利用时空旅行调试技术挖掘Windows GDI漏洞（上）教学文档<\/h1>

1. 时空旅行调试技术(TTD)简介<\/h2>
时空旅行调试(Time Travel Debugging, TTD)是Windows Debugger Preview提供的一项强大功能，它允许开发者记录程序的执行过程，然后可以向前或向后"时间旅行"般地查看程序在任何时刻的状态。<\/p>

1.1 TTD核心优势<\/h3>

执行历史记录<\/strong>：完整记录程序执行过程，包括所有内存状态<\/li>
逆向调试<\/strong>：可以回退到任意执行点重新分析<\/li>
完整上下文<\/strong>：保留所有内存分配、偏移信息<\/li>

精确重现<\/strong>：避免传统调试中难以复现的问题<\/li> <\/ul>
1.2 基本TTD命令<\/h3>

g-<\/code>：回滚到跟踪初始状态<\/li>
!tt 00<\/code>：回滚到开始(百分比格式)<\/li>
p-<\/code>：回退一步执行<\/li>
p-10<\/code>：回退10步执行<\/li> <\/ul> 2. 漏洞分析环境搭建<\/h2> 2.1 所需工具<\/h3> Windows Debugger Preview (支持TTD)<\/li> Winafl模糊测试工具套件<\/li> afl-tmin测试用例最小化工具<\/li> 十六进制编辑器<\/li> <\/ul> 2.2 测试环境配置<\/h3> 操作系统：Windows 10 x64<\/li> 测试套件：32位程序<\/li> 目标DLL：gdi32full.dll, GDI32.dll<\/li> <\/ul> 3. 漏洞发现过程<\/h2> 3.1 初始崩溃分析<\/h3> 通过模糊测试发现WMF文件处理漏洞，崩溃点位于memcpy函数：<\/p> (388.1928): Access violation - code c0000005 (!!! second chance !!!) eax=00000012 ebx=00000000 ecx=00000001 edx=d0d0d0d0 esi=08632000 edi=086241c0 eip=74270b37 esp=00eff124 ebp=00eff14c iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 ucrtbase!memcpy+0x507: 74270b37 8b16 mov edx,dword ptr [esi] ds:002b:08632000=???????? <\/code><\/pre> 3.2 关键观察点<\/h3> 崩溃发生在尝试读取esi(08632000)指向的内存<\/li> 该地址未映射有效内存<\/li> 堆分配记录显示仅分配了0x84字节<\/li> <\/ul> 4. 测试用例最小化<\/h2> 使用afl-tmin工具最小化崩溃文件：<\/p> afl-tmin.exe -D C:\DRIO\bin32 -i input.wmf -o output_MIN.wmf -- -covtype edge -coverage_module GDI32.dll -target_method fuzzit -nargs 2 -- harness.exe @@ <\/code><\/pre> 最小化后效果：<\/p> 仅保留导致崩溃的关键字节<\/li> 不相关字节被替换为0x30<\/li> 便于识别用户可控数据区域<\/li> <\/ul> 5. TTD跟踪记录<\/h2> 5.1 启动TTD记录<\/h3> 以管理员权限运行Windbg Preview<\/li> File → Start Debugging → Launch Executable Advance<\/li> 启用"Record process with Time Travel Debugging"<\/li> <\/ol> 5.2 关键调用栈分析<\/h3> 0:000> kv # ChildEBP RetAddr Args to Child 00 00eff128 76d6e086 08624154 08631f94 00000072 ucrtbase!memcpy+0x507 01 00eff14c 76d6dfd9 00000051 08621d20 00000000 gdi32full!MRBDIB::vInit+0x7d 02 00eff200 76d6da5f ffffff00 00001400 00001400 gdi32full!MF_AnyDIBits+0x167 03 00eff334 74743ca3 75211255 00000000 ffffff00 gdi32full!StretchDIBitsImpl+0xef 04 00eff374 76da86ec 75211255 00000000 ffffff00 GDI32!StretchDIBits+0x43 05 00eff494 76d69164 75211255 0862dff0 0861be96 gdi32full!PlayMetaFileRecord+0x3f3ec 06 00eff544 76d9749d 00000000 00000000 00eff568 gdi32full!CommonEnumMetaFile+0x3a5 07 00eff554 74745072 75211255 d0261074 0049414e gdi32full!PlayMetaFile+0x1d 08 00eff568 71ac9eb1 75211255 d0261074 d0261074 GDI32!PlayMetaFileStub+0x22 09 00eff5fc 71ac9980 09c39e18 000001e4 00000000 gdiplus!GetEmfFromWmfData+0x4f5 0a 00eff624 71a9bd6a 09c33f3c 09c33fd0 00000000 gdiplus!GetEmfFromWmf+0x69 0b 00eff770 71a8030c 09c33f3c 09c33fd0 00eff794 gdiplus!GetHeaderAndMetafile+0x1b970 0c 00eff79c 71a690f4 09c37fc8 00000001 71b59ec4 gdiplus!GpMetafile::InitStream+0x4c 0d 00eff7c0 71a77280 085a3fd0 00000000 09c31ff0 gdiplus!GpMetafile::GpMetafile+0xc2 0e 00eff7e4 71a771e1 09c31ff0 00000000 0859cfeb gdiplus!GpImage::LoadImageW+0x36 0f 00eff800 00311107 085a3fd0 09c31ff4 085a3fd0 gdiplus!GdipLoadImageFromFile+0x51 <\/code><\/pre> 6. 关键函数分析<\/h2> 6.1 PlayMetaFileRecord函数<\/h3> dx @$cursession.TTD.Calls("gdi32full!PlayMetaFileRecord")[2].TimeStart.SeekTo() <\/code><\/pre> 函数功能：通过执行记录中包含的GDI函数来播放Windows格式的元文件记录。<\/p> 6.2 StretchDIBits函数<\/h3> 参数分析：<\/p> 0:000> dds esp LD 0078f4b4 9f211284 <== hdc 0078f4b8 00003030 <== xDest 0078f4bc 00003030 <== yDest 0078f4c0 00003030 <== DestWidth 0078f4c4 00003030 <== DestHeight 0078f4c8 00003030 <== xSrc 0078f4cc 00003030 <== ySrc 0078f4d0 00003030 <== SrcWidth 0078f4d4 00003030 <== SrcHeight 0078f4d8 19a3affa <== *lpBits 0078f4dc 19a3af94 <== *lpbmi 0078f4e0 00000001 <== iUsage 0078f4e4 30303030 <== rop <\/code><\/pre> 6.3 BITMAPINFO结构分析<\/h3> 关键结构：<\/p> typedef<\/span> struct<\/span> tagBITMAPINFO { <\/span><\/span> BITMAPINFOHEADER bmiHeader; <\/span><\/span> RGBQUAD bmiColors[1<\/span>]; <\/span><\/span>} BITMAPINFO; <\/span><\/span> <\/span><\/span>typedef<\/span> struct<\/span> tagBITMAPINFOHEADER { <\/span><\/span> DWORD biSize; <\/span><\/span> LONG biWidth; <\/span><\/span> LONG biHeight; <\/span><\/span> WORD biPlanes; <\/span><\/span> WORD biBitCount; <\/span><\/span> DWORD biCompression; <\/span><\/span> DWORD biSizeImage; <\/span><\/span> LONG biXPelsPerMeter; <\/span><\/span> LONG biYPelsPerMeter; <\/span><\/span> DWORD biClrUsed; <\/span><\/span> DWORD biClrImportant; <\/span><\/span>} BITMAPINFOHEADER; <\/span><\/span><\/code><\/pre>内存转储：<\/p> 0:000> dc 19a3af94 19a3af94 00000066 30303030 30303030 00200000 f...00000000.. . 19a3afa4 00000003 30303030 30303030 30303030 ....000000000000 19a3afb4 00000000 30303030 30303030 30303030 ....000000000000 19a3afc4 30303030 30303030 30303030 30303030 0000000000000000 19a3afd4 30303030 30303030 30303030 30303030 0000000000000000 19a3afe4 30303030 30303030 30303030 30303030 0000000000000000 19a3aff4 30303030 30303030 d0d0d0d0 ???????? 00000000....???? 19a3b004 ???????? ???????? ???????? ???????? ???????????????? <\/code><\/pre> 7. 漏洞初步结论<\/h2> 通过TTD分析发现：<\/p> 漏洞触发路径：GDI32!StretchDIBits → gdi32full!PlayMetaFileRecord → gdi32full!MRBDIB::vInit → ucrtbase!memcpy<\/li> 关键问题：BITMAPINFO结构中的字段被精心构造，导致内存越界读取<\/li> 攻击面：WMF文件处理过程中对BITMAPINFO结构的验证不足<\/li> <\/ol> 8. 后续分析方向<\/h2> 精确追踪用户可控数据的传播路径<\/li> 分析BITMAPINFO结构字段如何影响内存分配<\/li> 确定漏洞是否可利用以及利用条件<\/li> 探索其他可能受影响的GDI函数<\/li> <\/ol> （下篇将深入分析漏洞利用细节和防护措施）<\/p>

利用时空旅行调试技术挖掘Windows GDI漏洞（上）教学文档<\/h1>

1. 时空旅行调试技术(TTD)简介<\/h2> 时空旅行调试(Time Travel Debugging, TTD)是Windows Debugger Preview提供的一项强大功能，它允许开发者记录程序的执行过程，然后可以向前或向后"时间旅行"般地查看程序在任何时刻的状态。<\/p>

2. 漏洞分析环境搭建<\/h2>

3. 漏洞发现过程<\/h2>

5. TTD跟踪记录<\/h2>

6. 关键函数分析<\/h2>

1. 时空旅行调试技术(TTD)简介<\/h2>
时空旅行调试(Time Travel Debugging, TTD)是Windows Debugger Preview提供的一项强大功能，它允许开发者记录程序的执行过程，然后可以向前或向后"时间旅行"般地查看程序在任何时刻的状态。<\/p>