The blacklist dictionary linked list apparently gets corrupted when switching back and forth between a 0-byte dictionary and a non-0-byte dictionary.
Steps to repro:
Create two dictionary files. File1.txt will be a valid dictionary with some passwords. File2.txt will be a file with zero bytes of data inside it.
Start up PassFiltEx or PassFiltExTest with the registry pointing to File1.txt.
Once File1.txt is finished parsing, change the registry to point to File2.txt.
Observe that LSASS (or PassFiltExTest) crashes.
I wasn't able to isolate where the memory corruption comes from, but it looks like it happens when trying to traverse the linked list to delete the old blacklist.
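For readers following up on this report, here is an added C example (not PassFiltEx's own code) of a hypothetical blacklist linked list that is rebuilt from a dictionary buffer in a way that survives the sequence above: the old list is always torn down through one path and the head is reset, so a 0-byte dictionary yields an empty list instead of a stale pointer. The struct, function names and sample passwords are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical blacklist node, not PassFiltEx's own structure. */
typedef struct BlacklistNode { char *password; struct BlacklistNode *next; } BlacklistNode;
/* Walk the list, free every node, and reset the head so no stale pointer survives. */
static void blacklist_free(BlacklistNode **head) {
    BlacklistNode *cur = *head;
    while (cur) {
        BlacklistNode *next = cur->next;
        free(cur->password);
        free(cur);
        cur = next;
    }
    *head = NULL;  /* the step a 0-byte reload must not skip */
}

/* Rebuild from an in-memory dictionary, one entry per line; an empty buffer is valid input. */
static size_t blacklist_reload(BlacklistNode **head, const char *data, size_t len) {
    blacklist_free(head);  /* the old list always goes through the same teardown path */
    size_t count = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && data[i] != '\n') continue;
        size_t wlen = i - start;
        if (wlen > 0 && data[start + wlen - 1] == '\r') wlen--;  /* tolerate CRLF */
        if (wlen > 0) {
            BlacklistNode *n = malloc(sizeof *n);
            char *pw = malloc(wlen + 1);
            if (!n || !pw) { free(n); free(pw); break; }
            memcpy(pw, data + start, wlen);
            pw[wlen] = '\0';
            n->password = pw;
            n->next = *head;  /* push on the front; order is irrelevant for a blacklist */
            *head = n;
            count++;
        }
        start = i + 1;
    }
    return count;  /* number of entries loaded */
}

/* The reported sequence: non-empty, then 0-byte, then non-empty again; 1 if consistent. */
static int reload_sequence_ok(void) {
    BlacklistNode *head = NULL;
    const char dict1[] = "password\n123456\nletmein\n";  /* constructed sample */
    if (blacklist_reload(&head, dict1, sizeof dict1 - 1) != 3) return 0;
    if (blacklist_reload(&head, "", 0) != 0 || head != NULL) return 0;
    if (blacklist_reload(&head, dict1, sizeof dict1 - 1) != 3) return 0;
    blacklist_free(&head);
    return head == NULL;
}
```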