Crash Dump Analysis Patterns (Part 110)

Shared Buffer Overwrite differs from Local Buffer Overflow and heap / pool memory corruption patterns in that it does not write over control structures situated at dynamically allocated memory or procedure frame (local call stack) boundaries. Its effect becomes visible when the buffer data contains pointers that become wild after the overwrite and are later dereferenced, resulting in a crash. For example, when the overwriting data contains UNICODE and/or ASCII characters, we see those characters in the pointer values:

1: kd> !analyze -v

[...]

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8086c949, The address that the exception occurred at
Arg3: f78eec54, Exception Record Address
Arg4: f78ee950, Context Record Address

[...]

EXCEPTION_RECORD:  f78eec54 -- (.exr 0xfffffffff78eec54)
ExceptionAddress: 8086c949 (nt!ObfDereferenceObject+0x00000023)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
   Parameter[1]: 006f0058
Attempt to write to address 006f0058

CONTEXT:  f78ee950 -- (.cxr 0xfffffffff78ee950)
eax=f78e0001 ebx=ffffffff ecx=006f0070 edx=00000000 esi=006f0058 edi=8087cdae
eip=8086c949 esp=f78eed1c ebp=f78eed2c iopl=0  nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000     efl=00010286
nt!ObfDereferenceObject+0x23:
8086c949 f00fc11e        lock xadd dword ptr [esi],ebx ds:0023:006f0058=????????

[...]

STACK_TEXT:
f78eed2c f707212e 886e6530 f78eed80 f706e04e nt!ObfDereferenceObject+0x23
f78eed38 f706e04e e47b1258 8b2fcb40 808ae5c0 DriverA!CloseConnection+0x16
f78eed80 80880475 8835f248 00000000 8b2fcb40 DriverA!Resume+0x9f
f78eedac 80949c5a 8835f248 00000000 00000000 nt!ExpWorkerThread+0xeb
f78eeddc 8088e0c2 8088038a 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

1: kd> ub f707212e
DriverA!CloseConnection+0x2:
f707211a push    ebp
f707211b mov     ebp,esp
f707211d push    esi
f707211e mov     esi,dword ptr [ebp+8]
f7072121 mov     ecx,dword ptr [esi+14h]
f7072124 test    ecx,ecx
f7072126 je      DriverA!CloseConnection+0x1a (f7072132)
f7072128 call    dword ptr [DriverA!_imp_ObfDereferenceObject (f70610f4)]

1: kd> db e47b1258 L20
e47b1258  61 67 65 20 57 72 69 74-65 72 00 05 77 00 69 00  age Writer..w.i.
e47b1268  6e 00 73 00 70 00 6f 00-6f 00 6c 00 2c 00 4e 00  n.s.p.o.o.l.,.N.

1: kd> !pool e47b1258
Pool page e47b1258 region is Paged pool
e47b1000 size:  108 previous size:    0  (Allocated)  CM39
e47b1108 size:   38 previous size:  108  (Free)       CMVa
e47b1140 size:   28 previous size:   38  (Allocated)  NtFs
e47b1168 size:    8 previous size:   28  (Free)       CMDa
e47b1170 size:   80 previous size:    8  (Allocated)  FSim
e47b11f0 size:   28 previous size:   80  (Allocated)  CMNb (Protected)
*e47b1218 size:   70 previous size:   28  (Allocated) *CMDa
Pooltag CMDa : value data cache pool tag, Binary : nt!cm

e47b1288 size:   58 previous size:   70  (Allocated)  Sect (Protected)
e47b12e0 size:   18 previous size:   58  (Allocated)  Ntf0
e47b12f8 size:   28 previous size:   18  (Allocated)  NtFs
e47b1320 size:   20 previous size:   28  (Allocated)  CMNb (Protected)
e47b1340 size:   48 previous size:   20  (Allocated)  Ntfc
e47b1388 size:   68 previous size:   48  (Allocated)  Sect (Protected)
e47b13f0 size:   30 previous size:   68  (Allocated)  CMVa
e47b1420 size:   38 previous size:   30  (Allocated)  CMVa
e47b1458 size:    8 previous size:   38  (Free)       CMVa
e47b1460 size:   48 previous size:    8  (Allocated)  CMVa
e47b14a8 size:   d0 previous size:   48  (Allocated)  Ntfo
e47b1578 size:  330 previous size:   d0  (Allocated)  Ntff
e47b18a8 size:   10 previous size:  330  (Free)       NtfE
e47b18b8 size:   e0 previous size:   10  (Allocated)  Ntfo
e47b1998 size:   40 previous size:   e0  (Allocated)  MmSm
e47b19d8 size:    8 previous size:   40  (Free)       Ica
e47b19e0 size:   18 previous size:    8  (Allocated)  Ntf0
e47b19f8 size:   68 previous size:   18  (Allocated)  CMDa
e47b1a60 size:   28 previous size:   68  (Allocated)  ObNm
e47b1a88 size:   b8 previous size:   28  (Allocated)  Port (Protected)
e47b1b40 size:   58 previous size:   b8  (Allocated)  Sect (Protected)
e47b1b98 size:   30 previous size:   58  (Allocated)  CMVa
e47b1bc8 size:    8 previous size:   30  (Free)       NtFA
e47b1bd0 size:  100 previous size:    8  (Allocated)  IoNm
e47b1cd0 size:   18 previous size:  100  (Allocated)  ObDi
e47b1ce8 size:   38 previous size:   18  (Allocated)  CMnb Process: 88469928
e47b1d20 size:   78 previous size:   38  (Free )  NtFI
e47b1d98 size:   68 previous size:   78  (Allocated)  CMDa
e47b1e00 size:   18 previous size:   68  (Allocated)  PsIm (Protected)
e47b1e18 size:   e8 previous size:   18  (Free )  TunP
e47b1f00 size:  100 previous size:   e8  (Allocated)  IoNm

Another example:

0: kd> !analyze -v

[...]

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8083e4d6, The address that the exception occurred at
Arg3: f78cec54, Exception Record Address
Arg4: f78ce950, Context Record Address

[...]

EXCEPTION_RECORD:  f78cec54 -- (.exr 0xfffffffff78cec54)
ExceptionAddress: 8083e4d6 (nt!ObfDereferenceObject+0x00000023)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
   Parameter[1]: 65696c2b
Attempt to write to address 65696c2b

CONTEXT:  f78ce950 -- (.cxr 0xfffffffff78ce950)
eax=f78c0001 ebx=ffffffff ecx=65696c43 edx=00000000 esi=65696c2b edi=8083e407
eip=8083e4d6 esp=f78ced1c ebp=f78ced2c iopl=0  nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000     efl=00010286
nt!ObfDereferenceObject+0x23:
8083e4d6 f00fc11e        lock xadd dword ptr [esi],ebx ds:0023:65696c2b=????????
Resetting default scope

[...]

STACK_TEXT:
f78ced2c f71bd12e 87216470 f78ced80 f71b904e nt!ObfDereferenceObject+0x23
f78ced38 f71b904e e49afb90 8a38eb40 808b70e0 DriverA!CloseConnection+0x16
f78ced80 8082db10 868989e0 00000000 8a38eb40 DriverA!Resume+0x9f
f78cedac 809208bb 868989e0 00000000 00000000 nt!ExpWorkerThread+0xeb
f78ceddc 8083fe9f 8082da53 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

[...]

0: kd> .formats 65696c2b
Evaluate expression:
Hex:     65696c2b
Decimal: 1701407787
Octal:   14532266053
Binary:  01100101 01101001 01101100 00101011
  Chars:   eil+
Time:    Fri Dec 01 05:16:27 2023
Float:   low 6.88942e+022 high 0
Double:  8.40607e-315

0: kd> db e49afb90 L20
e49afb90  41 41 22 00 1e 00 00 00-00 5f 07 00 01 00 00 00  AA"......_......
e49afba0  01 00 00 00 43 6c 69 65-6e 74 41 2f 41 41 41 41  ....ClientA/AAAA

0: kd> !pool e49afb90
Pool page e49afb90 region is Paged pool
e49af000 size:  330 previous size:    0  (Allocated)  Ntff
e49af330 size:  2c0 previous size:  330  (Allocated)  Toke (Protected)
e49af5f0 size:   78 previous size:  2c0  (Allocated)  NtFU
e49af668 size:   10 previous size:   78  (Free)       CMVI
e49af678 size:   a8 previous size:   10  (Allocated)  Ntfo
e49af720 size:   80 previous size:   a8  (Allocated)  NtFU
e49af7a0 size:   78 previous size:   80  (Allocated)  NtFU
e49af818 size:   18 previous size:   78  (Allocated)  Ntf0
e49af830 size:   20 previous size:   18  (Allocated)  ObHd
e49af850 size:   38 previous size:   20  (Allocated)  MmSm
e49af888 size:   78 previous size:   38  (Allocated)  NtFU
e49af900 size:   28 previous size:   78  (Allocated)  NtFs
e49af928 size:   48 previous size:   28  (Allocated)  Ntfc
e49af970 size:   40 previous size:   48  (Allocated)  CMNb (Protected)
e49af9b0 size:   28 previous size:   40  (Allocated)  NtFs
e49af9d8 size:   30 previous size:   28  (Allocated)  AtmA
e49afa08 size:  108 previous size:   30  (Allocated)  CM39
e49afb10 size:   18 previous size:  108  (Allocated)  Ntf0
e49afb28 size:   30 previous size:   18  (Allocated)  CMVw (Protected)
e49afb58 size:   28 previous size:   30  (Allocated)  MPXC
*e49afb80 size:   70 previous size:   28  (Free) *CMDa
Pooltag CMDa : value data cache pool tag, Binary : nt!cm

e49afbf0 size:   b8 previous size:   70  (Allocated)  Port (Protected)
e49afca8 size:   28 previous size:   b8  (Allocated)  CMNb (Protected)
e49afcd0 size:  330 previous size:   28  (Allocated)  Ntff

Notice that in the latter example the pointer references a freed pool element. If a pointer points to an overwritten buffer the result is similar to a dangling pointer pointing to a reallocated freed buffer. If an object was located in a shared buffer and its data becomes overwritten we can also observe Random Object pattern.
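As an added example (not code from the original post), a small C helper that turns the .formats reading above into a check: it renders a 32-bit value as characters the way the "Chars:" line does and flags values that look like ASCII or UTF-16LE text, as both faulting esi values here do. The 32-bit x86 kernel with the default 2 GB user/kernel split is an assumption.

```c
/* Constructed example: classify a faulting address the way an analyst
   reads .formats output, to spot pointers overwritten with text. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ptr_kind { PTR_OPAQUE = 0, PTR_ASCII = 1, PTR_UTF16LE = 2 };

static int printable(unsigned b) { return b >= 0x20 && b <= 0x7e; }

/* Render the four bytes most-significant first, like the "Chars:"
   line of .formats; non-printable bytes become '.'. */
void chars_of(uint32_t v, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned b = (v >> (8 * (3 - i))) & 0xff;
        out[i] = printable(b) ? (char)b : '.';
    }
    out[4] = '\0';
}

/* All four bytes printable -> ASCII text ("eil+" in the second dump).
   Two little-endian 16-bit units that are each a printable ASCII code
   point -> UTF-16LE text ("Xo" in the first dump, esi = 006f0058). */
enum ptr_kind classify_ptr(uint32_t v) {
    if (printable(v >> 24) && printable((v >> 16) & 0xff) &&
        printable((v >> 8) & 0xff) && printable(v & 0xff))
        return PTR_ASCII;
    if (printable(v & 0xffff) && printable(v >> 16))
        return PTR_UTF16LE;
    return PTR_OPAQUE;
}

/* Assumption: 32-bit x86 kernel with the default 2 GB split, so any
   object pointer ObfDereferenceObject receives should be >= 0x80000000. */
int is_kernel_va32(uint32_t v) { return v >= 0x80000000u; }

int main(void) {
    /* The two faulting esi values from the dumps above plus a sane one. */
    const uint32_t samples[] = { 0x006f0058u, 0x65696c2bu, 0x8086c949u };
    const char *names[] = { "opaque", "ASCII", "UTF-16LE" };
    for (size_t i = 0; i < 3; i++) {
        char c[5];
        chars_of(samples[i], c);
        printf("%08x chars=\"%s\" kind=%s kernel=%d\n", samples[i], c,
               names[classify_ptr(samples[i])], is_kernel_va32(samples[i]));
    }
    return 0;
}
```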

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
