Crash Dump Analysis Patterns (Part 36)

The pattern I should have written as one of the first is called Local Buffer Overflow. It is observed on x86 platforms when a local variable and a function return address and/or saved frame pointer EBP are overwritten with some data. As a result, the instruction pointer EIP becomes Wild Pointer and we have a process crash in user mode or a bugcheck in kernel mode. Sometimes this pattern is diagnosed by looking at mismatched EBP and ESP values and in the case of ASCII or UNICODE buffer overflow EIP register may contain 4-char or 2-wchar_t value and ESP or EBP or both registers might point at some string fragment like in the example below:

0:000> r
eax=000fa101 ebx=0000c026 ecx=01010001 edx=bd43a010 esi=000003e0 edi=00000000
eip=0048004a esp=0012f158 ebp=00510044 iopl=0  nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000202
0048004a 0000 add     byte ptr [eax],al  ds:0023:000fa101=??

0:000> kL
ChildEBP RetAddr 
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f154 00420047 0x48004a
0012f158 00440077 0x420047
0012f15c 00420043 0x440077
0012f160 00510076 0x420043
0012f164 00420049 0x510076
0012f168 00540041 0x420049
0012f16c 00540041 0x540041
...
...
...

Good buffer overflow case studies with complete analysis including assembly language tutorial can be found in Buffer Overflow Attacks book.

Buy from Amazon 

- Dmitry Vostokov @ DumpAnalysis.org -

4 Responses to “Crash Dump Analysis Patterns (Part 36)”

  1. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 55) Says:

    […] it’s time to write about Wild Pointer pattern I briefly mentioned in Local Buffer Overflow post which shows examples of pointers having UNICODE structure in their values. I have also […]

  2. Crash Dump Analysis » Blog Archive » Icons for Memory Dump Analysis Patterns (Part 58) Says:

    […] we introduce an icon for Local Buffer Overflow […]

  3. Crash Dump Analysis » Blog Archive » Crash Dump Analysis Patterns (Part 110) Says:

    […] Experts Magazine Online Shared Buffer Overwrite differs from Local Buffer Overflow and heap / pool corruption patterns in not writing over control structures situated at […]

  4. Dmitry Vostokov Says:

    We may also see “Security check failure or stack buffer overrun” c0000409 Translated Exception pointing to c0000005, for example.

Leave a Reply