Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Need help on Corruption on stack

Sumit Member Posts: 11

Hi,

I am seeing a crash in my application. Here is the call stack:
0:000> .ecxr
eax=aa893f00 ebx=150b6f00 ecx=153ec728 edx=153fcec0 esi=153fe330 edi=153ec728
eip=aa893f00 esp=008ff080 ebp=008ff09c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210293
aa893f00 ?? ???
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it
# ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
00 008ff07c 68b18a3a 0xaa893f00
01 008ff09c 68b09c4b TestExe!TestClass::TestFun1+0x5a [d:\test1.cpp @ 666]
02 008ff0d4 68b31a54 TestExe!TestClass::TestFun2+0x11b [d:\test2.cpp @ 3722]

0:000> x TestExe!TestClass::*
68b189e0 TestExe!TestClass::TestFun1( *, void *)
68b19400 TestExe!TestClass::TestFun2(unsigned long, void *, void *)

Here eax=aa893f00 is something different, which is causing the access violation.
So the question is: why is this getting changed, who is modifying the stack, and how do I identify it? If my understanding is correct then Control Flow Guard can help in this case, but it seems that is not available in VS 2008.

Can someone provide input, any help would be appreciated.

Thanks!

Comments

  • Sumit Member Posts: 11

    I have just provided a code snippet for understanding; however, it's a big application.

  • raj_r Member - All Emails Posts: 981
    via Email
    I am not sure I follow your thought process.

    If you have a crash, your first try should probably rely on using !analyze -v.

    If you mean that register eax and eip being the same is the
    reason for the crash, then you are mistaken.

    Two registers can have the same value on many occasions. Here is a simple
    scenario that uses a register call (indirect call).


    Using some random address:
    0:000> ? $exentry
    Evaluate expression: 5057900 = 004d2d6c

    Assembling in place to simulate an indirect call:

    0:000> a
    773305a6 mov eax,4d2d6c
    773305ab jmp eax
    773305ad

    0:000> u . l3
    ntdll!LdrpDoDebuggerBreak+0x2c:
    773305a6 b86c2d4d00 mov eax,offset calc!WinMainCRTStartup (004d2d6c)
    773305ab ffe0 jmp eax
    773305ad c040c38b rol byte ptr [eax-3Dh],8Bh


    0:000> r
    eax=00000000 ebx=00000000 ecx=0023f6a8 edx=772d70f4 esi=fffffffe edi=00000000
    eip=773305a6 esp=0023f6c4 ebp=0023f6f0 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    ntdll!LdrpDoDebuggerBreak+0x2c:
    773305a6 b86c2d4d00 mov eax,offset calc!WinMainCRTStartup (004d2d6c)

    Stepping in:

    0:000> t
    eax=004d2d6c ebx=00000000 ecx=0023f6a8 edx=772d70f4 esi=fffffffe edi=00000000
    eip=773305ab esp=0023f6c4 ebp=0023f6f0 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    ntdll!LdrpDoDebuggerBreak+0x31:
    773305ab ffe0 jmp eax {calc!WinMainCRTStartup (004d2d6c)}
    0:000> t
    eax=004d2d6c ebx=00000000 ecx=0023f6a8 edx=772d70f4 esi=fffffffe edi=00000000
    eip=004d2d6c esp=0023f6c4 ebp=0023f6f0 iopl=0 nv up ei pl zr na pe nc
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
    calc!WinMainCRTStartup:
    004d2d6c e84bfdffff call calc!__security_init_cookie (004d2abc)

    Notice eip and eax are the same here.
  • Sumit Member Posts: 11

    Thanks for your input. However, !analyze -v is just giving the basic info about the access violation.

    0:000> !analyze -v


    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************

    Failed to request MethodData, not in JIT code range
    GetUrlPageData2 (WinHttp) failed: 12002.

    KEY_VALUES_STRING: 1

    STACKHASH_ANALYSIS: 1

    TIMELINE_ANALYSIS: 1

    Timeline: !analyze.Start
    Name:
    Time: 2019-02-03T15:22:33.728Z
    Diff: 0 mSec

    Timeline: Dump.Current
    Name:
    Time: 2018-11-21T06:46:21.0Z
    Diff: 0 mSec

    Timeline: Process.Start
    Name:
    Time: 2018-11-21T06:43:55.0Z
    Diff: 146000 mSec

    Timeline: OS.Boot
    Name:
    Time: 2018-11-21T06:29:24.0Z
    Diff: 1017000 mSec

    DUMP_CLASS: 2

    DUMP_QUALIFIER: 400

    CONTEXT: (.ecxr)
    eax=aa893f00 ebx=150b6f00 ecx=153ec728 edx=153fcec0 esi=153fe330 edi=153ec728
    eip=aa893f00 esp=008ff080 ebp=008ff09c iopl=0 nv up ei ng nz ac po cy
    cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210293
    aa893f00 ?? ???
    Resetting default scope

    FAULTING_IP:
    +0
    aa893f00 ?? ???

    EXCEPTION_RECORD: (.exr -1)
    ExceptionAddress: aa893f00
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000008
    Parameter[1]: aa893f00
    Attempt to execute non-executable address aa893f00

    DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_NOSOS

    FOLLOWUP_IP:
    TestExe!TestClass::TestFun+5a [d:\test1.cpp @ 666]
    68b18a3a 5f pop edi

    EXECUTE_ADDRESS: ffffffffaa893f00

    FAILED_INSTRUCTION_ADDRESS:
    +0
    aa893f00 ?? ???

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

    EXCEPTION_CODE_STR: c0000005

    EXCEPTION_PARAMETER1: 00000008

    EXCEPTION_PARAMETER2: aa893f00

    WATSON_BKT_PROCSTAMP: 5b200407

    WATSON_BKT_PROCVER:
    PROCESS_VER_PRODUCT:

    WATSON_BKT_MODULE: unknown

    WATSON_BKT_MODVER: 0.0.0.0

    WATSON_BKT_MODOFFSET: aa893f00

    WATSON_BKT_MODSTAMP: bbbbbbb4

    BUILD_VERSION_STRING: 16299.637.x86fre.rs3_release_svc.180808-1748

    MODLIST_WITH_TSCHKSUM_HASH: 4fa44ef499a598dd3049e7ec1bdff9993cd7e8e5

    MODLIST_SHA1_HASH: 35536f12d4499a01b162b44e9f48f11557abf195

    NTGLOBALFLAG: 0

    PROCESS_BAM_CURRENT_THROTTLED: 0

    PROCESS_BAM_PREVIOUS_THROTTLED: 0

    APPLICATION_VERIFIER_FLAGS: 0

    PRODUCT_TYPE: 1

    SUITE_MASK: 272

    DUMP_FLAGS: c07

    DUMP_TYPE: 3

    PROCESS_NAME: unknown

    MISSING_CLR_SYMBOL: 0

    ANALYSIS_SESSION_HOST:

    ANALYSIS_SESSION_TIME: 02-03-2019 20:52:33.0728

    ANALYSIS_VERSION: 10.0.17763.132 x86fre

    MANAGED_CODE: 1

    MANAGED_ENGINE_MODULE: clr

    MANAGED_ANALYSIS_PROVIDER: SOS

    THREAD_ATTRIBUTES:
    OS_LOCALE: JPN

    ADDITIONAL_DEBUG_TEXT: SOS.DLL is not loaded for managed code. Analysis might be incomplete

    BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_POINTER_INVALID_POINTER_EXECUTE_NOSOS

    PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT

    PROBLEM_CLASSES:

    ID:     [0n313]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x1c44]
    Frame:  [0] : unknown!unknown
    
    ID:     [0n287]
    Type:   [INVALID_POINTER_EXECUTE]
    Class:  Primary
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x1c44]
    Frame:  [0] : unknown!unknown
    
    ID:     [0n295]
    Type:   [SOFTWARE_NX_FAULT]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x1d2c]
    TID:    [0x1c44]
    Frame:  [0] : unknown!unknown
    
    ID:     [0n293]
    Type:   [INVALID_POINTER]
    Class:  Primary
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x1d2c]
    TID:    [0x1c44]
    Frame:  [0] : unknown!unknown
    
    ID:     [0n251]
    Type:   [NOSOS]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]
    

    IP_ON_HEAP: aa893f00
    The fault address in not in any loaded module, please check your build's rebase
    log at \bin\build_logs\timebuild\ntrebase.log for module which may
    contain the address if it were loaded.

    LAST_CONTROL_TRANSFER: from 68b18a3a to aa893f00

    STACK_TEXT:
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    008ff07c 68b18a3a 00000006 153fe330 00000000 0xaa893f00
    008ff09c 68b09c4b 68cf0960 68ed04f0 d34f3ed9 TestExe!TestClass::TestFun1+0x5a
    008ff0d4 68b31a54 00000002 68cf0960 68ed04f0 TestExe!TestClass::TestFun2+0x11b

    Here it says IP_ON_HEAP aa893f00; does that mean it is causing some heap corruption? But in my opinion this should be the function address pointing to the next function. The address 153fe330 is on the heap, which I have checked and is fine.
    Please have a look, and provide more insight on this if you could. Thanks!!!

  • raj_r Member - All Emails Posts: 981
    via Email
    1) WinDbg seems to look for the SOS extension. Is this a managed-language
    application?
    2) The eip 0xaaxxxxxx cannot be a user-mode address under normal
    circumstances.

    Check the TestFun class for buffer overflows.


    Or try ub (unassemble back) on the return address on the stack to see
    the disassembly prior to the last control transfer.
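The two replies above make one point between them: eip == eax means the crashing instruction was an indirect call or jump through eax, and the interesting question is who overwrote the slot eax was loaded from. The following is an added example, not code from the thread or from the poster's application: a frame with a fixed-size local buffer directly below a function-pointer slot, an unchecked copy that runs past the buffer into the slot, and the hardened version beside it. frame_t, handler_t, dispatch_unsafe, dispatch_checked, build_overflow and run_demo are all hypothetical names; the overflow input is constructed inline. The corrupted pointer is reported rather than called, since calling 0xAA...AA would fault exactly like the dump above.

```c
/* Added example (not from the original thread): how an unchecked copy into a
 * stack buffer overwrites an adjacent function pointer, so that the later
 * "mov eax,[slot] / call eax" lands on garbage (eip == eax == unmapped address).
 * All type and function names here are hypothetical. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

typedef int (*handler_t)(int);

static int real_handler(int x) { return x + 1; }

/* Frame layout: scratch buffer at the lowest address, callback slot above it
 * (buf is at offset 0; on_done follows it, as locals often do on x86). */
typedef struct {
    char      buf[BUF_SIZE];
    handler_t on_done;
} frame_t;

/* Every byte 0xAA: stands in for an unmapped address like 0xaa893f00 and has
 * the same value whatever the pointer size or endianness. */
static uintptr_t garbage_pattern(void)
{
    uintptr_t v;
    memset(&v, 0xAA, sizeof v);
    return v;
}

/* Vulnerable: trusts the caller's length. Returns the value the frame would
 * load into a register for its indirect call instead of calling through it.
 * The copy goes through a char pointer to the whole frame so the write stays
 * inside one C object even when it runs past buf. */
static uintptr_t dispatch_unsafe(const unsigned char *in, size_t len)
{
    frame_t f;
    f.on_done = real_handler;
    memcpy((unsigned char *)&f + offsetof(frame_t, buf), in, len); /* no bound */
    return (uintptr_t)f.on_done;
}

/* Hardened: refuse input that does not fit, so on_done can never be touched. */
static int dispatch_checked(const unsigned char *in, size_t len, int *out)
{
    frame_t f;
    f.on_done = real_handler;
    if (len > sizeof f.buf)
        return -1;
    memcpy(f.buf, in, len);
    *out = f.on_done(41);
    return 0;
}

/* Constructed input: filler up to the pointer slot, then 0xAA over the slot. */
static size_t build_overflow(unsigned char *dst, size_t cap)
{
    size_t to_slot = offsetof(frame_t, on_done);
    size_t n = to_slot + sizeof(handler_t);
    if (n > cap)
        return 0;
    memset(dst, 'A', to_slot);
    memset(dst + to_slot, 0xAA, sizeof(handler_t));
    return n;
}

typedef struct {
    uintptr_t target_after_overflow; /* what eax would hold at the call */
    uintptr_t target_when_fits;      /* same frame, in-bounds input */
    int       checked_rc;            /* hardened path, overlong input */
    int       checked_result;        /* hardened path, in-bounds input */
} demo_result_t;

static demo_result_t run_demo(void)
{
    demo_result_t r = {0, 0, 0, 0};
    unsigned char payload[64];
    size_t n = build_overflow(payload, sizeof payload);
    int out = 0;

    r.target_after_overflow = dispatch_unsafe(payload, n);
    r.target_when_fits      = dispatch_unsafe(payload, BUF_SIZE);
    r.checked_rc            = dispatch_checked(payload, n, &out);
    if (dispatch_checked(payload, BUF_SIZE, &out) == 0)
        r.checked_result = out;
    return r;
}

int main(void)
{
    demo_result_t r = run_demo();
    printf("indirect-call target after overflow: 0x%" PRIxPTR " (%s)\n",
           r.target_after_overflow,
           r.target_after_overflow == garbage_pattern() ? "garbage" : "intact");
    printf("indirect-call target with in-bounds input: 0x%" PRIxPTR "\n",
           r.target_when_fits);
    printf("hardened dispatch on overlong input: %s\n",
           r.checked_rc == -1 ? "rejected" : "called");
    printf("hardened dispatch on in-bounds input: %d\n", r.checked_result);
    return 0;
}
```

Mapping this back to the dump: after .ecxr, ub 68b18a3a shows the instruction in TestFun1 that loaded eax just before the call, and with it the stack slot or heap field eax came from; if the bug reproduces under a live debugger, a hardware write breakpoint on that slot (ba w4 on its address) stops on whichever copy overran it, which answers "who is modifying the stack" without Control Flow Guard.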