CVE-2013-3893
Published: 2019-06-06


Heads up! This post is rather long, because I recorded the complete debugging process; those who are interested can read it through. If you don't have the patience, skip straight to the summary at the end :)

  Microsoft Internet Explorer remote code execution vulnerability ()

        Internet Explorer (IE) is a web browser developed by Microsoft and is the default browser shipped with the Windows operating system.

        Microsoft IE versions 6 through 11 contain a remote code execution vulnerability in the SetMouseCapture implementation in mshtml.dll. The vulnerability stems from the program accessing an object in memory that has already been deleted or was never properly allocated. An attacker can craft a special website and lure a user into viewing it, using the vulnerability to execute arbitrary code inside IE in the context of the current user and cause memory corruption. An attacker who successfully exploits the vulnerability gains the same user rights as the current user. If the current user is logged on with administrative rights, the attacker can take complete control of the affected system, and can then install programs; view, change or delete data; or create new accounts with full user rights.

The PoC is as follows:

 The program crashes as shown below, with the value of edi triggering the exception. Analysis shows that the edi value is passed down from the calling function, and that it points into a heap block that has already been freed. The debugging record follows.

1:021> g
(ed4.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=041ce6c8 ecx=05e00680 edx=041ce400 esi=00000000 edi=074a9fb0
eip=656c1f60 esp=041ce618 ebp=041ce620 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CDoc::HasContainerCapture+0x14:
656c1f60 8b0f            mov     ecx,dword ptr [edi]  ds:0023:074a9fb0=????????
1:021> !heap -p -a edi
    address 074a9fb0 found in
    _DPH_HEAP_ROOT @ 1201000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7392478:          74a9000             2000
    6b4890b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    771e5674 ntdll!RtlDebugFreeHeap+0x0000002f
    771a7aca ntdll!RtlpFreeHeap+0x0000005d
    77172d68 ntdll!RtlFreeHeap+0x00000142
    75a5f1ac kernel32!HeapFree+0x00000014
    656be590 mshtml!CTreeNode::Release+0x0000002d
    656d15b1 mshtml!CMarkup::UnloadContents+0x00000380
    656d2a8a mshtml!CMarkup::TearDownMarkupHelper+0x00000055
    656d2a15 mshtml!CMarkup::TearDownMarkup+0x00000049
    655b3b5e mshtml!COmWindowProxy::SwitchMarkup+0x000005a0
    65502bb4 mshtml!CDocument::open+0x00000426
    65500789 mshtml!CDocument::write+0x0000007c
    655b3267 mshtml!Method_void_SAFEARRAYPVARIANTP+0x00000085
    656e235c mshtml!CBase::ContextInvokeEx+0x000005dc
    656e25d5 mshtml!CBase::InvokeEx+0x00000025
    656edf9a mshtml!DispatchInvokeCollection+0x0000014c
    656a4998 mshtml!CDocument::InvokeEx+0x000000f0
    65693148 mshtml!CBase::VersionedInvokeEx+0x00000020
    65693104 mshtml!PlainInvokeEx+0x000000eb
    6b4ea22a jscript!IDispatchExInvokeEx2+0x00000104
    6b4ea175 jscript!IDispatchExInvokeEx+0x0000006a
    6b4ea3f6 jscript!InvokeDispatchEx+0x00000098
    6b4ea4a0 jscript!VAR::InvokeByName+0x00000139
    6b4fd8c8 jscript!VAR::InvokeDispName+0x0000007d
    6b4fd96f jscript!VAR::InvokeByDispID+0x000000ce
    6b4fe3e7 jscript!CScriptRuntime::Run+0x00002b80
    6b4f5c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6b4f5bfb jscript!ScrFncObj::Call+0x0000008d
    6b4f5e11 jscript!CSession::Execute+0x0000015f
    6b4ef3ee jscript!NameTbl::InvokeDef+0x000001b5
    6b4eea2e jscript!NameTbl::InvokeEx+0x0000012c
    65707af1 mshtml!CBase::InvokeDispatchWithThis+0x000001e1

 From this we can see that edi is a pointer to a CTreeNode object that has already been freed. The stack backtrace is as follows:

1:021> KV
ChildEBP RetAddr  Args to Child              
0428e510 656c1a82 00000000 069f4ff0 05538680 mshtml!CDoc::HasContainerCapture+0x14
0428e594 6573163d 0428e5b8 00000000 00000000 mshtml!CDoc::PumpMessage+0x3e4
0428e650 657f580d 0614fff0 00000001 069f4ff0 mshtml!CDoc::SetMouseCapture+0xe7
0428e678 654da5d0 07689fc8 0000ffff 0495bfd0 mshtml!CElement::setCapture+0x51
0428e6a0 656e235c 07689fc8 0495bfd0 07665fd8 mshtml!Method_void_oDoVARIANTBOOL+0xc5
0428e714 656ec75a 07689fc8 80010410 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
0428e764 656ec79a 07689fc8 80010410 00000001 mshtml!CElement::ContextInvokeEx+0x9d
0428e790 65693104 07689fc8 80010410 00000001 mshtml!CInput::VersionedInvokeEx+0x2d
0428e7e4 6a58a22a 076abfd8 80010410 00000001 mshtml!PlainInvokeEx+0xeb
0428e820 6a58a175 06eb0d10 80010410 00000409 jscript!IDispatchExInvokeEx2+0x104
0428e85c 6a58a3f6 06eb0d10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
0428e91c 6a58a4a0 80010410 00000001 00000000 jscript!InvokeDispatchEx+0x98
0428e950 6a59d8c8 06eb0d10 0428e984 00000001 jscript!VAR::InvokeByName+0x139
0428e99c 6a59d96f 06eb0d10 00000001 00000000 jscript!VAR::InvokeDispName+0x7d
0428e9c8 6a59e3e7 06eb0d10 00000000 00000001 jscript!VAR::InvokeByDispID+0xce
0428eb64 6a595c9d 0428eb7c 00000000 0493ef88 jscript!CScriptRuntime::Run+0x2b80
0428ec4c 6a595bfb 00000000 00000000 0493cf70 jscript!ScrFncObj::CallWithFrameOnStack+0xce
0428ec94 6a5974ac 00000000 00000000 0493cf70 jscript!ScrFncObj::Call+0x8d
0428ed18 6a594ea4 06eb2fa0 06eb0d10 00000001 jscript!NameTbl::InvokeInternal+0x141
0428ed4c 6a59e3e7 06eb0d10 00000000 00000001 jscript!VAR::InvokeByDispID+0x17f

Look at the call site:

1:021> UB 656c1a82
mshtml!CDoc::PumpMessage+0x3c0:
656c1a5e 81a7580700007fffffff and dword ptr [edi+758h],0FFFFFF7Fh
656c1a68 57              push    edi
656c1a69 e8eafdffff      call    mshtml!CDoc::ReleaseDetachedCaptures (656c1858)
656c1a6e 837c242c00      cmp     dword ptr [esp+2Ch],0
656c1a73 7415            je      mshtml!CDoc::PumpMessage+0x444 (656c1a8a)
656c1a75 8b7c2410        mov     edi,dword ptr [esp+10h]
656c1a79 8b4c2414        mov     ecx,dword ptr [esp+14h]
656c1a7d e8c6040000      call    mshtml!CDoc::HasContainerCapture (656c1f48)

But this still tells us nothing about how the freed object gets reused. This is what makes IE vulnerability analysis hard: you have to start from the execution flow to understand it.

We now have a guess: the UAF object is the CTreeNode of some element, so we can try the generic CTreeNode breakpoints.

Break on creation: CTreeNode::CTreeNode; break on release: CTreeNode::Release

bu mshtml!CTreeNode::Release "ln poi(poi(edx));.echo ==CTreeNode释放==;gc;"

Add helper statements to the PoC to assist debugging:

Math.tan(3,4);
bu jscript!tan

Break on tan first, then set the logging breakpoint; this avoids interference from elements that are not part of the PoC.

1:021> g
(690d70e0)   mshtml!CPhraseElement::`vftable'   |  (690d7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = 
==CTreeNode释放==(690d70e0) mshtml!CPhraseElement::`vftable' | (690d7308) mshtml!CBlockElement::`vftable'Exact matches: mshtml!CPhraseElement::`vftable' =
==CTreeNode释放==(690fc2e8) mshtml!CGenericElement::`vftable' | (69234ce0) mshtml!CHeaderElement::`vftable'Exact matches: mshtml!CGenericElement::`vftable' =
==CTreeNode释放==(690d70e0) mshtml!CPhraseElement::`vftable' | (690d7308) mshtml!CBlockElement::`vftable'Exact matches: mshtml!CPhraseElement::`vftable' =
==CTreeNode释放==(6921d3a8) mshtml!CHeadElement::`vftable' | (6921d0d8) mshtml!CHtmlElement::`vftable'Exact matches: mshtml!CHeadElement::`vftable' =
==CTreeNode释放==(6921d628) mshtml!CTitleElement::`vftable' | (690d5900) mshtml!CMetaElement::`vftable'Exact matches: mshtml!CTitleElement::`vftable' =
==CTreeNode释放==(69245438) mshtml!CScriptElement::`vftable' | (69245724) mshtml!CScriptElement::DownLoadScriptExact matches: mshtml!CScriptElement::`vftable' =
==CTreeNode释放==(69226670) mshtml!CBodyElement::`vftable' | (69289108) mshtml!CCaret::`vftable'Exact matches: mshtml!CBodyElement::`vftable' =
==CTreeNode释放==(6921d0d8) mshtml!CHtmlElement::`vftable' | (6921d359) mshtml!CHeadElement::CreateElementExact matches: mshtml!CHtmlElement::`vftable' =
==CTreeNode释放==(6921a9a8) mshtml!CRootElement::`vftable' | (69288ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
==CTreeNode释放==(6921a9a8) mshtml!CRootElement::`vftable' | (69288ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
==CTreeNode释放==(6921a9a8) mshtml!CRootElement::`vftable' | (69288ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
==CTreeNode释放== crashed....

This gives the complete CTreeNode release sequence. Add r edx to the logging command so the node address is printed, and compare it with edi at the crash.

bu mshtml!CTreeNode::Release ".echo ==CTreeNode释放==;r edx;ln poi(poi(edx));gc;"

This time the CTreeNode object addresses are visible; compare them with the object address at the crash:

1:021> g
==CTreeNode释放==
edx=10d34fb0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = 
==CTreeNode释放==edx=0a2a4fb0(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'Exact matches: mshtml!CPhraseElement::`vftable' =
==CTreeNode释放==edx=132dafb0(6a11c2e8) mshtml!CGenericElement::`vftable' | (6a254ce0) mshtml!CHeaderElement::`vftable'Exact matches: mshtml!CGenericElement::`vftable' =
==CTreeNode释放==edx=132dafb0(6a11c2e8) mshtml!CGenericElement::`vftable' | (6a254ce0) mshtml!CHeaderElement::`vftable'Exact matches: mshtml!CGenericElement::`vftable' =
==CTreeNode释放==edx=0a2a4fb0(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'Exact matches: mshtml!CPhraseElement::`vftable' =
==CTreeNode释放==edx=0d152fb0(6a23d3a8) mshtml!CHeadElement::`vftable' | (6a23d0d8) mshtml!CHtmlElement::`vftable'Exact matches: mshtml!CHeadElement::`vftable' =
==CTreeNode释放==edx=13f3afb0(6a23d628) mshtml!CTitleElement::`vftable' | (6a0f5900) mshtml!CMetaElement::`vftable'Exact matches: mshtml!CTitleElement::`vftable' =
==CTreeNode释放==edx=13f3afb0(6a23d628) mshtml!CTitleElement::`vftable' | (6a0f5900) mshtml!CMetaElement::`vftable'Exact matches: mshtml!CTitleElement::`vftable' =
==CTreeNode释放==edx=13f3afb0(6a23d628) mshtml!CTitleElement::`vftable' | (6a0f5900) mshtml!CMetaElement::`vftable'Exact matches: mshtml!CTitleElement::`vftable' =
==CTreeNode释放==edx=13358fb0(6a265438) mshtml!CScriptElement::`vftable' | (6a265724) mshtml!CScriptElement::DownLoadScriptExact matches: mshtml!CScriptElement::`vftable' =
==CTreeNode释放==edx=07636fb0(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'Exact matches: mshtml!CBodyElement::`vftable' =
==CTreeNode释放==edx=0e418fb0(6a23d0d8) mshtml!CHtmlElement::`vftable' | (6a23d359) mshtml!CHeadElement::CreateElementExact matches: mshtml!CHtmlElement::`vftable' =
==CTreeNode释放==edx=14ec8fb0(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
==CTreeNode释放==edx=14ec8fb0(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
==CTreeNode释放==edx=14ec8fb0(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
(9bc.eb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=03eee688 ecx=062fa680 edx=03eee3c0 esi=00000000 edi=07636fb0
eip=6a301f60 esp=03eee5d8 ebp=03eee5e0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
mshtml!CDoc::HasContainerCapture+0x14:
6a301f60 8b0f mov ecx,dword ptr [edi] ds:0023:07636fb0=????????

 The comparison shows that the UAF is caused by the CTreeNode belonging to the mshtml!CBodyElement object. For an exploit writer, the most important question about a UAF is the exact moment at which the object is freed; only once that is known can the freed slot be reoccupied.
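To make the comparison above repeatable, here is an added Python script (not part of the original post) that parses the log produced by the .echo/r edx/ln breakpoint together with the crash register dump, and reports which CTreeNode::Release hit corresponds to the pointer the faulting instruction dereferences. The sample log embedded in it is constructed from the values shown above (abbreviated); the regular expressions assume WinDbg's default r, ln and instruction-display formats, and the script also handles a faulting operand with a displacement such as [ebp+10h], which the trace above does not need.

```python
"""Correlate a WinDbg CTreeNode::Release breakpoint log with the crash.

Added example (not from the original post): automates the by-eye comparison
between the "==CTreeNode释放== / edx= / ln" lines and the edi value in the
access-violation register dump.
"""
import re
from collections import Counter

# Constructed sample: an abbreviated copy of the breakpoint log and the crash
# dump shown above; the addresses are the ones that appear on the page.
SAMPLE_LOG = """\
==CTreeNode释放==edx=10d34fb0(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'Exact matches: mshtml!CPhraseElement::`vftable' =
==CTreeNode释放==edx=0a2a4fb0(6a0f70e0) mshtml!CPhraseElement::`vftable' | (6a0f7308) mshtml!CBlockElement::`vftable'Exact matches: mshtml!CPhraseElement::`vftable' =
==CTreeNode释放==edx=0d152fb0(6a23d3a8) mshtml!CHeadElement::`vftable' | (6a23d0d8) mshtml!CHtmlElement::`vftable'Exact matches: mshtml!CHeadElement::`vftable' =
==CTreeNode释放==edx=07636fb0(6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable'Exact matches: mshtml!CBodyElement::`vftable' =
==CTreeNode释放==edx=14ec8fb0(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
==CTreeNode释放==edx=14ec8fb0(6a23a9a8) mshtml!CRootElement::`vftable' | (6a2a8ba0) mshtml!CDisplayPointer::`vftable'Exact matches: mshtml!CRootElement::`vftable' =
(9bc.eb4): Access violation - code c0000005 (first chance)
eax=00000000 ebx=03eee688 ecx=062fa680 edx=03eee3c0 esi=00000000 edi=07636fb0
eip=6a301f60 esp=03eee5d8 ebp=03eee5e0 iopl=0 nv up ei pl nz na po nc
mshtml!CDoc::HasContainerCapture+0x14:
6a301f60 8b0f mov ecx,dword ptr [edi] ds:0023:07636fb0=????????
"""

# One breakpoint hit: the echo marker, the CTreeNode pointer (r edx), then the
# first symbol that `ln` prints for the element's vftable (poi(poi(edx))).
RELEASE_RE = re.compile(
    r"==CTreeNode[^=]*==\s*edx=([0-9a-fA-F]{8})\s*"
    r"\(([0-9a-fA-F]{8})\)\s+(mshtml!\S+?::`vftable')"
)
# Register assignments as printed by `r`: eax=..., edi=..., eip=... (8 hex digits).
REG_RE = re.compile(r"\b(e[a-z]{2})=([0-9a-fA-F]{8})\b")
# Faulting instruction: "<addr> <bytes> mov ecx,dword ptr [edi]" or "[ebp+10h]".
FAULT_RE = re.compile(
    r"^[0-9a-fA-F]{8}\s+[0-9a-fA-F]+\s+\w+\s+\w+,"
    r"(?:dword|word|byte) ptr \[(e[a-z]{2})(?:\+([0-9a-fA-F]+)h?)?\]"
)


def parse_releases(log):
    """Return [(node_addr, vftable_addr, element_class), ...] in log order."""
    releases = []
    for line in log.splitlines():
        m = RELEASE_RE.search(line)
        if m:
            releases.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return releases


def parse_crash_pointer(log):
    """Return (register, effective_address) of the faulting memory operand.

    Register values come from the most recent `r` dump before the faulting
    instruction line; returns (None, None) if no such line is found.
    """
    regs = {}
    for line in log.splitlines():
        for reg, val in REG_RE.findall(line):
            regs[reg] = int(val, 16)
        m = FAULT_RE.match(line.strip())
        if m and m.group(1) in regs:
            disp = int(m.group(2), 16) if m.group(2) else 0
            return m.group(1), regs[m.group(1)] + disp
    return None, None


def correlate(log):
    """Match the dangling pointer against every CTreeNode::Release hit."""
    releases = parse_releases(log)
    reg, ptr = parse_crash_pointer(log)
    matches = [(i, cls) for i, (addr, _, cls) in enumerate(releases) if addr == ptr]
    # Release is a refcount decrement, so one node address can show up several
    # times: the breakpoint fires on every call, not only on the one that frees.
    calls = Counter(addr for addr, _, _ in releases)
    return {
        "fault_register": reg,
        "dangling_pointer": ptr,
        "released_count": len(releases),
        "matches": matches,
        "release_calls": dict(calls),
    }


if __name__ == "__main__":
    result = correlate(SAMPLE_LOG)
    print(f"faulting operand: [{result['fault_register']}] = {result['dangling_pointer']:08x}")
    for index, cls in result["matches"]:
        print(f"  matches CTreeNode::Release hit #{index} -> {cls}")
    if not result["matches"]:
        print("  no CTreeNode::Release hit for this address")
```

Run it as a script, or import it and pass a log saved with .logopen to correlate(). The "matches" entry is the hit index, which tells you which Release call to stop at when stepping manually; "release_calls" shows how often each node address appeared, so a node released several times before the crash is not mistaken for a double free.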

bu mshtml!CTreeNode::Release ".echo ==CTreeNode释放==;r edx;ln poi(poi(edx));.if(edx==07636fb0){}.else{gc;}"

But this breakpoint never triggers, because the heap allocates at a different address on every run.

So the only option is to drop gc and step manually until we reach:


==CTreeNode释放==

edx=07636fb0 (6a246670) mshtml!CBodyElement::`vftable' | (6a2a9108) mshtml!CCaret::`vftable' Exact matches: mshtml!CBodyElement::`vftable' = <no type information>

1:021> kv
ChildEBP RetAddr  Args to Child              
0437d520 6a310a05 0753ff64 0753ff30 0753ff30 mshtml!CTreeNode::Release (FPO: [0,0,0])
0437d584 6a3115b1 0753ff30 00000001 00000001 mshtml!CMarkup::DestroySplayTree+0x285
0437d5f0 6a312a8a 00000000 00000001 0753ff30 mshtml!CMarkup::UnloadContents+0x380
0437d60c 6a312a15 0753ff30 00000001 00000001 mshtml!CMarkup::TearDownMarkupHelper+0x55
0437d638 6a1f3b5e 00000001 00000001 076c8f30 mshtml!CMarkup::TearDownMarkup+0x49
0437d6a0 6a142bb4 076c8f30 00000000 00000003 mshtml!COmWindowProxy::SwitchMarkup+0x5a0
0437d79c 6a140789 060e2fc8 00000000 00000000 mshtml!CDocument::open+0x426
0437d818 6a1f3267 060e2fc8 08df5fe8 08c0cfd0 mshtml!CDocument::write+0x7c
0437d838 6a32235c 060e2fc8 08c0cfd0 08df1fd8 mshtml!Method_void_SAFEARRAYPVARIANTP+0x85
0437d8ac 6a3225d5 060e2fc8 0000041e 00000001 mshtml!CBase::ContextInvokeEx+0x5dc
0437d8d8 6a32df9a 060e2fc8 0000041e 00000001 mshtml!CBase::InvokeEx+0x25
0437d928 6a2e4998 060e2fc8 0000000b 0000041e mshtml!DispatchInvokeCollection+0x14c
0437d970 6a2d3148 060e2fc8 0000041e 00000001 mshtml!CDocument::InvokeEx+0xf0
0437d998 6a2d3104 060e2fc8 0000041e 00000001 mshtml!CBase::VersionedInvokeEx+0x20
0437d9ec 6c75a22a 08dbafd8 0000041e 00000001 mshtml!PlainInvokeEx+0xeb
0437da28 6c75a175 06ebad10 0000041e 00000409 jscript!IDispatchExInvokeEx2+0x104
0437da64 6c75a3f6 06ebad10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a
0437db24 6c75a4a0 0000041e 00000001 00000000 jscript!InvokeDispatchEx+0x98
0437db58 6c76d8c8 06ebad10 0437db8c 00000001 jscript!VAR::InvokeByName+0x139
0437dba4 6c76d96f 06ebad10 00000001 00000000 jscript!VAR::InvokeDispName+0x7d

 This backtrace doesn't actually reveal much by itself, but it will serve as a reference later. Now look back at the PoC: createElement can be monitored with a breakpoint on CElement::CElement, but appendChild is less familiar. What is certain is that this function is inherited from the CElement class.

; Attributes: bp-based frame

; public: long __stdcall CElement::appendChild(struct IHTMLDOMNode *, struct IHTMLDOMNode * *)
?appendChild@CElement@@QAGJPAUIHTMLDOMNode@@PAPAU2@@Z proc near

var_10= word ptr -10h
arg_0= dword ptr  8
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h

mov     edi, edi
push    ebp
mov     ebp, esp
and     esp, 0FFFFFFF8h
sub     esp, 10h
push    esi
push    edi             ; pvarg
push    [ebp+arg_8]
xor     eax, eax
lea     edi, [esp+1Ch+var_10]
stosd
stosd
stosd
stosd
sub     esp, 10h
xor     eax, eax
mov     edi, esp
push    [ebp+arg_4]
inc     eax
push    [ebp+arg_0]
mov     [esp+34h+var_10], ax
lea     esi, [esp+34h+var_10]
movsd
movsd
movsd
movsd
call    ?insertBefore@CElement@@QAGJPAUIHTMLDOMNode@@UtagVARIANT@@PAPAU2@@Z ; CElement::insertBefore(IHTMLDOMNode *,tagVARIANT,IHTMLDOMNode * *)
lea     esi, [esp+18h+var_10]
mov     edi, eax
call    _VariantClear@4 ; VariantClear(x)
mov     eax, edi
pop     edi
pop     esi
mov     esp, ebp
pop     ebp
retn    0Ch
?appendChild@CElement@@QAGJPAUIHTMLDOMNode@@PAPAU2@@Z endp ; sp-analysis failed

From JavaScript we know that appendChild adds a child node to an element:

Example:
var div = document.createElement("div"); // create a new div element node
document.body.appendChild(div); // append the div element node to the body element node as its child; it is placed after body's existing children

Eventually, after a chain of calls, the function reaches CTreeNode::CTreeNode to initialize a CTreeNode object. Let's debug this process.

As before, add the helper debugging statements to the PoC.

Breakpoint 0 hit
eax=00000000 ebx=0411e380 ecx=00000005 edx=00000003 esi=0411e370 edi=0411e370
eip=6c77d8c0 esp=0411e274 ebp=0411e2b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!tan:
6c77d8c0 ff258010756c    jmp     dword ptr [jscript!_imp__tan (6c751080)] ds:0023:6c751080={msvcrt!tan (773dde34)}
1:021> bu mshtml!CreateElement
Matched: 6a23d88c mshtml!CreateElement = 
Matched: 6a234bb0 mshtml!CreateElement =
Ambiguous symbol error at 'mshtml!CreateElement'
1:021> bu 6a23d88c 
1:021> bu 6a234bb0 
1:021> bu jscript!cos
1:021> g
Breakpoint 2 hit
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mshtml!CreateElement:
6a234bb0 8bff mov edi,edi

Let's trace the mshtml!CreateElement function; I already covered it in my earlier notes on IE debugging.

1:021> g
Breakpoint 2 hit
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement:
6a234bb0 8bff            mov     edi,edi
1:021> p
Breakpoint 2 hit
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement:
6a234bb0 8bff            mov     edi,edi
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb2 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x2:
6a234bb2 55              push    ebp
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb3 esp=0425e678 ebp=0425e718 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x3:
6a234bb3 8bec            mov     ebp,esp
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb5 esp=0425e678 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x5:
6a234bb5 83ec10          sub     esp,10h
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb8 esp=0425e668 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x8:
6a234bb8 53              push    ebx
1:021> 
eax=0425e750 ebx=00000003 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bb9 esp=0425e664 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x9:
6a234bb9 8b5d10          mov     ebx,dword ptr [ebp+10h] ss:0023:0425e688=00000000
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bbc esp=0425e664 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0xc:
6a234bbc 56              push    esi
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bbd esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0xd:
6a234bbd c7451000000000  mov     dword ptr [ebp+10h],0 ss:0023:0425e688=00000000
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bc4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x14:
6a234bc4 85db            test    ebx,ebx
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bc6 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x16:
6a234bc6 0f84c67d0300    je      mshtml!CreateElement+0x18 (6a26c992)    [br=1]
1:021> 
eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a26c992 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x18:
6a26c992 bb08832a6a      mov     ebx,offset mshtml!g_Zero (6a2a8308)
1:021> 
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a26c997 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x1d:
6a26c997 e93082fcff      jmp     mshtml!CreateElement+0x1d (6a234bcc)
1:021> 
eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bcc esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x1d:
6a234bcc 0fb64701        movzx   eax,byte ptr [edi+1]       ds:0023:0425e6a9=60
1:021> 
eax=00000060 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd0 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CreateElement+0x21:
6a234bd0 c1e004          shl     eax,4
1:021> 
eax=00000600 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd3 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CreateElement+0x24:
6a234bd3 05709a2c6a      add     eax,offset mshtml!g_atagdesc (6a2c9a70)
1:021> 
eax=6a2ca070 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bd8 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x29:
6a234bd8 0f84b34e1500    je      mshtml!CreateElement+0x2b (6a389a91)    [br=0]
1:021> 
eax=6a2ca070 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234bde esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x38:
6a234bde 8b4008          mov     eax,dword ptr [eax+8] ds:0023:6a2ca078={mshtml!CPhraseElement::CreateElement (6a269f4b)}
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be1 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x3b:
6a234be1 8d4d10          lea     ecx,[ebp+10h]
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x3e:
6a234be4 51              push    ecx
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be5 esp=0425e65c ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x3f:
6a234be5 52              push    edx
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be6 esp=0425e658 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x40:
6a234be6 57              push    edi
1:021> 
eax=6a269f4b ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=1a708808 edi=0425e6a8
eip=6a234be7 esp=0425e654 ebp=0425e678 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CreateElement+0x41:
6a234be7 ffd0            call    eax {mshtml!CPhraseElement::CreateElement (6a269f4b)}
1:021> ln eax
(6a269f4b)   mshtml!CPhraseElement::CreateElement   |  (6a269fdd)   mshtml!FindPeer
Exact matches:
    mshtml!CPhraseElement::CreateElement = 

 So var id_0 = document.createElement("sup"); is what caused the CPhraseElement object to be created.

bu mshtml!CElement::CElement

Let's look at the contents of this object, although it probably has little to do with triggering the vulnerability.

1:021> pBreakpoint 6 hiteax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a23480f esp=0425e638 ebp=0425e64c iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement:6a23480f 8bff            mov     edi,edi1:021> eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a234811 esp=0425e638 ebp=0425e64c iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0x2:6a234811 55              push    ebp1:021> eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a234812 esp=0425e634 ebp=0425e64c iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0x3:6a234812 8bec            mov     ebp,esp1:021> eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a234814 esp=0425e634 ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0x5:6a234814 53              push    ebx1:021> eax=1af02fd8 ebx=6a2a8308 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a234815 esp=0425e630 ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0x6:6a234815 8b5d0c          mov     ebx,dword ptr [ebp+0Ch] ss:0023:0425e640=05ad06801:021> eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a234818 esp=0425e630 ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0x9:6a234818 56              push    esi1:021> eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a234819 
esp=0425e62c ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0xa:6a234819 57              push    edi1:021> eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=00000000eip=6a23481a esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0xb:6a23481a 8bf8            mov     edi,eax1:021> dd eax1af02fd8  00000000 00000000 00000000 000000001af02fe8  00000000 00000000 00000000 000000001af02ff8  00000000 00000000 ???????? ????????1af03008  ???????? ???????? ???????? ????????1af03018  ???????? ???????? ???????? ????????1af03028  ???????? ???????? ???????? ????????1af03038  ???????? ???????? ???????? ????????1af03048  ???????? ???????? ???????? ????????1:021> peax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a23481c esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0xd:6a23481c 8bf7            mov     esi,edi1:021> eax=1af02fd8 ebx=05ad0680 ecx=7782349f edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a23481e esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0xf:6a23481e e80c300800      call    mshtml!CBase::CBase (6a2b782f)1:021> eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a234823 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::CElement+0x14:6a234823 83672400        and     dword ptr [edi+24h],0 ds:0023:1af02ffc=000000001:021> eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a234827 esp=0425e628 ebp=0425e634 
iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x18:6a234827 c707b0540f6a    mov     dword ptr [edi],offset mshtml!CElement::`vftable' (6a0f54b0) ds:0023:1af02fd8={mshtml!CEncode::`vftable' (6a2b785c)}1:021> eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a23482d esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x1e:6a23482d 8b03            mov     eax,dword ptr [ebx]  ds:0023:05ad0680={mshtml!CDoc::`vftable' (6a2a1e88)}1:021> eax=6a2a1e88 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a23482f esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x20:6a23482f 8bcb            mov     ecx,ebx1:021> eax=6a2a1e88 ebx=05ad0680 ecx=05ad0680 edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a234831 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x22:6a234831 ff5070          call    dword ptr [eax+70h]  ds:0023:6a2a1ef8={mshtml!CDoc::SecurityContext (6a234733)}1:021> eax=074befe8 ebx=05ad0680 ecx=05ad0680 edx=00000000 esi=1af02fd8 edi=1af02fd8eip=6a234834 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x25:6a234834 8bf0            mov     esi,eax1:021> eax=074befe8 ebx=05ad0680 ecx=05ad0680 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a234836 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x27:6a234836 e828000000      call    
mshtml!CElement::ReplaceSecurityContext (6a234863)1:021> eax=00000004 ebx=05ad0680 ecx=6a2a92e1 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a23483b esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CElement::CElement+0x2c:6a23483b 83430808        add     dword ptr [ebx+8],8  ds:0023:05ad0688=000000a01:021> eax=00000004 ebx=05ad0680 ecx=6a2a92e1 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a23483f esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CElement::CElement+0x30:6a23483f e8123d0800      call    mshtml!_IncrementObjectCount (6a2b8556)1:021> eax=0000003b ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a234844 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CElement::CElement+0x35:6a234844 8a4508          mov     al,byte ptr [ebp+8]        ss:0023:0425e63c=601:021> eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a234847 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CElement::CElement+0x38:6a234847 81671cfffffbff  and     dword ptr [edi+1Ch],0FFFBFFFFh ds:0023:1af02ff4=000000001:021> eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a23484e esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x3f:6a23484e 806720fe        and     byte ptr [edi+20h],0FEh    ds:0023:1af02ff8=001:021> eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a234852 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  
gs=0000             efl=00000246mshtml!CElement::CElement+0x43:6a234852 884718          mov     byte ptr [edi+18h],al      ds:0023:1af02ff0=001:021> eax=00000060 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a234855 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x46:6a234855 8bc7            mov     eax,edi1:021> eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=1af02fd8eip=6a234857 esp=0425e628 ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x48:6a234857 5f              pop     edi1:021> eax=1af02fd8 ebx=05ad0680 ecx=6a6251a0 edx=00000000 esi=074befe8 edi=00000000eip=6a234858 esp=0425e62c ebp=0425e634 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::CElement+0x49:6a234858 5e              pop     esi1:021> dd eax1af02fd8  6a0f54b0 00000001 00000008 000000001af02fe8  00000000 00000000 00000060 000000001af02ff8  00000000 074befe8 ???????? ????????1af03008  ???????? ???????? ???????? ????????1af03018  ???????? ???????? ???????? ????????1af03028  ???????? ???????? ???????? ????????1af03038  ???????? ???????? ???????? ????????1af03048  ???????? ???????? ???????? ????????1:021> ln 6a0f54b0 (6a0f54b0)   mshtml!CElement::`vftable'   |  (6a1008c0)   mshtml!CShape::`vftable'Exact matches:    mshtml!CElement::`vftable' = 
1:021> dd 074befe8
074befe8  6a2a8c34 00000004 00000001 05ad0680
074beff8  00000000 00000000 ???????? ????????
074bf008  ???????? ???????? ???????? ????????
074bf018  ???????? ???????? ???????? ????????
074bf028  ???????? ???????? ???????? ????????
074bf038  ???????? ???????? ???????? ????????
074bf048  ???????? ???????? ???????? ????????
074bf058  ???????? ???????? ???????? ????????
1:021> ln 6a2a8c34
(6a2a8c34)   mshtml!CSecurityContext::`vftable'   |  (6a2a8c44)   mshtml!CInvalidatedSecurityContext::`vftable'
Exact matches:
    mshtml!CSecurityContext::`vftable' =

Here we can see the CPhraseElement object after initialization. The interesting part is that at offset 0x28 the object holds a pointer to a CSecurityContext object.
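Counting columns in a `dd` dump by hand is error-prone, so here is an added helper (not from the original post) that parses WinDbg `dd` output into an offset-to-dword map, names an object by its vtable, and resolves which dumped object a field points to. The two dumps are copied from the session above and the vtable table is built by hand from the `ln` results on this page; everything else is constructed for the example.

```python
"""Map WinDbg `dd` output to object offsets and cross-reference pointers.

Added example, not part of the original post. The dumps are the
CPhraseElement at 1af02fd8 and the CSecurityContext at 074befe8 from
the session above, reflowed one row per line; the symbol table is
constructed from the `ln` output on the page.
"""
import re

DD_CPHRASE = """\
1af02fd8  6a0f54b0 00000001 00000008 00000000
1af02fe8  00000000 00000000 00000060 00000000
1af02ff8  00000000 074befe8 ???????? ????????
"""

DD_SECCTX = """\
074befe8  6a2a8c34 00000004 00000001 05ad0680
074beff8  00000000 00000000 ???????? ????????
"""

# Constructed from the `ln` results in the session: vtable address -> symbol.
KNOWN_VTABLES = {
    0x6a0f54b0: "mshtml!CElement::`vftable'",
    0x6a2a8c34: "mshtml!CSecurityContext::`vftable'",
    0x6a2a1e88: "mshtml!CDoc::`vftable'",
}

# One `dd` row: 8-hex-digit address followed by up to four dwords,
# where an unmapped dword is printed as `????????`.
ROW_RE = re.compile(
    r"^([0-9a-fA-F]{8})\s+((?:(?:[0-9a-fA-F]{8}|\?{8})\s*){1,4})$")


def parse_dd(text):
    """Return (base_address, {offset: dword}) for a contiguous `dd` dump.

    Offsets are computed from each row's address, so the result does not
    depend on how many rows were captured. Unmapped dwords are skipped.
    """
    base = None
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("not a dd row: %r" % line)
        row_addr = int(m.group(1), 16)
        if base is None:
            base = row_addr
        for i, tok in enumerate(m.group(2).split()):
            if tok.startswith("?"):
                continue
            words[row_addr + 4 * i - base] = int(tok, 16)
    return base, words


def find_offsets(words, value):
    """All offsets at which `value` occurs in a parsed object."""
    return sorted(off for off, w in words.items() if w == value)


def describe_object(text, known=KNOWN_VTABLES):
    """Name an object by its first dword (vtable) and list pointer-like fields.

    A field counts as pointer-like when it is not the vtable slot and its
    value is larger than 0xFFFF, which filters out the small flag/count
    values seen in these objects. This is a triage heuristic, not type
    recovery.
    """
    base, words = parse_dd(text)
    vtable = words.get(0)
    name = known.get(vtable, "unknown vtable %08x" % (vtable or 0))
    fields = {off: w for off, w in words.items() if off != 0 and w > 0xFFFF}
    return {"base": base, "type": name, "pointers": fields}


def cross_reference(dumps, known=KNOWN_VTABLES):
    """Resolve pointer-like fields that land on another dumped object.

    Returns {(source_base, offset): type name of the pointed-to object}.
    """
    parsed = {parse_dd(d)[0]: d for d in dumps}
    links = {}
    for base, text in parsed.items():
        for off, target in describe_object(text, known)["pointers"].items():
            if target in parsed:
                links[(base, off)] = describe_object(parsed[target], known)["type"]
    return links


if __name__ == "__main__":
    for (src, off), dst in cross_reference([DD_CPHRASE, DD_SECCTX]).items():
        print("%08x+0x%02x -> %s" % (src, off, dst))
```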

 

1:021> gBreakpoint 2 hiteax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bb0 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement:6a234bb0 8bff            mov     edi,edi1:021> peax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bb2 esp=0425e67c ebp=0425e718 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x2:6a234bb2 55              push    ebp1:021> eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bb3 esp=0425e678 ebp=0425e718 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x3:6a234bb3 8bec            mov     ebp,esp1:021> eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bb5 esp=0425e678 ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x5:6a234bb5 83ec10          sub     esp,10h1:021> eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bb8 esp=0425e668 ebp=0425e678 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CreateElement+0x8:6a234bb8 53              push    ebx1:021> eax=0425e750 ebx=06d62f30 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bb9 esp=0425e664 ebp=0425e678 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CreateElement+0x9:6a234bb9 8b5d10          mov     ebx,dword ptr [ebp+10h] ss:0023:0425e688=000000001:021> eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bbc esp=0425e664 ebp=0425e678 iopl=0     
    nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CreateElement+0xc:6a234bbc 56              push    esi1:021> eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bbd esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CreateElement+0xd:6a234bbd c7451000000000  mov     dword ptr [ebp+10h],0 ss:0023:0425e688=000000001:021> eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bc4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CreateElement+0x14:6a234bc4 85db            test    ebx,ebx1:021> eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bc6 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CreateElement+0x16:6a234bc6 0f84c67d0300    je      mshtml!CreateElement+0x18 (6a26c992)    [br=1]1:021> eax=0425e750 ebx=00000000 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a26c992 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CreateElement+0x18:6a26c992 bb08832a6a      mov     ebx,offset mshtml!g_Zero (6a2a8308)1:021> eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a26c997 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CreateElement+0x1d:6a26c997 e93082fcff      jmp     mshtml!CreateElement+0x1d (6a234bcc)1:021> eax=0425e750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bcc esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  
ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CreateElement+0x1d:6a234bcc 0fb64701        movzx   eax,byte ptr [edi+1]       ds:0023:0425e6a9=751:021> eax=00000075 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bd0 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CreateElement+0x21:6a234bd0 c1e004          shl     eax,41:021> eax=00000750 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bd3 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x24:6a234bd3 05709a2c6a      add     eax,offset mshtml!g_atagdesc (6a2c9a70)1:021> eax=6a2ca1c0 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bd8 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x29:6a234bd8 0f84b34e1500    je      mshtml!CreateElement+0x2b (6a389a91)    [br=0]1:021> peax=6a2ca1c0 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234bde esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x38:6a234bde 8b4008          mov     eax,dword ptr [eax+8] ds:0023:6a2ca1c8={mshtml!CGenericElement::CreateElement (6a11c234)}1:021> eax=6a11c234 ebx=6a2a8308 ecx=06d62f30 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234be1 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x3b:6a234be1 8d4d10          lea     ecx,[ebp+10h]1:021> eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234be4 esp=0425e660 ebp=0425e678 iopl=0         nv up ei pl nz na 
pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x3e:6a234be4 51              push    ecx1:021> eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234be5 esp=0425e65c ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x3f:6a234be5 52              push    edx1:021> eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234be6 esp=0425e658 ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x40:6a234be6 57              push    edi1:021> eax=6a11c234 ebx=6a2a8308 ecx=0425e688 edx=05ad0680 esi=00000000 edi=0425e6a8eip=6a234be7 esp=0425e654 ebp=0425e678 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CreateElement+0x41:6a234be7 ffd0            call    eax {mshtml!CGenericElement::CreateElement (6a11c234)}1:021> ln eax(6a11c234)   mshtml!CGenericElement::CreateElement   |  (6a11c279)   mshtml!CGenericElement::CGenericElementExact matches:    mshtml!CGenericElement::CreateElement = 

So var id_1 = document.createElement("audio"); results in the creation of a CGenericElement object.

1:021> gBreakpoint 6 hiteax=07824fc8 ebx=07824fc8 ecx=7782349f edx=00000000 esi=0425e6a8 edi=0425e6a8eip=6a23480f esp=0425e614 ebp=0425e638 iopl=0         nv up ei pl nz ac po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212mshtml!CElement::CElement:6a23480f 8bff            mov     edi,edi1:021> peax=07824fc8 ebx=07824fc8 ecx=7782349f edx=00000000 esi=0425e6a8 edi=0425e6a8eip=6a234811 esp=0425e614 ebp=0425e638 iopl=0         nv up ei pl nz ac po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212mshtml!CElement::CElement+0x2:6a234811 55              push    ebp1:021> eax=07824fc8 ebx=07824fc8 ecx=7782349f edx=00000000 esi=0425e6a8 edi=0425e6a8eip=6a234812 esp=0425e610 ebp=0425e638 iopl=0         nv up ei pl nz ac po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212mshtml!CElement::CElement+0x3:6a234812 8bec            mov     ebp,esp1:021> dd eax07824fc8  00000000 00000000 00000000 0000000007824fd8  00000000 00000000 00000000 0000000007824fe8  00000000 00000000 00000000 0000000007824ff8  00000000 00000000 ???????? ????????07825008  ???????? ???????? ???????? ????????07825018  ???????? ???????? ???????? ????????07825028  ???????? ???????? ???????? ????????07825038  ???????? ???????? ???????? ????????

This is the base-class constructor that the CGenericElement object inherits. There is no need to single-step it to the return: for every instance of a subclass derived from CElement, the initialization is identical except for the type flag at offset 0x24.

 

1:021> gBreakpoint 3 hiteax=00000000 ebx=0425e960 ecx=00000005 edx=00000003 esi=0425e950 edi=0425e950eip=6c77d67f esp=0425e834 ebp=0425e870 iopl=0         nv up ei pl nz ac po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212jscript!cos:6c77d67f ff259010756c    jmp     dword ptr [jscript!_imp__cos (6c751090)] ds:0023:6c751090={msvcrt!cos (773d8ace)}

 

This is where it gets interesting; note the breakpoints I set:

1:021> bl
 0 e 6c77d8c0     0001 (0001)  1:**** jscript!tan
 1 e 6a23d88c     0001 (0001)  1:**** mshtml!CreateElement
 2 e 6a234bb0     0001 (0001)  1:**** mshtml!CreateElement
 3 e 6c77d67f     0001 (0001)  1:**** jscript!cos
 4 e 6a1f20c4     0001 (0001)  1:**** mshtml!CElement::appendChild
 5 e 6a2bced0     0001 (0001)  1:**** mshtml!CTreeNode::CTreeNode
 6 e 6a23480f     0001 (0001)  1:**** mshtml!CElement::CElement

The usual assumption is that CxxxElement objects and CTreeNode objects correspond one to one, but here we can see that creating an element does not necessarily create a CTreeNode.

 

1:021> gBreakpoint 4 hiteax=15284fd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi=00001200 edi=00000000eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl=0         nv up ei pl nz ac pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216mshtml!CElement::appendChild:6a1f20c4 8bff            mov     edi,edi1:021> dd esp0425e7c8  6a1f1436 150e3fd0 1b1dcfd8 0425e8500425e7d8  176bafd0 6a1f13ba 6a2ae458 a9ca0dc90425e7e8  9bcb0009 1b1dcfd8 00000000 000000000425e7f8  0425e86c 6a32235c 150e3fd0 176bafd00425e808  15284fd8 0000004c 6a2ae458 000000010425e818  0425ea40 0425e848 176bafd0 000000000425e828  80070005 80020003 0dbb001b 000000000425e838  0000004c 15284fd8 00000000 000000011:021> dd 150e3fd0 150e3fd0  6a246670 00000005 00000008 07701fe8150e3fe0  071fae80 15171fb0 00000010 8202e280150e3ff0  00000002 104d4f00 00000000 d0d0d0d0150e4000  ???????? ???????? ???????? ????????150e4010  ???????? ???????? ???????? ????????150e4020  ???????? ???????? ???????? ????????150e4030  ???????? ???????? ???????? ????????150e4040  ???????? ???????? ???????? ????????1:021> ln 6a246670 (6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'Exact matches:    mshtml!CBodyElement::`vftable' = 
1:021> dd 1b1dcfd8
1b1dcfd8  6a627f68 00000001 6a2d2fa8 1af02fd8
1b1dcfe8  6a2aaadc 00000000 00000000 00020000
1b1dcff8  03000048 00000000 ???????? ????????
1b1dd008  ???????? ???????? ???????? ????????
1b1dd018  ???????? ???????? ???????? ????????
1b1dd028  ???????? ???????? ???????? ????????
1b1dd038  ???????? ???????? ???????? ????????
1b1dd048  ???????? ???????? ???????? ????????
1:021> ln 6a627f68
(6a627f68)   mshtml!s_apfnTrackerTearoffVtable   |  (6a6280a0)   mshtml!s_fontFamilyMap
Exact matches:
    mshtml!s_apfnTrackerTearoffVtable =

We can see that the first argument of CElement::appendChild is the parent object (body) that the element is being appended to.

1:021> teax=150e3fd0 ebx=6a628b0c ecx=00000000 edx=00000000 esi=1b1dcfd8 edi=0425e850eip=6a1f2170 esp=0425e76c ebp=0425e784 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::InsertBeforeHelper:6a1f2170 8bff            mov     edi,edi1:021> kvChildEBP RetAddr  Args to Child              0425e768 6a1f2148 1b1dcfd8 00000000 0425e7a4 mshtml!CElement::InsertBeforeHelper0425e784 6a1f20fe 150e3fd0 1b1dcfd8 00000001 mshtml!CElement::insertBefore+0x3c0425e7c4 6a1f1436 150e3fd0 1b1dcfd8 0425e850 mshtml!CElement::appendChild+0x3a0425e7f8 6a32235c 150e3fd0 176bafd0 15284fd8 mshtml!Method_IDispatchpp_IDispatchp+0xcb0425e86c 6a32c75a 150e3fd0 80010431 00000001 mshtml!CBase::ContextInvokeEx+0x5dc0425e8bc 6a32c79a 150e3fd0 80010431 00000001 mshtml!CElement::ContextInvokeEx+0x9d0425e8e8 6a2d3104 150e3fd0 80010431 00000001 mshtml!CInput::VersionedInvokeEx+0x2d0425e93c 6c75a22a 06fa2fd8 80010431 00000001 mshtml!PlainInvokeEx+0xeb0425e978 6c75a175 1a6c4d10 80010431 00000409 jscript!IDispatchExInvokeEx2+0x1040425e9b4 6c75a3f6 1a6c4d10 00000409 00000001 jscript!IDispatchExInvokeEx+0x6a0425ea74 6c75a4a0 80010431 00000001 00000000 jscript!InvokeDispatchEx+0x980425eaa8 6c76d8c8 1a6c4d10 0425eadc 00000001 jscript!VAR::InvokeByName+0x1390425eaf4 6c76d96f 1a6c4d10 00000001 00000000 jscript!VAR::InvokeDispName+0x7d0425eb20 6c76e3e7 1a6c4d10 00000000 00000001 jscript!VAR::InvokeByDispID+0xce

From the arguments in the backtrace it is clear that the upper frames are just thin wrappers (the original first argument is passed in eax); the real work is done by CElement::InsertBeforeHelper.

1:021> eax=150e3fd0 ebx=6a628b0c ecx=150e3fd0 edx=00000000 esi=150e3fd0 edi=00000000eip=6a1f218d esp=0425e710 ebp=0425e768 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::InsertBeforeHelper+0x1d:6a1f218d e86ea20b00      call    mshtml!CElement::Doc (6a2ac400)

The first thing this function calls is CElement::Doc, passing only ecx.

; public: class CDoc * __thiscall CElement::Doc(void)const
?Doc@CElement@@QBEPAVCDoc@@XZ proc near
mov     eax, [ecx]
mov     edx, [eax+70h]
call    edx
mov     eax, [eax+0Ch]
retn
?Doc@CElement@@QBEPAVCDoc@@XZ endp

It simply calls one of the object's virtual functions and then dereferences the returned pointer.

1:021> teax=150e3fd0 ebx=6a628b0c ecx=150e3fd0 edx=00000000 esi=150e3fd0 edi=00000000eip=6a2ac400 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::Doc:6a2ac400 8b01            mov     eax,dword ptr [ecx]  ds:0023:150e3fd0={mshtml!CBodyElement::`vftable' (6a246670)}1:021> eax=6a246670 ebx=6a628b0c ecx=150e3fd0 edx=00000000 esi=150e3fd0 edi=00000000eip=6a2ac402 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::Doc+0x2:6a2ac402 8b5070          mov     edx,dword ptr [eax+70h] ds:0023:6a2466e0={mshtml!CElement::SecurityContext (6a2ac3d0)}1:021> eax=6a246670 ebx=6a628b0c ecx=150e3fd0 edx=6a2ac3d0 esi=150e3fd0 edi=00000000eip=6a2ac405 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::Doc+0x5:6a2ac405 ffd2            call    edx {mshtml!CElement::SecurityContext (6a2ac3d0)}1:021> ln eax(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'Exact matches:    mshtml!CBodyElement::`vftable' = 

Here ecx is still body (the parent object).

1:021> peax=18b1cfe8 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=00000000eip=6a2ac407 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CElement::Doc+0x7:6a2ac407 8b400c          mov     eax,dword ptr [eax+0Ch] ds:0023:18b1cff4=05ad06801:021> dd eax18b1cfe8  6a2a8c34 00000008 00000001 05ad068018b1cff8  00000000 06d62f30 ???????? ????????18b1d008  ???????? ???????? ???????? ????????18b1d018  ???????? ???????? ???????? ????????18b1d028  ???????? ???????? ???????? ????????18b1d038  ???????? ???????? ???????? ????????18b1d048  ???????? ???????? ???????? ????????18b1d058  ???????? ???????? ???????? ????????1:021> ln poi(eax)(6a2a8c34)   mshtml!CSecurityContext::`vftable'   |  (6a2a8c44)   mshtml!CInvalidatedSecurityContext::`vftable'Exact matches:    mshtml!CSecurityContext::`vftable' = 

This is the return value after the call; it is in fact a CSecurityContext object.

1:021> peax=18b1cfe8 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=00000000eip=6a2ac407 esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CElement::Doc+0x7:6a2ac407 8b400c          mov     eax,dword ptr [eax+0Ch] ds:0023:18b1cff4=05ad06801:021> peax=05ad0680 ebx=6a628b0c ecx=06d62f30 edx=6a2ac916 esi=150e3fd0 edi=00000000eip=6a2ac40a esp=0425e70c ebp=0425e768 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CElement::Doc+0xa:6a2ac40a c3              ret1:021> dd eax05ad0680  6a2a1e88 00000014 000000b0 0000000005ad0690  00000000 6a2bb610 05ad0680 054aeb8c05ad06a0  000040a8 000021e6 054aeba8 0000000005ad06b0  077d5f88 00000001 00000002 0000000005ad06c0  00000000 00000000 00000000 0000000005ad06d0  00000000 07560fc8 04ea8870 0000000005ad06e0  00000000 00105804 00000000 13fbded805ad06f0  00000006 00000005 0000001d 000000001:021> ln poi(eax)(6a2a1e88)   mshtml!CDoc::`vftable'   |  (6a2bb610)   mshtml!CDoc::`vftable'Exact matches:    mshtml!CDoc::`vftable' = 

The value at offset 0xC of the CSecurityContext object is returned, and resolving the symbol shows it is actually a pointer to the CDoc object. In other words, CElement::Doc simply returns the address of mshtml!Doc; the Doc object represents the root of the HTML DOM tree, i.e. <html></html>.

1:021> eax=0425e71c ebx=6a628b0c ecx=150e3fd0 edx=6a2ac916 esi=150e3fd0 edi=00000000eip=6a1f21a6 esp=0425e710 ebp=0425e768 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CElement::InsertBeforeHelper+0x3c:6a1f21a6 e8deab0b00      call    mshtml!CElement::GetWindowedMarkupContext (6a2acd89)1:021> eax=06d62f30 ebx=6a628b0c ecx=00000000 edx=6a2ac8f9 esi=150e3fd0 edi=00000000eip=6a1f21ab esp=0425e710 ebp=0425e768 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CElement::InsertBeforeHelper+0x41:6a1f21ab 8bd8            mov     ebx,eax1:021> ln poi(eax)(6a2a20a8)   mshtml!CMarkup::`vftable'   |  (6a2a21a0)   mshtml!CMarkupPointer::`vftable'Exact matches:    mshtml!CMarkup::`vftable' = 

Clearly this function obtains a pointer to the CMarkup object.

1:021> reax=00000000 ebx=06d62f30 ecx=00000000 edx=00000014 esi=150e3fd0 edi=00000000eip=6a1f220a esp=0425e708 ebp=0425e768 iopl=0         nv up ei pl nz ac pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216mshtml!CElement::InsertBeforeHelper+0xb9:6a1f220a e831000000      call    mshtml!CElement::GetDOMInsertPosition (6a1f2240)1:021> ln poi(poi(esp))(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'Exact matches:    mshtml!CBodyElement::`vftable' = 
1:021> ln poi(poi(esp+4))
(6a2a21a0)   mshtml!CMarkupPointer::`vftable'   |  (6a2a2278)   mshtml!CIPrintCollection::`vftable'
Exact matches:
    mshtml!CMarkupPointer::`vftable' =

The addresses of these two objects are passed as its arguments.

Breakpoint 5 hiteax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8eip=6a2bced0 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode:6a2bced0 8bff            mov     edi,edi1:021> kpChildEBP RetAddr  0425e590 6a210d02 mshtml!CTreeNode::CTreeNode0425e630 6a1f1c01 mshtml!CMarkup::InsertElementInternal+0x23d0425e66c 6a1f1b36 mshtml!CDoc::InsertElement+0x8a0425e700 6a1f2222 mshtml!CCommentElement::`scalar deleting destructor'+0x23e0425e768 6a1f2148 mshtml!CElement::InsertBeforeHelper+0xd10425e784 6a1f20fe mshtml!CElement::insertBefore+0x3c0425e7c4 6a1f1436 mshtml!CElement::appendChild+0x3a0425e7f8 6a32235c mshtml!Method_IDispatchpp_IDispatchp+0xcb0425e86c 6a32c75a mshtml!CBase::ContextInvokeEx+0x5dc0425e8bc 6a32c79a mshtml!CElement::ContextInvokeEx+0x9d0425e8e8 6a2d3104 mshtml!CInput::VersionedInvokeEx+0x2d0425e93c 6c75a22a mshtml!PlainInvokeEx+0xeb0425e978 6c75a175 jscript!IDispatchExInvokeEx2+0x1040425e9b4 6c75a3f6 jscript!IDispatchExInvokeEx+0x6a0425ea74 6c75a4a0 jscript!InvokeDispatchEx+0x980425eaa8 6c76d8c8 jscript!VAR::InvokeByName+0x1390425eaf4 6c76d96f jscript!VAR::InvokeDispName+0x7d0425eb20 6c76e3e7 jscript!VAR::InvokeByDispID+0xce0425ecbc 6c765c9d jscript!CScriptRuntime::Run+0x2b800425eda4 6c765bfb jscript!ScrFncObj::CallWithFrameOnStack+0xce

Once CTreeNode::CTreeNode finishes executing we can inspect the initialized data in memory. Since the first four bytes of a CTreeNode object are the pointer to the element object it belongs to, we only need to read that value.

1:021> peax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8eip=6a2bced2 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x2:6a2bced2 55              push    ebp1:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8eip=6a2bced3 esp=0425e590 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x3:6a2bced3 8bec            mov     ebp,esp1:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8eip=6a2bced5 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x5:6a2bced5 8a450c          mov     al,byte ptr [ebp+0Ch]      ss:0023:0425e59c=001:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8eip=6a2bced8 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x8:6a2bced8 c0e004          shl     al,41:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8eip=6a2bcedb esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0xb:6a2bcedb 324109          xor     al,byte ptr [ecx+9]        ds:0023:127c7fb9=001:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 edi=1af02fd8eip=6a2bcede esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0xe:6a2bcede 56              push    esi1:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=0425e660 
edi=1af02fd8eip=6a2bcedf esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0xf:6a2bcedf 8b7140          mov     esi,dword ptr [ecx+40h] ds:0023:127c7ff0=000000001:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bcee2 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x12:6a2bcee2 2410            and     al,10h1:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bcee4 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x14:6a2bcee4 304109          xor     byte ptr [ecx+9],al        ds:0023:127c7fb9=001:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bcee7 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x17:6a2bcee7 8a5109          mov     dl,byte ptr [ecx+9]        ds:0023:127c7fb9=001:021> eax=127c7f00 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bceea esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x1a:6a2bceea b8ffffffff      mov     eax,0FFFFFFFFh1:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bceef esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x1f:6a2bceef 6689410a        mov     word ptr [ecx+0Ah],ax    ds:0023:127c7fba=00001:021> eax=ffffffff ebx=00000000 
ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bcef3 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x23:6a2bcef3 0bc0            or      eax,eax1:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bcef5 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x25:6a2bcef5 83e607          and     esi,71:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000000 edi=1af02fd8eip=6a2bcef8 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x28:6a2bcef8 83ce08          or      esi,81:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcefb esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x2b:6a2bcefb 6689410c        mov     word ptr [ecx+0Ch],ax    ds:0023:127c7fbc=00001:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bceff esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x2f:6a2bceff 83c8ff          or      eax,0FFFFFFFFh1:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf02 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x32:6a2bcf02 897140          mov     dword ptr [ecx+40h],esi ds:0023:127c7ff0=000000001:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 
edi=1af02fd8eip=6a2bcf05 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x35:6a2bcf05 6689410e        mov     word ptr [ecx+0Eh],ax    ds:0023:127c7fbe=00001:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf09 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x39:6a2bcf09 8939            mov     dword ptr [ecx],edi  ds:0023:127c7fb0=000000001:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf0b esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x3b:6a2bcf0b 85ff            test    edi,edi1:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf0d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x3d:6a2bcf0d 7406            je      mshtml!CTreeNode::CTreeNode+0x45 (6a2bcf15) [br=0]1:021> eax=ffffffff ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf0f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x3f:6a2bcf0f 8a4718          mov     al,byte ptr [edi+18h]      ds:0023:1af02ff0=601:021> eax=ffffff60 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf12 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x42:6a2bcf12 884108          mov     byte ptr [ecx+8],al        ds:0023:127c7fb8=001:021> 
eax=ffffff60 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf15 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x45:6a2bcf15 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0425e598=15171fb01:021> eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf18 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x48:6a2bcf18 894104          mov     dword ptr [ecx+4],eax ds:0023:127c7fb4=000000001:021> eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf1b esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x4b:6a2bcf1b 85ff            test    edi,edi1:021> eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf1d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x4d:6a2bcf1d 0f84f15deaff    je      mshtml!CTreeNode::CTreeNode+0x5a (6a162d14) [br=0]1:021> eax=15171fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf23 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x4f:6a2bcf23 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:127c7fb8=601:021> eax=00000060 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf27 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x53:6a2bcf27 
e8cd020000      call    mshtml!IsPreLikeTag (6a2bd1f9)1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf2c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x5c:6a2bcf2c 85c0            test    eax,eax1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf2e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x5e:6a2bcf2e 0f95c0          setne   al1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf31 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x61:6a2bcf31 c0e003          shl     al,31:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf34 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x64:6a2bcf34 32c2            xor     al,dl1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf36 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x66:6a2bcf36 2408            and     al,81:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf38 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x68:6a2bcf38 32c2            xor     al,dl1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 
edi=1af02fd8eip=6a2bcf3a esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x6a:6a2bcf3a 884109          mov     byte ptr [ecx+9],al        ds:0023:127c7fb9=001:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf3d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x6d:6a2bcf3d 85ff            test    edi,edi1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf3f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x6f:6a2bcf3f 0f84d65deaff    je      mshtml!CTreeNode::CTreeNode+0x7c (6a162d1b) [br=0]1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf45 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x71:6a2bcf45 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:127c7fb8=601:021> eax=00000060 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf49 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206mshtml!CTreeNode::CTreeNode+0x75:6a2bcf49 e8ab020000      call    mshtml!IsPreLikeTag (6a2bd1f9)1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf4e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x7e:6a2bcf4e 33d2            xor     edx,edx1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 
esi=00000008 edi=1af02fd8eip=6a2bcf50 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x80:6a2bcf50 85c0            test    eax,eax1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf52 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x82:6a2bcf52 0f95c2          setne   dl1:021> eax=00000000 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf55 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x85:6a2bcf55 8bc1            mov     eax,ecx1:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf57 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x87:6a2bcf57 33d6            xor     edx,esi1:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=00000008 edi=1af02fd8eip=6a2bcf59 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x89:6a2bcf59 83e201          and     edx,11:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000000 esi=00000008 edi=1af02fd8eip=6a2bcf5c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x8c:6a2bcf5c 33d6            xor     edx,esi1:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=00000008 edi=1af02fd8eip=6a2bcf5e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  
fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x8e:6a2bcf5e 895140          mov     dword ptr [ecx+40h],edx ds:0023:127c7ff0=000000081:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=00000008 edi=1af02fd8eip=6a2bcf61 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x91:6a2bcf61 5e              pop     esi1:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=0425e660 edi=1af02fd8eip=6a2bcf62 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x92:6a2bcf62 5d              pop     ebp1:021> eax=127c7fb0 ebx=00000000 ecx=127c7fb0 edx=00000008 esi=0425e660 edi=1af02fd8eip=6a2bcf63 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x93:6a2bcf63 c20800          ret     81:021> dd eax127c7fb0  1af02fd8 15171fb0 ffff0060 ffffffff127c7fc0  00000000 00000000 00000000 00000000127c7fd0  00000000 00000000 00000000 00000000127c7fe0  00000000 00000000 00000000 00000000127c7ff0  00000008 00000000 00000000 d0d0d0d0127c8000  ???????? ???????? ???????? ????????127c8010  ???????? ???????? ???????? ????????127c8020  ???????? ???????? ???????? ????????1:021> dd 1af02fd81af02fd8  6a0f70e0 00000002 00000008 000000001af02fe8  071faee0 00000000 80000060 000100001af02ff8  00000000 18b1cfe8 ???????? ????????1af03008  ???????? ???????? ???????? ????????1af03018  ???????? ???????? ???????? ????????1af03028  ???????? ???????? ???????? ????????1af03038  ???????? ???????? ???????? ????????1af03048  ???????? ???????? ???????? ????????1:021> ln 6a0f70e0(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'Exact matches:    mshtml!CPhraseElement::`vftable' = 

So this CTreeNode belongs to a CPhraseElement; in other words, the statement document.body.appendChild(id_0); in the POC creates a CTreeNode for the phrase element. Which node is this CTreeNode linked into? From the JavaScript we would guess the body element.

1:021> dd eax
127c7fb0  1af02fd8 15171fb0 ffff0060 ffffffff
127c7fc0  00000000 00000000 00000000 00000000
127c7fd0  00000000 00000000 00000000 00000000
127c7fe0  00000000 00000000 00000000 00000000
127c7ff0  00000008 00000000 00000000 d0d0d0d0
127c8000  ???????? ???????? ???????? ????????
127c8010  ???????? ???????? ???????? ????????
127c8020  ???????? ???????? ???????? ????????
1:021> dd 15171fb0
15171fb0  150e3fd0 1379cfb0 00046210 00090004
15171fc0  00000551 00000008 1515ffc0 15171fd8
15171fd0  1515ffd8 1976dfe0 00000062 00000000
15171fe0  1362afd8 13e48fe0 13e48fe0 1379cfd8
15171ff0  00000008 00000000 00000000 d0d0d0d0
15172000  ???????? ???????? ???????? ????????
15172010  ???????? ???????? ???????? ????????
15172020  ???????? ???????? ???????? ????????
1:021> dd 150e3fd0 
150e3fd0  6a246670 00000005 00000008 07701fe8
150e3fe0  071fae80 15171fb0 00000010 8202e280
150e3ff0  00000002 104d4f00 00000000 d0d0d0d0
150e4000  ???????? ???????? ???????? ????????
150e4010  ???????? ???????? ???????? ????????
150e4020  ???????? ???????? ???????? ????????
150e4030  ???????? ???????? ???????? ????????
150e4040  ???????? ???????? ???????? ????????
1:021> ln 6a246670 
(6a246670)   mshtml!CBodyElement::`vftable'   |  (6a2a9108)   mshtml!CCaret::`vftable'
Exact matches:
    mshtml!CBodyElement::`vftable' = 

As expected, it is the body element.
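To make the node-to-element relationships in these dumps easier to check, here is an added Python helper (not code from the original post) that parses the `dd` output above and walks CTreeNode → element vftable → parent node. The field offsets it uses (node +0 element pointer, +4 parent node, +8 tag byte, +9 flags byte, +0x40 counter; element +0x18 tag byte, element +0x14 pointer back to the node) are taken from the stores in the single-step trace and the dumps on this page, and are assumptions about this particular mshtml build rather than a documented layout; the vftable-to-class mapping is hard-coded from the `ln` results shown above.

```python
import re

# `dd` output copied from the WinDbg session on this page: the new node,
# its element, the parent node, and the parent's element.
DD_OUTPUT = """
127c7fb0  1af02fd8 15171fb0 ffff0060 ffffffff
127c7fc0  00000000 00000000 00000000 00000000
127c7fd0  00000000 00000000 00000000 00000000
127c7fe0  00000000 00000000 00000000 00000000
127c7ff0  00000008 00000000 00000000 d0d0d0d0
127c8000  ???????? ???????? ???????? ????????
1af02fd8  6a0f70e0 00000002 00000008 00000000
1af02fe8  071faee0 00000000 80000060 00010000
1af02ff8  00000000 18b1cfe8 ???????? ????????
15171fb0  150e3fd0 1379cfb0 00046210 00090004
15171fc0  00000551 00000008 1515ffc0 15171fd8
15171fd0  1515ffd8 1976dfe0 00000062 00000000
15171fe0  1362afd8 13e48fe0 13e48fe0 1379cfd8
15171ff0  00000008 00000000 00000000 d0d0d0d0
150e3fd0  6a246670 00000005 00000008 07701fe8
150e3fe0  071fae80 15171fb0 00000010 8202e280
150e3ff0  00000002 104d4f00 00000000 d0d0d0d0
"""

# vftable addresses resolved with `ln` on this page.
SYMBOLS = {
    0x6a0f70e0: "mshtml!CPhraseElement::`vftable'",
    0x6a246670: "mshtml!CBodyElement::`vftable'",
    0x6a11c2e8: "mshtml!CGenericElement::`vftable'",
}

DD_LINE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+(.*)$")


def parse_dd(text):
    """Return {address: dword} for every readable dword in `dd` output.
    '????????' tokens (unmapped page-heap guard pages) are skipped."""
    mem = {}
    for line in text.splitlines():
        m = DD_LINE.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            if "?" in tok:
                continue
            mem[base + 4 * i] = int(tok, 16)
    return mem


def read_dword(mem, addr):
    return mem.get(addr)  # None when the address was not dumped


def read_byte(mem, addr):
    """Little-endian byte extraction from the dumped dwords."""
    dw = mem.get(addr & ~3)
    if dw is None:
        return None
    return (dw >> (8 * (addr & 3))) & 0xFF


def decode_tree_node(mem, node):
    """CTreeNode fields at the offsets the constructor trace writes (assumed layout)."""
    return {
        "element": read_dword(mem, node),        # mov [ecx],edi
        "parent_node": read_dword(mem, node + 4),  # mov [ecx+4],eax
        "tag": read_byte(mem, node + 8),           # mov byte ptr [ecx+8],al
        "flags": read_byte(mem, node + 9),         # mov byte ptr [ecx+9],al
        "count": read_dword(mem, node + 0x40),     # mov [ecx+40h],edx
    }


def decode_element(mem, element):
    """CElement fields as observed in the dumps (assumed layout)."""
    vft = read_dword(mem, element)
    cls = "not dumped" if vft is None else SYMBOLS.get(vft, "unknown vftable %#x" % vft)
    return {
        "vftable": vft,
        "class": cls,
        "tag": read_byte(mem, element + 0x18),   # source of mov al,[edi+18h]
        "node": read_dword(mem, element + 0x14),  # back-pointer to the live node (0 before hook-up)
    }


def tag_consistent(mem, node):
    """The node's tag byte must equal the byte the constructor copied from element+0x18."""
    n = decode_tree_node(mem, node)
    if n["element"] is None:
        return False
    return n["tag"] == decode_element(mem, n["element"])["tag"]


def walk_to_root(mem, node):
    """Follow parent_node links, returning (node, class, tag) until the chain
    leaves the dumped memory or revisits a node (corrupted list guard)."""
    chain, seen = [], set()
    while node and node not in seen:
        seen.add(node)
        n = decode_tree_node(mem, node)
        if n["element"] is None:
            break
        chain.append((node, decode_element(mem, n["element"])["class"], n["tag"]))
        node = n["parent_node"]
    return chain


if __name__ == "__main__":
    mem = parse_dd(DD_OUTPUT)
    for node, cls, tag in walk_to_root(mem, 0x127c7fb0):
        print("%#x  tag=%#04x  %s" % (node, tag, cls))
```

Running it on the dump above yields the phrase node (tag 0x60) followed by the body node (tag 0x10), and the tag check confirms the byte stored at node+8 matches the element's byte at +0x18 in both cases, which is the same relationship the constructor trace shows instruction by instruction.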

1:021> r
eax=00000000 ebx=0425e960 ecx=00000005 edx=00000003 esi=0425e950 edi=0425e950
eip=6c77d711 esp=0425e834 ebp=0425e870 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
jscript!sin:
6c77d711 ff256810756c    jmp     dword ptr [jscript!_imp__sin (6c751068)] ds:0023:6c751068={msvcrt!sin (773d8aea)}

We hit our auxiliary debugging statement (the marker call) as intended.

1:021> g
Breakpoint 4 hit
eax=06c3efd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi=00001200 edi=00000000
eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
mshtml!CElement::appendChild:
6a1f20c4 8bff            mov     edi,edi

This is the break caused by the second appendChild; we debug it the same way.

1:021> gBreakpoint 4 hiteax=06c3efd8 ebx=6a628b0c ecx=6a1f20c4 edx=0425e7f4 esi=00001200 edi=00000000eip=6a1f20c4 esp=0425e7c8 ebp=0425e7f8 iopl=0         nv up ei pl nz ac pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216mshtml!CElement::appendChild:6a1f20c4 8bff            mov     edi,edi1:021> gBreakpoint 5 hiteax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8eip=6a2bced0 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode:6a2bced0 8bff            mov     edi,edi1:021> peax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8eip=6a2bced2 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x2:6a2bced2 55              push    ebp1:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8eip=6a2bced3 esp=0425e590 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x3:6a2bced3 8bec            mov     ebp,esp1:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8eip=6a2bced5 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x5:6a2bced5 8a450c          mov     al,byte ptr [ebp+0Ch]      ss:0023:0425e59c=001:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8eip=6a2bced8 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x8:6a2bced8 c0e004          shl     al,41:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 
edi=07824fc8eip=6a2bcedb esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0xb:6a2bcedb 324109          xor     al,byte ptr [ecx+9]        ds:0023:196e2fb9=001:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8eip=6a2bcede esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0xe:6a2bcede 56              push    esi1:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=0425e660 edi=07824fc8eip=6a2bcedf esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0xf:6a2bcedf 8b7140          mov     esi,dword ptr [ecx+40h] ds:0023:196e2ff0=000000001:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8eip=6a2bcee2 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x12:6a2bcee2 2410            and     al,10h1:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8eip=6a2bcee4 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x14:6a2bcee4 304109          xor     byte ptr [ecx+9],al        ds:0023:196e2fb9=001:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8eip=6a2bcee7 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x17:6a2bcee7 8a5109          mov     dl,byte ptr [ecx+9]        ds:0023:196e2fb9=001:021> eax=196e2f00 ebx=00000000 ecx=196e2fb0 
edx=00000000 esi=00000000 edi=07824fc8eip=6a2bceea esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x1a:6a2bceea b8ffffffff      mov     eax,0FFFFFFFFh1:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8eip=6a2bceef esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x1f:6a2bceef 6689410a        mov     word ptr [ecx+0Ah],ax    ds:0023:196e2fba=00001:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8eip=6a2bcef3 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x23:6a2bcef3 0bc0            or      eax,eax1:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8eip=6a2bcef5 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x25:6a2bcef5 83e607          and     esi,71:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000000 edi=07824fc8eip=6a2bcef8 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x28:6a2bcef8 83ce08          or      esi,81:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcefb esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x2b:6a2bcefb 6689410c        mov     word ptr [ecx+0Ch],ax    ds:0023:196e2fbc=00001:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bceff 
esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x2f:6a2bceff 83c8ff          or      eax,0FFFFFFFFh1:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf02 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x32:6a2bcf02 897140          mov     dword ptr [ecx+40h],esi ds:0023:196e2ff0=000000001:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf05 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x35:6a2bcf05 6689410e        mov     word ptr [ecx+0Eh],ax    ds:0023:196e2fbe=00001:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf09 esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x39:6a2bcf09 8939            mov     dword ptr [ecx],edi  ds:0023:196e2fb0=000000001:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf0b esp=0425e58c ebp=0425e590 iopl=0         nv up ei ng nz na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286mshtml!CTreeNode::CTreeNode+0x3b:6a2bcf0b 85ff            test    edi,edi1:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf0d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x3d:6a2bcf0d 7406            je      mshtml!CTreeNode::CTreeNode+0x45 (6a2bcf15) [br=0]1:021> eax=ffffffff ebx=00000000 ecx=196e2fb0 edx=00000000 
esi=00000008 edi=07824fc8eip=6a2bcf0f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x3f:6a2bcf0f 8a4718          mov     al,byte ptr [edi+18h]      ds:0023:07824fe0=751:021> eax=ffffff75 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf12 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x42:6a2bcf12 884108          mov     byte ptr [ecx+8],al        ds:0023:196e2fb8=001:021> eax=ffffff75 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf15 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x45:6a2bcf15 8b4508          mov     eax,dword ptr [ebp+8] ss:0023:0425e598=15171fb01:021> eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf18 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x48:6a2bcf18 894104          mov     dword ptr [ecx+4],eax ds:0023:196e2fb4=000000001:021> eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf1b esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x4b:6a2bcf1b 85ff            test    edi,edi1:021> eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf1d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x4d:6a2bcf1d 0f84f15deaff    je      mshtml!CTreeNode::CTreeNode+0x5a 
(6a162d14) [br=0]1:021> eax=15171fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf23 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x4f:6a2bcf23 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:196e2fb8=751:021> eax=00000075 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf27 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x53:6a2bcf27 e8cd020000      call    mshtml!IsPreLikeTag (6a2bd1f9)1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf2c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x5c:6a2bcf2c 85c0            test    eax,eax1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf2e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x5e:6a2bcf2e 0f95c0          setne   al1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf31 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x61:6a2bcf31 c0e003          shl     al,31:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf34 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x64:6a2bcf34 32c2            xor     al,dl1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 
esi=00000008 edi=07824fc8eip=6a2bcf36 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x66:6a2bcf36 2408            and     al,81:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf38 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x68:6a2bcf38 32c2            xor     al,dl1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf3a esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x6a:6a2bcf3a 884109          mov     byte ptr [ecx+9],al        ds:0023:196e2fb9=001:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf3d esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x6d:6a2bcf3d 85ff            test    edi,edi1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf3f esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x6f:6a2bcf3f 0f84d65deaff    je      mshtml!CTreeNode::CTreeNode+0x7c (6a162d1b) [br=0]1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf45 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x71:6a2bcf45 0fb64108        movzx   eax,byte ptr [ecx+8]       ds:0023:196e2fb8=751:021> eax=00000075 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 
edi=07824fc8eip=6a2bcf49 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x75:6a2bcf49 e8ab020000      call    mshtml!IsPreLikeTag (6a2bd1f9)1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf4e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x7e:6a2bcf4e 33d2            xor     edx,edx1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf50 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x80:6a2bcf50 85c0            test    eax,eax1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf52 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x82:6a2bcf52 0f95c2          setne   dl1:021> eax=00000000 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf55 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x85:6a2bcf55 8bc1            mov     eax,ecx1:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf57 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x87:6a2bcf57 33d6            xor     edx,esi1:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=00000008 edi=07824fc8eip=6a2bcf59 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  
es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x89:6a2bcf59 83e201          and     edx,11:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000000 esi=00000008 edi=07824fc8eip=6a2bcf5c esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl zr na pe nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246mshtml!CTreeNode::CTreeNode+0x8c:6a2bcf5c 33d6            xor     edx,esi1:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=00000008 edi=07824fc8eip=6a2bcf5e esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x8e:6a2bcf5e 895140          mov     dword ptr [ecx+40h],edx ds:0023:196e2ff0=000000081:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=00000008 edi=07824fc8eip=6a2bcf61 esp=0425e58c ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x91:6a2bcf61 5e              pop     esi1:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=0425e660 edi=07824fc8eip=6a2bcf62 esp=0425e590 ebp=0425e590 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x92:6a2bcf62 5d              pop     ebp1:021> eax=196e2fb0 ebx=00000000 ecx=196e2fb0 edx=00000008 esi=0425e660 edi=07824fc8eip=6a2bcf63 esp=0425e594 ebp=0425e630 iopl=0         nv up ei pl nz na po nccs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202mshtml!CTreeNode::CTreeNode+0x93:6a2bcf63 c20800          ret     81:021> dd eax196e2fb0  07824fc8 15171fb0 ffff0075 ffffffff196e2fc0  00000000 00000000 00000000 00000000196e2fd0  00000000 00000000 00000000 00000000196e2fe0  00000000 00000000 00000000 00000000196e2ff0  00000008 00000000 00000000 d0d0d0d0196e3000  ???????? ???????? ???????? 
????????196e3010  ???????? ???????? ???????? ????????196e3020  ???????? ???????? ???????? ????????1:021> dd 07824fc8 07824fc8  6a11c2e8 00000002 00000008 1506efe807824fd8  071faeb0 00000000 80000075 0001000007824fe8  00000000 18b1cfe8 0e030ff4 0000000007824ff8  00000000 00000000 ???????? ????????07825008  ???????? ???????? ???????? ????????07825018  ???????? ???????? ???????? ????????07825028  ???????? ???????? ???????? ????????07825038  ???????? ???????? ???????? ????????1:021> ln 6a11c2e8 (6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'Exact matches:    mshtml!CGenericElement::`vftable' = 

By the same reasoning, document.body.appendChild(id_1); causes a CTreeNode to be created for the CGenericElement object.

Modify the POC and insert the auxiliary debugging statements again.

1:021> g
Breakpoint 0 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
eip=6c77d8c0 esp=0441e874 ebp=0441e8b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!tan:
6c77d8c0 ff258010756c    jmp     dword ptr [jscript!_imp__tan (6c751080)] ds:0023:6c751080={msvcrt!tan (773dde34)}

Set the breakpoints again.

1:021> bl
 0 e 6c77d8c0     0001 (0001)  1:**** jscript!tan
 1 e 6a2bced0     0001 (0001)  1:**** mshtml!CTreeNode::CTreeNode
 2 e 6a2fe563     0001 (0001)  1:**** mshtml!CTreeNode::Release
 3 e 6a23480f     0001 (0001)  1:**** mshtml!CElement::CElement
 4 e 6a31071b     0001 (0001)  1:**** mshtml!CElement::~CElement
 5 e 6a45673b     0001 (0001)  1:**** mshtml!CElement::applyElement
1:021> g
Breakpoint 5 hit
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi=00001200 edi=00000000
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::applyElement:
6a45673b 8bff            mov     edi,edi

It breaks as expected, so this mshtml function is what implements applyElement in JavaScript.

1:021> g
Breakpoint 5 hit
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi=00001200 edi=00000000
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::applyElement:
6a45673b 8bff            mov     edi,edi
1:021> dd esp
0441e7ec  6a462da7 06e4efc8 07394fd8 052d5ff4
0441e7fc  0441e878 00810fd0 6a462cbe 6a2b2820
0441e80c  052d5ff4 07394fd8 00000002 00000000
0441e81c  00080009 0441e894 6a32235c 06e4efc8
0441e82c  00810fd0 06eaafd8 0000016c 6a2b2820
0441e83c  00000001 05498fe8 0441e870 00810fd0
0441e84c  00000000 80070005 01001002 77890023
0441e85c  0441ea68 0000016c 06eaafd8 00000000
1:021> dd 06e4efc8
06e4efc8  6a11c2e8 00000004 00000008 0738cfe8
06e4efd8  062c5ef0 07337fb0 00000075 00010200
06e4efe8  00000000 075c2f30 06e96ff4 00000000
06e4eff8  00000000 00000000 ???????? ????????
06e4f008  ???????? ???????? ???????? ????????
06e4f018  ???????? ???????? ???????? ????????
06e4f028  ???????? ???????? ???????? ????????
06e4f038  ???????? ???????? ???????? ????????
1:021> ln 6a11c2e8 
(6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = 
1:021> dd 07394fd8
07394fd8  6a627f68 00000001 6a2d2fa8 06e42fd8
07394fe8  6a2aaadc 00000000 00000000 00020000
07394ff8  03000048 00000000 ???????? ????????
07395008  ???????? ???????? ???????? ????????
07395018  ???????? ???????? ???????? ????????
07395028  ???????? ???????? ???????? ????????
07395038  ???????? ???????? ???????? ????????
07395048  ???????? ???????? ???????? ????????
1:021> ln 6a627f68
(6a627f68)   mshtml!s_apfnTrackerTearoffVtable   |  (6a6280a0)   mshtml!s_fontFamilyMap
Exact matches:
    mshtml!s_apfnTrackerTearoffVtable = 

The first argument is a pointer to the CGenericElement object; we already know from above that id_1 is the CGenericElement.

1:021> r
eax=06eaafd8 ebx=6a628c2c ecx=6a45673b edx=0441e814 esi=00001200 edi=00000000
eip=6a45673b esp=0441e7ec ebp=0441e820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mshtml!CElement::applyElement:
6a45673b 8bff            mov     edi,edi
1:021> g
Breakpoint 2 hit
eax=00000003 ebx=075c2f30 ecx=063f0754 edx=07392fb0 esi=07392fb0 edi=00000000
eip=6a2fe563 esp=0441e684 ebp=0441e738 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::Release:
6a2fe563 8b4a40          mov     ecx,dword ptr [edx+40h] ds:0023:07392ff0=00000008
1:021> dd edx
07392fb0  06e42fd8 00000000 ffff0060 ffffffff
07392fc0  00000051 00000000 00000000 00000000
07392fd0  00000000 00000000 00000052 00000000
07392fe0  00000000 00000000 00000000 00000000
07392ff0  00000008 00000000 00000000 d0d0d0d0
07393000  ???????? ???????? ???????? ????????
07393010  ???????? ???????? ???????? ????????
07393020  ???????? ???????? ???????? ????????
1:021> dd 06e42fd8
06e42fd8  6a0f70e0 00000002 00000008 00000000
06e42fe8  062c5f20 07392fb0 80000060 80010200
06e42ff8  00000002 075c2f30 ???????? ????????
06e43008  ???????? ???????? ???????? ????????
06e43018  ???????? ???????? ???????? ????????
06e43028  ???????? ???????? ???????? ????????
06e43038  ???????? ???????? ???????? ????????
06e43048  ???????? ???????? ???????? ????????
1:021> ln 6a0f70e0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = 

Note that Math.cos(3,4); has not been hit yet. This shows that id_1.applyElement(id_0); caused the CTreeNode of the CPhraseElement (id_0) to be released.

1:021> 
eax=06ab8fb0 ebx=00000000 ecx=06ab8fb0 edx=00000008 esi=00000008 edi=06e42fd8
eip=6a2bcf61 esp=0441e664 ebp=0441e668 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode+0x91:
6a2bcf61 5e              pop     esi
1:021> dd eax
06ab8fb0  06e42fd8 077a2fb0 ffff0060 ffffffff
06ab8fc0  00000000 00000000 00000000 00000000
06ab8fd0  00000000 00000000 00000000 00000000
06ab8fe0  00000000 00000000 00000000 00000000
06ab8ff0  00000008 00000000 00000000 d0d0d0d0
06ab9000  ???????? ???????? ???????? ????????
06ab9010  ???????? ???????? ???????? ????????
06ab9020  ???????? ???????? ???????? ????????
1:021> dd 06e42fd8 
06e42fd8  6a0f70e0 00000002 00000008 00000000
06e42fe8  062c5f20 00000000 80000060 80010000
06e42ff8  00000002 06ebefe8 ???????? ????????
06e43008  ???????? ???????? ???????? ????????
06e43018  ???????? ???????? ???????? ????????
06e43028  ???????? ???????? ???????? ????????
06e43038  ???????? ???????? ???????? ????????
06e43048  ???????? ???????? ???????? ????????
1:021> ln 6a0f70e0 
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = 

Immediately afterwards a new CTreeNode is allocated for this same element.

1:021> g
Breakpoint 6 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
eip=6c77d67f esp=0441e874 ebp=0441e8b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!cos:
6c77d67f ff259010756c    jmp     dword ptr [jscript!_imp__cos (6c751090)] ds:0023:6c751090={msvcrt!cos (773d8ace)}

Execution now stops on the helper statement (the Math.cos marker).

1:021> g
Breakpoint 2 hit
eax=06eaafd8 ebx=06e42fd8 ecx=063f06ec edx=06ab8fb0 esi=06ab8fb0 edi=06eaafd8
eip=6a2fe563 esp=0441e440 ebp=0441e590 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::Release:
6a2fe563 8b4a40          mov     ecx,dword ptr [edx+40h] ds:0023:06ab8ff0=00000012
1:021> dd edx
06ab8fb0  06e42fd8 077a2fb0 00020260 00030001
06ab8fc0  00000061 00000000 07337fd8 07382fe0
06ab8fd0  07382fe0 07337fc0 00000062 00000000
06ab8fe0  07390fe0 07337fd8 07337fd8 07390fe0
06ab8ff0  00000012 00000000 00000000 d0d0d0d0
06ab9000  ???????? ???????? ???????? ????????
06ab9010  ???????? ???????? ???????? ????????
06ab9020  ???????? ???????? ???????? ????????
1:021> dd 06e42fd8
06e42fd8  6a0f70e0 00000006 00000020 06aaafe8
06e42fe8  062c5f21 06ab8fb0 00000060 82010200
06e42ff8  00000002 075c2f30 ???????? ????????
06e43008  ???????? ???????? ???????? ????????
06e43018  ???????? ???????? ???????? ????????
06e43028  ???????? ???????? ???????? ????????
06e43038  ???????? ???????? ???????? ????????
06e43048  ???????? ???????? ???????? ????????
1:021> ln 6a0f70e0
(6a0f70e0)   mshtml!CPhraseElement::`vftable'   |  (6a0f7308)   mshtml!CBlockElement::`vftable'
Exact matches:
    mshtml!CPhraseElement::`vftable' = 

So the CTreeNode of the CPhraseElement (the newly allocated one at 06ab8fb0) is released again. This release is caused by the onlosecapture handler:

id_0.onlosecapture=function(e) {

document.write("");
}

The document.write call inside the handler tears down the markup while the capture operation is still using the node.

1:021> g
Breakpoint 7 hit
eax=00000000 ebx=0441e988 ecx=00000005 edx=00000003 esi=0441e978 edi=0441e978
eip=6c77d711 esp=0441e874 ebp=0441e8b0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
jscript!sin:
6c77d711 ff256810756c    jmp     dword ptr [jscript!_imp__sin (6c751068)] ds:0023:6c751068={msvcrt!sin (773d8aea)}


1:021> g
Breakpoint 2 hit
eax=0736cfa8 ebx=00000000 ecx=00000720 edx=07337fb0 esi=07337fb0 edi=06e4efc8
eip=6a2fe563 esp=0441e48c ebp=0441e5e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
mshtml!CTreeNode::Release:
6a2fe563 8b4a40          mov     ecx,dword ptr [edx+40h] ds:0023:07337ff0=00000008
1:021> dd edx
07337fb0  06e4efc8 00000000 ffff0075 ffffffff
07337fc0  00000051 00000000 00000000 00000000
07337fd0  00000000 07337fd8 00000152 00000001
07337fe0  00000000 00000000 07337fc0 06ab8fd8
07337ff0  00000008 00000000 00000000 d0d0d0d0
07338000  ???????? ???????? ???????? ????????
07338010  ???????? ???????? ???????? ????????
07338020  ???????? ???????? ???????? ????????
1:021> dd 06e4efc8 
06e4efc8  6a11c2e8 00000002 00000008 0738cfe8
06e4efd8  062c5ef0 07337fb0 80000075 88010200
06e4efe8  00000002 075c2f30 06e96ff4 00000000
06e4eff8  00000000 00000000 ???????? ????????
06e4f008  ???????? ???????? ???????? ????????
06e4f018  ???????? ???????? ???????? ????????
06e4f028  ???????? ???????? ???????? ????????
06e4f038  ???????? ???????? ???????? ????????
1:021> ln 6a11c2e8 
(6a11c2e8)   mshtml!CGenericElement::`vftable'   |  (6a254ce0)   mshtml!CHeaderElement::`vftable'
Exact matches:
    mshtml!CGenericElement::`vftable' = 


Reposted from: https://www.cnblogs.com/Ox9A82/p/5797123.html
