IDA Debugger Malformed SEH Causes Crash

Hi,

Malformed SEH code causes the IDA Debugger (idag.exe) to crash.

This is the crashing code sample:

;####  IDA Debugger Crash ####
;
; Author: Giuseppe 'Evilcry' Bonfa'
; http://evilcry.altervista.org
; E-Mail: evilcodecave (AT) gmail (DOT) com
;
;  Malformed Exception Handlers causes IDA Debugger Core Dump
;
;##################
.586
.model flat, stdcall
option casemap: none
;###################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib

.data
titolo db "Titolo",0
testo db "Exception!",0
.code
START:
assume fs:nothing
push offset exceptHandler    ; handler address of the new EXCEPTION_REGISTRATION record
push fs:[0]                  ; link to the previous record in the SEH chain
mov fs:[0], esp              ; install our record at the head of the chain
xor eax,eax
mov eax,[eax]    ;## Generate Exception ## (read from address 0)
pop fs:[0]                   ; unlink our record
add esp,4
jmp exit
exceptHandler:
pusha
invoke MessageBox,NULL, ADDR testo, ADDR titolo, MB_OK
popa
xor eax,eax                  ; return 0 = ExceptionContinueExecution, EAX in the context is left untouched
ret
exit:
invoke ExitProcess, 0
end START

As you can see, this is just an SEH handler that gets called in an infinite loop: the handler returns ExceptionContinueExecution without repairing the faulting context, so the same instruction faults again and the handler runs once more. If this sample is debugged with the IDA Debugger it produces a crash dump and IDA is blocked.

From the dump analysis (!analyze -v) we can see that the problem is caused by KiFastSystemCallRet:

0:000> !analyze -v

FAULTING_IP:
+0
00000000 ??              ???
EXCEPTION_RECORD:  ffffffff — (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD:  000003dc
DEFAULT_BUCKET_ID:  FILL_PATTERN_ffffffff
PROCESS_NAME:  idag.exe
ERROR_CODE: (NTSTATUS) 0x80000003 – {ERRORE DI EXCEPTION}  Breakpoint  È stato raggiunto un breakpoint.
APPLICATION_VERIFIER_FLAGS:  0
PRIMARY_PROBLEM_CLASS:  FILL_PATTERN_ffffffff
BUGCHECK_STR:  APPLICATION_FAULT_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER:  from 7c91e027 to 7c91eb94
STACK_TEXT:
0012a250 7c91e027 7c80aaed ffffffff 0000000c ntdll!KiFastSystemCallRet
0012a254 7c80aaed ffffffff 0000000c 7c91e639 ntdll!NtQueryInformationProcess+0xc
0012a284 7c8132b1 7c8132c4 000001e4 00000364 kernel32!GetErrorMode+0x18
0012a548 00000000 0012a6f0 03de0cd3 03de0ce8 kernel32!GetLongPathNameW+0x3ab
STACK_COMMAND:  ~0s; .ecxr ; kb
FOLLOWUP_IP:
ntdll!KiFastSystemCallRet+0
7c91eb94 c3              ret
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  ntdll!KiFastSystemCallRet+0
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ntdll
IMAGE_NAME:  ntdll.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  41252c01
FAILURE_BUCKET_ID:  FILL_PATTERN_ffffffff_80000003_ntdll.dll!KiFastSystemCallRet
BUCKET_ID:  APPLICATION_FAULT_FILL_PATTERN_ffffffff_ntdll!KiFastSystemCallRet+0

And this is the stack backtrace of all threads (~*k):

0:000> ~*k

.  0  Id: 364.3dc Suspend: 0 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr
0012a250 7c91e027 ntdll!KiFastSystemCallRet
0012a254 7c80aaed ntdll!NtQueryInformationProcess+0xc
0012a284 7c8132b1 kernel32!GetErrorMode+0x18
0012a548 00000000 kernel32!GetLongPathNameW+0x3ab

1  Id: 364.574 Suspend: 0 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr
0157fd54 7c91e9c0 ntdll!KiFastSystemCallRet
0157fd58 719d4033 ntdll!ZwWaitForSingleObject+0xc
0157fd94 719e104f mswsock!SockWaitForSingleObject+0x1a0
0157fe14 71a3f6cf mswsock!WSPRecvFrom+0x1f0
0157fe58 71a5303e ws2_32!WSARecvFrom+0x7d
0157fe8c 004fc31b wsock32!recvfrom+0x39
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 idag!Debugger_breakpointFinalize+0x1ce7
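To make crash dumps like the two listings above easier to triage in bulk, here is a small parser for WinDbg's `!analyze -v` summary and `~*k` per-thread backtrace. It is an added example written for this page, not code from the post or from IDA; the embedded input is an abridged copy of the post's own listings, and the regular expressions assume the 32-bit frame layout WinDbg prints for `k`/`kb` (ChildEBP, RetAddr, optional argument columns, symbol). It reports which thread faulted, the top frame, and which threads contain frames WinDbg flagged as unreliable after "Stack unwind information not available", which here is the thread that ends inside idag itself.

```python
import re
from dataclasses import dataclass, field

# Sample input (abridged copy of the two WinDbg listings quoted in the post).
ANALYZE_OUTPUT = """\
FAULTING_IP:
+0
00000000 ??              ???
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
FAULTING_THREAD:  000003dc
PROCESS_NAME:  idag.exe
STACK_TEXT:
0012a250 7c91e027 7c80aaed ffffffff 0000000c ntdll!KiFastSystemCallRet
0012a254 7c80aaed ffffffff 0000000c 7c91e639 ntdll!NtQueryInformationProcess+0xc
0012a284 7c8132b1 7c8132c4 000001e4 00000364 kernel32!GetErrorMode+0x18
0012a548 00000000 0012a6f0 03de0cd3 03de0ce8 kernel32!GetLongPathNameW+0x3ab
SYMBOL_NAME:  ntdll!KiFastSystemCallRet+0
FAILURE_BUCKET_ID:  FILL_PATTERN_ffffffff_80000003_ntdll.dll!KiFastSystemCallRet
"""

BACKTRACE_OUTPUT = """\
.  0  Id: 364.3dc Suspend: 0 Teb: 7ffde000 Unfrozen
ChildEBP RetAddr
0012a250 7c91e027 ntdll!KiFastSystemCallRet
0012a254 7c80aaed ntdll!NtQueryInformationProcess+0xc
0012a284 7c8132b1 kernel32!GetErrorMode+0x18
0012a548 00000000 kernel32!GetLongPathNameW+0x3ab

   1  Id: 364.574 Suspend: 0 Teb: 7ffdd000 Unfrozen
ChildEBP RetAddr
0157fd54 7c91e9c0 ntdll!KiFastSystemCallRet
0157fd58 719d4033 ntdll!ZwWaitForSingleObject+0xc
0157fd94 719e104f mswsock!SockWaitForSingleObject+0x1a0
0157fe14 71a3f6cf mswsock!WSPRecvFrom+0x1f0
0157fe58 71a5303e ws2_32!WSARecvFrom+0x7d
0157fe8c 004fc31b wsock32!recvfrom+0x39
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 idag!Debugger_breakpointFinalize+0x1ce7
"""

# 32-bit frame: ChildEBP RetAddr [args...] symbol ; thread header: "N  Id: pid.tid ..."
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})(?: [0-9a-f]{8})* (\S+)$")
THREAD_HDR_RE = re.compile(r"^[.#\s]*(\d+)\s+Id:\s+([0-9a-f]+)\.([0-9a-f]+)\s")
KEY_VALUE_RE = re.compile(r"^([A-Za-z_]+):\s*(.*)$")
UNWIND_WARNING = "WARNING: Stack unwind information not available"


@dataclass
class Frame:
    child_ebp: int
    ret_addr: int
    symbol: str
    reliable: bool = True  # False for frames printed after the unwind warning


@dataclass
class Thread:
    index: int
    tid: int
    frames: list = field(default_factory=list)

    @property
    def has_unreliable_frames(self) -> bool:
        return any(not f.reliable for f in self.frames)


def parse_analyze(text: str) -> dict:
    """Extract the key/value fields and STACK_TEXT frames from !analyze -v."""
    fields, frames = {}, []
    for line in text.splitlines():
        m = FRAME_RE.match(line.rstrip())
        if m:
            frames.append(Frame(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
            continue
        m = KEY_VALUE_RE.match(line.rstrip())
        if m and m.group(2):  # skip bare section headers such as "STACK_TEXT:"
            fields[m.group(1)] = m.group(2).strip()
    return {
        "process_name": fields.get("PROCESS_NAME"),
        "exception_code": int(fields["ExceptionCode"].split()[0], 16),
        "faulting_thread": int(fields["FAULTING_THREAD"], 16),
        "failure_bucket_id": fields.get("FAILURE_BUCKET_ID"),
        "top_frame": frames[0].symbol if frames else None,
        "frames": frames,
    }


def parse_backtrace(text: str) -> list:
    """Split ~*k output into threads; mark frames after the unwind warning unreliable."""
    threads, unreliable = [], False
    for line in text.splitlines():
        line = line.rstrip()
        m = THREAD_HDR_RE.match(line)
        if m:
            threads.append(Thread(int(m.group(1)), int(m.group(3), 16)))
            unreliable = False  # the warning only applies within one thread's stack
            continue
        if line.startswith(UNWIND_WARNING):
            unreliable = True
            continue
        m = FRAME_RE.match(line)
        if m and threads:
            threads[-1].frames.append(
                Frame(int(m.group(1), 16), int(m.group(2), 16), m.group(3), reliable=not unreliable))
    return threads


def triage(analysis: dict, threads: list) -> dict:
    """Summarise the dump: faulting thread, top frame, and where the debuggee's own code last appears."""
    module = (analysis["process_name"] or "").rsplit(".", 1)[0]  # "idag.exe" -> "idag"
    faulting = [t for t in threads if t.tid == analysis["faulting_thread"]]
    return {
        "process": analysis["process_name"],
        "exception_code": f"0x{analysis['exception_code']:08x}",
        "is_breakpoint": analysis["exception_code"] == 0x80000003,
        "faulting_thread_index": faulting[0].index if faulting else None,
        "top_frame": analysis["top_frame"],
        "threads_with_unreliable_unwind": [t.index for t in threads if t.has_unreliable_frames],
        "last_app_frame": next(
            (f.symbol for t in threads for f in t.frames if f.symbol.startswith(module + "!")), None),
    }


if __name__ == "__main__":
    print(triage(parse_analyze(ANALYZE_OUTPUT), parse_backtrace(BACKTRACE_OUTPUT)))
```

The unreliable-frame flag is the useful signal here: the faulting thread's stack stops in kernel32/ntdll, while the only frame inside idag (`Debugger_breakpointFinalize`) sits on thread 1 after WinDbg lost unwind information, so it should be confirmed manually before being trusted as the crash site.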
