Sometimes a managed code exception envelops a handled unmanaged code exception. This is the Mixed (Nested) Exception pattern:
0:000> !analyze -v
[...]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
FAULTING_THREAD: 00000cfc
[...]
EXCEPTION_OBJECT: !pe 1f9af1ac
Exception object: 1f9af1ac
Exception type: System.AccessViolationException
Message: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
InnerException: <none>
StackTrace (generated):
SP IP Function
0012EF3C 28DD9AF9 DllA!Component.getFirstField()+0x11
[...]
0012EFC8 7B194170 System_Windows_Forms_ni!System.Windows.Forms.Control.OnClick(System.EventArgs)+0x70
0012EFE0 7B6F74B4 System_Windows_Forms_ni!System.Windows.Forms.Control.WmMouseUp(System.Windows.Forms.Message ByRef, System.Windows.Forms.MouseButtons, Int32)+0x170
0012F06C 7BA29B66 System_Windows_Forms_ni!System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)+0x861516
0012F0C4 7B1D1D6A System_Windows_Forms_ni!System.Windows.Forms.ScrollableControl.WndProc(System.Windows.Forms.Message ByRef)+0x2a
0012F0D0 7B1C8640 System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)+0x10
0012F0D8 7B1C85C1 System_Windows_Forms_ni!System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)+0x31
0012F0EC 7B1C849A System_Windows_Forms_ni!System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)+0x5a
[...]
We see that the managed exception wraps an access violation, so we check the faulting thread (TID cfc):
0:000> kL
ChildEBP RetAddr
0012db54 77d70dde ntdll!KiFastSystemCallRet
0012db58 7b1d8e48 user32!NtUserWaitMessage+0xc
0012dbec 7b1d8937 System_Windows_Forms_ni+0x208e48
0012dc44 7b1d8781 System_Windows_Forms_ni+0x208937
0012dc74 7b6edd1f System_Windows_Forms_ni+0x208781
0012dc8c 7b72246b System_Windows_Forms_ni+0x71dd1f
0012dd18 7b722683 System_Windows_Forms_ni+0x75246b
0012dd58 7b6f77f6 System_Windows_Forms_ni+0x752683
0012dd64 7b6fa27c System_Windows_Forms_ni+0x7277f6
0012f148 77d6f8d2 System_Windows_Forms_ni+0x72a27c
0012f174 77d6f794 user32!InternalCallWinProc+0x23
0012f1ec 77d70008 user32!UserCallWinProcCheckWow+0x14b
0012f250 77d70060 user32!DispatchMessageWorker+0x322
0012f260 0a1412fa user32!DispatchMessageW+0xf
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f27c 578439f7 0xa1412fa
0012f2ec 578430c9 WindowsBase_ni+0x939f7
0012f2f8 5784306c WindowsBase_ni+0x930c9
0012f304 55bed46e WindowsBase_ni+0x9306c
0012f310 55bec76f PresentationFramework_ni+0x1cd46e
0012f334 55bd3aa6 PresentationFramework_ni+0x1cc76f
The thread stack shows no exception dispatching frames, so if an exception occurred it must be hidden. We therefore inspect the thread's raw stack:
0:000> !teb
TEB at 7ffdf000
ExceptionList: 0012e470
StackBase: 00130000
StackLimit: 0011e000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7ffdf000
EnvironmentPointer: 00000000
ClientId: 00000b6c . 00000cfc
RpcHandle: 00000000
Tls Storage: 7ffdf02c
PEB Address: 7ffd4000
LastErrorValue: 0
LastStatusValue: c0000139
Count Owned Locks: 0
HardErrorMode: 0
0:000> dps 0011e000 00130000
0011e000 00000000
0011e004 00000000
0011e008 00000000
[...]
0012e72c 00130000
0012e730 0011e000
0012e734 00ee350d
0012e738 0012ea3c
0012e73c 77f299f7 ntdll!KiUserExceptionDispatcher+0xf
0012e740 0012e750
0012e744 0012e76c
0012e748 0012e750
0012e74c 0012e76c
0012e750 c0000005
0012e754 00000000
0012e758 00000000
0012e75c 77f17d89 ntdll!RtlLeaveCriticalSection+0x9
0012e760 00000002
0012e764 00000001
0012e768 00000028
0012e76c 0001003f
0012e770 00000000
0012e774 00000000
0012e778 00000000
0012e77c 00000000
[...]
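To locate such a hidden exception in a raw stack listing programmatically, here is an added example (Python, not code from the original post). It scans a dps listing for the KiUserExceptionDispatcher return address, reads the EXCEPTION_RECORD and CONTEXT pointers that follow it on x86, decodes the record (code, faulting address, access violation parameters) and reports the CONTEXT address to pass to .cxr; the parsing helpers are this example's own assumptions, and the sample input is the dump excerpt quoted above.

```python
import re
# Added example, not code from the original post: scan WinDbg 'dps' raw-stack
# output for the x86 layout used above, where the two dwords after a
# KiUserExceptionDispatcher return address point to the EXCEPTION_RECORD and
# the CONTEXT (the address to give to .cxr). The sample is the post's own dump.
DPS_LINE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+(.*))?$", re.I)
CODE_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0x80000003: "STATUS_BREAKPOINT"}
AV_KIND = {0: "read", 1: "write", 8: "execute"}  # ExceptionInformation[0] of an AV
def parse_dps(text):
    """Map stack address -> (dword value, symbol text) from dps listing lines."""
    mem = {}
    for line in text.splitlines():
        m = DPS_LINE.match(line.strip())
        if m:
            mem[int(m.group(1), 16)] = (int(m.group(2), 16), (m.group(3) or "").strip())
    return mem

def find_hidden_exceptions(mem):
    """Return one dict per KiUserExceptionDispatcher frame with its decoded record."""
    hits = []
    for addr in sorted(a for a, v in mem.items() if "KiUserExceptionDispatcher" in v[1]):
        rec, ctx = mem[addr + 4][0], mem[addr + 8][0]
        # 32-bit EXCEPTION_RECORD: code +0, flags +4, chain +8, address +0xC, nparams +0x10, info +0x14
        code, nparams = mem[rec][0], mem[rec + 0x10][0]
        params = [mem[rec + 0x14 + 4 * i][0] for i in range(nparams)]
        hit = {"record": rec, "context": ctx, "code": code, "params": params,
               "name": CODE_NAMES.get(code, "unknown"), "flags": mem[rec + 4][0],
               "address": mem[rec + 0xC][0], "symbol": mem[rec + 0xC][1],
               "context_ok": bool(mem[ctx][0] & 0x10000)}  # CONTEXT_i386 flag set on x86
        if code == 0xC0000005 and nparams >= 2:  # access violation: kind, address
            hit["access"] = (AV_KIND.get(params[0], "?"), params[1])
        hits.append(hit)
    return hits

SAMPLE = """
0012e73c 77f299f7 ntdll!KiUserExceptionDispatcher+0xf
0012e740 0012e750
0012e744 0012e76c
0012e748 0012e750
0012e74c 0012e76c
0012e750 c0000005
0012e754 00000000
0012e758 00000000
0012e75c 77f17d89 ntdll!RtlLeaveCriticalSection+0x9
0012e760 00000002
0012e764 00000001
0012e768 00000028
0012e76c 0001003f
"""
```

On this sample the result is one STATUS_ACCESS_VIOLATION (write to address 0x28) raised at ntdll!RtlLeaveCriticalSection+0x9, with CONTEXT at 0012e76c, which is exactly what the .cxr command that follows uses.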
0:000> .cxr 0012e76c
eax=00000020 ebx=09ca1fa0 ecx=781c1b78 edx=00000001 esi=00000020 edi=09ca1ff8
eip=77f17d89 esp=0012ea38 ebp=0012ea3c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
ntdll!RtlLeaveCriticalSection+0x9:
77f17d89 834608ff add dword ptr [esi+8],0FFFFFFFFh ds:0023:00000028=????????
0:000> kL
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr
0012ea3c 7813e5b5 ntdll!RtlLeaveCriticalSection+0x9
0012ea44 2071c9ba msvcr80!_unlock_file+0x35
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ea68 2071c31e DllB!getType+0x286a
0012ee34 206bbfbc DllB!getType+0x3eb
0012ee68 206c8abb DllC+0xbfbc
0012ee98 79e71ca7 DllC!getFirstField+0x3b
0012f148 77d6f8d2 mscorwks!NDirectGenericStubReturnFromCall
0012f1ec 77d70008 user32!InternalCallWinProc+0x23
0012f240 77db51b9 user32!DispatchMessageWorker+0x322
0012f4a4 79e95feb user32!_W32ExceptionHandler+0x18
0012f4fc 79e968b0 mscorwks!MetaSig::HasRetBuffArg+0x5
0012f50c 79e9643e mscorwks!MetaSig::MetaSig+0x3a
0012f610 79e96534 mscorwks!MethodDesc::CallDescr+0xaf
0012f62c 79e96552 mscorwks!MethodDesc::CallTargetWorker+0x1f
0012f644 79eefa45 mscorwks!MethodDescCallSite::CallWithValueTypes+0x1a
0012f7a8 79eef965 mscorwks!ClassLoader::RunMain+0x223
Therefore we identify the DllB and DllC components as suspicious. If we check the exception handler chain we see that the .NET runtime registered custom exception handlers:
0:000> !exchain
0012e470: mscorwks!COMPlusNestedExceptionHandler+0 (79edd6d7)
0012f13c: mscorwks!FastNExportExceptHandler+0 (7a00a2e7)
0012f1dc: user32!_except_handler4+0 (77db51ba)
0012f240: user32!_except_handler4+0 (77db51ba)
0012f46c: mscorwks!COMPlusFrameHandler+0 (79edc3bc)
0012f4c0: mscorwks!_except_handler4+0 (79f908a2)
0012f798: mscorwks!_except_handler4+0 (79f908a2)
0012fa04: mscorwks!GetManagedNameForTypeInfo+a680 (7a328d90)
0012fed4: mscorwks!GetManagedNameForTypeInfo+82c8 (7a325a3a)
0012ff20: mscorwks!_except_handler4+0 (79f908a2)
0012ff6c: mscorwks!GetManagedNameForTypeInfo+a6e (7a319ee4)
0012ffc4: ntdll!_except_handler4+0 (77ed9834)
Invalid exception stack at ffffffff
We check that GetManagedNameForTypeInfo+a6e (7a319ee4) is indeed an exception handler despite its misleading symbol name (the disassembly shows it jumps to __CxxFrameHandler3, which forwards to the msvcr80 C++ frame handler):
0:000> .asm no_code_bytes
Assembly options: no_code_bytes
0:000> uf 7a319ee4
msvcr80!__CxxFrameHandler:
78158aeb push ebp
78158aec mov ebp,esp
78158aee sub esp,8
78158af1 push ebx
78158af2 push esi
78158af3 push edi
78158af4 cld
78158af5 mov dword ptr [ebp-4],eax
78158af8 xor eax,eax
78158afa push eax
78158afb push eax
78158afc push eax
78158afd push dword ptr [ebp-4]
78158b00 push dword ptr [ebp+14h]
78158b03 push dword ptr [ebp+10h]
78158b06 push dword ptr [ebp+0Ch]
78158b09 push dword ptr [ebp+8]
78158b0c call msvcr80!__InternalCxxFrameHandler (7815897e)
78158b11 add esp,20h
78158b14 mov dword ptr [ebp-8],eax
78158b17 pop edi
78158b18 pop esi
78158b19 pop ebx
78158b1a mov eax,dword ptr [ebp-8]
78158b1d mov esp,ebp
78158b1f pop ebp
78158b20 ret
mscorwks!__CxxFrameHandler3:
79f5f258 jmp dword ptr [mscorwks!_imp____CxxFrameHandler3 (79e711c4)]
mscorwks!GetManagedNameForTypeInfo+0xa6e:
7a319ee4 mov edx,dword ptr [esp+8]
7a319ee8 lea eax,[edx+0Ch]
7a319eeb mov ecx,dword ptr [edx-30h]
7a319eee xor ecx,eax
7a319ef0 call mscorwks!__security_check_cookie (79e72037)
7a319ef5 mov eax,offset mscorwks!_CT??_R0H+0xc14 (7a319f00)
7a319efa jmp mscorwks!__CxxFrameHandler3 (79f5f258)
- Dmitry Vostokov @ DumpAnalysis.org -