Archive for February 4th, 2009

NULL code pointer, changed environment, hooked functions and execution residue: pattern cooperation

Wednesday, February 4th, 2009

After an upgrade to a new version of a productivity software package, one unrelated application started to crash frequently. A crash dump was collected, and the following stack trace pointed to a NULL code pointer:

0:000> r
eax=09680104 ebx=0013aefc ecx=0968a710 edx=0cdc0c0c esi=16a19058 edi=00000001
eip=00000000 esp=0013aea8 ebp=0013aeb8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
00000000 ??              ???

0:000> k 100
ChildEBP RetAddr 
WARNING: Frame IP not in any known module. Following frames may be wrong.
0013aea4 096e28a0 0x0
0013aeb8 32e688bd dllC!Abort+0x10
0013aec8 32c82395 dllB+0x589e
0013aed8 32865718 dllB+0x18f1
[…]
0013b0c0 314de1ff dllB+0x4c6
0013b154 31293494 dllA!DllGetLCID+0x46d2d
0013b178 312af217 dllA!DllGetClassObject+0x4e896
[…]
0013f3d0 300e8721 dllA!DllGetClassObject+0x69e42
0013f578 300e7f5a application+0xcff5
[…]
0013ffc0 7c816ff7 application+0x51d5
0013fff0 00000000 kernel32!BaseProcessStart+0x23

To see whether the changed environment had affected this application, the presence of DLL hooks was checked. The following hooked functions were found in user32.dll:

0:000> !chkimg -lo 50 -d !user32 -v
Searching for module with expression: !user32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\USER32.dll\45F02D7C90000\USER32.dll
No range specified

Scanning section:    .text
Size: 389095
Range to scan: 7e411000-7e46ffe7
    7e4188a6-7e4188aa  5 bytes - USER32!GetWindowLongW
 [ 6a 08 68 e0 88:e9 55 77 a4 01 ]
    7e418f9c-7e418fa0  5 bytes - USER32!GetSystemMetrics (+0x6f6)
 [ 6a 10 68 00 90:e9 5f 70 b5 01 ]
    7e41945d-7e419461  5 bytes - USER32!GetWindowLongA (+0x4c1)
 [ 6a 10 68 78 9f:e9 f5 60 a2 01 ]
    7e41b6ae-7e41b6b2  5 bytes - USER32!GetClientRect (+0x17a8)
 [ 8b ff 55 8b ec:e9 4d 49 9f 01 ]
    7e41b6d4-7e41b6d8  5 bytes - USER32!GetWindowRect (+0x26)
 [ b8 74 11 00 00:e9 98 30 af 01 ]
    7e41d60d-7e41d611  5 bytes - USER32!SetWindowLongA (+0x6aa)
 [ 8b ff 55 8b ec:e9 ee 29 a5 01 ]
    7e41d62b-7e41d62f  5 bytes - USER32!SetWindowLongW (+0x1e)
 [ 6a 08 68 28 f5:e9 0e 0b b2 01 ]
    7e41fc25-7e41fc29  5 bytes - USER32!CreateWindowExW (+0x738)
 [ 8b ff 55 8b ec:e9 d6 03 b6 01 ]
    7e41ff33-7e41ff37  5 bytes - USER32!CreateWindowExA (+0x30e)
Total bytes compared: 389095(100%)
Number of errors: 52
52 errors : !user32 (7e4188a6-7e42e8d5)

The hooking DLL was found to be from that upgraded package:

0:000> u 7e4188a6
USER32!GetWindowLongW:
7e4188a6 e95577a401      jmp     7fe60000
7e4188ab 41              inc     ecx
7e4188ac 7ee8            jle     USER32!_GetWindowLong+0xda (7e418896)
7e4188ae 0e              push    cs
7e4188af fd              std
7e4188b0 ff              ???
7e4188b1 ff8b4d08e816    dec     dword ptr [ebx+16E8084Dh]
7e4188b7 fc              cld

0:000> u 7fe60000
7fe60000 e9bb62b080      jmp     hookA+0x62c0 (009662c0)
7fe60005 6a08            push    8
7fe60007 68e088417e      push    offset USER32!`string'+0x34 (7e4188e0)
7fe6000c e99c885bfe      jmp     USER32!GetWindowLongW+0x7 (7e4188ad)
7fe60011 0000            add     byte ptr [eax],al
7fe60013 0000            add     byte ptr [eax],al
7fe60015 0000            add     byte ptr [eax],al
7fe60017 0000            add     byte ptr [eax],al

0:000> lmv m hookA
start    end        module name
00960000 00976000   hookA     (no symbols)          
    Loaded symbol image file: hookA.dll
    Image path: C:\Program Files\CompanyA\hookA.dll
    Image name: hookA.dll
    […]
    ProductName:      ProductA
    […]
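The hook chain above (patched prologue, trampoline page, hooking module) can be walked mechanically from the debugger output. The following Python script is an added example; it is not code from the original post or from any product involved. It parses `!chkimg -d` entries of the kind shown above, decodes each 5-byte `E9` jmp to its rel32 target, follows the trampoline one hop further using the bytes `u 7fe60000` displayed, and reports which module the chain ends in. The hookA range comes from `lmv` above; the USER32 load range, the embedded `!chkimg` lines and the trampoline bytes are sample data constructed from this page, with the USER32 end address an assumption.

```python
"""Decode inline (E9 jmp) hooks reported by WinDbg `!chkimg -d` and attribute them to a module.
Added example, not code from the original post; sample data constructed from the page's output."""
import re
import struct

# Constructed sample: `!chkimg -d` lines as shown on the page (the last entry's byte line is missing,
# as it is in the page's own truncated output).
CHKIMG_SAMPLE = """\
    7e4188a6-7e4188aa  5 bytes - USER32!GetWindowLongW
 [ 6a 08 68 e0 88:e9 55 77 a4 01 ]
    7e418f9c-7e418fa0  5 bytes - USER32!GetSystemMetrics (+0x6f6)
 [ 6a 10 68 00 90:e9 5f 70 b5 01 ]
    7e41b6ae-7e41b6b2  5 bytes - USER32!GetClientRect (+0x17a8)
 [ 8b ff 55 8b ec:e9 4d 49 9f 01 ]
    7e41ff33-7e41ff37  5 bytes - USER32!CreateWindowExA (+0x30e)
"""

# Sparse memory image: the trampoline bytes `u 7fe60000` displayed
# (jmp hookA+0x62c0, the five stolen prologue bytes, jmp back to GetWindowLongW+7).
MEMORY = {
    0x7FE60000: bytes.fromhex("e9bb62b080" "6a08" "68e088417e" "e99c885bfe"),
}

# Module map in `lmv` form: (start, end, name). hookA is from the page; the USER32 range is an
# assumption (XP SP2 default base and size); only the bracket matters for attribution.
MODULES = [
    (0x00960000, 0x00976000, "hookA"),
    (0x7E410000, 0x7E4A1000, "USER32"),
]

_HDR = re.compile(r"^\s*([0-9a-f]{8})-([0-9a-f]{8})\s+(\d+) bytes - (\S+)", re.I)
_BYTES = re.compile(r"^\s*\[\s*([0-9a-f ]+):([0-9a-f ]+)\]", re.I)


def parse_chkimg(text):
    """Return [(symbol, start, original_bytes, patched_bytes)] from `!chkimg -d` output.
    A header with no following byte line (truncated output) gets empty byte strings."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = _HDR.match(lines[i])
        if not m:
            i += 1
            continue
        start, symbol = int(m.group(1), 16), m.group(4)
        orig = patched = b""
        if i + 1 < len(lines):
            b = _BYTES.match(lines[i + 1])
            if b:
                orig = bytes.fromhex(b.group(1).replace(" ", ""))
                patched = bytes.fromhex(b.group(2).replace(" ", ""))
                i += 1
        entries.append((symbol, start, orig, patched))
        i += 1
    return entries


def jmp_target(addr, code):
    """Decode a 5-byte `E9 rel32` jmp located at addr; None if the bytes are not such a jmp."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]          # rel32 is signed
    return (addr + 5 + rel) & 0xFFFFFFFF                 # relative to the next instruction


def module_for(addr, modules=MODULES):
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def read_bytes(memory, addr, n):
    """Read n bytes from a sparse memory map, or None if that range was not dumped."""
    for base, blob in memory.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base:addr - base + n]
    return None


def follow_jmp_chain(addr, first_bytes, memory=MEMORY, modules=MODULES, max_hops=8):
    """Follow E9 jmps, starting from the patched bytes at addr, until the chain lands in a
    module other than the hooked one, reaches bytes that were not dumped, or loops."""
    home = module_for(addr, modules)
    hops, seen, code = [], set(), first_bytes
    for _ in range(max_hops):
        target = jmp_target(addr, code)
        if target is None or target in seen:
            break
        seen.add(target)
        hops.append(target)
        if module_for(target, modules) not in (None, home):
            break                                        # landed inside a known module
        code = read_bytes(memory, target, 5)
        if code is None:
            break                                        # target page not dumped
        addr = target
    return hops


def attribute_hooks(text=CHKIMG_SAMPLE, memory=MEMORY, modules=MODULES):
    """Map each hooked export to (jmp chain, owning module or '?')."""
    result = {}
    for symbol, start, _orig, patched in parse_chkimg(text):
        hops = follow_jmp_chain(start, patched, memory, modules)
        owner = module_for(hops[-1], modules) if hops else None
        result[symbol] = (hops, owner or "?")
    return result


if __name__ == "__main__":
    for symbol, (hops, owner) in attribute_hooks().items():
        print(symbol, " -> ".join(f"{h:08x}" for h in hops) or "(no jmp)", "=>", owner)
```

GetWindowLongW resolves to hookA through the 7fe60000 trampoline; the other entries stay unresolved because their trampoline pages were not dumped, and the truncated CreateWindowExA entry yields no target at all. Both cases are reported rather than guessed. In a live session the same walk is `u` on each target followed by `lm a <address>` to name the module containing it.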

Execution residue from the hookA module was also found on the problem thread's raw stack, and it looks like real code (not coincidental symbolic information):

0:000> !teb
TEB at 7ffdf000
    ExceptionList:        0013f02c
    StackBase:            00140000
    StackLimit:           0010c000

    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdf000
    EnvironmentPointer:   00000000
    ClientId:             00000c38 . 00000840
    RpcHandle:            00000000
    Tls Storage:          00163268
    PEB Address:          7ffdb000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0

0:000> dds 0010c000 00140000
0010c000  00000000
0010c004  00000000
0010c008  00000000
[…]
00121f50  0096d7d1*** ERROR: Module load completed but symbols could not be loaded for hookA.dll
 hookA+0xd7d1

00121f54  00009924
00121f58  00121fb4
00121f5c  00000000
00121f60  00121f9c
00121f64  0096d895 hookA+0xd895
00121f68  00121f78
00121f6c  00000000
00121f70  00122008
00121f74  00000000
00121f78  00000000
00121f7c  00000000
00121f80  00000000
00121f84  00121f6c
00121f88  000001fe
00121f8c  001220fc
00121f90  0096ec98 hookA+0xec98
00121f94  00970e48 hookA+0x10e48
00121f98  00121fb4
00121f9c  7e41b6a3 USER32!_GetClientRect+0x6e
00121fa0  00122008
00121fa4  fffffa01
[…]

0:000> u 0096d895
hookA+0xd895:
0096d895 8bc6            mov     eax,esi
0096d897 8b4df0          mov     ecx,dword ptr [ebp-10h]
0096d89a 64890d00000000  mov     dword ptr fs:[0],ecx
0096d8a1 5f              pop     edi
0096d8a2 5e              pop     esi
0096d8a3 5b              pop     ebx
0096d8a4 8be5            mov     esp,ebp
0096d8a6 5d              pop     ebp

0:000> ub 0096d895
hookA+0xd876:
0096d876 8b65e8          mov     esp,dword ptr [ebp-18h]
0096d879 be0d000000      mov     esi,0Dh
0096d87e c745fcffffffff  mov     dword ptr [ebp-4],0FFFFFFFFh
0096d885 eb05            jmp     hookA+0xd88c (0096d88c)
0096d887 be72000000      mov     esi,72h
0096d88c 8d55dc          lea     edx,[ebp-24h]
0096d88f 52              push    edx
0096d890 e8fbfeffff      call    hookA+0xd790 (0096d790)
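The `ub` display above is what turns a value that merely falls inside hookA into evidence of execution: the instruction ending at hookA+0xd895 is a `call`, so 0096d895 is a return address. The following Python script is an added example, not code from the original post; it applies that check to `dds` output. It keeps only stack values inside a known module and then looks for a `call` ending at that address (direct `E8 rel32`, or the indirect `FF 15` and `FF D0..D7` forms), decoding the callee for the direct form. The `dds` slots, the hookA bytes and the module map are constructed from this page's output, and the USER32 load range is an assumption.

```python
"""Raw-stack residue check: is a module-pointing stack value a return address?
Added example, not code from the original post; sample data constructed from the page's output."""
import re
import struct

# Constructed from the `dds 0010c000 00140000` output above (a few slots around 00121f50).
DDS_SAMPLE = """\
00121f50  0096d7d1 hookA+0xd7d1
00121f54  00009924
00121f58  00121fb4
00121f64  0096d895 hookA+0xd895
00121f90  0096ec98 hookA+0xec98
00121f94  00970e48 hookA+0x10e48
00121f9c  7e41b6a3 USER32!_GetClientRect+0x6e
"""

# Sparse memory: the bytes `ub 0096d895` and `u 0096d895` showed, starting at hookA+0xd876.
MEMORY = {
    0x0096D876: bytes.fromhex(
        "8b65e8" "be0d000000" "c745fcffffffff" "eb05" "be72000000"
        "8d55dc" "52" "e8fbfeffff" "8bc6"),
}

# (start, end, name): hookA from `lmv` above; the USER32 range is an assumption (XP SP2 default).
MODULES = [(0x00960000, 0x00976000, "hookA"), (0x7E410000, 0x7E4A1000, "USER32")]

_DDS = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})", re.I)


def parse_dds(text):
    """Return [(stack_slot, value)] from `dds` output; symbol annotations are ignored."""
    return [(int(m.group(1), 16), int(m.group(2), 16))
            for m in map(_DDS.match, text.splitlines()) if m]


def module_for(addr, modules=MODULES):
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None


def read_bytes(memory, addr, n):
    """Read n bytes from a sparse memory map, or None if that range was not dumped."""
    for base, blob in memory.items():
        if base <= addr and addr + n <= base + len(blob):
            return blob[addr - base:addr - base + n]
    return None


def call_before(addr, memory=MEMORY):
    """Return (length, callee) if the instruction ending at addr is a CALL, else None.
    E8 rel32 gives the callee; the indirect forms (FF 15 disp32, FF D0..D7 call reg) give None."""
    five = read_bytes(memory, addr - 5, 5)
    if five and five[0] == 0xE8:
        rel = struct.unpack_from("<i", five, 1)[0]
        return 5, (addr + rel) & 0xFFFFFFFF                # rel32 is relative to addr itself
    six = read_bytes(memory, addr - 6, 6)
    if six and six[0] == 0xFF and six[1] == 0x15:
        return 6, None
    two = read_bytes(memory, addr - 2, 2)
    if two and two[0] == 0xFF and 0xD0 <= two[1] <= 0xD7:
        return 2, None
    return None


def classify_residue(text=DDS_SAMPLE, memory=MEMORY, modules=MODULES):
    """For every stack value inside a module, report (slot, value, module, verdict, callee).
    'return address' means a CALL ends at that value; otherwise the dumped bytes cannot show it."""
    rows = []
    for slot, value in parse_dds(text):
        mod = module_for(value, modules)
        if mod is None:
            continue                                       # stack pointers, counters, etc.
        call = call_before(value, memory)
        if call:
            rows.append((slot, value, mod, "return address", call[1]))
        else:
            rows.append((slot, value, mod, "in-module value, no CALL readable before it", None))
    return rows


if __name__ == "__main__":
    for slot, value, mod, verdict, callee in classify_residue():
        extra = f" (callee {callee:08x})" if callee is not None else ""
        print(f"{slot:08x}  {value:08x}  {mod:7}  {verdict}{extra}")
```

Only hookA+0xd895 is confirmed here, with callee hookA+0xd790 exactly as `ub` showed; the other hookA values would need their preceding bytes dumped to be confirmed. The `E8` test is necessary, not sufficient: a stray 0xE8 five bytes before an address passes it too, which is why the page's `ub` disassembly backwards from the address is the stronger check.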

The upgraded package was found to install DLL hooks intended to improve the productivity and ease of use of GUI applications. Fortunately it was possible to disable that hook on a per-application basis, and the application crashes disappeared.

- Dmitry Vostokov @ DumpAnalysis.org -

2008 in Retrospection

Wednesday, February 4th, 2009

The number of visits per month increased by 50% by the end of the year, with more than 125,000 unique visitors in 2008 from 180 countries (150 in 2007), and almost 34% of them coming back. Here are the top 100 network locations out of almost 24,000:

Visits  Network Location
  7849  microsoft corp
  6206  insignium llc
  3603  comcast cable communications inc.
  3260  road runner holdco llc
  2263  verizon internet services inc.
  1818  comite gestor da internet no brasil
  1804  deutsche telekom ag
  1736  hewlett-packard company
  1667  network of citrix systems inc
  1582  eircom ltd
  1569  japan network information center
  1419  reliance communications ltd
  1414  videsh sanchar nigam ltd - india.
  1371  chunghwa telecom data communication business group
  1228  symantec corporation
  1167  unknown
  1098  data general corporation
  1096  microsoft european internet data centres
  1074  comcast cable communications
  1048  bellsouth.net inc.
  1025  ip pools
   987  intel corporation
   967  charter communications
   960  nib (national internet backbone)
   895  korea telecom
   885  cncgroup beijing province network
   875  cox communications
   835  comcast cable communications holdings inc
   785  proxad / free sas
   710  uunet non-portable customer assignment
   675  shaw communications inc.
   662  citrix systems inc.
   660  xo communications
   655  cox communications inc.
   646  comcast cable communications ip services
   617  qwest communications corporation
   571  krnic
   566  rcs & rds s.a.
   551  jarvis universal purchase company
   545  chinanet guangdong province network
   541  optimum online (cablevision systems)
   540  computer associates international
   540  telstra internet
   514  dell computer corporation
   509  rogers cable communications inc.
   506  axa-tech
   492  provider local registry
   487  chinanet shanghai province network
   454  performance systems international inc.
   445  telus communications inc.
   444  kintiskton llc
   443  at&t internet services
   434  arcor ag
   433  merrill lynch and company inc.
   428  ntt communications corporation
   426  easynet ltd
   419  research in motion limited
   399  iinet limited
   395  vmware inc.
   393  abts (karnataka)
   390  symantec inc
   389  hoshin gigamedia center inc.
   389  zao mtu-intel
   369  microsoft corporation
   356  telefonica de espana
   352  internet service provider
   351  time warner telecom inc.
   348  @home network japan
   342  telekom malaysia berhad
   341  sympatico hse
   327  network of ign arch. and design gb
   322  global crossing
   308  wipro technologies
   301  xdsl access and service provider in norway
   289  chinanet fujian province network
   283  at&t global network services
   277  comcast cable communications inc
   274  neostrada plus
   273  samtel
   272  oracle datenbanksysteme gmbh
   266  provider
   265  telecom italia net
   257  sun microsystems inc
   254  tiscali uk ltd
   251  starhub cable vision ltd
   251  telecom italia s.p.a. tin easy lite
   249  tw telecom holdings inc.
   247  earthlink inc.
   247  level 3 communications inc.
   245  kddi corporation
   242  comcast business communications inc.
   242  nvidia
   240  cisco systems inc.
   239  hanaro telecom inc.
   235  chinanet jiangsu province network
   234  internet provider of donetsk region
   230  videotron ltee
   229  xs4all internet bv
   224  gestión de direccionamiento uninet
   223  dynamic pools

Almost 66,000 Google search keywords (more than a 100% increase since 2007) pointed to the portal and this blog; the 100 most frequent:

Visits  Keyword
  2483  kifastsystemcallret
  1933  crash dump analysis
  1551  crash dump
  1072  ntdll!kifastsystemcallret
   852  dump analysis
   608  crash dumps
   560  windbg commands
   537  dumpanalysis.org/asmpedia
   537  vista crash dump
   521  kmode_exception_not_handled
   509  crashdump
   429  minidump
   412  win32 error 0n2
   395  memory dump analysis anthology
   362  dynamicbase aslr
   357  symbol file could not be found
   316  system_service_exception
   311  windbg
   298  memuon
   292  windbg analyze
   289  dmitry vostokov
   272  warning: frame ip not in any known module. following frames may be wrong.
   267  kernel32!pnlsuserinfo
   258  time travel debugging
   251  crash dump vista
   243  memory dump analysis
   236  minidump analysis
   230  getcontextstate failed, 0x80070026
   225  dumpanalysis.org
   218  dr watson vista
   206  windbg script
   205  "memory intelligence analysis"
   187  crash dump analyzer
   182  kernel_mode_exception_not_handled
   180  frame ip not in any known module
   179  windows crash dump analysis
   175  calling+kernel+functions+from+userspace
   172  minidump analyzer
   170  windows via c/c++
   169  dumpanalysis
   159  the stored exception information can be accessed via .ecxr.
   159  warning: stack unwind information not available. following frames may be wrong.
   158  pool corruption
   158  your debugger is not using the correct symbols
   157  error: symbol file could not be found
   156  windbg scripts
   143  drwtsn32 vista
   142  windbg cheat sheet
   136  minidump analyze
   134  adplus
   132  "memory dump analysis" download
   128  www.dump
   126  ibmsprem.exe
   125  session_has_valid_views_on_exit (ba)
   125  what is a crash dump
   122  bios disassembly ninjutsu uncovered
   122  the stored exception information can be accessed via .ecxr
   121  how to use windbg
   121  memory dump
   121  trap frame
   119  gdb teb
   118  type referenced: kernel32!pnlsuserinfo
   118  windows dump analysis
   115  savedump.exe
   113  bugcheck a
   113  windbg crash dump
   110  0x80070026
   110  dxg.sys
   109  dump analyzer
   106  windbg !analyze
   105  how to open corrupt memory dump
   104  kisystemservicecopyend
   103  exfreepoolwithtag
   102  dump
   101  windbg command
    99  obfreferenceobject
    96  analyze minidump
    95  forthcoming windows® debugging: practical foundations
    95  kiswapcontext
    93  failure_bucket_id
    91  ntdll kifastsystemcallret
    91  regionusageisvad
    90  c++ dereferencing null debug
    90  receivelotsacalls
    90  userdump
    89  debug_flr_image_timestamp
    89  kifastsystemcall
    87  bugcheck 3b
    86  "your debugger is not using the correct symbols"
    84  vista dr watson
    84  windows crash dump
    83  "flow analysis was incomplete, some code may be missing"
    83  practical foundations of debugging
    83  system_thread_exception_not_handled
    83  warning: frame ip not in any known module. following frames may be wrong
    83  windbg dump
    81  dd srvcomputername
    79  error: symbol file could not be found.
    78  windows dump analyzer
    77  crash analyzer

Special thanks to the 950 web sites that mention the portal and this blog; the top 100:

google.com
blogs.msdn.com
windbg.dumpanalysis.org
rsdn.ru
jasonhaley.com
dumpanalysis.com
dumpanalysis.org
stumbleupon.com
images.google.com
advancedwindowsdebugging.com
nynaeve.net
blog.flexilis.com
blog.not-a-kernel-guy.com
brianmadden.com
voneinem-windbg.blogspot.com
insidewindows.kr
forum.sysinternals.com
caloni.com.br
en.wikipedia.org
debuglab.com
reddit.com
winvistaclub.com
driveronline.org
127.0.0.1:12108
support.citrix.com
softwareastrology.com
managementbits.com
hanrss.com
opentask.com
msuiche.net
blog.naver.com
bloglines.com
blogs.microsoft.co.il
clausbrod.de
citrixblogger.org
images.google.co.uk
reconstructer.org
advdbg.org
community.citrix.com
google.co.kr
stackoverflow.com
citrite.org
mail.google.com
serious-code.net
shellexecute.wordpress.com
experts-exchange.com
google.co.uk
groups.google.com
wasm.ru
microsoft.com
images.google.co.in
dogpile.com
google.ca
images.google.de
del.icio.us
thinkdigit.com
google.co.in
blog.gamedeff.com
blogs.technet.com
ttoyota.com
goozydumps.wordpress.com
software.rkuster.com
users.livejournal.com
insidekernel.net
insiderim
jpassing.wordpress.com
10.1.12.201
d.hatena.ne.jp
google.ru
archut.net
isisaka.com
facebook.com
devnote.net
evilcodecave.wordpress.com
google-analytics.com
my.live.com
shm.polar.tw
64.233.183.104
technorati.com
delicious.com
tarasc0.blogspot.com
literatescientist.com
search.naver.com
linkedin.com
pubforum.info
twitter.com
nyx.cz
hongyver.pe.kr
cnblogs.com
bishop3000.livejournal.com
webmail.dumpanalysis.org
fafeng.blogbus.com
driverentry.com.br
gp32x.com
windowstips.wordpress.com
vahidnasiri.blogspot.com
209.85.173.104
images.google.ca
kerneldebugging.com

Top 25 visiting countries:

United States
United Kingdom
India
Germany
Canada
China
Russia
Japan
France
South Korea
Ireland
Australia
Taiwan
Netherlands
Israel
Italy
Sweden
Brazil
Singapore
Spain
Ukraine
Romania
Poland
Norway
Belgium

- Dmitry Vostokov @ DumpAnalysis.org -

The Source of Intuition about Infinite

Wednesday, February 4th, 2009

What is the source of our intuition about ∞, or ∞^∞, more powers of ∞, and even an ∞ number of powers? I believe that the underlying structure of our Universe, or at least of a universe as a model of the Universe, Infinite Memory, with perceived processes as limits and the Time Arrow as a bundle of sequences of memory pointers, provides the basis for our intuition about the infinite.

- Dmitry Vostokov @ DumpAnalysis.org