I feel I should elaborate on the previous post, so I am going to describe how to install and configure WinDbg so you can "try this at home". I am only doing this on a Windows XP machine, so if you are using a different platform/version, your mileage may vary.

First, install the Windows Symbol Package required for your operating system. I am using XP SP2, so I chose this Symbol Package.

Then install the Debugging Tools. Since I am using Windows XP on a 32-bit architecture (x86), I chose this package.

Install both the symbols package and the Debug Tools package. Restart if requested.

1.) Start > (All) Programs > Debugging Tools for Windows > WinDbg
2.) Press Control+S (or File > Symbol File Path) to bring up the "Symbol Search Path" dialog
3.) Enter the path you chose when you installed the symbol package (by default, it is C:\windows\symbols). Close WinDbg. If you are asked to save workspace "base", tell it not to ask again, and choose Yes.
4.) Download NTCrash2.zip and extract NTCrash2.exe out of the 'release' folder in the zip, and store it on your desktop (or wherever you like).
5.) Configure your recovery options as directed below:
5a) Right-click "My Computer" > Properties > Advanced tab > Startup and Recovery > Settings (see Figure 1)

Figure 1:
System Properties screenshot - Figure 1

5b) Under the "System Failure" group box, check all three boxes (Write an event, Send an alert, Automatically restart) if they are not checked already. In the "Write debugging information" sub-group box, change the drop-down box to "Small memory dump (64KB)" and ensure that the "Small dump directory" is set to "%SystemRoot%\Minidump" (without the quotation marks) (see Figure 2)

Figure 2:
Minidump settings screenshot - Figure 2

At this point, you should navigate to the Minidump folder under the Windows folder of your system drive and delete all of the files in there, so that the next .dmp file that appears is unambiguously the one NTCrash2 produces (e.g., Start > Run > %SystemRoot%\Minidump).

Note: When you are done with this experiment, you should disable the "Automatically restart" checkmark in the "System Failure" group box. This way, if you get an actual fatal error, you will be able to see the STOP error code. We want it to automatically restart for this experiment for convenience (so that you do not have to hold the power button to turn your machine all the way off when we make it crash).

With all of these settings and tools in place, we are ready to begin. Close any open windows or dialogs, and double click NTCrash2.exe. Wait until your system reboots itself (crashes). If your system reboots itself, Windows will most likely want to send an error report when you return to Windows again. Do not send the error report (but if you do send it, Microsoft will probably tell you there was a fault caused by a device driver or service, or similar).

After the crash, launch WinDbg. Press Control+D (or File > Open Crash Dump...) and navigate your way to C:\Windows\Minidump (or wherever your Windows directory is. You can even type "%SystemRoot%\Minidump" in the file name box to jump directly to it). Select the minidump file. A bunch of nerd words will appear in a new sub-window. At the bottom is a command prompt area. Type "!analyze -v" there to get WinDbg's analysis of the crash, including the stack at the time of the fault. You'll probably see a file name or two that belongs to the service or driver that crashed when NTCrash2.exe was pounding it. The very first time I experimented with this whole procedure, I had Daemon Tools 3.47 installed. I had known that the D-Tools service is called d347bus because it asks you for a name when you install it (and I left it the default name). d347bus was listed as the offending file when I analyzed the crash dump. Immediately thereafter, I downloaded and installed Daemon Tools 4.0 (be sure to uncheck the "DAEMON Tools Search Bar" when you install it; it's ad-supported, though it's not malware or spyware). After I installed D-Tools 4, I was unable to make the system crash ever again.
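The same procedure can be scripted so it is repeatable. The script below is an added example, not part of the original post and not something NTCrash2 ships with. It writes the "System Failure" settings from step 5b directly to their registry home (HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, where CrashDumpEnabled = 3 is "Small memory dump"), empties the Minidump folder, and after the reboot runs "!analyze -v" against the newest .dmp with kd.exe. Assumptions: PowerShell 2.0 or later, an administrator prompt (the CrashControl key is not writable otherwise), the Debugging Tools installed in their default folder under Program Files, and the symbol path from step 3 (C:\Windows\Symbols).

```powershell
# Added example (not from the original post): steps 3, 5a/5b and the post-crash
# "!analyze -v" run as a script. Run it three times: -Phase Prepare before NTCrash2,
# -Phase Analyze after the reboot, -Phase Restore when you are done experimenting.
param(
    [string]$Phase       = 'Prepare',                                       # Prepare | Analyze | Restore
    [string]$SymbolPath  = (Join-Path $env:SystemRoot 'Symbols'),          # step 3 (assumed default)
    [string]$MinidumpDir = (Join-Path $env:SystemRoot 'Minidump'),         # step 5b
    [string]$DebuggerDir = 'C:\Program Files\Debugging Tools for Windows'  # assumed install folder
)

$crashControl = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-SmallDumpRecovery {
    # Registry equivalent of Figure 2. CrashDumpEnabled: 0 = none, 1 = complete,
    # 2 = kernel, 3 = small memory dump (64 KB).
    Set-ItemProperty -Path $crashControl -Name CrashDumpEnabled -Type DWord        -Value 3
    Set-ItemProperty -Path $crashControl -Name LogEvent         -Type DWord        -Value 1
    Set-ItemProperty -Path $crashControl -Name SendAlert        -Type DWord        -Value 1
    Set-ItemProperty -Path $crashControl -Name AutoReboot       -Type DWord        -Value 1
    Set-ItemProperty -Path $crashControl -Name MinidumpDir      -Type ExpandString -Value '%SystemRoot%\Minidump'
}

function Clear-Minidumps {
    # Start empty so the next .dmp is unambiguously the NTCrash2 one.
    if (Test-Path $MinidumpDir) {
        Get-ChildItem -Path $MinidumpDir -Filter '*.dmp' | Remove-Item -Force
    }
}

function Get-NewestMinidump {
    Get-ChildItem -Path $MinidumpDir -Filter '*.dmp' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

function Invoke-DumpAnalysis {
    param([string]$DumpFile)
    $kd = Join-Path $DebuggerDir 'kd.exe'
    # -z opens a crash dump, -y sets the symbol search path,
    # -c runs the given debugger commands; "q" quits when !analyze finishes.
    & $kd -z $DumpFile -y $SymbolPath -c '!analyze -v; q'
}

function Restore-ShowStopCode {
    # Turn "Automatically restart" back off so a real STOP error stays on screen.
    Set-ItemProperty -Path $crashControl -Name AutoReboot -Type DWord -Value 0
}

switch ($Phase) {
    'Prepare' {
        Set-SmallDumpRecovery
        Clear-Minidumps
        Write-Output "Ready. Run NTCrash2.exe; after the reboot run this script with -Phase Analyze."
    }
    'Analyze' {
        $dmp = Get-NewestMinidump
        if (-not $dmp) { throw "No minidump found in $MinidumpDir" }
        Write-Output "Analyzing $($dmp.FullName)"
        Invoke-DumpAnalysis -DumpFile $dmp.FullName
    }
    'Restore' {
        Restore-ShowStopCode
        Write-Output 'AutoReboot disabled; STOP codes will stay on screen.'
    }
    default { throw "Unknown phase '$Phase' (use Prepare, Analyze or Restore)" }
}
```

In the "!analyze -v" output, the MODULE_NAME and IMAGE_NAME lines are the quickest way to spot the driver or service that fell over (d347bus.sys in the case above); the STACK_TEXT section shows the call chain that led there. Running kd.exe with -c instead of clicking through WinDbg also means the analysis can be redirected to a file and compared across runs.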

As ToastyX has told me, input validation is a very basic, but commonly overlooked, programming procedure. It's the first thing your program should do! You can't accept garbage from anywhere and then let Windows throw an exception over it. Thankfully, the Daemon Tools team corrected the problem in the 4.0 release. I also noticed that most machines that have Symantec products installed (such as Norton Internet Security 2005) blow up when NTCrash2 pounds on them. I don't recall the exact filename, but it was one of the many, many services that gets installed when you use Symantec/Norton products.


9 Responses to “WinDbg and NTCrash2”

  1. # YC on December 19th, 2005 11:28 PM

    Hi, I've tried NTCrash2, and it keeps on crashing my system with a 0x0000008E SSI.sys error. I've done a search and I can't find any information on SSI.sys. Do you have any idea what it is? Thanks!

  2. # DjLizard on December 19th, 2005 11:54 PM

    I'm pretty sure that belongs to SpySweeper.

    If you're using the latest version, then they have some fixin' to do, because no program should crash when NTCrash2 is running.

  3. # YC on December 20th, 2005 10:06 AM

    Hi DjLizard, it is indeed SpySweeper. Alcohol 120% also caused errors. Thanks for the help! I've uninstalled them both, and no more BSODs. However, NTCRASH2.EXE comes up with a popup: "Unknown Hard Error". I can either abort, retry or ignore. The title for the popup changes each time I click on any of the 3 options, from "NTCRASH2.EXE - Success" to "NTCRASH2.EXE - System Warning". Is this normal?

  4. # YC on December 20th, 2005 10:07 AM

    Sorry for the double post. Anyway, I clicked on Retry a lot of times, and the error finally disappeared and NTCRASH went on. =\

  5. # DjLizard on December 20th, 2005 12:50 PM

    Yeah, that's normal for NTCrash2 at that point in the attack. There are some Windows services that respond in that manner (which is at least better than crashing!)

  6. # YC on December 20th, 2005 2:26 PM

    Ok, so how do I find out what's causing the problem? Also, mine seems to stop at 0xfd. It just stops there =(. Once again, thanks! By the way, any good site that explains how NTCRASH2 works? I've searched but found nothing :(.

  7. # DjLizard on December 20th, 2005 9:19 PM

    NTCrash2 is for testing system services and kernel for tolerance against random garbage being thrown at them. There's really nothing wrong with your computer, except for those couple of programs that don't handle NTCrash2 properly, and that is the fault of the developers. Other than NTCrash2 crashing them, there is nothing wrong with those programs (except that they don't handle garbage at all).

    It's up to the developers of those programs to fix their applications, or not. You basically don't need to do anything except continue to upgrade your applications as new versions come out. Daemon Tools is one example of an application that fixed this problem in their newest release.

    NTCrash and NTCrash2 are mentioned here and here and that's about it. Mark Russinovich and Microsoft use tools such as NTCrash(2) to test stability in applications, services, and APIs.

  8. # YC on December 21st, 2005 12:49 AM

    Ah ok, thanks! Yup I've read through both the SysInternals pages =). Anyway, as I said, if it hangs at 0xfd, does it mean there's something wrong as well? I always end up using Ctrl+C to terminate the program, because it's at 0xfd after an hour or so =(.

  9. # DjLizard on January 25th, 2006 7:55 AM

    Heh, I forgot to reply here. Sorry :)

    No, nothing's wrong at all.
