Software Diagnostics Library

Manual parameter reconstruction on x64 Windows systems

Friday, September 4th, 2009

Although the first 2 parameters are passed via registers RCX and RDX they are saved on a stack as the part of a function prolog (as can be seen in many examples from my book x64 Windows Debugging: Practical Foundations):

0:000> uf arithmetic FunctionParameters!arithmetic [c:\dumps\wdpf-x64\functionparameters\arithmetic.cpp @ 2]: 2 00000001`40001020 mov dword ptr [rsp+10h],edx 2 00000001`40001024 mov dword ptr [rsp+8],ecx 2 00000001`40001028 push rdi 3 00000001`40001029 mov eax,dword ptr [rsp+10h] 3 00000001`4000102d mov ecx,dword ptr [rsp+18h] 3 00000001`40001031 add ecx,eax 3 00000001`40001033 mov eax,ecx 3 00000001`40001035 mov dword ptr [rsp+18h],eax 4 00000001`40001039 mov eax,dword ptr [rsp+10h] 4 00000001`4000103d add eax,1 4 00000001`40001040 mov dword ptr [rsp+10h],eax 5 00000001`40001044 mov eax,dword ptr [rsp+10h] 5 00000001`40001048 imul eax,dword ptr [rsp+18h] 5 00000001`4000104d mov dword ptr [rsp+18h],eax 7 00000001`40001051 mov eax,dword ptr [rsp+18h] 8 00000001`40001055 pop rdi 8 00000001`40001056 ret

Notice that RDI is saved too. This helps us later in a more complex case. If we put a breakpoint at arithmetic entry we see that WinDbg is not able to get parameters from RCX and RDX:

0:000> bp 00000001`40001020

0:000> g ModLoad: 000007fe`ff4d0000 000007fe`ff5d8000 C:\Windows\system32\ADVAPI32.DLL ModLoad: 000007fe`fef80000 000007fe`ff0c3000 C:\Windows\system32\RPCRT4.dll Breakpoint 0 hit FunctionParameters!arithmetic: 00000001`40001020 89542410 mov dword ptr [rsp+10h],edx ss:00000000`0012fe88=cccccccc

0:000> kv Child-SP RetAddr : Args to Child : Call Site 00000000`0012fe78 00000001`400010a5 : cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc cccccccc`cccccccc : FunctionParameters!arithmetic 00000000`0012fe80 00000001`4000137c : 00000000`00000001 00000000`00282960 00000000`00000000 00000000`00000000 : FunctionParameters!main+0×35 00000000`0012fec0 00000001`4000114e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FunctionParameters!__tmainCRTStartup+0×21c 00000000`0012ff30 00000000`7776be3d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FunctionParameters!mainCRTStartup+0xe 00000000`0012ff60 00000000`778a6a51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd 00000000`0012ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0×1d

This seems correct approach in general because at the time of any other breakpoint in the middle of the code parameter passing registers could be already overwritten, for example, RCX at 0000000140001031. However, as soon as we execute the first two MOV instruction one by one, parameters appear on kv output one by one too:

0:000> t ModLoad: 000007fe`fd810000 000007fe`fd845000 C:\Windows\system32\apphelp.dll FunctionParameters!arithmetic+0x4: 00000001`40001024 894c2408 mov dword ptr [rsp+8],ecx ss:00000000`0012fe80=cccccccc

0:000> kv Child-SP RetAddr : Args to Child : Call Site 00000000`0012fe78 00000001`400010a5 : cccccccc`cccccccc cccccccc`00000001 cccccccc`cccccccc cccccccc`cccccccc : FunctionParameters!arithmetic+0×4 00000000`0012fe80 00000001`4000137c : 00000000`00000001 00000000`00282960 00000000`00000000 00000000`00000000 : FunctionParameters!main+0×35 00000000`0012fec0 00000001`4000114e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FunctionParameters!__tmainCRTStartup+0×21c 00000000`0012ff30 00000000`7776be3d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FunctionParameters!mainCRTStartup+0xe 00000000`0012ff60 00000000`778a6a51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd 00000000`0012ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0×1d

0:000> t FunctionParameters!arithmetic+0x8: 00000001`40001028 57 push rdi

0:000> kv Child-SP RetAddr : Args to Child : Call Site 00000000`0012fe78 00000001`400010a5 : cccccccc`00000001 cccccccc`00000001 cccccccc`cccccccc cccccccc`cccccccc : FunctionParameters!arithmetic+0×8 00000000`0012fe80 00000001`4000137c : 00000000`00000001 00000000`00282960 00000000`00000000 00000000`00000000 : FunctionParameters!main+0×35 00000000`0012fec0 00000001`4000114e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FunctionParameters!__tmainCRTStartup+0×21c 00000000`0012ff30 00000000`7776be3d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FunctionParameters!mainCRTStartup+0xe 00000000`0012ff60 00000000`778a6a51 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd 00000000`0012ff90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0×1d

Now we come to the more complex example:

1: kd> kv *** Stack trace for last set context - .thread/.cxr resets it Child-SP RetAddr : Args to Child : Call Site fffffa60`166a7020 fffffa60`07e9dbf2 : fffffa80`1dbd8820 00000000`00000000 fffffa80`1ec3b7a8 fffffa60`166a7278 : Driver!DeviceWrite+0xae fffffa60`166a7050 fffffa60`062ae7cb : 00000000`00000000 fffffa80`1dbd8820 fffffa60`166a7340 fffffa80`1df4f520 : Driver!RawWrite+0×8a […]

1: kd> r Last set context: rax=000000000083a03b rbx=fffffa801ec3b800 rcx=fffffa8018cdc000 rdx=0000000000000004 rsi=fffffa801ec3b9f0 rdi=0000000005040000 rip=fffffa6007ea006e rsp=fffffa60166a7020 rbp=fffffa801ec3b7a8 r8=fffff6fd400f61e0 r9=000000000083a03b r10=fffffa801ec3b9f8 r11=fffffa801ec3b9f8 r12=fffffa801e7c9000 r13=0000000000000000 r14=000000000038011b r15=fffffa8019891670 iopl=0 nv up ei ng nz na po cy cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010287 Driver!DeviceWrite+0xae: fffffa60`07ea006e mov rax,qword ptr [rdi+10h] ds:002b:00000000`05040010=????????????????

We know that the first parameter to Write function is a pointer to some structure we want to explore because we see from the disassembly that some member from that structure was used ([rcx+320h]) and it was used as a pointer (assigned to RDI) that was trapping ([rdi+10h]):

1: kd> .asm no_code_bytes Assembly options: no_code_bytes

1: kd> u Driver!DeviceWrite Driver!DeviceWrite+0xae+10 Driver!DeviceWrite: fffffa60`07e9ffc0 mov qword ptr [rsp+8],rbx fffffa60`07e9ffc5 mov qword ptr [rsp+10h],rbp fffffa60`07e9ffca mov qword ptr [rsp+18h],rsi fffffa60`07e9ffcf push rdi fffffa60`07e9ffd0 sub rsp,20h fffffa60`07e9ffd4 mov rdi,qword ptr [rcx+320h] […] fffffa60`07ea006e mov rax,qword ptr [rdi+10h] ; TRAP […]

Unfortunately RCX was not saved on the stack and fffffa80`1dbd8820 from kv was just the value of the saved RBX. This can be double-checked by verifying that parameter+320 doesn’t point to RDI value (05040000) at the time of the trap:

1: kd> dq fffffa80`1dbd8820+320 l1 fffffa80`1dbd8b40 00000000`00020000

Looking at DeviceWrite caller we see that RCX was initialized from RDI:

1: kd> ub fffffa60`07e9dbf2 Driver!RawWrite+0x66: fffffa60`07e9dbce mov rax,qword ptr [rdi+258h] fffffa60`07e9dbd5 mov qword ptr [rcx-18h],rax fffffa60`07e9dbd9 mov rax,qword ptr [rdi+260h] fffffa60`07e9dbe0 mov qword ptr [rcx-20h],rax fffffa60`07e9dbe4 mov dword ptr [rdx+10h],ebp fffffa60`07e9dbe7 mov rdx,rsi fffffa60`07e9dbea mov rcx,rdi fffffa60`07e9dbed call Driver!DeviceWrite (fffffa60`07e9ffc0)

We also see that RDI was saved at the function prolog so we can get our real first parameter from the raw stack bearing in mind that 0×20 was subtracted from RSP too:

1: kd> dq esp fffffa60`166a7020 fffffa80`1ec3b800 00000000`05040000 ; SUB RSP, 20H fffffa60`166a7030 fffffa60`07edc5dd fffffa60`07ee6f8f ; fffffa60`166a7040 fffffa80`1ec3b520 fffffa60`07e9dbf2 ; Saved RDI - Return Address fffffa60`166a7050 fffffa80`1dbd8820 00000000`00000000 ; Saved RBX and RBP fffffa60`166a7060 fffffa80`1ec3b7a8 fffffa60`166a7278 ; Saved RSI fffffa60`166a7070 fffffa60`166a7250 fffffa60`01ab5180 fffffa60`166a7080 fffffa80`1e2937c8 fffff800`018a928a fffffa60`166a7090 00000003`0004000d 00000026`0024000d

We see that saved RDI value +320 points to the right expected address:

1: kd> dq fffffa80`1ec3b520+320 l1 fffffa80`1ec3b840 00000000`05040000

Now we can investigate the structure but this is beyond the scope of this post.

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Assembly Language, Code Reading, Crash Dump Analysis, Debugging, x64 Windows | 1 Comment »

Wild code and partial stack reconstruction

Friday, September 4th, 2009

I recently got a chance to see an instance of Wild Code pattern in kernel mode:

ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (fc) An attempt was made to execute non-executable memory. The guilty driver is on the stack trace (and is typically the current instruction pointer). When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: a98ccfc4, Virtual address for the attempted execute. Arg2: 17b1b963, PTE contents. Arg3: a98ccf38, (reserved) Arg4: 00000001, (reserved)

3: kd> .trap 0xffffffffa98ccf38 ErrCode = 00000011 eax=00000000 ebx=bf8c16eb ecx=bf855770 edx=00000026 esi=be4da0e8 edi=0000029e eip=a98ccfc4 esp=a98ccfac ebp=a98ccfa0 iopl=0 nv up ei ng nz ac pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010296 a98ccfc4 dcda fcomp3 st(2)

3: kd> !pte a98ccfc4 VA a98ccfc4 PDE at 00000000C0602A60 PTE at 00000000C054C660 contains 000000000B40A863 contains 8000000017B1B963 pfn b40a ---DA--KWEV pfn 17b1b -G-DA--KW-V

3: kd> k *** Stack trace for last set context - .thread/.cxr resets it ChildEBP RetAddr WARNING: Frame IP not in any known module. Following frames may be wrong. a98ccff0 80889db4 0xa98ccfc4 a98ccff0 00000000 nt!KiCallbackReturn+0×84

We see that the execution address belongs to thread kernel stack range:

3: kd> !thread THREAD 8959f548 Cid 20c4.0dd8 Teb: 7ffdf000 Win32Thread: bc1a9550 RUNNING on processor 3 Not impersonating DeviceMap e183a628 Owning Process 890af4b0 Image: ApplicationA.exe Attached Process N/A Image: N/A Wait Start TickCount 67969974 Ticks: 0 Context Switch Count 2833569 LargeStack UserTime 00:01:18.171 KernelTime 00:00:50.468 Win32 Start Address 0x00401c94 Start Address 0x7c8217f8 Stack Init a98cd260 Current a98ccc48 Base a98ce000 Limit a98c3000 Call a98cd268 Priority 13 BasePriority 8 PriorityDecrement 0 ChildEBP RetAddr Args to Child a98ccea8 8085eced 000000fc a98ccfc4 17b1b963 nt!KeBugCheckEx+0×1b a98ccf20 8088c798 00000008 a98ccfc4 00000000 nt!MmAccessFault+0xb25 a98ccf20 a98ccfc4 00000008 a98ccfc4 00000000 nt!KiTrap0E+0xdc WARNING: Frame IP not in any known module. Following frames may be wrong. a98ccff0 80889db4 0013e3d4 0000000c 00000000 0xa98ccfc4 a98ccff0 00000000 0013e3d4 0000000c 00000000 nt!KiCallbackReturn+0×84

Something must have gone wrong after the return from KiCallbackReturn. On x86 systems this is an IDT entry (2b). See an example output I did while writing down notes on Windows Internals. Windows NT/2000 Native API Reference states that it is the same function as ZwCallBackReturn and it is used to return from win32k.sys user-mode and space callbacks, for example, to send a window message (p. 408). We find the following call on raw stack and use an extended version of k command to get partial stack trace before user-mode callback call:

3: kd> dds a98c3000 a98ce000 [...] a98cd244 a98cd270 a98cd248 80833485 nt!KiSwapThread+0x305 a98cd24c 8959f548 a98cd250 8959f5f0 a98cd254 00000001 a98cd258 8959f548 a98cd25c 00000000 a98cd260 ffffffff a98cd264 00000001 a98cd268 a98cd8a0 a98cd26c a98cd604 a98cd270 a98cd8a8 a98cd274 0013f2e4 a98cd278 7ffdf000 a98cd27c 0013e3ac a98cd280 a98cd2d8 a98cd284 8091d6d1 nt!KeUserModeCallback+0×8f a98cd288 a98cd388 a98cd28c a98cd384 a98cd290 a98cd370 a98cd294 bc1a9550 a98cd298 006fa0e8 a98cd29c 0013f2e4 a98cd2a0 7ffdf000 a98cd2a4 00000018 a98cd2a8 8948c7f8 […]

3: kd> k L=a98cd280 ChildEBP RetAddr WARNING: Frame IP not in any known module. Following frames may be wrong. a98cd280 8091d6d1 0xa98ccfc4 a98cd2d8 bf858a9a nt!KeUserModeCallback+0×8f a98cd3b4 bf8a244e win32k!SfnINOUTNCCALCSIZE+0×10b a98cd3fc bf8a13fa win32k!xxxSendMessageToClient+0×176 a98cd448 bf8a130f win32k!xxxSendMessageTimeout+0×1a6 a98cd46c bf85cd68 win32k!xxxSendMessage+0×1b a98cd530 bf85daca win32k!xxxCalcValidRects+0×3bc a98cd58c bf85def4 win32k!xxxEndDeferWindowPosEx+0xf2 a98cd5a8 bf85061c win32k!xxxSetWindowPos+0xb1 a98cd5cc bf8e3df8 win32k!xxxRedrawFrame+0×16 a98cd5d8 bf8a2b69 win32k!xxxDrawMenuBar+0×19 a98cd5f4 8088978c win32k!NtUserCallHwndLock+0×6b a98cd5f4 7c9485ec nt!KiFastCallEntry+0xfc 0013e438 00000000 0×7c9485ec

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns | No Comments »

Bugtation No.102

Friday, September 4th, 2009

I don’t read mere books. I analyze memory dumps. Books are memory dumps. Memory dumps are books.

Dmitry Vostokov, Variation on a theme “A book is a memory dump”

- Dmitry Vostokov @ DumpAnalysis.org -

Posted in Books, Bugtations, Fun with Crash Dumps, Memory Religion (Memorianity), Philosophy | No Comments »

Archive for September 4th, 2009

Manual parameter reconstruction on x64 Windows systems

Wild code and partial stack reconstruction

Bugtation No.102

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta

September 2009
M	T	W	T	F	S	S
« Aug				Oct »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30