客服电话
APP下载
迪恩网络APP
随时随地掌握行业动态
官方微信
扫描二维码
关注迪恩网络微信公众号
|
ASP.NET应用程序security token相关的句柄泄露一般都与impersonate机制相关。通常发生了这种问题会导致整个操作系统性能减慢,在系统日志中有可能记录2020错误。 Event Type: Error Event Source: Srv Event Category: None Event ID: 2020 Date: 12/24/2008 Time: 12:13:31 AM User: N/A Computer: MYW2K3 Description: The server was unable to allocate from the system paged pool because the pool was empty. 如果在这种情况下抓系统kernel dump,查看dump中paged pool,可以发现大部分都被token占用。从进程管理器我们也可以看到w3wp.exe和lsass.exe的handle数量远大于其他进程,并且持续增长。 0: kd> !token ea698028 _TOKEN ea698028 TS Session ID: 0 User: S-1-5-21-606747145-527237240-1605580848-740255 如何在不同版本的操作系统中抓取kernel dump,可以参考如下文章。 How To Enable Windows XP to Capture a Complete or Kernel Memory Dump 另外关于paged/nonpaged pool, 可以参考Mark Russinovich的博客文章 Pushing the Limits of Windows: Paged and Nonpaged Pool 问题调试在没有源代码的情况下如何找到什么地方调用了impersonate相关的方法呢?我们可以尝试以下两种方式。 1. 在应用程序dump文件中直接搜索该方法调用。 要实现impersonate就必须要调用相关的Windows APIs:LogonUser,DuplicateToken,我们可以在内存中搜索哪些assembly引用了这些API,然后通过ILSpy之类的IL反汇编工具来查看相应的代码。 0:018> s-a 0 L?7fffffff "LogonUserA" 0e752a90 4c 6f 67 6f 6e 55 73 65-72 41 00 44 75 70 6c 69 LogonUserA.Dupli 0e762a90 4c 6f 67 6f 6e 55 73 65-72 41 00 44 75 70 6c 69 LogonUserA.Dupli 77f747e4 4c 6f 67 6f 6e 55 73 65-72 41 00 4c 6f 67 6f 6e LogonUserA.Logon 0:018> !address 0e752a90 0e750000 : 0e752000 - 00002000 Type 01000000 MEM_IMAGE Protect 00000020 PAGE_EXECUTE_READ State 00001000 MEM_COMMIT Usage RegionUsageImage FullPath C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\securityhandleleak\91744b5d\ab584e94\App_Web_oeootcha.dll 如果该命令返回记录比较多,我们可以通过以下命令来查看 0:000> .foreach (place { s-[1]a 0 L?7fffffff "LogonUser" }) {!address place}
03530000 : 03532000 - 0000e000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\erpapv\be46890c\b4f7eeae\assembly\dl3\83aa2552\f8a67fd5_af8fc901\Assembly1.DLL
03590000 : 03592000 - 0000e000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageIsVAD
035b0000 : 035b2000 - 00011000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\erpapv\be46890c\b4f7eeae\assembly\dl3\73e6c81e\fcbd4e76_6f96c901\Approve.DLL
03700000 : 03702000 - 00032000
Type 01000000 MEM_IMAGE
Protect 00000020 PAGE_EXECUTE_READ
State 00001000 MEM_COMMIT
Usage RegionUsageImage
FullPath C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\erpapv\be46890c\b4f7eeae\assembly\dl3\19c4bca1\9a54ebdc_5a97c901\Assembly2.DLL
……………
2. 第二种方法是通过调试器在程序运行过程中记录相应API调用栈。
# ChildEBP RetAddr Args to Child 00 01f1ef08 0e49126a 01f1f128 01f1f028 01f1ef28 ADVAPI32!LogonUserA (FPO: [Non-Fpo]) (CONV: stdcall) 01 01f1f244 0e790605 00000001 00000000 060e3178 CLRStub[StubLinkStub]@e49126a 02 01f1f2a4 0e790505 00000000 00000000 00000000 App_Web_oeootcha!_Default.impersonateValidUser(System.String, System.String, System.String)+0x7d*** WARNING: Unable to verify checksum for C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\securityhandleleak\91744b5d\ab584e94\App_Web_oeootcha.dll (Managed) 03 00000000 66f12980 00000000 00000000 00000000 App_Web_oeootcha!_Default.Page_Load(System.Object, System.EventArgs)+0x3d (Managed) 04 01f1f504 6628efd2 00000000 00000000 00000000 Configuration File: <ADPlus> <Settings> <RunMode> CRASH </RunMode> <Sympath> http://msdl.microsoft.com/download/symbols </Sympath> <Option> Quiet </Option> <OutputDir> d:\HandleLeak </OutputDir> </Settings> <Breakpoints> <NewBP> <Address> advapi32!LogonUserA </Address> <Type> BP </Type> <Actions> stack </Actions> <CustomActions> </CustomActions> <ReturnAction> G </ReturnAction> </NewBP> <NewBP> <Address> advapi32!LogonUserW </Address> <Type> BP </Type> <Actions> stack </Actions> <CustomActions> </CustomActions> <ReturnAction> G </ReturnAction> </NewBP> </Breakpoints> </ADPlus>
希望以上内容对你有所帮助
weizhao |
请发表评论