[NTCrash logo] Copyright © 1996 Mark Russinovich and Bryce Cogswell last updated December 31, 1996 NTCrash V1.0 - NT System Call Interface Tester Introduction One of Microsoft's most vocal claims concerning NT is its high degree of robustness. Unfortunately, the truth does not jibe with the message. Here we present a program called NTCrash, which very simple-mindedly blasts random calls into either NTOSKRNL or Win32K (the two system-call interface components of the NT operating system). The results of our testing on NT 4.0 final release and Service Pack 1 are presented below (the results are identical). Note: Microsoft has closed the holes in Service Pack 2 * NTOSRKNL NTOSKRNL is the part of the NT operating system loaded from the file NTOSKRNL.EXE in the system directory. It contains the majority of the Windows NT operating system that executed in kernel-mode, including the Object Manager, the Cache Manager, the Process Manager, the Executive, the Memory Manager and others. Win32 programs typically invoke functions in NTOSKRNL indirectly through KERNEL32.DLL, which calls into NTDLL.DLL, which in-turn traps through the NTOSKRNL system call interface and into NTOSKRNL. NTCrash was unable to trigger a system-call interface fault on NTOSKRNL. This result was expected since NTOSKRNL has undergone few significant changes in the last 4 years, and hence has had much more exposure to testing. * WIN32K Win32K.SYS is a new NT kernel-mode component that has been introduced in NT 4.0. It handles what was previously the responsibility of USER32.DLL and GDI32.DLL, and its inclusion in the privileged part of NT increases the performance of the windowing and messaging functions it handles. Win32 programs invoke functions in Win32K indirectly by calling stubs in USER32.DLL and GDI32.DLL, which trap through a handler in NTOSKRNL that vectors the calls into Win32K functions. NTCrash has been used to isolate and identify 13 distinct Win32K system calls that have poorly implemented parameter validation. The symptoms of tickling these holes range from unrecoverable page faults, to NT blue-screen assertions that something is wrong. Using NTCrash NTCrash is included here with source code. Its default behavior is to spawn 10 threads that barrage Win32K with random system calls. This will crash NT within a second or two. Use NTCrash with caution. We take no responsibility for data loss or corruption it may cause. NTCrash takes two optional command line switches: -n Has NTCrash barrage NTOSKRNL instead of Win32K. -l Enable NTCrash logging mode. NTCrash has a mode of operation that can be used to have it "learn" which system calls cause trouble. This is its logging mode. When the -l switch is used NTCrash logs information about all system calls to a "crash.log" file it creates in its working directory. When it is run again after a crash, it takes the last record from this file and appends it to "bad.log", and then avoids making the same system call. It then creates a new crash log. Repeating this crash, restart procedure builds NTCrash's "bad.log" database of system calls that cause the machine to crash. The first field in a record in these files is the system call number, and the following fields are parameters that were passed to the system call. The -l switch was used to learn of the 13 faulty calls. Microsoft's Microsoft has released NT 4.0 Service Pack 2, which Response closes the holes discovered by NTCrash The Bugs 5 of the 13 bugs are identical as they are made up of cut-and-pasted code. These 5 take a parameter passed from USER32 and perform an indirect call through a table that is indexed with the parameter. No range checking or exception handling is in place before the array is referenced, so passing an out-of-bounds index causes Win32K to reference memory outside of the array, crashing the system. Most of the other 8 bugs are similar in that a parameter is taken from user mode and used as a pointer without first checking for legality of the pointer. For instance, NtUserSetClipboardData() takes a parameter that is blindly treated as a valid pointer to a data structure. Referencing it when it is not obviously leads to trouble. ---------------------------------------------------------------------------- Download NTCrash plus Source (38KB) [Image]