The case of IE7 that would not run

Yesterday I ran into an interesting behavior of IE7. On one of my computers, which runs Windows Server 2003 SP1, I was trying to publish a post to my blog (‘the power of IDA’), but I failed. IE7 crashed when I tried to write something in the editor. Moreover, IE7 does not display my posts on the blog correctly, especially when I try to put a screenshot into the post.

That was not a surprise to me, because I had already written about such behavior when I was using IE7 RC (http://msmvps.com/blogs/v_scherbina/archive/2006/07/08/IE-7-Beta-3-bugs-_2E002E002E00_.aspx) in July 2006, but now this is the official version that should work… Then another idea came to mind. I told myself: “Maybe I need to get the latest version of IE7 with the latest patches, fixes, etc., and it will work for me?”

So I decided to download the most popular version of IE7, the one for XP SP2, and install it on my second machine, which runs XP SP2. I downloaded and installed IE from http://download.microsoft.com, checked ‘install latest updates’ and … it still crashes.

OK, at least I now have a chance to figure out what’s wrong in IE. I took the following steps to reproduce the problem:

1. Sign in under my account to http://msmvps.com/blogs/v_scherbina/

2. Go to management panel

3. Open post named ‘The power of IDA’

4. Wait until browser dies

I took the URL that causes the problem and set it as the IE home page. Then I restarted the program, and … each time I run IE it crashes. Excellent: I have a 100 % reproducible case. Here is a screenshot of the crash on top of the WinDbg window; each time I restart the debugging session I get the message that IE crashed (it’s in Russian):

Here is what I see in the WinDbg command window during each session in which I run the browser:

CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe"
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
ModLoad: 00400000 0049a000 iexplore.exe
ModLoad: 7c900000 7c9b0000 ntdll.dll
ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77f10000 77f56000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c9c0000 7d1d4000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 774e0000 7761c000 C:\WINDOWS\system32\ole32.dll
ModLoad: 61410000 61534000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 77120000 771ac000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 5dca0000 5dce5000 C:\WINDOWS\system32\iertutil.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
(9a0.bc): Break instruction exception - code 80000003 (first chance)
eax=00241eb4 ebx=7ffde000 ecx=00000004 edx=00000010 esi=00241f48 edi=00241eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> g
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 773d0000 774d2000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 5d090000 5d127000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 7e1e0000 7e7a9000 C:\WINDOWS\system32\IEFRAME.dll
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\UxTheme.dll
ModLoad: 76cc0000 76ccb000 C:\Program Files\Internet Explorer\custsat.dll
ModLoad: 74720000 7476b000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 20000000 202c5000 C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 5dff0000 5e01f000 C:\WINDOWS\system32\IEUI.dll
ModLoad: 76380000 76385000 C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 4ec50000 4edf3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll
ModLoad: 47060000 47081000 C:\WINDOWS\system32\xmllite.dll
ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\apphelp.dll
ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
ModLoad: 746f0000 7471a000 C:\WINDOWS\system32\msimtf.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77a20000 77a74000 C:\WINDOWS\System32\cscui.dll
ModLoad: 76600000 7661d000 C:\WINDOWS\System32\CSCDLL.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 32520000 32532000 C:\Program Files\Microsoft Office\Office10\msohev.dll
ModLoad: 61930000 6197a000 C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 771b0000 7727e000 C:\WINDOWS\system32\WININET.dll
ModLoad: 011e0000 011e9000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 75cf0000 75d81000 C:\WINDOWS\system32\MLANG.dll
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\ws2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 10000000 1000e000 C:\Program Files\Adobe\Acrobat7.0\ActiveX\AcroIEHelper.dll
ModLoad: 7c340000 7c396000 C:\WINDOWS\system32\MSVCR71.dll
ModLoad: 50110000 5015d000 C:\Program Files\CommonFiles\ReGetShared\Catcher.dll
ModLoad: 75e90000 75f40000 C:\WINDOWS\system32\SXS.DLL
ModLoad: 71a50000 71a8f000 C:\WINDOWS\system32\mswsock.dll
ModLoad: 662b0000 66308000 C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a90000 71a98000 C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76ee0000 76f1c000 C:\WINDOWS\system32\RASAPI32.dll
ModLoad: 76e90000 76ea2000 C:\WINDOWS\system32\rasman.dll
ModLoad: 5b860000 5b8b4000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76eb0000 76edf000 C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000 C:\WINDOWS\system32\rtutils.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 5cd70000 5cd77000 C:\WINDOWS\system32\serwvdrv.dll
ModLoad: 5b0a0000 5b0a7000 C:\WINDOWS\system32\umdmxfrm.dll
ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\USERENV.dll
ModLoad: 77c70000 77c93000 C:\WINDOWS\system32\msv1_0.dll
ModLoad: 76d60000 76d79000 C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 02380000 02646000 C:\WINDOWS\system32\msi.dll
ModLoad: 722b0000 722b5000 C:\WINDOWS\system32\sensapi.dll
ModLoad: 71d40000 71d5c000 C:\WINDOWS\system32\actxprxy.dll
ModLoad: 76fc0000 76fc6000 C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 7e830000 7eb9f000 C:\WINDOWS\system32\mshtml.dll
ModLoad: 746c0000 746e9000 C:\WINDOWS\system32\msls31.dll
ModLoad: 72ea0000 72f00000 C:\WINDOWS\system32\ieapfltr.dll
ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a80000 77b14000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 77690000 776b1000 C:\WINDOWS\system32\NTMARTA.DLL
ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 71bf0000 71c03000 C:\WINDOWS\system32\SAMLIB.dll
ModLoad: 63380000 633f8000 C:\WINDOWS\system32\jscript.dll
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 79000000 79045000 C:\WINDOWS\system32\mscoree.dll
ModLoad: 63f00000 63f0c000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
ModLoad: 78130000 781cb000 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll
ModLoad: 63f50000 63f68000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
ModLoad: 64020000 64033000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RichEd20.dll
ModLoad: 79e70000 7a3d1000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
ModLoad: 732d0000 732d5000 C:\WINDOWS\system32\SOFTPUB.DLL
ModLoad: 0ffd0000 0fff8000 C:\WINDOWS\system32\rsaenh.dll
ModLoad: 60340000 60348000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll
ModLoad: 790c0000 79ba8000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\8777c689c6eb554fbb138a684f87bb16\mscorlib.ni.dll
ModLoad: 60650000 6065c000 IEHost.dll
ModLoad: 60650000 6065c000 C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
ModLoad: 60680000 60688000 IIEHost.dll
ModLoad: 60680000 60688000 C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
ModLoad: 79060000 790b3000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
ModLoad: 7a440000 7abfe000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\578bcbd50836b0438e0e0510d3b21e7a\System.ni.dll
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 image11000000
ModLoad: 11000000 11016000 C:\Documents and Settings\Vladimir Scherbina\LocalSettings\Application Data\assembly\dl3\2AJQAA8N.E81\D2E4KLW7.N96\04a708e5\0007d162_1e06c701\inkarea.dll
ModLoad: 7afd0000 7b4e6000 System.Windows.Forms.dll
ModLoad: 7ade0000 7af74000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8fb3fbffbd7c2419066781e01344f59\System.Drawing.ni.dll
ModLoad: 7afd0000 7bc56000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f51ae980020ed444a321d21d14c7e2cf\System.Windows.Forms.ni.dll
ModLoad: 7afd0000 7b4e6000 C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
ModLoad: 7ade0000 7af74000 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8fb3fbffbd7c2419066781e01344f59\System.Drawing.ni.dll
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
ModLoad: 5e380000 5e409000 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.bfc): CLR exception - code e0434f4d (first chance)
(9a0.bfc): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): C++ EH exception - code e06d7363 (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
(9a0.8a0): CLR exception - code e0434f4d (first chance)
ModLoad: 35c50000 35c89000 C:\WINDOWS\system32\Dxtrans.dll
ModLoad: 76b20000 76b31000 C:\WINDOWS\system32\ATL.DLL
ModLoad: 6d430000 6d43a000 C:\WINDOWS\system32\ddrawex.dll
ModLoad: 73760000 737a9000 C:\WINDOWS\system32\DDRAW.dll
ModLoad: 73bc0000 73bc6000 C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 35cb0000 35d07000 C:\WINDOWS\system32\Dxtmsft.dll
(9a0.bfc): CLR exception - code e0434f4d (first chance)
(9a0.bfc): CLR exception - code e0434f4d (!!! second chance !!!)
eax=05ddf9ac ebx=0358f760 ecx=00000000 edx=00000025 esi=05ddfa38 edi=e0434f4d
eip=7c81eb33 esp=05ddf9a8 ebp=05ddf9fc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
kernel32!RaiseException+0x53:
7c81eb33 5e pop esi
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

The WinDbg output shows that the problem is caused by exceptions raised while .NET assemblies are being loaded. Strange. I put breakpoints on LoadLibrary and restarted the session:

0:000> bp LoadLibraryA
*** ERROR: Module load completed but symbols could not be loaded for iexplore.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\iertutil.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\urlmon.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\SHLWAPI.dll -
0:000> bp LoadLibraryW
0:000> bl
0 e 7c801d77 0001 (0001) 0:**** kernel32!LoadLibraryA
1 e 7c80acd3 0001 (0001) 0:**** kernel32!LoadLibraryW
0:000> g

Then I started analyzing the code at each point where a LoadLibrary function was called. The most interesting piece came when IE loaded the mscorwks library. Before IE dies I see the following call:

mscorwks!GetCompileInfo+0x40f5f:
7a006ece e809692b00 call mscorwks!NGenCreateNGenWorker+0x630e1 (7a2bd7dc)
0:018> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00000004 edx=00000000 esi=00000800 edi=00000001
eip=7c801d77 esp=0607cdd0 ebp=0607d7fc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
kernel32!LoadLibraryA:
7c801d77 8bff mov edi,edi
0:018> g
(8f8.f8c): CLR exception - code e0434f4d (first chance)

It seems that something goes wrong inside the mscorwks library. I started debugging the code of mscorwks but then realized that a better way is to set an exception filter and analyze the call stack. I made a filter for C++ EH and CLR exceptions and restarted the debugger session. The exception occurred, the debugger broke in, and the last function I see in the stack is:

.text:79FE2BBE l_ThrowException: ; CODE XREF: sub_79FE2ABB+DDj
.text:79FE2BBE ; sub_79FE2ABB+E7j ...
.text:79FE2BBE 68 88 F1+ push offset unk_7A34F188
.text:79FE2BC3 8D 85 E0+ lea eax, [ebp-220h]
.text:79FE2BC9 50 push eax
.text:79FE2BCA 89 B5 E0+ mov [ebp-220h], esi
.text:79FE2BD0 E8 97 77+ call _CxxThrowException

As you can see, it throws an exception because of some undefined state. But this is only the result of the problem, and I am interested in more details. The label l_ThrowException is reached in several cases. Here is the code that jumps to it:

.text:79FE2B90 l_callUnregisterServer: ; CODE XREF: sub_79FE2ABB+AFj
.text:79FE2B90 FF 15 50+ call off_7A381250
.text:79FE2B96 85 C0 test eax, eax
.text:79FE2B98 74 24 jz short l_ThrowException
.text:79FE2B9A FF 15 50+ call off_7A381250
.text:79FE2BA0 85 C0 test eax, eax
.text:79FE2BA2 74 1A jz short l_ThrowException
.text:79FE2BA4 8D 8D E0+ lea ecx, [ebp-220h]
.text:79FE2BAA 81 E9 00+ sub ecx, 0C000h
.text:79FE2BB0 3B 88 EC+ cmp ecx, [eax+1ECh]
.text:79FE2BB6 73 06 jnb short l_ThrowException
.text:79FE2BB8 50 push eax
.text:79FE2BB9 E8 00 C3+ call sub_79FEEEBE

After deeper analysis I realized that this code detects the type of the exception. Step by step I moved up to the callers. The exception-raising code is invoked here:

.text:79FE2B54 loc_79FE2B54: ; CODE XREF: sub_79FE2ABB+84j
.text:79FE2B54 C6 45 FC+ mov byte ptr [ebp-4], 1
.text:79FE2B58 89 7E 04 mov [esi+4], edi
.text:79FE2B5B 6A 05 push 5
.text:79FE2B5D BF 00 40+ mov edi, 4000h
.text:79FE2B62 57 push edi
.text:79FE2B63 E8 67 19+ call sub_79E744CF
.text:79FE2B68 85 C0 test eax, eax
.text:79FE2B6A 74 24 jz short l_callUnregisterServer ; Just before raising exception ...

loc_79FE2B54 looks interesting, because it checks some flag via sub_79E744CF: if the flag is zero it jumps to l_callUnregisterServer, but if the flag is non-zero the following code is executed:

.text:79FE2B6C 8B 06 mov eax, [esi]
.text:79FE2B6E 6A 00 push 0
.text:79FE2B70 68 56 07+ push 756h
.text:79FE2B75 8B CE mov ecx, esi
.text:79FE2B77 FF 50 08 call dword ptr [eax+8]
.text:79FE2B7A 50 push eax
.text:79FE2B7B 68 20 20+ push 45452020h
.text:79FE2B80 68 00 E6+ push offset aEx_throw_with_ ; "EX_THROW_WITH_INNER Type = 0x%x HR = 0x"...
.text:79FE2B85 6A 03 push 3
.text:79FE2B87 57 push edi
.text:79FE2B88 E8 13 C5+ call sub_7A12F0A0
.text:79FE2B8D 83 C4 1C add esp, 1Ch

I tried to spoof the value of eax and force the CPU to execute the branch mentioned above in order to get the formatted string, but I failed: the values passed to sub_7A12F0A0 were incorrect in this case.

I continued analyzing the code and found an interesting piece of information. The procedure sub_79E783E9, which is called before the code shown above, retrieves the last error value using GetLastError:

.text:79E783E9 sub_79E783E9 proc near ; CODE XREF: sub_79E7A98F+10p
.text:79E783E9 ; sub_79E7B9F9+34p ...
.text:79E783E9 6A 08 push 8
.text:79E783EB B8 14 D5+ mov eax, offset unk_7A2ED514
.text:79E783F0 E8 BF 93+ call sub_79E717B4
.text:79E783F5 FF 15 90+ call ds:__imp_GetLastError ; it returns 0x0000007F
[...]
.text:79E78431 C3 retn
.text:79E78431 sub_79E783E9 endp ; sp = -0Ch

Error code 0x0000007F maps to ‘The specified procedure could not be found.’, which is quite strange to me, because I don’t see any nearby code that calls GetProcAddress.
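The exception filter mentioned above and the decoding of the 0x7F error value, written out as a WinDbg command sequence; this is an added example, not part of the original post. It assumes the .NET 2.0 runtime seen in the log (mscorwks.dll from v2.0.50727, so SOS can be loaded with .loadby), and the GetProcAddress breakpoint is an extra check prompted by the ERROR_PROC_NOT_FOUND value, not something the author ran.

```windbg
* Added example: WinDbg commands for the exception filter and the
* error-code decoding described in the post. '*' lines are comments.

* Break when the CLR runtime module is mapped, so the remaining
* breakpoints can be set before any managed code runs.
sxe ld:mscorwks

* Break on first-chance C++ EH (e06d7363) and CLR (e0434f4d) exceptions
* instead of waiting for the second-chance crash in RaiseException.
sxe e06d7363
sxe e0434f4d

* Review the resulting event filter settings.
sx

* Extra check for the ERROR_PROC_NOT_FOUND question: print three stack
* frames for every GetProcAddress call, then keep running.
bp kernel32!GetProcAddress "kb 3; gc"

g

* --- at the first CLR exception break ---

* Native stack of the faulting thread, with the first three arguments.
kb

* Load SOS for .NET 2.0 from the directory mscorwks.dll came from, then
* print the managed exception on this thread and the managed stack.
.loadby sos mscorwks
!pe
!clrstack

* Decode the Win32 error value returned by GetLastError in sub_79E783E9.
!error 0x7f
```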

At this point I stopped. I guess my observations will be helpful for the IE team in fixing this problem. I also hope I will have time to continue the investigation if necessary.
