Crash Dump Analysis Patterns (Part 10a)

Optimized VM Layout is a specialization of the general Changed Environment pattern in which whole modules are moved in virtual memory by changing their load order and load addresses. This can expose dormant bugs, and a usual workaround is to disable such external optimization programs or services, or to add the applications that misbehave to their exclusion lists. Some optimized virtual memory cases can easily be detected by looking at the module list, where system DLLs are remapped to lower addresses instead of the 0x7X000000 range:

0:000> lm
start    end        module name
00400000 00416000   Application
00470000 0050b000   advapi32
00520000 00572000   shlwapi
02340000 023cb000   oleaut32

04b80000 0523e000   System_Data_ni
1a400000 1a524000   urlmon
4dd60000 4df07000   GdiPlus
5f120000 5f12e000   ntlanman
5f860000 5f891000   netui1
5f8a0000 5f8b6000   netui0
637a0000 63d28000   System_Xml_ni
64890000 6498c000   System_Configuration_ni
64e70000 6515c000   System_Data
65ce0000 65ecc000   System_Web_Services_ni
71bd0000 71be1000   mpr
71bf0000 71bf8000   ws2help
71c00000 71c17000   ws2_32
71c20000 71c32000   tsappcmp
71c40000 71c97000   netapi32
73070000 73097000   winspool
75e90000 75e97000   drprov
75ea0000 75eaa000   davclnt
76190000 761a2000   msasn1
761b0000 76243000   crypt32
76a80000 76a92000   atl
76b80000 76bae000   credui
76dc0000 76de8000   adsldpc
76df0000 76e24000   activeds
76f00000 76f08000   wtsapi32
76f10000 76f3e000   wldap32
771f0000 77201000   winsta
77670000 777a9000   ole32
77ba0000 77bfa000   msvcrt
78130000 781cb000   msvcr80
79000000 79046000   mscoree
79060000 790b6000   mscorjit
790c0000 79bf6000   mscorlib_ni
79e70000 7a3ff000   mscorwks
7a440000 7ac2a000   System_ni
7ade0000 7af7c000   System_Drawing_ni
7afd0000 7bc6c000   System_Windows_Forms_ni
7c340000 7c396000   msvcr71
7c8d0000 7d0ce000   shell32
7d4c0000 7d5f0000   kernel32
7d600000 7d6f0000   ntdll
7d800000 7d890000   gdi32
7d8d0000 7d920000   secur32
7d930000 7da00000   user32
7da20000 7db00000   rpcrt4
7dbd0000 7dcd3000   comctl32
7df50000 7dfc0000   uxtheme
7e020000 7e02f000   samlib

A similar address space reshuffling happens with ASLR-enabled applications, with the difference that system modules are never remapped below 0x70000000.
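As an added example (not part of the original post), the following Python script applies the check described above to captured lm output: it flags well-known system DLLs whose load address is below 0x70000000, which distinguishes an optimized VM layout from a normal or ASLR layout. The two listings are constructed subsets of the output above, and the set of system DLL names is an assumption for illustration.

```python
import re

# Constructed lm output for a 32-bit process with an optimized VM layout
# (system DLLs remapped to low addresses), abbreviated from the listing above.
OPTIMIZED_LM = """\
start    end        module name
00400000 00416000   Application
00470000 0050b000   advapi32
00520000 00572000   shlwapi
02340000 023cb000   oleaut32
71c00000 71c17000   ws2_32
7d4c0000 7d5f0000   kernel32
7d600000 7d6f0000   ntdll
"""

# Constructed lm output for the same process without remapping (normal/ASLR layout).
NORMAL_LM = """\
start    end        module name
00400000 00416000   Application
71c00000 71c17000   ws2_32
77dd0000 77e6b000   advapi32
7d4c0000 7d5f0000   kernel32
7d600000 7d6f0000   ntdll
"""

# Assumed set of system DLLs that normally load in the 0x7X000000 range on 32-bit Windows.
SYSTEM_DLLS = {"advapi32", "shlwapi", "oleaut32", "ws2_32", "kernel32", "ntdll",
               "user32", "gdi32", "ole32", "rpcrt4", "shell32", "msvcrt"}

# System modules below this address are treated as remapped (32-bit process layout).
LOW_BOUNDARY = 0x70000000

# One module line: 8-hex-digit start, 8-hex-digit end, module name. The header line does not match.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(\S+)", re.M)


def parse_lm(text):
    """Return a list of (start, end, name) tuples for every module line in lm output."""
    return [(int(m.group(1), 16), int(m.group(2), 16), m.group(3))
            for m in LINE_RE.finditer(text)]


def find_remapped_system_dlls(text, system_dlls=SYSTEM_DLLS, boundary=LOW_BOUNDARY):
    """Return sorted names of known system DLLs loaded below the boundary address."""
    return sorted(name for start, _end, name in parse_lm(text)
                  if name.lower() in system_dlls and start < boundary)


def is_optimized_vm_layout(text):
    """True when at least one system DLL has been remapped below 0x70000000."""
    return bool(find_remapped_system_dlls(text))
```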

 - Dmitry Vostokov @ DumpAnalysis.org -
