0

I have app (compiled in delphi) which checks checksum of in memory loaded modules which this program uses (dlls and exe). I am checking for code (text) section and relocation table section of dlls and exe.

Sometimes over time I got different checksums. They occours randomly over different dlls or exe. Sometimes they appeared in code section, sometimes in relocation section. They look something like this:

code section:

Code section

relocation table section:

relocation section

It looks always like this. It is always in 8 byte offsets and it looks like 32 changes (with some same value). We also try to convert hex to assembler, but code does not make any sense. Also in relocation code there is no assembler. Never on same address. Usually also in different system dlls.

What can corrupt memory this way? Does exists some software to catch such event? Any ideas?

Giraffe Lion
  • 1,641
  • 1
  • 11
  • 6

1 Answers1

0

There are various types of software that like to inject code into every running process. Some of them, like Team Viewer, anti-virus programs and other malware may modify modules loaded by the victim process in order to hook certain system functions. This is one possible explanation.

Another explanation might be simple relocation, when a module cannot be loaded at its preferred base address because the address range would overlap memory already in use (e.g. dynamically allocated or occupied by another module). Hence a modification of DLL load order can result in certain modules sometimes getting relocated and sometimes not. The DLL injection mentioned in the first paragraph is one of the possible causes.

In the light of your comment: just looking at the two partial hex dumps makes it impossibly difficult to tell whether the corruption is meaningful/purposeful - like caused by some piece of software with a specific goal in mind - or random.

Even apparently random corruption could be the result of purpose, like some malware trying to get traction by heap spraying, stack smashing or similar. Or it could be the result of a malfunctioning module, like a JPEG library stumbling over an ill-formed picture.

And don't forget hardware failure... We've had memory fail with sporadic bit flips when running stressy programs during a heat wave. Similar things might happen when memory bars heat up under high load, or when the power supply gets overstressed and the quality of its output starts to suffer.

Sorry, without more data to go on there's little one can offer apart from guesswork.

There are, however, some things that you can investigate yourself since you have full control over the program. The corrupted dumps you've shown - code and relocation table - belong to sections that are normally not writeable. If you can ascertain that the affected sections are indeed read-only - for example via VirtualQuery() - then the hypothesis of malfunctioning normal code within your program can be excluded, leaving only malware, malfunctioning god-mode code (drivers) and hardware failure.

Note: VMMap allows visual inspection of the memory of a running process, without the need to write code using VirtualQuery().

Under Windows 95 & Co. there was a peculiar problem because the kernel 'recycled' mapped images of executables in the address spaces of other processes without employing copy-on-write when one of those mappings was modified (meaning the change was visible in all other processes as well).

But that shouldn't happen in the line of Windowzen descended from NT, i.e. from Windows 2000 onwards (yes, we still have one of those running because of a peculiar interface card for expensive custom hardware). I mentioned the problem only because it is an example of how normal code doing normal things could defeat the write-protection of the corrupted segments without even meaning to.

If the corrupted sections are not write-protected then you should investigate why and fix the problem. If all else fails, use VirtualProtect(). Should normal code accidentally try to write to the protected segments then this would cause a fault and termination of the program, and a procdump started for this purpose could take a snapshot (mini dump) of the program at the moment of the fault.

DarthGizka
  • 4,347
  • 1
  • 24
  • 36
  • I have closed system, no net, no team viewer, no antivirus. I check for dlls and exe every 2 minutes. sometimes it runs for weeks without shutdown before corruptin occours. I recalculte addreses so it is always same checksum. And this should not change once it is loaded in memory as no new apps is starting. And relocation table should not change. – Giraffe Lion Dec 28 '19 at 17:26
  • @ Giraffe Lion: I've amended my answer to account for the new information. – DarthGizka Dec 28 '19 at 18:16
  • what data would be useful? I can provide additional data. – Giraffe Lion Dec 28 '19 at 19:52
  • @ Giraffe Lion: ideal would be mini dumps before and after corruption but there are some things that need to be investigated first. Please read the paragraphs I've added regarding VirtualQuery & Co. – DarthGizka Dec 29 '19 at 10:13
  • we use windows 64bit. but application is 32-bit. we tried with vmmap, OllyDbg, process explorer. we find nothing. text/code is read/execute. relocation table is read. program uses directx 9. we have dump before and after, but I can not post it due to aplication nature. how can we find something from dump? It is hard to find error as it is hard (time consuming) to reproduce – Giraffe Lion Dec 29 '19 at 18:28
  • Analysis of the mini dump - for example with [IDA](https://www.hex-rays.com/products/ida/) - could tell us something iff the changes turn out to be purposeful. If not then there wouldn't be much use. But I really think you should exclude the hardware angle first, with copious memory stress tests. Maybe you can find a newer one that incorporates the lessons of Rowhammer... – DarthGizka Dec 29 '19 at 21:25