illera88 / Ponce

IDA 2016 plugin contest winner! Symbolic Execution just one-click away!
https://docs.idaponce.com

SOFTWARE_NX_FAULT_c0000005_Ponce64.dll!Unknown #128

Closed Holit closed 2 years ago

Holit commented 2 years ago

IDA hit an exception when exiting. WinDbg analysis result:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify checksum for Ponce64.dll
*** WARNING: Unable to verify checksum for ida64.dll
*** WARNING: Unable to verify checksum for ida64.exe

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Execute

    Key  : Analysis.CPU.mSec
    Value: 593

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 23813

    Key  : Analysis.Init.CPU.mSec
    Value: 202

    Key  : Analysis.Init.Elapsed.mSec
    Value: 4581

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 78

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 656211

    Key  : Timeline.Process.Start.DeltaSec
    Value: 1

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 7.5.20.1028

FILE_IN_CAB:  ida-20220826-102655-33200.dmp

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  (.ecxr)
rax=000000000000002f rbx=00007ffc47ff1940 rcx=0000000000000201
rdx=00007ffc46d899e0 rsi=0000000000000000 rdi=00007ffc47ff1940
rip=0000000000000000 rsp=0000005309ffedd8 rbp=0000005309ffef10
 r8=0000000000000000  r9=0000000000000054 r10=0000000000000007
r11=0000005309ffe8e0 r12=000001724366dd70 r13=00000172492353a0
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
00000000`00000000 ??              ???
Resetting default scope

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000000000000
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 0000000000000000
Attempt to execute non-executable address 0000000000000000

PROCESS_NAME:  ida64.exe

EXECUTE_ADDRESS: 0

FAILED_INSTRUCTION_ADDRESS: 
+0
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p            0x%p                    %s

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000008

EXCEPTION_PARAMETER2:  0000000000000000

STACK_TEXT:  
00000053`09ffedd8 00007ffc`46d893da     : 00007ffc`47ff1940 00000053`09ffef10 00000000`00000000 00007ffc`47ff1940 : 0x0
00000053`09ffede0 00000000`67daca3d     : 00000172`49210520 00000000`00000000 00000053`09ffef10 00000172`499c8330 : Ponce64+0x193da
00000053`09ffee10 00000000`67daa660     : 00000000`00000000 00000172`4366dd70 00000172`492353a0 00000000`00000000 : ida64!user2bin+0x65dd
00000053`09ffefe0 00000000`67c0b0ed     : 00000172`4d3dd450 00000053`09fff160 00000172`43632340 00000053`09ffef18 : ida64!user2bin+0x4200
00000053`09fff060 00007ff7`b87bb002     : 00000000`00000001 00000000`00000004 00000172`48a08740 00000000`00000001 : ida64!init_database+0xe2d
00000053`09fff470 00007ff7`b87bc619     : 00000053`09fff500 00000000`671d3750 00000053`09fff530 00000053`09fff5e8 : ida64_exe+0x17b002
00000053`09fff4f0 00007ff7`b87bbaaa     : 00007ff7`b8888500 00000053`09fff5a0 00000000`00000001 00000000`00000008 : ida64_exe+0x17c619
00000053`09fff530 00007ff7`b87bbbe2     : 00000000`00000001 00000172`4967c540 00000053`09fff690 00000000`00000000 : ida64_exe+0x17baaa
00000053`09fff5e0 00007ff7`b87bbc0c     : 00000053`00000074 00007ff7`0000000f 00000001`00000003 00000053`09fff690 : ida64_exe+0x17bbe2
00000053`09fff620 00007ff7`b87bc95d     : 00000053`09fff6f8 00000172`488afbc0 00000172`4888c130 00000172`48884910 : ida64_exe+0x17bc0c
00000053`09fff660 00007ff7`b87bcaef     : 00000000`00000002 00000000`00000010 00000172`4369e260 00000172`436b5ed0 : ida64_exe+0x17c95d
00000053`09fff900 00007ff7`b886a492     : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : ida64_exe+0x17caef
00000053`09fff950 00007ffd`05f17034     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ida64_exe+0x22a492
00000053`09fff990 00007ffd`07062651     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0x14
00000053`09fff9c0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  ~0s; .ecxr ; kb

SYMBOL_NAME:  ponce64+193da

MODULE_NAME: Ponce64

IMAGE_NAME:  Ponce64.dll

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_c0000005_Ponce64.dll!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {4a12b3bf-5454-a60e-01a0-b24b3d2424c3}

Followup:     MachineOwner
---------

According to FAILURE_BUCKET_ID, this exception seems to have occurred at ponce64+193da as an access violation with NX. When using IDA to analyze Ponce64.dll, it seems this part of the data was executed.
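As an added example (not from the issue or the Ponce project), a small triage parser for the `!analyze -v` fields in the report above: it reads the exception record, decodes the access-violation parameters (Parameter[0] = 8 is an instruction fetch, i.e. a DEP/NX fault, and Parameter[1] is the faulting address), and names the first frame that belongs to a loaded module. The embedded report excerpt is constructed from the posted output with only the fields the parser reads.

```python
import re

# Constructed excerpt in the shape of the WinDbg "!analyze -v" report posted in
# the issue; only the fields the parser reads are kept (values as on the page).
SAMPLE_REPORT = """\
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000000000000
   ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
   Parameter[0]: 0000000000000008
   Parameter[1]: 0000000000000000

STACK_TEXT:
00000053`09ffedd8 00007ffc`46d893da     : 00007ffc`47ff1940 00000053`09ffef10 00000000`00000000 00007ffc`47ff1940 : 0x0
00000053`09ffede0 00000000`67daca3d     : 00000172`49210520 00000000`00000000 00000053`09ffef10 00000172`499c8330 : Ponce64+0x193da
00000053`09ffee10 00000000`67daa660     : 00000000`00000000 00000172`4366dd70 00000172`492353a0 00000000`00000000 : ida64!user2bin+0x65dd

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_c0000005_Ponce64.dll!Unknown
"""

# Parameter[0] of STATUS_ACCESS_VIOLATION (0xC0000005): 0 = read, 1 = write,
# 8 = instruction fetch, i.e. the CPU tried to execute a page marked NX/DEP.
AV_KIND = {0: "read", 1: "write", 8: "execute"}

# One STACK_TEXT row: child-SP, return address, four args, then the symbol.
FRAME_RE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8}\s+:.*: (\S+)$", re.M)

def parse_report(text):
    """Pull the exception record, the stack symbols and the bucket id out of the report."""
    def field(name):
        m = re.search(r"^\s*%s:\s*(\S+)" % re.escape(name), text, re.M)
        return m.group(1) if m else None
    code = int(field("ExceptionCode"), 16)
    return {
        "code": code,
        "kind": AV_KIND.get(int(field("Parameter[0]"), 16)) if code == 0xC0000005 else None,
        "fault_addr": int(field("Parameter[1]"), 16),
        "frames": FRAME_RE.findall(text),
        "bucket": field("FAILURE_BUCKET_ID"),
    }

def triage(report):
    """Classify the crash and name the frame that made the faulting call."""
    frames = report["frames"]
    # Frame 0 is the faulting IP itself; "0x0" means rip was NULL, so the
    # frame that performed the indirect call is the next entry.
    caller = frames[1] if len(frames) > 1 and frames[0] == "0x0" else (frames[0] if frames else None)
    m = re.search(r"_([^_]+)!", report["bucket"] or "")
    if report["kind"] == "execute" and report["fault_addr"] == 0:
        verdict = "call through a NULL function pointer (DEP/NX fault)"
    elif report["kind"] == "execute":
        verdict = "control transfer into non-executable memory (DEP/NX fault)"
    elif report["kind"]:
        verdict = "invalid %s at 0x%x" % (report["kind"], report["fault_addr"])
    else:
        verdict = "exception 0x%08x" % report["code"]
    return {"verdict": verdict, "caller": caller, "module": m.group(1) if m else None}
```

Run on the excerpt, `triage(parse_report(SAMPLE_REPORT))` reports a NULL function-pointer call with `Ponce64+0x193da` as the calling frame and `Ponce64.dll` as the bucketed module.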

illera88 commented 2 years ago

I think it was related to https://github.com/illera88/Ponce/issues/129 and that has been fixed in the latest version.

Closing, but feel free to reopen if the problem persists.