A simple example of how to debug a program crash caused by heap crash uption

In many casesProgramThe crash is consistentHeap upload uption. Once the program is found to crashHeap upload uptionAs a result, we need to enableDebug page heap.In this wayHeap upload uptionFor more information aboutHeap. 

1.Use the following methods to enableDebug page heap.

Method1:Pageheap.exe <processname>

Method2:Gflat.exe/I <process name> + HPA

In fact, the above commands are used in the RegistryImage File Execution MappingCreate the correspondingRegister key.

2.After the preceding settings, install the debugger, as shown in figureWindbg,When a problem occurs.Crash Dump.

Adplus. vbs-crash-P <process name>-o c: \ outpath-quiet.

3.After the problem is reproduced, the correspondingCrash Dump.

4.The following is a brief example:Heap upload uptionAfterDumpAnalysis.

0: 025> kpl

Childebp retaddr

2058f230 7c993319 NTDLL! Dbgbreakpoint (void)

2058f240 7c9a7979 NTDLL! Rtlppageheapstop (unsigned long code = 0xf, char * message = 0x7c9a7c90 "corrupted suffix pattern", unsigned long param1 = 0x4671000, char * description1 = 0x7c9a7c84 "heap handle ", unsigned long param2 = bytes, char * description2 = 0x7c9a7c78 "heap block", unsigned long param3 = 0x418, char * description3 = 0x7c9a7c6c "block size", unsigned long param4 = bytes, char * description4 = 0x7c9a7c58 "partition uption address") + 0x72

2058f2bc 7c9a8b43 NTDLL! Rtlpdphreportcorruptedblock (void * heap = 0x04671000, unsigned long context = 4, void * block = 0x78d54690, struct_ Dph_validation_information * validationinformation = 0x2058f2e0) + 0x1cf

2058f2ec 7c9a8da4 NTDLL! Rtlpdphnormalheapfree (struct _ dph_heap_root * heap = 0x04671000, void * ntheap = 0x04770000, unsigned long flags = 0x1001002, void * block = 0x78d54690) + 0x32

2058f344 7c9abc7b NTDLL! Rtlpdebugpageheapfree (void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * address = 0x78d54690) + 0x146

2058f3ac 7c98575a NTDLL! Rtldebugfreeheap (void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * baseaddress = 0x78d54690) + 0x2c

2058f484 7c96e608 NTDLL! Rtlfreeheapslowly (void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * baseaddress = 0x78d54690) + 0x37

2058f568 78134c39 NTDLL! Rtlfreeheap (void * heaphandle = 0x04670000, unsigned long flags = 0x1001002, void * baseaddress =0x78d54690) + 0x11a

2058f5b4 637150f1 msvcr80! Free (void * pblock = 0x78d54690) + 0xcd

Warning: Stack unwind Information not available. Following frames may be wrong.

2058f600 774fa4a2 mermermodule! Dllunregisterserver + 0xf31

2058f624 774e3427 OLE32! Cstdmarshal: disconnect (unsigned long dwtype = 1) + 0x26c

2058f634 774e33f9 OLE32! Cstdmarshal: handlependingdisconnect (hresult hR = 0x00000000) + 0x2b

2058f684 774e3294 OLE32! Cremoteunknown: remreleaseworker (unsigned short cinterfacerefs = 2, struct tagreminterfaceref * interfacerefs = 0x001abbe0, int ftoplevel = 1) + 0x1bd

2058f698 77c50193 OLE32! Cremoteunknown: remrelease (unsigned short cinterfacerefs = 2, struct tagreminterfaceref * interfacerefs = 0x001abbe0) + 0x15

2058f6b8 77cb33e1 rpcrt4! Invoke (void) + 0x30

2058fab8 77cb2ed5 rpcrt4! NDRC stubcall2 (struct irpcstubbuffer * pthis = upper, struct irpcchannelbuffer * pchannel = lower, struct _ rpc_message * prpcmsg = lower, unsigned long * pdwstubphase = 0x2058faf4) + 0x299

2058fb10 775cd01b rpcrt4! Struct (struct irpcstubbuffer * This = 0x1ff70fe0, struct tagrpcolemessage * prpcmsg = 0x74d5dc38, struct irpcchannelbuffer * prpcchannelbuffer = 0x066bee5c) + 0xc6

2058fb54 775ccfc8 OLE32! Syncstubinvoke (struct tagrpcolemessage * PMSG = complete, struct _ guid * riid = complete, class cidobject * pid = 0x00000000, struct irpcchannelbuffer * pchnl = accept, struct irpcstubbuffer * pstub = accept, unsigned long * pdwfault = 0x2058fcfc) + 0x37

2058fb9c 7750120b OLE32! Stubinvoke (struct tagrpcolemessage * PMSG = warning, class variable * pstdid = warning, struct variable * pstub = warning, struct irpcchannelbuffer * pchnl = warning, struct tagipidentry * pipidentry = 0x80004021, unsigned long * pdwfault = 0x2058fcfc) + 0xa7

2058fc78 77500bf5 OLE32! Warning: contextinvoke (struct tagrpcolemessage * pmessage = 0x00000000, struct irpcstubbuffer * pstub = warning, struct tagipidentry * pipidentry = warning, unsigned long * pdwfault = warning) + 0xec

0: 025> dt _ dph_validation_information 0x2058f2e0

+0x000 reasoncode: 0x10

+ 0x004 exceptioncode: 0x4675000

+0x008 upload uptionlocation: 0x78d54aa8(This address is the address that the program tries to access. When debugging is enabled, the corresponding barrier value should be written on this address.)

 

//Note: accordingDebug page heapIn_ Dph_block_informationThe user data area is stored below. While_ Dph_block_informationOfSizeThe size is20The structure is as follows:

0: 025> dt _ dph_block_information

Ntdll! _ Dph_block_information

+ 0x000 startstamp: uint4b

+ 0x004 heap: ptr32 void

+ 0x008 requestedsize: uint4b

+ 0x00c actualsize: uint4b

+ 0x010 freequeue: _ list_entry

+ 0x010 freepushlist: _ single_list_entry

+ 0x010 traceindex: uint2b

+ 0x018 stacktrace: ptr32 void

+ 0x01c endstamp: uint4b

Therefore MinusSizeof (_ dph_block_information), That is_ Dph_block_information.

 

0: 025> dt0x78d54690-0x20 _ dph_block_information

Ntdll! _ Dph_block_information

+ 0x000 startstamp: 0 xabcdaaaa

+ 0x004 heap: 0x84671000

+ 0x008Requestedsize: 0x418

+ 0x00c actualsize: 0x440

+ 0x010 freequeue: _ list_entry [0x0-0x0]

+ 0x010 freepushlist: _ single_list_entry

+ 0x010 traceindex: 0

+ 0x018 stacktrace: (null)

+ 0x01c endstamp: 0 xdcbaaaaa

 

Next, we can check whether the fence value filled after the user data zone is correct.

0: 025> dd 0x78d54690 + 0x418 L4

78d54aa800000000 a0a0a0a000000000 00000000

As you can see, it should have beenA0a0a0a0The barrier value of is destroyed! IndicatesHeap upload uptionOccurred.

 

0: 025>? 0x78d54690 + 0x418

Evaluate expression: 2027244200 =78d54aa8

In fact, we can see thatAccess violationThe IP address is also the fence address next to the data area requested by the user.

 

OK,Now you knowHeapIf it is destroyed, we need to know how to be destroyed.

At this time, we need to getCall StackInvolved inModuleOfSymbolFile so that we can locate the function that causesHeap upload uption.

Write is rough. If you are free, please polish it later. Let's get together.