Then I analysed the process on XP.
Two main breakpoints are needed while debugging:
Attach to the source process (the one issuing the navigation); the stack there is simply the RPC send path:
In the attached source process: bu ntdll!ZwRequestPort
THREAD 81f8ec40  Cid 0640.0f24  Teb: 7ffdf000 Win32Thread: e20c9eb0 RUNNING on processor 0
Not impersonating
DeviceMap                 e1b1e7a8
Owning Process            0       Image:         <Unknown>
Attached Process          81c2b888       Image:         TestUnload360.exe
Wait Start TickCount      542981         Ticks: 0
Context Switch Count      885                 LargeStack
UserTime                  00:00:00.015
KernelTime                00:00:01.921
Win32 Start Address TestUnload360!ILT+24265(_mainCRTStartup) (0x004beece)
Start Address kernel32!BaseProcessStartThunk (0x7c8106f5)
Stack Init b1e1b000 Current b1e1a95c Base b1e1b000 Limit b1e18000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child
0012f6a8 77e6b5ea 00000150 0016e308 00000000 ntdll!ZwRequestPort (FPO: [2,0,0])
0012f6cc 77e6aa73 00172a48 0012f6f4 76ab1778 RPCRT4!LRPC_CCALL::AsyncSend+0xe0 (FPO: [Non-Fpo])
0012f6d8 76ab1778 00172a48 0016f278 001729a4 RPCRT4!I_RpcSend+0x2f (FPO: [Non-Fpo])
0012f6f4 76ab11a6 00000000 00000000 00000000 ole32!ThreadSendReceive+0x66 (FPO: [Non-Fpo])
0012f710 76ab108a 0012f7d8 0016f278 0012f834 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x13d (FPO: [Non-Fpo])
0012f7f0 769dedaa 0016f278 0012f904 0012f8f4 ole32!CRpcChannelBuffer::SendReceive2+0xc8 (FPO: [Non-Fpo])
0012f80c 769ded53 0012f904 0012f8f4 0016f278 ole32!CCliModalLoop::SendReceive+0x1e (FPO: [Non-Fpo])
0012f878 769dcdb2 0016f278 0012f904 0012f8f4 ole32!CAptRpcChnl::SendReceive+0x6f (FPO: [Non-Fpo])
0012f8cc 77ed4db5 0016f278 0012f904 0012f8f4 ole32!CCtxComChnl::SendReceive+0x113 (FPO: [Non-Fpo])
0012f8e8 77ed4ead 00181eb4 0012f930 0300002c RPCRT4!NdrProxySendReceive+0x43 (FPO: [Non-Fpo])
0012fcc4 77ed4e42 0017e968 0017ee8e 0012fcfc RPCRT4!NdrClientCall2+0x1fa (FPO: [Non-Fpo])
0012fce4 77e6a83b 0000000c 00000016 0012fe40 RPCRT4!ObjectStublessClient+0x8b (FPO: [Non-Fpo])
0012fcf4 004d13ec 00181eb4 00000064 123be119 RPCRT4!ObjectStubless+0xf
0012fe40 004cf316 00641818 123be035 00091378 TestUnload360!OpenWindow+0xac (FPO: [Non-Fpo]) (CONV: cdecl) [e:\work\project\testunload360\testunload360\testunload360.cpp @ 583]
0012ff6c 005b36c7 00000001 00bc31c0 00bc3238 TestUnload360!main+0x146 (FPO: [Non-Fpo]) (CONV: cdecl) [e:\work\project\testunload360\testunload360\testunload360.cpp @ 50]
0012ffb8 005b359f 0012fff0 7c817067 00091378 TestUnload360!__tmainCRTStartup+0x117 (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 266]
0012ffc0 7c817067 00091378 7c93003d 7ffd8000 TestUnload360!mainCRTStartup+0xf (FPO: [Non-Fpo]) (CONV: cdecl) [f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c @ 182]
0012fff0 00000000 004beece 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])
With a breakpoint at bu SHDOCVW!CIEFrameAuto::Navigate2 you can see the receiving side of the RPC call being handled.
When the Open/Download dialog appears, attach to the explorer process and break; the stack looks like this:
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr  Args to Child
b2bc5cc8 80501cd6 81e5a090 81e5a020 804fad62 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b2bc5cd4 804fad62 000024ff e105c340 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
b2bc5cfc bf802f52 00000001 0000000d 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
b2bc5d38 bf803758 000024ff 00000000 00000001 win32k!xxxSleepThread+0x192 (FPO: [Non-Fpo])
b2bc5d4c bf803775 000024ff 00000000 0399b780 win32k!xxxRealWaitMessageEx+0x12 (FPO: [Non-Fpo])
b2bc5d5c 8053e638 0399b7ac 7c92e4f4 badb0d00 win32k!NtUserWaitMessage+0x14 (FPO: [0,0,0])
b2bc5d5c 7c92e4f4 0399b7ac 7c92e4f4 badb0d00 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2bc5d64)
0399b774 77d19418 77d2770a 001801c0 00000001 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0399b7ac 77d249c4 000d028c 001801c0 00000001 USER32!NtUserWaitMessage+0xc
0399b7d4 77d24a06 01160000 015af17c 001801c0 USER32!InternalDialogBox+0xd0 (FPO: [Non-Fpo]) ---> the dialog is displayed from inside the message loop
0399b7f4 77d247ea 01160000 015af17c 001801c0 USER32!DialogBoxIndirectParamAorW+0x37 (FPO: [Non-Fpo])
0399b818 77f89ef1 01160000 00001140 001801c0 USER32!DialogBoxParamW+0x3f (FPO: [Non-Fpo])
0399b838 7e623c0b 01160000 00001140 001801c0 SHLWAPI!DialogBoxParamWrapW+0x36 (FPO: [Non-Fpo])
0399b880 7e5b3d31 01160000 00001140 001801c0 SHDOCVW!SHFusionDialogBoxParam+0x3a (FPO: [Non-Fpo])
0399b8a0 7e5b402a 001801c0 00001140 0399b8c0 SHDOCVW!_ShowSafeOpenDialog+0x26 (FPO: [Non-Fpo])
0399cc50 7e5b493c 001801c0 00001140 0399cd1c SHDOCVW!OpenSafeOpenDialog+0x2d3 (FPO: [Non-Fpo])
0399ccb0 7e5b4d63 001801c0 0399cd1c 0303a3e4 SHDOCVW!MayOpenSafeOpenDialog+0x15d (FPO: [Non-Fpo])
0399cf28 7e5b5c32 00000000 03016858 00000005 SHDOCVW!CDownload::_MayAskUserIsFileSafeToOpen+0x246 (FPO: [Non-Fpo])
0399e3b8 75c71eed 030394b8 00000005 001941b0 SHDOCVW!CDownload::OnDataAvailable+0x1f5 (FPO: [Non-Fpo]) // obtains the downloaded file's information
0399e3d8 75c71f54 03016858 00000005 001941b0 urlmon!CBSCHolder::OnDataAvailable+0x40 (FPO: [Non-Fpo])
0399e3f8 75c72c77 0010ca58 00000005 001941b0 urlmon!CBinding::CallOnDataAvailable+0x2b (FPO: [Non-Fpo])
0399e428 75c726b4 0010ca58 00000000 001941b0 urlmon!CBinding::OnDataNotification+0xb2 (FPO: [Non-Fpo])
0399e454 75c7298f 0010ca58 00000006 001941b0 urlmon!CBinding::OnTransNotification+0x30f (FPO: [Non-Fpo])
0399e484 75c7280d 001941b0 00000005 001941b0 urlmon!CBinding::ReportData+0x77 (FPO: [Non-Fpo])
0399e4a4 75c6e313 0300da8c 00000005 001941b0 urlmon!COInetProt::ReportData+0x72 (FPO: [Non-Fpo])
0399e4cc 75c6e189 0300d8d0 00000006 00000005 urlmon!CTransaction::DispatchReport+0xe3 (FPO: [Non-Fpo])
0399e4f8 75c6e470 0300d8d0 03029c00 00000006 urlmon!CTransaction::DispatchPacket+0x31 (FPO: [Non-Fpo])
0399e518 75c7232e 0300d8d0 00000000 00000104 urlmon!CTransaction::OnINetCallback+0x92 (FPO: [Non-Fpo])
0399e53c 75c76afc 0300d8d0 00000005 001941b0 urlmon!CTransaction::ReportData+0x135 (FPO: [Non-Fpo])
0399e9c8 75c7110b 00000000 03029648 0302965c urlmon!CINetFile::INetAsyncOpen+0x197 (FPO: [Non-Fpo])
0399e9d8 75c710d2 00000000 03029648 0300d8e4 urlmon!CINet::INetAsyncStart+0x1a (FPO: [0,0,0])
0399e9f4 75c6ef15 00000000 0302dfa0 0300d8d0 urlmon!CINet::Start+0x1db (FPO: [Non-Fpo])
0399ea1c 75c6edfd 00000000 0302dfa0 0300d8d0 urlmon!COInetProt::Start+0x90 (FPO: [Non-Fpo])
0399ea6c 75c6f547 0300d8d0 0302dfa0 0010ca60 urlmon!CTransaction::Start+0x3c0 (FPO: [Non-Fpo])
0399eaf0 75c6f1a4 0399eb38 0017b628 7e551b60 urlmon!CBinding::StartBinding+0x4d8 (FPO: [Non-Fpo])
0399fb88 75c6f06e 001701e8 00000000 0017b628 urlmon!CUrlMon::StartBinding+0x1d8 (FPO: [Non-Fpo])
0399fbc0 7e5b0d8d 001701e8 0017b628 00000000 urlmon!CUrlMon::BindToStorage+0x67 (FPO: [Non-Fpo]) // obtains the file size and other information
0399fe04 7e5b56a5 001701e8 0017b628 00000000 SHDOCVW!CDownload::StartBinding+0x184 (FPO: [Non-Fpo])
0399fe1c 7e5b5747 001701e8 0017b628 00000000 SHDOCVW!CDownload::OpenUI+0x84 (FPO: [Non-Fpo]) // initialises DownloadDlgProc, the standard window procedure of the Download/Open dialog the user sees; the dialog's initialisation handler calls into urlmon to fetch the file's information, and ShowWindow is called afterwards to display it
0399fe6c 7e5b5a0d 001701e8 0017b628 00000001 SHDOCVW!CDownLoad_OpenUI+0x53 (FPO: [Non-Fpo])
0399fed0 7e5b24ea 000f6dc8 0017b628 001688c0 SHDOCVW!CDownLoad_OpenUIURL+0x66 (FPO: [Non-Fpo]) // prepares to display the dialog
0399ff50 77f56f42 0302bd08 00e70000 0000000b SHDOCVW!IEDownload_ThreadProc+0xa8 (FPO: [Non-Fpo]) -----------> // the handler for "download and open an executable file"
0399ffb4 7c80b713 00000000 00e70000 0000000b SHLWAPI!WrapperThreadProc+0x94 (FPO: [Non-Fpo])
0399ffec 00000000 77f56ed3 033871b4 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) ->> a new thread is started to handle the download
Having traced the processing above, the role of each handler function is as follows:
The URL is sent -> explorer starts a new thread to handle the RPC call:
SHDOCVW!CIEFrameAuto::Navigate2 (converts the string argument types) -> SHDOCVW!CIEFrameAuto::Navigate (simply calls the next function) -> SHDOCVW!CIEFrameAuto::_NavigateHelper (matches the URL type to see whether it is one of the designated executable file types; PidlFromUrlEtc, SHDOCVW!IsURLChild) -> SHDOCVW!CIEFrameAuto::_BrowseObject -> CShellBrowser2::BrowseObject
-> (repeatedly calls the BrowseObject inherited from the parent class) BROWSEUI!CCommonBrowser::BrowseObject (simply calls the next function) -> SHDOCVW!CBaseBrowser2::BrowseObject (decides whether the URL can be navigated to and whether it can be opened) ->
SHDOCVW!CBaseBrowser2::_NavigateToPidlAsync -> CBaseBrowser2::_SendAsyncOperation (SendMessage(_bbd._hwnd, WMC_ASYNCOPERATION, 0, 0); _bbd._hwnd refers to the shell browser window, and CBaseBrowser2 handles the message) -> (CBaseBrowser2::_NavigateToPidl) (SID_SHlinkFrame) ->
The new thread handles the URL: SHLWAPI!WrapperThreadProc (created through SHLWAPI!SHCreateThreadRef) -> SHDOCVW!IEDownload_ThreadProc
Starting from IEDownload_ThreadProc exported by IEFrame.dll (SHDOCVW on XP, as the stack above shows) -> calls CDownload_OpenUIURL -> SHDOCVW!CDownLoad_OpenUI (initialises the dialog's window procedure DownloadDlgProc) ->
[ prepare to display the download dialog -> on XP: (StartBinding) PathFindExtensionW (collects information about the target file, such as the URL and file size) -> BlockDownload suspends the data transfer -> IEFRAME!ShowWindow displays the file download window ]
-> If the user clicks Run, iexplore calls CDownload_MayProcessMessage to send a message to ieuser.exe -> ieuser.exe handles the message, completes the launch and shows the "confirm run" dialog; on Win7 this is where the permission check takes place, which governs elevation when the downloaded file is run
-> On XP, when Run is clicked, the DownloadDlgProc window procedure calls ShellExecuteEx directly; on XP a function in the thread above checks IE's zone settings, but once the check is done it still calls the download dialog
=> If the user clicks Save, iexplore calls CDownload_MayProcessMessage to send a message to ieuser.exe, which handles it and shows the Save dialog. -> If Save is clicked, ieuser creates the file in the cache directory; when the download completes it is copied from the cache to the user's directory.
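The two attach points described at the top (bu ntdll!ZwRequestPort in the sender, bu SHDOCVW!CIEFrameAuto::Navigate2 in the browser) and the handler chain just listed can be scripted so the whole path logs itself on one kd session. The command sequence below is an added example, not part of the original notes; it assumes the sender is TestUnload360.exe and the browser process is iexplore.exe (substitute the real image names), that symbols for SHDOCVW and shell32 resolve, and that the EPROCESS addresses are copied from the !process output by hand (the <EPROCESS> placeholders are not real values).

```windbg
$$ Added example (not from the original notes): kd breakpoints for the IE download path.
$$ Assumptions: sender = TestUnload360.exe, browser = iexplore.exe, symbols loaded.

$$ --- 1. Sender side: catch the LRPC send that carries Navigate2 ---
!process 0 0 TestUnload360.exe
.process /i <EPROCESS of TestUnload360.exe>      $$ invasive switch; takes effect on the next g
g
.reload /user                                    $$ load user-mode symbols for this process
bu ntdll!ZwRequestPort ".echo [src] ZwRequestPort; kv; gc"

$$ --- 2. Browser side: receive path, download thread, dialog, and the final launch ---
!process 0 0 iexplore.exe
.process /i <EPROCESS of iexplore.exe>
g
.reload /user
bu SHDOCVW!CIEFrameAuto::Navigate2      ".echo [ie] Navigate2 (RPC receive side); kv; gc"
bu SHDOCVW!CBaseBrowser2::BrowseObject  ".echo [ie] BrowseObject: can the URL be navigated/opened?; gc"
bu SHDOCVW!IEDownload_ThreadProc        ".echo [ie] download thread started; kv; gc"
bu SHDOCVW!CDownLoad_OpenUI             ".echo [ie] CDownLoad_OpenUI: DownloadDlgProc initialised; gc"
bu SHDOCVW!CDownload::OpenUI            ".echo [ie] CDownload::OpenUI -> urlmon BindToStorage; gc"
$$ On XP the Run button ends in ShellExecuteEx from DownloadDlgProc; stop there to
$$ inspect the SHELLEXECUTEINFO before the file is launched.
bu shell32!ShellExecuteExW              ".echo [ie] ShellExecuteExW from download dialog; kv"
bl
g
```

Each breakpoint except the last uses gc so the trace streams past without stopping; the stop at shell32!ShellExecuteExW is the point where the downloaded executable is about to be started, which is where a practitioner examining this path wants to read the stack and arguments.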