Thursday, November 20, 2014

Use After Free: gflags.exe

Page heap must be enabled for Internet Explorer (iexplore.exe) to observe the crash. To enable page heap on iexplore.exe, run either of the following commands. gflags.exe is installed as part of VC++, .NET etc. when the Microsoft Debugging Tools option is selected. Running gflags.exe this way makes it much easier to catch memory corruption and to trace heap allocations and frees.

gflags.exe /i iexplore.exe +hpa +ust 
This enables the page heap (hpa) and user-mode stack trace database (ust) flags for the image.

gflags.exe /p /enable iexplore.exe /full 
This uses the dedicated page heap switch; /full selects full page heap (every allocation gets its own guard page) rather than the lighter normal page heap.
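As an added example (not part of the original post), the following script decodes the GlobalFlag value that gflags.exe writes under Image File Execution Options and, on Windows, reads the live key for iexplore.exe to confirm that +hpa +ust actually took effect. The bit values are the documented FLG_* constants; the registry path and value names are what gflags uses.

```python
"""Verify the gflags settings for an image by decoding its IFEO GlobalFlag value."""
import sys

# Subset of GlobalFlag bits relevant to heap debugging (gflags abbreviation -> FLG_* bit).
GLOBAL_FLAG_BITS = {
    "htc": 0x00000010,  # heap tail checking
    "hfc": 0x00000020,  # heap free checking
    "hpc": 0x00000040,  # heap parameter checking
    "hvc": 0x00000080,  # heap validation on call
    "vrf": 0x00000100,  # application verifier
    "htg": 0x00000800,  # heap tagging
    "ust": 0x00001000,  # user mode stack trace database
    "hpa": 0x02000000,  # page heap
}

IFEO_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
WANTED = GLOBAL_FLAG_BITS["hpa"] | GLOBAL_FLAG_BITS["ust"]  # what "+hpa +ust" should set


def parse_global_flag(raw):
    """gflags stores GlobalFlag as a REG_SZ hex string such as "0x02001000";
    a hand-edited key may be a REG_DWORD instead, so accept both forms."""
    if isinstance(raw, int):
        return raw
    return int(str(raw).strip(), 16)


def decode_global_flag(value):
    """Return the sorted gflags abbreviations whose bits are set in value."""
    return sorted(abbr for abbr, bit in GLOBAL_FLAG_BITS.items() if value & bit)


def page_heap_ready(value):
    """True only when both flags the post enables (hpa and ust) are present."""
    return value & WANTED == WANTED


def read_ifeo_global_flag(image="iexplore.exe"):
    """Windows only: read GlobalFlag from the image's IFEO key; None if unset."""
    import winreg  # present only on Windows builds of Python
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_PATH + "\\" + image) as key:
            raw, _value_type = winreg.QueryValueEx(key, "GlobalFlag")
    except OSError:
        return None
    return parse_global_flag(raw)


if __name__ == "__main__" and sys.platform == "win32":
    flags = read_ifeo_global_flag()
    if flags is None:
        print("no GlobalFlag set for iexplore.exe")
    else:
        print(f"GlobalFlag 0x{flags:08x} -> {decode_global_flag(flags)}, page heap ready: {page_heap_ready(flags)}")
```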

C:\Users\praveend>gflags.exe /?
usage: GFLAGS [-r []] |
              [-r +spp TAG | -r +spp SIZE | -r -spp |
              [-k []] |
              [-k +spp TAG | -k +spp SIZE | -k -spp] |
              [-ro [-d | { -i | -t [;...] } [-
p] ] |
              [-ko [-d | { -i | -t [;...] } [-
p] ] |
              [-i []] |
              [-i -tracedb ] |
              [-p ] (use `-p ?' for help)  |

where: is a 32 bit hex number (0x12345678) that specifies
       one or more global flags to set.
       -r operates on system registry settings.
       -r +spp TAG - Set Special Pool tag value.
                     TAG can have up to four characters.
       -r +spp SIZE - Set Special Pool block size value.
                      SIZE must be in hex format, starting with characters 0x.
       -r -spp      - Disable Special Pool tag or block size.
       -k operates on kernel settings of the running system.
          -k +spp TAG   - Set Special Pool tag value at run time.
                          TAG can have up to four characters.
          -k +spp SIZE  - Set Special Pool block size value at run time.
                          SIZE must be in hex format, starting with characters 0
          -k -spp       - Disable Special Pool tag or block size at run time.
       -ro operates on object reference tracing at boot time.
       -ko operates on object reference tracing at run time.
          -d disables object reference tracing. Do not specify any
             other tracing options.
          -i specifies the image name for which
             to capture traces. All processes started up with this
             image file will be traced.
          -t [;...] specifies the pool tags for which
             to capture traces. Pool tags should be 4 letters each,
             separated by ';'. This value is case sensitive.
          -p maintains traces after the objects are destroyed(permanent).
             By default traces are temporary.
          Unless you are using -d you must specify at least one of the
          -i or the -p options. You may specify both in which case
          objects with a pool tag that is among the list of pool tags
          you specify, created by processes with the image filename
          you specify will be traced. -ko settings override -ro settings.
          Also, if you specify a new set of -ko settings the previous
          -ko settings, if any, are lost (same for -ro).
       -i operates on settings for a specific image file.
           [ignored when not suported in the current OS versions]

       If only the switch is specified, then current settings
       are displayed, not modified.  If flags specified for -i
       option are FFFFFFFF, then registry entry for that image
       is deleted

The `-tracedb' option is used to set the size of the stack trace
database used to store runtime stack traces. The actual database
will be created if the `+ust' flag is set in a previous command.
`-tracedb 0' will revert to the default size for the database.

If no arguments are specified to GFLAGS then it displays
a dialog box that allows the user to modify the global
flag settings.

Flags may either be a single hex number that specifies all
32-bits of the GlobalFlags value, or it can be one or more
arguments, each beginning with a + or -, where the + means
to set the corresponding bit(s) in the GlobalFlags and a -
means to clear the corresponding bit(s).  After the + or -
may be either a hex number or a three letter abbreviation
for a GlobalFlag.  Valid abbreviations are:

    soe - Stop On Exception
    sls - Show Loader Snaps
    dic - Debug Initial Command
    shg - Stop on Hung GUI
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking
    hvc - Enable heap validation on call
    vrf - Enable application verifier
    ptg - Enable pool tagging
    htg - Enable heap tagging
    ust - Create user mode stack trace database
    kst - Create kernel mode stack trace database
    otl - Maintain a list of objects for each type
    htd - Enable heap tagging by DLL
    dse - Disable stack extensions
    d32 - Enable debugging of Win32 Subsystem
    ksl - Enable loading of kernel debugger symbols
    dps - Disable paging of kernel stacks
    scb - Enable system critical breaks
    dhc - Disable Heap Coalesce on Free
    ece - Enable close exception
    eel - Enable exception logging
    eot - Enable object handle type tagging
    hpa - Enable page heap
    dwl - Debug WINLOGON
    ddp - Disable kernel mode DbgPrint output
    cse - Early critical section event creation
    sue - Stop on Unhandled Exception
    bhd - Enable bad handles detection
    dpd - Disable protected DLL verification
    lpg - Load image using large pages if possible

All images with ust enabled can be accessed in the
USTEnabled key under 'Image File Options'.

Now we can observe crashes in Internet Explorer; set WinDbg or OllyDbg as your Just-In-Time debugger so the crash is caught at the faulting instruction.