This is a mirror of official site: http://jasper-net.blogspot.com/

Win7 application compatibility issue - How to Identify and remediate DEP issue

Sunday, March 13, 2011
DEP Description and Terminologies
 
To avoid redundancy, please read the following MSDN article on DEP if this is new to you: http://technet.microsoft.com/en-us/library/cc738483(WS.10).aspx
or
 
How to identify DEP problem using WinDbg
 
When an application runs into a DEP problem, the OS raises an Access Violation (AV) exception. Since an AV can have many different causes, follow these steps to confirm that the DEP setting is the root cause of the problem.
Start windbg and attach to the application

C:\debuggers>windbg

Press F6 in windbg, select the process, then click Attach. Then press F5 to let the application continue running until it hits the Access Violation exception.
Use the !analyze command
 
A DEP-induced exception looks like the following:
The stored exception information can be accessed via .ecxr.
(5b8.1cbc): Access violation - code c0000005 (first/second chance not available)
eax=002bbe64 ebx=000e05a2 ecx=00000000 edx=00000081 esi=007997d0 edi=007997c8
eip=007997d0 esp=002bbcc0 ebp=002bbce0 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
007997d0 c7442404c8977900 mov     dword ptr [esp+4],7997C8h ss:002b:002bbcc4=000e05a2

Execute the following debug command:

0:000> !analyze -v
FAULTING_IP:
+6632
007997d0 c7442404c8977900 mov     dword ptr [esp+4],7997C8h
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 007997d0
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 007997d0
Attempt to execute non-executable address 007997d0

!analyze displays the details of the exception. Parameter[0] (here 00000008) identifies the kind of access that faulted: an attempt to execute a non-executable address, which is exactly what DEP enforces.
 
Additional method to verify a DEP-related AV
 
At this point you can be fairly sure of the problem. If you want to see further evidence, continue:

0:000> !address @eip
Usage:                  Heap
Allocation Base:        00790000
Base Address:           00790000
End Address:            007a0000
Region Size:            00010000
Type:                   00020000  MEM_PRIVATE
State:                  00001000  MEM_COMMIT
Protect:                00000004  PAGE_READWRITE

The "Protect" value for the page containing EIP is PAGE_READWRITE, which carries no execute permission, so any attempt to execute code there is blocked by DEP.
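
The two checks above (Parameter[0] of the exception record and the Protect value of the faulting page) can be automated when triaging many crash dumps. The following script is an added example, not part of the original post: it parses the !analyze -v and !address output shown above (copied here as constructed test input), decodes the access kind and the page-protection bits from winnt.h, and reports whether the AV is a DEP execute fault on a non-executable page.

```python
import re

# Page-protection flags from winnt.h; any of the high four bits grants execute.
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
# ExceptionInformation[0] of EXCEPTION_ACCESS_VIOLATION (code c0000005).
AV_KIND = {0: "read", 1: "write", 8: "execute"}

# Debugger output copied from the walkthrough above (constructed test input).
ANALYZE_OUT = """EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 007997d0
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 007997d0
"""
ADDRESS_OUT = """Usage:                  Heap
Base Address:           00790000
End Address:            007a0000
Protect:                00000004  PAGE_READWRITE
"""

def _hex(field, text):
    """Return the hex value that follows 'field:' in debugger output."""
    m = re.search(re.escape(field) + r":\s*([0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("missing field: " + field)
    return int(m.group(1), 16)

def parse_analyze(text):
    """Pull the exception record out of '!analyze -v' output."""
    params = {int(i): int(v, 16) for i, v in re.findall(r"Parameter\[(\d+)\]:\s*([0-9a-fA-F]+)", text)}
    return {"code": _hex("ExceptionCode", text), "address": _hex("ExceptionAddress", text), "params": params}

def parse_address(text):
    """Pull region bounds and protection out of '!address <addr>' output."""
    return {"base": _hex("Base Address", text), "end": _hex("End Address", text), "protect": _hex("Protect", text)}

def triage(analyze_text, address_text):
    """Decide whether an AV is a DEP execute fault on a page without execute rights."""
    exc, region = parse_analyze(analyze_text), parse_address(address_text)
    kind = AV_KIND.get(exc["params"].get(0), "unknown")
    fault_addr = exc["params"].get(1)
    in_region = fault_addr is not None and region["base"] <= fault_addr < region["end"]
    executable = bool(region["protect"] & PAGE_EXECUTE_MASK)
    is_av = exc["code"] == 0xC0000005
    return {"access_violation": is_av, "kind": kind,
            "fault_at_eip": fault_addr == exc["address"],
            "page_executable": executable,
            "dep_root_cause": is_av and kind == "execute" and in_region and not executable}
```

Feed it the output of the two debugger commands for each dump; a result with dep_root_cause set to True matches the diagnosis reached by hand above.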

Review the source code.

To get the source code location, get the callstack by executing this debug command:

0:000> kb200
ChildEBP RetAddr  Args to Child             
WARNING: Frame IP not in any known module. Following frames may be wrong.
002bbcbc 59a9b152 000e05a2 00000081 00000000 0x7997d0
002bbce0 751d6238 000e05a2 00000081 00000000 myDLL!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<1442840576,0> >::StartWindowProc+0x62 [f:\myDLL\atl\include\atlwin.h @ 2097]
002bbd0c 751d7298 59a9b0f0 000e05a2 00000081 user32!InternalCallWinProc+0x23 [d:\w7rtm\windows\core\ntuser\client\i386\callproc.asm @ 106]
002bbd84 751d7177 00000000 59a9b0f0 000e05a2 user32!UserCallWinProcCheckWow+0xd8 [d:\w7rtm\windows\core\ntuser\client\clmsg.c @ 154]
002bbde0 751d942c 012e48b0 00000000 00000081 user32!DispatchClientMessage+0xe0 [d:\w7rtm\windows\core\ntuser\client\client.c @ 3202]
002bbe20 772b00e6 002bbe38 00000000 002bc3b0 user32!__fnINLPCREATESTRUCT+0x91 [d:\w7rtm\windows\core\ntuser\inc\ntcb.h @ 1412]
002bbe34 00000000 00000000 00000000 c0f00000 ntdll!KiUserCallbackDispatcher+0x2e [d:\win7_gdr\minkernel\ntos\rtl\i386\userdisp.asm @ 405]
 
The following code from atlwin.h shows the offending line (2097): it tries to execute code through a function pointer that lives in a stack-allocated local variable, so the call lands on a non-executable page:
template <class TBase, class TWinTraits>
LRESULT CALLBACK CWindowImplBaseT< TBase, TWinTraits >::StartWindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{

Read more: linkaiyu
