KB4491443 の解析
Windows Embedded POSReady 2009 でリモートでコード実行の脆弱性のセキュリティ更新プログラムの説明: 2019 年 4 月 9日
このアップデートの中身はnetbios ドライバである netbt.sys の更新。
Windows XP のバイナリを 2000に放り込んだ場合、対応 SeExports のテーブルがNULLを返してクラッシュする。
違いはここだけ
|
SUB_L0002F9BF:
mov edi,edi
push ebp
mov ebp,esp
sub esp,0000001Ch
push ebx
mov ebx,[ntoskrnl.exe!ExAllocatePoolWithTag]
push esi
mov esi,[ebp+14h]
push edi
push 3732624Eh
xor edi,edi
push 00000190h
push edi
mov [ebp-04h],edi
mov [esi],edi
call ebx
cmp eax,edi
mov [ebp-18h],eax
jz L0003151A
mov edi,[ebp+10h]
push 3832624Eh
shl edi,06h
push edi
push 00000000h
call ebx
mov ebx,eax
test ebx,ebx
jz L00031524
mov ecx,edi
mov edx,ecx
shr ecx,02h
xor eax,eax
mov edi,ebx
rep stosd
mov ecx,edx
and ecx,00000003h
rep stosb
mov eax,[ebp+10h]
test eax,eax
mov [esi],ebx
jle L0002FBBD
mov ecx,[ebp+0Ch]
add ecx,00000008h
mov [ebp-08h],ecx
mov [ebp-0Ch],eax
L0002FA39:
movzx eax,[ecx-04h]
mov esi,[ecx]
shr eax,1
dec eax
mov edx,eax
lea esi,[esi+eax*2]
mov [ebp-14h],eax
mov [ebp+0Ch],edx
mov [ebp+10h],esi
jz L0002FBAE
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
L0002FA60:
mov di,[esi]
cmp di,[L0002FBE0]
jz L0002FA79
dec edx
dec esi
dec esi
test edx,edx
mov [ebp+0Ch],edx
mov [ebp+10h],esi
jnz L0002FA60
L0002FA79:
test edx,edx
jz L0002FBAE
cmp edx,eax
jz L0002FBAE
lea esi,[eax-01h]
cmp edx,esi
jz L0002FBAE
sub eax,edx
cmp eax,00000190h
mov [ebp-10h],eax
jg L0002FBAE
mov esi,SWC0002FBE4_Parameters_Interfaces_
push esi
call [ntoskrnl.exe!wcslen]
mov edi,[ebp-18h]
pop ecx
lea ecx,[eax+eax]
mov edx,ecx
shr ecx,02h
rep movsd
mov ecx,edx
mov edx,[ebp-18h]
and ecx,00000003h
rep movsb
mov esi,[ebp+10h]
mov ecx,[ebp-10h]
lea edi,[edx+eax*2]
sub eax,[ebp+0Ch]
add esi,00000002h
add eax,[ebp-14h]
rep movsw
|
変更後
|
SUB_L00031503:
mov edi,edi
push ebp
mov ebp,esp
sub esp,0000001Ch
push ebx
push esi
mov esi,[ebp+14h]
push edi
xor edi,edi
push offset _Parameters_Interfaces_
mov [ebp-04h],edi
mov [esi],edi
call [ntoskrnl.exe!wcslen]
mov ebx,[ntoskrnl.exe!ExAllocatePoolWithTag]
mov dword ptr [esp],3732624Eh
push 000001C2h
push edi
mov [ebp-08h],eax
call ebx
cmp eax,edi
mov [ebp-18h],eax
jz L00031528
mov edi,[ebp+10h]
push 3832624Eh
shl edi,06h
push edi
push 00000000h
call ebx
mov ebx,eax
test ebx,ebx
jz L00031532
mov ecx,edi
mov edx,ecx
shr ecx,02h
xor eax,eax
mov edi,ebx
rep stosd
mov ecx,edx
and ecx,00000003h
rep stosb
mov eax,[ebp+10h]
test eax,eax
mov [esi],ebx
jle L0002FBD0
mov ecx,[ebp+0Ch]
add ecx,00000008h
mov [ebp-0Ch],ecx
mov [ebp-10h],eax
L0002FA54:
movzx eax,[ecx-04h]
mov esi,[ecx]
shr eax,1
dec eax
lea esi,[esi+eax*2]
mov edx,eax
mov [ebp+0Ch],esi
jz L0002FBC1
nop
nop
nop
nop
nop
L0002FA70:
mov di,[esi]
cmp di,[L0002FBF4]
jz L0002FA86
dec edx
dec esi
dec esi
test edx,edx
mov [ebp+0Ch],esi
jnz L0002FA70
L0002FA86:
test edx,edx
jz L0002FBC1
cmp edx,eax
jz L0002FBC1
lea esi,[eax-01h]
cmp edx,esi
jz L0002FBC1
mov [ebp+10h],eax
sub [ebp+10h],edx
mov eax,[ebp-08h]
mov edx,000000E1h
sub edx,eax
cmp [ebp+10h],edx
jg L0002FBC1
lea ecx,[eax+eax]
mov eax,[ebp-18h]
mov [ebp-14h],ecx
mov edx,ecx
shr ecx,02h
mov edi,eax
mov esi,offset _Parameters_Interfaces_
rep movsd
mov ecx,edx
mov edx,[ebp+10h]
and ecx,00000003h
rep movsb
mov esi,[ebp+0Ch]
mov edi,[ebp-14h]
mov ecx,edx
add edi,eax
add esi,00000002h
rep movsw
|
Windows 2000のコードもほぼ同じ
Translate
Comments