Crash Dump Analysis Patterns (Part 55)
CARE: Crash Analysis Report Environment
DATA (Dump Analysis + Trace Analysis) Facebook group
Please join the community of memory (dump) and trace analysis engineers. This group promotes scientific methods and memory dump-based worldview.
Twitter @ DumpAnalysis You can now follow portal and blog news at DumpAnalysis on Twitter
LinkedIn Group Dr. Watson Enthusiasts All about Dr. Watson errors and more. Get news, excerpts and progress reports about the forthcoming book The Science of Dr. Watson: An Illustrated History of Debugging (ISBN 978-1906717070)
2010 (0x7DA) - The Year of Dump Analysis 2011 (0x7DB) - 2020 (0x7E4) The Debugging Decade
Now it’s time to write about Wild Pointer pattern I briefly mentioned in Local Buffer Overflow post which shows examples of pointers having UNICODE structure in their values. I have also observed pointers with ASCII structure as .formats WinDbg command indicates:
FAILED_INSTRUCTION_ADDRESS:
65747379`735c5357 ?? ???
IP_ON_HEAP: 65747379735c5357
0:012> .formats rip
Evaluate expression:
Hex: 65747379`735c5357
Decimal: 7310595060592825175
Octal: 0625643467456327051527
Binary: 01100101 01110100 01110011 01111001 01110011 01011100 01010011 01010111
Chars: etsys\SW
Time: Wed May 10 22:00:59.282 24767 (GMT+1)
Float: low 1.7456e+031 high 7.21492e+022
Double: 5.30388e+180
Here is another example of a pointer having UNICODE structure:
FAILED_INSTRUCTION_ADDRESS:
0045004c`00490046 ?? ???
0:014> .formats rip
Evaluate expression:
Hex: 0045004c`00490046
Decimal: 19422099815333958
Octal: 0001050004600022200106
Binary: 00000000 01000101 00000000 01001100 00000000 01001001 00000000 01000110
Chars: .E.L.I.F
Time: Wed Jul 19 07:46:21.533 1662 (GMT+1)
Float: low 6.70409e-039 high 6.33676e-039
Double: 2.33646e-307
When we have EIP or RIP pointers I have another pattern to name when the value is coincidentally lies inside some valid region of memory: Wild Code. Here is one example of the latter pattern I’m going to write about soon:
IP_ON_STACK:
+e11ffa8
STACK_TEXT:
0e11ff7c 098eeef2 0xe11ffa8
0e11ff84 77b6b530 dll!StartWorking+0xcab
0e11ffb8 7c826063 msvcrt!_endthreadex+0xa3
0e11ffec 00000000 kernel32!BaseThreadStart+0×34
0:020> u
0e11ffa8 dcff fdiv st(7),st
…
…
…
We see that EIP is very close to EBP/ESP and this explains why !analyze -v reports IP_ON_STACK. Clearly floating-point code is not what we should expect. This example shows that wild pointers sometimes are valid but either through code chain or pointer chain execution reaches Invalid Pointer and a process or a system crashes.
- Dmitry Vostokov @ DumpAnalysis.org -
_1125.png)
Coming Soon:
Debugging Notebook: Essential Concepts, WinDbg Commands and Tools
Crash Dump Analysis for System Administrators and Support Engineers
New Magazines:
Debugged! MZ/PE: MagaZine for/from Practicing Engineers
New Books:
Memory Dump Analysis Anthology, Volume 3
First Fault Software Problem Solving: A Guide for Engineers, Managers and Users
x64 Windows Debugging: Practical Foundations
Also available:
Windows Debugging: Practical Foundations
DLL List Landscape: The Art from Computer Memory Space
Dumps, Bugs and Debugging Forensics: The Adventures of Dr. Debugalov
WinDbg: A Reference Poster and Learning Cards
Memory Dump Analysis Anthology, Volume 2
Memory Dump Analysis Anthology, Volume 1
New Children's Book:
March 18th, 2008 at 11:45 am
BTW, if EIP/RIP has been subverted to this point, you have a clear security issue in your code
April 28th, 2008 at 6:23 pm
[…] the pointer value to be non-NULL might not work if the pointer value is random (Wild Pointer pattern) but at least it eliminates this class of problems. NULL pointers can be NULL data […]
June 4th, 2009 at 10:34 am
[…] code is through an invalid address 0×161dc2c so we might guess that this was an instance of wild code pointer or the case of incorrect stack trace. However using techniques to get exception context from hidden […]