Window types
Menus:
Menu bar -> menu list -> submenu
Shortcut menus do not belong to the menu bar. They are provided by the operating system, and an application usually
associates a shortcut menu with part of a window (for example the client area) or with a specific object (for example an icon). For this reason these menus are also called context menus.
Window menu:
The window menu, also called the system menu or control menu, is defined and managed by the operating system; the user can open it from any position on the title bar.
1. Between CreateWindow and TrackPopupMenu, the structure members supplied when the window class was registered differ. When the kernel function GetClassPtr looks up the registered tagCLS structure, it therefore reads a different value at tagCLS+0x60, which causes the memory allocation to be too small and leads to an out-of-bounds access.
tagCLS+0x60 is WNDCLASSEXA.cbWndExtra.
The tagWNDCLASSEXA structure:
typedef struct tagWNDCLASSEXA {
    UINT      cbSize;
    /* Win 3.x */
    UINT      style;
    WNDPROC   lpfnWndProc;
    int       cbClsExtra;     /* extra bytes allocated per class */
    int       cbWndExtra;     /* extra bytes allocated per window (tagCLS+0x60) */
    HINSTANCE hInstance;
    HICON     hIcon;
    HCURSOR   hCursor;
    HBRUSH    hbrBackground;
    LPCSTR    lpszMenuName;
    LPCSTR    lpszClassName;
    /* Win 4.0 */
    HICON     hIconSm;
} WNDCLASSEXA, *PWNDCLASSEXA, NEAR *NPWNDCLASSEXA, FAR *LPWNDCLASSEXA;
The tagCLS structure:
typedef struct tagCLS {
    /* NOTE: The order of the following fields is assumed. */
    struct tagCLS     *pclsNext;
    ATOM               atomClassName;
    WORD               fnid;                     // record window proc used by this hwnd
    PVOID              hheapDesktop;             /* Allocation source */
    struct tagDESKTOP *rpdeskParent;             /* Parent desktop */
    struct tagDCE     *pdce;                     /* PDCE to DC associated with class */
    int                cWndReferenceCount;       /* The number of windows registered with this class */
    DWORD              flags;                    /* internal class flags */
    LPSTR              lpszClientAnsiMenuName;   /* string or resource ID */
    LPWSTR             lpszClientUnicodeMenuName;/* string or resource ID */
    DWORD              adwWOW[2];                /* LATER: No one uses dwExpWinVer. wow? */
    DWORD              hTaskWow;                 /* LATER: is wow using this? */
    PCALLPROCDATA      spcpdFirst;               /* Pointer to first CallProcData element (or 0) */
    struct tagCLS     *pclsBase;                 /* Pointer to base class */
    struct tagCLS     *pclsClone;                /* Pointer to clone class list */
    PROC               lpfnWorker;               /* Client side worker proc */
    COMMON_WNDCLASS;                             /* the WNDCLASSEX fields, including cbWndExtra */
} CLS, *PCLS, *LPCLS, **PPCLS;
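The mismatch described above, as an added user-mode model (not code from the page or from Windows): the per-window extra area is allocated from one cbWndExtra value while a later access is validated against another. All type and function names (cls_model, wnd_model, wnd_set_extra, demo_mismatch) are hypothetical stand-ins for tagCLS, the window object and a SetWindowLong-style write; the fix shown is to bound the index by the size actually allocated for the window rather than by the class value looked up later.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for tagCLS: only the field the page locates at tagCLS+0x60. */
typedef struct cls_model {
    char name[16];
    int  cbWndExtra;       /* extra bytes requested per window at registration */
} cls_model;

/* Hypothetical window object: fixed header followed by the per-window extra bytes. */
typedef struct wnd_model {
    const cls_model *pcls;
    size_t           cbExtra;   /* bytes actually allocated after the header */
    unsigned char    extra[];
} wnd_model;

static wnd_model *wnd_create(const cls_model *pcls, size_t alloc_extra) {
    wnd_model *w = calloc(1, sizeof(*w) + alloc_extra);
    if (!w) return NULL;
    w->pcls = pcls;
    w->cbExtra = alloc_extra;
    return w;
}

/* Hardened SetWindowLong-style write: the index is bounded by the size that was
   allocated for this window, not by a cbWndExtra read from a class looked up later.
   Returns 1 on success, 0 if the write would leave the allocation. */
static int wnd_set_extra(wnd_model *w, size_t index, uint32_t value) {
    if (index > w->cbExtra || w->cbExtra - index < sizeof(value))
        return 0;
    memcpy(w->extra + index, &value, sizeof(value));
    return 1;
}

/* Constructed scenario: the allocation was sized from the registration (8 bytes),
   but the class found by the later lookup reports 64 bytes of extra storage. */
static int demo_mismatch(void) {
    cls_model registered = { "small", 8 };
    cls_model looked_up  = { "big",  64 };
    wnd_model *w = wnd_create(&registered, (size_t)registered.cbWndExtra);
    if (!w) return 0;
    /* A check against the looked-up cbWndExtra would accept offset 32 ... */
    int naive_ok = (32 + sizeof(uint32_t) <= (size_t)looked_up.cbWndExtra);
    /* ... but the check against the real allocation rejects it (8 bytes only). */
    int hardened_ok = wnd_set_extra(w, 32, 0xDEADBEEFu);
    free(w);
    return naive_ok && !hardened_ok;   /* 1: mismatch caught */
}
```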
PoC link: https://github.com/Rootkitsmm/CVEXX-XX
Brief IDA analysis
WinDbg debugging:
Conclusion: for the function return values I personally referred to the NT4 and similar source code; writing a fuzzer and becoming familiar with the kernel functions are both ways of finding this kind of vulnerability.