windows - Meaning of !chkimg errors for a crash dump -


i have strange crash dump of app cannot figure out crash reason. noticed !chkimg command reveals errors in dump:

0:013> !chkimg 824985 errors : @eip (77230010-7731016b)

the address range 77230010-7731016b belongs ntdll.dll module. definite sign of malware affected program? can somehow confirm or eliminate hypothesis?

edit: additions based on blabb's answer:

the range size 917851 out of 824985 altered in ntdll (by default !chkimg not check writable sections output seesm suspicous

i executed command in latest version of windbg , found 8219 not 824985 errors.

you cannot assume machine malwared based on possibly corrupt dump

my app consists of several different processes/executables , have dumps each of them. , !chkimg returns same errors of them.

the dumpwrite path can have problems during bsod , corrupt dump written

all dumps user mode not kernel.

also following warning while reloading symbols:

* warning: symbols timestamp wrong 0x521ea8e7 0x4ce7ba58 ntdll.dll

the range size 917851 out of 824985 altered in ntdll (by default !chkimg not check writable sections output seesm suspicous

use chkimg -d should show places original file differs 1 memory
or force command scan module ntdll chkimg -d ntdll

you cannot assume machine malwared based on possibly corrupt dump
dumpwrite path can have problems during bsod , corrupt dump written
check chkimg -db may show zeroes in areas checking
assume have kernel full dump 

orginal file address xxxxxxxx 60 90 cc  memory file                   00 00 00

the above can show such huge discrepancy in chkimg output

lkd> !chkimg nt -d     80501bc8-80501bcb  4 bytes - nt!kiservicetable+24     [ ec cb 60 80:a0 9a 3e a9 ]     80501bf0-80501bf3  4 bytes - nt!kiservicetable+4c (+0x28)     [ 44 c9 5c 80:7e a5 3e a9 ]     80501c08-80501c0b  4 bytes - nt!kiservicetable+64 (+0x18)     [ ba 1c 5b 80:5d e8 42 a9 ]

it possible overwrite section of binary marked image_scn_mem_write writing other section generate access violation , chkimg unless forced not compare these sections image_scn_mem_write attributes in pe header ever shown in query in places no modifications allowed or expected.

here sample code takes dll name , tries writing .data section 

#include <windows.h> #include <stdio.h> int main (int argc,char *argv[]) {     unreferenced_parameter(argc);     hmodule hmod = loadlibrary(argv[1]);     if (hmod)   {         pimage_dos_header doshead = ( pimage_dos_header ) hmod;         dword ntoffset = doshead->e_lfanew + (dword)hmod;         dword datsecoffset = ntoffset + sizeof(image_nt_headers);         pimage_nt_headers nthead = ( pimage_nt_headers )( ntoffset );         dword totsections = nthead->fileheader.numberofsections;         (dword = 0 ; i< totsections ; i++) {             pimage_section_header sechead = (pimage_section_header )                  (datsecoffset + * sizeof(image_section_header));             if( ( sechead->characteristics & image_scn_mem_write ) ==                  image_scn_mem_write ) {                     console_screen_buffer_info csbiinfo;                      handle out = getstdhandle(std_output_handle);                     getconsolescreenbufferinfo(out, &csbiinfo);                     word oldcolor = csbiinfo.wattributes;                     setconsoletextattribute(out,10);                     printf(                         "module %p section %s writable trying write\n",                         hmod,sechead->name);                     for( dword j = sechead->virtualaddress ;                          j < sechead->virtualaddress + sechead->sizeofrawdata ;                          j++)  {                             byte inbyte = *(byte *) ( (byte *)hmod + j);                             *(byte *) ( (byte *)hmod + j) = inbyte;                     }                     printf(                         "module %p section %s written successfully\n",                         hmod,sechead->name);                     setconsoletextattribute(                         getstdhandle(std_output_handle),oldcolor);             } else {                 printf(                     "module %p section %s not writable skipping\n",                     hmod,sechead->name);             }         }         return 0;     } }

output on hexedited dll , ntdll below

:\>xxd -s +0x3c -l 4 -g 4 sec_attr_mod_dll.dll 000003c: b0000000                             ....     :\>set /a 0xb0 + 0xf8 + 0x24 460 :\>xxd -s +460 -l 4 -g 4 sec_attr_mod_dll.dll & xxd -s +500 -l 4 -g 4 sec_attr_m od_dll.dll & xxd -s +540 -l 4 -g 4 sec_attr_mod_dll.dll & xxd -s +580 -l 4 -g 4 sec_attr_mod_dll.dll 00001cc: 400000c0                             @... 00001f4: 400000c0                             @... 000021c: 400000c0                             @... 0000244: 400000c2                             @...  :\>w2dl.exe sec_attr_mod_dll.dll module 10000000 section .text writable trying write module 10000000 section .text written module 10000000 section .rdata writable trying write module 10000000 section .rdata written module 10000000 section .data writable trying write module 10000000 section .data written module 10000000 section .reloc writable trying write module 10000000 section .reloc written  :\>w2dl.exe ntdll.dll module 7c900000 section .text not writable skipping module 7c900000 section .data writable trying write module 7c900000 section .data written module 7c900000 section .rsrc not writable skipping module 7c900000 section .reloc not writable skipping  :\>

Comments

Post a Comment

Popular posts from this blog

php - Submit Form Data without Reloading page -

i know question has been asked , answered bunch of times life of me can not solution work on code. believe if redo code, work properly, , in retrospect time i've spent on issue should have redone code...but beyond deadline , have working prototype up... can advise how update multiple forms on single page without reloading page? horrible @ php , complete noob js/jquery/ajax @ best. html/php in single file , believe causing me problems/is largest obstacle @ getting ajax form processing work. basically, want users to: select teams multiple dropdowns in form group 1 (league champs) , on update update db newly selected team without reloadding page. edit team scores per match , on score submit/update, update db new scores. for each requirement there multiple forms (1 each leagues, 1 each per match) have set class on each form id. everything works via php, form submission reloads page each time submitted , not ideal. i have tried ajax code here http://scotch.io/tutoria...
Read more

linux - Rails running on virtual machine in Windows -

the reason why want switch ubuntu people said gems works better on linux on windows. i don't want macbook pro rails development since love windows , cannot stand lack of apps mac. moreover, people saying ubuntu "better" mac: http://www.reddit.com/r/ubuntu/comments/1bgj1s/are_there_advantages_of_ubuntu_over_os_x_for/ does virtual box work enough doesn't have lag @ all? using i7-3517u cpu 8gb memory. need program in environment lag-free , not sluggish. or there alternatives recommend? i unsure permission settings or complicated stuffs regarding terminal. i'll using terminal develop. i'm still quite new here development in linux. please kind me >< thanks. @holyxiaoxin pretty sure should asking on superuser instead. nevertheless, suggest install ubuntu in partition instead of running virtual machine. here's guide https://help.ubuntu.com/community/windowsdualboot also, yes. developing in virtual machine accurate, @ end experiment w...
Read more