
Callbacks which point to heap memory should be ignored

Open william-burgess opened this issue 3 years ago • 0 comments

Occasionally timers are found which point to non-executable heap memory:

[+] RtlCreateTimer initial allocation memory layout:
    --> 0x00007FF80D4FF578
    --> 0x00007FFFF2C20AE0
    --> 0x0000000000000001
    --> 0x000001F86D822AB0
    --> 0x000001F86D87E210 (CALLBACK)
    --> 0x00007FFFF2C43230 (PARAM)
    --> 0x0000000000000000
    --> 0x0000000000000000
    --> 0x0000000000000000
    --> 0x0000000000000000
    --> 0x0000000000000000
    --> 0x0000000000000000
    --> 0x00007FF80D4FF558
    --> 0x90001A20E54AE9AD
    --> 0x00007FF807850128
========================================================================================================
[+] Found timer-queue timer:
[+] Virtual address of ntdll!TppTimerpCleanupGroupMemberVFuncs ptr found on the heap: 0x000001F86AD55408
[+] Timer callback: 0x1f86d87e210
[+] Timer parameter: 0x7ffff2c43230
[-] Failed to resolve callback function - SymFromAddr returned error : 126
[-] GetModuleBaseName returned error : 6
[-] Manual symbol resoluton failed
========================================================================================================

As this is a valid pointer, it will still be reported, since currently the only check is via IsInvalidPtr. A check could be added to see whether the pointer is within heap memory.

william-burgess, Oct 10 '22 13:10
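One way to implement the check suggested in this issue, as an added example that is not TickTock's own code: instead of asking only whether the callback pointer is readable, query the memory region that backs it with VirtualQueryEx and keep only callbacks that land in committed, executable memory. A callback in a read/write private region (the heap case in the log above) is then dropped before the symbol lookup, while an executable region that is not backed by a module image is still reported, since that is the case a defender actually wants to see. The function names (classify_callback_region, classify_region_fields, should_report_callback, classify_callback_in_process) are hypothetical; the Win32 constants and MEMORY_BASIC_INFORMATION stand-in under the non-Windows branch use the documented SDK values and exist only so the classifier compiles on a non-Windows host; the sample regions in main are constructed to mirror the callback address 0x1f86d87e210 from the log.

```c
/* Added example (not TickTock's own code): classify a timer callback by the
 * memory region that backs it, so callbacks that point into non-executable
 * heap memory can be dropped instead of reported. */
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins for the Win32 definitions so the classifier compiles on a
 * non-Windows host; the values are the documented SDK constants. */
typedef struct {
    void     *BaseAddress;
    void     *AllocationBase;
    uint32_t  AllocationProtect;
    size_t    RegionSize;
    uint32_t  State;
    uint32_t  Protect;
    uint32_t  Type;
} MEMORY_BASIC_INFORMATION;
#define MEM_COMMIT              0x00001000
#define MEM_RESERVE             0x00002000
#define MEM_FREE                0x00010000
#define MEM_PRIVATE             0x00020000
#define MEM_MAPPED              0x00040000
#define MEM_IMAGE               0x01000000
#define PAGE_NOACCESS           0x01
#define PAGE_READONLY           0x02
#define PAGE_READWRITE          0x04
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define PAGE_GUARD              0x100
#endif

typedef enum {
    CB_UNMAPPED,           /* region is free or only reserved: not a valid target */
    CB_NON_EXECUTABLE,     /* committed but not executable (heap data, stacks): ignore */
    CB_EXECUTABLE_PRIVATE, /* executable but not backed by a module image: suspicious */
    CB_EXECUTABLE_IMAGE    /* executable code inside a mapped module: the normal case */
} cb_class_t;

/* PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE are modifier bits above 0xFF;
 * strip them before comparing against the base protection values. */
static bool protect_is_executable(uint32_t protect)
{
    uint32_t base = protect & 0xFF;
    return base == PAGE_EXECUTE || base == PAGE_EXECUTE_READ ||
           base == PAGE_EXECUTE_READWRITE || base == PAGE_EXECUTE_WRITECOPY;
}

/* Hypothetical classifier: decides what kind of memory a callback points into. */
cb_class_t classify_callback_region(const MEMORY_BASIC_INFORMATION *mbi)
{
    if (mbi->State != MEM_COMMIT)             return CB_UNMAPPED;
    if (!protect_is_executable(mbi->Protect)) return CB_NON_EXECUTABLE;
    if (mbi->Type == MEM_IMAGE)               return CB_EXECUTABLE_IMAGE;
    return CB_EXECUTABLE_PRIVATE;
}

/* Convenience wrapper: build a region from the three fields the decision uses. */
cb_class_t classify_region_fields(uint32_t state, uint32_t type, uint32_t protect)
{
    MEMORY_BASIC_INFORMATION mbi = {0};
    mbi.State   = state;
    mbi.Type    = type;
    mbi.Protect = protect;
    return classify_callback_region(&mbi);
}

/* Only executable callbacks are worth the symbol lookup and a report line. */
bool should_report_callback(cb_class_t cls)
{
    return cls == CB_EXECUTABLE_IMAGE || cls == CB_EXECUTABLE_PRIVATE;
}

#ifdef _WIN32
/* Live version for the scanned process. The handle needs
 * PROCESS_QUERY_INFORMATION; a failed query is treated as an invalid pointer. */
cb_class_t classify_callback_in_process(HANDLE process, uintptr_t callback)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQueryEx(process, (LPCVOID)callback, &mbi, sizeof mbi) == 0)
        return CB_UNMAPPED;
    return classify_callback_region(&mbi);
}
#endif

int main(void)
{
    /* Constructed region mirroring the callback in the log above
     * (0x1f86d87e210): a committed, private, read/write heap page. */
    cb_class_t heap_cb = classify_region_fields(MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE);
    /* Constructed region for a callback inside a loaded module's .text section. */
    cb_class_t text_cb = classify_region_fields(MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ);

    printf("heap callback 0x%llx: class %d, report=%d\n",
           0x1f86d87e210ULL, (int)heap_cb, (int)should_report_callback(heap_cb));
    printf("image callback: class %d, report=%d\n",
           (int)text_cb, (int)should_report_callback(text_cb));
    return 0;
}
```

Classifying by the region's protection rather than by "is it on the heap" keeps the interesting failure mode visible: a callback that sits in PAGE_EXECUTE_READWRITE private memory still passes should_report_callback, which is exactly the injected or JIT-style code a scanner should flag, while the read/write heap pointer from the log is silenced. A further refinement would compare mbi.AllocationBase against the target's module list so the symbol lookup can be skipped when the region is not a loaded image.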