Case of the “Server Returned a Referral”

From the development team that brought us such great bugs as “Invalid Base Key Error” (https://chentiangemalc.wordpress.com/2014/05/22/case-of-the-invalid-base-key-error/) and “Continuing Case Of ByRef Corruption” (https://chentiangemalc.wordpress.com/2014/07/07/continuing-case-of-byref-corruption-net-patching/), the latest update to the application gave us a new error:

image

Of course, if you were expecting a helpful error message, you’ve come to the wrong place. Using Process Explorer (http://live.sysinternals.com/procexp.exe) we picked up the target icon:

image

And dragged it over the message box so we knew exactly which process was throwing the error. We then right-clicked the process in Process Explorer and selected Create Full Dump File.

image

Loading the dmp file in WinDbg, a simple stack trace shows we are dealing with a .NET app, thanks to the presence of mscorwks and mscoree:

0:000> k
Child-SP          RetAddr           Call Site
00000000`002fcad8 00000000`77484bc4 user32!NtUserWaitMessage+0xa
00000000`002fcae0 00000000`77484edd user32!DialogBox2+0x274
00000000`002fcb70 00000000`774d2920 user32!InternalDialogBox+0x135
00000000`002fcbd0 00000000`774d1c15 user32!SoftModalMessageBox+0x9b4
00000000`002fcd00 00000000`774d146b user32!MessageBoxWorker+0x31d
00000000`002fcec0 00000000`774d1362 user32!MessageBoxTimeoutW+0xb3
00000000`002fcf90 000007fe`eb87cd37 user32!MessageBoxW+0x4e
*** WARNING: Unable to verify checksum for System.Windows.Forms.ni.dll
00000000`002fcfd0 000007fe`e8ec8269 mscorwks!DoNDirectCall__PatchGetThreadCall+0x7b
00000000`002fd070 000007fe`e8febeae System_Windows_Forms_ni+0x9a8269
00000000`002fd150 000007fe`e8feb78d System_Windows_Forms_ni+0xacbeae
*** WARNING: Unable to verify checksum for Microsoft.VisualBasic.ni.dll
00000000`002fd2e0 000007fe`f161ff24 System_Windows_Forms_ni+0xacb78d
00000000`002fd330 000007ff`00181455 Microsoft_VisualBasic_ni+0x11ff24
00000000`002fd3f0 000007ff`0017140a 0x000007ff`00181455
00000000`002fd4a0 000007ff`001710b8 0x000007ff`0017140a
00000000`002fd570 000007fe`e8eb8cbb 0x000007ff`001710b8
00000000`002fd720 000007fe`e8ebafbe System_Windows_Forms_ni+0x998cbb
00000000`002fd7e0 000007fe`e94135ba System_Windows_Forms_ni+0x99afbe
00000000`002fd820 000007fe`e8863d26 System_Windows_Forms_ni+0xef35ba
00000000`002fd9d0 000007fe`e8863bc5 System_Windows_Forms_ni+0x343d26
00000000`002fda20 000007fe`e88624c4 System_Windows_Forms_ni+0x343bc5
00000000`002fdad0 000007fe`eb87b08a System_Windows_Forms_ni+0x3424c4
00000000`002fdb10 00000000`77479bd1 mscorwks!UMThunkStubAMD64+0x7a
00000000`002fdba0 00000000`77473bfc user32!UserCallWinProcCheckWow+0x1ad
00000000`002fdc60 00000000`77473b78 user32!CallWindowProcAorW+0xdc
00000000`002fdcb0 000007fe`fc5a6215 user32!CallWindowProcW+0x18
00000000`002fdcf0 000007fe`fc5a69a0 comctl32_7fefc580000!CallOriginalWndProc+0x1d
00000000`002fdd30 000007fe`fc5a6768 comctl32_7fefc580000!CallNextSubclassProc+0x8c
00000000`002fddb0 000007fe`fc5a69a0 comctl32_7fefc580000!DefSubclassProc+0x7c
00000000`002fde00 000007fe`fc5a6877 comctl32_7fefc580000!CallNextSubclassProc+0x8c
00000000`002fde80 00000000`77479bd1 comctl32_7fefc580000!MasterSubclassProc+0xe7
00000000`002fdf20 00000000`774798da user32!UserCallWinProcCheckWow+0x1ad
00000000`002fdfe0 000007fe`eb87cd37 user32!DispatchMessageWorker+0x3b5
00000000`002fe060 000007fe`e887fa57 mscorwks!DoNDirectCall__PatchGetThreadCall+0x7b
00000000`002fe100 000007fe`e887ea03 System_Windows_Forms_ni+0x35fa57
00000000`002fe280 000007fe`e887e278 System_Windows_Forms_ni+0x35ea03
00000000`002fe4d0 000007fe`e887dce5 System_Windows_Forms_ni+0x35e278
00000000`002fe620 000007fe`f16531c7 System_Windows_Forms_ni+0x35dce5
00000000`002fe680 000007fe`f165487c Microsoft_VisualBasic_ni+0x1531c7
00000000`002fe6e0 000007fe`f16528cd Microsoft_VisualBasic_ni+0x15487c
00000000`002fe750 000007ff`001601ff Microsoft_VisualBasic_ni+0x1528cd
00000000`002fe800 000007fe`eb87d512 0x000007ff`001601ff
00000000`002fe850 000007fe`eb76b693 mscorwks!CallDescrWorker+0x82
00000000`002fe8a0 000007fe`ebc5aac1 mscorwks!CallDescrWorkerWithHandler+0xd3
00000000`002fe940 000007fe`eb7c848b mscorwks!MethodDesc::CallDescr+0x2b1
00000000`002feb80 000007fe`eb7ebbb0 mscorwks!ClassLoader::RunMain+0x22b
00000000`002fede0 000007fe`ebd4743d mscorwks!Assembly::ExecuteMainMethod+0xbc
00000000`002ff0d0 000007fe`eb7f90d7 mscorwks!SystemDomain::ExecuteMainMethod+0x47d
00000000`002ff6a0 000007fe`eb7dbdf4 mscorwks!ExecuteEXE+0x47
00000000`002ff6f0 000007fe`f2ac74e5 mscorwks!CorExeMain+0xac
00000000`002ff750 000007fe`f2b65b21 mscoreei!CorExeMain+0xe0
00000000`002ff7a0 00000000`77a359ed mscoree!CorExeMain_Exported+0x57
00000000`002ff7d0 00000000`77b6ba01 kernel32!BaseThreadInitThunk+0xd
00000000`002ff800 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

So we load the SOS.dll debugging extension and print the CLR stack:

0:000> .load c:\windows\microsoft.net\framework64\v2.0.50727\sos.dll
0:000> !clrstack
OS Thread Id: 0x9c8 (0)
Child-SP         RetAddr          Call Site
00000000002fd070 000007fee8febeae DomainBoundILStubClass.IL_STUB(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)
00000000002fd150 000007fee8feb78d System.Windows.Forms.MessageBox.ShowCore(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions, Boolean)
00000000002fd2e0 000007fef161ff24 System.Windows.Forms.MessageBox.Show(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions)
00000000002fd330 000007ff00181455 Microsoft.VisualBasic.Interaction.MsgBox(System.Object, Microsoft.VisualBasic.MsgBoxStyle, System.Object)
00000000002fd3f0 000007ff0017140a QFBox2.modQIK.StartQIK()
00000000002fd4a0 000007ff001710b8 QFBox2.modQIK.FunctionSelection(Int16 ByRef)
00000000002fd570 000007fee8eb8cbb QFBox2.frmMain.txtQIKFunction_KeyUp(System.Object, System.Windows.Forms.KeyEventArgs)
00000000002fd720 000007fee8ebafbe System.Windows.Forms.Control.ProcessKeyEventArgs(System.Windows.Forms.Message ByRef)
00000000002fd7e0 000007fee94135ba System.Windows.Forms.Control.WmKeyChar(System.Windows.Forms.Message ByRef)
00000000002fd820 000007fee8863d26 System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
00000000002fd9d0 000007fee8863bc5 System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)
00000000002fda20 000007fee88624c4 System.Windows.Forms.NativeWindow.Callback(IntPtr, Int32, IntPtr, IntPtr)
00000000002fdad0 000007feeb87b08a DomainBoundILStubClass.IL_STUB(Int64, Int32, Int64, Int64)
00000000002fe100 000007fee887ea03 DomainBoundILStubClass.IL_STUB(MSG ByRef)
00000000002fe280 000007fee887e278 System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32)
00000000002fe4d0 000007fee887dce5 System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
00000000002fe620 000007fef16531c7 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
00000000002fe680 000007fef165487c Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnRun()
00000000002fe6e0 000007fef16528cd Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
00000000002fe750 000007ff001601ff Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(System.String[])
00000000002fe800 000007feeb87d512 QFBox2.My.MyApplication.Main(System.String[])

From this we can determine that the issue is occurring in the QFBox2.modQIK.StartQIK() function.

Now we look for the exception that was generated, which our programmers unfortunately had not been kind enough to show us:

0:000> !pe
Exception object: 00000000030f3100
Exception type: System.ComponentModel.Win32Exception
Message: A referral was returned from the server
InnerException: <none>
StackTrace (generated):
    SP               IP               Function
    00000000002FD2B0 000007FEEA40BF74 System_ni!System.Diagnostics.Process.StartWithShellExecuteEx(System.Diagnostics.ProcessStartInfo)+0x444
    00000000002FD3B0 000007FEEA40C3CD System_ni!System.Diagnostics.Process.Start(System.Diagnostics.ProcessStartInfo)+0x3d
    00000000002FD3F0 000007FF00181411 QFBox2!QFBox2.modQIK.StartQIK()+0xe1

StackTraceString: <none>
HResult: 80004005

Ok, so we know an attempt to start a process failed with the error “A referral was returned from the server”.

What was it trying to start? We can figure this out by checking the objects on the stack:

0:000> !dumpstackobjects
OS Thread Id: 0x9c8 (0)
RSP/REG          Object           Name
00000000002fcf80 00000000030f2d10 System.String
00000000002fcf90 00000000030f2dc0 System.String
00000000002fcff8 00000000030f3758 System.Windows.Forms.Application+ThreadWindows
00000000002fd008 0000000002e549a8 System.Windows.Forms.Application+ThreadContext
00000000002fd050 00000000030f2d10 System.String
00000000002fd0c0 00000000030f2d10 System.String
00000000002fd0d0 00000000030f2dc0 System.String
00000000002fd110 00000000030f2dc0 System.String
00000000002fd118 00000000030f2d10 System.String
00000000002fd158 00000000030f2d10 System.String
00000000002fd160 00000000030f2dc0 System.String
00000000002fd250 00000000030f2dc0 System.String
00000000002fd258 00000000030f2d10 System.String
00000000002fd2b0 0000000002f543d8 System.Windows.Forms.KeyEventArgs
00000000002fd2b8 00000000030f2d10 System.String
00000000002fd330 0000000002ea4bd0 System.Windows.Forms.TextBox
00000000002fd378 00000000030f2dc0 System.String
00000000002fd3b8 00000000030f2d10 System.String
00000000002fd3d0 0000000002ea4bd0 System.Windows.Forms.TextBox
00000000002fd3f0 00000000030f2d10 System.String
00000000002fd400 00000000030f2dc0 System.String
00000000002fd420 00000000030f2ed0 System.Diagnostics.ProcessStartInfo <—ProcessStartInfo was passed to StartWithShellExecuteEx
00000000002fd438 00000000030f2e00 System.String
00000000002fd440 00000000030f2e70 System.String

We can then dump that object to extract the filename:

0:000> !do 00000000030f2ed0
Name: System.Diagnostics.ProcessStartInfo
MethodTable: 000007feea50a730
EEClass: 000007fee9d5e7e0
Size: 128(0x80) bytes
(C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll)
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
000007feeab17d90  40033f0        8        System.String  0 instance 00000000030f2e00 fileName
000007feeab17d90  40033f1       10        System.String  0 instance 00000000030f2e70 arguments
000007feeab17d90  40033f2       18        System.String  0 instance 0000000000000000 directory
000007feeab17d90  40033f3       20        System.String  0 instance 0000000000000000 verb
000007feea4d7c00  40033f4       68         System.Int32  1 instance                0 windowStyle
000007feeab16f60  40033f5       6c       System.Boolean  1 instance                0 errorDialog
000007feeab1a798  40033f6       60        System.IntPtr  1 instance                0 errorDialogParentHandle
000007feeab16f60  40033f7       6d       System.Boolean  1 instance                1 useShellExecute
000007feeab17d90  40033f8       28        System.String  0 instance 0000000000000000 userName
000007feeab17d90  40033f9       30        System.String  0 instance 0000000000000000 domain
000007feeb30ad60  40033fa       38 …rity.SecureString  0 instance 0000000000000000 password
000007feeab16f60  40033fb       6e       System.Boolean  1 instance                0 loadUserProfile
000007feeab16f60  40033fc       6f       System.Boolean  1 instance                0 redirectStandardInput
000007feeab16f60  40033fd       70       System.Boolean  1 instance                0 redirectStandardOutput
000007feeab16f60  40033fe       71       System.Boolean  1 instance                0 redirectStandardError
000007feeab1fbe0  40033ff       40 System.Text.Encoding  0 instance 0000000000000000 standardOutputEncoding
000007feeab1fbe0  4003400       48 System.Text.Encoding  0 instance 0000000000000000 standardErrorEncoding
000007feeab16f60  4003401       72       System.Boolean  1 instance                0 createNoWindow
000007feeab0f2a8  4003402       50 System.WeakReference  0 instance 0000000000000000 weakParentProcess
000007fee9f9a0a8  4003403       58 ….StringDictionary  0 instance 0000000000000000 environmentVariables

Finally we dump the filename value…

0:000> !do 00000000030f2e00
Name: System.String
MethodTable: 000007feeab17d90
EEClass: 000007feea71e560
Size: 112(0x70) bytes
(C:\WINDOWS\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll)
String: “C:\QIK-QUBE2\QARUN\ARECURRENT\AQIRE32.EXE”
Fields:
              MT    Field   Offset                 Type VT     Attr            Value Name
000007feeab1f000  4000096        8         System.Int32  1 instance               44 m_arrayLength
000007feeab1f000  4000097        c         System.Int32  1 instance               43 m_stringLength
000007feeab197d8  4000098       10          System.Char  1 instance               22 m_firstChar
000007feeab17d90  4000099       20        System.String  0   shared           static Empty
                                 >> Domain:Value  0000000000123340:0000000002e51308 <<
000007feeab19688  400009a       28        System.Char[]  0   shared           static WhitespaceChars
                                 >> Domain:Value  0000000000123340:0000000002e51a58 <<

So what if I launched the process from a cmd prompt or Windows Explorer?

image

We also noticed:

  • the EXE had a recent “Last Modified Date”
  • Copying the EXE to a “clean install Windows 7 machine” the exe failed with same error message
  • The previous version of EXE did not fail with this error message

So why was the new one broken? Launching it from WinDbg we got a different error:

The requested operation requires elevation.

image

So I looked for a manifest file requesting elevation. There was an Aqire32.exe.Manifest file in the same folder as the EXE but it didn’t refer to elevation:

<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity name="QikComHlp2" version="2.0.0.7" processorArchitecture="MSIL" />
    </dependentAssembly>
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity
        type="win32"
        name="Microsoft.Windows.Common-Controls"
        version="6.0.0.0"
        processorArchitecture="X86"
        publicKeyToken="6595b64144ccf1df"
        language="*"
      />
    </dependentAssembly>
  </dependency>
</assembly>

So I opened the EXE in Resource Hacker (http://angusj.com/resourcehacker/).

Here we can see the embedded manifest file:

image


Most interesting here is the uiAccess="true" attribute.

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="true"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

There are several requirements on Windows Vista and later if you want to use uiAccess="true":

Firstly, because this program lives outside a “secure location”, the following group policy setting comes into play: User Account Control: Only elevate UIAccess applications that are installed in secure locations

We confirmed using gpresult that this policy was applied on the machine.

This security setting will enforce the requirement that applications that request execution with a UIAccess integrity level (via a marking of UIAccess=true in their application manifest) must reside in a secure location on the file system. Secure locations are limited to the following directories:

– \Program Files\, including subdirectories
– \Windows\system32\
– \Program Files (x86)\, including subdirectories, for 64-bit versions of Windows

In addition, Windows enforces a PKI signature check on any interactive application that requests execution with UIAccess integrity level, regardless of the state of this security setting.

Refer:
http://technet.microsoft.com/en-us/library/dd834830.aspx
http://technet.microsoft.com/en-us/library/jj852244.aspx
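As an added example (not code from the original post or the application it describes), the PowerShell function below pre-checks an executable against the three conditions this case turned on: whether its embedded manifest requests uiAccess="true", whether it carries an Authenticode signature that chains to a trusted root, and whether it sits in one of the secure locations when the EnableSecureUIAPaths policy is enforced. It assumes Windows PowerShell 5.1 or later on Windows; the sample path is a placeholder, and the manifest is pulled out heuristically by scanning the file for the XML text rather than walking the PE resource table.

```powershell
# Added example: preflight check for a UIAccess executable. Not part of the
# original post. Assumes PowerShell 5.1+ on Windows.

function Get-EmbeddedManifestText {
    param([Parameter(Mandatory)][string]$Path)
    # RT_MANIFEST resources are stored as plain UTF-8 XML, so for a diagnostic
    # it is enough to scan the raw bytes for <assembly ...</assembly>
    # (assumption: mt.exe or Resource Hacker remain the authoritative tools).
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
    $m = [regex]::Match($text, '<assembly[\s\S]*?</assembly>')
    if ($m.Success) { return $m.Value }
    return $null
}

function Test-UIAccessReadiness {
    param([Parameter(Mandatory)][string]$Path)
    $full   = (Resolve-Path -LiteralPath $Path).Path
    $result = [ordered]@{ Path = $full }

    # 1. What does the embedded manifest request?
    $manifest = Get-EmbeddedManifestText -Path $full
    $result.HasManifest      = [bool]$manifest
    $result.ExecutionLevel   = $null
    $result.RequestsUIAccess = $false
    if ($manifest) {
        try {
            $xml = [xml]$manifest
            # Namespace-agnostic lookup: the element lives in the asm.v3 namespace.
            $rel = $xml.SelectSingleNode('//*[local-name()="requestedExecutionLevel"]')
            if ($rel) {
                $result.ExecutionLevel   = $rel.GetAttribute('level')
                $result.RequestsUIAccess = ($rel.GetAttribute('uiAccess') -eq 'true')
            }
        } catch {
            $result.ManifestParseError = $_.Exception.Message
        }
    }

    # 2. Signature check: consent.exe verifies the Authenticode signature of a
    #    UIAccess application regardless of the secure-location policy.
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    $result.SignatureStatus  = $sig.Status.ToString()
    $result.Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $result.SignatureTrusted = ($sig.Status -eq 'Valid')

    # 3. Secure-location check, enforced only while the policy is enabled.
    #    EnableSecureUIAPaths backs "Only elevate UIAccess applications that are
    #    installed in secure locations"; the OS default is enabled, so a missing
    #    value is treated as enforced.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enforce = (Get-ItemProperty -Path $policyKey -Name EnableSecureUIAPaths -ErrorAction SilentlyContinue).EnableSecureUIAPaths
    $result.SecureUIAPathsEnforced = ($null -eq $enforce -or $enforce -ne 0)
    $secureRoots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        (Join-Path $env:windir 'System32')
    ) | Where-Object { $_ }
    $result.InSecureLocation = [bool]($secureRoots | Where-Object {
        $full.StartsWith(($_.TrimEnd('\') + '\'), [System.StringComparison]::OrdinalIgnoreCase)
    })

    # Verdict: the extra requirements only bite when uiAccess="true" is requested.
    $blocking = @()
    if ($result.RequestsUIAccess) {
        if (-not $result.SignatureTrusted) {
            $blocking += 'no trusted Authenticode signature'
        }
        if ($result.SecureUIAPathsEnforced -and -not $result.InSecureLocation) {
            $blocking += 'outside a secure location while EnableSecureUIAPaths is enforced'
        }
    }
    $result.LaunchBlockedBy = $blocking
    return [pscustomobject]$result
}

# Usage (placeholder path, not the path from the post):
# Test-UIAccessReadiness -Path 'C:\path\to\app.exe' | Format-List
```

An empty LaunchBlockedBy with RequestsUIAccess set to True is the state the fixed EXE reached at the end of this post; a self-signed test certificate only yields SignatureTrusted once its root has been imported as described below.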

When we deleted the manifest using Resource Hacker, the application launched fine. However, the component requiring uiAccess="true" would then fail to work correctly.

image

Using SignTool.exe from the Windows SDK we can check whether the EXE is signed correctly:

image

Ok it is not….

image

So I ran…

MakeCert /n CN=Test /r /h 0 /eku "1.3.6.1.5.5.7.3.3,1.3.6.1.4.1.311.10.3.13" /sv test.pvk test.cer

Pvk2Pfx /pvk test.pvk /pi password /spc Test.cer /pfx Test.pfx

signtool sign /f test.pfx /p password c:\qik-qube2\QARUN\ARECURRENT\aqire32.exe

However, attempting to sign the EXE I received an error:

image

SignTool Error: SignedCode::Sign returned error: 0x800700C1
        Either the file being signed or one of the DLL specified by /j switch is
not a valid Win32 application.
SignTool Error: An error occurred while attempting to sign: c:\qik-qube2\QARUN\A
RECURRENT\AQIRE32.exe

Now 0x800700C1 is a “bad image format” error (it wraps Win32 error 193, ERROR_BAD_EXE_FORMAT). It is typically thrown when the file image of a dynamic link library (DLL) or an executable program is invalid, or is the wrong format, e.g. a 64-bit process loading a 32-bit DLL.

However, in the case of signtool.exe it is usually a sign that the EXE still carries some remnant of a signature…

So I used delcert.exe to remove the signature from the EXE; its source code is included here:

http://forum.xda-developers.com/showthread.php?p=2508061

image

Then we signed it…

image

As a final step I imported the test certificate into the Local Machine Trusted Root store:

certmgr.exe -add test.cer -s -r localMachine root

image

We can see now it is signed:

image


image

And application launches fine now…with the manifest in place.

Now, to watch what happens when it is launched from a command prompt, we could have started cmd.exe under the debugger like this:

image

Unfortunately we don’t get enough information on what is going on from the stack trace…

0:007> !uniqstack
Processing 6 threads, please wait

.  0  Id: 1b24.2340 Suspend: 1 Teb: 00007ff6`3915e000 Unfrozen
      Start: cmd!mainCRTStartup (00007ff6`39dd65b4)
      Priority: 0  Priority class: 32  Affinity: 3
Child-SP          RetAddr           Call Site
00000001`9b83dfc8 00007ffd`0f5f13ad ntdll!NtWaitForMultipleObjects+0xa
00000001`9b83dfd0 00007ffd`10493b10 KERNELBASE!WaitForMultipleObjectsEx+0xe1
00000001`9b83e2b0 00007ffd`0d96396b USER32!RealMsgWaitForMultipleObjectsEx+0x100
00000001`9b83e360 00007ffd`0d9638be DUser!CoreSC::Wait+0x7f
00000001`9b83e3b0 00007ffd`0d96e825 DUser!CoreSC::WaitMessage+0xa6
00000001`9b83e410 00007ffd`104bff92 DUser!MphWaitMessageEx+0x31
00000001`9b83e440 00007ffd`121ac99f USER32!_ClientWaitMessageExMPH+0x1a
00000001`9b83e490 00007ffd`1049102a ntdll!KiUserCallbackDispatcherContinue
00000001`9b83e4f8 00007ffd`104c07e3 USER32!NtUserWaitMessage+0xa
00000001`9b83e500 00007ffd`104c219a USER32!DialogBox2+0x133
00000001`9b83e590 00007ffd`104c2212 USER32!InternalDialogBox+0x132
00000001`9b83e5f0 00007ffd`104c2248 USER32!DialogBoxIndirectParamAorW+0x56
00000001`9b83e630 00007ffd`0db1a596 USER32!DialogBoxIndirectParamW+0x18
00000001`9b83e670 00007ffd`0daba783 comctl32!SHFusionDialogBoxIndirectParam+0x5a
00000001`9b83e6b0 00007ffd`106bca0a comctl32!CTaskDialog::Show+0x163
00000001`9b83e740 00007ffd`106a7e4c SHLWAPI!TaskDialogIndirect+0x52
00000001`9b83e770 00007ffd`10c3136a SHLWAPI!ShellMessageBoxW+0x164
00000001`9b83e940 00007ffd`10c65350 SHELL32!SHSysErrorMessageBox+0xf6
00000001`9b83ede0 00007ffd`10c65ef0 SHELL32!_ExecErrorMsgBox+0x204
00000001`9b83ee30 00007ffd`10b43ded SHELL32!SHExecuteErrorMessageBox+0x80
00000001`9b83ee60 00007ffd`10908734 SHELL32!`Microsoft::WRL::Module<1,Microsoft::WRL::Details::DefaultModule<5> >::Create’::`2′::`dynamic atexit destructor for ‘module”+0x40993
00000001`9b83eec0 00007ffd`10908674 SHELL32!CShellExecute::ExecuteNormal+0x94
00000001`9b83eef0 00007ffd`109085e9 SHELL32!ShellExecuteNormal+0x4c
00000001`9b83ef20 00007ffd`03b41226 SHELL32!ShellExecuteExW+0x35
00000001`9b83ef50 00007ff6`39dd1bed cmdext!ShellExecuteWorker+0x7e
00000001`9b83f000 00007ff6`39dd1607 cmd!ExecPgm+0x3d1
00000001`9b83f230 00007ff6`39dd1697 cmd!ECWork+0xa3
00000001`9b83f4a0 00007ff6`39dd1379 cmd!FindFixAndRun+0x2ec
00000001`9b83f930 00007ff6`39dd5e89 cmd!Dispatch+0xa1
00000001`9b83f9c0 00007ff6`39dd66c8 cmd!main+0x191
00000001`9b83fa50 00007ffd`11fd168d cmd!eErrorLevel+0x299
00000001`9b83fa90 00007ffd`12184629 KERNEL32!BaseThreadInitThunk+0xd
00000001`9b83fac0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

.  3  Id: 1b24.1ccc Suspend: 1 Teb: 00007ff6`3915c000 Unfrozen
      Start: ntdll!TppWorkerThread (00007ffd`12138e30)
      Priority: 0  Priority class: 32  Affinity: 3
Child-SP          RetAddr           Call Site
00000001`9dc2f748 00007ffd`121390b6 ntdll!NtWaitForWorkViaWorkerFactory+0xa
00000001`9dc2f750 00007ffd`11fd168d ntdll!TppWorkerThread+0x286
00000001`9dc2fb40 00007ffd`12184629 KERNEL32!BaseThreadInitThunk+0xd
00000001`9dc2fb70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

.  5  Id: 1b24.1d04 Suspend: 1 Teb: 00007ff6`39158000 Unfrozen
      Start: combase!CRpcThreadCache::RpcWorkerThreadEntry (00007ffd`0f9b0310)
      Priority: 0  Priority class: 32  Affinity: 3
Child-SP          RetAddr           Call Site
00000001`9de2f618 00007ffd`0f5f13ad ntdll!NtWaitForMultipleObjects+0xa
00000001`9de2f620 00007ffd`0f9924fa KERNELBASE!WaitForMultipleObjectsEx+0xe1
00000001`9de2f900 00007ffd`0f9925a8 combase!WaitCoalesced+0x96 [d:\blue_gdr\com\published\comutils\coalescedwait.cxx @ 72]
00000001`9de2fb50 00007ffd`0f9ba5e1 combase!CROIDTable::WorkerThreadLoop+0x78 [d:\blue_gdr\com\combase\dcomrem\refcache.cxx @ 1480]
00000001`9de2fba0 00007ffd`0f9ba781 combase!CRpcThread::WorkerLoop+0x31 [d:\blue_gdr\com\combase\dcomrem\threads.cxx @ 264]
00000001`9de2fe10 00007ffd`11fd168d combase!CRpcThreadCache::RpcWorkerThreadEntry+0x46 [d:\blue_gdr\com\combase\dcomrem\threads.cxx @ 67]
00000001`9de2fe40 00007ffd`12184629 KERNEL32!BaseThreadInitThunk+0xd
00000001`9de2fe70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

.  6  Id: 1b24.9f4 Suspend: 1 Teb: 00007ff6`39155000 Unfrozen
      Start: msvcrt!endthreadex+0x30 (00007ffd`103399b0)
      Priority: 0  Priority class: 32  Affinity: 3
Child-SP          RetAddr           Call Site
00000001`9df4f818 00007ffd`0f5f13ad ntdll!NtWaitForMultipleObjects+0xa
00000001`9df4f820 00007ffd`10493b10 KERNELBASE!WaitForMultipleObjectsEx+0xe1
00000001`9df4fb00 00007ffd`0d9311d2 USER32!RealMsgWaitForMultipleObjectsEx+0x100
00000001`9df4fbb0 00007ffd`0d94e887 DUser!CoreSC::xwProcessNL+0x142
00000001`9df4fc50 00007ffd`0d94e7d3 DUser!GetMessageExA+0x67
00000001`9df4fca0 00007ffd`10339967 DUser!ResourceManager::SharedThreadProc+0xf3
00000001`9df4fd30 00007ffd`10339a0d msvcrt!beginthreadex+0x123
00000001`9df4fd60 00007ffd`11fd168d msvcrt!endthreadex+0xac
00000001`9df4fd90 00007ffd`12184629 KERNEL32!BaseThreadInitThunk+0xd
00000001`9df4fdc0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

.  7  Id: 1b24.232c Suspend: 1 Teb: 00007ff6`39153000 Unfrozen
      Start: ntdll!DbgUiRemoteBreakin (00007ffd`121db930)
      Priority: 0  Priority class: 32  Affinity: 3
Child-SP          RetAddr           Call Site
00000001`a248f958 00007ffd`121db964 ntdll!DbgBreakPoint
00000001`a248f960 00007ffd`11fd168d ntdll!DbgUiRemoteBreakin+0x34
00000001`a248f990 00007ffd`12184629 KERNEL32!BaseThreadInitThunk+0xd
00000001`a248f9c0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

Total threads: 6
Duplicate callstacks: 1 (windbg thread #s follow):
4

Using ProcMon and filtering on path contains Aqire32.exe and operation is CreateFile, we can see the following processes open the EXE before it fails when launched from a command prompt:

  • MsMpEng.exe (Antimalware Service Executable)
  • csrss.exe (Client Server Runtime Process)
  • svchost.exe (Host Process for Windows Services)
  • consent.exe (Consent UI for administrative applications)

image

We can check which service that svchost.exe instance hosts by looking for the service DLL in the stack trace properties. Here we find it is the Application Information service.

image

You can see from ProcExp quite a few services are hosted in this process:

image

Looking at consent.exe stack in ProcMon we can see a cert check is occurring before failure:

image

Using Rohitab API Monitor (http://www.rohitab.com/apimonitor), I enabled monitoring of Security and Identity along with System Administration, System Services, and String Manipulation under Visual C++ Library:

image

I ensured “Monitor child process” was ticked:

image

So we start monitoring this process:

image

From this we can see the Application Information service calls the function CheckElevation:

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
31312    8:12:50.132 AM    9    appinfo.dll    CheckElevation ( “C:\qik-qube2\QARUN\ARECURRENT\AQIRE32.exe”, 0x00000068dc2eeb3c, NULL, 0x00000068dc2eeb04, 0x00000068dc2eeb10 )    ERROR_SUCCESS        0.0006713

Then the Application Information service launches consent.exe:

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
31365    8:12:50.147 AM    9    KERNEL32.DLL    CreateProcessAsUserW ( 0x0000000000000a54, NULL, “consent.exe 2736 364 00000068DC8DD760”, NULL, NULL, FALSE, CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | EXTENDED_STARTUPINFO_PRESENT, NULL, NULL, 0x00000068dc2ee300, 0x00000068dc2ee290 )    TRUE        0.0013189

Then consent.exe performs:

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
1827    8:12:50.365 AM    1    WINTRUST.dll    CryptSIPRetrieveSubjectGuid ( “C:\qik-qube2\QARUN\ARECURRENT\AQIRE32.exe”, 0x0000000000000158, IID_NULL )    TRUE        0.0000770

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
1834    8:12:50.365 AM    1    WINTRUST.dll    CryptSIPLoad ( {c689aab8-8e78-11d0-8c47-00c04fc295ee}, 0, 0x0000005187ca72f0 )    TRUE        0.0010002

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
1965    8:12:50.381 AM    1    WINTRUST.dll    CryptSIPGetCaps ( 0x0000005187ca7240, 0x00000051879ef010 )    TRUE        0.0001413

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
2166    8:12:50.397 AM    1    WINTRUST.dll    CryptSIPRetrieveSubjectGuidForCatalogFile ( “CATADMIN”, 0x0000000000000158, {00000014-0000-0000-0800-000000000000} )    TRUE        0.0000360

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
2168    8:12:50.397 AM    1    WINTRUST.dll    CryptSIPLoad ( {c689aab8-8e78-11d0-8c47-00c04fc295ee}, 0, 0x00000051879ef1f0 )    TRUE        0.0000090

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
2292    8:12:50.397 AM    1    WINTRUST.dll    CryptEncodeObject ( PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 2004, 0x0000005187ca7938, NULL, 0x00000051879eefd8 )    TRUE        0.0009945

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
2616    8:12:50.413 AM    1    WINTRUST.dll    CryptFindOIDInfo ( CRYPT_OID_INFO_OID_KEY, 0x00007ffd0f5b8838, 1 )    0x00007ffd0f75e920        0.0031781

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
3155    8:12:50.475 AM    1    WINTRUST.dll    CryptFindOIDInfo ( CRYPT_OID_INFO_OID_KEY, 0x00007ffd0f5b8838, 1 )    0x00007ffd0f75e920        0.0000004
3162    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashBlockLength”, “AlgorithmName” )    1        0.0000000
3163    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashBlockLength”, “HashDigestLength” )    -1        0.0000000
3164    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashBlockLength”, “ObjectLength” )    -1        0.0000004
3165    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashBlockLength”, “MultiObjectLength” )    -1        0.0000000
3166    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashBlockLength”, “HashOIDList” )    -1        0.0000004
3167    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashBlockLength”, “HashBlockLength” )    0        0.0000000
3168    8:12:50.475 AM    1    bcrypt.dll    wcscmp ( “HashDigestLength”, “ProviderHandle” )    -1        0.0000000
3169    8:12:50.475 AM    1    bcrypt.dll    wcscmp ( “HashDigestLength”, “PrimitiveType” )    -1        0.0000004
3170    8:12:50.475 AM    1    bcrypt.dll    wcscmp ( “HashDigestLength”, “IsKeyedHash” )    -1        0.0000004
3171    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashDigestLength”, “AlgorithmName” )    1        0.0000000
3172    8:12:50.475 AM    1    bcryptPrimitives.dll    wcscmp ( “HashDigestLength”, “HashDigestLength” )    0        0.0000000
3173    8:12:50.475 AM    1    bcrypt.dll    wcscmp ( “HashDigestLength”, “ObjectLength” )    -1        0.0000000
3174    8:12:50.475 AM    1    bcrypt.dll    wcscmp ( “HashDigestLength”, “MultiObjectLength” )    -1        0.0000000

After this we see an error is displayed:

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
3214    8:12:50.475 AM    1    WINTRUST.dll    _vsnprintf ( 0x00000051879eef50, 511, “CatalogDB: %s: %s at line #%u encountered error 0x%.8lx
“, 0x00000051879eee18 )    89        0.0000041

In comparison, with the fixed EXE, when consent.exe runs we see the following instead of the error:

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
2833    8:21:13.531 AM    1    WINTRUST.dll    CryptMsgGetParam ( 0x000000e4c813ac90, CMSG_SIGNER_AUTH_ATTR_PARAM, 0, NULL, 0x000000e4c80bec80 )    TRUE        0.0000414
2879    8:21:13.531 AM    1    WINTRUST.dll    CryptMsgGetParam ( 0x000000e4c813ac90, CMSG_SIGNER_AUTH_ATTR_PARAM, 0, 0x000000e4c8143610, 0x000000e4c80bec80 )    TRUE        0.0002662
2997    8:21:13.563 AM    1    WINTRUST.dll    CertFindAttribute ( “1.3.6.1.4.1.311.2.4.2”, 4, 0x000000e4c8143620 )    NULL    0 = The operation completed successfully.     0.0000008
2998    8:21:13.563 AM    1    WINTRUST.dll    CryptMsgGetParam ( 0x000000e4c813ac90, CMSG_SIGNER_UNAUTH_ATTR_PARAM, 0, NULL, 0x000000e4c80bec80 )    FALSE    -2146889713 = The cryptographic message does not contain all of the requested attributes.     0.0000213
3010    8:21:13.563 AM    1    WINTRUST.dll    CertOpenStore ( CERT_STORE_PROV_MSG, PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0x000000e4c8136470, CERT_STORE_NO_CRYPT_RELEASE_FLAG, 0x000000e4c813ac90 )    0x000000e4c8127fb0        0.0004768

#    Time of Day    Thread    Module    API    Return Value    Error    Duration
3953    8:21:13.750 AM    1    WINTRUST.dll    CertFindAttribute ( “1.2.840.113549.1.9.6”, 0, NULL )    NULL    0 = The operation completed successfully.     0.0000000
3954    8:21:13.750 AM    1    WINTRUST.dll    CertFindAttribute ( “1.3.6.1.4.1.311.3.3.1”, 0, NULL )    NULL    0 = The operation completed successfully.     0.0000000
3956    8:21:13.750 AM    1    WINTRUST.dll    CryptMsgControl ( 0x000000e4c813ac90, 0, CMSG_CTRL_VERIFY_SIGNATURE_EX, 0x000000e4c80becc0 )    TRUE        0.0006312


About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in .NET, API Monitor, Debugging, ProcMon, WinDbg.
