Crash Dump Analysis Patterns (Part 117b)

Sunday, May 14th, 2017

This is another variant of the Invalid Parameter pattern, where an invalid parameter is passed to either a statically or a dynamically linked C runtime function. Exception codes may vary, for example c000000d and c0000417, as the following two examples illustrate:

0:000> k
Child-SP          RetAddr           Call Site
00000000`0289e858 00007ff8`cf4f13ed ntdll!NtWaitForMultipleObjects+0xa
00000000`0289e860 00007ff8`d1157d51 KERNELBASE!WaitForMultipleObjectsEx+0xe1
00000000`0289eb40 00007ff8`d1157773 kernel32!WerpReportFaultInternal+0x581
00000000`0289f0b0 00007ff8`cf5d1cdf kernel32!WerpReportFault+0x83
00000000`0289f0e0 00007ff6`f0225095 KERNELBASE!UnhandledExceptionFilter+0x23f
00000000`0289f1d0 00007ff6`f021ec89 ModuleA!_invalid_parameter+0xc5
00000000`0289f790 00007ff6`f01a2636 ModuleA!vswprintf_s+0x79
[…]
00000000`0289fdc0 00007ff8`d20b5454 kernel32!BaseThreadInitThunk+0x22
00000000`0289fdf0 00000000`00000000 ntdll!RtlUserThreadStart+0x34

0:000> !analyze -v
[...]
EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00007ff6f021ec89 (ModuleA!vswprintf_s+0x0000000000000079)
ExceptionCode: c000000d
ExceptionFlags: 00000000
NumberParameters: 0
[…]
EXCEPTION_CODE: (NTSTATUS) 0xc000000d - An invalid parameter was passed to a service or function.

0:000> k
# ChildEBP RetAddr
00 002e6de8 74a01606 ntdll!NtWaitForMultipleObjects+0xc
01 002e6f7c 74a014b8 KERNELBASE!WaitForMultipleObjectsEx+0x136
02 002e6f98 7431a02a KERNELBASE!WaitForMultipleObjects+0x18
03 002e73d4 74319ac6 kernel32!WerpReportFaultInternal+0x545
04 002e73e4 742fcf09 kernel32!WerpReportFault+0x7a
05 002e73ec 74a1a013 kernel32!BasepReportFault+0x19
06 002e7480 73edcc2c KERNELBASE!UnhandledExceptionFilter+0x1b3
07 002e77b8 73ea75b4 msvcr90!_invoke_watson+0xf9
08 002e77e0 5f29a294 msvcr90!wcsncpy_s+0x41
09 002e77fc 5f434563 ModuleB+0x6a294
[…]
44 002efda8 76f19e54 kernel32!BaseThreadInitThunk+0x24
45 002efdf0 76f19e1f ntdll!__RtlUserThreadStart+0x2f
46 002efe00 00000000 ntdll!_RtlUserThreadStart+0x1b

0:000> !analyze -v
[...]
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 73ea75b4 (msvcr90!wcsncpy_s+0x00000041)
ExceptionCode: c0000417
ExceptionFlags: 00000001
NumberParameters: 0
[…]
EXCEPTION_CODE: (NTSTATUS) 0xc0000417 - An invalid parameter was passed to a C runtime function.

Where possible, we can inspect the parameters passed to the C runtime function. In 32-bit memory dumps the first 3 parameters appear in the output of the kv WinDbg command; inspecting more than 3 parameters requires analysis of the raw stack region. In 64-bit memory dumps, where parameters are passed in registers, we may need to disassemble the caller's code (via the ub WinDbg command) to find where the values came from.
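The following Python script is an added triage helper, not part of the original post or of WinDbg. It recognises the pattern above in pasted WinDbg text by locating the CRT frame that raised the exception (_invalid_parameter for a statically linked CRT, _invoke_watson for a dynamically linked one, both as shown in the two stacks), reports the C runtime function that rejected its argument and the frame that called it, and suggests the next WinDbg step from the paragraph above according to the dump's bitness. The sample inputs are abridged copies of the two sessions in the post; the bitness test (backtick-separated 64-bit addresses) and the regular expression for a stack frame are assumptions about the k output format.

```python
"""Triage helper for the Invalid Parameter (CRT) crash dump pattern.

Added example: parses WinDbg 'k' and '!analyze -v' text and reports the
CRT function that rejected its argument, its caller, and the next command.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# NTSTATUS codes quoted in the post for this pattern.
INVALID_PARAMETER_CODES = {
    0xC000000D: "An invalid parameter was passed to a service or function.",
    0xC0000417: "An invalid parameter was passed to a C runtime function.",
}

# Frames that raise the exception: _invalid_parameter in a statically linked
# CRT, _invoke_watson in a dynamically linked one (msvcr90 in the post).
HANDLER_FUNCTIONS = ("_invalid_parameter", "_invoke_watson")

# One frame of 'k' output: optional frame number (32-bit), two addresses
# (64-bit ones contain a backtick), then the call site. Assumed format;
# header lines and prompts do not match.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{2}\s+)?[0-9a-f`]+\s+[0-9a-f`]+\s+(?P<site>\S+)$")
ELIDED = {"[...]", "[…]"}


@dataclass
class InvalidParameterHit:
    exception_code: Optional[int]  # from 'ExceptionCode:', if present
    handler_frame: str             # e.g. msvcr90!_invoke_watson+0xf9
    crt_function: str              # e.g. msvcr90!wcsncpy_s+0x41
    caller: Optional[str]          # frame below the CRT function; None if elided
    bitness: int                   # 32 or 64, decides how to inspect parameters

    def next_command(self) -> str:
        # As in the post: kv shows the first 3 parameters on x86 and the raw
        # stack holds the rest; on x64 disassemble the caller with ub.
        if self.bitness == 32:
            return "kv (first 3 parameters), then the raw stack for more"
        return f"ub {self.caller or '<caller address>'}"


def function_name(site: str) -> str:
    """'module!func+0x12' -> 'func'; 'module+0x12' (no symbol) -> ''."""
    if "!" not in site:
        return ""
    return site.split("!", 1)[1].split("+", 1)[0]


def parse_frames(text: str) -> List[Optional[str]]:
    """Return call sites in stack order; None marks an elided '[...]' run."""
    frames: List[Optional[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ELIDED:
            frames.append(None)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(m.group("site"))
    return frames


def parse_exception_code(text: str) -> Optional[int]:
    m = re.search(r"ExceptionCode:\s*([0-9a-fA-F]{8})", text)
    return int(m.group(1), 16) if m else None


def classify(text: str) -> Optional[InvalidParameterHit]:
    """Return a hit when the stack shows the CRT invalid parameter pattern."""
    frames = parse_frames(text)
    bitness = 64 if "`" in text else 32  # assumption: x64 addresses use a backtick
    for i, site in enumerate(frames):
        if site is None or function_name(site) not in HANDLER_FUNCTIONS:
            continue
        if i + 1 >= len(frames) or frames[i + 1] is None:
            return None  # handler without a visible CRT callee: not this pattern
        caller = frames[i + 2] if i + 2 < len(frames) else None
        return InvalidParameterHit(parse_exception_code(text), site,
                                   frames[i + 1], caller, bitness)
    return None


# Sample input: the two sessions from the post, abridged (64-bit and 32-bit).
STACK_64 = """\
0:000> k
Child-SP          RetAddr           Call Site
00000000`0289f0e0 00007ff6`f0225095 KERNELBASE!UnhandledExceptionFilter+0x23f
00000000`0289f1d0 00007ff6`f021ec89 ModuleA!_invalid_parameter+0xc5
00000000`0289f790 00007ff6`f01a2636 ModuleA!vswprintf_s+0x79
[...]
00000000`0289fdf0 00000000`00000000 ntdll!RtlUserThreadStart+0x34
ExceptionCode: c000000d
"""
STACK_32 = """\
0:000> k
 # ChildEBP RetAddr
06 002e7480 73edcc2c KERNELBASE!UnhandledExceptionFilter+0x1b3
07 002e77b8 73ea75b4 msvcr90!_invoke_watson+0xf9
08 002e77e0 5f29a294 msvcr90!wcsncpy_s+0x41
09 002e77fc 5f434563 ModuleB+0x6a294
[...]
ExceptionCode: c0000417
"""

if __name__ == "__main__":
    for sample in (STACK_64, STACK_32):
        hit = classify(sample)
        if hit:
            desc = INVALID_PARAMETER_CODES.get(hit.exception_code, "unknown code")
            print(f"{hit.crt_function} <- {hit.caller or '[elided]'}: {desc}")
            print(f"  next: {hit.next_command()}")
```

On the 64-bit sample the caller is elided in the post, so the script reports it as unknown and still points at ub; on the 32-bit sample it names ModuleB+0x6a294 as the frame whose kv parameters to read first.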

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -