We are experiencing a crashing Chrome app on W8. This happens only in the case of manual uninjecting during deinitialization of our services while Chrome is running.
I was able to analyze this problem and it looks like MCH fails to unhook some of the hooked functions. Once Chrome tries to call them, it crashes, because the DLL is already unloaded.
The problem is in the function FindFileMappingHandle (ObjectTools.cpp). It enumerates all handles within the Chrome process, but NtQueryObject sometimes causes exception 0xC0000008 (An invalid handle was specified.) or even 0xC0000005. And it skips unhooking.
A quick fix to your code, from:

```cpp
...
// probes handle value i1 * 4; NtQueryObject is called unguarded here
if ( (SUCCEEDED(pfnNtQueryObject((HANDLE) (i1 * 4), 2, buf, 2048, NULL))) && (buf[1]) &&
     (!_wcsicmp((LPWSTR) buf[1], L"Section")) &&
     (SUCCEEDED(pfnNtQueryObject((HANDLE) (i1 * 4), 1, buf, 2048, NULL))) && (buf[1])) {
...
```
to:

```cpp
...
BOOL res = FALSE;
__try
{
    // same probe, but an exception from a stale handle no longer aborts the loop
    res = (SUCCEEDED(pfnNtQueryObject((HANDLE) (i1 * 4), 2, buf, 2048, NULL))) && (buf[1]) &&
          (!_wcsicmp((LPWSTR) buf[1], L"Section")) &&
          (SUCCEEDED(pfnNtQueryObject((HANDLE) (i1 * 4), 1, buf, 2048, NULL))) && (buf[1]);
}
__except (ExceptionFilter(L"NtQueryObject", GetExceptionInformation()))
{
    res = FALSE;
}
if ( res ) {
...
```
What do you think?
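As an added example (my own code, not from the post above or from MCH): instead of probing every multiple of 4 as a handle value, take a SystemExtendedHandleInformation snapshot, keep only the entries that belong to the current process, and then classify each one with NtQueryObject(ObjectTypeInformation) under __try/__except, so a handle that raises 0xC0000008 or 0xC0000005 is simply skipped and the sweep continues. The struct layouts, the class number 64, and the helper names here are my assumptions (the layouts are undocumented but have been stable); the SEH part needs MSVC on Windows, while the filtering helper and the constructed sample table also build on other hosts.

```c
/* Added example (not code from the original post or from MCH). Assumes MSVC on
 * Windows for the __try/__except part; the filtering helper is portable. */
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#else
/* Stand-in typedefs so the pure filtering logic also builds on non-Windows hosts. */
typedef uint32_t  ULONG;
typedef uint16_t  USHORT;
typedef uintptr_t ULONG_PTR;
typedef void     *PVOID;
#endif

/* Assumed layout of SystemExtendedHandleInformation (class 64); undocumented but stable. */
typedef struct {
    PVOID     Object;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR HandleValue;
    ULONG     GrantedAccess;
    USHORT    CreatorBackTraceIndex;
    USHORT    ObjectTypeIndex;
    ULONG     HandleAttributes;
    ULONG     Reserved;
} HANDLE_ENTRY_EX;

typedef struct {
    ULONG_PTR       NumberOfHandles;
    ULONG_PTR       Reserved;
    HANDLE_ENTRY_EX Handles[1];          /* really NumberOfHandles entries */
} HANDLE_INFO_EX;

/* Pure helper: copy the handle values owned by `pid` out of the snapshot.
 * Returns how many were copied (capped at max_out). */
size_t collect_process_handles(const HANDLE_INFO_EX *info, ULONG_PTR pid,
                               ULONG_PTR *out, size_t max_out)
{
    size_t n = 0;
    for (ULONG_PTR i = 0; i < info->NumberOfHandles && n < max_out; i++)
        if (info->Handles[i].UniqueProcessId == pid)
            out[n++] = info->Handles[i].HandleValue;
    return n;
}

/* Constructed sample (not real data): four entries, two of them for pid 1234.
 * Fills sample_out and returns the count, so the helper can be checked offline. */
ULONG_PTR sample_out[8];
size_t run_sample_table(void)
{
    const ULONG_PTR pids[4]    = { 4, 1234, 9999, 1234 };
    const ULONG_PTR handles[4] = { 0x4, 0x10, 0x18, 0x2c };
    HANDLE_INFO_EX *t = calloc(1, sizeof *t + 3 * sizeof(HANDLE_ENTRY_EX));
    if (!t) return 0;
    t->NumberOfHandles = 4;
    for (size_t i = 0; i < 4; i++) {
        t->Handles[i].UniqueProcessId = pids[i];
        t->Handles[i].HandleValue     = handles[i];
    }
    size_t n = collect_process_handles(t, 1234, sample_out, 8);
    free(t);
    return n;
}

#ifdef _WIN32
#define SYSTEM_EXTENDED_HANDLE_INFO  64                       /* assumed class number */
#define STATUS_INFO_LENGTH_MISMATCH_ ((NTSTATUS)0xC0000004L)
typedef NTSTATUS (NTAPI *PFN_QSI)(ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *PFN_QO)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG);

/* Probe one handle under SEH: 0xC0000008 / 0xC0000005 from a stale handle is
 * swallowed here so the caller keeps sweeping instead of skipping the unhook. */
static int is_section_handle(PFN_QO qo, HANDLE h)
{
    unsigned char buf[2048];
    PUBLIC_OBJECT_TYPE_INFORMATION *ti = (PUBLIC_OBJECT_TYPE_INFORMATION *)buf;
    int res = 0;
    __try {
        if (qo(h, ObjectTypeInformation, buf, sizeof buf, NULL) >= 0 && ti->TypeName.Buffer)
            res = ti->TypeName.Length == 7 * sizeof(WCHAR) &&
                  _wcsnicmp(ti->TypeName.Buffer, L"Section", 7) == 0;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        res = 0;
    }
    return res;
}

/* Returns the number of Section handles written to `out`, or -1 on failure. */
int find_section_handles(HANDLE *out, size_t max_out)
{
    HMODULE nt  = GetModuleHandleW(L"ntdll.dll");
    PFN_QSI qsi = (PFN_QSI)GetProcAddress(nt, "NtQuerySystemInformation");
    PFN_QO  qo  = (PFN_QO)GetProcAddress(nt, "NtQueryObject");
    if (!qsi || !qo) return -1;

    ULONG size = 1u << 16;
    HANDLE_INFO_EX *info = NULL;
    NTSTATUS st;
    do {                                  /* grow until the snapshot fits */
        free(info);
        if (!(info = malloc(size))) return -1;
        st = qsi(SYSTEM_EXTENDED_HANDLE_INFO, info, size, NULL);
        size *= 2;
    } while (st == STATUS_INFO_LENGTH_MISMATCH_);
    if (st < 0) { free(info); return -1; }

    static ULONG_PTR mine[4096];
    size_t n = collect_process_handles(info, GetCurrentProcessId(), mine, 4096);
    free(info);

    size_t found = 0;
    for (size_t i = 0; i < n && found < max_out; i++) {
        HANDLE h = (HANDLE)mine[i];
        if (is_section_handle(qo, h)) out[found++] = h;
    }
    return (int)found;
}
#endif
```

Two design points: only ObjectTypeInformation (class 2) is queried here, because ObjectNameInformation (class 1, the second call in the posted code) can block indefinitely on some synchronous named-pipe handles, which would turn a crash at unload into a hang at unload; and the snapshot is taken once rather than re-queried per handle, so a process with tens of thousands of handles is swept in one pass.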