tyranid / oleviewdotnet

A .net OLE/COM viewer and inspector to merge functionality of OleView and Test Container
GNU General Public License v3.0

Error while parsing NDR structures #16

Open hatRiot opened 5 years ago

hatRiot commented 5 years ago

Seems like this is an NtApiDotNet issue, but it's manifesting in OVDN so filing here. When attempting to view a proxy definition, I get the following:

(23f0.1c3c): CLR exception - code e0434352 (first chance)
(23f0.1c3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02580234 ecx=02580234 edx=00000000 esi=02580234 edi=008fe6f8
eip=638c4a42 esp=008fe6e0 ebp=008fe704 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
mscorlib_ni+0x3f4a42:
638c4a42 8b01            mov     eax,dword ptr [ecx]  ds:002b:02580234=????????
0:000> !clrstack
OS Thread Id: 0x1c3c (0)
Child SP       IP Call Site
008fe6e0 638c4a42 System.Runtime.InteropServices.Marshal.ReadInt32(IntPtr, Int32)
008fe70c 00957f71 NtApiDotNet.Ndr.CurrentProcessMemoryReader.ReadIntPtr(IntPtr)
008fe718 0095896f NtApiDotNet.Ndr.NdrNativeUtils.ReadPointerArray[[System.__Canon, mscorlib]](NtApiDotNet.Ndr.IMemoryReader, IntPtr, Int32, System.Func`2<IntPtr,System.__Canon>)
008fe740 009588f2 NtApiDotNet.Ndr.ProxyFileInfo.GetNames(NtApiDotNet.Ndr.IMemoryReader)
008fe758 009586dc NtApiDotNet.Ndr.NdrParser.InitFromProxyFileInfo(NtApiDotNet.Ndr.ProxyFileInfo, System.Collections.Generic.IList`1<NtApiDotNet.Ndr.NdrComProxyDefinition>, System.Collections.Generic.HashSet`1<System.Guid>)
008fe7c4 009577ef NtApiDotNet.Ndr.NdrParser.InitFromProxyFileInfoArray(IntPtr, System.Collections.Generic.IList`1<NtApiDotNet.Ndr.NdrComProxyDefinition>, System.Collections.Generic.HashSet`1<System.Guid>)
008fe804 0095681c NtApiDotNet.Ndr.NdrParser.InitFromFile(System.String, System.Guid, System.Collections.Generic.IList`1<NtApiDotNet.Ndr.NdrComProxyDefinition>, System.Collections.Generic.IEnumerable`1<System.Guid>)
008fe858 00956734 NtApiDotNet.Ndr.NdrParser+c__DisplayClass26_0.b__0()
008fe864 009566a4 NtApiDotNet.Ndr.NdrParser.RunWithAccessCatch[[System.Boolean, mscorlib]](System.Func`1)
008fe884 009565d3 NtApiDotNet.Ndr.NdrParser.ReadFromComProxyFile(System.String, System.Guid, System.Collections.Generic.IEnumerable`1<System.Guid>)
008fe8b0 00956273 OleViewDotNet.COMProxyInstance..ctor(System.String, System.Guid, NtApiDotNet.Win32.ISymbolResolver, OleViewDotNet.Database.COMRegistry)
008fe8f4 00955d7d OleViewDotNet.COMProxyInstance.GetFromCLSID(OleViewDotNet.Database.COMCLSIDEntry, NtApiDotNet.Win32.ISymbolResolver)

Under OVDN 1.4 this crashed, but it seems to be caught in 1.8 and error out. Can't provide the hosting DLL, but can provide any further information you may need.

tyranid commented 5 years ago

Trying to inspect the proxy information isn't an exact science; I have to use a simple heuristic to try and find the data. This means that it doesn't always work. It's possible there's a bug here I could fix, but it's also possible that there isn't. Without the original proxy DLL it'd be hard to diagnose. This is why I added the code to catch memory access errors, so at least the program doesn't crash.
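The stack trace in this issue faults in Marshal.ReadInt32 while ReadPointerArray walks a pointer array whose location was found heuristically. As a complement to catching the access violation, every read can be bounds-checked against the module image before it happens. The sketch below is an added C# example, not code from OleViewDotNet or NtApiDotNet. BoundedImageReader, its methods and the sample image are hypothetical, and it assumes the parser works on a snapshot of the image and that valid pointers stay inside it.

```csharp
using System;

// Hypothetical reader over a byte[] snapshot of a module image (not NtApiDotNet's IMemoryReader).
sealed class BoundedImageReader
{
    private readonly byte[] _image;  // copy of the mapped image bytes
    private readonly long _base;     // address the image was mapped at
    private readonly int _ptrSize;   // 4 for x86, 8 for x64

    public BoundedImageReader(byte[] image, long baseAddress, int pointerSize)
    {
        if (pointerSize != 4 && pointerSize != 8) throw new ArgumentOutOfRangeException(nameof(pointerSize));
        (_image, _base, _ptrSize) = (image, baseAddress, pointerSize);
    }

    // Offset of [address, address + length) inside the image, or -1 if any byte is outside.
    private int OffsetOf(long address, long length)
    {
        if (length < 0 || address < _base) return -1;
        long off = address - _base;
        return off > _image.Length - length ? -1 : (int)off;
    }

    public bool TryReadPointer(long address, out long value)
    {
        int off = OffsetOf(address, _ptrSize);
        value = off < 0 ? 0 : _ptrSize == 8 ? BitConverter.ToInt64(_image, off) : BitConverter.ToUInt32(_image, off);
        return off >= 0;
    }

    // Fails as a whole if the array, or any non-null target, lies outside the image.
    public bool TryReadPointerArray(long address, int count, out long[] result)
    {
        result = Array.Empty<long>();
        if (count < 0 || OffsetOf(address, (long)count * _ptrSize) < 0) return false;
        var tmp = new long[count];
        for (int i = 0; i < count; i++)
            if (!TryReadPointer(address + (long)i * _ptrSize, out tmp[i]) ||
                (tmp[i] != 0 && OffsetOf(tmp[i], 1) < 0)) return false;
        result = tmp;
        return true;
    }
    static void Main()
    {
        // Constructed 32-bit image: two in-image pointers stored at offset 0x10.
        var img = new byte[0x100];
        BitConverter.GetBytes(0x10000040u).CopyTo(img, 0x10);
        BitConverter.GetBytes(0x10000080u).CopyTo(img, 0x14);
        var r = new BoundedImageReader(img, 0x10000000, 4);
        Console.WriteLine(r.TryReadPointerArray(0x10000010, 2, out _));      // count that fits
        Console.WriteLine(r.TryReadPointerArray(0x10000010, 0x1000, out _)); // count from a bad guess
    }
}
```

A rejected read tells the caller the heuristic's guess did not describe real data, so it can move on to the next candidate without touching unmapped memory.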

hatRiot commented 5 years ago

Thanks for the info. I'll take a look myself and contribute back any fixes/changes necessary.