flat assembler
Message board for the users of flat assembler.

Curious (well, for me) BSOD

LocoDelAssembly (Your code has a bug)
Joined: 06 May 2005
Posts: 4633
Location: Argentina
Today I was talking with a person who got infected by a virus. One of the problems she mentioned was that after removing AVG and installing Avast a BSOD appeared again, so I asked her for the minidump to see what the problem was about this time (the last time, two of the minidumps were related to the sound card drivers and the rest to some networking driver from AVG, avgtdix.sys).

The BSOD in question was this:
Code:
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c000001d, The exception code that was not handled
Arg2: bf808f9b, The address that the exception occurred at
Arg3: f103887c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------




EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION}  Illegal Instruction  An attempt was made to execute an illegal instruction.

FAULTING_IP: 
win32k!hbmSelectBitmap+2c7
bf808f9b 0f              ???

TRAP_FRAME:  f103887c -- (.trap 0xfffffffff103887c)
ErrCode = 00000000
eax=80000000 ebx=f1038934 ecx=e1ecf010 edx=5e5ff05d esi=00000000 edi=e1ecf008
eip=bf808f9b esp=f10388f0 ebp=f1038910 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
win32k!hbmSelectBitmap+0x2c7:
bf808f9b 0f              ???
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

BUGCHECK_STR:  0x8E

PROCESS_NAME:  firefox.exe

LAST_CONTROL_TRANSFER:  from bf808ba2 to bf808f9b

FAILED_INSTRUCTION_ADDRESS: 
win32k!hbmSelectBitmap+2c7
bf808f9b 0f              ???

STACK_TEXT:  
f1038910 bf808ba2 e164f558 55050ff3 00000000 win32k!hbmSelectBitmap+0x2c7
f1038924 804de7ec a7011372 55050ff3 0012f668 win32k!NtGdiSelectBitmap+0x12
f1038924 7c91e4f4 a7011372 55050ff3 0012f668 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f668 00000000 00000000 00000000 00000000 0x7c91e4f4


STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -db !win32k
4 errors : !win32k (bf808f94-bf808f9d)
bf808f90  85  ba  fd  ff *85 *ba  5d  f0  5f  5e  5b  0f *ff *39  fd  ff ......]._^[..9..

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  STRIDE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_STRIDE

BUCKET_ID:  MEMORY_CORRUPTION_STRIDE

Followup: memory_corruption
---------

kd> lmvm memory_corruption
start    end        module name
    


When I saw Firefox and also those bitmap-related symbols I immediately imagined that she had visited a site with a specially crafted image, but after looking at the memory modification that took place I started to think it was a RAM problem. Here is a comparison of the DQWORD at BF808F90 between the minidump and her win32k.sys:
Code:
; Original
;          0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
BF808F90: 85 BA FD FF FF 39 5D F0  5F 5E 5B 0F 85 BA FD FF

; Minidump
;          0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
BF808F90: 85 BA FD FF 85 BA 5D F0  5F 5E 5B 0F FF 39 FD FF    


See the difference? Bytes 4 and 5 swapped positions with bytes 12 and 13 respectively.

Since she is infected with those annoying viruses that send spam through MSN Messenger, I can't be sure whether this is a virus-triggered modification or a hardware failure, but what is the probability of the virus causing this anyway?

This is the difference when seen as assembly code:
Code:
; IDApro disassembly
.text:BF808F8F                 jnz     loc_BF808D4F
.text:BF808F95                 cmp     [ebp+var_10], ebx
.text:BF808F98                 pop     edi
.text:BF808F99                 pop     esi
.text:BF808F9A                 pop     ebx
.text:BF808F9B                 jnz     loc_BF808D5B

;WinDbg disassembly
bf808f8f 0f85bafdff85    jne     45808d4f
bf808f95 ba5df05f5e      mov     edx,5E5FF05Dh
bf808f9a 5b              pop     ebx
bf808f9b 0f              ???
bf808f9c ff              ???
bf808f9d 39fd            cmp     ebp,edi
bf808f9f ff              ???
    


Well, I just wanted to share this experience with you in case some of you didn't know about this kind of RAM byte swapping before (like me).

PS: And yes, I overlooked the CHKIMG_EXTENSION part of the minidump analysis, but it was still worthwhile to check with IDA Pro, because the swapping is not mentioned there.

[edit]Fixed some typos.


Last edited by LocoDelAssembly on 24 Mar 2009, 20:49; edited 1 time in total
Post 21 Mar 2009, 03:41
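An added example, not part of the original post and not code the poster ran: a small C program that takes the two 16-byte strings quoted above (on-disk win32k.sys versus minidump), lists the differing offsets, and tests whether one fixed-stride byte swap explains every difference, which is the pattern behind the MEMORY_CORRUPTOR: STRIDE bucket in the !analyze output. It also decodes the rel32 displacement of the first jnz to show where the damaged branch would have gone, and checks whether the second jnz still has a valid 0F 8x opcode. The byte values come from the post; the only assumption is the 32-bit near Jcc encoding (0F 8x rel32, displacement relative to the end of the instruction).

```c
/* Added example (not from the post): compare the 16 bytes at BF808F90 as
 * they appear in the on-disk win32k.sys against the minidump copy, list the
 * differing offsets, and check whether a single fixed-stride byte swap
 * explains every difference (the MEMORY_CORRUPTOR: STRIDE pattern). The two
 * byte strings are copied from the post; the branch decoding assumes the
 * 32-bit near Jcc encoding 0F 8x rel32, rel32 relative to the end of the
 * instruction. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_LEN 16

/* Bytes at BF808F90 in the on-disk win32k.sys (values from the post). */
static const uint8_t ORIG[LINE_LEN] = {
    0x85, 0xBA, 0xFD, 0xFF, 0xFF, 0x39, 0x5D, 0xF0,
    0x5F, 0x5E, 0x5B, 0x0F, 0x85, 0xBA, 0xFD, 0xFF };
/* Same 16 bytes as captured in the minidump (values from the post). */
static const uint8_t DUMP[LINE_LEN] = {
    0x85, 0xBA, 0xFD, 0xFF, 0x85, 0xBA, 0x5D, 0xF0,
    0x5F, 0x5E, 0x5B, 0x0F, 0xFF, 0x39, 0xFD, 0xFF };

/* Number of byte positions where a and b differ. */
size_t diff_count(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (a[i] != b[i]);
    return count;
}

/* Offset of the k-th (0-based) differing byte, or n if there is none. */
size_t nth_diff(const uint8_t *a, const uint8_t *b, size_t n, size_t k)
{
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i] && k-- == 0)
            return i;
    return n;
}

/* Smallest stride s such that exchanging each differing byte at offset i
 * with the byte at i+s turns a into b exactly; 0 if no single stride works
 * (or if a and b are identical). n must not exceed LINE_LEN. */
size_t find_swap_stride(const uint8_t *a, const uint8_t *b, size_t n)
{
    if (n > LINE_LEN || diff_count(a, b, n) == 0)
        return 0;
    for (size_t s = 1; s < n; s++) {
        uint8_t c[LINE_LEN];
        int used[LINE_LEN] = { 0 };
        memcpy(c, a, n);
        for (size_t i = 0; i + s < n; i++) {
            if (a[i] == b[i] || used[i])
                continue;
            uint8_t t = c[i];
            c[i] = c[i + s];
            c[i + s] = t;
            used[i] = used[i + s] = 1;
        }
        if (memcmp(c, b, n) == 0)
            return s;
    }
    return 0;
}

/* Target of a near Jcc: rel32 is little-endian and relative to the address
 * of the next instruction; the 32-bit wrap-around is intentional. */
uint32_t rel32_target(uint32_t next_insn_addr, const uint8_t *rel)
{
    uint32_t disp = (uint32_t)rel[0] | ((uint32_t)rel[1] << 8) |
                    ((uint32_t)rel[2] << 16) | ((uint32_t)rel[3] << 24);
    return next_insn_addr + disp;
}

/* 1 if p starts a two-byte near conditional jump (0F 80 .. 0F 8F). */
int is_jcc_near(const uint8_t *p)
{
    return p[0] == 0x0F && p[1] >= 0x80 && p[1] <= 0x8F;
}

int main(void)
{
    size_t n = diff_count(ORIG, DUMP, LINE_LEN);
    printf("%zu differing bytes at offsets:", n);
    for (size_t k = 0; k < n; k++)
        printf(" %zu", nth_diff(ORIG, DUMP, LINE_LEN, k));
    printf("\nstride that explains all of them: %zu\n",
           find_swap_stride(ORIG, DUMP, LINE_LEN));
    /* The first jnz starts one byte before the line (0F at BF808F8F), so its
     * rel32 sits at offsets 1..4 and the next instruction is at BF808F95. */
    printf("first jnz target: on disk %08X, in dump %08X\n",
           (unsigned)rel32_target(0xBF808F95u, ORIG + 1),
           (unsigned)rel32_target(0xBF808F95u, DUMP + 1));
    /* The second jnz starts at offset 11; in the dump its 0F 85 became
     * 0F FF, which has no valid encoding and raises #UD (0xC000001D). */
    printf("second jnz opcode intact: on disk %d, in dump %d\n",
           is_jcc_near(ORIG + 11), is_jcc_near(DUMP + 11));
    return 0;
}
```

Build with `cc -std=c99 -Wall`. The reported stride is 8, i.e. the two halves of the 16-byte line exchanged bytes 4,5 with 12,13, which is what !chkimg flags as four errors in bf808f94-bf808f9d. Decoding the first jnz shows the on-disk branch landing at BF808D4F inside win32k, while the dump's copy (high byte of the displacement changed from FF to 85) points at 45808D4F, a user-mode address; the second jnz lost its opcode byte entirely, so the CPU hit an undefined 0F FF sequence at BF808F9B and raised the illegal-instruction exception that !analyze reports.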
comrade
Joined: 16 Jun 2003
Posts: 1137
Location: Russian Federation
Can you share the .dmp file, please?
Post 21 Mar 2009, 16:55
LocoDelAssembly (Your code has a bug)
Joined: 06 May 2005
Posts: 4633
Location: Argentina
Here it is. If you find something more, share it too :)

Since it is a minidump, I'm trusting there is no personal information glued to it :P


Description:
Download
Filename: Mini031709-01.zip
Filesize: 20.44 KB
Downloaded: 57 Time(s)

Post 21 Mar 2009, 17:33
Coddy41
Joined: 18 Jan 2009
Posts: 384
Location: Ohio, USA
I did find this curious :D
Code:
; UTF-16LE registry strings from the dump, shown with the interleaved NUL bytes removed
Identifier           x86 Family 15 Model 4 Stepping 1
ProcessorNameString  Intel(R) Pentium(R) 4 CPU 2.80GHz
Update Signature
Update Status
VendorIdentifier     GenuineIntel
MSR8B
It is amazing what can be found in those files.

_________________
Want hosting for free for your asm project? You can PM me. (*.fasm4u.net)
Post 25 Mar 2009, 21:26
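An added example, not Coddy41's code and not from the original post: the registry values quoted above are stored in the dump as UTF-16LE, which is why a plain ASCII string search shows them with a space between every letter. The C scanner below pulls such strings out of a raw buffer the way `strings -e l` would, scanning both byte alignments so a string that starts at an odd offset is not missed. The sample buffer is constructed for the example and only imitates the kind of values he found; it is not data from the minidump.

```c
/* Added example (not from the post): extract printable UTF-16LE strings from
 * a raw buffer such as a minidump. The SAMPLE bytes below are constructed
 * for this example and are not taken from the real dump. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JOIN_SIZE 1024

/* Called once per string found; s is NUL-terminated and valid during the call. */
typedef void (*string_cb)(const char *s, void *ctx);

/* Scan the code units starting at byte offset `start` (0 or 1) for runs of
 * at least min_len printable ASCII characters encoded as (char, 0x00). */
static size_t scan_parity(const uint8_t *buf, size_t len, size_t start,
                          size_t min_len, string_cb cb, void *ctx)
{
    char run[256];
    size_t run_len = 0, found = 0;
    for (size_t i = start; i + 1 < len; i += 2) {
        uint8_t lo = buf[i], hi = buf[i + 1];
        int printable = (hi == 0x00 && lo >= 0x20 && lo <= 0x7E);
        if (printable && run_len < sizeof run - 1) {
            run[run_len++] = (char)lo;
            continue;
        }
        /* run ended (non-printable unit, or run buffer full): emit if long enough */
        if (run_len >= min_len) {
            run[run_len] = '\0';
            if (cb) cb(run, ctx);
            found++;
        }
        run_len = 0;
        if (printable)
            run[run_len++] = (char)lo;
    }
    if (run_len >= min_len) {
        run[run_len] = '\0';
        if (cb) cb(run, ctx);
        found++;
    }
    return found;
}

/* Report every UTF-16LE string of at least min_len characters in buf.
 * Even-offset strings are reported first, then odd-offset ones. Returns the
 * number of strings found. cb may be NULL to count only. */
size_t utf16le_strings(const uint8_t *buf, size_t len, size_t min_len,
                       string_cb cb, void *ctx)
{
    return scan_parity(buf, len, 0, min_len, cb, ctx) +
           scan_parity(buf, len, 1, min_len, cb, ctx);
}

/* Callback that appends each string to a '\n'-separated buffer of JOIN_SIZE. */
static void join_cb(const char *s, void *ctx)
{
    char *out = ctx;
    size_t used = strlen(out);
    snprintf(out + used, JOIN_SIZE - used, "%s%s", used ? "\n" : "", s);
}

/* Convenience wrapper returning all strings joined by '\n' (static storage). */
const char *join_utf16le_strings(const uint8_t *buf, size_t len, size_t min_len)
{
    static char joined[JOIN_SIZE];
    joined[0] = '\0';
    utf16le_strings(buf, len, min_len, join_cb, joined);
    return joined;
}

/* One ASCII character as a UTF-16LE code unit. */
#define W(c) (c), 0x00

/* Constructed sample: junk, an even-aligned UTF-16LE value name, an odd
 * byte that shifts alignment, an odd-aligned UTF-16LE string, the same
 * text as 8-bit ASCII (must not match), and a short UTF-16LE string. */
static const uint8_t SAMPLE[] = {
    0xFF, 0xFF, 0xFF, 0xFF,
    W('I'), W('d'), W('e'), W('n'), W('t'), W('i'), W('f'), W('i'), W('e'), W('r'),
    0x00, 0x00, 0x42, 0x00, 0x01,
    W('G'), W('e'), W('n'), W('u'), W('i'), W('n'), W('e'), W('I'), W('n'), W('t'), W('e'), W('l'),
    'M', 'S', 'R', '8', 'B',
    W('M'), W('S'), W('R'), W('8'), W('B'),
};

int main(void)
{
    printf("%s\n", join_utf16le_strings(SAMPLE, sizeof SAMPLE, 5));
    return 0;
}
```

With a minimum length of 5 the sample yields `Identifier`, `MSR8B` (even alignment) and `GenuineIntel` (odd alignment); the single `B` and the 8-bit `MSR8B` are skipped. To run it over a real file, read the .dmp into memory and call `utf16le_strings` with a callback that prints each hit together with its offset.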
LocoDelAssembly (Your code has a bug)
Joined: 06 May 2005
Posts: 4633
Location: Argentina
BTW, just for the record, there was actually no virus at all; the spam sending originated from a bot at an unknown location, as I received one spam instant message when her computer was not even turned on... After the 10th time I told her to change her password, she changed it and the spam finally ceased.
Post 21 Oct 2009, 00:19
sleepsleep
Joined: 05 Oct 2006
Posts: 8945
Location: ˛ Posts: 334455
Hi loco,
I tested the latest Microsoft Security Essentials, a free download that needs a genuine Windows to run.
This antivirus is really superb. More advanced than those available on the market targeted at end users.
I started offering it to my clients this week. Perhaps you could try it.
Post 21 Oct 2009, 00:30


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.
