Reversing : The Hacker's Guide to Reverse Engineering

6e9008d6 inc edi
6e9008d7 push 0x26
6e9008d9 push edi
6e9008da call dword ptr [idq!_imp__strchr (6e8f111c)]
6e9008e0 pop ecx
6e9008e1 mov edi,eax
6e9008e3 pop ecx
6e9008e4 test edi,edi
6e9008e6 jne 6e9007ae
6e9008ec push dword ptr [ebp-0x2c]
6e9008ef or dword ptr [ebp-0x4],0xffffffff
6e9008f3 call idq!ciDelete (6e905f8c)
6e9008f8 mov ecx,[ebp-0xc]
6e9008fb pop edi
6e9008fc pop esi
6e9008fd mov fs:[00000000],ecx
6e900904 pop ebx
6e900905 leave
6e900906 ret 0x4

Listing 7.2 (continued)

CVariableSet::AddExtensionControlBlock starts with the setting up of an exception handler entry and then subtracts ESP by 0x1d0 (464 bytes) to make room for local variables. One can immediately suspect that a significant chunk of data is about to be copied into this stack space—few functions use 464 bytes worth of local variables. In the first snippet the point of interest is the loading of EAX, which is loaded with the value of the first parameter (from [ebp+0x8]).

A quick investigation with WinDbg reveals that CVariableSet::AddExtensionControlBlock is called from HttpExtensionProc, which is a documented callback that's used by IIS for communicating with ISAPI DLLs. A quick trip to the Platform SDK reveals that HttpExtensionProc receives a single parameter, which is a pointer to an EXTENSION_CONTROL_BLOCK structure. In the interest of preserving the earth's forests, I skip several pages of irrelevant code and get to the three lines at 6e9006b7, where offset +64 from EAX is loaded into ESI and then finally into EDI. Offset +64 in EXTENSION_CONTROL_BLOCK is the lpszQueryString member, which is exactly what we're after.

The instruction at 6e9007ba stores EDI into [ebp-0x18] (where it remains), and then the code goes to look for character 0x3d within the string using strchr. Character 0x3d is '=', so the function is clearly looking for the end of the string I'm currently dealing with (the '=' character is used as a separator in these request strings). If strchr finds the character the function proceeds to calculate the distance between the character found and the beginning of
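The following C program is an added illustration, not code from the book or from idq.dll: it models the 32-bit layout of EXTENSION_CONTROL_BLOCK as declared in the Platform SDK's httpext.h (HSE_LOG_BUFFER_LEN is 80 there) to confirm where lpszQueryString lands (the listing's offsets are hexadecimal, so +64 is 0x64, or 100 decimal), then reproduces the strchr('=') distance calculation the text describes and pairs it with a bounded copy that refuses names that would not fit a fixed-size local. The field names come from the SDK; the helper function names and the sample query strings are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit model of the SDK's EXTENSION_CONTROL_BLOCK: every LPSTR/HCONN is
 * 4 bytes, so uint32_t stands in for them. Only the leading members matter
 * for the offset we want; the trailing callback pointers are omitted. */
#define HSE_LOG_BUFFER_LEN 80
typedef struct {
    uint32_t cbSize;
    uint32_t dwVersion;
    uint32_t ConnID;
    uint32_t dwHttpStatusCode;
    char     lpszLogData[HSE_LOG_BUFFER_LEN];
    uint32_t lpszMethod;
    uint32_t lpszQueryString;   /* expected at 16 + 80 + 4 = 100 = 0x64 */
    uint32_t lpszPathInfo;
    uint32_t lpszPathTranslated;
} ecb32_t;

/* The displacement a reverse engineer expects to see in "[eax+0x??]". */
size_t ecb32_query_string_offset(void)
{
    return offsetof(ecb32_t, lpszQueryString);
}

/* What the listing does: find 0x3d ('=') and measure the distance from the
 * start of the query string to it. Returns -1 when there is no '=' (the
 * jne at 6e9008e6 is not taken and the function falls through to cleanup). */
long query_name_length(const char *query)
{
    const char *eq = strchr(query, 0x3d);   /* 0x3d == '=' */
    if (eq == NULL)
        return -1;
    return (long)(eq - query);
}

/* Defensive counterpart: copy the text before '=' into dst only if it fits,
 * so an overlong name can never overrun a fixed-size stack buffer.
 * Returns the copied length, or -1 when there is no '=' or it would not fit. */
long copy_query_name(const char *query, char *dst, size_t dst_size)
{
    long n = query_name_length(query);
    if (n < 0 || (size_t)n >= dst_size)
        return -1;
    memcpy(dst, query, (size_t)n);
    dst[n] = '\0';
    return n;
}

/* Convenience wrapper with a 16-byte scratch buffer, mirroring a small local. */
long copy_query_name_fits16(const char *query)
{
    char buf[16];
    return copy_query_name(query, buf, sizeof buf);
}
```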
