Wednesday, 21 May 2014

Windows - crash dump implies register value modified between sequential instructions - Stack Overflow


I'm currently analyzing a crash dump from a customer that resulted from a BSOD. I can't provide the crash dump for confidentiality reasons, but I've come to a bit of a dead end.


The crash occurs in the RtlSetBit function within the DDK. Here's the context record:


rax=0000000000000000 rbx=fffff8800282da00 rcx=fffffa8007c10340
rdx=0000000000000000 rsi=0000000000000001 rdi=fffffa8007c102e0
rip=fffff8000168d0b4 rsp=fffff880057478e8 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=fffff88001e5dca0
r11=0000000000000000 r12=0000000000000000 r13=fffffa800812feb0
r14=0000000000000001 r15=fffff88003490af0
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!RtlSetBit+0x4:
fffff800`0168d0b4 0fab10 bts dword ptr [rax],edx ds:002b:00000000`00000000=????????

Here's the assembly for RtlSetBit:


fffff800`0168d0b0 488b4108        mov     rax,qword ptr [rcx+8]
fffff800`0168d0b4 0fab10          bts     dword ptr [rax],edx   << Exception
fffff800`0168d0b7 c3              ret

What's odd is that, as you can see, rax doesn't contain the contents of rcx+8:


2: kd> dq rcx+8
fffffa80`07c10348 fffffa80`07c10338 0000000b`00000014

Instead, rax shows null.


How is this possible? Am I missing something?




The value was probably 0 at the time the mov rax, qword ptr [rcx+8] executed. Before the bts could execute, another thread modified the value in memory. You then crash on the bts, and when you look at memory, you see the updated value, not the original 0.
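A C model of the interleaving this answer describes, added here as an illustration and not part of the original thread. It assumes the x64 RTL_BITMAP layout implied by the dump (SizeOfBitMap at +0, Buffer at +8, hence the read at rcx+8), and shows why the pointer loaded into rax can be NULL while the memory the debugger displays afterwards is not.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed model of RTL_BITMAP on x64: SizeOfBitMap at offset 0 and the
 * Buffer pointer at offset 8, which is what "mov rax,[rcx+8]" loads. */
typedef struct {
    uint32_t  SizeOfBitMap;
    uint32_t *Buffer;
} BITMAP_HDR;
_Static_assert(offsetof(BITMAP_HDR, Buffer) == 8, "Buffer must sit at +8");

/* Semantics of "bts dword ptr [base],edx": the bit index selects a dword
 * relative to base, sets one bit in it and returns the old bit (CF). */
static bool bts32(uint32_t *base, uint32_t bit) {
    uint32_t *dword = base + bit / 32u;
    bool old = (*dword >> (bit % 32u)) & 1u;
    *dword |= 1u << (bit % 32u);
    return old;
}

/* Replays the race: the header is still zero-initialised when thread A
 * loads Buffer (rax == NULL); thread B then stores the real pointer; the
 * bts in thread A dereferences the stale NULL snapshot. *seen_in_memory
 * receives what "dq rcx+8" shows once the dump is taken. Returns true if
 * the bts would have faulted on NULL. */
static bool replay_race(uint32_t *real_buf, uint32_t bits, uint32_t bit,
                        uint32_t **seen_in_memory) {
    BITMAP_HDR hdr = { 0, NULL };         /* not yet initialised */
    uint32_t *rax = hdr.Buffer;           /* thread A: mov rax,[rcx+8] -> 0 */
    hdr.SizeOfBitMap = bits;              /* thread B: initialises the bitmap */
    hdr.Buffer = real_buf;
    *seen_in_memory = hdr.Buffer;         /* debugger now reads a valid pointer */
    if (rax == NULL)
        return true;                      /* thread A: bts [rax] faults here */
    bts32(rax, bit);
    return false;
}

/* Defensive variant: validates the header before touching the buffer.
 * This only narrows the window; the real fix is to serialise the
 * bitmap's initialisation against its first use. */
static bool set_bit_checked(const BITMAP_HDR *hdr, uint32_t bit) {
    if (hdr->Buffer == NULL || bit >= hdr->SizeOfBitMap)
        return false;
    bts32(hdr->Buffer, bit);
    return true;
}
```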




You assume that the instruction before, the mov, is executed. But just because it is in the assembler before it, it does not necessarily mean that it is executed before. A jump straight to the bts could lead to such a misbehaviour.


The reason for this jump could be either wrong code (I don't know if you have handwritten/optimized assembler), or a stack/buffer/array overflow that modified the return address on the stack and made the bts the return address, or other, more obscure bugs.
