[DBG] Access Violation [null terminated string] [MS] Windows

string과 관련된 AV dump 입니다.

0:030> .lastevent
Last event: 2d0.b3c: Access violation - code c0000005 (first chance)
  debugger time: Tue Apr 13 11:27:35.911 2010 (GMT+9) 

0:030> kbL
ChildEBP RetAddr  Args to Child             
05e4ebe0 12006d8e 0be00040 00152f60 0000004c jODBC!strstr+0x29
05e4ec20 1f810966 0be00040 00152f60 0000004c jODBC!SQLExecDirect+0x3e
05e4ec40 1f7f6e5b 0016ecf8 001de908 0000004c ODBC32!ToAnsi_SQLExecDirect+0x49
05e4ec60 1f7f6d7c 00000001 001de908 0000004c ODBC32!SQLExecDirectCover+0x124
05e4ec84 1f6d715c 0016ecf8 001de908 0000004c ODBC32!SQLExecDirectW+0x3a
05e4ecac 1f6d67a4 00224c18 1f6dde50 00224d98 msdasql!CImpICommandText::ExecuteHelper+0xed
05e4ed6c 1f457bec 020a4640 00000000 1f454ae0 msdasql!CImpICommandText::Execute+0x4c5
05e4edac 1f457683 00216508 00224c18 001de9e0 msado15!CConnection::Execute+0x1a8
05e4ef7c 1f4564fb 001ca5c8 00000000 00000000 msado15!_ExecuteAsync+0x1ce
05e4f03c 1f455e7e 00000000 00000000 00000000 msado15!CQuery::Execute+0xb7c
05e4f0a4 1f4760ff 00224b48 00000000 00000000 msado15!CCommand::_Execute+0x18a
05e4f11c 1f474647 002249c0 002248ec 00000000 msado15!CConnection::OpenRecordset+0x112
05e4f264 1f47a392 00216508 002248ec 00000000 msado15!CConnection::Execute+0x73c
05e4f4e4 75a4c260 00000003 00000006 75a83348 msado15!CConnection::Invoke+0x976
05e4f54c 75a4f3fc 0061fc10 00216508 00000006 vbscript!CatchIDispatchInvoke+0x56
05e4f678 75a33257 00618ba8 00216508 00000006 vbscript!InvokeDispatch+0x302
05e4f6a0 75a328d7 00618ba8 00216508 00000006 vbscript!InvokeByName+0x51
05e4f6dc 779d92b7 00000000 00000080 001a1a94 vbscript!CScriptRuntime::Run+0x3140
05e4f6ec 77a09e36 001a1a94 05e4f85c 00170000 OLEAUT32!SysFreeString+0x57
05e4f708 77fb6d01 00170000 00000000 00000000 OLEAUT32!QueryPathOfRegTypeLib+0x1256

 

jODBC symbol 맞지않습니다.

0:030> lm vm jODBC

start    end        module name

12000000 12e32000   jODBC    M (private pdb symbols)

 

오류(AV)가 발생한 instruction은 다음과 같습니다.

0:030> r

eax=0be000d0 ebx=000eef60 ecx=1202c754 edx=0015534d esi=00153000 edi=00152f60

eip=1201b829 esp=05e4eb94 ebp=05e4ebe0 iopl=0         nv up ei ng nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000282

jODBC!strstr+0x29:

1201b829 8a06            mov     al,byte ptr [esi]          ds:0023:00153000=??

 

0:030> dd esi

00153000  ???????? ???????? ???????? ????????

00153010  ???????? ???????? ???????? ????????

00153020  ???????? ???????? ???????? ????????

00153030  ???????? ???????? ???????? ????????

00153040  ???????? ???????? ???????? ????????

00153050  ???????? ???????? ???????? ????????

00153060  ???????? ???????? ???????? ????????

00153070  ???????? ???????? ???????? ????????

 

이제esi register ?? 인지또는?? address 참조하는지원인을찾아야합니다.

AV가 발생했을 때의 Stack과 jODBC!strstr assembly는 다음과 같습니다.

0:030> dds esp ebp

05e4eb94  0016ecf8                                 << esi

05e4eb98  000eef60                                 << ebx

05e4eb9c  000eef60                                 << edi

05e4eba0  12006e5d jODBC!DoSQLExecDirect+0x89   << return address // jODBC!strstr+0x00 시점의 esp

05e4eba4  00152f60        << [esp+10h] 1201b809 mov     edi,dword ptr [esp+10h]

05e4eba8  1202c754 jODBC!handler+0x64 << [esp+8] 1201b800 mov     ecx,dword ptr [esp+8]

05e4ebac  000eef60

05e4ebb0  0016ecf8

05e4ebb4  000eef60

05e4ebb8  001de9a0

05e4ebbc  00152f60

05e4ebc0  0be00040

05e4ebc4  00000000

05e4ebc8  05e4ebac

05e4ebcc  00000000

05e4ebd0  05e4ec10

05e4ebd4  1201abf0 jODBC!_except_handler3

05e4ebd8  12029400 jODBC!WSOCK32_NULL_THUNK_DATA+0x1fc

05e4ebdc  00000000

05e4ebe0  05e4ec20

 

// procedure entry가 보이지 않는 것으로 봐서는, FPO인 것으로 추측됩니다.

0:030> u jODBC!strstr jODBC!strstr+0x85

jODBC!strstr:

1201b800 8b4c2408        mov     ecx,dword ptr [esp+8]

1201b804 57              push    edi

1201b805 53              push    ebx

1201b806 56              push    esi

1201b807 8a11            mov     dl,byte ptr [ecx]

1201b809 8b7c2410        mov     edi,dword ptr [esp+10h]

1201b80d 84d2            test    dl,dl

1201b80f 7469            je      jODBC!strstr+0x7a (1201b87a)

1201b811 8a7101          mov     dh,byte ptr [ecx+1]

1201b814 84f6            test    dh,dh

1201b816 744f            je      jODBC!strstr+0x67 (1201b867)

1201b818 8bf7            mov     esi,edi

1201b81a 8b4c2414        mov     ecx,dword ptr [esp+14h]

1201b81e 8a07            mov     al,byte ptr [edi]

1201b820 46              inc     esi

1201b821 38d0            cmp     al,dl

1201b823 7415            je      jODBC!strstr+0x3a (1201b83a)

1201b825 84c0            test    al,al

1201b827 740b            je      jODBC!strstr+0x34 (1201b834)

1201b829 8a06            mov     al,byte ptr [esi]

1201b82b 46              inc     esi

1201b82c 38d0            cmp     al,dl

1201b82e 740a            je      jODBC!strstr+0x3a (1201b83a)

1201b830 84c0            test    al,al

1201b832 75f5            jne     jODBC!strstr+0x29 (1201b829)

1201b834 5e              pop     esi

1201b835 5b              pop     ebx

1201b836 5f              pop     edi

1201b837 33c0            xor     eax,eax

1201b839 c3              ret

1201b83a 8a06            mov     al,byte ptr [esi]

1201b83c 46              inc     esi

1201b83d 38f0            cmp     al,dh

1201b83f 75eb            jne     jODBC!strstr+0x2c (1201b82c)

1201b841 8d7eff          lea     edi,[esi-1]

1201b844 8a6102          mov     ah,byte ptr [ecx+2]

1201b847 84e4            test    ah,ah

1201b849 7428            je      jODBC!strstr+0x73 (1201b873)

1201b84b 8a06            mov     al,byte ptr [esi]

1201b84d 83c602          add     esi,2

1201b850 38e0            cmp     al,ah

1201b852 75c4            jne     jODBC!strstr+0x18 (1201b818)

1201b854 8a4103          mov     al,byte ptr [ecx+3]

1201b857 84c0            test    al,al

1201b859 7418            je      jODBC!strstr+0x73 (1201b873)

1201b85b 8a66ff          mov     ah,byte ptr [esi-1]

1201b85e 83c102          add     ecx,2

1201b861 38e0            cmp     al,ah

1201b863 74df            je      jODBC!strstr+0x44 (1201b844)

1201b865 ebb1            jmp     jODBC!strstr+0x18 (1201b818)

1201b867 33c0            xor     eax,eax

1201b869 5e              pop     esi

1201b86a 5b              pop     ebx

1201b86b 5f              pop     edi

1201b86c 8ac2            mov     al,dl

1201b86e e993350000      jmp     jODBC!__from_strstr_to_strchr (1201ee06)

1201b873 8d47ff          lea     eax,[edi-1]

1201b876 5e              pop     esi

1201b877 5b              pop     ebx

1201b878 5f              pop     edi

1201b879 c3              ret

1201b87a 8bc7            mov     eax,edi

1201b87c 5e              pop     esi

1201b87d 5b              pop     ebx

1201b87e 5f              pop     edi

1201b87f c3              ret

jODBC!memcmp:

1201b880 8b44240c        mov     eax,dword ptr [esp+0Ch]

1201b884 85c0            test    eax,eax

 

 

1201b800 8b4c2408        mov     ecx,dword ptr [esp+8]  

             @ecx = 1202c754  "MSysConf" (아마도 두 번째 Parameter 이겠지요.)

0:030> dc 1202c754 

1202c754  7379534d 666e6f43 00000000 62646f6a  MSysConf....jodb

1202c764  61642e63 00000074 6575516c 00007972  c.dat...lQuery..

1202c774  62646f6a 61642e63 00000074 65766173  jodbc.dat...save

1202c784  00000000 6163207b 45206c6c 7254646e  ....{ call EndTr

1202c794  20736e61 0000007d 4143207b 00204c4c  ans }...{ CALL .

1202c7a4  00000028 00000027 00000027 00000029  (...'...'...)...

1202c7b4  0000003f 00000030 342e2527 2e252d73  ?...0...'%.4s-%.

1202c7c4  252d7332 2d73322e 73322e25 322e252e  2s-%.2s-%.2s.%.2

 

1201b804 57              push    edi

1201b805 53              push    ebx

1201b806 56              push    esi

1201b807 8a11            mov     dl,byte ptr [ecx]           

             @dl = 'M' ("MSysConf")

1201b809 8b7c2410        mov     edi,dword ptr [esp+10h]

             @edi = 00152f60 ("SELECT LD_TBl_01, LD_TBL_02, LD_TBL_03 FROM RU.RU_ICU WHERE TYP = 'ISWC'")

             // dS 00152f60 으로 표현이 안 되는 것으로 봐서 null terminate 되어 있는지 의심할 수 있습니다.

0:030> dc 00152f60

00152f60  454c4553 20205443 545f444c 305f6c42  SELECT  LD_TBl_0

00152f70  4c202c31 42545f44 32305f4c 444c202c  1, LD_TBL_02, LD

00152f80  4c42545f 2033305f 4d4f5246 2e555220  _TBL_03 FROM RU.

00152f90  495f5552 20205543 52454857 59542045  RU_ICU  WHERE TY

00152fa0  203d2050 53574927 20274356 c0c0c0c0  P = 'IWSVC' ....

00152fb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

00152fc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

00152fd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

 

1201b80d 84d2            test    dl,dl                                     

             Check whether null or not ('\0')

1201b80f 7469            je      jODBC!strstr+0x7a (1201b87a)       

             null인 경우 종료

1201b811 8a7101          mov     dh,byte ptr [ecx+1]                 

             @dh ='S' ("MSysConf")

1201b814 84f6            test    dh,dh

1201b816 744f            je      jODBC!strstr+0x67 (1201b867)       

1201b818 8bf7            mov     esi,edi                       

             @esi = @edi = 00152f60 ("SELECT...")

1201b81a 8b4c2414        mov     ecx,dword ptr [esp+14h]          

             @ecx =1202c754 ("MSysConf")

1201b81e 8a07            mov     al,byte ptr [edi]           

             @al = 'S' (SELECT... 에서)

1201b820 46              inc     esi                                       

             @esi = 00152f61 ("ELECT LD... ")

1201b821 38d0            cmp     al,dl                                   

             @dl = 'M' ("MSysConf") @al = 'S' ("SELECT ...")

1201b823 7415            je      jODBC!strstr+0x3a (1201b83a) 

             if (ZF = 1) then jump 1201b83a

1201b825 84c0            test    al,al       

             ("SELECT...")에서 null 확인

1201b827 740b            je      jODBC!strstr+0x34 (1201b834)      

1201b829 8a06            mov     al,byte ptr [esi]           

             AV가 발생한 부분

             @al = 'E'

1201b82b 46              inc     esi

             @esi = "LECT..."                                       

1201b82c 38d0            cmp     al,dl 

             'E'와 'M' 비교

1201b82e 740a            je      jODBC!strstr+0x3a (1201b83a)  

1201b830 84c0            test    al,al                                      

1201b832 75f5            jne     jODBC!strstr+0x29 (1201b829)      

             null인 경우 아래 instruction이 수행되고, 그렇지 않으면 1201b829 로 돌아가 Loop를 돌게 됩니다.

...

 

@esi "SELECT LD_TBl_01, LD_TBL_02, LD_TBL_03 FROM RU.RU_ICU WHERE TYP='ISWC'"

@dl (low 8 bits of edx)은 "MSysConf"의 첫 character 입니다.

 

@esi에서 @dl과 같은 값을 찾는 것으로 봐서, "SELECT ..."에서 "MSysConf" string을 찾는 method임을 알 수 있습니다.

0:030> r @al

al=d0

0:030> .formats d0

Evaluate expression:

  Hex:     000000d0

  Decimal: 208

  Octal:   00000000320

  Binary:  00000000 00000000 00000000 11010000

  Chars:   ....

  Time:    Thu Jan 01 09:03:28 1970

  Float:   low 2.9147e-043 high 0

  Double:  1.02766e-321

 

0:030> r @dl

dl=4d

0:030> .formats 4d

Evaluate expression:

  Hex:     0000004d

  Decimal: 77

  Octal:   00000000115

  Binary:  00000000 00000000 00000000 01001101

  Chars:   ...M

  Time:    Thu Jan 01 09:01:17 1970

  Float:   low 1.079e-043 high 0

  Double:  3.80431e-322

 

// @al의 d0는 아래의 d0 입니다.

0:030> dc 00153000 -b0 00153000  

00152f50  00000000 00000000 0b26f52c dcbabbbb  ........,.&.....

00152f60  454c4553 20205443 545f444c 305f6c42  SELECT  LD_TBl_0

00152f70  4c202c31 42545f44 32305f4c 444c202c  1, LD_TBL_02, LD

00152f80  4c42545f 2033305f 4d4f5246 2e555220  _TBL_03 FROM RU.

00152f90  495f5552 20205543 52454857 59542045  RU_ICU  WHERE TY

00152fa0  203d2050 53574927 20274356 c0c0c0c0  P = 'IWSVC' ....

00152fb0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

00152fc0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

00152fd0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

00152fe0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0  ................

00152ff0  c0c0c0c0 c0c0c0c0 d0d0d0c0 d0d0d0d0  ................

00153000  ????????                             ????

 

따라서, AV의 원인은 string이 null('\0')로 종료되어 있지 않기 때문입니다. strstr가 종료 문자를 찾지 못해 buffer 끝을 지나 계속 읽다가 page 경계(00153000)에서 AV가 난 것이므로, 근본 원인은 strstr 자체가 아니라 이 buffer를 넘긴 호출자 쪽에서 찾아야 합니다.

 

*** 참고사항***

byte ptr [1202c754]는 4Dh 입니다. ASCII 4Dh는 'M' 입니다.

 

0:030> dc 1202c754

1202c754  7379534d 666e6f43 00000000 62646f6a  MSysConf....jodb

1202c764  61642e63 00000074 6575516c 00007972  c.dat...lQuery..

1202c774  62646f6a 61642e63 00000074 65766173  jodbc.dat...save

1202c784  00000000 6163207b 45206c6c 7254646e  ....{ call EndTr

1202c794  20736e61 0000007d 4143207b 00204c4c  ans }...{ CALL .

1202c7a4  00000028 00000027 00000027 00000029  (...'...'...)...

1202c7b4  0000003f 00000030 342e2527 2e252d73  ?...0...'%.4s-%.

1202c7c4  252d7332 2d73322e 73322e25 322e252e  2s-%.2s-%.2s.%.2

 

byte ptr [1202c755]는 53h 입니다. ASCII 53h는 'S' 입니다.

0:030> dc 1202c755

1202c755  43737953 00666e6f 6a000000 6362646f  SysConf....jodbc

1202c765  7461642e 6c000000 72657551 6a000079  .dat...lQuery..j

1202c775  6362646f 7461642e 73000000 00657661  odbc.dat...save.

1202c785  7b000000 6c616320 6e45206c 61725464  ...{ call EndTra

1202c795  7d20736e 7b000000 4c414320 2800204c  ns }...{ CALL .(

1202c7a5  27000000 27000000 29000000 3f000000  ...'...'...)...?

1202c7b5  30000000 27000000 73342e25 322e252d  ...0...'%.4s-%.2

1202c7c5  2e252d73 252d7332 2e73322e 73322e25  s-%.2s-%.2s.%.2s

 

만일 'MS'를 표현한다면

 

mov dl, 4dh

mov dh, 53h

 

cmp dx, 534Dh     // 'MS' (little-endian: dl = 'M' = 4Dh, dh = 'S' = 53h)

je 0x11111111     // ZF = 1 이므로 jump 합니다.

 

