Archive for February, 2024

Crash Dump Analysis Patterns (Part 288)

Friday, February 23rd, 2024

Modern x64 Windows targets may support hardware shadow stacks. In such a case, WinDbg shows this message even if you open a memory dump on computers that do not support it:

This target supports Hardware-enforced Stack Protection. A HW based
"Shadow Stack" may be available to assist in debugging and analysis.
See aka.ms/userhsp for more info.
dps @ssp

The data from shadow stacks may be useful in case of Local Buffer Overflow. In such a case, we can compare the problem Stack Trace with the Shadow Stack Trace that was supposed to be without the stack region corruption.

For example, if see this exception and Incorrect Stack Trace, we can see that the stack trace should have been if the the return address were not modified:

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(5a34.4bb8): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
Subcode: 0×39 FAST_FAIL_CONTROL_INVALID_RETURN_ADDRESS Shadow stack violation

0:000> k
# Child-SP RetAddr Call Site
00 000000fa`b94ffdf8 000002aa`5d420588 user32!GetMessageW+0×5c
01 000000fa`b94ffe00 000002aa`5d420588 0×000002aa`5d420588
02 000000fa`b94ffe08 00000000`00000000 0×000002aa`5d420588

0:000> r
rax=0000000000000001 rbx=000002aa5d420588 rcx=00007ff9c3d31534
rdx=0000000000000000 rsi=0000000000000000 rdi=000002aa5d420530
rip=00007ff9c3ea538c rsp=000000fab94ffdf8 rbp=000002aa5d420588
r8=000000fab94ffd98 r9=0000000000000000 r10=0000000000000000
r11=0000000000000244 r12=00007ff66b204070 r13=0000000000000000
r14=0000000000000001 r15=00000000ffffffff
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
user32!GetMessageW+0x5c:
00007ff9`c3ea538c ret

0:000> dps @rsp L1
000000fa`b94ffdf8 000002aa`5d420588

0:000> dps @ssp
000000fa`b95fefd0 00007ff9`4ae2f877 mfc140u!AfxInternalPumpMessage+0x27
000000fa`b95fefd8 00007ff9`4ae301b1 mfc140u!CWinThread::Run+0x81
000000fa`b95fefe0 00007ff9`4ae63230 mfc140u!AfxWinMain+0xc0
000000fa`b95fefe8 00007ff6`6b135742 mspaint+0xc5742
000000fa`b95feff0 00007ff9`c500257d kernel32!BaseThreadInitThunk+0x1d
000000fa`b95feff8 00007ff9`c618aa58 ntdll!RtlUserThreadStart+0x28
000000fa`b95ff000 ????????`????????
000000fa`b95ff008 ????????`????????
000000fa`b95ff010 ????????`????????
000000fa`b95ff018 ????????`????????
000000fa`b95ff020 ????????`????????
000000fa`b95ff028 ????????`????????
000000fa`b95ff030 ????????`????????
000000fa`b95ff038 ????????`????????
000000fa`b95ff040 ????????`????????
000000fa`b95ff048 ????????`????????

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging, Windows 11, x64 Windows | Comments Off

Trace Analysis Patterns (Part 243)

Sunday, February 18th, 2024

Trace Variance is the measure of variability of traces and logs in different environments. This trace and log analysis pattern metaphor is borrowed from variance in machine learning like Trace Bias. Here, different environments or the same environment at different times are considered as input data.

Other analysis patterns can be used to investigate Trace Variance such as Bifurcation Point, Trace String, and Polytrace.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Machine Learning, Software Trace Analysis, Trace Analysis Patterns | Comments Off

Trace Analysis Patterns (Part 242)

Sunday, February 18th, 2024

Trace Bias is the measure of how faithfully traces and logs as a models of computation reflect the actual computation. The term bias has many meanings. This trace and log analysis pattern metaphor is borrowed from model bias in machine learning and statistics. Traces, and therefore, their biases range from Empty Traces to Sparse Traces to traces from Time Travel Debugging tools. How we do tracing, for example, via Declarative Traces or Moduli Traces, have direct impact on Trace Bias.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Log Analysis, Machine Learning, Software Trace Analysis, Trace Analysis Patterns | Comments Off

Crash Dump Analysis Patterns (Part 287)

Sunday, February 11th, 2024

Sometimes, when looking at Stack Traces or disassembly of the currently executing code we may see that continued execution would possibly (and sometimes definitely) generate an exception later on, like these sequences of recursive calls from sequential memory snapshots having the same Constant Subtrace may result in Stack Overflow:

0:000> kL
# ChildEBP RetAddr
00 00efeb60 771706c9 ntdll!NtDelayExecution+0xc
01 00efeb84 75fcd18f ntdll!RtlDelayExecution+0xe9
02 00efebec 75fcd12f KERNELBASE!SleepEx+0x4f
03 00efebfc 0014138e KERNELBASE!Sleep+0xf
04 00efec08 00141338 AppD9!ConnectDB+0xe
05 00efec10 0014121a AppD9!StartModeling+0x8
06 00efec70 75d32e53 AppD9!WndProc+0x7a
07 00efec9c 75d23c26 USER32!_InternalCallWinProc+0x2b
08 00efed94 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
09 00efee10 75d598f8 USER32!DispatchMessageWorker+0x4a5
0a 00efee58 75d59db3 USER32!DialogBox2+0x143
0b 00efee88 75d7ac60 USER32!InternalDialogBox+0xf3
0c 00efef54 75d799f6 USER32!SoftModalMessageBox+0x6f0
0d 00eff0b0 75d7a4f7 USER32!MessageBoxWorker+0x2fd
0e 00eff138 75d7a565 USER32!MessageBoxTimeoutW+0x187
0f 00eff158 00141371 USER32!MessageBoxW+0x45
10 00eff170 0014121a AppD9!StartModeling+0×41
11 00eff1d0 75d32e53 AppD9!WndProc+0×7a
12 00eff1fc 75d23c26 USER32!_InternalCallWinProc+0×2b
13 00eff2f4 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
14 00eff370 75d598f8 USER32!DispatchMessageWorker+0×4a5
15 00eff3b8 75d59db3 USER32!DialogBox2+0×143
16 00eff3e8 75d7ac60 USER32!InternalDialogBox+0xf3
17 00eff4b4 75d799f6 USER32!SoftModalMessageBox+0×6f0
18 00eff610 75d7a4f7 USER32!MessageBoxWorker+0×2fd
19 00eff698 75d7a565 USER32!MessageBoxTimeoutW+0×187
1a 00eff6b8 00141371 USER32!MessageBoxW+0×45
1b 00eff6d0 0014121a AppD9!StartModeling+0×41
1c 00eff730 75d32e53 AppD9!WndProc+0×7a
1d 00eff75c 75d23c26 USER32!_InternalCallWinProc+0×2b
1e 00eff854 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
1f 00eff8d0 75d598f8 USER32!DispatchMessageWorker+0×4a5
20 00eff918 75d59db3 USER32!DialogBox2+0×143
21 00eff948 75d7ac60 USER32!InternalDialogBox+0xf3
22 00effa14 75d799f6 USER32!SoftModalMessageBox+0×6f0
23 00effb70 75d7a4f7 USER32!MessageBoxWorker+0×2fd
24 00effbf8 75d7a565 USER32!MessageBoxTimeoutW+0×187
25 00effc18 00141371 USER32!MessageBoxW+0×45
26 00effc30 0014121a AppD9!StartModeling+0×41
27 00effc90 75d32e53 AppD9!WndProc+0×7a
28 00effcbc 75d23c26 USER32!_InternalCallWinProc+0×2b
29 00effdb4 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
2a 00effe30 75d22030 USER32!DispatchMessageWorker+0×4a5
2b 00effe3c 0014109d USER32!DispatchMessageW+0×10
2c 00effe68 0014155d AppD9!wWinMain+0×9d
2d (Inline) ——– AppD9!invoke_main+0×1a
2e 00effeb4 769a7ba9 AppD9!__scrt_common_main_seh+0xf8
2f 00effec4 7714bd2b KERNEL32!BaseThreadInitThunk+0×19
30 00efff1c 7714bcaf ntdll!__RtlUserThreadStart+0×2b
31 00efff2c 00000000 ntdll!_RtlUserThreadStart+0×1b

0:000> kL
# ChildEBP RetAddr
00 00efd5e0 771706c9 ntdll!NtDelayExecution+0xc
01 00efd604 75fcd18f ntdll!RtlDelayExecution+0xe9
02 00efd66c 75fcd12f KERNELBASE!SleepEx+0x4f
03 00efd67c 0014138e KERNELBASE!Sleep+0xf
04 00efd688 00141338 AppD9!ConnectDB+0xe
05 00efd690 0014121a AppD9!StartModeling+0x8
06 00efd6f0 75d32e53 AppD9!WndProc+0x7a
07 00efd71c 75d23c26 USER32!_InternalCallWinProc+0x2b
08 00efd814 75d224e5 USER32!UserCallWinProcCheckWow+0x4c6
09 00efd890 75d598f8 USER32!DispatchMessageWorker+0x4a5
0a 00efd8d8 75d59db3 USER32!DialogBox2+0x143
0b 00efd908 75d7ac60 USER32!InternalDialogBox+0xf3
0c 00efd9d4 75d799f6 USER32!SoftModalMessageBox+0x6f0
0d 00efdb30 75d7a4f7 USER32!MessageBoxWorker+0x2fd
0e 00efdbb8 75d7a565 USER32!MessageBoxTimeoutW+0x187
0f 00efdbd8 00141371 USER32!MessageBoxW+0x45
10 00efdbf0 0014121a AppD9!StartModeling+0×41
11 00efdc50 75d32e53 AppD9!WndProc+0×7a
12 00efdc7c 75d23c26 USER32!_InternalCallWinProc+0×2b
13 00efdd74 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
14 00efddf0 75d598f8 USER32!DispatchMessageWorker+0×4a5
15 00efde38 75d59db3 USER32!DialogBox2+0×143
16 00efde68 75d7ac60 USER32!InternalDialogBox+0xf3
17 00efdf34 75d799f6 USER32!SoftModalMessageBox+0×6f0
18 00efe090 75d7a4f7 USER32!MessageBoxWorker+0×2fd
19 00efe118 75d7a565 USER32!MessageBoxTimeoutW+0×187
1a 00efe138 00141371 USER32!MessageBoxW+0×45
1b 00efe150 0014121a AppD9!StartModeling+0×41
1c 00efe1b0 75d32e53 AppD9!WndProc+0×7a
1d 00efe1dc 75d23c26 USER32!_InternalCallWinProc+0×2b
1e 00efe2d4 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
1f 00efe350 75d598f8 USER32!DispatchMessageWorker+0×4a5
20 00efe398 75d59db3 USER32!DialogBox2+0×143
21 00efe3c8 75d7ac60 USER32!InternalDialogBox+0xf3
22 00efe494 75d799f6 USER32!SoftModalMessageBox+0×6f0
23 00efe5f0 75d7a4f7 USER32!MessageBoxWorker+0×2fd
24 00efe678 75d7a565 USER32!MessageBoxTimeoutW+0×187
25 00efe698 00141371 USER32!MessageBoxW+0×45
26 00efe6b0 0014121a AppD9!StartModeling+0×41
27 00efe710 75d32e53 AppD9!WndProc+0×7a
28 00efe73c 75d23c26 USER32!_InternalCallWinProc+0×2b
29 00efe834 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
2a 00efe8b0 75d598f8 USER32!DispatchMessageWorker+0×4a5
2b 00efe8f8 75d59db3 USER32!DialogBox2+0×143
2c 00efe928 75d7ac60 USER32!InternalDialogBox+0xf3
2d 00efe9f4 75d799f6 USER32!SoftModalMessageBox+0×6f0
2e 00efeb50 75d7a4f7 USER32!MessageBoxWorker+0×2fd
2f 00efebd8 75d7a565 USER32!MessageBoxTimeoutW+0×187
30 00efebf8 00141371 USER32!MessageBoxW+0×45
31 00efec10 0014121a AppD9!StartModeling+0×41
32 00efec70 75d32e53 AppD9!WndProc+0×7a
33 00efec9c 75d23c26 USER32!_InternalCallWinProc+0×2b
34 00efed94 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
35 00efee10 75d598f8 USER32!DispatchMessageWorker+0×4a5
36 00efee58 75d59db3 USER32!DialogBox2+0×143
37 00efee88 75d7ac60 USER32!InternalDialogBox+0xf3
38 00efef54 75d799f6 USER32!SoftModalMessageBox+0×6f0
39 00eff0b0 75d7a4f7 USER32!MessageBoxWorker+0×2fd
3a 00eff138 75d7a565 USER32!MessageBoxTimeoutW+0×187
3b 00eff158 00141371 USER32!MessageBoxW+0×45
3c 00eff170 0014121a AppD9!StartModeling+0×41
3d 00eff1d0 75d32e53 AppD9!WndProc+0×7a
3e 00eff1fc 75d23c26 USER32!_InternalCallWinProc+0×2b
3f 00eff2f4 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
40 00eff370 75d598f8 USER32!DispatchMessageWorker+0×4a5
41 00eff3b8 75d59db3 USER32!DialogBox2+0×143
42 00eff3e8 75d7ac60 USER32!InternalDialogBox+0xf3
43 00eff4b4 75d799f6 USER32!SoftModalMessageBox+0×6f0
44 00eff610 75d7a4f7 USER32!MessageBoxWorker+0×2fd
45 00eff698 75d7a565 USER32!MessageBoxTimeoutW+0×187
46 00eff6b8 00141371 USER32!MessageBoxW+0×45
47 00eff6d0 0014121a AppD9!StartModeling+0×41
48 00eff730 75d32e53 AppD9!WndProc+0×7a
49 00eff75c 75d23c26 USER32!_InternalCallWinProc+0×2b
4a 00eff854 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
4b 00eff8d0 75d598f8 USER32!DispatchMessageWorker+0×4a5
4c 00eff918 75d59db3 USER32!DialogBox2+0×143
4d 00eff948 75d7ac60 USER32!InternalDialogBox+0xf3
4e 00effa14 75d799f6 USER32!SoftModalMessageBox+0×6f0
4f 00effb70 75d7a4f7 USER32!MessageBoxWorker+0×2fd
50 00effbf8 75d7a565 USER32!MessageBoxTimeoutW+0×187
51 00effc18 00141371 USER32!MessageBoxW+0×45
52 00effc30 0014121a AppD9!StartModeling+0×41
53 00effc90 75d32e53 AppD9!WndProc+0×7a
54 00effcbc 75d23c26 USER32!_InternalCallWinProc+0×2b
55 00effdb4 75d224e5 USER32!UserCallWinProcCheckWow+0×4c6
56 00effe30 75d22030 USER32!DispatchMessageWorker+0×4a5
57 00effe3c 0014109d USER32!DispatchMessageW+0×10
58 00effe68 0014155d AppD9!wWinMain+0×9d
59 (Inline) ——– AppD9!invoke_main+0×1a
5a 00effeb4 769a7ba9 AppD9!__scrt_common_main_seh+0xf8
5b 00effec4 7714bd2b KERNEL32!BaseThreadInitThunk+0×19
5c 00efff1c 7714bcaf ntdll!__RtlUserThreadStart+0×2b
5d 00efff2c 00000000 ntdll!_RtlUserThreadStart+0×1b

We call such analysis pattern Near Exception.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Posted in Crash Dump Analysis, Crash Dump Patterns, Software Prognostics | Comments Off