

6/24/2016

Documenting the Undocumented: Adding CFG Exceptions - Breaking Malware

(Figure 3, MsPaint crash: http://breakingmalware.com/wp-content/uploads/2016/06/Figure-3-MsPaint-Crash.png)

Down the Rabbit Hole We Go
I ran it again with my debugger attached to “mspaint.exe” to see what had happened.

(2e18.3520): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) 
eax=00000005 ebx=00547d88 ecx=0000000a edx=773182f0 esi=773182f0 edi=0017cb34 
eip=7732b5a0 esp=0017ca70 ebp=0017ca98 iopl=0         nv up ei pl zr na pe nc 
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246 
ntdll!RtlFailFast2: 
7732b5a0 cd29            int     29h

If you’ve never seen “int 29h”, I would advise you to run a quick Google search for “int 29h Windows”. You’ll find
a few interesting articles that will tell you that “int 29h” leads to nt!KiRaiseSecurityCheckFailure, which will not
help you very much because it’s very generic.
At any rate, it looks like we failed some kind of security check (maybe stack cookies?). The next step would be
to look at the call stack to see if it gives us a hint as to the root cause of the exception.
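The break shown above can be decoded further than “maybe stack cookies?”. As an added example (not code from the post), this Python helper parses a WinDbg break like the one quoted, checks that the c0000409 was raised by int 29h, and maps the ecx value (the reason code that __fastfail passes on x86 and x64 before executing int 29h) to its FAST_FAIL_* name from winnt.h; the sample dump is the post’s own output re-typed in ASCII.

```python
import re

# Subset of the FAST_FAIL_* reason codes defined in winnt.h (argument of __fastfail).
FAST_FAIL_CODES = {
    0: "FAST_FAIL_LEGACY_GS_VIOLATION",
    1: "FAST_FAIL_VTGUARD_CHECK_FAILURE",
    2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    4: "FAST_FAIL_INCORRECT_STACK",
    5: "FAST_FAIL_INVALID_ARG",
    6: "FAST_FAIL_GS_COOKIE_INIT",
    7: "FAST_FAIL_FATAL_APP_EXIT",
    8: "FAST_FAIL_RANGE_CHECK_FAILURE",
    9: "FAST_FAIL_UNSAFE_REGISTRY_ACCESS",
    10: "FAST_FAIL_GUARD_ICALL_CHECK_FAILURE",
    11: "FAST_FAIL_GUARD_WRITE_CHECK_FAILURE",
}
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409  # the "code c0000409" in the debugger banner

# Constructed sample: the x86 WinDbg break quoted in the post, re-typed in ASCII.
SAMPLE = """(2e18.3520): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000005 ebx=00547d88 ecx=0000000a edx=773182f0 esi=773182f0 edi=0017cb34
eip=7732b5a0 esp=0017ca70 ebp=0017ca98 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlFailFast2:
7732b5a0 cd29            int     29h
"""

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[is]p|ebp)=([0-9a-f]{8})", re.I)
CODE_RE = re.compile(r"\bcode ([0-9a-f]{8})", re.I)


def triage_fastfail(dump):
    """Decode the fast-fail reason from a WinDbg break; None if it is not a fast-fail.

    On x86 and x64, __fastfail() loads its reason code into ecx and executes
    int 29h, so the register dump at ntdll!RtlFailFast2 says *which* check failed.
    """
    m = CODE_RE.search(dump)
    if not m or int(m.group(1), 16) != STATUS_STACK_BUFFER_OVERRUN:
        return None
    if not re.search(r"\bint\s+29h\b", dump):
        return None  # c0000409 raised some other way; ecx carries no reason code
    regs = {r.lower(): int(v, 16) for r, v in REG_RE.findall(dump)}
    code = regs["ecx"]
    return {"code": code,
            "name": FAST_FAIL_CODES.get(code, "FAST_FAIL_<unknown %d>" % code),
            "cfg_violation": code in (10, 11)}
```

On the quoted dump ecx is 0xa, which decodes to FAST_FAIL_GUARD_ICALL_CHECK_FAILURE: a Control Flow Guard indirect-call check, not a stack cookie.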

http://breakingmalware.com/documentation/documenting-undocumented-adding-control-flow-guard-exceptions/

4/18