在家用Windbg杀小强

在家用Windbg杀小强

Windbg的家庭用法

原贴地址:
http://eparg.spaces.live.com/blog/cns!59BFC22C0E7E1A76!1475.entry
原贴时间:
2006-03-01
原贴作者:
eparg

今天拿了移动硬盘考了不少台球教程回家。跟小p看完星际录像后准备学习台球。在explorer中打开对应的文件夹，习惯性地右键鼠标选择缩略图方式预览。正准备双击目标文件打开的时候，咣当！熟悉的框框，explorer居然crash了。

好吧，老娘可是好惹的么？！

重新启动explorer试了一下，问题每次都能重现。好吧，肯定又是被某个流氓软件强奸了。根据以往的经验，上windbg，问题发生的时候看看callstack最上面是哪些module，九成能找到一个第三方的，然后想办法删除这个module就可以了。

于是启动windbg, f6, 选择explorer, g，然后重现问题。好吧，果然av了:

(c9c.9a0): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=029a3374 ecx=00000000 edx=029a6978 esi=02950000 edi=02990000
eip=029a33e0 esp=016ed964 ebp=016ed96c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
029a33e0 3100 xor dword ptr [eax],eax ds:0023:00000000=????????

不太对，虽然这里是一个xor指令，但是怎么没有对应的module。k一下看看：

0:008> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
016ed96c 00000000 6117a780 00000001 016ed9a8 0x29a33e0

奶奶的，居然not in any known module，别是stack overrun吧。流氓软件好歹也要有点技术功底，没事儿把stack全弄没了算啥。看看ebp esp eip，都还正常的嘛。好吧，死马当成活马医，看看尸斑：

0:008> dds ebp
016ed96c 6117a3ce PSIKey!XML_ExpatVersionInfo+0x8e84e
016ed970 00000000
016ed974 6117a780 PSIKey!XML_ExpatVersionInfo+0x8ec00
016ed978 00000001
016ed97c 016ed9a8
016ed980 016ed9b4
016ed984 016ed998
016ed988 6117a001 PSIKey!XML_ExpatVersionInfo+0x8e481
016ed98c 7c92eb94 ntdll!KiFastSystemCallRet
016ed990 00002a50
016ed994 016eda20
016ed998 7c9211a7 ntdll!LdrpCallInitRoutine+0x14
016ed99c 610a0000 PSIKey
016ed9a0 00000001
016ed9a4 00000000
016ed9a8 6117a001 PSIKey!XML_ExpatVersionInfo+0x8e481
016ed9ac 00000001
016ed9b0 00196248
016ed9b4 016edabc
016ed9b8 7c93cbab ntdll!LdrpRunInitializeRoutines+0x344
016ed9bc 6117a001 PSIKey!XML_ExpatVersionInfo+0x8e481
016ed9c0 610a0000 PSIKey
016ed9c4 00000001
016ed9c8 00000000
016ed9cc 016ee05c
016ed9d0 016ee03c
016ed9d4 00000000
016ed9d8 00000000
016ed9dc 0341c000 divx!s_bNewQPel+0xbda18


嗯？好像在加载PSIKey这个dll嘛。看看详细信息：


0:008> lmvm psikey
start end module name
610a0000 6118b000 PSIKey C (export symbols) PSIKey.dll
Loaded symbol image file: PSIKey.dll
Image path: C:/WINDOWS/system32/PSIKey.dll
Image name: PSIKey.dll
Timestamp: Tue Mar 11 09:52:27 2003 (3E6D415B)
CheckSum: 00000000
ImageSize: 000EB000
File version: 1.2.6.59
Product version: 1.2.6.59
File flags: 22 (Mask 3F) Pre-release Special
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Protexis Inc.
ProductName: Protexis nTitles
InternalName: SecureInstall
OriginalFilename: PSIKey.DLL
ProductVersion: 1.2.6.59
FileVersion: 1.2.6.59
PrivateBuild: 1.2.6.59
SpecialBuild:
FileDescription: nTitles Activator
LegalCopyright: Copyright (C) 2000 Protexis Inc.
LegalTrademarks:
Comments: v1.2.6

乃不是微软的dll,跑到system32里面去干啥？这玩意好像还跟divx有关哟。不管，现假设不crash的话,这个代码要干啥：

0:008> u eip
029a33e0 3100 xor dword ptr [eax],eax
029a33e2 eb01 jmp 029a33e5

直接jmp?好吧，进去看看：

0:008> u 029a33e5
029a33e5 648f0500000000 pop dword ptr fs:[0]
029a33ec eb02 jmp 029a33f0
029a33ee e8015868b8 call bb028bf4

恢复SEH handler又jmp？怎么这么奇怪，继续看：

0:008> u 029a33f0
029a33f0 58 pop eax
029a33f1 68b8a99902 push 299A9B8h
029a33f6 6850349a02 push 29A3450h
029a33fb 68082a9a02 push 29A2A08h
029a3400 6808279a02 push 29A2708h
029a3405 680c219a02 push 29A210Ch
029a340a 680c1b9a02 push 29A1B0Ch
029a340f 68b42d9a02 push 29A2DB4h
029a3414 c3 ret

ft,这么多push，要干啥啊。这种代码八成不会做什么好事情，估计是在布什么迷魂阵。不管了，网上查查再说：

http://forum.digital-digest.com/printthread.php?s=3c5066aa0aea6ab9b00cea35adfbc7a6&threadid=7686

"How to obtain Divx 5.0.2 Pro for free without adware

Most of you should know that Divx 5.0 Pro is available on the Kaaza fileshareing network with a keygen that allows you to register it. From the Divx.com site you can click that you're already a registered user and download the latest version of divx 5. If you install it, however, the keygen won't work on anything other then divx 5. In order to circumvent this, install divx 5 with the crack and make a copy of the file C:/windows/system/psikey.dll Install the latest version of divx pro from divx.com (You need to get the full version, not the adware version by selecting that you are upgrading) Then replace the new version of psikey.dll with the one that you backed up from divx 5. I believe this dll is only used for the registration. The actual codecs are other files such as divx.dll. This way you can circuvent the need to reregister. This method should work for quite some time :) Happy divxing!"

嘿嘿，找到元凶了吧。谁让乃用破解软件！原来这奇怪的代码果然是动态生成出来做破解的。回忆一下，问题是在查看台球录像缩略图的时候发生的。看录像当然可能牵涉divx了,没花钱的divx当然需要破解了。恩，证据有了，动机也有了！二话不说，网上下个最新的divx(还是一个破解版，好了伤疤忘了痛啊)，安装后一切恢复正常。

这可是一个典型例子阿。crash发生在unknown module，通过查看尸斑找到证据，通过网络找到解释，再回忆重现问题的步骤找到动机，最后通过补丁解决问题。我正愁手头没有这种奇怪的crash作为debugging paper的材料呢，这不就来了？