Sunday, 5 January 2020

Fax and Scan from Win7 to Win10

Last time I was doing some new little experiments with procmon.exe. In the meantime I decided to look around more deeply in the c:\windows\system32 directory. Below you will find a few details from the journey. Here we go...
This time we will start here:



I tried the same binary (same location) on Windows 7 (32-bit) and Windows 10 Enterprise (x64). It crashes on both. ;)

Environment I used this time:

As you can see, WinDbg is attached to the process (FYI: on Windows 10 I was not able to attach ImmunityDebugger. If you have any hints/suggestions why, let me know in the comments please ;)).

Now we can continue. Steps to reproduce:

1) create a new fax (File > New Fax) and add a recipient ('To:'):


Let's say we don't have access to a configured fax, so we will save a draft of our message.

As you can see, I tried to add a few 'more details' to my fax message (but that was not the trigger this time ;)).

OK, the draft of the fax is saved; let's go to Drafts. If you click on the saved message you'll see your recipient. Now click the 'person' icon below the Tools menu ;) to "crash the application".

From this place you can click:

a) 'Show More Names' - in c:\users\<you>\contacts you will find the contact files that were created. Edit one of them in a hex editor, then go to 'Show More Names' and pick the file you edited (with the debugger attached, of course ;)).


b) 'New Contact' - we will use this path; see below:


If you now save our New Contact you should see the crash in WinDbg; an example is shown below:


To me it looks like our (Unicode) string is now in the rcx register...

Output from the msec.dll extension (!exploitable):


I decided to switch to Windows 7: first, to see if this app is also installed on the older version, and then to see if it also crashes there :)

So, we should be somewhere here:


As you can see, in EDI there is the AAAA string (together with the extension, that is ;)).



See below:



When I was looking for some information about the crash/bug, I found this cached page (looks like I'm not the only one who's checking c:\windows\system32... ;)).



Maybe you will find it useful. ;)

See you next time!
