
Re: windbg digest: October 21, 2017

Osiris_Pedroso Member Posts: 24
Hi Misc.usage,

"kv" is a souped-up "dps @esp" with the space between function addresses
removed by WinDBG looking at FPO information from the PDB.
When FPO info is not available, WinDBG will do the best it can and sometimes it
gets it right.

If memory serves me, MoveSmall is a label within strcpy asm code that will
copy the heading or trailing bytes that are not 8 byte aligned.
The 8 byte aligned ones within the string are copied 8 bytes at a time.

Look at the code being executed and if there are string copies/string moves
being done or even a non-string like an "int arrayOfInts[100] = {0};", it
makes sense that MoveSmall would be there. The compiler uses it to
initialize that array full of zeros.

A lot of times, the problem is that the count of characters to be copied
has been overwritten but strcpy will obey, overwriting lots of stuff, even
crashing the process depending on the target address of the copy (e.g. if
it happens to be a local variable on the stack, your process is toast).

Happy debugging,
Osiris


On Sun, Oct 22, 2017 at 12:00 AM Kernel Debugging Interest List digest <[email protected]> wrote:

> WINDBG Digest for Saturday, October 21, 2017.
>
> 1. Weird looking entry at top of stack
>
> ----------------------------------------------------------------------
>
> Subject: Weird looking entry at top of stack
> From: [email protected]
> Date: Sat, 21 Oct 2017 11:16:48 -0400 (EDT)
> X-Message-Number: 1
>
> I am staring at a crash dump that is running into an access violation
> exception while executing a mov instruction in VCRUNTIME140!MoveSmall
> (which is part of memcpy.asm code.)
>
> My question is MoveSmall doesn't even look like a *function*. It's a jump
> label where control can be transferred if necessary. I am unable to
> reconcile why it shows up on 'kv'. The previous function that supposedly
> transferred control there is not even meant to call anything in
> VCRUNTIME140.
>
> Sorry I am unable to post anything of value here because of proprietary
> reasons. If the question cannot be answered as is, please feel free to let
> me know.

Comments

  • Dilip Member Posts: 10
    Thank you Osiris. MoveSmall seems to be a label in memcpy.asm. Nevertheless I will take a closer look and see if buffer is being overrun somewhere.
  • Tim_Roberts Member - All Emails Posts: 13,627
    "[email protected] windbg"@lists.osr.com wrote:
    > Thank you Osiris. MoveSmall seems to be a label in memcpy.asm. Nevertheless I will take a closer look and see if buffer is being overrun somewhere.

    The source code for the runtime library ships with the product. 
    MoveSmall is a table of function pointers for handlers of moves up to 16
    bytes.  It is not executable code.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • Dilip Member Posts: 10
    Hello Tim -- That MoveSmall is not executable code seems obvious in hindsight :-) I got misled by how the debugger was interpreting the symbol at that address. One other question, when I do this:

    0:000> x VCRUNTIME140!MoveSmall
    0000xxxx`xxxxxxxx VCRUNTIME140!MoveSmall = 0xc4d0

    I am not sure how to interpret that output. What does that 0xc4d0 mean?
  • Tim_Roberts Member - All Emails Posts: 13,627
    "[email protected] windbg"@lists.osr.com wrote:
    > Hello Tim -- That MoveSmall is not executable code seems obvious in hindsight :-) I got misled by how the debugger was interpreting the symbol at that address. One other question, when I do this:
    >
    > 0:000> x VCRUNTIME140!MoveSmall
    > 0000xxxx`xxxxxxxx VCRUNTIME140!MoveSmall = 0xc4d0
    >
    > I am not sure how to interpret that output. What does that 0xc4d0 mean?

    It's just trying to show you the contents of the variable.  Again, you
    can look up this source code in your Visual Studio directory, in
    vc\crt\src\amd64\memcpy.asm.  MoveSmall is a table of offsets to
    routines that handle moves of from 0 to 16 bytes.  The first entry
    happens to be the degenerate case of a 0-byte move, so this says the
    MoveSmall0 function is located 0xC4D0 bytes from the start of the module.

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

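To make Osiris's "kv is a souped-up dps" point and Tim's reading of the 0xc4d0 value concrete, here is an added Python script (not from the thread, and not Microsoft's CRT code) that mimics how the debugger labels an address with the nearest public symbol below it, and then decodes a DWORD offset table the way MoveSmall is described above. The module base, the symbol RVAs, the stack snapshot and every table entry except the first are constructed; the names memcpy, memset and MoveSmall and the value 0xc4d0 come from the thread, and the assumption that the per-size handlers (MoveSmall0, MoveSmall1, ...) are local labels with no public symbol is mine, made so that the mislabeling Dilip saw can be reproduced.

```python
"""Added example: nearest-symbol labeling (what `ln`/`dps`/`kv` display) and
decoding of a DWORD jump table such as VCRUNTIME140!MoveSmall.

All numbers below are constructed for the demonstration except 0xc4d0, the
first table entry shown by `x VCRUNTIME140!MoveSmall` in the thread.
"""
import struct

# Constructed module layout (not real VCRUNTIME140 values): symbol -> RVA.
MODULE_BASE = 0x7FF812340000
PUBLIC_SYMBOLS = {
    "memcpy":    0xC3A0,   # code
    "MoveSmall": 0xC480,   # data: DWORD table of handler RVAs, not code
    "memset":    0xC600,   # code
}
# Assumption for the demo: the per-size handlers are local labels without a
# public symbol, so the closest public symbol below them is the table label.


def nearest_symbol(addr, module_base=MODULE_BASE, symbols=PUBLIC_SYMBOLS,
                   module="VCRUNTIME140"):
    """Label an address as module!symbol+offset using the closest public symbol
    at or below it. This is all the frame display does; nothing here checks
    whether the symbol marks executable code or a data table."""
    rva = addr - module_base
    candidates = [(r, n) for n, r in symbols.items() if rva - r >= 0]
    if not candidates:
        return None                      # outside this module's symbols
    base, name = max(candidates)         # highest RVA not above the address
    off = rva - base
    return f"{module}!{name}" + (f"+0x{off:x}" if off else "")


def dps(stack_qwords, stack_base=0xD8F9AFF8A0):
    """Mimic `dps @rsp`: for each 8-byte slot return (slot address, value,
    label). `kv` is this plus FPO/unwind data, which lets it skip slots that
    merely happen to hold a module address (saved registers, stale data)."""
    return [(stack_base + 8 * i, q, nearest_symbol(q))
            for i, q in enumerate(stack_qwords)]


def decode_move_table(table_bytes, module_base=MODULE_BASE):
    """Decode a little-endian DWORD table of RVAs into absolute handler
    addresses (module_base + entry). Entry 0 is the 0-byte move handler, so
    `x VCRUNTIME140!MoveSmall = 0xc4d0` reads as: MoveSmall0 lives 0xc4d0
    bytes past the module base."""
    count = len(table_bytes) // 4
    rvas = struct.unpack(f"<{count}I", table_bytes)
    return [module_base + rva for rva in rvas]


# Constructed table: first entry is the thread's 0xc4d0; the other 16 entries
# are made up, 0x10 bytes apart.
MOVE_TABLE_BYTES = b"".join(struct.pack("<I", 0xC4D0 + 0x10 * i)
                            for i in range(17))

# Constructed stack snapshot: a genuine return address into memcpy, a saved
# register holding an address inside the table, and a plain byte count.
STACK = [
    MODULE_BASE + 0xC3DC,  # return address -> memcpy+0x3c
    MODULE_BASE + 0xC4A8,  # register value -> labeled MoveSmall+0x28 anyway
    0x10,                  # a count; resolves to nothing
]

if __name__ == "__main__":
    for slot, val, label in dps(STACK):
        print(f"{slot:016x}  {val:016x}  {label or ''}")
    handlers = decode_move_table(MOVE_TABLE_BYTES)
    print(f"MoveSmall[0] -> {handlers[0]:#x} ({nearest_symbol(handlers[0])})")
```

The second stack slot is the case in the thread: a value that points into the table gets the label MoveSmall+0x28 because the resolver only asks "which public symbol is closest below this address", and a crash RIP inside one of the unlabeled handlers is reported the same way. Decoding the table with its first entry 0xc4d0 gives the handler's absolute address, and since that handler has no public symbol in this constructed layout it too resolves to MoveSmall plus an offset rather than to its own name.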
