DynamoRIO / drmemory

Memory Debugger for Windows, Linux, Mac, and Android

fill in details of new win8 syscalls and watch allocators like NtWow64AllocateVirtualMemory64 #1153

Open derekbruening opened 9 years ago

derekbruening commented 9 years ago

From bruen...@google.com on February 24, 2013 10:55:14

as part of issue #772 I'm adding entries to the tables but most are unknown

xref DRi#899

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1153

derekbruening commented 9 years ago

From bruen...@google.com on February 24, 2013 14:03:34

this case covers usercalls as well. I filled in some known #s from running calc and app_suite, but there are a bunch of newly inserted ones.

from drsyscall/drsyscallusercallx.h:

/* XXX issue #484: win7 seems to have added sthg here since the rest are all shifted; win8 removed it */
/* FIXME issue #1153: win8 added 2 somewhere between 0x05 and 0x24 */
/* FIXME issue #1153: on win8, 4 more added between 0x45 and 0x5d */
/* FIXME issue #1153: on win8, 1 more added between 0x5d and 0x6f */

** TODO cmp #args for all syscalls

grep pdb ntdll.dll/6.2.9200.16384-wow64/syscalls | grep -v Zw | awk '{print $NF " " $5}' | sort > /tmp/w8

grep pdb ntdll.dll/6.1.7601.17514-wow64/syscalls | grep -v Zw | awk '{print $NF " " $5}' | sort > /tmp/w7

diff /tmp/w7 /tmp/w8

< NtWaitForWorkViaWorkerFactory 8
> NtWaitForWorkViaWorkerFactory 16

grep pdb user32.dll/6.1.7601.17514-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w7

grep pdb user32.dll/6.2.9200.16384-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w8

diff /tmp/w7 /tmp/w8 | cut -c 2-100 | sort | uniq -c

  1  NtUserBuildHwndList 28
  1  NtUserBuildHwndList 32
  1  NtUserCreateWindowEx 60
  1  NtUserCreateWindowEx 64
  1  NtUserDwmStartRedirection 4
  1  NtUserDwmStartRedirection 8
  1  NtUserRegisterSessionPort 4
  1  NtUserRegisterSessionPort 8
  1  NtUserSetTimer 16
  1  NtUserSetTimer 20
  1  NtUserSwitchDesktop 12
  1  NtUserSwitchDesktop 8

grep pdb gdi32.dll/6.1.7601.17514-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w7

grep pdb gdi32.dll/6.2.9200.16384-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w8

diff /tmp/w7 /tmp/w8 | cut -c 2-100 | sort | uniq -c

  1  NtGdiBeginGdiRendering 12
  1  NtGdiBeginGdiRendering 8
  1  NtGdiEndGdiRendering 12
  1  NtGdiEndGdiRendering 16
  1  NtGdiOpenDCW 32
  1  NtGdiOpenDCW 36

grep pdb kernel32.dll/6.1.7601.17514-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w7

grep pdb kernel32.dll/6.2.9200.16384-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w8

diff /tmp/w7 /tmp/w8 | cut -c 2-100 | sort | uniq -c

grep pdb imm32.dll/6.1.7600.16385-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w7

grep pdb imm32.dll/6.2.9200.16384-wow64/syscalls | awk '{print $NF " " $5}' > /tmp/w8

diff /tmp/w7 /tmp/w8 | cut -c 2-100 | sort | uniq -c
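The grep/awk/diff pipeline above compares per-syscall argument byte counts between two builds of the same DLL. The script below is an added example for this thread, not drmemory code and not the layout of the project's pdb-derived "syscalls" files: it does the same name-level comparison on a constructed three-column table (name, syscall number, argument bytes) and additionally locates where the newer build inserted or removed entries, which is the "N added between A and B" observation the drsyscallusercallx.h FIXMEs record. The syscall numbers and the inserted entry in the sample tables are made up for illustration; only the argument byte counts follow the diff output in this comment.

```python
"""Compare two syscall tables and report what a new Windows build added,
removed or changed.  Added example for this thread, not drmemory code; the
three-column format (name, number, arg bytes) is a constructed one and is
not the layout of the project's pdb-derived "syscalls" files."""

import re

# Constructed sample tables.  Names are real user32 syscalls, but the numbers
# and the inserted entry are made up to show the shift detection; the arg byte
# counts follow the win7 -> win8 diff output in the thread.
WIN7_TABLE = """
NtUserBuildHwndList   0x1d   28
NtUserSetTimer        0x1e   16
NtUserSwitchDesktop   0x1f   12
NtUserQueryWindow     0x20    8
"""

WIN8_TABLE = """
NtUserBuildHwndList   0x1d   32
NtUserSetTimer        0x1e   20
NtUserGetWindowBand   0x1f    8
NtUserSwitchDesktop   0x20    8
NtUserQueryWindow     0x21    8
"""

LINE_RE = re.compile(r"^\s*(\w+)\s+(0x[0-9a-fA-F]+|\d+)\s+(\d+)\s*$")


def parse_table(text):
    """Return {name: (syscall_number, arg_bytes)}; non-matching lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group(1)] = (int(m.group(2), 0), int(m.group(3)))
    return table


def diff_tables(old, new):
    """Name-level diff: what the new build added, dropped, or changed the
    argument count of (the three kinds of difference the thread's
    diff | cut | sort | uniq -c pipeline surfaces)."""
    added = sorted(n for n in new if n not in old)
    removed = sorted(n for n in old if n not in new)
    nargs_changed = sorted(
        (n, old[n][1], new[n][1]) for n in old if n in new and old[n][1] != new[n][1]
    )
    return {"added": added, "removed": removed, "nargs_changed": nargs_changed}


def describe_shifts(old, new):
    """Walk the syscalls common to both tables in old-number order.  Wherever
    new_number - old_number grows by k between two neighbours, the new build
    inserted k entries between them (shrinks: removed).  This yields the
    "N added between A and B" notes of the drsyscallusercallx.h comments."""
    common = sorted((old[n][0], new[n][0]) for n in old if n in new)
    notes = []
    for (a_old, a_new), (b_old, b_new) in zip(common, common[1:]):
        k = (b_new - b_old) - (a_new - a_old)
        if k > 0:
            notes.append(f"{k} added between {a_old:#x} and {b_old:#x}")
        elif k < 0:
            notes.append(f"{-k} removed between {a_old:#x} and {b_old:#x}")
    return notes


if __name__ == "__main__":
    w7, w8 = parse_table(WIN7_TABLE), parse_table(WIN8_TABLE)
    for kind, entries in diff_tables(w7, w8).items():
        print(f"{kind}: {entries}")
    for note in describe_shifts(w7, w8):
        print("FIXME:", note)
```

Running it on the sample tables reports NtUserGetWindowBand as added, three argument-count changes, and "1 added between 0x1e and 0x1f"; swapping the two tables turns the same gap into a removal, which is the win7 vs. win8 case the header comment describes.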

derekbruening commented 9 years ago

From bruen...@google.com on May 13, 2013 10:09:48

*** DONE uninits from EnumWindows in app_suite: NtUserBuildHwndList extra arg is the in size! CLOSED: [2013-05-13 Mon 13:06]

64: Dr.M ERRORS FOUND:
64: Dr.M       0 unique,     0 total unaddressable access(es)
64: Dr.M      11 unique,   996 total uninitialized access(es)
64: Dr.M       0 unique,     0 total invalid heap argument(s)
64: Dr.M       0 unique,     0 total GDI usage error(s)
64: Dr.M       0 unique,     0 total warning(s)
64: Dr.M       6 unique,     7 total,   1032 byte(s) of leak(s)
64: Dr.M       4 unique,     4 total,    872 byte(s) of possible leak(s)

DUPLICATE ERROR COUNTS:
Error #   1:    197
Error #   2:    197
Error #   3:    197
Error #   4:    197
Error #   5:    197
Error #   9:      2
Error #  10:      3
Error #  11:      3
Error #  20:      2

Error #1: UNINITIALIZED READ: reading 0x00b5f498-0x00b5f49c 4 byte(s)

0 USER32.dll!ValidateHwnd (0x760c765a <USER32.dll+0x765a>)

??:0

1 USER32.dll!EnumWindowsWorker (0x760cc8e6 <USER32.dll+0xc8e6>)

??:0

2 USER32.dll!EnumWindows (0x760d79aa <USER32.dll+0x179aa>)

??:0

3 NtUserTests_Msgbox_Test::TestBody (0x0107aba2 <app_suite_tests.exe+0x1aba2>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284

4 testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test,void> (0x010aa830 <app_suite_tests.exe+0x4a830>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075

5 testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,void> (0x010aa1eb <app_suite_tests.exe+0x4a1eb>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126

6 testing::Test::Run (0x010962e7 <app_suite_tests.exe+0x362e7>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162

7 testing::TestInfo::Run (0x01096aed <app_suite_tests.exe+0x36aed>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338

8 testing::TestCase::Run (0x01096f6f <app_suite_tests.exe+0x36f6f>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445

9 testing::internal::UnitTestImpl::RunAllTests (0x0109b531 <app_suite_tests.exe+0x3b531>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237

10 testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,bool> (0x010aab80 <app_suite_tests.exe+0x4ab80>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075

11 testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,bool> (0x010aa6ab <app_suite_tests.exe+0x4a6ab>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126

Note: @0:00:12.819 in thread 88
Note: instruction: cmp 0x08(%ebp) $0x00000000

Error #2: UNINITIALIZED READ: reading register ecx

0 USER32.dll!PtiWindow (0x760c8cbb <USER32.dll+0x8cbb>)

??:0

1 USER32.dll!GetWindowThreadProcessId (0x760c8deb <USER32.dll+0x8deb>)

??:0

2 enum_windows (0x0107aa13 <app_suite_tests.exe+0x1aa13>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248

3 USER32.dll!EnumWindowsWorker (0x760cc8f2 <USER32.dll+0xc8f2>)

??:0

4 USER32.dll!EnumWindows (0x760d79aa <USER32.dll+0x179aa>)

??:0

5 NtUserTests_Msgbox_Test::TestBody (0x0107aba2 <app_suite_tests.exe+0x1aba2>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284

6 testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test,void> (0x010aa830 <app_suite_tests.exe+0x4a830>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075

7 testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,void> (0x010aa1eb <app_suite_tests.exe+0x4a1eb>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126

8 testing::Test::Run (0x010962e7 <app_suite_tests.exe+0x362e7>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162

9 testing::TestInfo::Run (0x01096aed <app_suite_tests.exe+0x36aed>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338

10 testing::TestCase::Run (0x01096f6f <app_suite_tests.exe+0x36f6f>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445

11 testing::internal::UnitTestImpl::RunAllTests (0x0109b531 <app_suite_tests.exe+0x3b531>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237

Note: @0:00:12.835 in thread 88
Note: instruction: cmp %ecx 0x08(%eax)

Error #3: UNINITIALIZED READ: reading register si

0 USER32.dll!PtiWindow (0x760c8cef <USER32.dll+0x8cef>)

??:0

1 USER32.dll!GetWindowThreadProcessId (0x760c8deb <USER32.dll+0x8deb>)

??:0

2 enum_windows (0x0107aa13 <app_suite_tests.exe+0x1aa13>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248

3 USER32.dll!EnumWindowsWorker (0x760cc8f2 <USER32.dll+0xc8f2>)

??:0

4 USER32.dll!EnumWindows (0x760d79aa <USER32.dll+0x179aa>)

??:0

5 NtUserTests_Msgbox_Test::TestBody (0x0107aba2 <app_suite_tests.exe+0x1aba2>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284

6 testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test,void> (0x010aa830 <app_suite_tests.exe+0x4a830>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075

7 testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,void> (0x010aa1eb <app_suite_tests.exe+0x4a1eb>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126

8 testing::Test::Run (0x010962e7 <app_suite_tests.exe+0x362e7>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162

9 testing::TestInfo::Run (0x01096aed <app_suite_tests.exe+0x36aed>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338

10 testing::TestCase::Run (0x01096f6f <app_suite_tests.exe+0x36f6f>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445

11 testing::internal::UnitTestImpl::RunAllTests (0x0109b531 <app_suite_tests.exe+0x3b531>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237

Note: @0:00:12.835 in thread 88
Note: instruction: data16 cmp %si 0x12(%ecx)

Error #4: UNINITIALIZED READ: reading 0x00b5f458-0x00b5f45c 4 byte(s) within 0x00b5f458-0x00b5f45c

0 system call NtUserQueryWindow parameter value #0

<system call>

1 USER32.dll!GetWindowThreadProcessId (0x760ca27b <USER32.dll+0xa27b>)

??:0

2 enum_windows (0x0107aa13 <app_suite_tests.exe+0x1aa13>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248

3 USER32.dll!EnumWindowsWorker (0x760cc8f2 <USER32.dll+0xc8f2>)

??:0

4 USER32.dll!EnumWindows (0x760d79aa <USER32.dll+0x179aa>)

??:0

5 NtUserTests_Msgbox_Test::TestBody (0x0107aba2 <app_suite_tests.exe+0x1aba2>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284

6 testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test,void> (0x010aa830 <app_suite_tests.exe+0x4a830>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075

7 testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,void> (0x010aa1eb <app_suite_tests.exe+0x4a1eb>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126

8 testing::Test::Run (0x010962e7 <app_suite_tests.exe+0x362e7>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162

9 testing::TestInfo::Run (0x01096aed <app_suite_tests.exe+0x36aed>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338

10 testing::TestCase::Run (0x01096f6f <app_suite_tests.exe+0x36f6f>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445

11 testing::internal::UnitTestImpl::RunAllTests (0x0109b531 <app_suite_tests.exe+0x3b531>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237

Note: @0:00:12.850 in thread 88

Error #5: UNINITIALIZED READ: reading 0x00b5f458-0x00b5f45c 4 byte(s) within 0x00b5f458-0x00b5f45c

0 system call NtUserQueryWindow parameter value #0

<system call>

1 USER32.dll!GetWindowThreadProcessId (0x760c8e64 <USER32.dll+0x8e64>)

??:0

2 enum_windows (0x0107aa13 <app_suite_tests.exe+0x1aa13>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:248

3 USER32.dll!EnumWindowsWorker (0x760cc8f2 <USER32.dll+0xc8f2>)

??:0

4 USER32.dll!EnumWindows (0x760d79aa <USER32.dll+0x179aa>)

??:0

5 NtUserTests_Msgbox_Test::TestBody (0x0107aba2 <app_suite_tests.exe+0x1aba2>)

c:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:284

6 testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test,void> (0x010aa830 <app_suite_tests.exe+0x4a830>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2075

7 testing::internal::Handle...

derekbruening commented 9 years ago

From bruen...@google.com on May 13, 2013 10:09:48

...ExceptionsInMethodIfSupported<testing::Test,void> (0x010aa1eb <app_suite_tests.exe+0x4a1eb>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2126

8 testing::Test::Run (0x010962e7 <app_suite_tests.exe+0x362e7>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2162

9 testing::TestInfo::Run (0x01096aed <app_suite_tests.exe+0x36aed>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2338

10 testing::TestCase::Run (0x01096f6f <app_suite_tests.exe+0x36f6f>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:2445

11 testing::internal::UnitTestImpl::RunAllTests (0x0109b531 <app_suite_tests.exe+0x3b531>)

c:\derek\drmemory\git\src\third_party\googletest\src\gtest.cc:4237

Note: @0:00:12.850 in thread 88

USER32!BuildHwndList+0x39:
760cc7e0 c70640000000    mov     dword ptr [esi],0x40
760cc7e6 895e04          mov     [esi+0x4],ebx
760cc7e9 57              push    edi
760cc7ea 8d7e04          lea     edi,[esi+0x4]
760cc7ed 57              push    edi
760cc7ee 8d4608          lea     eax,[esi+0x8]
760cc7f1 50              push    eax
760cc7f2 ff36            push    dword ptr [esi]
760cc7f4 ff7518          push    dword ptr [ebp+0x18]
760cc7f7 ff7514          push    dword ptr [ebp+0x14]
760cc7fa ff7510          push    dword ptr [ebp+0x10]
760cc7fd ff750c          push    dword ptr [ebp+0xc]
760cc800 ff7508          push    dword ptr [ebp+0x8]
760cc803 e83d000000      call    USER32!NtUserBuildHwndList (760cc845)

NTSTATUS NTAPI NtUserBuildHwndList(
    HDESK hDesktop,
    HWND hwndParent,
    BOOLEAN bChildren,
    ULONG dwThreadId,
    ULONG lParam,
    HWND* pWnd,
    ULONG* pBufSize);

app xsp=0x01b0fb84
arg 0 = 0x0
arg 1 = 0x0
arg 2 = 0x0
arg 3 = 0x1
arg 4 = 0x0
arg 5 = 0x40
arg 6 = 0x38d9108
arg 7 = 0x38d9104
arg 8 = 0x0
processing pre system call #0x101d.0x0 NtUserBuildHwndList
pre considering arg 2 1 80
pre considering arg 6 -7 62
pre storing size 0x0 for arg 6
pre considering arg 7 4 3
pre storing size 0x4 for arg 7
memarg iter pre param 7
parameter #7 0x38d9104-0x38d9108 rw
memref: read @0x0000101d 0x038d9104 0x4 bytes (pre-dword 0x00 0xff)

replace_RtlFreeHeap heap=0x00ad0000 flags=0x0 ptr=0x038d9100
check_type_match: alloc flags=0x804 vs free=0x804
free 0x038d9100-0x038d9208

but the new param in the middle is clearly not a pointer param.

native run shows that the 5th param seems to hold a size:

0:000> bp NtUserBuildHwndList
0:000> g
Breakpoint 0 hit
0:000> dds esp
01b0fae0  760cc808 USER32!BuildHwndList+0x61
01b0fae4  00000000
01b0fae8  00000000
01b0faec  00000000
01b0faf0  00000001
01b0faf4  00000000
01b0faf8  00000040
01b0fafc  009f91f8 +0x9991f6
01b0fb00  009f91f4 +0x9991f2
01b0fb04  00000000
01b0fb08  00000000
0:000> dd 009f91f0 009f9300
009f91f0  00000040 00000000 baadf00d baadf00d
009f9200  baadf00d baadf00d baadf00d baadf00d
009f9210  baadf00d baadf00d baadf00d baadf00d
009f9220  baadf00d baadf00d baadf00d baadf00d
009f9230  baadf00d baadf00d baadf00d baadf00d
009f9240  baadf00d baadf00d baadf00d baadf00d
009f9250  baadf00d baadf00d baadf00d baadf00d
009f9260  baadf00d baadf00d baadf00d baadf00d
009f9270  baadf00d baadf00d baadf00d baadf00d
009f9280  baadf00d baadf00d baadf00d baadf00d
009f9290  baadf00d baadf00d baadf00d baadf00d
009f92a0  baadf00d baadf00d baadf00d baadf00d
009f92b0  baadf00d baadf00d baadf00d baadf00d
009f92c0  baadf00d baadf00d baadf00d baadf00d
009f92d0  baadf00d baadf00d baadf00d baadf00d
009f92e0  baadf00d baadf00d baadf00d baadf00d
009f92f0  baadf00d baadf00d abababab abababab
009f9300  00000000

post-syscall:

0:000> dd 009f91f0 009f9300
009f91f0  00000040 00000078 baadf00d baadf00d
009f9200  baadf00d baadf00d baadf00d baadf00d
009f9210  baadf00d baadf00d baadf00d baadf00d
009f9220  baadf00d baadf00d baadf00d baadf00d
009f9230  baadf00d baadf00d baadf00d baadf00d
009f9240  baadf00d baadf00d baadf00d baadf00d
009f9250  baadf00d baadf00d baadf00d baadf00d
009f9260  baadf00d baadf00d baadf00d baadf00d
009f9270  baadf00d baadf00d baadf00d baadf00d
009f9280  baadf00d baadf00d baadf00d baadf00d
009f9290  baadf00d baadf00d baadf00d baadf00d
009f92a0  baadf00d baadf00d baadf00d baadf00d
009f92b0  baadf00d baadf00d baadf00d baadf00d
009f92c0  baadf00d baadf00d baadf00d baadf00d
009f92d0  baadf00d baadf00d baadf00d baadf00d
009f92e0  baadf00d baadf00d baadf00d baadf00d
009f92f0  baadf00d baadf00d abababab abababab
009f9300  00000000
0:000> g
Breakpoint 0 hit
0:000> dds esp
01b0fae0  760d7988 USER32!BuildHwndList+0xca
01b0fae4  00000000
01b0fae8  00000000
01b0faec  00000000
01b0faf0  00000001
01b0faf4  00000000
01b0faf8  00000078
01b0fafc  009f91f8 +0x9991f6
01b0fb00  009f91f4 +0x9991f2
01b0fb04  00000000
01b0fb08  00000000
0:000> dd 009f91f0 009f9300
009f91f0  00000078 00000000 baadf00d baadf00d
009f9200  baadf00d baadf00d baadf00d baadf00d
009f9210  baadf00d baadf00d baadf00d baadf00d
009f9220  baadf00d baadf00d baadf00d baadf00d
009f9230  baadf00d baadf00d baadf00d baadf00d
009f9240  baadf00d baadf00d baadf00d baadf00d
009f9250  baadf00d baadf00d baadf00d baadf00d
009f9260  baadf00d baadf00d baadf00d baadf00d
009f9270  baadf00d baadf00d baadf00d baadf00d
009f9280  baadf00d baadf00d baadf00d baadf00d
009f9290  baadf00d baadf00d baadf00d baadf00d
009f92a0  baadf00d baadf00d baadf00d baadf00d
009f92b0  baadf00d baadf00d baadf00d baadf00d
009f92c0  baadf00d baadf00d baadf00d baadf00d
009f92d0  baadf00d baadf00d baadf00d baadf00d
009f92e0  baadf00d baadf00d baadf00d baadf00d
009f92f0  baadf00d baadf00d baadf00d baadf00d
009f9300  baadf00d

post-syscall:

0:000> dd 009f91f0 009f9300
009f91f0  00000078 00000078 0007007a 0003005c
009f9200  00030222 0003003a 000100ea 000100e8
009f9210  000100d6 000100d2 0001010e 0001010c
009f9220  00010102 000100f0 000100ec 000200b2
009f9230  00020024 00020056 00010116 00010104
009f9240  0002028a 0002023a 000101ee 02da022a
009f9250  002802ae 0004006e 0002021a 00090290
009f9260  0003020e 000301ec 00030208 00020220
009f9270  00030206 000301e4 00070040 0002014c
009f9280  000101cc 00030174 00040016 000101ca
009f9290  00020060 0002002e 00030036 00040194
009f92a0  00010122 00040038 00020050 0003003c
009f92b0  00040044 000101c0 000101a4 0001019e
009f92c0  00020196 0001018a 0001014e 00010158
009f92d0  0001015a 0001015c 00010178 00010186
009f92e0  00010142 00050048 0001019c 00010128
009f92f0  00010120 0001011c 000100fa 000100f8
009f9300  000100f4

derekbruening commented 9 years ago

From bruen...@google.com on October 29, 2013 15:34:27

*** TODO on win8.1, both calc and app_suite_tests have uninit false pos in tiptsf.dll

Error #1: UNINITIALIZED READ: reading register eax

0 tiptsf.dll!CARET::_ProcessCaretEvents (0x753d1955 <tiptsf.dll+0x1955>) modid:30

1 tiptsf.dll!CARET::ProcessCaretEvents (0x753d1ba5 <tiptsf.dll+0x1ba5>) modid:30

2 USER32.dll!__ClientCallWinEventProc (0x75d5b402 <USER32.dll+0xb402>) modid:17

3 NtUserTests_WindowMessages_Test::TestBody [d:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:311] (0x010b4856 <app_suite_tests.exe+0x34856>) modid:1

Note: @0:00:03.109 in thread 1992
Note: instruction: cmp %eax $0x00000001
error end

w/o syms for tiptsf.dll it matches the calc ones above:

Error #2: UNINITIALIZED READ: reading register eax

0 tiptsf.dll!DllCanUnloadNow +0xcb (0x753d1955 <tiptsf.dll+0x1955>)

1 tiptsf.dll!ProcessCaretEvents +0x70 (0x753d1ba5 <tiptsf.dll+0x1ba5>)

2 USER32.dll!__ClientCallWinEventProc

3 NtUserTests_WindowMessages_Test::TestBody [d:\derek\drmemory\git\src\tests\app_suite\ntuser_tests_win.cpp:311]

The test is doing: DestroyWindow(hwnd);

likely culprit:

system call #4977==4977.0 NtUserGetWindowBand

0 tiptsf.dll!CARET::_ProcessCaretEvents+0x9c (0x753d194d <tiptsf.dll+0x194d>) modid:0

I don't know why the unknown syscall handling doesn't detect the single-dword change here:

iterating over args for syscall #0x1371.0x0 NtUserGetWindowBand
processing pre system call #0x1371.0x0 NtUserGetWindowBand
pre considering arg 0 0 0
processing pre system call #0x1371.0x0 NtUserGetWindowBand
pre considering arg 0 0 0
unknown system call #0x1371.0x0 NtUserGetWindowBand
pre-unknown-syscall #0x1371.0x0: param 0 == 0x004902bc
pre-unknown-syscall #0x1371.0x0: param 1 == 0x012bf30c
pre-unknown-syscall #0x1371: param 0 == 0x00000001 19657484 bytes
pre-unknown-syscall #0x1371.0x0: param 2 == 0x1a99ba10
pre-unknown-syscall #0x1371.0x0: param 3 == 0x00000000
pre-unknown-syscall #0x1371.0x0: param 4 == 0x004902bc
pre-unknown-syscall #0x1371.0x0: param 5 == 0x00008001
pre-unknown-syscall #0x1371.0x0: param 6 == 0x004902bc
pre-unknown-syscall #0x1371.0x0: param 9 == 0x00000000
pre-unknown-syscall #0x1371.0x0: param 11 == 0x00000000
processing post system call #0x1371.0x0 NtUserGetWindowBand res=0x1
post considering arg 0 0 0 0x004902bc

From disasm: looks like the OUT param is a single value, which is compared to 1, 2, and 0x10: we'll assume dword type. Return value is compared to 0 only: BOOL?

Live call showing return value of 0x1 and writing to DWORD:

0:000> dds esp L4
001ad650  753d194d tiptsf!CARET::_ProcessCaretEvents+0x9c
001ad654  0012031e
001ad658  001ad684
001ad65c  f3545991
0:000> dd 001ad684
001ad684  00340000 004b0490 000001fc 004b0000
001ad694  004b0000 00000000 004b0000 001ad6d0
001ad6a4  77b649ed 50000163 004b0000 00000000
001ad6b4  00310030 001ad764 004bc478 004b0000
001ad6c4  00000000 001ad71c 77b63464 004b0248
0:000> p
eax=00001371 ebx=75d59adf ecx=001ad684 edx=00000000 esi=0012031e edi=ffff0000
eip=75d5b2f1 esp=001ad650 ebp=001adb48 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
USER32!NtUserGetWindowBand+0x5:
75d5b2f1 64ff15c0000000  call    dword ptr fs:[0C0h]     fs:0053:000000c0=779b11d8
0:000> p
eax=00000001 ebx=75d59adf ecx=94a00000 edx=00000000 esi=0012031e edi=ffff0000
eip=75d5b2f8 esp=001ad650 ebp=001adb48 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
USER32!NtUserGetWindowBand+0xc:
75d5b2f8 c20800          ret     8
0:000> dds esp L4
001ad650  753d194d tiptsf!CARET::_ProcessCaretEvents+0x9c
001ad654  0012031e
001ad658  001ad684
001ad65c  f3545991
0:000> dd 001ad684
001ad684  00000001 004b0490 000001fc 004b0000
001ad694  004b0000 00000000 004b0000 001ad6d0
001ad6a4  77b649ed 50000163 004b0000 00000000
001ad6b4  00310030 001ad764 004bc478 004b0000
001ad6c4  00000000 001ad71c 77b63464 004b0248

so I propose:

BOOL NtUserGetWindowBand(in HANDLE hwnd, out DWORD *value);
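Both this comment and the NtUserBuildHwndList comment before it settle a parameter's direction the same way: dump the memory each pointer-looking argument refers to before and after the syscall and see what changed (pBufSize going 0 to 0x78; the GetWindowBand DWORD going from a stale stack value to 1). The script below is an added example for this thread, not drmemory's own unknown-syscall handling: it models that pre/post comparison in Python over constructed snapshots whose values are lifted from the windbg dumps above, compares pointer-sized words after each argument that lands inside a snapshotted region (so a single-DWORD write is reported as such), and lists which arguments were written. The 16-byte compare window, the snapshot layout and the argument lists are assumptions of the example.

```python
"""Infer OUT parameters of an unknown syscall by comparing memory before and
after the call.  Added example for this thread, not drmemory's own
unknown-syscall code; the snapshots below are constructed from the windbg
dumps in the thread, and the 16-byte compare window is an assumption."""

import struct

POINTER_SIZE = 4   # the thread's tables are the 32-bit (wow64) ones
WINDOW = 16        # bytes examined after each pointer-looking argument (assumption)


def locate(addr, memory):
    """Return (base, offset) if addr lies inside a snapshotted region, else None.
    Small integers, handles and NULL fall outside every region and are skipped."""
    for base, data in memory.items():
        if base <= addr < base + len(data):
            return base, addr - base
    return None


def changed_ranges(pre, post, addr, unit=POINTER_SIZE):
    """Compare pre/post bytes word by word (so one written DWORD shows up as a
    4-byte run) and collapse consecutive changed words into (address, length)."""
    runs = []
    start = None
    n = min(len(pre), len(post)) // unit * unit
    for i in range(0, n, unit):
        if pre[i:i + unit] != post[i:i + unit]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((addr + start, i - start))
            start = None
    if start is not None:
        runs.append((addr + start, n - start))
    return runs


def infer_out_params(args, mem_pre, mem_post, window=WINDOW):
    """For every argument that points into snapshotted memory, return the
    ranges the syscall wrote: {arg_index: [(address, length), ...]}.  An empty
    list means the pointer was valid but untouched (an IN buffer, or an OUT
    buffer the call did not fill, as with pWnd on the too-small first call)."""
    result = {}
    for idx, value in enumerate(args):
        hit = locate(value, mem_pre)
        if hit is None:
            continue
        base, off = hit
        pre = mem_pre[base][off:off + window]
        post = mem_post[base][off:off + window]
        result[idx] = changed_ranges(pre, post, value)
    return result


# Case 1 (constructed from the NtUserBuildHwndList dump): the caller passes
# pWnd=0x9f91f8 and pBufSize=0x9f91f4; only *pBufSize changes, 0 -> 0x78.
BUILD_ARGS = [0x0, 0x0, 0x0, 0x1, 0x0, 0x40, 0x9f91f8, 0x9f91f4, 0x0, 0x0]
BUILD_PRE = {0x9f91f0: struct.pack("<IIII", 0x40, 0x0, 0xbaadf00d, 0xbaadf00d)}
BUILD_POST = {0x9f91f0: struct.pack("<IIII", 0x40, 0x78, 0xbaadf00d, 0xbaadf00d)}

# Case 2 (constructed from the NtUserGetWindowBand dump): param 1 points at a
# DWORD that goes from the stale stack value 0x00340000 to 1.
BAND_ARGS = [0x12031e, 0x1ad684]
BAND_PRE = {0x1ad684: struct.pack("<IIII", 0x00340000, 0x004b0490, 0x000001fc, 0x004b0000)}
BAND_POST = {0x1ad684: struct.pack("<IIII", 0x00000001, 0x004b0490, 0x000001fc, 0x004b0000)}


def report(args, mem_pre, mem_post):
    """Human-readable verdict per pointer argument."""
    lines = []
    for idx, runs in sorted(infer_out_params(args, mem_pre, mem_post).items()):
        if runs:
            desc = ", ".join(f"{length}-byte write at {addr:#x}" for addr, length in runs)
            lines.append(f"arg {idx}: OUT ({desc})")
        else:
            lines.append(f"arg {idx}: pointer, not written")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BUILD_ARGS, BUILD_PRE, BUILD_POST)))
    print("\n".join(report(BAND_ARGS, BAND_PRE, BAND_POST)))
```

On the first case the script flags arg 7 as a 4-byte OUT write and arg 6 as an untouched pointer, matching the "extra arg is the in size" conclusion; on the second it flags arg 1 as a single-DWORD OUT, the shape the proposed `BOOL NtUserGetWindowBand(in HANDLE hwnd, out DWORD *value)` prototype gives it. Comparing whole words rather than bytes is what keeps a 0x00 to 0x78 change from being reported as a one-byte write.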

derekbruening commented 9 years ago

From bruen...@google.com on June 13, 2014 10:28:10

NtUnmapViewOfSectionEx notes: https://code.google.com/p/dynamorio/issues/detail?id=899#c1