不知道Adobe究竟是受什么启发,在FlashPlayer的23版本开始引入了针对dll劫持的缓解措施。
FlashPlayer 22的启动参数处理流程示意如下:
// Decompiled excerpt of the FlashPlayer 22 startup path: DLL search-order
// hardening, then the narrow command-line scan. The enclosing function (of
// which hInstance is a parameter) starts and ends outside this excerpt.
v63 = hInstance;
// Both kernel32 entry points are resolved at run time, so on a Windows build
// that lacks them the corresponding call is simply skipped.
v4 = GetModuleHandleW(L"kernel32.dll");
v5 = GetProcAddress(v4, "SetDllDirectoryA");
v6 = 0;
if ( v5 )
// byte_D44471 is not visible here; presumably an empty string, which removes
// the current directory from the DLL search order — verify in the data segment.
((void (__stdcall *)(char *))v5)(byte_D44471);
v7 = GetModuleHandleW(L"kernel32.dll");
v8 = GetProcAddress(v7, "SetDefaultDllDirectories");
if ( v8 )
// 2048 == 0x800 == LOAD_LIBRARY_SEARCH_SYSTEM32: later library loads that use
// the default search path are confined to the system32 directory.
((void (__stdcall *)(signed int))v8)(2048);
sub_41CC51();
// <- new codes are inserted here
// Skip the first token of the command line (the program path): either a
// quoted string, or a run of characters above 0x20 when unquoted.
v9 = GetCommandLineA();
v10 = v9;
v11 = *v9;
if ( v11 != '"' )
{
// Unquoted: advance over the token; *v10 is compared as unsigned.
if ( (unsigned __int8)v11 > 0x20u )
{
do
++v10;
while ( *v10 > 0x20u );
}
goto LABEL_15;
}
// Quoted: advance to the closing quote or the terminating NUL.
do
++v10;
while ( *v10 != 34 && *v10 );
// LABEL_15 lies outside this excerpt.
if ( *v10 != '"' )
goto LABEL_15;
而23版本在GetCommandLineA前插入了新的缓解代码,如下所示:
// FlashPlayer 23 mitigation, inserted ahead of GetCommandLineA. The enclosing
// function continues outside this excerpt. Each wide-string buffer (Filename,
// Dst, v82, v86, NewFileName, PathName) is 0x104 characters, per the sizes
// passed to the *_s calls below.
sub_41D360();
// Filename = full path of this executable; Dst = its directory (the path
// truncated at the last backslash); v82 = its bare file name.
GetModuleFileNameW(0, &Filename, 0x104u);
wcscpy_s(&Dst, 0x104u, &Filename);
v9 = wcsrchr(&Dst, 0x5Cu);
if ( v9 )
*v9 = 0;
v10 = wcsrchr(&Filename, 0x5Cu);
// NOTE(review): unlike v9 above, v10 is not NULL-checked before v10 + 1. A
// module path without a backslash is not expected from GetModuleFileNameW,
// but the decompiled code relies on that rather than checking.
wcscpy_s(&v82, 0x104u, v10 + 1);
v11 = GetCommandLineW();
// v66 (the argv array from CommandLineToArgvW) is indexed below without a
// NULL check and is never LocalFree'd anywhere in this excerpt.
v66 = CommandLineToArgvW(v11, &pNumArgs);
memset(&v86, 0, 0x208u);   // 0x208 bytes == 0x104 wide chars: the relaunch argument buffer
// Detect the second-stage instance. wcsstr is a substring match, so any
// argument that merely contains "-relaunched" sets v68, not only an exact
// "-relaunched" argument. v68's initial value is not visible here.
for ( i = 1; i < pNumArgs; ++i )
{
if ( wcsstr(v66[i], L"-relaunched") )
v68 = 1;
}
// sub_41D705 is not shown; the listing's own comment identifies it as the
// DLL-presence check, applied to the executable's own directory (Dst).
if ( sub_41D705(&Dst) ) // check dll
{
uExitCode = 0;
if ( v68 )
{
// Second stage still sees DLLs next to itself: refuse to run rather than
// relaunch again.
MessageBoxW(0, L"Dll's are not allowed next to the Standalone Player", L"Error", 0);
}
else if ( sub_41CD97(&NewFileName, (int)&v82) )// create temp directory
{
// First stage: copy ourselves into the new temp directory (third argument 1
// = fail if the target exists), rebuild the original arguments into v86,
// append -relaunched, and run the copy.
v13 = 1;
if ( CopyFileW(&Filename, &NewFileName, 1) )
{
if ( pNumArgs > 1 )
{
do
{
// Fixed 0x104 capacity: a long original command line exceeds it, and the
// wcscat_s failure status is not checked anywhere in this loop.
wcscat_s(&v86, 0x104u, v66[v13]);
// Always true inside this loop (v13 < pNumArgs is also the loop condition),
// so a separator follows every argument, including the last one.
if ( v13 < pNumArgs )
wcscat_s(&v86, 0x104u, L" ");
++v13;
}
while ( v13 < pNumArgs );
}
wcscat_s(&v86, 0x104u, L"-relaunched");
// sub_41D779 is not shown; from the flow it starts NewFileName with v86 as
// its arguments. Whether it waits for the child is not visible here, though
// the cleanup right after it suggests so — confirm.
if ( !sub_41D779(&NewFileName, (int)&v86, 0) )
uExitCode = 1;
// Remove the temp copy and then its (now empty) directory.
wcscpy_s(&PathName, 0x104u, &NewFileName);
v14 = wcsrchr(&PathName, 0x5Cu);
if ( v14 )
*v14 = 0;
DeleteFileW(&NewFileName);
RemoveDirectoryW(&PathName);
}
else
{
uExitCode = 1;
}
}
else
{
uExitCode = 1;
}
// Reached from every branch above: once DLLs were found next to the
// executable, the original process never continues past this point.
ExitProcess(uExitCode);
}
v15 = GetCommandLineA();
插入的代码功能:FlashPlayer在运行的时候,会检测自身所在目录(即FlashPlayer.exe所在的目录)是否包含*.dll文件,如果包含,就拷贝自身到temp目录,然后以-relaunched参数启动。
如果以-relaunched启动后的FlashPlayer检测到目录仍然包含*.dll就会弹出错误对话框,然后终止运行。
所以包含dll时,查看进程管理器,看到的FlashPlayer都是这样的形式:
“C:/Users/admin/AppData/Local/Temp/{F0CF3F41-B0CC-44A3-B59F-EA1D57B9DF7C}/FlashPlayer.exe” -relaunched