Problem

I'm debugging a file parser (Win32). Every time I feed a certain file to it, it crashes at the same position. I don't have access to the source code of that application. I tried to analyze the root cause of the crash; it seems to be some kind of array out-of-bounds read error, but I'm not sure whether any memory is getting corrupted inside it. I've used ADPlus for the crash dump, and below I've added the mini dump and the ADPlus log.

https://dl.dropboxusercontent.com/u/107519001/MINIDUMP_FirstChance_av_AccessViolation_FileParser.exe__0e04_2013-10-25_20-26-29-893_084c.dmp

&

https://dl.dropboxusercontent.com/u/107519001/ADPlus_log_0e04_2013-10-25_20-26-18-707.log

Debugging Information:

https://dl.dropboxusercontent.com/u/107519001/vc90.pdb

Can anybody please assist me in getting to the root cause of the access violation crash?

Thanks in advance,


Solution

FileParser reads binary data from inline1.exe and expects to see valid offsets and structure layout, but instead an access violation occurs. The binary has no valid header layout etc. Maybe the binary is compressed or encrypted.

Manual stack reconstruction:

0:000> kn =0012f674 0012f674 004071f1
 # ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012f674 73dd1eb6 FileParser+0x71f1
01 0012f6ec 73dd1b9b mfc42!CWnd::OnWndMsg+0x2f4
02 0012f70c 73dd1b05 mfc42!CWnd::WindowProc+0x24
03 0012f76c 73dd2c9c mfc42!AfxCallWndProc+0x91
04 0012f790 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x36
05 0012f7b8 73dd2cd0 mfc42!CWnd::SendMessageToDescendants+0x6a
06 0012f7e0 73ddca6f mfc42!CWnd::SendMessageToDescendants+0x6a
07 0012f808 73ddca0a mfc42!CFrameWnd::InitialUpdateFrame+0x5d
08 0012f814 73de3bd2 mfc42!CDocTemplate::InitialUpdateFrame+0x11
09 0012f844 73de13cf mfc42!CMultiDocTemplate::OpenDocumentFile+0x101
0a 0012fb78 73e3929c mfc42!CDocManager::OpenDocumentFile+0x14c
0b 0012fca0 73dd1fd3 mfc42!CFrameWnd::OnDropFiles+0x76
0c 0012fd1c 73dd1b9b mfc42!CWnd::OnWndMsg+0x411
0d 0012fd3c 73dd1b05 mfc42!CWnd::WindowProc+0x24
0e 0012fd9c 73dd1a58 mfc42!AfxCallWndProc+0x91
0f 0012fdbc 73e6847d mfc42!AfxWndProc+0x36
10 0012fde8 77d48709 mfc42!AfxWndProcBase+0x39
11 0012fe14 77d487eb user32!InternalCallWinProc+0x28
12 0012fe7c 77d489a5 user32!UserCallWinProcCheckWow+0x150
13 0012fedc 77d4bccc user32!DispatchMessageWorker+0x306
14 0012feec 73dd125a user32!DispatchMessageA+0xf
15 0012fefc 73ddb55f mfc42!CWinThread::PumpMessage+0x3c
16 0012ff14 73ddcf95 mfc42!CWinThread::Run+0x48
17 0012ff24 00409472 mfc42!AfxWinMain+0x6a
18 0012ffc0 7c816d4f FileParser+0x9472
19 0012fff0 00000000 kernel32!BaseProcessStart+0x23

Unassembling from FileParser+0x71f1 until FileParser+0x7212, where the access violation occurs:

004071ec e8e71b0000      call    FileParser+0x8dd8 (00408dd8)   
004071f1 84db            test    bl,bl
004071f3 0f846f050000    je      FileParser+0x7768 (00407768)
004071f9 8b442414        mov     eax,dword ptr [esp+14h]    *Base address of inline1.exe binary 
004071fd 8b483c          mov     ecx,dword ptr [eax+3Ch]    *must be offset at _IMAGE_NT_HEADERS 
00407200 8b5c0178        mov     ebx,dword ptr [ecx+eax+78h]*must be _IMAGE_DATA_DIRECTORY
00407204 8d4c0118        lea     ecx,[ecx+eax+18h]      *must be _IMAGE_OPTIONAL_HEADER
00407208 03d8            add     ebx,eax            *must be VA _IMAGE_DATA_DIRECTORY
0040720a 8d4c2418        lea     ecx,[esp+18h]      * 
0040720e 895c2434        mov     dword ptr [esp+34h],ebx    *
00407212 8b530c          mov     edx,dword ptr [ebx+0Ch]    *Access violation here 

The access violation occurs because ebx points to 3fb80000 instead of inside the binary file, which spans from b80000 for ImageSize: 00006000.

The base address of inline1.exe is loaded into the eax register: mov eax,dword ptr [esp+14h]

0:000> dps esp+14 L1
0012f510  00b80000 inline1
0:000> lmvm inline1
start    end        module name
00b80000 00b86000   inline1  T (no symbols)           
Loaded symbol image file: inline1.exe
Image path: C:\Documents and Settings\debasish mandal\Desktop\inline1.exe
Image name: inline1.exe
Timestamp:        Sat Sep 28 21:27:18 2013 (52471176)
CheckSum:         00011C84
ImageSize:        00006000
File version:     0.0.0.0
Product version:  0.0.0.0
File flags:       0 (Mask 0)
File OS:          0 Unknown Base
File type:        0.0 Unknown
File date:        00000000.00000000
Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
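As an added example (not code from the question or either answer), here is the bounds check that the FileParser code at 004071fd-00407212 is missing, written in C against a constructed in-memory PE32 image. The field offsets are the standard PE32 ones the answer annotates (e_lfanew at 0x3C, DataDirectory[0] at NT+0x78, IMAGE_EXPORT_DIRECTORY.Name at +0x0C); treating the buffer as a mapped image where RVA equals offset is an assumption that matches the crashing code's base+RVA arithmetic.

```c
#include <stdint.h>
#include <string.h>

/* Standard PE32 offsets used below (not taken from FileParser's source). */
#define DOS_E_LFANEW        0x3C        /* IMAGE_DOS_HEADER.e_lfanew */
#define NT_SIG              0x00004550u /* "PE\0\0" */
#define NT_HEADERS_PE32     (0x18 + 0xE0) /* Signature+FileHeader+OptionalHeader */
#define NT_EXPORT_DIR_RVA   0x78        /* DataDirectory[0].VirtualAddress */
#define NT_EXPORT_DIR_SIZE  0x7C        /* DataDirectory[0].Size */
#define EXPORT_DIR_BYTES    0x28        /* sizeof(IMAGE_EXPORT_DIRECTORY) */

/* 1 if [off, off+len) lies inside a mapped image of img_size bytes (overflow-safe). */
static int in_image(uint32_t off, uint32_t len, uint32_t img_size) {
    return off <= img_size && len <= img_size - off;
}

/* Returns the image offset of the export directory, or 0 when the headers are
 * inconsistent. The crashing code computes base + e_lfanew + 0x78, adds the
 * RVA found there to base, and dereferences [ebx+0Ch] without any check. */
uint32_t export_dir_offset(const uint8_t *img, uint32_t img_size) {
    uint32_t nt, sig, rva, size;
    if (!in_image(DOS_E_LFANEW, 4, img_size)) return 0;
    memcpy(&nt, img + DOS_E_LFANEW, 4);
    if (!in_image(nt, NT_HEADERS_PE32, img_size)) return 0;
    memcpy(&sig, img + nt, 4);
    if (sig != NT_SIG) return 0;
    memcpy(&rva,  img + nt + NT_EXPORT_DIR_RVA, 4);
    memcpy(&size, img + nt + NT_EXPORT_DIR_SIZE, 4);
    if (rva == 0 || size < EXPORT_DIR_BYTES) return 0;
    /* The missing check: an RVA of 0x3F000000 lands at 3fb80000 for a base of
     * b80000, far outside the 0x6000-byte image, so reading Name at +0x0C faults. */
    if (!in_image(rva, EXPORT_DIR_BYTES, img_size)) return 0;
    return rva;
}

/* Constructed 0x6000-byte PE32 image (same ImageSize as inline1.exe) with a
 * chosen export directory RVA; everything else is zero. */
#define IMG_SIZE 0x6000u
static uint8_t g_img[IMG_SIZE];
uint8_t *make_image(uint32_t export_rva) {
    uint32_t nt = 0x80, sig = NT_SIG, size = EXPORT_DIR_BYTES;
    memset(g_img, 0, sizeof g_img);
    memcpy(g_img + DOS_E_LFANEW, &nt, 4);
    memcpy(g_img + nt, &sig, 4);
    memcpy(g_img + nt + NT_EXPORT_DIR_RVA, &export_rva, 4);
    memcpy(g_img + nt + NT_EXPORT_DIR_SIZE, &size, 4);
    return g_img;
}
```

For a raw file on disk rather than a mapped image, the RVA must additionally be translated through the section table before the same range check is applied.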

Other tips

0:000> .ecxr
eax=00b80000 ebx=3fb80000 ecx=0012f514 edx=0012f448 esi=0012f628 edi=0012f650
eip=00407212 esp=0012f4fc ebp=00000000 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
FileParser+0x7212:
00407212 8b530c          mov     edx,dword ptr [ebx+0Ch] ds:0023:3fb8000c=????????
0:000> kvn
 *** Stack trace for last set context - .thread/.cxr resets it
# ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00000000 00000000 00000000 00000000 00000000 FileParser+0x7212

We must have FileParser.pdb to have a chance to figure out what has happened. The @ebp looks not good.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow