
Recovering a Document After a Windows Program Crash

evil0x00

Published: 06 Sept 2018 › Updated: 06 Sept 2018

Scenario 1: the editor crashes while you are writing a document. What now?

How can the document be recovered? The recovery process is written up below.

0x01: Tools

WinDbg

On 64-bit Windows 7 the installer complains about a missing DLL; downloading and installing this update fixes it:

https://download.microsoft.com/download/1/1/5/11565A9A-EA09-4F0A-A57E-520D5D138140/Windows6.1-KB2999226-x64.msu

0x02: Document recovery

After a crash a DMP file is produced. It lives at: C:\Users\ADMINI~1\AppData\Local\Temp*********.DMP

For this walkthrough we trigger a crash by hand to produce one:



Locate the DMP file:
C:\Users\ADMINI~1\AppData\Local\Temp\notepad.DMP

Load it in WinDbg:

File ---> Open Crash Dump

The opened file looks like this (screenshot omitted).

Step 1: search memory for content from the document, for example the first sentence you typed, so that it can be dumped in a moment.

The relevant command is documented in the official reference:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/s--search-memory-

s -u 0 l1000000 "这不是一个自由软件"

s          search memory
-u         search for a Unicode (UTF-16) string
0          start address of the search range
l1000000   range length (WinDbg L-size syntax), i.e. search the first 0x1000000 bytes

The search result (screenshot omitted) gives the address of the match.

With the address found, use the du command:

du (display memory as Unicode)

du 00157758 l1000

The output looks like this:

0:000> du 00157758 l1000
00000000`00157758  "这不是一个自由软件!您只能在不用于商业目的的前提下对程序代码进行"
00000000`00157798  "修改和使用;..''' 未经授权不允许对程序代码以任何形式任何目"
00000000`001577d8  "的的再发布。..''' ===================="
00000000`00157818  "================================"
00000000`00157858  "==============..''' 编写: IT平民..''"
00000000`00157898  "' 修改:IT平民 in 2014.07.....option "
00000000`001578d8  "explicit...session.codepage=6500"
00000000`00157918  "1...response.charset="utf-8"...s"
00000000`00157958  "erver.scripttimeout=999999...dim"
00000000`00157998  " in_sdcms:in_sdcms=true...dim db"
00000000`001579d8  "query:dbquery=0...dim startime:s"
00000000`00157a18  "tartime=timer()...'microsoft.xml"
00000000`00157a58  "http...'Msxml2.XMLHTTP...'WinHtt"
00000000`00157a98  "p.WinHttpRequest.5.1...'MSXML2.S"
00000000`00157ad8  "ERVERXMLHTTP.3.0...'以上为候选参数...di"
00000000`00157b18  "m xmlhttp:xmlhttp="MSXML2.XMLHTT"
00000000`00157b58  "P"...dim ismobile:ismobile=false"
00000000`00157b98  "..%>........<!"
00000000`00157cd8  "--#include file="class/sdcms.fun"
00000000`00157d18  ".asp"-->.."
00000000`00157dd8  "....<%...dim sqltime:"
00000000`00157e58  "sqltime="now()"...if not(datatyp"
00000000`00157e98  "e) then sqltime="GetDate()"...sd"
00000000`00157ed8  "cms.sitedb:sdcms.catedb:sdcms.au"
00000000`00157f18  "to_update...dim page:page=sdcms."
00000000`00157f58  "getint(sdcms.fget("page",0),1).."
00000000`00157f98  ".dim webmode:webmode=sdcms.getsy"
00000000`00157fd8  "s("webmode")...dim isgzip:isgzip"
00000000`00158018  "=sdcms.getsys("isgzip")...dim is"
00000000`00158058  "cache:iscache=sdcms.getsys("isca"
00000000`00158098  "che")...dim tempcache:tempcache="
00000000`001580d8  "sdcms.getsys("tempcache")...dim "
00000000`00158118  "cachedate:cachedate=sdcms.getsys"
00000000`00158158  "("cachedate")...dim thisurl:this"
00000000`00158198  "url=sdcms.getthisurl...dim htmld"
00000000`001581d8  "ir:htmldir=sdcms.getsys("htmldir"
00000000`00158218  "")...dim commentconfig:commentco"
00000000`00158258  "nfig=eval(sdcms.getsys("expand.c"
00000000`00158298  "omment"))...dim syscomment:sysco"
00000000`001582d8  "mment=commentconfig(0)...dim moo"
00000000`00158318  "dconfig:moodconfig=sdcms.getsys("
00000000`00158358  ""expand.mood")...ismobile=sdcms."
00000000`00158398  "get_ismobile...dim blacklist:bla"
00000000`001583d8  "cklist="javascript|Document|oner"
00000000`00158418  "ror|onload|onmouseover"...'ismob"
00000000`00158458  "ile=true..%>"

That is the document content.

The next step is to extract it:
.writemem filename range

0:000> .writemem c:\1.txt 00157758 l1000
Writing 1000 bytes..

When opened, 1.txt is not yet recognised as a Unicode text file.

It shows up as garbage, so edit the file header and add the Unicode byte-order mark ff fe, as shown (screenshot omitted).

Save it and open it again; it now reads correctly (screenshot omitted).

The leading "这" was lost because we wrote ff fe over the first two bytes instead of inserting them in front. That completes the recovery.
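The same three steps (s -u, du, .writemem plus the ff fe header) can be done offline against raw memory bytes. This is an added example, not code from the original post; it prepends the BOM instead of overwriting the first two bytes, so the first character survives. The memory image is a constructed sample, not a real crash dump.

```python
"""Offline equivalent of the WinDbg steps above: locate a UTF-16LE string in a
memory image, read it back, and save it as a BOM-prefixed text file."""
from pathlib import Path

BOM_UTF16LE = b"\xff\xfe"  # the "ff fe" marker added to the file head in the post


def find_unicode(image: bytes, needle: str, start: int = 0) -> int:
    """Like `s -u <start> L<len> "needle"`: offset of the UTF-16LE encoding
    of `needle` inside `image`, or -1 if it is not present."""
    return image.find(needle.encode("utf-16-le"), start)


def read_unicode(image: bytes, offset: int, max_chars: int) -> str:
    """Like `du <offset> L<max_chars>`: decode up to max_chars UTF-16 code
    units starting at offset, stopping at the first NUL terminator."""
    chunk = image[offset: offset + 2 * max_chars]
    if len(chunk) % 2:          # never hand the decoder a dangling odd byte
        chunk = chunk[:-1]
    text = chunk.decode("utf-16-le", errors="replace")
    nul = text.find("\x00")
    return text if nul < 0 else text[:nul]


def extract_with_bom(image: bytes, offset: int, nbytes: int) -> bytes:
    """Like `.writemem <file> <offset> L<nbytes>` followed by the header fix,
    except the BOM is *prepended* rather than written over the first two
    bytes, so no character is lost."""
    return BOM_UTF16LE + image[offset: offset + nbytes]


def recover_to_file(image: bytes, needle: str, nbytes: int, path: str) -> str:
    """Whole chain: search, extract, save; returns the text as Notepad sees it."""
    off = find_unicode(image, needle)
    if off < 0:
        raise ValueError("document text not found in image")
    blob = extract_with_bom(image, off, nbytes)
    Path(path).write_bytes(blob)
    return blob.decode("utf-16")  # the decoder honours the BOM and strips it


if __name__ == "__main__":
    # Constructed sample: zero padding, some junk, the document, a terminator.
    doc = "这不是一个自由软件!您只能在不用于商业目的的前提下对程序代码进行修改和使用;"
    image = b"\x00" * 0x100 + b"junk" + doc.encode("utf-16-le") + b"\x00\x00"
    print(recover_to_file(image, "这不是一个自由软件", 0x1000, "recovered.txt"))
```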
