zan2828 Posted June 3, 2008 (edited)

Hello,

I am using Windows XP Professional SP3, and for the past few weeks explorer.exe has been crashing when I attempt to shut down the system. Instead of displaying the shutdown dialog with the usual options, there is a momentary stall and explorer.exe crashes with an Application Error.

I have since checked the RAM with Memtest, reformatted the system, checked for spyware/malware, but the issue persists. Perhaps one of you will be able to help me in analyzing the minidump. The last three digits in the faulting address (530) are consistent across all the dumps, and the named faulting module, msgina.dll, is also consistent, which leads me to believe that this is not the result of faulty hardware.

Below is the output of a recent minidump, generated by WinDbg.

0:001> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

***    Your debugger is not using the correct symbols                       ***
***    In order for this command to work properly, your symbol path         ***
***    must point to .pdb files that have full type information.            ***
***    Certain .pdb files (such as the public OS symbols) do not            ***
***    contain the required information. Contact the group that             ***
***    provided you with these symbols if you need this command to          ***
***    work.                                                                ***
***    Type referenced: kernel32!pNlsUserInfo                               ***

FAULTING_IP:
+4d2c530
04d2c530 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 04d2c530
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 04d2c530
Attempt to read from address 04d2c530

DEFAULT_BUCKET_ID:  NULL_INSTRUCTION_PTR
PROCESS_NAME:  explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS:  04d2c530
FAILED_INSTRUCTION_ADDRESS:
+4d2c530
04d2c530 ??              ???
IP_ON_HEAP:  04d2c530
FAULTING_THREAD:  00000780
PRIMARY_PROBLEM_CLASS:  NULL_INSTRUCTION_PTR
BUGCHECK_STR:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER:  from 7599840c to 04d2c530

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0150fa74 7599840c 00000000 01aee468 0150fad0 0x4d2c530
0150fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
0150faa4 7ca78a05 0150fac0 0150fad0 010460f8 msgina!_ShellDimScreen+0x67
0150fcd8 7ca78cca 0001009c 00000002 0150fcfc shell32!CloseWindowsDialog+0x51
0150fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a
0150fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86
0150fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da
0150fde8 01001b5c 0003004e 00000111 000001fa explorer!CTray::v_WndProc+0x981
0150fe0c 7e418734 0003004e 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65
0150fe38 7e418816 01001b1d 0003004e 00000111 user32!InternalCallWinProc+0x28
0150fea0 7e4189cd 000a04d8 01001b1d 0003004e user32!UserCallWinProcCheckWow+0x150
0150ff00 7e418a10 0150ff28 00000000 0150ff44 user32!DispatchMessageWorker+0x306
0150ff10 01001a35 0150ff28 00000000 010460f8 user32!DispatchMessageW+0xf
0150ff44 0100ffd1 00000000 0150ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9
0150ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29
0150ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94
0150ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND:  ~1s; .ecxr ; kb

FOLLOWUP_IP:
msgina!CDimmedWindow::Create+12
7599840c 8b3d78169775    mov     edi,dword ptr [msgina!_imp__GetSystemMetrics (75971678)]

SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  msgina!CDimmedWindow::Create+12
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: msgina
IMAGE_NAME:  msgina.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  4802a149
FAILURE_BUCKET_ID:  NULL_INSTRUCTION_PTR_c0000005_msgina.dll!CDimmedWindow::Create
BUCKET_ID:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_msgina!CDimmedWindow::Create+12
Followup: MachineOwner
---------

I would be very grateful for any assistance you may be able to provide. Thank you.

P.S. How do I post a non-scrolling codebox?

Edited June 3, 2008 by zan2828
Mordac85 Posted June 4, 2008

> FAILURE_BUCKET_ID: NULL_INSTRUCTION_PTR_c0000005_msgina.dll!CDimmedWindow::Create

I'm not very familiar with debugging Windows, but this makes me think you have a problem with the dialog library msgina.dll. Did you install any kind of VPN software that may have replaced this dll or be causing your issue?

cluberti Posted June 4, 2008

No, that's incorrect. Whatever was loaded at 0x4d2c530 is the culprit. But because this is a minidump, and because symbols aren't configured, !analyze -v is guessing.

Need an actual .dmp file - can it be uploaded somewhere?
cluberti Posted June 5, 2008

Yes, this is the culprit thread:

# 1  Id: 76c.784 Suspend: -1 Teb: 7ffdb000 Unfrozen
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0150fa74 7599840c 00000000 039764d0 0150fad0 0x4a3c530
0150fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
0150faa4 7ca78a05 0150fac0 0150fad0 010460f8 msgina!_ShellDimScreen+0x67
0150fcd8 7ca78cca 0001009c 00000002 0150fcfc shell32!CloseWindowsDialog+0x51
0150fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a
0150fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86
0150fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da
0150fde8 01001b5c 00030048 00000111 000001fa explorer!CTray::v_WndProc+0x981
0150fe0c 7e418734 00030048 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65
0150fe38 7e418816 01001b1d 00030048 00000111 user32!InternalCallWinProc+0x28
0150fea0 7e4189cd 000a04d8 01001b1d 00030048 user32!UserCallWinProcCheckWow+0x150
0150ff00 7e418a10 0150ff28 00000000 0150ff44 user32!DispatchMessageWorker+0x306
0150ff10 01001a35 0150ff28 00000000 010460f8 user32!DispatchMessageW+0xf
0150ff44 0100ffd1 00000000 0150ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9
0150ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29
0150ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94
0150ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37

However, there's literally nothing at all even close to loaded in that memory range, and it also looks like msgina is doing a debugger check:

0:001> ub 7599840c
msgina!CDimmedWindow::Create+0x3:
759983fd 8bec            mov     ebp,esp
759983ff 51              push    ecx
75998400 51              push    ecx
75998401 53              push    ebx
75998402 56              push    esi
75998403 57              push    edi
75998404 8bf1            mov     esi,ecx
75998406 ff1528139775    call    dword ptr [msgina!_imp__IsDebuggerPresent (75971328)]

0:001> u 75971328
msgina!_imp__IsDebuggerPresent:
75971328 2331              and     esi,dword ptr [ecx]
7597132a 817cc4a8827c0031  cmp     dword ptr [esp+eax*8-58h],31007C82h
75971332 817c6eac807ce605  cmp     dword ptr [esi+ebp*2-54h],5E67C80h
7597133a 837cdbae80        cmp     dword ptr [ebx+ebx*8-52h],0FFFFFF80h
7597133f 7cd4              jl      msgina!_imp__EnterCriticalSection+0x1 (75971315)
75971341 25837c64a1        and     eax,0A1647C83h
75971346 807c8ede80        cmp     byte ptr [esi+ecx*4-22h],80h
7597134b 7ccb              jl      msgina!_imp__LeaveCriticalSection (75971318)

Here's a thought - if you disable DEP entirely (add /noexecute=alwaysoff in your boot.ini), does the problem go away?
zan2828 (Author) Posted June 5, 2008 (edited)

I haven't tried disabling DEP entirely or via the boot.ini method, but I have disabled it for explorer through the system properties menu.

Now, instead of getting DEP error messages I just get a generic Application Error message upon explorer crashing.

However, my antivirus caught something new (a variant of Win32/Injector.AU) with yesterday's definition update, so this problem MAY be due to an infiltration that was lurking around undetected. A Microsoft employee on a Windbg Google Group browsing the minidump output believes it is a virus too.

I haven't crashed since then. I'll keep you posted.

Here is the link to the other discussion, BTW. http://groups.google.com/group/microsoft.p...b941315d717753c

Edited June 5, 2008 by zan2828

cluberti Posted June 5, 2008

I agree with that person as well, and that's why I asked you to disable DEP - it can mask virus issues.

zan2828 (Author) Posted June 6, 2008 (edited)

Crashed again, here is another dump file.

I will try the boot.ini edit like you suggested.

Also, is there a process where I can make more meaningful dumps? Just now, I set Dr Watson to generate full instead of mini dumps, and I noticed that the application errors were tagged with <nosymbols>. Where can I get appropriate symbols?

user.rar

Edited June 6, 2008 by zan2828

cluberti Posted June 6, 2008

> Where can I get appropriate symbols?

You need to set the symbol path - I prefer the _NT_SYMBOL_PATH System environment variable for this, and set it to SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols.

As to the dump, it's the same (different address, but same result - nothing there at all). Please disable DEP via boot.ini before posting any more dumps.

zan2828 (Author) Posted June 7, 2008 (edited)

It crashed again, this time with DEP turned off. The dump is exactly the same as last time.

I'm really at a loss as to what is going on. As I mentioned in my first post, formatting the system did nothing to fix the problem.

I am going to attach the relevant portion of the Dr. Watson log, if it helps any. I also was able to make another log by following these instructions: http://www.msfn.org/board/Creating-memory-dumps-t90244.html

Again thank you for your efforts.

log.txt
PID_1840__EXPLORER.EXE__Date_06_06_2008__Time_18_41_17PM.rar
user.rar

Edited June 7, 2008 by zan2828
zan2828 (Author) Posted June 7, 2008 (edited)

ADplus 1st and 2nd chance memory dump Windbg output:

0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

***    Your debugger is not using the correct symbols                       ***
***    In order for this command to work properly, your symbol path         ***
***    must point to .pdb files that have full type information.            ***
***    Certain .pdb files (such as the public OS symbols) do not            ***
***    contain the required information. Contact the group that             ***
***    provided you with these symbols if you need this command to          ***
***    work.                                                                ***
***    Type referenced: kernel32!pNlsUserInfo                               ***

FAULTING_IP:
+0
00000000 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  00000adc
DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT
PROCESS_NAME:  explorer.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT
BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT
LAST_CONTROL_TRANSFER:  from 7c90da8c to 7c90e4f4

STACK_TEXT:
01a8fe14 7c90da8c 77e765e3 000001b0 01a8ff74 ntdll!KiFastSystemCallRet
01a8fe18 77e765e3 000001b0 01a8ff74 00000000 ntdll!ZwReplyWaitReceivePortEx+0xc
01a8ff80 77e76caf 01a8ffa8 77e76ad1 000ba6b0 rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+0x12a
01a8ff88 77e76ad1 000ba6b0 0145f9bc 020a7f88 rpcrt4!RecvLotsaCallsWrapper+0xd
01a8ffa8 77e76c97 000ba568 01a8ffec 7c80b713 rpcrt4!BaseCachedThreadRoutine+0x79
01a8ffb4 7c80b713 020c12e0 0145f9bc 020a7f88 rpcrt4!ThreadStartRoutine+0x1a
01a8ffec 00000000 77e76c7d 020c12e0 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND:  ~0s; .ecxr ; kb

FOLLOWUP_IP:
rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+12a
77e765e3 8b7df4          mov     edi,dword ptr [ebp-0Ch]

SYMBOL_STACK_INDEX:  2
SYMBOL_NAME:  rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+12a
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: rpcrt4
IMAGE_NAME:  rpcrt4.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  4802a106
FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_rpcrt4.dll!LRPC_ADDRESS::ReceiveLotsaCalls
BUCKET_ID:  APPLICATION_FAULT_STATUS_BREAKPOINT_rpcrt4!LRPC_ADDRESS::ReceiveLotsaCalls+12a
Followup: MachineOwner
---------

0:001> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

***    Your debugger is not using the correct symbols                       ***
***    In order for this command to work properly, your symbol path         ***
***    must point to .pdb files that have full type information.            ***
***    Certain .pdb files (such as the public OS symbols) do not            ***
***    contain the required information. Contact the group that             ***
***    provided you with these symbols if you need this command to          ***
***    work.                                                                ***
***    Type referenced: kernel32!pNlsUserInfo                               ***

FAULTING_IP:
+3e6c530
03e6c530 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 03e6c530
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 03e6c530
Attempt to read from address 03e6c530

DEFAULT_BUCKET_ID:  NULL_INSTRUCTION_PTR
PROCESS_NAME:  explorer.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS:  03e6c530
FAILED_INSTRUCTION_ADDRESS:
+3e6c530
03e6c530 ??              ???
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
IP_ON_HEAP:  03e6c530
IP_IN_FREE_BLOCK: 3e6c530
FAULTING_THREAD:  00000748
PRIMARY_PROBLEM_CLASS:  NULL_INSTRUCTION_PTR
BUGCHECK_STR:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR
LAST_CONTROL_TRANSFER:  from 7599840c to 03e6c530

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0149fa74 7599840c 00000000 02e6acb0 0149fad0 0x3e6c530
0149fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12
0149faa4 7ca78a05 0149fac0 0149fad0 010460f8 msgina!_ShellDimScreen+0x67
0149fcd8 7ca78cca 0001009c 00000002 0149fcfc shell32!CloseWindowsDialog+0x51
0149fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a
0149fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86
0149fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da
0149fde8 01001b5c 00040038 00000111 000001fa explorer!CTray::v_WndProc+0x981
0149fe0c 7e418734 00040038 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65
0149fe38 7e418816 01001b1d 00040038 00000111 user32!InternalCallWinProc+0x28
0149fea0 7e4189cd 000a04a0 01001b1d 00040038 user32!UserCallWinProcCheckWow+0x150
0149ff00 7e418a10 0149ff28 00000000 0149ff44 user32!DispatchMessageWorker+0x306
0149ff10 01001a35 0149ff28 00000000 010460f8 user32!DispatchMessageW+0xf
0149ff44 0100ffd1 00000000 0149ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9
0149ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29
0149ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94
0149ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37

STACK_COMMAND:  ~1s; .ecxr ; kb

FOLLOWUP_IP:
msgina!CDimmedWindow::Create+12
7599840c 8b3d78169775    mov     edi,dword ptr [msgina!_imp__GetSystemMetrics (75971678)]

SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  msgina!CDimmedWindow::Create+12
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: msgina
IMAGE_NAME:  msgina.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  4802a149
FAILURE_BUCKET_ID:  NULL_INSTRUCTION_PTR_c0000005_msgina.dll!CDimmedWindow::Create
BUCKET_ID:  APPLICATION_FAULT_NULL_INSTRUCTION_PTR_BAD_IP_msgina!CDimmedWindow::Create+12
Followup: MachineOwner
---------

Here are the dumps.
http://rapidshare.com/files/120695269/Cras...1-17PM.rar.html

Edited June 7, 2008 by zan2828
Mr Snrub Posted June 7, 2008

You have a hooked "IsDebuggerPresent" function...

Stack trace of crashing thread:

0:001> kv
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0149fa74 7599840c 00000000 02e6acb0 0149fad0 0x3e6c530
0149fa90 75993a2f 00000002 010464f8 00000000 msgina!CDimmedWindow::Create+0x12 (FPO: [Non-Fpo])
0149faa4 7ca78a05 0149fac0 0149fad0 010460f8 msgina!_ShellDimScreen+0x67 (FPO: [Non-Fpo])
0149fcd8 7ca78cca 0001009c 00000002 0149fcfc shell32!CloseWindowsDialog+0x51 (FPO: [Non-Fpo])
0149fce8 010341ff 0001009c 000001fa 010460f8 shell32!ExitWindowsDialog+0x2a (FPO: [Non-Fpo])
0149fcfc 01026668 0001009c 00000000 00000111 explorer!CTray::_DoExitWindows+0x86 (FPO: [Non-Fpo])
0149fd30 0101c43e 000001fa 00000111 010460f8 explorer!CTray::_Command+0x2da (FPO: [Non-Fpo])
0149fde8 01001b5c 00040038 00000111 000001fa explorer!CTray::v_WndProc+0x981 (FPO: [Non-Fpo])
0149fe0c 7e418734 00040038 00000111 000001fa explorer!CImpWndProc::s_WndProc+0x65 (FPO: [Non-Fpo])
0149fe38 7e418816 01001b1d 00040038 00000111 user32!InternalCallWinProc+0x28
0149fea0 7e4189cd 000a04a0 01001b1d 00040038 user32!UserCallWinProcCheckWow+0x150 (FPO: [Non-Fpo])
0149ff00 7e418a10 0149ff28 00000000 0149ff44 user32!DispatchMessageWorker+0x306 (FPO: [Non-Fpo])
0149ff10 01001a35 0149ff28 00000000 010460f8 user32!DispatchMessageW+0xf (FPO: [Non-Fpo])
0149ff44 0100ffd1 00000000 0149ffb4 77f76f42 explorer!CTray::_MessageLoop+0xd9 (FPO: [Non-Fpo])
0149ff50 77f76f42 010460f8 0000005c 00000000 explorer!CTray::MainThreadProc+0x29 (FPO: [Non-Fpo])
0149ffb4 7c80b713 00000000 0000005c 00000000 shlwapi!WrapperThreadProc+0x94 (FPO: [Non-Fpo])
0149ffec 00000000 77f76ed3 0007fdbc 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

Top address is bogus, does not exist (hence the crash):

0:001> dd 0x3e6c530
03e6c530  ???????? ???????? ???????? ????????
03e6c540  ???????? ???????? ???????? ????????
03e6c550  ???????? ???????? ???????? ????????
03e6c560  ???????? ???????? ???????? ????????
03e6c570  ???????? ???????? ???????? ????????
03e6c580  ???????? ???????? ???????? ????????
03e6c590  ???????? ???????? ???????? ????????
03e6c5a0  ???????? ???????? ???????? ????????

Going back 1 frame in the stack, let's unassemble the caller:

0:001> u msgina!CDimmedWindow::Create msgina!CDimmedWindow::Create+0x12
msgina!CDimmedWindow::Create:
759983fa 8bff            mov     edi,edi
759983fc 55              push    ebp
759983fd 8bec            mov     ebp,esp
759983ff 51              push    ecx
75998400 51              push    ecx
75998401 53              push    ebx
75998402 56              push    esi
75998403 57              push    edi
75998404 8bf1            mov     esi,ecx
75998406 ff1528139775    call    dword ptr [msgina!_imp__IsDebuggerPresent (75971328)]

IsDebuggerPresent is the function being called, and it is imported, so let's see where it goes:

0:001> dds msgina!_imp__IsDebuggerPresent
75971328  7c813123 kernel32!IsDebuggerPresent

Now let's unassemble the function in kernel32...

0:001> u kernel32!IsDebuggerPresent
kernel32!IsDebuggerPresent:
7c813123 e908946587      jmp     03e6c530
7c813128 cc              int     3
7c813129 8b4030          mov     eax,dword ptr [eax+30h]
7c81312c 0fb64002        movzx   eax,byte ptr [eax+2]
7c813130 c3              ret
7c813131 90              nop
7c813132 90              nop
7c813133 90              nop

The jmp instruction is the hook, and the address (0x03e6c530) is why we go boom.

We can verify the memory-resident version of the kernel32.dll module with the copy on disk (provided courtesy of the symbols server):

0:001> !chkimg -d kernel32.dll
    7c813123-7c813128  6 bytes - kernel32!IsDebuggerPresent
	[ 64 a1 18 00 00 00:e9 08 94 65 87 cc ]
6 errors : kernel32.dll (7c813123-7c813128)

So 6 bytes in kernel32.dll have been modified by something, and there is the next question - what's hooking that OS function?

Checked the other loaded modules (this only works for those we have symbols for, so genuine Microsoft Windows modules):

0:001> !for_each_module !chkimg @#ModuleName
8 errors : uxtheme (5ad8a69c-5ad8a6a3)
10 errors : user32 (7e42384e-7e4595c1)
6 errors : kernel32 (7c813123-7c813128)

The uxtheme.dll hack I guess is the "allow use of unsigned themes" 3rd party crack:

0:001> !chkimg -d uxtheme.dll
    5ad8a69c-5ad8a6a3  8 bytes - uxtheme!CThemeSignature::Verify+5
	[ 81 ec 88 00 00 00 a1 18:33 f6 8b c6 c9 c2 08 00 ]
8 errors : uxtheme.dll (5ad8a69c-5ad8a6a3)

0:001> u 5ad8a69c 5ad8a6a3
uxtheme!CThemeSignature::Verify+0x5:
5ad8a69c 33f6            xor     esi,esi
5ad8a69e 8bc6            mov     eax,esi
5ad8a6a0 c9              leave
5ad8a6a1 c20800          ret     8

The user32.dll hack looks like more hooking, and possibly to the same not-present module as the IsDebuggerPresent hook:

0:001> !chkimg -d user32.dll
    7e42384e-7e423852  5 bytes - user32!ChangeDisplaySettingsExA
	[ 8b ff 55 8b ec:e9 dd e6 a4 85 ]
    7e4595bd-7e4595c1  5 bytes - user32!ChangeDisplaySettingsExW (+0x35d6f)
	[ 8b ff 55 8b ec:e9 9e 89 a1 85 ]
10 errors : user32.dll (7e42384e-7e4595c1)

0:001> u 7e42384e 7e423852
user32!ChangeDisplaySettingsExA:
7e42384e e9dde6a485      jmp     03e71f30

0:001> u 7e4595bd 7e4595c1
user32!ChangeDisplaySettingsExW:
7e4595bd e99e89a185      jmp     03e71f60

So 3 Microsoft modules are modified from their original content - are the binaries on disk hacked, or is there something memory resident which is hooking them at load time?

Other than uxtheme.dll, have you replaced any DLLs manually?

Does the crash occur in Safe Mode?

I would recommend running RootkitRevealer and doing a full virus scan if you can't think of any software you have installed which might be hooking the functions for checking for an attached debugger (sometimes used by game cracks to prevent copy protection from detecting a debugger is attached when reverse-engineering, or by emulation software) and also the one for changing the display settings (which seems like a very odd function to hook).

http://technet.microsoft.com/en-us/sysinte...s/bb897445.aspx
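The triage Mr Snrub walks through above (read the patched bytes from !chkimg -d, decode the E9 jmp to find where the hook lands, then ask whether any loaded module owns that address) as an added Python example; this is not code from the thread. The chkimg lines are the ones quoted in the post, while the LOADED_MODULES ranges are constructed for illustration and were not taken from the dumps.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "!chkimg -d" findings quoted in the thread, in WinDbg's layout.
CHKIMG_OUTPUT = """\
    5ad8a69c-5ad8a6a3  8 bytes - uxtheme!CThemeSignature::Verify+5
\t[ 81 ec 88 00 00 00 a1 18:33 f6 8b c6 c9 c2 08 00 ]
    7c813123-7c813128  6 bytes - kernel32!IsDebuggerPresent
\t[ 64 a1 18 00 00 00:e9 08 94 65 87 cc ]
    7e42384e-7e423852  5 bytes - user32!ChangeDisplaySettingsExA
\t[ 8b ff 55 8b ec:e9 dd e6 a4 85 ]
    7e4595bd-7e4595c1  5 bytes - user32!ChangeDisplaySettingsExW (+0x35d6f)
\t[ 8b ff 55 8b ec:e9 9e 89 a1 85 ]
"""

# Constructed, illustrative load ranges (what "lm" would show); NOT values from the dumps.
LOADED_MODULES: Dict[str, Tuple[int, int]] = {
    "explorer": (0x01000000, 0x010FF000),
    "msgina":   (0x75970000, 0x759F0000),
    "kernel32": (0x7C800000, 0x7C8F6000),
    "user32":   (0x7E410000, 0x7E4A1000),
}

HEADER = re.compile(r"^([0-9a-f]{8})-([0-9a-f]{8})\s+(\d+) bytes - (\S+)")
BYTES = re.compile(r"\[\s*([0-9a-f ]+):([0-9a-f ]+)\]")


@dataclass
class Patch:
    symbol: str
    start: int
    original: bytes
    patched: bytes
    target: Optional[int]         # destination of an E9 jmp, None for other patches
    target_module: Optional[str]  # module owning the destination, None if nobody does


def decode_jmp_rel32(addr: int, code: bytes) -> Optional[int]:
    """Destination of an E9 rel32 jmp at addr, or None if the bytes are not one.
    rel32 is signed and relative to the end of the 5-byte instruction; the sum is
    wrapped to 32 bits the way the CPU does it (7c813128 + 87659408 -> 03e6c530)."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = int.from_bytes(code[1:5], "little", signed=True)
    return (addr + 5 + rel) & 0xFFFFFFFF


def module_for(addr: int, modules: Dict[str, Tuple[int, int]]) -> Optional[str]:
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None


def parse_chkimg(text: str, modules=LOADED_MODULES) -> List[Patch]:
    """Pair each chkimg header line with its [ on-disk : in-memory ] byte line."""
    patches: List[Patch] = []
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            pending = (int(m.group(1), 16), m.group(4))
            continue
        b = BYTES.search(line)
        if b and pending:
            start, symbol = pending
            orig = bytes.fromhex(b.group(1).strip())
            new = bytes.fromhex(b.group(2).strip())
            tgt = decode_jmp_rel32(start, new)
            owner = module_for(tgt, modules) if tgt is not None else None
            patches.append(Patch(symbol, start, orig, new, tgt, owner))
            pending = None
    return patches


def suspicious(patches: List[Patch]) -> List[Patch]:
    """Hooks that jump into memory no loaded module claims: a trampoline in a private
    or injected allocation, or (as in this thread) memory that has since been freed."""
    return [p for p in patches if p.target is not None and p.target_module is None]


if __name__ == "__main__":
    for p in parse_chkimg(CHKIMG_OUTPUT):
        dest = f"{p.target:08x} ({p.target_module or 'NO LOADED MODULE'})" if p.target is not None else "not a jmp"
        print(f"{p.symbol:36} {p.start:08x}  {p.patched.hex()}  -> {dest}")
```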
Mr Snrub Posted June 7, 2008

Also, could you open a command prompt and enter the following commands, then copy the contents of t.txt and paste here:

cd \
dir asfsipc.dll /s > t.txt

(After pasting you can delete t.txt)

This module is dated 1999, so pre-dates XP, I am interested to know where it is located in case it was installed by a 3rd party program.

zan2828 (Author) Posted June 7, 2008 (edited)

As you requested:

 Volume in drive C is Stuff
 Volume Serial Number is E8A6-DB4E

 Directory of C:\WINDOWS\system32

12/20/1999  01:16 PM            15,360 asfsipc.dll
               1 File(s)         15,360 bytes

     Total Files Listed:
               1 File(s)         15,360 bytes
               0 Dir(s)  50,379,988,992 bytes free

uxtheme.dll is the only system dll I have replaced, and I can confirm that the crashes existed prior to my replacing it. I have two other systems with modified uxtheme.dll and the problem does not occur. As for game emulation or cracks, I don't have anything of the sort installed. I'll try out your suggestions. Thank you so much though for narrowing it down.

Just wondering: from which dump were you able to extract all this information?

Edited June 7, 2008 by zan2828

Mr Snrub Posted June 7, 2008

All that information came from the second chance dump from explorer.exe.

The location of the DLL doesn't give much away - anything could have installed it to system32 (I was interested to see if it happened to be under %ProgramFiles%).

I was half expecting something like a no-cd stub exe for something, or emulation software like Daemon Tools which install kernel drivers which we wouldn't see a trace of in a user-mode dump...

Let us know if Rootkit Revealer turns up anything - if it says everything looks clean then we may need a kernel dump to see if there are any hooks in there too.