Win7 application compatibility issue - How to Identify and remediate DEP issue

DEP Description and Terminologies

 

To avoid redundancy, please read the following MSDN article on DEP if this is new to you: http://technet.microsoft.com/en-us/library/cc738483(WS.10).aspx

or

http://technet.microsoft.com/en-us/library/bb457155.aspx

 

How to identify DEP problem using WinDbg

 

When the application encounters DEP problem, an Access Violation exception will be thrown by the OS. Since AV can happen due to different reasons, follow these steps to ascertain that DEP setting is the root cause of the problem.

Start windbg and attach to the application

C:\debuggers>windbg

Press F6 key in windbg and select the process, then click attach. Then press F5 to continue run the application until it encounter Access Violation exception.

Use !analyze command

 

When the DEP incurred exception happens such as the following:

The stored exception information can be accessed via .ecxr.

(5b8.1cbc): Access violation - code c0000005 (first/second chance not available)

eax=002bbe64 ebx=000e05a2 ecx=00000000 edx=00000081 esi=007997d0 edi=007997c8

eip=007997d0 esp=002bbcc0 ebp=002bbce0 iopl=0         nv up ei pl nz ac po nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212

007997d0 c7442404c8977900 mov     dword ptr [esp+4],7997C8h ss:002b:002bbcc4=000e05a2

Execute the following debug command:

0:000>!analyze –v

FAULTING_IP:

+6632

007997d0 c7442404c8977900 mov     dword ptr [esp+4],7997C8h

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)

ExceptionAddress: 007997d0

   ExceptionCode: c0000005 (Access violation)

  ExceptionFlags: 00000000

NumberParameters: 2

   Parameter[0]: 00000008

   Parameter[1]: 007997d0

Attempt to execute non-executable address 007997d0

The !analyze displays the details about the exception. Parameter[0] indicates the type of exception is attempt to execute non-executable. 

 

Additional method to verify DEP related AV

 

At this point, you can be pretty sure of the problem. If you want to see other evidences, continue

0:000> !address @eip

Usage:                  Heap

Allocation Base:        00790000

Base Address:           00790000

End Address:            007a0000

Region Size:            00010000

Type:                   00020000  MEM_PRIVATE

State:                  00001000  MEM_COMMIT

Protect:                00000004  PAGE_READWRITE

The “Protect” property for the EIP address does not have permission to execute code

Review the source code.

To get the source code location, get the callstack by executing this debug command:

0:000> kb200

ChildEBP RetAddr  Args to Child             

WARNING: Frame IP not in any known module. Following frames may be wrong.

002bbcbc 59a9b152 000e05a2 00000081 00000000 0x7997d0

002bbce0 751d6238 000e05a2 00000081 00000000 myDLL!ATL::CWindowImplBaseT<ATL::CWindow,ATL::CWinTraits<1442840576,0> >::StartWindowProc+0x62 [f:\myDLL\atl\include\atlwin.h @ 2097]

002bbd0c 751d7298 59a9b0f0 000e05a2 00000081 user32!InternalCallWinProc+0x23 [d:\w7rtm\windows\core\ntuser\client\i386\callproc.asm @ 106]

002bbd84 751d7177 00000000 59a9b0f0 000e05a2 user32!UserCallWinProcCheckWow+0xd8 [d:\w7rtm\windows\core\ntuser\client\clmsg.c @ 154]

002bbde0 751d942c 012e48b0 00000000 00000081 user32!DispatchClientMessage+0xe0 [d:\w7rtm\windows\core\ntuser\client\client.c @ 3202]

002bbe20 772b00e6 002bbe38 00000000 002bc3b0 user32!__fnINLPCREATESTRUCT+0x91 [d:\w7rtm\windows\core\ntuser\inc\ntcb.h @ 1412]

002bbe34 00000000 00000000 00000000 c0f00000 ntdll!KiUserCallbackDispatcher+0x2e [d:\win7_gdr\minkernel\ntos\rtl\i386\userdisp.asm @ 405]

 

The following atlwin.h reveals offending code at line 2097 trying to execute from a stack allocated local variable function pointer:

template <class TBase, class TWinTraits>

LRESULT CALLBACK CWindowImplBaseT< TBase, TWinTraits >::StartWindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)

{

Read more: linkaiyu

Posted via email from Jasper-net