update
@@ -1139,20 +1139,20 @@ auto Api_HeapAlloc(void* sandbox, uc_engine* uc, uint64_t address) -> void {
|
||||
dwBytes = temp_bytes;
|
||||
}
|
||||
// 这里如果想检查有效,得先跑main,再跑其他的,浪费时间了,操
|
||||
|
||||
|
||||
// 检查堆句柄是否有效
|
||||
/*
|
||||
|
||||
uint64_t expected_handle =
|
||||
context->GetPeInfo()->isX64 ? HEAP_ADDRESS_64 : HEAP_ADDRESS_32;
|
||||
if (hHeap != expected_handle) {
|
||||
uint64_t null_ptr = 0;
|
||||
hHeap = expected_handle;
|
||||
uc_reg_write(
|
||||
uc, context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
|
||||
&null_ptr);
|
||||
return;
|
||||
// uc_reg_write(
|
||||
// uc, context->GetPeInfo()->isX64 ? UC_X86_REG_RAX :
|
||||
// UC_X86_REG_EAX, &null_ptr);
|
||||
// return;
|
||||
}
|
||||
*/
|
||||
|
||||
// 获取或创建堆段
|
||||
HeapSegment* segment = nullptr;
|
||||
auto it = context->m_heapSegments.find(hHeap);
|
||||
@@ -2026,7 +2026,7 @@ auto Api_RtlFormatCurrentUserKeyPath(void* sandbox, uc_engine* uc,
|
||||
|
||||
// 获取参数
|
||||
if (context->GetPeInfo()->isX64) {
|
||||
// x64: rcx = KeyPathBuffer
|
||||
// x64: rcx = KeyPathBuffer (PUNICODE_STRING)
|
||||
uc_reg_read(uc, UC_X86_REG_RCX, &keyPathBuffer);
|
||||
} else {
|
||||
// x86: 从栈上读取参数
|
||||
@@ -2047,10 +2047,36 @@ auto Api_RtlFormatCurrentUserKeyPath(void* sandbox, uc_engine* uc,
|
||||
// 例如可以修改userKeyPath或在日志中记录查询操作
|
||||
printf("[*] RtlFormatCurrentUserKeyPath: 正在查询MCP服务器获取用户SID\n");
|
||||
|
||||
// 将路径写入到提供的缓冲区
|
||||
if (keyPathBuffer != 0) {
|
||||
uc_mem_write(uc, keyPathBuffer, userKeyPath,
|
||||
(wcslen(userKeyPath) + 1) * sizeof(wchar_t));
|
||||
// 分配内存用于存储路径字符串
|
||||
size_t pathLen = wcslen(userKeyPath);
|
||||
size_t bufferSize = (pathLen + 1) * sizeof(wchar_t);
|
||||
uint64_t stringBuffer = 0;
|
||||
|
||||
// 从堆中分配内存
|
||||
if (context->GetPeInfo()->isX64) {
|
||||
HeapSegment* segment = context->FindHeapSegment(HEAP_ADDRESS_64);
|
||||
if (segment) {
|
||||
stringBuffer = context->AllocateFromSegment(segment, bufferSize);
|
||||
}
|
||||
} else {
|
||||
HeapSegment* segment = context->FindHeapSegment(HEAP_ADDRESS_32);
|
||||
if (segment) {
|
||||
stringBuffer = context->AllocateFromSegment(segment, bufferSize);
|
||||
}
|
||||
}
|
||||
|
||||
if (stringBuffer != 0 && keyPathBuffer != 0) {
|
||||
// 将路径字符串写入到分配的缓冲区
|
||||
uc_mem_write(uc, stringBuffer, userKeyPath, bufferSize);
|
||||
|
||||
// 创建UNICODE_STRING结构
|
||||
UNICODE_STRING unicodeString;
|
||||
unicodeString.Length = static_cast<USHORT>(pathLen * sizeof(wchar_t));
|
||||
unicodeString.MaximumLength = static_cast<USHORT>(bufferSize);
|
||||
unicodeString.Buffer = reinterpret_cast<PWSTR>(stringBuffer);
|
||||
|
||||
// 将UNICODE_STRING结构写入到提供的缓冲区
|
||||
uc_mem_write(uc, keyPathBuffer, &unicodeString, sizeof(UNICODE_STRING));
|
||||
}
|
||||
|
||||
// 返回NTSTATUS成功代码 (0x00000000 = STATUS_SUCCESS)
|
||||
@@ -2059,8 +2085,10 @@ auto Api_RtlFormatCurrentUserKeyPath(void* sandbox, uc_engine* uc,
|
||||
context->GetPeInfo()->isX64 ? UC_X86_REG_RAX : UC_X86_REG_EAX,
|
||||
&status);
|
||||
|
||||
printf("[*] RtlFormatCurrentUserKeyPath: Buffer=0x%llx, Path=%ls\n",
|
||||
keyPathBuffer, userKeyPath);
|
||||
printf(
|
||||
"[*] RtlFormatCurrentUserKeyPath: Buffer=0x%llx, StringBuffer=0x%llx, "
|
||||
"Path=%ls\n",
|
||||
keyPathBuffer, stringBuffer, userKeyPath);
|
||||
}
|
||||
|
||||
// 添加FlsSetValue API实现
|
||||
|
||||