Open derekbruening opened 9 years ago
From bruen...@google.com on September 19, 2012 07:47:16
NtUnmapViewOfSectionEx is called on any unmap:
0:001> kn =0x320f034 0x320f020 0x770a27a8
00 0320f01c 76baeacb ntdll!NtUnmapViewOfSectionEx+0xc
01 0320f034 76baeaae KERNELBASE!UnmapViewOfFileEx+0x14
02 0320f044 74596d94 KERNELBASE!UnmapViewOfFile+0xf
03 0320f050 74596fed uxtheme!CSection::~CSection+0x1c
0:001> Uf KERNELBASE!UnmapViewOfFile
KERNELBASE!UnmapViewOfFile:
76baea9f 8bff            mov     edi,edi
76baeaa1 55              push    ebp
76baeaa2 8bec            mov     ebp,esp
76baeaa4 6a00            push    0
76baeaa6 ff7508          push    dword ptr [ebp+8]
76baeaa9 e809000000      call    KERNELBASE!UnmapViewOfFileEx (76baeab7)
76baeaae 5d              pop     ebp
76baeaaf c20400          ret     4
BOOL WINAPI UnmapViewOfFile( _In_ LPCVOID lpBaseAddress );
ZwUnmapViewOfSection( IN HANDLE ProcessHandle, IN PVOID BaseAddress );
So whatever the new 3rd arg is, the default is 0. I have yet to see it called directly, and there are no docs on KERNELBASE!UnmapViewOfFileEx, which passes its extra arg straight through.
From bruen...@google.com on October 12, 2012 07:30:24
NtWow64AllocateVirtualMemory64 calls NtAllocateVirtualMemory w/ some caveats:
/* XXX issue #899: for NtWow64AllocateVirtualMemory64, the base and
* size may be 64-bit values? But, when allocating in wow64
* child, the address should be in low 2GB, as only ntdll64 is up
* high.
*/
/* XXX issue #899: NtWow64AllocateVirtualMemory64 has an extra arg after ZeroBits but
* it's ignored in wow64!whNtWow64AllocateVirtualMemory64. We should keep an eye
* out: maybe a future service pack or win9 will use it.
*/
From bruen...@google.com on October 12, 2012 07:32:49
that extra arg may be a separate pointer to the high bits of the base addr
* TODO NtSetInformationVirtualMemory
shows up on win10 notepad Save dialog box
** TODO use for prefetch
# ChildEBP RetAddr
00 04d0ddc0 70612fb9 KERNELBASE!PrefetchVirtualMemory
01 04d0ddf4 7061305b DUI70!DirectUI::DUIXmlParser::_SetXMLFromResource+0x99
02 04d0de10 7060a9f8 DUI70!DirectUI::DUIXmlParser::SetXMLFromResource+0x1b
03 04d0de28 7085fc6e DUI70!DirectUI::DUIXmlParser::SetXMLFromResource+0x18
04 04d0de50 7085fbcd explorerframe!_DUI_CreateParserFromResourceNoCallback+0x43
05 04d0de6c 7085f787 explorerframe!CSearchBoxDUIHost::_CreateFromResource+0x2f
0:000> dds @@(mc->esp)
0051db2c 74f8d60c KERNELBASE!PrefetchVirtualMemory+0x1c
0051db30 ffffffff
0051db34 00000000
0051db38 00000001
0051db3c 0051db70
0051db40 0051db5c
0051db44 00000004
0051db48 0051db7c
0051db4c 70612fb9 DUI70!DirectUI::DUIXmlParser::_SetXMLFromResource+0x99
0051db50 ffffffff
0051db54 00000001
0051db58 0051db70
0051db5c 00000000
0051db60 0051dbf0
0051db64 00000000
0051db68 00005002
0051db6c 7095e810 explorerframe!wer_NULL_THUNK_DATA_DLA <PERF> (explorerframe+0x18e810)
0051db70 70bca460 explorerframe!wer_NULL_THUNK_DATA_DLA <PERF> (explorerframe+0x3fa460)
0051db74 000011ac
BOOL WINAPI PrefetchVirtualMemory(
_In_ HANDLE hProcess,
_In_ ULONG_PTR NumberOfEntries,
_In_ PWIN32_MEMORY_RANGE_ENTRY VirtualAddresses,
_In_ ULONG Flags
);
typedef struct _WIN32_MEMORY_RANGE_ENTRY {
PVOID VirtualAddress;
SIZE_T NumberOfBytes;
} WIN32_MEMORY_RANGE_ENTRY, *PWIN32_MEMORY_RANGE_ENTRY;
0:000> Uf KERNELBASE!PrefetchVirtualMemory
KERNELBASE!PrefetchVirtualMemory:
74f8d5f0 8bff mov edi,edi
74f8d5f2 55 push ebp
74f8d5f3 8bec mov ebp,esp
74f8d5f5 6a04 push 4
74f8d5f7 8d4514 lea eax,[ebp+14h]
74f8d5fa 50 push eax
74f8d5fb ff7510 push dword ptr [ebp+10h]
74f8d5fe ff750c push dword ptr [ebp+0Ch]
74f8d601 6a00 push 0
74f8d603 ff7508 push dword ptr [ebp+8]
74f8d606 ff15c8460375 call dword ptr [KERNELBASE!_imp__NtSetInformationVirtualMemory (750346c8)]
74f8d60c 85c0 test eax,eax
74f8d60e 790d jns KERNELBASE!PrefetchVirtualMemory+0x2d (74f8d61d)
6 args to syscall look like:
NTSTATUS NtSetInformationVirtualMemory(
    _In_ HANDLE hProcess,
    _In_ SETMEMORYINFORMATIONCLASS class,   /* 0 == prefetch */
    _In_ ULONG_PTR NumberOfEntries,
    _In_ PWIN32_MEMORY_RANGE_ENTRY VirtualAddresses,
    _Inout_ PULONG ?   /* just reusing flags param slot, or these are flags? */
    hardcoded 4   /* sizeof the out val? but it gets STATUS_INVALID_PARAMETER_6 */
);
I see 11 calls in this notepad save dialog sequence and they all fail w/ c00000f4 (w/ no write to 5th param). That's STATUS_INVALID_PARAMETER_6 (are these bugs?).
** TODO use for CFG
WINAPI SetProcessValidCallTargets(
_In_ HANDLE hProcess,
_In_ PVOID VirtualAddress,
_In_ SIZE_T RegionSize,
_In_ ULONG NumberOfOffsets,
_Inout_ PCFG_CALL_TARGET_INFO OffsetInformation
);
KERNELBASE!SetProcessValidCallTargets:
74f9f150 8bff mov edi,edi
74f9f152 55 push ebp
74f9f153 8bec mov ebp,esp
74f9f155 83ec1c sub esp,1Ch
74f9f158 8b450c mov eax,dword ptr [ebp+0Ch]
74f9f15b 8365e800 and dword ptr [ebp-18h],0
74f9f15f 8365fc00 and dword ptr [ebp-4],0
74f9f163 53 push ebx
74f9f164 8b5d14 mov ebx,dword ptr [ebp+14h]
74f9f167 56 push esi
74f9f168 8945f4 mov dword ptr [ebp-0Ch],eax
74f9f16b 8b4510 mov eax,dword ptr [ebp+10h]
74f9f16e 57 push edi
74f9f16f 8b7d18 mov edi,dword ptr [ebp+18h]
74f9f172 8945f8 mov dword ptr [ebp-8],eax
74f9f175 8d45fc lea eax,[ebp-4]
74f9f178 6a10 push 10h
74f9f17a 8945ec mov dword ptr [ebp-14h],eax
74f9f17d 8d45e4 lea eax,[ebp-1Ch]
74f9f180 50 push eax
74f9f181 8d45f4 lea eax,[ebp-0Ch]
74f9f184 895de4 mov dword ptr [ebp-1Ch],ebx
74f9f187 50 push eax
74f9f188 6a01 push 1
74f9f18a 6a02 push 2
74f9f18c ff7508 push dword ptr [ebp+8]
74f9f18f 897df0 mov dword ptr [ebp-10h],edi
74f9f192 ff15c8460375 call dword ptr [KERNELBASE!_imp__NtSetInformationVirtualMemory (750346c8)]
so infoclass 2
Probably we can ignore this syscall: prefetch and CFG shouldn't overlap w/ DR's concerns.
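As an added example (not code from this issue or from DynamoRIO), the program below decodes the `dds @@(mc->esp)` dump quoted above under the 6-argument shape inferred for NtSetInformationVirtualMemory: it reads stdcall argument i from [esp + 4*i] (with [esp] holding the return address into KERNELBASE!PrefetchVirtualMemory+0x1c), follows arg 4 to the first WIN32_MEMORY_RANGE_ENTRY, follows arg 5 as a pointer to a 4-byte buffer (the reading the hardcoded size of 4 suggests), and maps the 0xc00000f4 status back to its STATUS_INVALID_PARAMETER_n index. The stack values are copied from the dump; the snapshot table, the helper names, the decoded struct and the `ebp_disp_to_arg` mapping for the wrapper's `[ebp+disp]` operands are my own, and the status decoder assumes the consecutive numbering of STATUS_INVALID_PARAMETER_1 (0xC00000EF) through STATUS_INVALID_PARAMETER_12 (0xC00000FA).

```c
#include <stdint.h>
#include <stdio.h>

/* One dword of the 32-bit stack as WinDbg "dds" prints it: address, value. */
typedef struct { uint32_t addr, val; } stack_dword_t;

/* Constructed snapshot: the "dds @@(mc->esp)" dump quoted in the issue, symbols dropped.
 * esp = 0x0051db2c at the syscall: [esp] is the return address into
 * KERNELBASE!PrefetchVirtualMemory+0x1c and the stdcall arguments follow it. */
static const stack_dword_t snapshot[] = {
    {0x0051db2c, 0x74f8d60c}, {0x0051db30, 0xffffffff}, {0x0051db34, 0x00000000},
    {0x0051db38, 0x00000001}, {0x0051db3c, 0x0051db70}, {0x0051db40, 0x0051db5c},
    {0x0051db44, 0x00000004}, {0x0051db48, 0x0051db7c}, {0x0051db4c, 0x70612fb9},
    {0x0051db50, 0xffffffff}, {0x0051db54, 0x00000001}, {0x0051db58, 0x0051db70},
    {0x0051db5c, 0x00000000}, {0x0051db60, 0x0051dbf0}, {0x0051db64, 0x00000000},
    {0x0051db68, 0x00005002}, {0x0051db6c, 0x7095e810}, {0x0051db70, 0x70bca460},
    {0x0051db74, 0x000011ac},
};
#define SNAPSHOT_LEN (sizeof snapshot / sizeof snapshot[0])
static const uint32_t SNAPSHOT_ESP = 0x0051db2c;

/* Read one dword from the snapshot; returns 0 if addr is outside the dump. */
static int read_dword(uint32_t addr, uint32_t *out)
{
    for (size_t i = 0; i < SNAPSHOT_LEN; i++) {
        if (snapshot[i].addr == addr) { *out = snapshot[i].val; return 1; }
    }
    return 0;
}

/* Map an [ebp+disp] operand in a KERNELBASE stub (after push ebp; mov ebp,esp) to its
 * 1-based stdcall argument: [ebp+8] is arg 1, [ebp+0Ch] arg 2, [ebp+14h] arg 4.
 * Returns 0 for displacements that are not argument slots. */
static int ebp_disp_to_arg(int disp)
{
    if (disp < 8 || (disp - 8) % 4 != 0) return 0;
    return (disp - 8) / 4 + 1;
}

/* A decoded NtSetInformationVirtualMemory call in the 6-argument shape the issue infers
 * (hypothetical layout); pointee fields are resolved through the same stack snapshot. */
typedef struct {
    uint32_t process, info_class, num_entries, ranges_ptr, info_ptr, info_size; /* args 1..6 */
    uint32_t range_va, range_bytes; /* VirtualAddresses[0]: {PVOID, SIZE_T} = 8 bytes on x86 */
    uint32_t info_val;              /* first dword behind arg 5 (the wrapper's &Flags) */
} set_info_vm_call_t;

/* Decode the call whose return address sits at [esp]: stdcall arg i is at [esp + 4*i].
 * Returns 1 on success, 0 if a slot or a pointee is missing from the snapshot. */
static int decode_set_information_vm(uint32_t esp, set_info_vm_call_t *c)
{
    uint32_t *slots[6] = { &c->process, &c->info_class, &c->num_entries,
                           &c->ranges_ptr, &c->info_ptr, &c->info_size };
    for (uint32_t i = 0; i < 6; i++)
        if (!read_dword(esp + 4 * (i + 1), slots[i])) return 0;
    if (c->num_entries == 0 || !read_dword(c->ranges_ptr, &c->range_va) ||
        !read_dword(c->ranges_ptr + 4, &c->range_bytes))
        return 0;
    if (c->info_size < 4 || !read_dword(c->info_ptr, &c->info_val)) return 0;
    return 1;
}

/* Decode the embedded snapshot; NULL if it is incomplete. */
static const set_info_vm_call_t *decode_snapshot(void)
{
    static set_info_vm_call_t c;
    return decode_set_information_vm(SNAPSHOT_ESP, &c) ? &c : NULL;
}

/* STATUS_INVALID_PARAMETER_1 is 0xC00000EF and _2.._12 follow consecutively up to
 * 0xC00000FA; returns the parameter number, or 0 for any other status. */
static int invalid_parameter_index(uint32_t status)
{
    if (status < 0xC00000EFu || status > 0xC00000FAu) return 0;
    return (int)(status - 0xC00000EFu) + 1;
}

int main(void)
{
    const set_info_vm_call_t *c = decode_snapshot();
    if (c == NULL) { puts("snapshot incomplete"); return 1; }
    printf("NtSetInformationVirtualMemory(hProcess=%#x, class=%u, n=%u, ranges=%#x, info=%#x, size=%u)\n",
           (unsigned)c->process, (unsigned)c->info_class, (unsigned)c->num_entries,
           (unsigned)c->ranges_ptr, (unsigned)c->info_ptr, (unsigned)c->info_size);
    printf("  ranges[0] = {VirtualAddress=%#x, NumberOfBytes=%#x}, *info = %#x\n",
           (unsigned)c->range_va, (unsigned)c->range_bytes, (unsigned)c->info_val);
    printf("  lea eax,[ebp+14h] in the wrapper is &arg%d of PrefetchVirtualMemory\n",
           ebp_disp_to_arg(0x14));
    printf("  0xc00000f4 = STATUS_INVALID_PARAMETER_%d\n", invalid_parameter_index(0xC00000F4u));
    return 0;
}
```

The decode recovers the single range entry at 0x0051db70 as {VirtualAddress=0x70bca460, NumberOfBytes=0x11ac} (the explorerframe+0x3fa460 resource the dump annotates) and a zero dword behind arg 5; nothing in the snapshot changes if the decode is run before or after the call, which is consistent with the "no write to 5th param" observation above. To reuse it on another DR-captured stack, replace the snapshot table and SNAPSHOT_ESP with the new dump.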
From bruen...@google.com on September 17, 2012 15:04:57
split from issue #565
# grep pdb ntdll.dll/6.2.9200.16384-wow64/syscalls | grep -v Zw | awk '{print $NF}' | sort > w8
# grep pdb ntdll.dll/6.1.7601.17514-wow64/syscalls | grep -v Zw | awk '{print $NF}' | sort > w7
# diff w7 w8 | grep '^>'
for core DR these are the ones to look at: NtUnmapViewOfSectionEx NtSetInformationVirtualMemory NtWow64AllocateVirtualMemory64
Original issue: http://code.google.com/p/dynamorio/issues/detail?id=899