Software Diagnostics Library

In Search of Lost CID

Friday, July 11th, 2008

Paraphrasing the title of Marcel Proust’s “In Search of Lost Time” 6-volume classic we can say there is timeless empirical knowledge. One is target CID (Client ID, PID:TID) for RPC calls. We just need to search for even 16-bit numbers and compare them with the list of available PIDs. The example can be found on ntdebugging blog:

Tracking Down a Multi-Process Deadlock

Actually the second dword after PID can contain even 16-bit TID number as can be seen from another example:

1: kd> kv ChildEBP RetAddr Args to Child [...] 00faf828 7778c38b 00faf8f0 00faf9f0 06413b54 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x112 00faf908 776c0565 06413b54 00fafa00 00faf9f0 ole32!CRpcChannelBuffer::SendReceive2+0xd3 00faf974 776c04fa 06413b54 00fafa00 00faf9f0 ole32!CAptRpcChnl::SendReceive+0xab 00faf9c8 77ce247f 06413b54 00fafa00 00faf9f0 ole32!CCtxComChnl::SendReceive+0×1a9 00faf9e4 77ce252f 03213bdc 00fafa2c 0600016e RPCRT4!NdrProxySendReceive+0×43 00fafdcc 77ce25a6 763050e8 76306bba 00fafe04 RPCRT4!NdrClientCall2+0×206 00fafdec 77c64f87 0000000c 00000005 00fafe3c RPCRT4!ObjectStublessClient+0×8b 00fafdfc 7784ba75 03213bdc 03235858 03235850 RPCRT4!ObjectStubless+0xf […]

1: kd> dpp 06413b54 l8 06413b54 77672418 7778bcdf ole32!CRpcChannelBuffer::QueryInterface 06413b58 776723e8 777267f5 ole32!CRpcChannelBuffer::QueryInterface 06413b5c 00000003 06413b60 00000002 06413b64 0743fde8 0316f080 06413b68 07676528 031d5ad0 06413b6c 064c9c80 064c9d00 06413b70 078843c0 00000000

1: kd> dd 064c9c80 l4 064c9c80 064c9d00 064c9c00 00003108 00001dac ; PID TID

I have been using this technique for a long time and only now see it documented.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, WinDbg Tips and Tricks | 3 Comments »

Crash Dump Analysis Patterns (Part 71)

Friday, July 11th, 2008

Dynamic memory corruption patterns in user and kernel spaces are specializations of one big parent pattern called Corrupt Structure because crashes there happen due to corrupt or overwritten heap or pool control structures (for the latter see Double Free pattern). Another frequently seen specialization is called Critical Section Corruption which is the subject of this post. Critical sections are linked together through statically pre-allocated or heap-allocated helper structure (shown in magenta) although themselves they can be stored anywhere from static and stack area to heap:

0:001> dt -r1 ntdll!_RTL_CRITICAL_SECTION 77795240 +0×000 DebugInfo : 0×00175d28 _RTL_CRITICAL_SECTION_DEBUG +0×000 Type : 0 +0×002 CreatorBackTraceIndex : 0 +0×004 CriticalSection : 0×77795240 _RTL_CRITICAL_SECTION +0×008 ProcessLocksList : _LIST_ENTRY [ 0×173a08 - 0×173298 ] +0×010 EntryCount : 0 +0×014 ContentionCount : 0 +0×018 Spare : [2] 0 +0×004 LockCount : -1 +0×008 RecursionCount : 0 +0×00c OwningThread : (null) +0×010 LockSemaphore : (null) +0×014 SpinCount : 0

0:001> !address 77795240 77670000 : 77792000 - 00005000 Type 01000000 MEM_IMAGE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageImage FullPath C:\WINDOWS\system32\ole32.dll

0:001> !address 0×00175d28 00140000 : 00173000 - 0000d000 Type 00020000 MEM_PRIVATE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageHeap Handle 00140000

0:000> !locks

CritSec ntdll!LdrpLoaderLock+0 at 7c8877a0 WaiterWoken No LockCount 0 RecursionCount 1 OwningThread 1184 EntryCount 0 ContentionCount b04707 *** Locked

0:000> dt -r1 _RTL_CRITICAL_SECTION 7c8877a0 +0×000 DebugInfo : 0×7c8877c0 _RTL_CRITICAL_SECTION_DEBUG +0×000 Type : 0 +0×002 CreatorBackTraceIndex : 0 +0×004 CriticalSection : 0×7c8877a0 _RTL_CRITICAL_SECTION +0×008 ProcessLocksList : _LIST_ENTRY [ 0×7c887be8 - 0×7c887bc8 ] +0×010 EntryCount : 0 +0×014 ContentionCount : 0xb04707 +0×018 Spare : [2] 0 +0×004 LockCount : -2 +0×008 RecursionCount : 1 +0×00c OwningThread : 0×00001184 +0×010 LockSemaphore : 0×0000013c +0×014 SpinCount : 0

0:000> !address 7c8877a0 7c800000 : 7c887000 - 00003000 Type 01000000 MEM_IMAGE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageImage FullPath C:\WINDOWS\system32\ntdll.dll

0:000> !address 0×7c8877c0 7c800000 : 7c887000 - 00003000 Type 01000000 MEM_IMAGE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageImage FullPath C:\WINDOWS\system32\ntdll.dll

Consider the case when CRITICAL_SECTION is defined on a stack and there was Local Buffer Overflow overwriting DebugInfo pointer. Then we have an example of Wild Pointer pattern and traversing the list of critical sections from this point will diverge into completely unrelated memory area or stop there. Consider another example of heap corruption or race condition overwriting ProcessLocksList or CriticalSection pointer. Then we have an instance of Wild Pointer pattern illustrated below:

0:000> !locks

CritSec ntdll!LdrpLoaderLock+0 at 7c8877a0 WaiterWoken No LockCount 0 RecursionCount 1 OwningThread 1184 EntryCount 0 ContentionCount b04707 *** Locked

CritSec +1018de08 at 1018de08 WaiterWoken Yes LockCount -49153 RecursionCount 5046347 OwningThread 460050 EntryCount 0 ContentionCount 0 *** Locked

CritSec +1018ddd8 at 1018ddd8 WaiterWoken Yes LockCount -1 RecursionCount 0 OwningThread 0 *** Locked

CritSec +1018de28 at 1018de28 WaiterWoken Yes LockCount -1 RecursionCount 0 OwningThread 0 *** Locked

CritSec +1018de08 at 1018de08 WaiterWoken Yes LockCount -49153 RecursionCount 5046347 OwningThread 460050 EntryCount 0 ContentionCount 0 *** Locked

CritSec +1018de28 at 1018de28 WaiterWoken Yes LockCount -1 RecursionCount 0 OwningThread 0 *** Locked

CritSec +1018ddd8 at 1018ddd8 WaiterWoken Yes LockCount -1 RecursionCount 0 OwningThread 0 *** Locked

Scanned 841 critical sections

We see the signs of corruption at 1018de08 address which is interpreted as pointing to a locked critical section. To see where the corruption started we need to look at the list of all critical sections either locked or not locked:

0:000> !locks -v

CritSec ntdll!RtlCriticalSectionLock+0 at 7c887780 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 28

CritSec ntdll!LdrpLoaderLock+0 at 7c8877a0 WaiterWoken No LockCount 0 RecursionCount 1 OwningThread 1184 EntryCount 0 ContentionCount b04707 *** Locked

CritSec ntdll!FastPebLock+0 at 7c887740 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 42c9

CritSec ntdll!RtlpCalloutEntryLock+0 at 7c888ea0 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec ntdll!PMCritSect+0 at 7c8883c0 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec ntdll!UMLogCritSect+0 at 7c888400 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec ntdll!RtlpProcessHeapsListLock+0 at 7c887960 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec +80608 at 00080608 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 22

[...]

CritSec cabinet!_adbgmsg+13c at 74fb4658 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec +c6c17c at 00c6c17c LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec +c6c0e4 at 00c6c0e4 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec at 1018de08 does not point back to the debug info at 00136a40 Perhaps the memory that held the critical section has been reused without calling DeleteCriticalSection() ?

CritSec +1018de08 at 1018de08 WaiterWoken Yes LockCount -49153 RecursionCount 5046347 OwningThread 460050 EntryCount 0 ContentionCount 0 *** Locked

CritSec at 1018ddd8 does not point back to the debug info at 00136a68 Perhaps the memory that held the critical section has been reused without calling DeleteCriticalSection() ?

CritSec +1018ddd8 at 1018ddd8 WaiterWoken Yes LockCount -1 RecursionCount 0 OwningThread 0 *** Locked

[...]

We see that the problem appears when the heap-allocated critical section at 00c6c0e4 address is linked to an inconsistent critical section at 0×1018de08 address where memory contains UNICODE string fragment:

0:000> !address 00c6c0e4 00c60000 : 00c60000 - 00010000 Type 00020000 MEM_PRIVATE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageHeap Handle 00c60000

0:000> dt -r1 _RTL_CRITICAL_SECTION 00c6c0e4 +0x000 DebugInfo : 0x00161140 _RTL_CRITICAL_SECTION_DEBUG +0x000 Type : 0 +0x002 CreatorBackTraceIndex : 0 +0x004 CriticalSection : 0x00c6c0e4 _RTL_CRITICAL_SECTION +0×008 ProcessLocksList : _LIST_ENTRY [ 0×136a48 - 0×119f58 ] +0×010 EntryCount : 0 +0×014 ContentionCount : 0 +0×018 Spare : [2] 0 +0×004 LockCount : -1 +0×008 RecursionCount : 0 +0×00c OwningThread : (null) +0×010 LockSemaphore : (null) +0×014 SpinCount : 0

0:000> dt -r _RTL_CRITICAL_SECTION_DEBUG 0×00136a48-0×008 +0×000 Type : 0 +0×002 CreatorBackTraceIndex : 0 +0×004 CriticalSection : 0×1018de08 _RTL_CRITICAL_SECTION +0×000 DebugInfo : 0×000d001b _RTL_CRITICAL_SECTION_DEBUG +0×000 Type : 0 +0×002 CreatorBackTraceIndex : 0 +0×004 CriticalSection : (null) +0×008 ProcessLocksList : _LIST_ENTRY [ 0×0 - 0×0 ] +0×010 EntryCount : 0 +0×014 ContentionCount : 0×37e3c700 +0×018 Spare : [2] 0×8000025 +0×004 LockCount : 196609 +0×008 RecursionCount : 5046347 +0×00c OwningThread : 0×00460050 +0×010 LockSemaphore : 0×00310033 +0×014 SpinCount : 0×520044 +0×008 ProcessLocksList : _LIST_ENTRY [ 0×136a70 - 0×161148 ] +0×000 Flink : 0×00136a70 _LIST_ENTRY [ 0×136a98 - 0×136a48 ] +0×000 Flink : 0×00136a98 _LIST_ENTRY [ 0×136ae8 - 0×136a70 ] +0×004 Blink : 0×00136a48 _LIST_ENTRY [ 0×136a70 - 0×161148 ] +0×004 Blink : 0×00161148 _LIST_ENTRY [ 0×136a48 - 0×119f58 ] +0×000 Flink : 0×00136a48 _LIST_ENTRY [ 0×136a70 - 0×161148 ] +0×004 Blink : 0×00119f58 _LIST_ENTRY [ 0×161148 - 0×16cc3c0 ] +0×010 EntryCount : 0 +0×014 ContentionCount : 0 +0×018 Spare : [2] 0×2e760000

0:000> !address 0x1018de08 10120000 : 10120000 - 00100000 Type 00020000 MEM_PRIVATE Protect 00000004 PAGE_READWRITE State 00001000 MEM_COMMIT Usage RegionUsageIsVAD

The address points miraculously to some DLL:

0:000> du 1018de08 1018de08 "....componentA.dll"

We might suggest that componentA.dll played some role there.

There are other messages from verbose version of !locks WinDbg command pointing to critical section problems:

CritSec componentB!Section+0 at 74004008 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

The CritSec componentC!Info+c at 72455074 has been RE-INITIALIZED. The critical section points to DebugInfo at 00107cc8 instead of 000f4788

CritSec componentC!Info+c at 72455074 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

CritSec componentD!foo+8ec0 at 0101add0 LockCount NOT LOCKED RecursionCount 0 OwningThread 0 EntryCount 0 ContentionCount 0

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging | 3 Comments »

Crash Dump Analysis in Russian

Friday, July 11th, 2008

Finally I decided to translate selected blog posts into Russian language to make them available for Russian search engines and additionally improve, or better to say, restore my native language skills because I have been reading and writing mostly in English for the last 8 years:

Анализ Дампов Памяти

I also hope that the ongoing translation will help me in the future to publish Memory Dump Analysis Anthology in Russian language.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Announcements, Publishing | No Comments »

Archive for July 11th, 2008

In Search of Lost CID

Crash Dump Analysis Patterns (Part 71)

Crash Dump Analysis in Russian

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta

July 2008
M	T	W	T	F	S	S
« Jun				Aug »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31