google / UIforETW

User interface for recording and managing ETW traces
https://randomascii.wordpress.com/2015/04/14/uiforetw-windows-performance-made-easier/
Apache License 2.0

"Security check failure or stack buffer overrun" #70

Closed ariccio closed 8 years ago

ariccio commented 8 years ago

I got a real nasty INVALID_ARG_FAILURE_EXPLOITABLE at ETWProviders64!ETWKeyDown+0x131b. I'll update later tonight with more info.

ariccio commented 8 years ago

The crash occurs on clicking "Save trace",

with the following extra kernel flags: PROC_THREAD+LOADER+PERF_COUNTER+DISK_IO+HARD_FAULTS+FILENAME+SPLIT_IO+DRIVERS+MEMINFO_WS+VAMAP+FOOTPRINT+MEMORY+REFSET+TIMER

...and the following extra kernel stackwalks: ProcessCreate+ProcessDelete+PagefaultDemandZero+PagefaultGuard+PagefaultHard+VirtualAlloc+VirtualFree+PagefileMappedSectionCreate+DiskReadInit+DiskWriteInit+DiskFlushInit+FileCreate+FileCleanup+FileClose+FileRead+FileWrite+FileSetInformation+FileDelete+FileRename+FileDirEnum+FileFlush+FileQueryInformation+FileDirNotify+FileOpEnd+MapFile+UnMapFile+PowerPreSleep+PowerPostSleep+PowerPerfStateChange+PowerThermalConstraint+HeapAlloc+HeapRealloc+HeapFree.

[Screenshot: uiforetw_bufferoverrun_stop_settings]

Here's the WinDbg log of the crash:

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\SymCache*http://msdl.microsoft.com/download/symbols
Deferred                                       SRV*c:\code\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.com
Deferred                                       SRV*C:\SymCache*https://msdl.microsoft.com/download/symbols
Deferred                                       SRV*C:\SymCache*https://chromium-browser-symsrv.commondatastorage.googleapis.com
CommandLine: "C:\Users\Alexander Riccio\Downloads\etwpackage\etwpackage\bin\UIforETW.exe"

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*c:\SymCache*http://msdl.microsoft.com/download/symbols
Deferred                                       SRV*c:\code\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.com
Deferred                                       SRV*C:\SymCache*https://msdl.microsoft.com/download/symbols
Deferred                                       SRV*C:\SymCache*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Symbol search path is: SRV*c:\SymCache*http://msdl.microsoft.com/download/symbols;SRV*c:\code\symbols*http://chromium-browser-symsrv.commondatastorage.googleapis.com;SRV*C:\SymCache*https://msdl.microsoft.com/download/symbols;SRV*C:\SymCache*https://chromium-browser-symsrv.commondatastorage.googleapis.com
Executable search path is: 
ModLoad: 00007ff7`a3190000 00007ff7`a33a6000   UIforETWStatic_devrel.exe
ModLoad: 00007ffe`0f650000 00007ffe`0f811000   ntdll.dll
ModLoad: 00007ffd`e9290000 00007ffd`e92fd000   C:\WINDOWS\system32\verifier.dll
Page heap: pid 0x160C0: page heap enabled with flags 0x3.
AVRF: UIforETW.exe: pid 0x160C0: flags 0x80403025: application verifier enabled
ModLoad: 00007ffd`f9120000 00007ffd`f915b000   C:\WINDOWS\SYSTEM32\vrfcore.dll
ModLoad: 00007ffd`f7900000 00007ffd`f796c000   C:\WINDOWS\SYSTEM32\vfbasics.dll
ModLoad: 00007ffe`0cbb0000 00007ffe`0cc5d000   C:\WINDOWS\system32\KERNEL32.DLL
ModLoad: 00007ffe`0c5d0000 00007ffe`0c7b8000   C:\WINDOWS\system32\KERNELBASE.dll
ModLoad: 00007ffe`0f4d0000 00007ffe`0f626000   C:\WINDOWS\system32\USER32.dll
ModLoad: 00007ffe`0db00000 00007ffe`0dc86000   C:\WINDOWS\system32\GDI32.dll
*** WARNING: Unable to verify checksum for C:\Users\Alexander Riccio\Downloads\etwpackage\etwpackage\bin\ETWProviders64.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\Alexander Riccio\Downloads\etwpackage\etwpackage\bin\ETWProviders64.dll - 
ModLoad: 00007ffd`f9240000 00007ffd`f9263000   C:\Users\Alexander Riccio\Downloads\etwpackage\etwpackage\bin\ETWProviders64.dll
ModLoad: 00007ffe`0cab0000 00007ffe`0cb57000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 00007ffe`0da60000 00007ffe`0dafd000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 00007ffe`0da00000 00007ffe`0da5b000   C:\WINDOWS\system32\sechost.dll
ModLoad: 00007ffe`06770000 00007ffe`067f4000   C:\WINDOWS\SYSTEM32\WINSPOOL.DRV
ModLoad: 00007ffe`0cfc0000 00007ffe`0d0dc000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 00007ffe`0dc90000 00007ffe`0f1ef000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 00007ffe`0bea0000 00007ffe`0bee3000   C:\WINDOWS\system32\cfgmgr32.dll
ModLoad: 00007ffe`0b870000 00007ffe`0b899000   C:\WINDOWS\SYSTEM32\bcrypt.dll
ModLoad: 00007ffe`0bef0000 00007ffe`0c534000   C:\WINDOWS\system32\windows.storage.dll
ModLoad: 00007ffe`0cc60000 00007ffe`0cedd000   C:\WINDOWS\system32\combase.dll
ModLoad: 00007ffe`0bd80000 00007ffe`0bdea000   C:\WINDOWS\system32\bcryptPrimitives.dll
ModLoad: 00007ffe`0f1f0000 00007ffe`0f242000   C:\WINDOWS\system32\shlwapi.dll
ModLoad: 00007ffe`0bcf0000 00007ffe`0bcff000   C:\WINDOWS\system32\kernel.appcore.dll
ModLoad: 00007ffe`0c7c0000 00007ffe`0c875000   C:\WINDOWS\system32\shcore.dll
ModLoad: 00007ffe`0bca0000 00007ffe`0bceb000   C:\WINDOWS\system32\powrprof.dll
ModLoad: 00007ffe`0bc70000 00007ffe`0bc84000   C:\WINDOWS\system32\profapi.dll
ModLoad: 00007ffe`0d8b0000 00007ffe`0d9f3000   C:\WINDOWS\system32\ole32.dll
ModLoad: 00007ffe`0ac90000 00007ffe`0af04000   C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\COMCTL32.dll
ModLoad: 00007ffe`0a130000 00007ffe`0a1c6000   C:\WINDOWS\SYSTEM32\UxTheme.dll
ModLoad: 00007ffe`0cee0000 00007ffe`0cfa1000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 00007ffe`0d480000 00007ffe`0d8a9000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 00007ffe`0d1f0000 00007ffe`0d1f8000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 00007ffe`0aaa0000 00007ffe`0aaaa000   C:\WINDOWS\SYSTEM32\VERSION.dll
ModLoad: 00007ffe`03a40000 00007ffe`03aaa000   C:\WINDOWS\SYSTEM32\OLEACC.dll
ModLoad: 00007ffe`0b770000 00007ffe`0b77b000   C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffe`0cb60000 00007ffe`0cb9b000   C:\WINDOWS\system32\IMM32.DLL
(160c0.160b8): Break instruction exception - code 80000003 (first chance)
ModLoad: 00007ffd`f91b0000 00007ffd`f91c1000   C:\Program Files\Intel\Power Gadget 3.0\EnergyLib64.dll
ModLoad: 00000000`718e0000 00000000`71978000   C:\WINDOWS\SYSTEM32\MSVCP100.dll
ModLoad: 00000000`71da0000 00000000`71e72000   C:\WINDOWS\SYSTEM32\MSVCR100.dll
ModLoad: 00007ffe`0d270000 00007ffe`0d3ca000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 00007ffe`094f0000 00007ffe`09512000   C:\WINDOWS\SYSTEM32\dwmapi.dll
ModLoad: 00007ffe`0a1d0000 00007ffe`0a1f7000   C:\WINDOWS\SYSTEM32\DEVOBJ.dll
ModLoad: 00007ffe`0bd00000 00007ffe`0bd55000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 00007ffe`0bc90000 00007ffe`0bca0000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 00007ffe`0c880000 00007ffe`0ca47000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 00007ffe`0b1c0000 00007ffe`0b1f1000   C:\WINDOWS\SYSTEM32\ntmarta.dll
ModLoad: 00007ffe`037d0000 00007ffe`0386c000   C:\WINDOWS\SYSTEM32\efswrt.dll
ModLoad: 00007ffe`064c0000 00007ffe`065f6000   C:\WINDOWS\SYSTEM32\wintypes.dll
ModLoad: 00007ffe`031b0000 00007ffe`03200000   C:\WINDOWS\SYSTEM32\edputil.dll
xperf: error: NT Kernel Logger: Cannot create a file when that file already exists. (0xb7).
The trace you have just captured "C:\Users\ALEXAN~1\AppData\Local\Temp\kernel.etl" may contain personally identifiable information, including but not necessarily limited to paths to files accessed, paths to registry accessed and process names. Exact information depends on the events that were logged. Please be aware of this when sharing out this trace with other people.
The trace you have just captured "C:\Users\ALEXAN~1\AppData\Local\Temp\user.etl" may contain personally identifiable information, including but not necessarily limited to paths to files accessed, paths to registry accessed and process names. Exact information depends on the events that were logged. Please be aware of this when sharing out this trace with other people.
(160c0.12b2c): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
ETWProviders64!ETWKeyDown+0x131b:
00007ffd`f92441cb cd29            int     29h
*** WARNING: Unable to verify checksum for UIforETWStatic_devrel.exe
*** ERROR: Module load completed but symbols could not be loaded for UIforETWStatic_devrel.exe
0:000> !analyze -v
ERROR: FindPlugIns 8007007b
ERROR: Some plugins may not be available [8007007b]
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

FAULTING_IP: 
ETWProviders64!ETWKeyDown+131b
00007ffd`f92441cb cd29            int     29h

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ffdf92441cb (ETWProviders64!ETWKeyDown+0x000000000000131b)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000000000005
Subcode: 0x5 FAST_FAIL_INVALID_ARG

FAULTING_THREAD:  00012b2c

PROCESS_NAME:  UIforETWStatic_devrel.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  0000000000000005

NTGLOBALFLAG:  2000100

APPLICATION_VERIFIER_FLAGS:  80403025

APPLICATION_VERIFIER_LOADED: 1

APP:  uiforetwstatic_devrel.exe

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

BUGCHECK_STR:  INVALID_ARG_FAILURE_EXPLOITABLE_AVRF

DEFAULT_BUCKET_ID:  INVALID_ARG_FAILURE_EXPLOITABLE_AVRF

LAST_CONTROL_TRANSFER:  from 00007ffdf9244190 to 00007ffdf92441cb

STACK_TEXT:  
000000ef`c18fc9d0 00007ffd`f9244190 : 000000ef`c18fca60 00007ffd`e56c3186 00007ff7`a3237b5c 00007ffd`f9246298 : ETWProviders64!ETWKeyDown+0x131b
000000ef`c18fca00 00007ffd`f92441ad : 000000ef`c18fcb20 000000ef`c18fd410 000000ef`c18fe400 00000000`00000000 : ETWProviders64!ETWKeyDown+0x12e0
000000ef`c18fca40 00007ffd`f924336f : 000000ef`c18fcb20 000000ef`c18fe400 00000000`00000000 00000030`00000001 : ETWProviders64!ETWKeyDown+0x12fd
000000ef`c18fca80 00007ffd`f9243391 : 00000000`00000001 000002db`00000000 00000024`cdbf5000 000002db`00000000 : ETWProviders64!ETWKeyDown+0x4bf
000000ef`c18fcac0 00007ffd`f924282b : 00006090`00216000 00000000`00000024 00000202`002b002b 00007ff7`a3193813 : ETWProviders64!ETWKeyDown+0x4e1
000000ef`c18fcb00 00007ff7`a31a4cf6 : 00007ff7`a3215500 000002db`cbad8620 00000000`00000007 00000000`00000000 : ETWProviders64!ETWMarkWPrintf+0x4b
000000ef`c18fd310 00007ff7`a31b7936 : 00000000`001603b6 00000000`00000001 000000ef`c18fe400 00007ff7`a3216e80 : UIforETWStatic_devrel+0x14cf6
000000ef`c18fd600 00007ff7`a31b769a : 00000000`00000000 00007ff7`a32322d8 00007ffe`0c64d160 00000000`0021abba : UIforETWStatic_devrel+0x27936
000000ef`c18fd630 00007ff7`a31aef4a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`000003e9 : UIforETWStatic_devrel+0x2769a
000000ef`c18fd690 00007ff7`a31b2686 : 00000000`000003e9 00000000`001603b6 00000000`00000000 000000ef`c18fe400 : UIforETWStatic_devrel+0x1ef4a
000000ef`c18fd6d0 00007ff7`a31b368a : 000000ef`c18fe400 000000ef`c18fd860 00000000`001603b6 00000000`00000000 : UIforETWStatic_devrel+0x22686
000000ef`c18fd760 00007ff7`a31b4f94 : 000000ef`c18fe400 00000000`000003e9 00000000`001603b6 00000000`0021abba : UIforETWStatic_devrel+0x2368a
000000ef`c18fd8f0 00007ff7`a31afadb : 00000000`00000000 000002db`c789ce20 00000000`000003e9 00000000`00000111 : UIforETWStatic_devrel+0x24f94
000000ef`c18fd930 00007ff7`a31b02b4 : 000045aa`dfa72bb7 00000000`000f042e 00000001`00000000 00000000`00000000 : UIforETWStatic_devrel+0x1fadb
000000ef`c18fd9f0 00007ffe`0f4e1169 : 00000000`00000000 000000ef`c18fdb70 00000000`00000001 00000000`00000001 : UIforETWStatic_devrel+0x202b4
000000ef`c18fda30 00007ffe`0f4e08f5 : 000002db`c8e77a20 00007ff7`a31b0260 00000000`000f042e 00000000`00000111 : USER32!UserCallWinProcCheckWow+0x1f9
000000ef`c18fdb20 00007ffe`0f4e065b : 00000000`00000000 000002db`cbb2be00 00000000`000003e9 000002db`c8e77a20 : USER32!SendMessageWorker+0x235
000000ef`c18fdbb0 00007ffe`0acf80de : 000002db`cb5f5ee0 00000000`50010001 00000000`00000001 00007ffe`0f664f53 : USER32!SendMessageW+0xfb
000000ef`c18fdc10 00007ffe`0acbf9f7 : 00000000`00000202 000000ef`c18fdcc8 000002db`cb5f5ee0 00000000`00000000 : COMCTL32!Button_ReleaseCapture+0xaa
000000ef`c18fdc50 00007ffe`0f4e1169 : 00000000`00110043 000002db`c789ce78 00000000`00000407 00007ffe`0f4e133c : COMCTL32!Button_WndProc+0x7a7
000000ef`c18fdd10 00007ffe`0f4e0aba : 000000ef`c18fe638 00007ffe`0acbf250 00000000`001603b6 00000000`001603b6 : USER32!UserCallWinProcCheckWow+0x1f9
000000ef`c18fde00 00007ff7`a31b168c : 000000ef`c18fe638 00000000`00000202 00000000`00000000 00000000`00110043 : USER32!CallWindowProcW+0x10a
000000ef`c18fde50 00007ff7`a31b4fac : 000000ef`c18fe638 00000000`00000202 00000000`00000000 00000000`0021abba : UIforETWStatic_devrel+0x2168c
000000ef`c18fde90 00007ff7`a31afadb : 00000000`00000000 000002db`c789ce20 00000000`00000000 00000000`00000202 : UIforETWStatic_devrel+0x24fac
000000ef`c18fded0 00007ff7`a31b02b4 : 000000ef`c18fe078 00000000`001603b6 000000ef`c18fe098 00007ffd`f79073fc : UIforETWStatic_devrel+0x1fadb
000000ef`c18fdf90 00007ffe`0f4e1169 : 00000000`00000000 00000000`00000002 00000000`00000001 00007ffd`f7902822 : UIforETWStatic_devrel+0x202b4
000000ef`c18fdfd0 00007ffe`0f4e0c97 : 000002db`c8e4e440 00007ff7`a31b0260 00000000`001603b6 000000ef`c160a800 : USER32!UserCallWinProcCheckWow+0x1f9
000000ef`c18fe0c0 00007ffe`0f4e3b8f : 00000000`000f042e 00000000`00000000 00000000`00000001 00000000`001603b6 : USER32!DispatchMessageWorker+0x1a7
000000ef`c18fe140 00007ff7`a31b7109 : 000000ef`c18fe400 00000000`00000001 00000000`00000000 00000000`000f042e : USER32!IsDialogMessageW+0x10f
000000ef`c18fe1a0 00007ff7`a31af3c3 : 000002db`c789ce78 00000000`000f042e 000002db`c789ce78 00007ff7`a31b5190 : UIforETWStatic_devrel+0x27109
000000ef`c18fe1d0 00007ff7`a31b4dfe : 00000000`000f042e 00000000`000f042e 000002db`c789ce78 00000000`00000000 : UIforETWStatic_devrel+0x1f3c3
000000ef`c18fe200 00007ff7`a31bd623 : 000000ef`c18fe400 00000000`00000000 00000000`00000000 000002db`c8e77a20 : UIforETWStatic_devrel+0x24dfe
000000ef`c18fe230 00007ff7`a31bd6c8 : 000002db`c789ce78 000002db`c789ce78 000002db`c789ce78 00000000`00000004 : UIforETWStatic_devrel+0x2d623
000000ef`c18fe260 00007ff7`a31b49c4 : 000000ef`c18fe400 00000000`00000000 00000000`00000000 00007ffe`0f4df994 : UIforETWStatic_devrel+0x2d6c8
000000ef`c18fe290 00007ff7`a31aeb38 : 00000000`00000004 00007ff7`a3190000 00000000`00000001 00007ff7`a31b0008 : UIforETWStatic_devrel+0x249c4
000000ef`c18fe2f0 00007ff7`a31aecfd : 000000ef`c18fe400 00000000`00000000 0000a8b1`81ca80ba 00000000`00000012 : UIforETWStatic_devrel+0x1eb38
000000ef`c18fe340 00007ff7`a319f2d3 : 000000ef`c18fe400 000000ef`00000000 00007ff7`00000000 00000000`00000000 : UIforETWStatic_devrel+0x1ecfd
000000ef`c18fe3d0 00007ff7`a31f4485 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : UIforETWStatic_devrel+0xf2d3
000000ef`c18ff9b0 00007ff7`a31ce262 : 00000000`0000000a 00000000`00000000 000000ef`c1609000 000000ef`c1609000 : UIforETWStatic_devrel+0x64485
000000ef`c18ff9f0 00007ffe`0cbc8102 : 00007ff7`a31ce2c0 00000000`00000000 00000000`00000000 00000000`00000000 : UIforETWStatic_devrel+0x3e262
000000ef`c18ffa30 00007ffe`0f6ac2e4 : 00007ffe`0cbc80e0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
000000ef`c18ffa60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34

FOLLOWUP_IP: 
ETWProviders64!ETWKeyDown+131b
00007ffd`f92441cb cd29            int     29h

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  etwproviders64!ETWKeyDown+131b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ETWProviders64

IMAGE_NAME:  ETWProviders64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  55f48e89

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  INVALID_ARG_FAILURE_EXPLOITABLE_AVRF_etwproviders64!ETWKeyDown+131b

PRIMARY_PROBLEM_CLASS:  INVALID_ARG_FAILURE_EXPLOITABLE_AVRF_etwproviders64!ETWKeyDown+131b

FAILURE_PROBLEM_CLASS:  INVALID_ARG_FAILURE_EXPLOITABLE_AVRF

FAILURE_EXCEPTION_CODE:  c0000409

FAILURE_IMAGE_NAME:  ETWProviders64.dll

FAILURE_FUNCTION_NAME:  ETWKeyDown

FAILURE_SYMBOL_NAME:  ETWProviders64.dll!ETWKeyDown

FAILURE_BUCKET_ID:  INVALID_ARG_FAILURE_EXPLOITABLE_AVRF_c0000409_ETWProviders64.dll!ETWKeyDown

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_arg_failure_exploitable_avrf_c0000409_etwproviders64.dll!etwkeydown

FAILURE_ID_HASH:  {04c20633-3bfd-c488-628d-a94fcf4507fd}

Followup:     MachineOwner
---------
randomascii commented 8 years ago

Thanks for the report. This should definitely be fixed.

It's probably not actually exploitable because an attacker would have no way of controlling the payload, I don't think.

The call stack is not very useful because you don't have symbols loaded for ETWProviders64.dll or for UIforETW. In fact, !analyze is so verbose that the only really valuable piece of information ("ExceptionCode: c0000409 (Security check failure or stack buffer overrun)") is excessively well buried.

Anyway, I'll repro and fix. If you want to repro with symbols loaded, with UIforETW under a debugger, and then just paste the call stack into the issue that would be helpful.

randomascii commented 8 years ago

Thank you for reporting this issue. This is a serious issue that could cause a crash in any application that calls any of the ETW*MarkPrintf set of functions with arguments that would total more than 1,000 characters of output.

However, despite !analyze's claims to the contrary it is not a buffer overrun or exploitable or a security problem. The _printfs functions reliably detect when a buffer overflow *would* happen and they stop before it does.

Resolved by ef9d2de1089fd5940e0f4f1a8e10f47df855bb6d

I will push a new release later.
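The failure mode discussed in this thread, as an added example that is not UIforETW's code or its fix: a fixed-size buffer is filled by a bounds-checked formatter, and when the formatted output would not fit, a checked formatter such as `vsprintf_s` does not write past the buffer but invokes the CRT's invalid-parameter path, which in a release CRT ends the process with the `int 29h` / `FAST_FAIL_INVALID_ARG` (subcode 5, exception code `c0000409`) seen in the log. The example below uses portable `vsnprintf` so it compiles anywhere; `MARK_BUFFER_CHARS`, `mark_format_bounded`, `mark_would_overflow_fixed` and `mark_format_alloc` are hypothetical names, and the 1,000-character buffer size mirrors the limit described in the comment above rather than anything read from the project's source. It shows both defensive options: report truncation to the caller, or size a heap buffer from the required length so no limit exists.

```c
/* Added example (not from UIforETW): bounded formatting that never writes
 * past its buffer and never trips a fast-fail on oversized output. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed buffer size, chosen to mirror the ~1,000-character
 * limit the issue describes. Not the project's real constant. */
#define MARK_BUFFER_CHARS 1000

enum mark_result { MARK_OK = 0, MARK_TRUNCATED = 1, MARK_ERROR = 2 };

/* Format into a caller-supplied buffer of 'cap' bytes. vsnprintf never
 * writes more than 'cap' bytes and always NUL-terminates, so an oversized
 * message is cut short and reported, instead of aborting the process. */
static enum mark_result mark_vformat_bounded(char *buf, size_t cap,
                                             const char *fmt, va_list ap)
{
    int needed = vsnprintf(buf, cap, fmt, ap);
    if (needed < 0)
        return MARK_ERROR;            /* encoding or format error */
    if ((size_t)needed >= cap)
        return MARK_TRUNCATED;        /* output did not fit; buffer intact */
    return MARK_OK;
}

enum mark_result mark_format_bounded(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    enum mark_result r = mark_vformat_bounded(buf, cap, fmt, ap);
    va_end(ap);
    return r;
}

/* Returns 1 when the formatted output needs MARK_BUFFER_CHARS characters or
 * more, i.e. the condition under which a checked formatter writing into a
 * fixed MARK_BUFFER_CHARS buffer would refuse and fast-fail; 0 otherwise. */
int mark_would_overflow_fixed(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(NULL, 0, fmt, ap);   /* measure only */
    va_end(ap);
    return needed < 0 || (size_t)needed >= MARK_BUFFER_CHARS;
}

/* Alternative fix: measure first, then allocate exactly what is needed.
 * Returns a heap string the caller frees, or NULL on error. */
char *mark_format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);                 /* a va_list can only be walked once */
    int needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) { va_end(ap2); return NULL; }
    char *out = malloc((size_t)needed + 1);
    if (out == NULL) { va_end(ap2); return NULL; }
    vsnprintf(out, (size_t)needed + 1, fmt, ap2);
    va_end(ap2);
    return out;
}

int main(void)
{
    /* Constructed input: a 1,200-character argument, longer than the buffer. */
    char big[1201];
    memset(big, 'x', 1200);
    big[1200] = '\0';

    char buf[MARK_BUFFER_CHARS];
    enum mark_result r = mark_format_bounded(buf, sizeof buf, "mark: %s", big);
    printf("bounded: result=%d, stored %zu chars\n", (int)r, strlen(buf));
    printf("fixed buffer would overflow: %d\n", mark_would_overflow_fixed("mark: %s", big));

    char *full = mark_format_alloc("mark: %s", big);
    if (full != NULL) {
        printf("alloc: stored %zu chars\n", strlen(full));
        free(full);
    }
    return 0;
}
```

The design choice worth noting: reporting `MARK_TRUNCATED` keeps the process alive and the buffer bounded, which is the right behaviour for a diagnostic marker, whereas the measure-then-allocate variant preserves the whole message at the cost of a heap allocation per call.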