Software Diagnostics Library

Icons for Memory Dump Analysis Patterns (Part 57)

Tuesday, July 13th, 2010

Today we introduce an icon for IRP Distribution Anomaly pattern:

B/W

Color

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Pattern Icons, Visual Dump Analysis | No Comments »

Models for Memory and Trace Analysis Patterns (Part 3)

Tuesday, July 13th, 2010

Here we model Message Hooks pattern using MessageHistory tool. It uses window message hooking mechanism to intercept window messages. Download the tool and run either MessageHistory.exe or MessageHistory64.exe and push its Start button. Whenever any process becomes active after that either mhhooks.dll or mhhooks64.dll gets injected into the process virtual address space. Then we run WinDbg x86 or WinDbg x64, run notepad.exe and attach the debugger noninvasively to it:

*** wait with pending attach Symbol search path is: srv* Executable search path is: WARNING: Process 2932 is not attached as a debuggee The process can be examined but debug events will not be received (b74.f44): Wake debugger - code 80000007 (first chance) USER32!NtUserGetMessage+0xa: 00000000`76f9c92a c3 ret

0:000> .symfix

0:000> .reload

0:000> k Child-SP RetAddr Call Site 00000000`0028f908 00000000`76f9c95e USER32!NtUserGetMessage+0xa 00000000`0028f910 00000000`ff511064 USER32!GetMessageW+0x34 00000000`0028f940 00000000`ff51133c notepad!WinMain+0x182 00000000`0028f9c0 00000000`76e7f56d notepad!DisplayNonGenuineDlgWorker+0x2da 00000000`0028fa80 00000000`770b3281 kernel32!BaseThreadInitThunk+0xd 00000000`0028fab0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

If we don’t select “Noninvasive” in “Attach to Process” dialog box we need to switch from the debugger injected thread to our main notepad application thread:

0:001> .symfix

0:001> .reload

0:001> k Child-SP RetAddr Call Site 00000000`024bfe18 00000000`77178638 ntdll!DbgBreakPoint 00000000`024bfe20 00000000`76e7f56d ntdll!DbgUiRemoteBreakin+0x38 00000000`024bfe50 00000000`770b3281 kernel32!BaseThreadInitThunk+0xd 00000000`024bfe80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:001> ~0s USER32!NtUserGetMessage+0xa: 00000000`76f9c92a c3 ret

0:000> k Child-SP RetAddr Call Site 00000000`000af9e8 00000000`76f9c95e USER32!NtUserGetMessage+0xa 00000000`000af9f0 00000000`ff511064 USER32!GetMessageW+0x34 00000000`000afa20 00000000`ff51133c notepad!WinMain+0x182 00000000`000afaa0 00000000`76e7f56d notepad!DisplayNonGenuineDlgWorker+0x2da 00000000`000afb60 00000000`770b3281 kernel32!BaseThreadInitThunk+0xd 00000000`000afb90 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

We then inspect the raw stack data to see any execution residue and find a few related function calls:

0:000> !teb TEB at 000007fffffdd000 ExceptionList: 0000000000000000 StackBase: 0000000000290000 StackLimit: 000000000027f000 SubSystemTib: 0000000000000000 FiberData: 0000000000001e00 ArbitraryUserPointer: 0000000000000000 Self: 000007fffffdd000 EnvironmentPointer: 0000000000000000 ClientId: 0000000000000b74 . 0000000000000f44 RpcHandle: 0000000000000000 Tls Storage: 000007fffffdd058 PEB Address: 000007fffffdf000 LastErrorValue: 0 LastStatusValue: c0000034 Count Owned Locks: 0 HardErrorMode: 0

0:000> dps 000000000027f000 0000000000290000 [...] 00000000`0028e388 00000000`008bd8e0 00000000`0028e390 00000000`00000000 00000000`0028e398 00000000`00000001 00000000`0028e3a0 00000000`00000282 00000000`0028e3a8 00000000`76f966b2 USER32!SendMessageToUI+0x6a 00000000`0028e3b0 00000000`001406b0 00000000`0028e3b8 00000000`004000f8 00000000`0028e3c0 00000000`00000001 00000000`0028e3c8 00000001`800014b8 mhhooks64!CallWndProc+0×2d8 00000000`0028e3d0 00000000`00000000 00000000`0028e3d8 00000000`002f0664 00000000`0028e3e0 00000000`00000001 00000000`0028e3e8 00000000`76f96a72 USER32!ImeNotifyHandler+0xb4 00000000`0028e3f0 00000000`00000000 00000000`0028e3f8 00000000`004000f8 00000000`0028e400 00000000`00000001 00000000`0028e408 000007fe`ff1213b4 IMM32!CtfImmDispatchDefImeMessage+0×60 00000000`0028e410 00000000`00000000 00000000`0028e418 00000000`002f0664 00000000`0028e420 00000000`00000000 00000000`0028e428 00000000`002f0664 00000000`0028e430 00000000`008bd8e0 00000000`0028e438 00000000`76f96a06 USER32!ImeWndProcWorker+0×3af 00000000`0028e440 00000000`00000282 00000000`0028e448 00000000`00000000 00000000`0028e450 00000000`00000001 00000000`0028e458 00000000`004000f8 00000000`0028e460 00000000`00000000 00000000`0028e468 00000000`00000001 00000000`0028e470 00000000`00000000 00000000`0028e478 00000000`00000000 00000000`0028e480 00000000`00000000 00000000`0028e488 00000000`76f9a078 USER32!_fnDWORD+0×44 00000000`0028e490 00000000`00000000 […] 00000000`0028f770 00000000`001406b0 00000000`0028f778 000007ff`fffdd000 00000000`0028f780 00000000`0028f8c8 00000000`0028f788 00000000`008bd8e0 00000000`0028f790 00000000`00000018 00000000`0028f798 00000000`76f885a0 USER32!DispatchHookW+0×2c 00000000`0028f7a0 000022b2`00000000 00000000`0028f7a8 00000000`00000001 00000000`0028f7b0 000007fe`ff2d2560 MSCTF!IMCLock::`vftable’ 00000000`0028f7b8 00000000`00407c50 00000000`0028f7c0 00000000`000c0e51 00000000`0028f7c8 00000000`00000000 00000000`0028f7d0 00000000`00000000 00000000`0028f7d8 00000000`00000113 00000000`0028f7e0 00000000`00000113 00000000`0028f7e8 00000000`00000001 00000000`0028f7f0 00000000`00000000 00000000`0028f7f8 00000000`76f9c3df USER32!UserCallWinProcCheckWow+0×1cb 00000000`0028f800 00000000`ff510000 notepad!CFileDialogEvents_QueryInterface <PERF> (notepad+0×0) 00000000`0028f808 00000000`00000000 00000000`0028f810 00000000`00000000 00000000`0028f818 00000000`00000000 00000000`0028f820 00000000`00000000 00000000`0028f828 00000000`00000038 00000000`0028f830 00000000`00000000 00000000`0028f838 00000000`00000000 00000000`0028f840 00000000`00000000 00000000`0028f848 00000000`770cfdf5 ntdll!KiUserCallbackDispatcherContinue 00000000`0028f850 00000000`00000048 00000000`0028f858 00000000`00000001 00000000`0028f860 00000000`00000000 […]

We also see a 3rd-party module in proximity having “hook” in its module name: mhhooks64. We disassemble its address to see yet another message hooking evidence:

0:000> .asm no_code_bytes Assembly options: no_code_bytes

0:000> ub 00000001`800014b8 mhhooks64!CallWndProc+0×2ae: 00000001`8000148e imul rcx,rcx,30h 00000001`80001492 lea rdx,[mhhooks64!sendMessages (00000001`80021030)] 00000001`80001499 mov dword ptr [rdx+rcx+28h],eax 00000001`8000149d mov r9,qword ptr [rsp+50h] 00000001`800014a2 mov r8,qword ptr [rsp+48h] 00000001`800014a7 mov edx,dword ptr [rsp+40h] 00000001`800014ab mov rcx,qword ptr [mhhooks64!hCallWndHook (00000001`80021028)] 00000001`800014b2 call qword ptr [mhhooks64!_imp_CallNextHookEx (00000001`80017280)]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Pattern Models, Software Behavior Patterns | No Comments »

The Battle for WinDbg Ranking Continues

Tuesday, July 13th, 2010

After the previous announcement of WinDbg.org 3rd ranging place I see it moved to the 2nd first level ranking leaving Wikipedia behind. I think it would be impossible to go ahead of WHDC so I calm down and continue to monitor ranking from time to time only :-)

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Announcements, History | 3 Comments »

Archive for July 13th, 2010

Icons for Memory Dump Analysis Patterns (Part 57)

Models for Memory and Trace Analysis Patterns (Part 3)

The Battle for WinDbg Ranking Continues

Pages

Recent Comments

Categories

Archives

ARM64

Automated Analysis

Blogroll

Debugging Channels

Forensics

Hardware

Linux

Mac OS X

Magazines and Newspapers

Malware Analysis

Medical Diagnostics

Narratology

Related Links

Reversing

Scripting Languages

Source Code

Tracing Tools

Meta

July 2010
M	T	W	T	F	S	S
« Jun				Aug »
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31