Piracy in .NET Code – Part 2 – Even when the code is obfuscated


Continuing with my previous post, one of the biggest security holes I have noticed in certain application is using unsecure Network I/O communication, especially when activating license. I have seen software where they have used the best tool to obfuscate the code, it is extremely hard to disassemble this. But lose out by invoking a web service with plaintext xml for registration and communication. Like I mentioned in my previous post, I am not going to be discussing on how to solve this problem.

I have seen applications which would have a trial period after which the application pops-up a dialog box for activating license. Only if license text matches the format criteria (like xxx-xx-xxxx-xx) the send button enables. To circumvent the disabled button, some of the smart developers could enable the button within the debugger (windbg /cdb) or using a something like HawkEye . This is the first line of defense for the application.

The next thing is launching something like Fiddler and checking out the web service request /response for the activation request. I am sure most of us have dealt with fiddler, and if you are not aware, fiddler gives an option to have a break-point on response from the server. So it is easy to do a Man-in-the-middle attack by injecting your own response or someone could even hack the lmhost file to act as a server.

And just because it is plain text, I have usually seen a bool variable in the response being activated or not. And it is not hard for someone to update the response text and pass it as a response back from the server.

The updated xml might not comply with the response expected by the application, it might throw an exception like this

0:020> !pe

Exception object: 045b4314

Exception type:   System.Xml.XmlException

Message:          Unexpected end of file while parsing Test  has occurred. Line 13, position 81.

InnerException:   <none>

StackTrace (generated):

<none>

StackTraceString: <none>

HResult: 80131940

Because it is xml, usually these applications end up using XmlTextReader to parse it and from the exception someone could figure out what element is expected and build the xml out of this. FYI the XmlTextReader library is usually never obfuscated.

The idea behind this post is to let the dev’s understand the security risks and someone with little advanced knowledge can exploit the holes. This is not just applicable for software piracy, but in general, especially with the RIA growing rapidly we would want to consider the security aspect also.

Visualizing Silverlight / .NET managed memory using Pivot


I got to see this amazing video on Pivot from Gary Flake.  Pivot is about visualizing data. It’s primarily for visualizing patterns and trends. What other way I would use other than analyzing managed memory using pivot. I spend a lot of time in windbg to look at memory for patterns, analyzing memory leaks.  And I also know not many of them want to learn the arcane commands of windbg. So I went ahead took the data from managed memory and ported it in to pivot format , which is cxml. I use the “!Traverseheap –xml” command from sos to generate the xml ,which I port it to cxml format.My initial thought was use dgml to visualize the data, but pivot is way better. Pivot can only be used in Vista+  OS.

FYI I know this is not for everyone, there are geeks who wouldn’t want to look at memory in a visual format, they prefer looking at in cdb.  I took Facebook Silverlight client app and got a snapshot of the memory for this demonstration

The few things that can be done with this are

  • Drill down objects by type with just one click : What I mean by this is , you could probably have 6000 odd types of objects and not instances (instances could be in thousands), but if you wanted to look at all the instance of customer objects  , it is as easy as one click from the filter.

Here is an example of filtering securitypermission objects in memory

  • Drill down members: The objects members can be looked up. So if you are looking at the customer object then you can view  strings, ints and all its members. It WILL NOT have the value for these members. It is not provided by the traverseheap command

  • Filter objects by namespace– All the objects belonging to namespaces can be drilled down.

  • Filter by object size


void Main()
{
 var startString =@"<?xml version=""1.0"" encoding=""utf-8""?>
<?xml-stylesheet type=""text/xsl"" href=""../pivot.xsl""?>
<Collection xmlns:xsi=""http://www.w3.org/2001/XMLSchema-instance"" xmlns:xsd=""http://www.w3.org/2001/XMLSchema""
 Name=""Memory Visualization"" SchemaVersion=""1"" d1p1:Icon=""icon.ico""
 xmlns:d1p1=""http://schemas.microsoft.com/livelabs/pivot/collection/2009"" xmlns=""http://schemas.microsoft.com/collection/metadata/2009"">
 <FacetCategories>
 <FacetCategory Name=""Type"" Type=""String"" d1p1:IsFilterVisible=""true"" d1p1:IsMetaDataVisible=""true"" d1p1:IsWordWheelVisible=""true"" />
 <FacetCategory Name=""Address"" Type=""String"" d1p1:IsFilterVisible=""true"" d1p1:IsMetaDataVisible=""true"" d1p1:IsWordWheelVisible=""true"" />
 <FacetCategory Name=""Size""  Type=""Number"" d1p1:IsFilterVisible=""true"" d1p1:IsMetaDataVisible=""true"" d1p1:IsWordWheelVisible=""true"" />
 <FacetCategory Name=""Namespaces"" Type=""Link"" d1p1:IsFilterVisible=""true"" d1p1:IsMetaDataVisible=""true"" d1p1:IsWordWheelVisible=""true"" />
 <FacetCategory Name=""Members"" Type=""Link"" d1p1:IsFilterVisible=""true"" d1p1:IsMetaDataVisible=""true"" d1p1:IsWordWheelVisible=""true"" />
 </FacetCategories>
 <Items ImgBase=""test.gif"">";

 var endString = @"</Items>
</Collection>";

 var counter = 0;
 var outputFileName = "sl.cxml";
 var dict = new Dictionary<string,string>() { {"String","img5.jpg"},{"Object","img6.jpg"}};
 var getimg = new Func<string,string>((t) => dict.ContainsKey(t) ? dict[t] : "img8.jpg");

 var doc = XDocument.Load(@"c:\Temp\fb.xml");

 var types = (from i in doc.Descendants().Descendants().Descendants("type").AsParallel()
 let ns = i.Attribute("name").Value.SplitEx().ToList()
 select new {Id = int.Parse( i.FirstAttribute.Value),Name = ns.Last(),
 Namespaces = ns.Count()  > 2 ? ns.Take(ns.Count () -2) : ns.Take(ns.Count -1)}).ToList();
 var y = from i in doc.Descendants().Descendants().Descendants("object").AsParallel()
 let type = types.First (t => t.Id== int.Parse( i.Attribute("typeid").Value))
 select new {Address = i.FirstAttribute.Value,
 Type = type.Name,
 Namespaces = type.Namespaces,
 Size = int.Parse( i.LastAttribute.Value),
 children = from k in i.Descendants().AsParallel()
 from o in doc.Descendants().Descendants().Descendants("object").AsParallel()
 where k.FirstAttribute.Value == o.FirstAttribute.Value
 select new {Address = k.FirstAttribute.Value,Type = types.First (t => t.Id == int.Parse( o.Attribute("typeid").Value) ).Name}
 };

 var x = from i in y.Take(2000).AsParallel()
 let increment = new Func<int>(() => Interlocked.Increment(ref counter))
 select new XElement("Item",new XAttribute("Img",getimg(i.Type)),new XAttribute("Id",increment()),new XAttribute("Name",i.Type),
 new XElement("Facets",
 new XElement("Facet",new XAttribute("Name","Type"),
 new XElement("String",new XAttribute("Value",i.Type))),
 new XElement("Facet",new XAttribute("Name","Size"),
 new XElement("Number",new XAttribute("Value",i.Size.ToString()))),
 new XElement("Facet",new XAttribute("Name","Address"),
 new XElement("String",new XAttribute("Value",i.Address))),
 new XElement("Facet",new XAttribute("Name","Namespaces"),
 i.Namespaces.Select (n =>new XElement("Link",new XAttribute("Name",n),new XAttribute("Href",string.Format("{0}#Link=EQ.{1}",outputFileName,n))))),
 i.children.Any() == false ? default(XElement):
 new XElement("Facet",new XAttribute("Name","Members"),
 i.children.Select (n =>new XElement("Link",new XAttribute("Name",n.Type),new XAttribute("Href",string.Format("{0}#Address=EQ.{1}",outputFileName,n.Address)))))
 )).ToString();
 File.WriteAllText(@"c:\temp\sl.cxml",string.Format("{0}{1}{2}",startString,x.Select (s => s).Aggregate(new StringBuilder(), (ag, n) => ag.Append(n)).ToString(),endString));
 Console.WriteLine ("Done");
}

static class Foo
{
 public static IEnumerable<string> SplitEx(this string s)
 {
 if (s.Contains("`") == false)
 return s.Split(new []{'.'});
 else
 {
 var stringList = new List<string>();
 var index =0;
 var counter = 0;
 var splitString = "";
 while (counter < s.Length)
 {
 index = s.IndexOf(".",counter);
 if (index < 0)
 {
 stringList.Add(s.Substring(counter));
 break;
 }
 splitString = s.Substring(counter,index -counter );
 if (splitString.Contains("`"))
 {
 stringList.Add(s.Substring(counter));
 break;
 }
 stringList.Add(splitString);
 counter = index +1;
 }
 return stringList;
 }
 }
}

The above code converts the xml format from !traverseheap to pivot xml format. This is CPU intensive and I have not profiled and fine tuned it. I use plinq for conversion primarily because I have quad-core box. I use pictures from powerpoint for visualizing  objects and I also wrote SplitEx method to avoid splitting namespaces that are part of the type name within generics “GenericEqualityComparer`1[[System.String, mscorlib]]“

And here is the command to get the xml input for the above code as input

!TraverseHeap -xml c:\temp\mem.xml

.NET – How can debug=true extend the life time of local variable


I am sure there are quite a few blog posts that advocate on not set debug=true in production code. The reason being the optimization and performance are turned off. In this blog post I am specifically going to demonstrate how the lifetime of a variable would be extended based on this setting by the JIT Compiler. The JIT compiler explicitly extends the lifetime of the local variables until the end of the method, which might not be required because it is not being used anymore.

using System;
namespace ConsoleApplication2
{
 internal class Program
 {
 private static void Main(string[] args)
 {
 var c = new Customer {Age = 20, Name = "Ted"};
 GC.Collect();
 Console.Read();
 }
 }
 internal class Customer
 {
 public string Name { get; set; }
 public int Age { get; set; }
 }
}

In the above sourcecode I have created a new instance of customer and I am not referring it anywhere after that. I am explicitly invoking GC.Collect so that the objects that aren’t in scope would be collected.

I have compiled this code within VS.NET using the default setting, which essentially is the debug mode. And here is the output after disassembling it, which adds the Debuggable attribute to the assembly

assembly: Debuggable(DebuggableAttribute.DebuggingModes.DisableOptimizations | DebuggableAttribute.DebuggingModes.EnableEditAndContinue | DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints | DebuggableAttribute.DebuggingModes.Default)]

Let’s see how this attribute affects the local variable “c” lifetime. Launched the application and then attached it to Windbg.   Loaded the sosex extension

Here is the output from !mk command

0:000> !mk

Thread 0:

*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\bc19222db4406c472d9aa1f8b6e0f470\mscorlib.ni.dll

ESP              EIP

00:U 00000000002ee758 00000000774100da ntdll!ZwRequestWaitReplyPort+0xa

01:U 00000000002ee760 00000000772c2b08 KERNEL32!ConsoleClientCallServer+0x54

02:U 00000000002ee790 00000000772f5601 KERNEL32!ReadConsoleInternal+0x1f1

03:U 00000000002ee8e0 000000007730a922 KERNEL32!ReadConsoleA+0xb2

04:U 00000000002ee9c0 00000000772d9934 KERNEL32!zzz_AsmCodeRange_End+0x8bea

05:U 00000000002eea00 000007fef34417c7 clr!DoNDirectCall__PatchGetThreadCall+0x7b

06:M 00000000002eeab0 000007fedfb034a1 DomainNeutralILStubClass.IL_STUB_PInvoke(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)(+0x0 IL)(+0x0 Native)

07:M 00000000002eebd0 000007fee02af59a System.IO.__ConsoleStream.ReadFileNative(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte[], Int32, Int32, Int32, Int32 ByRef)(+0x53 IL)(+0xba Native)

08:M 00000000002eec40 000007fee02af402 System.IO.__ConsoleStream.Read(Byte[], Int32, Int32)(+0x5d IL)(+0x62 Native)

09:M 00000000002eeca0 000007fedfabe63c System.IO.StreamReader.ReadBuffer()(+0xa0 IL)(+0x5c Native)

0a:M 00000000002eecf0 000007fee0245630 System.IO.StreamReader.Read()(+0x21 IL)(+0x30 Native)

0b:M 00000000002eed30 000007fee02b7458 System.IO.TextReader+SyncTextReader.Read()(+0x0 IL)(+0x38 Native)

0c:M 00000000002eed80 000007ff001701cd *** WARNING: Unable to verify checksum for C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication2\bin\Debug\ConsoleApplication2.exe

ConsoleApplication2.Program.Main(System.String[])(+0x24 IL)(+0xad Native) [C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication2\Program.cs, @ 10,13]

0d:U 00000000002eede0 000007fef34810b4 clr!CallDescrWorker+0x84

0e:U 00000000002eee30 000007fef34811c9 clr!CallDescrWorkerWithHandler+0xa9

0f:U 00000000002eeeb0 000007fef3481245 clr!MethodDesc::CallDescr+0x2a1

10:U 00000000002ef0e0 000007fef3581675 clr!ClassLoader::RunMain+0x228

11:U 00000000002ef330 000007fef35817ac clr!Assembly::ExecuteMainMethod+0xac

12:U 00000000002ef5e0 000007fef3581562 clr!SystemDomain::ExecuteMainMethod+0x452

13:U 00000000002efb90 000007fef3583dd6 clr!ExecuteEXE+0x43

14:U 00000000002efbf0 000007fef3583cf3 clr!CorExeMainInternal+0xc4

15:U 00000000002efc60 000007fef3607365 clr!CorExeMain+0x15

16:U 00000000002efca0 000007fef9393309 mscoreei!CorExeMain+0x41

17:U 00000000002efcd0 000007fef9425b21 MSCOREE!CorExeMain_Exported+0x57

18:U 00000000002efd00 00000000772bf56d KERNEL32!BaseThreadInitThunk+0xd

19:U 00000000002efd30 00000000773f3281 ntdll!RtlUserThreadStart+0x1d

From the call-stack we are interested in the 0c frame. So I switch to the frame using !mframe 0c

The next command is to look at the locals using !mdv and here is the output

0:000> !mdv

Frame 0xc: (ConsoleApplication2.Program.Main(System.String[])):

[A0]:args:0x00000000026a2258 (System.String[])

[L0]:c:0x00000000026a2298 (ConsoleApplication2.Customer)

[L1]:<>g__initLocal0:0x00000000026a2298 (ConsoleApplication2.Customer)

Notice the local variable reference “c” which is of type Customer and so its details are using !mdt c


0:000> !mdt c

00000000026a2298 (ConsoleApplication2.Customer)

<Name>k__BackingField:00000000026a2278 (System.String: "Ted")

<Age>k__BackingField:0x14 (System.Int32)

This is something which usually isn’t surprising to see right.  But if I change the compilation settings to release mode then here is the locals for the same code using !mdv


0:000> !mdv

Frame 0xc: (ConsoleApplication2.Program.Main(System.String[])):

[A0]:args:<?>

[L0]:<>g__initLocal0:<?>

Notice the change we don’t see the variable “c” of type Customer anymore after the GC.Collect in the release mode.  The reason behind this is, in debug mode ,the JIT Compiler explicitly extended the lifetime of the local variable to the end of the method and where as in release mode it does not do it.

Use IntelliTrace without Visual Studio .NET


IntelliTrace is one of the best things in Visual Studio 2010. You can do “time travel” through your managed code. John Robbins has cool cool blog post on the working on IntelliTrace. I knew I could use IntelliTrace in field where the customer does not have VS.NET. To use in field ,I had to figure out the dependencies for IntelliTrace. So I fired up Windbg attached to the IntelliTrace process which would dump the all the modules loaded


Symbol search path is: SRV*D:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 01210000 01218000   D:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\TraceDebugger Tools\IntelliTrace.exe
ModLoad: 77d20000 77ea0000   C:\Windows\SysWOW64\ntdll.dll
ModLoad: 716b0000 716fa000   C:\Windows\SYSTEM32\MSCOREE.DLL
ModLoad: 76fe0000 770e0000   C:\Windows\syswow64\KERNEL32.dll
ModLoad: 75de0000 75e26000   C:\Windows\syswow64\KERNELBASE.dll
ModLoad: 75b90000 75c30000   C:\Windows\syswow64\ADVAPI32.dll
ModLoad: 77360000 7740c000   C:\Windows\syswow64\msvcrt.dll
ModLoad: 76000000 76019000   C:\Windows\SysWOW64\sechost.dll
ModLoad: 75cf0000 75de0000   C:\Windows\syswow64\RPCRT4.dll
ModLoad: 75890000 758f0000   C:\Windows\syswow64\SspiCli.dll
ModLoad: 75880000 7588c000   C:\Windows\syswow64\CRYPTBASE.dll
ModLoad: 71050000 710b6000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
ModLoad: 77440000 77497000   C:\Windows\syswow64\SHLWAPI.dll
ModLoad: 75910000 759a0000   C:\Windows\syswow64\GDI32.dll
ModLoad: 76cf0000 76df0000   C:\Windows\syswow64\USER32.dll
ModLoad: 774a0000 774aa000   C:\Windows\syswow64\LPK.dll
ModLoad: 759a0000 75a3d000   C:\Windows\syswow64\USP10.dll
ModLoad: 770e0000 77140000   C:\Windows\system32\IMM32.DLL
ModLoad: 77710000 777dc000   C:\Windows\syswow64\MSCTF.dll
ModLoad: 6b590000 6bbff000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
ModLoad: 70c00000 70cbe000   C:\Windows\system32\MSVCR100_CLR0400.dll
ModLoad: 6a7c0000 6b583000   C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\246f1a5abb686b9dcdf22d3505b08cea\mscorlib.ni.dll
ModLoad: 71b50000 71b60000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
ModLoad: 76df0000 76f4c000   C:\Windows\syswow64\ole32.dll
ModLoad: 6d2b0000 6db48000   C:\Windows\assembly\NativeImages_v4.0.30319_32\System\964da027ebca3b263a05cadb8eaa20a3\System.ni.dll
ModLoad: 74180000 74188000   C:\Windows\assembly\NativeImages_v4.0.30319_32\IntelliTrace\947780232db1934c92cdfdaf2433bb59\IntelliTrace.ni.exe
ModLoad: 59660000 59a9d000   C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualStu#\c828bb166e9d0df0e9b44a0a7616624a\Microsoft.VisualStudio.IntelliTrace.ni.dll
ModLoad: 618b0000 6196e000   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime.Remo#\dc1f0dbf1d3ba856eccec90b62b55d79\System.Runtime.Remoting.ni.dll
ModLoad: 66330000 66883000   C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\e997d0200c25f7db6bd32313d50b729d\System.Xml.ni.dll
ModLoad: 75c60000 75cef000   C:\Windows\syswow64\oleaut32.DLL
ModLoad: 70a10000 70a70000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
ModLoad: 58fe0000 59085000   C:\Program Files (x86)\Common Files\Microsoft Shared\VSTS 10.0\Trace Debugger\TraceLogProfiler.dll
ModLoad: 77cf0000 77cf5000   C:\Windows\syswow64\PSAPI.DLL
ModLoad: 76020000 76c69000   C:\Windows\syswow64\SHELL32.dll
ModLoad: 752a0000 752a9000   C:\Windows\system32\VERSION.dll
ModLoad: 753e0000 753f6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 75360000 7539b000   C:\Windows\system32\rsaenh.dll
ModLoad: 753d0000 753de000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 650e0000 650e5000   C:\Windows\system32\shfolder.dll
ModLoad: 75300000 7535f000   C:\Windows\system32\sxs.dll
(159c.6bc): Break instruction exception - code 80000003 (first chance)
eax=7ef39000 ebx=00000000 ecx=00000000 edx=77dbf50a esi=00000000 edi=00000000
eip=77d3000c esp=0683fca4 ebp=0683fcd0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!DbgBreakPoint:
77d3000c cc              int     3

So from the above output I figure out the required files for running IntelliTrace without VS.NET is

  1. IntelliTrace.exe
  2. IntelliTrace.exe.config
  3. Microsoft.VisualStudio.IntelliTrace.dll
  4. TraceLogProfiler.dll

The next thing was to check the command line options for IntelliTrace

  1. start
  2. status
  3. stop
  4. run
  5. launch
  6. help

I knew the command line option should have something interesting. So when the IntelliTrace was running I looked at command line options in Process Explorer

"D:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\TraceDebugger Tools\IntelliTrace.EXE" run /n:"test.exe_00001330_01cae6f016c66e1e"
/cp:"C:\Users\naveen\AppData\Local\Microsoft\VisualStudio\10.0\TraceDebugger\Settings\aoqsbu4g.fpj" /f:"Test_00001330_100428_123018.iTrace"

When i tried to open the “C:\Users\naveen\AppData\Local\Microsoft\VisualStudio\10.0\TraceDebugger\Settings\aoqsbu4g.fpj”, I got this error

So I went to the directory and  just made a copy of the file and then I was able to open the file. It was a xml file which contains most of the settings. It is collection plan settings file. The things that I updated in this file were <LogFileDirectory useDefault=”false”>C:\temp\</LogFileDirectory> and <DeleteLogOnExit>false</DeleteLogOnExit> for my test run. There are lot of settings in this file, which can be tweaked based on need,do explore this file.

With all this information, the next thing was to get a clean Installation of  Windows without VS.NET, good thing I had my laptop which had that. So I copied the required dependencies mentioned above along with a simple test.exe  which I used for figuring out Watson Buckets and here are the contents of the directory

And here is the command line option to start tracing Test.exe

C:\Users\naveen\intellitrace\intellitrace>IntelliTrace.exe launch /cp:q0mmz2ch.ixp Test.exe

The /cp:q0mmz2ch.ixp is the collection plan file. Here is the output from the above command

C:\Users\Naveen\intellitrace\intellitrace>IntelliTrace.exe launch /cp:q0mmz2ch.i
xp Test.exe
Microsoft (R) Visual Studio Logger. Version 10.0.30319.1
Copyright (C) Microsoft Corporation. All rights reserved.
C:\Users\Naveen\intellitrace\intellitrace\IntelliTrace.exe run /name:c__temp_9ce
6b8f1-19a5-44b7-909d-512a4c74e632.itrace /logfile:C:\temp\9ce6b8f1-19a5-44b7-909
d-512a4c74e632.iTrace /buffersize:65536 /buffercount:512 /watch:-1 /help- /nolog
o+ /collectionplan:q0mmz2ch.ixp /hidden-
Logger name is ‘c__temp_9ce6b8f1-19a5-44b7-909d-512a4c74e632.itrace’
Log file path ‘C:\temp\9ce6b8f1-19a5-44b7-909d-512a4c74e632.iTrace’
Using 512 buffers of 65536 bytes each.
Logger started.
Logger started.
Press Ctrl+C to stop logging or use ‘IntelliTrace stop /name:c__temp_9ce6b8f1-19
a5-44b7-909d-512a4c74e632.itrace’ from another command line.
Starting process ‘C:\Users\Naveen\intellitrace\intellitrace\Test.exe’
Waiting for process to exit
WatsonTest.WatsonBuckets

Unhandled Exception: System.NullReferenceException: Object reference not set to
an instance of an object.
at WatsonTest.Test.Main(String[] args)
Process exited with exit code -532462766.
Process execution time: 5097 ms
Logger name is ‘c__temp_9ce6b8f1-19a5-44b7-909d-512a4c74e632.itrace’
Stopping logger

That’s cool. I was able to trace it without VS.NET on the box and  I brought the trace file back to dev machine I was able load it up in VS.NET and could see stacks. And also from the above output I figured out  there are other undocumented command line options.

Exploring UnhandledException in .NET and Watson buckets


I wanted to understand about UnhandledExceptions in .NET because of the few questions that I saw in the CLR Forum ,which had watson buckets in the event viewer.  To get deep understanding  unhandled exception filter there is a article on MSDN from CLR Team.

In this post I will be demonstrating how to get the Watson Bucket from within your code . FYI this is the same information  you can get !WatsonBuckets from sos within Windbg whenever there is a termination of the .NET process. !WatsonBuckets is undocumented.  I am using the CLR hosting interfaces to get the watson bucket. Here is the code that throws an unhandled exception and invokes clr to get watson bucket info.

using System;
using System.Runtime.InteropServices;

namespace WatsonTest
{
 internal class Test
 {
 private static void Main(string[] args)
 {
 var t = AppDomain.CurrentDomain;
 t.UnhandledException += (s, e) =>
 {
 var c = GetWatsonBuckets();
 Console.WriteLine(c);
 Console.Read();
 };
 throw new NullReferenceException();
 }
 private static WatsonBuckets GetWatsonBuckets()
 {
 var pParams = new WatsonBuckets();
 IClrRuntimeHost host = null;
 host = Activator.CreateInstance(Type.GetTypeFromCLSID(ClrGuids.ClsIdClrRuntimeHost)) as IClrRuntimeHost;
 if (host != null)
 {
 var clrControl = host.GetCLRControl();
 if (clrControl == null)
 {
 return pParams;
 }
 var clrErrorReportingManager =
 clrControl.GetCLRManager(ref ClrGuids.IClrErrorReportingManager) as IClrErrorReportingManager;
 if (clrErrorReportingManager == null)
 {
 return pParams;
 }
 clrErrorReportingManager.GetBucketParametersForCurrentException(out pParams);
 }
 return pParams;
 }
 }
 // BucketParameters Structure to get watson buckets back from CLR
 //http://msdn.microsoft.com/en-us/library/ms404466(v=VS.100).aspx
 [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
 internal struct WatsonBuckets
 {
 internal int fInited;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string pszEventTypeName;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param0;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param1;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param2;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param3;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param4;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param5;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param6;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param7;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param8;
 [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 0xff)] internal string param9;
 }

 internal static class ClrGuids
 {
 internal static readonly Guid ClsIdClrRuntimeHost = new Guid("90F1A06E-7712-4762-86B5-7A5EBA6BDB02");
 internal static Guid IClrErrorReportingManager = new Guid("980D2F1A-BF79-4c08-812A-BB9778928F78");
 internal static readonly Guid IClrRuntimeHost = new Guid("90F1A06C-7712-4762-86B5-7A5EBA6BDB02");
 }

 [Guid("90F1A06C-7712-4762-86B5-7A5EBA6BDB02"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
 internal interface IClrRuntimeHost
 {
 void Start();
 void Stop();
 void SetHostControl(IntPtr pHostControl);
 IClrControl GetCLRControl();
 void UnloadAppDomain(int dwAppDomainId, bool fWaitUntilDone);
 void ExecuteInAppDomain(int dwAppDomainId, IntPtr pCallback, IntPtr cookie);
 int GetCurrentAppDomainId();

 int ExecuteApplication(string pwzAppFullName, int dwManifestPaths, string[] ppwzManifestPaths,
 int dwActivationData, string[] ppwzActivationData);

 int ExecuteInDefaultAppDomain(string pwzAssemblyPath, string pwzTypeName, string pwzMethodName,
 string pwzArgument);
 }

 [Guid("9065597E-D1A1-4fb2-B6BA-7E1FCE230F61"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
 internal interface IClrControl
 {
 [return: MarshalAs(UnmanagedType.IUnknown)]
 object GetCLRManager([In] ref Guid riid);

 void SetAppDomainManagerType(string pwzAppDomainManagerAssembly, string pwzAppDomainManagerType);
 }
 // IClrErrorReportingManager to get watson bukets back from CLR
 //http://msdn.microsoft.com/en-us/library/ms164367(v=VS.100).aspx
 [Guid("980D2F1A-BF79-4c08-812A-BB9778928F78"), InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
 internal interface IClrErrorReportingManager
 {
 [PreserveSig]
 int GetBucketParametersForCurrentException(out WatsonBuckets pParams);
 }
}

The watson bucket information has ten items

  1. AppName
  2. Version
  3. ?
  4. Assembly and Module Name
  5. Assembly Version
  6. ?
  7. MethodDef
  8. IL Offset
  9. Exception Type
  10. ?

In the above code WatsonBuckets is a structure to get watson bucket information back from CLR.  In the code I use 3 hosting interfaces, IClrRuntimeHost which is the main interface, the next interface is IClrControl which has GetCLRManager method to get ErrorReportingManger. IClrErrorReportingManager which has the method to get the exception buckets which is GetBucketParametersForCurrentException. I know that there isn’t going to be much of use for this code. But it gives me better understanding of  CLR integrates with watson when ever there is termination of an application.

Exploring SOSEX and Windbg to debug .NET 4.0


With the latest release of sosex comes a new set of functions to debug. It is pretty awesome that one person (Steve) alone could pull of such cool things. In this blog post, I am just going to demonstrate how easy it is to debug managed code using sosex compared to sos.

using System;
using System.Collections.Generic;

namespace MemCheck
{
 internal class Test
 {
 Dictionary<int, string> dict = new Dictionary<int, string>();
 private static void Main(string[] args)
 {
 var p = new Test();
 for (int i = 0; i < 100; i++)
 {
 p.dict.Add(i, i.ToString());
 }
 Console.WriteLine("Done");
 Console.Read();
 }
 }
}

I like to keep the code simple , so it is easy to follow.  The debugging goal for today is to get the Dictionary values. First I am going to demonstrate it using sos and then using sosex.

As usual I start the app and then attach it to windbg.

.loadby sos clr

FYI in  .net 4.0 clr is the dll that has CLR implementation. In prior versions it used to be in mscorwks. The next command would look for the object Test in the memory

!dumpheap -type MemCheck.Test
0:000> !dumpheap -type MemCheck.Test
 Address               MT     Size
0000000002761e20 000007ff00054110       24
 total 0 objects
 Statistics:
 MT    Count    TotalSize Class Name
 000007ff00054110        1           24 MemCheck.Test
 Total 1 objects

The next step is to dump the object

0:000> !do 0000000002761e20
Name:        MemCheck.Test
MethodTable: 000007ff00054110
EEClass:     000007ff00162350
Size:        24(0x18) bytes
File:        C:\Users\naveen\Documents\Visual Studio 2010\Projects\Test\bin\Debug\Test.exe
Fields:
 MT    Field   Offset                 Type VT     Attr            Value Name
000007feec2b7a48  4000001        8 ...tring, mscorlib]]  0 instance 0000000002761e38 dict

Notice the dict object is in the 8th offset . To dump contents  dict object I would use the command !do poi(0000000002761e20+8) , which is pointer deference of Test object on it is 8th offset.  And here is the output

0:000> !do poi(0000000002761e20+8)
Name:        System.Collections.Generic.Dictionary`2[[System.Int32, mscorlib],[System.String, mscorlib]]
MethodTable: 000007feec2b7a48
EEClass:     000007feebe113c0
Size:        88(0x58) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
Fields:
 MT    Field   Offset                 Type VT     Attr            Value Name
000007feec27c7d8  4000bee        8       System.Int32[]  0 instance 0000000002764788 buckets
000007feecbd3dc8  4000bef       10 ...non, mscorlib]][]  0 instance 0000000002764ab8 entries
000007feec27c848  4000bf0       40         System.Int32  1 instance              100 count
000007feec27c848  4000bf1       44         System.Int32  1 instance              100 version
000007feec27c848  4000bf2       48         System.Int32  1 instance               -1 freeList
000007feec27c848  4000bf3       4c         System.Int32  1 instance                0 freeCount
000007feec2a5a48  4000bf4       18 ...Int32, mscorlib]]  0 instance 0000000002761ef0 comparer
000007feecc75f78  4000bf5       20 ...Canon, mscorlib]]  0 instance 0000000000000000 keys
000007feecc72078  4000bf6       28 ...Canon, mscorlib]]  0 instance 0000000000000000 values
000007feec275ab8  4000bf7       30        System.Object  0 instance 0000000000000000 _syncRoot
000007feec29a1b8  4000bf8       38 ...SerializationInfo  0 instance 0000000000000000 m_siInfo

And the dictionary object in turn stores them within an array which is again the 8th offset.  This time because we know it is an array we are going to use the !dumparray command on the memory location. The command to get the details is

!dumparray -details poi(poi(0000000002761e20+8)+8)
MT    Field   Offset                 Type VT     Attr            Value Name
 000007feec27c848  400047b        0             System.Int32      1     instance                   -1     m_value
 [195] 0000000002764aa4
 Name:        System.Int32
 MethodTable: 000007feec27c848
 EEClass:     000007feebe00890
 Size:        24(0x18) bytes
 File:        C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
 Fields:
 MT    Field   Offset                 Type VT     Attr            Value Name
 000007feec27c848  400047b        0             System.Int32      1     instance                   -1     m_value
 [196] 0000000002764aa8
 Name:        System.Int32
 MethodTable: 000007feec27c848
 EEClass:     000007feebe00890
 Size:        24(0x18) bytes
 File:        C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
 Fields:
 MT    Field   Offset                 Type VT     Attr            Value Name
 000007feec27c848  400047b        0             System.Int32      1     instance                   -1     m_value

Here is the partial output.

Now lets try and do the same thing using sosex. The one thing that I really like about  the new sosex is that  I can use names rather than pointer deference which is way much easier. Launched the app and then loaded sosex using the command

.load F:\Work\Tools\debuggers\sosex.dll

and then switched the thread from 4th to 0th thread using ~0s.  By default the debugger injects a thread into the process for debugging and that was the 4th thread. The next command I issued was to get stack trace

!mk
0:000> !mk
Thread 0:
 ESP              EIP
00:U 000000000015e408 0000000077bc00da ntdll!ZwRequestWaitReplyPort+0xa
01:U 000000000015e410 0000000077a72b08 KERNEL32!ConsoleClientCallServer+0x54
02:U 000000000015e440 0000000077aa5601 KERNEL32!ReadConsoleInternal+0x1f1
03:U 000000000015e590 0000000077aba922 KERNEL32!ReadConsoleA+0xb2
04:U 000000000015e670 0000000077a89934 KERNEL32!zzz_AsmCodeRange_End+0x8bea
05:U 000000000015e6b0 000007feed0317c7 clr!DoNDirectCall__PatchGetThreadCall+0x7b
06:M 000000000015e760 000007feec1d34a1 DomainNeutralILStubClass.IL_STUB_PInvoke(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte*, Int32, Int32 ByRef, IntPtr)(+0x0 IL)(+0x0 Native)
07:M 000000000015e880 000007feec97f59a System.IO.__ConsoleStream.ReadFileNative(Microsoft.Win32.SafeHandles.SafeFileHandle, Byte[], Int32, Int32, Int32, Int32 ByRef)(+0x53 IL)(+0xba Native)
08:M 000000000015e8f0 000007feec97f402 System.IO.__ConsoleStream.Read(Byte[], Int32, Int32)(+0x5d IL)(+0x62 Native)
09:M 000000000015e950 000007feec18e63c System.IO.StreamReader.ReadBuffer()(+0xa0 IL)(+0x5c Native)
0a:M 000000000015e9a0 000007feec915630 System.IO.StreamReader.Read()(+0x21 IL)(+0x30 Native)
0b:M 000000000015e9e0 000007feec987458 System.IO.TextReader+SyncTextReader.Read()(+0x0 IL)(+0x38 Native)
0c:M 000000000015ea30 000007ff00170213 MemCheck.Test.Main(System.String[])(+0x39 IL)(+0xf3 Native) [C:\Users\naveen\Documents\Visual Studio 2010\Projects\Test\Program.cs, @ 17,13]
0d:U 000000000015eaa0 000007feed0710b4 clr!CallDescrWorker+0x84
0e:U 000000000015eaf0 000007feed0711c9 clr!CallDescrWorkerWithHandler+0xa9
0f:U 000000000015eb70 000007feed071245 clr!MethodDesc::CallDescr+0x2a1
10:U 000000000015eda0 000007feed171675 clr!ClassLoader::RunMain+0x228
11:U 000000000015eff0 000007feed1717ac clr!Assembly::ExecuteMainMethod+0xac
12:U 000000000015f2a0 000007feed171562 clr!SystemDomain::ExecuteMainMethod+0x452
13:U 000000000015f850 000007feed173dd6 clr!ExecuteEXE+0x43
14:U 000000000015f8b0 000007feed173cf3 clr!CorExeMainInternal+0xc4
15:U 000000000015f920 000007feed1f7365 clr!CorExeMain+0x15
16:U 000000000015f960 000007fef8f13309 mscoreei!CorExeMain+0x41
17:U 000000000015f990 000007fef8fa5b21 MSCOREE!CorExeMain_Exported+0x57
18:U 000000000015f9c0 0000000077a6f56d KERNEL32!BaseThreadInitThunk+0xd
19:U 000000000015f9f0 0000000077ba3281 ntdll!RtlUserThreadStart+0x1d

FYI the command !mk has been part of sos from the initial version. I am interested in only looking at the code that I wrote so I would like to move stack frame to 0c which is MemCheck.Test.Main . To do that the command  is !mframe 0c, which moves to that stackframe. The reason to move the particular stack frame is to look for variables in the stack and the command to variables is !mdv , which display managed local variables

0:000> !mdv
Frame 0xc: (MemCheck.Test.Main(System.String[])):
[A0]:args:0x0000000002761dd8 (System.String[])
[L0]:p:0x0000000002761e20 (MemCheck.Test)
[L1]:i:0x0000000000000064 (System.Int32)
[L2]:CS$4$0000:0x0000000000000000 (System.Boolean)

Notice we see the local variable “p” which is of type MemCheck.Test. To display type p we issue the command !mdt p


0:000> !mdt p

0000000002761e20 (MemCheck.Test)

dict:0000000002761e38 (System.Collections.Generic.Dictionary`2[[System.Int32, mscorlib],[System.String, mscorlib]])

I didn’t  have to get memory address , I am using the names which is very intuitive ,especially when we have to debug large application with N levels of nesting.So to get the dict values   from p the command to issue is !mdt -e p.dict

!mdt -e p.dict
[98] (System.Collections.Generic.Dictionary`2+Entry[[System.Int32, mscorlib],[System.String, mscorlib]]) VALTYPE (MT=000007feec2b7b28, ADDR=0000000002765400)
 key:0x62 (System.Int32)
 value:0000000002765e48 (System.String: "98")
[99] (System.Collections.Generic.Dictionary`2+Entry[[System.Int32, mscorlib],[System.String, mscorlib]]) VALTYPE (MT=000007feec2b7b28, ADDR=0000000002765418)
 key:0x63 (System.Int32)
 value:0000000002765e68 (System.String: "99")

Here is the partial output. Notice I never had to use a memory pointer or do a pointer deference .This is very similar to VS.NET debugging where I am used to the variable names compared the memory address.  Thanks to Steve for providing such a cool extension.

Piracy in .NET /Silverlight Code – Part 1 – Even when the code is obfuscated


This is going to be a series of posts where I am going to demonstrating how someone with little advanced knowledge in .NET can hack in to the code, and circumventing licensing logic. I know there are other ways to prevent this ,which I am not going to be discussing about.

The usual assumption is that, if the code is obfuscated and signed , then it is close to impossible for someone to hack in to the code because the method names and variables are jumbled up, which would prevent someone from figuring what is happening.

In this post I am going to demonstrate a simple application which would prevent the user from updating the DataGrid because the user had downloaded only a trial version of the software. The software was supposed to disable grid and prevent the consumer from adding or updating the existing data, in a trial version. This was customer case, whom I helped in figuring out the vulnerability.

Here is the list of things the software did to prevent users from not accessing features that they were not entitled to

  1. Obfuscated the code, that prevented the code from being disassembled.
  2. The code that validated the consumers role either paid / trial alone was maintained in a separate assembly .So that for trial consumer’s, assembly version always returned false, for key features and for the paid subscribers got the assembly version that would return true. The organization assumption was ,by not even having the assembly ,trial users would never be able to circumvent the licensing logic. The customer could not maintain two versions of entire software, one for the trial another one paid because of the cost involved in maintenance and that’s the driving factor behind having a separate assembly.
  3. The code was signed and this prevented the users from hacking into the code and changing the code.

So here is code for figuring out the user role

public interface ICustomer{
bool HasAccess();}

And the trial assembly version code for figuring the role had

public class TrialCustomer : ICustomer {
public bool HasAccess() {
return false;
}
}

And here is the code that actually use the above code

private void Button1Click(object sender, EventArgs e)
{
if (!this.customer.HasAccess()) {
MessageBox.Show("Available only for paid customer");
}
else {
this.dataGridView1.Enabled = true;
}
}

So the idea behind this was, the trial version user would always get false as response, and would never be able to hack, because consumer does not even have library that would return true.

So I was asked to check for vulnerabilities. The first step was to disassemble the code using reflector and you can imagine the code had all weird names because of obfuscation.

The next step was to run the application and check when I get a dialog box for “Available only for paid customer”. The reason behind this was to get a callstack ,because all the methods names are jumbled and I didn’t know where to start.

When the messagebox popped up I attached the application to windbg and here is callstack

0:000> !clrstack

OS Thread Id: 0x4850 (0)

Child SP IP       Call Site

004ce758 752b438d [InlinedCallFrame: 004ce758]

004ce754 636308ec DomainBoundILStubClass.IL_STUB_PInvoke(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)

004ce758 636f4a53 [InlinedCallFrame: 004ce758] System.Windows.Forms.SafeNativeMethods.MessageBox(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)

004ce7ac 636f4a53 System.Windows.Forms.MessageBox.ShowCore(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions, Boolean)

004ce7b0 001b0513 [InlinedCallFrame: 004ce7b0]

004ce84c 001b0513 c.a(System.Object, System.EventArgs)

004ce85c 630bfd6c System.Windows.Forms.Control.OnClick(System.EventArgs)

004ce874 630beb1e System.Windows.Forms.Button.OnClick(System.EventArgs)

004ce88c 636574b8 System.Windows.Forms.Button.OnMouseUp(System.Windows.Forms.MouseEventArgs)

004ce8a8 63629639 System.Windows.Forms.Control.WmMouseUp(System.Windows.Forms.Message ByRef, System.Windows.Forms.MouseButtons, Int32)

004ce93c 639d1a87 System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)

004ce940 639f141d [InlinedCallFrame: 004ce940]

004ce994 639f141d System.Windows.Forms.ButtonBase.WndProc(System.Windows.Forms.Message ByRef)

004ce9d8 6312f8e0 System.Windows.Forms.Button.WndProc(System.Windows.Forms.Message ByRef)

004ce9e4 630ce493 System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)

004ce9ec 630ce411 System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)

004cea00 630ce356 System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)

004ceba4 007a09e5 [InlinedCallFrame: 004ceba4]

004ceba0 631347dc DomainBoundILStubClass.IL_STUB_PInvoke(MSG ByRef)

004ceba4 630de59f [InlinedCallFrame: 004ceba4] System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)

004cebe8 630de59f System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)

004cebec 630de1cc [InlinedCallFrame: 004cebec]

004cec84 630de1cc System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)

004cecdc 630de021 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)

004ced0c 630c5ecd System.Windows.Forms.Application.Run(System.Windows.Forms.Form)

004ced20 001b009a e.a()

004cef58 6d1d213b [GCFrame: 004cef58]

Notice that there is a method c.a(System.Object, System.EventArgs) on the top of stack the before the framework code. This was my starting point, and I looked up for it in the reflector

private void a(object A_0, EventArgs A_1)
{
if (!this.d.a())
{
MessageBox.Show("Available only for paid customer");
}
else
{
this.b.Enabled = true;
}
}

So my next step was to disassemble the call to “this.d.a()” and here is output from reflector

public class d : b
{
// Methods
public bool a()
{
return false;
}
}

And I was hoping there would be a class variable that I could update inside the debugger to activate the feature.  Like I mentioned I before ,I couldn’t update the assembly using ILASM or anything, because the assemblies were signed and there wasn’t any class variable to update. This assembly was for the trial version consumers which were supposed to always return false.

But there was one trick that I had. I could update the register on the function return, So what I mean is, when the function “a” is invoked by the button click to validate the consumer , I would update the return register  from false to true. By doing this my grid would be enabled and I circumvent the logic with the existing constraints.

So here are the steps to do it

  • So I looked for the type “d”  !dumpheap -type d, remember the TrialCustomer class  was the renamed  to d by obfuscator .
  • Go the method table as 00146b9c from the above command , using  the method table  I had to get the entry address for the function public bool a() because the buttonclick  was invoking the function.
  • I used the command  !dumpmt -md 00146b9c   to get the entry address for   d.a()  and here was the entry address 001b0540  .

0:005> !dumpmt -md 00146b9c

EEClass:      0020054c

Module:       00142e9c

Name:         d

mdToken:      02000009

File:         C:\Users\naveen\Documents\Visual Studio 2010\Projects\SecureApplication\bin\Debug\Dotfuscated\SecureApplication.exe

BaseSize:        0xc

ComponentSize:   0x0

Slots in VTable: 6

Number of IFaces in IFaceMap: 1

————————————–

MethodDesc Table

Entry MethodDesc      JIT Name

649f5b34   64795750   PreJIT System.Object.ToString()

649c8be0   64795758   PreJIT System.Object.Equals(System.Object)

649c8af0   64795778   PreJIT System.Object.GetHashCode()

649e8aa0   6479578c   PreJIT System.Object.Finalize()

001b0540   00146b8c      JIT d.a()

0014c085   00146b94     NONE d..ctor()

  • The idea behind getting the address was to set a break-point on 001b0540  . I used the command bp 001b0540 . So when the break-point hits I would create another break-point for the function return, which  is stored in the register @esp  bp poi(@esp). So what bp poi(@esp) essentially means is,   create a break-point on the return of function  , it is almost like having a break-point on the last line inside a function within VS.NET.
  • So when the break-point hits for the function return ,the return value is stored in the @eax register and here is the output

0:000> g

Breakpoint 1 hit

eax=00000000 ebx=0230e6f8 ecx=0230cfcc edx=02328884 esi=0230ce7c edi=02328884

eip=001b04f2 esp=004ce8a0 ebp=004ce8a4 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

001b04f2 85c0            test    eax,eax

Now the trick is to update the @eax register from 00000000 to 00000001, by doing this we are changing the value from false to true, using the command  “r eax=00000001” and here is the output after updating the register

0:000> r

eax=00000001 ebx=0230e6f8 ecx=0230cfcc edx=02328884 esi=0230ce7c edi=02328884

eip=001b04f2 esp=004ce8a0 ebp=004ce8a4 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

001b04f2 85c0            test    eax,eax

Now we have managed to update return of the function, which in turn has let us update the grid ,which was supposed to be available only to the paid customers.

In the forth coming posts I will continue to post of few more things that I figured out.

Debugging .Net framework source code within Windbg


One the coolest thing Microsoft did was to release the .NET Framework source code. In this post, I am going to demonstrate, how we could have a break-point on the .NET framework source code by line numbers ,using Windbg ,very similar to doing in  VS.NET.

The first step towards doing this is to download .NET Framework Source Code and installing it on the local machine. The next step is to set the symbol path environment variable. My _NT_SYMBOL_PATH is set to


SRV*d:\dev\symbols*http://referencesource.microsoft.com/symbols; SRV*d:\dev\symbols*http://msdl.microsoft.com/download/symbols

Setting the correct symbol path is important to download symbols from MS.

Here is the source code that I would be using to demonstrate this


using System;
using System.Net;
namespace Test {
 class Program {
 static void Main(string[] args) {
 Console.WriteLine("Hello World of debugging");
 var wr = WebRequest.Create("http://www.google.com");
 Console.WriteLine("Web request created");
 var req = wr.GetRequestStream();
 Console.WriteLine("Hello World Debugging");
 Console.Read();
 }
 }
}

I am going to demonstrate the same thing using multiple versions of debugger. The first one that I am going to demonstrate is using  Windows Debugger Version 6.12.0002.633 X86 which is the latest version.

Launched the exe within windbg and opened the source code WebRequest.cs and Program.cs withing Windbg.

The WebRequest.cs is the source code that was downloaded from MS Reference Source code and Program.cs is the above sample code.

Then issued the command, to be notified when mscorlib is loaded

sxe ld:mscorlib

And here is the output from the above command

ModLoad: 53fd0000 54ac8000   C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\8c1770d45c63cf5c462eeb945ef9aa5d\mscorlib.ni.dll
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=7efdd000 edi=0040eaf4
eip=7723fc02 esp=0040e9c8 ebp=0040ea1c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!ZwMapViewOfSection+0x12:
7723fc02 83c404          add     esp,4

then issued the following commands to load by sos, sosex and set break-points

.loadby sos mscorwks
.load sosex
!mbm System.Net.WebRequest.Create
!mbp WebRequest.cs 98

So with the above command I am requesting for a break-point on the method  System.Net.WebRequest.Create using symbol (!mbm). I am issuing the command !mbm ,just so that sosex can hook up with CLR for getting notifications on JIT. Without this I was unable to set break-point on source code using line numbers. The next command !mbp WebRequest.cs 98 means, have a break-point on the line number 98  in the WebRequest.cs file . The line 98 contents are “if (!useUriBase)”  .  I forgot to mention the .NET framework 4.0 source code is not released so I am using 3.5

Also make sure that the correct private pdb symbols are loaded for framework assemblies, and to verify that, issue the command “lme” and the output should contain something like this

0:000> lme
start    end        module name
013b0000 013b8000   ConsoleApplication1 C (private pdb symbols)  C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication1\bin\Debug\ConsoleApplication1.pdb
53fd0000 54ac8000   mscorlib_ni C (private pdb symbols)  d:\dev\symbols\mscorlib.pdb\F85F3DD0C7024D528B4C37F1ACF2123D1\mscorlib.pdb
58930000 590c9000   System_ni C (private pdb symbols)  d:\dev\symbols\System.pdb\97A082CB5BC64B30887253632D3901EE1\System.pdb

And here is the output after letting it run

Breakpoint 1 hit
eax=00000001 ebx=0040f37c ecx=0282c160 edx=00000000 esi=008ba398 edi=0282c160
eip=58dec8b7 esp=0040f32c ebp=0040f334 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
System_ni+0x4bc8b7:
58dec8b7 85ff

then issued the commands to see the list of break-points (managed and native)


!mbl

bl

and here is the output

0:000> !mbl
0 e : *!SYSTEM.NET.WEBREQUEST.CREATE ILOffset=0: pass=1 oneshot=false thread=ANY
System!System.Net.WebRequest.Create(Uri, bool)+0xfffffffe(IL)
0 e 58a71630
System!System.Net.WebRequest.Create(string)
1 e 58dec8b7
System!System.Net.WebRequest.Create(Uri)+0xfffffffe(IL)
2 e 58a71600
1 eu: WebRequest.cs, line 98: pass=1 oneshot=false thread=ANY
0:000> bl
0 e 58a71630     0001 (0001)  0:**** System_ni+0x141630
1 e 58dec8b7     0001 (0001)  0:**** System_ni+0x4bc8b7
2 e 58a71600     0001 (0001)  0:**** System_ni+0x141600

because Webrequest.Create has two overloads, sosex has set a break-point on both these methods and that’s the reason we are seeing 3 break-points, instead of 2. And after issuing the “g” command for couple of hits for the Webrequest.Create , then comes the Breakpoint 3 hit. Voila ,we have the managed to set break-point on framework source code using line numbers and here is the output of  !mk command

Breakpoint 3 hit
eax=00000000 ebx=0014ecdc ecx=0282dde4 edx=00000000 esi=00000000 edi=00000000
eip=58a71650 esp=0014ec68 ebp=0014ec84 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
System_ni+0x141650:
58a71650 8bc7            mov     eax,edi
0:000> !mk
ESP      RetAddr
00:M 0014ec68 58a71650 System.Net.WebRequest.Create(System.Uri, Boolean)(+0x23 IL)(+0x0 Native) [f:\dd\ndp\fx\src\Net\System\Net\WebRequest.cs, @ 96,13]
01:M 0014ec8c 58dec8dd System.Net.WebRequest.Create(System.String)(+0x14 IL)(+0x26 Native)
02:M 0014ec9c 005000a9 Test.Program.Main(System.String[])(+0xc IL)(+0x18 Native) [C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication1\Program.cs, @ 7,13]
03:U 0014ecb8 6cfb1b6c mscorwks!CallDescrWorker+0x33
04:U 0014ecc8 6cfc2209 mscorwks!CallDescrWorkerWithHandler+0xa3
05:U 0014ed48 6cfd6511 mscorwks!MethodDesc::CallDescr+0x19c
06:U 0014ee8c 6cfd6544 mscorwks!MethodDesc::CallTargetWorker+0x1f
07:U 0014eea8 6cfd6562 mscorwks!MethodDescCallSite::CallWithValueTypes_RetArgSlot+0x1a
08:U 0014eec0 6d040c45 mscorwks!ClassLoader::RunMain+0x223
09:U 0014f024 6d040b65 mscorwks!Assembly::ExecuteMainMethod+0xa6
0a:U 0014f28c 6d0410b5 mscorwks!SystemDomain::ExecuteMainMethod+0x456
0b:U 0014f75c 6d04129f mscorwks!ExecuteEXE+0x59
0c:U 0014f7ac 6d0411cf mscorwks!_CorExeMain+0x15c
0d:U 0014f7f4 73a461f0 mscoreei!_CorExeMain+0x38
0e:U 0014f800 74337f16 MSCOREE!ShellShim__CorExeMain+0x99
0f:U 0014f810 74334de3 MSCOREE!_CorExeMain_Exported+0x8
10:U 0014f818 74f73677 KERNEL32!BaseThreadInitThunk+0xe
11:U 0014f824 77259d72 ntdll!__RtlUserThreadStart+0x70
12:U 0014f864 77259d45 ntdll!_RtlUserThreadStart+0x1b

Notice on the top frame of the stack (00:M) we see source information. The advantage of this is, for example I can check the values of the local variable with in the function after certain calls ,which wouldn’t  have been possible without jumping hoops. Here is the the output !mdv after the line breakpoint

0:000> !mdv
Frame 0x0: (System.Net.WebRequest.Create(System.Uri, Boolean)):
[A0]:requestUri:0x282d2fc (System.Uri)
[A1]:useUriBase:0x0 (System.Boolean)
[L0]:LookupUri:<?>
[L1]:Current:null (System.Net.WebRequestPrefixElement)
[L2]:Found:0x0 (System.Boolean)
[L3]:LookupLength:<?>
[L4]:prefixList:<?>
[L5]:i:<?>
[L6]:webRequest:<?>

And my next quest was to figure What if I could use the actual break-point on the source code directly instead of using sosex.  So chose program.cs and hit the F9 key on the second Console.WriteLine and the color changed to red

And here is the output o f the bl command

0:000> bl
0 e 58a71630     0001 (0001)  0:**** System_ni+0x141630
1 e 58dec8b7     0001 (0001)  0:**** System_ni+0x4bc8b7
2 e 58a71600     0001 (0001)  0:**** System_ni+0x141600
3 e 58a71650     0001 (0001)  0:**** System_ni+0x141650
4 e 013b0017     0001 (0001)  0:**** ConsoleApplication1!Main+0x17

Notice there is a new break-point 4.  But bad luck, when i let it run it didn’t work and I had to clear the break-point 4 . It failed to create a break-point and here is the output

0:000> g
Unable to insert breakpoint 4 at 013b0017, Win32 error 0n998
“Invalid access to memory location.”
bp4 at 013b0017 failed
WaitForEvent failed
eax=00000000 ebx=0014ecdc ecx=0282dde4 edx=00000000 esi=00000000 edi=00000000
eip=58a71650 esp=0014ec68 ebp=0014ec84 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000346
System_ni+0x141650:
58a71650 8bc7            mov     eax,edi

The next step was to debug the with the version of debugger which had capabilities to see managed call stacks, Windbg version 6.7.5.0. Did the same thing loaded up the exe and the Program.cs in to the debugger and set a break-point on mscorlib load using  ” sxe ld:mscorlib” and then issued the command “.loadby sos mscorwks” ,”.load sosex” and “!mbm System.Net.WebreRequest.Create”. And the let it run, and to my surprise here is the integrated debugging experience, the source code is highlighted, when break-point is hit for WebRequest.Create

And after hitting F10 ,it moved to the next line

Wow this is way cool. The next step was to set a break-point using the bp command on the Program.cs


bp (@@masm(`Program.cs:8+`))

And  the break-point was hit and I was successfully able to have Integrated debugging environment. I know most of us don’t  have Windbg version 6.7.5.0 , but there are few debugging geeks who still have them. I was happy that I kept the version.

Take Away

We should be able to debug within the framework source code using the latest version of debugger and if you have 6.7.5.0 , can have integrated debugging experience similar to VS.NET .

Debugging unknown termination of adplusmanager.exe – Windbg


With the latest release of debugging tools (6.12.0002.633) comes AdplusManager.exe  ,which is in managed code.  The adplusmanager.exe is a tool to manage multiple instance of adplus running across in different machines. Essentially a Master to control different slaves.  I will blog about the usage of this in a future post.

When I tried to start the AdplusManager.exe from the command line , nothing happened. My guess was if I didn’t enter any command line parameters , the tool should come up with the help text in the command line, similar to rest of command line tools I have used from MS. The next option I tried was  “AdplusManager.exe HELP” and there wasn’t any output. Surprisingly I went back to the documentation to look for command line parameters , which I never do, because I expect the tool to provide me with options. After reading the documentation for the parameters , the next option I tried was “D:\Program Files\Debugging Tools for Windows (x64)\adplusmanager.exe” GUI and nothing happened.  The only choice was to launch adplusmanager.exe using Windbg.

Because it was failing on the startup of the application ,I had set a load break-point when mscorwks was loaded in to the process , So that I can load sos after CLR is  loaded.

sxe -c ".loadby sos mscorwks;g" ld:mscorwks

And then setup a break-point on CLR exception , to dump the call stack and exception information

sxe -c "!clrstack;!pe" clr

And here is the output from the debugger

ModLoad: 000007fe`ef420000 000007fe`efdce000   C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
(37760.36d40): CLR exception – code e0434f4d (first chance)
OS Thread Id: 0x36d40 (0)
*** WARNING: Unable to verify checksum for C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\9a017aa8d51322f18a40f414fa35872d\mscorlib.ni.dll
Child-SP         RetAddr          Call Site
000000000026e320 000007fee8f57b24 System.IO.__Error.WinIOError(Int32, System.String)
000000000026e380 000007fee8f570aa System.IO.FileStream.Init(System.String, System.IO.FileMode, System.IO.FileAccess, Int32, Boolean, System.IO.FileShare, Int32, System.IO.FileOptions, SECURITY_ATTRIBUTES, System.String, Boolean)
000000000026e510 000007fee8f587f2 System.IO.FileStream..ctor(System.String, System.IO.FileMode, System.IO.FileAccess, System.IO.FileShare, Int32, System.IO.FileOptions, System.String, Boolean)
000000000026e5a0 000007fee8f25b1b System.IO.FileStream..ctor(System.String, System.IO.FileMode, System.IO.FileAccess, System.IO.FileShare, Int32, System.IO.FileOptions)
000000000026e630 000007fee95fdefa System.IO.StreamWriter..ctor(System.String, Boolean, System.Text.Encoding, Int32)
000000000026e6b0 000007ff001a1653 System.IO.StreamWriter..ctor(System.String)
000000000026e700 000007ff001a15d4 ADPlusManager.Logger.Open(System.String)
000000000026e740 000007ff001a036d ADPlusManager.Logger.Open(System.String, System.String)
000000000026e7b0 000007feef6ed502 ADPlusManager.Program.Main(System.String[])
Exception object: 0000000002599e50
Exception type: System.IO.DirectoryNotFoundException
Message: Could not find a part of the path ‘c:\logs\AdplusManager_20100308_195722_NAVEEN-PC_GUI.log’.
InnerException: <none>
StackTrace (generated):
<none>
StackTraceString: <none>
HResult: 80070003
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
KERNELBASE!RaiseException+0x39:
000007fe`fd05aa7d 4881c4c8000000  add     rsp,0C8h

And the exception is DirectoryNotFoundException because I don’t have C:\logs directory.  The next step was to disassemble the code and Why am I not surprised to see something

Within the exception handler the code is invoking ErrorOutput method

and the ErrorOutput method is trying to Log it to the disk  that’s the reason it blew up. I would imagine that Microsoft would have a caught this bug and addressed it.

Takeaway

Make sure the code within catch block does not throw an exception.

Using windbg as a Sql profiler in .NET


Most of the times when I am debugging using Windbg, I end up debugging code which has  interaction with the Sql server database. So to troubleshoot what is being passed to Sql server I would have to fire up a Sql profiler or open the application log file. Wouldn’t be easy just to use one tool and like the new vs2010 which has  Sql server execute reader command text shown (intellitrace)  in the debugger window.

This is not hard using Windbg . This is a simple trick which can help in every developer be more productive.  And here is the script for getting the Sql Command text on the call to execute reader

bp 000007fee174df30 ".printf \"\\n%mu\", poi(@rcx+20)+c ;g"

on a 64-bit machine. The address to Sql command Execute reader is not going to change because it is ngened 000007fee174df30. I am going to show how to get this information ,so that the same technique can be used to for debugging other code.Here are the steps

!dumpheap -type SqlCommand

0:009> !dumpheap -type SqlCommand
Address               MT     Size
0000000002722e70 000007fee1d6dae0      224
0000000002723618 000007fee1d75d40       56
total 0 objects
Statistics:
MT    Count    TotalSize Class Name
000007fee1d75d40        1           56 System.Data.SqlClient.SqlCommand+CachedAsyncState
000007fee1d6dae01          224 System.Data.SqlClient.SqlCommand
Total 2 objects

.shell -ci "!dumpmt -md 000007fee1d6dae0 "  findstr ExecuteReader

000007fee1cf2450 000007fee1be2078   PreJIT System.Data.SqlClient.SqlCommand.BeginExecuteReader(System.AsyncCallback, System.Object)
000007fee1cedf30 000007fee1be20a0   PreJIT System.Data.SqlClient.SqlCommand.ExecuteReader()
000007fee1cedfb0 000007fee1be20b8   PreJIT System.Data.SqlClient.SqlCommand.ExecuteReader(System.Data.CommandBehavior)
000007fee1cf2460 000007fee1be20d0   PreJIT System.Data.SqlClient.SqlCommand.BeginExecuteReader(System.Data.CommandBehavior)

So the function address is 000007fee1cedf30 and this is where we would need to have a break-point on. Now that we have the address of the function, we would have to know the field offset of the command text so that we can dump the text on to the debugger automatically every time the break-point hits. To do that we would have to dump the contents of the SqlCommand object.

!do 0000000002722e70

0:009> !do 0000000002722e70
Name:        System.Data.SqlClient.SqlCommand
MethodTable: 000007fee1d6dae0
EEClass:     000007fee1bf1840
Size:        224(0xe0) bytes
File:        C:\Windows\Microsoft.Net\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll
Fields:
MT    Field   Offset                 Type VT     Attr            Value Name
000007fee4e22d50  40001cf        8        System.Object  0 instance 0000000000000000 __identity
000007fee4172658  40001ae       10 …ponentModel.ISite  0 instance 0000000000000000 site
000007fee416e0c0  40001af       18 ….EventHandlerList  0 instance 0000000000000000 events
000007fee4e22d50  40001ad       48        System.Object  0   static 0000000000000000 EventDisposed
000007fee4e28c90  4001733       b0         System.Int32  1 instance                1 ObjectID
000007fee4e234b8  4001734       20 System.String  0 instance 0000000002652f70 _commandText
000007fee1d6f378  4001735       b4         System.Int32  1 instance                0 _commandType

From the above result we can identify the _commandtext is in the 20 offset within the SqlCommand object.  So to get the actual Sql text we would have do a poi(@rcx+20)+c. So what is poi? poi is pointer deference. The @rcx register has the Sqlcommand object . So essentially poi(@rcx+20)+c means get the  Sql  command object in the @rcx register and get a pointer of 20th offset (which has the _commandtext) and the “+c” is where the actual text is stored with in the .NET string   object.  The .printf is similar to printf statement in C or Console.WriteLine in .NET.

So now we will be able to dump the Sql text which is being sent to the database without opening another tool. This can even further extended by getting the parameter values and saving all sql text along with the parameter information on to a text file using .logopen command.

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: