病毒分类 普通文件病毒
溢出发生在user32.dll!_LoadAniIcon
_LoadCursorIconFromFileMap -> _LoadAniIcon@20
typedef struct TagHeader
{
DWORD Tag; // LIST , anih , etc.
DWORD OverlaySize;
}ST_TagHeader;
typedef struct MappingFile
{
PBYTE ViewBase;
DWORD CurPointer;
}ST_MappingFile;
; __stdcall LoadCursorIconFromFileMap(x, x, x, x, x, x)
_LoadCursorIconFromFileMap@24 :
...
.text:77D5429F cmp dword ptr [ebp-10h], 'hina'
.text:77D542A6 jnz short loc_77D54309
.text:77D542A8 cmp dword ptr [ebp-0Ch], 24h ;ST_TagHeader结构中的OverlaySize被检查了
;所以第一个anih结构的OverlaySize必须是0x24
.text:77D542AC jnz loc_77D543C5
...
...
...
.text:77D542FF call _LoadAniIcon@20 ; anih
.text:77D54304 jmp loc_77D543E6
...
...
; int __stdcall LoadAniIcon(int,int,int,int,int)
.text:77D53F83 _LoadAniIcon@20
...
...
...
.text:77D54008 cmp eax, 'hina'
.text:77D5400D jnz tag_unknown
.text:77D54013 lea eax, [ebp-4Ch] ;
.text:77D54016 push eax ; pOutBuffer,LocalBuffer,ebp-4ch
.text:77D54017 lea eax, [ebp-28h]
.text:77D5401A push eax ; ST_TagHeader*
.text:77D5401B push ebx ; ST_MappingFile*
.text:77D5401C call _ReadChunk@12 ; ST_TagHeader结构中的OverlaySize没有被检查
; 如果OverlaySize>0x50的话,RET就会被覆盖
.text:77D54021 test eax, eax
...
...
...
