I inject my dll DseFileSystemExt.dll into all process, and hook CoCreateInstance, I do nothing in dll, but Windows live crash after few seconds aft login.
following calll stack,help me!
environment:
Windows 7 32 and 64 bit
ntdll.dll!_ZwWaitForMultipleObjects@20() + 0x15 字节
ntdll.dll!_ZwWaitForMultipleObjects@20() + 0x15 字节
kernel32.dll!_WaitForMultipleObjectsExImplementation@20() + 0x8e 字节
kernel32.dll!_WaitForMultipleObjects@16() + 0x18 字节
Faultrep.dll!68c2028d()
[下面的框架可能不正确和/或缺失,没有为 Faultrep.dll 加载符号]
Faultrep.dll!68c203a3()
wlcomm.exe!01092060()
ntdll.dll!_RtlpCallVectoredHandlers@12() + 0x1ac83 字节
ntdll.dll!_RtlCallVectoredExceptionHandlers@8() + 0x12 字节
ntdll.dll!_RtlDispatchException@8() + 0x19 字节
ntdll.dll!_KiUserExceptionDispatcher@8() + 0xf 字节
kernel32.dll!_IsBadReadPtr@8() + 0x37 字节
> DseFileSystemExt.dll!0000030F() + 0x48 字节
DseFileSystemExt.dll!000002BD() + 0x46 字节
71af0018()
inetcomm.dll!6b7d618d()
ntdll.dll!_RtlFreeAnsiString@4() + 0x539 字节
KernelBase.dll!_LoadLibraryExA@12() + 0x32 字节
kernel32.dll!_DeactivateActCtx@8() + 0x28 字节
inetcomm.dll!6b7d44c2()
inetcomm.dll!6b7d4491()
inetcomm.dll!6b7d4439()
inetcomm.dll!6b7d4404()
inetcomm.dll!6b7d4348()
inetcomm.dll!6b7d1962()
ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 字节
ntdll.dll!_LdrpRunInitializeRoutines@4() - 0x352 字节
ntdll.dll!_LdrpLoadDll@24() + 0x158e 字节
ntdll.dll!_LdrLoadDll@16() + 0x7b 字节
DseFileSystemExt.dll!000002BD() + 0x2b 字节
71af000a()
ole32.dll!LoadLibraryWithLogging() + 0x16 字节
ole32.dll!CClassCache::CDllPathEntry::LoadDll() + 0x3c 字节
ole32.dll!CClassCache::CDllPathEntry::Create_rl() + 0x37 字节
ole32.dll!CClassCache::CClassEntry::CreateDllClassEntry_rl() + 0xa9 字节
ole32.dll!CClassCache::GetClassObjectActivator() - 0x2156a 字节
ole32.dll!CClassCache::GetClassObject() + 0x30 字节
ole32.dll!CServerContextActivator::CreateInstance() + 0xea 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!CApartmentActivator::CreateInstance() + 0x74 字节
ole32.dll!CProcessActivator::CCICallback() + 0x3d 字节
ole32.dll!CProcessActivator::AttemptActivation() + 0x2c 字节
ole32.dll!CProcessActivator::ActivateByContext() + 0x4f 字节
ole32.dll!CProcessActivator::CreateInstance() + 0x49 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!CClientContextActivator::CreateInstance() + 0xb0 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!ICoCreateInstanceEx() - 0x6dd3 字节
ole32.dll!CComActivator::DoCreateInstance() + 0x96 字节
ole32.dll!_CoCreateInstanceEx@24() + 0x38 字节
ole32.dll!_CoCreateInstance@20() + 0x34 字节
DseFileSystemExt.dll!myCoCreateInstance(const _GUID & rclsid={...}, IUnknown * pUnkOuter=0x00000000, unsigned long dwClsContext=1, const _GUID & riid={...}, void * * ppv=0x080ff3f0) 行1498 + 0x1a 字节 C++
71ac000a()
abssm.dll!6885a9ca()
abssm.dll!68856f06()
abssm.dll!688569a3()
abssm.dll!68856b19()
abssm.dll!68852025()
abssm.dll!68856a69()
abssm.dll!68851b0a()
abssm.dll!68851c8a()
kernel32.dll!@BaseThreadInitThunk@12() + 0x12 字节
ntdll.dll!___RtlUserThreadStart@8() + 0x27 字节
ntdll.dll!__RtlUserThreadStart@8() + 0x1b 字节
Windows live 14.0 crash
Re: Windows live 14.0 crash
Addtion:
I remove the CoCreateInstace Hook, it crash again, the following is the stack:
> ntdll.dll!_ZwWaitForMultipleObjects@20() + 0x15 字节
ntdll.dll!_ZwWaitForMultipleObjects@20() + 0x15 字节
kernel32.dll!_WaitForMultipleObjectsExImplementation@20() + 0x8e 字节
kernel32.dll!_WaitForMultipleObjects@16() + 0x18 字节
Faultrep.dll!6981028d()
[下面的框架可能不正确和/或缺失,没有为 Faultrep.dll 加载符号]
Faultrep.dll!698103a3()
wlcomm.exe!00012060()
ntdll.dll!_RtlpCallVectoredHandlers@12() + 0x1ac83 字节
ntdll.dll!_RtlCallVectoredExceptionHandlers@8() + 0x12 字节
ntdll.dll!_RtlDispatchException@8() + 0x19 字节
ntdll.dll!_KiUserExceptionDispatcher@8() + 0xf 字节
kernel32.dll!_IsBadReadPtr@8() + 0x37 字节
DseFileSystemExt.dll!0000030F() + 0x48 字节
DseFileSystemExt.dll!000002BD() + 0x46 字节
71af0018()
inetcomm.dll!6c34618d()
ntdll.dll!_RtlFreeAnsiString@4() + 0x539 字节
KernelBase.dll!_LoadLibraryExA@12() + 0x32 字节
kernel32.dll!_DeactivateActCtx@8() + 0x28 字节
inetcomm.dll!6c3444c2()
inetcomm.dll!6c344491()
inetcomm.dll!6c344439()
inetcomm.dll!6c344404()
inetcomm.dll!6c344348()
inetcomm.dll!6c341962()
ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 字节
ntdll.dll!_LdrpRunInitializeRoutines@4() - 0x352 字节
ntdll.dll!_LdrpLoadDll@24() + 0x158e 字节
ntdll.dll!_LdrLoadDll@16() + 0x7b 字节
DseFileSystemExt.dll!000002BD() + 0x2b 字节
71af000a()
ole32.dll!LoadLibraryWithLogging() + 0x16 字节
ole32.dll!CClassCache::CDllPathEntry::LoadDll() + 0x3c 字节
ole32.dll!CClassCache::CDllPathEntry::Create_rl() + 0x37 字节
ole32.dll!CClassCache::CClassEntry::CreateDllClassEntry_rl() + 0xa9 字节
ole32.dll!CClassCache::GetClassObjectActivator() - 0x2156a 字节
ole32.dll!CClassCache::GetClassObject() + 0x30 字节
ole32.dll!CServerContextActivator::CreateInstance() + 0xea 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!CApartmentActivator::CreateInstance() + 0x74 字节
ole32.dll!CProcessActivator::CCICallback() + 0x3d 字节
ole32.dll!CProcessActivator::AttemptActivation() + 0x2c 字节
ole32.dll!CProcessActivator::ActivateByContext() + 0x4f 字节
ole32.dll!CProcessActivator::CreateInstance() + 0x49 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!CClientContextActivator::CreateInstance() + 0xb0 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!ICoCreateInstanceEx() - 0x6dd3 字节
ole32.dll!CComActivator::DoCreateInstance() + 0x96 字节
ole32.dll!_CoCreateInstanceEx@24() + 0x38 字节
ole32.dll!_CoCreateInstance@20() + 0x34 字节
abssm.dll!6889a74c()
abssm.dll!6889a822()
urlmon.dll!77371c9b()
urlmon.dll!77371c1a()
urlmon.dll!77371bbe()
urlmon.dll!77371a57()
urlmon.dll!77371a8e()
urlmon.dll!77371a8e()
ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 字节
90909090()
I remove the CoCreateInstace Hook, it crash again, the following is the stack:
> ntdll.dll!_ZwWaitForMultipleObjects@20() + 0x15 字节
ntdll.dll!_ZwWaitForMultipleObjects@20() + 0x15 字节
kernel32.dll!_WaitForMultipleObjectsExImplementation@20() + 0x8e 字节
kernel32.dll!_WaitForMultipleObjects@16() + 0x18 字节
Faultrep.dll!6981028d()
[下面的框架可能不正确和/或缺失,没有为 Faultrep.dll 加载符号]
Faultrep.dll!698103a3()
wlcomm.exe!00012060()
ntdll.dll!_RtlpCallVectoredHandlers@12() + 0x1ac83 字节
ntdll.dll!_RtlCallVectoredExceptionHandlers@8() + 0x12 字节
ntdll.dll!_RtlDispatchException@8() + 0x19 字节
ntdll.dll!_KiUserExceptionDispatcher@8() + 0xf 字节
kernel32.dll!_IsBadReadPtr@8() + 0x37 字节
DseFileSystemExt.dll!0000030F() + 0x48 字节
DseFileSystemExt.dll!000002BD() + 0x46 字节
71af0018()
inetcomm.dll!6c34618d()
ntdll.dll!_RtlFreeAnsiString@4() + 0x539 字节
KernelBase.dll!_LoadLibraryExA@12() + 0x32 字节
kernel32.dll!_DeactivateActCtx@8() + 0x28 字节
inetcomm.dll!6c3444c2()
inetcomm.dll!6c344491()
inetcomm.dll!6c344439()
inetcomm.dll!6c344404()
inetcomm.dll!6c344348()
inetcomm.dll!6c341962()
ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 字节
ntdll.dll!_LdrpRunInitializeRoutines@4() - 0x352 字节
ntdll.dll!_LdrpLoadDll@24() + 0x158e 字节
ntdll.dll!_LdrLoadDll@16() + 0x7b 字节
DseFileSystemExt.dll!000002BD() + 0x2b 字节
71af000a()
ole32.dll!LoadLibraryWithLogging() + 0x16 字节
ole32.dll!CClassCache::CDllPathEntry::LoadDll() + 0x3c 字节
ole32.dll!CClassCache::CDllPathEntry::Create_rl() + 0x37 字节
ole32.dll!CClassCache::CClassEntry::CreateDllClassEntry_rl() + 0xa9 字节
ole32.dll!CClassCache::GetClassObjectActivator() - 0x2156a 字节
ole32.dll!CClassCache::GetClassObject() + 0x30 字节
ole32.dll!CServerContextActivator::CreateInstance() + 0xea 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!CApartmentActivator::CreateInstance() + 0x74 字节
ole32.dll!CProcessActivator::CCICallback() + 0x3d 字节
ole32.dll!CProcessActivator::AttemptActivation() + 0x2c 字节
ole32.dll!CProcessActivator::ActivateByContext() + 0x4f 字节
ole32.dll!CProcessActivator::CreateInstance() + 0x49 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!CClientContextActivator::CreateInstance() + 0xb0 字节
ole32.dll!ActivationPropertiesIn::DelegateCreateInstance() + 0x55 字节
ole32.dll!ICoCreateInstanceEx() - 0x6dd3 字节
ole32.dll!CComActivator::DoCreateInstance() + 0x96 字节
ole32.dll!_CoCreateInstanceEx@24() + 0x38 字节
ole32.dll!_CoCreateInstance@20() + 0x34 字节
abssm.dll!6889a74c()
abssm.dll!6889a822()
urlmon.dll!77371c9b()
urlmon.dll!77371c1a()
urlmon.dll!77371bbe()
urlmon.dll!77371a57()
urlmon.dll!77371a8e()
urlmon.dll!77371a8e()
ntdll.dll!_LdrpCallInitRoutine@16() + 0x14 字节
90909090()
Re: Windows live 14.0 crash
Addtion:
after hook the following Function, the crash happend, if i delete the following code, n crash:
HookAPI("SetupApi.dll", "SetupDiSetClassInstallParamsW",Hook_SetupDiSetInstallParamsW, (PVOID*)&OrigSetupDiSetInstallParamsW);
HookAPI("SetupApi.dll", "SetupDiCallClassInstaller",Hook_SetupDiCallClassInstaller, (PVOID*)&OrigSetupDiCallClassInstaller);
HookAPI("SetupApi.dll", "SetupDiGetDeviceRegistryPropertyW",mySetupDiGetDeviceRegistryPropertyW, (PVOID*)&OrigSetupDiGetDeviceRegistryPropertyW);
HookAPI("SetupApi.dll", "SetupDiDeleteDevRegKey",mySetupDiDeleteDevRegKey, (PVOID*)&OrigSetupDiDeleteDevRegKey);
HookAPI("SetupApi.dll", "SetupDiRemoveDevice",mySetupDiRemoveDevice, (PVOID*)&OrigSetupDiRemoveDevice);
and I use MIXTURE_MODE flag as following, no crash happen, why?
HookAPI("SetupApi.dll", "SetupDiSetClassInstallParamsW",Hook_SetupDiSetInstallParamsW, (PVOID*)&OrigSetupDiSetInstallParamsW,NO_SAFE_UNHOOKING|MIXTURE_MODE);
HookAPI("SetupApi.dll", "SetupDiCallClassInstaller",Hook_SetupDiCallClassInstaller, (PVOID*)&OrigSetupDiCallClassInstaller,NO_SAFE_UNHOOKING|MIXTURE_MODE);
//HookAPI("SetupApi.dll", "SetupDiGetDeviceRegistryPropertyA",mySetupDiGetDeviceRegistryPropertyA, (PVOID*)&OrigSetupDiGetDeviceRegistryPropertyA,NO_SAFE_UNHOOKING);
HookAPI("SetupApi.dll", "SetupDiGetDeviceRegistryPropertyW",mySetupDiGetDeviceRegistryPropertyW, (PVOID*)&OrigSetupDiGetDeviceRegistryPropertyW,NO_SAFE_UNHOOKING|MIXTURE_MODE);
HookAPI("SetupApi.dll", "SetupDiDeleteDevRegKey",mySetupDiDeleteDevRegKey, (PVOID*)&OrigSetupDiDeleteDevRegKey,NO_SAFE_UNHOOKING|MIXTURE_MODE);
HookAPI("SetupApi.dll", "SetupDiRemoveDevice",mySetupDiRemoveDevice, (PVOID*)&OrigSetupDiRemoveDevice,NO_SAFE_UNHOOKING|MIXTURE_MODE);
after hook the following Function, the crash happend, if i delete the following code, n crash:
HookAPI("SetupApi.dll", "SetupDiSetClassInstallParamsW",Hook_SetupDiSetInstallParamsW, (PVOID*)&OrigSetupDiSetInstallParamsW);
HookAPI("SetupApi.dll", "SetupDiCallClassInstaller",Hook_SetupDiCallClassInstaller, (PVOID*)&OrigSetupDiCallClassInstaller);
HookAPI("SetupApi.dll", "SetupDiGetDeviceRegistryPropertyW",mySetupDiGetDeviceRegistryPropertyW, (PVOID*)&OrigSetupDiGetDeviceRegistryPropertyW);
HookAPI("SetupApi.dll", "SetupDiDeleteDevRegKey",mySetupDiDeleteDevRegKey, (PVOID*)&OrigSetupDiDeleteDevRegKey);
HookAPI("SetupApi.dll", "SetupDiRemoveDevice",mySetupDiRemoveDevice, (PVOID*)&OrigSetupDiRemoveDevice);
and I use MIXTURE_MODE flag as following, no crash happen, why?
HookAPI("SetupApi.dll", "SetupDiSetClassInstallParamsW",Hook_SetupDiSetInstallParamsW, (PVOID*)&OrigSetupDiSetInstallParamsW,NO_SAFE_UNHOOKING|MIXTURE_MODE);
HookAPI("SetupApi.dll", "SetupDiCallClassInstaller",Hook_SetupDiCallClassInstaller, (PVOID*)&OrigSetupDiCallClassInstaller,NO_SAFE_UNHOOKING|MIXTURE_MODE);
//HookAPI("SetupApi.dll", "SetupDiGetDeviceRegistryPropertyA",mySetupDiGetDeviceRegistryPropertyA, (PVOID*)&OrigSetupDiGetDeviceRegistryPropertyA,NO_SAFE_UNHOOKING);
HookAPI("SetupApi.dll", "SetupDiGetDeviceRegistryPropertyW",mySetupDiGetDeviceRegistryPropertyW, (PVOID*)&OrigSetupDiGetDeviceRegistryPropertyW,NO_SAFE_UNHOOKING|MIXTURE_MODE);
HookAPI("SetupApi.dll", "SetupDiDeleteDevRegKey",mySetupDiDeleteDevRegKey, (PVOID*)&OrigSetupDiDeleteDevRegKey,NO_SAFE_UNHOOKING|MIXTURE_MODE);
HookAPI("SetupApi.dll", "SetupDiRemoveDevice",mySetupDiRemoveDevice, (PVOID*)&OrigSetupDiRemoveDevice,NO_SAFE_UNHOOKING|MIXTURE_MODE);
Re: Windows live 14.0 crash
That's still 5 HookAPI calls you have there which could be reponsible for the crash. Please try to find out which one of them makes Windows live crash.
Re: Windows live 14.0 crash
The 5 hooks not called at all, It just Hooked, Not called.
Re: Windows live 14.0 crash
this time i Just hook
and i set breakpoint in mySetupDiSetClassInstallParamsW, my breakpoint not breaked, but wlcomm.exe crashed, I think the hook lib have bugs.
Code: Select all
HookAPI("SetupApi.dll", "SetupDiSetClassInstallParamsW",mySetupDiSetClassInstallParamsW, (PVOID*)&OrigSetupDiSetInstallParamsW);Re: Windows live 14.0 crash
So you hooked just one API and still wlcomm.exe crashed? What happens if you don't hook any APIs at all, but still include the madCodeHook lib, does it still crash?
Have you called "InitializeMadCHook()" and "FinalizeMadCHook()" properly, btw?
Have you called "InitializeMadCHook()" and "FinalizeMadCHook()" properly, btw?
Re: Windows live 14.0 crash
If I hook other API no crash happen. If I don't hook any API, and just include madCodehook lib, no crash. And I called InitializeMadCHook in dllmain DLL_PROCESS_ATTACH case, and I also called FinalizeMadCHook in dllmain DLL_PROCESS_DETACH case.
Re: Windows live 14.0 crash
Originally you had 5 SetupApi.dll hooks in your code. Now I'm not sure: Is the "SetupDiSetClassInstallParamsW" API hook the only one of those 5 which produces the crash? What happens if you remove the "SetupDiSetClassInstallParamsW" hook and put back in one of the other SetupApi.dll hooks? In other words: Is the crash specific to the "SetupDiSetClassInstallParamsW" API? Or do you get a crash if you hook *any* SetupApi.dll API?
Re: Windows live 14.0 crash
If I hook any SetupApi.dll API, wlcomm.exe will crash. Possibly related setupapi.dll.
Re: Windows live 14.0 crash
Sorry for the late reply.
Hmmmm... I can reproduce the problem, but I can't fully explain it. It seems I can hook kernel32 APIs without Windows Live Messenger 14 getting into trouble. But if *any* setupapi.dll API is hooked, there's a crash, just as you reported. I'm not sure why the crash occurs. I can think of 3 reasons:
(1) Maybe Windows Live Messenger is hooking the setupapi.dll APIs, too. Although I don't understand at all why it would do that. If it does, maybe their hooking engine is badly written, resulting in a crash when used together with madCodeHook.
(2) Maybe Windows Live Messenger tries to uninstall the hooks for whatever funny reason, but only does that partially. E.g. maybe they're restoring the first 5 bytes of the hooked API, but leave the 6th byte untouched. That would result in a crash. Most hooking libraries overwrite the first 5 bytes of an API, but madCodeHook overwrites the first 6 bytes.
(3) Maybe Windows Live Messenger compares the setupapi.dll API to the file on harddisk and intentionally crashes when anything has changed, either as a "security measure" or as some weird kind of copy protection. I've had a behaviour like that with an older AutoCAD version once (but not ntdll APIs instead of setupapi APIs). This really makes the least sense of all to me, though. I think (1) or (2) are more likely.
I don't think this is a madCodeHook bug, because all other processes have no problems with the setupapi hooks and the Messenger has no problems with non-setupapi hooks. Since I don't think it's my fault, there's not so much I can do to fix this. Here are 2 suggestions for you:
(1) You could recommend to your users to update to Windows Live Messenger 2011 (15.0). That one doesn't seem to crash.
(2) Or you could in DLL_PROCESS_ATTACH call GetModuleFileName(0) to check whether you're loaded in the wlcomm.exe process. If you are, you could use the MIXTURE_MODE flag.
Don't know what else to suggest...
Hmmmm... I can reproduce the problem, but I can't fully explain it. It seems I can hook kernel32 APIs without Windows Live Messenger 14 getting into trouble. But if *any* setupapi.dll API is hooked, there's a crash, just as you reported. I'm not sure why the crash occurs. I can think of 3 reasons:
(1) Maybe Windows Live Messenger is hooking the setupapi.dll APIs, too. Although I don't understand at all why it would do that. If it does, maybe their hooking engine is badly written, resulting in a crash when used together with madCodeHook.
(2) Maybe Windows Live Messenger tries to uninstall the hooks for whatever funny reason, but only does that partially. E.g. maybe they're restoring the first 5 bytes of the hooked API, but leave the 6th byte untouched. That would result in a crash. Most hooking libraries overwrite the first 5 bytes of an API, but madCodeHook overwrites the first 6 bytes.
(3) Maybe Windows Live Messenger compares the setupapi.dll API to the file on harddisk and intentionally crashes when anything has changed, either as a "security measure" or as some weird kind of copy protection. I've had a behaviour like that with an older AutoCAD version once (but not ntdll APIs instead of setupapi APIs). This really makes the least sense of all to me, though. I think (1) or (2) are more likely.
I don't think this is a madCodeHook bug, because all other processes have no problems with the setupapi hooks and the Messenger has no problems with non-setupapi hooks. Since I don't think it's my fault, there's not so much I can do to fix this. Here are 2 suggestions for you:
(1) You could recommend to your users to update to Windows Live Messenger 2011 (15.0). That one doesn't seem to crash.
(2) Or you could in DLL_PROCESS_ATTACH call GetModuleFileName(0) to check whether you're loaded in the wlcomm.exe process. If you are, you could use the MIXTURE_MODE flag.
Don't know what else to suggest...