RtlLookupFunctionEntry import in private kernel32 is infinite loop on win7 #1837

Closed
derekbruening opened this issue Dec 17, 2015 · 0 comments
derekbruening (Contributor) commented:

While working on DynamoRIO/drmemory#1222 I hit an infinite loop:

0:000> x kernel32_450000!RtlLook*
00000000`00480930 KERNEL32_450000!RtlLookupFunctionEntry (<no parameter info>)
00000000`0049b9f0 KERNEL32_450000!RtlLookupFunctionEntryStub (<no parameter info>)

KERNEL32_450000!RtlLookupFunctionEntryStub:
00000000`0049b9f0 48ff2519060500  jmp     qword ptr [KERNEL32_450000!_imp_RtlLookupFunctionEntry (00000000`004ec010)]
0:000> dq 004ec010
00000000`004ec010  00000000`0049b9f0 00000000`00480500

KERNEL32_450000!RtlLookupFunctionEntry:
00000000`00480930 ff25dab60600    jmp     qword ptr [KERNEL32_450000!_imp_RtlLookupFunctionEntry (00000000`004ec010)]

0:000> x kernel32_450000!RtlVirtualU*
00000000`0049b990 KERNEL32_450000!RtlVirtualUnwindStub (<no parameter info>)
00000000`0048093c KERNEL32_450000!RtlVirtualUnwind (<no parameter info>)

KERNEL32_450000!RtlVirtualUnwind:
00000000`0048093c ff250eb70600    jmp     qword ptr [KERNEL32_450000!_imp_RtlVirtualUnwind (00000000`004ec050)]
0:000> dq 004ec050
00000000`004ec050  00000000`0049b990 00000000`00480510

KERNEL32_450000!RtlVirtualUnwindStub:
00000000`0049b990 4c8bdc          mov     r11,rsp
00000000`0049b993 4883ec48        sub     rsp,48h
00000000`0049b997 488b842488000000 mov     rax,qword ptr [rsp+88h]
00000000`0049b99f 498943f0        mov     qword ptr [r11-10h],rax
00000000`0049b9a3 488b842480000000 mov     rax,qword ptr [rsp+80h]
00000000`0049b9ab 498943e8        mov     qword ptr [r11-18h],rax
00000000`0049b9af 488b442478      mov     rax,qword ptr [rsp+78h]
00000000`0049b9b4 498943e0        mov     qword ptr [r11-20h],rax
00000000`0049b9b8 488b442470      mov     rax,qword ptr [rsp+70h]
00000000`0049b9bd 498943d8        mov     qword ptr [r11-28h],rax
00000000`0049b9c1 ff1589060500    call    qword ptr [KERNEL32_450000!_imp_RtlVirtualUnwind (00000000`004ec050)]
00000000`0049b9c7 4883c448        add     rsp,48h
00000000`0049b9cb c3              ret

Vs the app's kernel32.dll:

0:000> x kernel32!RtlLookupFu*
00000000`76fd0930 kernel32!RtlLookupFunctionEntry (<no parameter info>)
00000000`76feb9f0 kernel32!RtlLookupFunctionEntryStub (<no parameter info>)
0:000> U 76feb9f0
kernel32!RtlLookupFunctionEntryStub:
00000000`76feb9f0 48ff2519060500  jmp     qword ptr [kernel32!_imp_RtlLookupFunctionEntry (00000000`7703c010)]
0:000> dq 7703c010
00000000`7703c010  00000000`770e9050 00000000`770cc9a0
0:000> U 76fd0930 
kernel32!RtlLookupFunctionEntry:
00000000`76fd0930 ff25dab60600    jmp     qword ptr [kernel32!_imp_RtlLookupFunctionEntry (00000000`7703c010)]
0:000> U 770e9050 
ntdll!RtlLookupFunctionEntry:
00000000`770e9050 48895c2408      mov     qword ptr [rsp+8],rbx
00000000`770e9055 4889742410      mov     qword ptr [rsp+10h],rsi

0:000> x kernel32!RtlVirt*
00000000`76feb990 kernel32!RtlVirtualUnwindStub (<no parameter info>)
00000000`76fd093c kernel32!RtlVirtualUnwind (<no parameter info>)
0:000> Uf 76feb990
kernel32!RtlVirtualUnwindStub:
00000000`76feb990 4c8bdc          mov     r11,rsp
00000000`76feb993 4883ec48        sub     rsp,48h
00000000`76feb997 488b842488000000 mov     rax,qword ptr [rsp+88h]
00000000`76feb99f 498943f0        mov     qword ptr [r11-10h],rax
00000000`76feb9a3 488b842480000000 mov     rax,qword ptr [rsp+80h]
00000000`76feb9ab 498943e8        mov     qword ptr [r11-18h],rax
00000000`76feb9af 488b442478      mov     rax,qword ptr [rsp+78h]
00000000`76feb9b4 498943e0        mov     qword ptr [r11-20h],rax
00000000`76feb9b8 488b442470      mov     rax,qword ptr [rsp+70h]
00000000`76feb9bd 498943d8        mov     qword ptr [r11-28h],rax
00000000`76feb9c1 ff1589060500    call    qword ptr [kernel32!_imp_RtlVirtualUnwind (00000000`7703c050)]
00000000`76feb9c7 4883c448        add     rsp,48h
00000000`76feb9cb c3              ret
0:000> U 76fd093c 
kernel32!RtlVirtualUnwind:
00000000`76fd093c ff250eb70600    jmp     qword ptr [kernel32!_imp_RtlVirtualUnwind (00000000`7703c050)]
0:000> dq 7703c050
00000000`7703c050  00000000`770d9310 00000000`770d7ff0
0:000> U 770d9310 
ntdll!RtlVirtualUnwind:
00000000`770d9310 894c2408        mov     dword ptr [rsp+8],ecx

C:\Windows\System32>dumpbin /exports kernel32.dll | grep RtlLookupF
       1058  421 0004B9F0 RtlLookupFunctionEntry
C:\Windows\System32>dumpbin /exports kernel32.dll | grep RtlVirtualU
       1065  428 0004B990 RtlVirtualUnwind
C:\Windows\System32>dumpbin /exports ntdll.dll | grep RtlLookupF
       1037  404 00029050 RtlLookupFunctionEntry
       1038  405 00028F40 RtlLookupFunctionTable
C:\Windows\System32>dumpbin /exports ntdll.dll | grep RtlVirtualU
       1276  4F3 00019310 RtlVirtualUnwind
C:\Windows\System32>dumpbin /imports kernel32.dll | grep RtlLookupF
              78E79050     8 RtlLookupFunctionEntry
C:\Windows\System32>dumpbin /imports kernel32.dll | grep RtlVirtualU
              78E69310     E RtlVirtualUnwind
C:\Windows\System32>dumpbin /exports kernelbase.dll | grep RtlVirtualU
C:\Windows\System32>dumpbin /exports kernelbase.dll | grep RtlLookupF
C:\Windows\System32>dumpbin /imports kernelbase.dll | grep RtlLookupF
              78E79050   404 RtlLookupFunctionEntry
C:\Windows\System32>dumpbin /imports kernelbase.dll | grep RtlVirtualU
              78E69310   4F3 RtlVirtualUnwind

Here's the problem:

privload_process_imports: KERNEL32.dll imports from API-MS-Win-Core-RtlSupport-L1-1-0.dll
        import RtlLookupFunctionEntry @ 0x000000000056b9f0 => IAT 0x00000000005bc010
        import RtlVirtualUnwind @ 0x000000000056b990 => IAT 0x00000000005bc050

Yet our loader does:

    else if (str_case_prefix(name, "API-MS-Win-Core-RTLSupport-L1")) {
        if (get_os_version() >= WINDOWS_VERSION_8)
            return "ntdll.dll";
        else
            return "kernel32.dll";
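The self-referential IAT described above, as an added example that is not part of the issue or of DynamoRIO's loader: a small Python model of API-set import resolution. The module tables are constructed from the dumpbin output on the page (kernel32 exports RtlLookupFunctionEntry and RtlVirtualUnwind only as jmp-through-IAT stubs fed from the RtlSupport API set, kernelbase exports neither, ntdll holds the real code), `buggy_redirect` is the quoted policy, and `ntdll_redirect` is a hypothetical alternative used only to show the resolution terminating. `audit_imports` is the cycle check a private loader would want to run when it fills an IAT.

```python
"""Added example (not DynamoRIO code): model API-set import resolution and
detect the IAT slot that ends up pointing back at its own stub."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

RTLSUPPORT = "API-MS-Win-Core-RtlSupport-L1-1-0.dll"


@dataclass(frozen=True)
class Export:
    # None: real code lives in this module.
    # Otherwise: a 'jmp qword ptr [_imp_X]' stub whose IAT slot the loader
    # fills from the named (API-set) DLL, like kernel32!RtlLookupFunctionEntry.
    thunk_from: Optional[str] = None


@dataclass
class Module:
    name: str
    exports: Dict[str, Export] = field(default_factory=dict)


# Constructed tables mirroring the page's Windows 7 dumpbin output.
MODULES: Dict[str, Module] = {
    "kernel32.dll": Module("kernel32.dll", {
        "RtlLookupFunctionEntry": Export(thunk_from=RTLSUPPORT),
        "RtlVirtualUnwind": Export(thunk_from=RTLSUPPORT),
    }),
    "kernelbase.dll": Module("kernelbase.dll"),  # imports both, exports neither
    "ntdll.dll": Module("ntdll.dll", {
        "RtlLookupFunctionEntry": Export(),
        "RtlVirtualUnwind": Export(),
    }),
}

Redirect = Callable[[str, int], str]


def buggy_redirect(api_set: str, os_version: int) -> str:
    """The policy quoted in the issue: pre-Windows 8 sends RtlSupport to kernel32."""
    if api_set.lower().startswith("api-ms-win-core-rtlsupport-l1"):
        return "ntdll.dll" if os_version >= 8 else "kernel32.dll"
    raise KeyError(f"no redirect for {api_set}")


def ntdll_redirect(api_set: str, os_version: int) -> str:
    """Hypothetical alternative (assumption, not the project's fix): always ntdll."""
    if api_set.lower().startswith("api-ms-win-core-rtlsupport-l1"):
        return "ntdll.dll"
    raise KeyError(f"no redirect for {api_set}")


class ImportCycle(Exception):
    """Resolution revisited a (module, symbol) pair: at runtime the IAT slot
    would hold the address of the very stub that jumps through it."""


def resolve(api_set: str, symbol: str, redirect: Redirect, os_version: int) -> str:
    """Follow stub exports until a module with real code for `symbol` is found."""
    chain = []
    module = redirect(api_set, os_version)
    while True:
        if (module, symbol) in chain:
            chain.append((module, symbol))
            raise ImportCycle(" -> ".join(f"{m}!{s}" for m, s in chain))
        chain.append((module, symbol))
        export = MODULES[module].exports.get(symbol)
        if export is None:
            raise KeyError(f"{module} does not export {symbol}")
        if export.thunk_from is None:
            return module
        module = redirect(export.thunk_from, os_version)


def audit_imports(importer: str, api_set: str, redirect: Redirect,
                  os_version: int) -> Dict[str, str]:
    """For each symbol `importer` pulls from `api_set` (modelled here as its
    stub exports), report the providing module or 'CYCLE' when the IAT would
    point back into a stub. This is the check a privload_process_imports-style
    routine needs before trusting a redirect target."""
    report: Dict[str, str] = {}
    for symbol, export in MODULES[importer].exports.items():
        if export.thunk_from != api_set:
            continue
        try:
            report[symbol] = resolve(api_set, symbol, redirect, os_version)
        except ImportCycle:
            report[symbol] = "CYCLE"
    return report


if __name__ == "__main__":
    for label, policy in (("buggy", buggy_redirect), ("ntdll", ntdll_redirect)):
        print(label, "win7:", audit_imports("kernel32.dll", RTLSUPPORT, policy, 7))
```

With the quoted policy on a Windows 7 version number, both symbols come back as `CYCLE`, because the redirect hands the private kernel32's own stub addresses back to it (the `0049b9f0` and `0049b990` values seen in the `dq` output above); on a Windows 8 version number, or with the ntdll mapping, resolution terminates in ntdll.dll, matching the app's real kernel32 whose IAT points at `ntdll!RtlLookupFunctionEntry`.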