剧情是这个样子的:
编译了一个x64dbg插件模块
当在 x64dbg 的标题栏上按 Win+A 时就会报
Access violation at address XXX in module 'ntdll.dll'. Write of address YYY.
之后才截获到窗口标题。
奇怪的是，在其他窗口按同样的快捷键却完全正常……你说奇怪不奇怪？
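procedure TCapture_Window.hotykey(var msg: TMessage);
// Hotkey handler: when Win+A is held, reads the foreground window's title
// into KJ_Edit1. `msg` itself is not inspected; the key state is re-read
// with GetAsyncKeyState instead.
var
  pid: Cardinal;
  pHandle: THandle;
  buf: array[0..MAX_PATH] of Char;   // executable path of the foreground process
  ps: array[0..254] of Char;         // window class name of the active window
  path: string;                      // path of the active window's process
  arr: array[0..254] of Char;        // window title of the active window
  titleLen: Integer;                 // characters GetWindowText actually stored
  title: string;
  h: HWND;
begin
  // GetAsyncKeyState sets the high bit (value < 0 as SmallInt) while the key
  // is held. The original wrote `a and b < 0`, which Delphi parses as
  // `(a and b) < 0` and is correct only by accident; test each key explicitly.
  if (GetAsyncKeyState(VK_LWIN) < 0) and (GetAsyncKeyState(Ord('A')) < 0) then // Win+A
  begin
    h := GetForegroundWindow;
    if h = 0 then
      Exit; // no foreground window (e.g. during a desktop switch)

    GetWindowThreadProcessId(h, @pid);
    // Least privilege: GetModuleFileNameEx only needs query + VM-read rights.
    // PROCESS_ALL_ACCESS is also refused for protected/elevated processes,
    // which would have left pHandle = 0 and buf uninitialised.
    pHandle := OpenProcess(PROCESS_QUERY_INFORMATION or PROCESS_VM_READ, False, pid);
    buf[0] := #0;
    if pHandle <> 0 then
    begin
      GetModuleFileNameEx(pHandle, 0, buf, Length(buf)); // result kept in buf, not used below
      CloseHandle(pHandle);
    end;

    // Bug fix: the original passed SizeOf(arr) as nMaxCount. nMaxCount is a
    // character count; on Unicode Delphi SizeOf(arr) is twice that, so a title
    // longer than 254 characters (x64dbg's title carries file path, PID and
    // thread info and can exceed this with long paths) lets GetWindowText
    // write past the end of arr and corrupt the stack — a plausible source of
    // the reported access violation, which windows with short titles avoid.
    titleLen := GetWindowText(h, arr, Length(arr));
    SetString(title, arr, titleLen); // empty string if the call failed

    GetClassName(h, ps, Length(ps));
    path := GetProcessExePath(h); // computed but not used further in this handler
    Capture_Window.KJ_Edit1.Text := title; // full x64dbg window title
  end;
end;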
无奈，还是直接上 x64dbg 开干吧……
是吧? 边走边看。
000000006D525E70 | 55 | push rbp |
000000006D525E71 | 48:81EC D0000000 | sub rsp,D0 |
000000006D525E78 | 48:8BEC | mov rbp,rsp |
000000006D525E7B | 48:896D 48 | mov qword ptr ss:[rbp+48],rbp |
000000006D525E7F | 48:898D E0000000 | mov qword ptr ss:[rbp+E0],rcx |
000000006D525E86 | 48:8995 E8000000 | mov qword ptr ss:[rbp+E8],rdx |
000000006D525E8D | 4C:8985 F0000000 | mov qword ptr ss:[rbp+F0],r8 |
000000006D525E94 | 44:898D F8000000 | mov dword ptr ss:[rbp+F8],r9d |
000000006D525E9B | 48:8B8D E0000000 | mov rcx,qword ptr ss:[rbp+E0] |
000000006D525EA2 | E8 99200000 | call <moretool.sub_6D527F40> |
000000006D525EA7 | 48:8985 98000000 | mov qword ptr ss:[rbp+98],rax |
000000006D525EAE | 48:83BD 98000000 00 | cmp qword ptr ss:[rbp+98],0 |
000000006D525EB6 | 75 17 | jne moretool.6D525ECF |
000000006D525EB8 | 48:8B85 E0000000 | mov rax,qword ptr ss:[rbp+E0] |
000000006D525EBF | 48:8B80 E0020000 | mov rax,qword ptr ds:[rax+2E0] |
000000006D525EC6 | 48:8985 80000000 | mov qword ptr ss:[rbp+80],rax |
000000006D525ECD | EB 0E | jmp moretool.6D525EDD |
000000006D525ECF | 48:8B85 98000000 | mov rax,qword ptr ss:[rbp+98] |
000000006D525ED6 | 48:8985 80000000 | mov qword ptr ss:[rbp+80],rax |
000000006D525EDD | 48:8B8D 98000000 | mov rcx,qword ptr ss:[rbp+98] |
000000006D525EE4 | BA 02000000 | mov edx,2 |
000000006D525EE9 | E8 F21FE8FF | call <JMP.&MonitorFromWindow> |
000000006D525EEE | 48:8985 C8000000 | mov qword ptr ss:[rbp+C8],rax |
000000006D525EF5 | 48:8B85 E0000000 | mov rax,qword ptr ss:[rbp+E0] |
000000006D525EFC | 48:8B88 E0020000 | mov rcx,qword ptr ds:[rax+2E0] |
000000006D525F03 | BA 02000000 | mov edx,2 |
000000006D525F08 | E8 D31FE8FF | call <JMP.&MonitorFromWindow> |
000000006D525F0D | 48:8985 C0000000 | mov qword ptr ss:[rbp+C0],rax |
000000006D525F14 | 48:8B85 C8000000 | mov rax,qword ptr ss:[rbp+C8] |
000000006D525F1B | 48:3B85 C0000000 | cmp rax,qword ptr ss:[rbp+C0] |
000000006D525F22 | 0F84 A9000000 | je moretool.6D525FD1 | nop fail
找到函数开头 000000006D525E70 | 55 | push rbp，然后一层一层往上找。
配合 x64dbg 右下角的堆栈窗口信息，你能找得更快更准。
000000006D525DC0 | 57 | push rdi |
000000006D525DC1 | 56 | push rsi |
000000006D525DC2 | 53 | push rbx |
000000006D525DC3 | 48:83EC 20 | sub rsp,20 |
000000006D525DC7 | 48:89CB | mov rbx,rcx |
000000006D525DCA | 48:89D6 | mov rsi,rdx |
000000006D525DCD | E8 EED4D2FF | call <JMP.&GetCapture> |
000000006D525DD2 | 48:85C0 | test rax,rax |
000000006D525DD5 | 74 18 | je moretool.6D525DEF |
000000006D525DD7 | E8 E4D4D2FF | call <JMP.&GetCapture> |
000000006D525DDC | 48:89C1 | mov rcx,rax |
000000006D525DDF | BA 1F000000 | mov edx,1F |
000000006D525DE4 | 4D:33C0 | xor r8,r8 |
000000006D525DE7 | 4D:33C9 | xor r9,r9 |
000000006D525DEA | E8 41DDD2FF | call <JMP.&SendMessageW>======>这里反正就是发送窗口消息的意思
000000006D525DEF | E8 BC37D1FF | call <moretool.sub_6D2395B0>==》或F7之后修改mov rdi,1; ret
000000006D525DF4 | 48:89C7 | mov rdi,rax |
000000006D525DF7 | 48:85FF | test rdi,rdi |
000000006D525DFA | 74 62 | je moretool.6D525E5E | =======》JMP 6D525E5E 也可以成功
000000006D525DFC | 48:89F9 | mov rcx,rdi |
000000006D525DFF | 48:8B15 F26CD3FF | mov rdx,qword ptr ds:[6D25CAF8] | 000000006D25CAF8:"浪%m"==&"`2'm"
000000006D525E06 | E8 05FFFFFF | call <moretool.sub_6D525D10> |
000000006D525E0B | 84C0 | test al,al |
000000006D525E0D | 74 3F | je moretool.6D525E4E |
000000006D525E0F | 48:89F9 | mov rcx,rdi |
000000006D525E12 | 48:8B15 4F7DD3FF | mov rdx,qword ptr ds:[<sub_6D25DB68>] | 000000006D25DB68:&"`2'm"
000000006D525E19 | E8 F2FEFFFF | call <moretool.sub_6D525D10> |
000000006D525E1E | 84C0 | test al,al |
000000006D525E20 | 75 3C | jne moretool.6D525E5E |
000000006D525E22 | 48:83BB D0010000 00 | cmp qword ptr ds:[rbx+1D0],0 |
000000006D525E2A | 74 15 | je moretool.6D525E41 |
000000006D525E2C | 48:8D9B D0010000 | lea rbx,qword ptr ds:[rbx+1D0] |
000000006D525E33 | 48:8B4B 08 | mov rcx,qword ptr ds:[rbx+8] |
000000006D525E37 | 48:89F2 | mov rdx,rsi |
000000006D525E3A | 49:89F8 | mov r8,rdi |
000000006D525E3D | FF13 | call qword ptr ds:[rbx] |
000000006D525E3F | EB 1D | jmp moretool.6D525E5E |
000000006D525E41 | 48:89D9 | mov rcx,rbx |
000000006D525E44 | 48:89FA | mov rdx,rdi |
000000006D525E47 | E8 94060000 | call <moretool.sub_6D5264E0> | ========》NOP这里可以成功,或进入后的地方直接ret!
000000006D525E4C | EB 10 | jmp moretool.6D525E5E | 回车之后来到了这里!
至此就算是用暴力法修复了这个 bug，其他原因有待考证。