A program is loading a VB6-based ActiveX control that has several properties, for example ConnectionString. The application generates the values it supplies dynamically at runtime, so identifying them by static analysis is not straightforward. I can dump the process's memory and find some of these values in it, but some of them are not simple strings, so they are not that easy to find this way.
I built a test VB6 program and compiled it with symbols, using code like this:
Private Sub SetConnectionString()
aABCFeeList1.ConnectionString = "Provider=SQLOLEDB;Trusted_Connection=Yes;initial catalog=sql;data source=sqlserver;"
End Sub
In IDA this shows up as the following disassembly:
.text:00401D20 ; void __stdcall Form1::SetConnectionString(Form1 *this)
.text:00401D20 ?SetConnectionString@Form1@@AAGXXZ proc near ; CODE XREF: .text:004016E0j
.text:00401D20
.text:00401D20 var_20 = dword ptr -20h
.text:00401D20 var_18 = dword ptr -18h
.text:00401D20 var_14 = dword ptr -14h
.text:00401D20 var_10 = dword ptr -10h
.text:00401D20 var_8 = dword ptr -8
.text:00401D20 var_4 = dword ptr -4
.text:00401D20 this = dword ptr 8
.text:00401D20
.text:00401D20 push ebp
.text:00401D21 mov ebp, esp
.text:00401D23 sub esp, 8
.text:00401D26 push offset ___vbaExceptHandler
.text:00401D2B mov eax, large fs:0
.text:00401D31 push eax
.text:00401D32 mov large fs:0, esp
.text:00401D39 sub esp, 28h
.text:00401D3C push ebx
.text:00401D3D push esi
.text:00401D3E push edi
.text:00401D3F mov [ebp+var_8], esp
.text:00401D42 mov [ebp+var_4], offset dword_4010A0
.text:00401D49 sub esp, 10h
.text:00401D4C mov ecx, 8
.text:00401D51 mov edx, esp
.text:00401D53 mov eax, offset ___vba@09EB2DB8
.text:00401D58 push 68030012h
.text:00401D5D mov [ebp+var_14], 0
.text:00401D64 mov [edx], ecx
.text:00401D66 mov ecx, [ebp+var_20]
.text:00401D69 mov [edx+4], ecx
.text:00401D6C mov [edx+8], eax
.text:00401D6F mov eax, [ebp+var_18]
.text:00401D72 mov [edx+0Ch], eax
.text:00401D75 mov eax, [ebp+this]
.text:00401D78 push eax
.text:00401D79 mov ecx, [eax]
.text:00401D7B call dword ptr [ecx+2FCh]
.text:00401D81 lea edx, [ebp+var_14]
.text:00401D84 push eax
.text:00401D85 push edx
.text:00401D86 call ds:__imp____vbaObjSet
.text:00401D8C push eax
.text:00401D8D call ds:__imp____vbaLateIdSt
.text:00401D93 lea ecx, [ebp+var_14]
.text:00401D96 call ds:__imp____vbaFreeObj
.text:00401D9C push offset loc_401DAE
.text:00401DA1 jmp short loc_401DAD
.text:00401DA3 ; ---------------------------------------------------------------------------
.text:00401DA3
.text:00401DA3 loc_401DA3: ; DATA XREF: .text:004010ACo
.text:00401DA3 lea ecx, [ebp+var_14]
.text:00401DA6 call ds:__imp____vbaFreeObj
.text:00401DAC retn
.text:00401DAD ; ---------------------------------------------------------------------------
.text:00401DAD
.text:00401DAD loc_401DAD: ; CODE XREF: Form1::SetConnectionString(void)+81j
.text:00401DAD retn
.text:00401DAE ; ---------------------------------------------------------------------------
.text:00401DAE
.text:00401DAE loc_401DAE: ; CODE XREF: Form1::SetConnectionString(void):loc_401DADj
.text:00401DAE ; DATA XREF: Form1::SetConnectionString(void)+7Co
.text:00401DAE mov ecx, [ebp+var_10]
.text:00401DB1 pop edi
.text:00401DB2 pop esi
.text:00401DB3 xor eax, eax
.text:00401DB5 mov large fs:0, ecx
.text:00401DBC pop ebx
.text:00401DBD mov esp, ebp
.text:00401DBF pop ebp
.text:00401DC0 retn 4
.text:00401DC0 ?SetConnectionString@Form1@@AAGXXZ endp
In this case the connection string is set on the line
.text:00401D53 mov eax, offset ___vba@09EB2DB8
My question is how to identify:
1) which ActiveX control this code is configuring
2) which property on the ActiveX control it is setting
The program in which I need to find this is larger and more complex.
Some other references:
dword_4010A0 dd 40004h, 2 dup(0)
If I can find a reference to the ActiveX control in question, I should be able to set up a breakpoint.
I set a breakpoint in WinDbg on the module load of the ActiveX control, because I suspect I need to catch the initialization:
0:000> sxe ld FeeList.ocx
0:000> g
ModLoad: 75f50000 75f76000 C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 73cd0000 73cdf000 C:\WINDOWS\SysWOW64\kernel.appcore.dll
ModLoad: 73c10000 73c8c000 C:\WINDOWS\SysWOW64\uxtheme.dll
ModLoad: 5fd70000 5fdf6000 C:\WINDOWS\SysWOW64\SXS.DLL
ModLoad: 74080000 741c3000 C:\WINDOWS\SysWOW64\MSCTF.dll
ModLoad: 704a0000 704c3000 C:\WINDOWS\SysWOW64\dwmapi.dll
ModLoad: 76b70000 76bf3000 C:\WINDOWS\SysWOW64\clbcatq.dll
ModLoad: 615b0000 615cf000 C:\adv2000\FeeList.ocx
eax=00000000 ebx=00800000 ecx=00000000 edx=00000000 esi=007db8d8 edi=007db820
eip=7744ab5c esp=0019e034 ebp=0019e080 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
ntdll!NtMapViewOfSection+0xc:
7744ab5c c22800 ret 28h
0:000> kv
# ChildEBP RetAddr Args to Child
00 0019e030 7741878f 000001cc ffffffff 007db8f0 ntdll!NtMapViewOfSection+0xc (FPO: [10,0,0])
01 0019e080 7741856d 007db820 00000000 007db82c ntdll!LdrpMinimalMapModule+0xa0 (FPO: [Non-Fpo])
02 0019e0a8 77415643 007db820 00000000 007db904 ntdll!LdrpMapDllWithSectionHandle+0x15 (FPO: [Non-Fpo])
03 0019e0f8 7743418c 0019e2f8 007db820 00000000 ntdll!LdrpMapDllNtFileName+0x12f (FPO: [Non-Fpo])
04 0019e228 7743393e 9e745ffd 0019e2f8 0019e2f4 ntdll!LdrpMapDllFullPath+0xbc (FPO: [0,71,4])
05 0019e278 7742aff7 9e745f45 0019e438 0019e4c8 ntdll!LdrpProcessWork+0x10a (FPO: [SEH])
06 0019e2c0 7741a8eb 00000600 00000004 00000000 ntdll!LdrpLoadDllInternal+0x17c (FPO: [SEH])
07 0019e40c 77417d42 00000000 00000001 0019e430 ntdll!LdrpLoadDll+0x93 (FPO: [3,71,4])
08 0019e490 76ee3b58 00002009 0019e4b8 0019e4c8 ntdll!LdrLoadDll+0x92 (FPO: [Non-Fpo])
09 0019e4d4 762192c8 0019e598 00000000 00002008 KERNELBASE!LoadLibraryExW+0x148 (FPO: [Non-Fpo])
0a 0019e4f8 76219245 00002008 0019e560 0019e598 combase!LoadLibraryWithLogging+0x1b (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\common\loadfree.cxx @ 160]
0b 0019e524 762190a2 0019e558 0019e55c 0019e560 combase!CClassCache::CDllPathEntry::LoadDll+0x50 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\dllcache.cxx @ 2394]
0c 0019e56c 7621615b 0019e590 007db588 80004005 combase!CClassCache::CDllPathEntry::Create+0x35 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\dllcache.cxx @ 2235]
0d 0019e7c4 761fd3de 00000001 0019eb3c 0019e814 combase!CClassCache::CClassEntry::CreateDllClassEntry+0xf3 (FPO: [Non-Fpo]) (CONV: thiscall) [onecore\com\combase\objact\dllcache.cxx @ 1070]
0e 0019eaf4 761b5239 0019eb1c f57d20f9 0019eb28 combase!CClassCache::GetClassObjectActivator+0x52e (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\dllcache.cxx @ 5516]
0f 0019eb28 761b507a 0019f164 761b4f50 0019f85c combase!CClassCache::GetClassObject+0x30 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\dllcache.cxx @ 5284]
10 (Inline) -------- -------- -------- -------- combase!CCGetClassObject+0x3d (Inline Function @ 761b507a) (CONV: stdcall) [onecore\com\combase\objact\dllcache.cxx @ 8308]
11 0019eb94 762088ad 7633b4a4 0019f164 0019f85c combase!CServerContextActivator::GetClassObject+0x12a (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actvator.cxx @ 719]
12 0019ebd0 7622173b 0019f164 0019f85c 00000000 combase!ActivationPropertiesIn::DelegateGetClassObject+0x8d (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\actprops\actprops.cxx @ 1832]
13 0019ebf8 76221056 7633b4a8 0019f164 0019f85c combase!CApartmentActivator::GetClassObject+0x6b (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actvator.cxx @ 2089]
14 0019ec1c 762210d0 7633b4a0 00000001 00000000 combase!CProcessActivator::GCOCallback+0x56 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actvator.cxx @ 1569]
15 0019ec40 7622115b 7633b4a0 0019ef90 00000000 combase!CProcessActivator::AttemptActivation+0x40 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actvator.cxx @ 1524]
16 0019ec84 762213aa 7633b4a0 0019ef90 00000000 combase!CProcessActivator::ActivateByContext+0x7b (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actvator.cxx @ 1390]
17 0019ecb4 762088c0 7633b4a0 0019f164 0019f85c combase!CProcessActivator::GetClassObject+0x6a (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actvator.cxx @ 1213]
18 0019ecf0 76205907 0019f164 0019f85c 003a0043 combase!ActivationPropertiesIn::DelegateGetClassObject+0xa0 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\actprops\actprops.cxx @ 1832]
19 0019ef44 7620888d 7633b49c 0019f164 0019f85c combase!CClientContextActivator::GetClassObject+0xd7 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actvator.cxx @ 451]
1a 0019ef80 76202204 0019f164 0019f85c 76124fa8 combase!ActivationPropertiesIn::DelegateGetClassObject+0x6d (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\actprops\actprops.cxx @ 1884]
1b 0019f99c 7618cd55 00000000 66030510 00000000 combase!ICoGetClassObject+0x834 (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\objact.cxx @ 1341]
1c 0019fa50 7618cc3e 00000000 66030510 0019fad0 combase!CComActivator::DoGetClassObject+0xef (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\immact.hxx @ 337]
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SysWOW64\MSVBVM60.DLL -
1d 0019fa70 66070023 005b5cf4 00000003 00000000 combase!CoGetClassObject+0x4e (FPO: [Non-Fpo]) (CONV: stdcall) [onecore\com\combase\objact\actapi.cxx @ 84]
WARNING: Stack unwind information not available. Following frames may be wrong.
1e 0019fa9c 66044e26 005b5cf4 00000003 00000000 MSVBVM60!IID_IVbaHost+0x419e3
1f 0019fad4 66045557 0000002d 02392574 66012f70 MSVBVM60!IID_IVbaHost+0x167e6
20 0019fb2c 66048e33 00000001 02392574 0019fb74 MSVBVM60!IID_IVbaHost+0x16f17
21 0019fb3c 6606d2cc 0000002d 02392574 005b5c70 MSVBVM60!IID_IVbaHost+0x1a7f3
22 0019fb74 66032695 02392ccc 02392574 02392b1c MSVBVM60!IID_IVbaHost+0x3ec8c
23 0019fba0 6603291b 024a05bc 0019fbc4 02392ccc MSVBVM60!IID_IVbaHost+0x4055
24 0019fbc8 6603295e 024a05bc 02392574 00000000 MSVBVM60!IID_IVbaHost+0x42db
25 0019fbf8 66032737 024a05bc 02392501 00000000 MSVBVM60!IID_IVbaHost+0x431e
26 0019fc30 660320a5 024a05bc 02392574 02392454 MSVBVM60!IID_IVbaHost+0x40f7
27 0019fc90 66031ead 024a05bc 00000000 00000000 MSVBVM60!IID_IVbaHost+0x3a65
28 0019fcb0 660648d1 024a05bc 005b5f9c 00000000 MSVBVM60!IID_IVbaHost+0x386d
29 0019fd08 6606ff18 0019fd40 00000001 024a05bc MSVBVM60!IID_IVbaHost+0x36291
2a 0019fd44 6601e703 02392454 00000001 00403010 MSVBVM60!IID_IVbaHost+0x418d8
2b 0019fe94 66007b3e 024a05bc 00401358 005b05bc MSVBVM60!Zombie_Release+0xfcaa
2c 0019feb8 66003981 00401358 00000000 00401358 MSVBVM60!BASIC_CLASS_QueryInterface+0xeca
2d 0019fed8 660036fa 00400000 00400000 0040116c MSVBVM60!ThunRTMain+0x3dd
2e 0019fef8 66003600 00000000 00400000 0040116c MSVBVM60!ThunRTMain+0x156
2f 0019ff78 00401176 00401358 75f98484 00321000 MSVBVM60!ThunRTMain+0x5c
30 0019ff94 77443ab8 00321000 9e744259 00000000 fee3!__vbaS+0xa
31 0019ffdc 77443a88 ffffffff 7745f2f4 00000000 ntdll!__RtlUserThreadStart+0x2f (FPO: [SEH])
32 0019ffec 00000000 0040116c 00321000 00000000 ntdll!_RtlUserThreadStart+0x1b (FPO: [Non-Fpo])
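As an added example (not part of the question, and not VB6 runtime code), the following script addresses the first step of the triage the question describes: listing every late-bound property store in an IDA text listing so the call sites can be grouped by which object they operate on. It is built from what the listing above shows: the `push 68030012h` before the `__vbaLateIdSt` call is the late-binding id, the control object is fetched through the form's vtable (`call dword ptr [ecx+2FCh]`), and the 16 bytes reserved by `sub esp, 10h` and filled through `edx` are a VARIANT whose `vt` field (`mov ecx, 8` stored to `[edx]`, 8 = VT_BSTR) and value slot (`[edx+8]`, the `offset ___vba@09EB2DB8`) hold the string being assigned. The sample listing is a trimmed copy of the question's own lines; the regexes assume IDA's plain-text output format, the "last immediate push before the call" rule is a heuristic, and translating the id into a property name still needs the control's type library, which is not on the page.

```python
import re
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

# VARENUM values for the VARIANT.vt field (oaidl.h); 8 = VT_BSTR matches "mov ecx, 8"
VT_NAMES = {2: "VT_I2", 3: "VT_I4", 4: "VT_R4", 5: "VT_R8",
            8: "VT_BSTR", 9: "VT_DISPATCH", 11: "VT_BOOL"}

# Constructed sample: the question's IDA listing, trimmed to the instructions that
# build the VARIANT argument and call __vbaLateIdSt.
SAMPLE_LISTING = """
.text:00401D20 ?SetConnectionString@Form1@@AAGXXZ proc near ; CODE XREF: .text:004016E0j
.text:00401D49 sub esp, 10h
.text:00401D4C mov ecx, 8
.text:00401D51 mov edx, esp
.text:00401D53 mov eax, offset ___vba@09EB2DB8
.text:00401D58 push 68030012h
.text:00401D5D mov [ebp+var_14], 0
.text:00401D64 mov [edx], ecx
.text:00401D66 mov ecx, [ebp+var_20]
.text:00401D69 mov [edx+4], ecx
.text:00401D6C mov [edx+8], eax
.text:00401D6F mov eax, [ebp+var_18]
.text:00401D72 mov [edx+0Ch], eax
.text:00401D75 mov eax, [ebp+this]
.text:00401D78 push eax
.text:00401D79 mov ecx, [eax]
.text:00401D7B call dword ptr [ecx+2FCh]
.text:00401D81 lea edx, [ebp+var_14]
.text:00401D84 push eax
.text:00401D85 push edx
.text:00401D86 call ds:__imp____vbaObjSet
.text:00401D8C push eax
.text:00401D8D call ds:__imp____vbaLateIdSt
.text:00401DC0 ?SetConnectionString@Form1@@AAGXXZ endp
"""

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(.*)$")
IMM_RE = re.compile(r"^(?:[0-9A-Fa-f]+h|\d+)$")          # IDA immediates: 8, 0Ch, 68030012h
PUSH_RE = re.compile(r"^push\s+(\S+)$")
MOV_REG_RE = re.compile(r"^mov\s+(e[a-d]x),\s*(.+)$")
MOV_EDX_MEM_RE = re.compile(r"^mov\s+\[edx(?:\+(\S+?))?\],\s*(e[a-d]x)$")
CALL_VTABLE_RE = re.compile(r"^call\s+dword ptr \[ecx\+(\S+?)\]$")
LATE_ID_ST_RE = re.compile(r"^call\s+ds:__imp____vbaLateIdSt$")


@dataclass
class LateIdStore:
    call_addr: int                 # address of the call to __vbaLateIdSt
    late_id: Optional[int]         # immediate pushed as the late-binding id (heuristic)
    vtable_slot: Optional[int]     # slot used to fetch the target object from the form
    variant_vt: Optional[int]      # VARIANT.vt written to [edx]
    value_symbol: Optional[str]    # symbol written to the VARIANT value slot [edx+8]


def _parse_imm(tok: Optional[str]) -> Optional[int]:
    if tok is None or not IMM_RE.match(tok):
        return None
    return int(tok[:-1], 16) if tok[-1] in "hH" else int(tok, 10)


def _analyse(window: List[Tuple[int, str]]) -> Tuple:
    """Walk the instructions before the call, tracking immediate/offset loads into eax-edx."""
    regs = {}
    late_id = vtable_slot = variant_vt = value_symbol = None
    for _, body in window:
        m = MOV_REG_RE.match(body)
        if m:
            reg, src = m.groups()
            if src.startswith("offset "):
                regs[reg] = ("sym", src.split(None, 1)[1])
            elif _parse_imm(src) is not None:
                regs[reg] = ("imm", _parse_imm(src))
            else:
                regs.pop(reg, None)        # loaded from memory or another register: unknown
            continue
        m = PUSH_RE.match(body)
        if m and _parse_imm(m.group(1)) is not None:
            late_id = _parse_imm(m.group(1))
            continue
        m = MOV_EDX_MEM_RE.match(body)
        if m:
            off = _parse_imm(m.group(1)) if m.group(1) else 0
            val = regs.get(m.group(2))
            if off == 0 and val and val[0] == "imm":
                variant_vt = val[1]
            elif off == 8 and val and val[0] == "sym":
                value_symbol = val[1]
            continue
        m = CALL_VTABLE_RE.match(body)
        if m:
            vtable_slot = _parse_imm(m.group(1))
    return late_id, vtable_slot, variant_vt, value_symbol


def find_late_id_stores(listing: str, window_size: int = 40) -> List[LateIdStore]:
    """Return one record per __vbaLateIdSt call site found in an IDA text listing."""
    stores, window = [], deque(maxlen=window_size)
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr, body = int(m.group(1), 16), m.group(2).split(";", 1)[0].strip()
        if body.endswith(" proc near") or body.endswith(" endp"):
            window.clear()                 # never let a previous function's pushes leak in
            continue
        window.append((addr, body))
        if LATE_ID_ST_RE.match(body):
            stores.append(LateIdStore(addr, *_analyse(list(window))))
    return stores


def describe(store: LateIdStore) -> str:
    hx = lambda v: f"{v:#x}" if v is not None else "?"
    vt = VT_NAMES.get(store.variant_vt, hx(store.variant_vt))
    return (f"{store.call_addr:08X}: late-bound store id={hx(store.late_id)} on object from "
            f"vtable slot {hx(store.vtable_slot)}, value {vt} {store.value_symbol}")


if __name__ == "__main__":
    for s in find_late_id_stores(SAMPLE_LISTING):
        print(describe(s))
```

Run over the full listing of the larger program (File > Produce file > Create ASM file in IDA), the output groups the stores by vtable slot, which is the form's accessor for one specific control instance, and by id, which is constant per property; the `___vba@...` symbols are the BSTR constants, so an absent symbol marks a value that is built at runtime and is the one to catch in the debugger.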