Crash Dump Analysis Patterns (Part 55)
DATA (Dump Analysis + Trace Analysis) Facebook group
Please join the community of memory (dump) and trace analysis engineers. This group promotes scientific methods and memory dump-based world view.
Twitter @ DumpAnalysis You can now follow portal and blog news at DumpAnalysis on Twitter.
2009 (0x7D9) - The Year of Debugging 2010 (0x7DA) - The Year of Dump Analysis 2011 (0x7DB) - 2020 (0x7E4) The Debugging Decade
Now it’s time to write about Wild Pointer pattern I briefly mentioned in Local Buffer Overflow post which shows examples of pointers having UNICODE structure in their values. I have also observed pointers with ASCII structure as .formats WinDbg command indicates:
FAILED_INSTRUCTION_ADDRESS:
65747379`735c5357 ?? ???
IP_ON_HEAP: 65747379735c5357
0:012> .formats rip
Evaluate expression:
Hex: 65747379`735c5357
Decimal: 7310595060592825175
Octal: 0625643467456327051527
Binary: 01100101 01110100 01110011 01111001 01110011 01011100 01010011 01010111
Chars: etsys\SW
Time: Wed May 10 22:00:59.282 24767 (GMT+1)
Float: low 1.7456e+031 high 7.21492e+022
Double: 5.30388e+180
Here is another example of a pointer having UNICODE structure:
FAILED_INSTRUCTION_ADDRESS:
0045004c`00490046 ?? ???
0:014> .formats rip
Evaluate expression:
Hex: 0045004c`00490046
Decimal: 19422099815333958
Octal: 0001050004600022200106
Binary: 00000000 01000101 00000000 01001100 00000000 01001001 00000000 01000110
Chars: .E.L.I.F
Time: Wed Jul 19 07:46:21.533 1662 (GMT+1)
Float: low 6.70409e-039 high 6.33676e-039
Double: 2.33646e-307
When we have EIP or RIP pointers I have another pattern to name when the value is coincidentally lies inside some valid region of memory: Wild Code. Here is one example of the latter pattern I’m going to write about soon:
IP_ON_STACK:
+e11ffa8
STACK_TEXT:
0e11ff7c 098eeef2 0xe11ffa8
0e11ff84 77b6b530 dll!StartWorking+0xcab
0e11ffb8 7c826063 msvcrt!_endthreadex+0xa3
0e11ffec 00000000 kernel32!BaseThreadStart+0×34
0:020> u
0e11ffa8 dcff fdiv st(7),st
…
…
…
We see that EIP is very close to EBP/ESP and this explains why !analyze -v reports IP_ON_STACK. Clearly floating-point code is not what we should expect. This example shows that wild pointers sometimes are valid but either through code chain or pointer chain execution reaches Invalid Pointer and a process or a system crashes.
- Dmitry Vostokov @ DumpAnalysis.org -
_1125.png)
Coming Soon:
Crash Dump Analysis for System Administrators
New Magazines:
Debugged! MZ/PE: MagaZine for/from Practicing Engineers
New Books:
Windows Debugging: Practical Foundations
DLL List Landscape: The Art from Computer Memory Space
Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov
WinDbg: A Reference Poster and Learning Cards
Memory Dump Analysis Anthology, Volume 2
Also available:
Memory Dump Analysis Anthology, Volume 1
New Children's Book:
March 18th, 2008 at 11:45 am
BTW, if EIP/RIP has been subverted to this point, you have a clear security issue in your code
April 28th, 2008 at 6:23 pm
[…] the pointer value to be non-NULL might not work if the pointer value is random (Wild Pointer pattern) but at least it eliminates this class of problems. NULL pointers can be NULL data […]
June 4th, 2009 at 10:34 am
[…] code is through an invalid address 0×161dc2c so we might guess that this was an instance of wild code pointer or the case of incorrect stack trace. However using techniques to get exception context from hidden […]