     esi,00001003h
        jmp     L00015537
L000152BC:
        cmp     dword ptr [esi+34h],00000001h
        jnz     L000152D3
        lea     eax,[Data2]
        push    eax                     ; &Data2 receives the result
        push    [esi+38h]
        push    ebx
        call    SUB_L000140DC
        test    al,al                   ; ZF is consumed by the jnz at L000152DE
        jmp     L000152DE
L000152D3:
        push    ebx
        call    SUB_L0001416A
        mov     [Data2],eax
        test    eax,eax                 ; ZF is consumed by the jnz at L000152DE
L000152DE:
        mov     dl,[DATA0]              ; the three movs preserve ZF from the test above
        mov     ecx,edi
        mov     edi,[HAL.dll!KfReleaseSpinLock]
        jnz     L000152F7
        mov     esi,00001002h           ; result was zero: release the lock, return 1002h
        call    edi
        jmp     L00015537
L000152F7:
        mov     eax,[ebx+0Ch]
        mov     eax,[eax+0Ch]
        mov     esi,[ebx+24h]
        mov     [Data4],eax             ; Data4 = ebx->+0Ch->+0Ch
        mov     [Data5],esi             ; Data5 = ebx->+24h
        call    edi                     ; KfReleaseSpinLock(ebx+48h, DATA0)
        lea     ecx,[esi+6Ch]           ; second lock: Data5+6Ch
        mov     [TMP],ecx
        call    [HAL.dll!KfAcquireSpinLock]
        push    esi
        mov     [esi+70h],al            ; old IRQL stored at Data5+70h
        call    SUB_L00017F14
        mov     ecx,[TMP]
        mov     esi,eax                 ; esi = result of SUB_L00017F14
        mov     eax,[Data5]
        mov     dl,[eax+70h]
        call    edi                     ; KfReleaseSpinLock(Data5+6Ch, saved IRQL)
        test    esi,esi
        jz      L000153DA               ; NULL -> C0012018h
        push    00000000h
        push    esi
        call    SUB_L00013BE8
        test    eax,eax
        jnz     L000153D4               ; nonzero -> SUB_L00016ABA(esi), then C0012018h
        mov     eax,[Data2]
        xor     ecx,ecx
        mov     [esi+00000098h],eax     ; esi->+98h = Data2
        mov     [esi+00000094h],ebx     ; esi->+94h = ebx
        add     eax,00000014h
        inc     ecx
        lock xadd [eax],ecx             ; atomic increment of Data2->+14h (looks like a refcount)
        mov     eax,[ebx+30h]
        xor     ecx,ecx
        add     eax,00000014h
        inc     ecx
        lock xadd [eax],ecx             ; atomic increment of [ebx+30h]->+14h
        mov     eax,[Data3]             ; eax = arg+20h
        mov     ecx,[eax+08h]
        mov     [esi+0000009Ch],ecx     ; esi->+9Ch = arg+28h
        mov     ecx,[esi+000000B0h]     ; ecx = esi->+B0h, the block filled in below
        mov     edx,[ebx+20h]
        mov     [ecx+10h],edx           ; +10h = ebx->+20h
        mov     ecx,[esi+000000B0h]
        mov     edx,[Data2]
        mov     edx,[edx+10h]
        mov     [ecx+14h],edx           ; +14h = Data2->+10h
        mov     ecx,[esi+000000B0h]
        mov     dword ptr [ecx+50h],00000001h
        mov     edx,[eax+20h]
        mov     ecx,[esi+000000B0h]
        mov     [ecx+18h],edx           ; +18h = arg+40h
        mov     ecx,[esi+000000B0h]
        mov     edx,[eax+2Ch]
        mov     [ecx+20h],edx           ; +20h = arg+4Ch
        mov     eax,[eax+28h]           ; eax = arg+48h
        test    eax,eax
        mov     ecx,[esi+000000B0h]
        jnz     L000153C7
        mov     eax,[ebx+2Ch]           ; arg+48h == 0: fall back to [ebx+2Ch]->+38h
        mov     eax,[eax+38h]
L000153C7:
        push    esi
        mov     [ecx+1Ch],eax           ; +1Ch = chosen value
        call    SUB_L00013CA0
        test    al,al
        jnz     L000153E4
L000153D4:
        push    esi                     ; failure: give esi back
        call    SUB_L00016ABA
L000153DA:
        mov     esi,C0012018h
        jmp     L00015537
L000153E4:
        mov     eax,[esi+000000A0h]
        mov     ecx,[Data3]
        mov     [ecx+0Ch],eax           ; arg+2Ch = esi->+A0h
        lea     eax,[esi+20h]
        push    eax                     ; NdisVcHandle out: &esi->+20h
        push    [esi+000000A0h]         ; ProtocolVcContext
        mov     eax,[Data5]
        push    [eax+10h]               ; NdisAfHandle = Data5->+10h
        mov     eax,[Data4]
        push    [eax+18h]               ; NdisBindingHandle = Data4->+18h
        call    [NDIS.SYS!NdisCoCreateVc]
        test    eax,eax
        jz      L00015426               ; NDIS_STATUS_SUCCESS (0)
        push    esi                     ; VC creation failed: tear esi down
        call    SUB_L00013E3A
        push    esi
        call    SUB_L00016ABA
        mov     esi,C0012002h
        jmp     L00015537
L00015426:
        lea     eax,[DATA1]
        push    eax                     ; &DATA1 (zeroed in the prologue)
        mov     eax,[ebp+08h]
        push    [eax+1Ch]               ; arg+1Ch
        push    [Data3]                 ; arg+20h
        mov     eax,[Data2]
        push    00000001h
        push    [eax+10h]               ; Data2->+10h
        mov     eax,[Data5]
        push    [ebx+20h]
        push    esi
        call    [eax+3Ch]               ; indirect call through Data5->+3Ch, seven arguments
        ; ... omitted by the author ("中略") ...
L0001555D:
        pop     edi
        mov     eax,esi                 ; status accumulated in esi becomes the return value
        pop     ebx
        jmp     L00015568
L00015563:
        mov     eax,C0012019h           ; parameter check failed
L00015568:
        pop     esi
        leave
        retn    0004h
パラメータのチェック追加2
;-----------------------------------------------------------------------
; L00015601 - fragment ("parameter check addition 2"); the enclosing
; function begins before and ends after this listing (L0001564F and the
; common exit L0001597F are not shown).
; In:  esi = request structure; [ebp-610h] = object with a spin lock at
;      +48h, saved IRQL at +4Ch and a counter at +08h; edi = the value
;      [ebp-610h] is compared against (its meaning is not visible here).
; Added check: [esi+2Ch] must be <= [esi+1Ch] - 0Ch (unsigned).  On
; failure the object's counter is dropped under its lock and C0012019h
; is returned through L0001597F.
;-----------------------------------------------------------------------
L00015601:
        mov     eax,[esi+1Ch]
        push    ebx
        lea     ebx,[esi+2Ch]           ; ebx = &request->+2Ch
        mov     esi,[ebp-00000610h]     ; esi = object to release on failure
        sub     eax,0000000Ch           ; eax = [request+1Ch] - 0Ch, the limit
        cmp     [ebx],eax
        jbe     L0001564F               ; within limit -> continue (outside this listing)
        cmp     esi,edi                 ; object equal to edi: nothing to release
        jz      L00015645
        lea     edi,[esi+48h]           ; edi = &object->+48h spin lock
        mov     ecx,edi
        call    [HAL.dll!KfAcquireSpinLock] ; fastcall: al = old IRQL
        mov     [esi+4Ch],al
        dec     [esi+08h]               ; drop the counter; ZF set when it reaches zero
        mov     dl,[esi+4Ch]            ; dl = IRQL to restore; mov keeps ZF
        mov     ecx,edi
        jnz     L0001563F               ; counter still nonzero: only release the lock
        call    [HAL.dll!KfReleaseSpinLock]
        push    esi
        call    SUB_L000151EA           ; counter hit zero: presumably frees the object - confirm
        jmp     L00015645
L0001563F:
        call    [HAL.dll!KfReleaseSpinLock]
L00015645:
        mov     eax,C0012019h           ; same status as the other added checks
        jmp     L0001597F
パラメータのチェック追加3
;-----------------------------------------------------------------------
; L00015B01 - fragment ("parameter check addition 3"); the enclosing
; function begins before and ends after this listing (L00015B50 and the
; common exit L00015C99 are not shown).  Same shape as the check at
; L00015601 with different offsets: [edi+30h] must be <= [edi+1Ch] - 10h
; (unsigned), and the object in [ebp-410h] is tested against NULL rather
; than against a register.
;-----------------------------------------------------------------------
L00015B01:
        mov     eax,[edi+1Ch]
        push    ebx
        lea     ebx,[edi+30h]           ; ebx = &request->+30h
        sub     eax,00000010h           ; eax = [request+1Ch] - 10h, the limit
        cmp     [ebx],eax
        push    esi                     ; push/mov keep the flags from cmp
        mov     esi,[ebp-00000410h]     ; esi = object to release on failure
        jbe     L00015B50               ; within limit -> continue (outside this listing)
        test    esi,esi
        jz      L00015B46               ; no object: straight to the status
        lea     edi,[esi+48h]           ; edi = &object->+48h spin lock
        mov     ecx,edi
        call    [HAL.dll!KfAcquireSpinLock] ; fastcall: al = old IRQL
        mov     [esi+4Ch],al
        dec     [esi+08h]               ; drop the counter; ZF set when it reaches zero
        mov     dl,[esi+4Ch]            ; dl = IRQL to restore; mov keeps ZF
        mov     ecx,edi
        jnz     L00015B40               ; counter still nonzero: only release the lock
        call    [HAL.dll!KfReleaseSpinLock]
        push    esi
        call    SUB_L000151EA           ; counter hit zero: presumably frees the object - confirm
        jmp     L00015B46
L00015B40:
        call    [HAL.dll!KfReleaseSpinLock]
L00015B46:
        mov     eax,C0012019h
        jmp     L00015C99
オリジナル1
; Original 1 (before the fix).  The allocation size is the sum of a
; field reached through Param1 and a local, computed with a plain 32-bit
; add; nothing checks that the sum did not wrap.
        mov     eax,[Param1]
        mov     eax,[eax+28h]
        mov     eax,[eax+48h]           ; eax = Param1->+28h->+48h
        add     eax,[ebp-80h]           ; eax += [ebp-80h], unchecked
        push    006A5850h               ; Tag = 'PXj'
        push    eax                     ; NumberOfBytes
        push    00000000h               ; PoolType = NonPagedPool
        mov     [ebp-0000008Ch],eax     ; size also kept at [ebp-8Ch]
        call    [ntoskrnl.exe!ExAllocatePoolWithTag]
修正版1
; Fixed 1.  The add is replaced by SUB_L000132D8([ebp-80h], Param1->+28h->+48h,
; &[ebp-84h]), which reports failure with a negative eax; presumably an
; overflow-checked add - confirm in SUB_L000132D8.  Note the size now lives
; at [ebp-84h] rather than [ebp-8Ch]; later readers of [ebp-8Ch] (not shown)
; must have been updated accordingly.
        lea     eax,[ebp-00000084h]
        push    eax                     ; &result
        mov     eax,[Param1]
        mov     eax,[eax+28h]
        push    [eax+48h]               ; second addend
        push    [ebp-80h]               ; first addend
        call    SUB_L000132D8
        test    eax,eax
        jl      L000176CB               ; negative status -> error path (outside this listing)
        push    006A5850h               ; Tag = 'PXj'
        push    [ebp-00000084h]         ; NumberOfBytes = checked sum
        push    00000000h               ; PoolType = NonPagedPool
        call    [ntoskrnl.exe!ExAllocatePoolWithTag]
オリジナル2
; Original 2 (before the fix).  Sums eight counts taken from the caller's
; structure at offsets listed in the table L000181B0 (stride 8, dwords at
; 0..38h) plus 0DCh + 2*[arg18h+10h] + 78h, then allocates that many bytes.
; Every add is an unchecked lea, and the table offsets are applied to the
; caller's buffer without comparing them against its length.
; Locals: [ebp-0Ch] = status, [ebp-08h] = arg18h+1Ch, [ebp-10h] = 2*count,
; [ebp-04h] = running total, [ebp-14h] = allocation.
        mov     eax,[ebp+1Ch]
        push    ebx
        xor     ebx,ebx
        mov     [eax],ebx               ; *out = 0
        mov     eax,[ebp+18h]
        push    esi
        mov     esi,[eax+10h]
        shl     esi,1                   ; esi = 2 * arg18h->+10h
        lea     ecx,[eax+1Ch]           ; ecx = arg18h+1Ch, base for the table offsets
        push    edi
        mov     [ebp-0Ch],ebx           ; status = 0
        mov     [ebp-08h],ecx
        mov     [ebp-10h],esi
        lea     eax,[esi+000000DCh]     ; total = 2*count + 0DCh
        xor     edx,edx                 ; edx = table index (bytes)
        jmp     L000179A9
L000179A6:
        mov     eax,[ebp-04h]           ; reload the running total
L000179A9:
        mov     edi,[edx+L000181B0]     ; edi = table[edx] (offset into the caller's structure)
        mov     edi,[edi+ecx]           ; edi = dword at base+offset, no bounds check
        add     edx,00000008h
        cmp     edx,00000040h
        lea     eax,[eax+edi+04h]       ; total += value + 4 (unchecked; lea keeps flags)
        mov     [ebp-04h],eax
        jc      L000179A6               ; eight iterations: edx = 0..38h
        mov     edi,eax
        push    00375850h               ; Tag = 'PX7'
        add     edi,00000078h           ; edi = total + 78h, unchecked
        push    edi                     ; NumberOfBytes
        push    ebx                     ; PoolType = NonPagedPool (ebx == 0)
        call    [ntoskrnl.exe!ExAllocatePoolWithTag]
        mov     edx,eax
        cmp     edx,ebx
        mov     [ebp-14h],edx           ; keep the allocation
        jnz     L000179E8
        mov     dword ptr [ebp-0Ch],C000009Ah ; STATUS_INSUFFICIENT_RESOURCES
        jmp     L00017ACE               ; exit, outside this listing
L000179E8:
        xor     eax,eax
        mov     ecx,edi
        mov     ebx,ecx                 ; ebx = byte size
        shr     ecx,02h                 ; ecx = size in dwords (listing continues past here)
修正版2
; Fixed 2.  Same computation as the original with every add routed through
; SUB_L000167F8(a, b, &out), which reports failure with a negative eax
; (presumably an overflow-checked add - confirm), and with each table offset
; compared against the caller-supplied length before it is used.
; The output pointer has moved from [ebp+1Ch] to [ebp+20h]; [ebp+1Ch] now
; carries what looks like a length and is afterwards reused as the loop
; index and finally as the allocation size.
; Locals: [ebp-04h] = status, [ebp-08h] = checked running total,
; [ebp-0Ch] = arg18h+1Ch, [ebp-14h] = 2*count, [ebp-10h] = length - 1Ch,
; later the allocation.
; NOTE(review): edi is never reset inside the loop, so each iteration adds
; the running sum of (value + 4) rather than the single value the original
; added; the total is therefore larger than the original's - confirm this is
; intended.  Also, the bound allows offset == length - 1Ch, at which point the
; 4-byte read at [eax+ebx] ends 4 bytes past that length - confirm what
; [ebp+1Ch] measures.
        mov     eax,[ebp+20h]
        push    ebx
        push    esi
        push    edi
        xor     edi,edi
        mov     [eax],edi               ; *out = 0
        mov     eax,[ebp+18h]
        mov     esi,[eax+10h]
        lea     ecx,[ebp-08h]
        push    ecx                     ; &total
        lea     ebx,[eax+1Ch]           ; ebx = arg18h+1Ch, base for the table offsets
        shl     esi,1                   ; esi = 2 * arg18h->+10h
        mov     eax,000000DCh
        push    esi                     ; b = 2*count
        push    eax                     ; a = 0DCh
        mov     [ebp-04h],edi           ; status = 0
        mov     [ebp-0Ch],ebx
        mov     [ebp-14h],esi
        mov     [ebp-08h],eax
        call    SUB_L000167F8           ; total = 0DCh + 2*count, checked
        test    eax,eax
        jl      L00017B39
        mov     eax,[ebp+1Ch]
        add     eax,FFFFFFE4h           ; eax = length - 1Ch (the span available past ebx)
        and     [ebp+1Ch],edi           ; [ebp+1Ch] = 0, now the table index
        mov     [ebp-10h],eax
L00017AF7:
        mov     eax,[ebp+1Ch]
        mov     eax,[eax+L00018330]     ; eax = table[index] (offset into the caller's structure)
        cmp     [ebp-10h],eax
        jc      L00017B45               ; added check: offset > length - 1Ch -> fail
        mov     eax,[eax+ebx]           ; eax = dword at base+offset
        lea     edi,[edi+eax+04h]       ; edi accumulates value + 4 across iterations
        lea     eax,[ebp-08h]
        push    eax                     ; &total
        push    edi
        push    [ebp-08h]
        call    SUB_L000167F8           ; total += edi, checked
        test    eax,eax
        jl      L00017B39
        add     dword ptr [ebp+1Ch],00000008h
        cmp     dword ptr [ebp+1Ch],00000040h
        jc      L00017AF7               ; eight iterations: index = 0..38h
        lea     eax,[ebp+1Ch]
        push    eax                     ; &[ebp+1Ch] receives the final size
        push    00000078h
        push    [ebp-08h]
        call    SUB_L000167F8           ; [ebp+1Ch] = total + 78h, checked
        test    eax,eax
        jge     L00017B51
L00017B39:
        mov     dword ptr [ebp-04h],80000005h ; STATUS_BUFFER_OVERFLOW on any checked-add failure
        jmp     L00017C51               ; exit, outside this listing
L00017B45:
        mov     dword ptr [ebp-04h],C000009Ah ; STATUS_INSUFFICIENT_RESOURCES
        jmp     L00017C51
L00017B51:
        push    00375850h               ; Tag = 'PX7'
        push    [ebp+1Ch]               ; NumberOfBytes = checked size
        push    00000000h               ; PoolType = NonPagedPool
        call    [ntoskrnl.exe!ExAllocatePoolWithTag]
        mov     edx,eax
        test    edx,edx
        mov     [ebp-10h],edx           ; keep the allocation
        jz      L00017B45               ; allocation failed
        mov     ecx,[ebp+1Ch]
        mov     ebx,ecx                 ; ebx = byte size
        shr     ecx,02h                 ; ecx = size in dwords (listing continues past here)
        xor     eax,eax
バッファーチェックなどが4か所増えています。