This post was last edited by Wesly.Zhang on 2019-9-21 20:24
Hello,
After studying the traces I generated by reproducing the issue myself, the problem is actually here.
Before launching the Safe Browser, Kaspersky does the following main things:
1. Checks whether every DLL plugin loaded by the browser is known-safe, and at the same time checks whether every process is known-safe.
2. Runs the system vulnerability file check (vlnsp) on:
C:\Windows\System32\d3d10level9.dll
C:\Windows\system32\urlmon.dll
C:\Windows\syswow64\urlmon.dll
C:\Windows\system32\wwanpref.dll
C:\Windows\system32\drivers\partmgr.sys
C:\Windows\system32\drivers\bthusb.sys
C:\Windows\syswow64\jscript9.dll
When it reaches jscript9.dll, it detects that the MS13-069 patch is not installed on the system and then returns the error message: CheckVulnerabilityStatus: the system is vulnerable.
11:41:39.680 0x1c48 INF env Expanding string result: "C:\Windows\syswow64\jscript9.dll"
11:41:39.680 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::GetFileInfo: Expanded path: C:\Windows\syswow64\jscript9.dll
11:41:39.680 0x1c48 INF esm Returning existing service name='app_ctrl.process_monitor.ApplicationManager', serviceKey=0x1f8f4f7b, hostId=0x00000000, accessPointId=0x00000000, object=0x0270b2c0. Interface requested iface=0x06b550a8, serviceKey=0x00000000, hostId=0x00000000, accessPointId=0x00000000, requestor={unknown}
11:41:39.680 0x1c48 INF pmn Triggered GetModuleInfoByPath with client's path: C:\Windows\syswow64\jscript9.dll
11:41:39.680 0x1c48 INF pmn Try to get predefined id for module path: C:\Windows\syswow64\jscript9.dll
11:41:39.680 0x1c48 INF pmn FileInfoStorage::CreateRecordImpl: raw path=C:\Windows\syswow64\jscript9.dll, case sensitive: 0, shouldCreate: 1
11:41:39.680 0x1c48 INF rdb FindObject(0,A,0,0626E1A8,9,2,0,2A9) = err=0x00000000
11:41:39.680 0x1c48 INF pmn Created module record. moduleId = 681, raw key: 4649444200ce4088b0
11:41:39.680 0x1c48 INF rdb GetObjectData(2A9,1E2E2268,256,1AD3ECF4,-555461653) = err=0x00000000
11:41:39.680 0x1c48 INF rdb GetObjectData(2A9,1E2E8918,1,1AD3EDB4,-1131539153) = err=0x8000004C
11:41:39.680 0x1c48 INF pmn GetObjectData, for type = 1008438077
11:41:39.680 0x1c48 INF pmn Open file by context: , Filename = C:\Windows\syswow64\jscript9.dll, KernelFilename = , SequentialReadOptimizationFlag = 0, OpenVirtualFileFlag = 0, IsNetworkFile = 0, IsCaseSensitive = 0
11:41:39.680 0x1c48 INF pmn Trying to open without context impersonation
11:41:39.680 0x1c48 INF pmn Open via klif using user path
11:41:39.680 0x1c48 INF SI system_interceptors::file_name_mapper::FileNameMapper::UserFileName2KernelFileName (userFileName: C:\Windows\syswow64\jscript9.dll) starting...
11:41:39.680 0x1c48 INF SI system_interceptors::file_name_mapper::FileNameMapper::UserFileName2KernelFileName (userFileName: 'C:\Windows\syswow64\jscript9.dll',kernelFileName: '\??\C:\Windows\syswow64\jscript9.dll') done
11:41:39.680 0x1c48 INF pmn User filename mapped: C:\Windows\syswow64\jscript9.dll -> \??\C:\Windows\syswow64\jscript9.dll
11:41:39.680 0x1c48 INF SI klif::DirectFileIO::CreateByKernelPath (kernelFileName: \Device\HarddiskVolume3\Windows\SysWOW64\jscript9.dll) done. Result=0x0
11:41:39.680 0x1c48 INF SI FileObjectDatabase::GetRecordByIo using provider: allowCreation = 1, filename = C:\Windows\SysWOW64\jscript9.dll
11:41:39.680 0x1c48 INF pmn GetOrProvideValue, WasHandlerInvoked = 1
11:41:39.680 0x1c48 INF SI klif::DirectFileIO::~DirectFileIO - ClosePseudoHandle(fileName: \Device\HarddiskVolume3\Windows\SysWOW64\jscript9.dll, handle=0xfcb0000000003455) succeeded
11:41:39.680 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::GetFileInfo: File ver: 11.0.18362.356
11:41:39.711 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::CheckVulnerabilityStatus: First category matched: MS13-069
11:41:39.711 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::CheckVulnerabilityStatus: the system is vulnerable
11:41:39.711 0x1c48 INF sbank Check vulnerabilities: rc = 0x00000001
OK, does anyone know this patch? MS13-069, it should be the one that updated this JS engine. But this looks like a big bug in the detection. Can someone remind the Russians that the database for the vulnerability-check items needs updating? Microsoft updated this JS engine many years ago, so how can it suddenly detect a problem from the 2013 JS engine? What year is it now? Hey, wake up, we've arrived at Suzhou!
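To make the vlnsp trail above easier to pull out of a long trace, here is a small parser (an added example, not code from the post or from Kaspersky). It reads trace lines of the shape quoted above (timestamp, thread id, level, component, message), follows each SystemVulnerabilityStatusProviderInstance::GetFileInfo / CheckVulnerabilityStatus sequence, and reports which file was flagged, with which bulletin, and what rc the sbank component returned. The embedded SAMPLE_TRACE is constructed: the jscript9.dll lines are copied from the post, while the urlmon.dll entry and its version number are made up to show a file that passes the check. File versions are parsed into integer tuples so that any comparison is numeric; the parse_version docstring notes the lexicographic pitfall as a general caveat, not as a claim about why this particular detection fired.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample trace. The jscript9.dll lines match the post; the
# urlmon.dll entry (and its version) is invented to show a non-flagged file.
SAMPLE_TRACE = r"""
11:41:39.650 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::GetFileInfo: Expanded path: C:\Windows\system32\urlmon.dll
11:41:39.650 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::GetFileInfo: File ver: 11.0.18362.1
11:41:39.680 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::GetFileInfo: Expanded path: C:\Windows\syswow64\jscript9.dll
11:41:39.680 0x1c48 INF pmn Triggered GetModuleInfoByPath with client's path: C:\Windows\syswow64\jscript9.dll
11:41:39.680 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::GetFileInfo: File ver: 11.0.18362.356
11:41:39.711 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::CheckVulnerabilityStatus: First category matched: MS13-069
11:41:39.711 0x1c48 INF vlnsp SystemVulnerabilityStatusProviderInstance::CheckVulnerabilityStatus: the system is vulnerable
11:41:39.711 0x1c48 INF sbank Check vulnerabilities: rc = 0x00000001
"""

# One trace line: "HH:MM:SS.mmm 0xTID LVL component message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tid>0x[0-9a-fA-F]+) "
    r"(?P<lvl>[A-Z]+) (?P<comp>\S+) (?P<msg>.*)$"
)
EXPANDED_RE = re.compile(r"GetFileInfo: Expanded path: (?P<path>.+)$")
FILEVER_RE = re.compile(r"GetFileInfo: File ver: (?P<ver>[\d.]+)$")
CATEGORY_RE = re.compile(r"CheckVulnerabilityStatus: First category matched: (?P<cat>\S+)$")
VULNERABLE_RE = re.compile(r"CheckVulnerabilityStatus: the system is vulnerable$")
SBANK_RC_RE = re.compile(r"Check vulnerabilities: rc = (?P<rc>0x[0-9a-fA-F]+)$")


@dataclass
class FileCheck:
    """One vlnsp GetFileInfo/CheckVulnerabilityStatus sequence."""
    path: str
    version: Optional[Tuple[int, ...]] = None
    category: Optional[str] = None   # bulletin name the provider matched, e.g. MS13-069
    vulnerable: bool = False


@dataclass
class VlnspSummary:
    checks: List[FileCheck] = field(default_factory=list)
    sbank_rc: Optional[int] = None   # overall result reported by the sbank component


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn a PE file version like 11.0.18362.356 into a tuple of ints.

    Compare versions as tuples, never as strings: as strings,
    "11.0.18362.356" < "11.0.9600.0" because '1' sorts before '9'.
    """
    return tuple(int(part) for part in ver.split("."))


def parse_trace(text: str) -> VlnspSummary:
    """Walk the trace and collect one FileCheck per vlnsp 'Expanded path' line.

    Version, matched category and verdict lines are attributed to the most
    recent path, which is how the provider's own messages are ordered.
    """
    summary = VlnspSummary()
    current: Optional[FileCheck] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # skip blank or non-trace lines
        comp, msg = m.group("comp"), m.group("msg")
        if comp == "vlnsp":
            e = EXPANDED_RE.search(msg)
            if e:
                current = FileCheck(path=e.group("path"))
                summary.checks.append(current)
                continue
            if current is None:
                continue                  # verdict lines before any path: ignore
            v = FILEVER_RE.search(msg)
            c = CATEGORY_RE.search(msg)
            if v:
                current.version = parse_version(v.group("ver"))
            elif c:
                current.category = c.group("cat")
            elif VULNERABLE_RE.search(msg):
                current.vulnerable = True
        elif comp == "sbank":
            r = SBANK_RC_RE.search(msg)
            if r:
                summary.sbank_rc = int(r.group("rc"), 16)
    return summary


def flagged_files(summary: VlnspSummary) -> List[FileCheck]:
    """Only the files the provider declared vulnerable."""
    return [c for c in summary.checks if c.vulnerable]


if __name__ == "__main__":
    result = parse_trace(SAMPLE_TRACE)
    for check in result.checks:
        ver = ".".join(map(str, check.version)) if check.version else "?"
        print(f"{check.path}  ver={ver}  category={check.category}  vulnerable={check.vulnerable}")
    print(f"sbank rc = {result.sbank_rc}")
```

Run it against a full trace file by replacing SAMPLE_TRACE with the file's contents; every file vlnsp looked at shows up once, and flagged_files() gives the short list worth raising in a ticket, together with the exact file version the provider saw.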