In many cases a program crash is actually caused by heap corruption. Once it has been established that the program is crashing because of heap corruption, Debug Page Heap should be enabled so that the corruption can be detected and reported. For more background on the heap itself, see the Heap notes.
1. Enable Debug Page Heap with one of the following methods.
Method 1: pageheap.exe <process name>
Method 2: gflags.exe /i <process name> +hpa
In fact, both commands simply create the corresponding registry keys under Image File Execution Options.
2. After the above setting, attach a debugger such as WinDbg so that a crash dump is written when the problem occurs, for example:
adplus.vbs -crash -p <process name> -o c:\outpath -quiet
3. After the problem has been reproduced, analyze the resulting crash dump.
4. The following is a brief example of analyzing a dump after a heap corruption.
0:025> kpL
ChildEBP RetAddr
2058f230 7c993319 ntdll!DbgBreakPoint(void)
2058f240 7c9a7979 ntdll!RtlpPageHeapStop(unsigned long code = 0xf, char * message = 0x7c9a7c90 "corrupted suffix pattern", unsigned long param1 = 0x4671000, char * description1 = 0x7c9a7c84 "heap handle", unsigned long param2 = <unreadable>, char * description2 = 0x7c9a7c78 "heap block", unsigned long param3 = 0x418, char * description3 = 0x7c9a7c6c "block size", unsigned long param4 = <unreadable>, char * description4 = 0x7c9a7c58 "corruption address")+0x72
2058f2bc 7c9a8b43 ntdll!RtlpDphReportCorruptedBlock(void * heap = 0x04671000, unsigned long context = 4, void * block = 0x78d54690, struct _DPH_VALIDATION_INFORMATION * validationinformation = 0x2058f2e0)+0x1cf
2058f2ec 7c9a8da4 ntdll!RtlpDphNormalHeapFree(struct _DPH_HEAP_ROOT * heap = 0x04671000, void * ntheap = 0x04770000, unsigned long flags = 0x1001002, void * block = 0x78d54690)+0x32
2058f344 7c9abc7b ntdll!RtlpDebugPageHeapFree(void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * address = 0x78d54690)+0x146
2058f3ac 7c98575a ntdll!RtlDebugFreeHeap(void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * baseaddress = 0x78d54690)+0x2c
2058f484 7c96e608 ntdll!RtlFreeHeapSlowly(void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * baseaddress = 0x78d54690)+0x37
2058f568 78134c39 ntdll!RtlFreeHeap(void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * baseaddress = 0x78d54690)+0x11a
2058f5b4 637150f1 msvcr80!free(void * pblock = 0x78d54690)+0xcd
WARNING: Stack unwind information not available. Following frames may be wrong.
2058f600 774fa4a2 mermermodule!DllUnregisterServer+0xf31
2058f624 774e3427 ole32!CStdMarshal::Disconnect(unsigned long dwtype = 1)+0x26c
2058f634 774e33f9 ole32!CStdMarshal::HandlePendingDisconnect(HRESULT hr = 0x00000000)+0x2b
2058f684 774e3294 ole32!CRemoteUnknown::RemReleaseWorker(unsigned short cinterfacerefs = 2, struct tagREMINTERFACEREF * interfacerefs = 0x001abbe0, int ftoplevel = 1)+0x1bd
2058f698 77c50193 ole32!CRemoteUnknown::RemRelease(unsigned short cinterfacerefs = 2, struct tagREMINTERFACEREF * interfacerefs = 0x001abbe0)+0x15
2058f6b8 77cb33e1 rpcrt4!Invoke(void)+0x30
2058fab8 77cb2ed5 rpcrt4!NdrStubCall2(struct IRpcStubBuffer * pthis = <unreadable>, struct IRpcChannelBuffer * pchannel = <unreadable>, struct _RPC_MESSAGE * prpcmsg = <unreadable>, unsigned long * pdwstubphase = 0x2058faf4)+0x299
2058fb10 775cd01b rpcrt4!CStdStubBuffer_Invoke(struct IRpcStubBuffer * This = 0x1ff70fe0, struct tagRPCOLEMESSAGE * prpcmsg = 0x74d5dc38, struct IRpcChannelBuffer * prpcchannelbuffer = 0x066bee5c)+0xc6
2058fb54 775ccfc8 ole32!SyncStubInvoke(struct tagRPCOLEMESSAGE * pmsg = <unreadable>, struct _GUID * riid = <unreadable>, class CIDObject * pid = 0x00000000, struct IRpcChannelBuffer * pchnl = <unreadable>, struct IRpcStubBuffer * pstub = <unreadable>, unsigned long * pdwfault = 0x2058fcfc)+0x37
2058fb9c 7750120b ole32!StubInvoke(struct tagRPCOLEMESSAGE * pmsg = <unreadable>, class CStdIdentity * pstdid = <unreadable>, struct IRpcStubBuffer * pstub = <unreadable>, struct IRpcChannelBuffer * pchnl = <unreadable>, struct tagIPIDEntry * pipidentry = 0x80004021, unsigned long * pdwfault = 0x2058fcfc)+0xa7
2058fc78 77500bf5 ole32!CCtxComCall::ContextInvoke(struct tagRPCOLEMESSAGE * pmessage = 0x00000000, struct IRpcStubBuffer * pstub = <unreadable>, struct tagIPIDEntry * pipidentry = <unreadable>, unsigned long * pdwfault = <unreadable>)+0xec
0:025> dt _DPH_VALIDATION_INFORMATION 0x2058f2e0
   +0x000 ReasonCode         : 0x10
   +0x004 ExceptionCode      : 0x4675000
   +0x008 CorruptionLocation : 0x78d54aa8
(CorruptionLocation is the address the program wrote to. With Debug Page Heap enabled, the fence value is expected to be stored at this address.)
Note: with Debug Page Heap enabled, every block starts with a _DPH_BLOCK_INFORMATION header, and the user data area is placed immediately after it. sizeof(_DPH_BLOCK_INFORMATION) is 0x20, and the structure is as follows:
0:025> dt _DPH_BLOCK_INFORMATION
ntdll!_DPH_BLOCK_INFORMATION
   +0x000 StartStamp       : Uint4B
   +0x004 Heap             : Ptr32 Void
   +0x008 RequestedSize    : Uint4B
   +0x00c ActualSize       : Uint4B
   +0x010 FreeQueue        : _LIST_ENTRY
   +0x010 FreePushList     : _SINGLE_LIST_ENTRY
   +0x010 TraceIndex       : Uint2B
   +0x018 StackTrace       : Ptr32 Void
   +0x01c EndStamp         : Uint4B
Therefore, subtracting sizeof(_DPH_BLOCK_INFORMATION) from the block address gives the address of the block's _DPH_BLOCK_INFORMATION header.
0:025> dt 0x78d54690-0x20 _DPH_BLOCK_INFORMATION
ntdll!_DPH_BLOCK_INFORMATION
   +0x000 StartStamp       : 0xabcdaaaa
   +0x004 Heap             : 0x84671000
   +0x008 RequestedSize    : 0x418
   +0x00c ActualSize       : 0x440
   +0x010 FreeQueue        : _LIST_ENTRY [ 0x0 - 0x0 ]
   +0x010 FreePushList     : _SINGLE_LIST_ENTRY
   +0x010 TraceIndex       : 0
   +0x018 StackTrace       : (null)
   +0x01c EndStamp         : 0xdcbaaaaa
Next, check whether the fence value written after the user data area is still intact.
0:025> dd 0x78d54690+0x418 L4
78d54aa8  00000000 a0a0a0a0 00000000 00000000
As you can see, the fence value, which should be a0a0a0a0, has been overwritten. This confirms that heap corruption occurred.
0:025> ? 0x78d54690+0x418
Evaluate expression: 2027244200 = 78d54aa8
In fact, the address reported for the access violation is exactly this fence address, right after the data area the user requested.
OK, now we know that the heap was corrupted; next we need to find out how it was corrupted.
For that we need the symbol files of the modules involved in the call stack, so that we can locate the function that causes the heap corruption.
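To make the header-and-fence arithmetic above concrete, here is an added example (not code from the original post or from Windows) that models on the host what Debug Page Heap checks on free(): it walks back sizeof(_DPH_BLOCK_INFORMATION) from the user pointer, validates the start and end stamps, computes the suffix length from ActualSize and RequestedSize, and scans the suffix for the a0 fence pattern. The struct layout is copied from the dt output on the page (0x20 bytes, 32-bit pointers); the stamp and fill constants are the values visible in the page's dump, but the macro names, the helper functions and the constructed block (0x418 requested, 0x440 actual, four bytes zeroed past the request) are this example's own assumptions, not ntdll symbols.

```c
/*
 * Added example (not from the original post): host-side model of the check
 * page heap performs on free(), i.e. what the page does by hand with
 * `dt 0x78d54690-0x20 _DPH_BLOCK_INFORMATION` and `dd 0x78d54690+0x418 L4`.
 * Macro names below are this example's own, not ntdll symbols.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DPH_START_STAMP_ALLOCATED 0xABCDAAAAu /* StartStamp seen on the page */
#define DPH_END_STAMP_ALLOCATED   0xDCBAAAAAu /* EndStamp seen on the page */
#define DPH_SUFFIX_FILL           0xA0u       /* "a0a0a0a0" fence pattern */

/* Layout taken from the page's `dt _DPH_BLOCK_INFORMATION` output. */
typedef struct dph_block_information {
    uint32_t StartStamp;     /* +0x000 */
    uint32_t Heap;           /* +0x004 Ptr32 Void, modelled as 32-bit */
    uint32_t RequestedSize;  /* +0x008 bytes the caller asked for */
    uint32_t ActualSize;     /* +0x00c header + user data + suffix */
    uint8_t  Union0x10[8];   /* +0x010 FreeQueue / FreePushList / TraceIndex */
    uint32_t StackTrace;     /* +0x018 Ptr32 Void */
    uint32_t EndStamp;       /* +0x01c */
} dph_block_information;     /* sizeof == 0x20, as the page states */

typedef enum {
    DPH_OK = 0,
    DPH_BAD_START_STAMP,
    DPH_BAD_END_STAMP,
    DPH_BAD_SIZES,
    DPH_CORRUPTED_SUFFIX
} dph_status;

/* Validate the block whose user pointer is `user` (the pointer handed to
 * free()). On DPH_CORRUPTED_SUFFIX, *corrupt_off receives the offset from
 * `user` of the first damaged byte: the page's "corruption address" minus
 * the block address. */
dph_status check_dph_block(const uint8_t *user, size_t *corrupt_off)
{
    dph_block_information hdr;
    /* The header sits immediately below the user area: block - 0x20. */
    memcpy(&hdr, user - sizeof hdr, sizeof hdr);

    if (hdr.StartStamp != DPH_START_STAMP_ALLOCATED) return DPH_BAD_START_STAMP;
    if (hdr.EndStamp != DPH_END_STAMP_ALLOCATED)     return DPH_BAD_END_STAMP;
    if (hdr.ActualSize < sizeof hdr + hdr.RequestedSize) return DPH_BAD_SIZES;

    /* On the page: 0x440 - 0x20 - 0x418 = 8 suffix bytes. */
    size_t suffix_len = hdr.ActualSize - sizeof hdr - hdr.RequestedSize;
    const uint8_t *suffix = user + hdr.RequestedSize;  /* block + RequestedSize */
    for (size_t i = 0; i < suffix_len; i++) {
        if (suffix[i] != DPH_SUFFIX_FILL) {
            if (corrupt_off) *corrupt_off = hdr.RequestedSize + i;
            return DPH_CORRUPTED_SUFFIX;
        }
    }
    return DPH_OK;
}

/* Lay out a constructed block in `storage` (must hold `actual` bytes) the
 * way page heap would: header, zeroed user area, 0xA0 suffix. Returns the
 * user pointer, i.e. what the application sees. */
uint8_t *build_block(uint8_t *storage, uint32_t requested, uint32_t actual)
{
    dph_block_information hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.StartStamp    = DPH_START_STAMP_ALLOCATED;
    hdr.Heap          = 0x04671000u;  /* heap handle from the page's stack */
    hdr.RequestedSize = requested;
    hdr.ActualSize    = actual;
    hdr.EndStamp      = DPH_END_STAMP_ALLOCATED;
    memcpy(storage, &hdr, sizeof hdr);
    memset(storage + sizeof hdr, 0, requested);
    memset(storage + sizeof hdr + requested, DPH_SUFFIX_FILL,
           actual - sizeof hdr - requested);
    return storage + sizeof hdr;
}

/* Constructed reproduction of the page's situation: 0x418 requested, 0x440
 * actual, and a 4-byte overrun that zeroes the first suffix dword, giving
 * the "00000000 a0a0a0a0" pattern the page's dd command shows. */
static uint8_t *constructed_page_block(void)
{
    static uint8_t storage[0x440];
    uint8_t *user = build_block(storage, 0x418, 0x440);
    memset(user + 0x418, 0, 4);  /* the bug: 4 bytes written past the request */
    return user;
}

dph_status demo_clean_status(void)
{
    static uint8_t storage[0x440];
    return check_dph_block(build_block(storage, 0x418, 0x440), NULL);
}

dph_status demo_page_status(void)
{
    return check_dph_block(constructed_page_block(), NULL);
}

size_t demo_page_offset(void)
{
    size_t off = 0;
    check_dph_block(constructed_page_block(), &off);
    return off;
}

int main(void)
{
    printf("clean block   : status %d\n", demo_clean_status());
    printf("overrun block : status %d, first bad byte at block+0x%zx\n",
           demo_page_status(), demo_page_offset());
    return 0;
}
```

The reported offset 0x418 is exactly the page's RequestedSize, which is why the corruption address in the dump (78d54aa8) equals the block address plus 0x418: the first byte past the user's request is the first fence byte, and that is where an overrun lands.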
This is written roughly; I will polish it later when I have time. Let's get together.