Potential Exploit?

Views: 72

Question


Windows 7, all the latest updates: inside the WM_NCPaint handler, if you invalidate a portion of the desktop (i.e. the screen rectangle for the (popup) window receiving the WM_NCPaint message, using the desktop window DC), then call UpdateWindow on the desktop window handle, then place an int 3 (not an API call, just insert _asm int 3 into the code directly) ... if you're not running in a debugger (I use WinDbg), the entire system locks. All interrupts appear disabled, all peripherals freeze, the cursor stops moving, the mouse stops responding, the keyboard won't work, etc. Only a hard power down will reset it. I tried putting an anti-recursion mechanism into the WM_NCPaint handler; this had no effect.


Obviously this behavior should not be possible from userland.  Not sure if the same problem is present in Win 10 or not.  I stopped using it after finding DirectX 12 was almost completely crippled and NVidia publishes no drivers for it yet.  I have not delved further into the issue, to see if this opens the door to a possible exploit (i.e. by adding a vectored exception handler prior to issuing the int 3, which could execute in ring 0 under these conditions?).  I will leave that for others to delve into.


Those who can, do. Those who can't, teach.

Recommended answer

I should probably add that this handler works fine as long as I don't try to insert a breakpoint in it.  The point is to capture the desktop minus my window; retrieve the desktop background under my window which is supposed to be ws_ex_transparent but like the rest of Windows only works properly in certain undocumented conditions.  (Capturing the desktop under my window without this mechanism in place, the window is distorted - narrower at the bottom than the top - and has an all-white background on the first execution which cannot be explained.)  Just prior to issuing the UpdateWindow call on the desktop window handle, I put my handler into bypass mode so that every message is handled by DefWindowProc until the UpdateWindow call returns.  With this setup I'm able to get the desktop under my transparent window correctly, and a breakpoint in the NCPaint message handler, even after UpdateWindow returns, sends the system into lala land.
