2011-9-27
Candle fall
I was quite unfamiliar with WinDbg when analyzing dumps yesterday and today, but I did learn some common commands. A few weeks ago I heard about a tool called gflags, and today I finally tested it.
Gflags.exe is a small tool shipped with Debugging Tools for Windows.
Installation download link: http://msdn.microsoft.com/en-us/windows/hardware/gg463016
After installation, add the gflags folder (it contains many other useful tools) to the PATH environment variable so it can be used conveniently from the command line. (My Computer --> right-click --> Properties --> Advanced --> Environment Variables --> System variables --> Path)
At the cmd command prompt, run cdb -iae.
This sets CDB as the default JIT (Just-In-Time) debugger, so that when a program run from the command line crashes, execution stops in the debugger.
(The learning materials listed at the end of this article are quite good.)
Test program:
////////////////////////////////////////
int main()
{
    char *p = new char[10];
    for (int i = 0; i != 11; ++i)   // i == 10 writes one byte past the 10-byte block
        p[i] = i;
    return 0;
}
////////////////////////////////////////
This is a very simple out-of-bounds program: when i = 10, the access is out of bounds. However, without a testing tool it does not crash. In general the space handed to the program is 16-byte aligned, so p[10] lands in the padding added for alignment and the overrun causes no crash. It is a latent bug nonetheless, and to discover such latent bugs as early as possible, using a tool is a good choice.
Gflags can be used to track the execution of this program. It can be configured so that each heap block allocated by new occupies its own separate space, with the space adjacent to it marked inaccessible; an invalid-access error is then raised the moment the access goes out of bounds, and the crash surfaces as early as possible.
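To make the mechanism concrete, here is an added C example (not from the post, and POSIX rather than the Windows page heap itself) that reproduces the layout gflags creates for the post's 10-byte allocation: the block sits flush against the end of its own page, the next page is inaccessible, and the post's loop is run against it to find which index faults. guard_alloc, write_faults and first_faulting_index are names chosen for this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
#include <unistd.h>

/* Added example, not from the post: mimics gflags page heap with
 * /full /unaligned. The block ends exactly at a page boundary (no alignment
 * padding to hide an overrun) and the following page is PROT_NONE, like the
 * PAGE_NOACCESS region !address showed, so the first byte past the block faults. */
static char *guard_alloc(size_t size)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t body = ((size + page - 1) / page) * page;   /* data pages */
    char *base = mmap(NULL, body + page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    mprotect(base + body, page, PROT_NONE);             /* guard page */
    return base + body - size;                          /* block ends at guard */
}

static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Store one byte at p[index]; return 1 if the store faulted, 0 otherwise. */
static int write_faults(char *p, size_t index)
{
    struct sigaction sa = {0}, old;
    int faulted = 0;
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        p[index] = (char)index;                         /* the post's p[i] = i */
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* The post's loop (new char[10]; p[i] = i for i = 0..10) on a guarded block.
 * Returns the first index whose write faults, -1 if none, -2 if mmap failed. */
static int first_faulting_index(void)
{
    char *p = guard_alloc(10);
    if (!p) return -2;
    for (size_t i = 0; i != 11; ++i)
        if (write_faults(p, i)) return (int)i;
    return -1;
}
```

With an ordinary allocator the same loop would usually finish silently, because p[10] falls into alignment padding; with the guard layout, index 10 faults exactly as in the crash below.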
The test procedure is as follows:
1. Use VC to compile the Release build of the executable test.exe. (Note: not the Debug build.)
2. Register test.exe so that it is monitored by gflags.
Run the following command in cmd: gflags /p /enable test.exe /full /unaligned
Press Enter and the following information is displayed:
************************************************************
path: Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
test.exe: page heap enabled
************************************************************
At this point test.exe is registered for monitoring.
/p /enable is essential.
/full means each allocated block gets its own exclusive space and the adjacent space is inaccessible.
/unaligned means the allocated block is not aligned, so the out-of-bounds access is not hidden by alignment padding.
3. Double-click test.exe to run it; it breaks into the debugger:
************************************************************
(17f8.5d0): Access violation - code c0000005 (!!! second chance !!!)
eax=0161eff6 ebx=7c80ac61 ecx=0000000a edx=015c5000 esi=00000002 edi=00000a28
eip=00401010 esp=0012ff74 ebp=0012ffc0 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000297
windbgtest!main+0x10:
00401010 880c01          mov     byte ptr [ecx+eax],cl      ds:0023:0161f000=??
************************************************************
If you instead run the exe under windbg and issue the command !address, you find that eax is readable and writable while eax+ecx is inaccessible:
************************************************************
0:000> !address eax
    015c0000 : 0161e000 - 00001000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsagePageHeap
                    Handle   015c1000
0:000> !address eax+ecx
    015c0000 : 0161f000 - 000a1000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000001 PAGE_NOACCESS
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsagePageHeap
                    Handle   015c1000
************************************************************
4. Cancel tracking:
Run gflags /p to list the programs currently being tracked:
************************************************************
C:\Documents and Settings\cs_wuyg>gflags /p
path: Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
player.exe: page heap enabled with flags (full traces)
Program: page heap enabled with flags (full unaligned traces)
test.exe: page heap enabled with flags (full unaligned traces)
windbgtest.exe: page heap enabled with flags (full unaligned traces)
************************************************************
Use /p /disable to cancel tracking; the result is as follows:
************************************************************
C:\Documents and Settings\cs_wuyg>gflags /p /disable player.exe
path: Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
player.exe: page heap disabled
C:\Documents and Settings\cs_wuyg>gflags /p
path: Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Program: page heap enabled with flags (full unaligned traces)
test.exe: page heap enabled with flags (full unaligned traces)
windbgtest.exe: page heap enabled with flags (full unaligned traces)
************************************************************
Strangely, the program cannot be cancelled. In addition, I found that the corresponding registry entries still exist after disable, though some of the values have been deleted.
My colleague told me that when gflags is not in use it is best to delete the entries from the registry, because gflags has a large impact on machine performance.
The registry location is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
5. Notes
1. gflags records only the name of the program to be tracked in the registry. The full path of the executable is not required during configuration, only the file name.
2. You can use either the command line or the GUI. The first two tabs in the GUI apply to all executables; the third tab sets up a specific program to be tracked.
3. There are other, more powerful tools.
6. Summary
With simple use of this tool, we can quickly find out-of-bounds accesses in code.
Whether it is useful in large projects I have not yet tried.
Using gflags while debugging in the source code is more convenient.
7. Some windbg commands:
1. !analyze -v
2. kv, kf, kb
3. ~* k
4. .ecxr
5. lmvm xxx.exe
When analyzing a dump, the call stack is read from the bottom up.
Of the values shown in front of each call-stack frame, some are parameters and some are useless information.
After the source file path is set, the .ecxr command shows the register state at the exception together with the source code.
Many crashes turn out to be caused by null pointers and wild pointers; the null and wild pointers are caused by multi-threaded unloading and overlapping loading.
Learning materials:
http://www.cppblog.com/sandy/archive/2007/03/13/19723.html
http://blog.csdn.net/ayw_hehe/article/details/6796333
http://www.cppblog.com/sandy/archive/2008/09/27/62877.html
http://www.cnblogs.com/awpatp/archive/2011/01/01/1923913.html
http://blog.sina.com.cn/s/blog_484f16880100jrwj.html