Crash Dump Analysis Patterns (Part 121)
Saturday, December 11th, 2010

In addition to the Hooked Functions pattern we should also pay attention to Hooking Level. The latter is the number of patched functions. Often value-added hooksware has configuration options that fine-tune hooking behavior. For example, an application behaved incorrectly in the environment with fewer patched functions, and two process user dumps were saved from the working and non-working environments:
0:000> * problem behavior
0:000> !chkimg -lo 50 -d !user32 -v
Searching for module with expression: !user32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\user32.dll\49E0380E9d000\user32.dll
No range specified
Scanning section: .text
Size: 422527
Range to scan: 76e31000-76e9827f
76e3d6f8-76e3d6fc 5 bytes - user32!NtUserSetThreadDesktop
[ b8 30 12 00 00:e9 03 29 13 09 ]
76e3dc2a-76e3dc2e 5 bytes - user32!CreateWindowExA (+0x532)
[ 8b ff 55 8b ec:e9 d1 23 15 09 ]
76e3f8f8-76e3f8fc 5 bytes - user32!PostMessageA (+0x1cce)
[ 8b ff 55 8b ec:e9 03 07 fa 08 ]
76e41305-76e41309 5 bytes - user32!CreateWindowExW (+0x1a0d)
[ 8b ff 55 8b ec:e9 f6 ec 13 09 ]
76e435e3-76e435e7 5 bytes - user32!NtUserSetWindowPos (+0x22de)
[ b8 38 12 00 00:e9 18 ca 11 09 ]
76e48343-76e48347 5 bytes - user32!PeekMessageA (+0x4d60)
[ 8b ff 55 8b ec:e9 b8 7c fb 08 ]
76e48ab3-76e48ab7 5 bytes - user32!GetMessageA (+0x770)
[ 8b ff 55 8b ec:e9 48 75 fd 08 ]
76e4a175-76e4a179 5 bytes - user32!PostMessageW (+0x16c2)
[ 8b ff 55 8b ec:e9 86 5e f8 08 ]
76e4fef7-76e4fefb 5 bytes - user32!GetMessageW (+0x5d82)
[ 8b ff 55 8b ec:e9 04 01 fc 08 ]
76e5045a-76e5045e 5 bytes - user32!PeekMessageW (+0x563)
[ 8b ff 55 8b ec:e9 a1 fb f9 08 ]
76e8d37d-76e8d381 5 bytes - user32!MessageBoxTimeoutW (+0x3cf23)
[ 8b ff 55 8b ec:e9 7e 2c fd 08 ]
76e8d4d9-76e8d4dd 5 bytes - user32!MessageBoxIndirectA (+0x15c)
[ 8b ff 55 8b ec:e9 22 2b ff 08 ]
76e8d5d3-76e8d5d7 5 bytes - user32!MessageBoxIndirectW (+0xfa)
[ 8b ff 55 8b ec:e9 28 2a fe 08 ]
76e8d65d-76e8d661 5 bytes - user32!MessageBoxExW (+0x8a)
[ 8b ff 55 8b ec:e9 9e 29 00 09 ]
Total bytes compared: 422527(100%)
Number of errors: 70
70 errors : !user32 (76e3d6f8-76e8d661)
0:000> u EnumDisplayDevicesW
user32!EnumDisplayDevicesW:
76e3ba5b 8bff mov edi,edi
76e3ba5d 55 push ebp
76e3ba5e 8bec mov ebp,esp
76e3ba60 81ec54030000 sub esp,354h
76e3ba66 a1c090e976 mov eax,dword ptr [user32!__security_cookie (76e990c0)]
76e3ba6b 33c5 xor eax,ebp
76e3ba6d 8945fc mov dword ptr [ebp-4],eax
76e3ba70 53 push ebx
0:000> * expected behavior
0:000> !chkimg -lo 50 -d !user32 -v
Searching for module with expression: !user32
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\mss\user32.dll\49E0380E9d000\user32.dll
No range specified
Scanning section: .text
Size: 422527
Range to scan: 76e31000-76e9827f
76e39c11-76e39c15 5 bytes - user32!MonitorFromPoint
[ 6a 08 68 50 9c:e9 ea 63 10 09 ]
76e3b8ea-76e3b8ee 5 bytes - user32!GetMonitorInfoA (+0x1cd9)
[ 8b ff 55 8b ec:e9 11 47 12 09 ]
76e3ba5b-76e3ba5f 5 bytes - user32!EnumDisplayDevicesW (+0x171)
[ 8b ff 55 8b ec:e9 a0 45 0b 09 ]
76e3d6f8-76e3d6fa 3 bytes - user32!NtUserSetThreadDesktop (+0x1c9d)
[ b8 30 12:e9 03 29 ]
76e3d6fc - user32!NtUserSetThreadDesktop+4 (+0x04)
[ 00:09 ]
76e3dc2a-76e3dc2e 5 bytes - user32!CreateWindowExA (+0x52e)
[ 8b ff 55 8b ec:e9 d1 23 15 09 ]
76e3e7cd-76e3e7d1 5 bytes - user32!SetWindowLongA (+0xba3)
[ 8b ff 55 8b ec:e9 2e 18 03 09 ]
76e3f8f8-76e3f8fc 5 bytes - user32!PostMessageA (+0x112b)
[ 8b ff 55 8b ec:e9 03 07 e7 08 ]
76e41305-76e41309 5 bytes - user32!CreateWindowExW (+0x1a0d)
[ 8b ff 55 8b ec:e9 f6 ec 13 09 ]
76e413b4-76e413b8 5 bytes - user32!SetWindowLongW (+0xaf)
[ 8b ff 55 8b ec:e9 47 ec 03 09 ]
76e41709-76e4170d 5 bytes - user32!MonitorFromRect (+0x355)
[ 6a 08 68 48 17:e9 f2 e8 0e 09 ]
76e435e3-76e435e7 5 bytes - user32!NtUserSetWindowPos (+0x1eda)
[ b8 38 12 00 00:e9 18 ca fe 08 ]
76e440c5-76e440c9 5 bytes - user32!EnumDisplaySettingsExW (+0xae2)
[ 8b ff 55 8b ec:e9 36 bf 06 09 ]
76e441a1-76e441a5 5 bytes - user32!EnumDisplaySettingsW (+0xdc)
[ 8b ff 55 8b ec:e9 5a be 08 09 ]
76e46d4a-76e46d4e 5 bytes - user32!EnumDisplayDevicesA (+0x2ba9)
[ 8b ff 55 8b ec:e9 b1 92 0b 09 ]
76e46fe6-76e46fea 5 bytes - user32!EnumDisplaySettingsA (+0x29c)
[ 8b ff 55 8b ec:e9 15 90 09 09 ]
76e47010-76e47014 5 bytes - user32!EnumDisplaySettingsExA (+0x2a)
[ 8b ff 55 8b ec:e9 eb 8f 07 09 ]
76e47d12-76e47d16 5 bytes - user32!GetMonitorInfoW (+0xd02)
[ 8b ff 55 8b ec:e9 e9 82 10 09 ]
76e48343-76e48347 5 bytes - user32!PeekMessageA (+0x631)
[ 8b ff 55 8b ec:e9 b8 7c e8 08 ]
76e4844c-76e48450 5 bytes - user32!NtUserEnumDisplayMonitors (+0x109)
[ b8 81 11 00 00:e9 af 7b 0c 09 ]
76e488d4-76e488d8 5 bytes - user32!MonitorFromWindow (+0x488)
[ 6a 08 68 28 89:e9 27 77 0d 09 ]
76e48ab3-76e48ab7 5 bytes - user32!GetMessageA (+0x1df)
[ 8b ff 55 8b ec:e9 48 75 ea 08 ]
76e49994-76e49998 5 bytes - user32!GetWindowLongA (+0xee1)
[ 6a 08 68 d0 99:e9 67 66 00 09 ]
76e49af1-76e49af5 5 bytes - user32!GetSystemMetrics (+0x15d)
[ 6a 0c 68 58 9b:e9 0a 65 12 09 ]
76e4a175-76e4a179 5 bytes - user32!PostMessageW (+0x684)
[ 8b ff 55 8b ec:e9 86 5e e5 08 ]
76e4f8bf-76e4f8c3 5 bytes - user32!GetWindowLongW (+0x574a)
[ 6a 08 68 00 f9:e9 3c 07 01 09 ]
76e4fef7-76e4fefb 5 bytes - user32!GetMessageW (+0x638)
[ 8b ff 55 8b ec:e9 04 01 e9 08 ]
76e5045a-76e5045e 5 bytes - user32!PeekMessageW (+0x563)
[ 8b ff 55 8b ec:e9 a1 fb e6 08 ]
76e8d37d-76e8d381 5 bytes - user32!MessageBoxTimeoutW (+0x3cf23)
[ 8b ff 55 8b ec:e9 7e 2c ea 08 ]
76e8d4d9-76e8d4dd 5 bytes - user32!MessageBoxIndirectA (+0x15c)
[ 8b ff 55 8b ec:e9 22 2b ec 08 ]
76e8d5d3-76e8d5d7 5 bytes - user32!MessageBoxIndirectW (+0xfa)
[ 8b ff 55 8b ec:e9 28 2a eb 08 ]
76e8d65d-76e8d661 5 bytes - user32!MessageBoxExW (+0x8a)
[ 8b ff 55 8b ec:e9 9e 29 ed 08 ]
Total bytes compared: 422527(100%)
Number of errors: 154
154 errors : !user32 (76e39c11-76e8d661)
0:000> u EnumDisplayDevicesW
user32!EnumDisplayDevicesW:
76e3ba5b e9a0450b09 jmp 7fef0000
76e3ba60 81ec54030000 sub esp,354h
76e3ba66 a1c090e976 mov eax,dword ptr [user32!__security_cookie (76e990c0)]
76e3ba6b 33c5 xor eax,ebp
76e3ba6d 8945fc mov dword ptr [ebp-4],eax
76e3ba70 53 push ebx
76e3ba71 56 push esi
76e3ba72 8b7510 mov esi,dword ptr [ebp+10h]
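Comparing two !chkimg listings by eye is error-prone once the Hooking Level runs into dozens of functions, so the following Python, an added example that is not part of the post, parses the listing format shown above, counts the hooked functions, reports which ones are hooked in only one environment, and decodes the 5-byte e9 jmp that chkimg reports (which reproduces the jmp 7fef0000 seen in the u output for EnumDisplayDevicesW). It runs on constructed excerpts of the two listings; the split NtUserSetThreadDesktop entry shows the case where one rel32 byte coincides with the original code and the target cannot be recovered from chkimg alone.

```python
import re
from typing import Dict, Optional, Set

# Constructed excerpts of the two "!chkimg -v" listings above, not the full output.
PROBLEM_DUMP = """\
76e3d6f8-76e3d6fc 5 bytes - user32!NtUserSetThreadDesktop
[ b8 30 12 00 00:e9 03 29 13 09 ]
"""
EXPECTED_DUMP = """\
76e3ba5b-76e3ba5f 5 bytes - user32!EnumDisplayDevicesW (+0x171)
[ 8b ff 55 8b ec:e9 a0 45 0b 09 ]
76e3d6f8-76e3d6fa 3 bytes - user32!NtUserSetThreadDesktop (+0x1c9d)
[ b8 30 12:e9 03 29 ]
76e3d6fc - user32!NtUserSetThreadDesktop+4 (+0x04)
[ 00:09 ]
"""

# "<start>[-<end>] [N bytes] - module!func[+off] [(+0x..)]" then "[ orig:patched ]"
ENTRY = re.compile(r"^([0-9a-f]+)(?:-[0-9a-f]+)?\s+(?:\d+ bytes\s+)?-\s+(\S+)")
BYTES = re.compile(r"^\[ [0-9a-f ]+:([0-9a-f ]+) \]$")

def parse_chkimg(text: str) -> Dict[str, Dict[int, int]]:
    """Map each hooked function to {address: patched byte}."""
    hooks: Dict[str, Dict[int, int]] = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY.match(line)
        if not m:
            continue
        start, func = int(m.group(1), 16), m.group(2).split("+")[0]
        patched = BYTES.match(lines[i + 1]).group(1).split()
        # chkimg splits a patch wherever a byte coincides with the original
        # ("func+4" pieces), so merge the pieces by address under one name.
        hooks.setdefault(func, {}).update(
            (start + k, int(b, 16)) for k, b in enumerate(patched))
    return hooks

def jmp_target(patched: Dict[int, int]) -> Optional[int]:
    """Decode a 5-byte "e9 rel32" jmp at the lowest patched address; None when
    a rel32 byte went unprinted (unchanged), so "u <func>" is needed instead."""
    start = min(patched)
    if patched[start] != 0xE9 or any(start + k not in patched for k in range(1, 5)):
        return None
    rel = int.from_bytes(bytes(patched[start + k] for k in range(1, 5)), "little", signed=True)
    return (start + 5 + rel) & 0xFFFFFFFF

def hooking_level(text: str) -> int:  # the pattern's value: distinct patched functions
    return len(parse_chkimg(text))

def only_in(a: str, b: str) -> Set[str]:  # hooked in listing a but not in listing b
    return set(parse_chkimg(a)) - set(parse_chkimg(b))
```

Run against the full listings, only_in(EXPECTED, PROBLEM) lists the 17 display and monitor functions that the working environment hooks and the failing one does not.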
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -