Posts tagged: fastfail

Fail Fast Codes

By , January 11, 2022 3:09 pm

When Windows encounters an error condition that might compromise the security of the computer, the program that encounters that condition is terminated as fast as possible. This is done via the Fast Fail mechanism.

Fast Fail is implemented as an intrinsic, which means you can’t redefine it, and you can’t hook it from user mode code. On x86/x64 it’s implemented as an interrupt call, which is handled inside the kernel.

The definitions for these codes are in winnt.h.

DefinitionValueComment
FAST_FAIL_LEGACY_GS_VIOLATION0Do not use. Legacy value.
FAST_FAIL_VTGUARD_CHECK_FAILURE1
FAST_FAIL_STACK_COOKIE_CHECK_FAILURE2
FAST_FAIL_CORRUPT_LIST_ENTRY3
FAST_FAIL_INCORRECT_STACK4
FAST_FAIL_INVALID_ARG5
FAST_FAIL_GS_COOKIE_INIT6
FAST_FAIL_FATAL_APP_EXIT7
FAST_FAIL_RANGE_CHECK_FAILURE8
FAST_FAIL_UNSAFE_REGISTRY_ACCESS9
FAST_FAIL_GUARD_ICALL_CHECK_FAILURE10
FAST_FAIL_GUARD_WRITE_CHECK_FAILURE11
FAST_FAIL_INVALID_FIBER_SWITCH12
FAST_FAIL_INVALID_SET_OF_CONTEXT13
FAST_FAIL_INVALID_REFERENCE_COUNT14
FAST_FAIL_INVALID_JUMP_BUFFER18
FAST_FAIL_MRDATA_MODIFIED19
FAST_FAIL_CERTIFICATION_FAILURE20
FAST_FAIL_INVALID_EXCEPTION_CHAIN21
FAST_FAIL_CRYPTO_LIBRARY22
FAST_FAIL_INVALID_CALL_IN_DLL_CALLOUT23
FAST_FAIL_INVALID_IMAGE_BASE24
FAST_FAIL_DLOAD_PROTECTION_FAILURE25
FAST_FAIL_UNSAFE_EXTENSION_CALL26
FAST_FAIL_DEPRECATED_SERVICE_INVOKED27
FAST_FAIL_INVALID_BUFFER_ACCESS28
FAST_FAIL_INVALID_BALANCED_TREE29
FAST_FAIL_INVALID_NEXT_THREAD30
FAST_FAIL_GUARD_ICALL_CHECK_SUPPRESSED31Telemetry, nonfatal
FAST_FAIL_APCS_DISABLED32
FAST_FAIL_INVALID_IDLE_STATE33
FAST_FAIL_MRDATA_PROTECTION_FAILURE34
FAST_FAIL_UNEXPECTED_HEAP_EXCEPTION35
FAST_FAIL_INVALID_LOCK_STATE36
FAST_FAIL_GUARD_JUMPTABLE37Compiler uses this value. Do not change.
FAST_FAIL_INVALID_LONGJUMP_TARGET38
FAST_FAIL_INVALID_DISPATCH_CONTEXT39
FAST_FAIL_INVALID_THREAD40
FAST_FAIL_INVALID_SYSCALL_NUMBER41Telemetry, nonfatal
FAST_FAIL_INVALID_FILE_OPERATION42Telemetry, nonfatal
FAST_FAIL_LPAC_ACCESS_DENIED43Telemetry, nonfatal
FAST_FAIL_GUARD_SS_FAILURE44
FAST_FAIL_LOADER_CONTINUITY_FAILURE45Telemetry, nonfatal
FAST_FAIL_GUARD_EXPORT_SUPPRESSION_FAILURE46
FAST_FAIL_INVALID_CONTROL_STACK47
FAST_FAIL_SET_CONTEXT_DENIED48
FAST_FAIL_INVALID_IAT49
FAST_FAIL_HEAP_METADATA_CORRUPTION50
FAST_FAIL_PAYLOAD_RESTRICTION_VIOLATION51
FAST_FAIL_LOW_LABEL_ACCESS_DENIED52Telemetry, nonfatal
FAST_FAIL_ENCLAVE_CALL_FAILURE53
FAST_FAIL_UNHANDLED_LSS_EXCEPTON54
FAST_FAIL_ADMINLESS_ACCESS_DENIED55Telemetry, nonfatal
FAST_FAIL_UNEXPECTED_CALL56
FAST_FAIL_CONTROL_INVALID_RETURN_ADDRESS57
FAST_FAIL_UNEXPECTED_HOST_BEHAVIOR58
FAST_FAIL_FLAGS_CORRUPTION59
FAST_FAIL_VEH_CORRUPTION60
FAST_FAIL_ETW_CORRUPTION61
FAST_FAIL_RIO_ABORT62
FAST_FAIL_INVALID_PFN63
FAST_FAIL_GUARD_ICALL_CHECK_FAILURE_XFG64
FAST_FAIL_CAST_GUARD65Compiler uses this value. Do not change.
FAST_FAIL_HOST_VISIBILITY_CHANGE66
FAST_FAIL_KERNEL_CET_SHADOW_STACK_ASSIST67
FAST_FAIL_PATCH_CALLBACK_FAILED68
FAST_FAIL_NTDLL_PATCH_FAILED69
FAST_FAIL_INVALID_FLS_DATA70

The FAST_FAIL_LEGACY_GS_VIOLATION definition is a legacy value and is reserved for compatibility with previous implementations of STATUS_STACK_BUFFER_OVERRUN exception status code.

Invocation

Fail Fail is invoked using the __fastfail() instrinsic.

__fastfail() takes one argument, the fast fail code, and is defined as shown below. Calls to __fastfail() do not return.

#if _MSC_VER >= 1610

DECLSPEC_NORETURN
VOID
__fastfail(
    _In_ unsigned int Code
    );

#pragma intrinsic(__fastfail)

#endif

Handling

In user mode code __fastfail() will be seen as a non-continuable┬ásecond chance exception with code 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN). There is no first chance exception to be handled. This is deliberate – it is assumed that the program state is corrupt and that the exception handling mechanism may have been compromised (think virus, etc).

The fast fail code is the first parameter supplied with the second chance exception. There may be other parameters.

In kernel mode __fastfail() is handled by a specific bugcheck code 0x139 (KERNEL_SECURITY_CHECK_FAILURE).

If a debugger is present it is given a chance to inspect the program before it terminates execution.

Implementation

Native support for __fastfail() was first implemented in Windows 8.

Earlier operating systems will still terminate the application in response to a __fastfail(), via the exception handling or bugcheck mechanism as appropriate to the user/kernel mode.

The header file definition indicates that Visual Studio 2012 (_MSC_VER 1700) onwards include support for __fastfail().

Both Visual Studio 2010, and Visual Studio 2010 SP1 have _MSC_VER defined as 1600. I can’t find an entry for 1610 anywhere.

Panorama Theme by Themocracy