Title: [Original] Analysis of the launch action problem in the various versions of Foxit Reader
Author: 天外飞客
Time: 2010-04-23, 17:08:31
Link: http://bbs.pediy.com/showthread.php?t=111578

PDF file issues have been a hot topic recently (keyword: zeus). I saw a few articles online and took the chance to practice a bit myself, analyzing it with OD. The PDF file format has quite a few latent problems, because the format is far too "all-inclusive". First, I recommend reading

blog.didierstevens.com/2010/03/29/escape-from-pdf/
blog.didierstevens.com/2010/04/06/update-escape-from-pdf/

to get a basic understanding of the PDF file format. Open a PDF directly in a text editor.... begin.....

I analyzed how Foxit handles the launch action. The situation in three versions is as follows (the detailed OD analysis follows later):

1. Foxit Reader 3.1.3.1031: the program path string passed in the /F parameter (not the /F inside /Win) is handled improperly: / and \ are swapped with each other, which makes it possible to run a program with arguments (such as CMD).
Processing: the program path is processed first, swapping / and \. Then, depending on the /NewWindow value, a different function is called to create the process that runs the external program. If /NewWindow true, CreateProcessA is called (dangerous!); if false, ShellExecuteA is called. ShellExecuteA is safe; see the details later.

2. Foxit Reader 3.1.4.1125 (latest): when a program path is passed in /F, every / in the path is converted to \, which avoids cmd script execution. But arguments can still be passed to the program, for programs that use - to mark the start of an argument.
Processing: about the same as 1. The program is UNICODE, so there is a string conversion (ASCII ---> UNICODE); / in the path is converted to \; the rest is the same.

3. Foxit Reader 3.2.1.0401 (latest): fixes the problems above. A launch action now gets a dialog prompt. The prompt has a small problem: it only shows the name of the program to be run. Didier Stevens says the prompt text can be controlled; I don't know how that is done -_-!

Ways of embedding an executable in a PDF:
1. /EmbeddedFiles, which is really an attachment and can be hidden.
2. Using copy from CMD. The embedded file can't be too large..

--------------------------------------------------------------------------------------------------------------------------------------------------

Foxit Reader 3.1.3.1031: improper handling of the path and arguments in the launch action.

The / <-> \ swap is applied to the entire command line, which is an obvious mistake. It allows cmd scripts to be executed.

(1) Path handling

0050B390 /$ 6A FF          PUSH -1
0050B392 |. 68 CF219500    PUSH Foxit_Re.009521CF           ; SE handler installation
0050B397 |. 64:A1 0000000> MOV EAX,DWORD PTR FS:[0]
0050B39D |. 50             PUSH EAX
0050B39E |. 64:8925 00000> MOV DWORD PTR FS:[0],ESP
0050B3A5 |. 83EC 08        SUB ESP,8
0050B3A8 |. 56             PUSH ESI
0050B3A9 |. C74424 08 000> MOV DWORD PTR SS:[ESP+8],0
0050B3B1 |. C74424 04 000> MOV DWORD PTR SS:[ESP+4],0
0050B3B9 |. 8B7424 20      MOV ESI,DWORD PTR SS:[ESP+20]
0050B3BD |. C74424 14 010> MOV DWORD PTR SS:[ESP+14],1
0050B3C5 |. 8A06           MOV AL,BYTE PTR DS:[ESI]
0050B3C7 |. 84C0           TEST AL,AL
0050B3C9 |. 74 22          JE SHORT Foxit_Re.0050B3ED
0050B3CB |> 3C 5C          /CMP AL,5C                       ; \
0050B3CD |. 75 04          |JNZ SHORT Foxit_Re.0050B3D3
0050B3CF |. 6A 2F          |PUSH 2F
0050B3D1 |. EB 09          |JMP SHORT Foxit_Re.0050B3DC
0050B3D3 |> 3C 2F          |CMP AL,2F                       ; /
0050B3D5 |. 75 04          |JNZ SHORT Foxit_Re.0050B3DB
0050B3D7 |. 6A 5C          |PUSH 5C
0050B3D9 |. EB 01          |JMP SHORT Foxit_Re.0050B3DC
0050B3DB |> 50             |PUSH EAX
0050B3DC |> 8D4C24 08      |LEA ECX,DWORD PTR SS:[ESP+8]
0050B3E0 |. E8 ABFF0F00    |CALL Foxit_Re.0060B390          ; path conversion / <---> \
0050B3E5 |. 8A46 01        |MOV AL,BYTE PTR DS:[ESI+1]
0050B3E8 |. 46             |INC ESI
0050B3E9 |. 84C0           |TEST AL,AL
0050B3EB |.^ 75 DE         \JNZ SHORT Foxit_Re.0050B3CB
0050B3ED |> 8B7424 1C      MOV ESI,DWORD PTR SS:[ESP+1C]
0050B3F1 |. 8D4424 04      LEA EAX,DWORD PTR SS:[ESP+4]
0050B3F5 |. 50             PUSH EAX
0050B3F6 |. 8BCE           MOV ECX,ESI
0050B3F8 |. E8 53FD0F00    CALL Foxit_Re.0060B150
0050B3FD |. C74424 08 010> MOV DWORD PTR SS:[ESP+8],1
0050B405 |. 8D4C24 04      LEA ECX,DWORD PTR SS:[ESP+4]
0050B409 |. C64424 14 00   MOV BYTE PTR SS:[ESP+14],0
0050B40E |. E8 3DE20F00    CALL Foxit_Re.00609650
0050B413 |. 8B4C24 0C      MOV ECX,DWORD PTR SS:[ESP+C]
0050B417 |. 8BC6           MOV EAX,ESI
0050B419 |. 5E             POP ESI
0050B41A |. 64:890D 00000> MOV DWORD PTR FS:[0],ECX
0050B421 |. 83C4 14        ADD ESP,14
0050B424 \. C3             RETN

(2) Running the external program

004767F0 /$ 6A FF          PUSH -1
004767F2 |. 68 20619400    PUSH Foxit_Re.00946120           ; SE handler installation
004767F7 |. 64:A1 0000000> MOV EAX,DWORD PTR FS:[0]
004767FD |. 50             PUSH EAX
004767FE |. 64:8925 00000> MOV DWORD PTR FS:[0],ESP
00476805 |. 83EC 58        SUB ESP,58
00476808 |. 56             PUSH ESI
00476809 |. 8D4424 04      LEA EAX,DWORD PTR SS:[ESP+4]
0047680D |. 57             PUSH EDI
0047680E |. 8BF1           MOV ESI,ECX
00476810 |. 50             PUSH EAX                         ; /Arg1
00476811 |. E8 5ABE0C00    CALL Foxit_Re.00542670           ; \Foxit_Re.00542670
00476816 |. BF E40FAB00    MOV EDI,Foxit_Re.00AB0FE4        ; newwindow
0047681B |. C74424 68 000> MOV DWORD PTR SS:[ESP+68],0
00476823 |. 8BCF           MOV ECX,EDI
00476825 |. 897C24 0C      MOV DWORD PTR SS:[ESP+C],EDI
00476829 |. 85C9           TEST ECX,ECX
0047682B |. 74 10          JE SHORT Foxit_Re.0047683D
0047682D |. 83C9 FF        OR ECX,FFFFFFFF
00476830 |. 33C0           XOR EAX,EAX
00476832 |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
00476834 |. F7D1           NOT ECX
00476836 |. 49             DEC ECX
00476837 |. 894C24 10      MOV DWORD PTR SS:[ESP+10],ECX
0047683B |. EB 08          JMP SHORT Foxit_Re.00476845
0047683D |> C74424 10 000> MOV DWORD PTR SS:[ESP+10],0
00476845 |> 8B0E           MOV ECX,DWORD PTR DS:[ESI]
00476847 |. 8D5424 0C      LEA EDX,DWORD PTR SS:[ESP+C]
0047684B |. 52             PUSH EDX
0047684C |. E8 AFBB0800    CALL Foxit_Re.00502400           ; key point
00476851 |. 85C0           TEST EAX,EAX
00476853 |. 74 57          JE SHORT Foxit_Re.004768AC       ; if eax=0, go to ShellExecuteA
00476855 |. 8BC8           MOV ECX,EAX
00476857 |. E8 B4A90800    CALL Foxit_Re.00501210
0047685C |. 85C0           TEST EAX,EAX
0047685E |. 74 4C          JE SHORT Foxit_Re.004768AC       ; if eax=0, go to ShellExecuteA
00476860 |. B9 11000000    MOV ECX,11
00476865 |. 33C0           XOR EAX,EAX
00476867 |. 8D7C24 1C      LEA EDI,DWORD PTR SS:[ESP+1C]
0047686B |. F3:AB          REP STOS DWORD PTR ES:[EDI]
0047686D |. 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
00476871 |. C74424 1C 440> MOV DWORD PTR SS:[ESP+1C],44
00476879 |. 85C0           TEST EAX,EAX
0047687B |. 74 05          JE SHORT Foxit_Re.00476882
0047687D |. 83C0 0C        ADD EAX,0C
00476880 |. EB 05          JMP SHORT Foxit_Re.00476887
00476882 |> B8 DC9CBF00    MOV EAX,Foxit_Re.00BF9CDC
00476887 |> 8D4C24 0C      LEA ECX,DWORD PTR SS:[ESP+C]
0047688B |. 8D5424 1C      LEA EDX,DWORD PTR SS:[ESP+1C]
0047688F |. 51             PUSH ECX                         ; /pProcessInfo
00476890 |. 52             PUSH EDX                         ; |pStartupInfo
00476891 |. 6A 00          PUSH 0                           ; |CurrentDir = NULL
00476893 |. 6A 00          PUSH 0                           ; |pEnvironment = NULL
00476895 |. 6A 00          PUSH 0                           ; |CreationFlags = 0
00476897 |. 6A 00          PUSH 0                           ; |InheritHandles = FALSE
00476899 |. 6A 00          PUSH 0                           ; |pThreadSecurity = NULL
0047689B |. 6A 00          PUSH 0                           ; |pProcessSecurity = NULL
0047689D |. 50             PUSH EAX                         ; |CommandLine
0047689E |. 6A 00          PUSH 0                           ; |ModuleFileName = NULL
004768A0 |. FF15 64E59800  CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>] ; \CreateProcessA
004768A6 |. 8B4424 0C      MOV EAX,DWORD PTR SS:[ESP+C]
004768AA |. EB 26          JMP SHORT Foxit_Re.004768D2
004768AC |> 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
004768B0 |. 85C0           TEST EAX,EAX
004768B2 |. 74 05          JE SHORT Foxit_Re.004768B9
004768B4 |. 83C0 0C        ADD EAX,0C
004768B7 |. EB 05          JMP SHORT Foxit_Re.004768BE
004768B9 |> B8 DC9CBF00    MOV EAX,Foxit_Re.00BF9CDC
004768BE |> 6A 05          PUSH 5                           ; /IsShown = 5
004768C0 |. 6A 00          PUSH 0                           ; |DefDir = NULL
004768C2 |. 6A 00          PUSH 0                           ; |Parameters = NULL
004768C4 |. 50             PUSH EAX                         ; |FileName
004768C5 |. 68 8410AB00    PUSH Foxit_Re.00AB1084           ; |open
004768CA |. 6A 00          PUSH 0                           ; |hWnd = NULL
004768CC |. FF15 F0E69800  CALL DWORD PTR DS:[<&SHELL32.ShellExecuteA>] ; \ShellExecuteA

When /NewWindow true is absent, the external program is run with ShellExecuteA, and Parameters = NULL is fixed.
When /NewWindow true is present, the external program is run with CreateProcessA, and CommandLine is the /F argument after the /,\ character swap.

------------------------------------------------------------------------------------------------------------------------------------------------

Problems in Foxit Reader 3.1.4.1125 when handling the launch action.

Case 1:

<< /Type /Action /S /Launch /Win << /D()/F(c:\\windows\\system32\\notepad.exe)/O()/P(f:\\test.bat) >> >>

This does not work.

00476040 /$ 6A FF          PUSH -1
00476042 |. 68 106B9400    PUSH Foxit_Re.00946B10           ; SE handler installation
00476047 |. 64:A1 0000000> MOV EAX,DWORD PTR FS:[0]
0047604D |. 50             PUSH EAX
0047604E |. 64:8925 00000> MOV DWORD PTR FS:[0],ESP
00476055 |. 83EC 58        SUB ESP,58
00476058 |. 56             PUSH ESI
00476059 |. 8D4424 04      LEA EAX,DWORD PTR SS:[ESP+4]
0047605D |. 57             PUSH EDI
0047605E |. 8BF1           MOV ESI,ECX
00476060 |. 50             PUSH EAX                         ; /Arg1
00476061 |. E8 1ABD0900    CALL Foxit_Re.00511D80           ; \Foxit_Re.00511D80
00476066 |. BF 4820AB00    MOV EDI,Foxit_Re.00AB2048        ; newwindow
0047606B |. C74424 68 000> MOV DWORD PTR SS:[ESP+68],0
00476073 |. 8BCF           MOV ECX,EDI
00476075 |. 897C24 0C      MOV DWORD PTR SS:[ESP+C],EDI
00476079 |. 85C9           TEST ECX,ECX
0047607B |. 74 10          JE SHORT Foxit_Re.0047608D
0047607D |. 83C9 FF        OR ECX,FFFFFFFF
00476080 |. 33C0           XOR EAX,EAX
00476082 |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]
00476084 |. F7D1           NOT ECX
00476086 |. 49             DEC ECX
00476087 |. 894C24 10      MOV DWORD PTR SS:[ESP+10],ECX
0047608B |. EB 08          JMP SHORT Foxit_Re.00476095
0047608D |> C74424 10 000> MOV DWORD PTR SS:[ESP+10],0
00476095 |> 8B0E           MOV ECX,DWORD PTR DS:[ESI]
00476097 |. 8D5424 0C      LEA EDX,DWORD PTR SS:[ESP+C]
0047609B |. 52             PUSH EDX
0047609C |. E8 5FB40500    CALL Foxit_Re.004D1500
004760A1 |. 85C0           TEST EAX,EAX
004760A3 |. 74 57          JE SHORT Foxit_Re.004760FC
004760A5 |. 8BC8           MOV ECX,EAX
004760A7 |. E8 64A20500    CALL Foxit_Re.004D0310
004760AC |. 85C0           TEST EAX,EAX
004760AE |. 74 4C          JE SHORT Foxit_Re.004760FC
004760B0 |. B9 11000000    MOV ECX,11
004760B5 |. 33C0           XOR EAX,EAX
004760B7 |. 8D7C24 1C      LEA EDI,DWORD PTR SS:[ESP+1C]
004760BB |. F3:AB          REP STOS DWORD PTR ES:[EDI]
004760BD |. 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
004760C1 |. C74424 1C 440> MOV DWORD PTR SS:[ESP+1C],44
004760C9 |. 85C0           TEST EAX,EAX
004760CB |. 74 05          JE SHORT Foxit_Re.004760D2
004760CD |. 83C0 0C        ADD EAX,0C
004760D0 |. EB 05          JMP SHORT Foxit_Re.004760D7
004760D2 |> B8 9845C000    MOV EAX,Foxit_Re.00C04598
004760D7 |> 8D4C24 0C      LEA ECX,DWORD PTR SS:[ESP+C]
004760DB |. 8D5424 1C      LEA EDX,DWORD PTR SS:[ESP+1C]
004760DF |. 51             PUSH ECX                         ; /pProcessInfo
004760E0 |. 52             PUSH EDX                         ; |pStartupInfo
004760E1 |. 6A 00          PUSH 0                           ; |CurrentDir = NULL
004760E3 |. 6A 00          PUSH 0                           ; |pEnvironment = NULL
004760E5 |. 6A 00          PUSH 0                           ; |CreationFlags = 0
004760E7 |. 6A 00          PUSH 0                           ; |InheritHandles = FALSE
004760E9 |. 6A 00          PUSH 0                           ; |pThreadSecurity = NULL
004760EB |. 6A 00          PUSH 0                           ; |pProcessSecurity = NULL
004760ED |. 50             PUSH EAX                         ; |CommandLine
004760EE |. 6A 00          PUSH 0                           ; |ModuleFileName = NULL
004760F0 |. FF15 C4059900  CALL DWORD PTR DS:[<&KERNEL32.CreateProc> ; \(initial CPU selection)
004760F6 |. 8B4424 0C      MOV EAX,DWORD PTR SS:[ESP+C]
004760FA |. EB 26          JMP SHORT Foxit_Re.00476122
004760FC |> 8B4424 08      MOV EAX,DWORD PTR SS:[ESP+8]
00476100 |. 85C0           TEST EAX,EAX
00476102 |. 74 05          JE SHORT Foxit_Re.00476109
00476104 |. 83C0 0C        ADD EAX,0C
00476107 |. EB 05          JMP SHORT Foxit_Re.0047610E
00476109 |> B8 9845C000    MOV EAX,Foxit_Re.00C04598
0047610E |> 6A 05          PUSH 5                           ; /IsShown = 5
00476110 |. 6A 00          PUSH 0                           ; |DefDir = NULL
00476112 |. 6A 00          PUSH 0                           ; |Parameters = NULL
00476114 |. 50             PUSH EAX                         ; |FileName
00476115 |. 68 EC20AB00    PUSH Foxit_Re.00AB20EC           ; |o
0047611A |. 6A 00          PUSH 0                           ; |hWnd = NULL
0047611C |. FF15 44079900  CALL DWORD PTR DS:[<&SHELL32.ShellExecut> ; \ShellExecuteW

Register values:

EAX 019F94E4 UNICODE "c:\windows\system32\notepad.exe"
ECX 00000000
EDX 005DCDE0 Foxit_Re.005DCDE0
EBX 00000000
ESP 0012F53C
EBP 01A32E20
ESI 0012F5E4
EDI 00AB2052 Foxit_Re.00AB2052
EIP 0047611C Foxit_Re.0047611C
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)

When EIP = 0047611C, the program finally calls ShellExecuteW to run the Open Action, and ShellExecuteW's Parameters = NULL is fixed. So in the end only a program can be run; no arguments can be passed to it.

Case 2:

<< /Type /Action /S /Launch /F (c:\\windows\\system32\\notepad.exe f:\\test.bat) /NewWindow true >>

(1)

0051571B |.  /74 20        JE SHORT Foxit_Re.0051573D
0051571D |> |66:3D 2F00    /CMP AX,2F                       ; /
00515721 |. |75 04         |JNZ SHORT Foxit_Re.00515727
00515723 |. |6A 5C         |PUSH 5C                         ; \
00515725 |. |EB 01         |JMP SHORT Foxit_Re.00515728
00515727 |> |50            |PUSH EAX
00515728 |> |8D4C24 08     |LEA ECX,DWORD PTR SS:[ESP+8]
0051572C |. |E8 DF3B0C00   |CALL Foxit_Re.005D9310
00515731 |. |66:8B46 02    |MOV AX,WORD PTR DS:[ESI+2]
00515735 |. |83C6 02       |ADD ESI,2
00515738 |. |66:85C0       |TEST AX,AX

This code replaces every / in the command line with \, to prevent a cmd command line with arguments. But it does not filter the arguments that follow, so arguments can still be passed.

(2) Running the program goes through the same function 00476040 shown in case 1. Register state when it reaches the CreateProcess call at 004760F0:

EAX 019F9B9C UNICODE "c:\windows\system32\notepad.exe f:\test.bat"
ECX 0012F560
EDX 0012F570
EBX 00000000
ESP 0012F52C
EBP 01A32E80
ESI 0012F5E4
EDI 0012F5B4
EIP 004760F0 Foxit_Re.004760F0
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)

When /NewWindow true is set, CreateProcess is called to run the program, and the API's CommandLine argument is a variable. Here it is c:\windows\system32\notepad.exe f:\test.bat. So arguments have been passed through the Launch Action.

---------------------------------------------------------------------------------------------------------------------------------------------------

Foxit Reader 3.2.1.0401 launch action analysis

<< /Type /Action /S /Launch /F (c:\\windows\\system32\\notepad.exe f:\\test.bat) /NewWindow true >>

0040A0E1 > \8B8424 880000> MOV EAX,DWORD PTR SS:[ESP+88]
0040A0E8 . 85C0            TEST EAX,EAX
0040A0EA . B8 BC81B300     MOV EAX,Foxit_Re.00B381BC        ; UNICODE "open"
0040A0EF . 75 05           JNZ SHORT Foxit_Re.0040A0F6
0040A0F1 . B8 B081B300     MOV EAX,Foxit_Re.00B381B0        ; UNICODE "print"
0040A0F6 > 8B8C24 840000>  MOV ECX,DWORD PTR SS:[ESP+84]
0040A0FD . 8B9424 800000>  MOV EDX,DWORD PTR SS:[ESP+80]
0040A104 . 6A 01           PUSH 1                           ; /IsShown = 1
0040A106 . 51              PUSH ECX                         ; |DefDir
0040A107 . 52              PUSH EDX                         ; |Parameters
0040A108 . 57              PUSH EDI                         ; |FileName
0040A109 . 50              PUSH EAX                         ; |Operation
0040A10A . 6A 00           PUSH 0                           ; |hWnd = NULL
0040A10C . FF15 7497A000   CALL DWORD PTR DS:[<&SHELL32.ShellExecuteW>] ; \ShellExecuteW

Here FileName is c:\windows\system32\notepad.exe f:\test.bat and Parameters is empty. Obviously the program cannot run.

<< /Type /Action /S /Launch /Win << /D()/F(c:\\windows\\system32\\notepad.exe)/O()/P(f:\\test.bat) >> >>

This goes through the same ShellExecuteW call site at 0040A10C. Registers:

EAX 00B381BC UNICODE "open"
ECX 00CBB7F8 Foxit_Re.00CBB7F8
EDX 01ACB5CC UNICODE "f:\test.bat"
EBX 01AF7F18
ESP 0012EEA4
EBP 0012F5E4
ESI 00000001
EDI 01ACB79C UNICODE "c:\windows\system32\notepad.exe"
EIP 0040A10C Foxit_Re.0040A10C

Stack:

0012EEA4 00000000 |hWnd = NULL
0012EEA8 00B381BC |Operation = "open"
0012EEAC 01ACB79C |FileName = "c:\windows\system32\notepad.exe"
0012EEB0 01ACB5CC |Parameters = "f:\test.bat"
0012EEB4 00CBB7F8 |DefDir = ""
0012EEB8 00000001 \IsShown = 1

There is a small problem: the dialog prompt only shows FileName.
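As an added example (not part of the original post and not Foxit's code), a Python scanner that pulls /S /Launch dictionaries out of raw PDF bytes and models the per-version handling described above, so a defender triaging a PDF can see whether a launch action's arguments would ever reach the launched process. The sample objects are constructed; `command_line_seen_by` is a simplified model of the disassembled logic (slash swap, then CreateProcess with the whole string vs ShellExecute with no parameters), with version strings as assumed labels.

```python
import re

# Constructed sample (not a real file): PDF objects in the shapes discussed above. In a PDF literal string "\\" is one backslash.
SAMPLE = rb"""
5 0 obj << /Type /Action /S /Launch /F (c:\\windows\\system32\\notepad.exe f:\\test.bat) /NewWindow true >> endobj
6 0 obj << /Type /Action /S /Launch /Win << /D()/F(c:\\windows\\system32\\notepad.exe)/O()/P(f:\\test.bat) >> >> endobj
7 0 obj << /Type /Action /S /Launch /F (c:/windows/system32/calc.exe) >> endobj
8 0 obj << /Type /Action /S /URI /URI (http://example.invalid) >> endobj
"""

def pdf_unescape(raw: bytes) -> str:
    # Minimal literal-string unescape: "\x" yields x, which covers \\, \( and \).
    return re.sub(rb"\\(.)", rb"\1", raw, flags=re.S).decode("latin-1")

def enclosing_dict(data: bytes, pos: int) -> bytes:
    # Back up to the nearest "<<", then count nesting forward to the matching ">>".
    start = i = data.rfind(b"<<", 0, pos)
    depth = 0
    while i < len(data) - 1:
        pair = data[i:i + 2]
        depth += (pair == b"<<") - (pair == b">>")
        if depth == 0:
            return data[start:i + 2]
        i += 2 if pair in (b"<<", b">>") else 1
    return data[start:]

def find_launch_actions(data: bytes) -> list:
    """Extract each /S /Launch dictionary: /F target, /Win /P parameters, /NewWindow flag."""
    found = []
    for m in re.finditer(rb"/S\s*/Launch\b", data):
        body = enclosing_dict(data, m.start())
        win = re.search(rb"/Win\s*<<(.*?)>>", body, re.S)
        scope = win.group(1) if win else body
        f = re.search(rb"/F\s*\(([^)]*)\)", scope)           # escaped ')' not handled
        p = re.search(rb"/P\s*\(([^)]*)\)", scope) if win else None
        found.append({"target": pdf_unescape(f.group(1)) if f else "",
                      "params": pdf_unescape(p.group(1)) if p else "",
                      "new_window": re.search(rb"/NewWindow\s+true", body) is not None})
    return found

def command_line_seen_by(version: str, a: dict) -> tuple:
    # Model of the per-version handling described above: (API, FileName/CommandLine, Parameters).
    t = a["target"]
    if version == "3.1.3":
        t = t.translate(str.maketrans("/\\", "\\/"))      # whole string: / <-> \ swapped
    elif version == "3.1.4":
        t = t.replace("/", "\\")                         # whole string: / -> \
    if version in ("3.1.3", "3.1.4"):
        return ("CreateProcess", t, "") if a["new_window"] else ("ShellExecute", t, "")
    return ("ShellExecuteW", t, a["params"])             # 3.2.1: /Win /P goes to Parameters

def args_reach_process(version: str, a: dict) -> bool:
    api, cmd, params = command_line_seen_by(version, a)
    return " " in cmd.strip() if api == "CreateProcess" else bool(params)
```

For triage, flag any launch action where `args_reach_process` is true for a reader version in use, and treat a /F value containing whitespace together with /NewWindow true as the pattern this post describes.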
This post was last edited by 天外飞客 on 2010-04-24 12:15:10. Reason: added content.
Tuesday, May 4, 2010
Repost: Analysis of the launch action problem in the various versions of Foxit Reader