Madexception reported threadhandle leak in DUI70.dll
Posted: Sun Apr 19, 2020 5:29 pm
Create a form, put a TEdit in form, run and focus to this edit, exit, then mad reported threadhandle leak in DUI70.dll
From the call stack point of view, it is the input method (I use the Asian Unicode environment) that loads dui70
I think mad has detected the creation, but the thread handle release is after mad exits, so mad has not caught the release, so report the leak
thread $1b74:
671a9f4a madExcept32.dll madExceptDbg 4052 CreateThreadCallback
004a7723 Test44Prj.exe madExcept 17661 HookedCreateThread
77416d0f msvcrt.dll _beginthreadex
5c25b730 DUser.dll InitGadgets
5c31d70d DUI70.dll InitThread
77a26357 KERNEL32.DLL BaseThreadInitThunk
:5c329ca0 ; C:\WINDOWS\SysWOW64\DUI70.dll
:77bf5608 ntdll.RtlGetNtSystemRoot + 0x68
:77c03f7f ;
:77c04826 ;
:77c0483d ;
:77c14164 ;
:77bf508c ;
:77c04e8c ;
:77c04db3 ntdll.LdrLoadDll + 0x93
:6719d87c ; C:\madExcept\madExcept32.dll
:71ab1000
:76e58752 ; C:\WINDOWS\SysWOW64\combase.dll
:76e586db ; C:\WINDOWS\SysWOW64\combase.dll
:76e584ef ; C:\WINDOWS\SysWOW64\combase.dll
:76e5b620 ; C:\WINDOWS\SysWOW64\combase.dll
:76e181bc ; C:\WINDOWS\SysWOW64\combase.dll
:76e5a694 ; C:\WINDOWS\SysWOW64\combase.dll
:76e58e92 ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f545 ; C:\WINDOWS\SysWOW64\combase.dll
:76e58a8e ; C:\WINDOWS\SysWOW64\combase.dll
:76e5afda ; C:\WINDOWS\SysWOW64\combase.dll
:76e851c5 ; C:\WINDOWS\SysWOW64\combase.dll
:76e8507d ; C:\WINDOWS\SysWOW64\combase.dll
:76e85001 ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f50d ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f64d ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f514 ; C:\WINDOWS\SysWOW64\combase.dll
:76e1a7e7 ; C:\WINDOWS\SysWOW64\combase.dll
:76e19c15 ; C:\WINDOWS\SysWOW64\combase.dll
:76e19a3e combase.CoCreateInstance + 0xbe
:7778cb29 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ea940 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ef19f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ee4cb ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ea0b8 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777aa04f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776bc7f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7778ec5b ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776a4a8 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776a215 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776a1a1 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:77769e91 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776905d ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777f0d23 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ef291 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777a98b4 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:77767c3a ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7780327a ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777c680f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ba861 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777d86bf ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7777e574 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777a24fb ; C:\WINDOWS\SysWOW64\MSCTF.dll
:778b444b USER32.AddClipboardFormatListener + 0x4b
:77894f8c ; C:\WINDOWS\SysWOW64\USER32.dll
:778940de ; C:\WINDOWS\SysWOW64\USER32.dll
:77893ec0 USER32.DispatchMessageW + 0x10
Vcl.Forms.TApplication.ProcessMessage(???)
From the call stack point of view, it is the input method (I use the Asian Unicode environment) that loads dui70
I think mad has detected the creation, but the thread handle release is after mad exits, so mad has not caught the release, so report the leak
thread $1b74:
671a9f4a madExcept32.dll madExceptDbg 4052 CreateThreadCallback
004a7723 Test44Prj.exe madExcept 17661 HookedCreateThread
77416d0f msvcrt.dll _beginthreadex
5c25b730 DUser.dll InitGadgets
5c31d70d DUI70.dll InitThread
77a26357 KERNEL32.DLL BaseThreadInitThunk
:5c329ca0 ; C:\WINDOWS\SysWOW64\DUI70.dll
:77bf5608 ntdll.RtlGetNtSystemRoot + 0x68
:77c03f7f ;
:77c04826 ;
:77c0483d ;
:77c14164 ;
:77bf508c ;
:77c04e8c ;
:77c04db3 ntdll.LdrLoadDll + 0x93
:6719d87c ; C:\madExcept\madExcept32.dll
:71ab1000
:76e58752 ; C:\WINDOWS\SysWOW64\combase.dll
:76e586db ; C:\WINDOWS\SysWOW64\combase.dll
:76e584ef ; C:\WINDOWS\SysWOW64\combase.dll
:76e5b620 ; C:\WINDOWS\SysWOW64\combase.dll
:76e181bc ; C:\WINDOWS\SysWOW64\combase.dll
:76e5a694 ; C:\WINDOWS\SysWOW64\combase.dll
:76e58e92 ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f545 ; C:\WINDOWS\SysWOW64\combase.dll
:76e58a8e ; C:\WINDOWS\SysWOW64\combase.dll
:76e5afda ; C:\WINDOWS\SysWOW64\combase.dll
:76e851c5 ; C:\WINDOWS\SysWOW64\combase.dll
:76e8507d ; C:\WINDOWS\SysWOW64\combase.dll
:76e85001 ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f50d ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f64d ; C:\WINDOWS\SysWOW64\combase.dll
:76e4f514 ; C:\WINDOWS\SysWOW64\combase.dll
:76e1a7e7 ; C:\WINDOWS\SysWOW64\combase.dll
:76e19c15 ; C:\WINDOWS\SysWOW64\combase.dll
:76e19a3e combase.CoCreateInstance + 0xbe
:7778cb29 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ea940 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ef19f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ee4cb ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ea0b8 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777aa04f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776bc7f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7778ec5b ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776a4a8 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776a215 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776a1a1 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:77769e91 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7776905d ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777f0d23 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ef291 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777a98b4 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:77767c3a ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7780327a ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777c680f ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777ba861 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777d86bf ; C:\WINDOWS\SysWOW64\MSCTF.dll
:7777e574 ; C:\WINDOWS\SysWOW64\MSCTF.dll
:777a24fb ; C:\WINDOWS\SysWOW64\MSCTF.dll
:778b444b USER32.AddClipboardFormatListener + 0x4b
:77894f8c ; C:\WINDOWS\SysWOW64\USER32.dll
:778940de ; C:\WINDOWS\SysWOW64\USER32.dll
:77893ec0 USER32.DispatchMessageW + 0x10
Vcl.Forms.TApplication.ProcessMessage(???)