Printed Exception strings - what do all those flags mean?


Data Abort: Thread=9352cc9c Proc=90876ea0 'shell32.exe'
AKY=00000005 PC=03f74680(coredll.dll+0x00014680) RA=03257104(aygshell.dll+0x00037104) BVA=060000e0 FSR=00000007

AKY "Access Key"
Process slot bitmask corresponding to the processes the excepting thread has access to: bit N is set when the thread may touch the slot of the process whose AccessKey is 1 << N. The exception above has AKY=0x00000005 = 0x00000001 | 0x00000004, which corresponds to nk.exe and shell32.exe in the table below.
(Hint: the following was copied from the Platform Builder window: View > Debug Windows > Processes)

Name               VMBase      AccessKey   TrustLevel  hprocess
btstereoappui.exe  0x1A000000  0x00001000  Full        0xB30E2766
connmgr.exe        0x16000000  0x00000400  Full        0x5311091E
cprog.exe          0x1C000000  0x00002000  Full        0xF3030772
device.exe         0x0A000000  0x00000010  Full        0xB3CEC78E
filesys.exe        0x04000000  0x00000002  Full        0x13EEE762
gwes.exe           0x0C000000  0x00000020  Full        0x737A498A
nk.exe             0xC2000000  0x00000001  Full        0x13EFF002
pmsnserver.exe     0x10000000  0x00000080  Full        0x5333CD86
poutlook.exe       0x14000000  0x00000200  Full        0xD308FA02
sddaemon.exe       0x12000000  0x00000100  Full        0x7314C62A
services.exe       0x0E000000  0x00000040  Full        0x7352CFAA
shell.exe          0x08000000  0x00000008  Full        0xD3CD7A82
shell32.exe        0x06000000  0x00000004  Full        0xD352CEDE
srvtrust.exe       0x18000000  0x00000800  Full        0x33105BCA

PC "Program Counter"
The address of the instruction that raised the exception. On ARM platforms this is the value of the PC register; on x86 it is EIP (the instruction pointer). If symbols are available, the exception handler also prints the module the address falls in and the offset into that module (here coredll.dll+0x00014680). To find the offending function, look up the closest map entry at or below that offset ("fixed up, closest instruction but not over") in coredll.map:
(Hint: the following was copied and pasted from the coredll.map text file found in the image release directory.)

0001:00013638 GetWindowLongW 10014638 f coredll_all:twinuser.obj
0001:00013648 BeginPaint     10014648 f coredll_all:twinuser.obj
0001:000136cc EndPaint       100146cc f coredll_all:twinuser.obj
0001:00013750 GetDC          10014750 f coredll_all:twinuser.obj
0001:000137d4 ReleaseDC      100147d4 f coredll_all:twinuser.obj
0001:00013858 GetParent      10014858 f coredll_all:twinuser.obj

The third column is the link-time address assuming the DLL's preferred load address of 0x10000000, so the map entry 10014648 is module offset 0x14648. Offset 0x14680 lies between BeginPaint (0x14648) and EndPaint (0x146cc), so it is inside BeginPaint. Subtract the function base from the offset reported in the exception string to find the exact instruction: 0x14680 - 0x14648 = 0x38, i.e. the fault is 0x38 bytes into BeginPaint. (The module's actual load address follows from the same string: PC - offset = 0x03F74680 - 0x14680 = 0x03F60000.)

RA "Return Address"
The address of the instruction in the caller that the current function would have returned to, had it not raised the exception. The same symbol logic used to resolve the PC can be used to resolve the RA. ARM passes this value in the LR register, and since our example has RA=0x03257104 execution should have resumed here:
(Hint: the following disassembler output was copied and pasted from the Platform Builder disassembly window, reached either by right-clicking on the current source file or via Window > Disassembly.)

032570FC add r1, sp, #0x30
03257100 bl  BeginPaint (0325aee0)   <<< Exception caused in here
03257104 ldr lr, [sp, #0x44]         <<< Would have returned here
03257108 ldr r3, [sp, #0x38]
0325710C ldr r2, [sp, #0x3C]

On ARM a non-leaf function saves LR on its stack frame, so, like most platforms, return addresses live on the local stack; that is what allows nested calls and recursion. Unfortunately it also means that if the stack somehow gets corrupted you do not only lose the values stored there: you lose your place, and the processor won't know where to resume execution. A good indicator this has happened is when your PC == LR.
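The lookup described in the AKY and PC sections, as an added example that is not part of the original page: a Python script that parses an exception string like the one above, expands the AKY bitmask against the Processes-window table, and symbolises the PC offset against the coredll.map excerpt using the closest-but-not-over rule. It assumes coredll.dll's preferred load address is 0x10000000 (the map's header line is not quoted above) and that the kernel's two output lines have been joined into one string.

```python
"""Decode a Windows CE ARM exception string: AKY bitmask and PC symbolisation."""
import re
from bisect import bisect_right

# Constructed input: the Data Abort string quoted in the text, joined onto one line.
EXCEPTION_LINE = (
    "Data Abort: Thread=9352cc9c Proc=90876ea0 'shell32.exe' AKY=00000005 "
    "PC=03f74680(coredll.dll+0x00014680) RA=03257104(aygshell.dll+0x00037104) "
    "BVA=060000e0 FSR=00000007"
)

# name -> (VMBase, AccessKey), a subset of the Processes window table.
PROCESSES = {
    "nk.exe": (0xC2000000, 0x00000001),
    "filesys.exe": (0x04000000, 0x00000002),
    "shell32.exe": (0x06000000, 0x00000004),
    "shell.exe": (0x08000000, 0x00000008),
    "device.exe": (0x0A000000, 0x00000010),
    "gwes.exe": (0x0C000000, 0x00000020),
    "services.exe": (0x0E000000, 0x00000040),
}

# Excerpt of coredll.map. Assumption: the absolute column is relative to the
# DLL's preferred load address 0x10000000 (the "Preferred load address" header
# line is not quoted in the text).
PREFERRED_BASE = 0x10000000
COREDLL_MAP = """\
0001:00013638 GetWindowLongW 10014638 f coredll_all:twinuser.obj
0001:00013648 BeginPaint 10014648 f coredll_all:twinuser.obj
0001:000136cc EndPaint 100146cc f coredll_all:twinuser.obj
0001:00013750 GetDC 10014750 f coredll_all:twinuser.obj
0001:000137d4 ReleaseDC 100147d4 f coredll_all:twinuser.obj
0001:00013858 GetParent 10014858 f coredll_all:twinuser.obj
"""

HEX = r"[0-9a-fA-F]+"
EXC_RE = re.compile(
    r"(?P<kind>[A-Za-z ]+): Thread=(?P<thread>" + HEX + r") Proc=(?P<proc>" + HEX + r") "
    r"'(?P<name>[^']+)'\s+AKY=(?P<aky>" + HEX + r") "
    r"PC=(?P<pc>" + HEX + r")\((?P<pc_mod>[^+]+)\+0x(?P<pc_off>" + HEX + r")\) "
    r"RA=(?P<ra>" + HEX + r")\((?P<ra_mod>[^+]+)\+0x(?P<ra_off>" + HEX + r")\) "
    r"BVA=(?P<bva>" + HEX + r") FSR=(?P<fsr>" + HEX + r")"
)
MAP_RE = re.compile(r"^(\d{4}):([0-9a-fA-F]{8})\s+(\S+)\s+([0-9a-fA-F]{8})\s+f\s")


def parse_exception(line):
    """Return the fields of the kernel's exception string, hex fields as ints."""
    m = EXC_RE.search(line)
    if not m:
        raise ValueError("not a CE exception string")
    out = {"kind": m.group("kind").strip(), "name": m.group("name"),
           "pc_mod": m.group("pc_mod"), "ra_mod": m.group("ra_mod")}
    for key in ("thread", "proc", "aky", "pc", "pc_off", "ra", "ra_off", "bva", "fsr"):
        out[key] = int(m.group(key), 16)
    return out


def decode_aky(aky, processes):
    """Names of the processes whose AccessKey bit is set in AKY, lowest bit first."""
    hits = [(key, name) for name, (_base, key) in processes.items() if aky & key]
    return [name for _key, name in sorted(hits)]


def load_map(text):
    """Parse map lines into a sorted list of (module offset, symbol)."""
    syms = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            syms.append((int(m.group(4), 16) - PREFERRED_BASE, m.group(3)))
    return sorted(syms)


def resolve_symbol(offset, symbols):
    """Closest symbol at or below offset (never over), plus the distance into it."""
    i = bisect_right([o for o, _ in symbols], offset) - 1
    if i < 0:
        return None
    base, name = symbols[i]
    return name, offset - base


def describe(line, processes, map_text):
    """Everything a first glance at the exception string should tell you."""
    exc = parse_exception(line)
    return {
        "kind": exc["kind"], "process": exc["name"],
        "access": decode_aky(exc["aky"], processes),
        "pc": "%s+0x%x" % (exc["pc_mod"], exc["pc_off"]),
        "pc_symbol": resolve_symbol(exc["pc_off"], load_map(map_text)),
        "ra": "%s+0x%x" % (exc["ra_mod"], exc["ra_off"]),
        "load_base": exc["pc"] - exc["pc_off"],  # where the PC module actually sits
    }


if __name__ == "__main__":
    for key, value in describe(EXCEPTION_LINE, PROCESSES, COREDLL_MAP).items():
        print("%-10s %s" % (key, value))
```

The map excerpt only covers the module the PC fell in; to resolve the RA the same way, load aygshell.map and pass ra_off instead of pc_off.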

BVA "Bad Virtual Address"
The faulting virtual address; what it means depends on the type of exception. For a Prefetch Abort it is simply the PC (the instruction fetch itself faulted). For a Data Abort it is the address the faulting load or store tried to access, which tells you why the exception happened. While a process runs, its own addresses are accessed through slot 0 (0x00000000-0x01FFFFFF), so the kernel reports them fixed up into the process's own slot: BVA = VMBase of the current process + the slot-0 address the instruction formed. This is easiest to explain through some examples, starting with our original exception, BVA=060000e0:

Processes: (Hint: the following was copied from the Platform Builder window: View > Debug Windows > Processes)

Name          VMBase      AccessKey   TrustLevel  hprocess
shell.exe     0x08000000  0x00000008  Full        0xD3CD7A82
shell32.exe   0x06000000  0x00000004  Full        0xD352CEDE
srvtrust.exe  0x18000000  0x00000800  Full        0x33105BCA

Registers: (Hint: the following was copied from the Platform Builder window: View > Debug Windows > Registers)

R2 = 0000000F  R3 = 00000000  R4 = 0000000F

Disassembly: (Hint: the following disassembler output was copied and pasted from the Platform Builder disassembly window, reached either by right-clicking on the current source file or via Window > Disassembly.)

03F7467C ldr r3, [r3]
03F74680 ldr r3, [r3, #0xE0]   <<< Exception here, invalid pointer.
03F74684 mov lr, pc
03F74688 bx  r3

The faulting instruction loads the word at R3 + 0xE0 into R3 (ldr is a load, not a store). The preceding ldr r3, [r3] had just produced R3 = 0, so the address formed was 0x000000E0, which in the context of shell32.exe the kernel reports as R3 + 0xE0 + VMBase(shell32.exe) == 0x060000E0. Nothing is mapped there: this is a NULL-pointer dereference. The mov lr, pc / bx r3 that follows shows what the code was about to do with the value: call through a function pointer held at offset 0xE0 of a structure whose own pointer was NULL.

An additional BVA example in ossvcs.dll: (Hint: the following was copied from the Platform Builder Output window)

Data Abort: Thread=92f44574 Proc=90876ea0 'shell32.exe'
AKY=ffffffff PC=02e320c8(ossvcs.dll+0x000320c8) RA=02e0f524(ossvcs.dll+0x0000f524) BVA=07ece200 FSR=00000007

Note AKY=ffffffff: this thread has access to every process slot, so the fault is not an access-key problem.

Registers: (Hint: the following was copied from the Platform Builder window: View > Debug Windows > Registers)

R8 = 00000000  R9 = 00000000  R10 = 01F31AD0  R11 = 1C05E918  R12 = 01ECE200
Sp = 1C05E500  Lr = 02E0F524  Pc = 02E320C8

Disassembly: (Hint: the following disassembler output was copied and pasted from the Platform Builder disassembly window, reached either by right-clicking on the current source file or via Window > Disassembly.)

CeGetCurrentTrust:
02E320C4 ldr r12, [pc, #4]
02E320C8 ldr r12, [r12]   <<< Exception here, invalid pointer.
02E320CC bx  r12
02E320D0 ???

This three-instruction sequence is an indirect jump: the first ldr fetches a pointer from the literal-pool word at 02E320D0 (the ??? line, which is data rather than code; in ARM state pc reads as the current instruction + 8, so [pc, #4] is 02E320D0) into R12, and the faulting ldr loads the word that pointer points to, again into R12. R12 holds 0x01ECE200, a slot-0 address, which in the context of shell32.exe is R12 + VMBase(shell32.exe) == 0x07ECE200, and that address happens not to be mapped.

FSR "Fault Status Register"
The FSR is the ARM Fault Status Register captured at the abort. Its low four bits describe the nature of the exception and the next four bits (7:4) hold the memory domain of the faulting address. The kernel decodes the status with these flags:

#define FSR_ALIGNMENT     0x01
#define FSR_PAGE_ERROR    0x02
#define FSR_TRANSLATION   0x05
#define FSR_DOMAIN_ERROR  0x09
#define FSR_PERMISSION    0x0D

FSR_PAGE_ERROR is a modifier rather than a fault of its own: when it is set, the fault was detected on a page (second-level) translation table entry instead of a section (first-level) entry. So, taking our example above, FSR=00000007 == FSR_TRANSLATION | FSR_PAGE_ERROR, a page translation fault: the address the instruction touched is not mapped at all, which is the usual result of following a NULL or otherwise wild pointer. By the same rule 0x0B is a page domain fault and 0x0F a page permission fault. A permission fault means the address is mapped but the current mode may not access it that way (a write to a read-only page, for instance), and an alignment fault means the address is not aligned for the width of the access.
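The BVA fix-up and FSR decoding described in the last three sections, as an added Python example that is not part of the original page. It checks both Data Aborts quoted above. Assumptions: the 32 MB process-slot layout of Windows CE 5.0 and earlier (slot 0 is the running process); an FSR where the low nibble is the status and bits 7:4 the domain; and that the first 64 KB of a slot are left unmapped, which is used only as a heuristic for flagging NULL-pointer dereferences.

```python
"""Interpret BVA and FSR from a Windows CE (slot-based) ARM exception string."""

SLOT_SIZE = 0x02000000  # 32 MB per process slot; slot 0 is the current process

# name -> VMBase, from the Processes window table quoted in the text.
PROCESSES = {"shell.exe": 0x08000000, "shell32.exe": 0x06000000, "srvtrust.exe": 0x18000000}

# Kernel FSR flags quoted in the text; FSR_PAGE_ERROR is a modifier that turns a
# section-level status into its page-level counterpart.
FSR_ALIGNMENT = 0x01
FSR_PAGE_ERROR = 0x02
FSR_TRANSLATION = 0x05
FSR_DOMAIN_ERROR = 0x09
FSR_PERMISSION = 0x0D

# Assumption: the bottom 64 KB of a slot is unmapped, so a fault there is almost
# certainly a NULL pointer plus a small structure offset.
NULL_GUARD = 0x10000


def fixup_slot0(address, vmbase):
    """Map a slot-0 (current-process) address into the owning process's slot, the
    way the kernel does before printing BVA; other addresses are already absolute."""
    if address < SLOT_SIZE:
        return vmbase + address
    return address


def owner_of(bva, processes):
    """(process name, offset within its slot) for an absolute BVA, or (None, bva)."""
    slot_base = bva & ~(SLOT_SIZE - 1)
    for name, vmbase in processes.items():
        if vmbase == slot_base:
            return name, bva - slot_base
    return None, bva


def decode_fsr(fsr):
    """Split the Fault Status Register into domain and a readable status."""
    status = fsr & 0x0F
    domain = (fsr >> 4) & 0x0F
    kind = status & ~FSR_PAGE_ERROR  # strip the page/section modifier
    names = {FSR_ALIGNMENT: "alignment fault", FSR_TRANSLATION: "translation fault",
             FSR_DOMAIN_ERROR: "domain fault", FSR_PERMISSION: "permission fault"}
    if kind not in names:
        return {"domain": domain, "status": status, "kind": kind,
                "fault": "status 0x%x" % status}
    text = names[kind]
    if kind != FSR_ALIGNMENT:  # alignment faults have no page/section flavour
        text += " (page)" if status & FSR_PAGE_ERROR else " (section)"
    return {"domain": domain, "status": status, "kind": kind, "fault": text}


def explain(bva, fsr, processes):
    """Combine BVA ownership and FSR status into the one-line verdict you want first."""
    name, offset = owner_of(bva, processes)
    f = decode_fsr(fsr)
    verdict = f["fault"]
    if f["kind"] == FSR_TRANSLATION:
        verdict += ": nothing mapped at that address"
        if offset < NULL_GUARD:
            verdict += ", looks like a NULL-pointer dereference"
    elif f["kind"] == FSR_PERMISSION:
        verdict += ": mapped, but not accessible that way from the current mode"
    elif f["kind"] == FSR_ALIGNMENT:
        verdict += ": address not aligned for the access width"
    return {"process": name, "slot_offset": offset, "domain": f["domain"], "verdict": verdict}


if __name__ == "__main__":
    # First example: ldr r3, [r3, #0xE0] with R3 == 0 inside shell32.exe.
    bva1 = fixup_slot0(0x0 + 0xE0, PROCESSES["shell32.exe"])
    print("BVA=%08x" % bva1, explain(bva1, 0x7, PROCESSES))
    # Second example: ldr r12, [r12] with R12 == 0x01ECE200 inside shell32.exe.
    bva2 = fixup_slot0(0x01ECE200, PROCESSES["shell32.exe"])
    print("BVA=%08x" % bva2, explain(bva2, 0x7, PROCESSES))
```

For the first abort the script reproduces BVA=060000e0 and flags it as a NULL-pointer dereference; for the second it reproduces BVA=07ece200 as an unmapped address 0x01ECE200 into shell32.exe's slot, with no NULL suspicion because the offset is well above the guard region.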