Jump to content
Tuts 4 You

How to check address whether its a valid one to read?


LCF-AT

Recommended Posts

Posted

Hi guys,

so yesterday I got an access violation exception in my app by calling the function StrStrA and it seems that the memory block I wanted to check for a string was gone already = AV crash.Somehow strange because I did check before whether a address is present to check = Yes but somehow the block must be freed by anything.

.if MEMBLOCK != FALSE
	invoke StrStr,MEMBLOCK,chr$('Sting2Check')  ; <---- AV inside
	...
.endif

Ok, in this case I did just check whether in the variable MEMBLOCK is anything = normaly the memblock address.Now, the address was still present in variable but not present for real.Now I would like what kind of function/s I can use to verify whether a address is still valid or not before I call the StrStrA function.On internet & MSDN I just found that functions like IsBadReadPtr are obsolete and shouldnt used anymore but there is no linking for alternativ function/s we could use.

greetz

Posted

A pointer having a value does not necessarily mean that it is valid, and there is no easy way I'm aware of to determine the validity of a pointer. So, comparing the pointer to FASLE (or NULL) does not help unless you always set the pointer to NULL after freeing it, which many people say is a good practice.

You have to check what other parts of the code are using the pointer and where it is being freed.

  • Like 1
Posted

Registering a handler for catching segmentation fault or access violation is the right way AFAIK.  Possibly why other methods are deprecated.  Maybe the most generic, easiest way as though empirical, it treats the OS as a black box, and doesnt require knowing its details.

Even is Spectre is mitigated, it could still be used to probe access.  If Spectre style exploit can read it, it was accessible, otherwise it's not.  Before mitigation, you could read the inaccessible memory.

Since you are likely talking about virtual addresses and not physical addresses, the OS should have a wat to check if they are mapped.  If they are mapped, it still does not guarantee permissions.  Nonetheless you are stuck with using various low level memory API related functions the OS provides.  With physical addresses, they are valid if in the addressable range, it's much more hardware specific techniques and details to determine it.

  • Like 1
Posted

Not a perfect solution but there is IsBadReadPtr API. Check it. As MSDN says it is deprecated but still worth to check.

  • Like 1
Posted

Installing SEH handler or calling IsBadReadPtr are trying to deal with the symptoms (crash), not the cause of ther problem (bad pointer to buffer, bad data in buffer or whatever).

Don't just hide the problem - find the real cause of the problem instead.

  • Like 3
Posted

Check if allocation of memory block fails, then gracefully exit and tell user. Check size of memory area allocated. Check size of substring vs area of memory to search in. If substring is > area of memory to search in then thats not going to work and will probably cause the exception. I wouldnt rely on IsBadReadPtr or the like either.

  • Like 1
Posted

Hi guys,

thanks for your answers so far.I think the problem is still in my thread when its using a global varaible to put the allocated address into.I am using already CRIT function.Maybe the problem is at the top of my single running thread....

mov GLOBALMEMORYTOCHECK, NULL  ; <-- global varaible

....at the end of that thread I do alloc space and put that alloc address into the variable above and then I do copy datas into which should get checked outside of that thread (Pre-Thread).Somehow between those small steps the variable must be erased with NULL by another accessing process into the thread.Think so...and then I got AVio in my other running thread who was trying to use the address in variable with StrStr function but it was NULL = AV = App crash = Over & Out.

OK, so I did disable that line above in my thread now and added a memory address check code I wrote also yesterday....

....
.if Is200Status == TRUE && GLOBALMEMORYTOCHECK != FALSE
	invoke ValidateAddress,GLOBALMEMORYTOCHECK
	.if eax == FALSE
		; error
		ret
	.endif
	invoke StrStr,GLOBALMEMORYTOCHECK,chr$('FindStringABC')
	....
.endif

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
ValidateAddress proc uses edi _address:DWORD

; ret _status 0 = error
; ret _status 1 = read only
; ret _status 2 = read / write

local _mbi:MEMORY_BASIC_INFORMATION
	mov edi, _address
	invoke zero,addr _mbi,sizeof _mbi
	invoke VirtualQuery,edi,addr _mbi,sizeof _mbi
	.if eax
		.if 	_mbi.Protect == PAGE_READONLY  || _mbi.Protect == PAGE_EXECUTE_READ         ; read status
			mov eax, TRUE
		.elseif	_mbi.Protect == PAGE_READWRITE || _mbi.Protect == PAGE_EXECUTE_READWRITE	; read write
			mov eax, 2
		.else
			;other
			xor eax,eax
		.endif
	.else
		nop
	.endif
	Ret
ValidateAddress endp

...thats my ValidateAddress function so far.Just checking for normal read or write access flags.If address isnt present anymore by some mistake / variable NULL overwrite or already freed then function returns 0 and I will not call StrStr anymore etc.

greetz

Posted

kao is right, I had assumed this was in context of writing the memory view window of a debugger where dealing with symptoms is a necessity.  If memory addresses are not being validated from user or external input sources, then proper coding techniques like initializing to null and checking return value should be used.

The source code of Windbg would be interesting here, has I ever leaked and does it just use IsBadReadPtr?

  • 2 weeks later...
Posted

Hi guys,

I again a problem with a exception I can not find.This time its a little more strange.Normaly I have added a exception logger in my app to log any exception when it happens to text file but this time it dosent create any file with exception datas!=?Thats strange.

Now I tried checking out Windows app protocol to see whether a exception was logged by Windows itself from my app and Windows did!But infos I got from Windows do not help very much to find the location in my app where it did happen.Look....

Name der fehlerhaften Anwendung: bones.exe
Name des fehlerhaften Moduls: unknown, Version: 0.0.0.0, Zeitstempel: 0x00000000
Ausnahmecode: 0xc0000005
Fehleroffset: 0x776e1cfc

....AccessViolation at 0x776e1cfc.Problem is that the address is not always same = ASLR and also there is no module name logged!How to find out where what happend?

So in the app log of WIndows I can also find another Error infos from others...!

Error: 0xc0000409 in kernelbase.dll from my debugger / OllyDBG 1 / each time if I just start it.Hhmm!

Question: Are there any other tools I can use / run extra to log exceptions with more details so that I can better find the close location where it happens?

greetz

Posted

I see 3 options:
1) Use Windows features to create dump file automatically (https://www.meziantou.net/tip-automatically-create-a-crash-dump-file-on-error.htm and https://docs.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps)
2) Generate minidump yourself: https://stackoverflow.com/a/1547251. But that's kinda hard if you can't catch the exception for some reason.
3) Use a 3rd party library to catch exception and create minidump for you. For example:  http://crashrpt.sourceforge.net/docs/html/index.html 



 

  • Like 1
Posted

Hi kao,

so the CrashRpt looks interesting but can I use it?How does it work?Dosent look like as could I use it with MASM to implement in my soruce code or?

Is there maybe a tool like a packer/protector GUI where I can load my exe file into to add those crashrpt etc?

greetz

Posted

Hi again,

so I did created some RegKeys now to let Windows create dmp files.Now I got already a dmp created by my OllyDBG and now I need to find a way to read that dmp file anyhow.On that page I see I have to load it into Visual Studio.So what version / download I need for this?Some mini version no big klopper app or something etc.Maybe a portable version would be best so I just need to read that dmp files out and dont wanna install any 100 MB+ app.By the way, is it also a free app?

Anyway, some infos what to download would be nice you know.Thanks.

greetz

Posted

Hi,

whats that for a Debugger app and what to install?Is it a big app?Just wanna read that dmp files out you know.I have let created now some minidumps and on internet I see that I could use some apps like BlueScreenView to view dmp mini files but nothing happens.The thing makes me sick again.Yes, you can let create dmp files by Windows but you can not read them with any tool from Windows itself.Why?Why creating dmp files and not providing any tool to read them!=?Maybe I am again too old school but this are really things I dont get in my head.You can buy a car but you can not drive it (somehow like that). :)

Anyway, so what to download now?Just tell me a link of the lowest MB tool if possible.Otherwise I throw that shit out of the "WindowS"!Thanks.

greetz

Posted

Just download and install Visual Studio, Its just a development tool. Once you have it installed you can open .dmp files with it and it will show the exception code and modules loaded at the time of the fault. It will still be up to your to figure out the cause of the crash, as the dmp just is data that you can use to help narrow things down. Realistically tho you can output debug strings in your masm code when calling your functions: OutputDebugString and use DbgView to see that (https://github.com/CobaltFusion/DebugViewPP) or use Donkey's vKim like debug macros in masm which effectively does a similar thing by outputting to a separate window. That will help narrow down where the crash occurred and in what function in occurred. Then you can refine the debug output to narrow it down further.

  • Like 1
Posted

Hi fearless,

how do you mean that with using OutputDebugString function?

What about that Donkey's vKim?

http://www.masmforum.com/board/index.php?topic=16317.0

I did download that Debug3264.zip set but I dont see example how to use it.

Listen, my goal is just to log all needed infos in case of any exception to know where it comes from etc.Maybe you can explain it more in detail how to use it / implement it in my apps etc?

greetz

Posted

Hi again,

I did checkout this...

https://visualstudio.microsoft.com/de/downloads/

...download Community installer.Are you kidding me!?Tons of stuff I can choose to install and only the speech packet has already over 800 MB and choosing any language from there = 7 +/-  GB!!!!!! :slap:

Listen, I just want any exception stuff to add in my apps or anything like that.Why is it again so fornicationed up to find / add something.I can not be that stupid or!=?So if there is anyone who can really HELP me with that then please exlain it well to me for the last idiot on planet you know.Thank you.

greetz

  • Like 1
Posted

Hi,

just a question about AddVectoredExceptionHandler function.So before someone told me that this is the function I have to use to catch ANY exception if ANY does happen.Is that true or not?Just asking because my app didnt log a exception (as I told above) what makes me really wonder to think that AddVectoredExceptionHandler function maybe does not work for every cases of exception...or?Normaly I do use that function only once...

invoke AddVectoredExceptionHandler,TRUE,offset HANDLER_LOG

....just pipe to my Handler Routine where I do just log all info without to handle the exception.

Just wanna know if I set that function that it will also be call my Handler routine for 100% in any case of any exception?Maybe some code in my Handler routine was going wrong to create a log or something.Would it be a good idea to set a MessageBox at the top to show it first before making the log?

greetz

Posted

Hi its me again,

I would like to show my exception log code and wanna know how to improve it or using other methods or anything else what could be better than using my stuff so far.Whole code I did included also with a example file to check.Just try it out and have a look into Exception.asm file.Not pretty good so I think but if you can make it better then its good for me and others too. :) At the end I just wanna have some exception log function code I can add into my app which should then really log all exceptions without exception. :) Thank you.

greetz

ExceptionLog.7z

Posted

was working on something similar in work, its tricky to say the least, esp as you havent handled guarded pages yet, which throw an exception on first touch, then remove the guarded page attribute, so 'touching' the memblock will reset the value, do the virtualquery, if it guarded, regard it as 'leave the fk alone', otherwise process like you do for page_readwrite and so on... you've only hit the tip of the iceberg and it gets pretty messy but the best advice i can give is to save the status of the page first, do what you need to, isbadreadptr etc, then set it back to what it was, which sounds easy until you hit multithreading, where you'll need to incorporate a spinlock in your handler...

tedious, annoying, but once done, rewarding, good luck

  • Like 1
Posted

Hi,

so if you did work already on something lke that from A-Z, did you also release anything yet?Or do you have anything else you can convert to MASM style (or making a static lib)?I think something like that must be already out there.In that case I could use it for my apps and dont need to care about that exception log stuff by myself anymore and could sleep much better you know. :)

Seems to to be tricky to handle all manually and thats why I also was asking for anything else I could use in my Apps which is already working good like using that crashrpt thing but no idea how to use it in my case.

Ok, so you mean I have to check for "guarded pages" = just checking / reading from allowing status after calling VQuery with yes?

One more question about my code you can see so far.So did you see anything the set Handler function could be NOT called?As I told before already, few days before my app did just exit by itself after running hours and my exceotion log did nothing log (also created no file) BUT in WIndows log I saw the exception AVio info from my app from unknwon module.Why did Windows got it and my Handler not?So is it possible that the used AddVectoredExceptionHandler function with my Handler routine could be removed by anything else?What about kernel / user modes?Could the exception happen somehow there and not calling my Handler routine after?Not sure how to exlain it but fact is that my Handler routine wasnt callled in case of a excption what makes me really wonder to think that using the AddVectoredExceptionHandler function isnt maybe the best method to catch really ALL exceptions if any does happen.

greetz

Posted

Hi again,

short another question about Error messages.So there are tons of it and I wanna know whether I can get the error / exception name by ID with any function without to create a own function.The exception I can read from context and now I wanna get the name of it.

invoke GetExceptionName, 0xC0000005h, addr buffer

=

"STATUS_ACCESS_VIOLATION"

...something like that.I dont wanna write all exception names manually by myself etc.On my HDD I found few files called ntstatus.inc from Four-F which includes already very much exception error EQUs like this..

STATUS_HANDLES_CLOSED            equ 8000000Ah
STATUS_NO_INHERITANCE            equ 8000000Bh
STATUS_GUID_SUBSTITUTION_MADE    equ 8000000Ch

...etc and my question is how can I use that include file?Any function XY to call with error equ to get the status name?No idea.I also found a ntstatus.lib file too but dont know how to use them.Anyone a clue?

greetz

Posted

Hi deep,

I did already check out that function but I dont get the error name back like "STATUS_ACCESS_VIOLATION".I found a example calling the function RtlNtStatusToDosError with the exception error code and calling then FormatMessage but in this case I just get a message back "Unvalid access on memory area" in case of AVio but I want to get the status name back "STATUS_ACCESS_VIOLATION" and no description of the error.How to do that?

I'am still thinking about that ntstatus.inc & lib files so somehow I should use them for that but how is the question.Do you know that?

Look here..

https://www.codeproject.com/articles/6503/an-ntstatus-lookup-application

....some kind of lookup app to get the status string.Its not working as the author shows by using that function.

About ntstatus.inc / lib files.There are almost all exception codes inside as equ value as I did post above.Now lets say I do move the value 8000000Ah in eax or I just read that value if I get it on exception in context struct, how get now the status string of that exception.The ntstatus.inc file must be good for something like that but how is the question.

greetz

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...