最近pdf文件问题很火,关键字zeus,网上看到了几篇文章,顺便自己练练手,用OD分析了下。
pdf这个文件格式潜在问题还挺多的。因为这种格式太“兼容并包”了。
首先推荐看
blog.didierstevens.com/2010/03/29/escape-from-pdf/
blog.didierstevens.com/2010/04/06/update-escape-from-pdf/
稍微了解下PDF文件格式。用文本编辑工具直接打开pdf....
begin.....
分析了下foxit怎么样处理launch action的,3个版本情况如下(具体OD分析见后面):
1.foxit reader 3.1.3.1031,对传入的/F参数(不是/WIN中的/F)中的程序路径字符串处理不当, / 和 \ 互换,造成可以运行带参数的程序(如CMD)。
处理过程:首先处理程序路径,/和\互换,然后根据/NewWindow值,调用不同函数创建进程运行外部程序,若 /NewWindow true,会调用CreateProcessA(危险!);若为false,则调用ShellExecuteA。ShellExecuteA很安全,详细见后。
2.foxit reader 3.1.4.1125(最新),在/F传程序路径时,路径中的 / 转换成 \ ,避免了cmd脚本执行。但是还是能给程序传递参数。以 - 表示参数开始的程序。
处理过程:跟1差不多,程序是UNICODE的,所以有个字符串变换(ASCII--->UNICODE),路径是 / 转换成 \ ,后面相同。
3.foxit reader 3.2.1.0401(最新),解决了上述问题。对于launch action有对话框提示,提示有点点问题,只提示要运行的程序名,didier stevens说可以控制提示信息,不知道怎么实现 -_-!
pdf内嵌可执行文件方法:
1. /EmbeddedFiles,其实是个附件,可隐藏。
2. 用CMD下的copy。嵌入的文件不能太大..
--------------------------------------------------------------------------------------------------------------------------------------------------
foxit reader 3.1.3.1031 launch action 中路径,参数处理不当问题。
对整个命令行参数执行 / <-> \互换,这是个明显的错误。导致能执行cmd脚本。
(1)路径处理
0050B390 /$ 6A FF PUSH -1
0050B392 |. 68 CF219500 PUSH Foxit_Re.009521CF ; SE 处理程序安装
0050B397 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0050B39D |. 50 PUSH EAX
0050B39E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0050B3A5 |. 83EC 08 SUB ESP,8
0050B3A8 |. 56 PUSH ESI
0050B3A9 |. C74424 08 000>MOV DWORD PTR SS:[ESP+8],0
0050B3B1 |. C74424 04 000>MOV DWORD PTR SS:[ESP+4],0
0050B3B9 |. 8B7424 20 MOV ESI,DWORD PTR SS:[ESP+20]
0050B3BD |. C74424 14 010>MOV DWORD PTR SS:[ESP+14],1
0050B3C5 |. 8A06 MOV AL,BYTE PTR DS:[ESI]
0050B3C7 |. 84C0 TEST AL,AL
0050B3C9 |. 74 22 JE SHORT Foxit_Re.0050B3ED
0050B3CB |> 3C 5C /CMP AL,5C ; \
0050B3CD |. 75 04 |JNZ SHORT Foxit_Re.0050B3D3
0050B3CF |. 6A 2F |PUSH 2F
0050B3D1 |. EB 09 |JMP SHORT Foxit_Re.0050B3DC
0050B3D3 |> 3C 2F |CMP AL,2F ; /
0050B3D5 |. 75 04 |JNZ SHORT Foxit_Re.0050B3DB
0050B3D7 |. 6A 5C |PUSH 5C
0050B3D9 |. EB 01 |JMP SHORT Foxit_Re.0050B3DC
0050B3DB |> 50 |PUSH EAX
0050B3DC |> 8D4C24 08 |LEA ECX,DWORD PTR SS:[ESP+8]
0050B3E0 |. E8 ABFF0F00 |CALL Foxit_Re.0060B390 ; 路径转换 / <---> \
0050B3E5 |. 8A46 01 |MOV AL,BYTE PTR DS:[ESI+1]
0050B3E8 |. 46 |INC ESI
0050B3E9 |. 84C0 |TEST AL,AL
0050B3EB |.^ 75 DE \JNZ SHORT Foxit_Re.0050B3CB
0050B3ED |> 8B7424 1C MOV ESI,DWORD PTR SS:[ESP+1C]
0050B3F1 |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0050B3F5 |. 50 PUSH EAX
0050B3F6 |. 8BCE MOV ECX,ESI
0050B3F8 |. E8 53FD0F00 CALL Foxit_Re.0060B150
0050B3FD |. C74424 08 010>MOV DWORD PTR SS:[ESP+8],1
0050B405 |. 8D4C24 04 LEA ECX,DWORD PTR SS:[ESP+4]
0050B409 |. C64424 14 00 MOV BYTE PTR SS:[ESP+14],0
0050B40E |. E8 3DE20F00 CALL Foxit_Re.00609650
0050B413 |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
0050B417 |. 8BC6 MOV EAX,ESI
0050B419 |. 5E POP ESI
0050B41A |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0050B421 |. 83C4 14 ADD ESP,14
0050B424 \. C3 RETN
(2)运行外部程序
004767F0 /$ 6A FF PUSH -1
004767F2 |. 68 20619400 PUSH Foxit_Re.00946120 ; SE 处理程序安装
004767F7 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
004767FD |. 50 PUSH EAX
004767FE |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00476805 |. 83EC 58 SUB ESP,58
00476808 |. 56 PUSH ESI
00476809 |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0047680D |. 57 PUSH EDI
0047680E |. 8BF1 MOV ESI,ECX
00476810 |. 50 PUSH EAX ; /Arg1
00476811 |. E8 5ABE0C00 CALL Foxit_Re.00542670 ; \Foxit_Re.00542670
00476816 |. BF E40FAB00 MOV EDI,Foxit_Re.00AB0FE4 ; newwindow
0047681B |. C74424 68 000>MOV DWORD PTR SS:[ESP+68],0
00476823 |. 8BCF MOV ECX,EDI
00476825 |. 897C24 0C MOV DWORD PTR SS:[ESP+C],EDI
00476829 |. 85C9 TEST ECX,ECX
0047682B |. 74 10 JE SHORT Foxit_Re.0047683D
0047682D |. 83C9 FF OR ECX,FFFFFFFF
00476830 |. 33C0 XOR EAX,EAX
00476832 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00476834 |. F7D1 NOT ECX
00476836 |. 49 DEC ECX
00476837 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0047683B |. EB 08 JMP SHORT Foxit_Re.00476845
0047683D |> C74424 10 000>MOV DWORD PTR SS:[ESP+10],0
00476845 |> 8B0E MOV ECX,DWORD PTR DS:[ESI]
00476847 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
0047684B |. 52 PUSH EDX
0047684C |. E8 AFBB0800 CALL Foxit_Re.00502400 ; 关键处
00476851 |. 85C0 TEST EAX,EAX
00476853 |. 74 57 JE SHORT Foxit_Re.004768AC ; 若eax=0,则转到ShellExecuteA
00476855 |. 8BC8 MOV ECX,EAX
00476857 |. E8 B4A90800 CALL Foxit_Re.00501210
0047685C |. 85C0 TEST EAX,EAX
0047685E |. 74 4C JE SHORT Foxit_Re.004768AC ; 若eax=0,则转到ShellExecuteA
00476860 |. B9 11000000 MOV ECX,11
00476865 |. 33C0 XOR EAX,EAX
00476867 |. 8D7C24 1C LEA EDI,DWORD PTR SS:[ESP+1C]
0047686B |. F3:AB REP STOS DWORD PTR ES:[EDI]
0047686D |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00476871 |. C74424 1C 440>MOV DWORD PTR SS:[ESP+1C],44
00476879 |. 85C0 TEST EAX,EAX
0047687B |. 74 05 JE SHORT Foxit_Re.00476882
0047687D |. 83C0 0C ADD EAX,0C
00476880 |. EB 05 JMP SHORT Foxit_Re.00476887
00476882 |> B8 DC9CBF00 MOV EAX,Foxit_Re.00BF9CDC
00476887 |> 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
0047688B |. 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+1C]
0047688F |. 51 PUSH ECX ; /pProcessInfo
00476890 |. 52 PUSH EDX ; |pStartupInfo
00476891 |. 6A 00 PUSH 0 ; |CurrentDir = NULL
00476893 |. 6A 00 PUSH 0 ; |pEnvironment = NULL
00476895 |. 6A 00 PUSH 0 ; |CreationFlags = 0
00476897 |. 6A 00 PUSH 0 ; |InheritHandles = FALSE
00476899 |. 6A 00 PUSH 0 ; |pThreadSecurity = NULL
0047689B |. 6A 00 PUSH 0 ; |pProcessSecurity = NULL
0047689D |. 50 PUSH EAX ; |CommandLine
0047689E |. 6A 00 PUSH 0 ; |ModuleFileName = NULL
004768A0 |. FF15 64E59800 CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>] ; \CreateProcessA
004768A6 |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004768AA |. EB 26 JMP SHORT Foxit_Re.004768D2
004768AC |> 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004768B0 |. 85C0 TEST EAX,EAX
004768B2 |. 74 05 JE SHORT Foxit_Re.004768B9
004768B4 |. 83C0 0C ADD EAX,0C
004768B7 |. EB 05 JMP SHORT Foxit_Re.004768BE
004768B9 |> B8 DC9CBF00 MOV EAX,Foxit_Re.00BF9CDC
004768BE |> 6A 05 PUSH 5 ; /IsShown = 5
004768C0 |. 6A 00 PUSH 0 ; |DefDir = NULL
004768C2 |. 6A 00 PUSH 0 ; |Parameters = NULL
004768C4 |. 50 PUSH EAX ; |FileName
004768C5 |. 68 8410AB00 PUSH Foxit_Re.00AB1084 ; |open
004768CA |. 6A 00 PUSH 0 ; |hWnd = NULL
004768CC |. FF15 F0E69800 CALL DWORD PTR DS:[<&SHELL32.ShellExecuteA>] ; \ShellExecuteA
当没有/NewWindow true时,外部程序是用ShellExecuteA运行的,此时参数=NULL.固定。
当存在参数/NewWindow true时,外部程序是用CreateProcessA运行的,
CommandLine即为/F中的参数经过/,\字符变换后的命令行参数。
------------------------------------------------------------------------------------------------------------------------------------------------
foxit reader 3.1.4.1125在处理launch action时存在的问题。
第一种情况:
<<
/Type /Action
/S /Launch
/Win
<<
/D()/F(c:\\windows\\system32\\notepad.exe)/O()/P(f:\\test.bat)
>>
>>
这样是不行的。
00476040 /$ 6A FF PUSH -1
00476042 |. 68 106B9400 PUSH Foxit_Re.00946B10 ; SE 处理程序安装
00476047 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0047604D |. 50 PUSH EAX
0047604E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00476055 |. 83EC 58 SUB ESP,58
00476058 |. 56 PUSH ESI
00476059 |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0047605D |. 57 PUSH EDI
0047605E |. 8BF1 MOV ESI,ECX
00476060 |. 50 PUSH EAX ; /Arg1
00476061 |. E8 1ABD0900 CALL Foxit_Re.00511D80 ; \Foxit_Re.00511D80
00476066 |. BF 4820AB00 MOV EDI,Foxit_Re.00AB2048 ; newwindow
0047606B |. C74424 68 000>MOV DWORD PTR SS:[ESP+68],0
00476073 |. 8BCF MOV ECX,EDI
00476075 |. 897C24 0C MOV DWORD PTR SS:[ESP+C],EDI
00476079 |. 85C9 TEST ECX,ECX
0047607B |. 74 10 JE SHORT Foxit_Re.0047608D
0047607D |. 83C9 FF OR ECX,FFFFFFFF
00476080 |. 33C0 XOR EAX,EAX
00476082 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00476084 |. F7D1 NOT ECX
00476086 |. 49 DEC ECX
00476087 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0047608B |. EB 08 JMP SHORT Foxit_Re.00476095
0047608D |> C74424 10 000>MOV DWORD PTR SS:[ESP+10],0
00476095 |> 8B0E MOV ECX,DWORD PTR DS:[ESI]
00476097 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
0047609B |. 52 PUSH EDX
0047609C |. E8 5FB40500 CALL Foxit_Re.004D1500
004760A1 |. 85C0 TEST EAX,EAX
004760A3 |. 74 57 JE SHORT Foxit_Re.004760FC
004760A5 |. 8BC8 MOV ECX,EAX
004760A7 |. E8 64A20500 CALL Foxit_Re.004D0310
004760AC |. 85C0 TEST EAX,EAX
004760AE |. 74 4C JE SHORT Foxit_Re.004760FC
004760B0 |. B9 11000000 MOV ECX,11
004760B5 |. 33C0 XOR EAX,EAX
004760B7 |. 8D7C24 1C LEA EDI,DWORD PTR SS:[ESP+1C]
004760BB |. F3:AB REP STOS DWORD PTR ES:[EDI]
004760BD |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004760C1 |. C74424 1C 440>MOV DWORD PTR SS:[ESP+1C],44
004760C9 |. 85C0 TEST EAX,EAX
004760CB |. 74 05 JE SHORT Foxit_Re.004760D2
004760CD |. 83C0 0C ADD EAX,0C
004760D0 |. EB 05 JMP SHORT Foxit_Re.004760D7
004760D2 |> B8 9845C000 MOV EAX,Foxit_Re.00C04598
004760D7 |> 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
004760DB |. 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+1C]
004760DF |. 51 PUSH ECX ; /pProcessInfo
004760E0 |. 52 PUSH EDX ; |pStartupInfo
004760E1 |. 6A 00 PUSH 0 ; |CurrentDir = NULL
004760E3 |. 6A 00 PUSH 0 ; |pEnvironment = NULL
004760E5 |. 6A 00 PUSH 0 ; |CreationFlags = 0
004760E7 |. 6A 00 PUSH 0 ; |InheritHandles = FALSE
004760E9 |. 6A 00 PUSH 0 ; |pThreadSecurity = NULL
004760EB |. 6A 00 PUSH 0 ; |pProcessSecurity = NULL
004760ED |. 50 PUSH EAX ; |CommandLine
004760EE |. 6A 00 PUSH 0 ; |ModuleFileName = NULL
004760F0 |. FF15 C4059900 CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; \(初始 cpu 选择)
004760F6 |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004760FA |. EB 26 JMP SHORT Foxit_Re.00476122
004760FC |> 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00476100 |. 85C0 TEST EAX,EAX
00476102 |. 74 05 JE SHORT Foxit_Re.00476109
00476104 |. 83C0 0C ADD EAX,0C
00476107 |. EB 05 JMP SHORT Foxit_Re.0047610E
00476109 |> B8 9845C000 MOV EAX,Foxit_Re.00C04598
0047610E |> 6A 05 PUSH 5 ; /IsShown = 5
00476110 |. 6A 00 PUSH 0 ; |DefDir = NULL
00476112 |. 6A 00 PUSH 0 ; |Parameters = NULL
00476114 |. 50 PUSH EAX ; |FileName
00476115 |. 68 EC20AB00 PUSH Foxit_Re.00AB20EC ; |o
0047611A |. 6A 00 PUSH 0 ; |hWnd = NULL
0047611C |. FF15 44079900 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteW
寄存器值:
EAX 019F94E4 UNICODE "c:\windows\system32\notepad.exe"
ECX 00000000
EDX 005DCDE0 Foxit_Re.005DCDE0
EBX 00000000
ESP 0012F53C
EBP 01A32E20
ESI 0012F5E4
EDI 00AB2052 Foxit_Re.00AB2052
EIP 0047611C Foxit_Re.0047611C
C 0 ES 0023 32位 0(FFFFFFFF)
P 1 CS 001B 32位 0(FFFFFFFF)
A 1 SS 0023 32位 0(FFFFFFFF)
Z 0 DS 0023 32位 0(FFFFFFFF)
S 0 FS 003B 32位 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
MM0 BF83 D600 85F0 0294
MM1 859F 7778 BF80 0B1B
MM2 0000 0001 0000 0001
MM3 0000 0000 0000 0000
MM4 BFFF FFE0 0000 0000
MM5 8000 0000 0000 0000
MM6 0000 0000 0000 0000
MM7 CA12 D2D2 D2D2 D000
当EIP=0047611C时,程序最后调用了ShellExecuteW来运行Open Action.而ShellExecuteW的Parameters = NULL固定了
所以最终只能运行一个程序,而不能给程序传递参数。
第二种情况:
<<
/Type /Action
/S /Launch
/F (c:\\windows\\system32\\notepad.exe f:\\test.bat)
/NewWindow true
>>
(1)
0051571B |. /74 20 JE SHORT Foxit_Re.0051573D
0051571D |> |66:3D 2F00 /CMP AX,2F ; /
00515721 |. |75 04 |JNZ SHORT Foxit_Re.00515727
00515723 |. |6A 5C |PUSH 5C ; \
00515725 |. |EB 01 |JMP SHORT Foxit_Re.00515728
00515727 |> |50 |PUSH EAX
00515728 |> |8D4C24 08 |LEA ECX,DWORD PTR SS:[ESP+8]
0051572C |. |E8 DF3B0C00 |CALL Foxit_Re.005D9310
00515731 |. |66:8B46 02 |MOV AX,WORD PTR DS:[ESI+2]
00515735 |. |83C6 02 |ADD ESI,2
00515738 |. |66:85C0 |TEST AX,AX
此段代码作用是将命令行中的 / 全部替换成 \ ,防止带参数的cmd命令行。
但并没有过滤后面的参数。所以还是能传递参数。
(2)
00476040 /$ 6A FF PUSH -1
00476042 |. 68 106B9400 PUSH Foxit_Re.00946B10 ; SE 处理程序安装
00476047 |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0]
0047604D |. 50 PUSH EAX
0047604E |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
00476055 |. 83EC 58 SUB ESP,58
00476058 |. 56 PUSH ESI
00476059 |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
0047605D |. 57 PUSH EDI
0047605E |. 8BF1 MOV ESI,ECX
00476060 |. 50 PUSH EAX ; /Arg1
00476061 |. E8 1ABD0900 CALL Foxit_Re.00511D80 ; \Foxit_Re.00511D80
00476066 |. BF 4820AB00 MOV EDI,Foxit_Re.00AB2048 ; newwindow
0047606B |. C74424 68 000>MOV DWORD PTR SS:[ESP+68],0
00476073 |. 8BCF MOV ECX,EDI
00476075 |. 897C24 0C MOV DWORD PTR SS:[ESP+C],EDI
00476079 |. 85C9 TEST ECX,ECX
0047607B |. 74 10 JE SHORT Foxit_Re.0047608D
0047607D |. 83C9 FF OR ECX,FFFFFFFF
00476080 |. 33C0 XOR EAX,EAX
00476082 |. F2:AE REPNE SCAS BYTE PTR ES:[EDI]
00476084 |. F7D1 NOT ECX
00476086 |. 49 DEC ECX
00476087 |. 894C24 10 MOV DWORD PTR SS:[ESP+10],ECX
0047608B |. EB 08 JMP SHORT Foxit_Re.00476095
0047608D |> C74424 10 000>MOV DWORD PTR SS:[ESP+10],0
00476095 |> 8B0E MOV ECX,DWORD PTR DS:[ESI]
00476097 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
0047609B |. 52 PUSH EDX
0047609C |. E8 5FB40500 CALL Foxit_Re.004D1500
004760A1 |. 85C0 TEST EAX,EAX
004760A3 |. 74 57 JE SHORT Foxit_Re.004760FC
004760A5 |. 8BC8 MOV ECX,EAX
004760A7 |. E8 64A20500 CALL Foxit_Re.004D0310
004760AC |. 85C0 TEST EAX,EAX
004760AE |. 74 4C JE SHORT Foxit_Re.004760FC
004760B0 |. B9 11000000 MOV ECX,11
004760B5 |. 33C0 XOR EAX,EAX
004760B7 |. 8D7C24 1C LEA EDI,DWORD PTR SS:[ESP+1C]
004760BB |. F3:AB REP STOS DWORD PTR ES:[EDI]
004760BD |. 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
004760C1 |. C74424 1C 440>MOV DWORD PTR SS:[ESP+1C],44
004760C9 |. 85C0 TEST EAX,EAX
004760CB |. 74 05 JE SHORT Foxit_Re.004760D2
004760CD |. 83C0 0C ADD EAX,0C
004760D0 |. EB 05 JMP SHORT Foxit_Re.004760D7
004760D2 |> B8 9845C000 MOV EAX,Foxit_Re.00C04598
004760D7 |> 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
004760DB |. 8D5424 1C LEA EDX,DWORD PTR SS:[ESP+1C]
004760DF |. 51 PUSH ECX ; /pProcessInfo
004760E0 |. 52 PUSH EDX ; |pStartupInfo
004760E1 |. 6A 00 PUSH 0 ; |CurrentDir = NULL
004760E3 |. 6A 00 PUSH 0 ; |pEnvironment = NULL
004760E5 |. 6A 00 PUSH 0 ; |CreationFlags = 0
004760E7 |. 6A 00 PUSH 0 ; |InheritHandles = FALSE
004760E9 |. 6A 00 PUSH 0 ; |pThreadSecurity = NULL
004760EB |. 6A 00 PUSH 0 ; |pProcessSecurity = NULL
004760ED |. 50 PUSH EAX ; |CommandLine
004760EE |. 6A 00 PUSH 0 ; |ModuleFileName = NULL
004760F0 |. FF15 C4059900 CALL DWORD PTR DS:[<&KERNEL32.CreateProc>; \(初始 cpu 选择)
004760F6 |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004760FA |. EB 26 JMP SHORT Foxit_Re.00476122
004760FC |> 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
00476100 |. 85C0 TEST EAX,EAX
00476102 |. 74 05 JE SHORT Foxit_Re.00476109
00476104 |. 83C0 0C ADD EAX,0C
00476107 |. EB 05 JMP SHORT Foxit_Re.0047610E
00476109 |> B8 9845C000 MOV EAX,Foxit_Re.00C04598
0047610E |> 6A 05 PUSH 5 ; /IsShown = 5
00476110 |. 6A 00 PUSH 0 ; |DefDir = NULL
00476112 |. 6A 00 PUSH 0 ; |Parameters = NULL
00476114 |. 50 PUSH EAX ; |FileName
00476115 |. 68 EC20AB00 PUSH Foxit_Re.00AB20EC ; |o
0047611A |. 6A 00 PUSH 0 ; |hWnd = NULL
0047611C |. FF15 44079900 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteW
寄存器情况:
EAX 019F9B9C UNICODE "c:\windows\system32\notepad.exe f:\test.bat"
ECX 0012F560
EDX 0012F570
EBX 00000000
ESP 0012F52C
EBP 01A32E80
ESI 0012F5E4
EDI 0012F5B4
EIP 004760F0 Foxit_Re.004760F0
C 0 ES 0023 32位 0(FFFFFFFF)
P 1 CS 001B 32位 0(FFFFFFFF)
A 0 SS 0023 32位 0(FFFFFFFF)
Z 0 DS 0023 32位 0(FFFFFFFF)
S 0 FS 003B 32位 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
MM0 0059 5A5B 0059 5A5B
MM1 85B8 C2C8 BF80 0B1B
MM2 0000 0001 0000 0001
MM3 0000 0000 0000 0000
MM4 BFFF FFE0 0000 0000
MM5 8000 0000 0000 0000
MM6 0000 0000 0000 0000
MM7 CA12 D2D2 D2D2 D000
当参数/NewWindow true设置了时,会调用CreateProcess来执行程序。而API参数CommandLine是个变量。
这里是c:\windows\system32\notepad.exe f:\test.bat。
此时,即向Launch Action传递了参数。
---------------------------------------------------------------------------------------------------------------------------------------------------
foxit reader 3.2.1.0401 launch action分析
<<
/Type /Action
/S /Launch
/F (c:\\windows\\system32\\notepad.exe f:\\test.bat)
/NewWindow true
>>
0040A0E1 > \8B8424 880000>MOV EAX,DWORD PTR SS:[ESP+88]
0040A0E8 . 85C0 TEST EAX,EAX
0040A0EA . B8 BC81B300 MOV EAX,Foxit_Re.00B381BC ; UNICODE "open"
0040A0EF . 75 05 JNZ SHORT Foxit_Re.0040A0F6
0040A0F1 . B8 B081B300 MOV EAX,Foxit_Re.00B381B0 ; UNICODE "print"
0040A0F6 > 8B8C24 840000>MOV ECX,DWORD PTR SS:[ESP+84]
0040A0FD . 8B9424 800000>MOV EDX,DWORD PTR SS:[ESP+80]
0040A104 . 6A 01 PUSH 1 ; /IsShown = 1
0040A106 . 51 PUSH ECX ; |DefDir
0040A107 . 52 PUSH EDX ; |Parameters
0040A108 . 57 PUSH EDI ; |FileName
0040A109 . 50 PUSH EAX ; |Operation
0040A10A . 6A 00 PUSH 0 ; |hWnd = NULL
0040A10C . FF15 7497A000 CALL DWORD PTR DS:[<&SHELL32.ShellExecuteW>] ; \ShellExecuteW
这时FileName为c:\windows\system32\notepad.exe f:\test.bat,参数空。很明显程序不能运行。
<<
/Type /Action
/S /Launch
/Win
<<
/D()/F(c:\\windows\\system32\\notepad.exe)/O()/P(f:\\test.bat)
>>
>>
0040A0E1 > \8B8424 880000>MOV EAX,DWORD PTR SS:[ESP+88]
0040A0E8 . 85C0 TEST EAX,EAX
0040A0EA . B8 BC81B300 MOV EAX,Foxit_Re.00B381BC ; UNICODE "open"
0040A0EF . 75 05 JNZ SHORT Foxit_Re.0040A0F6
0040A0F1 . B8 B081B300 MOV EAX,Foxit_Re.00B381B0 ; UNICODE "print"
0040A0F6 > 8B8C24 840000>MOV ECX,DWORD PTR SS:[ESP+84]
0040A0FD . 8B9424 800000>MOV EDX,DWORD PTR SS:[ESP+80]
0040A104 . 6A 01 PUSH 1 ; /IsShown = 1
0040A106 . 51 PUSH ECX ; |DefDir
0040A107 . 52 PUSH EDX ; |Parameters
0040A108 . 57 PUSH EDI ; |FileName
0040A109 . 50 PUSH EAX ; |Operation
0040A10A . 6A 00 PUSH 0 ; |hWnd = NULL
0040A10C . FF15 7497A000 CALL DWORD PTR DS:[<&SHELL32.ShellExecuteW>] ; \ShellExecuteW
寄存器:
EAX 00B381BC UNICODE "open"
ECX 00CBB7F8 Foxit_Re.00CBB7F8
EDX 01ACB5CC UNICODE "f:\test.bat"
EBX 01AF7F18
ESP 0012EEA4
EBP 0012F5E4
ESI 00000001
EDI 01ACB79C UNICODE "c:\windows\system32\notepad.exe"
EIP 0040A10C Foxit_Re.0040A10C
堆栈:
0012EEA4 00000000 |hWnd = NULL
0012EEA8 00B381BC |Operation = "open"
0012EEAC 01ACB79C |FileName = "c:\windows\system32\notepad.exe"
0012EEB0 01ACB5CC |Parameters = "f:\test.bat"
0012EEB4 00CBB7F8 |DefDir = ""
0012EEB8 00000001 \IsShown = 1
有点问题,对话框提示只有FileName.
- 标 题:foxit reader各版本launch action问题分析
- 作 者:天外飞客
- 时 间:2010-04-23 17:08:31
- 链 接:http://bbs.pediy.com/showthread.php?t=111578