Crash Dump Analysis Patterns (Part 6)

Crash dump - Repost Special | 2007. 5. 13. 23:58 | posted by CecilDeSK

Now it's time to "introduce" the Invalid Pointer pattern. A pointer is just a number saved in a register or in a memory location; when we interpret it as a memory address and follow it (dereference it) to fetch the memory contents (value) it points to, the OS, with the help of the hardware, tells us that the address doesn't exist or is inaccessible due to security restrictions. The following two slides from my old presentation depict the concept of a pointer:

[Slide: Pointer definition]
[Slide: Pointers depicted]

In Windows your process memory is partitioned into two big regions: kernel space and process (user) space. Space partition is a different concept from execution mode (kernel or user, ring 0 or ring 3), which is a processor state. Code executing in kernel mode (a driver or the OS, for example) can access memory that belongs to user space.

Based on this we can make a distinction between invalid pointers containing kernel space addresses (starting from 0x80000000 on x86 without the /3GB switch) and invalid pointers containing user space addresses (below 0x7FFFFFFF).

On Windows x64 user space addresses are below 0x0000070000000000 and kernel space addresses start from 0xFFFF080000000000.

When you dereference an invalid kernel space address you get a bug check immediately:

UNEXPECTED_KERNEL_MODE_TRAP (7f)

PAGE_FAULT_IN_NONPAGED_AREA (50)

There is no way you can catch it in your code (by using SEH).

However, when you dereference an invalid user space address the course of action depends on whether your processor is in kernel mode (ring 0) or in user mode (ring 3). In either mode you can catch the exception (by using an appropriate SEH handler) or leave it to the operating system or debugger. If no component was willing to process the exception, in user mode you get a process crash and in kernel mode you get one of these bug checks:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)

I summarized all of this on the following diagram:

[Diagram: pointers.JPG]

A NULL pointer is a special class of user space pointers. Usually its value is in the range 0x00000000 - 0x0000FFFF. You can see them used in instructions like

mov esi, dword ptr [ecx+0x10]

where the ecx value is 0x00000000, so you try to access the value located at memory address 0x00000010.
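To make the classification above mechanical when triaging a dump, here is an added example (my own code, not from the original post) that maps a faulting address to the post's classes and the outcome the post describes; the enum names, the `PTR_OUTSIDE` class for x64 values in neither quoted range, and the result strings are my assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post: classify a faulting
 * address with the partitions the post gives, so the expected outcome of
 * the dereference can be read off the value. Bug check codes are the
 * ones the post quotes. */
typedef enum { PTR_NULL_CLASS, PTR_USER, PTR_KERNEL, PTR_OUTSIDE } ptr_class_t;

/* x64 != 0 selects the x64 boundaries; otherwise x86 without /3GB. */
ptr_class_t classify_pointer(uint64_t addr, int x64)
{
    if (addr <= 0xFFFFULL)              /* 0x00000000 - 0x0000FFFF */
        return PTR_NULL_CLASS;
    if (!x64)
        return addr >= 0x80000000ULL ? PTR_KERNEL : PTR_USER;
    if (addr < 0x0000070000000000ULL)   /* user space on x64 */
        return PTR_USER;
    if (addr >= 0xFFFF080000000000ULL)  /* kernel space on x64 */
        return PTR_KERNEL;
    return PTR_OUTSIDE;                 /* in neither range the post quotes */
}

/* Effective address of a [base+disp] operand such as [ecx+0x10]. */
uint64_t effective_address(uint64_t base, int64_t disp)
{
    return base + (uint64_t)disp;
}

/* Kernel-space faults bug check at once; the others can be caught. */
int catchable_with_seh(ptr_class_t c) { return c != PTR_KERNEL; }

/* Outcome when no handler takes the exception, per the post. */
const char *unhandled_result(ptr_class_t c, int in_kernel_mode)
{
    if (c == PTR_KERNEL)  return "bug check 7f or 50";
    if (c == PTR_OUTSIDE) return "outside the ranges quoted";
    return in_kernel_mode ? "bug check 7e or 8e" : "process crash";
}

int main(void)
{
    uint64_t ea = effective_address(0x0, 0x10);  /* ecx == 0, as in the post */
    ptr_class_t c = classify_pointer(ea, 0);
    printf("0x%llx: class %d, SEH-catchable %d, if unhandled: %s\n",
           (unsigned long long)ea, c, catchable_with_seh(c), unhandled_result(c, 0));
    return 0;
}
```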

When you get a crash dump and see an invalid pointer pattern, the next step is to interpret the pointer value, which should help in understanding the possible steps that led to the crash. Pointer value interpretation is the subject of the next part.

- Dmitry Vostokov -
