It’s not my fault! – A case of remote code injection gone bad

Today we’ll examine a case where a crash is occurring in a Microsoft process, in core Windows code, but the culprit isn’t the crashing code.  In fact, the culprit isn’t even running in the process that crashed!  But before I get ahead of myself, let’s start by examining a crash dump that shows the problem…

Debug Fundamentals Exercise 3: Calling conventions

Today’s exercise will focus on x86 function calling conventions.  The calling convention of a function describes the following:
·  The order in which parameters are passed
·  Where parameters are placed (pushed on the stack or placed in registers)
·  Whether the caller or the callee is responsible for unwinding the stack on return…

Debug Fundamentals Exercise 2: Some reverse engineering for Thanksgiving

Continuing our series on “Fundamentals Exercises”, we have some more reverse engineering for you!  Again, these exercises are designed more as learning experiences rather than simply puzzlers.  We hope you find them interesting and educational!  Feel free to post your responses here, but we won’t put them on the site until after we post…

Debug Fundamentals Exercise 1: Reverse engineer a function

Hello ntdebuggers!  We’ve seen a lot of interest in our Puzzlers, and we’ve also seen requests and interest in topics covering debugging fundamentals.  So we’ve decided to combine the two topics and post a series of “Fundamentals Exercises”.  These exercises will be designed more as learning experiences rather than simply puzzlers.  We hope you…

Some of our favorite debugging-related links

Today we’re posting links to some of our favorite debugging-related content on the web.  Post your own favorites as a comment to share them with everyone!
Reverse Engineering and Debugging Blogs: DumpAnalysis, MetaSploit, Nynaeve, Mark Russinovich’s Blog, Steve’s Techspot, John Robbins’ Blog, Uninformed.org, Windbg by Volker, CodeProject Debugging Tips, DebugInfo, Jigar Mehta’s…

The default interactive desktop heap size has been increased on 32-bit Vista SP1

This is going to be a short blog post, but considering the amount of feedback we’ve received on our two previous desktop heap posts, I think this is worth blogging about.  32-bit Vista SP1 and 32-bit Windows Server 2008 both have a new value for the default size of interactive desktop heaps.  Previously,…

Talkback video: Desktop Heap

Hello, Matthew here again.  Starting today, my team will be bringing you content in the form of videos, as well as blog posts.  We’ll be hosting these videos on Channel 9, and we’ll link them from the ntdebugging blog.  One way that we’ll be using video is as a means of highlighting topics we’ve already covered,…

Desktop Heap, part 2

Matthew here again – I want to provide some follow-up information on desktop heap.  In the first post I didn’t discuss the size of desktop heap related memory ranges on 64-bit Windows, 3GB, or Vista.  So without further ado, here are the relevant sizes on various platforms…
Windows XP (32-bit)
·  …

This button doesn’t do anything!

Hello – Matthew here again.  Today I’ll be discussing in detail hang scenario #1 that Tate first mentioned a few blog posts ago.  From a debugging perspective, in an ideal world an application would always provide some kind of feedback when a failure occurs.  The reality is that sometimes an application just doesn’t do…

Desktop Heap Overview

Desktop heap is probably not something that you spend a lot of time thinking about, which is a good thing.  However, from time to time you may run into an issue that is caused by desktop heap exhaustion, and then it helps to know about this resource.  Let me state up front that things…
