Re: Unhandled exception when pushing esi



Here it is:

MyFilterDrv!RtlStringCbCopyNW:
f03ada26 8bff mov edi,edi
f03ada28 55 push ebp
f03ada29 8bec mov ebp,esp
f03ada2b 8b4d0c mov ecx,[ebp+0xc]
f03ada2e 8b4514 mov eax,[ebp+0x14]
f03ada31 d1e9 shr ecx,1
f03ada33 baffffff7f mov edx,0x7fffffff
f03ada38 d1e8 shr eax,1
f03ada3a 3bca cmp ecx,edx
f03ada3c 7713 ja MyFilterDrv!RtlStringCbCopyNW+0x2b (f03ada51)
f03ada3e 3bc2 cmp eax,edx
f03ada40 770f ja MyFilterDrv!RtlStringCbCopyNW+0x2b (f03ada51)
f03ada42 50 push eax
f03ada43 ff7510 push dword ptr [ebp+0x10]
f03ada46 51 push ecx
f03ada47 ff7508 push dword ptr [ebp+0x8]
f03ada4a e895feffff call MyFilterDrv!RtlStringCopyNWorkerW (f03ad8e4)
f03ada4f eb05 jmp MyFilterDrv!RtlStringCbCopyNW+0x30 (f03ada56)
f03ada51 b80d0000c0 mov eax,0xc000000d
f03ada56 5d pop ebp
f03ada57 c21000 ret 0x10

About the change of stack, it was changed after the .trap f0b82628
command. The stack has a better representation after the command:
CStr::operator+= -> CStr::Cat.

The strange thing is that I don't see how I am calling
RtlStringCbCopyNW. Essentially my code is trying to cat a string (last
2 params to RtlStringCbCatNW) to another string (first 2 params to
RtlStringCbCatNW.) See f03a5f29. I have checked all the unicode strings
and they are all valid and are null terminated correctly. The
RtlStringCbCatNW will first see if the destination string has at least
one character space, if not it returns an error. Then it calls the
RtlStringCatNWorkerW. The worker will then determine the destination
string's current length. After that the concatenation can be done just
like a normal string copy by changing the target to the end of the
destination string. This is done in RtlStringCopyNWorkerW.

MyFilterDrv!CStr::operator+=:
f03a6e4a 8bff mov edi,edi
f03a6e4c 55 push ebp
f03a6e4d 8bec mov ebp,esp
f03a6e4f 8b4508 mov eax,[ebp+0x8]
f03a6e52 56 push esi
f03a6e53 6aff push 0xff
f03a6e55 ffb008010000 push dword ptr [eax+0x108]
f03a6e5b 8bf1 mov esi,ecx
f03a6e5d e87cf0ffff call MyFilterDrv!CStr::Cat (f03a5ede)
f03a6e62 84c0 test al,al
f03a6e64 7504 jnz MyFilterDrv!CStr::operator+=+0x20 (f03a6e6a)
f03a6e66 33c0 xor eax,eax
f03a6e68 eb06 jmp MyFilterDrv!CStr::operator+=+0x26 (f03a6e70)
f03a6e6a 8b8608010000 mov eax,[esi+0x108]
f03a6e70 5e pop esi
f03a6e71 5d pop ebp
f03a6e72 c20400 ret 0x4

MyFilterDrv!CStr::Cat:
f03a5ede 8bff mov edi,edi
f03a5ee0 55 push ebp
f03a5ee1 8bec mov ebp,esp
f03a5ee3 837d0800 cmp dword ptr [ebp+0x8],0x0
f03a5ee7 56 push esi
f03a5ee8 8bf1 mov esi,ecx
f03a5eea 7504 jnz MyFilterDrv!CStr::Cat+0x12 (f03a5ef0)
f03a5eec b001 mov al,0x1
f03a5eee eb5e jmp MyFilterDrv!CStr::Cat+0x70 (f03a5f4e)
f03a5ef0 57 push edi
f03a5ef1 8b7d0c mov edi,[ebp+0xc]
f03a5ef4 83ffff cmp edi,0xffffffff
f03a5ef7 750e jnz MyFilterDrv!CStr::Cat+0x29 (f03a5f07)
f03a5ef9 ff7508 push dword ptr [ebp+0x8]
f03a5efc ff1504eb3af0 call dword ptr [MyFilterDrv!_imp__wcslen (f03aeb04)]
f03a5f02 8bf8 mov edi,eax
f03a5f04 59 pop ecx
f03a5f05 d1e7 shl edi,1
f03a5f07 57 push edi
f03a5f08 8bce mov ecx,esi
f03a5f0a e87ff7ffff call MyFilterDrv!CStr::Grow (f03a568e)
f03a5f0f 84c0 test al,al
f03a5f11 7504 jnz MyFilterDrv!CStr::Cat+0x39 (f03a5f17)
f03a5f13 32c0 xor al,al
f03a5f15 eb36 jmp MyFilterDrv!CStr::Cat+0x6f (f03a5f4d)
f03a5f17 0fb78606010000 movzx eax,word ptr [esi+0x106]
f03a5f1e 57 push edi
f03a5f1f ff7508 push dword ptr [ebp+0x8]
f03a5f22 50 push eax
f03a5f23 ffb608010000 push dword ptr [esi+0x108]
f03a5f29 e8ee7b0000 call MyFilterDrv!RtlStringCbCatNW (f03adb1c)
f03a5f2e 85c0 test eax,eax
f03a5f30 7ce1 jl MyFilterDrv!CStr::Cat+0x35 (f03a5f13)
f03a5f32 8b8e08010000 mov ecx,[esi+0x108]
f03a5f38 8d8604010000 lea eax,[esi+0x104]
f03a5f3e 660138 add [eax],di
f03a5f41 0fb700 movzx eax,word ptr [eax]
f03a5f44 d1e8 shr eax,1
f03a5f46 6683244100 and word ptr [ecx+eax*2],0x0
f03a5f4b b001 mov al,0x1
f03a5f4d 5f pop edi
f03a5f4e 5e pop esi
f03a5f4f 5d pop ebp
f03a5f50 c20800 ret 0x8

MyFilterDrv!RtlStringCbCatNW:
f03adb1c 8bff mov edi,edi
f03adb1e 55 push ebp
f03adb1f 8bec mov ebp,esp
f03adb21 8b450c mov eax,[ebp+0xc]
f03adb24 d1e8 shr eax,1
f03adb26 3dffffff7f cmp eax,0x7fffffff
f03adb2b 7607 jbe MyFilterDrv!RtlStringCbCatNW+0x18 (f03adb34)
f03adb2d b80d0000c0 mov eax,0xc000000d
f03adb32 eb12 jmp MyFilterDrv!RtlStringCbCatNW+0x2a (f03adb46)
f03adb34 8b4d14 mov ecx,[ebp+0x14]
f03adb37 d1e9 shr ecx,1
f03adb39 51 push ecx
f03adb3a ff7510 push dword ptr [ebp+0x10]
f03adb3d 50 push eax
f03adb3e ff7508 push dword ptr [ebp+0x8]
f03adb41 e89affffff call MyFilterDrv!RtlStringCatNWorkerW (f03adae0)
f03adb46 5d pop ebp
f03adb47 c21000 ret 0x10
f03adb4a cc int 3
f03adb4b cc int 3
f03adb4c cc int 3
f03adb4d cc int 3
f03adb4e cc int 3
f03adb4f cc int 3
MyFilterDrv!__SEH_prolog:
f03adb50 6876d83af0 push 0xf03ad876
f03adb55 64a100000000 mov eax,fs:[00000000]
f03adb5b 50 push eax
f03adb5c 8b442410 mov eax,[esp+0x10]
f03adb60 896c2410 mov [esp+0x10],ebp
f03adb64 8d6c2410 lea ebp,[esp+0x10]
f03adb68 2be0 sub esp,eax
f03adb6a 53 push ebx
f03adb6b 56 push esi
f03adb6c 57 push edi
f03adb6d 8b45f8 mov eax,[ebp-0x8]
f03adb70 8965e8 mov [ebp-0x18],esp
f03adb73 50 push eax
f03adb74 8b45fc mov eax,[ebp-0x4]
f03adb77 c745fcffffffff mov dword ptr [ebp-0x4],0xffffffff
f03adb7e 8945f8 mov [ebp-0x8],eax
f03adb81 8d45f0 lea eax,[ebp-0x10]
f03adb84 64a300000000 mov fs:[00000000],eax
f03adb8a c3 ret
MyFilterDrv!__SEH_epilog:
f03adb8b 8b4df0 mov ecx,[ebp-0x10]
f03adb8e 64890d00000000 mov fs:[00000000],ecx
f03adb95 59 pop ecx
f03adb96 5f pop edi
f03adb97 5e pop esi
f03adb98 5b pop ebx
f03adb99 c9 leave
f03adb9a 51 push ecx
f03adb9b c3 ret
MyFilterDrv!RtlStringCatNWorkerW:
f03adae0 8bff mov edi,edi
f03adae2 55 push ebp
f03adae3 8bec mov ebp,esp
f03adae5 56 push esi
f03adae6 8b750c mov esi,[ebp+0xc]
f03adae9 57 push edi
f03adaea 8b7d08 mov edi,[ebp+0x8]
f03adaed 8d450c lea eax,[ebp+0xc]
f03adaf0 50 push eax
f03adaf1 56 push esi
f03adaf2 57 push edi
f03adaf3 e892feffff call MyFilterDrv!RtlStringLengthWorkerW (f03ad98a)
f03adaf8 85c0 test eax,eax
f03adafa 7c15 jl MyFilterDrv!RtlStringCatNWorkerW+0x31 (f03adb11)
f03adafc ff7514 push dword ptr [ebp+0x14]
f03adaff 8b450c mov eax,[ebp+0xc]
f03adb02 ff7510 push dword ptr [ebp+0x10]
f03adb05 2bf0 sub esi,eax
f03adb07 56 push esi
f03adb08 8d0447 lea eax,[edi+eax*2]
f03adb0b 50 push eax
f03adb0c e8d3fdffff call MyFilterDrv!RtlStringCopyNWorkerW (f03ad8e4)
f03adb11 5f pop edi
f03adb12 5e pop esi
f03adb13 5d pop ebp
f03adb14 c21000 ret 0x10


MyFilterDrv!RtlStringCopyNWorkerW:
f03ad8e4 8bff mov edi,edi
f03ad8e6 55 push ebp
f03ad8e7 8bec mov ebp,esp
f03ad8e9 57 push edi
f03ad8ea 8b7d0c mov edi,[ebp+0xc]
f03ad8ed 33c0 xor eax,eax
f03ad8ef 85ff test edi,edi
f03ad8f1 7507 jnz MyFilterDrv!RtlStringCopyNWorkerW+0x16 (f03ad8fa)
f03ad8f3 b80d0000c0 mov eax,0xc000000d
f03ad8f8 eb34 jmp MyFilterDrv!RtlStringCopyNWorkerW+0x4a (f03ad92e)
f03ad8fa 8b5508 mov edx,[ebp+0x8]
f03ad8fd 56 push esi
f03ad8fe 8b7510 mov esi,[ebp+0x10]
f03ad901 837d1400 cmp dword ptr [ebp+0x14],0x0
f03ad905 7417 jz MyFilterDrv!RtlStringCopyNWorkerW+0x3a (f03ad91e)
f03ad907 668b0e mov cx,[esi]
f03ad90a 6685c9 test cx,cx
f03ad90d 740f jz MyFilterDrv!RtlStringCopyNWorkerW+0x3a (f03ad91e)
f03ad90f 66890a mov [edx],cx
f03ad912 42 inc edx
f03ad913 42 inc edx
f03ad914 46 inc esi
f03ad915 46 inc esi
f03ad916 4f dec edi
f03ad917 ff4d14 dec dword ptr [ebp+0x14]
f03ad91a 85ff test edi,edi
f03ad91c 75e3 jnz MyFilterDrv!RtlStringCopyNWorkerW+0x1d (f03ad901)
f03ad91e 85ff test edi,edi
f03ad920 5e pop esi
f03ad921 7507 jnz MyFilterDrv!RtlStringCopyNWorkerW+0x46 (f03ad92a)
f03ad923 4a dec edx
f03ad924 4a dec edx
f03ad925 b805000080 mov eax,0x80000005
f03ad92a 66832200 and word ptr [edx],0x0
f03ad92e 5f pop edi
f03ad92f 5d pop ebp
f03ad930 c21000 ret 0x10


Thanks again.

Skywing wrote:
Also, this mismatch between the two stack traces here is a bit strange:

f0b8264c f03ada4f f0b826cc 00000000 00000023 nt!KiUnexpectedInterruptTail+0x207
f0b8269c f03a6e62 f0b826cc ffffffff e2184f54 MyFilterDrv!RtlStringCbCopyNW+0x29 (FPO: [Non-Fpo]) (CONV: stdcall) [d:\srvrtm\public\ddk\inc\ntstrsafe.h @ 1330]
f0b826b0 f03ac0c4 f0b826cc 00000001 8117ed44 MyFilterDrv!CStr::operator+=+0x18 (FPO: [Non-Fpo]) (CONV: thiscall) [F:\MyFilterDrv\str.h @ 217]

f0b8269c f03a6e62 f0b826cc ffffffff e2184f54 MyFilterDrv!CStr::Cat+0x9 (FPO: [Non-Fpo]) (CONV: thiscall) [F:\MyFilterDrv\str.h @ 751]
f0b826b0 f03ac0c4 f0b826cc 00000001 8117ed44 MyFilterDrv!CStr::operator+=+0x18 (FPO: [Non-Fpo]) (CONV: thiscall) [F:\MyFilterDrv\str.h @ 217]

If you unassemble f03ada4f, what do you get?
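Added example, not code from the original post or from the driver under discussion: a portable C reconstruction of the ntstrsafe.h call chain that the listings above show (RtlStringCbCatNW -> RtlStringCatNWorkerW -> RtlStringLengthWorkerW / RtlStringCopyNWorkerW), written to make the byte-to-character halving, the 0x7fffffff check, the STATUS_INVALID_PARAMETER (0xC000000D) and STATUS_BUFFER_OVERFLOW (0x80000005) paths, and the "back up one character for the terminator" step in the copy worker visible on ordinary input. All names carry an x_ prefix and are hypothetical; the length worker is not shown in the post, so it is written to the documented strsafe behaviour (fail if no terminator within cchMax); the sample strings are constructed. WCHAR is modelled as uint16_t so that cb >> 1 == cch exactly as in the listing, regardless of the host's wchar_t size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint16_t x_wchar;   /* 2-byte WCHAR, so cb >> 1 == cch exactly as the listing does it */
typedef int32_t  x_status;  /* stands in for NTSTATUS: negative values fail the jl/NT_SUCCESS test */
#define X_STATUS_SUCCESS           ((x_status)0x00000000)
#define X_STATUS_BUFFER_OVERFLOW   ((x_status)0x80000005)  /* mov eax,0x80000005 in the copy worker */
#define X_STATUS_INVALID_PARAMETER ((x_status)0xC000000D)  /* mov eax,0xc000000d */
#define X_MAX_CCH                  ((size_t)0x7fffffff)    /* cmp eax,0x7fffffff in RtlStringCbCatNW */

/* Constructed-input helpers (hypothetical): widen an ASCII literal into a
 * WCHAR buffer, always terminated, and compare a WCHAR string to ASCII. */
static size_t x_from_ascii(const char *s, x_wchar *out, size_t cchOut)
{
    size_t i = 0;
    for (; i + 1 < cchOut && s[i] != '\0'; i++) out[i] = (x_wchar)(unsigned char)s[i];
    out[i] = 0;
    return i;
}

static int x_equals_ascii(const x_wchar *w, const char *s)
{
    for (; *w != 0 && *s != '\0' && *w == (x_wchar)(unsigned char)*s; w++, s++) ;
    return *w == 0 && *s == '\0';
}

/* RtlStringLengthWorkerW (not in the post): length of psz, failing with
 * STATUS_INVALID_PARAMETER when no terminator is found within cchMax. */
static x_status x_length_worker(const x_wchar *psz, size_t cchMax, size_t *pcchLength)
{
    size_t n = 0;
    while (n < cchMax && psz[n] != 0) n++;
    if (n == cchMax) return X_STATUS_INVALID_PARAMETER;
    *pcchLength = n;
    return X_STATUS_SUCCESS;
}

/* RtlStringCopyNWorkerW as listed: cchDest == 0 is rejected; otherwise copy
 * until the destination, the count or the source runs out. If the destination
 * filled up, step back one character so the terminator still fits and report
 * STATUS_BUFFER_OVERFLOW; the terminator is written on both paths. */
static x_status x_copy_worker(x_wchar *dst, size_t cchDest, const x_wchar *src, size_t cchToCopy)
{
    x_status st = X_STATUS_SUCCESS;
    if (cchDest == 0) return X_STATUS_INVALID_PARAMETER;
    while (cchDest != 0 && cchToCopy != 0 && *src != 0) {
        *dst++ = *src++;
        cchDest--;
        cchToCopy--;
    }
    if (cchDest == 0) {
        dst--;                                 /* dec edx; dec edx */
        st = X_STATUS_BUFFER_OVERFLOW;
    }
    *dst = 0;                                  /* and word ptr [edx],0x0 */
    return st;
}

/* RtlStringCatNWorkerW as listed: measure the current destination, then
 * copy into its tail (dst + len, cchDest - len). */
static x_status x_cat_worker(x_wchar *dst, size_t cchDest, const x_wchar *src, size_t cchToAppend)
{
    size_t len;
    x_status st = x_length_worker(dst, cchDest, &len);
    if (st < 0) return st;                     /* test eax,eax / jl */
    return x_copy_worker(dst + len, cchDest - len, src, cchToAppend);
}

/* RtlStringCbCatNW as listed: halve the byte counts (shr ...,1) and reject a
 * destination above 0x7fffffff characters before calling the worker. */
static x_status x_cb_cat_n(x_wchar *dst, size_t cbDest, const x_wchar *src, size_t cbToAppend)
{
    size_t cchDest = cbDest >> 1;
    if (cchDest > X_MAX_CCH) return X_STATUS_INVALID_PARAMETER;
    return x_cat_worker(dst, cchDest, src, cbToAppend >> 1);
}

/* Widen a constructed destination (8-character buffer) and source, then append. */
static x_status x_case(const char *dest, const char *src, x_wchar buf[8])
{
    x_wchar s[8];
    size_t n;
    x_from_ascii(dest, buf, 8);
    n = x_from_ascii(src, s, 8);
    return x_cb_cat_n(buf, 8 * sizeof(x_wchar), s, (n + 1) * sizeof(x_wchar));
}

/* Returns 1 when the three constructed cases behave as the listing implies:
 * "abc"+"de" fits; "abcde"+"fghij" is cut to "abcdefg" with BUFFER_OVERFLOW;
 * a destination with no terminator inside cbDest never reaches the copy. */
static int x_demo_ok(void)
{
    x_wchar a[8], b[8], c[4] = { 'a', 'b', 'c', 'd' }, e[2] = { 'e', 0 }; /* c: no null */
    int ok = x_case("abc", "de", a) == X_STATUS_SUCCESS && x_equals_ascii(a, "abcde");
    ok = ok && x_case("abcde", "fghij", b) == X_STATUS_BUFFER_OVERFLOW && x_equals_ascii(b, "abcdefg");
    ok = ok && x_cb_cat_n(c, sizeof c, e, sizeof e) == X_STATUS_INVALID_PARAMETER;
    return ok;
}

int main(void)
{
    printf("strsafe reconstruction: %s\n", x_demo_ok() ? "all cases as expected" : "MISMATCH");
    return x_demo_ok() ? 0 : 1;
}
```

The point for a caller like CStr::Cat is that the worker's return value must be tested before the destination's own length field is updated: both 0xC000000D and the 0x80000005 truncation warning are negative, so the `test eax,eax / jl` in the listing treats a truncated append as a failure, and the destination is still terminated within cbDest in every path that reaches the copy.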