Hack.Exploit.RIFF.b

病毒分类 普通文件病毒

溢出发生在user32.dll!_LoadAniIcon

_LoadCursorIconFromFileMap -> _LoadAniIcon@20

typedef struct TagHeader

{

DWORD Tag; // LIST , anih , etc.

DWORD OverlaySize;

}ST_TagHeader;

typedef struct MappingFile

{

PBYTE ViewBase;

DWORD CurPointer;

}ST_MappingFile;

; __stdcall LoadCursorIconFromFileMap(x, x, x, x, x, x)

_LoadCursorIconFromFileMap@24 :

...

.text:77D5429F cmp dword ptr [ebp-10h], 'hina'

.text:77D542A6 jnz short loc_77D54309

.text:77D542A8 cmp dword ptr [ebp-0Ch], 24h ;ST_TagHeader结构中的OverlaySize被检查了

;所以第一个anih结构的OverlaySize必须是0x24

.text:77D542AC jnz loc_77D543C5

...

...

...

.text:77D542FF call _LoadAniIcon@20 ; anih

.text:77D54304 jmp loc_77D543E6

...

...

; int __stdcall LoadAniIcon(int,int,int,int,int)

.text:77D53F83 _LoadAniIcon@20

...

...

...

.text:77D54008 cmp eax, 'hina'

.text:77D5400D jnz tag_unknown

.text:77D54013 lea eax, [ebp-4Ch] ;

.text:77D54016 push eax ; pOutBuffer,LocalBuffer,ebp-4ch

.text:77D54017 lea eax, [ebp-28h]

.text:77D5401A push eax ; ST_TagHeader*

.text:77D5401B push ebx ; ST_MappingFile*

.text:77D5401C call _ReadChunk@12 ; ST_TagHeader结构中的OverlaySize没有被检查

; 如果OverlaySize>0x50的话，RET就会被覆盖

.text:77D54021 test eax, eax

...

...

...