Need help on Corruption on stack

Hi,

I am seeing a crash in my application. Here is the call stack:
0:000> .ecxr
eax=aa893f00 ebx=150b6f00 ecx=153ec728 edx=153fcec0 esi=153fe330 edi=153ec728
eip=aa893f00 esp=008ff080 ebp=008ff09c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210293
aa893f00 ?? ???
0:000> k
*** Stack trace for last set context - .thread/.cxr resets it

ChildEBP RetAddr

WARNING: Frame IP not in any known module. Following frames may be wrong.
00 008ff07c 68b18a3a 0xaa893f00
01 008ff09c 68b09c4b TestExe!TestClass::TestFun1+0x5a [d:\test1.cpp @ 666]
02 008ff0d4 68b31a54 TestExe!TestClass::TestFun2+0x11b [d:\test2.cpp @ 3722]

0:000> x TestExe!TestClass::*
68b189e0 TestExe!TestClass::TestFun1( *, void *)
68b19400 TestExe!TestClass::TestFun2(unsigned long, void *, void *)

Here it means that eax=aa893f00 is something different, which is causing the access violation.
So the question is: why is this getting changed, who is modifying the stack, and how do I identify it? If my understanding is correct, then Control Flow Guard can help in this case, but it seems that is not available in VS 2008.

Can someone provide input, any help would be appreciated.

Thanks!

I have just provided a code snippet for understanding; however, it's a big application.

I am not sure I follow your thought process.

If you have a crash, your first try should probably rely on using !analyze -v.

If you mean that register eax as well as eip are both the same and that is the
reason for the crash, then you are mistaken.

Two registers can have the same values on many occasions. Here is a simple
scenario that uses a register call (indirect calls).

using some random address
0:000> ? $exentry
Evaluate expression: 5057900 = 004d2d6c

assembling in place to simulate an indirect call

0:000> a
773305a6 mov eax,4d2d6c
mov eax,4d2d6c
773305ab jmp eax
jmp eax
773305ad

0:000> u . l3
ntdll!LdrpDoDebuggerBreak+0x2c:
773305a6 b86c2d4d00 mov eax,offset calc!WinMainCRTStartup (004d2d6c)
773305ab ffe0 jmp eax
773305ad c040c38b rol byte ptr [eax-3Dh],8Bh

0:000> r
eax=00000000 ebx=00000000 ecx=0023f6a8 edx=772d70f4 esi=fffffffe edi=00000000
eip=773305a6 esp=0023f6c4 ebp=0023f6f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x2c:
773305a6 b86c2d4d00 mov eax,offset calc!WinMainCRTStartup (004d2d6c)

stepping in

0:000> t
eax=004d2d6c ebx=00000000 ecx=0023f6a8 edx=772d70f4 esi=fffffffe edi=00000000
eip=773305ab esp=0023f6c4 ebp=0023f6f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!LdrpDoDebuggerBreak+0x31:
773305ab ffe0 jmp eax {calc!WinMainCRTStartup (004d2d6c)}
0:000> t
eax=004d2d6c ebx=00000000 ecx=0023f6a8 edx=772d70f4 esi=fffffffe edi=00000000
eip=004d2d6c esp=0023f6c4 ebp=0023f6f0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
calc!WinMainCRTStartup:
004d2d6c e84bfdffff call calc!__security_init_cookie (004d2abc)

notice eip and eax are the same here

Thanks for your input. However, !analyze -v is just giving the basic info of the access violation.

0:000> !analyze -v


*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

Failed to request MethodData, not in JIT code range
GetUrlPageData2 (WinHttp) failed: 12002.

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

Timeline: !analyze.Start
Name:
Time: 2019-02-03T15:22:33.728Z
Diff: 0 mSec

Timeline: Dump.Current
Name:
Time: 2018-11-21T06:46:21.0Z
Diff: 0 mSec

Timeline: Process.Start
Name:
Time: 2018-11-21T06:43:55.0Z
Diff: 146000 mSec

Timeline: OS.Boot
Name:
Time: 2018-11-21T06:29:24.0Z
Diff: 1017000 mSec

DUMP_CLASS: 2

DUMP_QUALIFIER: 400

CONTEXT: (.ecxr)
eax=aa893f00 ebx=150b6f00 ecx=153ec728 edx=153fcec0 esi=153fe330 edi=153ec728
eip=aa893f00 esp=008ff080 ebp=008ff09c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210293
aa893f00 ?? ???
Resetting default scope

FAULTING_IP:
+0
aa893f00 ?? ???

EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: aa893f00
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: aa893f00
Attempt to execute non-executable address aa893f00

DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_NOSOS

FOLLOWUP_IP:
TestExe!TestClass::TestFun+5a [d:\test1.cpp @ 666]
68b18a3a 5f pop edi

EXECUTE_ADDRESS: ffffffffaa893f00

FAILED_INSTRUCTION_ADDRESS:
+0
aa893f00 ?? ???

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 00000008

EXCEPTION_PARAMETER2: aa893f00

WATSON_BKT_PROCSTAMP: 5b200407

WATSON_BKT_PROCVER:
PROCESS_VER_PRODUCT:

WATSON_BKT_MODULE: unknown

WATSON_BKT_MODVER: 0.0.0.0

WATSON_BKT_MODOFFSET: aa893f00

WATSON_BKT_MODSTAMP: bbbbbbb4

BUILD_VERSION_STRING: 16299.637.x86fre.rs3_release_svc.180808-1748

MODLIST_WITH_TSCHKSUM_HASH: 4fa44ef499a598dd3049e7ec1bdff9993cd7e8e5

MODLIST_SHA1_HASH: 35536f12d4499a01b162b44e9f48f11557abf195

NTGLOBALFLAG: 0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS: 0

PRODUCT_TYPE: 1

SUITE_MASK: 272

DUMP_FLAGS: c07

DUMP_TYPE: 3

PROCESS_NAME: unknown

MISSING_CLR_SYMBOL: 0

ANALYSIS_SESSION_HOST:

ANALYSIS_SESSION_TIME: 02-03-2019 20:52:33.0728

ANALYSIS_VERSION: 10.0.17763.132 x86fre

MANAGED_CODE: 1

MANAGED_ENGINE_MODULE: clr

MANAGED_ANALYSIS_PROVIDER: SOS

THREAD_ATTRIBUTES:
OS_LOCALE: JPN

ADDITIONAL_DEBUG_TEXT: SOS.DLL is not loaded for managed code. Analysis might be incomplete

BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_POINTER_INVALID_POINTER_EXECUTE_NOSOS

PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT

PROBLEM_CLASSES:

ID:     [0n313]
Type:   [@ACCESS_VIOLATION]
Class:  Addendum
Scope:  BUCKET_ID
Name:   Omit
Data:   Omit
PID:    [Unspecified]
TID:    [0x1c44]
Frame:  [0] : unknown!unknown

ID:     [0n287]
Type:   [INVALID_POINTER_EXECUTE]
Class:  Primary
Scope:  BUCKET_ID
Name:   Add
Data:   Omit
PID:    [Unspecified]
TID:    [0x1c44]
Frame:  [0] : unknown!unknown

ID:     [0n295]
Type:   [SOFTWARE_NX_FAULT]
Class:  Primary
Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
        BUCKET_ID
Name:   Add
Data:   Omit
PID:    [0x1d2c]
TID:    [0x1c44]
Frame:  [0] : unknown!unknown

ID:     [0n293]
Type:   [INVALID_POINTER]
Class:  Primary
Scope:  BUCKET_ID
Name:   Add
Data:   Omit
PID:    [0x1d2c]
TID:    [0x1c44]
Frame:  [0] : unknown!unknown

ID:     [0n251]
Type:   [NOSOS]
Class:  Addendum
Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
        BUCKET_ID
Name:   Add
Data:   Omit
PID:    [Unspecified]
TID:    [Unspecified]
Frame:  [0]

IP_ON_HEAP: aa893f00
The fault address in not in any loaded module, please check your build’s rebase
log at \bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

LAST_CONTROL_TRANSFER: from 68b18a3a to aa893f00

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
008ff07c 68b18a3a 00000006 153fe330 00000000 0xaa893f00
008ff09c 68b09c4b 68cf0960 68ed04f0 d34f3ed9 TestExe!TestClass::TestFun1+0x5a
008ff0d4 68b31a54 00000002 68cf0960 68ed04f0 TestExe!TestClass::TestFun2+0x11b

Here it says IP_ON_HEAP: aa893f00. Does that mean it is causing some heap corruption? But in my opinion this should be the function address pointing to the next function. The address 153fe330 is on the heap, which I have checked is fine.
Please have a look, if you could provide more insight on this. Thanks!!!

  1. WinDbg seems to look for the SOS extension; is this a managed-language application?
  2. The eip 0xaaxxxxxx cannot be a user-mode address under normal circumstances.

Check the TestFun class for buffer overflows.

Or try ub (unassemble back) on the return address on the stack to see the disassembly prior to the last control transfer.
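As an added example (not code from this thread or from the poster's application): a hypothetical C record in which an unchecked copy into an inline buffer overwrites the adjacent callback pointer, so the next indirect call would land on an address made of input bytes, much like the aa893f00 in eax above. Beside the bounded version that rejects the input, it shows an allow-list check on the target before the indirect call, the idea Control Flow Guard applies, which reports a clobbered pointer instead of faulting. The struct, handler names and allow-list are all assumed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record: an inline name buffer followed by a callback pointer,
 * so an overrun of the buffer lands on the pointer that the next indirect
 * call (call eax / jmp eax) will load. */
struct handler {
    char name[16];
    void (*cb)(void);
};

static int calls;                       /* how often a real handler ran */
static void handler_a(void) { calls++; }
static void handler_b(void) { calls++; }

/* Allow-list of legitimate indirect-call targets: a cut-down version of the
 * check Control Flow Guard performs before every indirect call. */
static void (*const valid_targets[])(void) = { handler_a, handler_b };

/* BUG: copies n bytes into name[] without checking n against its size. Done
 * as a byte loop over the struct's representation so an overrun that stays
 * inside the record is observable rather than undefined. */
static void set_name_unchecked(struct handler *h, const char *src, size_t n) {
    unsigned char *dst = (unsigned char *)h + offsetof(struct handler, name);
    for (size_t i = 0; i < n; i++)
        dst[i] = (unsigned char)src[i];
}

/* Fix: reject input that does not fit, and always NUL-terminate. */
static int set_name_checked(struct handler *h, const char *src, size_t n) {
    if (n >= sizeof h->name)
        return -1;                      /* nothing written; caller sees the error */
    memcpy(h->name, src, n);
    h->name[n] = '\0';
    return 0;
}

/* Returns 1 if h->cb is a known target and was called, 0 if it was refused:
 * a clobbered pointer is reported here instead of becoming an NX fault. */
static int dispatch_guarded(const struct handler *h) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if ((uintptr_t)h->cb == (uintptr_t)valid_targets[i]) {
            valid_targets[i]();
            return 1;
        }
    return 0;
}
```

Feeding set_name_unchecked a constructed input of 'A' bytes exactly sizeof(struct handler) long flips cb to 0x4141... and dispatch_guarded then refuses the call, which is the point at which the original program instead jumped to an unmapped address.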