matt_sykes
2010-09-10 12:19:11 UTC
Here is the exception:
fffff880`06159500 483b5020 cmp rdx,qword ptr [rax+20h] ds:
002b:00000000`00000020=????????????????
This is the line that cycles through the linked list in a while loop:
fffff880`06159506 488b00 mov rax,qword ptr [rax]
This is the list:
kd> dl fffffa801ac24f70 100 1
fffffa80`1ac24f70 fffffa80`1aa8f010 <--- this is the start address
fffffa80`1aa8f010 fffffa80`1aff6350
fffffa80`1aff6350 fffffa80`1acec740
fffffa80`1acec740 fffffa80`1b372cf0
fffffa80`1b372cf0 fffffa80`1b546190
fffffa80`1b546190 fffffa80`1b55baf0
fffffa80`1b55baf0 fffffa80`1b551660
fffffa80`1b551660 fffffa80`1ac24f70
The list is got from rcx (first param) + 0xa0:
add rcx,0A0h
and the vale put into rax:
mov rax,qword ptr [rcx]
kd> dt trusted!_TRACKED_PROCESS FFFFFA801AC24ED0
+0x000 List : _LIST_ENTRY [ 0xfffffa80`18df0a50 -
0xfffffa80`1adea5c0 ]
+0x010 Flags : 1
+0x018 ParentId : 0x00000000`00000450
+0x020 ProcessId : 0x00000000`00000a7c
+0x028 ProcessImageNameLength : 0x9a
+0x030 ProcessImageName : 0xfffff8a0`02203c30 -> 0x5c
+0x038 FileLock : _ERESOURCE
+0x0a0 Files : _LIST_ENTRY [ 0xfffffa80`1aa8f010 -
0xfffffa80`1b551660 ] <--- 0xfffffa80`1aa8f010 is a valid address in
the linked list at offset 0xa0 from rcx (the first param).
I dont see how rax can end up zero, it seems utterly impossible.
Here is the assembly for the loop and function initialisation:
fffff880`061594e0 4533d2 xor r10d,r10d
fffff880`061594e3 4885c9 test rcx,rcx
fffff880`061594e6 41b90d0000c0 mov r9d,0C000000Dh
fffff880`061594ec 7428 je Trusted!TrustLookupFileObject
+0x36 (fffff880`06159516)
fffff880`061594ee 4881c1a0000000 add rcx,0A0h
fffff880`061594f5 41b90f0000c0 mov r9d,0C000000Fh
fffff880`061594fb 488b01 mov rax,qword ptr [rcx]
fffff880`061594fe eb09 jmp Trusted!TrustLookupFileObject
+0x29 (fffff880`06159509)
fffff880`06159500 483b5020 cmp rdx,qword ptr [rax+20h]
fffff880`06159504 740a je Trusted!TrustLookupFileObject
+0x30 (fffff880`06159510)
fffff880`06159506 488b00 mov rax,qword ptr [rax]
fffff880`06159509 483bc8 cmp rcx,rax
fffff880`0615950c 75f2 jne Trusted!TrustLookupFileObject
+0x20 (fffff880`06159500)
fffff880`06159500 483b5020 cmp rdx,qword ptr [rax+20h] ds:
002b:00000000`00000020=????????????????
This is the line that cycles through the linked list in a while loop:
fffff880`06159506 488b00 mov rax,qword ptr [rax]
This is the list:
kd> dl fffffa801ac24f70 100 1
fffffa80`1ac24f70 fffffa80`1aa8f010 <--- this is the start address
fffffa80`1aa8f010 fffffa80`1aff6350
fffffa80`1aff6350 fffffa80`1acec740
fffffa80`1acec740 fffffa80`1b372cf0
fffffa80`1b372cf0 fffffa80`1b546190
fffffa80`1b546190 fffffa80`1b55baf0
fffffa80`1b55baf0 fffffa80`1b551660
fffffa80`1b551660 fffffa80`1ac24f70
The list is got from rcx (first param) + 0xa0:
add rcx,0A0h
and the vale put into rax:
mov rax,qword ptr [rcx]
kd> dt trusted!_TRACKED_PROCESS FFFFFA801AC24ED0
+0x000 List : _LIST_ENTRY [ 0xfffffa80`18df0a50 -
0xfffffa80`1adea5c0 ]
+0x010 Flags : 1
+0x018 ParentId : 0x00000000`00000450
+0x020 ProcessId : 0x00000000`00000a7c
+0x028 ProcessImageNameLength : 0x9a
+0x030 ProcessImageName : 0xfffff8a0`02203c30 -> 0x5c
+0x038 FileLock : _ERESOURCE
+0x0a0 Files : _LIST_ENTRY [ 0xfffffa80`1aa8f010 -
0xfffffa80`1b551660 ] <--- 0xfffffa80`1aa8f010 is a valid address in
the linked list at offset 0xa0 from rcx (the first param).
I dont see how rax can end up zero, it seems utterly impossible.
Here is the assembly for the loop and function initialisation:
fffff880`061594e0 4533d2 xor r10d,r10d
fffff880`061594e3 4885c9 test rcx,rcx
fffff880`061594e6 41b90d0000c0 mov r9d,0C000000Dh
fffff880`061594ec 7428 je Trusted!TrustLookupFileObject
+0x36 (fffff880`06159516)
fffff880`061594ee 4881c1a0000000 add rcx,0A0h
fffff880`061594f5 41b90f0000c0 mov r9d,0C000000Fh
fffff880`061594fb 488b01 mov rax,qword ptr [rcx]
fffff880`061594fe eb09 jmp Trusted!TrustLookupFileObject
+0x29 (fffff880`06159509)
fffff880`06159500 483b5020 cmp rdx,qword ptr [rax+20h]
fffff880`06159504 740a je Trusted!TrustLookupFileObject
+0x30 (fffff880`06159510)
fffff880`06159506 488b00 mov rax,qword ptr [rax]
fffff880`06159509 483bc8 cmp rcx,rax
fffff880`0615950c 75f2 jne Trusted!TrustLookupFileObject
+0x20 (fffff880`06159500)