Incomplete session, ALPC and critical section wait chains, blocked thread and dialog box: pattern cooperation

We resume our case studies involving multiple patterns. It was reported that a user couldn’t start a session. A complete memory dump was generated and we found 3 sessions there. Looking at the last one we found it incomplete with only 3 processes (a normal running user session after initialization was expected to have more than 3 processes):

0: kd> !session
Sessions on machine: 3
Valid Sessions: 0 1 2

0: kd> !sprocess 2
Dumping Session 2

_MM_SESSION_SPACE fffffa600a3e1000
_MMSESSION        fffffa600a3e1b40
PROCESS fffffa8007f6c040
SessionId: 2  Cid: 242c    Peb: 7fffffd8000  ParentCid: 2374
DirBase: 58350000  ObjectTable: fffff8800f485630  HandleCount: 192.
Image: csrss.exe

PROCESS fffffa8007de8130
SessionId: 2  Cid: 1a48    Peb: 7fffffde000  ParentCid: 2374
DirBase: 15755000  ObjectTable: fffff8800c742010  HandleCount: 240.
Image: winlogon.exe

PROCESS fffffa8004c2e4a0
SessionId: 2  Cid: 17b8    Peb: 7efdf000  ParentCid: 144c
DirBase: a3b80000  ObjectTable: fffff8800bf1d350  HandleCount: 168.
Image: AppA.exe

Looking at AppA process we find its main thread blocked in ALPC request directed to ServiceA process:

0: kd> !process fffffa8004c2e4a0 ff
PROCESS fffffa8004c2e4a0
SessionId: 2  Cid: 17b8    Peb: 7efdf000  ParentCid: 144c
DirBase: a3b80000  ObjectTable: fffff8800bf1d350  HandleCount: 168.
Image: AppA.exe
VadRoot fffffa8006d7f310 Vads 192 Clone 0 Private 572. Modified 2. Locked 0.
DeviceMap fffff88015685f30
Token                             fffff8800a245050
ElapsedTime                       01:58:00.200
UserTime                          00:00:00.000
KernelTime                        00:00:00.015
QuotaPoolUsage[PagedPool]         140256
QuotaPoolUsage[NonPagedPool]      18368
Working Set Sizes (now,min,max)  (2025, 50, 345) (8100KB, 200KB, 1380KB)
PeakWorkingSetSize                2087
VirtualSize                       74 Mb
PeakVirtualSize                   79 Mb
PageFaultCount                    2351
MemoryPriority                    BACKGROUND
BasePriority                      8
CommitCharge                      741
Job                               fffffa80063de710

THREAD fffffa8006db8440  Cid 17b8.20e0  Teb: 000000007efdb000 Win32Thread: fffff900c0b0c4f0 WAIT: (WrLpcReply) UserMode Non-Alertable
fffffa8006db87d0  Semaphore Limit 0x1
Waiting for reply to ALPC Message fffff8800f487cf0 : queued at port fffffa8004b37d90 : owned by process fffffa8004b11c10
Not impersonating
DeviceMap                 fffff88015685f30
Owning Process            fffffa8004c2e4a0       Image:         AppA.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      4244174        Ticks: 453096 (0:01:57:59.625)
Context Switch Count      132                 LargeStack
UserTime                  00:00:00.031
KernelTime                00:00:00.109
Win32 Start Address AppA!WinMainCRTStartup (0×00000000658c9866)
Stack Init fffffa6008832db0 Current fffffa6008832670
Base fffffa6008833000 Limit fffffa600882a000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffffa60`088326b0 fffff800`01e5ccfa nt!KiSwapContext+0×7f
fffffa60`088327f0 fffff800`01e519bb nt!KiSwapThread+0×13a
fffffa60`08832860 fffff800`01e86b12 nt!KeWaitForSingleObject+0×2cb
fffffa60`088328f0 fffff800`020d40b4 nt!AlpcpSignalAndWait+0×92
fffffa60`08832980 fffff800`020d0b46 nt!AlpcpReceiveSynchronousReply+0×44
fffffa60`088329e0 fffff800`020c06ef nt!AlpcpProcessSynchronousRequest+0×24f
fffffa60`08832b00 fffff800`01e5a573 nt!NtAlpcSendWaitReceivePort+0×19f
fffffa60`08832bb0 00000000`77cb76ca nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`08832c20)
00000000`000be3f8 00000000`7578993f ntdll!ZwAlpcSendWaitReceivePort+0xa
00000000`000be400 00000000`7577a996 wow64!whNtAlpcSendWaitReceivePort+0×5f
00000000`000be450 00000000`75813688 wow64!Wow64SystemServiceEx+0xca
00000000`000bed00 00000000`7577ab46 wow64cpu!ServiceNoTurbo+0×28
00000000`000bed90 00000000`7577a14c wow64!RunCpuSimulation+0xa
00000000`000bedc0 00000000`77cabbb3 wow64!Wow64LdrpInitialize+0×4b4
00000000`000bf320 00000000`77cab83c ntdll!LdrpInitializeProcess+0×13eb
00000000`000bf5c0 00000000`77c9660e ntdll! ?? ::FNODOBFM::`string’+0×1fbc9
00000000`000bf670 00000000`00000000 ntdll!LdrInitializeThunk+0xe

0: kd> !alpc /m fffff8800f487cf0

Message @ fffff8800f487cf0
MessageID             : 0x0640 (1600)
CallbackID            : 0x36C184 (3588484)
SequenceNumber        : 0x00000002 (2)
Type                  : LPC_REQUEST
DataLength            : 0x0048 (72)
TotalLength           : 0x0070 (112)
Canceled              : No
Release               : No
ReplyWaitReply        : No
Continuation          : Yes
OwnerPort             : fffffa80061946c0 [ALPC_CLIENT_COMMUNICATION_PORT]
WaitingThread         : fffffa8006db8440
QueueType             : ALPC_MSGQUEUE_PENDING
QueuePort             : fffffa8004b37d90 [ALPC_CONNECTION_PORT]
QueuePortOwnerProcess : fffffa8004b11c10 (ServiceA.exe)
ServerThread          : fffffa80066d44b0
QuotaCharged          : No
CancelQueuePort       : 0000000000000000
CancelSequencePort    : 0000000000000000
CancelSequenceNumber  : 0×00000000 (0)
ClientContext         : 00000000007a5630
ServerContext         : 0000000000000000
PortContext           : 0000000005aa3ef0
CancelPortContext     : 0000000000000000
SecurityData          : 0000000000000000
View                  : 0000000000000000

0: kd> !thread fffffa80066d44b0 ff
THREAD fffffa80066d44b0  Cid 07d0.1bec  Teb: 000007fffffa2000 Win32Thread: 0000000000000000 WAIT: (UserRequest) UserMode Non-Alertable
fffffa800728e420  SynchronizationEvent
Impersonation token:  fffff8800a245050 (Level Impersonation)
DeviceMap                 fffff88015685f30
Owning Process            fffffa8004b11c10       Image:         ServiceA.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      4244188        Ticks: 453082 (0:01:57:59.406)
Context Switch Count      43
UserTime                  00:00:00.015
KernelTime                00:00:00.000
Win32 Start Address RPCRT4!ThreadStartRoutine (0×000007feff787780)
Stack Init fffffa6009abbdb0 Current fffffa6009abb940
Base fffffa6009abc000 Limit fffffa6009ab6000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
Child-SP          RetAddr           Call Site
fffffa60`09abb980 fffff800`01e5ccfa nt!KiSwapContext+0×7f
fffffa60`09abbac0 fffff800`01e519bb nt!KiSwapThread+0×13a
fffffa60`09abbb30 fffff800`020be7c8 nt!KeWaitForSingleObject+0×2cb
fffffa60`09abbbc0 fffff800`01e5a573 nt!NtWaitForSingleObject+0×98
fffffa60`09abbc20 00000000`77cb6eba nt!KiSystemServiceCopyEnd+0×13 (TrapFrame @ fffffa60`09abbc20)
00000000`096eedb8 00000000`77c9577a ntdll!ZwWaitForSingleObject+0xa
00000000`096eedc0 00000000`77c95671 ntdll!RtlpWaitOnCriticalSection+0xea
00000000`096eee70 00000000`667dfe24 ntdll!RtlEnterCriticalSection+0xf4

[…]

If we examine ServiceA process we fined a critical section wait chain where a endpoint is blocked in a dialog box:

0: kd> .process /r /p fffffa8004b11c10
Implicit process is now fffffa80`04b11c10
Loading User Symbols

0: kd> !cs -l -o -s
-----------------------------------------
DebugInfo          = 0x00000000003a4880
Critical section   = 0x000000006684d4c0
LOCKED
LockCount          = 0×3
WaiterWoken        = No
OwningThread       = 0×00000000000023f0
RecursionCount     = 0×1
LockSemaphore      = 0×608
SpinCount          = 0×0000000000000000
OwningThread       = .thread fffffa8006948650
ntdll!RtlpStackTraceDataBase is NULL. Probably the stack traces are not enabled.
—————————————–
DebugInfo          = 0×00000000003b7140
Critical section   = 0×000000000023f188 (+0×23F188)
LOCKED
LockCount          = 0×2
WaiterWoken        = No
OwningThread       = 0×0000000000000a38
RecursionCount     = 0×1
LockSemaphore      = 0×344
SpinCount          = 0×0000000000000000
OwningThread       = .thread fffffa8005d3ebb0
ntdll!RtlpStackTraceDataBase is NULL. Probably the stack traces are not enabled.

0: kd> .thread /r /p fffffa8006948650
Implicit thread is now fffffa80`06948650
Implicit process is now fffffa80`04b11c10
Loading User Symbols

0: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
fffffa60`0b5ed980 fffff800`01e5ccfa nt!KiSwapContext+0x7f
fffffa60`0b5edac0 fffff800`01e519bb nt!KiSwapThread+0x13a
fffffa60`0b5edb30 fffff800`020be7c8 nt!KeWaitForSingleObject+0x2cb
fffffa60`0b5edbc0 fffff800`01e5a573 nt!NtWaitForSingleObject+0x98
fffffa60`0b5edc20 00000000`77cb6eba nt!KiSystemServiceCopyEnd+0x13
00000000`089cef08 00000000`77c9577a ntdll!ZwWaitForSingleObject+0xa
00000000`089cef10 00000000`77c95671 ntdll!RtlpWaitOnCriticalSection+0xea
00000000`089cefc0 00000000`667e0ad7 ntdll!RtlEnterCriticalSection+0xf4

[…]

0: kd> .thread /r /p fffffa8005d3ebb0
Implicit thread is now fffffa80`05d3ebb0
Implicit process is now fffffa80`04b11c10
Loading User Symbols

0: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP          RetAddr           Call Site
fffffa60`02ed4c50 fffff800`01e5ccfa nt!KiSwapContext+0x7f
fffffa60`02ed4d90 fffff800`01e625eb nt!KiSwapThread+0x13a
fffffa60`02ed4e00 fffff800`020bfc2e nt!KeWaitForMultipleObjects+0x2eb
fffffa60`02ed4e80 fffff800`020c0273 nt!ObpWaitForMultipleObjects+0x26e
fffffa60`02ed5340 fffff800`01e5a573 nt!NtWaitForMultipleObjects+0xe2
fffffa60`02ed5590 00000000`77cb742a nt!KiSystemServiceCopyEnd+0x13
00000000`034de248 00000000`77a8aff3 ntdll!NtWaitForMultipleObjects+0xa
00000000`034de250 00000000`77bbe2b5 kernel32!WaitForMultipleObjectsEx+0x10b
00000000`034de360 000007fe`fc3d14f2 USER32!RealMsgWaitForMultipleObjectsEx+0x129
00000000`034de400 000007fe`fc3d190f DUser!CoreSC::Wait+0x62
00000000`034de450 000007fe`fc3d188a DUser!CoreSC::WaitMessage+0x6f
00000000`034de490 00000000`77bc538e DUser!MphWaitMessageEx+0x36
00000000`034de4c0 00000000`77cb6db6 USER32!_ClientWaitMessageExMPH+0x1a
00000000`034de510 00000000`77bbd2ba ntdll!KiUserCallbackDispatcherContinue
00000000`034de578 00000000`77bc5118 USER32!NtUserWaitMessage+0xa
00000000`034de580 00000000`77bc5770 USER32!DialogBox2+0×261
00000000`034de600 00000000`77bc57e6 USER32!InternalDialogBox+0×134
00000000`034de660 00000000`77bc5e18 USER32!DialogBoxIndirectParamAorW+0×58
00000000`034de6a0 000007fe`fcf349a6 USER32!DialogBoxIndirectParamW+0×18

[…]

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Leave a Reply

You must be logged in to post a comment.