?????-???? detours ?? ???? ??????? ?? ????? SQL ????? ??? ??????? ???? ??

???? ID: 920925 - ?? ???????? ?? ?????? ??? ?? ?? ???? ???? ???? ??.
???? ?????? ???????????? ?????? ???????? KB ?? ???????? ????? ?? ??? ???? ????? ????
??? ?? ??????? ???? | ??? ?? ??????? ????

??????

Detours ?? ???? ??????? ?? ????? Microsoft SQL Server ?? ??????? ?? ????????? ???? ?? ??? ???????? ????? ???????? ?? ???? ?? ???? ??:
  • ???????? ????????
  • ??? ??????
  • ????? ?? ?????? ????
  • SQL ????? ?? ??????????? ?? ??????
  • ????????? ????????? ???????
  • ???? ?????, ???? fn_get_sql ??????? ?? DBCC INPUTBUFFER ???? ?? ????? ???? ?? ??? ???????
  • ??????? ???????? ?? ???? ??? ??? ?? ???????
??? Microsoft SQL ????? ?? ??????? ?? ????? ?? ??? detours ?? ???? ??????? ?? ????? ???? ???? ?????-???? ?????? ?? ??? ?????? ?????? ?????? ???? ???? ??? ?? ???? SQL ????? ?????? ?? SQL Server ?????? ?????? ?? ??? ??? ?? ??? ???, ?? detours ?? SQL ????? ?? ??????? ??? ???????? ???? ??????? ????? ???? ?? ??? ?? ??? ??????? ??, ?? ?????????? ?????? ?? ????? ???? ?? ??? ?? ?????? ?????? ??? ?? ??? ??? ??? detours ?? ???? ???????? ?? ????? ?? ??? ??????? ???????? ?????? ?????? ?? ???? ?? ???? ?? ????, ???? ?? detour ???? ??????????? ???????? ??????? ?????? ???????????? ???? ?????? ????? ?????? ???? ???? ??, Microsoft ??????? ?? ?? ?? ?????-???? ?????? ?? ??? ???????? ?? ?????? ???? ?? ?? ???????? ?? ???? ?? ??? ?????? ?????? ???? ?????

???? ???????

Detours ????? ???? ????? ???????? ?? ?? ?????/reward ????? detours ?????? ???? ???? ?? detour SQL ????? ?? ???? ???? ??? ??, ?? ??????????, ??? ???? ????????? ????? ??? injected ??? SQL Server ??????? ?? ??????? ?????? ???? ???? ?? ??????? SQL ????? ?? ??? ???????? ??????? ?? ??? ???? ????

?????????? ??? ?????? ???????????? ?? ???? ???? ?????? ??:
  • ??? ???? ??????? ??????? (TDS) ????? ????? ?? ????????? ???? ???? Detour net_readdata ??????? ????????? ????? ??? ?? ?????????? ????? ?? ????? ???? ??? ?? ????? ?? ?? ??? 100 CPU ???? ??? ?? ??????? ????? ?? ?? ???? ????

    ???????? TDS ???? ??? ??? ???????? ???? ?? ??? ?????? scribblers ??? ?? ???? ???? ?? ?????? ?? SQL Server ??????? ?????? ?????? ???? ???? ?? ?? ???? ????? ????? ??? ?? ????????? ???? ?? ??? ?? SQL ????? ?? ??? ?? ?????? ???? ????? ?? ??? ??? TDS ????? ???????? ?? ???? ???? ?????? ???????? ?? ???? ?? ??????? ?? ???? ????????? ???? ??? ????? ????? ?? ??????? ??? ??? ???? ?? ??? ??????? ???? ??? ?? ?? SQL ????? ????? ?? ???? ???
  • ???????? routines SQL Server ??????? ????????? ???? ?? ??? detoured ???? ???? ???? ???? ?????? ????? ???:
    • ???????? ????? ???????? ?????? ??? ?? ??? ???? ?????
    • ???? ?? ??? ??????? ?? ?? ???? ?? ???????? ???? ??? ???????, ?? ???? ?????? ??? ????????? ???
    • ????? ?????? ??? ???? ????????? ?????? ?? ???? ?????? ???
    • DBCC INPUTBUFFER ???? ????????? ?????? ?? ???? ??? ???? ?????? ???
    • Fn_get_sql ??????? ??? ???? ?????? ??? ??? ??, fn_get_sql ??????? ????? ?? ??? ?????? ?? ??? ????????? ??? Fn_get_sql ??????? ?? ????????? ?????? ?????? ???? ???? ?? ?? ????????? ?????? ?? ???????? ?? ???? ?? ???? ???
    • ????? ?????????? ??? ???????? (UMS) ?? SQL ????? ???????? ?????? (SQLOS) ??????? ??????? ???? ???? ?? ???? ??? SQL ????? ?? ??????????? ?? ???? ???? ?? ???, ??????????? ???????? ?? outages ?? ????
  • ????????? ??????? ?????? ?????? Win32 APIs detoured ???? ???? ??????????? ?? ???? ??, ??????? ?? ???? ????????? ???? ?????? ???????? ?? ???? ?? ????? ?? ???? ????? UMS ?? ?????????? SQLOS ?? ????? SQL ????? ?? ??????????? ?? ???? ???? ?? ??? ?? outages ?? ????
????? ?????? ?? kernel32 ?????? ??!GetQueuedCompletionStatus ??????? detoured ???? ?? ???? ???
MyDLL!MyGetQueuedCompletionStatus
ssnetlib!ConnectionReadAsyncWait
GetQueuedCompletionStatus ??????? ?? ??? ??????? ???, ???? ??????? ?? ??? ??????? ?? ??? ??? ???? ??? ???
0:038> u kernel32!GetQueuedCompletionStatus
kernel32!GetQueuedCompletionStatus 
77e660f1 e90a9f00aa      jmp     21e70000   ß  This points to an address that does not appear in the loaded module list (lm). It is injected code.
77e660f6 83ec10          sub     esp,10h
?? ??? ???? ?? ??? ?? ??? ??????? detoured ??????? ?? MyDLL ????? ?? ??? ?? ??? ?????? ???
0:038> u 21e70000  

21e70000 55              push    ebp
21e70001 8bec            mov     ebp,esp
21e70003 51              push    ecx
21e70004 8b4518          mov     eax,dword ptr [ebp+18h]
21e70007 50              push    eax
21e70008 8b4d14          mov     ecx,dword ptr [ebp+14h]
21e7000b 51              push    ecx
21e7000c 8b5510          mov     edx,dword ptr [ebp+10h]
21e7000f 52              push    edx
21e70010 8b450c          mov     eax,dword ptr [ebp+0Ch]
21e70013 50              push    eax
21e70014 8b4d08          mov     ecx,dword ptr [ebp+8]
21e70017 51              push    ecx
21e70018 e8234d19ee      call   MyDLL+0x4d40 (10004d40)   <- Call to the MyDLL file.
21e7001d 8945fc          mov     dword ptr [ebp-4],eax
21e70020 8b55fc          mov     edx,dword ptr [ebp-4]
??? ?? ??????? ????? ?? ??? Windows detours ?? ????? ???? ?? ??? ?? ??, ?? ????????? ???? ?? ??? ????? ?? ???? ???? ??? ???? ?? ???, ????? ????? ?? ???? ?????

??? ??????? ??? ?????? ???? ?? ???? ????? ?? ???? ?? ??????? ????? ??? ?? ??????? ????? ?? ??? Windows ?? ????? ???? ???, ?? ?? ?? ??????? ????? ???, ?? ????????? ?????? ?? ???? ??? ?? ??????? ???? ???? ??????? ????? ?? ???????? ?? ???? ???
  1. SQL ????? ?? ??????? ????? Windows ?? ??? ??????? ????, ?? ?? ????? ?????????? ??? ????? ??? ?????
  2. ????? ????? ???? ?????? ???????? ??? detours injected ???? ?? ???? ?? ?? ???? ?? ????????? ???? ?? ??? ??-????? ??? ?? ??????? ?? ???? ????????
    !for_each_module "!chkimg -v @#Base -d"
  3. ????? ??? ?????
??????? ????? ?? ??? Windows ?? ??????? ???? ?? ???, ????? Microsoft ??? ???? ?? ????:
http://www.microsoft.com/whdc/devtools/debugging/default.mspx
(http://www.microsoft.com/whdc/devtools/debugging/default.mspx)
??-?????? ??? ????????? ?? ?? ??, ?? ?????? ????? ?? ???? ????? ?? ???? ??:
Comparison image path: c:\program files\microsoft sql server\mssql\binn\ssnetlib.dll\ssnetlib.dll
Scanning section:    .text
Size: 56488
Range to scan: 0c261000-0c26eca8
0c263710-0c26371a  11 bytes - ssnetlib!ConnectionClose
           
	[ 8b ff 55 8b ec 83 ec 10:68 00 00 00 00 e9 27 8a ]
0c2641e0-0c2641ea  11 bytes - ssnetlib!ConnectionReadAsync (+0xad0)

	[ 8b ff 55 8b ec 83 ec 38:68 00 00 00 00 e9 00 7e ]
0c265160-0c26516a  11 bytes - ssnetlib!ConnectionWriteAsync (+0xf80)

	[ 8b ff 55 8b ec 83 ec 28:68 00 00 00 00 e9 ba 70 ]
Total bytes compared: 56488(100%)
Number of errors: 33
33 errors : 0c260000 (0c263710-0c26516a)
?? ???? ?????? ?? ?????? ??, ?? ??? ??? ????? ?? ??? ??????? ?? ??????? ?? ???? ???:
0:038> u ssnetlib!ConnectionClose
ssnetlib!ConnectionClose]:
0c263710 6800000000      push    0
0c263715 e9278ada03      jmp     MyDLL!MyGetQueuedCompletionStatus  <- A detour has been installed.
?? detours ?? ???? ??????? ?? ??? ??????? SQL Server ??? detours ?? ???? ??????? ?? ????? ???? ???? ?? ???? ??? ??????? ?? ??? ?? ?? ?? ?????? ????? ??? Detours ?? ???? ??????? ?? ???? ??? ???? ??????? ?? ???, ????? Microsoft ???????? ?????? ??? ???? ?? ????:
http://research.microsoft.com/sn/detours
(http://research.microsoft.com/sn/detours/)

???

???? ID: 920925 - ????? ???????: 10 ????? 2013 - ??????: 1.0
???? ???? ???? ??:
  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2005 Express Edition with Advanced Services
  • Microsoft SQL Server 2005 Standard Edition
  • Microsoft SQL Server 2005 Workgroup Edition
  • Microsoft SQL Server 2005 Developer Edition
  • Microsoft SQL Server 2005 Enterprise Edition
  • Microsoft SQL Server 2005 Standard X64 Edition
  • Microsoft SQL Server 2005 Enterprise X64 Edition
  • Microsoft SQL Server 2005 Standard Edition for Itanium-based Systems
  • Microsoft SQL Server 2005 Enterprise Edition for Itanium-based Systems
  • Microsoft SQL Server 2000 Personal Edition
  • Microsoft SQL Server 2000 Standard Edition
  • Microsoft SQL Server 2000 Workgroup Edition
  • Microsoft SQL Server 2000 Developer Edition
  • Microsoft SQL Server 2000 Enterprise Edition
  • Microsoft SQL Server 2008 Developer
  • Microsoft SQL Server 2008 Enterprise
  • Microsoft SQL Server 2008 Express
  • Microsoft SQL Server 2008 R2 Datacenter
  • Microsoft SQL Server 2008 R2 Developer
  • Microsoft SQL Server 2008 R2 Enterprise
  • Microsoft SQL Server 2008 R2 Express
  • Microsoft SQL Server 2008 R2 Standard
  • Microsoft SQL Server 2008 R2 Web
  • Microsoft SQL Server 2008 R2 Workgroup
  • Microsoft SQL Server 2008 Web
  • Microsoft SQL Server 2008 Workgroup
  • Microsoft SQL Server 2012 Developer
  • Microsoft SQL Server 2012 Enterprise
  • Microsoft SQL Server 2012 Express
  • Microsoft SQL Server 2012 Standard
  • Microsoft SQL Server 2012 Web
  • SQL Server 2012 Enterprise Core
??????: 
kbtshoot kbexpertiseadvanced kbinfo kbmt KB920925 KbMthi
???? ?????? ????????
??????????: ?? ???? ?? ???? ??????? ?? ????? ?? Microsoft ????-?????? ?????????? ?????? ?????? ???? ??? ??. Microsoft ???? ??? ????-???????? ?? ????-???????? ????? ?????? ?? ???? ???????? ???? ?? ???? ????? ????? ??? ?? ??? ?????? ?? ???? ???? ???? ??? ????? ??. ???????, ????-???????? ???? ????? ???? ???? ???? ???. ?????, ????????, ?????-???? ?? ??????? ?? ???????? ?? ???? ???, ???? ?? ??? ?????? ???? ???? ??? ????? ??? ?? ???? ??. Microsoft ??????? ??? ???? ?? ?????? ?? ??????????, ????????? ?? ??? ?????? ?? ???? ????? ?? ???? ???????? ?? ??? ???? ????? ?? ??? ????????? ???? ??. Microsoft ????-?????? ?????????? ?? ????? ?????? ?? ?? ??? ??.
?????????? ?? ??????? ????????? ??????? ??:920925
(http://support.microsoft.com/kb/920925/en-us/ )
????? ?? ???? ???? | ??????????? ???

??????????? ???

 
????? ?? ???? ????????? ?? ???? ????