c - Reading ntdll.dll + offset results in an access violation


I'm trying to read, byte by byte, the memory of ntdll.dll loaded inside my executable. The executable is compiled as an x32 executable on an x64 Windows 7 machine.

I wrote a function called findpattern that receives a specific byte array and looks for that byte array in the ntdll.dll module.

I have checked the function on other modules, and I'm sure it works fine.

Now, when I'm using the function on the ntdll module, it crashes when it reads the memory at ntdll + 0x1000.

I checked in WinDbg, and WinDbg can't read the memory well either:

0:000> db ntdll + ff0 l20
77df0ff0  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
77df1000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

I have no clue why this happens; it consists of 0x9000 bytes:

0:000> db ntdll + fff0 l20
77dffff0  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
77e00000  8b 44 24 04 cc c2 04 00-cc 90 c3 90 cc c3 90 90  .d$.............

It didn't happen in any other DLL I checked. The problem can be bypassed using ReadProcessMemory, but I want to understand what is causing it.

Running the !dh command gives these results:

0:000> !dh ntdll

file type: dll
file header values
     14c machine (i386)
       5 number of sections
55636317 time date stamp mon may 25 20:59:51 2015

       0 file pointer to symbol table
       0 number of symbols
      e0 size of optional header
    2102 characteristics
            executable
            32 bit word machine
            dll

optional header values
     10b magic #
    9.00 linker version
   d6400 size of code
   67400 size of initialized data
       0 size of uninitialized data
       0 address of entry point
   10000 base of code
         ----- new -----
77df0000 image base
   10000 section alignment
     200 file alignment
       3 subsystem (windows cui)
    6.01 operating system version
    6.01 image version
    6.01 subsystem version
  180000 size of image
     400 size of headers
  14c3b3 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
     140  dll characteristics
            dynamic base
            nx compatible
   10218 [    f6d2] address [size] of export directory
       0 [       0] address [size] of import directory
  110000 [   5a028] address [size] of resource directory
       0 [       0] address [size] of exception directory
  13c600 [    3a18] address [size] of security directory
  170000 [    4d30] address [size] of base relocation directory
   e60f4 [      38] address [size] of debug directory
       0 [       0] address [size] of description directory
       0 [       0] address [size] of special directory
       0 [       0] address [size] of thread storage directory
   71c80 [      40] address [size] of load configuration directory
       0 [       0] address [size] of bound import directory
       0 [       0] address [size] of import address table directory
       0 [       0] address [size] of delay import directory
       0 [       0] address [size] of cor20 header directory
       0 [       0] address [size] of reserved directory

section header #1
   .text name
   d6153 virtual size
   10000 virtual address
   d6200 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         code
         (no align specified)
         execute read

debug directories(2)
    type       size     address  pointer
    cv           23       e6130    d6530    format: rsds, guid, 2, wntdll.pdb
    (    10)       4       e612c    d652c

section header #2
      rt name
     1c9 virtual size
   f0000 virtual address
     200 size of raw data
   d6600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         code
         (no align specified)
         execute read

section header #3
   .data name
    82a8 virtual size
  100000 virtual address
    6e00 size of raw data
   d6800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
c0000040 flags
         initialized data
         (no align specified)
         read write

section header #4
   .rsrc name
   5a028 virtual size
  110000 virtual address
   5a200 size of raw data
   dd600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         initialized data
         (no align specified)
         read

section header #5
  .reloc name
    4d30 virtual size
  170000 virtual address
    4e00 size of raw data
  137800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         initialized data
         discardable
         (no align specified)
         read

The 10000 section alignment and the 10000 base of code both seem to contain the right value I need to avoid the crash and the access violation.

What is causing this, and why does it happen in ntdll?

There are gaps in the loaded image, as shown in the dump. The file header gets loaded at 0x77df0000 and the .text section gets loaded 64k bytes after it, at 0x77e00000. This is a result of the 64k section alignment noted in the post. I don't know if there's a reason for the unusual section alignment, except the obvious reason that they want a buffer or some other element allocated with 64k alignment. It might somehow be related to the fact that VirtualAlloc has 64k granularity.

You can use VirtualQuery to determine which pages are valid. Every time the "for loop" advances to a new page, call VirtualQuery. If the State value is MEM_COMMIT and the AllocationProtect value has one of the PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_READONLY or PAGE_READWRITE bits set, and the AllocationProtect value doesn't have the PAGE_GUARD bit set, you know the page exists and is readable. If not, you can use the RegionSize value to skip over the page, along with every page that follows it that has the same state.

You can also parse the PE/COFF headers at 0x77df0000 to figure out which sections are loaded, but that's a fair bit more complicated.
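The page-by-page probe described in this answer, written out as an added example; it is not the asker's findpattern and not code from the answer. The scan core takes a probe callback so it can be run offline against a constructed four-page layout with a hole in page 1 (mirroring the unreadable pages at ntdll+0x1000), while the Windows probe wraps VirtualQuery and, as a caveat, tests Protect (the page's current protection) rather than AllocationProtect, because protection can be changed after the region was allocated. All function names (find_pattern, vq_probe, fake_probe, fake_scan) are this example's own, and sample_pat is the first four bytes shown at 77e00000 in the dump.

```c
#include <stdint.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/* Probe: nonzero if the page holding addr is readable; *region = bytes from addr to its region's end. */
typedef int (*page_probe_fn)(const uint8_t *addr, size_t *region, void *ctx);
const uint8_t *find_pattern(const uint8_t *base, size_t len, const uint8_t *pat,
                            size_t patlen, page_probe_fn probe, void *ctx)
{
    const uint8_t *p = base, *end = base + len, *ok = base;  /* [p, ok) is readable */
    while (p + patlen <= end) {
        while (ok < p + patlen) {                 /* grow the readable window */
            size_t region;                        /* a 0 region is bumped to 1 */
            if (!probe(ok, &region, ctx)) { p = ok = ok + (region ? region : 1); break; }
            ok += region ? region : 1;
        }
        if (ok < p + patlen) continue;            /* window was reset by a hole */
        if (memcmp(p, pat, patlen) == 0) return p;
        p++;
    }
    return NULL;
}
#ifdef _WIN32
/* VirtualQuery probe: committed, current Protect readable, no PAGE_GUARD. */
int vq_probe(const uint8_t *addr, size_t *region, void *ctx)
{
    MEMORY_BASIC_INFORMATION mbi; DWORD prot; (void)ctx;
    if (!VirtualQuery(addr, &mbi, sizeof mbi)) { *region = 0x1000; return 0; }
    *region = mbi.RegionSize - (size_t)(addr - (const uint8_t *)mbi.BaseAddress);
    prot = mbi.Protect & 0xFF;                    /* drop PAGE_GUARD/NOCACHE bits */
    return mbi.State == MEM_COMMIT && !(mbi.Protect & PAGE_GUARD) && (prot == PAGE_READONLY ||
        prot == PAGE_READWRITE || prot == PAGE_EXECUTE_READ || prot == PAGE_EXECUTE_READWRITE);
}
#endif
/* Constructed offline layout (not a real process map): 4 pages of 16 bytes, page 1 unmapped. */
enum { FPAGE = 16 }; static uint8_t fake_mem[4 * FPAGE];
const uint8_t sample_pat[4] = { 0x8b, 0x44, 0x24, 0x04 };  /* first bytes at 77e00000 */
int fake_probe(const uint8_t *addr, size_t *region, void *ctx)
{
    size_t off = (size_t)(addr - (const uint8_t *)ctx);
    *region = FPAGE - off % FPAGE;
    return off < sizeof fake_mem && off / FPAGE != 1;       /* page 1 is the hole */
}
long fake_scan(size_t at, const uint8_t *pat, size_t n)     /* offset of hit, or -1 */
{
    memset(fake_mem, 0, sizeof fake_mem);
    memcpy(fake_mem + at, pat, n);
    const uint8_t *hit = find_pattern(fake_mem, sizeof fake_mem, pat, n, fake_probe, fake_mem);
    return hit ? (long)(hit - fake_mem) : -1;
}
```

On Windows the same scan runs over a real module by passing vq_probe in place of fake_probe and the module base and size-of-image as the range.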
