Thursday, November 20, 2014

Use After Free: gflags.exe

Page heap must be enabled on Internet Explorer (iexplore.exe) to observe the crash. To enable page heap on iexplore.exe, run either of the following commands. gflags.exe is installed as part of VC++, .NET etc. when the Microsoft Debugging Tools option is selected. Running gflags.exe makes it easy to find memory corruption and to trace heap allocations and frees.

gflags.exe /i iexplore.exe +hpa +ust
Enables the page heap (hpa) and user-mode stack trace database (ust) flags for iexplore.exe.

gflags.exe /p /enable iexplore.exe /full
Enables full page heap for iexplore.exe through the page heap (/p) switch.

C:\Users\praveend>gflags.exe /?
usage: GFLAGS [-r []] |
              [-r +spp TAG | -r +spp SIZE | -r -spp |
              [-k []] |
              [-k +spp TAG | -k +spp SIZE | -k -spp] |
              [-ro [-d | { -i | -t [;...] } [-p] ] |
              [-ko [-d | { -i | -t [;...] } [-p] ] |
              [-i []] |
              [-i -tracedb ] |
              [-p ] (use `-p ?' for help)  |

where: is a 32 bit hex number (0x12345678) that specifies
       one or more global flags to set.
       -r operates on system registry settings.
       -r +spp TAG - Set Special Pool tag value.
                     TAG can have up to four characters.
       -r +spp SIZE - Set Special Pool block size value.
                      SIZE must be in hex format, starting with characters 0x.
       -r -spp      - Disable Special Pool tag or block size.
       -k operates on kernel settings of the running system.
          -k +spp TAG   - Set Special Pool tag value at run time.
                          TAG can have up to four characters.
          -k +spp SIZE  - Set Special Pool block size value at run time.
                          SIZE must be in hex format, starting with characters 0x.
          -k -spp       - Disable Special Pool tag or block size at run time.
       -ro operates on object reference tracing at boot time.
       -ko operates on object reference tracing at run time.
          -d disables object reference tracing. Do not specify any
             other tracing options.
          -i specifies the image name for which
             to capture traces. All processes started up with this
             image file will be traced.
          -t [;...] specifies the pool tags for which
             to capture traces. Pool tags should be 4 letters each,
             separated by ';'. This value is case sensitive.
          -p maintains traces after the objects are destroyed(permanent).
             By default traces are temporary.
          Unless you are using -d you must specify at least one of the
          -i or the -p options. You may specify both in which case
          objects with a pool tag that is among the list of pool tags
          you specify, created by processes with the image filename
          you specify will be traced. -ko settings override -ro settings.
          Also, if you specify a new set of -ko settings the previous
          -ko settings, if any, are lost (same for -ro).
       -i operates on settings for a specific image file.
           [ignored when not suported in the current OS versions]

       If only the switch is specified, then current settings
       are displayed, not modified.  If flags specified for -i
       option are FFFFFFFF, then registry entry for that image
       is deleted

The `-tracedb' option is used to set the size of the stack trace
database used to store runtime stack traces. The actual database
will be created if the `+ust' flag is set in a previous command.
`-tracedb 0' will revert to the default size for the database.

If no arguments are specified to GFLAGS then it displays
a dialog box that allows the user to modify the global
flag settings.

Flags may either be a single hex number that specifies all
32-bits of the GlobalFlags value, or it can be one or more
arguments, each beginning with a + or -, where the + means
to set the corresponding bit(s) in the GlobalFlags and a -
means to clear the corresponding bit(s).  After the + or -
may be either a hex number or a three letter abbreviation
for a GlobalFlag.  Valid abbreviations are:

    soe - Stop On Exception
    sls - Show Loader Snaps
    dic - Debug Initial Command
    shg - Stop on Hung GUI
    htc - Enable heap tail checking
    hfc - Enable heap free checking
    hpc - Enable heap parameter checking
    hvc - Enable heap validation on call
    vrf - Enable application verifier
    ptg - Enable pool tagging
    htg - Enable heap tagging
    ust - Create user mode stack trace database
    kst - Create kernel mode stack trace database
    otl - Maintain a list of objects for each type
    htd - Enable heap tagging by DLL
    dse - Disable stack extensions
    d32 - Enable debugging of Win32 Subsystem
    ksl - Enable loading of kernel debugger symbols
    dps - Disable paging of kernel stacks
    scb - Enable system critical breaks
    dhc - Disable Heap Coalesce on Free
    ece - Enable close exception
    eel - Enable exception logging
    eot - Enable object handle type tagging
    hpa - Enable page heap
    dwl - Debug WINLOGON
    ddp - Disable kernel mode DbgPrint output
    cse - Early critical section event creation
    sue - Stop on Unhandled Exception
    bhd - Enable bad handles detection
    dpd - Disable protected DLL verification
    lpg - Load image using large pages if possible

All images with ust enabled can be accessed in the
USTEnabled key under 'Image File Options'.
C:\Users\praveend>
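As an added example (not part of the original post), the following Python implements the flag syntax the help text above describes: a bare hex number replaces the whole GlobalFlags value, while +abbr/-abbr (or +0x../-0x..) set or clear bits on top of the current value. The bit values are the Windows FLG_* constants, which the page does not list; only the subset I am certain of is included, hpa and ust being the two that the commands above use.

```python
# Added example: encode/decode the GlobalFlags syntax from the gflags help text.
# Bit values are the Windows FLG_* constants (not on the page); only a subset
# whose values are certain is included here.
GFLAG_BITS = {
    "soe": 0x00000001,  # Stop On Exception
    "sls": 0x00000002,  # Show Loader Snaps
    "dic": 0x00000004,  # Debug Initial Command
    "shg": 0x00000008,  # Stop on Hung GUI
    "htc": 0x00000010,  # Enable heap tail checking
    "hfc": 0x00000020,  # Enable heap free checking
    "hpc": 0x00000040,  # Enable heap parameter checking
    "hvc": 0x00000080,  # Enable heap validation on call
    "vrf": 0x00000100,  # Enable application verifier
    "htg": 0x00000800,  # Enable heap tagging
    "ust": 0x00001000,  # Create user mode stack trace database
    "kst": 0x00002000,  # Create kernel mode stack trace database
    "htd": 0x00008000,  # Enable heap tagging by DLL
    "hpa": 0x02000000,  # Enable page heap
}

def apply_gflags(args, current=0):
    """Return the 32-bit GlobalFlags value after applying gflags-style args.

    A lone hex number (e.g. "0x02001000") replaces the whole value; "+x"/"-x"
    set or clear bits on top of `current`, the value already in the registry.
    """
    value = current & 0xFFFFFFFF
    for arg in args:
        if arg[0] not in "+-":
            if len(args) != 1:
                raise ValueError("a bare hex value must be the only flags argument")
            return int(arg, 16) & 0xFFFFFFFF
        body = arg[1:].lower()
        bits = GFLAG_BITS[body] if body in GFLAG_BITS else int(body, 16)
        value = value | bits if arg[0] == "+" else value & ~bits & 0xFFFFFFFF
    return value

def decode_gflags(value):
    """Name the known flags set in `value` (lowest bit first); any bits not in
    the table come back as a hex remainder string, "" if there are none."""
    names = [n for n, b in sorted(GFLAG_BITS.items(), key=lambda kv: kv[1]) if value & b]
    known = sum(GFLAG_BITS.values())
    rest = value & ~known & 0xFFFFFFFF
    return names, (f"0x{rest:08x}" if rest else "")

if __name__ == "__main__":
    v = apply_gflags(["+hpa", "+ust"])  # what "gflags /i iexplore.exe +hpa +ust" sets
    print(f"GlobalFlag = 0x{v:08x}", decode_gflags(v))
```

The value returned by apply_gflags is what gflags /i writes to the GlobalFlag entry under the image's Image File Execution Options key, so decode_gflags is a quick way to read back what is actually enabled.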

Now we can observe crashes in Internet Explorer; set WinDbg or OllyDbg as your Just-In-Time debugger!