Crash Dump Analysis Patterns (Part 121)

In addition to the Hooked Functions pattern we should also pay attention to Hooking Level. The latter is the number of patched functions. Often value-added hooksware has configuration options that fine-tune hooking behavior. For example, an application with fewer patched functions behaved incorrectly, and two process user dumps were saved from the working and non-working environments:

0:000> * problem behavior

0:000> !chkimg -lo 50 -d !user32 -v
Searching for module with expression: !user32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\user32.dll\49E0380E9d000\user32.dll
No range specified

Scanning section:    .text
Size: 422527
Range to scan: 76e31000-76e9827f
    76e3d6f8-76e3d6fc  5 bytes - user32!NtUserSetThreadDesktop
 [ b8 30 12 00 00:e9 03 29 13 09 ]
    76e3dc2a-76e3dc2e  5 bytes - user32!CreateWindowExA (+0x532)
 [ 8b ff 55 8b ec:e9 d1 23 15 09 ]
    76e3f8f8-76e3f8fc  5 bytes - user32!PostMessageA (+0x1cce)
 [ 8b ff 55 8b ec:e9 03 07 fa 08 ]
    76e41305-76e41309  5 bytes - user32!CreateWindowExW (+0x1a0d)
 [ 8b ff 55 8b ec:e9 f6 ec 13 09 ]
    76e435e3-76e435e7  5 bytes - user32!NtUserSetWindowPos (+0x22de)
 [ b8 38 12 00 00:e9 18 ca 11 09 ]
    76e48343-76e48347  5 bytes - user32!PeekMessageA (+0x4d60)
 [ 8b ff 55 8b ec:e9 b8 7c fb 08 ]
    76e48ab3-76e48ab7  5 bytes - user32!GetMessageA (+0x770)
 [ 8b ff 55 8b ec:e9 48 75 fd 08 ]
    76e4a175-76e4a179  5 bytes - user32!PostMessageW (+0x16c2)
 [ 8b ff 55 8b ec:e9 86 5e f8 08 ]
    76e4fef7-76e4fefb  5 bytes - user32!GetMessageW (+0x5d82)
 [ 8b ff 55 8b ec:e9 04 01 fc 08 ]
    76e5045a-76e5045e  5 bytes - user32!PeekMessageW (+0x563)
 [ 8b ff 55 8b ec:e9 a1 fb f9 08 ]
    76e8d37d-76e8d381  5 bytes - user32!MessageBoxTimeoutW (+0x3cf23)
 [ 8b ff 55 8b ec:e9 7e 2c fd 08 ]
    76e8d4d9-76e8d4dd  5 bytes - user32!MessageBoxIndirectA (+0x15c)
 [ 8b ff 55 8b ec:e9 22 2b ff 08 ]
    76e8d5d3-76e8d5d7  5 bytes - user32!MessageBoxIndirectW (+0xfa)
 [ 8b ff 55 8b ec:e9 28 2a fe 08 ]
    76e8d65d-76e8d661  5 bytes - user32!MessageBoxExW (+0x8a)
 [ 8b ff 55 8b ec:e9 9e 29 00 09 ]
Total bytes compared: 422527(100%)
Number of errors: 70
70 errors : !user32 (76e3d6f8-76e8d661)

0:000> u EnumDisplayDevicesW
user32!EnumDisplayDevicesW:
76e3ba5b 8bff            mov     edi,edi
76e3ba5d 55              push    ebp
76e3ba5e 8bec            mov     ebp,esp
76e3ba60 81ec54030000    sub     esp,354h
76e3ba66 a1c090e976      mov     eax,dword ptr [user32!__security_cookie (76e990c0)]
76e3ba6b 33c5            xor     eax,ebp
76e3ba6d 8945fc          mov     dword ptr [ebp-4],eax
76e3ba70 53              push    ebx

0:000> * expected behavior

0:000> !chkimg -lo 50 -d !user32 -v
Searching for module with expression: !user32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\user32.dll\49E0380E9d000\user32.dll
No range specified

Scanning section:    .text
Size: 422527
Range to scan: 76e31000-76e9827f
    76e39c11-76e39c15  5 bytes - user32!MonitorFromPoint
 [ 6a 08 68 50 9c:e9 ea 63 10 09 ]
    76e3b8ea-76e3b8ee  5 bytes - user32!GetMonitorInfoA (+0x1cd9)
 [ 8b ff 55 8b ec:e9 11 47 12 09 ]
    76e3ba5b-76e3ba5f  5 bytes - user32!EnumDisplayDevicesW (+0x171)
 [ 8b ff 55 8b ec:e9 a0 45 0b 09 ]
    76e3d6f8-76e3d6fa  3 bytes - user32!NtUserSetThreadDesktop (+0x1c9d)
 [ b8 30 12:e9 03 29 ]
    76e3d6fc - user32!NtUserSetThreadDesktop+4 (+0x04)
 [ 00:09 ]
    76e3dc2a-76e3dc2e  5 bytes - user32!CreateWindowExA (+0x52e)
 [ 8b ff 55 8b ec:e9 d1 23 15 09 ]
    76e3e7cd-76e3e7d1  5 bytes - user32!SetWindowLongA (+0xba3)
 [ 8b ff 55 8b ec:e9 2e 18 03 09 ]
    76e3f8f8-76e3f8fc  5 bytes - user32!PostMessageA (+0x112b)
 [ 8b ff 55 8b ec:e9 03 07 e7 08 ]
    76e41305-76e41309  5 bytes - user32!CreateWindowExW (+0x1a0d)
 [ 8b ff 55 8b ec:e9 f6 ec 13 09 ]
    76e413b4-76e413b8  5 bytes - user32!SetWindowLongW (+0xaf)
 [ 8b ff 55 8b ec:e9 47 ec 03 09 ]
    76e41709-76e4170d  5 bytes - user32!MonitorFromRect (+0x355)
 [ 6a 08 68 48 17:e9 f2 e8 0e 09 ]
    76e435e3-76e435e7  5 bytes - user32!NtUserSetWindowPos (+0x1eda)
 [ b8 38 12 00 00:e9 18 ca fe 08 ]
    76e440c5-76e440c9  5 bytes - user32!EnumDisplaySettingsExW (+0xae2)
 [ 8b ff 55 8b ec:e9 36 bf 06 09 ]
    76e441a1-76e441a5  5 bytes - user32!EnumDisplaySettingsW (+0xdc)
 [ 8b ff 55 8b ec:e9 5a be 08 09 ]
    76e46d4a-76e46d4e  5 bytes - user32!EnumDisplayDevicesA (+0x2ba9)
 [ 8b ff 55 8b ec:e9 b1 92 0b 09 ]
    76e46fe6-76e46fea  5 bytes - user32!EnumDisplaySettingsA (+0x29c)
 [ 8b ff 55 8b ec:e9 15 90 09 09 ]
    76e47010-76e47014  5 bytes - user32!EnumDisplaySettingsExA (+0x2a)
 [ 8b ff 55 8b ec:e9 eb 8f 07 09 ]
    76e47d12-76e47d16  5 bytes - user32!GetMonitorInfoW (+0xd02)
 [ 8b ff 55 8b ec:e9 e9 82 10 09 ]
    76e48343-76e48347  5 bytes - user32!PeekMessageA (+0x631)
 [ 8b ff 55 8b ec:e9 b8 7c e8 08 ]
    76e4844c-76e48450  5 bytes - user32!NtUserEnumDisplayMonitors (+0x109)
 [ b8 81 11 00 00:e9 af 7b 0c 09 ]
    76e488d4-76e488d8  5 bytes - user32!MonitorFromWindow (+0x488)
 [ 6a 08 68 28 89:e9 27 77 0d 09 ]
    76e48ab3-76e48ab7  5 bytes - user32!GetMessageA (+0x1df)
 [ 8b ff 55 8b ec:e9 48 75 ea 08 ]
    76e49994-76e49998  5 bytes - user32!GetWindowLongA (+0xee1)
 [ 6a 08 68 d0 99:e9 67 66 00 09 ]
    76e49af1-76e49af5  5 bytes - user32!GetSystemMetrics (+0x15d)
 [ 6a 0c 68 58 9b:e9 0a 65 12 09 ]
    76e4a175-76e4a179  5 bytes - user32!PostMessageW (+0x684)
 [ 8b ff 55 8b ec:e9 86 5e e5 08 ]
    76e4f8bf-76e4f8c3  5 bytes - user32!GetWindowLongW (+0x574a)
 [ 6a 08 68 00 f9:e9 3c 07 01 09 ]
    76e4fef7-76e4fefb  5 bytes - user32!GetMessageW (+0x638)
 [ 8b ff 55 8b ec:e9 04 01 e9 08 ]
    76e5045a-76e5045e  5 bytes - user32!PeekMessageW (+0x563)
 [ 8b ff 55 8b ec:e9 a1 fb e6 08 ]
    76e8d37d-76e8d381  5 bytes - user32!MessageBoxTimeoutW (+0x3cf23)
 [ 8b ff 55 8b ec:e9 7e 2c ea 08 ]
    76e8d4d9-76e8d4dd  5 bytes - user32!MessageBoxIndirectA (+0x15c)
 [ 8b ff 55 8b ec:e9 22 2b ec 08 ]
    76e8d5d3-76e8d5d7  5 bytes - user32!MessageBoxIndirectW (+0xfa)
 [ 8b ff 55 8b ec:e9 28 2a eb 08 ]
    76e8d65d-76e8d661  5 bytes - user32!MessageBoxExW (+0x8a)
 [ 8b ff 55 8b ec:e9 9e 29 ed 08 ]
Total bytes compared: 422527(100%)
Number of errors: 154
154 errors : !user32 (76e39c11-76e8d661)

0:000> u EnumDisplayDevicesW
user32!EnumDisplayDevicesW:
76e3ba5b e9a0450b09      jmp     7fef0000
76e3ba60 81ec54030000    sub     esp,354h
76e3ba66 a1c090e976      mov     eax,dword ptr [user32!__security_cookie (76e990c0)]
76e3ba6b 33c5            xor     eax,ebp
76e3ba6d 8945fc          mov     dword ptr [ebp-4],eax
76e3ba70 53              push    ebx
76e3ba71 56              push    esi
76e3ba72 8b7510          mov     esi,dword ptr [ebp+10h]
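
As an added example (not from the original post), a small Python helper that parses !chkimg -v listings like the two above, computes the Hooking Level as the number of distinct patched functions (folding split entries such as NtUserSetThreadDesktop and NtUserSetThreadDesktop+4 into one function, so the raw "Number of errors" is not mistaken for the level), and reports which functions are hooked in the expected dump but missing from the problem dump. The excerpts it runs on are constructed from the listings above, not complete output.

```python
import re
from typing import Dict, Set

# Per-function lines of "!chkimg -v" output, e.g.
#   "    76e3ba5b-76e3ba5f  5 bytes - user32!EnumDisplayDevicesW (+0x171)"
#   "    76e3d6fc - user32!NtUserSetThreadDesktop+4 (+0x04)"   (single-byte entry)
HOOK_LINE = re.compile(r"^\s*[0-9a-f]+(?:-[0-9a-f]+\s+\d+\s+bytes)?\s+-\s+(\S+)", re.I)

def hooked_functions(chkimg_output: str) -> Set[str]:
    """Symbols !chkimg reported as patched; 'Function+4' entries fold into 'Function'."""
    hooked = set()
    for line in chkimg_output.splitlines():
        m = HOOK_LINE.match(line)
        if m:
            hooked.add(m.group(1).split("+", 1)[0])
    return hooked

def hooking_level(chkimg_output: str) -> int:
    """Hooking Level: number of distinct patched functions, not the raw error count."""
    return len(hooked_functions(chkimg_output))

def compare_hooking(problem: str, expected: str) -> Dict[str, Set[str]]:
    """Which functions are hooked in only one of the two dumps, and which in both."""
    p, e = hooked_functions(problem), hooked_functions(expected)
    return {"only_in_problem": p - e, "only_in_expected": e - p, "common": p & e}

# Constructed excerpts in the format of the !chkimg listings above (not full output).
PROBLEM_DUMP = """\
Scanning section:    .text
    76e3d6f8-76e3d6fc  5 bytes - user32!NtUserSetThreadDesktop
 [ b8 30 12 00 00:e9 03 29 13 09 ]
    76e3dc2a-76e3dc2e  5 bytes - user32!CreateWindowExA (+0x532)
 [ 8b ff 55 8b ec:e9 d1 23 15 09 ]
Total bytes compared: 422527(100%)
"""
EXPECTED_DUMP = """\
    76e3ba5b-76e3ba5f  5 bytes - user32!EnumDisplayDevicesW (+0x171)
 [ 8b ff 55 8b ec:e9 a0 45 0b 09 ]
    76e3d6f8-76e3d6fa  3 bytes - user32!NtUserSetThreadDesktop (+0x1c9d)
 [ b8 30 12:e9 03 29 ]
    76e3d6fc - user32!NtUserSetThreadDesktop+4 (+0x04)
 [ 00:09 ]
    76e3dc2a-76e3dc2e  5 bytes - user32!CreateWindowExA (+0x52e)
 [ 8b ff 55 8b ec:e9 d1 23 15 09 ]
"""

if __name__ == "__main__":
    print("problem hooking level:", hooking_level(PROBLEM_DUMP))
    print("expected hooking level:", hooking_level(EXPECTED_DUMP))
    print("hooked only in expected:", compare_hooking(PROBLEM_DUMP, EXPECTED_DUMP)["only_in_expected"])
```

Feeding the full listings from the two dumps instead of the excerpts gives the per-function difference that the raw 70 vs 154 error counts only hint at.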

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -