Documenting the Undocumented: Adding CFG Exceptions Breaking Malware
Down the Rabbit Hole We Go
I ran it again with my debugger attached to “mspaint.exe” to see what had happened.
(2e18.3520): Security check failure or stack buffer overrun ‐ code c0000409 (!!! second c
eax=00000005 ebx=00547d88 ecx=0000000a edx=773182f0 esi=773182f0 edi=0017cb34
eip=7732b5a0 esp=0017ca70 ebp=0017ca98 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
7732b5a0 cd29 int 29h
If you’ve never seen “int 29h”, I would advise you to run a quick Google search for “int 29h Windows”. You’ll find
a few interesting articles that will tell you that “int 29h” leads to nt!KiRaiseSecurityCheckFailure, which will not
help you very much on its own because it’s very generic: it is the kernel side of every __fastfail, not of one specific check.
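The register dump above carries more information than the generic nt!KiRaiseSecurityCheckFailure name suggests: on x86, __fastfail passes its FAST_FAIL_* code in ecx before executing int 29h, and the kernel reports the whole thing as STATUS_STACK_BUFFER_OVERRUN (0xC0000409) regardless of which check fired. The following triage helper is an added example, not code from the original post. It parses a 32-bit WinDbg register dump, recognises the int 29h / 0xC0000409 pattern, and maps ecx to the FAST_FAIL_* name as defined in winnt.h (the table below lists the low-numbered entries only). The sample dump is constructed from the output shown on this page, and the second sample is a constructed ordinary access violation used to check that the helper does not misclassify it.

```python
import re

# FAST_FAIL_* codes as defined in winnt.h (subset: the low-numbered entries).
FAST_FAIL_CODES = {
    0: "FAST_FAIL_LEGACY_GS_VIOLATION",
    1: "FAST_FAIL_VTGUARD_CHECK_FAILURE",
    2: "FAST_FAIL_STACK_COOKIE_CHECK_FAILURE",
    3: "FAST_FAIL_CORRUPT_LIST_ENTRY",
    4: "FAST_FAIL_INCORRECT_STACK",
    5: "FAST_FAIL_INVALID_ARG",
    6: "FAST_FAIL_GS_COOKIE_INIT",
    7: "FAST_FAIL_FATAL_APP_EXIT",
    8: "FAST_FAIL_RANGE_CHECK_FAILURE",
    9: "FAST_FAIL_UNSAFE_REGISTRY_ACCESS",
    10: "FAST_FAIL_GUARD_ICALL_CHECK_FAILURE",
    11: "FAST_FAIL_GUARD_WRITE_CHECK_FAILURE",
    12: "FAST_FAIL_INVALID_FIBER_SWITCH",
    13: "FAST_FAIL_INVALID_SET_OF_CONTEXT",
    14: "FAST_FAIL_INVALID_REFERENCE_COUNT",
}

# NTSTATUS the kernel reports for every __fastfail, whatever the FAST_FAIL_* code.
STATUS_STACK_BUFFER_OVERRUN = 0xC0000409

# name=hex pairs as WinDbg prints them for a 32-bit target (eax=..., cs=0023, ...).
REG_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{4,8})\b")

# Constructed from the dump shown on this page (the truncated first line is kept as printed).
SAMPLE_FASTFAIL_DUMP = """\
(2e18.3520): Security check failure or stack buffer overrun - code c0000409 (!!! second c
eax=00000005 ebx=00547d88 ecx=0000000a edx=773182f0 esi=773182f0 edi=0017cb34
eip=7732b5a0 esp=0017ca70 ebp=0017ca98 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
7732b5a0 cd29 int 29h
"""

# Constructed: a plain access violation, which is NOT a fast-fail and must not be decoded as one.
SAMPLE_AV_DUMP = """\
(1a2b.3c4d): Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=0000000a edx=00000000 esi=00000000 edi=00000000
eip=41414141 esp=0017ca70 ebp=0017ca98 iopl=0 nv up ei pl zr na pe nc
41414141 ?? ???
"""


def parse_registers(dump: str) -> dict:
    """Collect every register=value pair in the dump as an int, keyed by register name."""
    regs = {}
    for line in dump.splitlines():
        for name, val in REG_RE.findall(line):
            regs[name] = int(val, 16)
    return regs


def parse_exception_code(dump: str):
    """Pull the NTSTATUS from the 'code XXXXXXXX' field of the exception banner."""
    m = re.search(r"\bcode ([0-9a-fA-F]{8})\b", dump)
    return int(m.group(1), 16) if m else None


def triage_fastfail(dump: str) -> dict:
    """Decide whether the crash is an int 29h fast-fail and, if so, name the check that fired.

    The FAST_FAIL_* code is only meaningful when the faulting instruction is int 29h and the
    status is STATUS_STACK_BUFFER_OVERRUN; ecx is an ordinary register in any other crash.
    """
    regs = parse_registers(dump)
    status = parse_exception_code(dump)
    is_fastfail = status == STATUS_STACK_BUFFER_OVERRUN and "int 29h" in dump
    code = regs.get("ecx") if is_fastfail else None
    return {
        "status": status,
        "is_fastfail": is_fastfail,
        "fastfail_code": code,
        "fastfail_name": (FAST_FAIL_CODES.get(code, "FAST_FAIL_<unlisted>")
                          if code is not None else None),
        "eip": regs.get("eip"),
    }


if __name__ == "__main__":
    for label, dump in (("fastfail", SAMPLE_FASTFAIL_DUMP), ("access violation", SAMPLE_AV_DUMP)):
        print(label, triage_fastfail(dump))
```

Run against the page's dump, the helper reports ecx = 0xa as FAST_FAIL_GUARD_ICALL_CHECK_FAILURE, i.e. an indirect-call target that Control Flow Guard rejected, which is a much more specific starting point for the call-stack analysis than "some kind of security check". The access-violation sample shows why the ecx lookup is gated on the status and the int 29h instruction: the same ecx value in an ordinary crash means nothing.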
At any rate, it looks like we failed some kind of security check (maybe stack cookies?). The next step would be
to look at the call stack to see if perhaps that would give us a hint as to what was the root cause of the