Access violation when processing some dlls with Get-RpcServer #27

Closed
mediantt opened this issue Oct 29, 2020 · 1 comment

@mediantt

0:026> !dumpstack
OS Thread Id: 0x2ae4 (26)
Current frame: VCRUNTIME140_CLR0400!memcpy+0xff
Child-SP         RetAddr          Caller, Callee
000000fbf164ce10 00007ffb89cbab46 clr!SafeBuffer::PtrToStructure+0x16, calling VCRUNTIME140_CLR0400!memcpy
000000fbf164ce20 00007ffb89cbab13 clr!SafeBuffer::SizeOfType+0x43, calling clr!MethodTable::GetClass
000000fbf164ce40 00007ffb2a66cc9c (MethodDesc 00007ffb2aa03620 +0x2c System.Runtime.InteropServices.SafeBuffer.GenericPtrToStructure[[System.Byte, mscorlib]](Byte*, Byte ByRef, UInt32)), calling 00007ffb89cbab30 (stub for System.Runtime.InteropServices.SafeBuffer.PtrToStructureNative(Byte*, TypedReference, UInt32))
000000fbf164ce58 00007ffb89b56c5f clr!SafeHandle::DangerousAddRef+0x6f, calling clr!LazyMachStateCaptureState
000000fbf164ce80 00007ffb2a66ca22 (MethodDesc 00007ffb2aa035c0 +0x112 System.Runtime.InteropServices.SafeBuffer.ReadArray[[System.Byte, mscorlib]](UInt64, Byte[], Int32, Int32)), calling (MethodDesc 00007ffb2aa03620 +0 System.Runtime.InteropServices.SafeBuffer.GenericPtrToStructure[[System.Byte, mscorlib]](Byte*, Byte ByRef, UInt32))
000000fbf164cf00 00007ffb2a66c8e8 (MethodDesc 00007ffb2a9e4738 +0x48 NtApiDotNet.Win32.ImageSection.ToArray()), calling (MethodDesc 00007ffb2aa035c0 +0 System.Runtime.InteropServices.SafeBuffer.ReadArray[[System.Byte, mscorlib]](UInt64, Byte[], Int32, Int32))
000000fbf164cf10 00007ffb70abdb8a (MethodDesc 00007ffb706e6918 +0x1a System.Guid.ToByteArray()), calling clr!JIT_NewArr1VC_MP_InlineGetThread
000000fbf164cf40 00007ffb2a66c646 (MethodDesc 00007ffb2a9ec490 +0x56 NtApiDotNet.Win32.RpcServer+<FindRpcServerInterfaces>d__60.MoveNext()), calling (MethodDesc 00007ffb2a9e4738 +0 NtApiDotNet.Win32.ImageSection.ToArray())
000000fbf164cf60 00007ffb2a66c5c1 (MethodDesc 00007ffb2a9ec500 +0x51 NtApiDotNet.Win32.RpcServer+<FindRpcServerInterfaces>d__60.System.Collections.Generic.IEnumerable<NtApiDotNet.Win32.RpcServer.RpcOffset>.GetEnumerator()), calling clr!JIT_WriteBarrier
000000fbf164cf70 00007ffb2a66c445 (MethodDesc 00007ffb2a9e3988 +0x15 NtApiDotNet.Win32.RpcServer+<>c__DisplayClass51_0.<ParsePeFile>b__0(NtApiDotNet.Win32.ImageSection)), calling (MethodDesc 00007ffb2a9e59c8 +0 NtApiDotNet.NtObjectUtils.HasFlagSet[[NtApiDotNet.Win32.RpcServerParserFlags, NtApiDotNet]](NtApiDotNet.Win32.RpcServerParserFlags, NtApiDotNet.Win32.RpcServerParserFlags))
000000fbf164cfa0 00007ffb2a66c2c5 (MethodDesc 00007ffb2a9ebec0 +0x155 System.Linq.Enumerable+<SelectManyIterator>d__17`2[[System.__Canon, mscorlib],[NtApiDotNet.Win32.RpcServer+RpcOffset, NtApiDotNet]].MoveNext()), calling 00007ffb2a53d760
000000fbf164cfc0 00007ffb2a66c14c (MethodDesc 00007ffb2a9ebf30 +0x5c System.Linq.Enumerable+<SelectManyIterator>d__17`2[[System.__Canon, mscorlib],[NtApiDotNet.Win32.RpcServer+RpcOffset, NtApiDotNet]].System.Collections.Generic.IEnumerable<TResult>.GetEnumerator()), calling clr!JIT_WriteBarrier
000000fbf164cfd0 00007ffb89b5b319 clr!JIT_GetCurrentManagedThreadId+0x9, calling clr!GetThread
000000fbf164d000 00007ffb2a66c015 (MethodDesc 00007ffb2a9e5720 +0x45 System.Linq.Enumerable.Any[[NtApiDotNet.Win32.RpcServer+RpcOffset, NtApiDotNet]](System.Collections.Generic.IEnumerable`1<RpcOffset>)), calling 00007ffb2a53d8a0
000000fbf164d050 00007ffb2a6695ae (MethodDesc 00007ffb2a9e14f8 +0x15e NtApiDotNet.Win32.RpcServer.ParsePeFile(System.String, System.String, System.String, NtApiDotNet.Win32.RpcServerParserFlags)), calling (MethodDesc 00007ffb2a9e5720 +0 System.Linq.Enumerable.Any[[NtApiDotNet.Win32.RpcServer+RpcOffset, NtApiDotNet]](System.Collections.Generic.IEnumerable`1<RpcOffset>))
000000fbf164d080 00007ffb89b769ef clr!GCInterface::SuppressFinalize+0x3f

The issue is reproduced with the latest chrome.dll, presumably caused by the presence of a .retplne section with zero attributes, which is mapped as PAGE_NOACCESS:

0:026> !vprot rdx
BaseAddress:       00007ffb36665000
AllocationBase:    00007ffb2d5b0000
AllocationProtect: 00000080  PAGE_EXECUTE_WRITECOPY
RegionSize:        0000000000001000
State:             00001000  MEM_COMMIT
Protect:           00000001  PAGE_NOACCESS
Type:              01000000  MEM_IMAGE


The suggested fix is to check Characteristics in SafeLoadLibraryHandle.SetupValues:

        // Walk the section table; every section is currently added regardless of its flags.
        for (int i = 0; i < header.FileHeader.NumberOfSections; ++i)
        {
            ImageSectionHeader section = (ImageSectionHeader)Marshal.PtrToStructure(buffer + i * header_size, typeof(ImageSectionHeader));
            // Suggested check goes here: skip sections whose Characteristics do not
            // mark them readable, since the loader maps those as PAGE_NOACCESS.
            ImageSection sect = new ImageSection(section, MappedAsImage, base_ptr);
            _image_sections.Add(sect);
        }
@tyranid (Collaborator) commented Oct 29, 2020

Thanks, I now check the characteristics to ensure the section is supposed to be readable, and also added a catch when reading the section data, which should hopefully act as a backstop. I appreciate the bug report.

@tyranid tyranid closed this as completed Nov 21, 2020
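The two fixes discussed in this thread, the reporter's Characteristics check and the maintainer's catch around the section read, as an added example that is not NtApiDotNet code and not from either participant. It walks a PE section table by the PE/COFF offsets, derives "safe to read once mapped" from IMAGE_SCN_MEM_READ, and shows the backstop behaviour on a section with zero Characteristics. The sample PE (`SAMPLE_PE`, via `build_pe`) is constructed inline for the example and is not chrome.dll; `MappedImage` stands in for the loaded module and raises where the real memcpy faulted. All function and class names are this example's own.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Constructed minimal PE32+ header for this example (not a real DLL):
    DOS header, PE signature, COFF header, zeroed optional header and one
    section header per (name, virtual_address, virtual_size, characteristics)."""
    opt_size = 240                                   # IMAGE_OPTIONAL_HEADER64
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))      # e_lfanew -> PE signature
    coff = struct.pack(COFF_HEADER, 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    table = b"".join(
        struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, va, vsize,
                    0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(pe):
    """Walk the section table at the offsets the spec defines and return one
    dict per section; this is the step that decides what gets read later."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = struct.unpack_from(COFF_HEADER, pe, e_lfanew + 4)
    nsects, opt_size = coff[1], coff[5]
    off = e_lfanew + 4 + struct.calcsize(COFF_HEADER) + opt_size
    out = []
    for i in range(nsects):
        f = struct.unpack_from(SECTION_HEADER, pe, off + i * struct.calcsize(SECTION_HEADER))
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "va": f[2], "size": f[1], "chars": f[9]})
    return out


def is_readable_when_mapped(chars):
    """The reporter's check: the loader derives page protection from the
    R/W/X section flags, and a section with none of them (Characteristics
    == 0, like .retplne) is mapped PAGE_NOACCESS, so only sections carrying
    IMAGE_SCN_MEM_READ are safe to copy out of the mapping."""
    return bool(chars & IMAGE_SCN_MEM_READ)


class MappedImage:
    """Stand-in for a module loaded as an image (constructed for the example):
    reading a section the loader would map PAGE_NOACCESS raises, which is
    where memcpy took the access violation in the stack above."""

    def __init__(self, pe):
        self.sections = parse_sections(pe)

    def read_section(self, sect):
        if not is_readable_when_mapped(sect["chars"]):
            raise OSError("access violation reading %s at RVA 0x%x"
                          % (sect["name"], sect["va"]))
        return b"\xCC" * sect["size"]   # placeholder bytes; real code copies from the mapping


def collect_section_data(image, check_flags=True):
    """Both fixes together: with check_flags the unreadable section is skipped
    up front; without it, the catch (the maintainer's backstop) turns the
    fault into a missing entry instead of crashing the whole scan."""
    out = {}
    for sect in image.sections:
        if check_flags and not is_readable_when_mapped(sect["chars"]):
            continue
        try:
            out[sect["name"]] = image.read_section(sect)
        except OSError:
            out[sect["name"]] = None
    return out


# Constructed sample: two ordinary sections plus a zero-Characteristics one.
SAMPLE_PE = build_pe([
    (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x2000, 0x100, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".retplne", 0x3000, 0x10, 0),
])

if __name__ == "__main__":
    img = MappedImage(SAMPLE_PE)
    for s in img.sections:
        print("%-9s chars=0x%08x readable=%s"
              % (s["name"], s["chars"], is_readable_when_mapped(s["chars"])))
    print(sorted(collect_section_data(img)))
```

The flag check is the cheaper and more precise guard, since it uses information the parser already has before touching the mapping; the catch is the safety net for anything the flags do not predict. Against a real module the `read_section` body would copy from the mapped address instead of returning placeholder bytes, and the classification logic stays the same.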