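.386p
.model flat, stdcall
option casemap:none

;---------------------------------------------------------------------------
; ComFuzzer - walks HKLM\SOFTWARE\Classes and lists the ActiveX classes that
; IE would load and script without prompting: marked safe for scripting and
; for initialisation, not kill-bitted, and implementing IObjectSafety.
; Target: Win32 / MASM32 / stdcall.  Needs a dialog template "ComFuzzer" with
; a ListView control whose id is IDC_LIST1 (1000) in the resource file.
;---------------------------------------------------------------------------
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
include \masm32\include\ole32.inc
include \masm32\include\comctl32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\ole32.lib
includelib \masm32\lib\comctl32.lib

CountCLSIDnGUID PROTO

;---------------------------------------------------------------------------
; Uninitialised globals.  The 0400h-byte buffers are shared scratch space:
; the registry helpers overwrite szRegKey and IsObjectSafety overwrites wbuf,
; so no caller may rely on either surviving a helper call.
;---------------------------------------------------------------------------
.data?
szSubKey            db 0400h dup(?)    ; ProgID subkey name returned by RegEnumKeyEx
dwSubKeySize        dd ?               ; in/out character count for szSubKey
szRegKey            db 0400h dup(?)    ; formatted key path / enumerated subkey name
dwRegKey            dd ?               ; in/out character count for szRegKey
dwMainRegKey        dd ?               ; HKEY of HKLM\SOFTWARE\Classes
dwMainRegKeyCLSID   dd ?               ; HKEY of HKLM\SOFTWARE\Classes\<ProgID>\CLSID
dqFileTime          dq ?               ; FILETIME out-param of RegEnumKeyEx (ignored)
stdOut              dd ?               ; not referenced in this file
stdIn               dd ?               ; not referenced in this file
wbuf                db 0400h dup(?)    ; scratch path buffer / UTF-16 CLSID buffer
Written             dd ?               ; in/out byte count for RegQueryValue
hModule             dd ?               ; HINSTANCE of this module
hList               dd ?               ; HWND of the ListView (IDC_LIST1)
clmn                LVCOLUMN <>        ; column descriptor, reused for both columns
item                LVITEM <>          ; row descriptor; iItem counts the rows inserted so far
sbitm               LVITEM <>          ; not referenced in this file

.const
IDC_LIST1           DD 01000d          ; control id of the ListView in the dialog template
DlgName             DB "ComFuzzer", 0h ; name of the dialog template in the resource file

.data
; column headers
szCl1               db "CLSID", 0h
szCl2               db "ProgID", 0h
; console banner strings; not referenced in this (dialog) build
szMsg               db "ActiveX Fuzzer", 0ah, 0dh, 0ah, 0dh
szMsg_size          = $ - szMsg
szPressKey          db 0ah, 0dh, "Press Enter to exit"
szPressKey_size     = $ - szPressKey
; registry path templates (%s = braced CLSID string or ProgID)
szImplCat           db "CLSID\%s\Implemented Categories", 0h              ; relative to HKCR
szCATID_SafeForScripting db "{7DD95801-9882-11CF-9FA9-00AA006C42C4}", 0h ; CATID_SafeForScripting
szCATID_SafeForInit db "{7DD95802-9882-11CF-9FA9-00AA006C42C4}", 0h      ; CATID_SafeForInitializing
szUnknown           db "{00000000-0000-0000-C000-000000000046}", 0h      ; IID_IUnknown, text form (unused)
szIID_IObjectSafety db "{CB5BDC81-93C1-11CF-8F20-00805F2CD064}", 0h      ; IID_IObjectSafety, text form (unused)
; kill-bit list: HKLM\...\ActiveX Compatibility\<CLSID>, DWORD value "Compatibility Flags".
; The key name was previously misspelt ("Compatiblity"), which made every
; kill-bit lookup fail and report the class as not kill-bitted.
szIsKillBitted      db "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%s", 0h
szIsKillBitted2     db "Compatibility Flags", 0h
szMainRegKey        db "SOFTWARE\Classes", 0h                          ; relative to HKLM
szMainRegKeyCLSID   db "SOFTWARE\Classes\%s\CLSID", 0h                  ; relative to HKLM
sEOL                db 0ah, 0dh                                        ; not referenced in this file
CurrentCLSID        dd 0h                                              ; not referenced in this file
; binary GUIDs laid out as GUID {Data1 dd, Data2 dw, Data3 dw, Data4 db[8]}
IUnknown            dd 0h                                              ; IID_IUnknown
                    dw 0h
                    dw 0h
                    db 0c0h, 00h, 00h, 00h, 00h, 00h, 00, 046h
IObjectSafety       dd 0cb5bdc81h                                      ; IID_IObjectSafety
                    dw 093c1h
                    dw 011CFh
                    db 08fh, 020h, 00h, 80h, 05fh, 02ch, 0d0h, 064h
InitCtrls           dd 08h, 01h                                        ; INITCOMMONCONTROLSEX {dwSize = 8, dwICC = ICC_LISTVIEW_CLASSES}

.code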
;---------------------------------------------------------------------------
; INT_PTR DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure of the main window.
; WM_INITDIALOG: initialises COM, creates the two ListView columns and runs
;                the enumeration synchronously (the UI is blocked until the
;                walk of the registry finishes).
; WM_CLOSE:      uninitialises COM and ends the dialog.
; Out: eax = TRUE for the two handled messages, FALSE for everything else.
;---------------------------------------------------------------------------
DlgProc proc USES esi edi ebx, hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    mov     eax, uMsg
    .IF eax == WM_CLOSE
        invoke  CoUninitialize
        invoke  EndDialog, hWnd, 0
    .ELSEIF eax == WM_INITDIALOG
        invoke  CoInitialize, NULL
        invoke  GetDlgItem, hWnd, IDC_LIST1
        mov     hList, eax

        ; first column: ProgID header, 225 px
        mov     clmn.imask, LVCF_WIDTH or LVCF_TEXT or LVCF_SUBITEM
        mov     clmn.fmt, LVCFMT_CENTER
        mov     clmn.iSubItem, 0
        mov     clmn.lx, 225
        mov     clmn.pszText, OFFSET szCl2
        invoke  SendMessage, hList, LVM_INSERTCOLUMN, 0, ADDR clmn

        ; second column is also inserted at index 0, which pushes ProgID to
        ; index 1; the final layout is [CLSID | ProgID], matching the sub-item
        ; numbers used when rows are added in CountCLSIDnGUID.
        mov     clmn.iSubItem, 1
        mov     clmn.lx, 275
        mov     clmn.pszText, OFFSET szCl1
        invoke  SendMessage, hList, LVM_INSERTCOLUMN, 0, ADDR clmn

        mov     item.iItem, 0               ; first row goes to index 0
        invoke  CountCLSIDnGUID
    .ELSE
        xor     eax, eax                    ; FALSE: not handled here
        ret
    .ENDIF
    mov     eax, TRUE
    ret
DlgProc endp
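;---------------------------------------------------------------------------
; DWORD HasImplementedCategory(LPCSTR szCLSID, LPCSTR szCATID)
; Shared body of IsSafeForInit / IsSafeForScripting: checks whether
; HKCR\CLSID\<szCLSID>\Implemented Categories has a subkey named szCATID.
; In:   szCLSID = braced CLSID string, szCATID = braced CATID string
; Out:  eax = 1 if the category subkey exists, 0 otherwise (also on any error
;       or when the key cannot be opened)
; Uses: szRegKey / dwRegKey / dqFileTime globals as scratch (clobbered)
;---------------------------------------------------------------------------
HasImplementedCategory proc USES ebx, szCLSID:DWORD, szCATID:DWORD
    LOCAL hKey:DWORD
    LOCAL dwResult:DWORD

    mov     dwResult, 0

    ; szRegKey must hold the fixed part of the "CLSID\%s\Implemented
    ; Categories" template plus the CLSID; refuse input that cannot fit.
    invoke  lstrlen, szCLSID
    cmp     eax, SIZEOF szRegKey - SIZEOF szImplCat
    jae     @@Done
    invoke  wsprintf, ADDR szRegKey, ADDR szImplCat, szCLSID
    invoke  RegOpenKeyEx, HKEY_CLASSES_ROOT, ADDR szRegKey, 0, KEY_READ, ADDR hKey
    cmp     eax, ERROR_SUCCESS
    jne     @@Done                          ; no "Implemented Categories" key at all

    xor     ebx, ebx                        ; ebx = subkey index
@@NextSubKey:
    mov     dwRegKey, SIZEOF szRegKey       ; size in characters, including the NUL
    invoke  RegEnumKeyEx, hKey, ebx, ADDR szRegKey, ADDR dwRegKey, NULL, NULL, NULL, ADDR dqFileTime
    cmp     eax, ERROR_SUCCESS
    jne     @@Close                         ; ERROR_NO_MORE_ITEMS (or failure): not found
    inc     ebx
    ; key names are case-insensitive and installers write GUIDs in either case
    invoke  lstrcmpi, szCATID, ADDR szRegKey
    test    eax, eax
    jnz     @@NextSubKey
    mov     dwResult, 1
@@Close:
    invoke  RegCloseKey, hKey
@@Done:
    mov     eax, dwResult
    ret
HasImplementedCategory endp

;---------------------------------------------------------------------------
; DWORD IsSafeForInit(LPCSTR szCLSID)
; Out: eax = 1 if the class is marked with CATID_SafeForInitializing, else 0.
;---------------------------------------------------------------------------
IsSafeForInit proc szCLSID:DWORD
    invoke  HasImplementedCategory, szCLSID, ADDR szCATID_SafeForInit
    ret
IsSafeForInit endp

;---------------------------------------------------------------------------
; DWORD IsSafeForScripting(LPCSTR szCLSID)
; Out: eax = 1 if the class is marked with CATID_SafeForScripting, else 0.
;---------------------------------------------------------------------------
IsSafeForScripting proc szCLSID:DWORD
    invoke  HasImplementedCategory, szCLSID, ADDR szCATID_SafeForScripting
    ret
IsSafeForScripting endp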
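; "Compatibility Flags" bit that marks a class as kill-bitted (IE refuses to load it)
COMPAT_KILLBIT equ 00000400h

;---------------------------------------------------------------------------
; DWORD IsKillBitted(LPCSTR szCLSID)
; Reads HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID>
; value "Compatibility Flags" and tests the kill bit.
; Out:  eax = 1 if the class is kill-bitted, 0 if it is not or the key/value is
;       missing or not a REG_DWORD.  Only the machine-wide list is consulted;
;       a per-user list under HKCU is not checked.
; Uses: szRegKey global as scratch (clobbered)
; Fixes vs. the previous version: the list was opened under HKCR instead of
; HKLM, the RegQueryValueEx result was not checked, and the "found" path fell
; through into the error path, so the function always returned 0.
;---------------------------------------------------------------------------
IsKillBitted proc szCLSID:DWORD
    LOCAL hKey:DWORD
    LOCAL dwType:DWORD
    LOCAL dwFlags:DWORD
    LOCAL cbFlags:DWORD
    LOCAL dwResult:DWORD

    mov     dwResult, 0

    ; szRegKey must hold the fixed part of the template plus the CLSID
    invoke  lstrlen, szCLSID
    cmp     eax, SIZEOF szRegKey - SIZEOF szIsKillBitted
    jae     @@Done
    invoke  wsprintf, ADDR szRegKey, ADDR szIsKillBitted, szCLSID
    ; the ActiveX Compatibility list lives under HKLM, not HKCR
    invoke  RegOpenKeyEx, HKEY_LOCAL_MACHINE, ADDR szRegKey, 0, KEY_READ, ADDR hKey
    cmp     eax, ERROR_SUCCESS
    jne     @@Done                          ; no entry for this CLSID: not kill-bitted

    mov     cbFlags, SIZEOF DWORD
    mov     dwType, 0
    mov     dwFlags, 0
    invoke  RegQueryValueEx, hKey, ADDR szIsKillBitted2, NULL, ADDR dwType, ADDR dwFlags, ADDR cbFlags
    cmp     eax, ERROR_SUCCESS
    jne     @@Close
    cmp     dwType, REG_DWORD
    jne     @@Close                         ; dwFlags is only meaningful for a REG_DWORD
    test    dwFlags, COMPAT_KILLBIT
    jz      @@Close
    mov     dwResult, 1
@@Close:
    invoke  RegCloseKey, hKey
@@Done:
    mov     eax, dwResult
    ret
IsKillBitted endp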
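;---------------------------------------------------------------------------
; DWORD IsObjectSafety(LPCSTR szCLSID)
; Instantiates the class in-process and asks it for IObjectSafety.
; Out:  eax = 1 if CoCreateInstance succeeds and QueryInterface(IID_IObjectSafety)
;       returns a non-NULL interface, 0 otherwise.
; Note: CLSCTX_INPROC_SERVER loads and executes the server DLL inside this
;       process, so a faulty or hostile server runs with this process's
;       privileges and can crash or hang the scan.  COM must already be
;       initialised (CoInitialize in DlgProc).
; Uses: wbuf global as UTF-16 scratch (clobbered)
; Fixes vs. the previous version: esi (callee-saved) was clobbered without
; being saved, cchWideChar was passed in bytes instead of WCHARs, and the
; IObjectSafety reference returned by QueryInterface was never released.
;---------------------------------------------------------------------------
IsObjectSafety proc szCLSID:DWORD
    LOCAL dwResult:DWORD
    LOCAL clsid:GUID
    LOCAL pUnk:DWORD
    LOCAL pSafety:DWORD

    mov     dwResult, 0
    mov     pUnk, 0
    mov     pSafety, 0

    ; cchWideChar counts WCHARs: wbuf is SIZEOF wbuf bytes, i.e. half as many characters
    invoke  MultiByteToWideChar, CP_ACP, 0, szCLSID, -1, ADDR wbuf, SIZEOF wbuf / 2
    test    eax, eax
    jz      @@Done                          ; conversion failed or did not fit
    invoke  CLSIDFromString, ADDR wbuf, ADDR clsid
    test    eax, eax
    jnz     @@Done                          ; not a CLSID string (S_OK == 0)
    invoke  CoCreateInstance, ADDR clsid, NULL, CLSCTX_INPROC_SERVER, ADDR IUnknown, ADDR pUnk
    test    eax, eax
    jnz     @@Done
    mov     ecx, pUnk
    test    ecx, ecx
    jz      @@Done

    ; pUnk->QueryInterface(IID_IObjectSafety, &pSafety); stdcall pushes right to left
    lea     eax, pSafety
    push    eax                             ; ppvObject
    push    OFFSET IObjectSafety            ; riid
    push    ecx                             ; this
    mov     edx, [ecx]                      ; vtable
    call    DWORD PTR [edx]                 ; vtbl[0] = QueryInterface
    test    eax, eax
    jnz     @@Release                       ; E_NOINTERFACE or other failure
    mov     ecx, pSafety
    test    ecx, ecx
    jz      @@Release
    mov     dwResult, 1
    ; drop the IObjectSafety reference handed out by QueryInterface
    push    ecx                             ; this
    mov     edx, [ecx]
    call    DWORD PTR [edx + 8]             ; vtbl[2] = Release
@@Release:
    mov     ecx, pUnk
    push    ecx                             ; this
    mov     edx, [ecx]
    call    DWORD PTR [edx + 8]             ; pUnk->Release()
@@Done:
    mov     eax, dwResult
    ret
IsObjectSafety endp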
;---------------------------------------------------------------------------
; Entry point: registers the ListView window class, runs the modal dialog
; (whose WM_INITDIALOG handler performs the whole scan) and exits.  The
; DialogBoxParam return value is not used.
;---------------------------------------------------------------------------
Start:
    ; ICC_LISTVIEW_CLASSES must be registered before the template is instantiated
    invoke  InitCommonControlsEx, ADDR InitCtrls
    invoke  GetModuleHandle, NULL
    mov     hModule, eax
    invoke  DialogBoxParam, hModule, ADDR DlgName, NULL, ADDR DlgProc, NULL
    invoke  ExitProcess, 0
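; A braced CLSID string is 38 characters plus NUL; the stack buffer that holds
; the value read from <ProgID>\CLSID leaves some slack for odd entries.
CLSID_BUF_SIZE equ 040h

;---------------------------------------------------------------------------
; void CountCLSIDnGUID(void)
; Walks HKLM\SOFTWARE\Classes; for every ProgID that has a CLSID subkey it
; reads the CLSID and adds a [CLSID | ProgID] row to hList when the class
;   - is marked safe for scripting AND safe for initialisation,
;   - is not kill-bitted, and
;   - answers QueryInterface(IObjectSafety).
; Only the machine-wide hive is walked: classes registered per user under
; HKCU\Software\Classes are not seen.  Every class that passes the first three
; checks is instantiated in-process by IsObjectSafety.
; Uses: szSubKey/dwSubKeySize/dqFileTime/dwMainRegKey/dwMainRegKeyCLSID/wbuf/
;       Written/item/hList globals.  The helpers clobber szRegKey and wbuf, so
;       the CLSID string lives in a stack buffer for the duration of a row.
; Fixes vs. the previous version: the root key handle was never checked or
; closed, the per-ProgID key leaked on the "listed" and "no default value"
; paths and was closed again (stale handle) when it had failed to open, the
; CLSID was re-read three times, and LVITEM.imask carried a column flag.
;---------------------------------------------------------------------------
CountCLSIDnGUID proc USES ebx
    LOCAL szClsid[CLSID_BUF_SIZE]:BYTE

    invoke  RegOpenKeyEx, HKEY_LOCAL_MACHINE, ADDR szMainRegKey, 0, KEY_READ, ADDR dwMainRegKey
    cmp     eax, ERROR_SUCCESS
    jne     @@Done                          ; nothing to enumerate and no handle to close

    xor     ebx, ebx                        ; ebx = ProgID subkey index
@@NextProgId:
    mov     dwSubKeySize, SIZEOF szSubKey   ; size in characters, including the NUL
    invoke  RegEnumKeyEx, dwMainRegKey, ebx, ADDR szSubKey, ADDR dwSubKeySize, NULL, NULL, NULL, ADDR dqFileTime
    cmp     eax, ERROR_SUCCESS
    jne     @@CloseMain                     ; ERROR_NO_MORE_ITEMS ends the walk
    inc     ebx

    ; HKLM\SOFTWARE\Classes\<ProgID>\CLSID; a key name is at most 255 characters,
    ; so the formatted path always fits wbuf
    invoke  wsprintf, ADDR wbuf, ADDR szMainRegKeyCLSID, ADDR szSubKey
    invoke  RegOpenKeyEx, HKEY_LOCAL_MACHINE, ADDR wbuf, 0, KEY_READ, ADDR dwMainRegKeyCLSID
    cmp     eax, ERROR_SUCCESS
    jne     @@NextProgId                    ; not a ProgID with a CLSID subkey; nothing to close

    ; default value of the CLSID key = braced CLSID string, read once into the
    ; stack buffer. Values longer than the buffer fail with ERROR_MORE_DATA and
    ; are skipped; they are not CLSIDs.
    mov     Written, CLSID_BUF_SIZE
    invoke  RegQueryValue, dwMainRegKeyCLSID, NULL, ADDR szClsid, ADDR Written
    cmp     eax, ERROR_SUCCESS
    jne     @@CloseClsid
    mov     BYTE PTR szClsid[CLSID_BUF_SIZE - 1], 0   ; registry strings need not be NUL-terminated

    invoke  IsSafeForScripting, ADDR szClsid
    test    eax, eax
    jz      @@CloseClsid
    invoke  IsSafeForInit, ADDR szClsid
    test    eax, eax
    jz      @@CloseClsid
    invoke  IsKillBitted, ADDR szClsid
    test    eax, eax
    jnz     @@CloseClsid                    ; kill-bitted classes never load in IE
    invoke  IsObjectSafety, ADDR szClsid
    test    eax, eax
    jz      @@CloseClsid

    ; new row: sub-item 0 = CLSID, sub-item 1 = ProgID (column order set in DlgProc).
    ; LVIF_TEXT only: LVCF_SUBITEM is a column flag whose value collides with LVIF_STATE.
    mov     item.imask, LVIF_TEXT
    mov     item.iSubItem, 0
    lea     eax, szClsid
    mov     item.pszText, eax               ; the ListView copies the text on insert
    invoke  SendMessage, hList, LVM_INSERTITEM, 0, ADDR item
    mov     item.iSubItem, 1
    mov     item.pszText, OFFSET szSubKey
    invoke  SendMessage, hList, LVM_SETITEM, 0, ADDR item
    inc     item.iItem
@@CloseClsid:
    invoke  RegCloseKey, dwMainRegKeyCLSID  ; closed on every path, listed or skipped
    jmp     @@NextProgId
@@CloseMain:
    invoke  RegCloseKey, dwMainRegKey
@@Done:
    ret
CountCLSIDnGUID endp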
- end Start