A forum for reverse engineering, OS internals and malware analysis 

 #5312  by Flopik
 Fri Mar 04, 2011 1:28 pm
Has anyone seen this issue?

lkd> dt _UNICODE_STRING 0x81ba9bc8 + 0x30
ntdll!_UNICODE_STRING
"\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\d5900f16e80a204ca5" <--- Not valid , incomplete
+0x000 Length : 0x90
+0x002 MaximumLength : 0xf8
+0x004 Buffer : 0xe27aea10 "\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\d5900f16e80a204ca5"


lkd> db e27aea10 l 90
e27aea10 5c 00 57 00 49 00 4e 00-44 00 4f 00 57 00 53 00 \.W.I.N.D.O.W.S.
e27aea20 5c 00 61 00 73 00 73 00-65 00 6d 00 62 00 6c 00 \.a.s.s.e.m.b.l.
e27aea30 79 00 5c 00 4e 00 61 00-74 00 69 00 76 00 65 00 y.\.N.a.t.i.v.e.
e27aea40 49 00 6d 00 61 00 67 00-65 00 73 00 5f 00 76 00 I.m.a.g.e.s._.v.
e27aea50 32 00 2e 00 30 00 2e 00-35 00 30 00 37 00 32 00 2...0...5.0.7.2.
e27aea60 37 00 5f 00 33 00 32 00-5c 00 6d 00 73 00 63 00 7._.3.2.\.m.s.c.
e27aea70 6f 00 72 00 6c 00 69 00-62 00 5c 00 64 00 35 00 o.r.l.i.b.\.d.5.
e27aea80 39 00 30 00 30 00 66 00-31 00 36 00 65 00 38 00 9.0.0.f.1.6.e.8.
e27aea90 30 00 61 00 32 00 30 00-34 00 63 00 61 00 35 00 0.a.2.0.4.c.a.5.

kd> db e27aea10 l F8
e27aea10 5c 00 57 00 49 00 4e 00-44 00 4f 00 57 00 53 00 \.W.I.N.D.O.W.S.
e27aea20 5c 00 61 00 73 00 73 00-65 00 6d 00 62 00 6c 00 \.a.s.s.e.m.b.l.
e27aea30 79 00 5c 00 4e 00 61 00-74 00 69 00 76 00 65 00 y.\.N.a.t.i.v.e.
e27aea40 49 00 6d 00 61 00 67 00-65 00 73 00 5f 00 76 00 I.m.a.g.e.s._.v.
e27aea50 32 00 2e 00 30 00 2e 00-35 00 30 00 37 00 32 00 2...0...5.0.7.2.
e27aea60 37 00 5f 00 33 00 32 00-5c 00 6d 00 73 00 63 00 7._.3.2.\.m.s.c.
e27aea70 6f 00 72 00 6c 00 69 00-62 00 5c 00 64 00 35 00 o.r.l.i.b.\.d.5.
e27aea80 39 00 30 00 30 00 66 00-31 00 36 00 65 00 38 00 9.0.0.f.1.6.e.8.
e27aea90 30 00 61 00 32 00 30 00-34 00 63 00 61 00 35 00 0.a.2.0.4.c.a.5.
e27aeaa0 64 00 62 00 32 00 39 00-65 00 63 00 64 00 61 00 d.b.2.9.e.c.d.a.
e27aeab0 36 00 62 00 65 00 37 00-36 00 38 00 5c 00 6d 00 6.b.e.7.6.8.\.m.
e27aeac0 73 00 63 00 6f 00 72 00-6c 00 69 00 62 00 2e 00 s.c.o.r.l.i.b...
e27aead0 6e 00 69 00 2e 00 64 00-6c 00 6c 00 36 00 62 00 n.i...d.l.l.6.b.
e27aeae0 31 00 65 00 38 00 30 00-30 00 2e 00 4d 00 61 00 1.e.8.0.0...M.a.
e27aeaf0 6e 00 69 00 66 00 65 00-73 00 74 00 00 00 63 00 n.i.f.e.s.t...c.
e27aeb00 65 00 73 00 5c 00 00 00 e.s.\...

I get all kinds of wrong paths from the VAD:

C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\1e85062785e286cd9eae
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7C31.tmp\System.Data.OracleClient.dll
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8343.tmp\Microsoft.Build.Framework.dl
 #6535  by Flopik
 Wed May 25, 2011 2:38 pm
Got it again:

fffffa80094f8870 ( 2) 400 4bd 14 Mapped Exe EXECUTE_WRITECOPY \Program Files\Winobj.exenobj.exe

lkd> dt _MMVAD fffffa80094f8870
+0x048 Subsection : 0xfffffa80`09dcacd0 _SUBSECTION

lkd> dt _SUBSECTION 0xfffffa80`09dcacd0
nt!_SUBSECTION
+0x000 ControlArea : 0xfffffa80`09dcac50 _CONTROL_AREA
lkd> dt _CONTROL_AREA 0xfffffa80`09dcac50
nt!_CONTROL_AREA
+0x040 FilePointer : _EX_FAST_REF

lkd> dt _EX_FAST_REF 0xfffffa80`09dcac50+ 0x040
nt!_EX_FAST_REF
+0x000 Object : 0xfffffa80`06d223c8 Void
+0x000 RefCnt : 0y1000
+0x000 Value : 0xfffffa80`06d223c8
lkd> ? 0xfffffa80`06d223c8 & ffffffff`fffffff0
Evaluate expression: -6047199517760 = fffffa80`06d223c0
lkd> dt _FILE_OBJECT fffffa80`06d223c0
nt!_FILE_OBJECT
+0x058 FileName : _UNICODE_STRING "\Program Files\Winobj.exenobj.exe"

lkd> dt _UNICODE_STRING fffffa80`06d223c0 + 0x58
nt!_UNICODE_STRING
"???"
Cannot find specified field members.
-----------------------------------------------
lkd> dt _OBJECT_NAME_INFORMATION 0xfffffa80`09463b20
nt!_OBJECT_NAME_INFORMATION
+0x000 Name : _UNICODE_STRING "\Device\HarddiskVolume4\Program Files\Winobj.exe"

From EPROCESS :
+0x2e0 ImageFileName : [15] "Winobj.exenobj"

I'm on Windows 7 x64 SP1
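The dumps in both posts show the classic UNICODE_STRING trap: Length and MaximumLength are byte counts, Buffer is not guaranteed to be NUL-terminated, and the pool block behind Buffer can still hold the tail of whatever string lived there before. In the first post the string is exactly 0x90 bytes (72 characters) long, yet the bytes after it spell out "db29ecda6be768\mscorlib.ni.dll6b1e800.Manifest" from an earlier use of the block, so any code that scans for a terminator instead of honouring Length will glue the two together; a FILE_OBJECT.FileName read the same way can produce a name like the one in the second post. The program below is an added example, not code from this thread or from Windows; it declares its own stand-in for UNICODE_STRING rather than including ntdef.h, rebuilds the 0xF8-byte pool block from the first post's `db` output, and contrasts a copy that honours Length with one that trusts a terminator.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the kernel's UNICODE_STRING (same layout on x86).
   Length/MaximumLength are in BYTES; Buffer is not NUL-terminated. */
typedef uint16_t WCHAR;
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Pool block contents reconstructed from `db e27aea10 l F8` in the first post:
   the 72-character string the debugger printed, then stale data from earlier
   uses of the same block ("...Manifest", NUL, "ces\", NUL). */
static const char POOL_ASCII[] =
    "\\WINDOWS\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\d5900f16e80a204ca5"
    "db29ecda6be768\\mscorlib.ni.dll6b1e800.Manifest\0ces\\";

#define POOL_WCHARS (0xF8 / sizeof(WCHAR))   /* MaximumLength from the dump */
static WCHAR g_pool[POOL_WCHARS];

/* Build the UNICODE_STRING exactly as the dump shows it: Length 0x90,
   MaximumLength 0xF8, Buffer pointing at the widened pool block. */
static UNICODE_STRING make_dump_string(void) {
    memset(g_pool, 0, sizeof g_pool);
    for (size_t i = 0; i < POOL_WCHARS && i < sizeof POOL_ASCII; i++)
        g_pool[i] = (WCHAR)(unsigned char)POOL_ASCII[i];
    UNICODE_STRING us = { 0x90, 0xF8, g_pool };
    return us;
}

/* Correct: validate the header, copy exactly Length bytes worth of characters,
   then add our own terminator. Returns characters copied, or -1 if the
   structure is inconsistent (odd Length, Length > MaximumLength, NULL Buffer). */
static int copy_by_length(const UNICODE_STRING *us, char *out, size_t out_size) {
    if (us->Buffer == NULL || (us->Length & 1) || us->Length > us->MaximumLength)
        return -1;
    size_t n = us->Length / sizeof(WCHAR);
    if (n + 1 > out_size)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (us->Buffer[i] < 0x80) ? (char)us->Buffer[i] : '?';
    out[n] = '\0';
    return (int)n;
}

/* Wrong: a wcslen-style scan trusts a terminator that UNICODE_STRING never
   promises, so it runs past Length into the stale tail of the pool block.
   (Bounded by out_size only so the demonstration itself cannot overrun.) */
static int copy_by_terminator(const UNICODE_STRING *us, char *out, size_t out_size) {
    size_t n = 0;
    while (us->Buffer[n] != 0 && n + 1 < out_size) {
        out[n] = (us->Buffer[n] < 0x80) ? (char)us->Buffer[n] : '?';
        n++;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    UNICODE_STRING us = make_dump_string();
    char by_len[256], by_nul[256];
    printf("honouring Length  (%d chars): %s\n",
           copy_by_length(&us, by_len, sizeof by_len), by_len);
    printf("scanning for NUL  (%d chars): %s\n",
           copy_by_terminator(&us, by_nul, sizeof by_nul), by_nul);
    return 0;
}
```

Run stand-alone it prints the 72-character path first and the 118-character glued string second; the second line is what a %wZ-free copy loop, or a buffer printed with %ws, will show for the structure in the first post. The validation at the top of copy_by_length is also the quickest sanity check to run on any UNICODE_STRING pulled out of a VAD, subsection or file object before trusting it.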
 #8964  by Brock
 Wed Oct 05, 2011 8:35 am
What does your basic skeleton code look like? Without code it's hard to visualize your problem, I think. I don't need all the meat in between because it's not necessary. Keep in mind, raw VAD traversal without acquiring, i.e., fast mutexes (as the original memory manager does) or locking down the process' address space could lead to such data corruption on your end. Are you using MDLs, or are you simply hoping the loaded module's filename buffer remains valid as the process address space changes?

What happens if you substitute raw VAD traversal for ZwQueryVirtualMemory with the MemoryInformationClass = 2 on a module's base address (it will return a UNICODE_STRING with the module filename on >= XP), does it still truncate the filename as it is doing? By the way, ZwQueryVirtualMemory is not exported from the kernel (last I checked), but you can easily call it through the syscall index held in the SSDT via interrupt 0x2E, hardcode it for a test, pass it down dynamically from usermode, etc. Also, keep in mind that raw VAD access gives you base addresses of loaded modules that need to be PAGE_SHIFTed, so you will need to account for this in order to use the aforementioned API ;)
 #8979  by Brock
 Wed Oct 05, 2011 7:19 pm
Just caught the line "I'm on Windows 7 x64 SP1"... In that case, you would likely be using "syscall" instead of the legacy int 0x2E. Anyhow, it shouldn't be hard to adapt this, though.