Combating the Advanced Memory Exploitation Techniques: Detecting ROP with Memory Information Leak
By nEINEI / CanSecWest 2014
Agenda
• Background
• Our approach
• Case Study
• Optimization
• Acknowledgement & Reference
Background: What's ROP?
ROP (Return-Oriented Programming): search for instruction sequences (gadgets) that end with a ret instruction (0xC3) and chain them to construct basic functionality such as memory read/write, logic operations and flow control.
It is the main weapon for bypassing DEP: since the memory holding the shellcode is not executable, the attacker uses the ROP chain to set the executable flag on the memory where the shellcode resides.
In order to make sure the ROP chain runs successfully, the 1st ROP gadget needs to switch the current ESP to point to some attacker-controlled data on the heap (stack pivot).
Background: ROP Exploitation Approaches
Statically loaded module base information + ROP
Load non-ASLR modules, such as Adobe Shockwave (dirapi.dll), MSVCR71.dll, Office (HXDS.DLL), etc.; these modules are loaded at fixed addresses in the process space, so they are very easy to leverage for constructing the ROP chain.
Memory information leak + ROP: calculate the ROP module's load base address at runtime
Exploit a vulnerability to modify an array object's length field, increasing the array length to achieve an out-of-bounds arbitrary address read/write, and leak the ntdll.dll address from SharedUserData (CVE-2013-1690).
Exploit a vulnerability to modify the null terminator of a BSTR string, so that the memory information following it can be leaked (CVE-2013-0640).
Exploit a vulnerability to modify the length of a Flash Vector object (from Flash ActionScript) and read out of bounds the vtable pointer of a subsequent object; obtain the module base address -> obtain the module's import table address -> obtain the kernel32 base -> obtain the ntdll.dll base (CVE-2014-0322).
Microsoft EMET (Enhanced Mitigation Experience Toolkit)
Check points: stack pivot, caller check, simulated execution flow.
Weakness: API-hook based detection, subject to API hook hopping bypass.
Leverage the Intel Pin tool for dynamic instruction instrumentation, monitoring the executed instruction sequence at runtime
Check points: the presence of some gadgets unique to ROP; validity checks on ret/call/jmp.
Weakness: performance hit in real applications.
Compile-time ROP prevention: the work is split across basic blocks of code, and every time the code is recompiled the addresses of those basic blocks change, so the attacker cannot find a fixed address for a ROP gadget.
Weakness: no compiler supports this feature.
Observation
Usually the valid entry points of a module (the target of control flow transfer, the function address
in vftable, jump table, export table, etc) are pre-defined at compilation time, whereas the invalid
entry points of code execution (e.g., ROP) are not; and such invalid entries typically hit the middle
of a legitimate instruction.
Our approach
Separate valid entries from those invalid entries of execution, and then try to trap the invalid
execution.
What ROP exploitation types can our approach cover?
An exploit that leverages non-ASLR modules to launch ROP
An exploit that uses a memory info leak to dynamically calculate the randomized base address of the ROP module
How does our approach work?
Copy the .text section (code section) of the ROP module to a new memory region "new_text_code".
Set the memory attribute of the original .text section of the ROP module to NO_EXECUTE (read only).
Hook INT 0xE (the page fault exception) and capture the page fault in kernel mode; judge whether the fault was generated on the original .text section of the ROP module, and if so redirect the faulting code execution to the same offset in the new .text section new_text_code to continue executing. In this way the page fault is handled by us transparently, without the intervention of the OS.
Since we can see and analyze each attempt to execute code on the original .text section in our page fault handler, whenever a ROP-like execution happens we can catch/block it immediately.
Our advantages?
Not subject to hook hopping bypass
Able to locate the 1st ROP gadget instruction and trace back to the place where the vulnerability is triggered.
Among these steps, 5 and 6 are the key points:
• Step 5: determine the source of the page fault: from which process, the range of the faulting instruction address, and the error code value.
• Step 6: based on the faulting instruction address, calculate a new address (on the new .text section) for redirection. When the current fault handling is done, control flow returns to the newly calculated address, and normal execution resumes from there.
Our Approach: How is the kernel page fault handled?
1 Hook the kernel exception handler (page fault, IDT vector 0xE).
__asm cli                                   // disable interrupts while the IDT entry is rewritten
// the original LowOffset/HighOffset should be saved first, so that faults not caused by the
// relocated .text can be passed on to the OS handler
// point the page-fault gate at our handler: the 32-bit address is split into two 16-bit halves
idt_entries[IDT_INT_PAGE_FAULT].LowOffset  = (USHORT)((ULONG)IDT_PageFault_Hook & 0xFFFF);
idt_entries[IDT_INT_PAGE_FAULT].HighOffset = (USHORT)((ULONG)IDT_PageFault_Hook >> 16);
__asm sti                                   // re-enable interrupts
2 Determine the source of the fault (from which process), the range of the faulting instruction address, and the error code value.
3 Based on the faulting instruction address, calculate a new address (on the new .text section) for redirection. When the current fault handling is done, control flow returns to the newly calculated place and normal execution continues.
In order to know all the context information when the vulnerability is triggered, including the call stack on the ROP module, we need to analyze the offending instruction and output the analysis results. In the page fault handler we set:
1) [ring0->eip] = pfnStub_PrintRelocInfoAndAnalysis (the kernel first returns to our instruction analyzing and logging function)
2) [ring3->esp-4] = new_text_code_by_redirect_offset (the new redirection address is stored at esp-4 on the user stack)
3) [ring0->esp-16] = addr(ring3->esp-4) (the ring3 stack pointer is modified to esp-4)
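The decisions in steps 5 and 6 (filter the #PF error code, test whether the faulting EIP lies in the original .text range, compute the same offset in new_text_code, and flag entries that are not pre-defined valid entry points) as an added C example; this is not code from the talk or the Anti-ROP project. The constants come from the appendix log (AcroForm.api base 0x69160000, new_text_code at 0x5af0000, fault at 0x69319f50 redirected to 0x5ca8f50); the .text RVA of 0x1000, the .text size and the valid-entry table are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* x86 #PF error-code bits (Intel SDM vol. 3, "Page-Fault Exceptions") */
#define PF_PROT   0x01u   /* 1 = page present, protection violation (NX / read-only hit) */
#define PF_WRITE  0x02u   /* 1 = write access */
#define PF_USER   0x04u   /* 1 = fault raised in user mode (ring 3) */
#define PF_IFETCH 0x10u   /* 1 = instruction fetch (only set when NX is enabled) */

typedef enum {
    PF_NOT_OURS,      /* not an execute fault on the relocated .text: chain to the OS handler */
    PF_VALID_ENTRY,   /* pre-defined entry point (export, vtable slot, jump table): redirect silently */
    PF_ROP_SUSPECT    /* execution entering .text where no legitimate caller should land */
} pf_verdict;

typedef struct {
    uint32_t text_start;           /* VA of the original .text, now PAGE_READONLY (NX) */
    uint32_t text_size;
    uint32_t new_text;             /* VA of new_text_code, the executable shadow copy */
    const uint32_t *valid_entries; /* sorted VAs of pre-defined entry points in the original .text */
    size_t n_valid;
} reloc_ctx;

/* binary search over the sorted valid-entry table */
static int is_valid_entry(const reloc_ctx *c, uint32_t va)
{
    size_t lo = 0, hi = c->n_valid;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (c->valid_entries[mid] == va) return 1;
        if (c->valid_entries[mid] < va) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Steps 5 and 6 of the handler: classify the fault and compute the redirect address.
 * fault_eip is the faulting instruction address (CR2 == EIP for an instruction-fetch fault),
 * err is the error code pushed by the CPU; *new_eip receives the address in new_text_code
 * that the trap frame's EIP is rewritten to (0 when the fault is not ours). */
pf_verdict classify_fault(const reloc_ctx *c, uint32_t fault_eip, uint32_t err, uint32_t *new_eip)
{
    const uint32_t want = PF_PROT | PF_USER | PF_IFETCH;
    *new_eip = 0;
    /* only a user-mode instruction fetch on a present (but NX) page can be a relocation fault */
    if ((err & want) != want) return PF_NOT_OURS;
    if (fault_eip < c->text_start || fault_eip - c->text_start >= c->text_size) return PF_NOT_OURS;
    /* same offset, other copy */
    *new_eip = c->new_text + (fault_eip - c->text_start);
    return is_valid_entry(c, fault_eip) ? PF_VALID_ENTRY : PF_ROP_SUSPECT;
}

/* Values from the appendix log: AcroForm.api base 0x69160000, shadow copy at 0x05af0000.
 * ASSUMED: .text starts at RVA 0x1000 (consistent with the logged fault/new-eip pair),
 * its size, and the valid-entry list (constructed from prologue addresses seen in the log). */
static const uint32_t k_valid_entries[] = { 0x69205459u, 0x6920618Bu, 0x69516096u, 0x69648486u };
const reloc_ctx acroform_ctx = {
    0x69161000u, 0x00A00000u, 0x05AF0000u,
    k_valid_entries, sizeof k_valid_entries / sizeof k_valid_entries[0]
};

int main(void)
{
    uint32_t new_eip;
    /* the stack-pivot fault from the log: PUSH EAX / POP ESP at 0x69319F50, error code 0x15 */
    pf_verdict v = classify_fault(&acroform_ctx, 0x69319F50u, 0x15u, &new_eip);
    printf("fault 0x69319f50 -> verdict %d, new eip 0x%x\n", (int)v, (unsigned)new_eip);
    return 0;
}
```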
Initialization
Inject our own DLL (i.e., myring3.dll) into the target process
Parse the PE structure of the ROP module and copy the entire .text section to a newly allocated memory region "new_text_code"; set the memory attribute of the original .text section of the ROP module to PAGE_READONLY to make it NO_EXECUTE
Suspend all threads except the current thread itself
Notify the ring0 driver to start the address redirection
ROP detection
The DLL module does the instruction analysis and logs the exception information and analysis results
Why can the relocated code still run?
Executing the instructions within the original .text section
The execution of normal instructions or relative-address control transfers within the new memory region "new_text_code" continues in this region, until it hits a control transfer instruction (i.e., jmp/ret/call) that uses an absolute address, which leads to an access to the original .text section and thus causes a page fault.
External calls
An external module's call into the original .text section will cause a page fault and then be redirected to the new memory region to continue execution.
Already running threads
If some threads are already running inside the ROP module before the .text section relocation is done, these threads will be redirected to run on the new region; however, some function return addresses that were pushed on the thread stacks by earlier function calls may still point to the original .text section. These old return addresses cause a few more page faults, but they are gradually resolved to the new region as the nested function calls return.
The code access (instruction fetch) faults, i.e., copy-unfriendly instruction/address types
Some control transfer instructions in "new_text_code" using an absolute address may go back to the original code region
A module passes information (interface pointer, function or data address, etc.) out to external modules through some interface call.
Call/jmp instructions via a function address table (containing a list of absolute addresses) within a module, such as a virtual function table or jump table.
Export function addresses to external modules via the PE's export address table (EAT).
"Copy-friendly" instructions
Normal instructions (mov, xor, inc, add, ...) always run unaffected no matter where you move them to
Relative control transfers (call/jmp) also run "self-contained" within the new region they are moved to
"Copy-unfriendly" instructions
Control transfer using an absolute address
A module passes an interface pointer out to external modules: the interface pointer exported by the old code is still held by the referencing modules
Call/jmp instructions via a function address table (containing a list of absolute addresses) within a module, such as a virtual function table or jump table.
Export function addresses to external modules via the PE's EAT.
By redirecting the faulting code access, any code execution attempt from the original .text section is transparently forwarded to the execution of the same corresponding code in the new code region (new_text_code).
Page faults are generated during this process, either by the relocated module (the new code region) or by other external modules.
Our page fault handler catches every code execution attempt on the original .text section and checks the faulting instruction for validity, to determine whether this is a valid entry or a ROP-like entry.
A ROP exploit via a ROP module loaded at a fixed address constructs the fake stack from a hard-coded sequence of addresses; such addresses point to the gadgets on the original .text section of the ROP module. In the following example, the page at 0x51BE5B98 is set to non-executable; therefore when the ROP chain executes the instructions it needs there, we catch the faulting instruction and identify the ROP attack.
In the case of an information leak, the base address where the ROP module is loaded is calculated at runtime; so why does the leaked address still point to the original module after we do the redirection?
For example, CVE-2013-0640:
We can see that a string is allocated first, 58 58 58 58 00 = "XXXX"; by triggering the vulnerability, the null terminator after the 0x58 bytes is modified to 0xFE.
The attacker deliberately places a Node object after the string array, and uses the vulnerability to read the Node object's vtable address out of bounds, i.e., 0x4da7af4.
The offset of the Node object's vtable relative to the ROP module base (AcroForm.api) is fixed, i.e., 0x7A7AF4. Therefore the randomized (ASLRed) base address of the ROP module = vtable address - offset = 0x04DA7AF4 - 0x7A7AF4 = 0x4600000. In this example the Node object's vtable is in the .rdata section. We relocate only the .text section, whereas the ROP exploit calculates the randomized base address of the ROP module from the leaked vtable address in the .rdata section. Since the gadget addresses computed from that base still lie in the original .text section, we can catch the ROP attack.
Case Study: CVE-2013-3893, ROP via a module with a fixed address
CVE-2013-3893 is an IE vulnerability; the attacker leverages the non-ASLR module hxds.dll from the MS Office product to do ROP.
Load the non-ASLR hxds.dll into IE; fixed address @ 0x51be5b98; controllable fake stack @ 0x12121212
Demo.
Case Study: CVE-2013-0640, Adobe Acrobat and Reader remote code execution vulnerability
The module AcroForm.api is the target of the info leak and of the subsequent ROP chain construction.
We can catch the stack pivot from the original .text section.
Challenge
Without optimization, both legitimate entries and ROP execution attempts cause page faults; an excessive number of page faults not only prolongs the exploit's execution, which may cause the exploit to fail, but also slows down the system and makes the application unusable.
Goal: from the ROP detection's perspective, we are only interested in those page faults that are generated by ROP.
Observation: the majority of the page faults are caused by control transfers to the old code section using absolute addresses, and many of those originate from function-address-table based call/jmp within the ROP module.
Solution: fix up the PE's relocation section. For each relocation entry in the .text, .data and .rdata sections, read the relocated value and, if it falls inside the original code section, patch it to the corresponding address in the new code region:
• .text relocation value: dwRelocCodeAddr, value = *(DWORD*)dwRelocCodeAddr
  check: value >= nCodeStart && value <= nCodeStart + nCodeSize
• .data relocation value: dwRelocDataAddr, value = *(DWORD*)dwRelocDataAddr
  check: value >= nCodeStart && value <= nCodeStart + nCodeSize
• .rdata relocation value: dwRelocRDataAddr, value = *(DWORD*)dwRelocRDataAddr
  check: value >= nCodeStart && value <= nCodeStart + nCodeSize
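The relocation fix-up as an added C example, not the project's own code: it generalizes the per-section checks above by walking the IMAGE_BASE_RELOCATION blocks of the mapped image's .reloc section and rewriting every 32-bit (HIGHLOW) absolute address that lies in the original .text range to the same offset in new_text_code. It assumes the caller has already located the .reloc section (RVA and size) from the PE data directory; the sample image, its vtable and its relocation block are constructed, and the range check uses an exclusive upper bound rather than the slide's <=.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_BASE_RELOCATION block header as laid out in the PE .reloc section */
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } reloc_block;
#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, no fix-up */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address: the type that can point into .text */

/* Walk every relocation entry of the mapped (already loader-relocated) image; any 32-bit absolute
 * address that lands in the original code section [code_start, code_start + code_size) is rewritten
 * to the same offset in new_code. Returns the number of pointers patched, or -1 on a malformed
 * .reloc section (block or target outside the image). */
long fixup_relocations(uint8_t *image, size_t image_size, uint32_t reloc_rva, uint32_t reloc_size,
                       uint32_t code_start, uint32_t code_size, uint32_t new_code)
{
    long patched = 0;
    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    while (pos + sizeof(reloc_block) <= end) {
        reloc_block blk;
        if ((size_t)pos + sizeof blk > image_size) return -1;
        memcpy(&blk, image + pos, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || pos + blk.SizeOfBlock > end) return -1;
        size_t n = (blk.SizeOfBlock - sizeof blk) / 2;      /* WORD entries after the header */
        for (size_t i = 0; i < n; i++) {
            uint16_t e;
            memcpy(&e, image + pos + sizeof blk + 2 * i, 2);
            if ((e >> 12) != IMAGE_REL_BASED_HIGHLOW) continue; /* type in the top 4 bits */
            uint32_t rva = blk.VirtualAddress + (e & 0xFFF);    /* page RVA + 12-bit offset */
            if ((size_t)rva + 4 > image_size) return -1;
            uint32_t value;
            memcpy(&value, image + rva, 4);
            /* the range check the slide applies per section: value inside the original .text */
            if (value >= code_start && value < code_start + code_size) {
                value = new_code + (value - code_start);
                memcpy(image + rva, &value, 4);
                patched++;
            }
        }
        pos += blk.SizeOfBlock;
    }
    return patched;
}

#define SAMPLE_SIZE   0x3000u
#define SAMPLE_BASE   0x69160000u            /* AcroForm.api base from the appendix log */
#define SAMPLE_CODE   (SAMPLE_BASE + 0x1000u) /* ASSUMED: .text at RVA 0x1000 */
#define SAMPLE_CODESZ 0x1000u                /* constructed .text size */
#define SAMPLE_NEW    0x05AF0000u            /* new_text_code from the log */

static void put32(uint8_t *img, uint32_t rva, uint32_t v) { memcpy(img + rva, &v, 4); }
uint32_t get32(const uint8_t *img, uint32_t rva) { uint32_t v; memcpy(&v, img + rva, 4); return v; }

/* Constructed image: a 3-slot vtable at RVA 0x2000 (.rdata) and one .reloc block at RVA 0x2800
 * describing it. Two slots point into .text, one into .data and must stay untouched. */
uint8_t *build_sample_image(void)
{
    static uint8_t img[SAMPLE_SIZE];
    memset(img, 0, sizeof img);
    put32(img, 0x2000, SAMPLE_CODE + 0x49);    /* vtable slot -> .text (RET gadget area in the log) */
    put32(img, 0x2004, SAMPLE_CODE + 0x200);   /* vtable slot -> .text */
    put32(img, 0x2008, SAMPLE_BASE + 0x2500);  /* vtable slot -> .data */
    put32(img, 0x2800, 0x2000);                /* reloc_block.VirtualAddress */
    put32(img, 0x2804, 8 + 2 * 4);             /* SizeOfBlock: header + 4 WORD entries */
    uint16_t ents[4] = { 0x3000, 0x3004, 0x3008, 0x0000 }; /* HIGHLOW x3 + ABSOLUTE padding */
    memcpy(img + 0x2808, ents, sizeof ents);
    return img;
}

int main(void)
{
    uint8_t *img = build_sample_image();
    long n = fixup_relocations(img, SAMPLE_SIZE, 0x2800, 16, SAMPLE_CODE, SAMPLE_CODESZ, SAMPLE_NEW);
    printf("patched %ld pointers; slot0 now 0x%x\n", n, (unsigned)get32(img, 0x2000));
    return 0;
}
```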
Results
Taking CVE-2013-0640 as an example: the ROP module is AcroForm.api. Our internal testing showed that without any optimization we might experience ~15 million page faults before the ROP instruction is identified. After fixing up the PE's relocation section, only thousands of page faults were seen, and almost all of them were introduced by the ROP exploit.
Summary
1) Make a shadow copy of the .text code section of the ROP module and mark the original .text
code section NON_EXECUTE
2) Change all the necessary addresses so that the shadow copy transparently runs in lieu of the
original .text code section
3) Any ROP attempt into the original .text code section will cause page faults, and thus will be caught by our exception handler with full details (ROP instruction, stack info, register info, current thread info, etc.)
Acknowledgement
Thanks to Bing Sun for providing the research direction and help on the implementation; we would also like to thank the colleagues of the McAfee Labs IPS Team for sharing much great technical information and many ideas.
Appendix
Detection log for CVE-2013-0640 from the Anti-ROP project
00000001 0.00000000 [2376] Dll Entry
00000002 0.00005881 [2376] ###---> [Exploit Detection:1] Dll was Injection to Process:AcroRd32.exe !
00000003 0.00018571 [2376] ###---> [Exploit Detection:2] Find Target Process:AcroRd32.exe
00000004 0.00025681 [2376] ###---> [Exploit Detection: ] Found AcroRd32.exe !
00000005 0.00095662 [2376] ###---> [Exploit Detection:3] GetParentProcessName falil!
00000006 0.06557223 [3396] Dll Entry
00000007 0.06564619 [3396] ###---> [Exploit Detection:1] Dll was Injection to Process:AcroRd32.exe !
00000008 0.06577128 [3396] ###---> [Exploit Detection:2] Find Target Process:AcroRd32.exe
00000009 0.06580690 [3396] ###---> [Exploit Detection: ] Found AcroRd32.exe !
00000010 0.06686674 [3396] [Exploit Detection:3] Find target Process Pid:3396!
00000011 0.06701019 [3396] ###---> [Exploit Detection:4] freopen fail!
00000012 0.06703967 [3396] ###---> [Exploit Detection:5] CreateDirectory Success!
00000013 0.06712634 [3396] ###---> [Exploit Detection:6] Injection of MyThreadRoutine is Running!
00000014 0.09817512 [3396] ###---> [Exploit Detection:7] MyThreadRoutine
00000015 1.11598337 [3396] ###---> [Exploit Detection] C:\Program Files\Adobe\Reader 11.0\Reader\plug_ins\AcroForm.api
00000016 1.11598337 [3396] --> base module address is :0x69160000
00000017 1.11611617 [3396] section name .text,Characteristics 60000020 --- and SectionNumber :5
00000018 1.11611617 [3396]
00000019 1.12164426 [3396] New VirtualAddress: 5af0000
00000020 1.12164426 [3396]
00000155 1.12497735 [3396] ###---> [Exploit Detection:8] EnumProcessModules
success!
00000156 1.12500679 [3396] ###---> [Exploit Detection:9]
00020841 52.24734116 [3396] ***************************[Record Log]***********************************************
00020842 52.24736786 [3396] 69636B8C: 6A08 PUSH 08 ;
00020843 52.24739075 [3396] 69636B8E: B8 E5457369 MOV EAX, 697345E5 ;
00020844 52.24741364 [3396] [count:11245007]address :69205459 | opcode :6a 18
00020845 52.24743652 [3396] 69205459: 6A18 PUSH 18 ;
00020846 52.24745941 [3396] 6920545B: B8 ED217369 MOV EAX, 697321ED ;
00020847 52.24748230 [3396] [count:11245008]address :69516096 | opcode :56 8b
00020848 52.24750137 [3396] 69516096: 56 PUSH ESI ;
00020849 52.24752045 [3396] 69516097: 8BF1 MOV ESI, ECX ;
00020850 52.24754333 [3396] [count:11245009]address :69205459 | opcode :6a 18
00020851 52.24756622 [3396] 69205459: 6A18 PUSH 18 ;
00020852 52.24758911 [3396] 6920545B: B8 ED217369 MOV EAX, 697321ED ;
00020853 52.24765778 [3396] [count:11245010]address :69516096 | opcode :56 8b
00020854 52.24768066 [3396] 69516096: 56 PUSH ESI ;
00020855 52.24770355 [3396] 69516097: 8BF1 MOV ESI, ECX ;
00020856 52.24772644 [3396] [count:11245011]address :69648486 | opcode :56 8b
00020857 52.24774933 [3396] 69648486: 56 PUSH ESI ;
00020858 52.24777222 [3396] 69648487: 8BF1 MOV ESI, ECX ;
00020859 52.24779510 [3396] [count:11245012]address :6920618b | opcode :56 8b
00020860 52.24781418 [3396] 6920618B: 56 PUSH ESI ;
00020861 52.24783707 [3396] 6920618C: 8BF1 MOV ESI, ECX ;
00020862 52.24785995 [3396]
00020863 52.24785995 [3396]**[[[[[[[[[[[[[[[ Found exploit form AcroForm.api ]]]]]]]]]]]]]]]**
00020864 52.24788284 [3396] [PID:3396][count:11245013]
00020865 52.24788284 [3396] PageFault address:0x69319f50!AcroForm.api New eip:0x5ca8f50
00020866 52.24788284 [3396] eax:1184732c:ebx:00000001:ecx:11853c50:edx:00000000:esi:1776ebb4:edi:050b0294:esp:002ddbd0
00020867 52.24788284 [3396]
00020868 52.24790955 [3396] 69319F50: 50 PUSH EAX ;
00020869 52.24792862 [3396] 69319F51: 5C POP ESP ;
00020870 52.24795151 [3396] current esp->0x5B944D5
00020871 52.24797058 [3396] ***************************************************************************************************************************
00020872 52.24797058 [3396] caller information:
00020873 52.24799728 [3396] 05B944C1: FF4704 INC DWORD PTR DS:[EDI+04H] ;
00020874 52.24802017 [3396] 05B944C4: 8B4E44 MOV ECX,DWORD PTR DS:[ESI+44H] ;
00020875 52.24804306 [3396] 05B944C7: 85C9 TEST ECX, ECX ;
00020876 52.24806595 [3396] 05B944C9: 740A JZ 05B944D5 ;
00020877 52.24808502 [3396] 05B944CB: FF4904 DEC DWORD PTR DS:[ECX+04H] ;
00020878 52.24810791 [3396] 05B944CE: 7505 JNZ 05B944D5 ;
00020879 52.24812698 [3396] 05B944D0: 8B01 MOV EAX,DWORD PTR DS:[ECX] ;
00020880 52.24814987 [3396] 05B944D2: 53 PUSH EBX ;
00020881 52.24817276 [3396] 05B944D3: FF10 CALL DWORD PTR DS:[EAX] ;
00020882 52.24819565 [3396] 05B944D5: 56 PUSH ESI ;
00020883 52.24821854 [3396] 05B944D6: 8BCF MOV ECX, EDI ;
00020884 52.24824142 [3396] 05B944D8: 897E44 MOV DWORD PTR DS:[ESI+44H],EDI ;
00020885 52.24826431 [3396] 05B944DB: E8 8C35FEFF CALL 05B77A6C ;
00020886 52.24828339 [3396] 05B944E0: 8B45F0 MOV EAX,DWORD PTR SS:[EBP-10H] ;
00020887 52.24830627 [3396] 05B944E3: 8B404C MOV EAX,DWORD PTR DS:[EAX+4CH] ;
00020888 52.24832916 [3396] 05B944E6: 33464C XOR EAX,DWORD PTR DS:[ESI+4CH] ;
00020889 52.24835205 [3396] 05B944E9: 8B4D08 MOV ECX,DWORD PTR SS:[EBP+08H] ;
00020890 52.24837494 [3396] 05B944EC: 23C3 AND EAX, EBX ;
00020891 52.24839783 [3396] 05B944EE: 31464C XOR DWORD PTR DS:[ESI+4CH],EAX ;
00020892 52.24842072 [3396] 05B944F1: 8D45E4 LEA EAX,DWORD PTR SS:[EBP-1CH] ;
00020893 52.24843979 [3396] ***************************************************************************************************************************
00020894 52.24843979 [3396]
00020895 52.24846268 [3396] [count:11245014]address :69161049 | opcode :c3 74
00020896 52.24848557 [3396] 69161049: C3 RET ; Pop IP
00020897 52.24850845 [3396] 6916104A: 7409 JZ 69161055 ;
….