Recovering a Document After a Windows Program Crash

Scenario 1: the program you are writing a document in crashes. What now?

How do you get the document back? The recovery process is written up below.

0x01: Tools

WinDbg

On Windows 7 x64, installing and running WinDbg complains about a missing DLL; download and install this update (KB2999226, the Universal C Runtime) and it works:

https://download.microsoft.com/download/1/1/5/11565A9A-EA09-4F0A-A57E-520D5D138140/Windows6.1-KB2999226-x64.msu

0x02: Document recovery

After the crash a DMP file is produced, located at: C:\Users\ADMINI~1\AppData\Local\Temp*********.DMP

Now we manufacture one by hand (the crashed program here is Notepad).


Locate the DMP file:
C:\Users\ADMINI~1\AppData\Local\Temp\notepad.DMP

Load it in WinDbg:

File ---> Open Crash Dump

Once opened, the file looks as follows.

Step 1: search the dump for the document's content, for example the first sentence you typed, so that it can be dumped out in a moment.

The command is documented in the official reference:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/s--search-memory-

s -u 0 l1000000 "这不是一个自由软件"

s                               search memory
-u                              the pattern is Unicode (UTF-16)
0                               start address of the range to search
l1000000                        length of the range, in WinDbg's L-size syntax (hex)

Searching from address 0 across the whole range is brute force: it is slow and WinDbg will complain about unreadable pages along the way, but in a user-mode dump the hits that matter are the ones whose address is printed with the matching text.

Take the address it found and use the du command:

du (display memory as Unicode)

du 00157758 l1000

Output:

0:000> du 00157758 l1000
00000000`00157758  "这不是一个自由软件!您只能在不用于商业目的的前提下对程序代码进行"
00000000`00157798  "修改和使用;..''' 未经授权不允许对程序代码以任何形式任何目"
00000000`001577d8  "的的再发布。..''' ===================="
00000000`00157818  "================================"
00000000`00157858  "==============..''' 编写: IT平民..''"
00000000`00157898  "' 修改:IT平民 in 2014.07.....option "
00000000`001578d8  "explicit...session.codepage=6500"
00000000`00157918  "1...response.charset="utf-8"...s"
00000000`00157958  "erver.scripttimeout=999999...dim"
00000000`00157998  " in_sdcms:in_sdcms=true...dim db"
00000000`001579d8  "query:dbquery=0...dim startime:s"
00000000`00157a18  "tartime=timer()...'microsoft.xml"
00000000`00157a58  "http...'Msxml2.XMLHTTP...'WinHtt"
00000000`00157a98  "p.WinHttpRequest.5.1...'MSXML2.S"
00000000`00157ad8  "ERVERXMLHTTP.3.0...'以上为候选参数...di"
00000000`00157b18  "m xmlhttp:xmlhttp="MSXML2.XMLHTT"
00000000`00157b58  "P"...dim ismobile:ismobile=false"
00000000`00157b98  "..%>........<!"
00000000`00157cd8  "--#include file="class/sdcms.fun"
00000000`00157d18  ".asp"-->.."
00000000`00157dd8  "....<%...dim sqltime:"
00000000`00157e58  "sqltime="now()"...if not(datatyp"
00000000`00157e98  "e) then sqltime="GetDate()"...sd"
00000000`00157ed8  "cms.sitedb:sdcms.catedb:sdcms.au"
00000000`00157f18  "to_update...dim page:page=sdcms."
00000000`00157f58  "getint(sdcms.fget("page",0),1).."
00000000`00157f98  ".dim webmode:webmode=sdcms.getsy"
00000000`00157fd8  "s("webmode")...dim isgzip:isgzip"
00000000`00158018  "=sdcms.getsys("isgzip")...dim is"
00000000`00158058  "cache:iscache=sdcms.getsys("isca"
00000000`00158098  "che")...dim tempcache:tempcache="
00000000`001580d8  "sdcms.getsys("tempcache")...dim "
00000000`00158118  "cachedate:cachedate=sdcms.getsys"
00000000`00158158  "("cachedate")...dim thisurl:this"
00000000`00158198  "url=sdcms.getthisurl...dim htmld"
00000000`001581d8  "ir:htmldir=sdcms.getsys("htmldir"
00000000`00158218  "")...dim commentconfig:commentco"
00000000`00158258  "nfig=eval(sdcms.getsys("expand.c"
00000000`00158298  "omment"))...dim syscomment:sysco"
00000000`001582d8  "mment=commentconfig(0)...dim moo"
00000000`00158318  "dconfig:moodconfig=sdcms.getsys("
00000000`00158358  ""expand.mood")...ismobile=sdcms."
00000000`00158398  "get_ismobile...dim blacklist:bla"
00000000`001583d8  "cklist="javascript|Document|oner"
00000000`00158418  "ror|onload|onmouseover"...'ismob"
00000000`00158458  "ile=true..%>"

That is the document's content.

Next, extract it to a file:
.writemem filename range

0:000> .writemem c:\1.txt 00157758 l1000
Writing 1000 bytes..

The count WinDbg reports is hex (0x1000 = 4096 bytes), which covers the roughly 0xD18 bytes the du output above spanned; if the tail of your document is missing, enlarge the range.

Opening 1.txt at this point shows garbage, because the file is raw UTF-16LE text with no byte order mark and the editor guesses the wrong encoding. Fix the file header in a hex editor by adding the Unicode BOM bytes ff fe at the very start, as shown:

Save, reopen, and it reads correctly:

Note that the leading "这" is gone: the two bytes ff fe were typed over the first two bytes of the file instead of being inserted in front of them. Switch the hex editor to insert mode (or prepend the BOM with a script) so the first character survives. That completes the recovery.
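As an added example (not code from the original post), the same three steps done in Python directly on the dump file: a .DMP is a minidump whose memory ranges are stored raw, so a byte search for the UTF-16LE text works on the file itself, with file offsets instead of the virtual addresses WinDbg prints. It also generalises the search to the case where you do not remember an exact phrase (a `strings -e l` style scan at both byte alignments) and contrasts inserting the BOM with overwriting it. The dump bytes, the document text and the output file name are constructed assumptions.

```python
import codecs

# Constructed sample: a fake dump blob with unprintable filler around a
# UTF-16LE copy of the document text. Not a real minidump; illustration only.
TEXT = "这不是一个自由软件!您只能在不用于商业目的的前提下对程序代码进行修改和使用;"
SAMPLE_DUMP = (
    b"MDMP" + b"\x00" * 28          # minidump magic plus padding (constructed)
    + b"\xff\xfe" * 16              # filler: U+FEFF / U+FFFE are not printable
    + TEXT.encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe" * 16
)


def find_unicode(blob, needle, start=0, length=None):
    """Equivalent of WinDbg `s -u start Llength "needle"`: locate the UTF-16LE
    encoding of needle inside the range; returns the offset or -1."""
    end = len(blob) if length is None else start + length
    return blob.find(needle.encode("utf-16-le"), start, end)


def extract_utf16_run(blob, offset, max_chars=0x1000):
    """Like `du offset Lmax_chars` followed by `.writemem`: take UTF-16 code units
    from offset up to the first NUL code unit or max_chars, returning raw bytes."""
    end = offset
    limit = min(len(blob), offset + 2 * max_chars)
    while end + 1 < limit and blob[end:end + 2] != b"\x00\x00":
        end += 2
    return blob[offset:end]


def unicode_runs(blob, min_chars=8):
    """When the exact phrase is unknown: enumerate printable UTF-16LE runs of at
    least min_chars characters (like `strings -e l`), at both byte alignments,
    as (offset, text) tuples sorted by offset."""
    results = []
    for align in (0, 1):
        start, chars = None, []
        for i in range(align, len(blob) - 1, 2):
            ch = chr(blob[i] | (blob[i + 1] << 8))
            if ch.isprintable() or ch in "\r\n\t":
                if start is None:
                    start = i
                chars.append(ch)
                continue
            if start is not None and len(chars) >= min_chars:
                results.append((start, "".join(chars)))
            start, chars = None, []
        if start is not None and len(chars) >= min_chars:
            results.append((start, "".join(chars)))
    return sorted(results)


def add_bom(raw):
    """Correct fix: insert FF FE in front of the data so editors detect UTF-16LE."""
    return codecs.BOM_UTF16_LE + raw


def overwrite_bom(raw):
    """The mistake in the post: FF FE typed over the first two bytes in overwrite
    mode, which destroys the first character of the document."""
    return codecs.BOM_UTF16_LE + raw[2:]


if __name__ == "__main__":
    off = find_unicode(SAMPLE_DUMP, "这不是一个自由软件")
    raw = extract_utf16_run(SAMPLE_DUMP, off)
    with open("recovered.txt", "wb") as f:      # output name is an assumption
        f.write(add_bom(raw))
    print(hex(off), add_bom(raw).decode("utf-16"))
    print("overwritten:", overwrite_bom(raw).decode("utf-16"))
    for run_off, run in unicode_runs(SAMPLE_DUMP):
        print(hex(run_off), run[:40])
```

To use it on a real crash dump, read the .DMP with `open(path, "rb").read()` in place of SAMPLE_DUMP; the alignment-1 pass of `unicode_runs` will also report some misaligned garbage hits, which is the same noise a strings tool shows and is cheap to ignore.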
