A forum for reverse engineering, OS internals and malware analysis 

#1844 by EP_X0FF
Sat Aug 07, 2010 11:03 am
http://www.ragestorm.net/blogs/?p=255

Result of execution - BSOD in win32k.sys
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e113af57, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf91cbb5, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

READ_ADDRESS: e113af57 Paged pool

FAULTING_IP:
win32k!CreateDIBPalette+71
bf91cbb5 8a5802 mov bl,byte ptr [eax+2]

MM_INTERNAL_CODE: 1

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025f2a

MODULE_NAME: win32k

FAULTING_MODULE: bf800000 win32k

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: Project1.exe

TRAP_FRAME: f816ac50 -- (.trap 0xfffffffff816ac50)
ErrCode = 00000000
eax=e113af55 ebx=00000200 ecx=e10ffbfd edx=00000000 esi=e10ffbf8 edi=00000000
eip=bf91cbb5 esp=f816acc4 ebp=f816acd0 iopl=0 vif nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00090246
win32k!CreateDIBPalette+0x71:
bf91cbb5 8a5802 mov bl,byte ptr [eax+2] ds:0023:e113af57=??
Resetting default scope

LAST_CONTROL_TRANSFER: from 805241a0 to 8053380e

STACK_TEXT:
f816abec 805241a0 00000050 e113af57 00000000 nt!KeBugCheckEx+0x1b
f816ac38 804e1718 00000000 e113af57 00000000 nt!MmAccessFault+0x6f5
f816ac38 bf91cbb5 00000000 e113af57 00000000 nt!KiTrap0E+0xcc
f816acd0 bf91d2e4 e112e00c 00000000 f816ad30 win32k!CreateDIBPalette+0x71
f816ace8 bf8f989d 81e4abb8 f816ad30 81e4abb8 win32k!xxxGetDummyPalette+0x67
f816ad04 bf8f9767 81e4abb8 00000009 f816ad30 win32k!xxxGetClipboardData+0xa2
f816ad54 804de7ec 00000009 0012fd24 0012fd50 win32k!NtUserGetClipboardData+0x72
f816ad54 7c90e4f4 00000009 0012fd24 0012fd50 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fd50 00000000 00000000 00000000 00000000 0x7c90e4f4


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!CreateDIBPalette+71
bf91cbb5 8a5802 mov bl,byte ptr [eax+2]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: win32k!CreateDIBPalette+71

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_win32k!CreateDIBPalette+71

BUCKET_ID: 0x50_win32k!CreateDIBPalette+71

Followup: MachineOwner
---------
A friend of mine also successfully crashed Windows 2003 SP2 x64.

Greets to the author of this wonderful buggy code:
31-Jan-1992 MikeKe From win31
Attachment: bsod1.JPG (61.19 KiB)
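Triage of the !analyze -v output above, as an added example that is not part of EP_X0FF's post or the linked blog: a small Python parser that pulls the bugcheck arguments and STACK_TEXT out of the dump and derives the access type, the first non-nt! frame (the faulting code) and the syscall it was reached through. The sample text is a trimmed copy of the dump quoted above; the field names are my own.

```python
import re
# Constructed excerpt of the !analyze -v output quoted in the post above (frames trimmed; sample text, not a live dump).
SAMPLE = """PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: e113af57, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf91cbb5, If non-zero, the instruction address which referenced the bad memory
PROCESS_NAME: Project1.exe
STACK_TEXT:
f816abec 805241a0 00000050 e113af57 00000000 nt!KeBugCheckEx+0x1b
f816ac38 bf91cbb5 00000000 e113af57 00000000 nt!KiTrap0E+0xcc
f816acd0 bf91d2e4 e112e00c 00000000 f816ad30 win32k!CreateDIBPalette+0x71
f816ad54 804de7ec 00000009 0012fd24 0012fd50 win32k!NtUserGetClipboardData+0x72
FAILURE_BUCKET_ID: 0x50_win32k!CreateDIBPalette+71
"""

HEX = r"[0-9a-f]{8}"
FRAME_RE = re.compile(rf"^({HEX}) ({HEX}) (?:{HEX} ){{3}}(\S+)$")  # child-sp ret-addr args*3 symbol
ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]{8}),")                   # "Arg1: e113af57, ..."
HEAD_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)$")               # "PAGE_FAULT_IN_NONPAGED_AREA (50)"
KV_RE = re.compile(r"^([A-Z_]+): (.+)$")                           # "PROCESS_NAME: Project1.exe"

def parse_analyze(text):
    """Turn a 32-bit !analyze -v dump into a dict of triage fields."""
    info = {"args": {}, "frames": []}  # frames: (child_sp, ret_addr, symbol)
    for line in text.splitlines():
        if m := FRAME_RE.match(line):
            info["frames"].append((m[1], m[2], m[3]))
        elif m := ARG_RE.match(line):
            info["args"][int(m[1])] = int(m[2], 16)
        elif m := HEAD_RE.match(line):
            info["bugcheck"], info["code"] = m[1], int(m[2], 16)
        elif m := KV_RE.match(line):
            info[m[1].lower()] = m[2]
    return info

def summarize(info):
    """Bugcheck 0x50 triage: what was touched, which code touched it, via which syscall."""
    args, frames = info["args"], info["frames"]
    fault_ip = f"{args[3]:08x}"
    return {
        "process": info.get("process_name"),
        "bad_address": f"{args[1]:08x}",
        "access": "write" if args[2] else "read",
        "fault_ip": fault_ip,
        # Culprit: first frame outside nt!'s trap machinery; syscall: the Nt* frame it came from.
        "culprit": next((s for _, _, s in frames if not s.startswith("nt!")), None),
        "syscall": next((s for _, _, s in frames if "!Nt" in s), None),
        # Sanity check: Arg3 must equal the return address saved in the trap handler frame.
        "ip_in_trap_frame": any(r == fault_ip and s.startswith("nt!KiTrap")
                                for _, r, s in frames),
    }
```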