[NTCrash logo]
Copyright © 1996 Mark Russinovich and Bryce Cogswell
last updated December 31, 1996
NTCrash V1.0 - NT System Call Interface Tester
Introduction One of Microsoft's most vocal claims concerning NT is
its high degree of robustness. Unfortunately, the
truth does not jibe with the message. Here we present
a program called NTCrash, which very simple-mindedly
blasts random calls into either NTOSKRNL or Win32K
(the two system-call interface components of the NT
operating system). The results of our testing on NT
4.0 final release and Service Pack 1 are presented
below (the results are identical). Note: Microsoft has
closed the holes in Service Pack 2
* NTOSRKNL
NTOSKRNL is the part of the NT operating system
loaded from the file NTOSKRNL.EXE in the system
directory. It contains the majority of the
Windows NT operating system that executed in
kernel-mode, including the Object Manager, the
Cache Manager, the Process Manager, the
Executive, the Memory Manager and others. Win32
programs typically invoke functions in NTOSKRNL
indirectly through KERNEL32.DLL, which calls into
NTDLL.DLL, which in-turn traps through the
NTOSKRNL system call interface and into NTOSKRNL.
NTCrash was unable to trigger a system-call
interface fault on NTOSKRNL. This result was
expected since NTOSKRNL has undergone few
significant changes in the last 4 years, and
hence has had much more exposure to testing.
* WIN32K
Win32K.SYS is a new NT kernel-mode component that
has been introduced in NT 4.0. It handles what
was previously the responsibility of USER32.DLL
and GDI32.DLL, and its inclusion in the
privileged part of NT increases the performance
of the windowing and messaging functions it
handles. Win32 programs invoke functions in
Win32K indirectly by calling stubs in USER32.DLL
and GDI32.DLL, which trap through a handler in
NTOSKRNL that vectors the calls into Win32K
functions.
NTCrash has been used to isolate and identify 13
distinct Win32K system calls that have poorly
implemented parameter validation. The symptoms of
tickling these holes range from unrecoverable
page faults, to NT blue-screen assertions that
something is wrong.
Using NTCrash NTCrash is included here with source code. Its default
behavior is to spawn 10 threads that barrage Win32K
with random system calls. This will crash NT within a
second or two. Use NTCrash with caution. We take no
responsibility for data loss or corruption it may
cause.
NTCrash takes two optional command line switches:
-n Has NTCrash barrage NTOSKRNL instead of
Win32K.
-l Enable NTCrash logging mode.
NTCrash has a mode of operation that can be
used to have it "learn" which system calls
cause trouble. This is its logging mode. When
the -l switch is used NTCrash logs information
about all system calls to a "crash.log" file
it creates in its working directory. When it
is run again after a crash, it takes the last
record from this file and appends it to
"bad.log", and then avoids making the same
system call. It then creates a new crash log.
Repeating this crash, restart procedure builds
NTCrash's "bad.log" database of system calls
that cause the machine to crash. The first
field in a record in these files is the system
call number, and the following fields are
parameters that were passed to the system
call. The -l switch was used to learn of the
13 faulty calls.
Microsoft's Microsoft has released NT 4.0 Service Pack 2, which
Response closes the holes discovered by NTCrash
The Bugs 5 of the 13 bugs are identical as they are made up of
cut-and-pasted code. These 5 take a parameter passed
from USER32 and perform an indirect call through a
table that is indexed with the parameter. No range
checking or exception handling is in place before the
array is referenced, so passing an out-of-bounds index
causes Win32K to reference memory outside of the
array, crashing the system.
Most of the other 8 bugs are similar in that a
parameter is taken from user mode and used as a
pointer without first checking for legality of the
pointer. For instance, NtUserSetClipboardData() takes
a parameter that is blindly treated as a valid pointer
to a data structure. Referencing it when it is not
obviously leads to trouble.
----------------------------------------------------------------------------
Download NTCrash plus Source (38KB)
[Image]