Rare 0xc0000018 error on w81 64b apps

c++ / delphi package - dll injection and api hooking

Rare 0xc0000018 error on w81 64b apps

Postby EaSy » Mon Aug 04, 2014 9:57 am

Hi,
we rarely experience a bug with MCH. All of the injected 64b apps are unable to start because of error "The application was unable to start correctly (0xc0000018)" on w8.1 64b.
I managed to find the source. It is a address collision of MCH data buffer with system dll in app's memory space during its startup.
Verbose loader output says the relocation for kernel32 is needed and then it fails.

MCHbug.png
MCHbug.png (140.84 KiB) Viewed 5470 times


The problem always lasts until the next restart when both kernel32 and MCH data both occupy different addresses. So my guess is, it is really random, but it happens. Thanks for fix.

Sincerely
PP
EaSy
 
Posts: 146
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby madshi » Mon Aug 04, 2014 10:09 am

Are you using the latest madCodeHook build (madCodeHook 3.1.7, installer 2.7.9.0)? I think there was a bugfix a while ago for a problem which sounded somewhat similar to what you're describing now, but I'm not 100% sure right now.
madshi
Site Admin
 
Posts: 9408
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby EaSy » Tue Aug 05, 2014 9:35 am

We are using the latest build. AllocMemEx probably wasn't able to find free page after ntdll (NtTestAlert), so it allocated the one before. But it collided with kernel32. You can look at the addresses. Ntdll starts at 0x7fff5cd90000. The buffer is allocated 0x10000 bytes before at the address 0x7fff5cd80000. It collides with kernel32 which ends at 0x7fff5cd8a000, only 0x6000 bytes before.
EaSy
 
Posts: 146
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby madshi » Thu Aug 21, 2014 7:57 am

Sorry for the late reply. Is there an easy way for me to reproduce the issue? In all my tests on win8.1 x64 I've never seen this issue yet... :( Maybe one thing I could do is to delay the patching a bit, until the first dll gets loaded into the newly created process. I'm already using that trick for some hard-to-handle x64 processes for win8.1. Maybe I could use it for all processes. But I'm a bit worried that it might make injection uneffective if some processes are never loading any dlls. But then, probably every process is linked to kernel32.dll, so it's probably not something I'd need to worry about. Thoughts?
madshi
Site Admin
 
Posts: 9408
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby EaSy » Mon Aug 25, 2014 8:41 am

Hi,
it is very rare. The report is from WM snapshot of w8.1.

The easiest way would be to do "up" search by one 4KB page only, not by 0x10000. There is always some space between dll images in memory.

Sincerely
PP
EaSy
 
Posts: 146
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby EaSy » Mon Sep 22, 2014 1:49 pm

Hi,
any progress?

PP
EaSy
 
Posts: 146
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby madshi » Wed Oct 08, 2014 12:35 pm

Hmmmm... If I made a test build, could you double check whether the problem is gone or not? I don't know any other way because I've trouble reproducing this issue...
madshi
Site Admin
 
Posts: 9408
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby wj_Lee » Tue Apr 28, 2015 12:31 pm

Hi,

I got a simple question,

at release note 3.1.8,
...
(2) fixed: hooking ntdll in non-large-address-aware x64 processes crashed
...

that clause means this issue?


Sincerely
wj_Lee
 
Posts: 6
Joined: Tue Apr 28, 2015 12:29 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby madshi » Tue Apr 28, 2015 1:01 pm

I think that was a different problem. In any case, both problems should be fixed in the latest build.
madshi
Site Admin
 
Posts: 9408
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby EaSy » Mon Feb 08, 2016 10:42 am

Hi,
i want to reopen this issue. It is happening on W10. Here is the screenshot.

2016-02-08 11_23_10-2.png
2016-02-08 11_23_10-2.png (251.38 KiB) Viewed 3629 times


Any idea how to fix it for good?

PP
EaSy
 
Posts: 146
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby madshi » Mon Feb 08, 2016 11:21 am

This issue should be fixed in the latest beta build:

http://madshi.net/madCollectionBeta.exe
madshi
Site Admin
 
Posts: 9408
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby EaSy » Tue Feb 16, 2016 8:07 am

It helped. Thx.

PP
EaSy
 
Posts: 146
Joined: Tue Oct 23, 2012 12:33 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby Overnissen » Mon Mar 07, 2016 9:40 pm

I believe I have a similar problem, it gives the same error anyway and only on Windows10.

I have the hooking .dlls signed, the kernel mode injection drivers configured and signed and it works fine on Win7.

May I ask what I need to update ?

Would it be enough to retrieve the renameme64.sys and renameme32.sys, configure them and sign them, or do I have to rebuild the .dlls with the beta madCodeHook as well ?
Overnissen
 
Posts: 28
Joined: Mon Dec 29, 2014 6:22 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby madshi » Mon Mar 07, 2016 10:03 pm

Just renewing the drivers should do the trick.
madshi
Site Admin
 
Posts: 9408
Joined: Sun Mar 21, 2004 5:25 pm

Re: Rare 0xc0000018 error on w81 64b apps

Postby Overnissen » Tue Mar 08, 2016 4:33 pm

Thanks madshi, I'll give it a go :)
Overnissen
 
Posts: 28
Joined: Mon Dec 29, 2014 6:22 pm

Next

Return to madCodeHook

Who is online

Users browsing this forum: No registered users and 7 guests