源MAC地址为空（全零）导致的问题
1 00007ff7`72d7fc20 40 01 00 00 00 00 00 00-50 01 00 00 00 00 00 00 @.......P....... 2 00007ff7`72d7fc30 01 00 00 00 00 00 00 00-00 00 ff ff ff ff ff ff ................ 3 00007ff7`72d7fc40 ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00 ................ 4 00007ff7`72d7fc50 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 5 00007ff7`72d7fc60 d0 07 00 02 00 00 00 00-07 00 00 00 7b 32 36 33 ............{263 6 00007ff7`72d7fc70 31 37 46 38 34 2d 43 37-45 41 2d 34 43 41 31 2d 17F84-C7EA-4CA1- 7 00007ff7`72d7fc80 38 39 42 36 2d 32 46 33-45 41 44 35 33 44 33 30 89B6-2F3EAD53D30 8 00007ff7`72d7fc90 37 7d 00 00 00 00 00 00-00 00 00 00 00 00 00 00 7}.............. 9 10 11 {26317F84-C7EA-4CA1-89B6-2F3EAD53D307} 12 13 struct vport_data{ /*通道对象*/ 14 HANDLE adp_fd; /*通道句柄*/0 15 HANDLE adp_event; /*读事件*/ 8 16 BOOL lock_init; /*初始化锁*/16 17 unsigned char vm_mac[6]; /*管理网卡mac地址*/20 00 00 00 00-00 00,缺陷问题,源mac为0 18 unsigned char gw_mac[6]; /*互联网关mac地址*/26 19 CRITICAL_SECTION wt_lock; /*写保护锁*/32 20 DWORD ndis_ver; /*NDIS驱动版本*/ 21 char port_name[64]; /*NDIS设备名*/ //{660734D0-0B29-4286-A300-E45DD367F57E} 22 }; 23 //offset:20 vm_mac 24 //offset:26 gw_mac 25 //offset:76 port_name 26 //offset:76 port_name 27 //offset:72 ndis_ver 28 29 Integer arguments are passed in registers RCX, RDX, R8, and R9. 30 Floating point arguments are passed in XMM0L, XMM1L, XMM2L, and XMM3L. 16-byte arguments are passed by reference. 
Parameter 31 32 npcap_write() 33 34 35 0:003> u cloud_update_phy+0x8aa0 36 cloud_update_phy+0x8aa0: 37 00007ff7`72d78aa0 4489442418 mov dword ptr [rsp+18h],r8d 38 00007ff7`72d78aa5 4889542410 mov qword ptr [rsp+10h],rdx 39 00007ff7`72d78aaa 48894c2408 mov qword ptr [rsp+8],rcx 40 00007ff7`72d78aaf 4881ec38060000 sub rsp,638h 41 00007ff7`72d78ab6 488b05db740000 mov rax,qword ptr [cloud_update_phy+0xff98 (00007ff7`72d7ff98)] 42 00007ff7`72d78abd 4833c4 xor rax,rsp 43 00007ff7`72d78ac0 4889842428060000 mov qword ptr [rsp+628h],rax 44 00007ff7`72d78ac8 488d442470 lea rax,[rsp+70h] 45 0:003> g 46 Breakpoint 0 hit 47 cloud_update_phy+0x8aa0: 48 00007ff7`72d78aa0 4489442418 mov dword ptr [rsp+18h],r8d ss:00000000`00536450=00536508 49 0:000> k 50 # Child-SP RetAddr Call Site 51 00 00000000`00536438 00007ff7`72d78a64 cloud_update_phy+0x8aa0 52 01 00000000`00536440 00007ff7`72d78a0a cloud_update_phy+0x8a64 53 02 00000000`00536480 00007ff7`72d76269 cloud_update_phy+0x8a0a 54 03 00000000`005364c0 00007ff7`72d7184b cloud_update_phy+0x6269 55 04 00000000`005364f0 00007ff7`72d7a0f2 cloud_update_phy+0x184b 56 05 00000000`0054f990 00007ffc`99337974 cloud_update_phy+0xa0f2 57 06 00000000`0054f9c0 00007ffc`9a4da271 KERNEL32!BaseThreadInitThunk+0x14 58 07 00000000`0054f9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x21 59 0:000> r 60 rax=0000000000000001 rbx=0000000000000001 rcx=00007ff772d7fc20 61 rdx=00007ff772d7fd0c rsi=0000000000000000 rdi=000000000054f568 62 rip=00007ff772d78aa0 rsp=0000000000536438 rbp=0000000000000000 63 r8=0000000000000001 r9=0000000000000000 r10=0000000000000000 64 r11=fe624e212ac18000 r12=0000000000000000 r13=0000000000000000 65 r14=0000000000000000 r15=0000000000000000 66 iopl=0 nv up ei pl zr na po nc 67 cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 68 cloud_update_phy+0x8aa0: 69 00007ff7`72d78aa0 4489442418 mov dword ptr [rsp+18h],r8d ss:00000000`00536450=00536508 70 0:000> db 00007ff772d7fc20 71 00007ff7`72d7fc20 40 01 00 00 00 00 00 
00-50 01 00 00 00 00 00 00 @.......P....... 72 00007ff7`72d7fc30 01 00 00 00 00 00 00 00-00 00 ff ff ff ff ff ff ................ 73 00007ff7`72d7fc40 ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00 ................ 74 00007ff7`72d7fc50 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 75 00007ff7`72d7fc60 d0 07 00 02 00 00 00 00-07 00 00 00 7b 32 36 33 ............{263 76 00007ff7`72d7fc70 31 37 46 38 34 2d 43 37-45 41 2d 34 43 41 31 2d 17F84-C7EA-4CA1- 77 00007ff7`72d7fc80 38 39 42 36 2d 32 46 33-45 41 44 35 33 44 33 30 89B6-2F3EAD53D30 78 00007ff7`72d7fc90 37 7d 00 00 00 00 00 00-00 00 00 00 00 00 00 00 7}.............. 79 0:000> dq 00007ff772d7fc20 80 00007ff7`72d7fc20 00000000`00000140 00000000`00000150 81 00007ff7`72d7fc30 00000000`00000001 ffffffff`ffff0000 82 00007ff7`72d7fc40 ffffffff`ffffffff 00000000`ffffffff 83 00007ff7`72d7fc50 00000000`00000000 00000000`00000000 84 00007ff7`72d7fc60 00000000`020007d0 3336327b`00000007 85 00007ff7`72d7fc70 37432d34`38463731 2d314143`342d4145 86 00007ff7`72d7fc80 3346322d`36423938 30334433`35444145 87 00007ff7`72d7fc90 00000000`00007d37 00000000`00000000 88 0:000> db 00007ff772d7fc20 89 00007ff7`72d7fc20 40 01 00 00 00 00 00 00-50 01 00 00 00 00 00 00 @.......P....... 90 00007ff7`72d7fc30 01 00 00 00 00 00 00 00-00 00 ff ff ff ff ff ff ................ 91 00007ff7`72d7fc40 ff ff ff ff ff ff ff ff-ff ff ff ff 00 00 00 00 ................ 92 00007ff7`72d7fc50 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 93 00007ff7`72d7fc60 d0 07 00 02 00 00 00 00-07 00 00 00 7b 32 36 33 ............{263 94 00007ff7`72d7fc70 31 37 46 38 34 2d 43 37-45 41 2d 34 43 41 31 2d 17F84-C7EA-4CA1- 95 00007ff7`72d7fc80 38 39 42 36 2d 32 46 33-45 41 44 35 33 44 33 30 89B6-2F3EAD53D30 96 00007ff7`72d7fc90 37 7d 00 00 00 00 00 00-00 00 00 00 00 00 00 00 7}.............. 
97 98 //RCX(handle), RDX(lpBuffer), R8(nNumberOfBytesToWrite), and R9(lpNumberOfBytesWritten) 99 UPF_Write() 100 bp cloud_update_phy+ 0x0007810 101 0:003> bp cloud_update_phy+ 0x0007810 102 0:003> u cloud_update_phy+ 0x0007810 103 cloud_update_phy+0x7810: 104 00007ff7`72d77810 4c894c2420 mov qword ptr [rsp+20h],r9 105 00007ff7`72d77815 4489442418 mov dword ptr [rsp+18h],r8d 106 00007ff7`72d7781a 4889542410 mov qword ptr [rsp+10h],rdx 107 00007ff7`72d7781f 48894c2408 mov qword ptr [rsp+8],rcx 108 00007ff7`72d77824 4883ec48 sub rsp,48h 109 00007ff7`72d77828 488b442458 mov rax,qword ptr [rsp+58h] 110 00007ff7`72d7782d 4889442438 mov qword ptr [rsp+38h],rax 111 00007ff7`72d77832 488b442438 mov rax,qword ptr [rsp+38h] 112 0:003> g 113 Breakpoint 1 hit 114 cloud_update_phy+0x7810: 115 00007ff7`72d77810 4c894c2420 mov qword ptr [rsp+20h],r9 ss:00000000`00535e18=0000000000535e44 116 0:000> r 117 rax=00007ff772d7fc20 rbx=0000000000000001 rcx=0000000000000140 118 rdx=0000000000535e70 rsi=0000000000000000 rdi=000000000054f568 119 rip=00007ff772d77810 rsp=0000000000535df8 rbp=0000000000000000 120 r8=0000000000000021 r9=0000000000535e44 r10=0000000000000000 121 r11=0000000000535e90 r12=0000000000000000 r13=0000000000000000 122 r14=0000000000000000 r15=0000000000000000 123 0:000> db 0000000000535e70 124 00000000`00535e70 b0 64 53 00 00 00 00 00-11 00 00 00 11 00 00 00 .dS............. 125 00000000`00535e80 ff ff ff ff ff ff 00 00-00 00 00 00 99 99 00 01 ................ 126 00000000`00535e90 23 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 #............... 127 00000000`00535ea0 04 00 00 00 00 00 00 00-01 1d d7 72 f7 7f 00 00 ...........r.... 128 00000000`00535eb0 00 00 00 00 00 00 00 00-ff ff ff ff ff ff ff ff ................ 129 00000000`00535ec0 00 65 53 00 00 00 00 00-00 00 00 00 00 00 00 00 .eS............. 130 00000000`00535ed0 50 06 f7 00 00 00 00 00-ab 95 23 97 fc 7f 00 00 P.........#..... 
131 00000000`00535ee0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 132 133 char local[sizeof(struct pcap_pkthdr_w)+sizeof(struct phy_ethhdr)+PHY_Line_MTU]; 134 0000000000000021 = 2x16+1 - 16 = 17字节（R8 中的写入长度 0x21 = 33 字节，减去 16 字节的 pcap_pkthdr_w 头） 135 136 struct pcap_pkthdr_w 占16字节,剩下全是裸二层报文,从00535e80开始：目的MAC ff ff ff ff ff ff，源MAC 00 00 00 00 00 00 137 138 最终结论：源MAC地址为全零，导致心跳报文发不出去，进而导致cloud agent心跳上报失败